@poolzin/pool-bot 2026.3.23 → 2026.3.24

package/dist/commands/backup.js

@@ -0,0 +1,166 @@
+/**
+ * Backup Command
+ *
+ * Create and restore backups of Pool Bot data.
+ */
+import { createBackup, restoreBackup, listBackups, deleteBackup, getBackupDir, } from "../infra/backup.js";
+function formatDuration(ms) {
+    if (ms < 1000)
+        return `${ms}ms`;
+    const seconds = Math.floor(ms / 1000);
+    if (seconds < 60)
+        return `${seconds}s`;
+    const minutes = Math.floor(seconds / 60);
+    const remainingSeconds = seconds % 60;
+    return `${minutes}m ${remainingSeconds}s`;
+}
+export function registerBackupCommand(program) {
+    const backupCmd = program.command("backup");
+    // Create backup
+    backupCmd
+        .command("create")
+        .description("Create a new backup")
+        .option("--no-sessions", "Exclude sessions from backup")
+        .option("--no-config", "Exclude config from backup")
+        .option("--no-credentials", "Exclude credentials from backup")
+        .option("--output <dir>", "Output directory for backup")
+        .action(async (options) => {
+        console.log("🎱 Pool Bot - Creating backup...\n");
+        const result = await createBackup({
+            includeSessions: options.sessions !== false,
+            includeConfig: options.config !== false,
+            includeCredentials: options.credentials !== false,
+            destinationDir: options.output,
+        });
+        if (result.success) {
+            console.log("✅ Backup created successfully!\n");
+            console.log(`📦 Backup Path: ${result.backupPath}`);
+            console.log(`⏱️  Duration: ${formatDuration(result.duration)}`);
+            console.log(`💾 Total Size: ${(result.totalSize / 1024 / 1024).toFixed(2)} MB`);
+            console.log(`\n📊 Contents:`);
+            if (result.metadata.includesSessions) {
+                console.log(`   - Sessions: ${result.sessionsBackedUp || 0} files`);
+            }
+            if (result.metadata.includesConfig) {
+                console.log(`   - Config: ${result.configBackedUp ? "Yes" : "No"}`);
+            }
+            if (result.metadata.includesCredentials) {
+                console.log(`   - Credentials: ${result.credentialsBackedUp ? "Yes" : "No"}`);
+            }
+        }
+        else {
+            console.error("❌ Backup failed!\n");
+            console.error(`Error: ${result.error}`);
+            process.exit(1);
+        }
+    });
+    // Restore backup
+    backupCmd
+        .command("restore <backupPath>")
+        .description("Restore from a backup")
+        .option("--no-sessions", "Do not restore sessions")
+        .option("--no-config", "Do not restore config")
+        .option("--no-credentials", "Do not restore credentials")
+        .option("--dry-run", "Show what would be restored without actually restoring")
+        .action(async (backupPath, options) => {
+        console.log("🎱 Pool Bot - Restoring backup...\n");
+        const result = await restoreBackup({
+            backupPath,
+            restoreSessions: options.sessions !== false,
+            restoreConfig: options.config !== false,
+            restoreCredentials: options.credentials !== false,
+            dryRun: options.dryRun,
+        });
+        if (result.success) {
+            if (options.dryRun) {
+                console.log("🔍 Dry Run - No changes made\n");
+                console.log("📊 Would restore:");
+                if (result.sessionsRestored) {
+                    console.log(`   - Sessions: ${result.sessionsRestored} files`);
+                }
+                if (result.configRestored) {
+                    console.log(`   - Config: Yes`);
+                }
+                if (result.credentialsRestored) {
+                    console.log(`   - Credentials: Yes`);
+                }
+            }
+            else {
+                console.log("✅ Backup restored successfully!\n");
+                console.log(`⏱️  Duration: ${formatDuration(result.duration)}`);
+                console.log(`\n📊 Restored:`);
+                if (result.sessionsRestored) {
+                    console.log(`   - Sessions: ${result.sessionsRestored} files`);
+                }
+                if (result.configRestored) {
+                    console.log(`   - Config: Yes`);
+                }
+                if (result.credentialsRestored) {
+                    console.log(`   - Credentials: Yes`);
+                }
+            }
+        }
+        else {
+            console.error("❌ Restore failed!\n");
+            console.error(`Error: ${result.error}`);
+            process.exit(1);
+        }
+    });
+    // List backups
+    backupCmd
+        .command("list")
+        .description("List available backups")
+        .option("--dir <dir>", "Backup directory", getBackupDir())
+        .action(async (options) => {
+        console.log("🎱 Pool Bot - Available backups:\n");
+        const backups = await listBackups(options.dir);
+        if (backups.length === 0) {
+            console.log("No backups found.\n");
+            return;
+        }
+        console.log(`📂 Backup Directory: ${options.dir}\n`);
+        console.log("┌─────┬──────────────────────┬──────────────┬──────────┬─────────┐");
+        console.log("│ #   │ Created              │ Sessions     │ Size     │ Path    │");
+        console.log("├─────┼──────────────────────┼──────────────┼──────────┼─────────┤");
+        backups.forEach((backup, index) => {
+            const date = new Date(backup.createdAt).toLocaleString();
+            const sessions = backup.metadata.sessionCount || 0;
+            const size = (backup.size / 1024 / 1024).toFixed(2);
+            const pathDisplay = backup.path.length > 40 ? "..." + backup.path.slice(-37) : backup.path;
+            console.log(`│ ${String(index + 1).padEnd(3)} │ ${date.padEnd(20)} │ ${String(sessions).padEnd(12)} │ ${(size + " MB").padEnd(8)} │ ${pathDisplay.padEnd(7)} │`);
+        });
+        console.log("└─────┴──────────────────────┴──────────────┴──────────┴─────────┘\n");
+        console.log(`Total: ${backups.length} backup(s)\n`);
+    });
+    // Delete backup
+    backupCmd
+        .command("delete <backupPath>")
+        .description("Delete a backup")
+        .option("--force", "Skip confirmation")
+        .action(async (backupPath, options) => {
+        if (!options.force) {
+            const readline = await import("node:readline");
+            const rl = readline.createInterface({
+                input: process.stdin,
+                output: process.stdout,
+            });
+            const answer = await new Promise((resolve) => {
+                rl.question(`⚠️  Are you sure you want to delete this backup?\n   ${backupPath}\n\n   Type 'yes' to confirm: `, resolve);
+            });
+            rl.close();
+            if (answer.toLowerCase() !== "yes") {
+                console.log("\n❌ Deletion cancelled.\n");
+                return;
+            }
+        }
+        const success = await deleteBackup(backupPath);
+        if (success) {
+            console.log("✅ Backup deleted successfully.\n");
+        }
+        else {
+            console.error("❌ Failed to delete backup.\n");
+            process.exit(1);
+        }
+    });
+    return backupCmd;
+}

package/dist/commands/channel-account-context.js

@@ -0,0 +1,15 @@
+import { resolveChannelDefaultAccountId } from "../channels/plugins/helpers.js";
+export async function resolveDefaultChannelAccountContext(plugin, cfg) {
+    const accountIds = plugin.config.listAccountIds(cfg);
+    const defaultAccountId = resolveChannelDefaultAccountId({
+        plugin,
+        cfg,
+        accountIds,
+    });
+    const account = plugin.config.resolveAccount(cfg, defaultAccountId);
+    const enabled = plugin.config.isEnabled ? plugin.config.isEnabled(account, cfg) : true;
+    const configured = plugin.config.isConfigured
+        ? await plugin.config.isConfigured(account, cfg)
+        : true;
+    return { accountIds, defaultAccountId, account, enabled, configured };
+}

package/dist/commands/channel-account.js

@@ -0,0 +1,190 @@
+/**
+ * Channel Account Context CLI
+ *
+ * Manage multiple accounts per channel.
+ */
+import { addChannelAccount, removeChannelAccount, getChannelAccount, getChannelAccounts, getActiveChannelAccount, setActiveChannelAccount, updateChannelAccount, getChannelAccountStats, } from "../infra/channel-account-context.js";
+function formatAccount(account) {
+    const status = account.isActive ? "🟢 Active" : "⚪ Inactive";
+    const lastUsed = account.lastUsedAt ? new Date(account.lastUsedAt).toLocaleString() : "Never";
+    return `${status} | ${account.accountName} | ${account.channelType} | Last: ${lastUsed}`;
+}
+export function registerChannelAccountCommand(program) {
+    const accountCmd = program
+        .command("channel-account")
+        .description("Manage channel accounts (multi-account support)");
+    // List accounts
+    accountCmd
+        .command("list [channelId]")
+        .description("List channel accounts")
+        .action(async (channelId) => {
+        console.log("🎱 Pool Bot - Channel Accounts\n");
+        if (channelId) {
+            const accounts = await getChannelAccounts(channelId);
+            const active = await getActiveChannelAccount(channelId);
+            console.log(`Channel: ${channelId}`);
+            console.log(`Active Account: ${active ? active.accountName : "None"}\n`);
+            if (accounts.length === 0) {
+                console.log("No accounts found for this channel.\n");
+                return;
+            }
+            accounts.forEach((account) => {
+                console.log(formatAccount(account));
+            });
+            console.log(`\nTotal: ${accounts.length} account(s)\n`);
+        }
+        else {
+            const stats = await getChannelAccountStats();
+            console.log("📊 Account Statistics:");
+            console.log(`   Total Accounts: ${stats.totalAccounts}`);
+            console.log(`   Channels: ${stats.channelsWithAccounts}`);
+            console.log(`   Active Accounts: ${stats.activeAccounts}`);
+            console.log("\nAccounts by Channel Type:");
+            Object.entries(stats.accountsByChannelType).forEach(([type, count]) => {
+                console.log(`   ${type}: ${count}`);
+            });
+            console.log();
+        }
+    });
+    // Add account
+    accountCmd
+        .command("add <channelId> <channelType> <accountName>")
+        .description("Add a new channel account")
+        .option("--metadata <json>", "Additional metadata (JSON)")
+        .action(async (channelId, channelType, accountName, options) => {
+        console.log("🎱 Pool Bot - Adding Channel Account\n");
+        let metadata;
+        if (options.metadata) {
+            try {
+                metadata = JSON.parse(options.metadata);
+            }
+            catch {
+                console.error("Error: Invalid JSON for metadata\n");
+                process.exit(1);
+            }
+        }
+        const account = await addChannelAccount({
+            channelId,
+            channelType,
+            accountName,
+            metadata,
+        });
+        console.log(`✅ Account added successfully!\n`);
+        console.log(`Account ID: ${account.id}`);
+        console.log(`Channel: ${account.channelId}`);
+        console.log(`Type: ${account.channelType}`);
+        console.log(`Name: ${account.accountName}`);
+        console.log(`Status: ${account.isActive ? "Active" : "Inactive"}\n`);
+        console.log(`💡 Use "poolbot channel-account switch ${channelId} ${account.id}" to activate\n`);
+    });
+    // Switch account
+    accountCmd
+        .command("switch <channelId> <accountId>")
+        .description("Switch active account for a channel")
+        .action(async (channelId, accountId) => {
+        console.log("🎱 Pool Bot - Switching Account\n");
+        const success = await setActiveChannelAccount(channelId, accountId);
+        if (success) {
+            console.log(`✅ Switched to account ${accountId}\n`);
+        }
+        else {
+            console.error(`❌ Account not found: ${accountId}\n`);
+            process.exit(1);
+        }
+    });
+    // Remove account
+    accountCmd
+        .command("remove <channelId> <accountId>")
+        .description("Remove a channel account")
+        .action(async (channelId, accountId) => {
+        console.log("🎱 Pool Bot - Removing Account\n");
+        const success = await removeChannelAccount(channelId, accountId);
+        if (success) {
+            console.log(`✅ Account removed successfully\n`);
+        }
+        else {
+            console.error(`❌ Account not found\n`);
+            process.exit(1);
+        }
+    });
+    // Show account
+    accountCmd
+        .command("show <channelId> <accountId>")
+        .description("Show account details")
+        .action(async (channelId, accountId) => {
+        console.log(`🎱 Pool Bot - Account Details\n`);
+        const account = await getChannelAccount(channelId, accountId);
+        if (!account) {
+            console.error(`❌ Account not found\n`);
+            process.exit(1);
+        }
+        console.log(`Account ID: ${account.id}`);
+        console.log(`Channel: ${account.channelId}`);
+        console.log(`Type: ${account.channelType}`);
+        console.log(`Name: ${account.accountName}`);
+        console.log(`Status: ${account.isActive ? "Active 🟢" : "Inactive ⚪"}`);
+        console.log(`Created: ${new Date(account.createdAt).toLocaleString()}`);
+        console.log(`Updated: ${new Date(account.updatedAt).toLocaleString()}`);
+        console.log(`Last Used: ${account.lastUsedAt ? new Date(account.lastUsedAt).toLocaleString() : "Never"}`);
+        if (account.metadata && Object.keys(account.metadata).length > 0) {
+            console.log("\nMetadata:");
+            Object.entries(account.metadata).forEach(([key, value]) => {
+                console.log(`  ${key}: ${value}`);
+            });
+        }
+        console.log();
+    });
+    // Update account
+    accountCmd
+        .command("update <channelId> <accountId>")
+        .description("Update account details")
+        .option("--name <name>", "New account name")
+        .option("--metadata <json>", "New metadata (JSON, merges with existing)")
+        .action(async (channelId, accountId, options) => {
+        console.log("🎱 Pool Bot - Updating Account\n");
+        let metadata;
+        if (options.metadata) {
+            try {
+                metadata = JSON.parse(options.metadata);
+            }
+            catch {
+                console.error("Error: Invalid JSON for metadata\n");
+                process.exit(1);
+            }
+        }
+        const account = await updateChannelAccount({
+            channelId,
+            accountId,
+            accountName: options.name,
+            metadata,
+        });
+        if (!account) {
+            console.error(`❌ Account not found\n`);
+            process.exit(1);
+        }
+        console.log(`✅ Account updated successfully\n`);
+    });
+    // Stats
+    accountCmd
+        .command("stats")
+        .description("Show account statistics")
+        .action(async () => {
+        console.log("🎱 Pool Bot - Account Statistics\n");
+        const stats = await getChannelAccountStats();
+        console.log("📊 Statistics:");
+        console.log(`   Total Accounts: ${stats.totalAccounts}`);
+        console.log(`   Channels with Accounts: ${stats.channelsWithAccounts}`);
+        console.log(`   Active Accounts: ${stats.activeAccounts}`);
+        console.log("\nAccounts by Channel Type:");
+        if (Object.keys(stats.accountsByChannelType).length === 0) {
+            console.log("   No accounts yet");
+        }
+        else {
+            Object.entries(stats.accountsByChannelType).forEach(([type, count]) => {
+                console.log(`   ${type}: ${count}`);
+            });
+        }
+        console.log();
+    });
+    return accountCmd;
+}

package/dist/commands/gateway-install-token.js

@@ -0,0 +1,117 @@
+import { formatCliCommand } from "../cli/command-format.js";
+import { readConfigFileSnapshot, writeConfigFile } from "../config/config.js";
+import { resolveSecretInputRef } from "../config/types.secrets.js";
+import { shouldRequireGatewayTokenForInstall } from "../gateway/auth-install-policy.js";
+import { hasAmbiguousGatewayAuthModeConfig } from "../gateway/auth-mode-policy.js";
+import { resolveGatewayAuth } from "../gateway/auth.js";
+import { readGatewayTokenEnv } from "../gateway/credentials.js";
+import { secretRefKey } from "../secrets/ref-contract.js";
+import { resolveSecretRefValues } from "../secrets/resolve.js";
+import { randomToken } from "./onboard-helpers.js";
+function formatAmbiguousGatewayAuthModeReason() {
+    return [
+        "gateway.auth.token and gateway.auth.password are both configured while gateway.auth.mode is unset.",
+        `Set ${formatCliCommand("openclaw config set gateway.auth.mode token")} or ${formatCliCommand("openclaw config set gateway.auth.mode password")}.`,
+    ].join(" ");
+}
+export async function resolveGatewayInstallToken(options) {
+    const cfg = options.config;
+    const warnings = [];
+    const tokenRef = resolveSecretInputRef({
+        value: cfg.gateway?.auth?.token,
+        defaults: cfg.secrets?.defaults,
+    }).ref;
+    const tokenRefConfigured = Boolean(tokenRef);
+    const configToken = tokenRef || typeof cfg.gateway?.auth?.token !== "string"
+        ? undefined
+        : cfg.gateway.auth.token.trim() || undefined;
+    const explicitToken = options.explicitToken?.trim() || undefined;
+    const envToken = readGatewayTokenEnv(options.env);
+    if (hasAmbiguousGatewayAuthModeConfig(cfg)) {
+        return {
+            token: undefined,
+            tokenRefConfigured,
+            unavailableReason: formatAmbiguousGatewayAuthModeReason(),
+            warnings,
+        };
+    }
+    const resolvedAuth = resolveGatewayAuth({
+        authConfig: cfg.gateway?.auth,
+        tailscaleMode: cfg.gateway?.tailscale?.mode ?? "off",
+    });
+    const needsToken = shouldRequireGatewayTokenForInstall(cfg, options.env) && !resolvedAuth.allowTailscale;
+    let token = explicitToken || configToken || (tokenRef ? undefined : envToken);
+    let unavailableReason;
+    if (tokenRef && !token && needsToken) {
+        try {
+            const resolved = await resolveSecretRefValues([tokenRef], {
+                config: cfg,
+                env: options.env,
+            });
+            const value = resolved.get(secretRefKey(tokenRef));
+            if (typeof value !== "string" || value.trim().length === 0) {
+                throw new Error("gateway.auth.token resolved to an empty or non-string value.");
+            }
+            warnings.push("gateway.auth.token is SecretRef-managed; install will not persist a resolved token in service environment. Ensure the SecretRef is resolvable in the daemon runtime context.");
+        }
+        catch (err) {
+            unavailableReason = `gateway.auth.token SecretRef is configured but unresolved (${String(err)}).`;
+        }
+    }
+    const allowAutoGenerate = options.autoGenerateWhenMissing ?? false;
+    const persistGeneratedToken = options.persistGeneratedToken ?? false;
+    if (!token && needsToken && !tokenRef && allowAutoGenerate) {
+        token = randomToken();
+        warnings.push(persistGeneratedToken
+            ? "No gateway token found. Auto-generated one and saving to config."
+            : "No gateway token found. Auto-generated one for this run without saving to config.");
+        if (persistGeneratedToken) {
+            // Persist token in config so daemon and CLI share a stable credential source.
+            try {
+                const snapshot = await readConfigFileSnapshot();
+                if (snapshot.exists && !snapshot.valid) {
+                    warnings.push("Warning: config file exists but is invalid; skipping token persistence.");
+                }
+                else {
+                    const baseConfig = snapshot.exists ? snapshot.config : {};
+                    const existingTokenRef = resolveSecretInputRef({
+                        value: baseConfig.gateway?.auth?.token,
+                        defaults: baseConfig.secrets?.defaults,
+                    }).ref;
+                    const baseConfigToken = existingTokenRef || typeof baseConfig.gateway?.auth?.token !== "string"
+                        ? undefined
+                        : baseConfig.gateway.auth.token.trim() || undefined;
+                    if (!existingTokenRef && !baseConfigToken) {
+                        await writeConfigFile({
+                            ...baseConfig,
+                            gateway: {
+                                ...baseConfig.gateway,
+                                auth: {
+                                    ...baseConfig.gateway?.auth,
+                                    mode: baseConfig.gateway?.auth?.mode ?? "token",
+                                    token,
+                                },
+                            },
+                        });
+                    }
+                    else if (baseConfigToken) {
+                        token = baseConfigToken;
+                    }
+                    else {
+                        token = undefined;
+                        warnings.push("Warning: gateway.auth.token is SecretRef-managed; skipping plaintext token persistence.");
+                    }
+                }
+            }
+            catch (err) {
+                warnings.push(`Warning: could not persist token to config: ${String(err)}`);
+            }
+        }
+    }
+    return {
+        token,
+        tokenRefConfigured,
+        unavailableReason,
+        warnings,
+    };
+}

package/dist/commands/oauth-tls-preflight.js

@@ -0,0 +1,121 @@
+import path from "node:path";
+import { formatCliCommand } from "../cli/command-format.js";
+import { note } from "../terminal/note.js";
+const TLS_CERT_ERROR_CODES = new Set([
+    "UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
+    "UNABLE_TO_VERIFY_LEAF_SIGNATURE",
+    "CERT_HAS_EXPIRED",
+    "DEPTH_ZERO_SELF_SIGNED_CERT",
+    "SELF_SIGNED_CERT_IN_CHAIN",
+    "ERR_TLS_CERT_ALTNAME_INVALID",
+]);
+const TLS_CERT_ERROR_PATTERNS = [
+    /unable to get local issuer certificate/i,
+    /unable to verify the first certificate/i,
+    /self[- ]signed certificate/i,
+    /certificate has expired/i,
+];
+const OPENAI_AUTH_PROBE_URL = "https://auth.openai.com/oauth/authorize?response_type=code&client_id=openclaw-preflight&redirect_uri=http%3A%2F%2Flocalhost%3A1455%2Fauth%2Fcallback&scope=openid+profile+email";
+function asRecord(value) {
+    return value && typeof value === "object" ? value : null;
+}
+function extractFailure(error) {
+    const root = asRecord(error);
+    const rootCause = asRecord(root?.cause);
+    const code = typeof rootCause?.code === "string" ? rootCause.code : undefined;
+    const message = typeof rootCause?.message === "string"
+        ? rootCause.message
+        : typeof root?.message === "string"
+            ? root.message
+            : String(error);
+    const isTlsCertError = (code ? TLS_CERT_ERROR_CODES.has(code) : false) ||
+        TLS_CERT_ERROR_PATTERNS.some((pattern) => pattern.test(message));
+    return {
+        code,
+        message,
+        kind: isTlsCertError ? "tls-cert" : "network",
+    };
+}
+function resolveHomebrewPrefixFromExecPath(execPath) {
+    const marker = `${path.sep}Cellar${path.sep}`;
+    const idx = execPath.indexOf(marker);
+    if (idx > 0) {
+        return execPath.slice(0, idx);
+    }
+    const envPrefix = process.env.HOMEBREW_PREFIX?.trim();
+    return envPrefix ? envPrefix : null;
+}
+function resolveCertBundlePath() {
+    const prefix = resolveHomebrewPrefixFromExecPath(process.execPath);
+    if (!prefix) {
+        return null;
+    }
+    return path.join(prefix, "etc", "openssl@3", "cert.pem");
+}
+function hasOpenAICodexOAuthProfile(cfg) {
+    const profiles = cfg.auth?.profiles;
+    if (!profiles) {
+        return false;
+    }
+    return Object.values(profiles).some((profile) => profile.provider === "openai-codex" && profile.mode === "oauth");
+}
+function shouldRunOpenAIOAuthTlsPrerequisites(params) {
+    if (params.deep === true) {
+        return true;
+    }
+    return hasOpenAICodexOAuthProfile(params.cfg);
+}
+export async function runOpenAIOAuthTlsPreflight(options) {
+    const timeoutMs = options?.timeoutMs ?? 5000;
+    const fetchImpl = options?.fetchImpl ?? fetch;
+    try {
+        await fetchImpl(OPENAI_AUTH_PROBE_URL, {
+            method: "GET",
+            redirect: "manual",
+            signal: AbortSignal.timeout(timeoutMs),
+        });
+        return { ok: true };
+    }
+    catch (error) {
+        const failure = extractFailure(error);
+        return {
+            ok: false,
+            kind: failure.kind,
+            code: failure.code,
+            message: failure.message,
+        };
+    }
+}
+export function formatOpenAIOAuthTlsPreflightFix(result) {
+    if (result.kind !== "tls-cert") {
+        return [
+            "OpenAI OAuth prerequisites check failed due to a network error before the browser flow.",
+            `Cause: ${result.message}`,
+            "Verify DNS/firewall/proxy access to auth.openai.com and retry.",
+        ].join("\n");
+    }
+    const certBundlePath = resolveCertBundlePath();
+    const lines = [
+        "OpenAI OAuth prerequisites check failed: Node/OpenSSL cannot validate TLS certificates.",
+        `Cause: ${result.code ? `${result.code} (${result.message})` : result.message}`,
+        "",
+        "Fix (Homebrew Node/OpenSSL):",
+        `- ${formatCliCommand("brew postinstall ca-certificates")}`,
+        `- ${formatCliCommand("brew postinstall openssl@3")}`,
+    ];
+    if (certBundlePath) {
+        lines.push(`- Verify cert bundle exists: ${certBundlePath}`);
+    }
+    lines.push("- Retry the OAuth login flow.");
+    return lines.join("\n");
+}
+export async function noteOpenAIOAuthTlsPrerequisites(params) {
+    if (!shouldRunOpenAIOAuthTlsPrerequisites(params)) {
+        return;
+    }
+    const result = await runOpenAIOAuthTlsPreflight({ timeoutMs: 4000 });
+    if (result.ok || result.kind !== "tls-cert") {
+        return;
+    }
+    note(formatOpenAIOAuthTlsPreflightFix(result), "OAuth TLS prerequisites");
+}