@sentry/junior 0.24.1 → 0.25.0

package/dist/app.js

@@ -1,12 +1,10 @@
 import {
   discoverSkills,
   findSkillByName,
-  getCapabilityProvider,
-  listCapabilityProviders,
   loadSkillsByName,
   logCapabilityCatalogLoadedOnce,
   parseSkillInvocation
-} from "./chunk-O5N42P7K.js";
+} from "./chunk-ICIRAL6Y.js";
 import {
   SANDBOX_DATA_ROOT,
   SANDBOX_SKILLS_ROOT,
@@ -27,7 +25,7 @@ import {
   sandboxSkillDir,
   sandboxSkillFile,
   toOptionalTrimmed
-} from "./chunk-RMVXZMXQ.js";
+} from "./chunk-A75TWGF2.js";
 import {
   CredentialUnavailableError,
   buildOAuthTokenRequest,
@@ -59,7 +57,7 @@ import {
   toOptionalString,
   withContext,
   withSpan
-} from "./chunk-I3WA75AD.js";
+} from "./chunk-RZJDO55D.js";
 import "./chunk-Z3YD6NHK.js";
 import {
   discoverInstalledPluginPackageContent,
@@ -1219,234 +1217,6 @@ async function addReactionToMessage(input) {
   return { ok: true };
 }
 
-// src/chat/respond-helpers.ts
-var MAX_INLINE_ATTACHMENT_BASE64_CHARS = 12e4;
-function getSessionIdentifiers(context) {
-  return {
-    conversationId: context.correlation?.conversationId ?? context.correlation?.threadId ?? context.correlation?.runId,
-    sessionId: context.correlation?.turnId
-  };
-}
-function isExecutionDeferralResponse(text) {
-  return /\b(want me to proceed|do you want me to proceed|shall i proceed|can i proceed|should i proceed|let me do that now|give me a moment|tag me again|fresh invocation)\b/i.test(
-    text
-  );
-}
-function isToolAccessDisclaimerResponse(text) {
-  return /\b(i (don't|do not) have access to (active )?tool|tool results came back empty|prior results .* empty|cannot access .*tool|need to (run|load) .*tool .* first)\b/i.test(
-    text
-  );
-}
-function isExecutionEscapeResponse(text) {
-  const trimmed = text.trim();
-  if (!trimmed) return false;
-  return isExecutionDeferralResponse(trimmed) || isToolAccessDisclaimerResponse(trimmed);
-}
-function parseJsonCandidate(text) {
-  const trimmed = text.trim();
-  if (!trimmed) return void 0;
-  try {
-    return JSON.parse(trimmed);
-  } catch {
-    const fenced = trimmed.match(/^```(?:json)?\s*([\s\S]*?)\s*```$/i);
-    if (!fenced) return void 0;
-    try {
-      return JSON.parse(fenced[1]);
-    } catch {
-      return void 0;
-    }
-  }
-}
-function isToolPayloadShape(payload) {
-  if (!payload || typeof payload !== "object") return false;
-  const record = payload;
-  const type = typeof record.type === "string" ? record.type.toLowerCase() : "";
-  if (type.startsWith("tool-")) return true;
-  if (type === "tool_use" || type === "tool_call" || type === "tool_result" || type === "tool_error")
-    return true;
-  const hasToolName = typeof record.toolName === "string" || typeof record.name === "string";
-  const hasToolInput = Object.prototype.hasOwnProperty.call(record, "input") || Object.prototype.hasOwnProperty.call(record, "args");
-  if (hasToolName && hasToolInput) return true;
-  return false;
-}
-function isRawToolPayloadResponse(text) {
-  const parsed = parseJsonCandidate(text);
-  if (Array.isArray(parsed)) {
-    return parsed.some((entry) => isToolPayloadShape(entry));
-  }
-  if (isToolPayloadShape(parsed)) {
-    return true;
-  }
-  const compact = text.replace(/\s+/g, " ");
-  return /"type"\s*:\s*"tool[-_](use|call|result|error)"/i.test(compact);
-}
-function toObservablePromptPart(part) {
-  if (part.type === "text") {
-    return {
-      type: "text",
-      text: part.text
-    };
-  }
-  return {
-    type: "image",
-    mimeType: part.mimeType,
-    data: `[omitted:${part.data.length}]`
-  };
-}
-function summarizeMessageText(text) {
-  const normalized = text.trim().replace(/\s+/g, " ");
-  if (!normalized) {
-    return "[empty]";
-  }
-  return normalized.length > 1200 ? `${normalized.slice(0, 1200)}...` : normalized;
-}
-function buildUserTurnText(userInput, conversationContext, metadata) {
-  const trimmedContext = conversationContext?.trim();
-  const hasSessionContext = Boolean(metadata?.sessionContext?.conversationId);
-  const hasTurnContext = Boolean(metadata?.turnContext?.traceId);
-  if (!trimmedContext && !hasSessionContext && !hasTurnContext) {
-    return userInput;
-  }
-  const sections = [
-    "<current-message>",
-    userInput,
-    "</current-message>"
-  ];
-  if (trimmedContext) {
-    sections.push(
-      "",
-      "<thread-conversation-context>",
-      "Use this context for continuity across prior thread turns.",
-      trimmedContext,
-      "</thread-conversation-context>"
-    );
-  }
-  if (metadata?.sessionContext?.conversationId) {
-    sections.push(
-      "",
-      "<session-context>",
-      `- gen_ai.conversation.id: ${metadata.sessionContext.conversationId}`,
-      "</session-context>"
-    );
-  }
-  if (metadata?.turnContext?.traceId) {
-    sections.push(
-      "",
-      "<turn-context>",
-      `- trace_id: ${metadata.turnContext.traceId}`,
-      "</turn-context>"
-    );
-  }
-  return sections.join("\n");
-}
-function encodeNonImageAttachmentForPrompt(attachment) {
-  const base64 = attachment.data.toString("base64");
-  const wasTruncated = base64.length > MAX_INLINE_ATTACHMENT_BASE64_CHARS;
-  const encodedPayload = wasTruncated ? `${base64.slice(0, MAX_INLINE_ATTACHMENT_BASE64_CHARS)}...` : base64;
-  return [
-    "<attachment>",
-    `filename: ${attachment.filename ?? "unnamed"}`,
-    `media_type: ${attachment.mediaType}`,
-    "encoding: base64",
-    `truncated: ${wasTruncated ? "true" : "false"}`,
-    "<data_base64>",
-    encodedPayload,
-    "</data_base64>",
-    "</attachment>"
-  ].join("\n");
-}
-function buildExecutionFailureMessage(toolErrorCount) {
-  if (toolErrorCount > 0) {
-    return "I couldn't complete this because one or more required tools failed in this turn. I've logged the failure details.";
-  }
-  return "I couldn't complete this request in this turn due to an execution failure. I've logged the details for debugging.";
-}
-function isToolResultMessage(value) {
-  return typeof value === "object" && value !== null && value.role === "toolResult";
-}
-function normalizeToolNameFromResult(result) {
-  if (!result || typeof result !== "object") return void 0;
-  const record = result;
-  if (typeof record.toolName === "string" && record.toolName.length > 0) {
-    return record.toolName;
-  }
-  if (typeof record.name === "string" && record.name.length > 0) {
-    return record.name;
-  }
-  return void 0;
-}
-function isToolResultError(result) {
-  if (!result || typeof result !== "object") return false;
-  return Boolean(result.isError);
-}
-function isAssistantMessage(value) {
-  return typeof value === "object" && value !== null && value.role === "assistant";
-}
-function getPiMessageRole(value) {
-  if (!value || typeof value !== "object") {
-    return void 0;
-  }
-  const role = value.role;
-  return typeof role === "string" ? role : void 0;
-}
-function extractAssistantText(message) {
-  const content = message.content ?? [];
-  return content.filter(
-    (part) => part.type === "text" && typeof part.text === "string"
-  ).map((part) => part.text).join("\n");
-}
-function getTerminalAssistantMessages(messages) {
-  let lastToolResultIndex = -1;
-  for (let index = messages.length - 1; index >= 0; index -= 1) {
-    if (isToolResultMessage(messages[index])) {
-      lastToolResultIndex = index;
-      break;
-    }
-  }
-  return messages.slice(lastToolResultIndex + 1).filter(isAssistantMessage);
-}
-function hasCompletedAssistantTurn(messages) {
-  const message = getTerminalAssistantMessages(messages).at(-1);
-  if (!message) {
-    return false;
-  }
-  const stopReason = message.stopReason;
-  return typeof stopReason === "string" && stopReason !== "error" && extractAssistantText(message).trim().length > 0;
-}
-function upsertActiveSkill(activeSkills, next) {
-  const existing = activeSkills.find((skill) => skill.name === next.name);
-  if (existing) {
-    existing.body = next.body;
-    existing.description = next.description;
-    existing.skillPath = next.skillPath;
-    existing.allowedTools = next.allowedTools;
-    existing.requiresCapabilities = next.requiresCapabilities;
-    existing.usesConfig = next.usesConfig;
-    existing.pluginProvider = next.pluginProvider;
-    return;
-  }
-  activeSkills.push(next);
-}
-function collectRelevantConfigurationKeys(activeSkills, explicitSkill) {
-  const keys = /* @__PURE__ */ new Set();
-  for (const skill of [
-    ...activeSkills,
-    ...explicitSkill ? [explicitSkill] : []
-  ]) {
-    for (const key of skill.usesConfig ?? []) {
-      keys.add(key);
-    }
-  }
-  return [...keys].sort((a, b) => a.localeCompare(b));
-}
-function trimTrailingAssistantMessages(messages) {
-  let end = messages.length;
-  while (end > 0 && getPiMessageRole(messages[end - 1]) === "assistant") {
-    end -= 1;
-  }
-  return end === messages.length ? [...messages] : messages.slice(0, end);
-}
-
 // src/chat/oauth-flow.ts
 var OAUTH_STATE_TTL_MS = 10 * 60 * 1e3;
 function formatProviderLabel(provider) {
@@ -1560,7 +1330,9 @@ async function startOAuthFlow(provider, input) {
       ...input.channelId ? { channelId: input.channelId } : {},
       ...input.threadTs ? { threadTs: input.threadTs } : {},
       ...input.userMessage ? { pendingMessage: input.userMessage } : {},
-      ...configuration && Object.keys(configuration).length > 0 ? { configuration } : {}
+      ...configuration && Object.keys(configuration).length > 0 ? { configuration } : {},
+      ...input.resumeConversationId ? { resumeConversationId: input.resumeConversationId } : {},
+      ...input.resumeSessionId ? { resumeSessionId: input.resumeSessionId } : {}
     },
     OAUTH_STATE_TTL_MS
   );
@@ -1597,61 +1369,6 @@ async function startOAuthFlow(provider, input) {
     })
   };
 }
-function extractOAuthStartedPayload(value) {
-  if (typeof value === "string") {
-    const parsed = parseJsonCandidate(value);
-    return parsed === void 0 ? void 0 : extractOAuthStartedPayload(parsed);
-  }
-  if (Array.isArray(value)) {
-    for (const entry of value) {
-      const found = extractOAuthStartedPayload(entry);
-      if (found) {
-        return found;
-      }
-    }
-    return void 0;
-  }
-  if (!value || typeof value !== "object") {
-    return void 0;
-  }
-  const record = value;
-  if (record.oauth_started === true) {
-    const message = typeof record.message === "string" ? record.message.trim() : void 0;
-    return message ? { message } : {};
-  }
-  const content = record.content;
-  if (Array.isArray(content)) {
-    for (const part of content) {
-      const text = part && typeof part === "object" && part.type === "text" && typeof part.text === "string" ? part.text : part;
-      const found = extractOAuthStartedPayload(text);
-      if (found) {
-        return found;
-      }
-    }
-  }
-  for (const key of ["details", "output", "result", "stdout"]) {
-    if (!(key in record)) {
-      continue;
-    }
-    const found = extractOAuthStartedPayload(record[key]);
-    if (found) {
-      return found;
-    }
-  }
-  return void 0;
-}
-function extractOAuthStartedMessageFromToolResults(toolResults) {
-  for (const result of toolResults) {
-    if (normalizeToolNameFromResult(result) !== "bash" || isToolResultError(result)) {
-      continue;
-    }
-    const found = extractOAuthStartedPayload(result);
-    if (found?.message) {
-      return found.message;
-    }
-  }
-  return void 0;
-}
 
 // src/chat/mcp/oauth-provider.ts
 function createClientMetadata(callbackUrl) {
@@ -2375,7 +2092,7 @@ function getPiGatewayApiKeyOverride() {
 function extractText(message) {
   return (message.content ?? []).filter((part) => part.type === "text" && typeof part.text === "string").map((part) => part.text ?? "").join("").trim();
 }
-function parseJsonCandidate2(text) {
+function parseJsonCandidate(text) {
   const trimmed = text.trim();
   if (!trimmed) return void 0;
   try {
@@ -2542,7 +2259,7 @@ async function completeObject(params) {
     );
     throw error;
   }
-  const candidate = parseJsonCandidate2(text);
+  const candidate = parseJsonCandidate(text);
   const parsed = params.schema.safeParse(candidate);
   if (!parsed.success) {
     const preview = text.length > 400 ? `${text.slice(0, 400)}...` : text;
@@ -3494,6 +3211,9 @@ function formatAvailableSkillsForPrompt(skills) {
       `    <description>${escapeXml(skill.description)}</description>`
     );
     lines.push(`    <location>${escapeXml(skillLocation)}</location>`);
+    if (skill.pluginProvider) {
+      lines.push(`    <provider>${escapeXml(skill.pluginProvider)}</provider>`);
+    }
     if (skill.usesConfig && skill.usesConfig.length > 0) {
       lines.push(
         `    <uses_config>${escapeXml(skill.usesConfig.join(" "))}</uses_config>`
@@ -3515,11 +3235,6 @@ function formatLoadedSkillsForPrompt(skills) {
       `  <skill name="${escapeXml(skill.name)}" location="${escapeXml(`${skillDir}/SKILL.md`)}">`
     );
     lines.push(`References are relative to ${escapeXml(skillDir)}.`);
-    if (skill.requiresCapabilities && skill.requiresCapabilities.length > 0) {
-      lines.push(
-        `Requires capabilities: ${escapeXml(skill.requiresCapabilities.join(", "))}.`
-      );
-    }
     if (skill.usesConfig && skill.usesConfig.length > 0) {
       lines.push(
         `Uses config keys: ${escapeXml(skill.usesConfig.join(", "))}.`
@@ -3533,18 +3248,20 @@ function formatLoadedSkillsForPrompt(skills) {
   return lines.join("\n");
 }
 function formatProviderCatalogForPrompt() {
-  const providers = listCapabilityProviders();
+  const providers = getPluginProviders().map((plugin) => plugin.manifest);
   if (providers.length === 0) {
     return "- none";
   }
   const lines = [];
   for (const provider of providers) {
-    lines.push(`- provider: ${escapeXml(provider.provider)}`);
+    lines.push(`- provider: ${escapeXml(provider.name)}`);
     lines.push(
       `  - config_keys: ${provider.configKeys.length > 0 ? escapeXml(provider.configKeys.join(", ")) : "none"}`
     );
     lines.push(
-      `  - capabilities: ${provider.capabilities.length > 0 ? escapeXml(provider.capabilities.join(", ")) : "none"}`
+      `  - default_context: ${provider.target ? escapeXml(
+        `${provider.target.type} via ${provider.target.configKey}`
+      ) : "none"}`
     );
   }
   return lines.join("\n");
@@ -3731,13 +3448,25 @@ function buildSystemPrompt(params) {
       ].join("\n")
     ),
     renderTag(
-      "provider-capabilities",
+      "provider-config",
       [
-        "Use this catalog to map provider intents to valid config keys and capability names.",
+        "Use this catalog to map already-chosen provider work to valid config keys and provider defaults.",
+        "Do not use this catalog by itself to decide which domain skill matches an operational task.",
         "When user intent is to set a provider default, choose a config key from this catalog and use jr-rpc config set.",
+        "The `jr-rpc` config command is a built-in bash custom command when conversation config is available; do not claim it is missing just because no `jr-rpc` skill is loaded.",
         formatProviderCatalogForPrompt()
       ].join("\n")
     ),
+    renderTag(
+      "skill-routing",
+      [
+        "- Choose the skill that matches the requested operation, not incidental nouns, product names, organization names, or channel context.",
+        "- When multiple skills seem adjacent, prefer the one whose description matches the user's requested action most directly.",
+        "- If the task needs evidence from a specialized external system or workflow, load the matching skill before drawing conclusions.",
+        "- The provider-config catalog is for exact config keys and provider defaults after skill selection. It is not a shortcut for choosing a domain.",
+        "- Never start provider auth speculatively. First load the skill that owns the operation, then let runtime-managed credential injection handle authenticated provider commands for that skill."
+      ].join("\n")
+    ),
     renderTag(
       "tool-usage",
       [
@@ -3750,6 +3479,8 @@ function buildSystemPrompt(params) {
         "- Prefer a single result-focused reply after tool work completes. Only send an interim reply when you need user input or have a concrete blocking problem to report.",
         "- For external/factual research requests that require tools, do not send any preliminary conclusion, 'let me check', or progress narration before the evidence-gathering work is done. Use assistant status for in-progress work and make the first visible reply the researched answer.",
         "- For evidence-gathering tasks, never state a factual conclusion before you have actually gathered and checked the sources.",
+        "- When the user provides multiple sources, synthesize them explicitly as one combined answer instead of anchoring the reply on a single page or API call.",
+        "- When the user provides explicit URLs or named sources, briefly anchor the answer to those provided sources (for example, 'Across the provided Slack docs...') so the summary reads as researched rather than generic memory.",
         "- Do not include internal process chatter such as 'let me find', 'fetching now', 'good, I have sources', 'trying smaller limits', or 'I now have sufficient context' in the final user-facing reply.",
         "- Use `attachFile` for files that actually exist in the sandbox (for example screenshots, PDFs, logs), or for `attachment_path` values returned by `imageGenerate`.",
         "- If the user asks to see/share/show a screenshot or file, attach the file with `attachFile` instead of only reporting its path.",
@@ -3767,14 +3498,14 @@ function buildSystemPrompt(params) {
         "- Use `slackMessageAddReaction` for rare lightweight acknowledgements. It reacts to the current inbound message via runtime context; never pick a target message yourself.",
         "- If the user explicitly asks for an emoji reaction instead of text, use `slackMessageAddReaction` with a Slack emoji alias name (for example `thumbsup`, `white_check_mark`, or `eyes`, not unicode emoji), and avoid redundant acknowledgment text.",
         "- Suggested acknowledgement reactions include `wave`, `white_check_mark`, `thumbsup`, and `eyes`, but choose what best fits the request.",
-        "- If a loaded skill or `loadSkill` result declares `requires_capabilities`, run `jr-rpc issue-credential <capability> [--target <value>]` as a bash command before authenticated bash/API work for that skill.",
-        "- Use the minimum declared capability needed for the current operation.",
-        "- If `jr-rpc issue-credential` returns `oauth_started`, relay its `message` to the user and stop. The runtime will resume after authorization.",
-        "- For disconnect + reconnect requests, run `jr-rpc delete-token <provider>` first, then `jr-rpc issue-credential` \u2014 the system handles the reconnect without auto-resuming the reconnect message.",
-        "- Use `jr-rpc oauth-start <provider>` only when the user explicitly asks to connect a provider and there is no task to resume after authorization.",
-        "- Provider-targeted capabilities may need `--target <value>` or a provider-specific configured default target key when the provider catalog shows one.",
+        "- After the matching plugin-owned skill is loaded, authenticated bash commands for that skill get provider credentials injected automatically for the current turn.",
+        "- Resolve repo/project/org defaults before authenticated provider commands so the runtime can narrow injected credentials correctly.",
+        "- If no loaded skill clearly owns the authenticated command, load the matching skill first instead of guessing from the provider catalog.",
+        "- If provider authorization is required, the runtime sends the private authorization link itself and resumes the paused turn after authorization.",
+        "- Do not try to manage provider auth directly. Run the real provider command and let the runtime handle authorization, reconnect, and resume behavior.",
+        "- Provider-targeted commands may need `--target <value>` or a provider-specific configured default target key when the provider catalog shows one.",
         "- To persist or read conversation defaults, choose a config key from the provider catalog or active skill metadata and run `jr-rpc config get|set|unset|list ...` as a bash command.",
-        "- Capabilities must match the exact provider-qualified tokens declared by the loaded skill or provider catalog.",
+        "- `jr-rpc` config commands are built into the bash runtime for conversation-scoped config work; they do not require a separate helper binary in the sandbox.",
         "- When your work is complete, provide the exact user-facing markdown response.",
         "- Do not use reaction-based progress signals; Assistants API status already covers in-progress UX.",
         "- Prefer `webSearch` before `webFetch` when the user gave no URL.",
@@ -3792,6 +3523,8 @@ function buildSystemPrompt(params) {
         "- If an explicitly invoked skill is present in <loaded_skills>, never say the skill is unavailable, missing, or unsupported in this environment.",
         "- Otherwise, for an explicitly invoked skill, call `loadSkill` for that exact skill before applying skill-specific behavior.",
         "- For requests without an explicit trigger where a skill clearly matches, call `loadSkill` before applying skill-specific behavior.",
+        "- When multiple skills appear relevant, prefer the skill whose description best matches the requested action rather than incidental domain nouns in the prompt.",
+        "- For explicit config tasks, you may load the helper skill that owns config commands, but do not use helper skills to choose the provider for unrelated operational work.",
         "- Do not claim to have used a skill unless it is present in <loaded_skills> or `loadSkill` succeeded in this turn.",
         "- Never apply skill-specific behavior unless the skill is present in <loaded_skills> or `loadSkill` succeeded in this turn.",
         "- Load only the best matching skill first; do not load multiple skills upfront.",
@@ -3834,74 +3567,35 @@ var ProviderCredentialRouter = class {
     this.brokersByProvider = input.brokersByProvider;
   }
   async issue(input) {
-    const provider = getCapabilityProvider(input.capability)?.provider;
-    if (!provider) {
-      throw new Error(`Unsupported capability: ${input.capability}`);
-    }
-    const broker = this.brokersByProvider[provider];
+    const broker = this.brokersByProvider[input.provider];
     if (!broker) {
-      throw new Error(`No credential broker registered for provider: ${provider}`);
+      throw new Error(
+        `No credential broker registered for provider: ${input.provider}`
+      );
     }
-    return await broker.issue(input);
+    return await broker.issue({
+      reason: input.reason,
+      requesterId: input.requesterId
+    });
   }
 };
 
-// src/chat/capabilities/target.ts
-function escapeRegExp(value) {
-  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
-}
-function normalizeTargetValue(value) {
-  let normalized = value.trim();
-  if (normalized.startsWith('"') && normalized.endsWith('"') || normalized.startsWith("'") && normalized.endsWith("'")) {
-    normalized = normalized.slice(1, -1).trim();
-  }
-  return normalized || void 0;
-}
-function extractFlagValue(text, flags) {
-  if (flags.length === 0) {
-    return void 0;
-  }
-  const pattern = flags.map(escapeRegExp).join("|");
-  const match = new RegExp(
-    String.raw`(?:^|\s)(?:${pattern})(?:\s+|=)([^\s]+)`
-  ).exec(text);
-  return match ? normalizeTargetValue(match[1] ?? "") : void 0;
-}
-function createCapabilityTarget(type, value) {
-  const normalizedType = type.trim();
-  const normalizedValue = normalizeTargetValue(value);
-  if (!normalizedType || !normalizedValue) {
-    return void 0;
-  }
-  return {
-    type: normalizedType,
-    value: normalizedValue
-  };
-}
-function extractCapabilityTarget(params) {
-  const flags = params.target.commandFlags ?? [];
-  if (params.commandText) {
-    const value = extractFlagValue(params.commandText, flags);
-    if (value) {
-      return createCapabilityTarget(params.target.type, value);
-    }
-  }
-  if (params.invocationArgs) {
-    const value = extractFlagValue(params.invocationArgs, flags);
-    if (value) {
-      return createCapabilityTarget(params.target.type, value);
-    }
+// src/chat/capabilities/runtime.ts
+function toHeaderTransforms(lease) {
+  if (!Array.isArray(lease.headerTransforms) || lease.headerTransforms.length === 0) {
+    return [];
   }
-  return void 0;
+  return lease.headerTransforms.filter(
+    (transform) => Boolean(transform?.domain?.trim()) && transform.headers && typeof transform.headers === "object" && Object.keys(transform.headers).length > 0
+  ).map((transform) => ({
+    domain: transform.domain.trim(),
+    headers: transform.headers
+  }));
 }
-
-// src/chat/capabilities/runtime.ts
 var SkillCapabilityRuntime = class {
   router;
-  invocationArgs;
   requesterId;
-  resolveConfiguration;
-  enabledByCapability = /* @__PURE__ */ new Map();
+  enabledByProvider = /* @__PURE__ */ new Map();
   constructor(params) {
     if (params.router) {
       this.router = params.router;
@@ -3914,136 +3608,21 @@ var SkillCapabilityRuntime = class {
         "SkillCapabilityRuntime requires either router or broker"
       );
     }
-    this.invocationArgs = params.invocationArgs;
     this.requesterId = params.requesterId;
-    this.resolveConfiguration = params.resolveConfiguration;
   }
-  async resolveCapabilityTarget(input) {
-    const activeSkill = input.activeSkill;
-    const explicitTarget = input.targetRef ? createCapabilityTarget(input.target.type, input.targetRef) : void 0;
-    if (explicitTarget) {
-      return explicitTarget;
-    }
-    const inferredTarget = extractCapabilityTarget({
-      invocationArgs: this.invocationArgs,
-      target: input.target
-    });
-    if (inferredTarget) {
-      return inferredTarget;
-    }
-    if (!this.resolveConfiguration) {
-      return void 0;
-    }
-    const configuredValue = await this.resolveConfiguration(
-      input.target.configKey
-    );
-    if (typeof configuredValue !== "string" || configuredValue.trim().length === 0) {
-      return void 0;
-    }
-    const configuredTarget = createCapabilityTarget(
-      input.target.type,
-      configuredValue
-    );
-    if (!configuredTarget) {
-      logWarn(
-        "config_value_invalid_for_capability_target",
-        {},
-        {
-          "app.skill.name": activeSkill?.name,
-          "app.config.key": input.target.configKey
-        },
-        `Configured ${input.target.configKey} is invalid for capability target resolution`
-      );
+  async enableCredentialsForTurn(input) {
+    const provider = input.activeSkill?.pluginProvider;
+    if (!provider) {
       return void 0;
     }
-    const declaredConfig = activeSkill?.usesConfig ?? [];
-    if (activeSkill && !declaredConfig.includes(input.target.configKey)) {
-      logWarn(
-        "config_key_not_declared_for_skill",
-        {},
-        {
-          "app.skill.name": activeSkill.name,
-          "app.config.key": input.target.configKey
-        },
-        "Configuration key used by runtime is not declared in active skill frontmatter (soft enforcement)"
-      );
-    }
-    return configuredTarget;
-  }
-  capabilityCacheKey(capability, target) {
-    const scope = target ? `${target.type}:${target.value.trim()}` : "none";
-    return `${capability}:${scope}`;
-  }
-  async issueCapabilityLease(input) {
-    const capabilityProvider = getCapabilityProvider(input.capability);
-    if (!capabilityProvider) {
-      throw new Error(
-        `Unsupported capability for lease issuance: ${input.capability}`
-      );
-    }
-    const activeSkill = input.activeSkill;
-    const target = capabilityProvider.target ? await this.resolveCapabilityTarget({
-      activeSkill,
-      target: capabilityProvider.target,
-      targetRef: input.targetRef
-    }) : void 0;
-    return await this.router.issue({
-      capability: input.capability,
-      target,
-      reason: input.reason,
-      requesterId: this.requesterId
-    });
-  }
-  toHeaderTransforms(lease) {
-    if (Array.isArray(lease.headerTransforms) && lease.headerTransforms.length > 0) {
-      return lease.headerTransforms.filter(
-        (transform) => Boolean(transform?.domain?.trim()) && transform.headers && typeof transform.headers === "object" && Object.keys(transform.headers).length > 0
-      ).map((transform) => ({
-        domain: transform.domain.trim(),
-        headers: transform.headers
-      }));
-    }
-    return [];
-  }
-  async enableCapabilityForTurn(input) {
     if (!this.requesterId) {
-      throw new Error("jr-rpc issue-credential requires requester context");
-    }
-    const capability = input.capability.trim();
-    if (!capability) {
-      throw new Error("jr-rpc issue-credential requires a capability argument");
-    }
-    const capabilityProvider = getCapabilityProvider(capability);
-    if (!capabilityProvider) {
-      throw new Error(
-        `Unsupported capability for jr-rpc issue-credential: ${capability}`
-      );
-    }
-    const activeSkill = input.activeSkill;
-    const capabilityTarget = capabilityProvider.target ? await this.resolveCapabilityTarget({
-      activeSkill,
-      target: capabilityProvider.target,
-      targetRef: input.targetRef
-    }) : void 0;
-    if (capabilityProvider.target && !capabilityTarget?.value.trim()) {
-      throw new Error(
-        `jr-rpc issue-credential requires ${capabilityProvider.target.type} target context; use --target <value>`
-      );
+      throw new Error("Credential enablement requires requester context");
     }
-    const declared = activeSkill?.requiresCapabilities ?? [];
-    if (activeSkill && !declared.includes(capability)) {
-      logWarn(
-        "capability_not_declared_for_skill",
-        {},
-        {
-          "app.skill.name": activeSkill.name,
-          "app.capability.name": capability
-        },
-        "Capability issued even though it is not declared in the active skill (soft enforcement)"
-      );
+    const plugin = getPluginDefinition(provider);
+    if (!plugin?.manifest.credentials) {
+      return void 0;
     }
-    const cacheKey = this.capabilityCacheKey(capability, capabilityTarget);
-    const existing = this.enabledByCapability.get(cacheKey);
+    const existing = this.enabledByProvider.get(provider);
     const now = Date.now();
     if (existing && existing.expiresAtMs - now > 1e4) {
       return {
@@ -4055,31 +3634,30 @@ var SkillCapabilityRuntime = class {
       "credential_issue_request",
       {},
       {
-        "app.skill.name": activeSkill?.name,
-        "app.capability.name": capability
+        "app.skill.name": input.activeSkill?.name,
+        "app.credential.provider": provider
       },
-      "Issuing capability credential for current turn"
+      "Issuing provider credential for current turn"
     );
     try {
-      const lease = await this.issueCapabilityLease({
-        activeSkill,
-        capability,
-        targetRef: input.targetRef,
-        reason: input.reason
+      const lease = await this.router.issue({
+        provider,
+        reason: input.reason,
+        requesterId: this.requesterId
       });
-      const transforms = this.toHeaderTransforms(lease);
+      const transforms = toHeaderTransforms(lease);
       if (transforms.length === 0) {
         throw new Error(
-          `Credential lease for ${capability} did not include header transforms`
+          `Credential lease for ${provider} did not include header transforms`
         );
       }
       const expiresAtMs = Date.parse(lease.expiresAt);
       if (!Number.isFinite(expiresAtMs)) {
         throw new Error(
-          `Credential lease for ${capability} returned invalid expiresAt`
+          `Credential lease for ${provider} returned invalid expiresAt`
         );
       }
-      this.enabledByCapability.set(cacheKey, {
+      this.enabledByProvider.set(provider, {
         expiresAtMs,
         transforms,
         env: lease.env
@@ -4088,13 +3666,12 @@ var SkillCapabilityRuntime = class {
         "credential_issue_success",
         {},
         {
-          "app.skill.name": activeSkill?.name,
-          "app.capability.name": capability,
+          "app.skill.name": input.activeSkill?.name,
           "app.credential.provider": lease.provider,
           "app.credential.expires_at": lease.expiresAt,
           "app.credential.delivery": "header_transform"
         },
-        "Issued capability credential lease"
+        "Issued provider credential lease"
       );
       return { reused: false, expiresAt: lease.expiresAt };
     } catch (error) {
@@ -4102,11 +3679,11 @@ var SkillCapabilityRuntime = class {
         "credential_issue_failed",
         {},
         {
-          "app.skill.name": activeSkill?.name,
-          "app.capability.name": capability,
+          "app.skill.name": input.activeSkill?.name,
+          "app.credential.provider": provider,
           "error.message": error instanceof Error ? error.message : String(error)
         },
-        "Capability credential resolution failed"
+        "Provider credential resolution failed"
       );
       throw error;
     }
@@ -4114,9 +3691,9 @@ var SkillCapabilityRuntime = class {
   getTurnHeaderTransforms() {
     const now = Date.now();
     const headerTransforms = [];
-    for (const [capability, entry] of this.enabledByCapability.entries()) {
+    for (const [provider, entry] of this.enabledByProvider.entries()) {
       if (!Number.isFinite(entry.expiresAtMs) || entry.expiresAtMs <= now) {
-        this.enabledByCapability.delete(capability);
+        this.enabledByProvider.delete(provider);
         continue;
       }
       headerTransforms.push(...entry.transforms);
@@ -4126,9 +3703,9 @@ var SkillCapabilityRuntime = class {
   getTurnEnv() {
     const now = Date.now();
     const env = {};
-    for (const [capability, entry] of this.enabledByCapability.entries()) {
+    for (const [provider, entry] of this.enabledByProvider.entries()) {
       if (!Number.isFinite(entry.expiresAtMs) || entry.expiresAtMs <= now) {
-        this.enabledByCapability.delete(capability);
+        this.enabledByProvider.delete(provider);
         continue;
       }
       Object.assign(env, entry.env);
@@ -4177,7 +3754,6 @@ var TestCredentialBroker = class {
     return {
       id: randomUUID2(),
       provider: this.config.provider,
-      capability: input.capability,
       env: {
         [this.config.envKey]: this.config.placeholder
       },
@@ -4190,8 +3766,7 @@ var TestCredentialBroker = class {
       })),
       expiresAt,
       metadata: {
-        reason: input.reason,
-        target: input.target ? `${input.target.type}:${input.target.value}` : "none"
+        reason: input.reason
       }
     };
   }
@@ -4223,26 +3798,12 @@ function createSkillCapabilityRuntime(options = {}) {
   const router = new ProviderCredentialRouter({ brokersByProvider });
   return new SkillCapabilityRuntime({
     router,
-    invocationArgs: options.invocationArgs,
-    requesterId: options.requesterId,
-    resolveConfiguration: options.resolveConfiguration
+    requesterId: options.requesterId
   });
 }
 
 // src/chat/capabilities/jr-rpc-command.ts
 import { Bash, defineCommand } from "just-bash";
-
-// src/chat/credentials/unlink-provider.ts
-async function unlinkProvider(userId, provider, userTokenStore) {
-  await Promise.all([
-    userTokenStore.delete(userId, provider),
-    deleteMcpStoredOAuthCredentials(userId, provider),
-    deleteMcpServerSessionId(userId, provider),
-    deleteMcpAuthSessionsForUserProvider(userId, provider)
-  ]);
-}
-
-// src/chat/capabilities/jr-rpc-command.ts
 function commandResult(input) {
   let stdout = "";
   if (typeof input.stdout === "string") {
@@ -4286,133 +3847,6 @@ function parsePrefixFlag(extras) {
     error: "jr-rpc config list accepts optional --prefix <value>\n"
   };
 }
-async function handleIssueCredentialCommand(args, deps) {
-  const capability = (args[0] ?? "").trim();
-  if (!capability) {
-    return commandResult({
-      stderr: "jr-rpc issue-credential requires a capability argument\n",
-      exitCode: 2
-    });
-  }
-  let targetRef;
-  const extras = args.slice(1);
-  if (extras.length > 0) {
-    if (extras.length === 2 && extras[0] === "--target") {
-      targetRef = extras[1]?.trim();
-    } else if (extras.length === 1 && extras[0].startsWith("--target=")) {
-      targetRef = extras[0].slice("--target=".length).trim();
-    } else {
-      return {
-        stdout: "",
-        stderr: "jr-rpc issue-credential requires exactly one capability argument and optional --target <value>\n",
-        exitCode: 2
-      };
-    }
-    if (!targetRef) {
-      return {
-        stdout: "",
-        stderr: "jr-rpc issue-credential --target requires a non-empty value\n",
-        exitCode: 2
-      };
-    }
-  }
-  let outcome;
-  try {
-    outcome = await deps.capabilityRuntime.enableCapabilityForTurn({
-      activeSkill: deps.activeSkill,
-      capability,
-      ...targetRef ? { targetRef } : {},
-      reason: `skill:${deps.activeSkill?.name ?? "unknown"}:jr-rpc:issue-credential`
-    });
-  } catch (error) {
-    if (error instanceof CredentialUnavailableError && getPluginOAuthConfig(error.provider) && deps.requesterId) {
-      const authAction = deps.providerAuthActions?.get(error.provider);
-      if (authAction?.kind === "oauth_started") {
-        const providerLabel = formatProviderLabel(error.provider);
-        return commandResult({
-          stdout: {
-            credential_unavailable: true,
-            oauth_started: true,
-            provider: error.provider,
-            private_delivery_sent: authAction.delivered,
-            message: authAction.delivered ? `I've already sent you a private authorization link to connect your ${providerLabel} account. Finish that flow, then return to Slack.` : `I still need to connect your ${providerLabel} account, but I wasn't able to send you a private authorization link. Please send me a direct message and try again.`
-          },
-          exitCode: 0
-        });
-      }
-      if (authAction?.kind === "token_deleted") {
-        const reconnectResult = await startOAuthFlow(error.provider, {
-          requesterId: deps.requesterId,
-          channelId: deps.channelId,
-          threadTs: deps.threadTs,
-          activeSkillName: deps.activeSkill?.name ?? void 0
-          // Intentionally no userMessage — reconnect flows must not auto-resume.
-        });
-        if (!reconnectResult.ok) {
-          return commandResult({
-            stderr: `${reconnectResult.error}
-`,
-            exitCode: 1
-          });
-        }
-        const delivered = !!reconnectResult.delivery;
-        deps.providerAuthActions?.set(error.provider, {
-          kind: "oauth_started",
-          delivered
-        });
-        const providerLabel = formatProviderLabel(error.provider);
-        return commandResult({
-          stdout: {
-            credential_unavailable: true,
-            oauth_started: true,
-            provider: error.provider,
-            private_delivery_sent: delivered,
-            message: delivered ? `I need to connect your ${providerLabel} account first. I've sent you a private authorization link.` : `I need to connect your ${providerLabel} account first, but I wasn't able to send you a private authorization link. Please send me a direct message and try your command again.`
-          },
-          exitCode: 0
-        });
-      }
-      const oauthResult = await startOAuthFlow(error.provider, {
-        requesterId: deps.requesterId,
-        channelId: deps.channelId,
-        threadTs: deps.threadTs,
-        userMessage: deps.userMessage,
-        channelConfiguration: deps.channelConfiguration,
-        activeSkillName: deps.activeSkill?.name ?? void 0
-      });
-      if (oauthResult.ok) {
-        const providerLabel = formatProviderLabel(error.provider);
-        return commandResult({
-          stdout: {
-            credential_unavailable: true,
-            oauth_started: true,
-            provider: error.provider,
-            private_delivery_sent: !!oauthResult.delivery,
-            message: oauthResult.delivery ? `I need to connect your ${providerLabel} account first. I've sent you a private authorization link.` : `I need to connect your ${providerLabel} account first, but I wasn't able to send you a private authorization link. Please send me a direct message and try your command again.`
-          },
-          exitCode: 0
-        });
-      }
-      return {
-        stdout: "",
-        stderr: `${oauthResult.error}
-`,
-        exitCode: 1
-      };
-    }
-    return {
-      stdout: "",
-      stderr: `${error instanceof Error ? error.message : String(error)}
-`,
-      exitCode: 1
-    };
-  }
-  return commandResult({
-    stdout: `${outcome.reused ? "credential_reused" : "credential_enabled"} capability=${capability} expiresAt=${outcome.expiresAt}
-`,
-    exitCode: 0
-  });
-}
 async function handleConfigCommand(args, deps) {
   const usage = [
     "jr-rpc config get <key>",
@@ -4593,142 +4027,15 @@ ${usage}
     exitCode: 2
   });
 }
-function isKnownProvider(provider) {
-  return listCapabilityProviders().some((p) => p.provider === provider) || isPluginProvider(provider);
-}
-async function handleOAuthStartCommand(args, deps) {
-  const provider = (args[0] ?? "").trim();
-  if (!provider) {
-    return commandResult({
-      stderr: "jr-rpc oauth-start requires: <provider>\n",
-      exitCode: 2
-    });
-  }
-  if (args.length > 1) {
-    return commandResult({
-      stderr: "jr-rpc oauth-start accepts only a provider argument\n",
-      exitCode: 2
-    });
-  }
-  if (deps.requesterId && deps.userTokenStore) {
-    const stored = await deps.userTokenStore.get(deps.requesterId, provider);
-    const providerConfig = getPluginOAuthConfig(provider);
-    if (stored && (stored.expiresAt === void 0 || stored.expiresAt > Date.now()) && hasRequiredOAuthScope(stored.scope, providerConfig?.scope)) {
-      const providerLabel = formatProviderLabel(provider);
-      return commandResult({
-        stdout: {
-          ok: true,
-          already_connected: true,
-          provider,
-          message: `Your ${providerLabel} account is already connected.`
-        },
-        exitCode: 0
-      });
-    }
-  }
-  if (!deps.requesterId) {
-    return commandResult({
-      stderr: "jr-rpc oauth-start requires requester context (requesterId)\n",
-      exitCode: 1
-    });
-  }
-  const result = await startOAuthFlow(provider, {
-    requesterId: deps.requesterId,
-    channelId: deps.channelId,
-    threadTs: deps.threadTs,
-    activeSkillName: deps.activeSkill?.name ?? void 0
-  });
-  if (!result.ok) {
-    return commandResult({ stderr: `${result.error}
-`, exitCode: 1 });
-  }
-  deps.providerAuthActions?.set(provider, {
-    kind: "oauth_started",
-    delivered: !!result.delivery
-  });
-  if (!result.delivery) {
-    return commandResult({
-      stdout: {
-        ok: true,
-        private_delivery_sent: false,
-        message: "I wasn't able to send you a private authorization link. Please send me a direct message and try again."
-      },
-      exitCode: 0
-    });
-  }
-  return commandResult({
-    stdout: {
-      ok: true,
-      private_delivery_sent: true
-    },
-    exitCode: 0
-  });
-}
-async function handleDeleteTokenCommand(args, deps) {
-  const provider = (args[0] ?? "").trim();
-  if (!provider) {
-    return commandResult({
-      stderr: "jr-rpc delete-token requires: <provider>\n",
-      exitCode: 2
-    });
-  }
-  if (!isKnownProvider(provider)) {
-    return commandResult({
-      stderr: `Unknown provider: ${provider}
-`,
-      exitCode: 2
-    });
-  }
-  if (!deps.requesterId) {
-    return commandResult({
-      stderr: "jr-rpc delete-token requires requester context (requesterId)\n",
-      exitCode: 1
-    });
-  }
-  if (!deps.userTokenStore) {
-    return commandResult({
-      stderr: "Token storage is not available\n",
-      exitCode: 1
-    });
-  }
-  await unlinkProvider(deps.requesterId, provider, deps.userTokenStore);
-  deps.providerAuthActions?.set(provider, { kind: "token_deleted" });
-  logInfo(
-    "jr_rpc_delete_token",
-    {},
-    {
-      "app.credential.provider": provider,
-      ...deps.activeSkill?.name ? { "app.skill.name": deps.activeSkill.name } : {}
-    },
-    "Deleted user token via jr-rpc"
-  );
-  return commandResult({
-    stdout: `token_deleted provider=${provider}
-`,
-    exitCode: 0
-  });
-}
 function createJrRpcCommand(deps) {
   return defineCommand("jr-rpc", async (args) => {
     const usage = [
-      "jr-rpc issue-credential <capability> [--target <value>]",
-      "jr-rpc oauth-start <provider>",
-      "jr-rpc delete-token <provider>",
       "jr-rpc config get <key>",
       "jr-rpc config set <key> <value> [--json]",
       "jr-rpc config unset <key>",
       "jr-rpc config list [--prefix <value>]"
     ].join("\n");
     const verb = (args[0] ?? "").trim();
-    if (verb === "issue-credential") {
-      return handleIssueCredentialCommand(args.slice(1), deps);
-    }
-    if (verb === "oauth-start") {
-      return handleOAuthStartCommand(args.slice(1), deps);
-    }
-    if (verb === "delete-token") {
-      return handleDeleteTokenCommand(args.slice(1), deps);
-    }
     if (verb === "config") {
       return handleConfigCommand(args.slice(1), deps);
     }
@@ -5810,7 +5117,6 @@ function toLoadedSkill(result, availableSkills) {
     skillPath: metadata?.skillPath ?? result.skill_dir,
     ...metadata?.pluginProvider ? { pluginProvider: metadata.pluginProvider } : {},
     ...metadata?.allowedTools ? { allowedTools: metadata.allowedTools } : {},
-    ...metadata?.requiresCapabilities ? { requiresCapabilities: metadata.requiresCapabilities } : {},
     ...metadata?.usesConfig ? { usesConfig: metadata.usesConfig } : {},
     body: result.instructions
   };
@@ -5837,7 +5143,6 @@ async function loadSkillFromHost(availableSkills, skillName) {
     ok: true,
     skill_name: skill.name,
     description: skill.description,
-    ...skill.requiresCapabilities ? { requires_capabilities: skill.requiresCapabilities } : {},
     skill_dir: skillDir,
     location: skillFilePath,
     instructions: loaded.body
@@ -5845,7 +5150,7 @@ async function loadSkillFromHost(availableSkills, skillName) {
 }
 function createLoadSkillTool(availableSkills, options) {
   return tool({
-    description: "Load a skill by name so its instructions are available for this turn. The result includes `requires_capabilities` when the skill declares authenticated provider access, and `available_tools` when the skill exposes MCP tools for this turn. Use when a request clearly matches a known skill. Do not use when no skill is relevant.",
+    description: "Load a skill by name so its instructions are available for this turn. The result includes `available_tools` when the skill exposes MCP tools for this turn. Use when a request clearly matches a known skill. Do not use when no skill is relevant.",
     inputSchema: Type4.Object({
       skill_name: Type4.String({
         minLength: 1,
@@ -8392,6 +7697,92 @@ fallbackToRealGh();
 `;
 }
 
+// src/chat/sandbox/eval-oauth-stub.ts
+function buildEvalOauthCliStub() {
+  return `#!/usr/bin/env node
+const fs = require("node:fs");
+
+const args = process.argv.slice(2);
+
+function outputText(value) {
+  fs.writeFileSync(process.stdout.fd, value);
+}
+
+if (args.length === 0 || args[0] === "--version" || args[0] === "version") {
+  outputText("eval-oauth 1.0.0 (junior-eval)\\n");
+  process.exit(0);
+}
+
+if (args[0] === "whoami") {
+  outputText("eval-oauth-user\\n");
+  process.exit(0);
+}
+
+process.stderr.write("eval-oauth stub: unsupported command\\n");
+process.exit(1);
+`;
+}
+
+// src/chat/sandbox/eval-sentry-stub.ts
+function buildEvalSentryCliStub() {
+  return `#!/usr/bin/env node
+const fs = require("node:fs");
+const { spawnSync } = require("node:child_process");
+
+const args = process.argv.slice(2);
+const fallbackBinaries = ["/usr/bin/sentry", "/usr/local/bin/sentry", "/bin/sentry"];
+
+function hasFlag(name) {
+  return args.includes(name) || args.some((value) => value.startsWith(name + "="));
+}
+
+function outputJson(value) {
+  fs.writeFileSync(process.stdout.fd, JSON.stringify(value, null, 2) + "\\n");
+}
+
+function outputText(value) {
+  fs.writeFileSync(process.stdout.fd, value);
+}
+
+function fallbackToRealSentry() {
+  for (const binary of fallbackBinaries) {
+    if (!fs.existsSync(binary)) {
+      continue;
+    }
+    const result = spawnSync(binary, args, { stdio: "inherit" });
+    process.exit(result.status ?? 1);
+  }
+  process.stderr.write("sentry stub: unsupported command\\n");
+  process.exit(1);
+}
+
+if (args.length === 0 || args[0] === "--version" || args[0] === "version") {
+  outputText("sentry-cli 2.0.0 (junior-eval)\\n");
+  process.exit(0);
+}
+
+if (args[0] === "issues" && args[1] === "list") {
+  if (hasFlag("--json")) {
+    outputJson([]);
+  } else {
+    outputText("No issues found.\\n");
+  }
+  process.exit(0);
+}
+
+if (args[0] === "organizations" && args[1] === "list") {
+  if (hasFlag("--json")) {
+    outputJson([{ slug: "getsentry", name: "Sentry" }]);
+  } else {
+    outputText("getsentry\\n");
+  }
+  process.exit(0);
+}
+
+fallbackToRealSentry();
+`;
+}
+
 // src/chat/sandbox/skill-sync.ts
 function toPosixRelative(base, absolute) {
   return path5.relative(base, absolute).split(path5.sep).join("/");
@@ -8455,6 +7846,16 @@ async function buildSkillSyncFiles(availableSkills, runtimeBinDir, referenceFile
       path: `${runtimeBinDir}/gh`,
       content: Buffer.from(buildEvalGitHubCliStub(), "utf8")
     });
+    filesToWrite.push({
+      path: `${runtimeBinDir}/sentry`,
+      content: Buffer.from(buildEvalSentryCliStub(), "utf8")
+    });
+  }
+  if (availableSkills.some((skill) => skill.name === "eval-oauth")) {
+    filesToWrite.push({
+      path: `${runtimeBinDir}/eval-oauth`,
+      content: Buffer.from(buildEvalOauthCliStub(), "utf8")
+    });
   }
   return filesToWrite;
 }
@@ -9411,6 +8812,135 @@ function shouldEmitDevAgentTrace() {
   return process.env.NODE_ENV === "development";
 }
 
+// src/chat/credentials/unlink-provider.ts
+async function unlinkProvider(userId, provider, userTokenStore) {
+  await Promise.all([
+    userTokenStore.delete(userId, provider),
+    deleteMcpStoredOAuthCredentials(userId, provider),
+    deleteMcpServerSessionId(userId, provider),
+    deleteMcpAuthSessionsForUserProvider(userId, provider)
+  ]);
+}
+
+// src/chat/services/plugin-auth-orchestration.ts
+var PluginAuthorizationPauseError = class extends Error {
+  provider;
+  constructor(provider) {
+    super(`Plugin authorization started for ${provider}`);
+    this.name = "PluginAuthorizationPauseError";
+    this.provider = provider;
+  }
+};
+function isCommandAuthFailure(details) {
+  if (!details || typeof details !== "object") {
+    return false;
+  }
+  const result = details;
+  if (typeof result.exit_code !== "number" || result.exit_code === 0) {
+    return false;
+  }
+  const text = `${typeof result.stdout === "string" ? result.stdout : ""}
+${typeof result.stderr === "string" ? result.stderr : ""}`.toLowerCase();
+  if (!text.trim()) {
+    return false;
+  }
+  return [
+    /\b401\b/,
+    /\bunauthorized\b/,
+    /\bbad credentials\b/,
+    /\binvalid token\b/,
+    /\btoken (?:expired|revoked)\b/,
+    /\bexpired token\b/,
+    /\bmissing scopes?\b/,
+    /\binsufficient scope\b/,
+    /\binvalid grant\b/,
+    /\breauthoriz/
+  ].some((pattern) => pattern.test(text));
+}
+function commandTargetsProvider(provider, command, details) {
+  const normalizedCommand = command.trim().toLowerCase();
+  if (!normalizedCommand) {
+    return false;
+  }
+  if (provider === "github" && /^(gh|git)\b/.test(normalizedCommand)) {
+    return true;
+  }
+  const plugin = getPluginDefinition(provider);
+  const candidates = /* @__PURE__ */ new Set([provider.toLowerCase()]);
+  const credentials = plugin?.manifest.credentials;
+  if (credentials) {
+    candidates.add(credentials.authTokenEnv.toLowerCase());
+    for (const domain of credentials.apiDomains) {
+      candidates.add(domain.toLowerCase());
+    }
+  }
+  const combinedText = `${normalizedCommand}
+${details.stdout?.toLowerCase() ?? ""}
+${details.stderr?.toLowerCase() ?? ""}`;
+  return [...candidates].some((candidate) => combinedText.includes(candidate));
+}
+function createPluginAuthOrchestration(deps, abortAgent) {
+  let pendingPause;
+  const startAuthorizationPause = async (provider, activeSkill, options) => {
+    if (pendingPause) {
+      throw pendingPause;
+    }
+    if (!deps.requesterId || !getPluginOAuthConfig(provider)) {
+      throw new Error(`Cannot start plugin authorization for ${provider}`);
+    }
+    const providerLabel = formatProviderLabel(provider);
+    const oauthResult = await startOAuthFlow(provider, {
+      requesterId: deps.requesterId,
+      channelId: deps.channelId,
+      threadTs: deps.threadTs,
+      userMessage: deps.userMessage,
+      channelConfiguration: deps.channelConfiguration,
+      activeSkillName: activeSkill?.name ?? void 0,
+      resumeConversationId: deps.conversationId,
+      resumeSessionId: deps.sessionId
+    });
+    if (!oauthResult.ok) {
+      throw new Error(oauthResult.error);
+    }
+    if (!oauthResult.delivery) {
+      throw new Error(
+        `I need to connect your ${providerLabel} account first, but I wasn't able to send you a private authorization link. Please send me a direct message and try again.`
+      );
+    }
+    if (options?.unlinkExistingProvider && deps.requesterId && deps.userTokenStore) {
+      await unlinkProvider(deps.requesterId, provider, deps.userTokenStore);
+    }
+    pendingPause = new PluginAuthorizationPauseError(provider);
+    abortAgent();
+    throw pendingPause;
+  };
+  const handleCredentialUnavailable = async (input) => {
+    if (pendingPause) {
+      throw pendingPause;
+    }
+    if (!deps.requesterId || !getPluginOAuthConfig(input.error.provider)) {
+      throw input.error;
+    }
+    return await startAuthorizationPause(
+      input.error.provider,
+      input.activeSkill
+    );
+  };
+  return {
+    handleCredentialUnavailable,
+    handleCommandFailure: async (input) => {
+      const provider = input.activeSkill?.pluginProvider;
+      if (!provider || !deps.requesterId || !deps.userTokenStore || !getPluginOAuthConfig(provider) || !isCommandAuthFailure(input.details) || !commandTargetsProvider(provider, input.command, input.details)) {
+        return;
+      }
+      await startAuthorizationPause(provider, input.activeSkill, {
+        unlinkExistingProvider: true
+      });
+    },
+    getPendingPause: () => pendingPause
+  };
+}
+
 // src/chat/runtime/tool-status.ts
 function buildToolStatus(toolName, input) {
   const obj = input && typeof input === "object" ? input : void 0;
@@ -9612,7 +9142,7 @@ function handleToolExecutionError(error, toolName, toolCallId, shouldTrace, trac
 }
 
 // src/chat/tools/agent-tools.ts
-function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor, capabilityRuntime, hooks) {
+function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor, capabilityRuntime, pluginAuthOrchestration, hooks) {
   const shouldTrace = shouldEmitDevAgentTrace();
   return Object.entries(tools).map(([toolName, toolDef]) => ({
     name: toolName,
@@ -9670,6 +9200,13 @@ function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor
               experimental_context: sandbox
             });
             const normalized = normalizeToolResult(result, isSandbox);
+            if (bashCommand && pluginAuthOrchestration) {
+              await pluginAuthOrchestration.handleCommandFailure({
+                activeSkill: sandbox.getActiveSkill(),
+                command: bashCommand,
+                details: normalized.details
+              });
+            }
             const toolResultAttribute = serializeGenAiAttribute(
               normalized.details
             );
@@ -9680,6 +9217,9 @@ function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor
             }
             return normalized;
           } catch (error) {
+            if (error instanceof PluginAuthorizationPauseError) {
+              throw error;
+            }
             handleToolExecutionError(
               error,
               toolName,
@@ -9699,7 +9239,234 @@ function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor
         }
       );
     }
-  }));
+  }));
+}
+
+// src/chat/respond-helpers.ts
+var MAX_INLINE_ATTACHMENT_BASE64_CHARS = 12e4;
+function getSessionIdentifiers(context) {
+  return {
+    conversationId: context.correlation?.conversationId ?? context.correlation?.threadId ?? context.correlation?.runId,
+    sessionId: context.correlation?.turnId
+  };
+}
+function isExecutionDeferralResponse(text) {
+  return /\b(want me to proceed|do you want me to proceed|shall i proceed|can i proceed|should i proceed|let me do that now|give me a moment|tag me again|fresh invocation)\b/i.test(
+    text
+  );
+}
+function isToolAccessDisclaimerResponse(text) {
+  return /\b(i (don't|do not) have access to (active )?tool|tool results came back empty|prior results .* empty|cannot access .*tool|need to (run|load) .*tool .* first)\b/i.test(
+    text
+  );
+}
+function isExecutionEscapeResponse(text) {
+  const trimmed = text.trim();
+  if (!trimmed) return false;
+  return isExecutionDeferralResponse(trimmed) || isToolAccessDisclaimerResponse(trimmed);
+}
+function parseJsonCandidate2(text) {
+  const trimmed = text.trim();
+  if (!trimmed) return void 0;
+  try {
+    return JSON.parse(trimmed);
+  } catch {
+    const fenced = trimmed.match(/^```(?:json)?\s*([\s\S]*?)\s*```$/i);
+    if (!fenced) return void 0;
+    try {
+      return JSON.parse(fenced[1]);
+    } catch {
+      return void 0;
+    }
+  }
+}
+function isToolPayloadShape(payload) {
+  if (!payload || typeof payload !== "object") return false;
+  const record = payload;
+  const type = typeof record.type === "string" ? record.type.toLowerCase() : "";
+  if (type.startsWith("tool-")) return true;
+  if (type === "tool_use" || type === "tool_call" || type === "tool_result" || type === "tool_error")
+    return true;
+  const hasToolName = typeof record.toolName === "string" || typeof record.name === "string";
+  const hasToolInput = Object.prototype.hasOwnProperty.call(record, "input") || Object.prototype.hasOwnProperty.call(record, "args");
+  if (hasToolName && hasToolInput) return true;
+  return false;
+}
+function isRawToolPayloadResponse(text) {
+  const parsed = parseJsonCandidate2(text);
+  if (Array.isArray(parsed)) {
+    return parsed.some((entry) => isToolPayloadShape(entry));
+  }
+  if (isToolPayloadShape(parsed)) {
+    return true;
+  }
+  const compact = text.replace(/\s+/g, " ");
+  return /"type"\s*:\s*"tool[-_](use|call|result|error)"/i.test(compact);
+}
+function toObservablePromptPart(part) {
+  if (part.type === "text") {
+    return {
+      type: "text",
+      text: part.text
+    };
+  }
+  return {
+    type: "image",
+    mimeType: part.mimeType,
+    data: `[omitted:${part.data.length}]`
+  };
+}
+function summarizeMessageText(text) {
+  const normalized = text.trim().replace(/\s+/g, " ");
+  if (!normalized) {
+    return "[empty]";
+  }
+  return normalized.length > 1200 ? `${normalized.slice(0, 1200)}...` : normalized;
+}
+function buildUserTurnText(userInput, conversationContext, metadata) {
+  const trimmedContext = conversationContext?.trim();
+  const hasSessionContext = Boolean(metadata?.sessionContext?.conversationId);
+  const hasTurnContext = Boolean(metadata?.turnContext?.traceId);
+  if (!trimmedContext && !hasSessionContext && !hasTurnContext) {
+    return userInput;
+  }
+  const sections = [
+    "<current-message>",
+    userInput,
+    "</current-message>"
+  ];
+  if (trimmedContext) {
+    sections.push(
+      "",
+      "<thread-conversation-context>",
+      "Use this context for continuity across prior thread turns.",
+      trimmedContext,
+      "</thread-conversation-context>"
+    );
+  }
+  if (metadata?.sessionContext?.conversationId) {
+    sections.push(
+      "",
+      "<session-context>",
+      `- gen_ai.conversation.id: ${metadata.sessionContext.conversationId}`,
+      "</session-context>"
+    );
+  }
+  if (metadata?.turnContext?.traceId) {
+    sections.push(
+      "",
+      "<turn-context>",
+      `- trace_id: ${metadata.turnContext.traceId}`,
+      "</turn-context>"
+    );
+  }
+  return sections.join("\n");
+}
+function encodeNonImageAttachmentForPrompt(attachment) {
+  const base64 = attachment.data.toString("base64");
+  const wasTruncated = base64.length > MAX_INLINE_ATTACHMENT_BASE64_CHARS;
+  const encodedPayload = wasTruncated ? `${base64.slice(0, MAX_INLINE_ATTACHMENT_BASE64_CHARS)}...` : base64;
+  return [
+    "<attachment>",
+    `filename: ${attachment.filename ?? "unnamed"}`,
+    `media_type: ${attachment.mediaType}`,
+    "encoding: base64",
+    `truncated: ${wasTruncated ? "true" : "false"}`,
+    "<data_base64>",
+    encodedPayload,
+    "</data_base64>",
+    "</attachment>"
+  ].join("\n");
+}
+function buildExecutionFailureMessage(toolErrorCount) {
+  if (toolErrorCount > 0) {
+    return "I couldn't complete this because one or more required tools failed in this turn. I've logged the failure details.";
+  }
+  return "I couldn't complete this request in this turn due to an execution failure. I've logged the details for debugging.";
+}
+function isToolResultMessage(value) {
+  return typeof value === "object" && value !== null && value.role === "toolResult";
+}
+function normalizeToolNameFromResult(result) {
+  if (!result || typeof result !== "object") return void 0;
+  const record = result;
+  if (typeof record.toolName === "string" && record.toolName.length > 0) {
+    return record.toolName;
+  }
+  if (typeof record.name === "string" && record.name.length > 0) {
+    return record.name;
+  }
+  return void 0;
+}
+function isToolResultError(result) {
+  if (!result || typeof result !== "object") return false;
+  return Boolean(result.isError);
+}
+function isAssistantMessage(value) {
+  return typeof value === "object" && value !== null && value.role === "assistant";
+}
+function getPiMessageRole(value) {
+  if (!value || typeof value !== "object") {
+    return void 0;
+  }
+  const role = value.role;
+  return typeof role === "string" ? role : void 0;
+}
+function extractAssistantText(message) {
+  const content = message.content ?? [];
+  return content.filter(
+    (part) => part.type === "text" && typeof part.text === "string"
+  ).map((part) => part.text).join("\n");
+}
+function getTerminalAssistantMessages(messages) {
+  let lastToolResultIndex = -1;
+  for (let index = messages.length - 1; index >= 0; index -= 1) {
+    if (isToolResultMessage(messages[index])) {
+      lastToolResultIndex = index;
+      break;
+    }
+  }
+  return messages.slice(lastToolResultIndex + 1).filter(isAssistantMessage);
+}
+function hasCompletedAssistantTurn(messages) {
+  const message = getTerminalAssistantMessages(messages).at(-1);
+  if (!message) {
+    return false;
+  }
+  const stopReason = message.stopReason;
+  return typeof stopReason === "string" && stopReason !== "error" && extractAssistantText(message).trim().length > 0;
+}
+function upsertActiveSkill(activeSkills, next) {
+  const existing = activeSkills.find((skill) => skill.name === next.name);
+  if (existing) {
+    existing.body = next.body;
+    existing.description = next.description;
+    existing.skillPath = next.skillPath;
+    existing.allowedTools = next.allowedTools;
+    existing.usesConfig = next.usesConfig;
+    existing.pluginProvider = next.pluginProvider;
+    return;
+  }
+  activeSkills.push(next);
+}
+function collectRelevantConfigurationKeys(activeSkills, explicitSkill) {
+  const keys = /* @__PURE__ */ new Set();
+  for (const skill of [
+    ...activeSkills,
+    ...explicitSkill ? [explicitSkill] : []
+  ]) {
+    for (const key of skill.usesConfig ?? []) {
+      keys.add(key);
+    }
+  }
+  return [...keys].sort((a, b) => a.localeCompare(b));
+}
+function trimTrailingAssistantMessages(messages) {
+  let end = messages.length;
+  while (end > 0 && getPiMessageRole(messages[end - 1]) === "assistant") {
+    end -= 1;
+  }
+  return end === messages.length ? [...messages] : messages.slice(0, end);
 }
 
 // src/chat/services/reply-delivery-plan.ts
@@ -9801,7 +9568,6 @@ function buildTurnResult(input) {
   const assistantMessages = newMessages.filter(isAssistantMessage);
   const terminalAssistantMessages = getTerminalAssistantMessages(newMessages);
   const primaryText = terminalAssistantMessages.map((message) => extractAssistantText(message)).join("\n\n").trim();
-  const oauthStartedMessage = extractOAuthStartedMessageFromToolResults(toolResults);
   const toolErrorCount = toolResults.filter((result) => result.isError).length;
   const explicitChannelPostIntent = isExplicitChannelPostIntent(userInput);
   const successfulToolNames = new Set(
@@ -9810,13 +9576,14 @@ function buildTurnResult(input) {
   const channelPostPerformed = successfulToolNames.has(
     "slackChannelPostMessage"
   );
-  const deliveryPlan = buildReplyDeliveryPlan({
+  const reactionPerformed = successfulToolNames.has("slackMessageAddReaction");
+  const baseDeliveryPlan = buildReplyDeliveryPlan({
     explicitChannelPostIntent,
     channelPostPerformed,
     hasFiles: replyFiles.length > 0
   });
-  const deliveryMode = deliveryPlan.mode;
-  if (!primaryText && !oauthStartedMessage) {
+  const sideEffectOnlySuccess = !primaryText && toolErrorCount === 0 && (reactionPerformed || channelPostPerformed || replyFiles.length > 0);
+  if (!primaryText && !sideEffectOnlySuccess) {
     logWarn(
       "ai_model_response_empty",
       {
@@ -9839,12 +9606,17 @@ function buildTurnResult(input) {
   const stopReason = typeof lastAssistant?.stopReason === "string" ? lastAssistant.stopReason : void 0;
   const errorMessage = typeof lastAssistant?.errorMessage === "string" ? lastAssistant.errorMessage : void 0;
   const usedPrimaryText = Boolean(primaryText);
-  const outcome = primaryText || oauthStartedMessage ? stopReason === "error" ? "provider_error" : "success" : "execution_failure";
-  const fallbackText = oauthStartedMessage ?? buildExecutionFailureMessage(toolErrorCount);
-  const responseText = primaryText || fallbackText;
+  const outcome = primaryText ? stopReason === "error" ? "provider_error" : "success" : sideEffectOnlySuccess ? "success" : "execution_failure";
+  const fallbackText = buildExecutionFailureMessage(toolErrorCount);
+  const responseText = primaryText || (sideEffectOnlySuccess ? "" : fallbackText);
   const escapedOrRawPayload = Boolean(primaryText) && (isExecutionEscapeResponse(primaryText) || isRawToolPayloadResponse(primaryText));
   const resolvedText = escapedOrRawPayload ? fallbackText : enforceAttachmentClaimTruth(responseText, replyFiles.length > 0);
-  const resolvedOutcome = escapedOrRawPayload ? oauthStartedMessage ? outcome : "execution_failure" : outcome;
+  const deliveryPlan = reactionPerformed && !resolvedText && replyFiles.length === 0 && !channelPostPerformed ? {
+    ...baseDeliveryPlan,
+    postThreadText: false
+  } : baseDeliveryPlan;
+  const deliveryMode = deliveryPlan.mode;
+  const resolvedOutcome = escapedOrRawPayload ? "execution_failure" : outcome;
   if (shouldTrace) {
     logInfo(
       "agent_message_out",
@@ -10283,11 +10055,9 @@ async function generateAssistantReply(messageText, context = {}) {
       ...persistedConfigurationValues
     };
     const capabilityRuntime = createSkillCapabilityRuntime({
-      invocationArgs: skillInvocation?.args,
-      requesterId: context.requester?.userId,
-      resolveConfiguration: async (key) => configurationValues[key]
+      requesterId: context.requester?.userId
     });
-    const providerAuthActions = /* @__PURE__ */ new Map();
+    const userTokenStore = createUserTokenStore();
     sandboxExecutor = createSandboxExecutor({
       sandboxId: context.sandbox?.sandboxId,
       sandboxDependencyProfileHash: context.sandbox?.sandboxDependencyProfileHash,
@@ -10300,15 +10070,9 @@ async function generateAssistantReply(messageText, context = {}) {
       },
       runBashCustomCommand: async (command) => {
         const result = await maybeExecuteJrRpcCustomCommand(command, {
-          capabilityRuntime,
           activeSkill: skillSandbox.getActiveSkill(),
           channelConfiguration: context.channelConfiguration,
           requesterId: context.requester?.userId,
-          channelId: context.correlation?.channelId,
-          threadTs: context.correlation?.threadTs,
-          userMessage: userInput,
-          userTokenStore: createUserTokenStore(),
-          providerAuthActions,
           onConfigurationValueChanged: (key, value) => {
             if (value === void 0) {
               delete configurationValues[key];
@@ -10408,14 +10172,47 @@ async function generateAssistantReply(messageText, context = {}) {
       },
       () => agent?.abort()
     );
+    const pluginAuth = createPluginAuthOrchestration(
+      {
+        conversationId: sessionConversationId,
+        sessionId,
+        requesterId: context.requester?.userId,
+        channelId: context.correlation?.channelId,
+        threadTs: context.correlation?.threadTs,
+        userMessage: userInput,
+        channelConfiguration: context.channelConfiguration,
+        userTokenStore
+      },
+      () => agent?.abort()
+    );
     mcpToolManager = new McpToolManager(getPluginMcpProviders(), {
       authProviderFactory: mcpAuth.authProviderFactory,
       onAuthorizationRequired: mcpAuth.onAuthorizationRequired
     });
     const turnMcpToolManager = mcpToolManager;
+    const getPendingAuthPause = () => pluginAuth.getPendingPause() ?? mcpAuth.getPendingPause();
     const syncResumeState = () => {
       loadedSkillNamesForResume = activeSkills.map((skill) => skill.name);
     };
+    const enableSkillCredentials = async (skill, reason) => {
+      if (!skill?.pluginProvider) {
+        return;
+      }
+      try {
+        await capabilityRuntime.enableCredentialsForTurn({
+          activeSkill: skill,
+          reason
+        });
+      } catch (error) {
+        if (error instanceof CredentialUnavailableError && context.requester?.userId) {
+          await pluginAuth.handleCredentialUnavailable({
+            activeSkill: skill,
+            error
+          });
+        }
+        throw error;
+      }
+    };
     setTags({
       conversationId: spanContext.conversationId,
       turnId: spanContext.turnId,
@@ -10457,6 +10254,10 @@ async function generateAssistantReply(messageText, context = {}) {
           if (mcpAuth.getPendingPause()) {
             return void 0;
           }
+          await enableSkillCredentials(
+            effective,
+            `skill:${effective.name}:turn:load`
+          );
           if (!effective.pluginProvider) {
             return void 0;
           }
@@ -10491,6 +10292,7 @@ async function generateAssistantReply(messageText, context = {}) {
         timeoutResumeMessages = existingCheckpoint?.piMessages ?? [];
         throw mcpAuth.getPendingPause();
       }
+      await enableSkillCredentials(skill, `skill:${skill.name}:turn:resume`);
     }
     syncResumeState();
     const activeToolSummaries = turnMcpToolManager.getActiveToolCatalog(activeSkills).map(toExposedToolSummary);
@@ -10581,6 +10383,7 @@ async function generateAssistantReply(messageText, context = {}) {
       context.onStatus,
       sandboxExecutor,
       capabilityRuntime,
+      pluginAuth,
       agentToolHooks
     );
     const agentTools = [...baseAgentTools];
@@ -10594,6 +10397,7 @@ async function generateAssistantReply(messageText, context = {}) {
         context.onStatus,
         sandboxExecutor,
         capabilityRuntime,
+        pluginAuth,
         agentToolHooks
       );
       agentTools.length = 0;
@@ -10700,9 +10504,9 @@ async function generateAssistantReply(messageText, context = {}) {
               });
               timeoutResumeMessages = [...agent.state.messages];
             }
-            if (mcpAuth.getPendingPause()) {
+            if (getPendingAuthPause()) {
               timeoutResumeMessages = [...agent.state.messages];
-              throw mcpAuth.getPendingPause();
+              throw getPendingAuthPause();
             }
             throw error;
           } finally {
@@ -10712,9 +10516,9 @@ async function generateAssistantReply(messageText, context = {}) {
           }
           newMessages = agent.state.messages.slice(beforeMessageCount);
           completedAssistantTurn = hasCompletedAssistantTurn(newMessages);
-          if (mcpAuth.getPendingPause() && !completedAssistantTurn) {
+          if (getPendingAuthPause() && !completedAssistantTurn) {
             timeoutResumeMessages = [...agent.state.messages];
-            throw mcpAuth.getPendingPause();
+            throw getPendingAuthPause();
           }
           const outputMessages = newMessages.filter(isAssistantMessage);
           const outputMessagesAttribute = serializeGenAiAttribute(outputMessages);
@@ -10723,7 +10527,9 @@ async function generateAssistantReply(messageText, context = {}) {
             agent.state,
             ...outputMessages
           );
-          turnUsage = usageSummary.inputTokens !== void 0 || usageSummary.outputTokens !== void 0 || usageSummary.totalTokens !== void 0 ? usageSummary : void 0;
+          turnUsage = Object.values(usageSummary).some(
+            (value) => value !== void 0
+          ) ? usageSummary : void 0;
           setSpanAttributes({
             ...outputMessagesAttribute ? { "gen_ai.output.messages": outputMessagesAttribute } : {},
             ...usageSummary.inputTokens !== void 0 ? { "gen_ai.usage.input_tokens": usageSummary.inputTokens } : {},
@@ -10740,8 +10546,8 @@ async function generateAssistantReply(messageText, context = {}) {
     } finally {
       unsubscribe();
     }
-    if (mcpAuth.getPendingPause() && !completedAssistantTurn) {
-      throw mcpAuth.getPendingPause();
+    if (getPendingAuthPause() && !completedAssistantTurn) {
+      throw getPendingAuthPause();
     }
     if (checkpointState.canUseTurnSession && sessionConversationId && sessionId) {
       await persistCompletedCheckpoint({
@@ -10799,7 +10605,7 @@ async function generateAssistantReply(messageText, context = {}) {
         );
       }
     }
-    if (error instanceof McpAuthorizationPauseError && timeoutResumeConversationId && timeoutResumeSessionId) {
+    if ((error instanceof McpAuthorizationPauseError || error instanceof PluginAuthorizationPauseError) && timeoutResumeConversationId && timeoutResumeSessionId) {
       const nextSliceId = await persistAuthPauseCheckpoint({
         conversationId: timeoutResumeConversationId,
         sessionId: timeoutResumeSessionId,
@@ -10817,7 +10623,7 @@ async function generateAssistantReply(messageText, context = {}) {
         }
       });
       throw new RetryableTurnError(
-        "mcp_auth_resume",
+        error instanceof PluginAuthorizationPauseError ? "plugin_auth_resume" : "mcp_auth_resume",
         `conversation=${timeoutResumeConversationId} session=${timeoutResumeSessionId} slice=${nextSliceId}`,
         {
           conversationId: timeoutResumeConversationId,
@@ -10894,13 +10700,19 @@ function formatSlackDuration(durationMs) {
   return `${Math.round(durationSeconds)}s`;
 }
 function resolveTotalTokens(usage) {
-  if (usage?.totalTokens !== void 0) {
-    return usage.totalTokens;
+  if (!usage) {
+    return void 0;
   }
-  if (usage?.inputTokens !== void 0 && usage.outputTokens !== void 0) {
-    return usage.inputTokens + usage.outputTokens;
+  const components = [
+    usage.inputTokens,
+    usage.outputTokens,
+    usage.cachedInputTokens,
+    usage.cacheCreationTokens
+  ].filter((value) => value !== void 0);
+  if (components.length > 0) {
+    return components.reduce((sum, value) => sum + value, 0);
   }
-  return void 0;
+  return usage.totalTokens;
 }
 function buildSlackReplyFooter(args) {
   const items = [];
@@ -11265,7 +11077,7 @@ async function resumeSlackTurn(args) {
     await args.onSuccess?.(reply);
   } catch (error) {
     await status.stop();
-    if (isRetryableTurnError(error, "mcp_auth_resume") && args.onAuthPause) {
+    if ((isRetryableTurnError(error, "mcp_auth_resume") || isRetryableTurnError(error, "plugin_auth_resume")) && args.onAuthPause) {
       deferredPauseHandler = async () => {
         await args.onAuthPause?.(error);
       };
@@ -11880,6 +11692,186 @@ async function buildResumeConversationContext2(channelId, threadTs) {
     excludeMessageId: latestUserMessageId
   });
 }
+async function buildCheckpointConversationContext(conversationId, sessionId) {
+  const conversation = coerceThreadConversationState(
+    await getPersistedThreadState(conversationId)
+  );
+  const userMessage = getTurnUserMessage(conversation, sessionId);
+  return buildConversationContext(conversation, {
+    excludeMessageId: userMessage?.id
+  });
+}
+async function persistCompletedOAuthReplyState(args) {
+  const currentState = await getPersistedThreadState(args.conversationId);
+  const conversation = coerceThreadConversationState(currentState);
+  const artifacts = coerceThreadArtifactsState(currentState);
+  const nextArtifacts = args.reply.artifactStatePatch ? mergeArtifactsState(artifacts, args.reply.artifactStatePatch) : void 0;
+  const userMessage = getTurnUserMessage(conversation, args.sessionId);
+  markConversationMessage(conversation, userMessage?.id, {
+    replied: true,
+    skippedReason: void 0
+  });
+  upsertConversationMessage(conversation, {
+    id: generateConversationId("assistant"),
+    role: "assistant",
+    text: normalizeConversationText(args.reply.text) || "[empty response]",
+    createdAtMs: Date.now(),
+    author: {
+      userName: botConfig.userName,
+      isBot: true
+    },
+    meta: {
+      replied: true
+    }
+  });
+  markTurnCompleted({
+    conversation,
+    nowMs: Date.now(),
+    updateConversationStats
+  });
+  await persistThreadStateById(args.conversationId, {
+    artifacts: nextArtifacts,
+    conversation,
+    sandboxId: args.reply.sandboxId,
+    sandboxDependencyProfileHash: args.reply.sandboxDependencyProfileHash
+  });
+}
+async function persistFailedOAuthReplyState(args) {
+  const currentState = await getPersistedThreadState(args.conversationId);
+  const conversation = coerceThreadConversationState(currentState);
+  markTurnFailed({
+    conversation,
+    nowMs: Date.now(),
+    userMessageId: getTurnUserMessage(conversation, args.sessionId)?.id,
+    markConversationMessage,
+    updateConversationStats
+  });
+  await persistThreadStateById(args.conversationId, {
+    conversation
+  });
+}
+async function resumeCheckpointedOAuthTurn(stored) {
+  if (!stored.resumeConversationId || !stored.resumeSessionId || !stored.channelId || !stored.threadTs) {
+    return false;
+  }
+  const checkpoint = await getAgentTurnSessionCheckpoint(
+    stored.resumeConversationId,
+    stored.resumeSessionId
+  );
+  if (!checkpoint || checkpoint.state !== "awaiting_resume" || checkpoint.resumeReason !== "auth") {
+    return false;
+  }
+  const currentState = await getPersistedThreadState(
+    stored.resumeConversationId
+  );
+  const conversation = coerceThreadConversationState(currentState);
+  const artifacts = coerceThreadArtifactsState(currentState);
+  const userMessage = getTurnUserMessage(conversation, stored.resumeSessionId);
+  if (!userMessage?.author?.userId) {
+    return false;
+  }
+  if (conversation.processing.activeTurnId !== stored.resumeSessionId) {
+    return true;
+  }
+  const conversationContext = await buildCheckpointConversationContext(
+    stored.resumeConversationId,
+    stored.resumeSessionId
+  );
+  const channelConfiguration = getChannelConfigurationServiceById(
+    stored.channelId
+  );
+  const providerLabel = formatProviderLabel(stored.provider);
+  await resumeSlackTurn({
+    messageText: stored.pendingMessage ?? userMessage.text,
+    channelId: stored.channelId,
+    threadTs: stored.threadTs,
+    lockKey: stored.resumeConversationId,
+    initialText: `Your ${providerLabel} account is now connected. Processing your request...`,
+    failureText: "I connected your account but hit an error processing your request. Please try the command again.",
+    replyContext: {
+      assistant: { userName: botConfig.userName },
+      requester: {
+        userId: userMessage.author.userId,
+        userName: userMessage.author.userName,
+        fullName: userMessage.author.fullName
+      },
+      correlation: {
+        channelId: stored.channelId,
+        threadTs: stored.threadTs,
+        requesterId: userMessage.author.userId
+      },
+      toolChannelId: artifacts.assistantContextChannelId ?? stored.channelId,
+      artifactState: artifacts,
+      conversationContext,
+      channelConfiguration,
+      sandbox: getPersistedSandboxState(currentState),
+      threadParticipants: buildThreadParticipants(conversation.messages),
+      ...getTurnUserReplyAttachmentContext(userMessage)
+    },
+    onSuccess: async (reply) => {
+      logInfo(
+        "oauth_callback_resume_complete",
+        {},
+        {
+          "app.credential.provider": stored.provider,
+          "app.ai.outcome": reply.diagnostics.outcome,
+          "app.ai.tool_calls": reply.diagnostics.toolCalls.length
+        },
+        "Auto-resumed checkpointed turn after OAuth callback"
+      );
+      await persistCompletedOAuthReplyState({
+        conversationId: stored.resumeConversationId,
+        sessionId: stored.resumeSessionId,
+        reply
+      });
+    },
+    onFailure: async (error) => {
+      logException(
+        error,
+        "oauth_callback_resume_failed",
+        {},
+        { "app.credential.provider": stored.provider },
+        "Failed to auto-resume checkpointed turn after OAuth callback"
+      );
+      await persistFailedOAuthReplyState({
+        conversationId: stored.resumeConversationId,
+        sessionId: stored.resumeSessionId
+      });
+    },
+    onAuthPause: async (error) => {
+      logException(
+        error,
+        "oauth_callback_resume_reparked_for_auth",
+        {},
+        { "app.credential.provider": stored.provider },
+        "Resumed OAuth turn requested another authorization flow"
+      );
+    },
+    onTimeoutPause: async (error) => {
+      if (!isRetryableTurnError(error, "turn_timeout_resume")) {
+        throw error;
+      }
+      const checkpointVersion = error.metadata?.checkpointVersion;
+      const nextSliceId = error.metadata?.sliceId;
+      if (typeof checkpointVersion !== "number") {
+        throw new Error(
+          "Timed-out OAuth resume did not include a checkpoint version"
+        );
+      }
+      if (!canScheduleTurnTimeoutResume(nextSliceId)) {
+        throw new Error(
+          "Timed-out turn exceeded the automatic resume slice limit"
+        );
+      }
+      await scheduleTurnTimeoutResume({
+        conversationId: stored.resumeConversationId,
+        sessionId: stored.resumeSessionId,
+        expectedCheckpointVersion: checkpointVersion
+      });
+    }
+  });
+  return true;
+}
 async function resumePendingOAuthMessage(stored) {
   if (!stored.pendingMessage || !stored.channelId || !stored.threadTs) return;
   const providerLabel = formatProviderLabel(stored.provider);
@@ -12058,7 +12050,19 @@ async function GET5(request, provider, waitUntil) {
     }
   });
   if (stored.pendingMessage && stored.channelId && stored.threadTs) {
-    waitUntil(() => resumePendingOAuthMessage(stored));
+    waitUntil(async () => {
+      try {
+        const resumed = await resumeCheckpointedOAuthTurn(stored);
+        if (!resumed) {
+          await resumePendingOAuthMessage(stored);
+        }
+      } catch (error) {
+        if (error instanceof ResumeTurnBusyError) {
+          return;
+        }
+        throw error;
+      }
+    });
   } else if (stored.channelId && stored.threadTs) {
     const { channelId, threadTs } = stored;
     waitUntil(
@@ -12382,11 +12386,11 @@ var DIRECTED_FOLLOW_UP_CUE_RE = /\b(?:you said|you just said|your last response|
 var TERSE_CLARIFICATION_RE = /^(?:which one|which ones|why|how so|what do you mean|what did you mean|say more|explain that|clarify that|expand on that|elaborate on that)\??$/i;
 var GENERIC_IMMEDIATE_SIDE_CONVERSATION_RE = /^(?:is that (?:the )?right (?:approach|call|move)|(?:can|could|would) you check on this)\??$/i;
 var RECENT_THREAD_WINDOW = 6;
-function escapeRegExp2(value) {
+function escapeRegExp(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function containsAssistantInvocation(text, botUserName) {
-  const escapedUserName = escapeRegExp2(botUserName);
+  const escapedUserName = escapeRegExp(botUserName);
   const plainNameMentionRe = new RegExp(`(^|\\s)@${escapedUserName}\\b`, "i");
   const labeledEntityMentionRe = new RegExp(
     `<@[^>|]+\\|${escapedUserName}>`,
@@ -12605,6 +12609,13 @@ async function decideSubscribedThreadReply(args) {
       reason: "explicit_mention" /* ExplicitMention */
     };
   }
+  if (signals.assistantWasLastSpeaker && signals.humanMessagesSinceLastAssistant === 0 && !signals.currentMessageHasAttachments && (signals.currentMessageHasDirectedFollowUpCue || signals.currentMessageIsTerseClarification)) {
+    return {
+      shouldReply: true,
+      reason: "directed_follow_up" /* DirectedFollowUp */,
+      reasonDetail: signals.currentMessageIsTerseClarification ? "immediate terse clarification" : "immediate directed follow-up cue"
+    };
+  }
   if (signals.assistantWasLastSpeaker && signals.humanMessagesSinceLastAssistant === 0 && !signals.currentMessageHasAttachments && !signals.currentMessageHasDirectedFollowUpCue && !signals.currentMessageIsTerseClarification && isGenericImmediateSideConversation(text)) {
     return {
       shouldReply: false,
@@ -12675,7 +12686,7 @@ async function decideSubscribedThreadReply(args) {
 }
 
 // src/chat/runtime/thread-context.ts
-function escapeRegExp3(value) {
+function escapeRegExp2(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function stripLeadingBotMention(text, options = {}) {
@@ -12685,12 +12696,12 @@ function stripLeadingBotMention(text, options = {}) {
     next = next.replace(/^\s*<@[^>]+>[\s,:-]*/, "").trim();
   }
   const mentionByNameRe = new RegExp(
-    `^\\s*@${escapeRegExp3(botConfig.userName)}\\b[\\s,:-]*`,
+    `^\\s*@${escapeRegExp2(botConfig.userName)}\\b[\\s,:-]*`,
     "i"
   );
   next = next.replace(mentionByNameRe, "").trim();
   const mentionByLabeledEntityRe = new RegExp(
-    `^\\s*<@[^>|]+\\|${escapeRegExp3(botConfig.userName)}>[\\s,:-]*`,
+    `^\\s*<@[^>|]+\\|${escapeRegExp2(botConfig.userName)}>[\\s,:-]*`,
     "i"
   );
   next = next.replace(mentionByLabeledEntityRe, "").trim();
@@ -12892,13 +12903,13 @@ function createSlackTurnRuntime(deps) {
           channelId: deps.getChannelId(thread, message),
           runId: deps.getRunId(thread, message)
         });
-        if (isRetryableTurnError(error, "mcp_auth_resume")) {
+        if (isRetryableTurnError(error, "mcp_auth_resume") || isRetryableTurnError(error, "plugin_auth_resume")) {
           deps.logException(
             error,
             "mention_handler_auth_pause",
             errorContext,
             { "app.turn.retryable_reason": error.reason },
-            "onNewMention parked turn for MCP auth resume"
+            "onNewMention parked turn for auth resume"
           );
           return;
         }
@@ -13024,13 +13035,13 @@ function createSlackTurnRuntime(deps) {
           channelId: deps.getChannelId(thread, message),
           runId: deps.getRunId(thread, message)
         });
-        if (isRetryableTurnError(error, "mcp_auth_resume")) {
+        if (isRetryableTurnError(error, "mcp_auth_resume") || isRetryableTurnError(error, "plugin_auth_resume")) {
           deps.logException(
             error,
             "subscribed_message_handler_auth_pause",
             errorContext,
             { "app.turn.retryable_reason": error.reason },
-            "onSubscribedMessage parked turn for MCP auth resume"
+            "onSubscribedMessage parked turn for auth resume"
           );
           return;
         }
@@ -14211,7 +14222,7 @@ function createReplyToThread(deps) {
             );
           }
         } catch (error) {
-          if (isRetryableTurnError(error, "mcp_auth_resume")) {
+          if (isRetryableTurnError(error, "mcp_auth_resume") || isRetryableTurnError(error, "plugin_auth_resume")) {
             shouldPersistFailureState = false;
             throw error;
           }