@poolzin/pool-bot 2026.2.0 → 2026.2.2

package/dist/commands/onboard-skills.js

@@ -1,6 +1,7 @@
 import { installSkill } from "../agents/skills-install.js";
 import { buildWorkspaceSkillStatus } from "../agents/skills-status.js";
 import { formatCliCommand } from "../cli/command-format.js";
+import { normalizeSecretInput } from "../utils/normalize-secret-input.js";
 import { detectBinary, resolveNodeManagerOptions } from "./onboard-helpers.js";
 function summarizeInstallFailure(message) {
     const cleaned = message.replace(/^Install failed(?:\s*\([^)]*\))?\s*:?\s*/i, "").trim();
@@ -33,14 +34,13 @@ function upsertSkillEntry(cfg, skillKey, patch) {
 export async function setupSkills(cfg, workspaceDir, runtime, prompter) {
     const report = buildWorkspaceSkillStatus(workspaceDir, { config: cfg });
     const eligible = report.skills.filter((s) => s.eligible);
-    const missing = report.skills.filter((s) => !s.eligible && !s.disabled && !s.blockedByAllowlist);
+    const unsupportedOs = report.skills.filter((s) => !s.disabled && !s.blockedByAllowlist && s.missing.os.length > 0);
+    const missing = report.skills.filter((s) => !s.eligible && !s.disabled && !s.blockedByAllowlist && s.missing.os.length === 0);
     const blocked = report.skills.filter((s) => s.blockedByAllowlist);
-    const needsBrewPrompt = process.platform !== "win32" &&
-        report.skills.some((skill) => skill.install.some((option) => option.kind === "brew")) &&
-        !(await detectBinary("brew"));
     await prompter.note([
         `Eligible: ${eligible.length}`,
         `Missing requirements: ${missing.length}`,
+        `Unsupported on this OS: ${unsupportedOs.length}`,
         `Blocked by allowlist: ${blocked.length}`,
     ].join("\n"), "Skills status");
     const shouldConfigure = await prompter.confirm({
@@ -49,36 +49,7 @@ export async function setupSkills(cfg, workspaceDir, runtime, prompter) {
     });
     if (!shouldConfigure)
         return cfg;
-    if (needsBrewPrompt) {
-        await prompter.note([
-            "Many skill dependencies are shipped via Homebrew.",
-            "Without brew, you'll need to build from source or download releases manually.",
-        ].join("\n"), "Homebrew recommended");
-        const showBrewInstall = await prompter.confirm({
-            message: "Show Homebrew install command?",
-            initialValue: true,
-        });
-        if (showBrewInstall) {
-            await prompter.note([
-                "Run:",
-                '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
-            ].join("\n"), "Homebrew install");
-        }
-    }
-    const nodeManager = (await prompter.select({
-        message: "Preferred node manager for skill installs",
-        options: resolveNodeManagerOptions(),
-    }));
-    let next = {
-        ...cfg,
-        skills: {
-            ...cfg.skills,
-            install: {
-                ...cfg.skills?.install,
-                nodeManager,
-            },
-        },
-    };
+    let next = cfg;
     const installable = missing.filter((skill) => skill.install.length > 0 && skill.missing.bins.length > 0);
     if (installable.length > 0) {
         const toInstall = await prompter.multiselect({
@@ -96,8 +67,50 @@ export async function setupSkills(cfg, workspaceDir, runtime, prompter) {
                 })),
             ],
         });
-        const selected = toInstall.filter((name) => name !== "__skip__");
-        for (const name of selected) {
+        const selectedSkills = toInstall.filter((name) => name !== "__skip__");
+        const needsBrewPrompt = process.platform !== "win32" &&
+            selectedSkills.some((name) => {
+                const skill = installable.find((s) => s.name === name);
+                return skill?.install.some((option) => option.kind === "brew");
+            }) &&
+            !(await detectBinary("brew"));
+        if (needsBrewPrompt) {
+            await prompter.note([
+                "Many skill dependencies are shipped via Homebrew.",
+                "Without brew, you'll need to build from source or download releases manually.",
+            ].join("\n"), "Homebrew recommended");
+            const showBrewInstall = await prompter.confirm({
+                message: "Show Homebrew install command?",
+                initialValue: true,
+            });
+            if (showBrewInstall) {
+                await prompter.note([
+                    "Run:",
+                    '/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"',
+                ].join("\n"), "Homebrew install");
+            }
+        }
+        const needsNodeManagerPrompt = selectedSkills.some((name) => {
+            const skill = installable.find((s) => s.name === name);
+            return skill?.install.some((option) => option.kind === "node");
+        });
+        if (needsNodeManagerPrompt) {
+            const nodeManager = (await prompter.select({
+                message: "Preferred node manager for skill installs",
+                options: resolveNodeManagerOptions(),
+            }));
+            next = {
+                ...next,
+                skills: {
+                    ...next.skills,
+                    install: {
+                        ...next.skills?.install,
+                        nodeManager,
+                    },
+                },
+            };
+        }
+        for (const name of selectedSkills) {
             const target = installable.find((s) => s.name === name);
             if (!target || target.install.length === 0)
                 continue;
@@ -111,13 +124,25 @@ export async function setupSkills(cfg, workspaceDir, runtime, prompter) {
                 installId,
                 config: next,
             });
+            const warnings = result.warnings ?? [];
             if (result.ok) {
-                spin.stop(`Installed ${name}`);
+                if (warnings.length > 0) {
+                    spin.stop(`Installed ${name} (${warnings.length} warning${warnings.length === 1 ? "" : "s"})`);
+                    for (const warning of warnings)
+                        runtime.log(`  ⚠ ${warning}`);
+                }
+                else {
+                    spin.stop(`Installed ${name}`);
+                }
             }
             else {
                 const code = result.code == null ? "" : ` (exit ${result.code})`;
                 const detail = summarizeInstallFailure(result.message);
                 spin.stop(`Install failed: ${name}${code}${detail ? ` — ${detail}` : ""}`);
+                if (warnings.length > 0) {
+                    for (const warning of warnings)
+                        runtime.log(`  ⚠ ${warning}`);
+                }
                 if (result.stderr)
                     runtime.log(result.stderr.trim());
                 else if (result.stdout)
@@ -140,7 +165,7 @@ export async function setupSkills(cfg, workspaceDir, runtime, prompter) {
             message: `Enter ${skill.primaryEnv}`,
             validate: (value) => (value?.trim() ? undefined : "Required"),
         }));
-        next = upsertSkillEntry(next, skill.skillKey, { apiKey: apiKey.trim() });
+        next = upsertSkillEntry(next, skill.skillKey, { apiKey: normalizeSecretInput(apiKey) ?? "" });
     }
     return next;
 }

package/dist/commands/openai-model-default.js

@@ -0,0 +1,41 @@
+import { ensureModelAllowlistEntry } from "./model-allowlist.js";
+export const OPENAI_DEFAULT_MODEL = "openai/gpt-5.1-codex";
+export function applyOpenAIProviderConfig(cfg) {
+    const next = ensureModelAllowlistEntry({
+        cfg,
+        modelRef: OPENAI_DEFAULT_MODEL,
+    });
+    const models = { ...next.agents?.defaults?.models };
+    models[OPENAI_DEFAULT_MODEL] = {
+        ...models[OPENAI_DEFAULT_MODEL],
+        alias: models[OPENAI_DEFAULT_MODEL]?.alias ?? "GPT",
+    };
+    return {
+        ...next,
+        agents: {
+            ...next.agents,
+            defaults: {
+                ...next.agents?.defaults,
+                models,
+            },
+        },
+    };
+}
+export function applyOpenAIConfig(cfg) {
+    const next = applyOpenAIProviderConfig(cfg);
+    return {
+        ...next,
+        agents: {
+            ...next.agents,
+            defaults: {
+                ...next.agents?.defaults,
+                model: next.agents?.defaults?.model && typeof next.agents.defaults.model === "object"
+                    ? {
+                        ...next.agents.defaults.model,
+                        primary: OPENAI_DEFAULT_MODEL,
+                    }
+                    : { primary: OPENAI_DEFAULT_MODEL },
+            },
+        },
+    };
+}

package/dist/compat/legacy-names.js

@@ -3,3 +3,5 @@ export const LEGACY_MANIFEST_KEY = LEGACY_PROJECT_NAME;
 export const LEGACY_PLUGIN_MANIFEST_FILENAME = `${LEGACY_PROJECT_NAME}.plugin.json`;
 export const LEGACY_CANVAS_HANDLER_NAME = `${LEGACY_PROJECT_NAME}CanvasA2UIAction`;
 export const LEGACY_MACOS_APP_SOURCES_DIR = "apps/macos/Sources/Pool-Bot";
+// Alias used by conformance tests; points to the actual macOS app sources directory
+export const MACOS_APP_SOURCES_DIR = "apps/macos/Sources/Clawdbot";

package/dist/config/defaults.js

@@ -5,7 +5,7 @@ import { DEFAULT_AGENT_MAX_CONCURRENT, DEFAULT_SUBAGENT_MAX_CONCURRENT } from ".
 let defaultWarnState = { warned: false };
 const DEFAULT_MODEL_ALIASES = {
     // Anthropic (pi-ai catalog uses "latest" ids without date suffix)
-    opus: "anthropic/claude-opus-4-5",
+    opus: "anthropic/claude-opus-4-6",
     sonnet: "anthropic/claude-sonnet-4-5",
     // OpenAI
     gpt: "openai/gpt-5.2",
@@ -145,7 +145,8 @@ export function applyModelDefaults(cfg) {
                 if (raw.contextWindow !== contextWindow)
                     modelMutated = true;
                 const defaultMaxTokens = Math.min(DEFAULT_MODEL_MAX_TOKENS, contextWindow);
-                const maxTokens = isPositiveNumber(raw.maxTokens) ? raw.maxTokens : defaultMaxTokens;
+                const rawMaxTokens = isPositiveNumber(raw.maxTokens) ? raw.maxTokens : defaultMaxTokens;
+                const maxTokens = Math.min(rawMaxTokens, contextWindow);
                 if (raw.maxTokens !== maxTokens)
                     modelMutated = true;
                 if (!modelMutated)

package/dist/config/paths.js

@@ -1,5 +1,7 @@
+import fs from "node:fs";
 import os from "node:os";
 import path from "node:path";
+import { expandHomePrefix, resolveRequiredHomeDir } from "../infra/home-dir.js";
 /**
  * Nix mode detection: When CLAWDBOT_NIX_MODE=1, the gateway is running under Nix.
  * In this mode:
@@ -11,32 +13,73 @@ export function resolveIsNixMode(env = process.env) {
     return env.CLAWDBOT_NIX_MODE === "1";
 }
 export const isNixMode = resolveIsNixMode();
-const LEGACY_STATE_DIRNAME = ".poolbot";
+const LEGACY_STATE_DIRNAMES = [".clawdbot", ".moltbot", ".moldbot"];
 const NEW_STATE_DIRNAME = ".poolbot";
 const CONFIG_FILENAME = "poolbot.json";
-function legacyStateDir(homedir = os.homedir) {
-    return path.join(homedir(), LEGACY_STATE_DIRNAME);
+const LEGACY_CONFIG_FILENAMES = ["clawdbot.json", "moltbot.json", "moldbot.json"];
+function resolveDefaultHomeDir() {
+    return resolveRequiredHomeDir(process.env, os.homedir);
 }
-function newStateDir(homedir = os.homedir) {
+/** Build a homedir thunk that respects CLAWDBOT_HOME for the given env. */
+function envHomedir(env) {
+    return () => resolveRequiredHomeDir(env, os.homedir);
+}
+function legacyStateDirs(homedir = resolveDefaultHomeDir) {
+    return LEGACY_STATE_DIRNAMES.map((dir) => path.join(homedir(), dir));
+}
+function newStateDir(homedir = resolveDefaultHomeDir) {
     return path.join(homedir(), NEW_STATE_DIRNAME);
 }
+export function resolveLegacyStateDir(homedir = resolveDefaultHomeDir) {
+    return legacyStateDirs(homedir)[0] ?? newStateDir(homedir);
+}
+export function resolveLegacyStateDirs(homedir = resolveDefaultHomeDir) {
+    return legacyStateDirs(homedir);
+}
+export function resolveNewStateDir(homedir = resolveDefaultHomeDir) {
+    return newStateDir(homedir);
+}
 /**
  * State directory for mutable data (sessions, logs, caches).
  * Can be overridden via MOLTBOT_STATE_DIR (preferred) or CLAWDBOT_STATE_DIR (legacy).
- * Default: ~/.poolbot (legacy default for compatibility)
+ * Default: ~/.poolbot
  */
-export function resolveStateDir(env = process.env, homedir = os.homedir) {
+export function resolveStateDir(env = process.env, homedir = envHomedir(env)) {
+    const effectiveHomedir = () => resolveRequiredHomeDir(env, homedir);
     const override = env.MOLTBOT_STATE_DIR?.trim() || env.CLAWDBOT_STATE_DIR?.trim();
-    if (override)
-        return resolveUserPath(override);
-    return legacyStateDir(homedir);
+    if (override) {
+        return resolveUserPath(override, env, effectiveHomedir);
+    }
+    const newDir = newStateDir(effectiveHomedir);
+    const legacyDirs = legacyStateDirs(effectiveHomedir);
+    const hasNew = fs.existsSync(newDir);
+    if (hasNew) {
+        return newDir;
+    }
+    const existingLegacy = legacyDirs.find((dir) => {
+        try {
+            return fs.existsSync(dir);
+        }
+        catch {
+            return false;
+        }
+    });
+    if (existingLegacy) {
+        return existingLegacy;
+    }
+    return newDir;
 }
-function resolveUserPath(input) {
+function resolveUserPath(input, env = process.env, homedir = envHomedir(env)) {
     const trimmed = input.trim();
-    if (!trimmed)
+    if (!trimmed) {
         return trimmed;
+    }
     if (trimmed.startsWith("~")) {
-        const expanded = trimmed.replace(/^~(?=$|[\\/])/, os.homedir());
+        const expanded = expandHomePrefix(trimmed, {
+            home: resolveRequiredHomeDir(env, homedir),
+            env,
+            homedir,
+        });
         return path.resolve(expanded);
     }
     return path.resolve(trimmed);
@@ -47,32 +90,88 @@ export const STATE_DIR = resolveStateDir();
  * Can be overridden via MOLTBOT_CONFIG_PATH (preferred) or CLAWDBOT_CONFIG_PATH (legacy).
  * Default: ~/.poolbot/poolbot.json (or $*_STATE_DIR/poolbot.json)
  */
-export function resolveConfigPath(env = process.env, stateDir = resolveStateDir(env, os.homedir)) {
+export function resolveCanonicalConfigPath(env = process.env, stateDir = resolveStateDir(env, envHomedir(env))) {
     const override = env.MOLTBOT_CONFIG_PATH?.trim() || env.CLAWDBOT_CONFIG_PATH?.trim();
-    if (override)
-        return resolveUserPath(override);
+    if (override) {
+        return resolveUserPath(override, env, envHomedir(env));
+    }
     return path.join(stateDir, CONFIG_FILENAME);
 }
-export const CONFIG_PATH = resolveConfigPath();
 /**
- * Resolve default config path candidates across new + legacy locations.
- * Order: explicit config path → state-dir-derived paths → new default → legacy default.
+ * Resolve the active config path by preferring existing config candidates
+ * before falling back to the canonical path.
  */
-export function resolveDefaultConfigCandidates(env = process.env, homedir = os.homedir) {
+export function resolveConfigPathCandidate(env = process.env, homedir = envHomedir(env)) {
+    const candidates = resolveDefaultConfigCandidates(env, homedir);
+    const existing = candidates.find((candidate) => {
+        try {
+            return fs.existsSync(candidate);
+        }
+        catch {
+            return false;
+        }
+    });
+    if (existing) {
+        return existing;
+    }
+    return resolveCanonicalConfigPath(env, resolveStateDir(env, homedir));
+}
+/**
+ * Active config path (prefers existing config files).
+ */
+export function resolveConfigPath(env = process.env, stateDir = resolveStateDir(env, envHomedir(env)), homedir = envHomedir(env)) {
+    const override = env.MOLTBOT_CONFIG_PATH?.trim() || env.CLAWDBOT_CONFIG_PATH?.trim();
+    if (override) {
+        return resolveUserPath(override, env, homedir);
+    }
+    const stateOverride = env.MOLTBOT_STATE_DIR?.trim() || env.CLAWDBOT_STATE_DIR?.trim();
+    const candidates = [
+        path.join(stateDir, CONFIG_FILENAME),
+        ...LEGACY_CONFIG_FILENAMES.map((name) => path.join(stateDir, name)),
+    ];
+    const existing = candidates.find((candidate) => {
+        try {
+            return fs.existsSync(candidate);
+        }
+        catch {
+            return false;
+        }
+    });
+    if (existing) {
+        return existing;
+    }
+    if (stateOverride) {
+        return path.join(stateDir, CONFIG_FILENAME);
+    }
+    const defaultStateDir = resolveStateDir(env, homedir);
+    if (path.resolve(stateDir) === path.resolve(defaultStateDir)) {
+        return resolveConfigPathCandidate(env, homedir);
+    }
+    return path.join(stateDir, CONFIG_FILENAME);
+}
+export const CONFIG_PATH = resolveConfigPathCandidate();
+/**
+ * Resolve default config path candidates across default locations.
+ * Order: explicit config path → state-dir-derived paths → new default.
+ */
+export function resolveDefaultConfigCandidates(env = process.env, homedir = envHomedir(env)) {
+    const effectiveHomedir = () => resolveRequiredHomeDir(env, homedir);
     const explicit = env.MOLTBOT_CONFIG_PATH?.trim() || env.CLAWDBOT_CONFIG_PATH?.trim();
-    if (explicit)
-        return [resolveUserPath(explicit)];
+    if (explicit) {
+        return [resolveUserPath(explicit, env, effectiveHomedir)];
+    }
     const candidates = [];
-    const poolbotStateDir = env.MOLTBOT_STATE_DIR?.trim();
+    const poolbotStateDir = env.MOLTBOT_STATE_DIR?.trim() || env.CLAWDBOT_STATE_DIR?.trim();
     if (poolbotStateDir) {
-        candidates.push(path.join(resolveUserPath(poolbotStateDir), CONFIG_FILENAME));
+        const resolved = resolveUserPath(poolbotStateDir, env, effectiveHomedir);
+        candidates.push(path.join(resolved, CONFIG_FILENAME));
+        candidates.push(...LEGACY_CONFIG_FILENAMES.map((name) => path.join(resolved, name)));
     }
-    const legacyStateDirOverride = env.CLAWDBOT_STATE_DIR?.trim();
-    if (legacyStateDirOverride) {
-        candidates.push(path.join(resolveUserPath(legacyStateDirOverride), CONFIG_FILENAME));
+    const defaultDirs = [newStateDir(effectiveHomedir), ...legacyStateDirs(effectiveHomedir)];
+    for (const dir of defaultDirs) {
+        candidates.push(path.join(dir, CONFIG_FILENAME));
+        candidates.push(...LEGACY_CONFIG_FILENAMES.map((name) => path.join(dir, name)));
     }
-    candidates.push(path.join(newStateDir(homedir), CONFIG_FILENAME));
-    candidates.push(path.join(legacyStateDir(homedir), CONFIG_FILENAME));
     return candidates;
 }
 export const DEFAULT_GATEWAY_PORT = 18789;
@@ -93,28 +192,30 @@ const OAUTH_FILENAME = "oauth.json";
  * Precedence:
  * - `CLAWDBOT_OAUTH_DIR` (explicit override)
  * - `$*_STATE_DIR/credentials` (canonical server/default)
- * - `~/.poolbot/credentials` (legacy default)
  */
-export function resolveOAuthDir(env = process.env, stateDir = resolveStateDir(env, os.homedir)) {
+export function resolveOAuthDir(env = process.env, stateDir = resolveStateDir(env, envHomedir(env))) {
     const override = env.CLAWDBOT_OAUTH_DIR?.trim();
-    if (override)
-        return resolveUserPath(override);
+    if (override) {
+        return resolveUserPath(override, env, envHomedir(env));
+    }
     return path.join(stateDir, "credentials");
 }
-export function resolveOAuthPath(env = process.env, stateDir = resolveStateDir(env, os.homedir)) {
+export function resolveOAuthPath(env = process.env, stateDir = resolveStateDir(env, envHomedir(env))) {
     return path.join(resolveOAuthDir(env, stateDir), OAUTH_FILENAME);
 }
 export function resolveGatewayPort(cfg, env = process.env) {
     const envRaw = env.CLAWDBOT_GATEWAY_PORT?.trim();
     if (envRaw) {
         const parsed = Number.parseInt(envRaw, 10);
-        if (Number.isFinite(parsed) && parsed > 0)
+        if (Number.isFinite(parsed) && parsed > 0) {
             return parsed;
+        }
     }
     const configPort = cfg?.gateway?.port;
     if (typeof configPort === "number" && Number.isFinite(configPort)) {
-        if (configPort > 0)
+        if (configPort > 0) {
             return configPort;
+        }
     }
     return DEFAULT_GATEWAY_PORT;
 }

package/dist/config/plugin-auto-enable.js

@@ -1,6 +1,7 @@
-import { getChatChannelMeta, listChatChannels, normalizeChatChannelId, } from "../channels/registry.js";
-import { getChannelPluginCatalogEntry, listChannelPluginCatalogEntries, } from "../channels/plugins/catalog.js";
 import { normalizeProviderId } from "../agents/model-selection.js";
+import { getChannelPluginCatalogEntry, listChannelPluginCatalogEntries, } from "../channels/plugins/catalog.js";
+import { getChatChannelMeta, listChatChannels, normalizeChatChannelId, } from "../channels/registry.js";
+import { isRecord } from "../utils.js";
 import { hasAnyWhatsAppAuth } from "../web/accounts.js";
 const CHANNEL_PLUGIN_IDS = Array.from(new Set([
     ...listChatChannels().map((meta) => meta.id),
@@ -11,10 +12,8 @@ const PROVIDER_PLUGIN_IDS = [
     { pluginId: "google-gemini-cli-auth", providerId: "google-gemini-cli" },
     { pluginId: "qwen-portal-auth", providerId: "qwen-portal" },
     { pluginId: "copilot-proxy", providerId: "copilot-proxy" },
+    { pluginId: "minimax-portal-auth", providerId: "minimax-portal" },
 ];
-function isRecord(value) {
-    return Boolean(value && typeof value === "object" && !Array.isArray(value));
-}
 function hasNonEmptyString(value) {
     return typeof value === "string" && value.trim().length > 0;
 }
@@ -63,6 +62,21 @@ function isDiscordConfigured(cfg, env) {
         return true;
     return recordHasKeys(entry);
 }
+function isIrcConfigured(cfg, env) {
+    if (hasNonEmptyString(env.IRC_HOST) && hasNonEmptyString(env.IRC_NICK)) {
+        return true;
+    }
+    const entry = resolveChannelConfig(cfg, "irc");
+    if (!entry)
+        return false;
+    if (hasNonEmptyString(entry.host) || hasNonEmptyString(entry.nick)) {
+        return true;
+    }
+    if (accountsHaveKeys(entry.accounts, ["host", "nick"])) {
+        return true;
+    }
+    return recordHasKeys(entry);
+}
 function isSlackConfigured(cfg, env) {
     if (hasNonEmptyString(env.SLACK_BOT_TOKEN) ||
         hasNonEmptyString(env.SLACK_APP_TOKEN) ||
@@ -124,6 +138,8 @@ export function isChannelConfigured(cfg, channelId, env = process.env) {
             return isTelegramConfigured(cfg, env);
         case "discord":
             return isDiscordConfigured(cfg, env);
+        case "irc":
+            return isIrcConfigured(cfg, env);
         case "slack":
             return isSlackConfigured(cfg, env);
         case "signal":

package/dist/config/redact-snapshot.js

@@ -0,0 +1,153 @@
+/**
+ * Sentinel value used to replace sensitive config fields in gateway responses.
+ * Write-side handlers (config.set, config.apply, config.patch) detect this
+ * sentinel and restore the original value from the on-disk config, so a
+ * round-trip through the Web UI does not corrupt credentials.
+ */
+export const REDACTED_SENTINEL = "__POOLBOT_REDACTED__";
+/**
+ * Patterns that identify sensitive config field names.
+ * Aligned with the UI-hint logic in schema.ts.
+ */
+const SENSITIVE_KEY_PATTERNS = [/token/i, /password/i, /secret/i, /api.?key/i];
+function isSensitiveKey(key) {
+    return SENSITIVE_KEY_PATTERNS.some((pattern) => pattern.test(key));
+}
+/**
+ * Deep-walk an object and replace values whose key matches a sensitive pattern
+ * with the redaction sentinel.
+ */
+function redactObject(obj) {
+    if (obj === null || obj === undefined) {
+        return obj;
+    }
+    if (typeof obj !== "object") {
+        return obj;
+    }
+    if (Array.isArray(obj)) {
+        return obj.map(redactObject);
+    }
+    const result = {};
+    for (const [key, value] of Object.entries(obj)) {
+        if (isSensitiveKey(key) && value !== null && value !== undefined) {
+            result[key] = REDACTED_SENTINEL;
+        }
+        else if (typeof value === "object" && value !== null) {
+            result[key] = redactObject(value);
+        }
+        else {
+            result[key] = value;
+        }
+    }
+    return result;
+}
+export function redactConfigObject(value) {
+    return redactObject(value);
+}
+/**
+ * Collect all sensitive string values from a config object.
+ * Used for text-based redaction of the raw JSON5 source.
+ */
+function collectSensitiveValues(obj) {
+    const values = [];
+    if (obj === null || obj === undefined || typeof obj !== "object") {
+        return values;
+    }
+    if (Array.isArray(obj)) {
+        for (const item of obj) {
+            values.push(...collectSensitiveValues(item));
+        }
+        return values;
+    }
+    for (const [key, value] of Object.entries(obj)) {
+        if (isSensitiveKey(key) && typeof value === "string" && value.length > 0) {
+            values.push(value);
+        }
+        else if (typeof value === "object" && value !== null) {
+            values.push(...collectSensitiveValues(value));
+        }
+    }
+    return values;
+}
+/**
+ * Replace known sensitive values in a raw JSON5 string with the sentinel.
+ * Values are replaced longest-first to avoid partial matches.
+ */
+function redactRawText(raw, config) {
+    const sensitiveValues = collectSensitiveValues(config);
+    sensitiveValues.sort((a, b) => b.length - a.length);
+    let result = raw;
+    for (const value of sensitiveValues) {
+        const escaped = value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+        result = result.replace(new RegExp(escaped, "g"), REDACTED_SENTINEL);
+    }
+    const keyValuePattern = /(^|[{\s,])((["'])([^"']+)\3|([A-Za-z0-9_$.-]+))(\s*:\s*)(["'])([^"']*)\7/g;
+    result = result.replace(keyValuePattern, (match, prefix, keyExpr, _keyQuote, keyQuoted, keyBare, sep, valQuote, val) => {
+        const key = (keyQuoted ?? keyBare);
+        if (!key || !isSensitiveKey(key)) {
+            return match;
+        }
+        if (val === REDACTED_SENTINEL) {
+            return match;
+        }
+        return `${prefix}${keyExpr}${sep}${valQuote}${REDACTED_SENTINEL}${valQuote}`;
+    });
+    return result;
+}
+/**
+ * Returns a copy of the config snapshot with all sensitive fields
+ * replaced by {@link REDACTED_SENTINEL}. The `hash` is preserved
+ * (it tracks config identity, not content).
+ *
+ * Both `config` (the parsed object) and `raw` (the JSON5 source) are scrubbed
+ * so no credential can leak through either path.
+ */
+export function redactConfigSnapshot(snapshot) {
+    const redactedConfig = redactConfigObject(snapshot.config);
+    const redactedRaw = snapshot.raw ? redactRawText(snapshot.raw, snapshot.config) : null;
+    const redactedParsed = snapshot.parsed ? redactConfigObject(snapshot.parsed) : snapshot.parsed;
+    return {
+        ...snapshot,
+        config: redactedConfig,
+        raw: redactedRaw,
+        parsed: redactedParsed,
+    };
+}
+/**
+ * Deep-walk `incoming` and replace any {@link REDACTED_SENTINEL} values
+ * (on sensitive keys) with the corresponding value from `original`.
+ *
+ * This is called by config.set / config.apply / config.patch before writing,
+ * so that credentials survive a Web UI round-trip unmodified.
+ */
+export function restoreRedactedValues(incoming, original) {
+    if (incoming === null || incoming === undefined) {
+        return incoming;
+    }
+    if (typeof incoming !== "object") {
+        return incoming;
+    }
+    if (Array.isArray(incoming)) {
+        const origArr = Array.isArray(original) ? original : [];
+        return incoming.map((item, i) => restoreRedactedValues(item, origArr[i]));
+    }
+    const orig = original && typeof original === "object" && !Array.isArray(original)
+        ? original
+        : {};
+    const result = {};
+    for (const [key, value] of Object.entries(incoming)) {
+        if (isSensitiveKey(key) && value === REDACTED_SENTINEL) {
+            if (!(key in orig)) {
+                throw new Error(`config write rejected: "${key}" is redacted; set an explicit value instead of ${REDACTED_SENTINEL}`);
+            }
+            result[key] = orig[key];
+        }
+        else if (typeof value === "object" && value !== null) {
+            result[key] = restoreRedactedValues(value, orig[key]);
+        }
+        else {
+            result[key] = value;
+        }
+    }
+    return result;
+}