@pingagent/sdk 0.1.10 → 0.1.11

package/dist/chunk-R3D7LOGB.js

@@ -0,0 +1,3553 @@
+// src/client.ts
+import { ERROR_HINTS, ErrorCode as ErrorCode2, SCHEMA_TASK as SCHEMA_TASK2, SCHEMA_CONTACT_REQUEST as SCHEMA_CONTACT_REQUEST2, SCHEMA_RESULT as SCHEMA_RESULT2, SCHEMA_TEXT as SCHEMA_TEXT2 } from "@pingagent/schemas";
+import {
+  buildUnsignedEnvelope,
+  signEnvelope
+} from "@pingagent/protocol";
+
+// src/transport.ts
+import { ErrorCode } from "@pingagent/schemas";
+var HttpTransport = class {
+  serverUrl;
+  accessToken;
+  maxRetries;
+  onTokenRefreshed;
+  constructor(opts) {
+    this.serverUrl = opts.serverUrl.replace(/\/$/, "");
+    this.accessToken = opts.accessToken;
+    this.maxRetries = opts.maxRetries ?? 3;
+    this.onTokenRefreshed = opts.onTokenRefreshed;
+  }
+  setToken(token) {
+    this.accessToken = token;
+  }
+  /** Fetch a URL with Bearer auth (e.g. artifact upload/download). */
+  async fetchWithAuth(url, options = {}) {
+    const headers = { Authorization: `Bearer ${this.accessToken}` };
+    if (options.contentType) headers["Content-Type"] = options.contentType;
+    const res = await fetch(url, {
+      method: options.method ?? "GET",
+      headers,
+      body: options.body ?? void 0
+    });
+    if (!res.ok) {
+      const text = await res.text();
+      throw new Error(`Request failed (${res.status}): ${text.slice(0, 200)}`);
+    }
+    return res.arrayBuffer();
+  }
+  async request(method, path6, body, skipAuth = false) {
+    const url = `${this.serverUrl}${path6}`;
+    const headers = {
+      "Content-Type": "application/json"
+    };
+    if (!skipAuth) {
+      headers["Authorization"] = `Bearer ${this.accessToken}`;
+    }
+    let lastError = null;
+    const delays = [1e3, 2e3, 4e3];
+    for (let attempt = 0; attempt <= this.maxRetries; attempt++) {
+      try {
+        const res = await fetch(url, {
+          method,
+          headers,
+          body: body ? JSON.stringify(body) : void 0
+        });
+        const text = await res.text();
+        let data;
+        try {
+          data = text ? JSON.parse(text) : {};
+        } catch {
+          throw new Error(`Server returned non-JSON (${res.status}): ${text.slice(0, 200)}`);
+        }
+        if (res.status === 401 && data.error?.code === ErrorCode.TOKEN_EXPIRED && attempt === 0) {
+          const refreshed = await this.refreshToken();
+          if (refreshed) {
+            headers["Authorization"] = `Bearer ${this.accessToken}`;
+            continue;
+          }
+        }
+        if (res.status === 429 && data.error?.retry_after_ms) {
+          await sleep(data.error.retry_after_ms);
+          continue;
+        }
+        if (res.status >= 500 && attempt < this.maxRetries) {
+          await sleep(delays[attempt] ?? 4e3);
+          continue;
+        }
+        return data;
+      } catch (e) {
+        lastError = e;
+        if (attempt < this.maxRetries) {
+          await sleep(delays[attempt] ?? 4e3);
+        }
+      }
+    }
+    throw lastError ?? new Error("Request failed after retries");
+  }
+  async refreshToken() {
+    try {
+      const res = await fetch(`${this.serverUrl}/v1/auth/refresh`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ access_token: this.accessToken })
+      });
+      if (!res.ok) return false;
+      const text = await res.text();
+      let data;
+      try {
+        data = text ? JSON.parse(text) : {};
+      } catch {
+        return false;
+      }
+      if (!data.ok || !data.data) return false;
+      this.accessToken = data.data.access_token;
+      const expiresAt = Date.now() + data.data.expires_ms;
+      this.onTokenRefreshed?.(data.data.access_token, expiresAt);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+};
+function sleep(ms) {
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
+}
+
+// src/identity.ts
+import * as fs from "fs";
+import * as path2 from "path";
+import { generateKeyPairSync } from "crypto";
+import { generateIdentity as genId } from "@pingagent/protocol";
+
+// src/paths.ts
+import * as path from "path";
+import * as os from "os";
+var DEFAULT_ROOT_DIR = path.join(os.homedir(), ".pingagent");
+function getRootDir() {
+  return process.env.PINGAGENT_ROOT_DIR || DEFAULT_ROOT_DIR;
+}
+function getProfile() {
+  const p = process.env.PINGAGENT_PROFILE;
+  if (!p) return void 0;
+  return p.trim() || void 0;
+}
+function getIdentityPath(explicitPath) {
+  const envPath = process.env.PINGAGENT_IDENTITY_PATH?.trim();
+  if (explicitPath) return explicitPath;
+  if (envPath) return path.resolve(envPath.replace(/^~(?=\/|$)/, os.homedir()));
+  const root = getRootDir();
+  const profile = getProfile();
+  if (!profile) {
+    return path.join(root, "identity.json");
+  }
+  return path.join(root, "profiles", profile, "identity.json");
+}
+function getStorePath(explicitPath) {
+  const envPath = process.env.PINGAGENT_STORE_PATH?.trim();
+  if (explicitPath) return explicitPath;
+  if (envPath) return path.resolve(envPath.replace(/^~(?=\/|$)/, os.homedir()));
+  const root = getRootDir();
+  const profile = getProfile();
+  if (!profile) {
+    return path.join(root, "store.db");
+  }
+  return path.join(root, "profiles", profile, "store.db");
+}
+
+// src/identity.ts
+function toBase64(bytes) {
+  let binary = "";
+  for (const b of bytes) binary += String.fromCharCode(b);
+  return btoa(binary);
+}
+function fromBase64(b64) {
+  const binary = atob(b64);
+  const bytes = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
+  return bytes;
+}
+function generateEncryptionKeyPair() {
+  const { privateKey, publicKey } = generateKeyPairSync("ec", { namedCurve: "prime256v1" });
+  const privateJwk = privateKey.export({ format: "jwk" });
+  const publicJwk = publicKey.export({ format: "jwk" });
+  return {
+    encryptionPublicKeyJwk: {
+      kty: "EC",
+      crv: "P-256",
+      x: publicJwk.x,
+      y: publicJwk.y
+    },
+    encryptionPrivateKeyJwk: {
+      kty: "EC",
+      crv: "P-256",
+      x: privateJwk.x,
+      y: privateJwk.y,
+      d: privateJwk.d
+    }
+  };
+}
+function ensureIdentityEncryptionKeys(identity) {
+  if (identity.encryptionPublicKeyJwk && identity.encryptionPrivateKeyJwk) {
+    return {
+      encryptionPublicKeyJwk: identity.encryptionPublicKeyJwk,
+      encryptionPrivateKeyJwk: identity.encryptionPrivateKeyJwk
+    };
+  }
+  return generateEncryptionKeyPair();
+}
+function generateIdentity() {
+  const signingIdentity = genId();
+  return {
+    ...signingIdentity,
+    ...ensureIdentityEncryptionKeys({})
+  };
+}
+function identityExists(identityPath) {
+  return fs.existsSync(getIdentityPath(identityPath));
+}
+function loadIdentity(identityPath) {
+  const p = getIdentityPath(identityPath);
+  const data = JSON.parse(fs.readFileSync(p, "utf-8"));
+  const encryption = ensureIdentityEncryptionKeys({
+    encryptionPublicKeyJwk: data.encryption_public_key,
+    encryptionPrivateKeyJwk: data.encryption_private_key
+  });
+  if (!data.encryption_public_key || !data.encryption_private_key) {
+    data.encryption_public_key = encryption.encryptionPublicKeyJwk;
+    data.encryption_private_key = encryption.encryptionPrivateKeyJwk;
+    fs.writeFileSync(p, JSON.stringify(data, null, 2), { mode: 384 });
+  }
+  return {
+    publicKey: fromBase64(data.public_key),
+    privateKey: fromBase64(data.private_key),
+    ...encryption,
+    did: data.did,
+    deviceId: data.device_id,
+    serverUrl: data.server_url,
+    accessToken: data.access_token,
+    tokenExpiresAt: data.token_expires_at,
+    mode: data.mode
+  };
+}
+function saveIdentity(identity, opts, identityPath) {
+  const p = getIdentityPath(identityPath);
+  const dir = path2.dirname(p);
+  if (!fs.existsSync(dir)) {
+    fs.mkdirSync(dir, { recursive: true, mode: 448 });
+  }
+  const encryption = ensureIdentityEncryptionKeys(identity);
+  const stored = {
+    public_key: toBase64(identity.publicKey),
+    private_key: toBase64(identity.privateKey),
+    encryption_public_key: encryption.encryptionPublicKeyJwk,
+    encryption_private_key: encryption.encryptionPrivateKeyJwk,
+    did: identity.did,
+    device_id: identity.deviceId,
+    server_url: opts?.serverUrl,
+    access_token: opts?.accessToken,
+    token_expires_at: opts?.tokenExpiresAt,
+    mode: opts?.mode,
+    alias: opts?.alias
+  };
+  fs.writeFileSync(p, JSON.stringify(stored, null, 2), { mode: 384 });
+}
+function updateStoredToken(accessToken, expiresAt, identityPath) {
+  const p = getIdentityPath(identityPath);
+  const data = JSON.parse(fs.readFileSync(p, "utf-8"));
+  data.access_token = accessToken;
+  data.token_expires_at = expiresAt;
+  fs.writeFileSync(p, JSON.stringify(data, null, 2), { mode: 384 });
+}
+
+// src/contacts.ts
+function rowToContact(row) {
+  return {
+    did: row.did,
+    alias: row.alias ?? void 0,
+    display_name: row.display_name ?? void 0,
+    notes: row.notes ?? void 0,
+    conversation_id: row.conversation_id ?? void 0,
+    trusted: row.trusted === 1,
+    added_at: row.added_at,
+    last_message_at: row.last_message_at ?? void 0,
+    tags: row.tags ? JSON.parse(row.tags) : void 0
+  };
+}
+var ContactManager = class {
+  store;
+  constructor(store) {
+    this.store = store;
+  }
+  add(contact) {
+    const db = this.store.getDb();
+    const now = contact.added_at ?? Date.now();
+    db.prepare(`
+      INSERT INTO contacts (did, alias, display_name, notes, conversation_id, trusted, added_at, last_message_at, tags)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(did) DO UPDATE SET
+        alias = COALESCE(excluded.alias, contacts.alias),
+        display_name = COALESCE(excluded.display_name, contacts.display_name),
+        notes = COALESCE(excluded.notes, contacts.notes),
+        conversation_id = COALESCE(excluded.conversation_id, contacts.conversation_id),
+        trusted = excluded.trusted,
+        last_message_at = COALESCE(excluded.last_message_at, contacts.last_message_at),
+        tags = COALESCE(excluded.tags, contacts.tags)
+    `).run(
+      contact.did,
+      contact.alias ?? null,
+      contact.display_name ?? null,
+      contact.notes ?? null,
+      contact.conversation_id ?? null,
+      contact.trusted ? 1 : 0,
+      now,
+      contact.last_message_at ?? null,
+      contact.tags ? JSON.stringify(contact.tags) : null
+    );
+    return { ...contact, added_at: now };
+  }
+  remove(did) {
+    const result = this.store.getDb().prepare("DELETE FROM contacts WHERE did = ?").run(did);
+    return result.changes > 0;
+  }
+  get(did) {
+    const row = this.store.getDb().prepare("SELECT * FROM contacts WHERE did = ?").get(did);
+    return row ? rowToContact(row) : null;
+  }
+  update(did, updates) {
+    const existing = this.get(did);
+    if (!existing) return null;
+    const fields = [];
+    const values = [];
+    if (updates.alias !== void 0) {
+      fields.push("alias = ?");
+      values.push(updates.alias);
+    }
+    if (updates.display_name !== void 0) {
+      fields.push("display_name = ?");
+      values.push(updates.display_name);
+    }
+    if (updates.notes !== void 0) {
+      fields.push("notes = ?");
+      values.push(updates.notes);
+    }
+    if (updates.conversation_id !== void 0) {
+      fields.push("conversation_id = ?");
+      values.push(updates.conversation_id);
+    }
+    if (updates.trusted !== void 0) {
+      fields.push("trusted = ?");
+      values.push(updates.trusted ? 1 : 0);
+    }
+    if (updates.last_message_at !== void 0) {
+      fields.push("last_message_at = ?");
+      values.push(updates.last_message_at);
+    }
+    if (updates.tags !== void 0) {
+      fields.push("tags = ?");
+      values.push(JSON.stringify(updates.tags));
+    }
+    if (fields.length === 0) return existing;
+    values.push(did);
+    this.store.getDb().prepare(`UPDATE contacts SET ${fields.join(", ")} WHERE did = ?`).run(...values);
+    return this.get(did);
+  }
+  list(opts) {
+    const conditions = [];
+    const params = [];
+    if (opts?.trusted !== void 0) {
+      conditions.push("trusted = ?");
+      params.push(opts.trusted ? 1 : 0);
+    }
+    if (opts?.tag) {
+      conditions.push("tags LIKE ?");
+      params.push(`%"${opts.tag}"%`);
+    }
+    const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+    const limit = opts?.limit ? `LIMIT ${opts.limit}` : "";
+    const offset = opts?.offset ? `OFFSET ${opts.offset}` : "";
+    const rows = this.store.getDb().prepare(`SELECT * FROM contacts ${where} ORDER BY added_at DESC ${limit} ${offset}`).all(...params);
+    return rows.map(rowToContact);
+  }
+  search(query) {
+    const pattern = `%${query}%`;
+    const rows = this.store.getDb().prepare(`
+        SELECT * FROM contacts
+        WHERE did LIKE ? OR alias LIKE ? OR display_name LIKE ? OR notes LIKE ?
+        ORDER BY added_at DESC
+      `).all(pattern, pattern, pattern, pattern);
+    return rows.map(rowToContact);
+  }
+  export(format = "json") {
+    const contacts = this.list();
+    if (format === "csv") {
+      const header = "did,alias,display_name,notes,conversation_id,trusted,added_at,last_message_at,tags";
+      const rows = contacts.map(
+        (c) => [
+          c.did,
+          c.alias ?? "",
+          c.display_name ?? "",
+          c.notes ?? "",
+          c.conversation_id ?? "",
+          c.trusted,
+          c.added_at,
+          c.last_message_at ?? "",
+          c.tags ? JSON.stringify(c.tags) : ""
+        ].map((v) => `"${String(v).replace(/"/g, '""')}"`).join(",")
+      );
+      return [header, ...rows].join("\n");
+    }
+    return JSON.stringify(contacts, null, 2);
+  }
+  import(data, format = "json") {
+    let imported = 0;
+    let skipped = 0;
+    if (format === "json") {
+      const contacts = JSON.parse(data);
+      for (const c of contacts) {
+        try {
+          this.add(c);
+          imported++;
+        } catch {
+          skipped++;
+        }
+      }
+    } else {
+      const lines = data.split("\n").filter((l) => l.trim());
+      for (let i = 1; i < lines.length; i++) {
+        try {
+          const cols = parseCsvLine(lines[i]);
+          this.add({
+            did: cols[0],
+            alias: cols[1] || void 0,
+            display_name: cols[2] || void 0,
+            notes: cols[3] || void 0,
+            conversation_id: cols[4] || void 0,
+            trusted: cols[5] === "1" || cols[5] === "true",
+            added_at: parseInt(cols[6]) || Date.now(),
+            last_message_at: cols[7] ? parseInt(cols[7]) : void 0,
+            tags: cols[8] ? JSON.parse(cols[8]) : void 0
+          });
+          imported++;
+        } catch {
+          skipped++;
+        }
+      }
+    }
+    return { imported, skipped };
+  }
+};
+function parseCsvLine(line) {
+  const result = [];
+  let current = "";
+  let inQuotes = false;
+  for (let i = 0; i < line.length; i++) {
+    const ch = line[i];
+    if (inQuotes) {
+      if (ch === '"' && line[i + 1] === '"') {
+        current += '"';
+        i++;
+      } else if (ch === '"') {
+        inQuotes = false;
+      } else {
+        current += ch;
+      }
+    } else {
+      if (ch === '"') {
+        inQuotes = true;
+      } else if (ch === ",") {
+        result.push(current);
+        current = "";
+      } else {
+        current += ch;
+      }
+    }
+  }
+  result.push(current);
+  return result;
+}
+
+// src/history.ts
+function rowToMessage(row) {
+  return {
+    conversation_id: row.conversation_id,
+    message_id: row.message_id,
+    seq: row.seq ?? void 0,
+    sender_did: row.sender_did,
+    schema: row.schema,
+    payload: JSON.parse(row.payload),
+    ts_ms: row.ts_ms,
+    direction: row.direction
+  };
+}
+var HistoryManager = class {
+  store;
+  constructor(store) {
+    this.store = store;
+  }
+  save(messages) {
+    const db = this.store.getDb();
+    const stmt = db.prepare(`
+      INSERT INTO messages (conversation_id, message_id, seq, sender_did, schema, payload, ts_ms, direction)
+      VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(message_id) DO UPDATE SET
+        seq = COALESCE(excluded.seq, messages.seq),
+        payload = excluded.payload,
+        ts_ms = excluded.ts_ms
+    `);
+    let count = 0;
+    const tx = db.transaction(() => {
+      for (const msg of messages) {
+        stmt.run(
+          msg.conversation_id,
+          msg.message_id,
+          msg.seq ?? null,
+          msg.sender_did,
+          msg.schema,
+          JSON.stringify(msg.payload),
+          msg.ts_ms,
+          msg.direction
+        );
+        count++;
+      }
+    });
+    tx();
+    return count;
+  }
+  list(conversationId, opts) {
+    const conditions = ["conversation_id = ?"];
+    const params = [conversationId];
+    if (opts?.beforeSeq !== void 0) {
+      conditions.push("seq < ?");
+      params.push(opts.beforeSeq);
+    }
+    if (opts?.afterSeq !== void 0) {
+      conditions.push("seq > ?");
+      params.push(opts.afterSeq);
+    }
+    if (opts?.beforeTsMs !== void 0) {
+      conditions.push("ts_ms < ?");
+      params.push(opts.beforeTsMs);
+    }
+    if (opts?.afterTsMs !== void 0) {
+      conditions.push("ts_ms > ?");
+      params.push(opts.afterTsMs);
+    }
+    const limit = opts?.limit ?? 100;
+    const rows = this.store.getDb().prepare(`SELECT * FROM messages WHERE ${conditions.join(" AND ")} ORDER BY COALESCE(seq, ts_ms) ASC LIMIT ?`).all(...params, limit);
+    return rows.map(rowToMessage);
+  }
+  /**
+   * List the most recent N messages *before* a seq (paging older history).
+   * Only compares rows where seq is not null.
+   */
+  listBeforeSeq(conversationId, beforeSeq, limit) {
+    const rows = this.store.getDb().prepare(
+      `SELECT * FROM messages
+         WHERE conversation_id = ? AND seq IS NOT NULL AND seq < ?
+         ORDER BY seq DESC
+         LIMIT ?`
+    ).all(conversationId, beforeSeq, limit);
+    return rows.map(rowToMessage).reverse();
+  }
+  /**
+   * List the most recent N messages *before* a timestamp (paging older history).
+   */
+  listBeforeTs(conversationId, beforeTsMs, limit) {
+    const rows = this.store.getDb().prepare(
+      `SELECT * FROM messages
+         WHERE conversation_id = ? AND ts_ms < ?
+         ORDER BY ts_ms DESC
+         LIMIT ?`
+    ).all(conversationId, beforeTsMs, limit);
+    return rows.map(rowToMessage).reverse();
+  }
+  /** Returns the N most recent messages (chronological order, oldest to newest of those N). */
+  listRecent(conversationId, limit) {
+    const rows = this.store.getDb().prepare(
+      `SELECT * FROM messages WHERE conversation_id = ? ORDER BY COALESCE(seq, ts_ms) DESC LIMIT ?`
+    ).all(conversationId, limit);
+    return rows.map(rowToMessage).reverse();
+  }
+  search(query, opts) {
+    const conditions = ["payload LIKE ?"];
+    const params = [`%${query}%`];
+    if (opts?.conversationId) {
+      conditions.push("conversation_id = ?");
+      params.push(opts.conversationId);
+    }
+    const limit = opts?.limit ?? 50;
+    const rows = this.store.getDb().prepare(`SELECT * FROM messages WHERE ${conditions.join(" AND ")} ORDER BY ts_ms DESC LIMIT ?`).all(...params, limit);
+    return rows.map(rowToMessage);
+  }
+  delete(conversationId) {
+    const result = this.store.getDb().prepare("DELETE FROM messages WHERE conversation_id = ?").run(conversationId);
+    this.store.getDb().prepare("DELETE FROM sync_state WHERE conversation_id = ?").run(conversationId);
+    return result.changes;
+  }
+  listConversations() {
+    const rows = this.store.getDb().prepare(`
+        SELECT conversation_id, COUNT(*) as message_count, MAX(ts_ms) as last_message_at
+        FROM messages
+        GROUP BY conversation_id
+        ORDER BY last_message_at DESC
+      `).all();
+    return rows;
+  }
+  getLastSyncedSeq(conversationId) {
+    const row = this.store.getDb().prepare("SELECT last_synced_seq FROM sync_state WHERE conversation_id = ?").get(conversationId);
+    return row?.last_synced_seq ?? 0;
+  }
+  setLastSyncedSeq(conversationId, seq) {
+    this.store.getDb().prepare(`
+      INSERT INTO sync_state (conversation_id, last_synced_seq, last_synced_at)
+      VALUES (?, ?, ?)
+      ON CONFLICT(conversation_id) DO UPDATE SET last_synced_seq = excluded.last_synced_seq, last_synced_at = excluded.last_synced_at
+    `).run(conversationId, seq, Date.now());
+  }
+  export(opts) {
+    const format = opts?.format ?? "json";
+    let messages;
+    if (opts?.conversationId) {
+      messages = this.list(opts.conversationId, { limit: 1e5 });
+    } else {
+      const rows = this.store.getDb().prepare("SELECT * FROM messages ORDER BY ts_ms ASC").all();
+      messages = rows.map(rowToMessage);
+    }
+    if (format === "csv") {
+      const header = "conversation_id,message_id,seq,sender_did,schema,payload,ts_ms,direction";
+      const lines = messages.map(
+        (m) => [
+          m.conversation_id,
+          m.message_id,
+          m.seq ?? "",
+          m.sender_did,
+          m.schema,
+          JSON.stringify(m.payload),
+          m.ts_ms,
+          m.direction
+        ].map((v) => `"${String(v).replace(/"/g, '""')}"`).join(",")
+      );
+      return [header, ...lines].join("\n");
+    }
+    return JSON.stringify(messages, null, 2);
+  }
+  async syncFromServer(client, conversationId, opts) {
+    const sinceSeq = opts?.full ? 0 : this.getLastSyncedSeq(conversationId);
+    let totalSynced = 0;
+    let currentSeq = sinceSeq;
+    while (true) {
+      const res = await client.fetchInbox(conversationId, {
+        sinceSeq: currentSeq,
+        limit: 50
+      });
+      if (!res.ok || !res.data || res.data.messages.length === 0) break;
+      const messages = res.data.messages.map((msg) => ({
+        conversation_id: conversationId,
+        message_id: msg.message_id,
+        seq: msg.seq,
+        sender_did: msg.sender_did,
+        schema: msg.schema,
+        payload: msg.payload,
+        ts_ms: msg.ts_ms,
+        direction: "received"
+      }));
+      this.save(messages);
+      totalSynced += messages.length;
+      currentSeq = res.data.next_since_seq;
+      this.setLastSyncedSeq(conversationId, currentSeq);
+      if (!res.data.has_more) break;
+    }
+    return { synced: totalSynced };
+  }
+  async listMergedRecent(client, conversationId, opts) {
+    const limit = opts?.limit ?? 50;
+    const box = opts?.box ?? "ready";
+    const local = this.listRecent(conversationId, limit * 2);
+    const remoteRes = await client.fetchInbox(conversationId, { sinceSeq: 0, limit, box: box === "all" ? "ready" : box });
+    const remote = remoteRes.ok && remoteRes.data ? remoteRes.data.messages.map((msg) => ({
+      conversation_id: conversationId,
+      message_id: msg.message_id,
+      seq: msg.seq,
+      sender_did: msg.sender_did,
+      schema: msg.schema,
+      payload: msg.payload,
+      ts_ms: msg.ts_ms,
+      direction: msg.sender_did === client.getDid() ? "sent" : "received"
+    })) : [];
+    const byId = /* @__PURE__ */ new Map();
+    for (const msg of [...local, ...remote]) byId.set(msg.message_id, msg);
+    return Array.from(byId.values()).sort((a, b) => (a.seq ?? a.ts_ms) - (b.seq ?? b.ts_ms)).slice(-limit);
+  }
+};
+
+// src/session.ts
+function rowToSession(row) {
+  return {
+    session_key: row.session_key,
+    remote_did: row.remote_did ?? void 0,
+    conversation_id: row.conversation_id ?? void 0,
+    trust_state: row.trust_state || "stranger",
+    last_message_preview: row.last_message_preview ?? void 0,
+    last_remote_activity_at: row.last_remote_activity_at ?? void 0,
+    last_read_seq: row.last_read_seq ?? 0,
+    unread_count: row.unread_count ?? 0,
+    active: row.active === 1,
+    updated_at: row.updated_at ?? 0
+  };
+}
+function previewFromPayload(payload) {
+  if (payload == null) return "";
+  if (typeof payload === "string") return payload.slice(0, 280);
+  if (typeof payload !== "object") return String(payload).slice(0, 280);
+  const value = payload;
+  const preferred = value.text ?? value.title ?? value.summary ?? value.message ?? value.description ?? value.error_message;
+  if (typeof preferred === "string") return preferred.slice(0, 280);
+  return JSON.stringify(payload).slice(0, 280);
+}
+function buildSessionKey(opts) {
+  const type = opts.conversationType ?? "";
+  if (type === "channel" || type === "group" || opts.conversationId.startsWith("c_grp_")) {
+    return `hook:im:conv:${opts.conversationId}`;
+  }
+  const remote = (opts.remoteDid ?? "").trim();
+  if (!remote) {
+    return `hook:im:conv:${opts.conversationId}`;
+  }
+  const local = (opts.localDid ?? "").trim();
+  if (!local) {
+    return `hook:im:peer:${remote}:conv:${opts.conversationId}`;
+  }
+  return `hook:im:did:${local}:peer:${remote}`;
+}
+var SessionManager = class {
+  constructor(store) {
+    this.store = store;
+  }
+  upsert(state) {
+    const now = state.updated_at ?? Date.now();
+    const existing = this.get(state.session_key);
+    const next = {
+      session_key: state.session_key,
+      remote_did: state.remote_did ?? existing?.remote_did,
+      conversation_id: state.conversation_id ?? existing?.conversation_id,
+      trust_state: state.trust_state ?? existing?.trust_state ?? "stranger",
+      last_message_preview: state.last_message_preview ?? existing?.last_message_preview,
+      last_remote_activity_at: state.last_remote_activity_at ?? existing?.last_remote_activity_at,
+      last_read_seq: state.last_read_seq ?? existing?.last_read_seq ?? 0,
+      unread_count: state.unread_count ?? existing?.unread_count ?? 0,
+      active: state.active ?? existing?.active ?? false,
+      updated_at: now
+    };
+    if (next.active) {
+      this.store.getDb().prepare("UPDATE session_state SET active = 0 WHERE session_key != ?").run(next.session_key);
+    }
+    this.store.getDb().prepare(`
+      INSERT INTO session_state (
+        session_key, remote_did, conversation_id, trust_state, last_message_preview,
+        last_remote_activity_at, last_read_seq, unread_count, active, updated_at
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(session_key) DO UPDATE SET
+        remote_did = COALESCE(excluded.remote_did, session_state.remote_did),
+        conversation_id = COALESCE(excluded.conversation_id, session_state.conversation_id),
+        trust_state = excluded.trust_state,
+        last_message_preview = COALESCE(excluded.last_message_preview, session_state.last_message_preview),
+        last_remote_activity_at = COALESCE(excluded.last_remote_activity_at, session_state.last_remote_activity_at),
+        last_read_seq = excluded.last_read_seq,
+        unread_count = excluded.unread_count,
+        active = excluded.active,
+        updated_at = excluded.updated_at
+    `).run(
+      next.session_key,
+      next.remote_did ?? null,
+      next.conversation_id ?? null,
+      next.trust_state,
+      next.last_message_preview ?? null,
+      next.last_remote_activity_at ?? null,
+      next.last_read_seq,
+      next.unread_count,
+      next.active ? 1 : 0,
+      next.updated_at
+    );
+    return next;
+  }
+  upsertFromMessage(input) {
+    const sessionKey = input.session_key ?? buildSessionKey({
+      localDid: "",
+      remoteDid: input.remote_did ?? input.sender_did ?? "",
+      conversationId: input.conversation_id
+    });
+    const existing = this.get(sessionKey);
+    const preview = previewFromPayload(input.payload);
+    const isRemote = input.sender_is_self !== true;
+    const seq = input.seq ?? 0;
+    const lastReadSeq = existing?.last_read_seq ?? 0;
+    const unreadCount = isRemote && seq > lastReadSeq ? Math.max(existing?.unread_count ?? 0, seq - lastReadSeq) : existing?.unread_count ?? 0;
+    const activity = isRemote ? input.ts_ms ?? Date.now() : existing?.last_remote_activity_at;
+    return this.upsert({
+      session_key: sessionKey,
+      remote_did: input.remote_did ?? existing?.remote_did ?? (isRemote ? input.sender_did : void 0),
+      conversation_id: input.conversation_id,
+      trust_state: input.trust_state ?? existing?.trust_state ?? "stranger",
+      last_message_preview: preview || existing?.last_message_preview,
+      last_remote_activity_at: activity,
+      last_read_seq: existing?.last_read_seq ?? 0,
+      unread_count: unreadCount,
+      active: existing?.active ?? false,
+      updated_at: input.ts_ms ?? Date.now()
+    });
+  }
+  get(sessionKey) {
+    const row = this.store.getDb().prepare("SELECT * FROM session_state WHERE session_key = ?").get(sessionKey);
+    return row ? rowToSession(row) : null;
+  }
+  getByConversationId(conversationId) {
+    const row = this.store.getDb().prepare("SELECT * FROM session_state WHERE conversation_id = ? ORDER BY updated_at DESC LIMIT 1").get(conversationId);
+    return row ? rowToSession(row) : null;
+  }
+  getActiveSession() {
+    const row = this.store.getDb().prepare("SELECT * FROM session_state WHERE active = 1 ORDER BY updated_at DESC LIMIT 1").get();
+    return row ? rowToSession(row) : null;
+  }
+  listRecentSessions(limit = 20) {
+    const rows = this.store.getDb().prepare("SELECT * FROM session_state ORDER BY COALESCE(last_remote_activity_at, updated_at) DESC, updated_at DESC LIMIT ?").all(limit);
+    return rows.map(rowToSession);
+  }
+  focusSession(sessionKey) {
+    const session = this.get(sessionKey);
+    if (!session) return null;
+    this.store.getDb().prepare("UPDATE session_state SET active = CASE WHEN session_key = ? THEN 1 ELSE 0 END").run(sessionKey);
+    return this.get(sessionKey);
+  }
+  markRead(sessionKey, seq) {
+    const session = this.get(sessionKey);
+    if (!session) return null;
+    const lastReadSeq = Math.max(session.last_read_seq, seq ?? session.last_read_seq);
+    return this.upsert({
+      session_key: sessionKey,
+      last_read_seq: lastReadSeq,
+      unread_count: 0,
+      active: session.active
+    });
+  }
+  nextUnread() {
+    const row = this.store.getDb().prepare("SELECT * FROM session_state WHERE unread_count > 0 ORDER BY last_remote_activity_at DESC, updated_at DESC LIMIT 1").get();
+    return row ? rowToSession(row) : null;
+  }
+  resolveReplyTarget(sessionKey) {
+    const session = sessionKey ? this.get(sessionKey) : this.getActiveSession();
+    if (!session) return null;
+    return {
+      session_key: session.session_key,
+      remote_did: session.remote_did,
+      conversation_id: session.conversation_id,
+      trust_state: session.trust_state
+    };
+  }
+};
+
+// src/session-summaries.ts
+function rowToSummary(row) {
+  return {
+    session_key: row.session_key,
+    objective: row.objective ?? void 0,
+    context: row.context ?? void 0,
+    constraints: row.constraints ?? void 0,
+    decisions: row.decisions ?? void 0,
+    open_questions: row.open_questions ?? void 0,
+    next_action: row.next_action ?? void 0,
+    handoff_ready_text: row.handoff_ready_text ?? void 0,
+    updated_at: row.updated_at
+  };
+}
+function cleanText(value) {
+  const text = String(value ?? "").trim();
+  return text ? text.slice(0, 8e3) : void 0;
+}
+function buildSessionSummaryHandoffText(summary) {
+  if (!summary) return "";
+  if (summary.handoff_ready_text) return summary.handoff_ready_text;
+  const parts = [
+    summary.objective ? `Objective: ${summary.objective}` : null,
+    summary.context ? `Context: ${summary.context}` : null,
+    summary.constraints ? `Constraints: ${summary.constraints}` : null,
+    summary.decisions ? `Decisions: ${summary.decisions}` : null,
+    summary.open_questions ? `Open questions: ${summary.open_questions}` : null,
+    summary.next_action ? `Next action: ${summary.next_action}` : null
+  ].filter(Boolean);
+  return parts.join("\n");
+}
+var SessionSummaryManager = class {
+  constructor(store) {
+    this.store = store;
+  }
+  upsert(input) {
+    const now = input.updated_at ?? Date.now();
+    const existing = this.get(input.session_key);
+    const next = {
+      session_key: input.session_key,
+      objective: cleanText(input.objective) ?? existing?.objective,
+      context: cleanText(input.context) ?? existing?.context,
+      constraints: cleanText(input.constraints) ?? existing?.constraints,
+      decisions: cleanText(input.decisions) ?? existing?.decisions,
+      open_questions: cleanText(input.open_questions) ?? existing?.open_questions,
+      next_action: cleanText(input.next_action) ?? existing?.next_action,
+      handoff_ready_text: cleanText(input.handoff_ready_text) ?? existing?.handoff_ready_text,
+      updated_at: now
+    };
+    this.store.getDb().prepare(`
+      INSERT INTO session_summaries (
+        session_key, objective, context, constraints, decisions, open_questions, next_action, handoff_ready_text, updated_at
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(session_key) DO UPDATE SET
+        objective = excluded.objective,
+        context = excluded.context,
+        constraints = excluded.constraints,
+        decisions = excluded.decisions,
+        open_questions = excluded.open_questions,
+        next_action = excluded.next_action,
+        handoff_ready_text = excluded.handoff_ready_text,
+        updated_at = excluded.updated_at
+    `).run(
+      next.session_key,
+      next.objective ?? null,
+      next.context ?? null,
+      next.constraints ?? null,
+      next.decisions ?? null,
+      next.open_questions ?? null,
+      next.next_action ?? null,
+      next.handoff_ready_text ?? null,
+      next.updated_at
+    );
+    return next;
+  }
+  get(sessionKey) {
+    const row = this.store.getDb().prepare("SELECT * FROM session_summaries WHERE session_key = ?").get(sessionKey);
+    return row ? rowToSummary(row) : null;
+  }
+  listRecent(limit = 20) {
+    const rows = this.store.getDb().prepare("SELECT * FROM session_summaries ORDER BY updated_at DESC LIMIT ?").all(limit);
+    return rows.map(rowToSummary);
+  }
+};
+
+// src/task-threads.ts
+function rowToThread(row) {
+  return {
+    task_id: row.task_id,
+    session_key: row.session_key,
+    conversation_id: row.conversation_id,
+    title: row.title ?? void 0,
+    status: row.status,
+    started_at: row.started_at ?? void 0,
+    updated_at: row.updated_at,
+    result_summary: row.result_summary ?? void 0,
+    error_code: row.error_code ?? void 0,
+    error_message: row.error_message ?? void 0
+  };
+}
+var TaskThreadManager = class {
+  constructor(store) {
+    this.store = store;
+  }
+  upsert(thread) {
+    const updatedAt = thread.updated_at ?? Date.now();
+    const existing = this.get(thread.task_id);
+    this.store.getDb().prepare(`
+      INSERT INTO task_threads (
+        task_id, session_key, conversation_id, title, status, started_at, updated_at, result_summary, error_code, error_message
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(task_id) DO UPDATE SET
+        session_key = excluded.session_key,
+        conversation_id = excluded.conversation_id,
+        title = COALESCE(excluded.title, task_threads.title),
+        status = excluded.status,
+        started_at = COALESCE(excluded.started_at, task_threads.started_at),
+        updated_at = excluded.updated_at,
+        result_summary = COALESCE(excluded.result_summary, task_threads.result_summary),
+        error_code = COALESCE(excluded.error_code, task_threads.error_code),
+        error_message = COALESCE(excluded.error_message, task_threads.error_message)
+    `).run(
+      thread.task_id,
+      thread.session_key,
+      thread.conversation_id,
+      thread.title ?? null,
+      thread.status,
+      thread.started_at ?? existing?.started_at ?? updatedAt,
+      updatedAt,
+      thread.result_summary ?? null,
+      thread.error_code ?? null,
+      thread.error_message ?? null
+    );
+    return this.get(thread.task_id);
+  }
+  get(taskId) {
+    const row = this.store.getDb().prepare("SELECT * FROM task_threads WHERE task_id = ?").get(taskId);
+    return row ? rowToThread(row) : null;
+  }
+  listBySession(sessionKey, limit = 20) {
+    const rows = this.store.getDb().prepare("SELECT * FROM task_threads WHERE session_key = ? ORDER BY updated_at DESC LIMIT ?").all(sessionKey, limit);
+    return rows.map(rowToThread);
+  }
+  listByConversation(conversationId, limit = 20) {
+    const rows = this.store.getDb().prepare("SELECT * FROM task_threads WHERE conversation_id = ? ORDER BY updated_at DESC LIMIT ?").all(conversationId, limit);
+    return rows.map(rowToThread);
+  }
+  listRecent(limit = 20) {
+    const rows = this.store.getDb().prepare("SELECT * FROM task_threads ORDER BY updated_at DESC LIMIT ?").all(limit);
+    return rows.map(rowToThread);
+  }
+};
+
+// src/task-handoffs.ts
+function cleanText2(value) {
+  const text = String(value ?? "").trim();
+  return text ? text.slice(0, 8e3) : void 0;
+}
+function rowToHandoff(row) {
+  return {
+    task_id: row.task_id,
+    session_key: row.session_key,
+    conversation_id: row.conversation_id,
+    objective: row.objective ?? void 0,
+    carry_forward_summary: row.carry_forward_summary ?? void 0,
+    success_criteria: row.success_criteria ?? void 0,
+    callback_session_key: row.callback_session_key ?? void 0,
+    priority: row.priority ?? void 0,
+    delegated_by: row.delegated_by ?? void 0,
+    delegated_to: row.delegated_to ?? void 0,
+    updated_at: row.updated_at
+  };
+}
+var TaskHandoffManager = class {
+  constructor(store) {
+    this.store = store;
+  }
+  upsert(input) {
+    const now = input.updated_at ?? Date.now();
+    const existing = this.get(input.task_id);
+    const next = {
+      task_id: input.task_id,
+      session_key: input.session_key,
+      conversation_id: input.conversation_id,
+      objective: cleanText2(input.objective) ?? existing?.objective,
+      carry_forward_summary: cleanText2(input.carry_forward_summary) ?? existing?.carry_forward_summary,
+      success_criteria: cleanText2(input.success_criteria) ?? existing?.success_criteria,
+      callback_session_key: cleanText2(input.callback_session_key) ?? existing?.callback_session_key,
+      priority: cleanText2(input.priority) ?? existing?.priority,
+      delegated_by: cleanText2(input.delegated_by) ?? existing?.delegated_by,
+      delegated_to: cleanText2(input.delegated_to) ?? existing?.delegated_to,
+      updated_at: now
+    };
+    this.store.getDb().prepare(`
+      INSERT INTO task_handoffs (
+        task_id, session_key, conversation_id, objective, carry_forward_summary, success_criteria,
+        callback_session_key, priority, delegated_by, delegated_to, updated_at
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(task_id) DO UPDATE SET
+        session_key = excluded.session_key,
+        conversation_id = excluded.conversation_id,
+        objective = excluded.objective,
+        carry_forward_summary = excluded.carry_forward_summary,
+        success_criteria = excluded.success_criteria,
+        callback_session_key = excluded.callback_session_key,
+        priority = excluded.priority,
+        delegated_by = excluded.delegated_by,
+        delegated_to = excluded.delegated_to,
+        updated_at = excluded.updated_at
+    `).run(
+      next.task_id,
+      next.session_key,
+      next.conversation_id,
+      next.objective ?? null,
+      next.carry_forward_summary ?? null,
+      next.success_criteria ?? null,
+      next.callback_session_key ?? null,
+      next.priority ?? null,
+      next.delegated_by ?? null,
+      next.delegated_to ?? null,
+      next.updated_at
+    );
+    return next;
+  }
+  get(taskId) {
+    const row = this.store.getDb().prepare("SELECT * FROM task_handoffs WHERE task_id = ?").get(taskId);
+    return row ? rowToHandoff(row) : null;
+  }
+  listBySession(sessionKey, limit = 20) {
+    const rows = this.store.getDb().prepare("SELECT * FROM task_handoffs WHERE session_key = ? ORDER BY updated_at DESC LIMIT ?").all(sessionKey, limit);
+    return rows.map(rowToHandoff);
+  }
+};
+
+// src/capability-card.ts
+function normalizeStringList(value) {
+  if (!Array.isArray(value)) return void 0;
+  const list = value.map((item) => String(item ?? "").trim()).filter(Boolean).slice(0, 32);
+  return list.length ? list : void 0;
+}
+function normalizeCapabilityCardItem(value) {
+  if (!value || typeof value !== "object") return null;
+  const source = value;
+  const id = String(source.id ?? "").trim();
+  if (!id) return null;
+  const label = String(source.label ?? "").trim() || void 0;
+  const description = String(source.description ?? "").trim() || void 0;
+  const acceptsTasks = typeof source.accepts_tasks === "boolean" ? source.accepts_tasks : void 0;
+  const acceptsMessages = typeof source.accepts_messages === "boolean" ? source.accepts_messages : void 0;
+  return {
+    id,
+    label,
+    description,
+    accepts_tasks: acceptsTasks,
+    accepts_messages: acceptsMessages,
+    input_modes: normalizeStringList(source.input_modes),
+    output_modes: normalizeStringList(source.output_modes),
+    examples: normalizeStringList(source.examples)
+  };
+}
+function normalizeCapabilityCard(value) {
+  if (!value || typeof value !== "object") return void 0;
+  const source = value;
+  const preferred = String(source.preferred_contact_mode ?? "").trim();
+  const capabilities = Array.isArray(source.capabilities) ? source.capabilities.map(normalizeCapabilityCardItem).filter(Boolean) : [];
+  return {
+    version: String(source.version ?? "1").trim() || "1",
+    summary: String(source.summary ?? "").trim() || void 0,
+    accepts_new_work: typeof source.accepts_new_work === "boolean" ? source.accepts_new_work : void 0,
+    preferred_contact_mode: preferred === "dm" || preferred === "task" || preferred === "either" ? preferred : void 0,
+    capabilities
+  };
+}
+function capabilityCardToLegacyCapabilities(card) {
+  if (!card?.capabilities?.length) return [];
+  return card.capabilities.map((item) => item.label || item.id).map((item) => String(item ?? "").trim()).filter(Boolean).slice(0, 24);
+}
+function formatCapabilityCardSummary(card) {
+  if (!card) return "(none)";
+  const parts = [];
+  if (card.summary) parts.push(card.summary);
+  if (card.preferred_contact_mode) parts.push(`preferred_contact_mode=${card.preferred_contact_mode}`);
+  if (typeof card.accepts_new_work === "boolean") parts.push(`accepts_new_work=${card.accepts_new_work}`);
+  if (card.capabilities?.length) {
+    parts.push(`capabilities=${card.capabilities.map((item) => item.label || item.id).join(", ")}`);
+  }
+  return parts.join(" | ") || "(none)";
+}
+
+// src/e2ee.ts
+import { webcrypto } from "crypto";
+import { SCHEMA_CONTACT_REQUEST, SCHEMA_RESULT, SCHEMA_TASK, SCHEMA_TEXT } from "@pingagent/schemas";
+var subtle = webcrypto.subtle;
+var encoder = new TextEncoder();
+var decoder = new TextDecoder();
+function bytesToBase64Url(bytes) {
+  return Buffer.from(bytes).toString("base64url");
+}
+function base64UrlToBytes(value) {
+  return new Uint8Array(Buffer.from(value, "base64url"));
+}
+function isObject(value) {
+  return value != null && typeof value === "object" && !Array.isArray(value);
+}
+async function importEncryptionPublicKey(jwk) {
+  return subtle.importKey(
+    "jwk",
+    { ...jwk, ext: true },
+    { name: "ECDH", namedCurve: "P-256" },
+    false,
+    []
+  );
+}
+async function importEncryptionPrivateKey(jwk) {
+  return subtle.importKey(
+    "jwk",
+    { ...jwk, ext: true, key_ops: ["deriveKey"] },
+    { name: "ECDH", namedCurve: "P-256" },
+    false,
+    ["deriveKey"]
+  );
+}
+function splitPayloadForEncryption(schema, payload) {
+  if (schema === SCHEMA_TASK) {
+    const {
+      task_id,
+      idempotency_key,
+      expected_output_schema,
+      timeout_ms,
+      ...protectedPayload
+    } = payload;
+    return {
+      cleartext: {
+        ...task_id ? { task_id } : {},
+        ...idempotency_key ? { idempotency_key } : {},
+        ...expected_output_schema ? { expected_output_schema } : {},
+        ...timeout_ms ? { timeout_ms } : {}
+      },
+      protectedPayload
+    };
+  }
+  if (schema === SCHEMA_RESULT) {
+    const { task_id, status, elapsed_ms, ...protectedPayload } = payload;
+    return {
+      cleartext: {
+        ...task_id ? { task_id } : {},
+        ...status ? { status } : {},
+        ...elapsed_ms != null ? { elapsed_ms } : {}
+      },
+      protectedPayload
+    };
+  }
+  if (schema === SCHEMA_TEXT || schema === SCHEMA_CONTACT_REQUEST) {
+    return { cleartext: {}, protectedPayload: payload };
+  }
+  return { cleartext: payload, protectedPayload: {} };
+}
+function mergePayloadFromWrapper(wrapper, decryptedProtectedPayload) {
+  return {
+    ...wrapper.__e2ee.cleartext,
+    ...decryptedProtectedPayload
+  };
+}
+function isEncryptedPayload(payload) {
+  return isObject(payload) && isObject(payload.__e2ee) && Array.isArray(payload.__e2ee.recipients) && isObject(payload.__e2ee.cleartext);
+}
+function shouldEncryptConversationPayload(conversationId, schema) {
+  if (!(conversationId.startsWith("c_dm_") || conversationId.startsWith("c_pdm_"))) return false;
+  return schema === SCHEMA_TEXT || schema === SCHEMA_CONTACT_REQUEST || schema === SCHEMA_TASK || schema === SCHEMA_RESULT;
+}
+async function encryptPayloadForRecipients(opts) {
+  const { cleartext, protectedPayload } = splitPayloadForEncryption(opts.schema, opts.payload);
+  const recipientBlobs = [];
+  const plaintextBytes = encoder.encode(JSON.stringify(protectedPayload));
+  const uniqueRecipients = /* @__PURE__ */ new Map();
+  for (const recipient of opts.recipients) {
+    uniqueRecipients.set(recipient.did, recipient);
+  }
+  for (const recipient of uniqueRecipients.values()) {
+    if (!recipient.encryption_public_key) {
+      throw new Error(`Recipient ${recipient.did} has no registered encryption public key`);
+    }
+    const ephemeral = await subtle.generateKey(
+      { name: "ECDH", namedCurve: "P-256" },
+      true,
+      ["deriveKey"]
+    );
+    const recipientPublicKey = await importEncryptionPublicKey(recipient.encryption_public_key);
+    const contentKey = await subtle.deriveKey(
+      { name: "ECDH", public: recipientPublicKey },
+      ephemeral.privateKey,
+      { name: "AES-GCM", length: 256 },
+      false,
+      ["encrypt"]
+    );
+    const iv = webcrypto.getRandomValues(new Uint8Array(12));
+    const ciphertext = await subtle.encrypt(
+      { name: "AES-GCM", iv },
+      contentKey,
+      plaintextBytes
+    );
+    const ephemeralPublicKey = await subtle.exportKey("jwk", ephemeral.publicKey);
+    recipientBlobs.push({
+      did: recipient.did,
+      alg: "ECDH-P256+A256GCM",
+      ephemeral_public_key: {
+        kty: "EC",
+        crv: "P-256",
+        x: ephemeralPublicKey.x,
+        y: ephemeralPublicKey.y
+      },
+      iv: bytesToBase64Url(iv),
+      ciphertext: bytesToBase64Url(new Uint8Array(ciphertext))
+    });
+  }
+  return {
+    __e2ee: {
+      v: 1,
+      alg: "ECDH-P256+A256GCM",
+      recipients: recipientBlobs,
+      cleartext
+    }
+  };
+}
+async function decryptPayloadForIdentity(schema, payload, identity) {
+  if (!isEncryptedPayload(payload)) return payload;
+  if (!identity.encryptionPrivateKeyJwk) return payload;
+  const recipientBlob = payload.__e2ee.recipients.find((recipient) => recipient.did === identity.did);
+  if (!recipientBlob) return payload;
+  const privateKey = await importEncryptionPrivateKey(identity.encryptionPrivateKeyJwk);
+  const ephemeralPublicKey = await importEncryptionPublicKey(recipientBlob.ephemeral_public_key);
+  const contentKey = await subtle.deriveKey(
+    { name: "ECDH", public: ephemeralPublicKey },
+    privateKey,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["decrypt"]
+  );
+  const plaintext = await subtle.decrypt(
+    { name: "AES-GCM", iv: base64UrlToBytes(recipientBlob.iv) },
+    contentKey,
+    base64UrlToBytes(recipientBlob.ciphertext)
+  );
+  const decryptedProtectedPayload = JSON.parse(decoder.decode(plaintext));
+  return mergePayloadFromWrapper(payload, decryptedProtectedPayload);
+}
+
+// src/client.ts
+var PingAgentClient = class {
+  constructor(opts) {
+    this.opts = opts;
+    this.identity = Object.assign(opts.identity, ensureIdentityEncryptionKeys(opts.identity));
+    this.transport = new HttpTransport({
+      serverUrl: opts.serverUrl,
+      accessToken: opts.accessToken,
+      onTokenRefreshed: opts.onTokenRefreshed
+    });
+    if (opts.store) {
+      this.contactManager = new ContactManager(opts.store);
+      this.historyManager = new HistoryManager(opts.store);
+      this.sessionManager = new SessionManager(opts.store);
+      this.sessionSummaryManager = new SessionSummaryManager(opts.store);
+      this.taskThreadManager = new TaskThreadManager(opts.store);
+      this.taskHandoffManager = new TaskHandoffManager(opts.store);
+    }
+  }
+  transport;
+  identity;
+  contactManager;
+  historyManager;
+  sessionManager;
+  sessionSummaryManager;
+  taskThreadManager;
+  taskHandoffManager;
+  agentCardCache = /* @__PURE__ */ new Map();
+  getContactManager() {
+    return this.contactManager;
+  }
+  getHistoryManager() {
+    return this.historyManager;
+  }
+  getSessionManager() {
+    return this.sessionManager;
+  }
+  getSessionSummaryManager() {
+    return this.sessionSummaryManager;
+  }
+  getTaskThreadManager() {
+    return this.taskThreadManager;
+  }
+  getTaskHandoffManager() {
+    return this.taskHandoffManager;
+  }
+  /** Update the in-memory access token (e.g. after proactive refresh from disk). */
+  setAccessToken(token) {
+    this.transport.setToken(token);
+  }
+  async register(developerToken) {
+    let binary = "";
+    for (const b of this.identity.publicKey) binary += String.fromCharCode(b);
+    const publicKeyBase64 = btoa(binary);
+    return this.transport.request("POST", "/v1/agent/register", {
+      device_id: this.identity.deviceId,
+      public_key: publicKeyBase64,
+      encryption_public_key: this.identity.encryptionPublicKeyJwk,
+      developer_token: developerToken
+    }, true);
+  }
+  async openConversation(targetDid) {
+    const res = await this.transport.request("POST", "/v1/conversations/open", {
+      targets: [targetDid]
+    });
+    if (res.ok && res.data?.recipient_encryption_public_key) {
+      this.agentCardCache.set(targetDid, {
+        did: targetDid,
+        encryption_public_key: res.data.recipient_encryption_public_key
+      });
+    }
+    return res;
+  }
+  async resolveConversationPeer(conversationId) {
+    const fromSession = this.sessionManager?.getByConversationId(conversationId)?.remote_did;
+    if (fromSession) return fromSession;
+    const convList = await this.listConversations({ type: "dm" });
+    if (!convList.ok || !convList.data) return null;
+    return convList.data.conversations.find((conv) => conv.conversation_id === conversationId)?.target_did ?? null;
+  }
+  async getRecipientEncryptionCard(did) {
+    if (did === this.identity.did) {
+      return {
+        did,
+        encryption_public_key: this.identity.encryptionPublicKeyJwk
+      };
+    }
+    const cached = this.agentCardCache.get(did);
+    if (cached?.encryption_public_key) return cached;
+    const cardRes = await this.getAgentCard(did);
+    if (!cardRes.ok || !cardRes.data?.encryption_public_key) {
+      throw new Error(`Recipient ${did} has no registered encryption key`);
+    }
+    const card = {
+      did,
+      encryption_public_key: cardRes.data.encryption_public_key
+    };
+    this.agentCardCache.set(did, card);
+    return card;
+  }
+  sameEncryptionPublicKey(left, right) {
+    if (!left || !right) return false;
+    return left.kty === right.kty && left.crv === right.crv && left.x === right.x && left.y === right.y;
+  }
+  async sendMessage(conversationId, schema, payload) {
+    const ttlMs = schema === SCHEMA_TEXT2 ? 6048e5 : void 0;
+    let payloadForTransport = payload;
+    if (shouldEncryptConversationPayload(conversationId, schema)) {
+      try {
+        const remoteDid = await this.resolveConversationPeer(conversationId);
+        if (!remoteDid) {
+          return {
+            ok: false,
+            error: { code: ErrorCode2.INTERNAL, message: `Cannot determine peer DID for encrypted conversation ${conversationId}`, hint: "List conversations again or reopen the conversation before sending." }
+          };
+        }
+        const recipient = await this.getRecipientEncryptionCard(remoteDid);
+        payloadForTransport = await encryptPayloadForRecipients({
+          schema,
+          payload,
+          recipients: [
+            recipient,
+            {
+              did: this.identity.did,
+              encryption_public_key: this.identity.encryptionPublicKeyJwk
+            }
+          ]
+        });
+      } catch (error) {
+        return {
+          ok: false,
+          error: {
+            code: ErrorCode2.INTERNAL,
+            message: error?.message ?? "Failed to encrypt message payload",
+            hint: "Both sides must register encryption keys before direct messages can be sent end-to-end encrypted."
+          }
+        };
+      }
+    }
+    const unsigned = buildUnsignedEnvelope({
+      type: "message",
+      conversationId,
+      senderDid: this.identity.did,
+      senderDeviceId: this.identity.deviceId,
+      schema,
+      payload: payloadForTransport,
+      ttlMs
+    });
+    const signed = signEnvelope(unsigned, this.identity.privateKey);
+    const res = await this.transport.request("POST", "/v1/messages/send", signed);
+    if (res.ok && this.historyManager) {
+      this.historyManager.save([{
+        conversation_id: conversationId,
+        message_id: signed.message_id,
+        seq: res.data?.seq,
+        sender_did: this.identity.did,
+        schema,
+        payload,
+        ts_ms: signed.ts_ms,
+        direction: "sent"
+      }]);
+      this.sessionManager?.upsertFromMessage({
+        session_key: this.sessionManager.getByConversationId(conversationId)?.session_key,
+        remote_did: this.sessionManager.getByConversationId(conversationId)?.remote_did,
+        conversation_id: conversationId,
+        trust_state: this.sessionManager.getByConversationId(conversationId)?.trust_state ?? "trusted",
+        sender_did: this.identity.did,
+        sender_is_self: true,
+        schema,
+        payload,
+        seq: res.data?.seq,
+        ts_ms: signed.ts_ms
+      });
+    }
+    return res;
+  }
+  async sendTask(conversationId, task) {
+    return this.sendMessage(conversationId, SCHEMA_TASK2, {
+      ...task,
+      idempotency_key: task.task_id,
+      expected_output_schema: SCHEMA_RESULT2
+    });
+  }
+  async sendContactRequest(conversationId, message) {
+    const { v7: uuidv7 } = await import("uuid");
+    return this.sendMessage(conversationId, SCHEMA_CONTACT_REQUEST2, {
+      request_id: `r_${uuidv7()}`,
+      from_did: this.identity.did,
+      to_did: "",
+      capabilities: ["task", "result", "files"],
+      message,
+      expires_ms: 864e5
+    });
+  }
+  async fetchInbox(conversationId, opts) {
+    const params = new URLSearchParams({
+      conversation_id: conversationId,
+      since_seq: String(opts?.sinceSeq ?? 0),
+      limit: String(opts?.limit ?? 50),
+      box: opts?.box ?? "ready"
+    });
+    const res = await this.transport.request("GET", `/v1/inbox/fetch?${params}`);
+    if (res.ok && res.data && this.historyManager) {
+      const decryptedMessages = await Promise.all(res.data.messages.map(async (msg) => ({
+        ...msg,
+        payload: await decryptPayloadForIdentity(msg.schema, msg.payload ?? {}, this.identity).catch(() => msg.payload ?? {})
+      })));
+      res.data.messages = decryptedMessages;
+      const msgs = decryptedMessages.map((msg) => ({
+        conversation_id: conversationId,
+        message_id: msg.message_id,
+        seq: msg.seq,
+        sender_did: msg.sender_did,
+        schema: msg.schema,
+        payload: msg.payload,
+        ts_ms: msg.ts_ms,
+        direction: msg.sender_did === this.identity.did ? "sent" : "received"
+      }));
+      if (msgs.length > 0) {
+        this.historyManager.save(msgs);
+        const maxSeq = Math.max(...msgs.map((m) => m.seq ?? 0));
+        if (maxSeq > 0) this.historyManager.setLastSyncedSeq(conversationId, maxSeq);
+      }
+      for (const msg of decryptedMessages) {
+        const existingSession = this.sessionManager?.getByConversationId(conversationId);
+        this.sessionManager?.upsertFromMessage({
+          session_key: existingSession?.session_key,
+          remote_did: existingSession?.remote_did ?? (msg.sender_did !== this.identity.did ? msg.sender_did : void 0),
+          conversation_id: conversationId,
+          trust_state: existingSession?.trust_state ?? (opts?.box === "strangers" ? "pending" : "trusted"),
+          sender_did: msg.sender_did,
+          sender_is_self: msg.sender_did === this.identity.did,
+          schema: msg.schema,
+          payload: msg.payload,
+          seq: msg.seq,
+          ts_ms: msg.ts_ms
+        });
+        if (msg.schema === SCHEMA_RESULT2 && msg.payload?.task_id) {
+          const session = this.sessionManager?.getByConversationId(conversationId);
+          this.taskThreadManager?.upsert({
+            task_id: msg.payload.task_id,
+            session_key: session?.session_key ?? buildSessionKey({ localDid: this.identity.did, conversationId, remoteDid: session?.remote_did }),
+            conversation_id: conversationId,
+            status: msg.payload.status === "ok" ? "processed" : "failed",
+            updated_at: msg.ts_ms ?? Date.now(),
+            result_summary: msg.payload?.output?.summary,
+            error_code: msg.payload?.error?.code,
+            error_message: msg.payload?.error?.message
+          });
+        }
+      }
+    }
+    return res;
+  }
+  async ack(conversationId, forMessageId, status, opts) {
+    return this.transport.request("POST", "/v1/receipts/ack", {
+      conversation_id: conversationId,
+      for_message_id: forMessageId,
+      for_task_id: opts?.forTaskId,
+      status,
+      reason: opts?.reason,
+      detail: opts?.detail
+    });
+  }
+  async approveContact(conversationId) {
+    const res = await this.transport.request("POST", "/v1/control/approve_contact", {
+      conversation_id: conversationId
+    });
+    if (res.ok && this.contactManager) {
+      const pendingMessages = this.historyManager?.list(conversationId, { limit: 1 });
+      const senderDid = pendingMessages?.[0]?.sender_did;
+      if (senderDid && senderDid !== this.identity.did) {
+        this.contactManager.add({
+          did: senderDid,
+          conversation_id: res.data?.dm_conversation_id ?? conversationId,
+          trusted: true
+        });
+      }
+    }
+    if (res.ok) {
+      const existing = this.sessionManager?.getByConversationId(conversationId);
+      if (existing) {
+        this.sessionManager?.upsert({
+          session_key: existing.session_key,
+          conversation_id: res.data?.dm_conversation_id ?? conversationId,
+          trust_state: "trusted",
+          remote_did: existing.remote_did,
+          active: existing.active
+        });
+      }
+    }
+    return res;
+  }
+  async revokeConversation(conversationId) {
+    return this.transport.request("POST", "/v1/control/revoke_conversation", {
+      conversation_id: conversationId
+    });
+  }
+  async cancelTask(conversationId, taskId) {
+    const res = await this.transport.request("POST", "/v1/control/cancel_task", {
+      conversation_id: conversationId,
+      task_id: taskId
+    });
+    if (res.ok && res.data) {
+      const session = this.sessionManager?.getByConversationId(conversationId);
+      this.taskThreadManager?.upsert({
+        task_id: taskId,
+        session_key: session?.session_key ?? buildSessionKey({ localDid: this.identity.did, conversationId, remoteDid: session?.remote_did }),
+        conversation_id: conversationId,
+        status: normalizeTaskThreadStatus(res.data.task_state),
+        updated_at: Date.now()
+      });
+    }
+    return res;
+  }
+  async blockSender(conversationId, senderDid) {
+    return this.transport.request("POST", "/v1/control/block_sender", {
+      conversation_id: conversationId,
+      sender_did: senderDid
+    });
+  }
+  async acquireLease(conversationId) {
+    return this.transport.request("POST", "/v1/lease/acquire", {
+      conversation_id: conversationId
+    });
+  }
+  async renewLease(conversationId) {
+    return this.transport.request("POST", "/v1/lease/renew", {
+      conversation_id: conversationId
+    });
+  }
+  async releaseLease(conversationId) {
+    return this.transport.request("POST", "/v1/lease/release", {
+      conversation_id: conversationId
+    });
+  }
+  async uploadArtifact(content) {
+    const presignRes = await this.transport.request("POST", "/v1/artifacts/presign_upload", {
+      size: content.length,
+      content_type: "application/octet-stream"
+    });
+    if (!presignRes.ok || !presignRes.data) throw new Error("Failed to presign upload");
+    const { upload_url, artifact_ref } = presignRes.data;
+    await this.transport.fetchWithAuth(upload_url, {
+      method: "PUT",
+      body: content,
+      contentType: "application/octet-stream"
+    });
+    const { createHash } = await import("crypto");
+    const hash = createHash("sha256").update(content).digest("hex");
+    return { artifact_ref, sha256: hash, size: content.length };
+  }
+  async downloadArtifact(artifactRef, expectedSha256, expectedSize) {
+    const presignRes = await this.transport.request("POST", "/v1/artifacts/presign_download", {
+      artifact_ref: artifactRef
+    });
+    if (!presignRes.ok || !presignRes.data) throw new Error("Failed to presign download");
+    const buffer = Buffer.from(await this.transport.fetchWithAuth(presignRes.data.download_url));
+    if (buffer.length !== expectedSize) {
+      throw new Error(`Size mismatch: expected ${expectedSize}, got ${buffer.length}`);
+    }
+    const { createHash } = await import("crypto");
+    const hash = createHash("sha256").update(buffer).digest("hex");
+    if (hash !== expectedSha256) {
+      throw new Error(`SHA256 mismatch: expected ${expectedSha256}, got ${hash}`);
+    }
+    return buffer;
+  }
+  async getSubscription() {
+    return this.transport.request("GET", "/v1/subscription");
+  }
+  async resolveAlias(alias) {
+    const res = await this.transport.request("GET", `/v1/directory/resolve?alias=${encodeURIComponent(alias)}`);
+    if (res.ok && res.data?.did && res.data.encryption_public_key) {
+      this.agentCardCache.set(res.data.did, {
+        did: res.data.did,
+        encryption_public_key: res.data.encryption_public_key
+      });
+    }
+    return res;
+  }
+  async getAgentCard(did) {
+    const res = await this.transport.request("GET", `/v1/directory/card?did=${encodeURIComponent(did)}`, void 0, true);
+    if (res.ok && res.data?.encryption_public_key) {
+      this.agentCardCache.set(did, {
+        did,
+        encryption_public_key: res.data.encryption_public_key
+      });
+    }
+    return res;
+  }
+  async registerAlias(alias) {
+    return this.transport.request("POST", "/v1/directory/alias", { alias });
+  }
+  async listConversations(opts) {
+    const params = new URLSearchParams();
+    if (opts?.type) params.set("type", opts.type);
+    const qs = params.toString();
+    const res = await this.transport.request("GET", `/v1/conversations/list${qs ? "?" + qs : ""}`);
+    if (res.ok && res.data && this.sessionManager) {
+      for (const conv of res.data.conversations) {
+        if (conv.recipient_encryption_public_key && conv.target_did) {
+          this.agentCardCache.set(conv.target_did, {
+            did: conv.target_did,
+            encryption_public_key: conv.recipient_encryption_public_key
+          });
+        }
+        const trustState = conv.trusted ? "trusted" : conv.type === "pending_dm" ? "pending" : "stranger";
+        this.sessionManager.upsert({
+          session_key: buildSessionKey({
+            localDid: this.identity.did,
+            remoteDid: conv.target_did,
+            conversationId: conv.conversation_id,
+            conversationType: conv.type
+          }),
+          remote_did: conv.target_did,
+          conversation_id: conv.conversation_id,
+          trust_state: trustState,
+          last_remote_activity_at: conv.last_activity_at ?? void 0,
+          updated_at: conv.last_activity_at ?? conv.created_at
+        });
+      }
+    }
+    return res;
+  }
+  async getTaskStatus(conversationId, taskId) {
+    const params = new URLSearchParams({ conversation_id: conversationId, task_id: taskId });
+    const res = await this.transport.request("GET", `/v1/tasks/status?${params.toString()}`);
+    if (res.ok && res.data) {
+      const session = this.sessionManager?.getByConversationId(conversationId);
+      this.taskThreadManager?.upsert({
+        task_id: taskId,
+        session_key: session?.session_key ?? buildSessionKey({ localDid: this.identity.did, conversationId, remoteDid: session?.remote_did }),
+        conversation_id: conversationId,
+        status: res.data.status,
+        updated_at: res.data.last_update_ts_ms,
+        result_summary: res.data.result_summary,
+        error_code: res.data.error?.code,
+        error_message: res.data.error?.message ?? res.data.reason
+      });
+    }
+    return res;
+  }
+  async listTaskThreads(conversationId) {
+    const params = new URLSearchParams({ conversation_id: conversationId });
+    const res = await this.transport.request("GET", `/v1/tasks/list?${params.toString()}`);
+    if (res.ok && res.data) {
+      const session = this.sessionManager?.getByConversationId(conversationId);
+      for (const task of res.data.tasks) {
+        this.taskThreadManager?.upsert({
+          task_id: task.task_id,
+          session_key: session?.session_key ?? buildSessionKey({ localDid: this.identity.did, conversationId, remoteDid: session?.remote_did }),
+          conversation_id: conversationId,
+          title: task.title,
+          status: task.status,
+          updated_at: task.last_update_ts_ms,
+          result_summary: task.result_summary,
+          error_code: task.error?.code,
+          error_message: task.error?.message ?? task.reason
+        });
+      }
+    }
+    return res;
+  }
+  async getProfile() {
+    return this.transport.request("GET", "/v1/directory/profile");
+  }
+  async getDirectorySelf() {
+    return this.transport.request("GET", "/v1/directory/self");
+  }
+  async updateProfile(profile) {
+    const normalizedCard = profile.capability_card ? normalizeCapabilityCard(profile.capability_card) : void 0;
+    const nextCapabilities = profile.capabilities !== void 0 ? profile.capabilities : normalizedCard ? capabilityCardToLegacyCapabilities(normalizedCard) : void 0;
+    return this.transport.request("POST", "/v1/directory/profile", {
+      ...profile,
+      capability_card: normalizedCard,
+      capabilities: nextCapabilities,
+      encryption_public_key: this.identity.encryptionPublicKeyJwk
+    });
+  }
+  async createPublicLink(opts) {
+    return this.transport.request("POST", "/v1/public/link", {
+      slug: opts?.slug,
+      enabled: opts?.enabled
+    });
+  }
+  async getPublicSelf() {
+    return this.transport.request("GET", "/v1/public/self");
+  }
+  async getPublicAgent(slug) {
+    return this.transport.request("GET", `/v1/public/agent/${encodeURIComponent(slug)}`, void 0, true);
+  }
+  async createContactCard(opts) {
+    return this.transport.request("POST", "/v1/public/contact-card", {
+      target_did: opts?.target_did,
+      referrer_did: opts?.referrer_did,
+      intro_note: opts?.intro_note,
+      message_template: opts?.message_template
+    });
+  }
+  async getContactCard(id) {
+    return this.transport.request("GET", `/v1/public/contact-card/${encodeURIComponent(id)}`, void 0, true);
+  }
+  async createTaskShare(opts) {
+    return this.transport.request("POST", "/v1/public/task-share", opts);
+  }
+  async getTaskShare(id) {
+    return this.transport.request("GET", `/v1/public/task-share/${encodeURIComponent(id)}`, void 0, true);
+  }
+  async revokeTaskShare(id) {
+    return this.transport.request("POST", `/v1/public/task-share/${encodeURIComponent(id)}/revoke`);
+  }
+  async ensureEncryptionKeyPublished() {
+    const selfRes = await this.getDirectorySelf();
+    if (!selfRes.ok || !selfRes.data) {
+      return {
+        ok: false,
+        error: selfRes.error ?? {
+          code: ErrorCode2.INTERNAL,
+          message: "Failed to inspect directory card for encryption key publication",
+          hint: ERROR_HINTS[ErrorCode2.INTERNAL]
+        }
+      };
+    }
+    if (this.sameEncryptionPublicKey(selfRes.data.encryption_public_key, this.identity.encryptionPublicKeyJwk)) {
+      this.agentCardCache.set(this.identity.did, {
+        did: this.identity.did,
+        encryption_public_key: this.identity.encryptionPublicKeyJwk
+      });
+      return { ok: true, data: { published: true, status: "already_registered" } };
+    }
+    const updateRes = await this.updateProfile({});
+    if (!updateRes.ok) {
+      return {
+        ok: false,
+        error: updateRes.error ?? {
+          code: ErrorCode2.INTERNAL,
+          message: "Failed to publish encryption public key to directory profile",
+          hint: ERROR_HINTS[ErrorCode2.INTERNAL]
+        }
+      };
+    }
+    this.agentCardCache.set(this.identity.did, {
+      did: this.identity.did,
+      encryption_public_key: this.identity.encryptionPublicKeyJwk
+    });
+    return { ok: true, data: { published: true, status: "updated" } };
+  }
+  async enableDiscovery() {
+    return this.transport.request("POST", "/v1/directory/enable_discovery");
+  }
+  async disableDiscovery() {
+    return this.transport.request("POST", "/v1/directory/disable_discovery");
+  }
+  async browseDirectory(opts) {
+    const params = new URLSearchParams();
+    if (opts?.tag) params.set("tag", opts.tag);
+    if (opts?.query) params.set("q", opts.query);
+    if (opts?.limit != null) params.set("limit", String(opts.limit));
+    if (opts?.offset != null) params.set("offset", String(opts.offset));
+    if (opts?.sort) params.set("sort", opts.sort);
+    const qs = params.toString();
+    return this.transport.request("GET", `/v1/directory/browse${qs ? "?" + qs : ""}`);
+  }
+  async publishPost(opts) {
+    return this.transport.request("POST", "/v1/feed/publish", { text: opts.text, artifact_ref: opts.artifact_ref });
+  }
+  async listFeedPublic(opts) {
+    const params = new URLSearchParams();
+    if (opts?.limit != null) params.set("limit", String(opts.limit));
+    if (opts?.since != null) params.set("since", String(opts.since));
+    const qs = params.toString();
+    return this.transport.request("GET", `/v1/feed/public${qs ? "?" + qs : ""}`, void 0, true);
+  }
+  async listFeedByDid(did, opts) {
+    const params = new URLSearchParams({ did });
+    if (opts?.limit != null) params.set("limit", String(opts.limit));
+    return this.transport.request("GET", `/v1/feed/by_did?${params.toString()}`, void 0, true);
+  }
+  async createChannel(opts) {
+    return this.transport.request("POST", "/v1/channels/create", {
+      name: opts.name,
+      alias: opts.alias,
+      description: opts.description,
+      join_policy: "open",
+      discoverable: opts.discoverable
+    });
+  }
+  async updateChannel(opts) {
+    const alias = opts.alias.replace(/^@ch\//, "");
+    return this.transport.request("PATCH", "/v1/channels/update", {
+      alias,
+      name: opts.name,
+      description: opts.description,
+      discoverable: opts.discoverable
+    });
+  }
+  async deleteChannel(alias) {
+    const a = alias.replace(/^@ch\//, "");
+    return this.transport.request("DELETE", "/v1/channels/delete", { alias: a });
+  }
+  async discoverChannels(opts) {
+    const params = new URLSearchParams();
+    if (opts?.limit != null) params.set("limit", String(opts.limit));
+    if (opts?.query) params.set("q", opts.query);
+    const qs = params.toString();
+    return this.transport.request("GET", `/v1/channels/discover${qs ? "?" + qs : ""}`, void 0, true);
+  }
+  async joinChannel(alias) {
+    return this.transport.request("POST", "/v1/channels/join", { alias });
+  }
+  getDid() {
+    return this.identity.did;
+  }
+  async decryptEnvelopePayload(envelope) {
+    return decryptPayloadForIdentity(envelope.schema, envelope.payload ?? {}, this.identity);
+  }
+  // === Billing: device linking ===
+  async createBillingLinkCode() {
+    return this.transport.request("POST", "/v1/billing/link-code");
+  }
+  async redeemBillingLink(code) {
+    return this.transport.request("POST", "/v1/billing/link", { code });
+  }
+  async unlinkBillingDevice(did) {
+    return this.transport.request("POST", "/v1/billing/unlink", { did });
+  }
+  async getLinkedDevices() {
+    return this.transport.request("GET", "/v1/billing/linked-devices");
+  }
+  // P0: High-level send-task-and-wait
+  async sendTaskAndWait(targetDid, task, opts) {
+    const { v7: uuidv7 } = await import("uuid");
+    const timeout = opts?.timeoutMs ?? 12e4;
+    const pollInterval = opts?.pollIntervalMs ?? 2e3;
+    const taskId = `t_${uuidv7()}`;
+    const startTime = Date.now();
+    const openRes = await this.openConversation(targetDid);
+    if (!openRes.ok || !openRes.data) {
+      return { status: "error", task_id: taskId, error: { code: "E_OPEN_FAILED", message: "Failed to open conversation" }, elapsed_ms: Date.now() - startTime };
+    }
+    let conversationId = openRes.data.conversation_id;
+    if (!openRes.data.trusted) {
+      await this.sendContactRequest(conversationId, task.title);
+      const approvalDeadline = startTime + timeout;
+      while (Date.now() < approvalDeadline) {
+        await sleep2(pollInterval);
+        const reopen = await this.openConversation(targetDid);
+        if (reopen.ok && reopen.data?.trusted) {
+          conversationId = reopen.data.conversation_id;
+          break;
+        }
+      }
+      if (Date.now() >= approvalDeadline) {
+        return { status: "error", task_id: taskId, error: { code: "E_NOT_APPROVED", message: "Contact request not approved within timeout" }, elapsed_ms: Date.now() - startTime };
+      }
+    }
+    const sendRes = await this.sendTask(conversationId, { task_id: taskId, ...task });
+    if (!sendRes.ok) {
+      return { status: "error", task_id: taskId, error: { code: sendRes.error?.code ?? "E_SEND_FAILED", message: sendRes.error?.message ?? "Send failed" }, elapsed_ms: Date.now() - startTime };
+    }
+    const session = this.sessionManager?.getByConversationId(conversationId);
+    this.taskThreadManager?.upsert({
+      task_id: taskId,
+      session_key: session?.session_key ?? buildSessionKey({ localDid: this.identity.did, conversationId, remoteDid: targetDid }),
+      conversation_id: conversationId,
+      title: task.title,
+      status: "queued",
+      started_at: Date.now(),
+      updated_at: Date.now()
+    });
+    const sinceSeq = sendRes.data?.seq ?? 0;
+    const deadline = startTime + timeout;
+    while (Date.now() < deadline) {
+      await sleep2(pollInterval);
+      const statusRes = await this.getTaskStatus(conversationId, taskId);
+      if (statusRes.ok && statusRes.data) {
+        if (statusRes.data.status === "failed" || statusRes.data.status === "cancelled") {
+          return {
+            status: "error",
+            task_id: taskId,
+            error: {
+              code: statusRes.data.error?.code ?? (statusRes.data.status === "cancelled" ? "E_CANCELLED" : "E_TASK_FAILED"),
+              message: statusRes.data.error?.message ?? statusRes.data.reason ?? `Task ${statusRes.data.status}`
+            },
+            elapsed_ms: Date.now() - startTime
+          };
+        }
+      }
+      const fetchRes = await this.fetchInbox(conversationId, { sinceSeq });
+      if (!fetchRes.ok || !fetchRes.data) continue;
+      for (const msg of fetchRes.data.messages) {
+        if (msg.schema === SCHEMA_RESULT2 && msg.payload?.task_id === taskId) {
+          return {
+            status: msg.payload.status === "ok" ? "ok" : "error",
+            task_id: taskId,
+            result: msg.payload.output,
+            error: msg.payload.error,
+            elapsed_ms: Date.now() - startTime
+          };
+        }
+      }
+    }
+    return { status: "error", task_id: taskId, error: { code: "E_TIMEOUT", message: `No result within ${timeout}ms` }, elapsed_ms: timeout };
+  }
+  async sendHandoff(targetDid, handoff, opts) {
+    const { v7: uuidv7 } = await import("uuid");
+    const timeout = opts?.timeoutMs ?? 12e4;
+    const pollInterval = opts?.pollIntervalMs ?? 2e3;
+    const taskId = `t_${uuidv7()}`;
+    const openRes = await this.openConversation(targetDid);
+    if (!openRes.ok || !openRes.data) {
+      return {
+        ok: false,
+        error: {
+          code: "E_OPEN_FAILED",
+          message: openRes.error?.message ?? "Failed to open conversation"
+        }
+      };
+    }
+    let conversationId = openRes.data.conversation_id;
+    if (!openRes.data.trusted) {
+      await this.sendContactRequest(conversationId, handoff.title);
+      const approvalDeadline = Date.now() + timeout;
+      while (Date.now() < approvalDeadline) {
+        await sleep2(pollInterval);
+        const reopen = await this.openConversation(targetDid);
+        if (reopen.ok && reopen.data?.trusted) {
+          conversationId = reopen.data.conversation_id;
+          break;
+        }
+      }
+      if (Date.now() >= approvalDeadline) {
+        return {
+          ok: false,
+          error: {
+            code: "E_NOT_APPROVED",
+            message: "Contact request not approved within timeout"
+          }
+        };
+      }
+    }
+    const summary = opts?.sessionKey ? this.sessionSummaryManager?.get(opts.sessionKey) : opts?.conversationId ? this.sessionSummaryManager?.get(this.sessionManager?.getByConversationId(opts.conversationId)?.session_key || "") : void 0;
+    const handoffPayload = {
+      objective: handoff.objective,
+      carry_forward_summary: (handoff.carry_forward_summary ?? buildSessionSummaryHandoffText(summary)) || void 0,
+      success_criteria: handoff.success_criteria,
+      callback_session_key: handoff.callback_session_key ?? opts?.sessionKey,
+      priority: handoff.priority,
+      delegated_by: this.identity.did,
+      delegated_to: targetDid
+    };
+    const sendRes = await this.sendTask(conversationId, {
+      task_id: taskId,
+      title: handoff.title,
+      description: handoff.description,
+      input: handoff.input,
+      handoff: handoffPayload
+    });
+    if (!sendRes.ok) {
+      return {
+        ok: false,
+        error: {
+          code: sendRes.error?.code ?? "E_SEND_FAILED",
+          message: sendRes.error?.message ?? "Send failed"
+        }
+      };
+    }
+    const session = this.sessionManager?.getByConversationId(conversationId);
+    const sessionKey = session?.session_key ?? buildSessionKey({ localDid: this.identity.did, conversationId, remoteDid: targetDid });
+    this.taskThreadManager?.upsert({
+      task_id: taskId,
+      session_key: sessionKey,
+      conversation_id: conversationId,
+      title: handoff.title,
+      status: "queued",
+      started_at: Date.now(),
+      updated_at: Date.now()
+    });
+    this.taskHandoffManager?.upsert({
+      task_id: taskId,
+      session_key: sessionKey,
+      conversation_id: conversationId,
+      ...handoffPayload,
+      updated_at: Date.now()
+    });
+    return {
+      ok: true,
+      data: {
+        task_id: taskId,
+        conversation_id: conversationId,
+        handoff: handoffPayload
+      }
+    };
+  }
+};
+function normalizeTaskThreadStatus(state) {
+  if (state === "completed") return "processed";
+  if (state === "cancel_requested") return "running";
+  if (state === "cancelled") return "cancelled";
+  if (state === "failed") return "failed";
+  if (state === "running") return "running";
+  return "queued";
+}
+function sleep2(ms) {
+  return new Promise((resolve4) => setTimeout(resolve4, ms));
+}
+
+// src/auth.ts
+var REFRESH_GRACE_MS = 5 * 60 * 1e3;
+async function ensureTokenValid(identityPath, serverUrl) {
+  if (!identityExists(identityPath)) return false;
+  const id = loadIdentity(identityPath);
+  const token = id.accessToken;
+  const expiresAt = id.tokenExpiresAt;
+  if (!token || expiresAt == null) return false;
+  const now = Date.now();
+  if (expiresAt > now + REFRESH_GRACE_MS) return false;
+  const baseUrl = (serverUrl ?? id.serverUrl ?? "https://pingagent.chat").replace(/\/$/, "");
+  try {
+    const res = await fetch(`${baseUrl}/v1/auth/refresh`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({ access_token: token })
+    });
+    const text = await res.text();
+    let data;
+    try {
+      data = text ? JSON.parse(text) : {};
+    } catch {
+      return false;
+    }
+    if (!res.ok || !data.ok || !data.data?.access_token || data.data.expires_ms == null) return false;
+    const newExpiresAt = now + data.data.expires_ms;
+    updateStoredToken(data.data.access_token, newExpiresAt, identityPath);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+// src/store.ts
+import Database from "better-sqlite3";
+import * as fs2 from "fs";
+import * as path3 from "path";
+var SCHEMA_SQL = `
+CREATE TABLE IF NOT EXISTS contacts (
+  did TEXT PRIMARY KEY,
+  alias TEXT,
+  display_name TEXT,
+  notes TEXT,
+  conversation_id TEXT,
+  trusted INTEGER NOT NULL DEFAULT 0,
+  added_at INTEGER NOT NULL,
+  last_message_at INTEGER,
+  tags TEXT
+);
+CREATE INDEX IF NOT EXISTS idx_contacts_alias ON contacts(alias);
+
+CREATE TABLE IF NOT EXISTS messages (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  conversation_id TEXT NOT NULL,
+  message_id TEXT NOT NULL UNIQUE,
+  seq INTEGER,
+  sender_did TEXT NOT NULL,
+  schema TEXT NOT NULL,
+  payload TEXT NOT NULL,
+  ts_ms INTEGER NOT NULL,
+  direction TEXT NOT NULL CHECK(direction IN ('sent', 'received'))
+);
+CREATE INDEX IF NOT EXISTS idx_messages_conv_seq ON messages(conversation_id, seq);
+CREATE INDEX IF NOT EXISTS idx_messages_ts ON messages(ts_ms);
+
+CREATE TABLE IF NOT EXISTS sync_state (
+  conversation_id TEXT PRIMARY KEY,
+  last_synced_seq INTEGER NOT NULL DEFAULT 0,
+  last_synced_at INTEGER
+);
+
+CREATE TABLE IF NOT EXISTS session_state (
+  session_key TEXT PRIMARY KEY,
+  remote_did TEXT,
+  conversation_id TEXT,
+  trust_state TEXT NOT NULL DEFAULT 'stranger',
+  last_message_preview TEXT,
+  last_remote_activity_at INTEGER,
+  last_read_seq INTEGER NOT NULL DEFAULT 0,
+  unread_count INTEGER NOT NULL DEFAULT 0,
+  active INTEGER NOT NULL DEFAULT 0,
+  updated_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_session_state_updated ON session_state(updated_at DESC);
+CREATE INDEX IF NOT EXISTS idx_session_state_conversation ON session_state(conversation_id);
+CREATE INDEX IF NOT EXISTS idx_session_state_remote_did ON session_state(remote_did);
+
+CREATE TABLE IF NOT EXISTS task_threads (
+  task_id TEXT PRIMARY KEY,
+  session_key TEXT NOT NULL,
+  conversation_id TEXT NOT NULL,
+  title TEXT,
+  status TEXT NOT NULL,
+  started_at INTEGER,
+  updated_at INTEGER NOT NULL,
+  result_summary TEXT,
+  error_code TEXT,
+  error_message TEXT
+);
+CREATE INDEX IF NOT EXISTS idx_task_threads_session ON task_threads(session_key, updated_at DESC);
+CREATE INDEX IF NOT EXISTS idx_task_threads_conversation ON task_threads(conversation_id, updated_at DESC);
+
+CREATE TABLE IF NOT EXISTS session_summaries (
+  session_key TEXT PRIMARY KEY,
+  objective TEXT,
+  context TEXT,
+  constraints TEXT,
+  decisions TEXT,
+  open_questions TEXT,
+  next_action TEXT,
+  handoff_ready_text TEXT,
+  updated_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_session_summaries_updated ON session_summaries(updated_at DESC);
+
+CREATE TABLE IF NOT EXISTS task_handoffs (
+  task_id TEXT PRIMARY KEY,
+  session_key TEXT NOT NULL,
+  conversation_id TEXT NOT NULL,
+  objective TEXT,
+  carry_forward_summary TEXT,
+  success_criteria TEXT,
+  callback_session_key TEXT,
+  priority TEXT,
+  delegated_by TEXT,
+  delegated_to TEXT,
+  updated_at INTEGER NOT NULL
+);
+CREATE INDEX IF NOT EXISTS idx_task_handoffs_session ON task_handoffs(session_key, updated_at DESC);
+CREATE INDEX IF NOT EXISTS idx_task_handoffs_conversation ON task_handoffs(conversation_id, updated_at DESC);
+
+CREATE TABLE IF NOT EXISTS trust_policy_audit (
+  id INTEGER PRIMARY KEY AUTOINCREMENT,
+  ts_ms INTEGER NOT NULL,
+  event_type TEXT NOT NULL,
+  policy_scope TEXT,
+  remote_did TEXT,
+  sender_alias TEXT,
+  sender_verification_status TEXT,
+  session_key TEXT,
+  conversation_id TEXT,
+  action TEXT,
+  outcome TEXT,
+  explanation TEXT,
+  matched_rule TEXT,
+  detail_json TEXT
+);
+CREATE INDEX IF NOT EXISTS idx_trust_policy_audit_ts ON trust_policy_audit(ts_ms DESC, id DESC);
+CREATE INDEX IF NOT EXISTS idx_trust_policy_audit_session ON trust_policy_audit(session_key, ts_ms DESC);
+CREATE INDEX IF NOT EXISTS idx_trust_policy_audit_remote ON trust_policy_audit(remote_did, ts_ms DESC);
+
+CREATE TABLE IF NOT EXISTS trust_policy_recommendations (
+  id TEXT PRIMARY KEY,
+  policy TEXT NOT NULL,
+  remote_did TEXT NOT NULL,
+  match TEXT NOT NULL,
+  action TEXT NOT NULL,
+  current_action TEXT NOT NULL,
+  confidence TEXT NOT NULL,
+  reason TEXT NOT NULL,
+  signals_json TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'open',
+  first_seen_at INTEGER NOT NULL,
+  last_seen_at INTEGER NOT NULL,
+  updated_at INTEGER NOT NULL,
+  last_state_change_at INTEGER,
+  applied_at INTEGER,
+  dismissed_at INTEGER
+);
+CREATE INDEX IF NOT EXISTS idx_trust_policy_recommendations_status ON trust_policy_recommendations(status, updated_at DESC);
+CREATE INDEX IF NOT EXISTS idx_trust_policy_recommendations_remote ON trust_policy_recommendations(remote_did, updated_at DESC);
+`;
+var LocalStore = class {
+  db;
+  constructor(dbPath) {
+    const p = getStorePath(dbPath);
+    const dir = path3.dirname(p);
+    if (!fs2.existsSync(dir)) {
+      fs2.mkdirSync(dir, { recursive: true, mode: 448 });
+    }
+    this.db = new Database(p);
+    this.db.pragma("journal_mode = WAL");
+    this.db.exec(SCHEMA_SQL);
+    this.applyMigrations();
+  }
+  getDb() {
+    return this.db;
+  }
+  close() {
+    this.db.close();
+  }
+  applyMigrations() {
+    const alterStatements = [
+      `ALTER TABLE session_state ADD COLUMN remote_did TEXT`,
+      `ALTER TABLE session_state ADD COLUMN conversation_id TEXT`,
+      `ALTER TABLE session_state ADD COLUMN trust_state TEXT NOT NULL DEFAULT 'stranger'`,
+      `ALTER TABLE session_state ADD COLUMN last_message_preview TEXT`,
+      `ALTER TABLE session_state ADD COLUMN last_remote_activity_at INTEGER`,
+      `ALTER TABLE session_state ADD COLUMN last_read_seq INTEGER NOT NULL DEFAULT 0`,
+      `ALTER TABLE session_state ADD COLUMN unread_count INTEGER NOT NULL DEFAULT 0`,
+      `ALTER TABLE session_state ADD COLUMN active INTEGER NOT NULL DEFAULT 0`,
+      `ALTER TABLE session_state ADD COLUMN updated_at INTEGER NOT NULL DEFAULT 0`,
+      `ALTER TABLE task_threads ADD COLUMN title TEXT`,
+      `ALTER TABLE task_threads ADD COLUMN result_summary TEXT`,
+      `ALTER TABLE task_threads ADD COLUMN error_code TEXT`,
+      `ALTER TABLE task_threads ADD COLUMN error_message TEXT`
+    ];
+    for (const sql of alterStatements) {
+      try {
+        this.db.exec(sql);
+      } catch {
+      }
+    }
+  }
+};
+
+// src/trust-policy.ts
+var CONTACT_ACTIONS = /* @__PURE__ */ new Set(["approve", "manual", "reject"]);
+var TASK_ACTIONS = /* @__PURE__ */ new Set(["bridge", "execute", "deny"]);
+function defaultTrustPolicyDoc() {
+  return {
+    version: 1,
+    contact_policy: {
+      enabled: true,
+      default_action: "manual",
+      rules: []
+    },
+    task_policy: {
+      enabled: true,
+      default_action: "bridge",
+      rules: []
+    }
+  };
+}
+function normalizeTrustPolicyDoc(raw) {
+  const base = defaultTrustPolicyDoc();
+  const contactRules = Array.isArray(raw?.contact_policy?.rules) ? raw.contact_policy.rules.filter((rule) => typeof rule?.match === "string" && CONTACT_ACTIONS.has(rule?.action)) : [];
+  const taskRules = Array.isArray(raw?.task_policy?.rules) ? raw.task_policy.rules.filter((rule) => typeof rule?.match === "string" && TASK_ACTIONS.has(rule?.action)) : [];
+  return {
+    version: 1,
+    contact_policy: {
+      enabled: raw?.contact_policy?.enabled !== false,
+      default_action: CONTACT_ACTIONS.has(raw?.contact_policy?.default_action) ? raw.contact_policy.default_action : base.contact_policy.default_action,
+      rules: contactRules
+    },
+    task_policy: {
+      enabled: raw?.task_policy?.enabled !== false,
+      default_action: TASK_ACTIONS.has(raw?.task_policy?.default_action) ? raw.task_policy.default_action : base.task_policy.default_action,
+      rules: taskRules
+    }
+  };
+}
+function matchesTrustPolicyRule(match, context) {
+  if (match === "*") return true;
+  if (match.startsWith("did:agent:")) {
+    return context.sender_did === match;
+  }
+  if (match.startsWith("verification_status:")) {
+    return context.sender_verification_status === match.split(":")[1];
+  }
+  if (match.startsWith("alias:")) {
+    const pattern = match.slice(6);
+    const senderAlias = context.sender_alias ?? "";
+    if (pattern.endsWith("*")) return senderAlias.startsWith(pattern.slice(0, -1));
+    return senderAlias === pattern;
+  }
+  return false;
+}
+function decideContactPolicy(policyDoc, context, opts) {
+  if (policyDoc.contact_policy.enabled) {
+    for (const rule of policyDoc.contact_policy.rules) {
+      if (matchesTrustPolicyRule(rule.match, context)) {
+        return {
+          action: rule.action,
+          source: "rule",
+          matched_rule: rule,
+          explanation: `Matched contact_policy rule ${rule.match} -> ${rule.action}`
+        };
+      }
+    }
+    return {
+      action: policyDoc.contact_policy.default_action,
+      source: "default",
+      explanation: `No contact_policy rule matched; using default_action=${policyDoc.contact_policy.default_action}`
+    };
+  }
+  if (opts?.legacyAutoApproveEnabled) {
+    for (const rule of opts.legacyAutoApproveRules ?? []) {
+      if (rule.action === "approve" && matchesTrustPolicyRule(rule.match, context)) {
+        return {
+          action: "approve",
+          source: "legacy_auto_approve",
+          matched_rule: { match: rule.match, action: "approve" },
+          explanation: `Matched legacy auto_approve rule ${rule.match} -> approve`
+        };
+      }
+    }
+  }
+  return {
+    action: "manual",
+    source: "runtime_default",
+    explanation: "contact_policy disabled and no legacy auto_approve match; defaulting to manual"
+  };
+}
+function decideTaskPolicy(policyDoc, context, opts) {
+  if (policyDoc.task_policy.enabled) {
+    for (const rule of policyDoc.task_policy.rules) {
+      if (matchesTrustPolicyRule(rule.match, context)) {
+        return {
+          action: rule.action,
+          source: "rule",
+          matched_rule: rule,
+          explanation: `Matched task_policy rule ${rule.match} -> ${rule.action}`
+        };
+      }
+    }
+    return {
+      action: policyDoc.task_policy.default_action,
+      source: "default",
+      explanation: `No task_policy rule matched; using default_action=${policyDoc.task_policy.default_action}`
+    };
+  }
+  const runtimeDefault = opts?.runtimeMode === "executor" ? "execute" : "bridge";
+  return {
+    action: runtimeDefault,
+    source: "runtime_default",
+    explanation: `task_policy disabled; defaulting to runtime_mode=${opts?.runtimeMode ?? "bridge"} -> ${runtimeDefault}`
+  };
+}
+
+// src/trust-policy-audit.ts
+function rowToEvent(row) {
+  return {
+    id: row.id,
+    ts_ms: row.ts_ms,
+    event_type: row.event_type,
+    policy_scope: row.policy_scope ?? void 0,
+    remote_did: row.remote_did ?? void 0,
+    sender_alias: row.sender_alias ?? void 0,
+    sender_verification_status: row.sender_verification_status ?? void 0,
+    session_key: row.session_key ?? void 0,
+    conversation_id: row.conversation_id ?? void 0,
+    action: row.action ?? void 0,
+    outcome: row.outcome ?? void 0,
+    explanation: row.explanation ?? void 0,
+    matched_rule: row.matched_rule ?? void 0,
+    detail: row.detail_json ? JSON.parse(row.detail_json) : void 0
+  };
+}
+function buildSummaryFromEvents(events) {
+  const byType = {};
+  const byPolicyScope = {};
+  let latestTsMs = 0;
+  for (const event of events) {
+    byType[event.event_type] = (byType[event.event_type] ?? 0) + 1;
+    if (event.policy_scope) byPolicyScope[event.policy_scope] = (byPolicyScope[event.policy_scope] ?? 0) + 1;
+    latestTsMs = Math.max(latestTsMs, event.ts_ms);
+  }
+  return {
+    total_events: events.length,
+    latest_ts_ms: latestTsMs || void 0,
+    by_type: byType,
+    by_policy_scope: byPolicyScope
+  };
+}
+var TrustPolicyAuditManager = class {
+  constructor(store) {
+    this.store = store;
+  }
+  record(event) {
+    const tsMs = event.ts_ms ?? Date.now();
+    const result = this.store.getDb().prepare(`
+      INSERT INTO trust_policy_audit (
+        ts_ms, event_type, policy_scope, remote_did, sender_alias, sender_verification_status,
+        session_key, conversation_id, action, outcome, explanation, matched_rule, detail_json
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+    `).run(
+      tsMs,
+      event.event_type,
+      event.policy_scope ?? null,
+      event.remote_did ?? null,
+      event.sender_alias ?? null,
+      event.sender_verification_status ?? null,
+      event.session_key ?? null,
+      event.conversation_id ?? null,
+      event.action ?? null,
+      event.outcome ?? null,
+      event.explanation ?? null,
+      event.matched_rule ?? null,
+      event.detail ? JSON.stringify(event.detail) : null
+    );
+    return {
+      id: Number(result.lastInsertRowid),
+      ts_ms: tsMs,
+      event_type: event.event_type,
+      policy_scope: event.policy_scope,
+      remote_did: event.remote_did,
+      sender_alias: event.sender_alias,
+      sender_verification_status: event.sender_verification_status,
+      session_key: event.session_key,
+      conversation_id: event.conversation_id,
+      action: event.action,
+      outcome: event.outcome,
+      explanation: event.explanation,
+      matched_rule: event.matched_rule,
+      detail: event.detail
+    };
+  }
+  listRecent(limit = 50) {
+    const rows = this.store.getDb().prepare("SELECT * FROM trust_policy_audit ORDER BY ts_ms DESC, id DESC LIMIT ?").all(limit);
+    return rows.map(rowToEvent);
+  }
+  listBySession(sessionKey, limit = 50) {
+    const rows = this.store.getDb().prepare("SELECT * FROM trust_policy_audit WHERE session_key = ? ORDER BY ts_ms DESC, id DESC LIMIT ?").all(sessionKey, limit);
+    return rows.map(rowToEvent);
+  }
+  listByRemoteDid(remoteDid, limit = 50) {
+    const rows = this.store.getDb().prepare("SELECT * FROM trust_policy_audit WHERE remote_did = ? ORDER BY ts_ms DESC, id DESC LIMIT ?").all(remoteDid, limit);
+    return rows.map(rowToEvent);
+  }
+  summarize(limit = 200) {
+    return buildSummaryFromEvents(this.listRecent(limit));
+  }
+};
+function aggregateLearning(sessions, tasks, events) {
+  const summaries = /* @__PURE__ */ new Map();
+  function ensure(remoteDid) {
+    if (!remoteDid) return null;
+    const existing = summaries.get(remoteDid);
+    if (existing) return existing;
+    const created = {
+      remote_did: remoteDid,
+      trusted_sessions: 0,
+      pending_sessions: 0,
+      blocked_sessions: 0,
+      revoked_sessions: 0,
+      processed_tasks: 0,
+      failed_tasks: 0,
+      cancelled_tasks: 0,
+      contact_approvals: 0,
+      contact_manual_reviews: 0,
+      contact_rejections: 0,
+      task_bridged: 0,
+      task_executed: 0,
+      task_denied: 0
+    };
+    summaries.set(remoteDid, created);
+    return created;
+  }
+  const remoteBySession = /* @__PURE__ */ new Map();
+  for (const session of sessions) {
+    const summary = ensure(session.remote_did);
+    if (!summary) continue;
+    remoteBySession.set(session.session_key, session.remote_did);
+    summary.last_seen_at = Math.max(summary.last_seen_at ?? 0, session.last_remote_activity_at ?? 0, session.updated_at ?? 0) || summary.last_seen_at;
+    if (session.trust_state === "trusted") summary.trusted_sessions += 1;
+    if (session.trust_state === "pending") summary.pending_sessions += 1;
+    if (session.trust_state === "blocked") summary.blocked_sessions += 1;
+    if (session.trust_state === "revoked") summary.revoked_sessions += 1;
+  }
+  for (const task of tasks) {
+    const remoteDid = remoteBySession.get(task.session_key);
+    const summary = ensure(remoteDid);
+    if (!summary) continue;
+    summary.last_seen_at = Math.max(summary.last_seen_at ?? 0, task.updated_at ?? 0) || summary.last_seen_at;
+    if (task.status === "processed") summary.processed_tasks += 1;
+    if (task.status === "failed") summary.failed_tasks += 1;
+    if (task.status === "cancelled") summary.cancelled_tasks += 1;
+  }
+  for (const event of events) {
+    const summary = ensure(event.remote_did ?? remoteBySession.get(event.session_key ?? ""));
+    if (!summary) continue;
+    summary.last_seen_at = Math.max(summary.last_seen_at ?? 0, event.ts_ms ?? 0) || summary.last_seen_at;
+    if (event.event_type === "contact_auto_approved") summary.contact_approvals += 1;
+    if (event.event_type === "contact_manual_review") summary.contact_manual_reviews += 1;
+    if (event.event_type === "contact_rejected" || event.event_type === "session_blocked") summary.contact_rejections += 1;
+    if (event.event_type === "session_revoked") summary.revoked_sessions += 1;
+    if (event.event_type === "task_bridged") summary.task_bridged += 1;
+    if (event.event_type === "task_executed") summary.task_executed += 1;
+    if (event.event_type === "task_denied") summary.task_denied += 1;
+    if (event.event_type === "task_processed") summary.processed_tasks += 1;
+    if (event.event_type === "task_failed") summary.failed_tasks += 1;
+    if (event.event_type === "task_cancelled") summary.cancelled_tasks += 1;
+  }
+  return [...summaries.values()].sort((a, b) => (b.last_seen_at ?? 0) - (a.last_seen_at ?? 0));
+}
+function recommendationId(policy, remoteDid, action) {
+  return `${policy}:${remoteDid}:${action}`;
+}
+function describePositiveSignals(summary) {
+  const parts = [];
+  if (summary.trusted_sessions > 0) parts.push(`trusted_sessions=${summary.trusted_sessions}`);
+  if (summary.contact_approvals > 0) parts.push(`contact_approvals=${summary.contact_approvals}`);
+  if (summary.processed_tasks > 0) parts.push(`processed_tasks=${summary.processed_tasks}`);
+  return parts.join(", ");
+}
+function describeRiskSignals(summary) {
+  const parts = [];
+  if (summary.blocked_sessions > 0) parts.push(`blocked_sessions=${summary.blocked_sessions}`);
+  if (summary.revoked_sessions > 0) parts.push(`revoked_sessions=${summary.revoked_sessions}`);
+  if (summary.contact_rejections > 0) parts.push(`contact_rejections=${summary.contact_rejections}`);
+  if (summary.task_denied > 0) parts.push(`task_denied=${summary.task_denied}`);
+  if (summary.failed_tasks > 0) parts.push(`failed_tasks=${summary.failed_tasks}`);
+  return parts.join(", ");
+}
+function buildTrustPolicyRecommendations(opts) {
+  const policyDoc = normalizeTrustPolicyDoc(opts.policyDoc);
+  const summaries = aggregateLearning(opts.sessions, opts.tasks, opts.auditEvents);
+  const recommendations = [];
+  for (const summary of summaries) {
+    const contactDecision = decideContactPolicy(policyDoc, { sender_did: summary.remote_did });
+    const taskDecision = decideTaskPolicy(policyDoc, { sender_did: summary.remote_did }, { runtimeMode: opts.runtimeMode });
+    const riskSignals = summary.blocked_sessions + summary.revoked_sessions + summary.contact_rejections + summary.task_denied;
+    const positiveSignals = summary.trusted_sessions + summary.contact_approvals + summary.processed_tasks;
+    if (riskSignals > 0) {
+      if (contactDecision.action !== "reject") {
+        recommendations.push({
+          id: recommendationId("contact", summary.remote_did, "reject"),
+          policy: "contact",
+          remote_did: summary.remote_did,
+          match: summary.remote_did,
+          action: "reject",
+          current_action: contactDecision.action,
+          confidence: riskSignals >= 2 ? "high" : "medium",
+          reason: `Observed repeated negative signals: ${describeRiskSignals(summary)}`,
+          signals: {
+            trusted_sessions: summary.trusted_sessions,
+            blocked_sessions: summary.blocked_sessions,
+            revoked_sessions: summary.revoked_sessions,
+            processed_tasks: summary.processed_tasks,
+            failed_tasks: summary.failed_tasks,
+            cancelled_tasks: summary.cancelled_tasks,
+            contact_approvals: summary.contact_approvals,
+            contact_rejections: summary.contact_rejections,
+            task_denied: summary.task_denied,
+            last_seen_at: summary.last_seen_at
+          }
+        });
+      }
+      if (taskDecision.action !== "deny") {
+        recommendations.push({
+          id: recommendationId("task", summary.remote_did, "deny"),
+          policy: "task",
+          remote_did: summary.remote_did,
+          match: summary.remote_did,
+          action: "deny",
+          current_action: taskDecision.action,
+          confidence: summary.task_denied > 0 || summary.blocked_sessions > 0 || summary.contact_rejections > 0 ? "high" : "medium",
+          reason: `Observed repeated negative task/session signals: ${describeRiskSignals(summary)}`,
+          signals: {
+            trusted_sessions: summary.trusted_sessions,
+            blocked_sessions: summary.blocked_sessions,
+            revoked_sessions: summary.revoked_sessions,
+            processed_tasks: summary.processed_tasks,
+            failed_tasks: summary.failed_tasks,
+            cancelled_tasks: summary.cancelled_tasks,
+            contact_approvals: summary.contact_approvals,
+            contact_rejections: summary.contact_rejections,
+            task_denied: summary.task_denied,
+            last_seen_at: summary.last_seen_at
+          }
+        });
+      }
+      continue;
+    }
+    if (positiveSignals > 0 && contactDecision.action !== "approve" && (summary.trusted_sessions > 0 || summary.contact_approvals > 0 || summary.processed_tasks >= 2)) {
+      recommendations.push({
+        id: recommendationId("contact", summary.remote_did, "approve"),
+        policy: "contact",
+        remote_did: summary.remote_did,
+        match: summary.remote_did,
+        action: "approve",
+        current_action: contactDecision.action,
+        confidence: summary.processed_tasks >= 2 || summary.contact_approvals > 0 ? "high" : "medium",
+        reason: `Observed stable positive collaboration: ${describePositiveSignals(summary)}`,
+        signals: {
+          trusted_sessions: summary.trusted_sessions,
+          blocked_sessions: summary.blocked_sessions,
+          revoked_sessions: summary.revoked_sessions,
+          processed_tasks: summary.processed_tasks,
+          failed_tasks: summary.failed_tasks,
+          cancelled_tasks: summary.cancelled_tasks,
+          contact_approvals: summary.contact_approvals,
+          contact_rejections: summary.contact_rejections,
+          task_denied: summary.task_denied,
+          last_seen_at: summary.last_seen_at
+        }
+      });
+    }
+    const desiredTaskAction = opts.runtimeMode === "executor" ? "execute" : "bridge";
+    if (summary.processed_tasks >= 2 && summary.failed_tasks === 0 && summary.cancelled_tasks === 0 && summary.task_denied === 0 && taskDecision.action !== desiredTaskAction) {
+      recommendations.push({
+        id: recommendationId("task", summary.remote_did, desiredTaskAction),
+        policy: "task",
+        remote_did: summary.remote_did,
+        match: summary.remote_did,
+        action: desiredTaskAction,
+        current_action: taskDecision.action,
+        confidence: "high",
+        reason: `Observed successful task flow without negative outcomes: processed_tasks=${summary.processed_tasks}`,
+        signals: {
+          trusted_sessions: summary.trusted_sessions,
+          blocked_sessions: summary.blocked_sessions,
+          revoked_sessions: summary.revoked_sessions,
+          processed_tasks: summary.processed_tasks,
+          failed_tasks: summary.failed_tasks,
+          cancelled_tasks: summary.cancelled_tasks,
+          contact_approvals: summary.contact_approvals,
+          contact_rejections: summary.contact_rejections,
+          task_denied: summary.task_denied,
+          last_seen_at: summary.last_seen_at
+        }
+      });
+    }
+  }
+  recommendations.sort((a, b) => {
+    const confidenceScore = (value) => value === "high" ? 2 : 1;
+    const delta = confidenceScore(b.confidence) - confidenceScore(a.confidence);
+    if (delta !== 0) return delta;
+    return (b.signals.last_seen_at ?? 0) - (a.signals.last_seen_at ?? 0);
+  });
+  return recommendations.slice(0, opts.limit ?? 20);
+}
+function upsertTrustPolicyRecommendation(policyDoc, recommendation) {
+  const doc = normalizeTrustPolicyDoc(policyDoc);
+  if (recommendation.policy === "contact") {
+    return normalizeTrustPolicyDoc({
+      ...doc,
+      contact_policy: {
+        ...doc.contact_policy,
+        enabled: true,
+        rules: [
+          { match: recommendation.match, action: recommendation.action },
+          ...doc.contact_policy.rules.filter((rule) => rule.match !== recommendation.match)
+        ]
+      }
+    });
+  }
+  return normalizeTrustPolicyDoc({
+    ...doc,
+    task_policy: {
+      ...doc.task_policy,
+      enabled: true,
+      rules: [
+        { match: recommendation.match, action: recommendation.action },
+        ...doc.task_policy.rules.filter((rule) => rule.match !== recommendation.match)
+      ]
+    }
+  });
+}
+function summarizeTrustPolicyAudit(events) {
+  return buildSummaryFromEvents(events);
+}
+
+// src/trust-policy-recommendations.ts
+function getTrustRecommendationActionLabel(recommendation) {
+  if (recommendation.status === "dismissed" || recommendation.status === "superseded") {
+    return "Reopen";
+  }
+  if (recommendation.status === "applied") {
+    return "Applied";
+  }
+  if (recommendation.policy === "contact") {
+    if (recommendation.action === "approve") return "Approve + remember sender";
+    if (recommendation.action === "manual") return "Keep contact manual";
+    if (recommendation.action === "reject") return "Block this sender";
+  }
+  if (recommendation.policy === "task") {
+    if (recommendation.action === "bridge") return "Keep tasks manual";
+    if (recommendation.action === "execute") return "Allow tasks from this sender";
+    if (recommendation.action === "deny") return "Block tasks from this sender";
+  }
+  return `${recommendation.policy}:${recommendation.action}`;
+}
+function rowToRecommendation(row) {
+  return {
+    id: row.id,
+    policy: row.policy,
+    remote_did: row.remote_did,
+    match: row.match,
+    action: row.action,
+    current_action: row.current_action,
+    confidence: row.confidence,
+    reason: row.reason,
+    signals: JSON.parse(row.signals_json),
+    status: row.status,
+    first_seen_at: row.first_seen_at,
+    last_seen_at: row.last_seen_at,
+    updated_at: row.updated_at,
+    last_state_change_at: row.last_state_change_at ?? void 0,
+    applied_at: row.applied_at ?? void 0,
+    dismissed_at: row.dismissed_at ?? void 0
+  };
+}
+var TrustRecommendationManager = class {
+  constructor(store) {
+    this.store = store;
+  }
+  upsertRecommendation(recommendation, now, opts) {
+    const existing = this.get(recommendation.id);
+    const status = opts?.status ?? (opts?.preserveState !== false ? existing?.status : void 0) ?? (recommendation.current_action === recommendation.action ? "applied" : "open");
+    const lastStateChangeAt = existing?.status !== status ? now : existing?.last_state_change_at ?? now;
+    const appliedAt = status === "applied" ? existing?.applied_at ?? now : void 0;
+    const dismissedAt = status === "dismissed" ? existing?.dismissed_at ?? now : void 0;
+    this.store.getDb().prepare(`
+      INSERT INTO trust_policy_recommendations (
+        id, policy, remote_did, match, action, current_action, confidence, reason, signals_json,
+        status, first_seen_at, last_seen_at, updated_at, last_state_change_at, applied_at, dismissed_at
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+      ON CONFLICT(id) DO UPDATE SET
+        policy = excluded.policy,
+        remote_did = excluded.remote_did,
+        match = excluded.match,
+        action = excluded.action,
+        current_action = excluded.current_action,
+        confidence = excluded.confidence,
+        reason = excluded.reason,
+        signals_json = excluded.signals_json,
+        status = excluded.status,
+        last_seen_at = excluded.last_seen_at,
+        updated_at = excluded.updated_at,
+        last_state_change_at = excluded.last_state_change_at,
+        applied_at = COALESCE(excluded.applied_at, trust_policy_recommendations.applied_at),
+        dismissed_at = COALESCE(excluded.dismissed_at, trust_policy_recommendations.dismissed_at)
+    `).run(
+      recommendation.id,
+      recommendation.policy,
+      recommendation.remote_did,
+      recommendation.match,
+      recommendation.action,
+      recommendation.current_action,
+      recommendation.confidence,
+      recommendation.reason,
+      JSON.stringify(recommendation.signals),
+      status,
+      existing?.first_seen_at ?? now,
+      now,
+      now,
+      lastStateChangeAt,
+      appliedAt ?? null,
+      dismissedAt ?? null
+    );
+    return this.get(recommendation.id);
+  }
+  sync(input) {
+    const now = Date.now();
+    const computed = buildTrustPolicyRecommendations({
+      policyDoc: input.policyDoc,
+      sessions: input.sessions,
+      tasks: input.tasks,
+      auditEvents: input.auditEvents,
+      runtimeMode: input.runtimeMode,
+      limit: input.limit ?? 50
+    });
+    const activeIds = /* @__PURE__ */ new Set();
+    const synced = [];
+    for (const recommendation of computed) {
+      activeIds.add(recommendation.id);
+      synced.push(this.upsertRecommendation(recommendation, now));
+    }
+    const openRows = this.store.getDb().prepare("SELECT id FROM trust_policy_recommendations WHERE status = ?").all("open");
+    for (const row of openRows) {
+      if (!activeIds.has(row.id)) {
+        this.store.getDb().prepare("UPDATE trust_policy_recommendations SET status = ?, updated_at = ?, last_state_change_at = ? WHERE id = ?").run("superseded", now, now, row.id);
+      }
+    }
+    return this.list({ limit: input.limit ?? 50 });
+  }
+  get(id) {
+    const row = this.store.getDb().prepare("SELECT * FROM trust_policy_recommendations WHERE id = ?").get(id);
+    return row ? rowToRecommendation(row) : null;
+  }
+  list(opts) {
+    const conditions = [];
+    const params = [];
+    if (opts?.status) {
+      const statuses = Array.isArray(opts.status) ? opts.status : [opts.status];
+      conditions.push(`status IN (${statuses.map(() => "?").join(",")})`);
+      params.push(...statuses);
+    }
+    if (opts?.remoteDid) {
+      conditions.push("remote_did = ?");
+      params.push(opts.remoteDid);
+    }
+    const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
+    const rows = this.store.getDb().prepare(`SELECT * FROM trust_policy_recommendations ${where} ORDER BY updated_at DESC, last_seen_at DESC LIMIT ?`).all(...params, opts?.limit ?? 50);
+    return rows.map(rowToRecommendation);
+  }
+  apply(id) {
+    const existing = this.get(id);
+    if (!existing) return null;
+    const now = Date.now();
+    this.store.getDb().prepare("UPDATE trust_policy_recommendations SET status = ?, updated_at = ?, last_state_change_at = ?, applied_at = ? WHERE id = ?").run("applied", now, now, now, id);
+    return this.get(id);
+  }
+  dismiss(id) {
+    const existing = this.get(id);
+    if (!existing) return null;
+    const now = Date.now();
+    this.store.getDb().prepare("UPDATE trust_policy_recommendations SET status = ?, updated_at = ?, last_state_change_at = ?, dismissed_at = ? WHERE id = ?").run("dismissed", now, now, now, id);
+    return this.get(id);
+  }
+  reopen(id) {
+    const existing = this.get(id);
+    if (!existing) return null;
+    const now = Date.now();
+    this.store.getDb().prepare("UPDATE trust_policy_recommendations SET status = ?, updated_at = ?, last_state_change_at = ? WHERE id = ?").run("open", now, now, id);
+    return this.get(id);
+  }
+  summarize() {
+    const rows = this.store.getDb().prepare("SELECT status, COUNT(*) AS count FROM trust_policy_recommendations GROUP BY status").all();
+    const byStatus = {};
+    let total = 0;
+    for (const row of rows) {
+      byStatus[row.status] = row.count;
+      total += row.count;
+    }
+    return { total, by_status: byStatus };
+  }
+};
+
+// src/a2a-adapter.ts
+import {
+  A2AClient
+} from "@pingagent/a2a";
+var A2AAdapter = class {
+  client;
+  cachedCard = null;
+  constructor(opts) {
+    this.client = new A2AClient({
+      agentUrl: opts.agentUrl,
+      authToken: opts.authToken ? `Bearer ${opts.authToken}` : void 0,
+      timeoutMs: opts.timeoutMs
+    });
+  }
+  async getAgentCard() {
+    if (!this.cachedCard) {
+      this.cachedCard = await this.client.fetchAgentCard();
+    }
+    return this.cachedCard;
+  }
+  /**
+   * Send a task to the external A2A agent and optionally wait for completion.
+   */
+  async sendTask(opts) {
+    const parts = [];
+    parts.push({ kind: "text", text: opts.title });
+    if (opts.description) {
+      parts.push({ kind: "text", text: opts.description });
+    }
+    if (opts.input) {
+      parts.push({
+        kind: "data",
+        data: typeof opts.input === "object" ? opts.input : { value: opts.input }
+      });
+    }
+    const messageId = `msg_${Date.now()}_${Math.random().toString(36).slice(2, 8)}`;
+    const message = {
+      kind: "message",
+      messageId,
+      role: "user",
+      parts
+    };
+    if (opts.wait) {
+      const task = await this.client.sendAndWait(
+        { message, configuration: { blocking: true } },
+        { maxPollMs: opts.timeoutMs ?? 12e4 }
+      );
+      return this.convertTask(task);
+    }
+    const result = await this.client.sendMessage({ message });
+    if (result.kind === "task") {
+      return this.convertTask(result);
+    }
+    return {
+      taskId: result.messageId,
+      state: "completed",
+      summary: this.extractText(result.parts)
+    };
+  }
+  async getTaskStatus(taskId) {
+    const task = await this.client.getTask(taskId);
+    return this.convertTask(task);
+  }
+  async cancelTask(taskId) {
+    const task = await this.client.cancelTask(taskId);
+    return this.convertTask(task);
+  }
+  async sendText(text, opts) {
+    const result = await this.client.sendText(text, { blocking: opts?.blocking });
+    if (result.kind === "task") {
+      return this.convertTask(result);
+    }
+    return {
+      taskId: result.messageId,
+      state: "completed",
+      summary: this.extractText(result.parts)
+    };
+  }
+  convertTask(task) {
+    const summary = task.artifacts?.flatMap((a) => a.parts).filter((p) => p.kind === "text").map((p) => p.text).join("\n");
+    const output = task.artifacts?.flatMap((a) => a.parts).filter((p) => p.kind === "data").map((p) => p.data);
+    return {
+      taskId: task.id,
+      contextId: task.contextId,
+      state: task.status.state,
+      summary: summary || void 0,
+      output: output && output.length > 0 ? output.length === 1 ? output[0] : output : void 0,
+      timestamp: task.status.timestamp
+    };
+  }
+  extractText(parts) {
+    return parts.filter((p) => p.kind === "text").map((p) => p.text).join("\n") || void 0;
+  }
+};
+
+// src/ws-subscription.ts
+import WebSocket from "ws";
+var RECONNECT_BASE_MS = 1e3;
+var RECONNECT_MAX_MS = 3e4;
+var RECONNECT_JITTER = 0.2;
+var LIST_CONVERSATIONS_INTERVAL_MS = 6e4;
+var DEFAULT_HEARTBEAT = {
+  enable: true,
+  idleThresholdMs: 1e4,
+  pingIntervalMs: 15e3,
+  pongTimeoutMs: 1e4,
+  maxMissedPongs: 2,
+  tickMs: 5e3,
+  jitter: 0.2
+};
+var WsSubscription = class {
+  opts;
+  connections = /* @__PURE__ */ new Map();
+  reconnectTimers = /* @__PURE__ */ new Map();
+  reconnectAttempts = /* @__PURE__ */ new Map();
+  listInterval = null;
+  stopped = false;
+  /** Conversation IDs that were explicitly stopped (e.g. revoke); do not reconnect. */
+  stoppedConversations = /* @__PURE__ */ new Set();
+  lastParseErrorAtByConv = /* @__PURE__ */ new Map();
+  lastFrameAtByConv = /* @__PURE__ */ new Map();
+  heartbeatTimer = null;
+  heartbeatStates = /* @__PURE__ */ new Map();
+  constructor(opts) {
+    this.opts = opts;
+  }
+  start() {
+    this.stopped = false;
+    this.connectAll();
+    this.listInterval = setInterval(() => this.syncConnections(), LIST_CONVERSATIONS_INTERVAL_MS);
+    const hb = this.opts.heartbeat ?? {};
+    if (hb.enable ?? DEFAULT_HEARTBEAT.enable) {
+      this.heartbeatTimer = setInterval(() => this.heartbeatTick(), hb.tickMs ?? DEFAULT_HEARTBEAT.tickMs);
+    }
+  }
+  stop() {
+    this.stopped = true;
+    if (this.listInterval) {
+      clearInterval(this.listInterval);
+      this.listInterval = null;
+    }
+    if (this.heartbeatTimer) {
+      clearInterval(this.heartbeatTimer);
+      this.heartbeatTimer = null;
+    }
+    for (const timer of this.reconnectTimers.values()) {
+      clearTimeout(timer);
+    }
+    this.reconnectTimers.clear();
+    for (const [convId, ws] of this.connections) {
+      ws.removeAllListeners();
+      if (ws.readyState === WebSocket.OPEN || ws.readyState === WebSocket.CONNECTING) {
+        ws.close();
+      }
+      this.connections.delete(convId);
+    }
+    this.reconnectAttempts.clear();
+    this.stoppedConversations.clear();
+    this.lastParseErrorAtByConv.clear();
+    this.lastFrameAtByConv.clear();
+    for (const state of this.heartbeatStates.values()) {
+      if (state.pongTimeout) clearTimeout(state.pongTimeout);
+    }
+    this.heartbeatStates.clear();
+  }
+  /**
+   * Stop a single conversation's WebSocket and do not reconnect.
+   * Used when the conversation is revoked or the client no longer wants to subscribe.
+   */
+  stopConversation(conversationId) {
+    this.stoppedConversations.add(conversationId);
+    const timer = this.reconnectTimers.get(conversationId);
+    if (timer) {
+      clearTimeout(timer);
+      this.reconnectTimers.delete(conversationId);
+    }
+    const hbState = this.heartbeatStates.get(conversationId);
+    if (hbState?.pongTimeout) clearTimeout(hbState.pongTimeout);
+    this.heartbeatStates.delete(conversationId);
+    const ws = this.connections.get(conversationId);
+    if (ws) {
+      ws.removeAllListeners();
+      if (ws.readyState === WebSocket.OPEN || ws.readyState === WebSocket.CONNECTING) {
+        ws.close();
+      }
+      this.connections.delete(conversationId);
+    }
+    this.lastParseErrorAtByConv.delete(conversationId);
+    this.lastFrameAtByConv.delete(conversationId);
+  }
+  wsUrl(conversationId) {
+    const base = this.opts.serverUrl.replace(/^http/, "ws").replace(/\/$/, "");
+    return `${base}/v1/ws?conversation_id=${encodeURIComponent(conversationId)}`;
+  }
+  async connectAsync(conversationId) {
+    if (this.stopped || this.stoppedConversations.has(conversationId) || this.connections.has(conversationId)) return;
+    const token = await Promise.resolve(this.opts.getAccessToken());
+    const url = this.wsUrl(conversationId);
+    const ws = new WebSocket(url, {
+      headers: { Authorization: `Bearer ${token}` }
+    });
+    this.connections.set(conversationId, ws);
+    const hb = this.opts.heartbeat ?? {};
+    const hbEnabled = hb.enable ?? DEFAULT_HEARTBEAT.enable;
+    if (hbEnabled) {
+      const now = Date.now();
+      this.heartbeatStates.set(conversationId, {
+        lastRxAt: now,
+        lastPingAt: 0,
+        nextPingAt: now + (hb.idleThresholdMs ?? DEFAULT_HEARTBEAT.idleThresholdMs),
+        missedPongs: 0,
+        pongTimeout: null
+      });
+    }
+    ws.on("open", () => {
+      this.reconnectAttempts.set(conversationId, 0);
+      this.opts.onOpen?.(conversationId);
+    });
+    ws.on("message", (data) => {
+      try {
+        const state = this.heartbeatStates.get(conversationId);
+        if (state) {
+          state.lastRxAt = Date.now();
+          state.missedPongs = 0;
+          if (state.pongTimeout) {
+            clearTimeout(state.pongTimeout);
+            state.pongTimeout = null;
+          }
+        }
+        const rawText = typeof data === "string" ? data : Buffer.isBuffer(data) ? data.toString() : Array.isArray(data) ? Buffer.concat(data).toString() : data instanceof ArrayBuffer ? Buffer.from(new Uint8Array(data)).toString() : (
+          // Fallback: try best-effort stringification
+          String(data)
+        );
+        this.lastFrameAtByConv.set(conversationId, Date.now());
+        const msg = JSON.parse(rawText);
+        if (msg.type === "ws_connected") {
+          this.opts.onDebug?.({
+            event: "ws_connected",
+            conversationId,
+            detail: {
+              your_did: msg.your_did,
+              server_ts_ms: msg.server_ts_ms,
+              conversation_id: msg.conversation_id
+            }
+          });
+        } else if (msg.type === "ws_message" && msg.envelope) {
+          const env = msg.envelope;
+          const ignoreSelf = this.opts.ignoreSelfMessages ?? true;
+          if (!ignoreSelf || env.sender_did !== this.opts.myDid) {
+            Promise.resolve(this.opts.onMessage(env, conversationId)).catch((error) => {
+              this.opts.onError?.(error instanceof Error ? error : new Error(String(error)));
+            });
+          } else {
+            this.opts.onDebug?.({
+              event: "ws_message_ignored_self",
+              conversationId,
+              detail: { sender_did: env.sender_did, message_id: env.message_id, seq: env.seq }
+            });
+          }
+        } else if (msg.type === "ws_control" && msg.control) {
+          this.opts.onControl?.(msg.control, conversationId);
+          this.opts.onDebug?.({ event: "ws_control", conversationId, detail: msg.control });
+        } else if (msg.type === "ws_receipt" && msg.receipt) {
+          this.opts.onDebug?.({ event: "ws_receipt", conversationId, detail: msg.receipt });
+        } else if (msg?.type) {
+          this.opts.onDebug?.({ event: "ws_unknown_type", conversationId, detail: { type: msg.type } });
+        }
+      } catch (e) {
+        const now = Date.now();
+        const last = this.lastParseErrorAtByConv.get(conversationId) ?? 0;
+        if (now - last > 3e4) {
+          this.lastParseErrorAtByConv.set(conversationId, now);
+          this.opts.onDebug?.({
+            event: "ws_parse_error",
+            conversationId,
+            detail: {
+              message: e?.message ?? String(e),
+              last_frame_at_ms: this.lastFrameAtByConv.get(conversationId) ?? null
+            }
+          });
+        }
+      }
+    });
+    ws.on("pong", () => {
+      const state = this.heartbeatStates.get(conversationId);
+      if (!state) return;
+      state.lastRxAt = Date.now();
+      state.missedPongs = 0;
+      if (state.pongTimeout) {
+        clearTimeout(state.pongTimeout);
+        state.pongTimeout = null;
+      }
+    });
+    ws.on("close", () => {
+      this.connections.delete(conversationId);
+      const state = this.heartbeatStates.get(conversationId);
+      if (state?.pongTimeout) clearTimeout(state.pongTimeout);
+      this.heartbeatStates.delete(conversationId);
+      if (!this.stopped && !this.stoppedConversations.has(conversationId)) {
+        this.scheduleReconnect(conversationId);
+      }
+    });
+    ws.on("error", (err) => {
+      this.opts.onError?.(err);
+    });
+  }
+  heartbeatTick() {
+    const hb = this.opts.heartbeat ?? {};
+    const hbEnabled = hb.enable ?? DEFAULT_HEARTBEAT.enable;
+    if (!hbEnabled) return;
+    const idleThresholdMs = hb.idleThresholdMs ?? DEFAULT_HEARTBEAT.idleThresholdMs;
+    const pingIntervalMs = hb.pingIntervalMs ?? DEFAULT_HEARTBEAT.pingIntervalMs;
+    const pongTimeoutMs = hb.pongTimeoutMs ?? DEFAULT_HEARTBEAT.pongTimeoutMs;
+    const maxMissedPongs = hb.maxMissedPongs ?? DEFAULT_HEARTBEAT.maxMissedPongs;
+    const jitter = hb.jitter ?? DEFAULT_HEARTBEAT.jitter;
+    const now = Date.now();
+    for (const [conversationId, ws] of this.connections) {
+      if (ws.readyState !== WebSocket.OPEN) continue;
+      const state = this.heartbeatStates.get(conversationId);
+      if (!state) continue;
+      if (state.pongTimeout) continue;
+      const idleFor = now - state.lastRxAt;
+      if (idleFor < idleThresholdMs) continue;
+      if (now < state.nextPingAt) continue;
+      if (state.lastPingAt !== 0 && now - state.lastPingAt < pingIntervalMs * 0.5) {
+        continue;
+      }
+      try {
+        ws.send(JSON.stringify({ type: "hb" }));
+      } catch {
+      }
+      ws.ping();
+      state.lastPingAt = now;
+      const jitterFactor = 1 + (Math.random() - 0.5) * 2 * jitter;
+      state.nextPingAt = now + Math.max(1e3, pingIntervalMs * jitterFactor);
+      state.pongTimeout = setTimeout(() => {
+        state.missedPongs += 1;
+        state.pongTimeout = null;
+        if (state.missedPongs >= maxMissedPongs) {
+          try {
+            ws.close(1001, "pong timeout");
+          } catch {
+          }
+        }
+      }, pongTimeoutMs);
+    }
+  }
+  scheduleReconnect(conversationId) {
+    if (this.reconnectTimers.has(conversationId)) return;
+    const attempt = this.reconnectAttempts.get(conversationId) ?? 0;
+    this.reconnectAttempts.set(conversationId, attempt + 1);
+    const tryConnect = () => {
+      this.reconnectTimers.delete(conversationId);
+      if (this.stopped) return;
+      void this.connectAsync(conversationId);
+    };
+    const delay = Math.min(
+      RECONNECT_BASE_MS * Math.pow(2, attempt) + (Math.random() - 0.5) * RECONNECT_JITTER * RECONNECT_BASE_MS,
+      RECONNECT_MAX_MS
+    );
+    const timer = setTimeout(tryConnect, delay);
+    this.reconnectTimers.set(conversationId, timer);
+  }
+  isSubscribableConversationType(type) {
+    return type === "dm" || type === "pending_dm" || type === "channel" || type === "group";
+  }
+  async connectAll() {
+    try {
+      const convos = await this.opts.listConversations();
+      const subscribable = convos.filter((c) => this.isSubscribableConversationType(c.type));
+      for (const c of subscribable) {
+        void this.connectAsync(c.conversation_id);
+      }
+    } catch (err) {
+      this.opts.onError?.(err instanceof Error ? err : new Error(String(err)));
+    }
+  }
+  async syncConnections() {
+    if (this.stopped) return;
+    try {
+      const convos = await this.opts.listConversations();
+      const subscribableIds = new Set(
+        convos.filter((c) => this.isSubscribableConversationType(c.type)).map((c) => c.conversation_id)
+      );
+      for (const convId of subscribableIds) {
+        if (!this.stoppedConversations.has(convId) && !this.connections.has(convId)) {
+          void this.connectAsync(convId);
+        }
+      }
+      for (const convId of this.connections.keys()) {
+        if (!subscribableIds.has(convId) || this.stoppedConversations.has(convId)) {
+          const ws = this.connections.get(convId);
+          if (ws) {
+            ws.removeAllListeners();
+            ws.close();
+            this.connections.delete(convId);
+          }
+        }
+      }
+    } catch {
+    }
+  }
+};
+
+// src/openclaw-session-bindings.ts
+import * as fs3 from "fs";
+import * as os2 from "os";
+import * as path4 from "path";
+function resolvePath(p) {
+  if (!p) return null;
+  if (p.startsWith("~")) return path4.join(os2.homedir(), p.slice(1));
+  return path4.resolve(p);
+}
+function ensureDirForFile(filePath) {
+  const dir = path4.dirname(filePath);
+  if (!fs3.existsSync(dir)) fs3.mkdirSync(dir, { recursive: true });
+}
+function getDefaultActiveSessionFile() {
+  return path4.join(os2.homedir(), ".openclaw", "workspace", "ACTIVE_GROUP.md");
+}
+function getDefaultIngressStorePath() {
+  return path4.join(os2.homedir(), ".openclaw", "pingagent-im-ingress", "messages.jsonl");
+}
+function getDefaultSessionMapPath(storePath) {
+  const base = resolvePath(storePath) || getDefaultIngressStorePath();
+  return path4.join(path4.dirname(base), "session-map.json");
+}
+function getDefaultSessionBindingAlertsPath(storePath) {
+  const base = resolvePath(storePath) || getDefaultIngressStorePath();
+  return path4.join(path4.dirname(base), "session-map-alerts.json");
+}
+function getActiveSessionFilePath() {
+  return resolvePath(process.env.IM_INGRESS_ACTIVE_GROUP_FILE?.trim()) || getDefaultActiveSessionFile();
+}
+function getSessionMapFilePath() {
+  return resolvePath(process.env.IM_INGRESS_SESSION_MAP_FILE?.trim()) || getDefaultSessionMapPath(process.env.IM_INGRESS_STORE_PATH?.trim());
+}
+function getSessionBindingAlertsFilePath() {
+  return resolvePath(process.env.IM_INGRESS_SESSION_BINDING_ALERTS_FILE?.trim()) || getDefaultSessionBindingAlertsPath(process.env.IM_INGRESS_STORE_PATH?.trim());
+}
+function readCurrentActiveSessionKey(filePath = getActiveSessionFilePath()) {
+  try {
+    if (!fs3.existsSync(filePath)) return null;
+    const raw = fs3.readFileSync(filePath, "utf-8");
+    const first = String(raw ?? "").split(/\r?\n/).map((s) => s.trim()).filter(Boolean)[0];
+    return first || null;
+  } catch {
+    return null;
+  }
+}
+function readSessionBindings(filePath = getSessionMapFilePath()) {
+  try {
+    if (!fs3.existsSync(filePath)) return [];
+    const raw = JSON.parse(fs3.readFileSync(filePath, "utf-8"));
+    return Object.entries(raw ?? {}).map(([conversation_id, session_key]) => ({
+      conversation_id: String(conversation_id ?? "").trim(),
+      session_key: String(session_key ?? "").trim()
+    })).filter((row) => row.conversation_id && row.session_key).sort((a, b) => a.conversation_id.localeCompare(b.conversation_id));
+  } catch {
+    return [];
+  }
+}
+function writeSessionBindings(entries, filePath = getSessionMapFilePath()) {
+  ensureDirForFile(filePath);
+  const obj = Object.fromEntries(
+    entries.filter((row) => row.conversation_id && row.session_key).map((row) => [row.conversation_id, row.session_key])
+  );
+  fs3.writeFileSync(filePath, JSON.stringify(obj, null, 2), "utf-8");
+  return filePath;
+}
+function setSessionBinding(conversationId, sessionKey, filePath = getSessionMapFilePath()) {
+  const entries = readSessionBindings(filePath).filter((row) => row.conversation_id !== conversationId);
+  const binding = { conversation_id: conversationId, session_key: sessionKey };
+  entries.push(binding);
+  writeSessionBindings(entries, filePath);
+  clearSessionBindingAlert(conversationId);
+  return { path: filePath, binding };
+}
+function removeSessionBinding(conversationId, filePath = getSessionMapFilePath()) {
+  const entries = readSessionBindings(filePath);
+  const next = entries.filter((row) => row.conversation_id !== conversationId);
+  const removed = next.length !== entries.length;
+  if (removed) writeSessionBindings(next, filePath);
+  clearSessionBindingAlert(conversationId);
+  return { path: filePath, removed };
+}
+function readSessionBindingAlerts(filePath = getSessionBindingAlertsFilePath()) {
+  try {
+    if (!fs3.existsSync(filePath)) return [];
+    const raw = JSON.parse(fs3.readFileSync(filePath, "utf-8"));
+    return Object.entries(raw ?? {}).map(([conversation_id, value]) => {
+      const row = value;
+      return {
+        conversation_id: String(conversation_id ?? "").trim(),
+        session_key: String(row?.session_key ?? "").trim(),
+        status: "missing_session",
+        message: String(row?.message ?? "").trim(),
+        detected_at: String(row?.detected_at ?? "").trim()
+      };
+    }).filter((row) => row.conversation_id && row.session_key && row.message).sort((a, b) => a.conversation_id.localeCompare(b.conversation_id));
+  } catch {
+    return [];
+  }
+}
+function writeSessionBindingAlerts(entries, filePath = getSessionBindingAlertsFilePath()) {
+  ensureDirForFile(filePath);
+  const obj = Object.fromEntries(
+    entries.map((row) => [row.conversation_id, {
+      session_key: row.session_key,
+      status: row.status,
+      message: row.message,
+      detected_at: row.detected_at
+    }])
+  );
+  fs3.writeFileSync(filePath, JSON.stringify(obj, null, 2), "utf-8");
+  return filePath;
+}
+function upsertSessionBindingAlert(alert, filePath = getSessionBindingAlertsFilePath()) {
+  const entries = readSessionBindingAlerts(filePath).filter((row) => row.conversation_id !== alert.conversation_id);
+  entries.push(alert);
+  writeSessionBindingAlerts(entries, filePath);
+  return { path: filePath, alert };
+}
+function clearSessionBindingAlert(conversationId, filePath = getSessionBindingAlertsFilePath()) {
+  const entries = readSessionBindingAlerts(filePath);
+  const next = entries.filter((row) => row.conversation_id !== conversationId);
+  const removed = next.length !== entries.length;
+  if (removed) writeSessionBindingAlerts(next, filePath);
+  return { path: filePath, removed };
+}
+
+// src/openclaw-runtime.ts
+import * as fs4 from "fs";
+import * as os3 from "os";
+import * as path5 from "path";
+function resolvePath2(p) {
+  if (!p) return null;
+  if (p.startsWith("~")) return path5.join(os3.homedir(), p.slice(1));
+  return path5.resolve(p);
+}
+function getDefaultIngressRuntimeStatusPath(storePath) {
+  const base = resolvePath2(storePath) || path5.join(os3.homedir(), ".openclaw", "pingagent-im-ingress", "messages.jsonl");
+  return path5.join(path5.dirname(base), "runtime-status.json");
+}
+function getIngressRuntimeStatusFilePath() {
+  return resolvePath2(process.env.IM_INGRESS_RUNTIME_STATUS_FILE?.trim()) || getDefaultIngressRuntimeStatusPath(process.env.IM_INGRESS_STORE_PATH?.trim());
+}
+function readIngressRuntimeStatus(filePath = getIngressRuntimeStatusFilePath()) {
+  try {
+    if (!fs4.existsSync(filePath)) return null;
+    const raw = JSON.parse(fs4.readFileSync(filePath, "utf-8"));
+    return {
+      receive_mode: raw?.receive_mode === "polling_degraded" ? "polling_degraded" : "webhook",
+      reason: raw?.reason ? String(raw.reason) : null,
+      hooks_url: raw?.hooks_url ? String(raw.hooks_url) : null,
+      hooks_last_error: raw?.hooks_last_error ? String(raw.hooks_last_error) : null,
+      hooks_last_error_at: raw?.hooks_last_error_at ? String(raw.hooks_last_error_at) : null,
+      hooks_last_probe_ok_at: raw?.hooks_last_probe_ok_at ? String(raw.hooks_last_probe_ok_at) : null,
+      fallback_last_injected_at: raw?.fallback_last_injected_at ? String(raw.fallback_last_injected_at) : null,
+      fallback_last_injected_conversation_id: raw?.fallback_last_injected_conversation_id ? String(raw.fallback_last_injected_conversation_id) : null,
+      active_work_session: raw?.active_work_session ? String(raw.active_work_session) : null,
+      sessions_send_available: raw?.sessions_send_available === true,
+      hooks_fix_hint: raw?.hooks_fix_hint ? String(raw.hooks_fix_hint) : null,
+      status_updated_at: raw?.status_updated_at ? String(raw.status_updated_at) : null
+    };
+  } catch {
+    return null;
+  }
+}
+
+export {
+  HttpTransport,
+  getRootDir,
+  getProfile,
+  getIdentityPath,
+  getStorePath,
+  ensureIdentityEncryptionKeys,
+  generateIdentity,
+  identityExists,
+  loadIdentity,
+  saveIdentity,
+  updateStoredToken,
+  ContactManager,
+  HistoryManager,
+  previewFromPayload,
+  buildSessionKey,
+  SessionManager,
+  buildSessionSummaryHandoffText,
+  SessionSummaryManager,
+  TaskThreadManager,
+  TaskHandoffManager,
+  normalizeCapabilityCard,
+  capabilityCardToLegacyCapabilities,
+  formatCapabilityCardSummary,
+  isEncryptedPayload,
+  shouldEncryptConversationPayload,
+  encryptPayloadForRecipients,
+  decryptPayloadForIdentity,
+  PingAgentClient,
+  ensureTokenValid,
+  LocalStore,
+  defaultTrustPolicyDoc,
+  normalizeTrustPolicyDoc,
+  matchesTrustPolicyRule,
+  decideContactPolicy,
+  decideTaskPolicy,
+  TrustPolicyAuditManager,
+  buildTrustPolicyRecommendations,
+  upsertTrustPolicyRecommendation,
+  summarizeTrustPolicyAudit,
+  getTrustRecommendationActionLabel,
+  TrustRecommendationManager,
+  A2AAdapter,
+  WsSubscription,
+  getActiveSessionFilePath,
+  getSessionMapFilePath,
+  getSessionBindingAlertsFilePath,
+  readCurrentActiveSessionKey,
+  readSessionBindings,
+  writeSessionBindings,
+  setSessionBinding,
+  removeSessionBinding,
+  readSessionBindingAlerts,
+  writeSessionBindingAlerts,
+  upsertSessionBindingAlert,
+  clearSessionBindingAlert,
+  getIngressRuntimeStatusFilePath,
+  readIngressRuntimeStatus
+};