@remnic/core 1.0.0 → 1.0.1

package/dist/{chunk-LU3GQNDQ.js → chunk-M5ZBBBJI.js}

@@ -9,6 +9,7 @@ import {
 import path from "path";
 import os from "os";
 var _resolveApiKeyForProvider = null;
+var _getRuntimeAuthForModel = null;
 var _resolverLoaded = false;
 var _resolverNextRetryAt = 0;
 var RESOLVER_RETRY_BACKOFF_MS = 6e4;
@@ -32,6 +33,10 @@ async function getGatewayResolver() {
         const mod = await import(importUrl);
         if (typeof mod.resolveApiKeyForProvider === "function") {
           _resolveApiKeyForProvider = mod.resolveApiKeyForProvider;
+          if (typeof mod.getRuntimeAuthForModel === "function") {
+            _getRuntimeAuthForModel = mod.getRuntimeAuthForModel;
+            log.debug("loaded gateway getRuntimeAuthForModel from runtime module");
+          }
           _resolverLoaded = true;
           log.debug("loaded gateway resolveApiKeyForProvider from runtime module");
           return _resolveApiKeyForProvider;
@@ -138,15 +143,21 @@ function resolveFromEnv(providerId) {
   }
   return void 0;
 }
+async function getGatewayRuntimeAuthForModel() {
+  await getGatewayResolver();
+  return _getRuntimeAuthForModel;
+}
 function clearSecretCache() {
   resolvedCache.clear();
   _resolveApiKeyForProvider = null;
+  _getRuntimeAuthForModel = null;
   _resolverLoaded = false;
   _resolverNextRetryAt = 0;
 }
 
 export {
   resolveProviderApiKey,
+  getGatewayRuntimeAuthForModel,
   clearSecretCache
 };
-//# sourceMappingURL=chunk-LU3GQNDQ.js.map
+//# sourceMappingURL=chunk-M5ZBBBJI.js.map

package/dist/chunk-M5ZBBBJI.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/resolve-provider-secret.ts"],"sourcesContent":["import { log } from \"./logger.js\";\nimport { readEnvVar } from \"./runtime/env.js\";\nimport path from \"node:path\";\nimport os from \"node:os\";\n\n/**\n * Resolve a provider API key using OpenClaw's own auth resolution system.\n *\n * This module delegates to the gateway's `resolveApiKeyForProvider()` function,\n * which handles all secret reference formats (SecretRef objects, auth profiles,\n * \"secretref-managed\" markers, environment variables, etc.) using the same\n * codepath the gateway uses for its own agent sessions.\n *\n * For plain-text API keys, a fast path returns them directly without\n * involving the gateway auth system.\n *\n * Results are cached per provider for the gateway process lifetime.\n */\n\ntype ResolveApiKeyFn = (params: {\n  provider: string;\n  cfg?: unknown;\n  agentDir?: string;\n}) => Promise<{ apiKey?: string; source?: string; mode?: string } | null>;\n\n/**\n * Resolve request-ready auth for a model, including provider-owned transforms\n * (e.g., OAuth token exchange, base URL override for openai-codex).\n */\nexport type GetRuntimeAuthForModelFn = (params: {\n  model: { provider: string; id: string; api?: string; baseUrl?: string };\n  cfg?: unknown;\n  workspaceDir?: string;\n}) => Promise<{\n  apiKey?: string;\n  baseUrl?: string;\n  source?: string;\n  mode?: string;\n  profileId?: string;\n} | null>;\n\nlet _resolveApiKeyForProvider: ResolveApiKeyFn | null = null;\nlet _getRuntimeAuthForModel: GetRuntimeAuthForModelFn | null = null;\nlet _resolverLoaded = false;\nlet _resolverNextRetryAt = 0;\nconst RESOLVER_RETRY_BACKOFF_MS = 60_000; // 1 minute between retries after first failure\nconst resolvedCache = new Map<string, string | undefined>();\n\n/**\n * Lazily load the gateway's resolveApiKeyForProvider function.\n * Returns null if not available (e.g., running outside the gateway process).\n */\nasync function getGatewayResolver(): Promise<ResolveApiKeyFn | null> {\n  if (_resolverLoaded) {\n    return _resolveApiKeyForProvider;\n  }\n  // Backoff: don't re-scan filesystem on every call when module wasn't found.\n  // After a failure, wait RESOLVER_RETRY_BACKOFF_MS before trying again.\n  if (_resolverNextRetryAt > 0 && Date.now() < _resolverNextRetryAt) {\n    return null;\n  }\n\n  try {\n    // The gateway bundles this in a runtime chunk — import it dynamically.\n    // This import path is stable across gateway versions since it's a named runtime export.\n    const candidates = [\n      // Try glob-matching the runtime module name (hash varies per build)\n      ...await findRuntimeModules(),\n    ];\n\n    const { pathToFileURL } = await import(\"node:url\");\n    for (const candidate of candidates) {\n      try {\n        // Convert native path to file:// URL for cross-platform ESM import compatibility\n        const importUrl = pathToFileURL(candidate).href;\n        const mod = await import(importUrl);\n        if (typeof mod.resolveApiKeyForProvider === \"function\") {\n          _resolveApiKeyForProvider = mod.resolveApiKeyForProvider;\n          if (typeof mod.getRuntimeAuthForModel === \"function\") {\n            _getRuntimeAuthForModel = mod.getRuntimeAuthForModel;\n            log.debug(\"loaded gateway getRuntimeAuthForModel from runtime module\");\n          }\n          _resolverLoaded = true;\n          log.debug(\"loaded gateway resolveApiKeyForProvider from runtime module\");\n          return _resolveApiKeyForProvider;\n        }\n      } catch {\n        // Try next candidate\n      }\n    }\n  } catch {\n    // Silent\n  }\n\n  // Backoff before retrying — avoid repeated fs scanning.\n  // Retries after RESOLVER_RETRY_BACKOFF_MS so the resolver can\n  // recover if the gateway restarts or the module becomes available.\n  _resolverNextRetryAt = Date.now() + RESOLVER_RETRY_BACKOFF_MS;\n  log.debug(`gateway resolveApiKeyForProvider not available — will retry after ${RESOLVER_RETRY_BACKOFF_MS / 1000}s`);\n  return null;\n}\n\n/**\n * Find the gateway's model-auth runtime module by scanning the dist directory.\n * Uses require.resolve to find the openclaw package regardless of install method.\n */\nasync function findRuntimeModules(): Promise<string[]> {\n  const { readdirSync } = await import(\"node:fs\");\n  const { createRequire } = await import(\"node:module\");\n  const candidates: string[] = [];\n\n  // Discover the openclaw dist directory from the installed package,\n  // regardless of how it was installed (Homebrew, npm global, local, etc.)\n  const distDirs: string[] = [];\n\n  try {\n    // require.resolve finds the package from the current process context\n    const req = createRequire(import.meta.url);\n    const openclawMain = req.resolve(\"openclaw\");\n    const openclawDist = path.join(path.dirname(openclawMain), \"..\", \"dist\");\n    if (openclawDist) distDirs.push(path.resolve(openclawDist));\n  } catch {\n    // openclaw not resolvable from plugin context — try alternate paths\n  }\n\n  // Fallback: infer from the running process (gateway runs from its own dist/)\n  // Use fs.realpathSync to resolve symlinks (e.g., /usr/local/bin/openclaw → actual path)\n  try {\n    const { realpathSync } = await import(\"node:fs\");\n    const mainScript = process.argv[1];\n    if (mainScript) {\n      const realScript = realpathSync(mainScript);\n      if (realScript.includes(\"openclaw\")) {\n        const distDir = path.dirname(realScript);\n        if (!distDirs.includes(distDir)) distDirs.push(distDir);\n      }\n    }\n  } catch {\n    // Silent\n  }\n\n  for (const dir of distDirs) {\n    try {\n      const files = readdirSync(dir);\n      for (const f of files) {\n        if (f.startsWith(\"runtime-model-auth.runtime-\") && f.endsWith(\".js\")) {\n          candidates.push(path.join(dir, f));\n        }\n      }\n    } catch {\n      // Directory doesn't exist — skip\n    }\n  }\n\n  return candidates;\n}\n\n/**\n * Resolve a provider API key from various OpenClaw formats.\n *\n * Resolution order:\n * 1. Plain-text string → returned immediately\n * 2. Gateway's resolveApiKeyForProvider → handles all secret ref formats\n * 3. Environment variable fallback (PROVIDER_NAME_API_KEY)\n * 4. undefined → provider is skipped in the fallback chain\n */\nexport async function resolveProviderApiKey(\n  providerId: string,\n  apiKeyValue: unknown,\n  gatewayConfig?: unknown,\n  agentDir?: string,\n): Promise<string | undefined> {\n  // Check cache first\n  const cacheKey = `provider:${providerId}`;\n  if (resolvedCache.has(cacheKey)) {\n    return resolvedCache.get(cacheKey);\n  }\n\n  let resolved: string | undefined;\n\n  // Fast path: plain-text string that looks like an actual API key\n  if (typeof apiKeyValue === \"string\" && apiKeyValue.trim().length > 0) {\n    // Skip known non-API-key markers used by the gateway for auth modes\n    // that don't use bearer tokens (OAuth, local endpoints, GCP credentials)\n    if (\n      apiKeyValue === \"secretref-managed\" ||\n      apiKeyValue.endsWith(\"-oauth\") ||\n      apiKeyValue.endsWith(\"-local\") ||\n      apiKeyValue === \"lm-studio\" ||\n      apiKeyValue.startsWith(\"gcp-\")\n    ) {\n      // Fall through to gateway resolver / env var fallback\n    } else {\n      resolved = apiKeyValue;\n      resolvedCache.set(cacheKey, resolved);\n      return resolved;\n    }\n  }\n\n  // The API key is either a SecretRef object, \"secretref-managed\", or empty.\n  // Try the gateway's own auth resolution system first.\n  const resolver = await getGatewayResolver();\n  if (resolver) {\n    try {\n      const resolvedAgentDir = agentDir ?? path.join(os.homedir(), \".openclaw\", \"agents\", \"main\", \"agent\");\n      const auth = await resolver({ provider: providerId, cfg: gatewayConfig, agentDir: resolvedAgentDir });\n      if (auth?.apiKey) {\n        resolved = auth.apiKey;\n        log.debug(`resolved API key for provider \"${providerId}\" via gateway auth (source: ${auth.source ?? \"unknown\"}, mode: ${auth.mode ?? \"unknown\"})`);\n        resolvedCache.set(cacheKey, resolved);\n        return resolved;\n      }\n    } catch (err) {\n      log.debug(\n        `gateway auth resolution failed for provider \"${providerId}\": ${err instanceof Error ? err.message : String(err)}`,\n      );\n    }\n  }\n\n  // Environment variable fallback\n  resolved = resolveFromEnv(providerId);\n  if (resolved) {\n    log.debug(`resolved API key for provider \"${providerId}\" from environment variable`);\n  } else {\n    log.debug(`could not resolve API key for provider \"${providerId}\" — skipping`);\n  }\n\n  // Only cache successful resolutions — failures are retried on next call\n  // so providers can recover after transient issues (e.g., 1Password agent restart)\n  if (resolved) {\n    resolvedCache.set(cacheKey, resolved);\n  }\n  return resolved;\n}\n\n/**\n * Try to resolve an API key from environment variables.\n */\nfunction resolveFromEnv(providerId: string): string | undefined {\n  const normalized = providerId.toUpperCase().replace(/[^A-Z0-9]/g, \"_\");\n  const candidates = [\n    `${normalized}_API_KEY`,\n    `${normalized}_TOKEN`,\n  ];\n  for (const envVar of candidates) {\n    const value = readEnvVar(envVar);\n    if (value && value.trim().length > 0) {\n      return value.trim();\n    }\n  }\n  return undefined;\n}\n\n/**\n * Get the gateway's getRuntimeAuthForModel function, if available.\n * This resolves request-ready auth including provider-owned transforms\n * (OAuth token exchange, base URL override for codex/copilot/etc.).\n * Must be called after at least one resolveProviderApiKey() call to\n * trigger the lazy module load.\n */\nexport async function getGatewayRuntimeAuthForModel(): Promise<GetRuntimeAuthForModelFn | null> {\n  // Ensure the runtime module has been loaded\n  await getGatewayResolver();\n  return _getRuntimeAuthForModel;\n}\n\n/**\n * Clear the resolution cache (useful for testing or key rotation).\n */\nexport function clearSecretCache(): void {\n  resolvedCache.clear();\n  _resolveApiKeyForProvider = null;\n  _getRuntimeAuthForModel = null;\n  _resolverLoaded = false;\n  _resolverNextRetryAt = 0;\n}\n"],"mappings":";;;;;;;;AAEA,OAAO,UAAU;AACjB,OAAO,QAAQ;AAsCf,IAAI,4BAAoD;AACxD,IAAI,0BAA2D;AAC/D,IAAI,kBAAkB;AACtB,IAAI,uBAAuB;AAC3B,IAAM,4BAA4B;AAClC,IAAM,gBAAgB,oBAAI,IAAgC;AAM1D,eAAe,qBAAsD;AACnE,MAAI,iBAAiB;AACnB,WAAO;AAAA,EACT;AAGA,MAAI,uBAAuB,KAAK,KAAK,IAAI,IAAI,sBAAsB;AACjE,WAAO;AAAA,EACT;AAEA,MAAI;AAGF,UAAM,aAAa;AAAA;AAAA,MAEjB,GAAG,MAAM,mBAAmB;AAAA,IAC9B;AAEA,UAAM,EAAE,cAAc,IAAI,MAAM,OAAO,KAAU;AACjD,eAAW,aAAa,YAAY;AAClC,UAAI;AAEF,cAAM,YAAY,cAAc,SAAS,EAAE;AAC3C,cAAM,MAAM,MAAM,OAAO;AACzB,YAAI,OAAO,IAAI,6BAA6B,YAAY;AACtD,sCAA4B,IAAI;AAChC,cAAI,OAAO,IAAI,2BAA2B,YAAY;AACpD,sCAA0B,IAAI;AAC9B,gBAAI,MAAM,2DAA2D;AAAA,UACvE;AACA,4BAAkB;AAClB,cAAI,MAAM,6DAA6D;AACvE,iBAAO;AAAA,QACT;AAAA,MACF,QAAQ;AAAA,MAER;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAKA,yBAAuB,KAAK,IAAI,IAAI;AACpC,MAAI,MAAM,0EAAqE,4BAA4B,GAAI,GAAG;AAClH,SAAO;AACT;AAMA,eAAe,qBAAwC;AACrD,QAAM,EAAE,YAAY,IAAI,MAAM,OAAO,IAAS;AAC9C,QAAM,EAAE,cAAc,IAAI,MAAM,OAAO,QAAa;AACpD,QAAM,aAAuB,CAAC;AAI9B,QAAM,WAAqB,CAAC;AAE5B,MAAI;AAEF,UAAM,MAAM,cAAc,YAAY,GAAG;AACzC,UAAM,eAAe,IAAI,QAAQ,UAAU;AAC3C,UAAM,eAAe,KAAK,KAAK,KAAK,QAAQ,YAAY,GAAG,MAAM,MAAM;AACvE,QAAI,aAAc,UAAS,KAAK,KAAK,QAAQ,YAAY,CAAC;AAAA,EAC5D,QAAQ;AAAA,EAER;AAIA,MAAI;AACF,UAAM,EAAE,aAAa,IAAI,MAAM,OAAO,IAAS;AAC/C,UAAM,aAAa,QAAQ,KAAK,CAAC;AACjC,QAAI,YAAY;AACd,YAAM,aAAa,aAAa,UAAU;AAC1C,UAAI,WAAW,SAAS,UAAU,GAAG;AACnC,cAAM,UAAU,KAAK,QAAQ,UAAU;AACvC,YAAI,CAAC,SAAS,SAAS,OAAO,EAAG,UAAS,KAAK,OAAO;AAAA,MACxD;AAAA,IACF;AAAA,EACF,QAAQ;AAAA,EAER;AAEA,aAAW,OAAO,UAAU;AAC1B,QAAI;AACF,YAAM,QAAQ,YAAY,GAAG;AAC7B,iBAAW,KAAK,OAAO;AACrB,YAAI,EAAE,WAAW,6BAA6B,KAAK,EAAE,SAAS,KAAK,GAAG;AACpE,qBAAW,KAAK,KAAK,KAAK,KAAK,CAAC,CAAC;AAAA,QACnC;AAAA,MACF;AAAA,IACF,QAAQ;AAAA,IAER;AAAA,EACF;AAEA,SAAO;AACT;AAWA,eAAsB,sBACpB,YACA,aACA,eACA,UAC6B;AAE7B,QAAM,WAAW,YAAY,UAAU;AACvC,MAAI,cAAc,IAAI,QAAQ,GAAG;AAC/B,WAAO,cAAc,IAAI,QAAQ;AAAA,EACnC;AAEA,MAAI;AAGJ,MAAI,OAAO,gBAAgB,YAAY,YAAY,KAAK,EAAE,SAAS,GAAG;AAGpE,QACE,gBAAgB,uBAChB,YAAY,SAAS,QAAQ,KAC7B,YAAY,SAAS,QAAQ,KAC7B,gBAAgB,eAChB,YAAY,WAAW,MAAM,GAC7B;AAAA,IAEF,OAAO;AACL,iBAAW;AACX,oBAAc,IAAI,UAAU,QAAQ;AACpC,aAAO;AAAA,IACT;AAAA,EACF;AAIA,QAAM,WAAW,MAAM,mBAAmB;AAC1C,MAAI,UAAU;AACZ,QAAI;AACF,YAAM,mBAAmB,YAAY,KAAK,KAAK,GAAG,QAAQ,GAAG,aAAa,UAAU,QAAQ,OAAO;AACnG,YAAM,OAAO,MAAM,SAAS,EAAE,UAAU,YAAY,KAAK,eAAe,UAAU,iBAAiB,CAAC;AACpG,UAAI,MAAM,QAAQ;AAChB,mBAAW,KAAK;AAChB,YAAI,MAAM,kCAAkC,UAAU,+BAA+B,KAAK,UAAU,SAAS,WAAW,KAAK,QAAQ,SAAS,GAAG;AACjJ,sBAAc,IAAI,UAAU,QAAQ;AACpC,eAAO;AAAA,MACT;AAAA,IACF,SAAS,KAAK;AACZ,UAAI;AAAA,QACF,gDAAgD,UAAU,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MAClH;AAAA,IACF;AAAA,EACF;AAGA,aAAW,eAAe,UAAU;AACpC,MAAI,UAAU;AACZ,QAAI,MAAM,kCAAkC,UAAU,6BAA6B;AAAA,EACrF,OAAO;AACL,QAAI,MAAM,2CAA2C,UAAU,mBAAc;AAAA,EAC/E;AAIA,MAAI,UAAU;AACZ,kBAAc,IAAI,UAAU,QAAQ;AAAA,EACtC;AACA,SAAO;AACT;AAKA,SAAS,eAAe,YAAwC;AAC9D,QAAM,aAAa,WAAW,YAAY,EAAE,QAAQ,cAAc,GAAG;AACrE,QAAM,aAAa;AAAA,IACjB,GAAG,UAAU;AAAA,IACb,GAAG,UAAU;AAAA,EACf;AACA,aAAW,UAAU,YAAY;AAC/B,UAAM,QAAQ,WAAW,MAAM;AAC/B,QAAI,SAAS,MAAM,KAAK,EAAE,SAAS,GAAG;AACpC,aAAO,MAAM,KAAK;AAAA,IACpB;AAAA,EACF;AACA,SAAO;AACT;AASA,eAAsB,gCAA0E;AAE9F,QAAM,mBAAmB;AACzB,SAAO;AACT;AAKO,SAAS,mBAAyB;AACvC,gBAAc,MAAM;AACpB,8BAA4B;AAC5B,4BAA0B;AAC1B,oBAAkB;AAClB,yBAAuB;AACzB;","names":[]}

package/dist/chunk-OOSWAUYB.js

@@ -0,0 +1,47 @@
+import {
+  log
+} from "./chunk-KWBU5S5U.js";
+
+// src/models-json.ts
+import { readFileSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var _cachedProviders = null;
+var _loadAttempted = false;
+function loadModelsJsonProviders() {
+  if (_loadAttempted) {
+    return _cachedProviders ?? {};
+  }
+  _loadAttempted = true;
+  try {
+    const modelsPath = join(homedir(), ".openclaw", "agents", "main", "agent", "models.json");
+    const raw = readFileSync(modelsPath, "utf-8");
+    const parsed = JSON.parse(raw);
+    const providers = parsed?.providers;
+    if (providers && typeof providers === "object" && !Array.isArray(providers)) {
+      _cachedProviders = providers;
+      log.debug(`loaded ${Object.keys(_cachedProviders).length} providers from models.json`);
+      return _cachedProviders;
+    }
+  } catch (err) {
+    log.debug(
+      `could not load models.json: ${err instanceof Error ? err.message : String(err)}`
+    );
+  }
+  return {};
+}
+function clearModelsJsonCache() {
+  _cachedProviders = null;
+  _loadAttempted = false;
+}
+function __setModelsJsonForTest(providers) {
+  _cachedProviders = providers;
+  _loadAttempted = true;
+}
+
+export {
+  loadModelsJsonProviders,
+  clearModelsJsonCache,
+  __setModelsJsonForTest
+};
+//# sourceMappingURL=chunk-OOSWAUYB.js.map

package/dist/chunk-OOSWAUYB.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/models-json.ts"],"sourcesContent":["import { readFileSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport { homedir } from \"node:os\";\nimport { log } from \"./logger.js\";\nimport type { ModelProviderConfig } from \"./types.js\";\n\n/**\n * Read the gateway's materialized models.json to get the full provider map,\n * including built-in providers (openai-codex, google-vertex, etc.) that are\n * not declared in the user's openclaw.json but are registered by gateway\n * plugins at runtime.\n *\n * The gateway writes models.json to ~/.openclaw/agents/main/agent/models.json\n * with all providers merged: user-defined (from openclaw.json) + built-in\n * (from plugin catalogs). Each entry has the correct baseUrl, api format,\n * and auth mode for that provider.\n *\n * Results are cached for the process lifetime since models.json only changes\n * when the gateway restarts or `openclaw models` commands run.\n */\n\nlet _cachedProviders: Record<string, ModelProviderConfig> | null = null;\nlet _loadAttempted = false;\n\n/**\n * Load the full providers map from the gateway's models.json.\n * Returns an empty object if the file doesn't exist or can't be parsed.\n */\nexport function loadModelsJsonProviders(): Record<string, ModelProviderConfig> {\n  if (_loadAttempted) {\n    return _cachedProviders ?? {};\n  }\n  _loadAttempted = true;\n\n  try {\n    const modelsPath = join(homedir(), \".openclaw\", \"agents\", \"main\", \"agent\", \"models.json\");\n    const raw = readFileSync(modelsPath, \"utf-8\");\n    const parsed = JSON.parse(raw);\n    const providers = parsed?.providers;\n\n    if (providers && typeof providers === \"object\" && !Array.isArray(providers)) {\n      _cachedProviders = providers as Record<string, ModelProviderConfig>;\n      log.debug(`loaded ${Object.keys(_cachedProviders).length} providers from models.json`);\n      return _cachedProviders;\n    }\n  } catch (err) {\n    log.debug(\n      `could not load models.json: ${err instanceof Error ? err.message : String(err)}`,\n    );\n  }\n\n  return {};\n}\n\n/**\n * Clear the cached providers (useful for testing).\n */\nexport function clearModelsJsonCache(): void {\n  _cachedProviders = null;\n  _loadAttempted = false;\n}\n\n/**\n * Inject a providers map for testing, bypassing file I/O.\n */\nexport function __setModelsJsonForTest(providers: Record<string, ModelProviderConfig>): void {\n  _cachedProviders = providers;\n  _loadAttempted = true;\n}\n"],"mappings":";;;;;AAAA,SAAS,oBAAoB;AAC7B,SAAS,YAAY;AACrB,SAAS,eAAe;AAmBxB,IAAI,mBAA+D;AACnE,IAAI,iBAAiB;AAMd,SAAS,0BAA+D;AAC7E,MAAI,gBAAgB;AAClB,WAAO,oBAAoB,CAAC;AAAA,EAC9B;AACA,mBAAiB;AAEjB,MAAI;AACF,UAAM,aAAa,KAAK,QAAQ,GAAG,aAAa,UAAU,QAAQ,SAAS,aAAa;AACxF,UAAM,MAAM,aAAa,YAAY,OAAO;AAC5C,UAAM,SAAS,KAAK,MAAM,GAAG;AAC7B,UAAM,YAAY,QAAQ;AAE1B,QAAI,aAAa,OAAO,cAAc,YAAY,CAAC,MAAM,QAAQ,SAAS,GAAG;AAC3E,yBAAmB;AACnB,UAAI,MAAM,UAAU,OAAO,KAAK,gBAAgB,EAAE,MAAM,6BAA6B;AACrF,aAAO;AAAA,IACT;AAAA,EACF,SAAS,KAAK;AACZ,QAAI;AAAA,MACF,+BAA+B,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,IACjF;AAAA,EACF;AAEA,SAAO,CAAC;AACV;AAKO,SAAS,uBAA6B;AAC3C,qBAAmB;AACnB,mBAAiB;AACnB;AAKO,SAAS,uBAAuB,WAAsD;AAC3F,qBAAmB;AACnB,mBAAiB;AACnB;","names":[]}

package/dist/{chunk-YAPUAHAY.js → chunk-OTFNI3OO.js}

@@ -1,13 +1,13 @@
+import {
+  CompoundingEngine,
+  SharedContextManager,
+  defaultTierMigrationCycleBudget
+} from "./chunk-UYSKNO6E.js";
 import {
   applyUtilityPromotionRuntimePolicy,
   applyUtilityRankingRuntimeDelta,
   loadUtilityRuntimeValues
 } from "./chunk-IFFFR3MR.js";
-import {
-  CompoundingEngine,
-  SharedContextManager,
-  defaultTierMigrationCycleBudget
-} from "./chunk-TKO4HZCK.js";
 import {
   TierMigrationExecutor
 } from "./chunk-Z5AAYHUC.js";
@@ -25,25 +25,7 @@ import {
 } from "./chunk-ZKYI7UVO.js";
 import {
   HourlySummarizer
-} from "./chunk-CDW777AI.js";
-import {
-  applyRuntimeRetrievalPolicy
-} from "./chunk-G3AG3KZN.js";
-import {
-  buildConsolidationPrompt,
-  findSimilarClusters,
-  parseConsolidationResponse
-} from "./chunk-2CJCWDMR.js";
-import {
-  findUnresolvedEntityRefs
-} from "./chunk-X7XN6YU4.js";
-import {
-  RelevanceStore
-} from "./chunk-BRK4ODMI.js";
-import {
-  RerankCache,
-  rerankLocalOrNoop
-} from "./chunk-C7VW7C3F.js";
+} from "./chunk-LP47L3ZX.js";
 import {
   mergeWithAgentResults,
   runDirectAgent,
@@ -62,6 +44,29 @@ import {
   recencyWindowFromPrompt,
   resolvePromptTagPrefilterAsync
 } from "./chunk-V3RXWQIE.js";
+import {
+  applyRuntimeRetrievalPolicy
+} from "./chunk-G3AG3KZN.js";
+import {
+  buildConsolidationPrompt,
+  findSimilarClusters,
+  parseConsolidationResponse
+} from "./chunk-2CJCWDMR.js";
+import {
+  LastRecallStore,
+  TierMigrationStatusStore,
+  clampGraphRecallExpandedEntries
+} from "./chunk-HG2NKWR2.js";
+import {
+  findUnresolvedEntityRefs
+} from "./chunk-X7XN6YU4.js";
+import {
+  RelevanceStore
+} from "./chunk-BRK4ODMI.js";
+import {
+  RerankCache,
+  rerankLocalOrNoop
+} from "./chunk-C7VW7C3F.js";
 import {
   buildQmdRecallCacheKey,
   getCachedQmdRecall,
@@ -70,11 +75,6 @@ import {
 import {
   createRecallSectionMetricRecorder
 } from "./chunk-L5RPWGFK.js";
-import {
-  LastRecallStore,
-  TierMigrationStatusStore,
-  clampGraphRecallExpandedEntries
-} from "./chunk-HG2NKWR2.js";
 import {
   NegativeExampleStore
 } from "./chunk-GJR6D6KC.js";
@@ -89,7 +89,7 @@ import {
 } from "./chunk-WWIQTB2Y.js";
 import {
   ExtractionEngine
-} from "./chunk-QFQVZOGA.js";
+} from "./chunk-6UJQNRIO.js";
 import {
   parseMemoryActionEligibilityContext
 } from "./chunk-MWGVGUIS.js";
@@ -199,7 +199,7 @@ import {
 } from "./chunk-XYIK4LF6.js";
 import {
   FallbackLlmClient
-} from "./chunk-KT4NEUNF.js";
+} from "./chunk-XUHI52HK.js";
 import {
   BoxBuilder
 } from "./chunk-M5KEYE5E.js";
@@ -10758,4 +10758,4 @@ export {
   resolvePersistedMemoryRelativePath,
   Orchestrator
 };
-//# sourceMappingURL=chunk-YAPUAHAY.js.map
+//# sourceMappingURL=chunk-OTFNI3OO.js.map

package/dist/{chunk-TKO4HZCK.js → chunk-UYSKNO6E.js}

@@ -1849,4 +1849,4 @@ export {
   defaultTierMigrationCycleBudget,
   CompoundingEngine
 };
-//# sourceMappingURL=chunk-TKO4HZCK.js.map
+//# sourceMappingURL=chunk-UYSKNO6E.js.map

package/dist/{chunk-KT4NEUNF.js → chunk-XUHI52HK.js}

@@ -1,6 +1,10 @@
 import {
+  getGatewayRuntimeAuthForModel,
   resolveProviderApiKey
-} from "./chunk-LU3GQNDQ.js";
+} from "./chunk-M5ZBBBJI.js";
+import {
+  loadModelsJsonProviders
+} from "./chunk-OOSWAUYB.js";
 import {
   buildChatCompletionTokenLimit,
   shouldAssumeOpenAiChatCompletions
@@ -122,8 +126,7 @@ var FallbackLlmClient = class {
    */
   getModelChain(agentId) {
     const chain = [];
-    const providers = this.gatewayConfig?.models?.providers;
-    if (!providers) return chain;
+    const providers = this.gatewayConfig?.models?.providers ?? {};
     let modelConfig;
     if (agentId) {
       const persona = this.gatewayConfig?.agents?.list?.find(
@@ -171,7 +174,7 @@ var FallbackLlmClient = class {
     }
     const providerId = parts[0];
     const modelId = parts.slice(1).join("/");
-    const providerConfig = providers[providerId];
+    const providerConfig = providers[providerId] ?? this.resolveFromModelsJson(providerId);
     if (!providerConfig) {
       log.warn(`fallback LLM: provider not found: ${providerId}`);
       return null;
@@ -179,36 +182,91 @@ var FallbackLlmClient = class {
     return { providerId, modelId, providerConfig, modelString };
   }
   /**
-   * Resolve the API key for a provider, handling OpenClaw secret ref formats.
-   * Results are cached per provider so exec calls only happen once.
+   * Look up a provider from the gateway's materialized models.json, which
+   * contains all providers including built-in ones (openai-codex, google-vertex,
+   * etc.) that aren't in the user's openclaw.json but are registered by
+   * gateway plugins. Returns null if the provider isn't found there either.
    */
-  async resolveApiKey(providerId, providerConfig) {
-    return resolveProviderApiKey(providerId, providerConfig.apiKey, this.gatewayConfig);
+  resolveFromModelsJson(providerId) {
+    const allProviders = loadModelsJsonProviders();
+    const config = allProviders[providerId];
+    if (config) {
+      log.debug(`fallback LLM: resolved provider "${providerId}" from models.json (api: ${config.api ?? "default"})`);
+      return config;
+    }
+    return null;
   }
   /**
    * Try to call a single model.
+   *
+   * Uses the gateway's native getRuntimeAuthForModel when available — this
+   * handles all provider-specific auth transforms (OAuth token exchange,
+   * base URL overrides for codex/copilot/etc.) through the same codepath
+   * the gateway itself uses. Falls back to resolveProviderApiKey for
+   * simpler providers or when the runtime module isn't loaded.
    */
   async tryModel(model, messages, options) {
+    const runtimeAuth = await this.resolveRuntimeAuth(model);
+    const effectiveBaseUrl = runtimeAuth?.baseUrl ?? model.providerConfig.baseUrl;
+    const resolvedApiKey = runtimeAuth?.apiKey ?? await this.resolveFallbackApiKey(model);
     const rawKey = model.providerConfig.apiKey;
     const needsResolution = rawKey === "secretref-managed" || typeof rawKey === "object" && rawKey !== null;
-    const resolvedApiKey = await this.resolveApiKey(model.providerId, model.providerConfig);
     if (needsResolution && !resolvedApiKey) {
       throw new Error(`API key for provider "${model.providerId}" could not be resolved from secret ref`);
     }
-    const configWithResolvedKey = resolvedApiKey ? { ...model.providerConfig, apiKey: resolvedApiKey } : model.providerConfig;
-    switch (model.providerConfig.api) {
-      case "anthropic-messages":
-        return await this.callAnthropic(configWithResolvedKey, model.modelId, messages, options);
-      case "openai-completions":
-      default:
-        return await this.callOpenAI(
-          configWithResolvedKey,
-          model.modelId,
-          messages,
-          options,
-          shouldAssumeOpenAiChatCompletions(model.providerConfig.baseUrl)
+    const effectiveConfig = {
+      ...model.providerConfig,
+      baseUrl: effectiveBaseUrl,
+      ...resolvedApiKey ? { apiKey: resolvedApiKey } : {}
+    };
+    if (model.providerConfig.api === "anthropic-messages") {
+      return await this.callAnthropic(effectiveConfig, model.modelId, messages, options);
+    }
+    return await this.callOpenAI(
+      effectiveConfig,
+      model.modelId,
+      messages,
+      options,
+      shouldAssumeOpenAiChatCompletions(effectiveConfig.baseUrl)
+    );
+  }
+  /**
+   * Resolve request-ready auth through the gateway's native runtime, which
+   * handles provider-specific transforms (OAuth token exchange for codex/copilot,
+   * base URL rewrite, etc.). Returns null if the runtime isn't available.
+   */
+  async resolveRuntimeAuth(model) {
+    try {
+      const getRuntimeAuth = await getGatewayRuntimeAuthForModel();
+      if (!getRuntimeAuth) return null;
+      const result = await getRuntimeAuth({
+        model: {
+          provider: model.providerId,
+          id: model.modelId,
+          api: model.providerConfig.api,
+          baseUrl: model.providerConfig.baseUrl
+        },
+        cfg: this.gatewayConfig
+      });
+      if (result?.apiKey || result?.baseUrl) {
+        log.debug(
+          `fallback LLM: resolved runtime auth for "${model.modelString}" (source: ${result.source ?? "unknown"}, mode: ${result.mode ?? "unknown"})`
         );
+        return { apiKey: result.apiKey, baseUrl: result.baseUrl };
+      }
+    } catch (err) {
+      log.debug(
+        `fallback LLM: gateway runtime auth failed for "${model.modelString}": ${err instanceof Error ? err.message : String(err)}`
+      );
     }
+    return null;
+  }
+  /**
+   * Resolve API key through the existing provider-level resolution (env vars,
+   * secret refs, etc.). Used as fallback when gateway runtime auth isn't available.
+   */
+  async resolveFallbackApiKey(model) {
+    return resolveProviderApiKey(model.providerId, model.providerConfig.apiKey, this.gatewayConfig);
   }
   /**
    * Call OpenAI-compatible API.
@@ -312,4 +370,4 @@ var FallbackLlmClient = class {
 export {
   FallbackLlmClient
 };
-//# sourceMappingURL=chunk-KT4NEUNF.js.map
+//# sourceMappingURL=chunk-XUHI52HK.js.map

package/dist/chunk-XUHI52HK.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/fallback-llm.ts"],"sourcesContent":["import { log } from \"./logger.js\";\nimport type { GatewayConfig, ModelProviderConfig, AgentPersona } from \"./types.js\";\nimport { extractJsonCandidates } from \"./json-extract.js\";\nimport {\n  buildChatCompletionTokenLimit,\n  shouldAssumeOpenAiChatCompletions,\n} from \"./openai-chat-compat.js\";\nimport { resolveProviderApiKey, getGatewayRuntimeAuthForModel } from \"./resolve-provider-secret.js\";\nimport { loadModelsJsonProviders } from \"./models-json.js\";\n\nexport interface FallbackLlmOptions {\n  temperature?: number;\n  maxTokens?: number;\n  timeoutMs?: number;\n  /** Override which agent persona's model chain to use (by ID from agents.list[]). */\n  agentId?: string;\n}\n\nexport interface FallbackLlmResponse {\n  content: string;\n  modelUsed: string;\n  usage?: {\n    inputTokens?: number;\n    outputTokens?: number;\n    totalTokens?: number;\n  };\n}\n\ninterface ModelRef {\n  providerId: string;\n  modelId: string;\n  providerConfig: ModelProviderConfig;\n  modelString: string;\n}\n\n/**\n * Generic fallback LLM client that uses the gateway's default AI configuration\n * and walks through the full fallback chain (primary + fallbacks).\n * Supports OpenAI and Anthropic API formats.\n */\nexport class FallbackLlmClient {\n  private gatewayConfig: GatewayConfig | undefined;\n\n  constructor(gatewayConfig?: GatewayConfig) {\n    this.gatewayConfig = gatewayConfig;\n  }\n\n  /**\n   * Check if fallback is available (gateway config has at least one model).\n   */\n  isAvailable(agentId?: string): boolean {\n    const models = this.getModelChain(agentId);\n    return models.length > 0;\n  }\n\n  /**\n   * Make a chat completion request using the gateway's default AI chain.\n   * Tries primary first, then each fallback in order.\n   * When agentId is provided, uses that agent persona's model chain instead of defaults.\n   */\n  async chatCompletion(\n    messages: Array<{ role: \"system\" | \"user\" | \"assistant\"; content: string }>,\n    options: FallbackLlmOptions = {},\n  ): Promise<FallbackLlmResponse | null> {\n    const models = this.getModelChain(options.agentId);\n    if (models.length === 0) {\n      log.warn(\"fallback LLM: no models configured in gateway\");\n      return null;\n    }\n\n    const runChain = async (): Promise<FallbackLlmResponse | null> => {\n      // Try each model in the chain\n      for (let i = 0; i < models.length; i++) {\n        const model = models[i];\n        const isFallback = i > 0;\n\n        try {\n          const result = await this.tryModel(model, messages, options);\n          if (result) {\n            if (isFallback) {\n              log.debug(`fallback LLM: succeeded using ${model.modelString} (fallback ${i})`);\n            }\n            return {\n              content: result.content,\n              modelUsed: model.modelString,\n              usage: result.usage,\n            };\n          }\n        } catch (err) {\n          const errorMsg = err instanceof Error ? err.message : String(err);\n          log.debug(`fallback LLM: ${model.modelString} failed (${errorMsg}), trying next...`);\n          // Continue to next model in chain\n        }\n      }\n\n      log.warn(`fallback LLM: all ${models.length} models in chain failed`);\n      return null;\n    };\n\n    if (typeof options.timeoutMs === \"number\") {\n      if (options.timeoutMs <= 0) {\n        log.warn(\"fallback LLM: timed out before request started\");\n        return null;\n      }\n      let timeoutHandle: ReturnType<typeof setTimeout> | undefined;\n      try {\n        return await Promise.race([\n          runChain(),\n          new Promise<null>((resolve) => {\n            timeoutHandle = setTimeout(() => {\n              log.warn(`fallback LLM: timed out after ${options.timeoutMs}ms`);\n              resolve(null);\n            }, options.timeoutMs);\n          }),\n        ]);\n      } finally {\n        if (timeoutHandle) clearTimeout(timeoutHandle);\n      }\n    }\n\n    return await runChain();\n  }\n\n  /**\n   * Make a request with structured output (Zod schema).\n   * Returns parsed JSON or null on failure.\n   */\n  async parseWithSchema<T>(\n    messages: Array<{ role: \"system\" | \"user\" | \"assistant\"; content: string }>,\n    schema: { parse: (data: unknown) => T },\n    options: FallbackLlmOptions = {},\n  ): Promise<T | null> {\n    const detailed = await this.parseWithSchemaDetailed(messages, schema, options);\n    return detailed?.result ?? null;\n  }\n\n  /**\n   * Like parseWithSchema but also returns the model that was used,\n   * so callers can emit accurate trace events.\n   */\n  async parseWithSchemaDetailed<T>(\n    messages: Array<{ role: \"system\" | \"user\" | \"assistant\"; content: string }>,\n    schema: { parse: (data: unknown) => T },\n    options: FallbackLlmOptions = {},\n  ): Promise<{ result: T; modelUsed: string } | null> {\n    const response = await this.chatCompletion(messages, options);\n    if (!response?.content) return null;\n\n    try {\n      const candidates = extractJsonCandidates(response.content);\n      for (const c of candidates) {\n        try {\n          const parsed = JSON.parse(c);\n          return { result: schema.parse(parsed), modelUsed: response.modelUsed };\n        } catch {\n          // keep trying other candidates\n        }\n      }\n      return null;\n    } catch (err) {\n      log.warn(\"fallback LLM: failed to parse structured output:\", err);\n      return null;\n    }\n  }\n\n  /**\n   * Get the full model chain from gateway config.\n   * Returns array of models in order: [primary, fallback1, fallback2, ...]\n   *\n   * When agentId is provided, looks up the matching entry in agents.list[]\n   * and uses that persona's model chain. Falls back to agents.defaults.model\n   * if agentId is not found or not provided.\n   */\n  private getModelChain(agentId?: string): ModelRef[] {\n    const chain: ModelRef[] = [];\n    const providers = this.gatewayConfig?.models?.providers ?? {};\n\n    // Resolve the model config: agent persona chain or global defaults\n    let modelConfig: { primary?: string; fallbacks?: string[] } | undefined;\n\n    if (agentId) {\n      const persona = this.gatewayConfig?.agents?.list?.find(\n        (a) => a.id === agentId,\n      );\n      if (persona?.model) {\n        modelConfig = persona.model;\n        log.debug(`fallback LLM: using agent persona \"${agentId}\" model chain`);\n      } else {\n        log.warn(\n          `fallback LLM: agent persona \"${agentId}\" not found or has no model config, falling back to defaults`,\n        );\n      }\n    }\n\n    if (!modelConfig) {\n      modelConfig = this.gatewayConfig?.agents?.defaults?.model;\n    }\n\n    // Build list of model strings: primary + fallbacks\n    const modelStrings: string[] = [];\n\n    if (modelConfig?.primary) {\n      modelStrings.push(modelConfig.primary);\n    }\n\n    if (Array.isArray(modelConfig?.fallbacks)) {\n      for (const fb of modelConfig.fallbacks) {\n        if (typeof fb === \"string\" && !modelStrings.includes(fb)) {\n          modelStrings.push(fb);\n        }\n      }\n    }\n\n    // Parse each model string and look up provider config\n    for (const modelString of modelStrings) {\n      const modelRef = this.parseModelString(modelString, providers);\n      if (modelRef) {\n        chain.push(modelRef);\n      }\n    }\n\n    return chain;\n  }\n\n  /**\n   * Parse a \"provider/model\" string and look up its config.\n   */\n  private parseModelString(\n    modelString: string,\n    providers: Record<string, ModelProviderConfig>,\n  ): ModelRef | null {\n    // Parse \"provider/model\" format (e.g., \"openai/gpt-5.2\", \"anthropic/claude-opus-4-6\")\n    const parts = modelString.split(\"/\");\n    if (parts.length < 2) {\n      log.warn(`fallback LLM: invalid model format: ${modelString}`);\n      return null;\n    }\n\n    const providerId = parts[0];\n    const modelId = parts.slice(1).join(\"/\"); // Handle cases like \"openai/gpt-5.2-turbo\"\n\n    // Look up explicit config first; fall back to the gateway's materialized\n    // models.json which contains built-in providers (openai-codex, etc.)\n    const providerConfig = providers[providerId] ?? this.resolveFromModelsJson(providerId);\n    if (!providerConfig) {\n      log.warn(`fallback LLM: provider not found: ${providerId}`);\n      return null;\n    }\n\n    return { providerId, modelId, providerConfig, modelString };\n  }\n\n  /**\n   * Look up a provider from the gateway's materialized models.json, which\n   * contains all providers including built-in ones (openai-codex, google-vertex,\n   * etc.) that aren't in the user's openclaw.json but are registered by\n   * gateway plugins. Returns null if the provider isn't found there either.\n   */\n  private resolveFromModelsJson(providerId: string): ModelProviderConfig | null {\n    const allProviders = loadModelsJsonProviders();\n    const config = allProviders[providerId];\n    if (config) {\n      log.debug(`fallback LLM: resolved provider \"${providerId}\" from models.json (api: ${config.api ?? \"default\"})`);\n      return config;\n    }\n    return null;\n  }\n\n  /**\n   * Try to call a single model.\n   *\n   * Uses the gateway's native getRuntimeAuthForModel when available — this\n   * handles all provider-specific auth transforms (OAuth token exchange,\n   * base URL overrides for codex/copilot/etc.) through the same codepath\n   * the gateway itself uses. Falls back to resolveProviderApiKey for\n   * simpler providers or when the runtime module isn't loaded.\n   */\n  private async tryModel(\n    model: ModelRef,\n    messages: Array<{ role: \"system\" | \"user\" | \"assistant\"; content: string }>,\n    options: FallbackLlmOptions,\n  ): Promise<{ content: string; usage?: FallbackLlmResponse[\"usage\"] } | null> {\n    // Try the gateway's native runtime auth first — it handles all provider-\n    // specific transforms (OAuth exchange, base URL rewrite, etc.)\n    const runtimeAuth = await this.resolveRuntimeAuth(model);\n    const effectiveBaseUrl = runtimeAuth?.baseUrl ?? model.providerConfig.baseUrl;\n    const resolvedApiKey = runtimeAuth?.apiKey ?? await this.resolveFallbackApiKey(model);\n\n    // If the raw key looks like an unresolved secret ref and resolution fails,\n    // skip this provider entirely so the chain falls through to the next.\n    const rawKey = model.providerConfig.apiKey;\n    const needsResolution = rawKey === \"secretref-managed\"\n      || (typeof rawKey === \"object\" && rawKey !== null);\n    if (needsResolution && !resolvedApiKey) {\n      throw new Error(`API key for provider \"${model.providerId}\" could not be resolved from secret ref`);\n    }\n\n    const effectiveConfig: ModelProviderConfig = {\n      ...model.providerConfig,\n      baseUrl: effectiveBaseUrl,\n      ...(resolvedApiKey ? { apiKey: resolvedApiKey } : {}),\n    };\n\n    if (model.providerConfig.api === \"anthropic-messages\") {\n      return await this.callAnthropic(effectiveConfig, model.modelId, messages, options);\n    }\n\n    // For OpenAI-compatible APIs (openai-completions, openai-responses,\n    // openai-codex-responses, ollama, etc.) and unknown formats, use\n    // OpenAI chat completions — the gateway's runtime auth resolver returns\n    // request-ready base URL and credentials for most providers.\n    return await this.callOpenAI(\n      effectiveConfig,\n      model.modelId,\n      messages,\n      options,\n      shouldAssumeOpenAiChatCompletions(effectiveConfig.baseUrl),\n    );\n  }\n\n  /**\n   * Resolve request-ready auth through the gateway's native runtime, which\n   * handles provider-specific transforms (OAuth token exchange for codex/copilot,\n   * base URL rewrite, etc.). Returns null if the runtime isn't available.\n   */\n  private async resolveRuntimeAuth(\n    model: ModelRef,\n  ): Promise<{ apiKey?: string; baseUrl?: string } | null> {\n    try {\n      const getRuntimeAuth = await getGatewayRuntimeAuthForModel();\n      if (!getRuntimeAuth) return null;\n\n      const result = await getRuntimeAuth({\n        model: {\n          provider: model.providerId,\n          id: model.modelId,\n          api: model.providerConfig.api,\n          baseUrl: model.providerConfig.baseUrl,\n        },\n        cfg: this.gatewayConfig,\n      });\n\n      if (result?.apiKey || result?.baseUrl) {\n        log.debug(\n          `fallback LLM: resolved runtime auth for \"${model.modelString}\" (source: ${result.source ?? \"unknown\"}, mode: ${result.mode ?? \"unknown\"})`,\n        );\n        return { apiKey: result.apiKey, baseUrl: result.baseUrl };\n      }\n    } catch (err) {\n      log.debug(\n        `fallback LLM: gateway runtime auth failed for \"${model.modelString}\": ${err instanceof Error ? err.message : String(err)}`,\n      );\n    }\n    return null;\n  }\n\n  /**\n   * Resolve API key through the existing provider-level resolution (env vars,\n   * secret refs, etc.). Used as fallback when gateway runtime auth isn't available.\n   */\n  private async resolveFallbackApiKey(model: ModelRef): Promise<string | undefined> {\n    return resolveProviderApiKey(model.providerId, model.providerConfig.apiKey, this.gatewayConfig);\n  }\n\n  /**\n   * Call OpenAI-compatible API.\n   */\n  private async callOpenAI(\n    config: ModelProviderConfig,\n    modelId: string,\n    messages: Array<{ role: \"system\" | \"user\" | \"assistant\"; content: string }>,\n    options: FallbackLlmOptions,\n    assumeOpenAI: boolean,\n  ): Promise<{ content: string; usage?: FallbackLlmResponse[\"usage\"] } | null> {\n    const base = config.baseUrl.replace(/\\/$/, \"\");\n    const url = base.endsWith(\"/v1\")\n      ? `${base}/chat/completions`\n      : `${base}/v1/chat/completions`;\n\n    const headers: Record<string, string> = {\n      \"Content-Type\": \"application/json\",\n      ...config.headers,\n    };\n\n    // Handle auth — apiKey is already resolved to a string by tryModel()\n    if (config.apiKey && typeof config.apiKey === \"string\") {\n      if (config.authHeader !== false) {\n        headers[\"Authorization\"] = `Bearer ${config.apiKey}`;\n      }\n    }\n\n    const body = {\n      model: modelId,\n      messages,\n      temperature: options.temperature ?? 0.3,\n      ...buildChatCompletionTokenLimit(modelId, options.maxTokens ?? 4096, {\n        assumeOpenAI,\n      }),\n    };\n\n    const response = await fetch(url, {\n      method: \"POST\",\n      headers,\n      body: JSON.stringify(body),\n    });\n\n    if (!response.ok) {\n      const error = await response.text();\n      throw new Error(`OpenAI API error: ${response.status} ${error}`);\n    }\n\n    const data = (await response.json()) as {\n      choices: Array<{\n        message: {\n          content: string;\n        };\n      }>;\n      usage?: {\n        prompt_tokens?: number;\n        completion_tokens?: number;\n        total_tokens?: number;\n      };\n    };\n\n    const content = data.choices?.[0]?.message?.content;\n    if (!content) {\n      throw new Error(\"Empty response from OpenAI API\");\n    }\n\n    return {\n      content,\n      usage: data.usage\n        ? {\n            inputTokens: data.usage.prompt_tokens,\n            outputTokens: data.usage.completion_tokens,\n            totalTokens: data.usage.total_tokens,\n          }\n        : undefined,\n    };\n  }\n\n  /**\n   * Call Anthropic Messages API.\n   */\n  private async callAnthropic(\n    config: ModelProviderConfig,\n    modelId: string,\n    messages: Array<{ role: \"system\" | \"user\" | \"assistant\"; content: string }>,\n    options: FallbackLlmOptions,\n  ): Promise<{ content: string; usage?: FallbackLlmResponse[\"usage\"] } | null> {\n    const url = `${config.baseUrl.replace(/\\/$/, \"\")}/messages`;\n\n    const headers: Record<string, string> = {\n      \"Content-Type\": \"application/json\",\n      \"anthropic-version\": \"2023-06-01\",\n      ...config.headers,\n    };\n\n    // Handle auth - Anthropic uses x-api-key header (apiKey resolved by tryModel)\n    if (config.apiKey && typeof config.apiKey === \"string\") {\n      headers[\"x-api-key\"] = config.apiKey;\n    }\n\n    // Extract system message (Anthropic handles it separately)\n    const systemMessage = messages.find((m) => m.role === \"system\")?.content;\n    const nonSystemMessages = messages.filter((m) => m.role !== \"system\");\n\n    // Convert messages to Anthropic format\n    const anthropicMessages = nonSystemMessages.map((m) => ({\n      role: m.role,\n      content: m.content,\n    }));\n\n    const body: Record<string, unknown> = {\n      model: modelId,\n      messages: anthropicMessages,\n      max_tokens: options.maxTokens ?? 4096,\n      temperature: options.temperature ?? 0.3,\n    };\n\n    if (systemMessage) {\n      body.system = systemMessage;\n    }\n\n    const response = await fetch(url, {\n      method: \"POST\",\n      headers,\n      body: JSON.stringify(body),\n    });\n\n    if (!response.ok) {\n      const error = await response.text();\n      throw new Error(`Anthropic API error: ${response.status} ${error}`);\n    }\n\n    const data = (await response.json()) as {\n      content: Array<{\n        type: string;\n        text: string;\n      }>;\n      usage?: {\n        input_tokens?: number;\n        output_tokens?: number;\n      };\n    };\n\n    const content = data.content?.[0]?.text;\n    if (!content) {\n      throw new Error(\"Empty response from Anthropic API\");\n    }\n\n    return {\n      content,\n      usage: data.usage\n        ? {\n            inputTokens: data.usage.input_tokens,\n            outputTokens: data.usage.output_tokens,\n            totalTokens: (data.usage.input_tokens ?? 0) + (data.usage.output_tokens ?? 0),\n          }\n        : undefined,\n    };\n  }\n}\n"],"mappings":";;;;;;;;;;;;;;;;;;;AAwCO,IAAM,oBAAN,MAAwB;AAAA,EACrB;AAAA,EAER,YAAY,eAA+B;AACzC,SAAK,gBAAgB;AAAA,EACvB;AAAA;AAAA;AAAA;AAAA,EAKA,YAAY,SAA2B;AACrC,UAAM,SAAS,KAAK,cAAc,OAAO;AACzC,WAAO,OAAO,SAAS;AAAA,EACzB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,eACJ,UACA,UAA8B,CAAC,GACM;AACrC,UAAM,SAAS,KAAK,cAAc,QAAQ,OAAO;AACjD,QAAI,OAAO,WAAW,GAAG;AACvB,UAAI,KAAK,+CAA+C;AACxD,aAAO;AAAA,IACT;AAEA,UAAM,WAAW,YAAiD;AAEhE,eAAS,IAAI,GAAG,IAAI,OAAO,QAAQ,KAAK;AACtC,cAAM,QAAQ,OAAO,CAAC;AACtB,cAAM,aAAa,IAAI;AAEvB,YAAI;AACF,gBAAM,SAAS,MAAM,KAAK,SAAS,OAAO,UAAU,OAAO;AAC3D,cAAI,QAAQ;AACV,gBAAI,YAAY;AACd,kBAAI,MAAM,iCAAiC,MAAM,WAAW,cAAc,CAAC,GAAG;AAAA,YAChF;AACA,mBAAO;AAAA,cACL,SAAS,OAAO;AAAA,cAChB,WAAW,MAAM;AAAA,cACjB,OAAO,OAAO;AAAA,YAChB;AAAA,UACF;AAAA,QACF,SAAS,KAAK;AACZ,gBAAM,WAAW,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG;AAChE,cAAI,MAAM,iBAAiB,MAAM,WAAW,YAAY,QAAQ,mBAAmB;AAAA,QAErF;AAAA,MACF;AAEA,UAAI,KAAK,qBAAqB,OAAO,MAAM,yBAAyB;AACpE,aAAO;AAAA,IACT;AAEA,QAAI,OAAO,QAAQ,cAAc,UAAU;AACzC,UAAI,QAAQ,aAAa,GAAG;AAC1B,YAAI,KAAK,gDAAgD;AACzD,eAAO;AAAA,MACT;AACA,UAAI;AACJ,UAAI;AACF,eAAO,MAAM,QAAQ,KAAK;AAAA,UACxB,SAAS;AAAA,UACT,IAAI,QAAc,CAAC,YAAY;AAC7B,4BAAgB,WAAW,MAAM;AAC/B,kBAAI,KAAK,iCAAiC,QAAQ,SAAS,IAAI;AAC/D,sBAAQ,IAAI;AAAA,YACd,GAAG,QAAQ,SAAS;AAAA,UACtB,CAAC;AAAA,QACH,CAAC;AAAA,MACH,UAAE;AACA,YAAI,cAAe,cAAa,aAAa;AAAA,MAC/C;AAAA,IACF;AAEA,WAAO,MAAM,SAAS;AAAA,EACxB;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,gBACJ,UACA,QACA,UAA8B,CAAC,GACZ;AACnB,UAAM,WAAW,MAAM,KAAK,wBAAwB,UAAU,QAAQ,OAAO;AAC7E,WAAO,UAAU,UAAU;AAAA,EAC7B;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,wBACJ,UACA,QACA,UAA8B,CAAC,GACmB;AAClD,UAAM,WAAW,MAAM,KAAK,eAAe,UAAU,OAAO;AAC5D,QAAI,CAAC,UAAU,QAAS,QAAO;AAE/B,QAAI;AACF,YAAM,aAAa,sBAAsB,SAAS,OAAO;AACzD,iBAAW,KAAK,YAAY;AAC1B,YAAI;AACF,gBAAM,SAAS,KAAK,MAAM,CAAC;AAC3B,iBAAO,EAAE,QAAQ,OAAO,MAAM,MAAM,GAAG,WAAW,SAAS,UAAU;AAAA,QACvE,QAAQ;AAAA,QAER;AAAA,MACF;AACA,aAAO;AAAA,IACT,SAAS,KAAK;AACZ,UAAI,KAAK,oDAAoD,GAAG;AAChE,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUQ,cAAc,SAA8B;AAClD,UAAM,QAAoB,CAAC;AAC3B,UAAM,YAAY,KAAK,eAAe,QAAQ,aAAa,CAAC;AAG5D,QAAI;AAEJ,QAAI,SAAS;AACX,YAAM,UAAU,KAAK,eAAe,QAAQ,MAAM;AAAA,QAChD,CAAC,MAAM,EAAE,OAAO;AAAA,MAClB;AACA,UAAI,SAAS,OAAO;AAClB,sBAAc,QAAQ;AACtB,YAAI,MAAM,sCAAsC,OAAO,eAAe;AAAA,MACxE,OAAO;AACL,YAAI;AAAA,UACF,gCAAgC,OAAO;AAAA,QACzC;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,aAAa;AAChB,oBAAc,KAAK,eAAe,QAAQ,UAAU;AAAA,IACtD;AAGA,UAAM,eAAyB,CAAC;AAEhC,QAAI,aAAa,SAAS;AACxB,mBAAa,KAAK,YAAY,OAAO;AAAA,IACvC;AAEA,QAAI,MAAM,QAAQ,aAAa,SAAS,GAAG;AACzC,iBAAW,MAAM,YAAY,WAAW;AACtC,YAAI,OAAO,OAAO,YAAY,CAAC,aAAa,SAAS,EAAE,GAAG;AACxD,uBAAa,KAAK,EAAE;AAAA,QACtB;AAAA,MACF;AAAA,IACF;AAGA,eAAW,eAAe,cAAc;AACtC,YAAM,WAAW,KAAK,iBAAiB,aAAa,SAAS;AAC7D,UAAI,UAAU;AACZ,cAAM,KAAK,QAAQ;AAAA,MACrB;AAAA,IACF;AAEA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKQ,iBACN,aACA,WACiB;AAEjB,UAAM,QAAQ,YAAY,MAAM,GAAG;AACnC,QAAI,MAAM,SAAS,GAAG;AACpB,UAAI,KAAK,uCAAuC,WAAW,EAAE;AAC7D,aAAO;AAAA,IACT;AAEA,UAAM,aAAa,MAAM,CAAC;AAC1B,UAAM,UAAU,MAAM,MAAM,CAAC,EAAE,KAAK,GAAG;AAIvC,UAAM,iBAAiB,UAAU,UAAU,KAAK,KAAK,sBAAsB,UAAU;AACrF,QAAI,CAAC,gBAAgB;AACnB,UAAI,KAAK,qCAAqC,UAAU,EAAE;AAC1D,aAAO;AAAA,IACT;AAEA,WAAO,EAAE,YAAY,SAAS,gBAAgB,YAAY;AAAA,EAC5D;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQQ,sBAAsB,YAAgD;AAC5E,UAAM,eAAe,wBAAwB;AAC7C,UAAM,SAAS,aAAa,UAAU;AACtC,QAAI,QAAQ;AACV,UAAI,MAAM,oCAAoC,UAAU,4BAA4B,OAAO,OAAO,SAAS,GAAG;AAC9G,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWA,MAAc,SACZ,OACA,UACA,SAC2E;AAG3E,UAAM,cAAc,MAAM,KAAK,mBAAmB,KAAK;AACvD,UAAM,mBAAmB,aAAa,WAAW,MAAM,eAAe;AACtE,UAAM,iBAAiB,aAAa,UAAU,MAAM,KAAK,sBAAsB,KAAK;AAIpF,UAAM,SAAS,MAAM,eAAe;AACpC,UAAM,kBAAkB,WAAW,uBAC7B,OAAO,WAAW,YAAY,WAAW;AAC/C,QAAI,mBAAmB,CAAC,gBAAgB;AACtC,YAAM,IAAI,MAAM,yBAAyB,MAAM,UAAU,yCAAyC;AAAA,IACpG;AAEA,UAAM,kBAAuC;AAAA,MAC3C,GAAG,MAAM;AAAA,MACT,SAAS;AAAA,MACT,GAAI,iBAAiB,EAAE,QAAQ,eAAe,IAAI,CAAC;AAAA,IACrD;AAEA,QAAI,MAAM,eAAe,QAAQ,sBAAsB;AACrD,aAAO,MAAM,KAAK,cAAc,iBAAiB,MAAM,SAAS,UAAU,OAAO;AAAA,IACnF;AAMA,WAAO,MAAM,KAAK;AAAA,MAChB;AAAA,MACA,MAAM;AAAA,MACN;AAAA,MACA;AAAA,MACA,kCAAkC,gBAAgB,OAAO;AAAA,IAC3D;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,mBACZ,OACuD;AACvD,QAAI;AACF,YAAM,iBAAiB,MAAM,8BAA8B;AAC3D,UAAI,CAAC,eAAgB,QAAO;AAE5B,YAAM,SAAS,MAAM,eAAe;AAAA,QAClC,OAAO;AAAA,UACL,UAAU,MAAM;AAAA,UAChB,IAAI,MAAM;AAAA,UACV,KAAK,MAAM,eAAe;AAAA,UAC1B,SAAS,MAAM,eAAe;AAAA,QAChC;AAAA,QACA,KAAK,KAAK;AAAA,MACZ,CAAC;AAED,UAAI,QAAQ,UAAU,QAAQ,SAAS;AACrC,YAAI;AAAA,UACF,4CAA4C,MAAM,WAAW,cAAc,OAAO,UAAU,SAAS,WAAW,OAAO,QAAQ,SAAS;AAAA,QAC1I;AACA,eAAO,EAAE,QAAQ,OAAO,QAAQ,SAAS,OAAO,QAAQ;AAAA,MAC1D;AAAA,IACF,SAAS,KAAK;AACZ,UAAI;AAAA,QACF,kDAAkD,MAAM,WAAW,MAAM,eAAe,QAAQ,IAAI,UAAU,OAAO,GAAG,CAAC;AAAA,MAC3H;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAc,sBAAsB,OAA8C;AAChF,WAAO,sBAAsB,MAAM,YAAY,MAAM,eAAe,QAAQ,KAAK,aAAa;AAAA,EAChG;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,WACZ,QACA,SACA,UACA,SACA,cAC2E;AAC3E,UAAM,OAAO,OAAO,QAAQ,QAAQ,OAAO,EAAE;AAC7C,UAAM,MAAM,KAAK,SAAS,KAAK,IAC3B,GAAG,IAAI,sBACP,GAAG,IAAI;AAEX,UAAM,UAAkC;AAAA,MACtC,gBAAgB;AAAA,MAChB,GAAG,OAAO;AAAA,IACZ;AAGA,QAAI,OAAO,UAAU,OAAO,OAAO,WAAW,UAAU;AACtD,UAAI,OAAO,eAAe,OAAO;AAC/B,gBAAQ,eAAe,IAAI,UAAU,OAAO,MAAM;AAAA,MACpD;AAAA,IACF;AAEA,UAAM,OAAO;AAAA,MACX,OAAO;AAAA,MACP;AAAA,MACA,aAAa,QAAQ,eAAe;AAAA,MACpC,GAAG,8BAA8B,SAAS,QAAQ,aAAa,MAAM;AAAA,QACnE;AAAA,MACF,CAAC;AAAA,IACH;AAEA,UAAM,WAAW,MAAM,MAAM,KAAK;AAAA,MAChC,QAAQ;AAAA,MACR;AAAA,MACA,MAAM,KAAK,UAAU,IAAI;AAAA,IAC3B,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,QAAQ,MAAM,SAAS,KAAK;AAClC,YAAM,IAAI,MAAM,qBAAqB,SAAS,MAAM,IAAI,KAAK,EAAE;AAAA,IACjE;AAEA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAalC,UAAM,UAAU,KAAK,UAAU,CAAC,GAAG,SAAS;AAC5C,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,gCAAgC;AAAA,IAClD;AAEA,WAAO;AAAA,MACL;AAAA,MACA,OAAO,KAAK,QACR;AAAA,QACE,aAAa,KAAK,MAAM;AAAA,QACxB,cAAc,KAAK,MAAM;AAAA,QACzB,aAAa,KAAK,MAAM;AAAA,MAC1B,IACA;AAAA,IACN;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,MAAc,cACZ,QACA,SACA,UACA,SAC2E;AAC3E,UAAM,MAAM,GAAG,OAAO,QAAQ,QAAQ,OAAO,EAAE,CAAC;AAEhD,UAAM,UAAkC;AAAA,MACtC,gBAAgB;AAAA,MAChB,qBAAqB;AAAA,MACrB,GAAG,OAAO;AAAA,IACZ;AAGA,QAAI,OAAO,UAAU,OAAO,OAAO,WAAW,UAAU;AACtD,cAAQ,WAAW,IAAI,OAAO;AAAA,IAChC;AAGA,UAAM,gBAAgB,SAAS,KAAK,CAAC,MAAM,EAAE,SAAS,QAAQ,GAAG;AACjE,UAAM,oBAAoB,SAAS,OAAO,CAAC,MAAM,EAAE,SAAS,QAAQ;AAGpE,UAAM,oBAAoB,kBAAkB,IAAI,CAAC,OAAO;AAAA,MACtD,MAAM,EAAE;AAAA,MACR,SAAS,EAAE;AAAA,IACb,EAAE;AAEF,UAAM,OAAgC;AAAA,MACpC,OAAO;AAAA,MACP,UAAU;AAAA,MACV,YAAY,QAAQ,aAAa;AAAA,MACjC,aAAa,QAAQ,eAAe;AAAA,IACtC;AAEA,QAAI,eAAe;AACjB,WAAK,SAAS;AAAA,IAChB;AAEA,UAAM,WAAW,MAAM,MAAM,KAAK;AAAA,MAChC,QAAQ;AAAA,MACR;AAAA,MACA,MAAM,KAAK,UAAU,IAAI;AAAA,IAC3B,CAAC;AAED,QAAI,CAAC,SAAS,IAAI;AAChB,YAAM,QAAQ,MAAM,SAAS,KAAK;AAClC,YAAM,IAAI,MAAM,wBAAwB,SAAS,MAAM,IAAI,KAAK,EAAE;AAAA,IACpE;AAEA,UAAM,OAAQ,MAAM,SAAS,KAAK;AAWlC,UAAM,UAAU,KAAK,UAAU,CAAC,GAAG;AACnC,QAAI,CAAC,SAAS;AACZ,YAAM,IAAI,MAAM,mCAAmC;AAAA,IACrD;AAEA,WAAO;AAAA,MACL;AAAA,MACA,OAAO,KAAK,QACR;AAAA,QACE,aAAa,KAAK,MAAM;AAAA,QACxB,cAAc,KAAK,MAAM;AAAA,QACzB,cAAc,KAAK,MAAM,gBAAgB,MAAM,KAAK,MAAM,iBAAiB;AAAA,MAC7E,IACA;AAAA,IACN;AAAA,EACF;AACF;","names":[]}

package/dist/cli.d.ts

@@ -1,4 +1,4 @@
-import { R as ReplaySource, a as ReplayWarning, b as ReplayTurn, O as Orchestrator, C as CompoundingPromotionReport } from './orchestrator-zTa-Qo-1.js';
+import { R as ReplaySource, a as ReplayWarning, b as ReplayTurn, O as Orchestrator, C as CompoundingPromotionReport } from './orchestrator-CIvLFHx3.js';
 import { M as MemoryGovernanceRunResult, a as MemoryGovernanceSummary, b as MemoryGovernanceMetrics, c as MemoryGovernanceQualityScore, d as MemoryGovernanceReviewQueueEntry, e as MemoryGovernanceAppliedAction, f as MemoryGovernanceTransitionReport, g as MemoryGovernanceManifest, h as MemoryGovernanceRestoreManifest, R as RestoreMemoryGovernanceRunResult } from './memory-projection-store-NxMkbocT.js';
 import { MemoryStatus, MemoryFile, BehaviorSignalEvent, MemoryActionEvent, MemoryLifecycleEvent } from './types.js';
 import { Readable, Writable } from 'node:stream';
@@ -634,7 +634,7 @@ declare function runMemoryGovernanceReportCliCommand(options: MemoryGovernanceRe
 declare function runMemoryGovernanceRestoreCliCommand(options: MemoryGovernanceRestoreCliCommandOptions): Promise<RestoreMemoryGovernanceRunResult>;
 declare function runMemoryReviewDispositionCliCommand(options: MemoryReviewDispositionCliCommandOptions): Promise<{
     memoryId: string;
-    status: "active" | "pending_review" | "rejected" | "quarantined";
+    status: "active" | "pending_review" | "quarantined" | "rejected";
     reasonCode: string | undefined;
 }>;
 declare function runMigrateObservationsCliCommand(options: MigrateObservationsCliCommandOptions): Promise<MigrateObservationsResult>;

package/dist/cli.js

@@ -3643,7 +3643,7 @@ async function runSemanticRulePromoteCliCommand(options) {
   });
 }
 async function runCompoundingPromoteCliCommand(options) {
-  const { CompoundingEngine } = await import("./engine-P26JFSVY.js");
+  const { CompoundingEngine } = await import("./engine-2A6J4XEX.js");
   const config = parseConfig({
     memoryDir: options.memoryDir,
     qmdEnabled: false,

package/dist/{engine-P26JFSVY.js → engine-2A6J4XEX.js}

@@ -1,7 +1,7 @@
 import {
   CompoundingEngine,
   defaultTierMigrationCycleBudget
-} from "./chunk-TKO4HZCK.js";
+} from "./chunk-UYSKNO6E.js";
 import "./chunk-QWUUMMIK.js";
 import "./chunk-U4PV25RD.js";
 import "./chunk-ESSMF2FR.js";
@@ -16,4 +16,4 @@ export {
   CompoundingEngine,
   defaultTierMigrationCycleBudget
 };
-//# sourceMappingURL=engine-P26JFSVY.js.map
+//# sourceMappingURL=engine-2A6J4XEX.js.map

package/dist/explicit-capture.d.ts

@@ -1,4 +1,4 @@
-import { O as Orchestrator } from './orchestrator-zTa-Qo-1.js';
+import { O as Orchestrator } from './orchestrator-CIvLFHx3.js';
 import { MemoryCategory, PluginConfig } from './types.js';
 import './buffer.js';
 import './storage.js';

package/dist/extraction.js

@@ -1,6 +1,6 @@
 import {
   ExtractionEngine
-} from "./chunk-QFQVZOGA.js";
+} from "./chunk-6UJQNRIO.js";
 import "./chunk-MWGVGUIS.js";
 import "./chunk-763GUIOU.js";
 import "./chunk-ONRU4L2N.js";
@@ -8,8 +8,9 @@ import "./chunk-MDDAA2AO.js";
 import "./chunk-2PO5ZRKV.js";
 import "./chunk-VEWZZM3H.js";
 import "./chunk-LK6SGL53.js";
-import "./chunk-KT4NEUNF.js";
-import "./chunk-LU3GQNDQ.js";
+import "./chunk-XUHI52HK.js";
+import "./chunk-M5ZBBBJI.js";
+import "./chunk-OOSWAUYB.js";
 import "./chunk-Y27UJK6V.js";
 import "./chunk-UZB5KHKX.js";
 import "./chunk-MARWOCVP.js";

package/dist/fallback-llm.d.ts

@@ -74,14 +74,33 @@ declare class FallbackLlmClient {
      */
     private parseModelString;
     /**
-     * Resolve the API key for a provider, handling OpenClaw secret ref formats.
-     * Results are cached per provider so exec calls only happen once.
+     * Look up a provider from the gateway's materialized models.json, which
+     * contains all providers including built-in ones (openai-codex, google-vertex,
+     * etc.) that aren't in the user's openclaw.json but are registered by
+     * gateway plugins. Returns null if the provider isn't found there either.
      */
-    private resolveApiKey;
+    private resolveFromModelsJson;
     /**
      * Try to call a single model.
+     *
+     * Uses the gateway's native getRuntimeAuthForModel when available — this
+     * handles all provider-specific auth transforms (OAuth token exchange,
+     * base URL overrides for codex/copilot/etc.) through the same codepath
+     * the gateway itself uses. Falls back to resolveProviderApiKey for
+     * simpler providers or when the runtime module isn't loaded.
      */
     private tryModel;
+    /**
+     * Resolve request-ready auth through the gateway's native runtime, which
+     * handles provider-specific transforms (OAuth token exchange for codex/copilot,
+     * base URL rewrite, etc.). Returns null if the runtime isn't available.
+     */
+    private resolveRuntimeAuth;
+    /**
+     * Resolve API key through the existing provider-level resolution (env vars,
+     * secret refs, etc.). Used as fallback when gateway runtime auth isn't available.
+     */
+    private resolveFallbackApiKey;
     /**
      * Call OpenAI-compatible API.
      */

package/dist/fallback-llm.js

@@ -1,7 +1,8 @@
 import {
   FallbackLlmClient
-} from "./chunk-KT4NEUNF.js";
-import "./chunk-LU3GQNDQ.js";
+} from "./chunk-XUHI52HK.js";
+import "./chunk-M5ZBBBJI.js";
+import "./chunk-OOSWAUYB.js";
 import "./chunk-Y27UJK6V.js";
 import "./chunk-UZB5KHKX.js";
 import "./chunk-MARWOCVP.js";

package/dist/index.d.ts

@@ -1,5 +1,5 @@
 export { parseConfig } from './config.js';
-export { O as Orchestrator, d as defaultWorkspaceDir, s as sanitizeSessionKeyForFilename } from './orchestrator-zTa-Qo-1.js';
+export { O as Orchestrator, d as defaultWorkspaceDir, s as sanitizeSessionKeyForFilename } from './orchestrator-CIvLFHx3.js';
 export { StorageManager } from './storage.js';
 export { ExtractionEngine } from './extraction.js';
 export { QmdClient } from './qmd.js';

package/dist/index.js

@@ -14,32 +14,32 @@ import {
   migrateFromEngram,
   rollbackFromEngramMigration,
   sanitizeSessionKeyForFilename
-} from "./chunk-YAPUAHAY.js";
+} from "./chunk-OTFNI3OO.js";
+import "./chunk-UYSKNO6E.js";
 import "./chunk-IFFFR3MR.js";
-import "./chunk-TKO4HZCK.js";
 import "./chunk-Z5AAYHUC.js";
 import "./chunk-4A24LIM2.js";
 import "./chunk-TPB3I2AC.js";
 import "./chunk-UHGBNIOS.js";
 import "./chunk-ZKYI7UVO.js";
-import "./chunk-CDW777AI.js";
+import "./chunk-LP47L3ZX.js";
 import "./chunk-ETOW6ACV.js";
+import "./chunk-GPGBSNKM.js";
+import "./chunk-V3RXWQIE.js";
 import "./chunk-G3AG3KZN.js";
 import "./chunk-2CJCWDMR.js";
+import "./chunk-HG2NKWR2.js";
 import "./chunk-X7XN6YU4.js";
 import "./chunk-BRK4ODMI.js";
 import "./chunk-C7VW7C3F.js";
-import "./chunk-GPGBSNKM.js";
-import "./chunk-V3RXWQIE.js";
 import "./chunk-YCN4BVDK.js";
 import "./chunk-L5RPWGFK.js";
-import "./chunk-HG2NKWR2.js";
 import "./chunk-GJR6D6KC.js";
 import "./chunk-H63EDPFJ.js";
 import "./chunk-WWIQTB2Y.js";
 import {
   ExtractionEngine
-} from "./chunk-QFQVZOGA.js";
+} from "./chunk-6UJQNRIO.js";
 import "./chunk-MWGVGUIS.js";
 import "./chunk-763GUIOU.js";
 import "./chunk-ONRU4L2N.js";
@@ -93,8 +93,9 @@ import {
 } from "./chunk-YNI4S5WT.js";
 import "./chunk-DORBM6OB.js";
 import "./chunk-XYIK4LF6.js";
-import "./chunk-KT4NEUNF.js";
-import "./chunk-LU3GQNDQ.js";
+import "./chunk-XUHI52HK.js";
+import "./chunk-M5ZBBBJI.js";
+import "./chunk-OOSWAUYB.js";
 import "./chunk-Y27UJK6V.js";
 import "./chunk-UZB5KHKX.js";
 import "./chunk-M5KEYE5E.js";