@sentry/junior 0.33.0 → 0.35.0

package/dist/{chunk-3M7ZD6FF.js → chunk-ERH4OYNB.js}

@@ -7,7 +7,7 @@ import {
   serializeGenAiAttribute,
   setSpanAttributes,
   withSpan
-} from "./chunk-XARRBRQV.js";
+} from "./chunk-QZRPUFO6.js";
 
 // src/chat/state/adapter.ts
 import { createMemoryState } from "@chat-adapter/state-memory";
@@ -128,68 +128,73 @@ async function completeText(params) {
   const apiKey = getPiGatewayApiKeyOverride();
   const requestMessagesAttribute = serializeGenAiAttribute(params.messages);
   const systemInstructionsAttribute = params.system ? serializeGenAiAttribute([{ type: "text", content: params.system }]) : void 0;
-  const startAttributes = {
+  const baseAttributes = {
     "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
     "gen_ai.operation.name": GEN_AI_OPERATION_CHAT,
     "gen_ai.request.model": params.modelId,
+    ...params.thinkingLevel ? { "app.ai.reasoning_effort": params.thinkingLevel } : {}
+  };
+  const startAttributes = {
+    ...baseAttributes,
     ...systemInstructionsAttribute ? { "gen_ai.system_instructions": systemInstructionsAttribute } : {},
     ...requestMessagesAttribute ? { "gen_ai.input.messages": requestMessagesAttribute } : {},
-    "app.ai.auth_mode": apiKey ? "oidc" : "api_key",
-    ...params.thinkingLevel ? { "app.ai.reasoning_effort": params.thinkingLevel } : {}
+    "app.ai.auth_mode": apiKey ? "oidc" : "api_key"
   };
-  setSpanAttributes(startAttributes);
-  const message = await completeSimple(
-    model,
-    {
-      systemPrompt: params.system,
-      messages: params.messages
+  return withSpan(
+    "ai.chat_completion",
+    "gen_ai.chat",
+    { modelId: params.modelId },
+    async () => {
+      const message = await completeSimple(
+        model,
+        {
+          systemPrompt: params.system,
+          messages: params.messages
+        },
+        {
+          ...apiKey ? { apiKey } : {},
+          temperature: params.temperature,
+          maxTokens: params.maxTokens,
+          reasoning: params.thinkingLevel,
+          signal: params.signal,
+          metadata: params.metadata
+        }
+      );
+      const outputText = extractText(message);
+      const outputMessagesAttribute = serializeGenAiAttribute([
+        {
+          role: "assistant",
+          content: outputText ? [{ type: "text", text: outputText }] : []
+        }
+      ]);
+      const usageAttributes = extractGenAiUsageAttributes(message);
+      const endAttributes = {
+        ...baseAttributes,
+        ...outputMessagesAttribute ? { "gen_ai.output.messages": outputMessagesAttribute } : {},
+        ...usageAttributes,
+        ...message.stopReason ? { "gen_ai.response.finish_reasons": [message.stopReason] } : {}
+      };
+      setSpanAttributes(endAttributes);
+      if (message.stopReason === "error") {
+        const providerMessage = message.errorMessage?.trim() || "Unknown provider error";
+        logWarn(
+          "ai_completion_provider_error",
+          {},
+          {
+            ...baseAttributes,
+            "error.message": providerMessage
+          },
+          "AI completion returned provider error"
+        );
+        throw new Error(`AI provider error: ${providerMessage}`);
+      }
+      return {
+        message,
+        text: outputText
+      };
     },
-    {
-      ...apiKey ? { apiKey } : {},
-      temperature: params.temperature,
-      maxTokens: params.maxTokens,
-      reasoning: params.thinkingLevel,
-      signal: params.signal,
-      metadata: params.metadata
-    }
+    startAttributes
   );
-  const outputText = extractText(message);
-  const outputMessagesAttribute = serializeGenAiAttribute([
-    {
-      role: "assistant",
-      content: outputText ? [{ type: "text", text: outputText }] : []
-    }
-  ]);
-  const usageAttributes = extractGenAiUsageAttributes(message);
-  const endAttributes = {
-    "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
-    "gen_ai.operation.name": GEN_AI_OPERATION_CHAT,
-    "gen_ai.request.model": params.modelId,
-    ...outputMessagesAttribute ? { "gen_ai.output.messages": outputMessagesAttribute } : {},
-    ...usageAttributes,
-    ...message.stopReason ? { "gen_ai.response.finish_reasons": [message.stopReason] } : {},
-    ...params.thinkingLevel ? { "app.ai.reasoning_effort": params.thinkingLevel } : {}
-  };
-  setSpanAttributes(endAttributes);
-  if (message.stopReason === "error") {
-    const providerMessage = message.errorMessage?.trim() || "Unknown provider error";
-    logWarn(
-      "ai_completion_provider_error",
-      {},
-      {
-        "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
-        "gen_ai.operation.name": GEN_AI_OPERATION_CHAT,
-        "gen_ai.request.model": params.modelId,
-        "error.message": providerMessage
-      },
-      "AI completion returned provider error"
-    );
-    throw new Error(`AI provider error: ${providerMessage}`);
-  }
-  return {
-    message,
-    text: outputText
-  };
 }
 async function completeObject(params) {
   const startedAt = Date.now();
@@ -256,6 +261,14 @@ async function completeObject(params) {
 var MIN_AGENT_TURN_TIMEOUT_MS = 10 * 1e3;
 var DEFAULT_AGENT_TURN_TIMEOUT_MS = 12 * 60 * 1e3;
 var DEFAULT_FUNCTION_MAX_DURATION_SECONDS = 800;
+var ADVISOR_THINKING_LEVELS = [
+  "minimal",
+  "low",
+  "medium",
+  "high",
+  "xhigh"
+];
+var DEFAULT_ADVISOR_THINKING_LEVEL = "xhigh";
 var FUNCTION_TIMEOUT_BUFFER_SECONDS = 20;
 var DEFAULT_ASSISTANT_LOADING_MESSAGES = [
   "Consulting the orb",
@@ -314,17 +327,39 @@ function parseLoadingMessages(rawValue) {
     return value.trim();
   });
 }
+function parseAdvisorThinkingLevel(rawValue) {
+  const value = toOptionalTrimmed(rawValue);
+  if (!value) {
+    return DEFAULT_ADVISOR_THINKING_LEVEL;
+  }
+  if (ADVISOR_THINKING_LEVELS.includes(value)) {
+    return value;
+  }
+  throw new Error(
+    `AI_ADVISOR_THINKING_LEVEL must be one of: minimal, low, medium, high, xhigh`
+  );
+}
 var DEFAULT_MODEL_ID = getModel("vercel-ai-gateway", "openai/gpt-5.4").id;
 var DEFAULT_FAST_MODEL_ID = getModel(
   "vercel-ai-gateway",
   "openai/gpt-5.4-mini"
 ).id;
+var DEFAULT_ADVISOR_MODEL_ID = getModel(
+  "vercel-ai-gateway",
+  "openai/gpt-5.5"
+).id;
 function validateGatewayModelId(raw) {
   const trimmed = toOptionalTrimmed(raw);
   if (trimmed === void 0) return void 0;
   resolveGatewayModel(trimmed);
   return trimmed;
 }
+function readAdvisorConfig(env) {
+  return {
+    modelId: validateGatewayModelId(env.AI_ADVISOR_MODEL) ?? DEFAULT_ADVISOR_MODEL_ID,
+    thinkingLevel: parseAdvisorThinkingLevel(env.AI_ADVISOR_THINKING_LEVEL)
+  };
+}
 function readBotConfig(env) {
   const functionMaxDurationSeconds = resolveFunctionMaxDurationSeconds(env);
   const maxTurnTimeoutMs = resolveMaxTurnTimeoutMs(functionMaxDurationSeconds);
@@ -337,7 +372,8 @@ function readBotConfig(env) {
     turnTimeoutMs: parseAgentTurnTimeoutMs(
       env.AGENT_TURN_TIMEOUT_MS,
       maxTurnTimeoutMs
-    )
+    ),
+    advisor: readAdvisorConfig(env)
   };
 }
 function readChatConfig(env = process.env) {

package/dist/{chunk-EHXMTKBA.js → chunk-LAD5O3RX.js}

@@ -2,7 +2,7 @@ import {
   getPluginForSkillPath,
   getPluginSkillRoots,
   logWarn
-} from "./chunk-XARRBRQV.js";
+} from "./chunk-QZRPUFO6.js";
 import {
   skillRoots
 } from "./chunk-XPXD3FCE.js";

package/dist/{chunk-XARRBRQV.js → chunk-QZRPUFO6.js}

@@ -971,6 +971,9 @@ function setLogContext(context) {
   );
   contextStorage.enterWith(merged);
 }
+function getLogContextAttributes() {
+  return contextStorage.getStore() ?? {};
+}
 function createLogContextFromRequest(request, context = {}) {
   const url = new URL(request.url);
   return {
@@ -1052,20 +1055,20 @@ async function withSpan(name, op, context, callback, attributes = {}) {
       normalizedAttributes[key] = normalizedValue;
     }
   }
-  return withLogContext(
-    context,
-    () => sentry_exports.startSpan(
+  return withLogContext(context, () => {
+    const inheritedAttributes = getLogContextAttributes();
+    return sentry_exports.startSpan(
       {
         name,
         op,
         attributes: {
-          ...toSpanAttributes(context),
+          ...inheritedAttributes,
           ...normalizedAttributes
         }
       },
       callback
-    )
-  );
+    );
+  });
 }
 function setSpanAttributes(attributes) {
   const sentry = sentry_exports;
@@ -1246,6 +1249,7 @@ var SHORT_CONFIG_KEY_RE = /^[a-z0-9]+(\.[a-z0-9-]+)*$/;
 var TARGET_FLAG_RE = /^-{1,2}[A-Za-z0-9][A-Za-z0-9-]*$/;
 var AUTH_TOKEN_ENV_RE = /^[A-Z][A-Z0-9_]*$/;
 var ENV_VAR_NAME_RE = /^[A-Z_][A-Z0-9_]*$/;
+var ENV_PLACEHOLDER_RE = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
 var API_DOMAIN_RE = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;
 var RUNTIME_POSTINSTALL_CMD_RE = /^[A-Za-z0-9._/-]+$/;
 var RESERVED_AUTHORIZE_PARAM_KEYS = /* @__PURE__ */ new Set([
@@ -1340,7 +1344,7 @@ var stringMapSchema = z.record(z.string(), z.unknown()).transform((record, ctx)
     seen.add(normalizedKey);
     result[key] = rawValue.trim();
   }
-  return Object.keys(result).length > 0 ? result : void 0;
+  return result;
 });
 var apiDomainsSchema = z.array(z.unknown()).min(1, {
   error: "must be a non-empty array of strings"
@@ -1433,6 +1437,8 @@ var manifestSourceSchema = z.object({
   "config-keys": z.array(z.string(), {
     error: "must be an array when provided"
   }).optional(),
+  "api-domains": apiDomainsSchema.optional(),
+  "api-headers": stringMapSchema.optional(),
   credentials: z.record(z.string(), z.unknown(), {
     error: "must be an object when provided"
   }).optional(),
@@ -1470,7 +1476,11 @@ function normalizeStringMap(value, prefix, options = {}) {
   if (!value) {
     return void 0;
   }
-  for (const key of Object.keys(value)) {
+  const keys = Object.keys(value);
+  if (keys.length === 0) {
+    return void 0;
+  }
+  for (const key of keys) {
     const normalizedKey = key.toLowerCase();
     if (options.reservedKeys?.has(normalizedKey)) {
       throw new Error(`${prefix}.${key} is reserved by the runtime`);
@@ -1481,6 +1491,31 @@ function normalizeStringMap(value, prefix, options = {}) {
   }
   return value;
 }
+function assertDeclaredEnvReferences(value, envVars, context) {
+  for (const match of value.matchAll(ENV_PLACEHOLDER_RE)) {
+    const name = match[1];
+    if (!Object.prototype.hasOwnProperty.call(envVars, name)) {
+      throw new Error(
+        `${context} references env var ${name} which is not declared in env-vars`
+      );
+    }
+    if (envVars[name]?.default !== void 0) {
+      throw new Error(
+        `${context} references env var ${name}, but API header env vars must not declare defaults`
+      );
+    }
+  }
+}
+function normalizeRequiredApiHeaders(value, prefix, envVars) {
+  const apiHeaders = normalizeStringMap(value, prefix);
+  if (!apiHeaders) {
+    throw new Error(`${prefix} must contain at least one header`);
+  }
+  for (const [key, headerValue] of Object.entries(apiHeaders)) {
+    assertDeclaredEnvReferences(headerValue, envVars, `${prefix}.${key}`);
+  }
+  return apiHeaders;
+}
 function normalizeCredentials(data, name) {
   const schema = data.type === "oauth-bearer" ? oauthBearerCredentialsSchema : data.type === "github-app" ? githubAppCredentialsSchema : void 0;
   if (!schema) {
@@ -1493,30 +1528,28 @@ function normalizeCredentials(data, name) {
     throw new Error(issueMessage(result.error, `Plugin ${name} credentials`));
   }
   if (result.data.type === "oauth-bearer") {
+    const apiHeaders2 = result.data["api-headers"] ? normalizeStringMap(
+      result.data["api-headers"],
+      `Plugin ${name} credentials.api-headers`,
+      { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
+    ) : void 0;
     return {
       type: "oauth-bearer",
       apiDomains: result.data["api-domains"],
-      ...result.data["api-headers"] ? {
-        apiHeaders: normalizeStringMap(
-          result.data["api-headers"],
-          `Plugin ${name} credentials.api-headers`,
-          { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
-        )
-      } : {},
+      ...apiHeaders2 ? { apiHeaders: apiHeaders2 } : {},
       authTokenEnv: result.data["auth-token-env"],
       ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {}
     };
   }
+  const apiHeaders = result.data["api-headers"] ? normalizeStringMap(
+    result.data["api-headers"],
+    `Plugin ${name} credentials.api-headers`,
+    { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
+  ) : void 0;
   return {
     type: "github-app",
     apiDomains: result.data["api-domains"],
-    ...result.data["api-headers"] ? {
-      apiHeaders: normalizeStringMap(
-        result.data["api-headers"],
-        `Plugin ${name} credentials.api-headers`,
-        { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
-      )
-    } : {},
+    ...apiHeaders ? { apiHeaders } : {},
     authTokenEnv: result.data["auth-token-env"],
     ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {},
     appIdEnv: result.data["app-id-env"],
@@ -1650,7 +1683,6 @@ function normalizeRuntimePostinstall(commands, name) {
   }
   return parsed.length > 0 ? parsed : void 0;
 }
-var ENV_PLACEHOLDER_RE = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
 var envVarDeclarationSchema = z.preprocess(
   (value) => value === null || value === void 0 ? {} : value,
   z.object({
@@ -1714,16 +1746,13 @@ function normalizeMcp(data, envVars, name) {
   if (!result.success) {
     throw new Error(issueMessage(result.error, `Plugin ${name} mcp`));
   }
+  const headers = result.data.headers ? normalizeStringMap(result.data.headers, `Plugin ${name} mcp.headers`, {
+    forbiddenKeys: FORBIDDEN_API_HEADER_NAMES
+  }) : void 0;
   return {
     transport: "http",
     url: result.data.url,
-    ...result.data.headers ? {
-      headers: normalizeStringMap(
-        result.data.headers,
-        `Plugin ${name} mcp.headers`,
-        { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
-      )
-    } : {},
+    ...headers ? { headers } : {},
     ...result.data["allowed-tools"] ? { allowedTools: result.data["allowed-tools"] } : {}
   };
 }
@@ -1761,6 +1790,16 @@ function parsePluginManifest(raw, dir) {
         `Plugin ${parsedYaml.name ?? "unknown"} config-keys must be an array when provided`
       );
     }
+    if (path3 === "api-domains") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} api-domains must be a non-empty array of domains`
+      );
+    }
+    if (path3 === "api-headers") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} api-headers must be an object when provided`
+      );
+    }
     if (path3 === "credentials") {
       throw new Error(
         `Plugin ${parsedYaml.name ?? "unknown"} credentials must be an object when provided`
@@ -1813,16 +1852,29 @@ function parsePluginManifest(raw, dir) {
     }
     return `${data.name}.${key}`;
   });
+  const envVars = data["env-vars"] ? normalizeEnvVars(data["env-vars"], data.name) : {};
+  const apiHeaders = data["api-headers"] ? normalizeRequiredApiHeaders(
+    data["api-headers"],
+    `Plugin ${data.name} api-headers`,
+    envVars
+  ) : void 0;
+  if (apiHeaders && !data["api-domains"]) {
+    throw new Error(`Plugin ${data.name} api-headers requires api-domains`);
+  }
+  if (data["api-domains"] && !apiHeaders) {
+    throw new Error(`Plugin ${data.name} api-domains requires api-headers`);
+  }
   const credentials = data.credentials ? normalizeCredentials(data.credentials, data.name) : void 0;
   const runtimeDependencies = data["runtime-dependencies"] ? normalizeRuntimeDependencies(data["runtime-dependencies"], data.name) : void 0;
   const runtimePostinstall = data["runtime-postinstall"] ? normalizeRuntimePostinstall(data["runtime-postinstall"], data.name) : void 0;
-  const envVars = data["env-vars"] ? normalizeEnvVars(data["env-vars"], data.name) : {};
   const mcp = data.mcp ? normalizeMcp(data.mcp, envVars, data.name) : void 0;
   const manifest = {
     name: data.name,
     description: data.description,
     capabilities,
     configKeys,
+    ...data["api-domains"] ? { apiDomains: data["api-domains"] } : {},
+    ...apiHeaders ? { apiHeaders } : {},
     ...Object.keys(envVars).length > 0 ? { envVars } : {},
     ...credentials ? { credentials } : {},
     ...runtimeDependencies ? { runtimeDependencies } : {},
@@ -1903,7 +1955,76 @@ import { readFileSync, readdirSync, statSync } from "fs";
 import path2 from "path";
 
 // src/chat/plugins/auth/github-app-broker.ts
-import { createPrivateKey, createSign, randomUUID } from "crypto";
+import { createPrivateKey, createSign, randomUUID as randomUUID2 } from "crypto";
+
+// src/chat/credentials/header-transforms.ts
+function mergeHeaderTransforms(transforms) {
+  const byDomain = /* @__PURE__ */ new Map();
+  for (const transform of transforms) {
+    byDomain.set(transform.domain, {
+      ...byDomain.get(transform.domain) ?? {},
+      ...transform.headers
+    });
+  }
+  return [...byDomain.entries()].map(([domain, headers]) => ({
+    domain,
+    headers
+  }));
+}
+
+// src/chat/plugins/auth/api-headers-broker.ts
+import { randomUUID } from "crypto";
+var MAX_LEASE_MS = 60 * 60 * 1e3;
+var ENV_PLACEHOLDER_RE2 = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
+function resolveHeaders(provider, headers) {
+  return Object.fromEntries(
+    Object.entries(headers).map(([key, value]) => {
+      const resolved = value.replace(ENV_PLACEHOLDER_RE2, (_match, name) => {
+        const envName = name;
+        const envValue = process.env[envName]?.trim();
+        if (!envValue) {
+          throw new Error(
+            `Missing ${envName} for API header provider "${provider}"`
+          );
+        }
+        return envValue;
+      });
+      return [key, resolved];
+    })
+  );
+}
+function resolveApiHeaderTransforms(manifest) {
+  const { apiDomains, apiHeaders } = manifest;
+  if (!apiDomains || !apiHeaders) {
+    return [];
+  }
+  const resolvedHeaders = resolveHeaders(manifest.name, apiHeaders);
+  return apiDomains.map((domain) => ({
+    domain,
+    headers: resolvedHeaders
+  }));
+}
+function createApiHeadersBroker(manifest) {
+  const provider = manifest.name;
+  return {
+    async issue(input) {
+      const headerTransforms = resolveApiHeaderTransforms(manifest);
+      if (headerTransforms.length === 0) {
+        throw new Error(`No API headers configured for plugin "${provider}"`);
+      }
+      return {
+        id: randomUUID(),
+        provider,
+        env: {},
+        headerTransforms,
+        expiresAt: new Date(Date.now() + MAX_LEASE_MS).toISOString(),
+        metadata: {
+          reason: input.reason
+        }
+      };
+    }
+  };
+}
 
 // src/chat/plugins/auth/auth-token-placeholder.ts
 var DEFAULT_PLACEHOLDERS = {
@@ -1915,7 +2036,7 @@ function resolveAuthTokenPlaceholder(credentials) {
 }
 
 // src/chat/plugins/auth/github-app-broker.ts
-var MAX_LEASE_MS = 60 * 60 * 1e3;
+var MAX_LEASE_MS2 = 60 * 60 * 1e3;
 function base64Url(input) {
   return Buffer.from(input).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
@@ -2060,6 +2181,7 @@ function createGitHubAppBroker(manifest, credentials) {
   } = credentials;
   const apiBase = `https://${apiDomains[0]}`;
   const placeholder = resolveAuthTokenPlaceholder(credentials);
+  const pluginHeaderTransforms = () => resolveApiHeaderTransforms(manifest);
   const GIT_DOMAIN = "github.com";
   const GIT_CAPABILITIES = /* @__PURE__ */ new Set([
     `${provider}.contents.read`,
@@ -2097,16 +2219,19 @@ function createGitHubAppBroker(manifest, credentials) {
       const now = Date.now();
       if (cached && cached.expiresAt - now > 2 * 60 * 1e3) {
         return {
-          id: randomUUID(),
+          id: randomUUID2(),
           provider,
           env: { [authTokenEnv]: placeholder },
-          headerTransforms: leaseDomains.map((domain) => ({
-            domain,
-            headers: {
-              ...apiHeaders ?? {},
-              Authorization: authorizationFor(domain, cached.token)
-            }
-          })),
+          headerTransforms: mergeHeaderTransforms([
+            ...pluginHeaderTransforms(),
+            ...leaseDomains.map((domain) => ({
+              domain,
+              headers: {
+                ...apiHeaders ?? {},
+                Authorization: authorizationFor(domain, cached.token)
+              }
+            }))
+          ]),
           expiresAt: new Date(cached.expiresAt).toISOString(),
           metadata: {
             installationId: String(cached.installationId),
@@ -2130,7 +2255,7 @@ function createGitHubAppBroker(manifest, credentials) {
       const providerExpiresAtMs = Date.parse(accessTokenResponse.expires_at);
       const expiresAtMs = Math.min(
         providerExpiresAtMs,
-        Date.now() + MAX_LEASE_MS
+        Date.now() + MAX_LEASE_MS2
       );
       tokenCache.set(cacheKey, {
         installationId,
@@ -2138,16 +2263,22 @@ function createGitHubAppBroker(manifest, credentials) {
         expiresAt: expiresAtMs
       });
       return {
-        id: randomUUID(),
+        id: randomUUID2(),
         provider,
         env: { [authTokenEnv]: placeholder },
-        headerTransforms: leaseDomains.map((domain) => ({
-          domain,
-          headers: {
-            ...apiHeaders ?? {},
-            Authorization: authorizationFor(domain, accessTokenResponse.token)
-          }
-        })),
+        headerTransforms: mergeHeaderTransforms([
+          ...pluginHeaderTransforms(),
+          ...leaseDomains.map((domain) => ({
+            domain,
+            headers: {
+              ...apiHeaders ?? {},
+              Authorization: authorizationFor(
+                domain,
+                accessTokenResponse.token
+              )
+            }
+          }))
+        ]),
         expiresAt: new Date(expiresAtMs).toISOString(),
         metadata: {
           installationId: String(installationId),
@@ -2159,7 +2290,7 @@ function createGitHubAppBroker(manifest, credentials) {
 }
 
 // src/chat/plugins/auth/oauth-bearer-broker.ts
-import { randomUUID as randomUUID2 } from "crypto";
+import { randomUUID as randomUUID3 } from "crypto";
 
 // src/chat/credentials/broker.ts
 var CredentialUnavailableError = class extends Error {
@@ -2270,7 +2401,7 @@ function parseOAuthTokenResponse(data, fallbackScope) {
 }
 
 // src/chat/plugins/auth/oauth-bearer-broker.ts
-var MAX_LEASE_MS2 = 60 * 60 * 1e3;
+var MAX_LEASE_MS3 = 60 * 60 * 1e3;
 var REFRESH_BUFFER_MS = 5 * 60 * 1e3;
 async function refreshAccessToken(refreshToken, oauth, fallbackScope) {
   const clientId = process.env[oauth.clientIdEnv]?.trim();
@@ -2302,21 +2433,25 @@ async function refreshAccessToken(refreshToken, oauth, fallbackScope) {
   return parseOAuthTokenResponse(data, fallbackScope);
 }
 function getLeaseExpiry(expiresAt) {
-  return expiresAt ? Math.min(expiresAt, Date.now() + MAX_LEASE_MS2) : Date.now() + MAX_LEASE_MS2;
+  return expiresAt ? Math.min(expiresAt, Date.now() + MAX_LEASE_MS3) : Date.now() + MAX_LEASE_MS3;
 }
 function createOAuthBearerBroker(manifest, credentials, deps) {
   const provider = manifest.name;
   const { apiDomains, apiHeaders, authTokenEnv } = credentials;
   const authTokenPlaceholder = resolveAuthTokenPlaceholder(credentials);
+  const pluginHeaderTransforms = () => resolveApiHeaderTransforms(manifest);
   function buildLease(token, expiresAtMs, reason) {
     return {
-      id: randomUUID2(),
+      id: randomUUID3(),
       provider,
       env: { [authTokenEnv]: authTokenPlaceholder },
-      headerTransforms: apiDomains.map((domain) => ({
-        domain,
-        headers: { ...apiHeaders ?? {}, Authorization: `Bearer ${token}` }
-      })),
+      headerTransforms: mergeHeaderTransforms([
+        ...pluginHeaderTransforms(),
+        ...apiDomains.map((domain) => ({
+          domain,
+          headers: { ...apiHeaders ?? {}, Authorization: `Bearer ${token}` }
+        }))
+      ]),
       expiresAt: new Date(expiresAtMs).toISOString(),
       metadata: { reason }
     };
@@ -2327,7 +2462,7 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
       const oauth = manifest.oauth;
       if (!oauth) {
         if (envToken) {
-          return buildLease(envToken, Date.now() + MAX_LEASE_MS2, input.reason);
+          return buildLease(envToken, Date.now() + MAX_LEASE_MS3, input.reason);
         }
         throw new CredentialUnavailableError(
           provider,
@@ -2734,11 +2869,15 @@ function createPluginBroker(provider, deps) {
     throw new Error(`Unknown plugin provider: "${provider}"`);
   }
   const { credentials, name } = plugin.manifest;
-  if (!credentials) {
-    throw new Error(`Provider "${name}" has no credentials configured`);
+  if (!credentials && !plugin.manifest.apiHeaders) {
+    throw new Error(
+      `Provider "${name}" has no credentials or API headers configured`
+    );
   }
   let broker;
-  if (credentials.type === "oauth-bearer") {
+  if (!credentials) {
+    broker = createApiHeadersBroker(plugin.manifest);
+  } else if (credentials.type === "oauth-bearer") {
     broker = createOAuthBearerBroker(plugin.manifest, credentials, deps);
   } else if (credentials.type === "github-app") {
     broker = createGitHubAppBroker(plugin.manifest, credentials);
@@ -2773,6 +2912,7 @@ export {
   serializeGenAiAttribute,
   extractGenAiUsageSummary,
   extractGenAiUsageAttributes,
+  mergeHeaderTransforms,
   resolveAuthTokenPlaceholder,
   parsePluginManifest,
   CredentialUnavailableError,

package/dist/cli/check.js

@@ -1,9 +1,9 @@
 import {
   parseSkillFile
-} from "../chunk-EHXMTKBA.js";
+} from "../chunk-LAD5O3RX.js";
 import {
   parsePluginManifest
-} from "../chunk-XARRBRQV.js";
+} from "../chunk-QZRPUFO6.js";
 import "../chunk-Z3YD6NHK.js";
 import "../chunk-XPXD3FCE.js";
 import "../chunk-2KG3PWR4.js";