@qqbrowser/openclaw-qbot 0.0.139 → 0.0.142

package/dist/audit-C7RP7G_g.js

@@ -34,3 +34,4 @@ Native skill commands are enabled on at least one configured chat surface; treat
 `)}`,remediation:`Update the plugin manifest so all openclaw.extensions entries stay inside the plugin directory.`});let c=await Tt({dirPath:r,includeFiles:o,summaryCache:e.summaryCache}).catch(e=>(t.push({checkId:`plugins.code_safety.scan_failed`,severity:`warn`,title:`Plugin "${i}" code scan failed`,detail:`Static code scan could not complete: ${String(e)}`,remediation:"Check file permissions and plugin layout, then rerun `openclaw security audit --deep`."}),null));if(c){if(c.critical>0){let e=Y(c.findings.filter(e=>e.severity===`critical`),r);t.push({checkId:`plugins.code_safety`,severity:`critical`,title:`Plugin "${i}" contains dangerous code patterns`,detail:`Found ${c.critical} critical issue(s) in ${c.scannedFiles} scanned file(s):\n${e}`,remediation:`Review the plugin source code carefully before use. If untrusted, remove the plugin from your OpenClaw extensions state directory.`})}else if(c.warn>0){let e=Y(c.findings.filter(e=>e.severity===`warn`),r);t.push({checkId:`plugins.code_safety`,severity:`warn`,title:`Plugin "${i}" contains suspicious code patterns`,detail:`Found ${c.warn} warning(s) in ${c.scannedFiles} scanned file(s):\n${e}`,remediation:`Review the flagged code to ensure it is intentional and safe.`})}}}return t}async function Bt(e){let t=[],n=z.join(e.stateDir,`extensions`),r=new Set,i=L(e.cfg);for(let a of i){let i=j(a,{config:e.cfg});for(let a of i){if(a.skill.source===`openclaw-bundled`)continue;let i=z.resolve(a.skill.baseDir);if(k(n,i)||r.has(i))continue;r.add(i);let o=a.skill.name,s=await Tt({dirPath:i,summaryCache:e.summaryCache}).catch(e=>(t.push({checkId:`skills.code_safety.scan_failed`,severity:`warn`,title:`Skill "${o}" code scan failed`,detail:`Static code scan could not complete for ${i}: ${String(e)}`,remediation:"Check file permissions and skill layout, then rerun `openclaw security audit --deep`."}),null));if(s){if(s.critical>0){let e=Y(s.findings.filter(e=>e.severity===`critical`),i);t.push({checkId:`skills.code_safety`,severity:`critical`,title:`Skill "${o}" contains dangerous code patterns`,detail:`Found ${s.critical} critical issue(s) in ${s.scannedFiles} scanned file(s) under ${i}:\n${e}`,remediation:`Review the skill source code before use. If untrusted, remove "${i}".`})}else if(s.warn>0){let e=Y(s.findings.filter(e=>e.severity===`warn`),i);t.push({checkId:`skills.code_safety`,severity:`warn`,title:`Skill "${o}" contains suspicious code patterns`,detail:`Found ${s.warn} warning(s) in ${s.scannedFiles} scanned file(s) under ${i}:\n${e}`,remediation:`Review flagged lines to ensure the behavior is intentional and safe.`})}}}}return t}function Vt(e){let t=[];if(e.gateway?.controlUi?.allowInsecureAuth===!0&&t.push(`gateway.controlUi.allowInsecureAuth=true`),e.gateway?.controlUi?.dangerouslyAllowHostHeaderOriginFallback===!0&&t.push(`gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true`),e.gateway?.controlUi?.dangerouslyDisableDeviceAuth===!0&&t.push(`gateway.controlUi.dangerouslyDisableDeviceAuth=true`),e.hooks?.gmail?.allowUnsafeExternalContent===!0&&t.push(`hooks.gmail.allowUnsafeExternalContent=true`),Array.isArray(e.hooks?.mappings))for(let[n,r]of e.hooks.mappings.entries())r?.allowUnsafeExternalContent===!0&&t.push(`hooks.mappings[${n}].allowUnsafeExternalContent=true`);return e.tools?.exec?.applyPatch?.workspaceOnly===!1&&t.push(`tools.exec.applyPatch.workspaceOnly=false`),t}function Ht(e){let t=0,n=0,r=0;for(let i of e)i.severity===`critical`?t+=1:i.severity===`warn`?n+=1:r+=1;return{critical:t,warn:n,info:r}}function Ut(e){return Array.isArray(e)?e.map(e=>String(e).trim()).filter(Boolean):[]}function Q(e){if(!(!e||typeof e!=`object`||Array.isArray(e)))return e}function $(e){return typeof e==`string`&&e.trim().length>0}function Wt(e){let t=Q(Q(e.channels)?.feishu);if(!t||t.enabled===!1)return!1;let n=Q(t.tools),r=n?.doc!==!1,i=$(t.appId),a=D(t.appSecret,e.secrets?.defaults),o=i&&a,s=Q(t.accounts);if(!s||Object.keys(s).length===0)return r&&o;for(let t of Object.values(s)){let r=Q(t)??{};if(r.enabled!==!1&&(Q(r.tools)??n)?.doc!==!1&&($(r.appId)||i)&&(D(r.appSecret,e.secrets?.defaults)||a))return!0}return!1}async function Gt(e){let t=[],n=await c(e.stateDir,{env:e.env,platform:e.platform,exec:e.execIcacls});n.ok&&(n.isSymlink&&t.push({checkId:`fs.state_dir.symlink`,severity:`warn`,title:`State dir is a symlink`,detail:`${e.stateDir} is a symlink; treat this as an extra trust boundary.`}),n.worldWritable?t.push({checkId:`fs.state_dir.perms_world_writable`,severity:`critical`,title:`State dir is world-writable`,detail:`${u(e.stateDir,n)}; other users can write into your OpenClaw state.`,remediation:s({targetPath:e.stateDir,perms:n,isDir:!0,posixMode:448,env:e.env})}):n.groupWritable?t.push({checkId:`fs.state_dir.perms_group_writable`,severity:`warn`,title:`State dir is group-writable`,detail:`${u(e.stateDir,n)}; group users can write into your OpenClaw state.`,remediation:s({targetPath:e.stateDir,perms:n,isDir:!0,posixMode:448,env:e.env})}):(n.groupReadable||n.worldReadable)&&t.push({checkId:`fs.state_dir.perms_readable`,severity:`warn`,title:`State dir is readable by others`,detail:`${u(e.stateDir,n)}; consider restricting to 700.`,remediation:s({targetPath:e.stateDir,perms:n,isDir:!0,posixMode:448,env:e.env})}));let r=await c(e.configPath,{env:e.env,platform:e.platform,exec:e.execIcacls});if(r.ok){let n=r.isSymlink;r.isSymlink&&t.push({checkId:`fs.config.symlink`,severity:`warn`,title:`Config file is a symlink`,detail:`${e.configPath} is a symlink; make sure you trust its target.`}),r.worldWritable||r.groupWritable?t.push({checkId:`fs.config.perms_writable`,severity:`critical`,title:`Config file is writable by others`,detail:`${u(e.configPath,r)}; another user could change gateway/auth/tool policies.`,remediation:s({targetPath:e.configPath,perms:r,isDir:!1,posixMode:384,env:e.env})}):!n&&r.worldReadable?t.push({checkId:`fs.config.perms_world_readable`,severity:`critical`,title:`Config file is world-readable`,detail:`${u(e.configPath,r)}; config can contain tokens and private settings.`,remediation:s({targetPath:e.configPath,perms:r,isDir:!1,posixMode:384,env:e.env})}):!n&&r.groupReadable&&t.push({checkId:`fs.config.perms_group_readable`,severity:`warn`,title:`Config file is group-readable`,detail:`${u(e.configPath,r)}; config can contain tokens and private settings.`,remediation:s({targetPath:e.configPath,perms:r,isDir:!1,posixMode:384,env:e.env})})}return t}function Kt(e,t){let n=[],i=typeof e.gateway?.bind==`string`?e.gateway.bind:`loopback`,a=e.gateway?.tailscale?.mode??`off`,o=r({authConfig:e.gateway?.auth,tailscaleMode:a,env:t}),s=e.gateway?.controlUi?.enabled!==!1,c=(e.gateway?.controlUi?.allowedOrigins??[]).map(e=>e.trim()).filter(Boolean),l=e.gateway?.controlUi?.dangerouslyAllowHostHeaderOriginFallback===!0,u=Array.isArray(e.gateway?.trustedProxies)?e.gateway.trustedProxies:[],d=typeof o.token==`string`&&o.token.trim().length>0,f=typeof o.password==`string`&&o.password.trim().length>0,p=$(t.OPENCLAW_GATEWAY_TOKEN)||$(t.CLAWDBOT_GATEWAY_TOKEN),m=$(t.OPENCLAW_GATEWAY_PASSWORD)||$(t.CLAWDBOT_GATEWAY_PASSWORD),h=D(e.gateway?.auth?.token,e.secrets?.defaults),g=D(e.gateway?.auth?.password,e.secrets?.defaults),_=D(e.gateway?.remote?.token,e.secrets?.defaults),v=e.gateway?.auth?.mode,y=d||p||h||_,b=v===`password`||v!==`token`&&v!==`none`&&v!==`trusted-proxy`&&!y,x=y,S=f||b&&(m||g),C=v===`token`?x:v===`password`?S:v===`none`||v===`trusted-proxy`?!1:x||S,w=o.allowTailscale&&a===`serve`,T=C||w,E=e.gateway?.allowRealIpFallback===!0,O=e.discovery?.mdns?.mode??`minimal`,k=Array.isArray(e.gateway?.tools?.allow)?e.gateway?.tools?.allow:[],ee=new Set(k.map(e=>typeof e==`string`?e.trim().toLowerCase():``).filter(Boolean)),A=fe.filter(e=>ee.has(e));if(A.length>0){let e=i!==`loopback`||a===`funnel`;n.push({checkId:`gateway.tools_invoke_http.dangerous_allow`,severity:e?`critical`:`warn`,title:`Gateway HTTP /tools/invoke re-enables dangerous tools`,detail:`gateway.tools.allow includes ${A.join(`, `)} which removes them from the default HTTP deny list. This can allow remote session spawning / control-plane actions via HTTP and increases RCE blast radius if the gateway is reachable.`,remediation:`Remove these entries from gateway.tools.allow (recommended). If you keep them enabled, keep gateway.bind loopback-only (or tailnet-only), restrict network exposure, and treat the gateway token/password as full-admin.`})}if(i!==`loopback`&&!C&&o.mode!==`trusted-proxy`&&n.push({checkId:`gateway.bind_no_auth`,severity:`critical`,title:`Gateway binds beyond loopback without auth`,detail:`gateway.bind="${i}" but no gateway.auth token/password is configured.`,remediation:`Set gateway.auth (token recommended) or bind to loopback.`}),i===`loopback`&&s&&u.length===0&&n.push({checkId:`gateway.trusted_proxies_missing`,severity:`warn`,title:`Reverse proxy headers are not trusted`,detail:`gateway.bind is loopback and gateway.trustedProxies is empty. If you expose the Control UI through a reverse proxy, configure trusted proxies so local-client checks cannot be spoofed.`,remediation:`Set gateway.trustedProxies to your proxy IPs or keep the Control UI local-only.`}),i===`loopback`&&s&&!T&&n.push({checkId:`gateway.loopback_no_auth`,severity:`critical`,title:`Gateway auth missing on loopback`,detail:`gateway.bind is loopback but no gateway auth secret is configured. If the Control UI is exposed through a reverse proxy, unauthenticated access is possible.`,remediation:`Set gateway.auth (token recommended) or keep the Control UI local-only.`}),i!==`loopback`&&s&&c.length===0&&!l&&n.push({checkId:`gateway.control_ui.allowed_origins_required`,severity:`critical`,title:`Non-loopback Control UI missing explicit allowed origins`,detail:`Control UI is enabled on a non-loopback bind but gateway.controlUi.allowedOrigins is empty. Strict origin policy requires explicit allowed origins for non-loopback deployments.`,remediation:`Set gateway.controlUi.allowedOrigins to full trusted origins (for example https://control.example.com). If your deployment intentionally relies on Host-header origin fallback, set gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true.`}),c.includes(`*`)){let e=i!==`loopback`;n.push({checkId:`gateway.control_ui.allowed_origins_wildcard`,severity:e?`critical`:`warn`,title:`Control UI allowed origins contains wildcard`,detail:`gateway.controlUi.allowedOrigins includes "*" which effectively disables origin allowlisting for Control UI/WebChat requests.`,remediation:`Replace wildcard origins with explicit trusted origins (for example https://control.example.com).`})}if(l){let e=i!==`loopback`;n.push({checkId:`gateway.control_ui.host_header_origin_fallback`,severity:e?`critical`:`warn`,title:`DANGEROUS: Host-header origin fallback enabled`,detail:`gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true enables Host-header origin fallback for Control UI/WebChat websocket checks and weakens DNS rebinding protections.`,remediation:`Disable gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback and configure explicit gateway.controlUi.allowedOrigins.`})}if(E){let e=u.some(e=>!qt(e)),t=i!==`loopback`||o.mode===`trusted-proxy`&&e;n.push({checkId:`gateway.real_ip_fallback_enabled`,severity:t?`critical`:`warn`,title:`X-Real-IP fallback is enabled`,detail:`gateway.allowRealIpFallback=true trusts X-Real-IP when trusted proxies omit X-Forwarded-For. Misconfigured proxies that forward client-supplied X-Real-IP can spoof source IP and local-client checks.`,remediation:`Keep gateway.allowRealIpFallback=false (default). Only enable this when your trusted proxy always overwrites X-Real-IP and cannot provide X-Forwarded-For.`})}if(O===`full`){let e=i!==`loopback`;n.push({checkId:`discovery.mdns_full_mode`,severity:e?`critical`:`warn`,title:`mDNS full mode can leak host metadata`,detail:`discovery.mdns.mode="full" publishes cliPath/sshPort in local-network TXT records. This can reveal usernames, filesystem layout, and management ports.`,remediation:`Prefer discovery.mdns.mode="minimal" (recommended) or "off", especially when gateway.bind is not loopback.`})}a===`funnel`?n.push({checkId:`gateway.tailscale_funnel`,severity:`critical`,title:`Tailscale Funnel exposure enabled`,detail:`gateway.tailscale.mode="funnel" exposes the Gateway publicly; keep auth strict and treat it as internet-facing.`,remediation:`Prefer tailscale.mode="serve" (tailnet-only) or set tailscale.mode="off".`}):a===`serve`&&n.push({checkId:`gateway.tailscale_serve`,severity:`info`,title:`Tailscale Serve exposure enabled`,detail:`gateway.tailscale.mode="serve" exposes the Gateway to your tailnet (loopback behind Tailscale).`}),e.gateway?.controlUi?.allowInsecureAuth===!0&&n.push({checkId:`gateway.control_ui.insecure_auth`,severity:`warn`,title:`Control UI insecure auth toggle enabled`,detail:`gateway.controlUi.allowInsecureAuth=true does not bypass secure context or device identity checks; only dangerouslyDisableDeviceAuth disables Control UI device identity checks.`,remediation:`Disable it or switch to HTTPS (Tailscale Serve) or localhost.`}),e.gateway?.controlUi?.dangerouslyDisableDeviceAuth===!0&&n.push({checkId:`gateway.control_ui.device_auth_disabled`,severity:`critical`,title:`DANGEROUS: Control UI device auth disabled`,detail:`gateway.controlUi.dangerouslyDisableDeviceAuth=true disables device identity checks for the Control UI.`,remediation:`Disable it unless you are in a short-lived break-glass scenario.`}),Wt(e)&&n.push({checkId:`channels.feishu.doc_owner_open_id`,severity:`warn`,title:`Feishu doc create can grant requester permissions`,detail:`channels.feishu tools include "doc"; feishu_doc action "create" can grant document access to the trusted requesting Feishu user.`,remediation:`Disable channels.feishu.tools.doc when not needed, and restrict tool access for untrusted prompts.`});let j=Vt(e);j.length>0&&n.push({checkId:`config.insecure_or_dangerous_flags`,severity:`warn`,title:`Insecure or dangerous config flags enabled`,detail:`Detected ${j.length} enabled flag(s): ${j.join(`, `)}.`,remediation:`Disable these flags when not actively debugging, or keep deployment scoped to trusted/local-only networks.`});let M=typeof o.token==`string`&&o.token.trim().length>0?o.token.trim():null;if(o.mode===`token`&&M&&M.length<24&&n.push({checkId:`gateway.token_too_short`,severity:`warn`,title:`Gateway token looks short`,detail:`gateway auth token is ${M.length} chars; prefer a long random token.`}),o.mode===`trusted-proxy`){let t=e.gateway?.trustedProxies??[],r=e.gateway?.auth?.trustedProxy;n.push({checkId:`gateway.trusted_proxy_auth`,severity:`critical`,title:`Trusted-proxy auth mode enabled`,detail:`gateway.auth.mode="trusted-proxy" delegates authentication to a reverse proxy. Ensure your proxy (Pomerium, Caddy, nginx) handles auth correctly and that gateway.trustedProxies only contains IPs of your actual proxy servers.`,remediation:`Verify: (1) Your proxy terminates TLS and authenticates users. (2) gateway.trustedProxies is restricted to proxy IPs only. (3) Direct access to the Gateway port is blocked by firewall. See /gateway/trusted-proxy-auth for setup guidance.`}),t.length===0&&n.push({checkId:`gateway.trusted_proxy_no_proxies`,severity:`critical`,title:`Trusted-proxy auth enabled but no trusted proxies configured`,detail:`gateway.auth.mode="trusted-proxy" but gateway.trustedProxies is empty. All requests will be rejected.`,remediation:`Set gateway.trustedProxies to the IP(s) of your reverse proxy.`}),r?.userHeader||n.push({checkId:`gateway.trusted_proxy_no_user_header`,severity:`critical`,title:`Trusted-proxy auth missing userHeader config`,detail:`gateway.auth.mode="trusted-proxy" but gateway.auth.trustedProxy.userHeader is not configured.`,remediation:`Set gateway.auth.trustedProxy.userHeader to the header name your proxy uses (e.g., "x-forwarded-user", "x-pomerium-claim-email").`}),(r?.allowUsers??[]).length===0&&n.push({checkId:`gateway.trusted_proxy_no_allowlist`,severity:`warn`,title:`Trusted-proxy auth allows all authenticated users`,detail:`gateway.auth.trustedProxy.allowUsers is empty, so any user authenticated by your proxy can access the Gateway.`,remediation:`Consider setting gateway.auth.trustedProxy.allowUsers to restrict access to specific users (e.g., ["nick@example.com"]).`})}return i!==`loopback`&&o.mode!==`trusted-proxy`&&!e.gateway?.auth?.rateLimit&&n.push({checkId:`gateway.auth_no_rate_limit`,severity:`warn`,title:`No auth rate limiting configured`,detail:`gateway.bind is not loopback but no gateway.auth.rateLimit is configured. Without rate limiting, brute-force auth attacks are not mitigated.`,remediation:`Set gateway.auth.rateLimit (e.g. { maxAttempts: 10, windowMs: 60000, lockoutMs: 300000 }).`}),n}function qt(e){let t=e.trim();if(!t)return!1;if(!t.includes(`/`))return t===`127.0.0.1`||t.toLowerCase()===`::1`;let[n,r]=t.split(`/`,2);if(!n||!r)return!1;let i=Ce(n.trim()),a=Number.parseInt(r.trim(),10);return Number.isInteger(a)?i===4?n.trim()===`127.0.0.1`&&a===32:i===6?a===128&&n.trim().toLowerCase()===`::1`:!1:!1}function Jt(e,t){let r=[],a;try{a=v(e.browser,e)}catch(e){return r.push({checkId:`browser.control_invalid_config`,severity:`warn`,title:`Browser control config looks invalid`,detail:String(e),remediation:`Fix browser.cdpUrl in ${n()} and re-run "${O(`openclaw security audit --deep`)}".`}),r}if(!a.enabled)return r;let o=i(e,t),s=e.gateway?.auth?.mode,c=!!o.token||$(t.OPENCLAW_GATEWAY_TOKEN)||$(t.CLAWDBOT_GATEWAY_TOKEN)||D(e.gateway?.auth?.token,e.secrets?.defaults),l=s===`password`||s!==`token`&&s!==`none`&&s!==`trusted-proxy`&&!c,u=!!o.password||l&&($(t.OPENCLAW_GATEWAY_PASSWORD)||$(t.CLAWDBOT_GATEWAY_PASSWORD)||D(e.gateway?.auth?.password,e.secrets?.defaults));!c&&!u&&r.push({checkId:`browser.control_no_auth`,severity:`critical`,title:`Browser control has no auth`,detail:`Browser control HTTP routes are enabled but no gateway.auth token/password is configured. Any local process (or SSRF to loopback) can call browser control endpoints.`,remediation:`Set gateway.auth.token (recommended) or gateway.auth.password so browser control HTTP routes require authentication. Restarting the gateway will auto-generate gateway.auth.token when browser control is enabled.`});for(let e of Object.keys(a.profiles)){let t=g(a,e);if(!t||t.cdpIsLoopback)continue;let n;try{n=new URL(t.cdpUrl)}catch{continue}n.protocol===`http:`&&r.push({checkId:`browser.remote_cdp_http`,severity:`warn`,title:`Remote CDP uses HTTP`,detail:`browser profile "${e}" uses http CDP (${t.cdpUrl}); this is OK only if it's tailnet-only or behind an encrypted tunnel.`,remediation:`Prefer HTTPS/TLS or a tailnet-only endpoint for remote CDP.`})}return r}function Yt(e){return e.logging?.redactSensitive===`off`?[{checkId:`logging.redact_off`,severity:`warn`,title:`Tool summary redaction is disabled`,detail:`logging.redactSensitive="off" can leak secrets into logs and status output.`,remediation:`Set logging.redactSensitive="tools".`}]:[]}function Xt(e){let t=[],n=e.tools?.elevated?.enabled,r=e.tools?.elevated?.allowFrom??{},i=Object.keys(r).length>0;if(n===!1||!i)return t;for(let[e,n]of Object.entries(r)){let r=Ut(n);r.includes(`*`)?t.push({checkId:`tools.elevated.allowFrom.${e}.wildcard`,severity:`critical`,title:`Elevated exec allowlist contains wildcard`,detail:`tools.elevated.allowFrom.${e} includes "*" which effectively approves everyone on that channel for elevated mode.`}):r.length>25&&t.push({checkId:`tools.elevated.allowFrom.${e}.large`,severity:`warn`,title:`Elevated exec allowlist is large`,detail:`tools.elevated.allowFrom.${e} has ${r.length} entries; consider tightening elevated access.`})}return t}function Zt(e){let t=[],n=e.tools?.exec?.host,r=x(e).mode;n===`sandbox`&&r===`off`&&t.push({checkId:`tools.exec.host_sandbox_no_sandbox_defaults`,severity:`warn`,title:`Exec host is sandbox but sandbox mode is off`,detail:`tools.exec.host is explicitly set to sandbox while agents.defaults.sandbox.mode=off. In this mode, exec runs directly on the gateway host.`,remediation:'Enable sandbox mode (`agents.defaults.sandbox.mode="non-main"` or `"all"`) or set tools.exec.host to "gateway" with approvals.'});let i=Array.isArray(e.agents?.list)?e.agents.list:[],a=i.filter(t=>t&&typeof t==`object`&&typeof t.id==`string`&&t.tools?.exec?.host===`sandbox`&&x(e,t.id).mode===`off`).map(e=>e.id).slice(0,5);a.length>0&&t.push({checkId:`tools.exec.host_sandbox_no_sandbox_agents`,severity:`warn`,title:`Agent exec host uses sandbox while sandbox mode is off`,detail:`agents.list.*.tools.exec.host is set to sandbox for: ${a.join(`, `)}. With sandbox mode off, exec runs directly on the gateway host.`,remediation:'Enable sandbox mode for these agents (`agents.list[].sandbox.mode`) or set their tools.exec.host to "gateway".'});let o=e=>Array.isArray(e)?Array.from(new Set(e.map(e=>typeof e==`string`?e.trim().toLowerCase():``).filter(e=>e.length>0))).toSorted():[],s=e=>Array.isArray(e)?b(e.filter(e=>typeof e==`string`)):[],c=e=>{let t=e.trim();if(!t)return null;if(!z.isAbsolute(t))return`relative path (trust boundary depends on process cwd)`;let n=z.resolve(t).replace(/\\/g,`/`).toLowerCase();return n===`/tmp`||n.startsWith(`/tmp/`)||n===`/var/tmp`||n.startsWith(`/var/tmp/`)||n===`/private/tmp`||n.startsWith(`/private/tmp/`)?`temporary directory is mutable and easy to poison`:n===`/usr/local/bin`||n===`/opt/homebrew/bin`||n===`/opt/local/bin`||n===`/home/linuxbrew/.linuxbrew/bin`?`package-manager bin directory (often user-writable)`:n.startsWith(`/users/`)||n.startsWith(`/home/`)||n.includes(`/.local/bin`)||/^[a-z]:\/users\//.test(n)?`home-scoped bin directory (typically user-writable)`:null},l=e.tools?.exec,u=[],d=(e,t)=>{for(let n of s(t)){let t=c(n);t&&u.push(`- ${e}.safeBinTrustedDirs: ${n} (${t})`)}};d(`tools.exec`,l?.safeBinTrustedDirs);for(let e of i)!e||typeof e!=`object`||typeof e.id!=`string`||d(`agents.list.${e.id}.tools.exec`,e.tools?.exec?.safeBinTrustedDirs);let f=[],p=o(l?.safeBins);if(p.length>0){let e=ae({global:l})??{},t=oe(p).filter(t=>!e[t]);t.length>0&&f.push(`- tools.exec.safeBins: ${t.join(`, `)}`)}for(let e of i){if(!e||typeof e!=`object`||typeof e.id!=`string`)continue;let t=e.tools?.exec,n=o(t?.safeBins);if(n.length===0)continue;let r=ae({global:l,local:t})??{},i=oe(n).filter(e=>!r[e]);i.length!==0&&f.push(`- agents.list.${e.id}.tools.exec.safeBins: ${i.join(`, `)}`)}return f.length>0&&t.push({checkId:`tools.exec.safe_bins_interpreter_unprofiled`,severity:`warn`,title:`safeBins includes interpreter/runtime binaries without explicit profiles`,detail:`Detected interpreter-like safeBins entries missing explicit profiles:\n${f.join(`
 `)}\nThese entries can turn safeBins into a broad execution surface when used with permissive argv profiles.`,remediation:`Remove interpreter/runtime bins from safeBins (prefer allowlist entries) or define hardened tools.exec.safeBinProfiles.<bin> rules.`}),u.length>0&&t.push({checkId:`tools.exec.safe_bin_trusted_dirs_risky`,severity:`warn`,title:`safeBinTrustedDirs includes risky mutable directories`,detail:`Detected risky safeBinTrustedDirs entries:\n${u.slice(0,10).join(`
 `)}`+(u.length>10?`\n- +${u.length-10} more entries.`:``),remediation:`Prefer root-owned immutable bins, keep default trust dirs (/bin, /usr/bin), and avoid trusting temporary/home/package-manager paths unless tightly controlled.`}),t}async function Qt(e){let t=ie({config:e.cfg}).url,n=e.cfg.gateway?.mode===`remote`,r=typeof e.cfg.gateway?.remote?.url==`string`?e.cfg.gateway.remote.url.trim():``,i=me(!n||n&&!r?{cfg:e.cfg,env:e.env,mode:`local`}:{cfg:e.cfg,env:e.env,mode:`remote`}),a=await e.probe({url:t,auth:i.auth,timeoutMs:e.timeoutMs}).catch(e=>({ok:!1,url:t,connectLatencyMs:null,error:String(e),close:null,health:null,status:null,presence:null,configSnapshot:null}));return i.warning&&!a.ok&&(a.error=a.error?`${a.error}; ${i.warning}`:i.warning),{deep:{gateway:{attempted:!0,url:t,ok:a.ok,error:a.ok?null:a.error,close:a.close?{code:a.close.code,reason:a.close.reason}:null}},authWarning:i.warning}}async function $t(t){let r=t.config,i=t.sourceConfig??t.config,a=t.env??process.env,o=t.platform??process.platform,s=t.includeFilesystem!==!1,c=t.includeChannelSecurity!==!1,l=t.deep===!0,u=Math.max(250,t.deepTimeoutMs??5e3),d=t.stateDir??e(a),f=t.configPath??n(a,d),p=s?t.configSnapshot===void 0?await Rt({env:a,configPath:f}).catch(()=>null):t.configSnapshot:null;return{cfg:r,sourceConfig:i,env:a,platform:o,includeFilesystem:s,includeChannelSecurity:c,deep:l,deepTimeoutMs:u,stateDir:d,configPath:f,execIcacls:t.execIcacls,execDockerRawFn:t.execDockerRawFn,probeGatewayFn:t.probeGatewayFn,plugins:t.plugins,configSnapshot:p,codeSafetySummaryCache:t.codeSafetySummaryCache??new Map}}async function en(e){let t=[],n=await $t(e),{cfg:r,env:i,platform:a,stateDir:o,configPath:s}=n;if(t.push(...Ze(r)),t.push(...Qe({stateDir:o,configPath:s})),t.push(...Kt(r,i)),t.push(...Jt(r,i)),t.push(...Yt(r)),t.push(...Xt(r)),t.push(...Zt(r)),t.push(...et(r,i)),t.push(...nt(r,i)),t.push(...tt(r)),t.push(...rt(r)),t.push(...it(r)),t.push(...at(r)),t.push(...ot(r)),t.push(...st(r)),t.push(...$e(r)),t.push(...ct(r)),t.push(...lt({cfg:r,env:i})),t.push(...ut(r)),t.push(...dt(r)),n.includeFilesystem&&(t.push(...await Gt({stateDir:o,configPath:s,env:i,platform:a,execIcacls:n.execIcacls})),n.configSnapshot&&t.push(...await It({configSnapshot:n.configSnapshot,env:i,platform:a,execIcacls:n.execIcacls})),t.push(...await Lt({cfg:r,env:i,stateDir:o,platform:a,execIcacls:n.execIcacls})),t.push(...await Ft({cfg:r})),t.push(...await Nt({execDockerRawFn:n.execDockerRawFn})),t.push(...await Pt({cfg:r,stateDir:o})),n.deep&&(t.push(...await zt({stateDir:o,summaryCache:n.codeSafetySummaryCache})),t.push(...await Bt({cfg:r,stateDir:o,summaryCache:n.codeSafetySummaryCache})))),n.includeChannelSecurity){let e=n.plugins??ne();t.push(...await De({cfg:r,sourceConfig:n.sourceConfig,plugins:e}))}let c=n.deep?await Qt({cfg:r,env:i,timeoutMs:n.deepTimeoutMs,probe:n.probeGatewayFn??pe}):void 0,l=c?.deep;l?.gateway?.attempted&&!l.gateway.ok&&t.push({checkId:`gateway.probe_failed`,severity:`warn`,title:`Gateway probe failed (deep)`,detail:l.gateway.error??`gateway unreachable`,remediation:`Run "${O(`openclaw status --all`)}" to debug connectivity/auth, then re-run "${O(`openclaw security audit --deep`)}".`}),c?.authWarning&&t.push({checkId:`gateway.probe_auth_secretref_unavailable`,severity:`warn`,title:`Gateway probe auth SecretRef is unavailable`,detail:c.authWarning,remediation:`Set OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD in this shell or resolve the external secret provider, then re-run "${O(`openclaw security audit --deep`)}".`});let u=Ht(t);return{ts:Date.now(),summary:u,findings:t,deep:l}}export{Vt as n,mt as r,en as t};
+//# sourceMappingURL=audit-C7RP7G_g.js.map

package/dist/audit-jkdcAUep.js

@@ -34,3 +34,4 @@ Native skill commands are enabled on at least one configured chat surface; treat
 `)}`,remediation:`Update the plugin manifest so all openclaw.extensions entries stay inside the plugin directory.`});let c=await Tt({dirPath:r,includeFiles:o,summaryCache:e.summaryCache}).catch(e=>(t.push({checkId:`plugins.code_safety.scan_failed`,severity:`warn`,title:`Plugin "${i}" code scan failed`,detail:`Static code scan could not complete: ${String(e)}`,remediation:"Check file permissions and plugin layout, then rerun `openclaw security audit --deep`."}),null));if(c){if(c.critical>0){let e=Y(c.findings.filter(e=>e.severity===`critical`),r);t.push({checkId:`plugins.code_safety`,severity:`critical`,title:`Plugin "${i}" contains dangerous code patterns`,detail:`Found ${c.critical} critical issue(s) in ${c.scannedFiles} scanned file(s):\n${e}`,remediation:`Review the plugin source code carefully before use. If untrusted, remove the plugin from your OpenClaw extensions state directory.`})}else if(c.warn>0){let e=Y(c.findings.filter(e=>e.severity===`warn`),r);t.push({checkId:`plugins.code_safety`,severity:`warn`,title:`Plugin "${i}" contains suspicious code patterns`,detail:`Found ${c.warn} warning(s) in ${c.scannedFiles} scanned file(s):\n${e}`,remediation:`Review the flagged code to ensure it is intentional and safe.`})}}}return t}async function Bt(e){let t=[],n=B.join(e.stateDir,`extensions`),r=new Set,i=ue(e.cfg);for(let a of i){let i=j(a,{config:e.cfg});for(let a of i){if(a.skill.source===`openclaw-bundled`)continue;let i=B.resolve(a.skill.baseDir);if(k(n,i)||r.has(i))continue;r.add(i);let o=a.skill.name,s=await Tt({dirPath:i,summaryCache:e.summaryCache}).catch(e=>(t.push({checkId:`skills.code_safety.scan_failed`,severity:`warn`,title:`Skill "${o}" code scan failed`,detail:`Static code scan could not complete for ${i}: ${String(e)}`,remediation:"Check file permissions and skill layout, then rerun `openclaw security audit --deep`."}),null));if(s){if(s.critical>0){let e=Y(s.findings.filter(e=>e.severity===`critical`),i);t.push({checkId:`skills.code_safety`,severity:`critical`,title:`Skill "${o}" contains dangerous code patterns`,detail:`Found ${s.critical} critical issue(s) in ${s.scannedFiles} scanned file(s) under ${i}:\n${e}`,remediation:`Review the skill source code before use. If untrusted, remove "${i}".`})}else if(s.warn>0){let e=Y(s.findings.filter(e=>e.severity===`warn`),i);t.push({checkId:`skills.code_safety`,severity:`warn`,title:`Skill "${o}" contains suspicious code patterns`,detail:`Found ${s.warn} warning(s) in ${s.scannedFiles} scanned file(s) under ${i}:\n${e}`,remediation:`Review flagged lines to ensure the behavior is intentional and safe.`})}}}}return t}function Vt(e){let t=[];if(e.gateway?.controlUi?.allowInsecureAuth===!0&&t.push(`gateway.controlUi.allowInsecureAuth=true`),e.gateway?.controlUi?.dangerouslyAllowHostHeaderOriginFallback===!0&&t.push(`gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true`),e.gateway?.controlUi?.dangerouslyDisableDeviceAuth===!0&&t.push(`gateway.controlUi.dangerouslyDisableDeviceAuth=true`),e.hooks?.gmail?.allowUnsafeExternalContent===!0&&t.push(`hooks.gmail.allowUnsafeExternalContent=true`),Array.isArray(e.hooks?.mappings))for(let[n,r]of e.hooks.mappings.entries())r?.allowUnsafeExternalContent===!0&&t.push(`hooks.mappings[${n}].allowUnsafeExternalContent=true`);return e.tools?.exec?.applyPatch?.workspaceOnly===!1&&t.push(`tools.exec.applyPatch.workspaceOnly=false`),t}function Ht(e){let t=0,n=0,r=0;for(let i of e)i.severity===`critical`?t+=1:i.severity===`warn`?n+=1:r+=1;return{critical:t,warn:n,info:r}}function Ut(e){return Array.isArray(e)?e.map(e=>String(e).trim()).filter(Boolean):[]}function Q(e){if(!(!e||typeof e!=`object`||Array.isArray(e)))return e}function $(e){return typeof e==`string`&&e.trim().length>0}function Wt(e){let t=Q(Q(e.channels)?.feishu);if(!t||t.enabled===!1)return!1;let n=Q(t.tools),r=n?.doc!==!1,i=$(t.appId),a=O(t.appSecret,e.secrets?.defaults),o=i&&a,s=Q(t.accounts);if(!s||Object.keys(s).length===0)return r&&o;for(let t of Object.values(s)){let r=Q(t)??{};if(r.enabled!==!1&&(Q(r.tools)??n)?.doc!==!1&&($(r.appId)||i)&&(O(r.appSecret,e.secrets?.defaults)||a))return!0}return!1}async function Gt(e){let t=[],n=await p(e.stateDir,{env:e.env,platform:e.platform,exec:e.execIcacls});n.ok&&(n.isSymlink&&t.push({checkId:`fs.state_dir.symlink`,severity:`warn`,title:`State dir is a symlink`,detail:`${e.stateDir} is a symlink; treat this as an extra trust boundary.`}),n.worldWritable?t.push({checkId:`fs.state_dir.perms_world_writable`,severity:`critical`,title:`State dir is world-writable`,detail:`${y(e.stateDir,n)}; other users can write into your OpenClaw state.`,remediation:x({targetPath:e.stateDir,perms:n,isDir:!0,posixMode:448,env:e.env})}):n.groupWritable?t.push({checkId:`fs.state_dir.perms_group_writable`,severity:`warn`,title:`State dir is group-writable`,detail:`${y(e.stateDir,n)}; group users can write into your OpenClaw state.`,remediation:x({targetPath:e.stateDir,perms:n,isDir:!0,posixMode:448,env:e.env})}):(n.groupReadable||n.worldReadable)&&t.push({checkId:`fs.state_dir.perms_readable`,severity:`warn`,title:`State dir is readable by others`,detail:`${y(e.stateDir,n)}; consider restricting to 700.`,remediation:x({targetPath:e.stateDir,perms:n,isDir:!0,posixMode:448,env:e.env})}));let r=await p(e.configPath,{env:e.env,platform:e.platform,exec:e.execIcacls});if(r.ok){let n=r.isSymlink;r.isSymlink&&t.push({checkId:`fs.config.symlink`,severity:`warn`,title:`Config file is a symlink`,detail:`${e.configPath} is a symlink; make sure you trust its target.`}),r.worldWritable||r.groupWritable?t.push({checkId:`fs.config.perms_writable`,severity:`critical`,title:`Config file is writable by others`,detail:`${y(e.configPath,r)}; another user could change gateway/auth/tool policies.`,remediation:x({targetPath:e.configPath,perms:r,isDir:!1,posixMode:384,env:e.env})}):!n&&r.worldReadable?t.push({checkId:`fs.config.perms_world_readable`,severity:`critical`,title:`Config file is world-readable`,detail:`${y(e.configPath,r)}; config can contain tokens and private settings.`,remediation:x({targetPath:e.configPath,perms:r,isDir:!1,posixMode:384,env:e.env})}):!n&&r.groupReadable&&t.push({checkId:`fs.config.perms_group_readable`,severity:`warn`,title:`Config file is group-readable`,detail:`${y(e.configPath,r)}; config can contain tokens and private settings.`,remediation:x({targetPath:e.configPath,perms:r,isDir:!1,posixMode:384,env:e.env})})}return t}function Kt(e,t){let n=[],r=typeof e.gateway?.bind==`string`?e.gateway.bind:`loopback`,i=e.gateway?.tailscale?.mode??`off`,a=c({authConfig:e.gateway?.auth,tailscaleMode:i,env:t}),o=e.gateway?.controlUi?.enabled!==!1,s=(e.gateway?.controlUi?.allowedOrigins??[]).map(e=>e.trim()).filter(Boolean),l=e.gateway?.controlUi?.dangerouslyAllowHostHeaderOriginFallback===!0,u=Array.isArray(e.gateway?.trustedProxies)?e.gateway.trustedProxies:[],d=typeof a.token==`string`&&a.token.trim().length>0,f=typeof a.password==`string`&&a.password.trim().length>0,p=$(t.OPENCLAW_GATEWAY_TOKEN)||$(t.CLAWDBOT_GATEWAY_TOKEN),m=$(t.OPENCLAW_GATEWAY_PASSWORD)||$(t.CLAWDBOT_GATEWAY_PASSWORD),h=O(e.gateway?.auth?.token,e.secrets?.defaults),g=O(e.gateway?.auth?.password,e.secrets?.defaults),_=O(e.gateway?.remote?.token,e.secrets?.defaults),v=e.gateway?.auth?.mode,y=d||p||h||_,b=v===`password`||v!==`token`&&v!==`none`&&v!==`trusted-proxy`&&!y,x=y,S=f||b&&(m||g),C=v===`token`?x:v===`password`?S:v===`none`||v===`trusted-proxy`?!1:x||S,w=a.allowTailscale&&i===`serve`,T=C||w,E=e.gateway?.allowRealIpFallback===!0,D=e.discovery?.mdns?.mode??`minimal`,k=Array.isArray(e.gateway?.tools?.allow)?e.gateway?.tools?.allow:[],ee=new Set(k.map(e=>typeof e==`string`?e.trim().toLowerCase():``).filter(Boolean)),A=de.filter(e=>ee.has(e));if(A.length>0){let e=r!==`loopback`||i===`funnel`;n.push({checkId:`gateway.tools_invoke_http.dangerous_allow`,severity:e?`critical`:`warn`,title:`Gateway HTTP /tools/invoke re-enables dangerous tools`,detail:`gateway.tools.allow includes ${A.join(`, `)} which removes them from the default HTTP deny list. This can allow remote session spawning / control-plane actions via HTTP and increases RCE blast radius if the gateway is reachable.`,remediation:`Remove these entries from gateway.tools.allow (recommended). If you keep them enabled, keep gateway.bind loopback-only (or tailnet-only), restrict network exposure, and treat the gateway token/password as full-admin.`})}if(r!==`loopback`&&!C&&a.mode!==`trusted-proxy`&&n.push({checkId:`gateway.bind_no_auth`,severity:`critical`,title:`Gateway binds beyond loopback without auth`,detail:`gateway.bind="${r}" but no gateway.auth token/password is configured.`,remediation:`Set gateway.auth (token recommended) or bind to loopback.`}),r===`loopback`&&o&&u.length===0&&n.push({checkId:`gateway.trusted_proxies_missing`,severity:`warn`,title:`Reverse proxy headers are not trusted`,detail:`gateway.bind is loopback and gateway.trustedProxies is empty. If you expose the Control UI through a reverse proxy, configure trusted proxies so local-client checks cannot be spoofed.`,remediation:`Set gateway.trustedProxies to your proxy IPs or keep the Control UI local-only.`}),r===`loopback`&&o&&!T&&n.push({checkId:`gateway.loopback_no_auth`,severity:`critical`,title:`Gateway auth missing on loopback`,detail:`gateway.bind is loopback but no gateway auth secret is configured. If the Control UI is exposed through a reverse proxy, unauthenticated access is possible.`,remediation:`Set gateway.auth (token recommended) or keep the Control UI local-only.`}),r!==`loopback`&&o&&s.length===0&&!l&&n.push({checkId:`gateway.control_ui.allowed_origins_required`,severity:`critical`,title:`Non-loopback Control UI missing explicit allowed origins`,detail:`Control UI is enabled on a non-loopback bind but gateway.controlUi.allowedOrigins is empty. Strict origin policy requires explicit allowed origins for non-loopback deployments.`,remediation:`Set gateway.controlUi.allowedOrigins to full trusted origins (for example https://control.example.com). If your deployment intentionally relies on Host-header origin fallback, set gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true.`}),s.includes(`*`)){let e=r!==`loopback`;n.push({checkId:`gateway.control_ui.allowed_origins_wildcard`,severity:e?`critical`:`warn`,title:`Control UI allowed origins contains wildcard`,detail:`gateway.controlUi.allowedOrigins includes "*" which effectively disables origin allowlisting for Control UI/WebChat requests.`,remediation:`Replace wildcard origins with explicit trusted origins (for example https://control.example.com).`})}if(l){let e=r!==`loopback`;n.push({checkId:`gateway.control_ui.host_header_origin_fallback`,severity:e?`critical`:`warn`,title:`DANGEROUS: Host-header origin fallback enabled`,detail:`gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback=true enables Host-header origin fallback for Control UI/WebChat websocket checks and weakens DNS rebinding protections.`,remediation:`Disable gateway.controlUi.dangerouslyAllowHostHeaderOriginFallback and configure explicit gateway.controlUi.allowedOrigins.`})}if(E){let e=u.some(e=>!qt(e)),t=r!==`loopback`||a.mode===`trusted-proxy`&&e;n.push({checkId:`gateway.real_ip_fallback_enabled`,severity:t?`critical`:`warn`,title:`X-Real-IP fallback is enabled`,detail:`gateway.allowRealIpFallback=true trusts X-Real-IP when trusted proxies omit X-Forwarded-For. Misconfigured proxies that forward client-supplied X-Real-IP can spoof source IP and local-client checks.`,remediation:`Keep gateway.allowRealIpFallback=false (default). Only enable this when your trusted proxy always overwrites X-Real-IP and cannot provide X-Forwarded-For.`})}if(D===`full`){let e=r!==`loopback`;n.push({checkId:`discovery.mdns_full_mode`,severity:e?`critical`:`warn`,title:`mDNS full mode can leak host metadata`,detail:`discovery.mdns.mode="full" publishes cliPath/sshPort in local-network TXT records. This can reveal usernames, filesystem layout, and management ports.`,remediation:`Prefer discovery.mdns.mode="minimal" (recommended) or "off", especially when gateway.bind is not loopback.`})}i===`funnel`?n.push({checkId:`gateway.tailscale_funnel`,severity:`critical`,title:`Tailscale Funnel exposure enabled`,detail:`gateway.tailscale.mode="funnel" exposes the Gateway publicly; keep auth strict and treat it as internet-facing.`,remediation:`Prefer tailscale.mode="serve" (tailnet-only) or set tailscale.mode="off".`}):i===`serve`&&n.push({checkId:`gateway.tailscale_serve`,severity:`info`,title:`Tailscale Serve exposure enabled`,detail:`gateway.tailscale.mode="serve" exposes the Gateway to your tailnet (loopback behind Tailscale).`}),e.gateway?.controlUi?.allowInsecureAuth===!0&&n.push({checkId:`gateway.control_ui.insecure_auth`,severity:`warn`,title:`Control UI insecure auth toggle enabled`,detail:`gateway.controlUi.allowInsecureAuth=true does not bypass secure context or device identity checks; only dangerouslyDisableDeviceAuth disables Control UI device identity checks.`,remediation:`Disable it or switch to HTTPS (Tailscale Serve) or localhost.`}),e.gateway?.controlUi?.dangerouslyDisableDeviceAuth===!0&&n.push({checkId:`gateway.control_ui.device_auth_disabled`,severity:`critical`,title:`DANGEROUS: Control UI device auth disabled`,detail:`gateway.controlUi.dangerouslyDisableDeviceAuth=true disables device identity checks for the Control UI.`,remediation:`Disable it unless you are in a short-lived break-glass scenario.`}),Wt(e)&&n.push({checkId:`channels.feishu.doc_owner_open_id`,severity:`warn`,title:`Feishu doc create can grant requester permissions`,detail:`channels.feishu tools include "doc"; feishu_doc action "create" can grant document access to the trusted requesting Feishu user.`,remediation:`Disable channels.feishu.tools.doc when not needed, and restrict tool access for untrusted prompts.`});let j=Vt(e);j.length>0&&n.push({checkId:`config.insecure_or_dangerous_flags`,severity:`warn`,title:`Insecure or dangerous config flags enabled`,detail:`Detected ${j.length} enabled flag(s): ${j.join(`, `)}.`,remediation:`Disable these flags when not actively debugging, or keep deployment scoped to trusted/local-only networks.`});let M=typeof a.token==`string`&&a.token.trim().length>0?a.token.trim():null;if(a.mode===`token`&&M&&M.length<24&&n.push({checkId:`gateway.token_too_short`,severity:`warn`,title:`Gateway token looks short`,detail:`gateway auth token is ${M.length} chars; prefer a long random token.`}),a.mode===`trusted-proxy`){let t=e.gateway?.trustedProxies??[],r=e.gateway?.auth?.trustedProxy;n.push({checkId:`gateway.trusted_proxy_auth`,severity:`critical`,title:`Trusted-proxy auth mode enabled`,detail:`gateway.auth.mode="trusted-proxy" delegates authentication to a reverse proxy. Ensure your proxy (Pomerium, Caddy, nginx) handles auth correctly and that gateway.trustedProxies only contains IPs of your actual proxy servers.`,remediation:`Verify: (1) Your proxy terminates TLS and authenticates users. (2) gateway.trustedProxies is restricted to proxy IPs only. (3) Direct access to the Gateway port is blocked by firewall. See /gateway/trusted-proxy-auth for setup guidance.`}),t.length===0&&n.push({checkId:`gateway.trusted_proxy_no_proxies`,severity:`critical`,title:`Trusted-proxy auth enabled but no trusted proxies configured`,detail:`gateway.auth.mode="trusted-proxy" but gateway.trustedProxies is empty. All requests will be rejected.`,remediation:`Set gateway.trustedProxies to the IP(s) of your reverse proxy.`}),r?.userHeader||n.push({checkId:`gateway.trusted_proxy_no_user_header`,severity:`critical`,title:`Trusted-proxy auth missing userHeader config`,detail:`gateway.auth.mode="trusted-proxy" but gateway.auth.trustedProxy.userHeader is not configured.`,remediation:`Set gateway.auth.trustedProxy.userHeader to the header name your proxy uses (e.g., "x-forwarded-user", "x-pomerium-claim-email").`}),(r?.allowUsers??[]).length===0&&n.push({checkId:`gateway.trusted_proxy_no_allowlist`,severity:`warn`,title:`Trusted-proxy auth allows all authenticated users`,detail:`gateway.auth.trustedProxy.allowUsers is empty, so any user authenticated by your proxy can access the Gateway.`,remediation:`Consider setting gateway.auth.trustedProxy.allowUsers to restrict access to specific users (e.g., ["nick@example.com"]).`})}return r!==`loopback`&&a.mode!==`trusted-proxy`&&!e.gateway?.auth?.rateLimit&&n.push({checkId:`gateway.auth_no_rate_limit`,severity:`warn`,title:`No auth rate limiting configured`,detail:`gateway.bind is not loopback but no gateway.auth.rateLimit is configured. Without rate limiting, brute-force auth attacks are not mitigated.`,remediation:`Set gateway.auth.rateLimit (e.g. { maxAttempts: 10, windowMs: 60000, lockoutMs: 300000 }).`}),n}function qt(e){let t=e.trim();if(!t)return!1;if(!t.includes(`/`))return t===`127.0.0.1`||t.toLowerCase()===`::1`;let[n,r]=t.split(`/`,2);if(!n||!r)return!1;let i=Se(n.trim()),a=Number.parseInt(r.trim(),10);return Number.isInteger(a)?i===4?n.trim()===`127.0.0.1`&&a===32:i===6?a===128&&n.trim().toLowerCase()===`::1`:!1:!1}function Jt(e,t){let i=[],a;try{a=s(e.browser,e)}catch(e){return i.push({checkId:`browser.control_invalid_config`,severity:`warn`,title:`Browser control config looks invalid`,detail:String(e),remediation:`Fix browser.cdpUrl in ${n()} and re-run "${S(`openclaw security audit --deep`)}".`}),i}if(!a.enabled)return i;let o=d(e,t),c=e.gateway?.auth?.mode,l=!!o.token||$(t.OPENCLAW_GATEWAY_TOKEN)||$(t.CLAWDBOT_GATEWAY_TOKEN)||O(e.gateway?.auth?.token,e.secrets?.defaults),u=c===`password`||c!==`token`&&c!==`none`&&c!==`trusted-proxy`&&!l,f=!!o.password||u&&($(t.OPENCLAW_GATEWAY_PASSWORD)||$(t.CLAWDBOT_GATEWAY_PASSWORD)||O(e.gateway?.auth?.password,e.secrets?.defaults));!l&&!f&&i.push({checkId:`browser.control_no_auth`,severity:`critical`,title:`Browser control has no auth`,detail:`Browser control HTTP routes are enabled but no gateway.auth token/password is configured. Any local process (or SSRF to loopback) can call browser control endpoints.`,remediation:`Set gateway.auth.token (recommended) or gateway.auth.password so browser control HTTP routes require authentication. Restarting the gateway will auto-generate gateway.auth.token when browser control is enabled.`});for(let e of Object.keys(a.profiles)){let t=r(a,e);if(!t||t.cdpIsLoopback)continue;let n;try{n=new URL(t.cdpUrl)}catch{continue}n.protocol===`http:`&&i.push({checkId:`browser.remote_cdp_http`,severity:`warn`,title:`Remote CDP uses HTTP`,detail:`browser profile "${e}" uses http CDP (${t.cdpUrl}); this is OK only if it's tailnet-only or behind an encrypted tunnel.`,remediation:`Prefer HTTPS/TLS or a tailnet-only endpoint for remote CDP.`})}return i}function Yt(e){return e.logging?.redactSensitive===`off`?[{checkId:`logging.redact_off`,severity:`warn`,title:`Tool summary redaction is disabled`,detail:`logging.redactSensitive="off" can leak secrets into logs and status output.`,remediation:`Set logging.redactSensitive="tools".`}]:[]}function Xt(e){let t=[],n=e.tools?.elevated?.enabled,r=e.tools?.elevated?.allowFrom??{},i=Object.keys(r).length>0;if(n===!1||!i)return t;for(let[e,n]of Object.entries(r)){let r=Ut(n);r.includes(`*`)?t.push({checkId:`tools.elevated.allowFrom.${e}.wildcard`,severity:`critical`,title:`Elevated exec allowlist contains wildcard`,detail:`tools.elevated.allowFrom.${e} includes "*" which effectively approves everyone on that channel for elevated mode.`}):r.length>25&&t.push({checkId:`tools.elevated.allowFrom.${e}.large`,severity:`warn`,title:`Elevated exec allowlist is large`,detail:`tools.elevated.allowFrom.${e} has ${r.length} entries; consider tightening elevated access.`})}return t}function Zt(e){let t=[],n=e.tools?.exec?.host,r=i(e).mode;n===`sandbox`&&r===`off`&&t.push({checkId:`tools.exec.host_sandbox_no_sandbox_defaults`,severity:`warn`,title:`Exec host is sandbox but sandbox mode is off`,detail:`tools.exec.host is explicitly set to sandbox while agents.defaults.sandbox.mode=off. In this mode, exec runs directly on the gateway host.`,remediation:'Enable sandbox mode (`agents.defaults.sandbox.mode="non-main"` or `"all"`) or set tools.exec.host to "gateway" with approvals.'});let a=Array.isArray(e.agents?.list)?e.agents.list:[],o=a.filter(t=>t&&typeof t==`object`&&typeof t.id==`string`&&t.tools?.exec?.host===`sandbox`&&i(e,t.id).mode===`off`).map(e=>e.id).slice(0,5);o.length>0&&t.push({checkId:`tools.exec.host_sandbox_no_sandbox_agents`,severity:`warn`,title:`Agent exec host uses sandbox while sandbox mode is off`,detail:`agents.list.*.tools.exec.host is set to sandbox for: ${o.join(`, `)}. With sandbox mode off, exec runs directly on the gateway host.`,remediation:'Enable sandbox mode for these agents (`agents.list[].sandbox.mode`) or set their tools.exec.host to "gateway".'});let s=e=>Array.isArray(e)?Array.from(new Set(e.map(e=>typeof e==`string`?e.trim().toLowerCase():``).filter(e=>e.length>0))).toSorted():[],c=e=>Array.isArray(e)?l(e.filter(e=>typeof e==`string`)):[],u=e=>{let t=e.trim();if(!t)return null;if(!B.isAbsolute(t))return`relative path (trust boundary depends on process cwd)`;let n=B.resolve(t).replace(/\\/g,`/`).toLowerCase();return n===`/tmp`||n.startsWith(`/tmp/`)||n===`/var/tmp`||n.startsWith(`/var/tmp/`)||n===`/private/tmp`||n.startsWith(`/private/tmp/`)?`temporary directory is mutable and easy to poison`:n===`/usr/local/bin`||n===`/opt/homebrew/bin`||n===`/opt/local/bin`||n===`/home/linuxbrew/.linuxbrew/bin`?`package-manager bin directory (often user-writable)`:n.startsWith(`/users/`)||n.startsWith(`/home/`)||n.includes(`/.local/bin`)||/^[a-z]:\/users\//.test(n)?`home-scoped bin directory (typically user-writable)`:null},d=e.tools?.exec,f=[],p=(e,t)=>{for(let n of c(t)){let t=u(n);t&&f.push(`- ${e}.safeBinTrustedDirs: ${n} (${t})`)}};p(`tools.exec`,d?.safeBinTrustedDirs);for(let e of a)!e||typeof e!=`object`||typeof e.id!=`string`||p(`agents.list.${e.id}.tools.exec`,e.tools?.exec?.safeBinTrustedDirs);let m=[],h=s(d?.safeBins);if(h.length>0){let e=N({global:d})??{},t=re(h).filter(t=>!e[t]);t.length>0&&m.push(`- tools.exec.safeBins: ${t.join(`, `)}`)}for(let e of a){if(!e||typeof e!=`object`||typeof e.id!=`string`)continue;let t=e.tools?.exec,n=s(t?.safeBins);if(n.length===0)continue;let r=N({global:d,local:t})??{},i=re(n).filter(e=>!r[e]);i.length!==0&&m.push(`- agents.list.${e.id}.tools.exec.safeBins: ${i.join(`, `)}`)}return m.length>0&&t.push({checkId:`tools.exec.safe_bins_interpreter_unprofiled`,severity:`warn`,title:`safeBins includes interpreter/runtime binaries without explicit profiles`,detail:`Detected interpreter-like safeBins entries missing explicit profiles:\n${m.join(`
 `)}\nThese entries can turn safeBins into a broad execution surface when used with permissive argv profiles.`,remediation:`Remove interpreter/runtime bins from safeBins (prefer allowlist entries) or define hardened tools.exec.safeBinProfiles.<bin> rules.`}),f.length>0&&t.push({checkId:`tools.exec.safe_bin_trusted_dirs_risky`,severity:`warn`,title:`safeBinTrustedDirs includes risky mutable directories`,detail:`Detected risky safeBinTrustedDirs entries:\n${f.slice(0,10).join(`
 `)}`+(f.length>10?`\n- +${f.length-10} more entries.`:``),remediation:`Prefer root-owned immutable bins, keep default trust dirs (/bin, /usr/bin), and avoid trusting temporary/home/package-manager paths unless tightly controlled.`}),t}async function Qt(e){let t=ae({config:e.cfg}).url,n=e.cfg.gateway?.mode===`remote`,r=typeof e.cfg.gateway?.remote?.url==`string`?e.cfg.gateway.remote.url.trim():``,i=pe(!n||n&&!r?{cfg:e.cfg,env:e.env,mode:`local`}:{cfg:e.cfg,env:e.env,mode:`remote`}),a=await e.probe({url:t,auth:i.auth,timeoutMs:e.timeoutMs}).catch(e=>({ok:!1,url:t,connectLatencyMs:null,error:String(e),close:null,health:null,status:null,presence:null,configSnapshot:null}));return i.warning&&!a.ok&&(a.error=a.error?`${a.error}; ${i.warning}`:i.warning),{deep:{gateway:{attempted:!0,url:t,ok:a.ok,error:a.ok?null:a.error,close:a.close?{code:a.close.code,reason:a.close.reason}:null}},authWarning:i.warning}}async function $t(t){let r=t.config,i=t.sourceConfig??t.config,a=t.env??process.env,o=t.platform??process.platform,s=t.includeFilesystem!==!1,c=t.includeChannelSecurity!==!1,l=t.deep===!0,u=Math.max(250,t.deepTimeoutMs??5e3),d=t.stateDir??e(a),f=t.configPath??n(a,d),p=s?t.configSnapshot===void 0?await Rt({env:a,configPath:f}).catch(()=>null):t.configSnapshot:null;return{cfg:r,sourceConfig:i,env:a,platform:o,includeFilesystem:s,includeChannelSecurity:c,deep:l,deepTimeoutMs:u,stateDir:d,configPath:f,execIcacls:t.execIcacls,execDockerRawFn:t.execDockerRawFn,probeGatewayFn:t.probeGatewayFn,plugins:t.plugins,configSnapshot:p,codeSafetySummaryCache:t.codeSafetySummaryCache??new Map}}async function en(e){let t=[],n=await $t(e),{cfg:r,env:i,platform:a,stateDir:o,configPath:s}=n;if(t.push(...Ze(r)),t.push(...Qe({stateDir:o,configPath:s})),t.push(...Kt(r,i)),t.push(...Jt(r,i)),t.push(...Yt(r)),t.push(...Xt(r)),t.push(...Zt(r)),t.push(...et(r,i)),t.push(...nt(r,i)),t.push(...tt(r)),t.push(...rt(r)),t.push(...it(r)),t.push(...at(r)),t.push(...ot(r)),t.push(...st(r)),t.push(...$e(r)),t.push(...ct(r)),t.push(...lt({cfg:r,env:i})),t.push(...ut(r)),t.push(...dt(r)),n.includeFilesystem&&(t.push(...await Gt({stateDir:o,configPath:s,env:i,platform:a,execIcacls:n.execIcacls})),n.configSnapshot&&t.push(...await It({configSnapshot:n.configSnapshot,env:i,platform:a,execIcacls:n.execIcacls})),t.push(...await Lt({cfg:r,env:i,stateDir:o,platform:a,execIcacls:n.execIcacls})),t.push(...await Ft({cfg:r})),t.push(...await Nt({execDockerRawFn:n.execDockerRawFn})),t.push(...await Pt({cfg:r,stateDir:o})),n.deep&&(t.push(...await zt({stateDir:o,summaryCache:n.codeSafetySummaryCache})),t.push(...await Bt({cfg:r,stateDir:o,summaryCache:n.codeSafetySummaryCache})))),n.includeChannelSecurity){let e=n.plugins??ne();t.push(...await Ee({cfg:r,sourceConfig:n.sourceConfig,plugins:e}))}let c=n.deep?await Qt({cfg:r,env:i,timeoutMs:n.deepTimeoutMs,probe:n.probeGatewayFn??fe}):void 0,l=c?.deep;l?.gateway?.attempted&&!l.gateway.ok&&t.push({checkId:`gateway.probe_failed`,severity:`warn`,title:`Gateway probe failed (deep)`,detail:l.gateway.error??`gateway unreachable`,remediation:`Run "${S(`openclaw status --all`)}" to debug connectivity/auth, then re-run "${S(`openclaw security audit --deep`)}".`}),c?.authWarning&&t.push({checkId:`gateway.probe_auth_secretref_unavailable`,severity:`warn`,title:`Gateway probe auth SecretRef is unavailable`,detail:c.authWarning,remediation:`Set OPENCLAW_GATEWAY_TOKEN/OPENCLAW_GATEWAY_PASSWORD in this shell or resolve the external secret provider, then re-run "${S(`openclaw security audit --deep`)}".`});let u=Ht(t);return{ts:Date.now(),summary:u,findings:t,deep:l}}export{Vt as n,mt as r,en as t};
+//# sourceMappingURL=audit-jkdcAUep.js.map

package/dist/audit-membership-runtime-BpRsMj5-.js

@@ -1 +1,2 @@
 import{r as e}from"./utils-R-mFyVJi.js";import"./proxy-env-DrC3TIGh.js";import{r as t}from"./fetch-D0rZDHKO.js";import{n,t as r}from"./fetch-DsjPfQlp.js";async function i(i){let a=r(i.proxyUrl?n(i.proxyUrl):void 0,{network:i.network}),o=`https://api.telegram.org/bot${i.token}`,s=[];for(let n of i.groupIds)try{let r=await t(`${o}/getChatMember?chat_id=${encodeURIComponent(n)}&user_id=${encodeURIComponent(String(i.botId))}`,{},i.timeoutMs,a),c=await r.json();if(!r.ok||!e(c)||!c.ok){let t=e(c)&&!c.ok&&typeof c.description==`string`?c.description:`getChatMember failed (${r.status})`;s.push({chatId:n,ok:!1,status:null,error:t,matchKey:n,matchSource:`id`});continue}let l=e(c.result)?c.result.status??null:null,u=l===`creator`||l===`administrator`||l===`member`;s.push({chatId:n,ok:u,status:l,error:u?null:`bot not in group`,matchKey:n,matchSource:`id`})}catch(e){s.push({chatId:n,ok:!1,status:null,error:e instanceof Error?e.message:String(e),matchKey:n,matchSource:`id`})}return{ok:s.every(e=>e.ok),checkedGroups:s.length,unresolvedGroups:0,hasWildcardUnmentionedGroups:!1,groups:s}}export{i as auditTelegramGroupMembershipImpl};
+//# sourceMappingURL=audit-membership-runtime-BpRsMj5-.js.map

package/dist/audit-membership-runtime-BsfLZNBj.js

@@ -1 +1,2 @@
 import"./subsystem-BLbY429l.js";import"./paths-BjD3T_xq.js";import"./boolean-D15s2V33.js";import{u as e}from"./utils-CGdo13HV.js";import"./logger-kQAOe3qp.js";import{n as t}from"./fetch-timeout-CdYxWG9w.js";import{n}from"./proxy-fetch-gWETR3cl.js";import"./fetch-Dh-apy46.js";import{t as r}from"./fetch-Ce-scEU-.js";async function i(i){let a=r(i.proxyUrl?n(i.proxyUrl):void 0,{network:i.network}),o=`https://api.telegram.org/bot${i.token}`,s=[];for(let n of i.groupIds)try{let r=await t(`${o}/getChatMember?chat_id=${encodeURIComponent(n)}&user_id=${encodeURIComponent(String(i.botId))}`,{},i.timeoutMs,a),c=await r.json();if(!r.ok||!e(c)||!c.ok){let t=e(c)&&!c.ok&&typeof c.description==`string`?c.description:`getChatMember failed (${r.status})`;s.push({chatId:n,ok:!1,status:null,error:t,matchKey:n,matchSource:`id`});continue}let l=e(c.result)?c.result.status??null:null,u=l===`creator`||l===`administrator`||l===`member`;s.push({chatId:n,ok:u,status:l,error:u?null:`bot not in group`,matchKey:n,matchSource:`id`})}catch(e){s.push({chatId:n,ok:!1,status:null,error:e instanceof Error?e.message:String(e),matchKey:n,matchSource:`id`})}return{ok:s.every(e=>e.ok),checkedGroups:s.length,unresolvedGroups:0,hasWildcardUnmentionedGroups:!1,groups:s}}export{i as auditTelegramGroupMembershipImpl};
+//# sourceMappingURL=audit-membership-runtime-BsfLZNBj.js.map

package/dist/audit-membership-runtime-DRHirRmx.js

@@ -1 +1,2 @@
 import"./paths-B4IRk3wi.js";import"./subsystem-C5XF2Fy5.js";import{d as e}from"./utils-UGOV_184.js";import"./boolean-Ch3DfXPy.js";import"./env-D7wNuBx1.js";import"./logger-Bl8URnrW.js";import{n as t}from"./fetch-timeout-u8g99Ax0.js";import{n}from"./proxy-fetch-BADsUK4d.js";import"./fetch-Dikjvc5M.js";import{t as r}from"./fetch-Bn0mWg6a.js";async function i(i){let a=r(i.proxyUrl?n(i.proxyUrl):void 0,{network:i.network}),o=`https://api.telegram.org/bot${i.token}`,s=[];for(let n of i.groupIds)try{let r=await t(`${o}/getChatMember?chat_id=${encodeURIComponent(n)}&user_id=${encodeURIComponent(String(i.botId))}`,{},i.timeoutMs,a),c=await r.json();if(!r.ok||!e(c)||!c.ok){let t=e(c)&&!c.ok&&typeof c.description==`string`?c.description:`getChatMember failed (${r.status})`;s.push({chatId:n,ok:!1,status:null,error:t,matchKey:n,matchSource:`id`});continue}let l=e(c.result)?c.result.status??null:null,u=l===`creator`||l===`administrator`||l===`member`;s.push({chatId:n,ok:u,status:l,error:u?null:`bot not in group`,matchKey:n,matchSource:`id`})}catch(e){s.push({chatId:n,ok:!1,status:null,error:e instanceof Error?e.message:String(e),matchKey:n,matchSource:`id`})}return{ok:s.every(e=>e.ok),checkedGroups:s.length,unresolvedGroups:0,hasWildcardUnmentionedGroups:!1,groups:s}}export{i as auditTelegramGroupMembershipImpl};
+//# sourceMappingURL=audit-membership-runtime-DRHirRmx.js.map

package/dist/audit-membership-runtime-g0dEWJTp.js

@@ -1 +1,2 @@
 import"./paths-BpQOWYiT.js";import{f as e}from"./logger-DwWqfo66.js";import"./proxy-env-BNhTHkd_.js";import{n as t}from"./fetch-timeout-Cj8_oAls.js";import{n}from"./proxy-fetch-DnjU1fEB.js";import"./fetch-DHo17YmK.js";import{t as r}from"./fetch-hy0JKSsm.js";async function i(i){let a=r(i.proxyUrl?n(i.proxyUrl):void 0,{network:i.network}),o=`https://api.telegram.org/bot${i.token}`,s=[];for(let n of i.groupIds)try{let r=await t(`${o}/getChatMember?chat_id=${encodeURIComponent(n)}&user_id=${encodeURIComponent(String(i.botId))}`,{},i.timeoutMs,a),c=await r.json();if(!r.ok||!e(c)||!c.ok){let t=e(c)&&!c.ok&&typeof c.description==`string`?c.description:`getChatMember failed (${r.status})`;s.push({chatId:n,ok:!1,status:null,error:t,matchKey:n,matchSource:`id`});continue}let l=e(c.result)?c.result.status??null:null,u=l===`creator`||l===`administrator`||l===`member`;s.push({chatId:n,ok:u,status:l,error:u?null:`bot not in group`,matchKey:n,matchSource:`id`})}catch(e){s.push({chatId:n,ok:!1,status:null,error:e instanceof Error?e.message:String(e),matchKey:n,matchSource:`id`})}return{ok:s.every(e=>e.ok),checkedGroups:s.length,unresolvedGroups:0,hasWildcardUnmentionedGroups:!1,groups:s}}export{i as auditTelegramGroupMembershipImpl};
+//# sourceMappingURL=audit-membership-runtime-g0dEWJTp.js.map

package/dist/audit-membership-runtime-kdyToskD.js

@@ -1 +1,2 @@
 import"./paths-CChBdtE8.js";import"./subsystem-Bc2XrjUz.js";import{c as e}from"./utils-D3t-vPka.js";import"./boolean-DypnRoRK.js";import"./proxy-env-DcmW_urA.js";import"./logger-5W0OocJW.js";import{n as t}from"./fetch-timeout-DoOI_izT.js";import{n}from"./proxy-fetch-BZ9O8Dvj.js";import"./fetch-_g8lZ8K8.js";import{t as r}from"./fetch-BJT3BrkJ.js";async function i(i){let a=r(i.proxyUrl?n(i.proxyUrl):void 0,{network:i.network}),o=`https://api.telegram.org/bot${i.token}`,s=[];for(let n of i.groupIds)try{let r=await t(`${o}/getChatMember?chat_id=${encodeURIComponent(n)}&user_id=${encodeURIComponent(String(i.botId))}`,{},i.timeoutMs,a),c=await r.json();if(!r.ok||!e(c)||!c.ok){let t=e(c)&&!c.ok&&typeof c.description==`string`?c.description:`getChatMember failed (${r.status})`;s.push({chatId:n,ok:!1,status:null,error:t,matchKey:n,matchSource:`id`});continue}let l=e(c.result)?c.result.status??null:null,u=l===`creator`||l===`administrator`||l===`member`;s.push({chatId:n,ok:u,status:l,error:u?null:`bot not in group`,matchKey:n,matchSource:`id`})}catch(e){s.push({chatId:n,ok:!1,status:null,error:e instanceof Error?e.message:String(e),matchKey:n,matchSource:`id`})}return{ok:s.every(e=>e.ok),checkedGroups:s.length,unresolvedGroups:0,hasWildcardUnmentionedGroups:!1,groups:s}}export{i as auditTelegramGroupMembershipImpl};
+//# sourceMappingURL=audit-membership-runtime-kdyToskD.js.map

package/dist/auth-choice-B7LSoXZ_.js

@@ -6,3 +6,4 @@ import"./subsystem-BLbY429l.js";import"./paths-BjD3T_xq.js";import"./boolean-D15
 `)),o.exit(1),null;if(r===`vllm`)return o.error([`Auth choice "vllm" requires interactive mode.`,`Use interactive onboard/configure to enter base URL, API key, and model ID.`].join(`
 `)),o.exit(1),null;if(r===`ollama`)return xe({nextConfig:K,opts:a,runtime:o});if(r===`apiKey`){let e=await Z({provider:`anthropic`,cfg:s,flagValue:a.anthropicApiKey,flagName:`--anthropic-api-key`,envVar:`ANTHROPIC_API_KEY`,runtime:o});return!e||!await Q(e,e=>U(e,void 0,Y))?null:j(K,{profileId:`anthropic:default`,provider:`anthropic`,mode:`api_key`})}if(r===`token`){let e=a.tokenProvider?.trim();if(!e)return o.error(`Missing --token-provider for --auth-choice token.`),o.exit(1),null;let r=t(e);if(r!==`anthropic`)return o.error(`Only --token-provider anthropic is supported for --auth-choice token.`),o.exit(1),null;let s=i(a.token);if(!s)return o.error(`Missing --token for --auth-choice token.`),o.exit(1),null;let l=z(s);if(l)return o.error(l),o.exit(1),null;let u,d=a.tokenExpiresIn?.trim();if(d)try{u=Date.now()+c(d,{defaultUnit:`d`})}catch(e){return o.error(`Invalid --token-expires-in: ${String(e)}`),o.exit(1),null}let f=a.tokenProfileId?.trim()||W({provider:r,name:``});return n({profileId:f,credential:{type:`token`,provider:r,token:s.trim(),...u?{expires:u}:{}}}),j(K,{profileId:f,provider:r,mode:`token`})}if(r===`gemini-api-key`){let e=await Z({provider:`google`,cfg:s,flagValue:a.geminiApiKey,flagName:`--gemini-api-key`,envVar:`GEMINI_API_KEY`,runtime:o});return!e||!await Q(e,e=>de(e,void 0,Y))?null:(K=j(K,{profileId:`google:default`,provider:`google`,mode:`api_key`}),be(K).next)}if(r===`zai-api-key`||r===`zai-coding-global`||r===`zai-coding-cn`||r===`zai-global`||r===`zai-cn`){let e=await Z({provider:`zai`,cfg:s,flagValue:a.zaiApiKey,flagName:`--zai-api-key`,envVar:`ZAI_API_KEY`,runtime:o});if(!e||!await Q(e,e=>N(e,void 0,Y)))return null;K=j(K,{profileId:`zai:default`,provider:`zai`,mode:`api_key`});let t,n;if(r===`zai-coding-global`)t=`coding-global`;else if(r===`zai-coding-cn`)t=`coding-cn`;else if(r===`zai-global`)t=`global`;else if(r===`zai-cn`)t=`cn`;else{let r=await ve({apiKey:e.key});r?(t=r.endpoint,n=r.modelId):t=`global`}return ie(K,{endpoint:t,...n?{modelId:n}:{}})}if(r===`xiaomi-api-key`){let e=await Z({provider:`xiaomi`,cfg:s,flagValue:a.xiaomiApiKey,flagName:`--xiaomi-api-key`,envVar:`XIAOMI_API_KEY`,runtime:o});return!e||!await Q(e,e=>d(e,void 0,Y))?null:(K=j(K,{profileId:`xiaomi:default`,provider:`xiaomi`,mode:`api_key`}),x(K))}if(r===`xai-api-key`){let e=await Z({provider:`xai`,cfg:s,flagValue:a.xaiApiKey,flagName:`--xai-api-key`,envVar:`XAI_API_KEY`,runtime:o});return!e||!await Q(e,e=>F(e,void 0,Y))?null:(K=j(K,{profileId:`xai:default`,provider:`xai`,mode:`api_key`}),te(K))}if(r===`mistral-api-key`){let e=await Z({provider:`mistral`,cfg:s,flagValue:a.mistralApiKey,flagName:`--mistral-api-key`,envVar:`MISTRAL_API_KEY`,runtime:o});return!e||!await Q(e,e=>A(e,void 0,Y))?null:(K=j(K,{profileId:`mistral:default`,provider:`mistral`,mode:`api_key`}),_(K))}if(r===`volcengine-api-key`){let e=await Z({provider:`volcengine`,cfg:s,flagValue:a.volcengineApiKey,flagName:`--volcengine-api-key`,envVar:`VOLCANO_ENGINE_API_KEY`,runtime:o});return!e||!await Q(e,e=>se(e,void 0,Y))?null:(K=j(K,{profileId:`volcengine:default`,provider:`volcengine`,mode:`api_key`}),G(K,`volcengine-plan/ark-code-latest`))}if(r===`byteplus-api-key`){let e=await Z({provider:`byteplus`,cfg:s,flagValue:a.byteplusApiKey,flagName:`--byteplus-api-key`,envVar:`BYTEPLUS_API_KEY`,runtime:o});return!e||!await Q(e,e=>E(e,void 0,Y))?null:(K=j(K,{profileId:`byteplus:default`,provider:`byteplus`,mode:`api_key`}),G(K,`byteplus-plan/ark-code-latest`))}if(r===`qianfan-api-key`){let e=await Z({provider:`qianfan`,cfg:s,flagValue:a.qianfanApiKey,flagName:`--qianfan-api-key`,envVar:`QIANFAN_API_KEY`,runtime:o});return!e||!await Q(e,e=>p(e,void 0,Y))?null:(K=j(K,{profileId:`qianfan:default`,provider:`qianfan`,mode:`api_key`}),ce(K))}if(r===`modelstudio-api-key-cn`){let e=await Z({provider:`modelstudio`,cfg:s,flagValue:a.modelstudioApiKeyCn,flagName:`--modelstudio-api-key-cn`,envVar:`MODELSTUDIO_API_KEY`,runtime:o});return!e||!await Q(e,e=>C(e,void 0,Y))?null:(K=j(K,{profileId:`modelstudio:default`,provider:`modelstudio`,mode:`api_key`}),y(K))}if(r===`modelstudio-api-key`){let e=await Z({provider:`modelstudio`,cfg:s,flagValue:a.modelstudioApiKey,flagName:`--modelstudio-api-key`,envVar:`MODELSTUDIO_API_KEY`,runtime:o});return!e||!await Q(e,e=>C(e,void 0,Y))?null:(K=j(K,{profileId:`modelstudio:default`,provider:`modelstudio`,mode:`api_key`}),me(K))}if(r===`openai-api-key`){let e=await Z({provider:`openai`,cfg:s,flagValue:a.openaiApiKey,flagName:`--openai-api-key`,envVar:`OPENAI_API_KEY`,runtime:o});return!e||!await Q(e,e=>_e(e,void 0,Y))?null:(K=j(K,{profileId:`openai:default`,provider:`openai`,mode:`api_key`}),ye(K))}if(r===`openrouter-api-key`){let e=await Z({provider:`openrouter`,cfg:s,flagValue:a.openrouterApiKey,flagName:`--openrouter-api-key`,envVar:`OPENROUTER_API_KEY`,runtime:o});return!e||!await Q(e,e=>v(e,void 0,Y))?null:(K=j(K,{profileId:`openrouter:default`,provider:`openrouter`,mode:`api_key`}),ae(K))}if(r===`kilocode-api-key`){let e=await Z({provider:`kilocode`,cfg:s,flagValue:a.kilocodeApiKey,flagName:`--kilocode-api-key`,envVar:`KILOCODE_API_KEY`,runtime:o});return!e||!await Q(e,e=>O(e,void 0,Y))?null:(K=j(K,{profileId:`kilocode:default`,provider:`kilocode`,mode:`api_key`}),fe(K))}if(r===`litellm-api-key`){let e=await Z({provider:`litellm`,cfg:s,flagValue:a.litellmApiKey,flagName:`--litellm-api-key`,envVar:`LITELLM_API_KEY`,runtime:o});return!e||!await Q(e,e=>R(e,void 0,Y))?null:(K=j(K,{profileId:`litellm:default`,provider:`litellm`,mode:`api_key`}),re(K))}if(r===`ai-gateway-api-key`){let e=await Z({provider:`vercel-ai-gateway`,cfg:s,flagValue:a.aiGatewayApiKey,flagName:`--ai-gateway-api-key`,envVar:`AI_GATEWAY_API_KEY`,runtime:o});return!e||!await Q(e,e=>m(e,void 0,Y))?null:(K=j(K,{profileId:`vercel-ai-gateway:default`,provider:`vercel-ai-gateway`,mode:`api_key`}),h(K))}if(r===`cloudflare-ai-gateway-api-key`){let e=a.cloudflareAiGatewayAccountId?.trim()??``,t=a.cloudflareAiGatewayGatewayId?.trim()??``;if(!e||!t)return o.error([`Auth choice "cloudflare-ai-gateway-api-key" requires Account ID and Gateway ID.`,`Use --cloudflare-ai-gateway-account-id and --cloudflare-ai-gateway-gateway-id.`].join(`
 `)),o.exit(1),null;let n=await Z({provider:`cloudflare-ai-gateway`,cfg:s,flagValue:a.cloudflareAiGatewayApiKey,flagName:`--cloudflare-ai-gateway-api-key`,envVar:`CLOUDFLARE_AI_GATEWAY_API_KEY`,runtime:o});if(!n)return null;if(n.source!==`profile`){let r=X(n);if(!r)return null;await L(e,t,r,void 0,Y)}return K=j(K,{profileId:`cloudflare-ai-gateway:default`,provider:`cloudflare-ai-gateway`,mode:`api_key`}),S(K,{accountId:e,gatewayId:t})}let $=async e=>{let t=await Z({provider:`moonshot`,cfg:s,flagValue:a.moonshotApiKey,flagName:`--moonshot-api-key`,envVar:`MOONSHOT_API_KEY`,runtime:o});return!t||!await Q(t,e=>pe(e,void 0,Y))?null:(K=j(K,{profileId:`moonshot:default`,provider:`moonshot`,mode:`api_key`}),e(K))};if(r===`moonshot-api-key`)return await $(oe);if(r===`moonshot-api-key-cn`)return await $(P);if(r===`kimi-code-api-key`){let e=await Z({provider:`kimi-coding`,cfg:s,flagValue:a.kimiCodeApiKey,flagName:`--kimi-code-api-key`,envVar:`KIMI_API_KEY`,runtime:o});return!e||!await Q(e,e=>V(e,void 0,Y))?null:(K=j(K,{profileId:`kimi-coding:default`,provider:`kimi-coding`,mode:`api_key`}),w(K))}if(r===`synthetic-api-key`){let e=await Z({provider:`synthetic`,cfg:s,flagValue:a.syntheticApiKey,flagName:`--synthetic-api-key`,envVar:`SYNTHETIC_API_KEY`,runtime:o});return!e||!await Q(e,e=>he(e,void 0,Y))?null:(K=j(K,{profileId:`synthetic:default`,provider:`synthetic`,mode:`api_key`}),ne(K))}if(r===`venice-api-key`){let e=await Z({provider:`venice`,cfg:s,flagValue:a.veniceApiKey,flagName:`--venice-api-key`,envVar:`VENICE_API_KEY`,runtime:o});return!e||!await Q(e,e=>ee(e,void 0,Y))?null:(K=j(K,{profileId:`venice:default`,provider:`venice`,mode:`api_key`}),f(K))}if(r===`minimax-cloud`||r===`minimax-api`||r===`minimax-api-key-cn`||r===`minimax-api-lightning`){let e=r===`minimax-api-key-cn`,t=e?`minimax-cn`:`minimax`,n=`${t}:default`,i=await Z({provider:t,cfg:s,flagValue:a.minimaxApiKey,flagName:`--minimax-api-key`,envVar:`MINIMAX_API_KEY`,runtime:o});if(!i||!await Q(i,e=>M(e,void 0,n,Y)))return null;K=j(K,{profileId:n,provider:t,mode:`api_key`});let c=r===`minimax-api-lightning`?`MiniMax-M2.5-highspeed`:`MiniMax-M2.5`;return e?ue(K,c):I(K,c)}if(r===`minimax`)return B(K);if(r===`opencode-zen`){let e=await Z({provider:`opencode`,cfg:s,flagValue:a.opencodeZenApiKey,flagName:`--opencode-zen-api-key`,envVar:`OPENCODE_API_KEY (or OPENCODE_ZEN_API_KEY)`,runtime:o});return!e||!await Q(e,e=>ge(e,void 0,Y))?null:(K=j(K,{profileId:`opencode:default`,provider:`opencode`,mode:`api_key`}),le(K))}if(r===`opencode-go`){let e=await Z({provider:`opencode-go`,cfg:s,flagValue:a.opencodeGoApiKey,flagName:`--opencode-go-api-key`,envVar:`OPENCODE_API_KEY`,runtime:o});return!e||!await Q(e,e=>T(e,void 0,Y))?null:(K=j(K,{profileId:`opencode-go:default`,provider:`opencode-go`,mode:`api_key`}),H(K))}if(r===`together-api-key`){let e=await Z({provider:`together`,cfg:s,flagValue:a.togetherApiKey,flagName:`--together-api-key`,envVar:`TOGETHER_API_KEY`,runtime:o});return!e||!await Q(e,e=>b(e,void 0,Y))?null:(K=j(K,{profileId:`together:default`,provider:`together`,mode:`api_key`}),g(K))}if(r===`huggingface-api-key`){let e=await Z({provider:`huggingface`,cfg:s,flagValue:a.huggingfaceApiKey,flagName:`--huggingface-api-key`,envVar:`HF_TOKEN`,runtime:o});return!e||!await Q(e,e=>D(e,void 0,Y))?null:(K=j(K,{profileId:`huggingface:default`,provider:`huggingface`,mode:`api_key`}),k(K))}if(r===`custom-api-key`)try{let e=Se({baseUrl:a.customBaseUrl,modelId:a.customModelId,compatibility:a.customCompatibility,apiKey:a.customApiKey,providerId:a.customProviderId}),t=await Z({provider:we({config:K,baseUrl:e.baseUrl,providerId:e.providerId}).providerId,cfg:s,flagValue:e.apiKey,flagName:`--custom-api-key`,envVar:`CUSTOM_API_KEY`,envVarName:`CUSTOM_API_KEY`,runtime:o,required:!1}),n;if(t)if(q===`ref`){let e=X(t);if(!e)return null;n=e}else n=t.key;let r=Ce({config:K,baseUrl:e.baseUrl,modelId:e.modelId,compatibility:e.compatibility,apiKey:n,providerId:e.providerId});return r.providerIdRenamedFrom&&r.providerId&&o.log(`Custom provider ID "${r.providerIdRenamedFrom}" already exists for a different base URL. Using "${r.providerId}".`),r.config}catch(e){if(e instanceof Te){switch(e.code){case`missing_required`:case`invalid_compatibility`:o.error(e.message);break;default:o.error(`Invalid custom provider config: ${e.message}`);break}return o.exit(1),null}let t=e instanceof Error?e.message:String(e);return o.error(`Invalid custom provider config: ${t}`),o.exit(1),null}return r===`oauth`||r===`chutes`||r===`openai-codex`||r===`qwen-portal`||r===`minimax-portal`?(o.error(`OAuth requires interactive mode.`),o.exit(1),null):K}export{Y as applyNonInteractiveAuthChoice};
+//# sourceMappingURL=auth-choice-B7LSoXZ_.js.map

package/dist/auth-choice-CxMH4c-u.js

@@ -6,3 +6,4 @@ import"./paths-B4IRk3wi.js";import"./subsystem-C5XF2Fy5.js";import"./utils-UGOV_
 `)),i.exit(1),null;if(n===`vllm`)return i.error([`Auth choice "vllm" requires interactive mode.`,`Use interactive onboard/configure to enter base URL, API key, and model ID.`].join(`
 `)),i.exit(1),null;if(n===`ollama`)return xe({nextConfig:K,opts:r,runtime:i});if(n===`apiKey`){let e=await Z({provider:`anthropic`,cfg:o,flagValue:r.anthropicApiKey,flagName:`--anthropic-api-key`,envVar:`ANTHROPIC_API_KEY`,runtime:i});return!e||!await Q(e,e=>U(e,void 0,Y))?null:j(K,{profileId:`anthropic:default`,provider:`anthropic`,mode:`api_key`})}if(n===`token`){let t=r.tokenProvider?.trim();if(!t)return i.error(`Missing --token-provider for --auth-choice token.`),i.exit(1),null;let n=a(t);if(n!==`anthropic`)return i.error(`Only --token-provider anthropic is supported for --auth-choice token.`),i.exit(1),null;let o=s(r.token);if(!o)return i.error(`Missing --token for --auth-choice token.`),i.exit(1),null;let l=z(o);if(l)return i.error(l),i.exit(1),null;let u,d=r.tokenExpiresIn?.trim();if(d)try{u=Date.now()+c(d,{defaultUnit:`d`})}catch(e){return i.error(`Invalid --token-expires-in: ${String(e)}`),i.exit(1),null}let f=r.tokenProfileId?.trim()||W({provider:n,name:``});return e({profileId:f,credential:{type:`token`,provider:n,token:o.trim(),...u?{expires:u}:{}}}),j(K,{profileId:f,provider:n,mode:`token`})}if(n===`gemini-api-key`){let e=await Z({provider:`google`,cfg:o,flagValue:r.geminiApiKey,flagName:`--gemini-api-key`,envVar:`GEMINI_API_KEY`,runtime:i});return!e||!await Q(e,e=>de(e,void 0,Y))?null:(K=j(K,{profileId:`google:default`,provider:`google`,mode:`api_key`}),be(K).next)}if(n===`zai-api-key`||n===`zai-coding-global`||n===`zai-coding-cn`||n===`zai-global`||n===`zai-cn`){let e=await Z({provider:`zai`,cfg:o,flagValue:r.zaiApiKey,flagName:`--zai-api-key`,envVar:`ZAI_API_KEY`,runtime:i});if(!e||!await Q(e,e=>N(e,void 0,Y)))return null;K=j(K,{profileId:`zai:default`,provider:`zai`,mode:`api_key`});let t,a;if(n===`zai-coding-global`)t=`coding-global`;else if(n===`zai-coding-cn`)t=`coding-cn`;else if(n===`zai-global`)t=`global`;else if(n===`zai-cn`)t=`cn`;else{let n=await ve({apiKey:e.key});n?(t=n.endpoint,a=n.modelId):t=`global`}return ie(K,{endpoint:t,...a?{modelId:a}:{}})}if(n===`xiaomi-api-key`){let e=await Z({provider:`xiaomi`,cfg:o,flagValue:r.xiaomiApiKey,flagName:`--xiaomi-api-key`,envVar:`XIAOMI_API_KEY`,runtime:i});return!e||!await Q(e,e=>d(e,void 0,Y))?null:(K=j(K,{profileId:`xiaomi:default`,provider:`xiaomi`,mode:`api_key`}),x(K))}if(n===`xai-api-key`){let e=await Z({provider:`xai`,cfg:o,flagValue:r.xaiApiKey,flagName:`--xai-api-key`,envVar:`XAI_API_KEY`,runtime:i});return!e||!await Q(e,e=>F(e,void 0,Y))?null:(K=j(K,{profileId:`xai:default`,provider:`xai`,mode:`api_key`}),te(K))}if(n===`mistral-api-key`){let e=await Z({provider:`mistral`,cfg:o,flagValue:r.mistralApiKey,flagName:`--mistral-api-key`,envVar:`MISTRAL_API_KEY`,runtime:i});return!e||!await Q(e,e=>A(e,void 0,Y))?null:(K=j(K,{profileId:`mistral:default`,provider:`mistral`,mode:`api_key`}),_(K))}if(n===`volcengine-api-key`){let e=await Z({provider:`volcengine`,cfg:o,flagValue:r.volcengineApiKey,flagName:`--volcengine-api-key`,envVar:`VOLCANO_ENGINE_API_KEY`,runtime:i});return!e||!await Q(e,e=>se(e,void 0,Y))?null:(K=j(K,{profileId:`volcengine:default`,provider:`volcengine`,mode:`api_key`}),G(K,`volcengine-plan/ark-code-latest`))}if(n===`byteplus-api-key`){let e=await Z({provider:`byteplus`,cfg:o,flagValue:r.byteplusApiKey,flagName:`--byteplus-api-key`,envVar:`BYTEPLUS_API_KEY`,runtime:i});return!e||!await Q(e,e=>E(e,void 0,Y))?null:(K=j(K,{profileId:`byteplus:default`,provider:`byteplus`,mode:`api_key`}),G(K,`byteplus-plan/ark-code-latest`))}if(n===`qianfan-api-key`){let e=await Z({provider:`qianfan`,cfg:o,flagValue:r.qianfanApiKey,flagName:`--qianfan-api-key`,envVar:`QIANFAN_API_KEY`,runtime:i});return!e||!await Q(e,e=>p(e,void 0,Y))?null:(K=j(K,{profileId:`qianfan:default`,provider:`qianfan`,mode:`api_key`}),ce(K))}if(n===`modelstudio-api-key-cn`){let e=await Z({provider:`modelstudio`,cfg:o,flagValue:r.modelstudioApiKeyCn,flagName:`--modelstudio-api-key-cn`,envVar:`MODELSTUDIO_API_KEY`,runtime:i});return!e||!await Q(e,e=>C(e,void 0,Y))?null:(K=j(K,{profileId:`modelstudio:default`,provider:`modelstudio`,mode:`api_key`}),y(K))}if(n===`modelstudio-api-key`){let e=await Z({provider:`modelstudio`,cfg:o,flagValue:r.modelstudioApiKey,flagName:`--modelstudio-api-key`,envVar:`MODELSTUDIO_API_KEY`,runtime:i});return!e||!await Q(e,e=>C(e,void 0,Y))?null:(K=j(K,{profileId:`modelstudio:default`,provider:`modelstudio`,mode:`api_key`}),me(K))}if(n===`openai-api-key`){let e=await Z({provider:`openai`,cfg:o,flagValue:r.openaiApiKey,flagName:`--openai-api-key`,envVar:`OPENAI_API_KEY`,runtime:i});return!e||!await Q(e,e=>_e(e,void 0,Y))?null:(K=j(K,{profileId:`openai:default`,provider:`openai`,mode:`api_key`}),ye(K))}if(n===`openrouter-api-key`){let e=await Z({provider:`openrouter`,cfg:o,flagValue:r.openrouterApiKey,flagName:`--openrouter-api-key`,envVar:`OPENROUTER_API_KEY`,runtime:i});return!e||!await Q(e,e=>v(e,void 0,Y))?null:(K=j(K,{profileId:`openrouter:default`,provider:`openrouter`,mode:`api_key`}),ae(K))}if(n===`kilocode-api-key`){let e=await Z({provider:`kilocode`,cfg:o,flagValue:r.kilocodeApiKey,flagName:`--kilocode-api-key`,envVar:`KILOCODE_API_KEY`,runtime:i});return!e||!await Q(e,e=>O(e,void 0,Y))?null:(K=j(K,{profileId:`kilocode:default`,provider:`kilocode`,mode:`api_key`}),fe(K))}if(n===`litellm-api-key`){let e=await Z({provider:`litellm`,cfg:o,flagValue:r.litellmApiKey,flagName:`--litellm-api-key`,envVar:`LITELLM_API_KEY`,runtime:i});return!e||!await Q(e,e=>R(e,void 0,Y))?null:(K=j(K,{profileId:`litellm:default`,provider:`litellm`,mode:`api_key`}),re(K))}if(n===`ai-gateway-api-key`){let e=await Z({provider:`vercel-ai-gateway`,cfg:o,flagValue:r.aiGatewayApiKey,flagName:`--ai-gateway-api-key`,envVar:`AI_GATEWAY_API_KEY`,runtime:i});return!e||!await Q(e,e=>m(e,void 0,Y))?null:(K=j(K,{profileId:`vercel-ai-gateway:default`,provider:`vercel-ai-gateway`,mode:`api_key`}),h(K))}if(n===`cloudflare-ai-gateway-api-key`){let e=r.cloudflareAiGatewayAccountId?.trim()??``,t=r.cloudflareAiGatewayGatewayId?.trim()??``;if(!e||!t)return i.error([`Auth choice "cloudflare-ai-gateway-api-key" requires Account ID and Gateway ID.`,`Use --cloudflare-ai-gateway-account-id and --cloudflare-ai-gateway-gateway-id.`].join(`
 `)),i.exit(1),null;let n=await Z({provider:`cloudflare-ai-gateway`,cfg:o,flagValue:r.cloudflareAiGatewayApiKey,flagName:`--cloudflare-ai-gateway-api-key`,envVar:`CLOUDFLARE_AI_GATEWAY_API_KEY`,runtime:i});if(!n)return null;if(n.source!==`profile`){let r=X(n);if(!r)return null;await L(e,t,r,void 0,Y)}return K=j(K,{profileId:`cloudflare-ai-gateway:default`,provider:`cloudflare-ai-gateway`,mode:`api_key`}),S(K,{accountId:e,gatewayId:t})}let $=async e=>{let t=await Z({provider:`moonshot`,cfg:o,flagValue:r.moonshotApiKey,flagName:`--moonshot-api-key`,envVar:`MOONSHOT_API_KEY`,runtime:i});return!t||!await Q(t,e=>pe(e,void 0,Y))?null:(K=j(K,{profileId:`moonshot:default`,provider:`moonshot`,mode:`api_key`}),e(K))};if(n===`moonshot-api-key`)return await $(oe);if(n===`moonshot-api-key-cn`)return await $(P);if(n===`kimi-code-api-key`){let e=await Z({provider:`kimi-coding`,cfg:o,flagValue:r.kimiCodeApiKey,flagName:`--kimi-code-api-key`,envVar:`KIMI_API_KEY`,runtime:i});return!e||!await Q(e,e=>V(e,void 0,Y))?null:(K=j(K,{profileId:`kimi-coding:default`,provider:`kimi-coding`,mode:`api_key`}),w(K))}if(n===`synthetic-api-key`){let e=await Z({provider:`synthetic`,cfg:o,flagValue:r.syntheticApiKey,flagName:`--synthetic-api-key`,envVar:`SYNTHETIC_API_KEY`,runtime:i});return!e||!await Q(e,e=>he(e,void 0,Y))?null:(K=j(K,{profileId:`synthetic:default`,provider:`synthetic`,mode:`api_key`}),ne(K))}if(n===`venice-api-key`){let e=await Z({provider:`venice`,cfg:o,flagValue:r.veniceApiKey,flagName:`--venice-api-key`,envVar:`VENICE_API_KEY`,runtime:i});return!e||!await Q(e,e=>ee(e,void 0,Y))?null:(K=j(K,{profileId:`venice:default`,provider:`venice`,mode:`api_key`}),f(K))}if(n===`minimax-cloud`||n===`minimax-api`||n===`minimax-api-key-cn`||n===`minimax-api-lightning`){let e=n===`minimax-api-key-cn`,t=e?`minimax-cn`:`minimax`,a=`${t}:default`,s=await Z({provider:t,cfg:o,flagValue:r.minimaxApiKey,flagName:`--minimax-api-key`,envVar:`MINIMAX_API_KEY`,runtime:i});if(!s||!await Q(s,e=>M(e,void 0,a,Y)))return null;K=j(K,{profileId:a,provider:t,mode:`api_key`});let c=n===`minimax-api-lightning`?`MiniMax-M2.5-highspeed`:`MiniMax-M2.5`;return e?ue(K,c):I(K,c)}if(n===`minimax`)return B(K);if(n===`opencode-zen`){let e=await Z({provider:`opencode`,cfg:o,flagValue:r.opencodeZenApiKey,flagName:`--opencode-zen-api-key`,envVar:`OPENCODE_API_KEY (or OPENCODE_ZEN_API_KEY)`,runtime:i});return!e||!await Q(e,e=>ge(e,void 0,Y))?null:(K=j(K,{profileId:`opencode:default`,provider:`opencode`,mode:`api_key`}),le(K))}if(n===`opencode-go`){let e=await Z({provider:`opencode-go`,cfg:o,flagValue:r.opencodeGoApiKey,flagName:`--opencode-go-api-key`,envVar:`OPENCODE_API_KEY`,runtime:i});return!e||!await Q(e,e=>T(e,void 0,Y))?null:(K=j(K,{profileId:`opencode-go:default`,provider:`opencode-go`,mode:`api_key`}),H(K))}if(n===`together-api-key`){let e=await Z({provider:`together`,cfg:o,flagValue:r.togetherApiKey,flagName:`--together-api-key`,envVar:`TOGETHER_API_KEY`,runtime:i});return!e||!await Q(e,e=>b(e,void 0,Y))?null:(K=j(K,{profileId:`together:default`,provider:`together`,mode:`api_key`}),g(K))}if(n===`huggingface-api-key`){let e=await Z({provider:`huggingface`,cfg:o,flagValue:r.huggingfaceApiKey,flagName:`--huggingface-api-key`,envVar:`HF_TOKEN`,runtime:i});return!e||!await Q(e,e=>D(e,void 0,Y))?null:(K=j(K,{profileId:`huggingface:default`,provider:`huggingface`,mode:`api_key`}),k(K))}if(n===`custom-api-key`)try{let e=Se({baseUrl:r.customBaseUrl,modelId:r.customModelId,compatibility:r.customCompatibility,apiKey:r.customApiKey,providerId:r.customProviderId}),t=await Z({provider:we({config:K,baseUrl:e.baseUrl,providerId:e.providerId}).providerId,cfg:o,flagValue:e.apiKey,flagName:`--custom-api-key`,envVar:`CUSTOM_API_KEY`,envVarName:`CUSTOM_API_KEY`,runtime:i,required:!1}),n;if(t)if(q===`ref`){let e=X(t);if(!e)return null;n=e}else n=t.key;let a=Ce({config:K,baseUrl:e.baseUrl,modelId:e.modelId,compatibility:e.compatibility,apiKey:n,providerId:e.providerId});return a.providerIdRenamedFrom&&a.providerId&&i.log(`Custom provider ID "${a.providerIdRenamedFrom}" already exists for a different base URL. Using "${a.providerId}".`),a.config}catch(e){if(e instanceof Te){switch(e.code){case`missing_required`:case`invalid_compatibility`:i.error(e.message);break;default:i.error(`Invalid custom provider config: ${e.message}`);break}return i.exit(1),null}let t=e instanceof Error?e.message:String(e);return i.error(`Invalid custom provider config: ${t}`),i.exit(1),null}return n===`oauth`||n===`chutes`||n===`openai-codex`||n===`qwen-portal`||n===`minimax-portal`?(i.error(`OAuth requires interactive mode.`),i.exit(1),null):K}export{Y as applyNonInteractiveAuthChoice};
+//# sourceMappingURL=auth-choice-CxMH4c-u.js.map

package/dist/auth-choice-DvTApGhx.js

@@ -18,3 +18,4 @@ Default proxy runs on http://localhost:4000`,noteTitle:`LiteLLM`}),!0),d&&(t=B(t
 `),`Chutes OAuth`);let s=e.prompter.progress(`Starting OAuth flow…`);try{let{onAuth:c,onPrompt:l}=Y({isRemote:n,prompter:e.prompter,runtime:e.runtime,spin:s,openUrl:x,localBrowserMessage:`Complete sign-in in browser…`}),u=await fn({app:{clientId:a,clientSecret:o,redirectUri:r,scopes:i.split(/\s+/).filter(Boolean)},manual:n,onAuth:c,onPrompt:l,onProgress:e=>s.update(e)});s.stop(`Chutes OAuth complete`);let d=await j(`chutes`,u,e.agentDir);t=B(t,{profileId:d,provider:`chutes`,mode:`oauth`})}catch(t){s.stop(`Chutes OAuth failed`),e.runtime.error(String(t)),await e.prompter.note([`Trouble with OAuth?`,`Verify CHUTES_CLIENT_ID (and CHUTES_CLIENT_SECRET if required).`,`Verify the OAuth app redirect URI includes: ${r}`,`Chutes docs: https://chutes.ai/docs/sign-in-with-chutes/overview`].join(`
 `),`OAuth help`)}return{config:t}}return null}async function mn(e){if(e.authChoice!==`ollama`)return null;let{config:t,defaultModelId:n}=await Ut({cfg:e.config,prompter:e.prompter,agentDir:e.agentDir}),r=`ollama/${n}`,i=q(t,r);return e.setDefaultModel?(await Wt({config:i,prompter:e.prompter}),{config:i}):{config:t,agentModelOverride:r}}async function hn(e){let t=S(e.opts?.secretInputMode),n=O(e),r=e.authChoice;if(r===`apiKey`&&e.opts?.tokenProvider===`openai`&&(r=`openai-api-key`),r===`openai-api-key`){let r=e.config,i;return await T({token:e.opts?.token,tokenProvider:e.opts?.tokenProvider,secretInputMode:t,config:r,expectedProviders:[`openai`],provider:`openai`,envLabel:`OPENAI_API_KEY`,promptMessage:`Enter OpenAI API key`,normalize:C,validate:w,prompter:e.prompter,setCredential:async(t,n)=>Ot(t,e.agentDir,{secretInputMode:n})}),r=B(r,{profileId:`openai:default`,provider:`openai`,mode:`api_key`}),await(async()=>{let t=await E({config:r,setDefaultModel:e.setDefaultModel,defaultModel:Z,applyDefaultConfig:Rt,applyProviderConfig:Bt,noteDefault:Z,noteAgentModel:n,prompter:e.prompter});return r=t.config,i=t.agentModelOverride??i,{config:r,agentModelOverride:i}})()}if(e.authChoice===`openai-codex`){let t=e.config,r,i;try{i=await At({prompter:e.prompter,runtime:e.runtime,isRemote:J(),openUrl:async e=>{await x(e)},localBrowserMessage:`Complete sign-in in browser…`})}catch{return{config:t,agentModelOverride:r}}if(i){let a=await j(`openai-codex`,i,e.agentDir,{syncSiblingAgents:!0});if(t=B(t,{profileId:a,provider:`openai-codex`,mode:`oauth`}),e.setDefaultModel){let n=ue(t);t=n.next,n.changed&&await e.prompter.note(`Default model set to ${k}`,`Model configured`)}else r=k,await n(k)}return{config:t,agentModelOverride:r}}return null}async function gn(e){return await Q(e,{authChoice:`qwen-portal`,pluginId:`qwen-portal-auth`,providerId:`qwen-portal`,methodId:`device`,label:`Qwen`})}function _n(e,t){let n=e.agents?.defaults?.model,r=n&&typeof n==`object`&&`fallbacks`in n?n.fallbacks:void 0;return{...e,agents:{...e.agents,defaults:{...e.agents?.defaults,model:{...r?{fallbacks:r}:void 0,primary:t}}}}}async function vn(e){if(e.authChoice!==`vllm`)return null;let{config:t,modelRef:n}=await Ht({cfg:e.config,prompter:e.prompter,agentDir:e.agentDir});return e.setDefaultModel?(await e.prompter.note(`Default model set to ${n}`,`Model configured`),{config:_n(t,n)}):{config:t,agentModelOverride:n}}const yn=`volcengine-plan/ark-code-latest`;async function bn(e){if(e.authChoice!==`volcengine-api-key`)return null;let t=S(e.opts?.secretInputMode);return await T({token:e.opts?.volcengineApiKey,tokenProvider:`volcengine`,secretInputMode:t,config:e.config,expectedProviders:[`volcengine`],provider:`volcengine`,envLabel:`VOLCANO_ENGINE_API_KEY`,promptMessage:`Enter Volcano Engine API key`,normalize:C,validate:w,prompter:e.prompter,setCredential:async(t,n)=>Ne(t,e.agentDir,{secretInputMode:n})}),{config:Vt(B(e.config,{profileId:`volcengine:default`,provider:`volcengine`,mode:`api_key`}),yn),agentModelOverride:yn}}async function xn(e){if(e.authChoice!==`xai-api-key`)return null;let t=e.config,n,r=O(e),i=S(e.opts?.secretInputMode);await T({token:e.opts?.xaiApiKey,tokenProvider:`xai`,secretInputMode:i,config:t,expectedProviders:[`xai`],provider:`xai`,envLabel:`XAI_API_KEY`,promptMessage:`Enter xAI API key`,normalize:C,validate:w,prompter:e.prompter,setCredential:async(t,n)=>st(t,e.agentDir,{secretInputMode:n})}),t=B(t,{profileId:`xai:default`,provider:`xai`,mode:`api_key`});{let i=await E({config:t,setDefaultModel:e.setDefaultModel,defaultModel:P,applyDefaultConfig:Ce,applyProviderConfig:Be,noteDefault:P,noteAgentModel:r,prompter:e.prompter});t=i.config,n=i.agentModelOverride??n}return{config:t,agentModelOverride:n}}async function Sn(e){let t=[Jt,vn,mn,hn,pn,tn,cn,on,sn,an,gn,xn,bn,rn];for(let n of t){let t=await n(e);if(t)return t}return{config:e.config}}async function $(e,t,n){let r=c({cfg:e,agentId:n?.agentId}),i=[],a=await ie({config:e,useCache:!1});a.length>0&&(a.some(e=>e.provider===r.provider&&e.id===r.model)||i.push(`Model not found: ${r.provider}/${r.model}. Update agents.defaults.model or run /models list.`));let s=o(n?.agentDir),l=v(s,r.provider).length>0,f=d(r.provider),p=u(e,r.provider);!l&&!f&&!p&&i.push(`No auth configured for provider "${r.provider}". The agent may fail until credentials are added.`),r.provider===`openai`&&v(s,`openai-codex`).length>0&&i.push(`Detected OpenAI Codex OAuth. Consider setting agents.defaults.model to ${k}.`),i.length>0&&await t.note(i.join(`
 `),`Model check`)}const Cn={oauth:`anthropic`,"setup-token":`anthropic`,"claude-cli":`anthropic`,token:`anthropic`,apiKey:`anthropic`,vllm:`vllm`,ollama:`ollama`,"openai-codex":`openai-codex`,"codex-cli":`openai-codex`,chutes:`chutes`,"openai-api-key":`openai`,"openrouter-api-key":`openrouter`,"kilocode-api-key":`kilocode`,"ai-gateway-api-key":`vercel-ai-gateway`,"cloudflare-ai-gateway-api-key":`cloudflare-ai-gateway`,"moonshot-api-key":`moonshot`,"moonshot-api-key-cn":`moonshot`,"kimi-code-api-key":`kimi-coding`,"gemini-api-key":`google`,"google-gemini-cli":`google-gemini-cli`,"mistral-api-key":`mistral`,"zai-api-key":`zai`,"zai-coding-global":`zai`,"zai-coding-cn":`zai`,"zai-global":`zai`,"zai-cn":`zai`,"xiaomi-api-key":`xiaomi`,"synthetic-api-key":`synthetic`,"venice-api-key":`venice`,"together-api-key":`together`,"huggingface-api-key":`huggingface`,"github-copilot":`github-copilot`,"copilot-proxy":`copilot-proxy`,"minimax-cloud":`minimax`,"minimax-api":`minimax`,"minimax-api-key-cn":`minimax-cn`,"minimax-api-lightning":`minimax`,minimax:`lmstudio`,"opencode-zen":`opencode`,"opencode-go":`opencode-go`,"xai-api-key":`xai`,"litellm-api-key":`litellm`,"qwen-portal":`qwen-portal`,"volcengine-api-key":`volcengine`,"byteplus-api-key":`byteplus`,"minimax-portal":`minimax-portal`,"qianfan-api-key":`qianfan`,"custom-api-key":`custom`};function wn(e){return Cn[e]}var Tn=e({applyAuthChoice:()=>Sn,resolvePreferredProviderForAuthChoice:()=>wn,warnIfModelConfigLooksOff:()=>$});export{Sn as i,wn as n,$ as r,Tn as t};
+//# sourceMappingURL=auth-choice-DvTApGhx.js.map

package/dist/auth-choice-EQdNd7jO.js

@@ -18,3 +18,4 @@ Default proxy runs on http://localhost:4000`,noteTitle:`LiteLLM`}),!0),f&&(t=B(t
 `),`Chutes OAuth`);let s=e.prompter.progress(`Starting OAuth flow…`);try{let{onAuth:c,onPrompt:l}=J({isRemote:n,prompter:e.prompter,runtime:e.runtime,spin:s,openUrl:y,localBrowserMessage:`Complete sign-in in browser…`}),u=await fn({app:{clientId:a,clientSecret:o,redirectUri:r,scopes:i.split(/\s+/).filter(Boolean)},manual:n,onAuth:c,onPrompt:l,onProgress:e=>s.update(e)});s.stop(`Chutes OAuth complete`);let d=await j(`chutes`,u,e.agentDir);t=B(t,{profileId:d,provider:`chutes`,mode:`oauth`})}catch(t){s.stop(`Chutes OAuth failed`),e.runtime.error(String(t)),await e.prompter.note([`Trouble with OAuth?`,`Verify CHUTES_CLIENT_ID (and CHUTES_CLIENT_SECRET if required).`,`Verify the OAuth app redirect URI includes: ${r}`,`Chutes docs: https://chutes.ai/docs/sign-in-with-chutes/overview`].join(`
 `),`OAuth help`)}return{config:t}}return null}async function mn(e){if(e.authChoice!==`ollama`)return null;let{config:t,defaultModelId:n}=await Ut({cfg:e.config,prompter:e.prompter,agentDir:e.agentDir}),r=`ollama/${n}`,i=K(t,r);return e.setDefaultModel?(await Wt({config:i,prompter:e.prompter}),{config:i}):{config:t,agentModelOverride:r}}async function hn(e){let t=b(e.opts?.secretInputMode),n=E(e),r=e.authChoice;if(r===`apiKey`&&e.opts?.tokenProvider===`openai`&&(r=`openai-api-key`),r===`openai-api-key`){let r=e.config,i;return await C({token:e.opts?.token,tokenProvider:e.opts?.tokenProvider,secretInputMode:t,config:r,expectedProviders:[`openai`],provider:`openai`,envLabel:`OPENAI_API_KEY`,promptMessage:`Enter OpenAI API key`,normalize:x,validate:S,prompter:e.prompter,setCredential:async(t,n)=>kt(t,e.agentDir,{secretInputMode:n})}),r=B(r,{profileId:`openai:default`,provider:`openai`,mode:`api_key`}),await(async()=>{let t=await w({config:r,setDefaultModel:e.setDefaultModel,defaultModel:X,applyDefaultConfig:zt,applyProviderConfig:Vt,noteDefault:X,noteAgentModel:n,prompter:e.prompter});return r=t.config,i=t.agentModelOverride??i,{config:r,agentModelOverride:i}})()}if(e.authChoice===`openai-codex`){let t=e.config,r,i;try{i=await jt({prompter:e.prompter,runtime:e.runtime,isRemote:q(),openUrl:async e=>{await y(e)},localBrowserMessage:`Complete sign-in in browser…`})}catch{return{config:t,agentModelOverride:r}}if(i){let a=await j(`openai-codex`,i,e.agentDir,{syncSiblingAgents:!0});if(t=B(t,{profileId:a,provider:`openai-codex`,mode:`oauth`}),e.setDefaultModel){let n=fe(t);t=n.next,n.changed&&await e.prompter.note(`Default model set to ${D}`,`Model configured`)}else r=D,await n(D)}return{config:t,agentModelOverride:r}}return null}async function gn(e){return await Q(e,{authChoice:`qwen-portal`,pluginId:`qwen-portal-auth`,providerId:`qwen-portal`,methodId:`device`,label:`Qwen`})}function _n(e,t){let n=e.agents?.defaults?.model,r=n&&typeof n==`object`&&`fallbacks`in n?n.fallbacks:void 0;return{...e,agents:{...e.agents,defaults:{...e.agents?.defaults,model:{...r?{fallbacks:r}:void 0,primary:t}}}}}async function vn(e){if(e.authChoice!==`vllm`)return null;let{config:t,modelRef:n}=await Ht({cfg:e.config,prompter:e.prompter,agentDir:e.agentDir});return e.setDefaultModel?(await e.prompter.note(`Default model set to ${n}`,`Model configured`),{config:_n(t,n)}):{config:t,agentModelOverride:n}}const yn=`volcengine-plan/ark-code-latest`;async function bn(e){if(e.authChoice!==`volcengine-api-key`)return null;let t=b(e.opts?.secretInputMode);return await C({token:e.opts?.volcengineApiKey,tokenProvider:`volcengine`,secretInputMode:t,config:e.config,expectedProviders:[`volcengine`],provider:`volcengine`,envLabel:`VOLCANO_ENGINE_API_KEY`,promptMessage:`Enter Volcano Engine API key`,normalize:x,validate:S,prompter:e.prompter,setCredential:async(t,n)=>Ne(t,e.agentDir,{secretInputMode:n})}),{config:Z(B(e.config,{profileId:`volcengine:default`,provider:`volcengine`,mode:`api_key`}),yn),agentModelOverride:yn}}async function xn(e){if(e.authChoice!==`xai-api-key`)return null;let t=e.config,n,r=E(e),i=b(e.opts?.secretInputMode);await C({token:e.opts?.xaiApiKey,tokenProvider:`xai`,secretInputMode:i,config:t,expectedProviders:[`xai`],provider:`xai`,envLabel:`XAI_API_KEY`,promptMessage:`Enter xAI API key`,normalize:x,validate:S,prompter:e.prompter,setCredential:async(t,n)=>st(t,e.agentDir,{secretInputMode:n})}),t=B(t,{profileId:`xai:default`,provider:`xai`,mode:`api_key`});{let i=await w({config:t,setDefaultModel:e.setDefaultModel,defaultModel:P,applyDefaultConfig:Te,applyProviderConfig:Be,noteDefault:P,noteAgentModel:r,prompter:e.prompter});t=i.config,n=i.agentModelOverride??n}return{config:t,agentModelOverride:n}}async function Sn(e){let t=[Jt,vn,mn,hn,pn,tn,cn,on,sn,an,gn,xn,bn,rn];for(let n of t){let t=await n(e);if(t)return t}return{config:e.config}}async function $(e,t,n){let a=f({cfg:e,agentId:n?.agentId}),s=[],l=await oe({config:e,useCache:!1});l.length>0&&(l.some(e=>e.provider===a.provider&&e.id===a.model)||s.push(`Model not found: ${a.provider}/${a.model}. Update agents.defaults.model or run /models list.`));let u=c(n?.agentDir),d=o(u,a.provider).length>0,p=r(a.provider),m=i(e,a.provider);!d&&!p&&!m&&s.push(`No auth configured for provider "${a.provider}". The agent may fail until credentials are added.`),a.provider===`openai`&&o(u,`openai-codex`).length>0&&s.push(`Detected OpenAI Codex OAuth. Consider setting agents.defaults.model to ${D}.`),s.length>0&&await t.note(s.join(`
 `),`Model check`)}const Cn={oauth:`anthropic`,"setup-token":`anthropic`,"claude-cli":`anthropic`,token:`anthropic`,apiKey:`anthropic`,vllm:`vllm`,ollama:`ollama`,"openai-codex":`openai-codex`,"codex-cli":`openai-codex`,chutes:`chutes`,"openai-api-key":`openai`,"openrouter-api-key":`openrouter`,"kilocode-api-key":`kilocode`,"ai-gateway-api-key":`vercel-ai-gateway`,"cloudflare-ai-gateway-api-key":`cloudflare-ai-gateway`,"moonshot-api-key":`moonshot`,"moonshot-api-key-cn":`moonshot`,"kimi-code-api-key":`kimi-coding`,"gemini-api-key":`google`,"google-gemini-cli":`google-gemini-cli`,"mistral-api-key":`mistral`,"zai-api-key":`zai`,"zai-coding-global":`zai`,"zai-coding-cn":`zai`,"zai-global":`zai`,"zai-cn":`zai`,"xiaomi-api-key":`xiaomi`,"synthetic-api-key":`synthetic`,"venice-api-key":`venice`,"together-api-key":`together`,"huggingface-api-key":`huggingface`,"github-copilot":`github-copilot`,"copilot-proxy":`copilot-proxy`,"minimax-cloud":`minimax`,"minimax-api":`minimax`,"minimax-api-key-cn":`minimax-cn`,"minimax-api-lightning":`minimax`,minimax:`lmstudio`,"opencode-zen":`opencode`,"opencode-go":`opencode-go`,"xai-api-key":`xai`,"litellm-api-key":`litellm`,"qwen-portal":`qwen-portal`,"volcengine-api-key":`volcengine`,"byteplus-api-key":`byteplus`,"minimax-portal":`minimax-portal`,"qianfan-api-key":`qianfan`,"custom-api-key":`custom`};function wn(e){return Cn[e]}var Tn=e({applyAuthChoice:()=>Sn,resolvePreferredProviderForAuthChoice:()=>wn,warnIfModelConfigLooksOff:()=>$});export{Sn as i,wn as n,$ as r,Tn as t};
+//# sourceMappingURL=auth-choice-EQdNd7jO.js.map

package/dist/auth-choice-options-B3WQyS7I.js

@@ -1 +1,2 @@
 import{n as e,t}from"./onboard-provider-auth-flags-CqbipO7D.js";const n=[{value:`openai`,label:`OpenAI`,hint:`Codex OAuth + API key`,choices:[`openai-codex`,`openai-api-key`]},{value:`anthropic`,label:`Anthropic`,hint:`setup-token + API key`,choices:[`token`,`apiKey`]},{value:`chutes`,label:`Chutes`,hint:`OAuth`,choices:[`chutes`]},{value:`vllm`,label:`vLLM`,hint:`Local/self-hosted OpenAI-compatible`,choices:[`vllm`]},{value:`ollama`,label:`Ollama`,hint:`Cloud and local open models`,choices:[`ollama`]},{value:`minimax`,label:`MiniMax`,hint:`M2.5 (recommended)`,choices:[`minimax-portal`,`minimax-api`,`minimax-api-key-cn`,`minimax-api-lightning`]},{value:`moonshot`,label:`Moonshot AI (Kimi K2.5)`,hint:`Kimi K2.5 + Kimi Coding`,choices:[`moonshot-api-key`,`moonshot-api-key-cn`,`kimi-code-api-key`]},{value:`google`,label:`Google`,hint:`Gemini API key + OAuth`,choices:[`gemini-api-key`,`google-gemini-cli`]},{value:`xai`,label:`xAI (Grok)`,hint:`API key`,choices:[`xai-api-key`]},{value:`mistral`,label:`Mistral AI`,hint:`API key`,choices:[`mistral-api-key`]},{value:`volcengine`,label:`Volcano Engine`,hint:`API key`,choices:[`volcengine-api-key`]},{value:`byteplus`,label:`BytePlus`,hint:`API key`,choices:[`byteplus-api-key`]},{value:`openrouter`,label:`OpenRouter`,hint:`API key`,choices:[`openrouter-api-key`]},{value:`kilocode`,label:`Kilo Gateway`,hint:`API key (OpenRouter-compatible)`,choices:[`kilocode-api-key`]},{value:`qwen`,label:`Qwen`,hint:`OAuth`,choices:[`qwen-portal`]},{value:`zai`,label:`Z.AI`,hint:`GLM Coding Plan / Global / CN`,choices:[`zai-coding-global`,`zai-coding-cn`,`zai-global`,`zai-cn`]},{value:`qianfan`,label:`Qianfan`,hint:`API key`,choices:[`qianfan-api-key`]},{value:`modelstudio`,label:`Alibaba Cloud Model Studio`,hint:`Coding Plan API key (CN / Global)`,choices:[`modelstudio-api-key-cn`,`modelstudio-api-key`]},{value:`copilot`,label:`Copilot`,hint:`GitHub + local proxy`,choices:[`github-copilot`,`copilot-proxy`]},{value:`ai-gateway`,label:`Vercel AI Gateway`,hint:`API key`,choices:[`ai-gateway-api-key`]},{value:`opencode`,label:`OpenCode`,hint:`Shared API key for Zen + Go catalogs`,choices:[`opencode-zen`,`opencode-go`]},{value:`xiaomi`,label:`Xiaomi`,hint:`API key`,choices:[`xiaomi-api-key`]},{value:`synthetic`,label:`Synthetic`,hint:`Anthropic-compatible (multi-model)`,choices:[`synthetic-api-key`]},{value:`together`,label:`Together AI`,hint:`API key`,choices:[`together-api-key`]},{value:`huggingface`,label:`Hugging Face`,hint:`Inference API (HF token)`,choices:[`huggingface-api-key`]},{value:`venice`,label:`Venice AI`,hint:`Privacy-focused (uncensored models)`,choices:[`venice-api-key`]},{value:`litellm`,label:`LiteLLM`,hint:`Unified LLM gateway (100+ providers)`,choices:[`litellm-api-key`]},{value:`cloudflare-ai-gateway`,label:`Cloudflare AI Gateway`,hint:`Account ID + Gateway ID + API key`,choices:[`cloudflare-ai-gateway-api-key`]},{value:`custom`,label:`Custom Provider`,hint:`Any OpenAI or Anthropic compatible endpoint`,choices:[`custom-api-key`]}],r={"litellm-api-key":`Unified gateway for 100+ LLM providers`,"cloudflare-ai-gateway-api-key":`Account ID + Gateway ID + API key`,"venice-api-key":`Privacy-focused inference (uncensored models)`,"together-api-key":`Access to Llama, DeepSeek, Qwen, and more open models`,"huggingface-api-key":`Inference Providers — OpenAI-compatible chat`,"opencode-zen":`Shared OpenCode key; curated Zen catalog`,"opencode-go":`Shared OpenCode key; Kimi/GLM/MiniMax Go catalog`},i={"moonshot-api-key":`Kimi API key (.ai)`,"moonshot-api-key-cn":`Kimi API key (.cn)`,"kimi-code-api-key":`Kimi Code API key (subscription)`,"cloudflare-ai-gateway-api-key":`Cloudflare AI Gateway`,"opencode-zen":`OpenCode Zen catalog`,"opencode-go":`OpenCode Go catalog`};function a(){return t.map(e=>({value:e.authChoice,label:i[e.authChoice]??e.description,...r[e.authChoice]?{hint:r[e.authChoice]}:{}}))}const o=[{value:`token`,label:`Anthropic token (paste setup-token)`,hint:"run `claude setup-token` elsewhere, then paste the token here"},{value:`openai-codex`,label:`OpenAI Codex (ChatGPT OAuth)`},{value:`chutes`,label:`Chutes (OAuth)`},{value:`vllm`,label:`vLLM (custom URL + model)`,hint:`Local/self-hosted OpenAI-compatible server`},{value:`ollama`,label:`Ollama`,hint:`Cloud and local open models`},...a(),{value:`moonshot-api-key-cn`,label:`Kimi API key (.cn)`},{value:`github-copilot`,label:`GitHub Copilot (GitHub device login)`,hint:`Uses GitHub device flow`},{value:`gemini-api-key`,label:`Google Gemini API key`},{value:`google-gemini-cli`,label:`Google Gemini CLI OAuth`,hint:`Unofficial flow; review account-risk warning before use`},{value:`zai-api-key`,label:`Z.AI API key`},{value:`zai-coding-global`,label:`Coding-Plan-Global`,hint:`GLM Coding Plan Global (api.z.ai)`},{value:`zai-coding-cn`,label:`Coding-Plan-CN`,hint:`GLM Coding Plan CN (open.bigmodel.cn)`},{value:`zai-global`,label:`Global`,hint:`Z.AI Global (api.z.ai)`},{value:`zai-cn`,label:`CN`,hint:`Z.AI CN (open.bigmodel.cn)`},{value:`xiaomi-api-key`,label:`Xiaomi API key`},{value:`minimax-portal`,label:`MiniMax OAuth`,hint:`Oauth plugin for MiniMax`},{value:`qwen-portal`,label:`Qwen OAuth`},{value:`copilot-proxy`,label:`Copilot Proxy (local)`,hint:`Local proxy for VS Code Copilot models`},{value:`apiKey`,label:`Anthropic API key`},{value:`opencode-zen`,label:`OpenCode Zen catalog`,hint:`Claude, GPT, Gemini via opencode.ai/zen`},{value:`minimax-api`,label:`MiniMax M2.5`},{value:`minimax-api-key-cn`,label:`MiniMax M2.5 (CN)`,hint:`China endpoint (api.minimaxi.com)`},{value:`minimax-api-lightning`,label:`MiniMax M2.5 Highspeed`,hint:`Official fast tier (legacy: Lightning)`},{value:`qianfan-api-key`,label:`Qianfan API key`},{value:`modelstudio-api-key-cn`,label:`Coding Plan API Key for China (subscription)`,hint:`Endpoint: coding.dashscope.aliyuncs.com`},{value:`modelstudio-api-key`,label:`Coding Plan API Key for Global/Intl (subscription)`,hint:`Endpoint: coding-intl.dashscope.aliyuncs.com`},{value:`custom-api-key`,label:`Custom Provider`}];function s(t){let n=t?.includeSkip??!0,r=t?.includeLegacyAliases??!1,i=o.map(e=>e.value);return n&&i.push(`skip`),r&&i.push(...e),i.join(`|`)}function c(e){e.store;let t=[...o];return e.includeSkip&&t.push({value:`skip`,label:`Skip for now`}),t}function l(e){let t=c({...e,includeSkip:!1}),r=new Map(t.map(e=>[e.value,e]));return{groups:n.map(e=>({...e,options:e.choices.map(e=>r.get(e)).filter(e=>!!e)})),skipOption:e.includeSkip?{value:`skip`,label:`Skip for now`}:void 0}}export{s as n,l as t};
+//# sourceMappingURL=auth-choice-options-B3WQyS7I.js.map

package/dist/auth-choice-options-Dw14noox.js

@@ -1 +1,2 @@
 import{n as e,t}from"./onboard-provider-auth-flags-Dvwzdz37.js";const n=[{value:`openai`,label:`OpenAI`,hint:`Codex OAuth + API key`,choices:[`openai-codex`,`openai-api-key`]},{value:`anthropic`,label:`Anthropic`,hint:`setup-token + API key`,choices:[`token`,`apiKey`]},{value:`chutes`,label:`Chutes`,hint:`OAuth`,choices:[`chutes`]},{value:`vllm`,label:`vLLM`,hint:`Local/self-hosted OpenAI-compatible`,choices:[`vllm`]},{value:`ollama`,label:`Ollama`,hint:`Cloud and local open models`,choices:[`ollama`]},{value:`minimax`,label:`MiniMax`,hint:`M2.5 (recommended)`,choices:[`minimax-portal`,`minimax-api`,`minimax-api-key-cn`,`minimax-api-lightning`]},{value:`moonshot`,label:`Moonshot AI (Kimi K2.5)`,hint:`Kimi K2.5 + Kimi Coding`,choices:[`moonshot-api-key`,`moonshot-api-key-cn`,`kimi-code-api-key`]},{value:`google`,label:`Google`,hint:`Gemini API key + OAuth`,choices:[`gemini-api-key`,`google-gemini-cli`]},{value:`xai`,label:`xAI (Grok)`,hint:`API key`,choices:[`xai-api-key`]},{value:`mistral`,label:`Mistral AI`,hint:`API key`,choices:[`mistral-api-key`]},{value:`volcengine`,label:`Volcano Engine`,hint:`API key`,choices:[`volcengine-api-key`]},{value:`byteplus`,label:`BytePlus`,hint:`API key`,choices:[`byteplus-api-key`]},{value:`openrouter`,label:`OpenRouter`,hint:`API key`,choices:[`openrouter-api-key`]},{value:`kilocode`,label:`Kilo Gateway`,hint:`API key (OpenRouter-compatible)`,choices:[`kilocode-api-key`]},{value:`qwen`,label:`Qwen`,hint:`OAuth`,choices:[`qwen-portal`]},{value:`zai`,label:`Z.AI`,hint:`GLM Coding Plan / Global / CN`,choices:[`zai-coding-global`,`zai-coding-cn`,`zai-global`,`zai-cn`]},{value:`qianfan`,label:`Qianfan`,hint:`API key`,choices:[`qianfan-api-key`]},{value:`modelstudio`,label:`Alibaba Cloud Model Studio`,hint:`Coding Plan API key (CN / Global)`,choices:[`modelstudio-api-key-cn`,`modelstudio-api-key`]},{value:`copilot`,label:`Copilot`,hint:`GitHub + local proxy`,choices:[`github-copilot`,`copilot-proxy`]},{value:`ai-gateway`,label:`Vercel AI Gateway`,hint:`API key`,choices:[`ai-gateway-api-key`]},{value:`opencode`,label:`OpenCode`,hint:`Shared API key for Zen + Go catalogs`,choices:[`opencode-zen`,`opencode-go`]},{value:`xiaomi`,label:`Xiaomi`,hint:`API key`,choices:[`xiaomi-api-key`]},{value:`synthetic`,label:`Synthetic`,hint:`Anthropic-compatible (multi-model)`,choices:[`synthetic-api-key`]},{value:`together`,label:`Together AI`,hint:`API key`,choices:[`together-api-key`]},{value:`huggingface`,label:`Hugging Face`,hint:`Inference API (HF token)`,choices:[`huggingface-api-key`]},{value:`venice`,label:`Venice AI`,hint:`Privacy-focused (uncensored models)`,choices:[`venice-api-key`]},{value:`litellm`,label:`LiteLLM`,hint:`Unified LLM gateway (100+ providers)`,choices:[`litellm-api-key`]},{value:`cloudflare-ai-gateway`,label:`Cloudflare AI Gateway`,hint:`Account ID + Gateway ID + API key`,choices:[`cloudflare-ai-gateway-api-key`]},{value:`custom`,label:`Custom Provider`,hint:`Any OpenAI or Anthropic compatible endpoint`,choices:[`custom-api-key`]}],r={"litellm-api-key":`Unified gateway for 100+ LLM providers`,"cloudflare-ai-gateway-api-key":`Account ID + Gateway ID + API key`,"venice-api-key":`Privacy-focused inference (uncensored models)`,"together-api-key":`Access to Llama, DeepSeek, Qwen, and more open models`,"huggingface-api-key":`Inference Providers — OpenAI-compatible chat`,"opencode-zen":`Shared OpenCode key; curated Zen catalog`,"opencode-go":`Shared OpenCode key; Kimi/GLM/MiniMax Go catalog`},i={"moonshot-api-key":`Kimi API key (.ai)`,"moonshot-api-key-cn":`Kimi API key (.cn)`,"kimi-code-api-key":`Kimi Code API key (subscription)`,"cloudflare-ai-gateway-api-key":`Cloudflare AI Gateway`,"opencode-zen":`OpenCode Zen catalog`,"opencode-go":`OpenCode Go catalog`};function a(){return t.map(e=>({value:e.authChoice,label:i[e.authChoice]??e.description,...r[e.authChoice]?{hint:r[e.authChoice]}:{}}))}const o=[{value:`token`,label:`Anthropic token (paste setup-token)`,hint:"run `claude setup-token` elsewhere, then paste the token here"},{value:`openai-codex`,label:`OpenAI Codex (ChatGPT OAuth)`},{value:`chutes`,label:`Chutes (OAuth)`},{value:`vllm`,label:`vLLM (custom URL + model)`,hint:`Local/self-hosted OpenAI-compatible server`},{value:`ollama`,label:`Ollama`,hint:`Cloud and local open models`},...a(),{value:`moonshot-api-key-cn`,label:`Kimi API key (.cn)`},{value:`github-copilot`,label:`GitHub Copilot (GitHub device login)`,hint:`Uses GitHub device flow`},{value:`gemini-api-key`,label:`Google Gemini API key`},{value:`google-gemini-cli`,label:`Google Gemini CLI OAuth`,hint:`Unofficial flow; review account-risk warning before use`},{value:`zai-api-key`,label:`Z.AI API key`},{value:`zai-coding-global`,label:`Coding-Plan-Global`,hint:`GLM Coding Plan Global (api.z.ai)`},{value:`zai-coding-cn`,label:`Coding-Plan-CN`,hint:`GLM Coding Plan CN (open.bigmodel.cn)`},{value:`zai-global`,label:`Global`,hint:`Z.AI Global (api.z.ai)`},{value:`zai-cn`,label:`CN`,hint:`Z.AI CN (open.bigmodel.cn)`},{value:`xiaomi-api-key`,label:`Xiaomi API key`},{value:`minimax-portal`,label:`MiniMax OAuth`,hint:`Oauth plugin for MiniMax`},{value:`qwen-portal`,label:`Qwen OAuth`},{value:`copilot-proxy`,label:`Copilot Proxy (local)`,hint:`Local proxy for VS Code Copilot models`},{value:`apiKey`,label:`Anthropic API key`},{value:`opencode-zen`,label:`OpenCode Zen catalog`,hint:`Claude, GPT, Gemini via opencode.ai/zen`},{value:`minimax-api`,label:`MiniMax M2.5`},{value:`minimax-api-key-cn`,label:`MiniMax M2.5 (CN)`,hint:`China endpoint (api.minimaxi.com)`},{value:`minimax-api-lightning`,label:`MiniMax M2.5 Highspeed`,hint:`Official fast tier (legacy: Lightning)`},{value:`qianfan-api-key`,label:`Qianfan API key`},{value:`modelstudio-api-key-cn`,label:`Coding Plan API Key for China (subscription)`,hint:`Endpoint: coding.dashscope.aliyuncs.com`},{value:`modelstudio-api-key`,label:`Coding Plan API Key for Global/Intl (subscription)`,hint:`Endpoint: coding-intl.dashscope.aliyuncs.com`},{value:`custom-api-key`,label:`Custom Provider`}];function s(t){let n=t?.includeSkip??!0,r=t?.includeLegacyAliases??!1,i=o.map(e=>e.value);return n&&i.push(`skip`),r&&i.push(...e),i.join(`|`)}function c(e){e.store;let t=[...o];return e.includeSkip&&t.push({value:`skip`,label:`Skip for now`}),t}function l(e){let t=c({...e,includeSkip:!1}),r=new Map(t.map(e=>[e.value,e]));return{groups:n.map(e=>({...e,options:e.choices.map(e=>r.get(e)).filter(e=>!!e)})),skipOption:e.includeSkip?{value:`skip`,label:`Skip for now`}:void 0}}export{s as n,l as t};
+//# sourceMappingURL=auth-choice-options-Dw14noox.js.map

package/dist/auth-choice-prompt-uegl56cf.js

@@ -1 +1,2 @@
 import{t as e}from"./rolldown-runtime-CNxR59P3.js";import{t}from"./auth-choice-options-B3WQyS7I.js";var n=e({promptAuthChoiceGrouped:()=>i});const r=`__back`;async function i(e){let{groups:n,skipOption:i}=t(e),a=n.filter(e=>e.options.length>0);for(;;){let t=[...a.map(e=>({value:e.value,label:e.label,hint:e.hint})),...i?[i]:[]],n=await e.prompter.select({message:`Model/auth provider`,options:t});if(n===`skip`)return`skip`;let o=a.find(e=>e.value===n);if(!o||o.options.length===0){await e.prompter.note(`No auth methods available for that provider.`,`Model/auth choice`);continue}if(o.options.length===1)return o.options[0].value;let s=await e.prompter.select({message:`${o.label} auth method`,options:[...o.options,{value:r,label:`Back`}]});if(s!==r)return s}}export{i as n,n as t};
+//# sourceMappingURL=auth-choice-prompt-uegl56cf.js.map

package/dist/auth-choice-prompt-xYj13czb.js

@@ -1 +1,2 @@
 import{t as e}from"./rolldown-runtime-CNxR59P3.js";import{t}from"./auth-choice-options-Dw14noox.js";var n=e({promptAuthChoiceGrouped:()=>i});const r=`__back`;async function i(e){let{groups:n,skipOption:i}=t(e),a=n.filter(e=>e.options.length>0);for(;;){let t=[...a.map(e=>({value:e.value,label:e.label,hint:e.hint})),...i?[i]:[]],n=await e.prompter.select({message:`Model/auth provider`,options:t});if(n===`skip`)return`skip`;let o=a.find(e=>e.value===n);if(!o||o.options.length===0){await e.prompter.note(`No auth methods available for that provider.`,`Model/auth choice`);continue}if(o.options.length===1)return o.options[0].value;let s=await e.prompter.select({message:`${o.label} auth method`,options:[...o.options,{value:r,label:`Back`}]});if(s!==r)return s}}export{i as n,n as t};
+//# sourceMappingURL=auth-choice-prompt-xYj13czb.js.map

package/dist/auth-choice.apply-helpers-B7S-PcH_.js

@@ -1,2 +1,3 @@
 import{Jc as e,_o as t,fl as n,so as r}from"./auth-profiles-T8DuH3ax.js";import{s as i}from"./types.secrets-D4tbc3Wq.js";import{At as a,Dt as o,Et as s,Ot as c}from"./plugins-DNlgeTTc.js";import{t as l}from"./provider-env-vars-Dt0Q29Su.js";const u={head:4,tail:4};function d(e){let t=String(e??``).trim();if(!t)return``;let n=t.match(/^(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*\s*=\s*(.+)$/),r=n?n[1].trim():t,i=r.length>=2&&(r.startsWith(`"`)&&r.endsWith(`"`)||r.startsWith(`'`)&&r.endsWith(`'`)||r.startsWith("`")&&r.endsWith("`"))?r.slice(1,-1):r;return(i.endsWith(`;`)?i.slice(0,-1):i).trim()}const f=e=>d(e).length>0?void 0:`Required`;function p(e,t={}){let n=e.trim();if(!n)return`…`;let r=t.head??u.head,i=t.tail??u.tail;if(n.length<=r+i){let e=Math.min(2,n.length),t=Math.min(2,n.length-e);return t<=0?`${n.slice(0,e)}…`:`${n.slice(0,e)}…${n.slice(-t)}`}return`${n.slice(0,r)}…${n.slice(-i)}`}function m(t){let n=t.modelRef.trim();if(!n)return t.cfg;let r={...t.cfg.agents?.defaults?.models},i=new Set([n]),a=e(n,t.defaultProvider??`anthropic`);a&&i.add(a);for(let e of i)r[e]={...r[e]};return{...t.cfg,agents:{...t.cfg.agents,defaults:{...t.cfg.agents?.defaults,models:r}}}}async function h(e){if(e.setDefaultModel){let t=e.applyDefaultConfig(e.config);return e.noteDefault&&await e.prompter.note(`Default model set to ${e.noteDefault}`,`Model configured`),{config:t}}let t=m({cfg:e.applyProviderConfig(e.config),modelRef:e.defaultModel});return await e.noteAgentModel(e.defaultModel),{config:t,agentModelOverride:e.defaultModel}}const g=/(?:^|:\s)([A-Z][A-Z0-9_]*)$/;function _(e){return e instanceof Error&&typeof e.message==`string`&&e.message.trim()?e.message:String(e)}function v(e){return g.exec(e.trim())?.[1]}function y(e){return l[e]?.find(e=>e.trim().length>0)}function b(e){return`/providers/${t(e)}/apiKey`}function x(e){let t=e.preferredEnvVar??y(e.provider);if(!t)throw Error(`No default environment variable mapping found for provider "${e.provider}". Set a provider-specific env var, or re-run onboarding in an interactive terminal to configure a ref.`);let n=process.env[t]?.trim();if(!n)throw Error(`Environment variable "${t}" is required for --secret-input-mode ref in non-interactive onboarding.`);return{ref:{source:`env`,provider:a(e.config,`env`,{preferFirstProviderForSource:!0}),id:t},resolvedValue:n}}async function S(e){let t=e.preferredEnvVar??y(e.provider)??``,n=b(e.provider),l=`env`;for(;;){let u=await e.prompter.select({message:e.copy?.sourceMessage??`Where is this API key stored?`,initialValue:l,options:[{value:`env`,label:`Environment variable`,hint:`Reference a variable from your runtime environment`},{value:`provider`,label:`Configured secret provider`,hint:`Use a configured file or exec secret provider`}]})===`provider`?`provider`:`env`;if(l=u,u===`env`){let n=await e.prompter.text({message:e.copy?.envVarMessage??`Environment variable name`,initialValue:t||void 0,placeholder:e.copy?.envVarPlaceholder??`OPENAI_API_KEY`,validate:t=>{let n=t.trim();if(!i(n))return e.copy?.envVarFormatError??`Use an env var name like "OPENAI_API_KEY" (uppercase letters, numbers, underscores).`;if(!process.env[n]?.trim())return e.copy?.envVarMissingError?.(n)??`Environment variable "${n}" is missing or empty in this session.`}}),o=String(n??``).trim(),s=o&&i(o)?o:t;if(!s)throw Error(`No valid environment variable name provided for provider "${e.provider}".`);let c={source:`env`,provider:a(e.config,`env`,{preferFirstProviderForSource:!0}),id:s},l=await r(c,{config:e.config,env:process.env});return await e.prompter.note(e.copy?.envValidatedMessage?.(s)??`Validated environment variable ${s}. OpenClaw will store a reference, not the key value.`,`Reference validated`),{ref:c,resolvedValue:l}}let d=Object.entries(e.config.secrets?.providers??{}).filter(([,e])=>e?.source===`file`||e?.source===`exec`);if(d.length===0){await e.prompter.note(e.copy?.noProvidersMessage??`No file/exec secret providers are configured yet. Add one under secrets.providers, or select Environment variable.`,`No providers configured`);continue}let f=a(e.config,`file`,{preferFirstProviderForSource:!0}),p=await e.prompter.select({message:`Select secret provider`,initialValue:d.find(([e])=>e===f)?.[0]??d[0]?.[0],options:d.map(([e,t])=>({value:e,label:e,hint:t?.source===`exec`?`Exec provider`:`File provider`}))}),m=e.config.secrets?.providers?.[p];if(!m||m.source!==`file`&&m.source!==`exec`){await e.prompter.note(`Provider "${p}" is not a file/exec provider.`,`Invalid provider`);continue}let h=m.source===`file`?`Secret id (JSON pointer for json mode, or 'value' for singleValue mode)`:`Secret id for the exec provider`,g=m.source===`file`?m.mode===`singleValue`?`value`:n:`${e.provider}/apiKey`,v=await e.prompter.text({message:h,initialValue:g,placeholder:m.source===`file`?`/providers/openai/apiKey`:`openai/api-key`,validate:e=>{let t=e.trim();if(!t)return`Secret id cannot be empty.`;if(m.source===`file`&&m.mode!==`singleValue`&&!c(t))return`Use an absolute JSON pointer like "/providers/openai/apiKey".`;if(m.source===`file`&&m.mode===`singleValue`&&t!==`value`)return`singleValue mode expects id "value".`;if(m.source===`exec`&&!o(t))return s()}}),y=String(v??``).trim()||g,b={source:m.source,provider:p,id:y};try{let t=await r(b,{config:e.config,env:process.env});return await e.prompter.note(e.copy?.providerValidatedMessage?.(p,y,m.source)??`Validated ${m.source} reference ${p}:${y}. OpenClaw will store a reference, not the key value.`,`Reference validated`),{ref:b,resolvedValue:t}}catch(t){await e.prompter.note([`Could not validate provider reference ${p}:${y}.`,_(t),`Check your provider configuration and try again.`].join(`
 `),`Reference check failed`)}}}function C(e){return async t=>{e.agentId&&await e.prompter.note(`Default model set to ${t} for agent "${e.agentId}".`,`Model configured`)}}function w(e){return{get config(){return e.getConfig()},set config(t){e.setConfig(t)},get agentModelOverride(){return e.getAgentModelOverride()},set agentModelOverride(t){e.setAgentModelOverride(t)}}}function T(e,t){let n=C(e);return async r=>{let i=await h({config:t.config,setDefaultModel:e.setDefaultModel,noteAgentModel:n,prompter:e.prompter,...r});t.config=i.config,t.agentModelOverride=i.agentModelOverride??t.agentModelOverride}}function E(e,t,n,r,i){return T(e,w({getConfig:t,setConfig:n,getAgentModelOverride:r,setAgentModelOverride:i}))}function D(e){return String(e??``).trim().toLowerCase()||void 0}function O(e){let t=String(e??``).trim().toLowerCase();if(t===`plaintext`||t===`ref`)return t}async function k(e){return e.explicitMode?e.explicitMode:typeof e.prompter.select==`function`&&await e.prompter.select({message:e.copy?.modeMessage??`How do you want to provide this API key?`,initialValue:`plaintext`,options:[{value:`plaintext`,label:e.copy?.plaintextLabel??`Paste API key now`,hint:e.copy?.plaintextHint??`Stores the key directly in OpenClaw config`},{value:`ref`,label:e.copy?.refLabel??`Use external secret provider`,hint:e.copy?.refHint??`Stores a reference to env or configured external secret providers`}]})===`ref`?`ref`:`plaintext`}async function A(e){let t=D(e.tokenProvider),n=e.expectedProviders.map(e=>D(e)).filter(e=>!!e);if(!e.token||!t||!n.includes(t))return;let r=e.normalize(e.token);return await e.setCredential(r,e.secretInputMode),r}async function j(e){return await A({token:e.token,tokenProvider:e.tokenProvider,secretInputMode:e.secretInputMode,expectedProviders:e.expectedProviders,normalize:e.normalize,setCredential:e.setCredential})||(e.noteMessage&&await e.prompter.note(e.noteMessage,e.noteTitle),await M({config:e.config,provider:e.provider,envLabel:e.envLabel,promptMessage:e.promptMessage,normalize:e.normalize,validate:e.validate,prompter:e.prompter,secretInputMode:e.secretInputMode,setCredential:e.setCredential}))}async function M(e){let t=await k({prompter:e.prompter,explicitMode:e.secretInputMode}),r=n(e.provider);if(t===`ref`){if(typeof e.prompter.select!=`function`){let n=x({config:e.config,provider:e.provider,preferredEnvVar:r?.source?v(r.source):void 0});return await e.setCredential(n.ref,t),n.resolvedValue}let n=await S({provider:e.provider,config:e.config,prompter:e.prompter,preferredEnvVar:r?.source?v(r.source):void 0});return await e.setCredential(n.ref,t),n.resolvedValue}if(r&&t===`plaintext`&&await e.prompter.confirm({message:`Use existing ${e.envLabel} (${r.source}, ${p(r.apiKey)})?`,initialValue:!0}))return await e.setCredential(r.apiKey,t),r.apiKey;let i=await e.prompter.text({message:e.promptMessage,validate:e.validate}),a=e.normalize(String(i??``));return await e.setCredential(a,t),a}export{O as a,k as c,d,f,j as i,h as l,E as n,D as o,M as r,S as s,C as t,m as u};
+//# sourceMappingURL=auth-choice.apply-helpers-B7S-PcH_.js.map

package/dist/auth-choice.apply-helpers-gaL-oSft.js

@@ -1,2 +1,3 @@
 import{Cs as e,M as t,Ns as n,m as r}from"./model-selection-BlC_rXAN.js";import{s as i}from"./types.secrets-C-5U96pc.js";import{At as a,Dt as o,Et as s,Ot as c}from"./plugins-CYLrFT4h.js";import{t as l}from"./provider-env-vars-D8p6Ohpj.js";const u={head:4,tail:4};function d(e){let t=String(e??``).trim();if(!t)return``;let n=t.match(/^(?:export\s+)?[A-Za-z_][A-Za-z0-9_]*\s*=\s*(.+)$/),r=n?n[1].trim():t,i=r.length>=2&&(r.startsWith(`"`)&&r.endsWith(`"`)||r.startsWith(`'`)&&r.endsWith(`'`)||r.startsWith("`")&&r.endsWith("`"))?r.slice(1,-1):r;return(i.endsWith(`;`)?i.slice(0,-1):i).trim()}const f=e=>d(e).length>0?void 0:`Required`;function p(e,t={}){let n=e.trim();if(!n)return`…`;let r=t.head??u.head,i=t.tail??u.tail;if(n.length<=r+i){let e=Math.min(2,n.length),t=Math.min(2,n.length-e);return t<=0?`${n.slice(0,e)}…`:`${n.slice(0,e)}…${n.slice(-t)}`}return`${n.slice(0,r)}…${n.slice(-i)}`}function m(e){let t=e.modelRef.trim();if(!t)return e.cfg;let n={...e.cfg.agents?.defaults?.models},i=new Set([t]),a=r(t,e.defaultProvider??`anthropic`);a&&i.add(a);for(let e of i)n[e]={...n[e]};return{...e.cfg,agents:{...e.cfg.agents,defaults:{...e.cfg.agents?.defaults,models:n}}}}async function h(e){if(e.setDefaultModel){let t=e.applyDefaultConfig(e.config);return e.noteDefault&&await e.prompter.note(`Default model set to ${e.noteDefault}`,`Model configured`),{config:t}}let t=m({cfg:e.applyProviderConfig(e.config),modelRef:e.defaultModel});return await e.noteAgentModel(e.defaultModel),{config:t,agentModelOverride:e.defaultModel}}const g=/(?:^|:\s)([A-Z][A-Z0-9_]*)$/;function _(e){return e instanceof Error&&typeof e.message==`string`&&e.message.trim()?e.message:String(e)}function v(e){return g.exec(e.trim())?.[1]}function y(e){return l[e]?.find(e=>e.trim().length>0)}function b(e){return`/providers/${n(e)}/apiKey`}function x(e){let t=e.preferredEnvVar??y(e.provider);if(!t)throw Error(`No default environment variable mapping found for provider "${e.provider}". Set a provider-specific env var, or re-run onboarding in an interactive terminal to configure a ref.`);let n=process.env[t]?.trim();if(!n)throw Error(`Environment variable "${t}" is required for --secret-input-mode ref in non-interactive onboarding.`);return{ref:{source:`env`,provider:a(e.config,`env`,{preferFirstProviderForSource:!0}),id:t},resolvedValue:n}}async function S(t){let n=t.preferredEnvVar??y(t.provider)??``,r=b(t.provider),l=`env`;for(;;){let u=await t.prompter.select({message:t.copy?.sourceMessage??`Where is this API key stored?`,initialValue:l,options:[{value:`env`,label:`Environment variable`,hint:`Reference a variable from your runtime environment`},{value:`provider`,label:`Configured secret provider`,hint:`Use a configured file or exec secret provider`}]})===`provider`?`provider`:`env`;if(l=u,u===`env`){let r=await t.prompter.text({message:t.copy?.envVarMessage??`Environment variable name`,initialValue:n||void 0,placeholder:t.copy?.envVarPlaceholder??`OPENAI_API_KEY`,validate:e=>{let n=e.trim();if(!i(n))return t.copy?.envVarFormatError??`Use an env var name like "OPENAI_API_KEY" (uppercase letters, numbers, underscores).`;if(!process.env[n]?.trim())return t.copy?.envVarMissingError?.(n)??`Environment variable "${n}" is missing or empty in this session.`}}),o=String(r??``).trim(),s=o&&i(o)?o:n;if(!s)throw Error(`No valid environment variable name provided for provider "${t.provider}".`);let c={source:`env`,provider:a(t.config,`env`,{preferFirstProviderForSource:!0}),id:s},l=await e(c,{config:t.config,env:process.env});return await t.prompter.note(t.copy?.envValidatedMessage?.(s)??`Validated environment variable ${s}. OpenClaw will store a reference, not the key value.`,`Reference validated`),{ref:c,resolvedValue:l}}let d=Object.entries(t.config.secrets?.providers??{}).filter(([,e])=>e?.source===`file`||e?.source===`exec`);if(d.length===0){await t.prompter.note(t.copy?.noProvidersMessage??`No file/exec secret providers are configured yet. Add one under secrets.providers, or select Environment variable.`,`No providers configured`);continue}let f=a(t.config,`file`,{preferFirstProviderForSource:!0}),p=await t.prompter.select({message:`Select secret provider`,initialValue:d.find(([e])=>e===f)?.[0]??d[0]?.[0],options:d.map(([e,t])=>({value:e,label:e,hint:t?.source===`exec`?`Exec provider`:`File provider`}))}),m=t.config.secrets?.providers?.[p];if(!m||m.source!==`file`&&m.source!==`exec`){await t.prompter.note(`Provider "${p}" is not a file/exec provider.`,`Invalid provider`);continue}let h=m.source===`file`?`Secret id (JSON pointer for json mode, or 'value' for singleValue mode)`:`Secret id for the exec provider`,g=m.source===`file`?m.mode===`singleValue`?`value`:r:`${t.provider}/apiKey`,v=await t.prompter.text({message:h,initialValue:g,placeholder:m.source===`file`?`/providers/openai/apiKey`:`openai/api-key`,validate:e=>{let t=e.trim();if(!t)return`Secret id cannot be empty.`;if(m.source===`file`&&m.mode!==`singleValue`&&!c(t))return`Use an absolute JSON pointer like "/providers/openai/apiKey".`;if(m.source===`file`&&m.mode===`singleValue`&&t!==`value`)return`singleValue mode expects id "value".`;if(m.source===`exec`&&!o(t))return s()}}),y=String(v??``).trim()||g,b={source:m.source,provider:p,id:y};try{let n=await e(b,{config:t.config,env:process.env});return await t.prompter.note(t.copy?.providerValidatedMessage?.(p,y,m.source)??`Validated ${m.source} reference ${p}:${y}. OpenClaw will store a reference, not the key value.`,`Reference validated`),{ref:b,resolvedValue:n}}catch(e){await t.prompter.note([`Could not validate provider reference ${p}:${y}.`,_(e),`Check your provider configuration and try again.`].join(`
 `),`Reference check failed`)}}}function C(e){return async t=>{e.agentId&&await e.prompter.note(`Default model set to ${t} for agent "${e.agentId}".`,`Model configured`)}}function w(e){return{get config(){return e.getConfig()},set config(t){e.setConfig(t)},get agentModelOverride(){return e.getAgentModelOverride()},set agentModelOverride(t){e.setAgentModelOverride(t)}}}function T(e,t){let n=C(e);return async r=>{let i=await h({config:t.config,setDefaultModel:e.setDefaultModel,noteAgentModel:n,prompter:e.prompter,...r});t.config=i.config,t.agentModelOverride=i.agentModelOverride??t.agentModelOverride}}function E(e,t,n,r,i){return T(e,w({getConfig:t,setConfig:n,getAgentModelOverride:r,setAgentModelOverride:i}))}function D(e){return String(e??``).trim().toLowerCase()||void 0}function O(e){let t=String(e??``).trim().toLowerCase();if(t===`plaintext`||t===`ref`)return t}async function k(e){return e.explicitMode?e.explicitMode:typeof e.prompter.select==`function`&&await e.prompter.select({message:e.copy?.modeMessage??`How do you want to provide this API key?`,initialValue:`plaintext`,options:[{value:`plaintext`,label:e.copy?.plaintextLabel??`Paste API key now`,hint:e.copy?.plaintextHint??`Stores the key directly in OpenClaw config`},{value:`ref`,label:e.copy?.refLabel??`Use external secret provider`,hint:e.copy?.refHint??`Stores a reference to env or configured external secret providers`}]})===`ref`?`ref`:`plaintext`}async function A(e){let t=D(e.tokenProvider),n=e.expectedProviders.map(e=>D(e)).filter(e=>!!e);if(!e.token||!t||!n.includes(t))return;let r=e.normalize(e.token);return await e.setCredential(r,e.secretInputMode),r}async function j(e){return await A({token:e.token,tokenProvider:e.tokenProvider,secretInputMode:e.secretInputMode,expectedProviders:e.expectedProviders,normalize:e.normalize,setCredential:e.setCredential})||(e.noteMessage&&await e.prompter.note(e.noteMessage,e.noteTitle),await M({config:e.config,provider:e.provider,envLabel:e.envLabel,promptMessage:e.promptMessage,normalize:e.normalize,validate:e.validate,prompter:e.prompter,secretInputMode:e.secretInputMode,setCredential:e.setCredential}))}async function M(e){let n=await k({prompter:e.prompter,explicitMode:e.secretInputMode}),r=t(e.provider);if(n===`ref`){if(typeof e.prompter.select!=`function`){let t=x({config:e.config,provider:e.provider,preferredEnvVar:r?.source?v(r.source):void 0});return await e.setCredential(t.ref,n),t.resolvedValue}let t=await S({provider:e.provider,config:e.config,prompter:e.prompter,preferredEnvVar:r?.source?v(r.source):void 0});return await e.setCredential(t.ref,n),t.resolvedValue}if(r&&n===`plaintext`&&await e.prompter.confirm({message:`Use existing ${e.envLabel} (${r.source}, ${p(r.apiKey)})?`,initialValue:!0}))return await e.setCredential(r.apiKey,n),r.apiKey;let i=await e.prompter.text({message:e.promptMessage,validate:e.validate}),a=e.normalize(String(i??``));return await e.setCredential(a,n),a}export{O as a,k as c,d,f,j as i,h as l,E as n,D as o,M as r,S as s,C as t,m as u};
+//# sourceMappingURL=auth-choice.apply-helpers-gaL-oSft.js.map

package/dist/auth-profiles-T8DuH3ax.js

@@ -63,3 +63,4 @@ stat -c "%F|%s|%Y" -- "$2"`,args:[t.canonicalParentPath,t.basename],allowFailure
 `)}function lH(){try{if(Mn(`which rg`,{encoding:`utf8`,stdio:[`ignore`,`pipe`,`ignore`],timeout:2e3}).trim())return}catch{}if(O.platform()===`darwin`)return{command:`/usr/bin/true`}}let uH=!1,dH=null;function fH(e,t){if(e===null)return!1;try{return JSON.stringify(e)===JSON.stringify(t)}catch{return!1}}let pH=null;async function mH(){return pH||=(await import(`@anthropic-ai/sandbox-runtime`)).SandboxManager,pH}const hH={network:{allowedDomains:[`github.com`,`*.github.com`,`*.githubusercontent.com`,`npmjs.org`,`*.npmjs.org`,`registry.npmjs.org`,`pypi.org`,`*.pypi.org`,`api.anthropic.com`,`*.openai.com`,`*.qq.com`,`*.imtt.qq.com`],deniedDomains:[],allowLocalBinding:!0},filesystem:{denyRead:[`~/.ssh`,`~/.gnupg`,`~/.aws/credentials`],allowWrite:[`.`,`/tmp`,`/private/tmp`,`/var/tmp`,`/private/var/tmp`],denyWrite:[`.env`,`.env.local`,`.env.production`]}};function gH(e,t){return e.map(e=>e===`.`?t?k.resolve(t):process.cwd():e===`~`||e.startsWith(`~/`)?k.resolve(O.homedir(),e.slice(e.startsWith(`~/`)?2:1)):e)}function _H(e,t){let n=lH(),r=n?{ripgrep:n}:{};if(!e)return{...hH,filesystem:{...hH.filesystem,allowWrite:gH(hH.filesystem?.allowWrite??[],t)},...r};let i=e.allowWrite??hH.filesystem?.allowWrite??[],a=e.allowedDomains?.includes(`*`);return{network:{allowedDomains:a?void 0:e.allowedDomains??hH.network?.allowedDomains??[],deniedDomains:a?[]:e.deniedDomains??hH.network?.deniedDomains??[],allowLocalBinding:e.allowLocalBinding??hH.network?.allowLocalBinding??!0,allowUnixSockets:e.allowUnixSockets},filesystem:{denyRead:e.denyRead??hH.filesystem?.denyRead??[],allowWrite:gH(i,t),denyWrite:e.denyWrite??hH.filesystem?.denyWrite??[]},...r}}async function vH(e){let t=e??_H();if(!(uH&&fH(dH,t)))try{await(await mH()).initialize(t,void 0,!0),uH=!0,dH=t,console.log(`[QBotClaw:SRT:Init] ✅ sandbox-runtime 初始化成功 | config=${JSON.stringify(t,null,2)}`),wH()}catch(e){let t=e instanceof Error?e.message:JSON.stringify(e);throw console.log(`[QBotClaw:SRT:Init] ❌ sandbox-runtime 初始化失败: ${t}`),e}}async function yH(e){uH||await vH();try{return await(await mH()).wrapWithSandbox(e)}catch(e){let t=e instanceof Error?e.message:JSON.stringify(e);throw console.log(`[QBotClaw:SRT:Exec] ❌ wrapWithSandbox 失败: ${t}`),e}}async function bH(){if(uH)try{await(await mH()).reset(),uH=!1,dH=null}catch(e){let t=e instanceof Error?e.message:JSON.stringify(e);console.log(`[QBotClaw:SRT:Cleanup] ❌ sandbox-runtime 重置失败: ${t}`)}}async function xH(e){if(!uH)return[];try{return(await mH()).getSandboxViolationStore().getViolationsForCommand(e)}catch{return[]}}async function SH(){if(uH)try{(await mH()).cleanupAfterCommand()}catch{}}let CH=!1;function wH(){if(!CH){CH=!0,process.on(`exit`,()=>{uH&&(console.log(`[QBotClaw:SRT:Cleanup] 🧹 进程退出，执行 SRT 清理...`),bH())});for(let e of[`SIGTERM`,`SIGINT`])process.on(e,()=>{bH().finally(()=>{process.kill(process.pid,e)})})}}async function TH(e,t,n){if(await j.mkdir(e,{recursive:!0}),t){let n=E(t),r=[pe,xe,fe,Se,le,Ce,me];for(let t of r){let r=k.join(n,t),i=k.join(e,t);try{await j.access(i)}catch{try{let e=await Ue({absolutePath:r,rootPath:n,boundaryLabel:`sandbox seed workspace`});if(!e.ok)continue;try{let t=A.readFileSync(e.fd,`utf-8`);await j.writeFile(i,t,{encoding:`utf-8`,flag:`wx`})}finally{A.closeSync(e.fd)}}catch{}}}}await ce({dir:e,ensureBootstrapFiles:!n})}async function EH(e){let{cfg:t,rawSessionKey:n}=e,r=E(e.workspaceDir?.trim()||be),i=E(t.workspaceRoot),a=yF(t.scope,n),s=t.scope===`shared`?i:vF(i,a),c=t.workspaceAccess===`rw`?r:s;if(c===s){if(await TH(s,r,e.config?.agents?.defaults?.skipBootstrap),t.workspaceAccess!==`rw`)try{await At({sourceWorkspaceDir:r,targetWorkspaceDir:s,config:e.config})}catch(e){let t=e instanceof Error?e.message:JSON.stringify(e);o.error?.(`Sandbox skill sync failed: ${t}`)}}else await j.mkdir(c,{recursive:!0});return{agentWorkspaceDir:r,scopeKey:a,sandboxWorkspaceDir:s,workspaceDir:c}}async function DH(e){if(e.docker.user?.trim())return e.docker;let t=e.stat??(e=>j.stat(e));try{let n=await t(e.workspaceDir),r=Number.isInteger(n.uid)?n.uid:null,i=Number.isInteger(n.gid)?n.gid:null;return r===null||i===null||r<0||i<0?e.docker:{...e.docker,user:`${r}:${i}`}}catch{return e.docker}}function OH(e){let t=e.sessionKey?.trim();if(!t)return null;let n=sH({cfg:e.config,sessionKey:t});if(!n.sandboxed)return console.log(`[QBotClaw:Sandbox:Init] ❌ 沙箱未启用 | mode=${n.mode} | sessionKey=${t} | sandboxed=false`),null;let r=sT(e.config,n.agentId);return console.log(`[QBotClaw:Sandbox:Init] ✅ 沙箱已启用 | mode=${n.mode} | agentId=${n.agentId} | scope=${r.scope}`),{rawSessionKey:t,runtime:n,cfg:r}}async function kH(e){let t=OH(e);if(!t)return null;let{rawSessionKey:n,cfg:r}=t;if(r.runtime===`srt`){let t=E(e.workspaceDir?.trim()||be);await j.mkdir(t,{recursive:!0});let i=e.config?.agents?.defaults?.sandbox?.srt,a=_H(i,t);try{await vH(a)}catch(e){let t=e instanceof Error?e.message:JSON.stringify(e);return console.log(`[QBotClaw:SRT:Init] ❌ SRT 初始化失败，回退到非沙箱模式: ${t}`),o.error?.(`SRT sandbox initialization failed: ${t}`),null}let s={enabled:!0,runtime:`srt`,sessionKey:n,workspaceDir:t,agentWorkspaceDir:t,workspaceAccess:r.workspaceAccess===`none`?`rw`:r.workspaceAccess,containerName:`srt-sandbox-${n}`,containerWorkdir:t,docker:r.docker,tools:r.tools,browserAllowHostControl:r.browser.allowHostControl};if(i?.skillMounts!==!1){let n=[{hostRoot:t,containerRoot:t,writable:s.workspaceAccess===`rw`,source:`workspace`}];for(let e of r.docker.binds??[]){let t=e.split(`:`);if(t.length>=2&&t[0]&&t[1]){let e=E(t[0]);n.push({hostRoot:e,containerRoot:e,writable:!t[2]?.includes(`ro`),source:`bind`})}}let c=gH(i?.allowWrite??a.filesystem?.allowWrite??[],t),l=new Set(n.map(e=>e.hostRoot));for(let e of c){if(l.has(e))continue;let t=!1;for(let n of l)if(e.startsWith(n+k.sep)||e===n){t=!0;break}t||(l.add(e),n.push({hostRoot:e,containerRoot:e,writable:!0,source:`allowWrite`}))}let u=E(`~`);l.has(u)||(l.add(u),n.push({hostRoot:u,containerRoot:u,writable:!1,source:`bind`}));try{let r=kt(t,{config:e.config}),i=new Set;i.add(k.resolve(t));for(let e of r){let t=k.resolve(k.dirname(e.skill.baseDir));if(i.has(t))continue;let r=!1;for(let e of i)if(t.startsWith(e+k.sep)||t===e){r=!0;break}r||(i.add(t),n.push({hostRoot:t,containerRoot:t,writable:!1,source:`bind`}))}}catch(e){let t=e instanceof Error?e.message:JSON.stringify(e);console.log(`[QBotClaw:SRT:Init] ⚠️ Skills 源目录收集失败（非致命）: ${t}`),o.error?.(`SRT sandbox skill mount collection failed: ${t}`)}s.fsBridge=ID({workspaceDir:t,containerWorkdir:t,mounts:n,denyReadPaths:(i?.denyRead??a.filesystem?.denyRead??[]).map(e=>E(e))})}else s.fsBridge=FD(t);return s}await zI(r);let{agentWorkspaceDir:i,scopeKey:a,workspaceDir:s}=await EH({cfg:r,rawSessionKey:n,config:e.config,workspaceDir:e.workspaceDir}),c=await DH({docker:r.docker,workspaceDir:s}),l=c===r.docker?r:{...r,docker:c},u=await lI({sessionKey:n,workspaceDir:s,agentWorkspaceDir:i,cfg:l});console.log(`[QBotClaw:Sandbox:Init] 🐳 沙箱容器就绪 | containerName=${u}`);let d=await xI({scopeKey:a,workspaceDir:s,agentWorkspaceDir:i,cfg:l,evaluateEnabled:e.config?.browser?.evaluateEnabled??!0,bridgeAuth:r.browser.enabled?await(async()=>{let t=e.config??H(),n=dD(t);try{n=(await pD({cfg:t})).auth}catch(e){let t=e instanceof Error?e.message:JSON.stringify(e);o.error?.(`Sandbox browser auth ensure failed: ${t}`)}return n})():void 0}),f={enabled:!0,runtime:`docker`,sessionKey:n,workspaceDir:s,agentWorkspaceDir:i,workspaceAccess:l.workspaceAccess,containerName:u,containerWorkdir:l.docker.workdir,docker:l.docker,tools:l.tools,browserAllowHostControl:l.browser.allowHostControl,browser:d??void 0};return f.fsBridge=AI({sandbox:f}),f}async function AH(e){let t=OH(e);if(!t)return null;let{rawSessionKey:n,cfg:r}=t,{workspaceDir:i}=await EH({cfg:r,rawSessionKey:n,config:e.config,workspaceDir:e.workspaceDir});return{workspaceDir:i,containerWorkdir:r.docker.workdir}}async function jH(e){let t=await e.read(),n=[];for(let r of t.entries){let t=await tI(r.containerName),i=r.image;if(t.exists)try{let e=await $([`inspect`,`-f`,`{{.Config.Image}}`,r.containerName],{allowFailure:!0});e.code===0&&(i=e.stdout.trim())}catch{}let a=bF(r.sessionKey),o=e.resolveConfiguredImage(a);n.push({...r,image:i,running:t.running,imageMatch:i===o})}return n}async function MH(){let e=H();return jH({read:cF,resolveConfiguredImage:t=>sT(e,t).docker.image})}async function NH(){let e=H();return jH({read:mF,resolveConfiguredImage:t=>sT(e,t).browser.image})}async function PH(e){try{await $([`rm`,`-f`,e],{allowFailure:!0})}catch{console.log(`[QBotClaw:Sandbox:Cleanup] ⚠️ Docker 容器移除失败（已忽略） | containerName=${e}`)}await pF(e)}async function FH(e){try{await $([`rm`,`-f`,e],{allowFailure:!0})}catch{}await gF(e);for(let[t,n]of yP.entries())n.containerName===e&&(await vP(n.bridge.server).catch(()=>void 0),yP.delete(t))}function IH(e){if(typeof e!=`object`||!e)return JSON.stringify(e)??`null`;if(Array.isArray(e))return`[${e.map(e=>IH(e)).join(`,`)}]`;let t=e;return`{${Object.keys(t).toSorted().map(e=>`${JSON.stringify(e)}:${IH(t[e])}`).join(`,`)}}`}const LH=/\b(?:daily|weekly|monthly)(?:\/(?:daily|weekly|monthly))* (?:usage )?limit(?:s)?(?: (?:exhausted|reached|exceeded))?\b/i,RH={rateLimit:[/rate[_ ]limit|too many requests|429/,`model_cooldown`,`exceeded your current quota`,`resource has been exhausted`,`quota exceeded`,`resource_exhausted`,`usage limit`,/\btpm\b/i,`tokens per minute`,`tokens per day`],overloaded:[/overloaded_error|"type"\s*:\s*"overloaded_error"/i,`overloaded`,/service[_ ]unavailable.*(?:overload|capacity|high[_ ]demand)|(?:overload|capacity|high[_ ]demand).*service[_ ]unavailable/i,`high demand`],timeout:[`timeout`,`timed out`,`service unavailable`,`deadline exceeded`,`context deadline exceeded`,`connection error`,`network error`,`network request failed`,`fetch failed`,`socket hang up`,/\beconn(?:refused|reset|aborted)\b/i,/\benotfound\b/i,/\beai_again\b/i,/without sending (?:any )?chunks?/i,/\bstop reason:\s*(?:abort|error|malformed_response)\b/i,/\breason:\s*(?:abort|error|malformed_response)\b/i,/\bunhandled stop reason:\s*(?:abort|error|malformed_response)\b/i],billing:[/["']?(?:status|code)["']?\s*[:=]\s*402\b|\bhttp\s*402\b|\berror(?:\s+code)?\s*[:=]?\s*402\b|\b(?:got|returned|received)\s+(?:a\s+)?402\b|^\s*402\s+payment/i,`payment required`,`insufficient credits`,/insufficient[_ ]quota/i,`credit balance`,`plans & billing`,`insufficient balance`,`insufficient usd or diem balance`],authPermanent:[/api[_ ]?key[_ ]?(?:revoked|invalid|deactivated|deleted)/i,`invalid_api_key`,`key has been disabled`,`key has been revoked`,`account has been deactivated`,/could not (?:authenticate|validate).*(?:api[_ ]?key|credentials)/i,`permission_error`,`not allowed for this organization`],auth:[/invalid[_ ]?api[_ ]?key/,`incorrect api key`,`invalid token`,`authentication`,`re-authenticate`,`oauth token refresh failed`,`unauthorized`,`forbidden`,`access denied`,`insufficient permissions`,`insufficient permission`,/missing scopes?:/i,`expired`,`token has expired`,/\b401\b/,/\b403\b/,`no credentials found`,`no api key found`],format:[`string should match pattern`,`tool_use.id`,`tool_use_id`,`messages.1.content.1.tool_use.id`,`invalid request format`,/tool call id was.*must be/i]},zH=/^(?:error[:\s-]+)?billing(?:\s+error)?(?:[:\s-]+|$)|^(?:error[:\s-]+)?(?:credit balance|insufficient credits?|payment required|http\s*402\b)/i,BH=/["']?(?:status|code)["']?\s*[:=]\s*402\b|\bhttp\s*402\b|\berror(?:\s+code)?\s*[:=]?\s*402\b|^\s*402\s+payment/i;function VH(e,t){if(!e)return!1;let n=e.toLowerCase();return t.some(e=>e instanceof RegExp?e.test(n):n.includes(e))}function HH(e){return VH(e,RH.format)}function UH(e){return VH(e,RH.rateLimit)}function WH(e){return VH(e,RH.timeout)}function GH(e){return LH.test(e)}function KH(e){let t=e.toLowerCase();return t?e.length>512?BH.test(t):VH(t,RH.billing)?!0:zH.test(e)?t.includes(`upgrade`)||t.includes(`credits`)||t.includes(`payment`)||t.includes(`plan`):!1:!1}function qH(e){return VH(e,RH.authPermanent)}function JH(e){return VH(e,RH.auth)}function YH(e){return VH(e,RH.overloaded)}const XH=s(`errors`);function ZH(e,t){let n=e?.trim(),r=t?.trim(),i=n&&r?`${n} (${r})`:n||void 0;return i?`⚠️ ${i} returned a billing error — your API key has run out of credits or has an insufficient balance. Check your ${n} billing dashboard and top up or switch to a different API key.`:`⚠️ API provider returned a billing error — your API key has run out of credits or has an insufficient balance. Check your provider's billing dashboard and top up or switch to a different API key.`}const QH=ZH();function $H(e){if(UH(e))return`⚠️ API rate limit reached. Please try again later.`;if(YH(e))return`The AI service is temporarily overloaded. Please try again in a moment.`}function eU(e){if(!e)return!1;let t=e.toLowerCase();return t.includes(`reasoning is mandatory`)||t.includes(`reasoning is required`)||t.includes(`requires reasoning`)||t.includes(`reasoning`)&&t.includes(`cannot be disabled`)}function tU(e){let t=e.toLowerCase();return/\btpm\b/i.test(t)||t.includes(`tokens per minute`)}function nU(e){if(!e)return!1;let t=e.toLowerCase();if(tU(e)||eU(e))return!1;let n=t.includes(`request size exceeds`),r=t.includes(`context window`)||t.includes(`context length`)||t.includes(`maximum context length`);return t.includes(`request_too_large`)||t.includes(`request exceeds the maximum size`)||t.includes(`context length exceeded`)||t.includes(`maximum context length`)||t.includes(`prompt is too long`)||t.includes(`exceeds model context window`)||t.includes(`model token limit`)||n&&r||t.includes(`context overflow:`)||t.includes(`exceed context limit`)||t.includes(`exceeds the model's maximum context`)||t.includes(`max_tokens`)&&t.includes(`exceed`)&&t.includes(`context`)||t.includes(`input length`)&&t.includes(`exceed`)&&t.includes(`context`)||t.includes(`is longer than`)&&r||t.includes(`413`)&&t.includes(`too large`)||t.includes(`context_window_exceeded`)||e.includes(`上下文过长`)||e.includes(`上下文超出`)||e.includes(`上下文长度超`)||e.includes(`超出最大上下文`)||e.includes(`请压缩上下文`)}const rU=/context window.*(too small|minimum is)/i,iU=/context.*overflow|context window.*(too (?:large|long)|exceed|over|limit|max(?:imum)?|requested|sent|tokens)|prompt.*(too (?:large|long)|exceed|over|limit|max(?:imum)?)|(?:request|input).*(?:context|window|length|token).*(too (?:large|long)|exceed|over|limit|max(?:imum)?)|(?:input|request).*(?:is longer|longer than).*(?:context|window|length)/i,aU=/rate limit|too many requests|requests per (?:minute|hour|day)|quota|throttl|429\b|tokens per day/i;function oU(e){return!e||tU(e)||eU(e)||KH(e)||rU.test(e)||UH(e)?!1:nU(e)?!0:aU.test(e)?!1:iU.test(e)}function sU(e){if(!e)return!1;let t=e.toLowerCase();return t.includes(`summarization failed`)||t.includes(`auto-compaction`)||t.includes(`compaction failed`)||t.includes(`compaction`)?oU(e)?!0:t.includes(`context overflow`):!1}const cU=/^(?:error|api\s*error|apierror|openai\s*error|anthropic\s*error|gateway\s*error)[:\s-]+/i,lU=/<\s*\/?\s*final\s*>/gi,uU=/^(?:error|api\s*error|openai\s*error|anthropic\s*error|gateway\s*error|request failed|failed|exception)[:\s-]+/i,dU=/^(?:context overflow:|request_too_large\b|request size exceeds\b|request exceeds the maximum size\b|context length exceeded\b|maximum context length\b|prompt is too long\b|exceeds model context window\b)/i,fU=/^(?:http\s*)?(\d{3})\s+(.+)$/i,pU=/^(?:http\s*)?(\d{3})(?:\s+([\s\S]+))?$/i,mU=/^\s*(?:<!doctype\s+html\b|<html\b)/i,hU=new Set([521,522,523,524,525,526,530]),gU=new Set([499,500,502,503,504,521,522,523,524,529]),_U=[`error`,`bad request`,`not found`,`unauthorized`,`forbidden`,`internal server`,`service unavailable`,`gateway`,`rate limit`,`overloaded`,`timeout`,`timed out`,`invalid`,`too many requests`,`permission`],vU=[`insufficient credits`,`insufficient quota`,`credit balance`,`insufficient balance`,`plans & billing`,`add more credits`,`top up`],yU=[`upgrade your plan`,`upgrade plan`,`current plan`,`subscription`],bU=[`daily`,`weekly`,`monthly`],xU=[`try again`,`retry`,`temporary`,`cooldown`],SU=[`usage limit`,`rate limit`,`organization usage`],CU=[`organization`,`workspace`],wU=[`billing period`,`exceeded`,`reached`,`exhausted`],TU=/["']?(?:status|code)["']?\s*[:=]\s*402\b|\bhttp\s*402\b|\berror(?:\s+code)?\s*[:=]?\s*402\b|\b(?:got|returned|received)\s+(?:a\s+)?402\b|^\s*402\s+payment required\b|^\s*402\s+.*used up your points\b/i,EU=/^(?:error[:\s-]+)?(?:(?:http\s*)?402(?:\s+payment required)?|payment required)(?:[:\s-]+|$)/i;function DU(e,t){return t.some(t=>e.includes(t))}function OU(e){return DU(e,vU)||DU(e,yU)&&e.includes(`limit`)||e.includes(`billing hard limit`)||e.includes(`hard limit reached`)||e.includes(`maximum allowed`)&&e.includes(`limit`)}function kU(e){let t=DU(e,bU),n=e.includes(`spend limit`)||e.includes(`spending limit`),r=DU(e,CU);return DU(e,xU)&&DU(e,SU)||t&&(e.includes(`usage limit`)||n)||t&&e.includes(`limit`)&&e.includes(`reset`)||r&&e.includes(`limit`)&&(n||DU(e,wU))}function AU(e){return e.trim().toLowerCase().replace(EU,``).trim()}function jU(e){let t=AU(e);return!t||OU(t)?`billing`:UH(t)||kU(t)?`rate_limit`:`billing`}function MU(e){return TU.test(e)?jU(e):null}function NU(e){let t=e.match(pU);if(!t)return null;let n=Number(t[1]);return Number.isFinite(n)?{code:n,rest:(t[2]??``).trim()}:null}function PU(e){let t=e.trim();if(!t)return!1;let n=NU(t);return!n||n.code<500?!1:hU.has(n.code)?!0:n.code<600&&mU.test(n.rest)&&/<\/html>/i.test(n.rest)}function FU(e){let t=e.trim();if(!t)return!1;let n=NU(t);return n?gU.has(n.code):!1}function IU(e,t){return typeof e!=`number`||!Number.isFinite(e)?null:e===402?t?jU(t):`billing`:e===429?`rate_limit`:e===401||e===403?t&&qH(t)?`auth_permanent`:`auth`:e===408?`timeout`:e===503||e===499?t&&YH(t)?`overloaded`:`timeout`:e===502||e===504?`timeout`:e===529?`overloaded`:e===400?t&&KH(t)?`billing`:`format`:null}function LU(e){return e&&e.replace(lU,``)}function RU(e){let t=e.trim();if(!t)return e;let n=t.split(/\n{2,}/);if(n.length<2)return e;let r=e=>e.trim().replace(/\s+/g,` `),i=[],a=null;for(let e of n){let t=r(e);a&&t===a||(i.push(e.trim()),a=t)}return i.length===n.length?e:i.join(`
 
 `)}function zU(e){if(PU(e))return!0;let t=e.match(fU);if(!t)return!1;let n=Number(t[1]);if(!Number.isFinite(n)||n<400)return!1;let r=t[2].toLowerCase();return _U.some(e=>r.includes(e))}function BU(e){return nU(e)?WU(e)||zU(e)||uU.test(e)||dU.test(e):!1}function VU(e){if(!e||typeof e!=`object`||Array.isArray(e))return!1;let t=e;if(t.type===`error`||typeof t.request_id==`string`||typeof t.requestId==`string`)return!0;if(`error`in t){let e=t.error;if(e&&typeof e==`object`&&!Array.isArray(e)){let t=e;if(typeof t.message==`string`||typeof t.type==`string`||typeof t.code==`string`)return!0}}return!1}function HU(e){if(!e)return null;let t=e.trim();if(!t)return null;let n=[t];cU.test(t)&&n.push(t.replace(cU,``).trim());for(let e of n)if(!(!e.startsWith(`{`)||!e.endsWith(`}`)))try{let t=JSON.parse(e);if(VU(t))return t}catch{}return null}function UU(e){if(!e)return null;let t=HU(e);return t?IH(t):null}function WU(e){return UU(e)!==null}function GU(e){if(!e)return null;let t=e.trim();if(!t)return null;let n,r=t,i=r.match(/^(\d{3})\s+(.+)$/s);i&&(n=i[1],r=i[2].trim());let a=HU(r);if(!a)return null;let o=typeof a.request_id==`string`?a.request_id:typeof a.requestId==`string`?a.requestId:void 0,s=typeof a.type==`string`?a.type:void 0,c=typeof a.message==`string`?a.message:void 0,l,u;if(a.error&&typeof a.error==`object`&&!Array.isArray(a.error)){let e=a.error;typeof e.type==`string`&&(l=e.type),typeof e.code==`string`&&!l&&(l=e.code),typeof e.message==`string`&&(u=e.message)}return{httpCode:n,type:l??s,message:u??c,requestId:o}}function KU(e){let t=(e??``).trim();if(!t)return`LLM request failed with an unknown error.`;let n=NU(t);if(n&&PU(t))return`The AI service is temporarily unavailable (HTTP ${n.code}). Please try again in a moment.`;let r=t.match(fU);if(r){let e=r[2].trim();if(!e.startsWith(`{`))return`HTTP ${r[1]}: ${e}`}let i=GU(t);if(i?.message){let e=i.httpCode?`HTTP ${i.httpCode}`:`LLM error`,t=i.type?` ${i.type}`:``,n=i.requestId?` (request_id: ${i.requestId})`:``;return`${e}${t}: ${i.message}${n}`}return t.length>600?`${t.slice(0,600)}…`:t}function qU(e,t){let n=(e.errorMessage??``).trim();if(e.stopReason!==`error`&&!n)return;if(!n)return`LLM request failed with an unknown error.`;let r=n.match(/unknown tool[:\s]+["']?([a-z0-9_-]+)["']?/i)??n.match(/tool\s+["']?([a-z0-9_-]+)["']?\s+(?:not found|is not available)/i);if(r?.[1]){let e=cH({cfg:t?.cfg,sessionKey:t?.sessionKey,toolName:r[1]});if(e)return e}if(nU(n))return`Context overflow: prompt too large for the model. Try /reset (or /new) to start a fresh session, or use a larger-context model.`;if(eU(n))return`Reasoning is required for this model endpoint. Use /think minimal (or any non-off level) and try again.`;if(/incorrect role information|roles must alternate|400.*role|"message".*role.*information/i.test(n))return`Message ordering conflict - please try again. If this persists, use /new to start a fresh session.`;if(tW(n))return`Session history looks corrupted (tool call input missing). Use /new to start a fresh session. If this keeps happening, reset the session or delete the corrupted session transcript.`;let i=n.match(/"type":"invalid_request_error".*?"message":"([^"]+)"/);return i?.[1]?`LLM request rejected: ${i[1]}`:$H(n)||(WH(n)?`LLM request timed out.`:KH(n)?ZH(t?.provider,t?.model??e.model):zU(n)||WU(n)?KU(n):(n.length>600&&XH.warn(`Long error truncated: ${n.slice(0,200)}`),n.length>600?`${n.slice(0,600)}…`:n))}function JU(e,t){if(!e)return e;let n=t?.errorContext??!1,r=LU(e),i=r.trim();if(!i)return``;if(n){if(/incorrect role information|roles must alternate/i.test(i))return`Message ordering conflict - please try again. If this persists, use /new to start a fresh session.`;if(BU(i))return`Context overflow: prompt too large for the model. Try /reset (or /new) to start a fresh session, or use a larger-context model.`;if(KH(i))return QH;if(WU(i)||zU(i))return KU(i);if(uU.test(i))return $H(i)||(WH(i)?`LLM request timed out.`:KU(i))}return RU(r.replace(/^(?:[ \t]*\r?\n)+/,``))}function YU(e){return!e||e.stopReason!==`error`?!1:UH(e.errorMessage??``)}const XU=/tool_(?:use|call)\.(?:input|arguments).*?(?:field required|required)/i,ZU=/messages\.\d+\.content\.\d+\.tool_(?:use|call)\.(?:input|arguments)/i,QU=/image dimensions exceed max allowed size for many-image requests:\s*(\d+)\s*pixels/i,$U=/messages\.(\d+)\.content\.(\d+)\.image/i,eW=/image exceeds\s*(\d+(?:\.\d+)?)\s*mb/i;function tW(e){return e?XU.test(e)||ZU.test(e):!1}function nW(e){return!e||e.stopReason!==`error`?!1:KH(e.errorMessage??``)}function rW(e){if(!e)return!1;let t=e.toLowerCase();return t.includes(`"type":"api_error"`)&&t.includes(`internal server error`)}function iW(e){if(!e||!e.toLowerCase().includes(`image dimensions exceed max allowed size`))return null;let t=e.match(QU),n=e.match($U);return{maxDimensionPx:t?.[1]?Number.parseInt(t[1],10):void 0,messageIndex:n?.[1]?Number.parseInt(n[1],10):void 0,contentIndex:n?.[2]?Number.parseInt(n[2],10):void 0,raw:e}}function aW(e){return!!iW(e)}function oW(e){if(!e)return null;let t=e.toLowerCase();if(!t.includes(`image exceeds`)||!t.includes(`mb`))return null;let n=e.match(eW);return{maxMb:n?.[1]?Number.parseFloat(n[1]):void 0,raw:e}}function sW(e){return e?!!oW(e):!1}function cW(e){return!aW(e)&&HH(e)}function lW(e){return!e||e.stopReason!==`error`?!1:JH(e.errorMessage??``)}function uW(e){if(!e)return!1;let t=e.toLowerCase();return!!(t.includes(`unknown model`)||t.includes(`model not found`)||t.includes(`model_not_found`)||t.includes(`not_found_error`)||t.includes(`does not exist`)&&t.includes(`model`)||t.includes(`invalid model`)&&!t.includes(`invalid model reference`)||/models\/[^\s]+ is not found/i.test(e)||/\b404\b/.test(e)&&/not[-_ ]?found/i.test(e))}function dW(e){if(!e)return!1;let t=e.toLowerCase();return t.includes(`session not found`)||t.includes(`session does not exist`)||t.includes(`session expired`)||t.includes(`session invalid`)||t.includes(`conversation not found`)||t.includes(`conversation does not exist`)||t.includes(`conversation expired`)||t.includes(`conversation invalid`)||t.includes(`no such session`)||t.includes(`invalid session`)||t.includes(`session id not found`)||t.includes(`conversation id not found`)}function fW(e){return aW(e)||sW(e)?null:dW(e)?`session_expired`:uW(e)?`model_not_found`:MU(e)||(GH(e)?KH(e)?`billing`:`rate_limit`:UH(e)?`rate_limit`:YH(e)?`overloaded`:FU(e)?NU(e.trim())?.code===529?`overloaded`:`timeout`:rW(e)?`timeout`:cW(e)?`format`:KH(e)?`billing`:WH(e)?`timeout`:qH(e)?`auth_permanent`:JH(e)?`auth`:null)}function pW(e){return fW(e)!==null}function mW(e){return!e||e.stopReason!==`error`?!1:pW(e.errorMessage??``)}function hW(e){return e===`google-gemini-cli`||e===`google-generative-ai`}function gW(e){if(!e)return null;let t=null;if(typeof e==`string`){let n=e.trim();if(!n.startsWith(`{`)||!n.endsWith(`}`))return null;try{t=JSON.parse(n)}catch{return null}}else typeof e==`object`&&(t=e);if(!t)return null;let n=typeof t.id==`string`?t.id:``,r=typeof t.type==`string`?t.type:``;return n.startsWith(`rs_`)&&(r===`reasoning`||r.startsWith(`reasoning.`))?{id:n,type:r}:null}function _W(e,t){for(let n=t+1;n<e.length;n++){let t=e[n];if(!t||typeof t!=`object`||t.type!==`thinking`)return!0}return!1}function vW(e){let t=e.indexOf(`|`);return t<=0||t>=e.length-1?{callId:e}:{callId:e.slice(0,t),itemId:e.slice(t+1)}}function yW(e){return e===`toolCall`||e===`toolUse`||e===`functionCall`}function bW(e){let t=!1,n=[],r=null;for(let i of e){if(!i||typeof i!=`object`){r=null,n.push(i);continue}let e=i.role;if(e===`assistant`){let e=i;if(!Array.isArray(e.content)){r=null,n.push(i);continue}let a=new Map,o=!1,s=!1,c=e.content.map(e=>{if(!e||typeof e!=`object`)return e;let t=e;if(t.type===`thinking`&&gW(t.thinkingSignature))return o=!0,e;let n=e;if(!yW(n.type)||typeof n.id!=`string`)return e;let r=vW(n.id);return o||!r.itemId||!r.itemId.startsWith(`fc_`)?e:(s=!0,a.set(n.id,r.callId),{...e,id:r.callId})});if(r=a.size>0?a:null,!s){n.push(i);continue}t=!0,n.push({...e,content:c});continue}if(e===`toolResult`&&r&&r.size>0){let e=i,a=!1,o={};if(typeof e.toolCallId==`string`){let t=r.get(e.toolCallId);t&&t!==e.toolCallId&&(o.toolCallId=t,a=!0)}if(typeof e.toolUseId==`string`){let t=r.get(e.toolUseId);t&&t!==e.toolUseId&&(o.toolUseId=t,a=!0)}if(!a){n.push(i);continue}t=!0,n.push({...e,...o});continue}r=null,n.push(i)}return t?n:e}function xW(e){let t=[];for(let n of e){if(!n||typeof n!=`object`){t.push(n);continue}if(n.role!==`assistant`){t.push(n);continue}let e=n;if(!Array.isArray(e.content)){t.push(n);continue}let r=!1,i=[];for(let t=0;t<e.content.length;t++){let n=e.content[t];if(!n||typeof n!=`object`){i.push(n);continue}let a=n;if(a.type!==`thinking`){i.push(n);continue}if(!gW(a.thinkingSignature)){i.push(n);continue}if(_W(e.content,t)){i.push(n);continue}r=!0}if(!r){t.push(n);continue}i.length!==0&&t.push({...e,content:i})}return t}const SW=new Set([`toolCall`,`toolUse`,`functionCall`]);function CW(e,t=`strict`){if(!e||typeof e!=`string`)return t===`strict9`?`defaultid`:`defaulttoolid`;if(t===`strict9`){let t=e.replace(/[^a-zA-Z0-9]/g,``);return t.length>=9?t.slice(0,9):t.length>0?EW(t,9):EW(`sanitized`,9)}let n=e.replace(/[^a-zA-Z0-9]/g,``);return n.length>0?n:`sanitizedtoolid`}function wW(e){let t=e.content;if(!Array.isArray(t))return[];let n=[];for(let e of t){if(!e||typeof e!=`object`)continue;let t=e;typeof t.id!=`string`||!t.id||typeof t.type==`string`&&SW.has(t.type)&&n.push({id:t.id,name:typeof t.name==`string`?t.name:void 0})}return n}function TW(e){let t=e.toolCallId;if(typeof t==`string`&&t)return t;let n=e.toolUseId;return typeof n==`string`&&n?n:null}function EW(e,t=8){return Vn(`sha256`).update(e).digest(`hex`).slice(0,t)}function DW(e){if(e.mode===`strict9`){let t=CW(e.id,e.mode),n=t.length>=9?t.slice(0,9):``;if(n&&!e.used.has(n))return n;for(let t=0;t<1e3;t+=1){let n=EW(`${e.id}:${t}`,9);if(!e.used.has(n))return n}return EW(`${e.id}:${Date.now()}`,9)}let t=CW(e.id,e.mode).slice(0,40);if(!e.used.has(t))return t;let n=EW(e.id),r=e.mode===`strict`?``:`_`,i=40-r.length-n.length,a=`${t.length>i?t.slice(0,i):t}${r}${n}`;if(!e.used.has(a))return a;for(let t=2;t<1e3;t+=1){let n=e.mode===`strict`?`x${t}`:`_${t}`,r=`${a.slice(0,40-n.length)}${n}`;if(!e.used.has(r))return r}let o=e.mode===`strict`?`t${Date.now()}`:`_${Date.now()}`;return`${a.slice(0,40-o.length)}${o}`}function OW(e){let t=e.message.content;if(!Array.isArray(t))return e.message;let n=!1,r=t.map(t=>{if(!t||typeof t!=`object`)return t;let r=t,i=r.type,a=r.id;if(i!==`functionCall`&&i!==`toolUse`&&i!==`toolCall`||typeof a!=`string`||!a)return t;let o=e.resolve(a);return o===a?t:(n=!0,{...t,id:o})});return n?{...e.message,content:r}:e.message}function kW(e){let t=typeof e.message.toolCallId==`string`&&e.message.toolCallId?e.message.toolCallId:void 0,n=e.message.toolUseId,r=typeof n==`string`&&n?n:void 0,i=t?e.resolve(t):void 0,a=r?e.resolve(r):void 0;return i===t&&a===r?e.message:{...e.message,...i&&{toolCallId:i},...a&&{toolUseId:a}}}function AW(e,t=`strict`){let n=new Map,r=new Set,i=e=>{let i=n.get(e);if(i)return i;let a=DW({id:e,used:r,mode:t});return n.set(e,a),r.add(a),a},a=!1,o=e.map(e=>{if(!e||typeof e!=`object`)return e;let t=e.role;if(t===`assistant`){let t=OW({message:e,resolve:i});return t!==e&&(a=!0),t}if(t===`toolResult`){let t=kW({message:e,resolve:i});return t!==e&&(a=!0),t}return e});return a?o:e}function jW(e){let t=0;for(let n=0;n<e.length;n+=1)e.charCodeAt(n)<=32||(t+=1);if(t===0)return 0;let n=0,r=e.length-1;for(;r>=0&&e.charCodeAt(r)<=32;)--r;if(r>=0&&e[r]===`=`){for(n=1,--r;r>=0&&e.charCodeAt(r)<=32;)--r;r>=0&&e[r]===`=`&&(n=2)}let i=Math.floor(t*3/4)-n;return Math.max(0,i)}const MW=/^[A-Za-z0-9+/]+={0,2}$/;function NW(e){let t=e.replace(/\s+/g,``);if(!(!t||t.length%4!=0||!MW.test(t)))return t}function PW(e){let t=e?.agents?.defaults?.imageMaxDimensionPx;return typeof t!=`number`||!Number.isFinite(t)?{}:{maxDimensionPx:Math.max(1,Math.floor(t))}}const FW=s(`agents/tool-images`);function IW(e){if(!e||typeof e!=`object`)return!1;let t=e;return t.type===`image`&&typeof t.data==`string`&&typeof t.mimeType==`string`}function LW(e){if(!e||typeof e!=`object`)return!1;let t=e;return t.type===`text`&&typeof t.text==`string`}function RW(e){let t=e.trim();if(t){if(t.startsWith(`/9j/`))return`image/jpeg`;if(t.startsWith(`iVBOR`))return`image/png`;if(t.startsWith(`R0lGOD`))return`image/gif`}}function zW(e){return!Number.isFinite(e)||e<1024?`${Math.max(0,Math.round(e))}B`:e<1024*1024?`${(e/1024).toFixed(1)}KB`:`${(e/(1024*1024)).toFixed(2)}MB`}function BW(e){for(let t of e.split(/\r?\n/u)){let e=t.trim();if(!e.startsWith(`MEDIA:`))continue;let n=e.slice(6).trim();if(n)return(n.match(/^`([^`]+)`$/u)?.[1]??n).trim()}}function VW(e){let t=e.trim();if(!t)return;try{let e=new URL(t).pathname.split(`/`).filter(Boolean).at(-1);return e&&e.length>0?e:void 0}catch{}let n=t.replaceAll(`\\`,`/`).split(`/`).filter(Boolean).at(-1);return n&&n.length>0?n:void 0}function HW(e){let t=e.block;for(let e of[`fileName`,`filename`,`path`,`url`]){let n=t[e];if(typeof n!=`string`||n.trim().length===0)continue;let r=VW(n);if(r)return r}if(typeof t.name==`string`&&t.name.trim().length>0)return t.name.trim();if(e.mediaPathHint){let t=VW(e.mediaPathHint);if(t)return t}if(typeof e.label==`string`&&e.label.startsWith(`read:`)){let t=VW(e.label.slice(5));if(t)return t}}async function UW(e){let t=Buffer.from(e.base64,`base64`),n=await xN(t),r=n?.width,i=n?.height,a=t.byteLength>e.maxBytes,o=typeof r==`number`&&typeof i==`number`,s=o&&(r>e.maxDimensionPx||i>e.maxDimensionPx);if(o&&!a&&r<=e.maxDimensionPx&&i<=e.maxDimensionPx)return{base64:e.base64,mimeType:e.mimeType,resized:!1,width:r,height:i};let c=o?Math.max(r??0,i??0):e.maxDimensionPx,l=c>0?Math.min(e.maxDimensionPx,c):e.maxDimensionPx,u=fN(e.maxDimensionPx,l),d=null;for(let n of u)for(let o of dN){let c=await CN({buffer:t,maxSide:n,quality:o,withoutEnlargement:!0});if((!d||c.byteLength<d.size)&&(d={buffer:c,size:c.byteLength}),c.byteLength<=e.maxBytes){let l=typeof r==`number`&&typeof i==`number`?`${r}x${i}px`:`unknown`,u=e.fileName?`${e.fileName} ${l}`:l,d=t.byteLength>0?Number(((t.byteLength-c.byteLength)/t.byteLength*100).toFixed(1)):0;return FW.info(`Image resized to fit limits: ${u} ${zW(t.byteLength)} -> ${zW(c.byteLength)} (-${d}%)`,{label:e.label,fileName:e.fileName,sourceMimeType:e.mimeType,sourceWidth:r,sourceHeight:i,sourceBytes:t.byteLength,maxBytes:e.maxBytes,maxDimensionPx:e.maxDimensionPx,triggerOverBytes:a,triggerOverDimensions:s,outputMimeType:`image/jpeg`,outputBytes:c.byteLength,outputQuality:o,outputMaxSide:n,byteReductionPct:d}),{base64:c.toString(`base64`),mimeType:`image/jpeg`,resized:!0,width:r,height:i}}}let f=d?.buffer??t,p=(e.maxBytes/(1024*1024)).toFixed(0),m=(f.byteLength/(1024*1024)).toFixed(2),h=typeof r==`number`&&typeof i==`number`?`${r}x${i}px`:`unknown`,g=e.fileName?`${e.fileName} ${h}`:h;throw FW.warn(`Image resize failed to fit limits: ${g} best=${zW(f.byteLength)} limit=${zW(e.maxBytes)}`,{label:e.label,fileName:e.fileName,sourceMimeType:e.mimeType,sourceWidth:r,sourceHeight:i,sourceBytes:t.byteLength,maxDimensionPx:e.maxDimensionPx,maxBytes:e.maxBytes,smallestCandidateBytes:f.byteLength,triggerOverBytes:a,triggerOverDimensions:s}),Error(`Image could not be reduced below ${p}MB (got ${m}MB)`)}async function WW(e,t,n={}){let r=Math.max(n.maxDimensionPx??1200,1),i=Math.max(n.maxBytes??5242880,1),a=[],o;for(let n of e){if(LW(n)){let e=BW(n.text);e&&(o=e)}if(!IW(n)){a.push(n);continue}let e=n.data.trim();if(!e){a.push({type:`text`,text:`[${t}] omitted empty image payload`});continue}let s=NW(e);if(!s){a.push({type:`text`,text:`[${t}] omitted image payload: invalid base64`});continue}try{let e=RW(s)??n.mimeType,c=await UW({base64:s,mimeType:e,maxDimensionPx:r,maxBytes:i,label:t,fileName:HW({block:n,label:t,mediaPathHint:o})});a.push({...n,data:c.base64,mimeType:c.resized?c.mimeType:e})}catch(e){a.push({type:`text`,text:`[${t}] omitted image payload: ${String(e)}`})}}return a}async function GW(e,t,n={}){if(e.length===0)return{images:e,dropped:0};let r=(await WW(e,t,n)).filter(IW);return{images:r,dropped:Math.max(0,e.length-r.length)}}async function KW(e,t,n={}){let r=Array.isArray(e.content)?e.content:[];if(!r.some(e=>IW(e)||LW(e)))return e;let i=await WW(r,t,n);return{...e,content:i}}async function qW(e,t,n){let r=(n?.sanitizeMode??`full`)===`full`,i={maxDimensionPx:n?.maxDimensionPx,maxBytes:n?.maxBytes},a=n?.sanitizeToolCallIds===!0?AW(e,n.toolCallIdMode):e,o=[];for(let e of a){if(!e||typeof e!=`object`){o.push(e);continue}let a=e.role;if(a===`toolResult`){let n=e,r=await WW(Array.isArray(n.content)?n.content:[],t,i);o.push({...n,content:r});continue}if(a===`user`){let n=e,r=n.content;if(Array.isArray(r)){let e=await WW(r,t,i);o.push({...n,content:e});continue}}if(a===`assistant`){let a=e;if(a.stopReason===`error`){let e=a.content;if(Array.isArray(e)){let n=await WW(e,t,i);o.push({...a,content:n})}else o.push(a);continue}let s=a.content;if(Array.isArray(s)){if(!r){let e=await WW(s,t,i);o.push({...a,content:e});continue}let e=await WW((n?.preserveSignatures?s:QC(s,n?.sanitizeThoughtSignatures)).filter(e=>{if(!e||typeof e!=`object`)return!0;let t=e;return t.type!==`text`||typeof t.text!=`string`?!0:t.text.trim().length>0}),t,i);if(e.length===0)continue;o.push({...a,content:e});continue}}o.push(e)}return o}function JW(e){return e.trim().toLowerCase().replace(/\p{Emoji_Presentation}|\p{Extended_Pictographic}/gu,``).replace(/\s+/g,` `).trim()}function YW(e,t){return t.length===0||!e||e.length<10?!1:t.some(t=>!t||t.length<10?!1:e.includes(t)||t.includes(e))}function XW(e,t){if(t.length===0)return!1;let n=JW(e);return!n||n.length<10?!1:YW(n,t.map(JW))}function ZW(e){if(!e)return``;let t=e.trim().toLowerCase();return t===`z.ai`||t===`z-ai`?`zai`:t}function QW(e){return ZW(e)===`zai`}const $W=[`openai/gpt-5.4`,`openai/gpt-5.4-pro`,`openai/gpt-5.2`,`openai-codex/gpt-5.4`,`openai-codex/gpt-5.3-codex`,`openai-codex/gpt-5.3-codex-spark`,`openai-codex/gpt-5.2-codex`,`openai-codex/gpt-5.1-codex`,`github-copilot/gpt-5.2-codex`,`github-copilot/gpt-5.2`],eG=new Set($W.map(e=>e.toLowerCase())),tG=new Set($W.map(e=>e.split(`/`)[1]?.toLowerCase()).filter(e=>!!e));function nG(e){if(!e)return;let t=e.trim().toLowerCase(),n=t.replace(/[\s_-]+/g,``);if(n===`adaptive`||n===`auto`)return`adaptive`;if(n===`xhigh`||n===`extrahigh`)return`xhigh`;if([`off`].includes(t))return`off`;if([`on`,`enable`,`enabled`].includes(t))return`low`;if([`min`,`minimal`].includes(t))return`minimal`;if([`low`,`thinkhard`,`think-hard`,`think_hard`].includes(t))return`low`;if([`mid`,`med`,`medium`,`thinkharder`,`think-harder`,`harder`].includes(t))return`medium`;if([`high`,`ultra`,`ultrathink`,`think-hard`,`thinkhardest`,`highest`,`max`].includes(t))return`high`;if([`think`].includes(t))return`minimal`}function rG(e,t){let n=t?.trim().toLowerCase();if(!n)return!1;let r=e?.trim().toLowerCase();return r?eG.has(`${r}/${n}`):tG.has(n)}function iG(e,t){let n=[`off`,`minimal`,`low`,`medium`,`high`];return rG(e,t)&&n.push(`xhigh`),n.push(`adaptive`),n}function aG(e,t){return QW(e)?[`off`,`on`]:iG(e,t)}function oG(e,t,n=`, `){return aG(e,t).join(n)}function sG(){let e=[...$W];return e.length===0?`unknown model`:e.length===1?e[0]:e.length===2?`${e[0]} or ${e[1]}`:`${e.slice(0,-1).join(`, `)} or ${e[e.length-1]}`}function cG(e){if(!e)return;let t=e.toLowerCase();if([`off`,`false`,`no`,`0`].includes(t))return`off`;if([`full`,`all`,`everything`].includes(t))return`full`;if([`on`,`minimal`,`true`,`yes`,`1`].includes(t))return`on`}function lG(e){return cG(e)}function uG(e){if(!e)return;let t=e.toLowerCase();if([`off`,`false`,`no`,`0`,`disable`,`disabled`].includes(t))return`off`;if([`on`,`true`,`yes`,`1`,`enable`,`enabled`].includes(t)||[`tokens`,`token`,`tok`,`minimal`,`min`].includes(t))return`tokens`;if([`full`,`session`].includes(t))return`full`}function dG(e){return uG(e)??`off`}function fG(e){if(!e)return;let t=e.toLowerCase();if([`off`,`false`,`no`,`0`].includes(t))return`off`;if([`full`,`auto`,`auto-approve`,`autoapprove`].includes(t))return`full`;if([`ask`,`prompt`,`approval`,`approve`].includes(t))return`ask`;if([`on`,`true`,`yes`,`1`].includes(t))return`on`}function pG(e){if(!e)return;let t=e.toLowerCase();if([`off`,`false`,`no`,`0`,`hide`,`hidden`,`disable`,`disabled`].includes(t))return`off`;if([`on`,`true`,`yes`,`1`,`show`,`visible`,`enable`,`enabled`].includes(t))return`on`;if([`stream`,`streaming`,`draft`,`live`].includes(t))return`stream`}function mG(e){let t=e.match(/supported values are:\s*([^\n.]+)/i)??e.match(/supported values:\s*([^\n.]+)/i);if(!t?.[1])return[];let n=t[1],r=Array.from(n.matchAll(/['"]([^'"]+)['"]/g)).map(e=>e[1]?.trim());return r.length>0?r.filter(e=>!!e):n.split(/,|\band\b/gi).map(e=>e.replace(/^[^a-zA-Z]+|[^a-zA-Z]+$/g,``).trim()).filter(Boolean)}function hG(e){let t=e.message?.trim();if(!t)return;let n=mG(t);if(n.length===0)return/not supported/i.test(t)&&!e.attempted.has(`off`)?`off`:void 0;for(let t of n){let n=nG(t);if(n&&!e.attempted.has(n))return n}}function gG(e){let t=[];for(let n=0;n<e.length;n++){let r=e[n];if(!r||typeof r!=`object`){t.push(r);continue}if(r.role!==`assistant`){t.push(r);continue}let i=r,a=e[n+1];if((a&&typeof a==`object`?a.role:void 0)!==`user`){t.push(r);continue}let o=a,s=new Set;if(Array.isArray(o.content))for(let e of o.content)e&&e.type===`toolResult`&&e.toolUseId&&s.add(e.toolUseId);let c=Array.isArray(i.content)?i.content:[],l=c.filter(e=>e?e.type===`toolUse`?s.has(e.id||``):!0:!1);c.length>0&&l.length===0?t.push({...i,content:[{type:`text`,text:`[tool calls omitted]`}]}):t.push({...i,content:l})}return t}function _G(e){let{messages:t,role:n,merge:r}=e;if(!Array.isArray(t)||t.length===0)return t;let i=[],a;for(let e of t){if(!e||typeof e!=`object`){i.push(e);continue}let t=e.role;if(!t){i.push(e);continue}if(t===a&&a===n){let t=i[i.length-1],n=e;if(t&&typeof t==`object`){let e=t;i[i.length-1]=r(e,n);continue}}i.push(e),a=t}return i}function vG(e,t){let n=[...Array.isArray(e.content)?e.content:[],...Array.isArray(t.content)?t.content:[]];return{...e,content:n,...t.usage&&{usage:t.usage},...t.stopReason&&{stopReason:t.stopReason},...t.errorMessage&&{errorMessage:t.errorMessage}}}function yG(e){return _G({messages:e,role:`assistant`,merge:vG})}function bG(e,t){let n=[...Array.isArray(e.content)?e.content:[],...Array.isArray(t.content)?t.content:[]];return{...t,content:n,timestamp:t.timestamp??e.timestamp}}function xG(e){return _G({messages:gG(e),role:`user`,merge:bG})}const SG=64e3,CG=8e3,wG=/\brequest[_ ]?id\b\s*[:=]\s*["'()]*([A-Za-z0-9._:-]+)/i,TG=[String.raw`\b(?:x-)?api[-_]?key\b\s*[:=]\s*(["']?)([^\s"'\\;]+)\1`,String.raw`"(?:api[-_]?key|api_key)"\s*:\s*"([^"]+)"`,String.raw`(?:\bCookie\b\s*[:=]\s*[^;=\s]+=|;\s*[^;=\s]+=)([^;\s\r\n]+)`];function EG(){let e=r()?.redactPatterns;return Array.isArray(e)?e.filter(e=>typeof e==`string`):[]}function DG(e,t){let n=e?.trim();if(n)return n.length>t?`${n.slice(0,t)}…`:n}function OG(e){let t=e?.trim();if(t)return t.length>SG?t.slice(0,SG):t}function kG(e,t=200){let n=e?.trim();if(!n)return;let r=Array.from(n).filter(e=>{let t=e.charCodeAt(0);return!(t<=8||t===11||t===12||t>=14&&t<=31||t===127)}).join(``).replace(/[\r\n\t]+/g,` `).replace(/\s+/g,` `).trim();return r.length>t?`${r.slice(0,t)}…`:r}function AG(e,t){return!e||!t?e:e.split(t).join(XC(t,{len:12}))}function jG(e){if(!e)return e;let t=EG();return ln(e,{mode:`tools`,patterns:[...un(),...t,...TG]})}function MG(e){if(e)return e.match(wG)?.[1]?.trim()||void 0}function NG(e){let t=e.message&&e.message.length>CG?e.message.slice(0,CG):e.message;return(e.httpCode||e.type||t?IH({httpCode:e.httpCode,type:e.type,message:t}):null)||(e.requestId?e.raw.split(e.requestId).join(`<request_id>`):UU(e.raw))}function PG(e){let t=OG(e);if(!t)return{};try{let e=GU(t),n=e?.requestId??MG(t),r=n?XC(n,{len:12}):void 0,i=NG({raw:t,requestId:n,httpCode:e?.httpCode,type:e?.type,message:e?.message}),a=AG(jG(t),n),o=AG(jG(e?.message),n);return{rawErrorPreview:DG(a,400),rawErrorHash:XC(t,{len:12}),rawErrorFingerprint:i?XC(i,{len:12}):void 0,httpCode:e?.httpCode,providerErrorType:e?.type,providerErrorMessagePreview:DG(o,200),requestIdHash:r}}catch{return{}}}function FG(e){let t=PG(e);return{textPreview:t.rawErrorPreview,textHash:t.rawErrorHash,textFingerprint:t.rawErrorFingerprint,httpCode:t.httpCode,providerErrorType:t.providerErrorType,providerErrorMessagePreview:t.providerErrorMessagePreview,requestIdHash:t.requestIdHash}}const IG=s(`agent/embedded`);function LG(e){let t=e.reason===`billing`||e.reason===`auth_permanent`?`disabled`:`cooldown`,n=e.previous?.cooldownUntil,r=e.previous?.disabledUntil,i=t===`disabled`?typeof r==`number`&&Number.isFinite(r)&&r>e.now&&r===e.next.disabledUntil:typeof n==`number`&&Number.isFinite(n)&&n>e.now&&n===e.next.cooldownUntil,a=XC(e.profileId,{len:12}),o=kG(e.runId)??`-`,s=kG(e.provider)??`-`;IG.warn(`auth profile failure state updated`,{event:`auth_profile_failure_state_updated`,tags:[`error_handling`,`auth_profiles`,t],runId:e.runId,profileId:a,provider:e.provider,reason:e.reason,windowType:t,windowReused:i,previousErrorCount:e.previous?.errorCount,errorCount:e.next.errorCount,previousCooldownUntil:n,cooldownUntil:e.next.cooldownUntil,previousDisabledUntil:r,disabledUntil:e.next.disabledUntil,previousDisabledReason:e.previous?.disabledReason,disabledReason:e.next.disabledReason,failureCounts:e.next.failureCounts,consoleMessage:`auth profile failure state updated: runId=${o} profile=${a} provider=${s} reason=${e.reason} window=${t} reused=${String(i)}`})}const RG=[`auth_permanent`,`auth`,`billing`,`format`,`model_not_found`,`overloaded`,`timeout`,`rate_limit`,`unknown`],zG=new Set(RG),BG=new Map(RG.map((e,t)=>[e,t]));function VG(e){let t=N(e??``);return t===`openrouter`||t===`kilocode`}function HG(e){let t=[e.cooldownUntil,e.disabledUntil].filter(e=>typeof e==`number`).filter(e=>Number.isFinite(e)&&e>0);return t.length===0?null:Math.max(...t)}function UG(e,t,n){if(VG(e.profiles[t]?.provider))return!1;let r=e.usageStats?.[t];if(!r)return!1;let i=HG(r);return i?(n??Date.now())<i:!1}function WG(e,t){return typeof e==`number`&&Number.isFinite(e)&&e>0&&t<e}function GG(e){let t=e.now??Date.now(),n=new Map,r=(e,t)=>{!zG.has(e)||t<=0||!Number.isFinite(t)||n.set(e,(n.get(e)??0)+t)};for(let n of e.profileIds){let i=e.store.usageStats?.[n];if(!i)continue;if(WG(i.disabledUntil,t)&&i.disabledReason&&zG.has(i.disabledReason)){r(i.disabledReason,1e3);continue}if(!WG(i.cooldownUntil,t))continue;let a=!1;for(let[e,t]of Object.entries(i.failureCounts??{})){let n=e,i=typeof t==`number`?t:0;!zG.has(n)||i<=0||(r(n,i),a=!0)}a||r(`unknown`,1)}if(n.size===0)return null;let i=null,a=-1,o=2**53-1;for(let e of RG){let t=n.get(e);if(typeof t!=`number`)continue;let r=BG.get(e)??2**53-1;(t>a||t===a&&r<o)&&(i=e,a=t,o=r)}return i}function KG(e,t){let n=null;for(let r of t){let t=e.usageStats?.[r];if(!t)continue;let i=HG(t);typeof i!=`number`||!Number.isFinite(i)||i<=0||(n===null||i<n)&&(n=i)}return n}function qG(e,t){let n=e.usageStats;if(!n)return!1;let r=t??Date.now(),i=!1;for(let[e,t]of Object.entries(n)){if(!t)continue;let a=!1,o=typeof t.cooldownUntil==`number`&&Number.isFinite(t.cooldownUntil)&&t.cooldownUntil>0&&r>=t.cooldownUntil,s=typeof t.disabledUntil==`number`&&Number.isFinite(t.disabledUntil)&&t.disabledUntil>0&&r>=t.disabledUntil;o&&(t.cooldownUntil=void 0,a=!0),s&&(t.disabledUntil=void 0,t.disabledReason=void 0,a=!0),a&&!HG(t)&&(t.errorCount=0,t.failureCounts=void 0),a&&(n[e]=t,i=!0)}return i}async function JG(e){let{store:t,profileId:n,agentDir:r}=e,i=await ll({agentDir:r,updater:e=>e.profiles[n]?(eK(e,n,e=>$G(e,{lastUsed:Date.now()})),!0):!1});if(i){t.usageStats=i.usageStats;return}t.profiles[n]&&(eK(t,n,e=>$G(e,{lastUsed:Date.now()})),Tl(t,r))}function YG(e){let t=Math.max(1,e);return Math.min(3600*1e3,60*1e3*5**Math.min(t-1,3))}function XG(e){let t={billingBackoffHours:5,billingMaxHours:24,failureWindowHours:24},n=(e,t)=>typeof e==`number`&&Number.isFinite(e)&&e>0?e:t,r=e.cfg?.auth?.cooldowns,i=n((()=>{let t=r?.billingBackoffHoursByProvider;if(t){for(let[n,r]of Object.entries(t))if(N(n)===e.providerId)return r}})()??r?.billingBackoffHours,t.billingBackoffHours),a=n(r?.billingMaxHours,t.billingMaxHours),o=n(r?.failureWindowHours,t.failureWindowHours);return{billingBackoffMs:i*60*60*1e3,billingMaxMs:a*60*60*1e3,failureWindowMs:o*60*60*1e3}}function ZG(e){let t=Math.max(1,e.errorCount),n=Math.max(6e4,e.baseMs),r=Math.max(n,e.maxMs),i=n*2**Math.min(t-1,10);return Math.min(r,i)}function QG(e,t){if(VG(e.profiles[t]?.provider))return null;let n=e.usageStats?.[t];return n?HG(n):null}function $G(e,t){return{...e,errorCount:0,cooldownUntil:void 0,disabledUntil:void 0,disabledReason:void 0,failureCounts:void 0,...t}}function eK(e,t,n){e.usageStats=e.usageStats??{},e.usageStats[t]=n(e.usageStats[t])}function tK(e){let{existingUntil:t,now:n,recomputedUntil:r}=e;return typeof t==`number`&&Number.isFinite(t)&&t>n?t:r}function nK(e){let t=e.cfgResolved.failureWindowMs,n=typeof e.existing.lastFailureAt==`number`&&e.existing.lastFailureAt>0&&e.now-e.existing.lastFailureAt>t,r=HG(e.existing),i=typeof r==`number`&&e.now>=r,a=n||i,o=(a?0:e.existing.errorCount??0)+1,s=a?{}:{...e.existing.failureCounts};s[e.reason]=(s[e.reason]??0)+1;let c={...e.existing,errorCount:o,failureCounts:s,lastFailureAt:e.now};if(e.reason===`billing`||e.reason===`auth_permanent`){let t=ZG({errorCount:s[e.reason]??1,baseMs:e.cfgResolved.billingBackoffMs,maxMs:e.cfgResolved.billingMaxMs});c.disabledUntil=tK({existingUntil:e.existing.disabledUntil,now:e.now,recomputedUntil:e.now+t}),c.disabledReason=e.reason}else{let t=YG(o);c.cooldownUntil=tK({existingUntil:e.existing.cooldownUntil,now:e.now,recomputedUntil:e.now+t})}return c}async function rK(e){let{store:t,profileId:n,reason:r,agentDir:i,cfg:a,runId:o}=e,s=t.profiles[n];if(!s||VG(s.provider))return;let c,l,u=0,d=await ll({agentDir:i,updater:e=>{let t=e.profiles[n];if(!t||VG(t.provider))return!1;let i=Date.now(),o=XG({cfg:a,providerId:N(t.provider)});l=e.usageStats?.[n],u=i;let s=nK({existing:l??{},now:i,reason:r,cfgResolved:o});return c=s,eK(e,n,()=>s),!0}});if(d){t.usageStats=d.usageStats,c&&LG({runId:o,profileId:n,provider:s.provider,reason:r,previous:l,next:c,now:u});return}if(!t.profiles[n])return;let f=Date.now(),p=XG({cfg:a,providerId:N(t.profiles[n]?.provider??``)});l=t.usageStats?.[n];let m=nK({existing:l??{},now:f,reason:r,cfgResolved:p});c=m,eK(t,n,()=>m),Tl(t,i),LG({runId:o,profileId:n,provider:t.profiles[n]?.provider??s.provider,reason:r,previous:l,next:c,now:f})}function iK(e){let t=tc(e.provider),n=e.store.profiles[e.profileId];if(!n)return{eligible:!1,reasonCode:`profile_missing`};if(tc(n.provider)!==t)return{eligible:!1,reasonCode:`provider_mismatch`};let r=e.cfg?.auth?.profiles?.[e.profileId];if(r){if(tc(r.provider)!==t)return{eligible:!1,reasonCode:`provider_mismatch`};if(r.mode!==n.type&&!(r.mode===`oauth`&&n.type===`token`))return{eligible:!1,reasonCode:`mode_mismatch`}}let i=MC({credential:n,now:e.now});return{eligible:i.eligible,reasonCode:i.reasonCode}}function aK(e){let{cfg:t,store:n,provider:r,preferredProfile:i}=e,a=N(r),o=tc(r),s=Date.now();qG(n,s);let c=nc(n.order,a),l=nc(t?.auth?.order,a),u=c??l,d=t?.auth?.profiles?Object.entries(t.auth.profiles).filter(([,e])=>tc(e.provider)===o).map(([e])=>e):[],f=u??(d.length>0?d:Al(n,r));if(f.length===0)return[];let p=e=>iK({cfg:t,store:n,provider:o,profileId:e,now:s}).eligible,m=f.filter(p),h=f.every(e=>!n.profiles[e]);m.length===0&&d.length>0&&h&&(m=Al(n,r).filter(p));let g=El(m);if(u&&u.length>0){let e=[],t=[];for(let r of g)if(UG(n,r)){let e=HG(n.usageStats?.[r]??{})??s;t.push({profileId:r,cooldownUntil:e})}else e.push(r);let r=t.toSorted((e,t)=>e.cooldownUntil-t.cooldownUntil).map(e=>e.profileId),a=[...e,...r];return i&&a.includes(i)?[i,...a.filter(e=>e!==i)]:a}let _=oK(g,n);return i&&_.includes(i)?[i,..._.filter(e=>e!==i)]:_}function oK(e,t){let n=Date.now(),r=[],i=[];for(let n of e)UG(t,n)?i.push(n):r.push(n);let a=r.map(e=>{let n=t.profiles[e]?.type;return{profileId:e,typeScore:n===`oauth`?0:n===`token`?1:n===`api_key`?2:3,lastUsed:t.usageStats?.[e]?.lastUsed??0}}).toSorted((e,t)=>e.typeScore===t.typeScore?e.lastUsed-t.lastUsed:e.typeScore-t.typeScore).map(e=>e.profileId),o=i.map(e=>({profileId:e,cooldownUntil:HG(t.usageStats?.[e]??{})??n})).toSorted((e,t)=>e.cooldownUntil-t.cooldownUntil).map(e=>e.profileId);return[...a,...o]}var sK=e({CLAUDE_CLI_PROFILE_ID:()=>fr,CODEX_CLI_PROFILE_ID:()=>pr,ensureAuthProfileStore:()=>wl});export{sU as $,JC as $a,Sc as $c,eE as $i,Jr as $l,aL as $n,Tg as $o,lA as $r,Ud as $s,lB as $t,JW as A,Xw as Aa,Qc as Ac,XE as Ai,Ya as Al,rz as An,Vx as Ao,aN as Ar,zp as As,IV as At,bW as B,xw as Ba,lc as Bc,yE as Bi,Mi as Bl,tR as Bn,Jx as Bo,SM as Br,ip as Bs,dV as Bt,nG as C,sT as Ca,kl as Cc,WD as Ci,To as Cl,gz as Cn,CS as Co,iP as Cr,wm as Cs,eH as Ct,rG as D,Kw as Da,Cl as Dc,QE as Di,eo as Dl,sz as Dn,zx as Do,kN as Dr,nm as Ds,YV as Dt,dG as E,Ww as Ea,bl as Ec,lD as Ei,$a as El,oz as En,Yx as Eo,TN as Er,um as Es,XV as Et,NW as F,kw as Fa,vc as Fc,UE as Fi,ia as Fl,aR as Fn,Kx as Fo,iN as Fr,Rf as Fs,jV as Ft,IU as G,aw as Ga,N as Gc,pE as Gi,Ti as Gl,TL as Gn,Hv as Go,zA as Gr,Df as Gs,kB as Gt,hW as H,fw as Ha,ec as Hc,DE as Hi,Ii as Hl,UL as Hn,Eb as Ho,yM as Hr,xp as Hs,qB as Ht,jW as I,Nw as Ia,dc as Ic,WE as Ii,aa as Il,cR as In,qx as Io,JM as Ir,Pp as Is,GV as It,KU as J,tw as Ja,uc as Jc,aE as Ji,xi as Jl,pL as Jn,Pv as Jo,bA as Jr,mf as Js,DB as Jt,qU as K,iw as Ka,cc as Kc,fE as Ki,Ci as Kl,bL as Kn,Ov as Ko,LA as Kr,Of as Ks,jB as Kt,wW as L,jw as La,fc as Lc,NE as Li,Ji as Ll,nR as Ln,rx as Lo,jM as Lr,Np as Ls,MV as Lt,GW as M,Rw as Ma,Zc as Mc,KE as Mi,Qa as Ml,QR as Mn,wx as Mo,eN as Mr,Up as Ms,OV as Mt,KW as N,Iw as Na,Lc as Nc,GE as Ni,Qi as Nl,ZR as Nn,Ux as No,XM as Nr,Hp as Ns,WV as Nt,XW as O,Gw as Oa,sl as Oc,$E as Oi,to as Ol,iz as On,Dx as Oo,CN as Or,lm as Os,JV as Ot,PW as P,zw as Pa,Dc as Pc,zE as Pi,$i as Pl,NR as Pn,Gx as Po,QM as Pr,Lp as Ps,TV as Pt,cW as Q,YC as Qa,pc as Qc,sE as Qi,Zr as Ql,QI as Qn,X_ as Qo,cA as Qr,rf as Qs,sB as Qt,TW as R,Mw as Ra,nc as Rc,RE as Ri,Xi as Rl,ZL as Rn,Rx as Ro,EM as Rr,Ep as Rs,UV as Rt,pG as S,uT as Sa,Ol as Sc,GD as Si,zo as Sl,mz as Sn,wS as So,mP as Sr,Om as Ss,rH as St,lG as T,$w as Ta,wl as Tc,dD as Ti,Mo as Tl,cz as Tn,Zx as To,xN as Tr,fm as Ts,ZV as Tt,QH as U,cw as Ua,sc as Uc,EE as Ui,Ai as Ul,WL as Un,zv as Uo,uM as Ur,bp as Us,NB as Ut,xW as V,dw as Va,ic as Vc,TE as Vi,Ni as Vl,JL as Vn,Rb as Vo,CM as Vr,np as Vs,uV as Vt,fW as W,pw as Wa,wc as Wc,_E as Wi,vi as Wl,GL as Wn,Bv as Wo,Dj as Wr,sp as Ws,MB as Wt,lW as X,ow as Xa,hc as Xc,iE as Xi,Yr as Xl,XI as Xn,Rv as Xo,gA as Xr,bf as Xs,EB as Xt,UU as Y,ew as Ya,mc as Yc,oE as Yi,_i as Yl,mL as Yn,Lv as Yo,pA as Yr,yf as Ys,OB as Yt,nW as Z,XC as Za,Cc as Zc,cE as Zi,Xr as Zl,oL as Zn,wv as Zo,dA as Zr,sf as Zs,oB as Zt,oG as _,ST as _a,Fl as _c,uO as _i,ts as _l,Tz as _n,LS as _o,HP as _r,Sh as _s,kH as _t,KG as a,zT as aa,_d as ac,Tk as ai,qs as al,Zz as an,wC as ao,sL as ar,Qh as as,WU as at,Dr as au,iG as b,_T as ba,jl as bc,KD as bi,_o as bl,Sz as bn,ES as bo,EP as br,Nm as bs,yH as bt,JG as c,XT as ca,$u as cc,nk as ci,fs as cl,Gz as cn,_C as co,BI as cr,Uh as cs,oW as ct,Sr as cu,PG as d,IT as da,hu as dc,vO as di,gs as dl,zz as dn,BS as do,YI as dr,Th as ds,WH as dt,yr as du,VT as ea,Td as ec,Fk as ei,gc as el,cB as en,MC as eo,$I as er,I as es,nU as et,Kr as eu,FG as f,LT as fa,Ql as fc,bO as fi,ys as fl,Vz as fn,zS as fo,JI as fr,wh as fs,NH as ft,vr as fu,hG as g,wT as ga,Rl as gc,dO as gi,ns as gl,Ez as gn,KS as go,eF as gr,Ah as gs,AH as gt,yG as h,CT as ha,Bl as hc,qD as hi,rs as hl,Nz as hn,WS as ho,tF as hr,Oh as hs,PH as ht,pr as hu,qG as i,$T as ia,hd as ic,bk as ii,Ls as il,iB as in,CC as io,tL as ir,Kh as is,YU as it,Tr as iu,qW as j,Yw as ja,el as jc,ZE as ji,Za as jl,tz as jn,H as jo,ZM as jr,Wp as js,DV as jt,YW as k,Jw as ka,ll as kc,YE as ki,qa as kl,az as kn,Bx as ko,lN as kr,dm as ks,qV as kt,QG as l,QT as la,Xu as lc,rk as li,Ss as ll,qz as ln,gC as lo,HI as lr,ph as ls,JU as lt,xr as lu,xG as m,TT as ma,Vl as mc,gO as mi,ds as ml,Pz as mn,VS as mo,kF as mr,jh as ms,FH as mt,fr as mu,iK as n,rE as na,yd as nc,vk as ni,xc as nl,TB as nn,bC as no,eL as nr,ag as ns,pW as nt,kr as nu,UG as o,RT as oa,gd as oc,qO as oi,xs as ol,Qz as on,QS as oo,cL as or,Vh as os,FU as ot,Or as ou,kG as p,MT as pa,$l as pc,yO as pi,bs as pl,Rz as pn,US as po,JF as pr,kh as ps,MH as pt,_r as pu,ZH as q,$C as qa,bc as qc,uE as qi,Ei as ql,yL as qn,Fv as qo,xA as qr,kf as qs,AB as qt,aK as r,JT as ra,pd as rc,wk as ri,js as rl,uB as rn,DC as ro,rL as rr,ig as rs,oU as rt,jr as ru,rK as s,YT as sa,md as sc,YO as si,us as sl,Jz as sn,vC as so,UI as sr,Zh as ss,iW as st,Cr as su,sK as t,W as ta,vd as tc,Ek as ti,_c as tl,rB as tn,kC as to,lL as tr,sg as ts,mW as tt,Gr as tu,GG as u,NT as ua,Zu as uc,TO as ui,vs as ul,Fz as un,qS as uo,VI as ur,Ch as us,KH as ut,br as uu,sG as v,pT as va,El as vc,iO as vi,$o as vl,wz as vn,DS as vo,OP as vr,fh as vs,SH as vt,uG as w,rT as wa,cl as wc,pD as wi,Io as wl,dz as wn,Qx as wo,wN as wr,pm as ws,nH as wt,fG as x,dT as xa,Dl as xc,VD as xi,so as xl,_z as xn,TS as xo,hP as xr,Pm as xs,sH as xt,aG as y,mT as ya,Al as yc,lO as yi,go as yl,xz as yn,OS as yo,TP as yr,Mm as ys,xH as yt,AW as z,bw as za,yc as zc,vE as zi,Oi as zl,QL as zn,Wx as zo,DM as zr,rp as zs,mV as zt};
+//# sourceMappingURL=auth-profiles-T8DuH3ax.js.map

package/dist/auth-token-9OTF1FmL.js

@@ -1 +1,2 @@
 import{g as e}from"./paths-B4IRk3wi.js";import{t}from"./subsystem-C5XF2Fy5.js";import{B as n,G as r,H as i,I as a,J as o,K as s,Kl as c,L as l,Q as u,R as d,St as f,U as p,V as ee,W as te,X as m,Y as ne,Z as re,bt as h,d as ie,lu as ae,nt as oe,nu as se,q as ce,rt as le,tt as ue,vt as de,xt as fe,yt as g,z as pe}from"./model-selection-BlC_rXAN.js";import{i as me,t as he}from"./types.secrets-C-5U96pc.js";import{t as ge}from"./provider-env-vars-D8p6Ohpj.js";import{a as _,i as v,n as y,o as b,r as x}from"./oauth-env-DSLBTWb1.js";import _e from"node:fs";import S from"node:path";const ve=`https://api.minimax.io/anthropic`,ye=`https://api.minimaxi.com/anthropic`,C=`kimi-k2.5`,w=`moonshot/${C}`,be=`k2p5`,T=`kimi-coding/${be}`,E=`qianfan/${a}`,D=`https://api.z.ai/api/coding/paas/v4`,O=`https://open.bigmodel.cn/api/coding/paas/v4`,k=`https://api.z.ai/api/paas/v4`,A=`https://open.bigmodel.cn/api/paas/v4`;function j(e){switch(e){case`coding-cn`:return O;case`global`:return k;case`cn`:return A;case`coding-global`:return D;default:return k}}const xe={input:.3,output:1.2,cacheRead:.03,cacheWrite:.12},Se={input:0,output:0,cacheRead:0,cacheWrite:0},Ce={input:0,output:0,cacheRead:0,cacheWrite:0},we={input:0,output:0,cacheRead:0,cacheWrite:0},Te={"MiniMax-M2.5":{name:`MiniMax M2.5`,reasoning:!0},"MiniMax-M2.5-highspeed":{name:`MiniMax M2.5 Highspeed`,reasoning:!0}},Ee={"glm-5":{name:`GLM-5`,reasoning:!0},"glm-4.7":{name:`GLM-4.7`,reasoning:!0},"glm-4.7-flash":{name:`GLM-4.7 Flash`,reasoning:!0},"glm-4.7-flashx":{name:`GLM-4.7 FlashX`,reasoning:!0}};function M(e){let t=Te[e.id];return{id:e.id,name:e.name??t?.name??`MiniMax ${e.id}`,reasoning:e.reasoning??t?.reasoning??!1,input:[`text`],cost:e.cost,contextWindow:e.contextWindow,maxTokens:e.maxTokens}}function De(e){return M({id:e,cost:xe,contextWindow:2e5,maxTokens:8192})}function Oe(){return{id:C,name:`Kimi K2.5`,reasoning:!1,input:[`text`,`image`],cost:Ce,contextWindow:256e3,maxTokens:8192}}const N=`mistral-large-latest`,P=`mistral/${N}`,ke={input:0,output:0,cacheRead:0,cacheWrite:0};function Ae(){return{id:N,name:`Mistral Large`,reasoning:!1,input:[`text`,`image`],cost:ke,contextWindow:262144,maxTokens:262144}}function F(e){let t=Ee[e.id];return{id:e.id,name:e.name??t?.name??`GLM ${e.id}`,reasoning:e.reasoning??t?.reasoning??!0,input:[`text`],cost:e.cost??we,contextWindow:e.contextWindow??204800,maxTokens:e.maxTokens??131072}}const I=`grok-4`,L=`xai/${I}`,je={input:0,output:0,cacheRead:0,cacheWrite:0};function Me(){return{id:I,name:`Grok 4`,reasoning:!1,input:[`text`],cost:je,contextWindow:131072,maxTokens:8192}}const R=`modelstudio/qwen3.5-plus`,Ne={input:0,output:0,cacheRead:0,cacheWrite:0},Pe={"qwen3.5-plus":{name:`qwen3.5-plus`,reasoning:!1,input:[`text`,`image`],contextWindow:1e6,maxTokens:65536},"qwen3-max-2026-01-23":{name:`qwen3-max-2026-01-23`,reasoning:!1,input:[`text`],contextWindow:262144,maxTokens:65536},"qwen3-coder-next":{name:`qwen3-coder-next`,reasoning:!1,input:[`text`],contextWindow:262144,maxTokens:65536},"qwen3-coder-plus":{name:`qwen3-coder-plus`,reasoning:!1,input:[`text`],contextWindow:1e6,maxTokens:65536},"MiniMax-M2.5":{name:`MiniMax-M2.5`,reasoning:!1,input:[`text`],contextWindow:1e6,maxTokens:65536},"glm-5":{name:`glm-5`,reasoning:!1,input:[`text`],contextWindow:202752,maxTokens:16384},"glm-4.7":{name:`glm-4.7`,reasoning:!1,input:[`text`],contextWindow:202752,maxTokens:16384},"kimi-k2.5":{name:`kimi-k2.5`,reasoning:!1,input:[`text`,`image`],contextWindow:262144,maxTokens:32768}};function z(e){let t=Pe[e.id];return{id:e.id,name:e.name??t?.name??e.id,reasoning:e.reasoning??t?.reasoning??!1,input:e.input??[...t?.input??[`text`]],cost:e.cost??Ne,contextWindow:e.contextWindow??t?.contextWindow??262144,maxTokens:e.maxTokens??t?.maxTokens??65536}}const B=e=>e??se(),Fe=/^\$\{([A-Z][A-Z0-9_]*)\}$/;function V(e){return{source:`env`,provider:he,id:e}}function Ie(e){let t=Fe.exec(e);return t?V(t[1]):null}function Le(e){let t=ge[e]?.find(e=>e.trim().length>0);if(!t)throw Error(`Provider "${e}" does not have a default env var mapping for secret-input-mode=ref.`);return V(t)}function Re(e,t,n){let r=me(t);if(r)return r;let i=ae(t);return Ie(i)||(n?.secretInputMode===`ref`?Le(e):i)}function H(e,t,n,r){let i=Re(e,t,r);return typeof i==`string`?{type:`api_key`,provider:e,key:i,...n?{metadata:n}:{}}:{type:`api_key`,provider:e,keyRef:i,...n?{metadata:n}:{}}}function U(e){try{return _e.realpathSync(S.resolve(e))}catch{return null}}function ze(t){let n=S.resolve(t),r=S.dirname(n),i=S.dirname(r),a=S.basename(n)===`agent`&&S.basename(i)===`agents`?i:S.join(e(),`agents`),o=(()=>{try{return _e.readdirSync(a,{withFileTypes:!0})}catch{return[]}})().filter(e=>e.isDirectory()||e.isSymbolicLink()).map(e=>S.join(a,e.name,`agent`)),s=new Set,c=[];for(let e of[n,...o]){let t=U(e);t&&!s.has(t)&&(s.add(t),c.push(t))}return c}async function Be(e,t,n,r){let i=`${e}:${typeof t.email==`string`&&t.email.trim()?t.email.trim():`default`}`,a=S.resolve(B(n)),o=r?.syncSiblingAgents?ze(a):[a],s={type:`oauth`,provider:e,...t};if(c({profileId:i,credential:s,agentDir:a}),r?.syncSiblingAgents){let e=U(a);for(let t of o){let n=U(t);if(!(n&&e&&n===e))try{c({profileId:i,credential:s,agentDir:t})}catch{}}}return i}async function Ve(e,t,n){c({profileId:`anthropic:default`,credential:H(`anthropic`,e,void 0,n),agentDir:B(t)})}async function He(e,t,n){c({profileId:`openai:default`,credential:H(`openai`,e,void 0,n),agentDir:B(t)})}async function Ue(e,t,n){c({profileId:`google:default`,credential:H(`google`,e,void 0,n),agentDir:B(t)})}async function We(e,t,n=`minimax:default`,r){c({profileId:n,credential:H(n.split(`:`)[0]??`minimax`,e,void 0,r),agentDir:B(t)})}async function Ge(e,t,n){c({profileId:`moonshot:default`,credential:H(`moonshot`,e,void 0,n),agentDir:B(t)})}async function Ke(e,t,n){c({profileId:`kimi-coding:default`,credential:H(`kimi-coding`,e,void 0,n),agentDir:B(t)})}async function qe(e,t,n){c({profileId:`volcengine:default`,credential:H(`volcengine`,e,void 0,n),agentDir:B(t)})}async function Je(e,t,n){c({profileId:`byteplus:default`,credential:H(`byteplus`,e,void 0,n),agentDir:B(t)})}async function Ye(e,t,n){c({profileId:`synthetic:default`,credential:H(`synthetic`,e,void 0,n),agentDir:B(t)})}async function Xe(e,t,n){c({profileId:`venice:default`,credential:H(`venice`,e,void 0,n),agentDir:B(t)})}const W=`zai/glm-5`,G=`xiaomi/mimo-v2-flash`,K=`openrouter/auto`,q=`huggingface/deepseek-ai/DeepSeek-R1`,J=`together/moonshotai/Kimi-K2.5`,Y=`litellm/claude-opus-4-6`,X=`vercel-ai-gateway/anthropic/claude-opus-4.6`;async function Ze(e,t,n){c({profileId:`zai:default`,credential:H(`zai`,e,void 0,n),agentDir:B(t)})}async function Qe(e,t,n){c({profileId:`xiaomi:default`,credential:H(`xiaomi`,e,void 0,n),agentDir:B(t)})}async function $e(e,t,n){c({profileId:`openrouter:default`,credential:H(`openrouter`,typeof e==`string`&&e===`undefined`?``:e,void 0,n),agentDir:B(t)})}async function et(e,t,n,r,i){c({profileId:`cloudflare-ai-gateway:default`,credential:H(`cloudflare-ai-gateway`,n,{accountId:e.trim(),gatewayId:t.trim()},i),agentDir:B(r)})}async function tt(e,t,n){c({profileId:`litellm:default`,credential:H(`litellm`,e,void 0,n),agentDir:B(t)})}async function nt(e,t,n){c({profileId:`vercel-ai-gateway:default`,credential:H(`vercel-ai-gateway`,e,void 0,n),agentDir:B(t)})}async function rt(e,t,n){await at(e,t,n)}async function it(e,t,n){await at(e,t,n)}async function at(e,t,n){let r=B(t);for(let t of[`opencode`,`opencode-go`])c({profileId:`${t}:default`,credential:H(t,e,void 0,n),agentDir:r})}async function ot(e,t,n){c({profileId:`together:default`,credential:H(`together`,e,void 0,n),agentDir:B(t)})}async function st(e,t,n){c({profileId:`huggingface:default`,credential:H(`huggingface`,e,void 0,n),agentDir:B(t)})}function ct(e,t,n){c({profileId:`qianfan:default`,credential:H(`qianfan`,e,void 0,n),agentDir:B(t)})}function lt(e,t,n){c({profileId:`modelstudio:default`,credential:H(`modelstudio`,e,void 0,n),agentDir:B(t)})}function ut(e,t,n){c({profileId:`xai:default`,credential:H(`xai`,e,void 0,n),agentDir:B(t)})}async function dt(e,t,n){c({profileId:`mistral:default`,credential:H(`mistral`,e,void 0,n),agentDir:B(t)})}async function ft(e,t,n){c({profileId:`kilocode:default`,credential:H(`kilocode`,e,void 0,n),agentDir:B(t)})}function pt(e){let t={...e.agents?.defaults?.models};return t[X]={...t[X],alias:t[`vercel-ai-gateway/anthropic/claude-opus-4.6`]?.alias??`Vercel AI Gateway`},{...e,agents:{...e.agents,defaults:{...e.agents?.defaults,models:t}}}}function mt(e,t){let n={...e.agents?.defaults?.models};n[h]={...n[h],alias:n[h]?.alias??`Cloudflare AI Gateway`};let r=fe(),i=e.models?.providers?.[`cloudflare-ai-gateway`],a=t?.accountId&&t?.gatewayId?f({accountId:t.accountId,gatewayId:t.gatewayId}):typeof i?.baseUrl==`string`?i.baseUrl:void 0;return a?v(e,{agentModels:n,providerId:`cloudflare-ai-gateway`,api:`anthropic-messages`,baseUrl:a,defaultModel:r}):{...e,agents:{...e.agents,defaults:{...e.agents?.defaults,models:n}}}}function ht(e){return y(pt(e),X)}function gt(e,t){return y(mt(e,t),h)}const _t=`claude-opus-4-6`,vt={input:0,output:0,cacheRead:0,cacheWrite:0};function yt(){return{id:_t,name:`Claude Opus 4.6`,reasoning:!0,input:[`text`,`image`],cost:vt,contextWindow:128e3,maxTokens:8192}}function bt(e){let t={...e.agents?.defaults?.models};t[Y]={...t[Y],alias:t[`litellm/claude-opus-4-6`]?.alias??`LiteLLM`};let n=yt(),r=e.models?.providers?.litellm;return v(e,{agentModels:t,providerId:`litellm`,api:`openai-completions`,baseUrl:(typeof r?.baseUrl==`string`?r.baseUrl.trim():``)||`http://localhost:4000`,defaultModel:n,defaultModelId:_t})}function xt(e){return y(bt(e),Y)}function St(e,t){let n=`zai/${t?.modelId?.trim()||`glm-5`}`,r={...e.agents?.defaults?.models};r[n]={...r[n],alias:r[n]?.alias??`GLM`};let i={...e.models?.providers},a=i.zai,o=Array.isArray(a?.models)?a.models:[],s=[F({id:`glm-5`}),F({id:`glm-4.7`}),F({id:`glm-4.7-flash`}),F({id:`glm-4.7-flashx`})],c=[...o],l=new Set(o.map(e=>e.id));for(let e of s)l.has(e.id)||(c.push(e),l.add(e.id));let{apiKey:u,...d}=a??{},f=(typeof u==`string`?u:void 0)?.trim(),p=t?.endpoint?j(t.endpoint):(typeof a?.baseUrl==`string`?a.baseUrl:``)||j();return i.zai={...d,baseUrl:p,api:`openai-completions`,...f?{apiKey:f}:{},models:c.length>0?c:s},x(e,{agentModels:r,providers:i})}function Ct(e,t){let n=t?.modelId?.trim()||`glm-5`,r=n===`glm-5`?W:`zai/${n}`;return y(St(e,t),r)}function wt(e){let t={...e.agents?.defaults?.models};return t[K]={...t[K],alias:t[`openrouter/auto`]?.alias??`OpenRouter`},{...e,agents:{...e.agents,defaults:{...e.agents?.defaults,models:t}}}}function Tt(e){return y(wt(e),K)}function Et(e){return Ot(e,`https://api.moonshot.ai/v1`)}function Dt(e){return Ot(e,`https://api.moonshot.cn/v1`)}function Ot(e,t){let n={...e.agents?.defaults?.models};return n[w]={...n[w],alias:n[w]?.alias??`Kimi`},v(e,{agentModels:n,providerId:`moonshot`,api:`openai-completions`,baseUrl:t,defaultModel:Oe(),defaultModelId:C})}function kt(e){return y(Et(e),w)}function At(e){return y(Dt(e),w)}function jt(e){let t={...e.agents?.defaults?.models};t[T]={...t[T],alias:t[T]?.alias??`Kimi for Coding`};let n=pe().models[0];return v(e,{agentModels:t,providerId:`kimi-coding`,api:`anthropic-messages`,baseUrl:`https://api.kimi.com/coding/`,defaultModel:n,defaultModelId:be})}function Mt(e){return y(jt(e),T)}function Nt(e){let t={...e.agents?.defaults?.models};t[s]={...t[s],alias:t[s]?.alias??`MiniMax M2.5`};let n={...e.models?.providers},i=n.synthetic,a=Array.isArray(i?.models)?i.models:[],c=ce.map(o),l=[...a,...c.filter(e=>!a.some(t=>t.id===e.id))],{apiKey:u,...d}=i??{},f=(typeof u==`string`?u:void 0)?.trim();return n.synthetic={...d,baseUrl:r,api:`anthropic-messages`,...f?{apiKey:f}:{},models:l.length>0?l:c},x(e,{agentModels:t,providers:n})}function Pt(e){return y(Nt(e),s)}function Ft(e){let t={...e.agents?.defaults?.models};t[G]={...t[G],alias:t[`xiaomi/mimo-v2-flash`]?.alias??`Xiaomi`};let n=ee();return _(e,{agentModels:t,providerId:`xiaomi`,api:n.api??`openai-completions`,baseUrl:n.baseUrl,defaultModels:n.models??[],defaultModelId:l})}function It(e){return y(Ft(e),G)}function Lt(e){let t={...e.agents?.defaults?.models};return t[m]={...t[m],alias:t[m]?.alias??`Kimi K2.5`},b(e,{agentModels:t,providerId:`venice`,api:`openai-completions`,baseUrl:ne,catalogModels:re.map(u)})}function Rt(e){return y(Lt(e),m)}function zt(e){let t={...e.agents?.defaults?.models};return t[J]={...t[J],alias:t[`together/moonshotai/Kimi-K2.5`]?.alias??`Together AI`},b(e,{agentModels:t,providerId:`together`,api:`openai-completions`,baseUrl:i,catalogModels:p.map(te)})}function Bt(e){return y(zt(e),J)}function Vt(e){let t={...e.agents?.defaults?.models};return t[q]={...t[q],alias:t[`huggingface/deepseek-ai/DeepSeek-R1`]?.alias??`Hugging Face`},b(e,{agentModels:t,providerId:`huggingface`,api:`openai-completions`,baseUrl:ue,catalogModels:oe.map(le)})}function Ht(e){return y(Vt(e),q)}function Ut(e){let t={...e.agents?.defaults?.models};return t[L]={...t[L],alias:t[L]?.alias??`Grok`},v(e,{agentModels:t,providerId:`xai`,api:`openai-completions`,baseUrl:`https://api.x.ai/v1`,defaultModel:Me(),defaultModelId:I})}function Wt(e){return y(Ut(e),L)}function Gt(e){let t={...e.agents?.defaults?.models};return t[P]={...t[P],alias:t[P]?.alias??`Mistral`},v(e,{agentModels:t,providerId:`mistral`,api:`openai-completions`,baseUrl:`https://api.mistral.ai/v1`,defaultModel:Ae(),defaultModelId:N})}function Kt(e){return y(Gt(e),P)}function qt(e){let t={...e.agents?.defaults?.models};return t[g]={...t[g],alias:t[g]?.alias??`Kilo Gateway`},b(e,{agentModels:t,providerId:`kilocode`,api:`openai-completions`,baseUrl:de,catalogModels:d().models??[]})}function Jt(e){return y(qt(e),g)}function Yt(e,t){let n=t.provider.toLowerCase(),r={...e.auth?.profiles,[t.profileId]:{provider:t.provider,mode:t.mode,...t.email?{email:t.email}:{}}},i=Object.entries(e.auth?.profiles??{}).filter(([,e])=>e.provider.toLowerCase()===n).map(([e,t])=>({profileId:e,mode:t.mode})),a=e.auth?.order?.[t.provider],o=t.preferProfileFirst??!0,s=a&&o?[t.profileId,...a.filter(e=>e!==t.profileId)]:a,c=i.some(({profileId:e,mode:n})=>e!==t.profileId&&n!==t.mode),l=a===void 0&&o&&c?[t.profileId,...i.map(({profileId:e})=>e).filter(e=>e!==t.profileId)]:void 0,u=a===void 0?l?{...e.auth?.order,[t.provider]:l}:e.auth?.order:{...e.auth?.order,[t.provider]:s?.includes(t.profileId)?s:[...s??[],t.profileId]};return{...e,auth:{...e.auth,profiles:r,...u?{order:u}:{}}}}function Xt(e){let t={...e.agents?.defaults?.models};t[E]={...t[E],alias:t[E]?.alias??`QIANFAN`};let r=n(),i=e.models?.providers?.qianfan,o=(typeof i?.baseUrl==`string`?i.baseUrl.trim():``)||`https://qianfan.baidubce.com/v2`;return _(e,{agentModels:t,providerId:`qianfan`,api:typeof i?.api==`string`?i.api:`openai-completions`,baseUrl:o,defaultModels:r.models??[],defaultModelId:a})}function Zt(e){return y(Xt(e),E)}function Qt(e,t){let n={...e.agents?.defaults?.models};for(let e of[`qwen3.5-plus`,`qwen3-max-2026-01-23`,`qwen3-coder-next`,`qwen3-coder-plus`,`MiniMax-M2.5`,`glm-5`,`glm-4.7`,`kimi-k2.5`]){let t=`modelstudio/${e}`;n[t]||(n[t]={})}n[R]={...n[R],alias:n[R]?.alias??`Qwen`};let r={...e.models?.providers},i=r.modelstudio,a=Array.isArray(i?.models)?i.models:[],o=[z({id:`qwen3.5-plus`}),z({id:`qwen3-max-2026-01-23`}),z({id:`qwen3-coder-next`}),z({id:`qwen3-coder-plus`}),z({id:`MiniMax-M2.5`}),z({id:`glm-5`}),z({id:`glm-4.7`}),z({id:`kimi-k2.5`})],s=[...a],c=new Set(a.map(e=>e.id));for(let e of o)c.has(e.id)||(s.push(e),c.add(e.id));let{apiKey:l,...u}=i??{},d=(typeof l==`string`?l:void 0)?.trim();return r.modelstudio={...u,baseUrl:t,api:`openai-completions`,...d?{apiKey:d}:{},models:s.length>0?s:o},x(e,{agentModels:n,providers:r})}function $t(e){return Qt(e,`https://coding-intl.dashscope.aliyuncs.com/v1`)}function en(e){return Qt(e,`https://coding.dashscope.aliyuncs.com/v1`)}function tn(e){return y($t(e),R)}function nn(e){return y(en(e),R)}function Z(e){let t={...e.agents?.defaults?.models};t[`anthropic/claude-opus-4-6`]={...t[`anthropic/claude-opus-4-6`],alias:t[`anthropic/claude-opus-4-6`]?.alias??`Opus`},t[`lmstudio/minimax-m2.5-gs32`]={...t[`lmstudio/minimax-m2.5-gs32`],alias:t[`lmstudio/minimax-m2.5-gs32`]?.alias??`Minimax`};let n={...e.models?.providers};return n.lmstudio||={baseUrl:`http://127.0.0.1:1234/v1`,apiKey:`lmstudio`,api:`openai-responses`,models:[M({id:`minimax-m2.5-gs32`,name:`MiniMax M2.5 GS32`,reasoning:!1,cost:Se,contextWindow:196608,maxTokens:8192})]},x(e,{agentModels:t,providers:n})}function rn(e){return y(Z(e),`lmstudio/minimax-m2.5-gs32`)}function an(e,t=`MiniMax-M2.5`){return Q(e,{providerId:`minimax`,modelId:t,baseUrl:ve})}function on(e,t=`MiniMax-M2.5`){return ln(e,{providerId:`minimax`,modelId:t,baseUrl:ve})}function sn(e,t=`MiniMax-M2.5`){return Q(e,{providerId:`minimax-cn`,modelId:t,baseUrl:ye})}function cn(e,t=`MiniMax-M2.5`){return ln(e,{providerId:`minimax-cn`,modelId:t,baseUrl:ye})}function Q(e,t){let n={...e.models?.providers},r=n[t.providerId],i=r?.models??[],a=De(t.modelId),o=i.some(e=>e.id===t.modelId)?i:[...i,a],{apiKey:s,...c}=r??{baseUrl:t.baseUrl,models:[]},l=typeof s==`string`?s:void 0,u=l?.trim()===`minimax`?``:l;n[t.providerId]={...c,baseUrl:t.baseUrl,api:`anthropic-messages`,authHeader:!0,...u?.trim()?{apiKey:u}:{},models:o.length>0?o:[a]};let d={...e.agents?.defaults?.models},f=`${t.providerId}/${t.modelId}`;return d[f]={...d[f],alias:`Minimax`},{...e,agents:{...e.agents,defaults:{...e.agents?.defaults,models:d}},models:{mode:e.models?.mode??`merge`,providers:n}}}function ln(e,t){return y(Q(e,t),`${t.providerId}/${t.modelId}`)}t(`opencode-zen-models`);const $=`opencode/claude-opus-4-6`;function un(e){let t={...e.agents?.defaults?.models};return t[$]={...t[$],alias:t[$]?.alias??`Opus`},{...e,agents:{...e.agents,defaults:{...e.agents?.defaults,models:t}}}}function dn(e){return y(un(e),$)}function fn(e){if(typeof e==`string`)return e;if(e&&typeof e==`object`&&typeof e.primary==`string`)return e.primary}function pn(e){let t=fn(e.cfg.agents?.defaults?.model)?.trim();return(t&&e.legacyModels?.has(t)?e.model:t)===e.model?{next:e.cfg,changed:!1}:{next:{...e.cfg,agents:{...e.cfg.agents,defaults:{...e.cfg.agents?.defaults,model:e.cfg.agents?.defaults?.model&&typeof e.cfg.agents.defaults.model==`object`?{...e.cfg.agents.defaults.model,primary:e.model}:{primary:e.model}}}},changed:!0}}const mn=`opencode-go/kimi-k2.5`,hn={"opencode-go/kimi-k2.5":`Kimi`,"opencode-go/glm-5":`GLM`,"opencode-go/minimax-m2.5":`MiniMax`};function gn(e){let t={...e.agents?.defaults?.models};for(let[e,n]of Object.entries(hn))t[e]={...t[e],alias:t[e]?.alias??n};return{...e,agents:{...e.agents,defaults:{...e.agents?.defaults,models:t}}}}function _n(e){return y(gn(e),mn)}function vn(e){let t=e.trim();return t&&t.toLowerCase().replace(/[^a-z0-9._-]+/g,`-`).replace(/-+/g,`-`).replace(/^-+|-+$/g,``)||`default`}function yn(e){return`${ie(e.provider)}:${vn(e.name)}`}function bn(e){let t=e.trim();if(!t)return`Required`;if(!t.startsWith(`sk-ant-oat01-`))return`Expected token starting with sk-ant-oat01-`;if(t.length<80)return`Token looks too short; paste the full setup-token`}export{pt as $,Et as A,Qe as At,Rt as B,O as Bt,Gt as C,ct as Ct,en as D,nt as Dt,$t as E,Xe as Et,Xt as F,R as Ft,Ft as G,Wt as H,k as Ht,Pt as I,w as It,xt as J,Ct as K,Nt as L,E as Lt,Tt as M,Be as Mt,wt as N,T as Nt,kt as O,qe as Ot,Zt as P,P as Pt,ht as Q,Bt as R,L as Rt,Kt as S,$e as St,nn as T,ot as Tt,Ut as U,Lt as V,D as Vt,It as W,gt as X,bt as Y,mt as Z,Vt as _,lt as _t,mn as a,G as at,Mt as b,it as bt,un as c,Je as ct,an as d,st as dt,q as et,sn as f,ft,Ht as g,dt as gt,Yt as h,We as ht,gn as i,X as it,Dt as j,Ze as jt,At as k,ut as kt,on as l,et as lt,Z as m,tt as mt,bn as n,K as nt,pn as o,W as ot,rn as p,Ke as pt,St as q,_n as r,J as rt,dn as s,Ve as st,yn as t,Y as tt,cn as u,Ue as ut,Jt as v,Ge as vt,tn as w,Ye as wt,jt as x,rt as xt,qt as y,He as yt,zt as z,A as zt};
+//# sourceMappingURL=auth-token-9OTF1FmL.js.map