@sentry/junior 0.4.1 → 0.6.0

package/dist/{chunk-OZFXD5IG.js → chunk-5UJSQX4R.js}

@@ -1,3 +1,7 @@
+import {
+  discoverInstalledPluginPackageContent,
+  discoverProjectRoots
+} from "./chunk-Z5E25LRN.js";
 import {
   logInfo,
   logWarn,
@@ -5,608 +9,231 @@ import {
   withSpan
 } from "./chunk-PY4AI2GZ.js";
 import {
-  discoverInstalledPluginPackageContent,
-  discoverProjectRoots
-} from "./chunk-Z5E25LRN.js";
+  parsePluginManifest
+} from "./chunk-VW26MOSO.js";
 
-// src/chat/config.ts
-var MIN_AGENT_TURN_TIMEOUT_MS = 10 * 1e3;
-var DEFAULT_AGENT_TURN_TIMEOUT_MS = 12 * 60 * 1e3;
-var DEFAULT_QUEUE_CALLBACK_MAX_DURATION_SECONDS = 800;
-var TURN_TIMEOUT_BUFFER_SECONDS = 20;
-function parseAgentTurnTimeoutMs(rawValue, maxTimeoutMs) {
-  const value = Number.parseInt(rawValue ?? "", 10);
-  if (Number.isNaN(value)) {
-    return Math.max(MIN_AGENT_TURN_TIMEOUT_MS, Math.min(DEFAULT_AGENT_TURN_TIMEOUT_MS, maxTimeoutMs));
+// src/chat/plugins/registry.ts
+import { readFileSync, readdirSync, statSync } from "fs";
+import path2 from "path";
+
+// src/chat/home.ts
+import fs from "fs";
+import path from "path";
+function homeDir() {
+  return resolveHomeDir();
+}
+function unique(values) {
+  return [...new Set(values)];
+}
+function pathExists(targetPath) {
+  try {
+    fs.accessSync(targetPath);
+    return true;
+  } catch {
+    return false;
   }
-  return Math.max(MIN_AGENT_TURN_TIMEOUT_MS, Math.min(value, maxTimeoutMs));
 }
-function resolveQueueCallbackMaxDurationSeconds() {
-  const value = Number.parseInt(process.env.QUEUE_CALLBACK_MAX_DURATION_SECONDS ?? "", 10);
-  if (Number.isNaN(value) || value <= 0) {
-    return DEFAULT_QUEUE_CALLBACK_MAX_DURATION_SECONDS;
+function hasAnyDataMarkers(appDir) {
+  return pathExists(path.join(appDir, "SOUL.md")) || pathExists(path.join(appDir, "ABOUT.md"));
+}
+function scoreAppCandidate(appDir) {
+  let score = 0;
+  if (pathExists(path.join(appDir, "SOUL.md"))) {
+    score += 4;
   }
-  return value;
+  if (pathExists(path.join(appDir, "ABOUT.md"))) {
+    score += 2;
+  }
+  if (pathExists(path.join(appDir, "skills"))) {
+    score += 1;
+  }
+  if (pathExists(path.join(appDir, "plugins"))) {
+    score += 1;
+  }
+  return score;
 }
-function resolveMaxTurnTimeoutMs(queueCallbackMaxDurationSeconds) {
-  const budgetSeconds = queueCallbackMaxDurationSeconds - TURN_TIMEOUT_BUFFER_SECONDS;
-  return Math.max(MIN_AGENT_TURN_TIMEOUT_MS, budgetSeconds * 1e3);
+function resolveCandidateAppDirs(cwd, projectRoots) {
+  const roots = projectRoots ?? discoverProjectRoots(cwd);
+  const resolved = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const root of roots) {
+    const appDir = path.resolve(root, "app");
+    if (!pathExists(appDir)) {
+      continue;
+    }
+    if (seen.has(appDir)) {
+      continue;
+    }
+    seen.add(appDir);
+    resolved.push(appDir);
+  }
+  return resolved;
 }
-function buildBotConfig() {
-  const queueCallbackMaxDurationSeconds = resolveQueueCallbackMaxDurationSeconds();
-  const maxTurnTimeoutMs = resolveMaxTurnTimeoutMs(queueCallbackMaxDurationSeconds);
-  return {
-    userName: process.env.JUNIOR_BOT_NAME ?? "junior",
-    modelId: process.env.AI_MODEL ?? "anthropic/claude-sonnet-4.6",
-    fastModelId: process.env.AI_FAST_MODEL ?? process.env.AI_MODEL ?? "anthropic/claude-haiku-4.5",
-    turnTimeoutMs: parseAgentTurnTimeoutMs(process.env.AGENT_TURN_TIMEOUT_MS, maxTurnTimeoutMs)
-  };
+function resolveHomeDir(cwd = process.cwd(), options) {
+  const resolvedCwd = path.resolve(cwd);
+  const directApp = path.resolve(resolvedCwd, "app");
+  if (pathExists(directApp) && hasAnyDataMarkers(directApp)) {
+    return directApp;
+  }
+  const candidates = resolveCandidateAppDirs(
+    resolvedCwd,
+    options?.projectRoots
+  );
+  if (candidates.length === 0) {
+    return directApp;
+  }
+  candidates.sort((left, right) => {
+    const leftScore = scoreAppCandidate(left);
+    const rightScore = scoreAppCandidate(right);
+    if (leftScore !== rightScore) {
+      return rightScore - leftScore;
+    }
+    const leftDistance = path.relative(resolvedCwd, left).split(path.sep).length;
+    const rightDistance = path.relative(resolvedCwd, right).split(path.sep).length;
+    if (leftDistance !== rightDistance) {
+      return leftDistance - rightDistance;
+    }
+    return left.localeCompare(right);
+  });
+  return candidates[0];
 }
-var botConfig = buildBotConfig();
-function toOptionalTrimmed(value) {
-  if (!value) {
-    return void 0;
+function resolveContentRoots(subdir) {
+  if (subdir === "data") {
+    return [homeDir()];
   }
-  const trimmed = value.trim();
-  return trimmed.length > 0 ? trimmed : void 0;
+  return [path.join(homeDir(), subdir)];
 }
-function getSlackBotToken() {
-  return toOptionalTrimmed(process.env.SLACK_BOT_TOKEN) ?? toOptionalTrimmed(process.env.SLACK_BOT_USER_TOKEN);
+function dataRoots() {
+  return unique(resolveContentRoots("data"));
 }
-function getSlackSigningSecret() {
-  return toOptionalTrimmed(process.env.SLACK_SIGNING_SECRET);
+function skillRoots() {
+  return unique(resolveContentRoots("skills"));
 }
-function getSlackClientId() {
-  return toOptionalTrimmed(process.env.SLACK_CLIENT_ID);
+function pluginRoots() {
+  return unique(resolveContentRoots("plugins"));
 }
-function getSlackClientSecret() {
-  return toOptionalTrimmed(process.env.SLACK_CLIENT_SECRET);
+function soulPathCandidates() {
+  const candidates = dataRoots().map((root) => path.join(root, "SOUL.md"));
+  return unique(candidates);
 }
-function hasRedisConfig() {
-  return Boolean(process.env.REDIS_URL);
+function aboutPathCandidates() {
+  const candidates = dataRoots().map((root) => path.join(root, "ABOUT.md"));
+  return unique(candidates);
 }
 
-// src/chat/state.ts
-import { createRedisState } from "@chat-adapter/state-redis";
-import { createMemoryState } from "@chat-adapter/state-memory";
-var MIN_LOCK_TTL_MS = 1e3 * 60 * 5;
-var QUEUE_INGRESS_DEDUP_PREFIX = "junior:queue_ingress";
-var QUEUE_MESSAGE_PROCESSING_PREFIX = "junior:queue_message";
-var AGENT_TURN_SESSION_PREFIX = "junior:agent_turn_session";
-var QUEUE_MESSAGE_PROCESSING_TTL_MS = 30 * 60 * 1e3;
-var QUEUE_MESSAGE_COMPLETED_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
-var QUEUE_MESSAGE_FAILED_TTL_MS = 6 * 60 * 60 * 1e3;
-var AGENT_TURN_SESSION_TTL_MS = 24 * 60 * 60 * 1e3;
-var CLAIM_OR_RECLAIM_PROCESSING_SCRIPT = `
-  local key = KEYS[1]
-  local nowMs = tonumber(ARGV[1])
-  local ttlMs = tonumber(ARGV[2])
-  local payload = ARGV[3]
-  local current = redis.call("get", key)
-
-  if not current then
-    redis.call("set", key, payload, "PX", ttlMs)
-    return 1
-  end
-
-  local ok, parsed = pcall(cjson.decode, current)
-  if not ok or type(parsed) ~= "table" then
-    return 0
-  end
-
-  local status = parsed["status"]
-  if status == "failed" then
-    redis.call("set", key, payload, "PX", ttlMs)
-    return 3
-  end
-  if status ~= "processing" then
-    return 0
-  end
-
-  local updatedAtMs = tonumber(parsed["updatedAtMs"])
-  if not updatedAtMs then
-    return 0
-  end
-
-  if updatedAtMs + ttlMs < nowMs then
-    redis.call("set", key, payload, "PX", ttlMs)
-    return 2
-  end
-
-  return 0
-`;
-var UPDATE_PROCESSING_STATE_IF_OWNER_SCRIPT = `
-  local key = KEYS[1]
-  local ownerToken = ARGV[1]
-  local ttlMs = tonumber(ARGV[2])
-  local payload = ARGV[3]
-  local current = redis.call("get", key)
-
-  if not current then
-    return 0
-  end
-
-  local ok, parsed = pcall(cjson.decode, current)
-  if not ok or type(parsed) ~= "table" then
-    return 0
-  end
-
-  local currentOwner = parsed["ownerToken"]
-  local status = parsed["status"]
-  if currentOwner ~= ownerToken then
-    return 0
-  end
-  if status ~= "processing" then
-    return 0
-  end
+// src/chat/plugins/github-app-broker.ts
+import { createPrivateKey, createSign, randomUUID } from "crypto";
 
-  redis.call("set", key, payload, "PX", ttlMs)
-  return 1
-`;
-function createQueuedStateAdapter(base) {
-  const acquireLock = async (threadId, ttlMs) => {
-    const effectiveTtlMs = Math.max(ttlMs, MIN_LOCK_TTL_MS);
-    const lock = await base.acquireLock(threadId, effectiveTtlMs);
-    return lock;
-  };
-  return {
-    connect: () => base.connect(),
-    disconnect: () => base.disconnect(),
-    subscribe: (threadId) => base.subscribe(threadId),
-    unsubscribe: (threadId) => base.unsubscribe(threadId),
-    isSubscribed: (threadId) => base.isSubscribed(threadId),
-    acquireLock,
-    releaseLock: (lock) => base.releaseLock(lock),
-    extendLock: (lock, ttlMs) => base.extendLock(lock, Math.max(ttlMs, MIN_LOCK_TTL_MS)),
-    get: (key) => base.get(key),
-    set: (key, value, ttlMs) => base.set(key, value, ttlMs),
-    setIfNotExists: (key, value, ttlMs) => base.setIfNotExists(key, value, ttlMs),
-    delete: (key) => base.delete(key)
-  };
+// src/chat/plugins/auth-token-placeholder.ts
+var DEFAULT_PLACEHOLDERS = {
+  "oauth-bearer": "host_managed_credential",
+  "github-app": "ghp_host_managed_credential"
+};
+function resolveAuthTokenPlaceholder(credentials) {
+  return credentials.authTokenPlaceholder?.trim() || DEFAULT_PLACEHOLDERS[credentials.type];
 }
-function createStateAdapter() {
-  if (process.env.JUNIOR_STATE_ADAPTER?.trim().toLowerCase() === "memory") {
-    _redisStateAdapter = void 0;
-    return createQueuedStateAdapter(createMemoryState());
+
+// src/chat/plugins/github-app-broker.ts
+var MAX_LEASE_MS = 60 * 60 * 1e3;
+function normalizeTargetScope(target) {
+  const owner = target?.owner?.trim().toLowerCase();
+  const repo = target?.repo?.trim().toLowerCase();
+  if (!owner || !repo) {
+    return "all";
   }
-  if (!hasRedisConfig()) {
-    throw new Error("REDIS_URL is required for durable Slack thread state");
-  }
-  const redisState = createRedisState({
-    url: process.env.REDIS_URL
-  });
-  _redisStateAdapter = redisState;
-  return createQueuedStateAdapter(redisState);
-}
-var _stateAdapter;
-var _redisStateAdapter;
-function getRedisStateAdapter() {
-  if (!_redisStateAdapter) {
-    getStateAdapter();
-  }
-  if (!_redisStateAdapter) {
-    throw new Error("Redis state adapter is unavailable for this runtime");
-  }
-  return _redisStateAdapter;
+  return `${owner}/${repo}`;
 }
-function queueMessageKey(rawKey) {
-  return `${QUEUE_MESSAGE_PROCESSING_PREFIX}:${rawKey}`;
+function base64Url(input) {
+  return Buffer.from(input).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
 }
-function parseQueueMessageState(value) {
-  if (typeof value !== "string") {
-    return void 0;
+function normalizePrivateKey(raw) {
+  let normalized = raw.trim();
+  if (normalized.startsWith('"') && normalized.endsWith('"') || normalized.startsWith("'") && normalized.endsWith("'")) {
+    normalized = normalized.slice(1, -1);
   }
-  try {
-    const parsed = JSON.parse(value);
-    if (!parsed || parsed.status !== "processing" && parsed.status !== "completed" && parsed.status !== "failed" || typeof parsed.updatedAtMs !== "number") {
-      return void 0;
+  normalized = normalized.replace(/\r\n/g, "\n");
+  if (normalized.includes("\\n")) {
+    normalized = normalized.replace(/\\n/g, "\n");
+  }
+  if (!normalized.includes("-----BEGIN")) {
+    try {
+      const decoded = Buffer.from(normalized, "base64").toString("utf8").trim();
+      if (decoded.includes("-----BEGIN")) {
+        normalized = decoded;
+      }
+    } catch {
     }
-    return {
-      status: parsed.status,
-      updatedAtMs: parsed.updatedAtMs,
-      ...typeof parsed.ownerToken === "string" ? { ownerToken: parsed.ownerToken } : {},
-      ...typeof parsed.queueMessageId === "string" ? { queueMessageId: parsed.queueMessageId } : {},
-      ...typeof parsed.errorMessage === "string" ? { errorMessage: parsed.errorMessage } : {}
-    };
-  } catch {
-    return void 0;
   }
+  return normalized;
 }
-function agentTurnSessionKey(conversationId, sessionId) {
-  return `${AGENT_TURN_SESSION_PREFIX}:${conversationId}:${sessionId}`;
-}
-function isRecord(value) {
-  return typeof value === "object" && value !== null;
-}
-function parseAgentTurnSessionCheckpoint(value) {
-  if (typeof value !== "string") {
-    return void 0;
+function getPrivateKey(envName) {
+  const raw = process.env[envName];
+  if (!raw) {
+    throw new Error(`Missing ${envName}`);
   }
+  const normalized = normalizePrivateKey(raw);
+  let key;
   try {
-    const parsed = JSON.parse(value);
-    if (!isRecord(parsed)) {
-      return void 0;
-    }
-    const status = parsed.state;
-    if (status !== "running" && status !== "awaiting_resume" && status !== "completed" && status !== "failed") {
-      return void 0;
-    }
-    const conversationId = parsed.conversationId;
-    const sessionId = parsed.sessionId;
-    const sliceId = parsed.sliceId;
-    const checkpointVersion = parsed.checkpointVersion;
-    const updatedAtMs = parsed.updatedAtMs;
-    if (typeof conversationId !== "string" || typeof sessionId !== "string" || typeof sliceId !== "number" || typeof checkpointVersion !== "number" || typeof updatedAtMs !== "number") {
-      return void 0;
-    }
-    return {
-      checkpointVersion,
-      conversationId,
-      sessionId,
-      sliceId,
-      state: status,
-      updatedAtMs,
-      piMessages: Array.isArray(parsed.piMessages) ? parsed.piMessages : [],
-      ...typeof parsed.errorMessage === "string" ? { errorMessage: parsed.errorMessage } : {},
-      ...typeof parsed.resumedFromSliceId === "number" ? { resumedFromSliceId: parsed.resumedFromSliceId } : {}
-    };
+    key = createPrivateKey({ key: normalized, format: "pem" });
   } catch {
-    return void 0;
-  }
-}
-function getStateAdapter() {
-  if (!_stateAdapter) {
-    _stateAdapter = createStateAdapter();
-  }
-  return _stateAdapter;
-}
-async function disconnectStateAdapter() {
-  if (!_stateAdapter) {
-    return;
+    throw new Error(
+      `Invalid ${envName}: expected a PEM-encoded RSA private key (raw PEM, escaped newlines, or base64-encoded PEM)`
+    );
   }
-  try {
-    await _stateAdapter.disconnect();
-  } finally {
-    _stateAdapter = void 0;
-    _redisStateAdapter = void 0;
+  if (key.asymmetricKeyType !== "rsa") {
+    throw new Error(
+      `Invalid ${envName}: GitHub App signing requires an RSA private key`
+    );
   }
+  return key;
 }
-async function claimQueueIngressDedup(rawKey, ttlMs) {
-  await getStateAdapter().connect();
-  const key = `${QUEUE_INGRESS_DEDUP_PREFIX}:${rawKey}`;
-  const result = await getRedisStateAdapter().getClient().set(key, "1", {
-    NX: true,
-    PX: ttlMs
-  });
-  return result === "OK";
-}
-async function hasQueueIngressDedup(rawKey) {
-  await getStateAdapter().connect();
-  const key = `${QUEUE_INGRESS_DEDUP_PREFIX}:${rawKey}`;
-  const value = await getRedisStateAdapter().getClient().get(key);
-  return typeof value === "string" && value.length > 0;
-}
-async function getQueueMessageProcessingState(rawKey) {
-  await getStateAdapter().connect();
-  const state = await getStateAdapter().get(queueMessageKey(rawKey));
-  return parseQueueMessageState(state);
+function createAppJwt(appId, privateKeyEnv) {
+  const now = Math.floor(Date.now() / 1e3);
+  const header = { alg: "RS256", typ: "JWT" };
+  const payload = { iat: now - 60, exp: now + 9 * 60, iss: appId };
+  const encodedHeader = base64Url(JSON.stringify(header));
+  const encodedPayload = base64Url(JSON.stringify(payload));
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  const signer = createSign("RSA-SHA256");
+  signer.update(signingInput);
+  signer.end();
+  const signature = signer.sign(getPrivateKey(privateKeyEnv)).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+  return `${signingInput}.${signature}`;
 }
-async function acquireQueueMessageProcessingOwnership(args) {
-  await getStateAdapter().connect();
-  const key = queueMessageKey(args.rawKey);
-  const nowMs = Date.now();
-  const payload = JSON.stringify({
-    status: "processing",
-    updatedAtMs: nowMs,
-    ownerToken: args.ownerToken,
-    ...args.queueMessageId ? { queueMessageId: args.queueMessageId } : {}
-  });
-  const result = await getRedisStateAdapter().getClient().eval(CLAIM_OR_RECLAIM_PROCESSING_SCRIPT, {
-    keys: [key],
-    arguments: [String(nowMs), String(QUEUE_MESSAGE_PROCESSING_TTL_MS), payload]
+async function githubRequest(apiBase, path3, params) {
+  const response = await fetch(`${apiBase}${path3}`, {
+    method: params.method ?? "GET",
+    headers: {
+      Accept: "application/vnd.github+json",
+      Authorization: `Bearer ${params.token}`,
+      "X-GitHub-Api-Version": "2022-11-28",
+      ...params.body ? { "Content-Type": "application/json" } : {}
+    },
+    ...params.body ? { body: JSON.stringify(params.body) } : {}
   });
-  if (result === 1) {
-    return "acquired";
-  }
-  if (result === 2) {
-    return "reclaimed";
+  const text = await response.text();
+  let parsed = void 0;
+  if (text) {
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+      parsed = void 0;
+    }
   }
-  if (result === 3) {
-    return "recovered";
+  if (!response.ok) {
+    const message = parsed && typeof parsed === "object" && "message" in parsed && typeof parsed.message === "string" ? parsed.message : `GitHub API error ${response.status}`;
+    throw new Error(message);
   }
-  return "blocked";
-}
-async function refreshQueueMessageProcessingOwnership(args) {
-  await getStateAdapter().connect();
-  const nowMs = Date.now();
-  const payload = JSON.stringify({
-    status: "processing",
-    updatedAtMs: nowMs,
-    ownerToken: args.ownerToken,
-    ...args.queueMessageId ? { queueMessageId: args.queueMessageId } : {}
-  });
-  const result = await getRedisStateAdapter().getClient().eval(UPDATE_PROCESSING_STATE_IF_OWNER_SCRIPT, {
-    keys: [queueMessageKey(args.rawKey)],
-    arguments: [args.ownerToken, String(QUEUE_MESSAGE_PROCESSING_TTL_MS), payload]
-  });
-  return result === 1;
-}
-async function completeQueueMessageProcessingOwnership(args) {
-  await getStateAdapter().connect();
-  const payload = JSON.stringify({
-    status: "completed",
-    updatedAtMs: Date.now(),
-    ownerToken: args.ownerToken,
-    ...args.queueMessageId ? { queueMessageId: args.queueMessageId } : {}
-  });
-  const result = await getRedisStateAdapter().getClient().eval(UPDATE_PROCESSING_STATE_IF_OWNER_SCRIPT, {
-    keys: [queueMessageKey(args.rawKey)],
-    arguments: [args.ownerToken, String(QUEUE_MESSAGE_COMPLETED_TTL_MS), payload]
-  });
-  return result === 1;
-}
-async function failQueueMessageProcessingOwnership(args) {
-  await getStateAdapter().connect();
-  const payload = JSON.stringify({
-    status: "failed",
-    updatedAtMs: Date.now(),
-    ownerToken: args.ownerToken,
-    errorMessage: args.errorMessage,
-    ...args.queueMessageId ? { queueMessageId: args.queueMessageId } : {}
-  });
-  const result = await getRedisStateAdapter().getClient().eval(UPDATE_PROCESSING_STATE_IF_OWNER_SCRIPT, {
-    keys: [queueMessageKey(args.rawKey)],
-    arguments: [args.ownerToken, String(QUEUE_MESSAGE_FAILED_TTL_MS), payload]
-  });
-  return result === 1;
+  return parsed;
 }
-async function getAgentTurnSessionCheckpoint(conversationId, sessionId) {
-  await getStateAdapter().connect();
-  const value = await getStateAdapter().get(agentTurnSessionKey(conversationId, sessionId));
-  return parseAgentTurnSessionCheckpoint(value);
-}
-async function upsertAgentTurnSessionCheckpoint(args) {
-  await getStateAdapter().connect();
-  const existing = await getAgentTurnSessionCheckpoint(args.conversationId, args.sessionId);
-  const checkpoint = {
-    checkpointVersion: (existing?.checkpointVersion ?? 0) + 1,
-    conversationId: args.conversationId,
-    sessionId: args.sessionId,
-    sliceId: args.sliceId,
-    state: args.state,
-    updatedAtMs: Date.now(),
-    piMessages: Array.isArray(args.piMessages) ? args.piMessages : [],
-    ...args.errorMessage ? { errorMessage: args.errorMessage } : {},
-    ...typeof args.resumedFromSliceId === "number" ? { resumedFromSliceId: args.resumedFromSliceId } : {}
-  };
-  const ttlMs = Math.max(1, args.ttlMs ?? AGENT_TURN_SESSION_TTL_MS);
-  await getStateAdapter().set(agentTurnSessionKey(args.conversationId, args.sessionId), JSON.stringify(checkpoint), ttlMs);
-  return checkpoint;
-}
-
-// src/chat/sandbox/runtime-dependency-snapshots.ts
-import { createHash } from "crypto";
-import { Sandbox } from "@vercel/sandbox";
-
-// src/chat/plugins/registry.ts
-import { readFileSync, readdirSync, statSync } from "fs";
-import path2 from "path";
-import { parse as parseYaml } from "yaml";
-
-// src/chat/home.ts
-import fs from "fs";
-import path from "path";
-function homeDir() {
-  return resolveHomeDir();
-}
-function unique(values) {
-  return [...new Set(values)];
-}
-function pathExists(targetPath) {
-  try {
-    fs.accessSync(targetPath);
-    return true;
-  } catch {
-    return false;
-  }
-}
-function hasAnyDataMarkers(appDir) {
-  return pathExists(path.join(appDir, "SOUL.md"));
-}
-function scoreAppCandidate(appDir) {
-  let score = 0;
-  if (pathExists(path.join(appDir, "SOUL.md"))) {
-    score += 4;
-  }
-  if (pathExists(path.join(appDir, "ABOUT.md"))) {
-    score += 2;
-  }
-  if (pathExists(path.join(appDir, "skills"))) {
-    score += 1;
-  }
-  if (pathExists(path.join(appDir, "plugins"))) {
-    score += 1;
-  }
-  return score;
-}
-function resolveCandidateAppDirs(cwd, projectRoots) {
-  const roots = projectRoots ?? discoverProjectRoots(cwd);
-  const resolved = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const root of roots) {
-    const appDir = path.resolve(root, "app");
-    if (!pathExists(appDir)) {
-      continue;
-    }
-    if (seen.has(appDir)) {
-      continue;
-    }
-    seen.add(appDir);
-    resolved.push(appDir);
-  }
-  return resolved;
-}
-function resolveHomeDir(cwd = process.cwd(), options) {
-  const resolvedCwd = path.resolve(cwd);
-  const directApp = path.resolve(resolvedCwd, "app");
-  if (pathExists(directApp) && hasAnyDataMarkers(directApp)) {
-    return directApp;
-  }
-  const candidates = resolveCandidateAppDirs(resolvedCwd, options?.projectRoots);
-  if (candidates.length === 0) {
-    return directApp;
-  }
-  candidates.sort((left, right) => {
-    const leftScore = scoreAppCandidate(left);
-    const rightScore = scoreAppCandidate(right);
-    if (leftScore !== rightScore) {
-      return rightScore - leftScore;
-    }
-    const leftDistance = path.relative(resolvedCwd, left).split(path.sep).length;
-    const rightDistance = path.relative(resolvedCwd, right).split(path.sep).length;
-    if (leftDistance !== rightDistance) {
-      return leftDistance - rightDistance;
-    }
-    return left.localeCompare(right);
-  });
-  return candidates[0];
-}
-function resolveContentRoots(subdir) {
-  if (subdir === "data") {
-    return [homeDir()];
-  }
-  if (subdir === "skills") {
-    return [path.join(homeDir(), "skills"), path.resolve(process.cwd(), "skills")];
-  }
-  return [path.join(homeDir(), "plugins")];
-}
-function dataRoots() {
-  return unique(resolveContentRoots("data"));
-}
-function skillRoots() {
-  return unique(resolveContentRoots("skills"));
-}
-function pluginRoots() {
-  return unique(resolveContentRoots("plugins"));
-}
-function soulPathCandidates() {
-  const candidates = dataRoots().map((root) => path.join(root, "SOUL.md"));
-  return unique(candidates);
-}
-
-// src/chat/plugins/github-app-broker.ts
-import { createPrivateKey, createSign, randomUUID } from "crypto";
-
-// src/chat/plugins/auth-token-placeholder.ts
-var DEFAULT_PLACEHOLDERS = {
-  "oauth-bearer": "host_managed_credential",
-  "github-app": "ghp_host_managed_credential"
-};
-function resolveAuthTokenPlaceholder(credentials) {
-  return credentials.authTokenPlaceholder?.trim() || DEFAULT_PLACEHOLDERS[credentials.type];
-}
-
-// src/chat/plugins/github-app-broker.ts
-var MAX_LEASE_MS = 60 * 60 * 1e3;
-function normalizeTargetScope(target) {
-  const owner = target?.owner?.trim().toLowerCase();
-  const repo = target?.repo?.trim().toLowerCase();
-  if (!owner || !repo) {
-    return "all";
-  }
-  return `${owner}/${repo}`;
-}
-function base64Url(input) {
-  return Buffer.from(input).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-function normalizePrivateKey(raw) {
-  let normalized = raw.trim();
-  if (normalized.startsWith('"') && normalized.endsWith('"') || normalized.startsWith("'") && normalized.endsWith("'")) {
-    normalized = normalized.slice(1, -1);
-  }
-  normalized = normalized.replace(/\r\n/g, "\n");
-  if (normalized.includes("\\n")) {
-    normalized = normalized.replace(/\\n/g, "\n");
-  }
-  if (!normalized.includes("-----BEGIN")) {
-    try {
-      const decoded = Buffer.from(normalized, "base64").toString("utf8").trim();
-      if (decoded.includes("-----BEGIN")) {
-        normalized = decoded;
-      }
-    } catch {
-    }
-  }
-  return normalized;
-}
-function getPrivateKey(envName) {
-  const raw = process.env[envName];
-  if (!raw) {
-    throw new Error(`Missing ${envName}`);
-  }
-  const normalized = normalizePrivateKey(raw);
-  let key;
-  try {
-    key = createPrivateKey({ key: normalized, format: "pem" });
-  } catch {
-    throw new Error(
-      `Invalid ${envName}: expected a PEM-encoded RSA private key (raw PEM, escaped newlines, or base64-encoded PEM)`
-    );
-  }
-  if (key.asymmetricKeyType !== "rsa") {
-    throw new Error(
-      `Invalid ${envName}: GitHub App signing requires an RSA private key`
-    );
-  }
-  return key;
-}
-function createAppJwt(appId, privateKeyEnv) {
-  const now = Math.floor(Date.now() / 1e3);
-  const header = { alg: "RS256", typ: "JWT" };
-  const payload = { iat: now - 60, exp: now + 9 * 60, iss: appId };
-  const encodedHeader = base64Url(JSON.stringify(header));
-  const encodedPayload = base64Url(JSON.stringify(payload));
-  const signingInput = `${encodedHeader}.${encodedPayload}`;
-  const signer = createSign("RSA-SHA256");
-  signer.update(signingInput);
-  signer.end();
-  const signature = signer.sign(getPrivateKey(privateKeyEnv)).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-  return `${signingInput}.${signature}`;
-}
-async function githubRequest(apiBase, path3, params) {
-  const response = await fetch(`${apiBase}${path3}`, {
-    method: params.method ?? "GET",
-    headers: {
-      Accept: "application/vnd.github+json",
-      Authorization: `Bearer ${params.token}`,
-      "X-GitHub-Api-Version": "2022-11-28",
-      ...params.body ? { "Content-Type": "application/json" } : {}
-    },
-    ...params.body ? { body: JSON.stringify(params.body) } : {}
-  });
-  const text = await response.text();
-  let parsed = void 0;
-  if (text) {
-    try {
-      parsed = JSON.parse(text);
-    } catch {
-      parsed = void 0;
-    }
-  }
-  if (!response.ok) {
-    const message = parsed && typeof parsed === "object" && "message" in parsed && typeof parsed.message === "string" ? parsed.message : `GitHub API error ${response.status}`;
-    throw new Error(message);
-  }
-  return parsed;
-}
-function capabilityToPermissions(capability, pluginName) {
-  if (capability === `${pluginName}.issues.read`) {
-    return { issues: "read" };
-  }
-  if (capability === `${pluginName}.issues.write` || capability === `${pluginName}.issues.comment` || capability === `${pluginName}.labels.write`) {
-    return { issues: "write" };
-  }
-  throw new Error(`Unsupported GitHub capability: ${capability}`);
+function capabilityToPermissions(capability, pluginName) {
+  if (capability === `${pluginName}.issues.read`) {
+    return { issues: "read" };
+  }
+  if (capability === `${pluginName}.issues.write` || capability === `${pluginName}.issues.comment` || capability === `${pluginName}.labels.write`) {
+    return { issues: "write" };
+  }
+  throw new Error(`Unsupported GitHub capability: ${capability}`);
 }
 function createGitHubAppBroker(manifest, credentials) {
   const tokenCache = /* @__PURE__ */ new Map();
@@ -935,494 +562,23 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
 }
 
 // src/chat/plugins/registry.ts
-var PLUGIN_NAME_RE = /^[a-z][a-z0-9-]*$/;
-var SHORT_CAPABILITY_RE = /^[a-z0-9]+(\.[a-z0-9-]+)*$/;
-var SHORT_CONFIG_KEY_RE = /^[a-z0-9]+(\.[a-z0-9-]+)*$/;
-var AUTH_TOKEN_ENV_RE = /^[A-Z][A-Z0-9_]*$/;
-var API_DOMAIN_RE = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;
-var RUNTIME_POSTINSTALL_CMD_RE = /^[A-Za-z0-9._/-]+$/;
-var RESERVED_AUTHORIZE_PARAM_KEYS = /* @__PURE__ */ new Set([
-  "client_id",
-  "scope",
-  "state",
-  "redirect_uri",
-  "response_type"
-]);
-var FORBIDDEN_API_HEADER_NAMES = /* @__PURE__ */ new Set(["authorization"]);
-var FORBIDDEN_TOKEN_HEADER_NAMES = /* @__PURE__ */ new Set(["authorization"]);
-function toRecord(value, errorMessage) {
-  if (!value || typeof value !== "object" || Array.isArray(value)) {
-    throw new Error(errorMessage);
+var pluginDefinitions = [];
+var capabilityToPlugin = /* @__PURE__ */ new Map();
+var pluginConfigKeys = /* @__PURE__ */ new Set();
+var pluginsByName = /* @__PURE__ */ new Map();
+var packageSkillRoots = /* @__PURE__ */ new Set();
+var pluginsLoaded = false;
+function registerPluginManifest(raw, pluginDir) {
+  const manifest = parsePluginManifest(raw, pluginDir);
+  if (pluginsByName.has(manifest.name)) {
+    return;
   }
-  return value;
-}
-function requireStringField(record, field, errorMessage) {
-  const value = record[field];
-  if (typeof value !== "string" || !value.trim()) {
-    throw new Error(errorMessage);
-  }
-  return value.trim();
-}
-function requireEnvVarField(record, field, pluginName) {
-  const value = requireStringField(
-    record,
-    field,
-    `Plugin ${pluginName} ${field} must be a non-empty string`
-  );
-  if (!AUTH_TOKEN_ENV_RE.test(value)) {
-    throw new Error(
-      `Plugin ${pluginName} ${field} must be an uppercase env var name`
-    );
-  }
-  return value;
-}
-function requireHttpsUrlField(record, field, pluginName) {
-  const value = requireStringField(
-    record,
-    field,
-    `Plugin ${pluginName} oauth.${field} must be a non-empty string`
-  );
-  let parsed;
-  try {
-    parsed = new URL(value);
-  } catch {
-    throw new Error(`Plugin ${pluginName} oauth.${field} must be a valid URL`);
-  }
-  if (parsed.protocol !== "https:") {
-    throw new Error(`Plugin ${pluginName} oauth.${field} must use https`);
-  }
-  return value;
-}
-function normalizeApiDomain(rawDomain, name) {
-  const domain = typeof rawDomain === "string" ? rawDomain.trim().toLowerCase() : "";
-  if (!domain) {
-    throw new Error(
-      `Plugin ${name} credentials.api-domains entries must be non-empty strings`
-    );
-  }
-  if (!API_DOMAIN_RE.test(domain)) {
-    throw new Error(
-      `Plugin ${name} credentials.api-domains entries must be valid domain names`
-    );
-  }
-  return domain;
-}
-function parseStringMap(data, errorLabel, options = {}) {
-  if (data === void 0) {
-    return void 0;
-  }
-  const record = toRecord(
-    data,
-    `${errorLabel} must be an object when provided`
-  );
-  const entries = Object.entries(record);
-  if (entries.length === 0) {
-    return void 0;
-  }
-  const result = {};
-  const seen = /* @__PURE__ */ new Set();
-  for (const [rawKey, rawValue] of entries) {
-    const key = rawKey.trim();
-    if (!key) {
-      throw new Error(`${errorLabel} keys must be non-empty strings`);
-    }
-    if (typeof rawValue !== "string" || !rawValue.trim()) {
-      throw new Error(`${errorLabel}.${key} must be a non-empty string`);
-    }
-    const normalizedKey = key.toLowerCase();
-    if (options.reservedKeys?.has(normalizedKey)) {
-      throw new Error(`${errorLabel}.${key} is reserved by the runtime`);
-    }
-    if (options.forbiddenKeys?.has(normalizedKey)) {
-      throw new Error(`${errorLabel}.${key} is not allowed`);
-    }
-    if (seen.has(normalizedKey)) {
-      throw new Error(`${errorLabel}.${key} is duplicated`);
-    }
-    seen.add(normalizedKey);
-    result[key] = rawValue.trim();
-  }
-  return Object.keys(result).length > 0 ? result : void 0;
-}
-function parseBaseCredentialFields(data, name) {
-  const rawDomains = data["api-domains"];
-  if (!Array.isArray(rawDomains) || rawDomains.length === 0) {
-    throw new Error(
-      `Plugin ${name} credentials.api-domains must be a non-empty array of strings`
-    );
-  }
-  const apiDomains = rawDomains.map(
-    (rawDomain) => normalizeApiDomain(rawDomain, name)
-  );
-  const apiHeaders = parseStringMap(
-    data["api-headers"],
-    `Plugin ${name} credentials.api-headers`,
-    { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
-  );
-  const authTokenEnv = requireEnvVarField(data, "auth-token-env", name);
-  const authTokenPlaceholderRaw = data["auth-token-placeholder"];
-  if (authTokenPlaceholderRaw !== void 0 && (typeof authTokenPlaceholderRaw !== "string" || !authTokenPlaceholderRaw.trim())) {
-    throw new Error(
-      `Plugin ${name} credentials.auth-token-placeholder must be a non-empty string when provided`
-    );
-  }
-  return {
-    apiDomains,
-    ...apiHeaders ? { apiHeaders } : {},
-    authTokenEnv,
-    ...typeof authTokenPlaceholderRaw === "string" ? { authTokenPlaceholder: authTokenPlaceholderRaw.trim() } : {}
-  };
-}
-function parseCredentials(data, name) {
-  const type = data.type;
-  if (type === "oauth-bearer") {
-    const base = parseBaseCredentialFields(data, name);
-    return { type: "oauth-bearer", ...base };
-  }
-  if (type === "github-app") {
-    const base = parseBaseCredentialFields(data, name);
-    const appIdEnv = requireEnvVarField(data, "app-id-env", name);
-    const privateKeyEnv = requireEnvVarField(data, "private-key-env", name);
-    const installationIdEnv = requireEnvVarField(
-      data,
-      "installation-id-env",
-      name
-    );
-    return {
-      type: "github-app",
-      ...base,
-      appIdEnv,
-      privateKeyEnv,
-      installationIdEnv
-    };
-  }
-  throw new Error(`Plugin ${name} has unsupported credentials.type: "${type}"`);
-}
-function parseRuntimeDependencies(data, name) {
-  if (data === void 0) {
-    return void 0;
-  }
-  if (!Array.isArray(data)) {
-    throw new Error(`Plugin ${name} runtime-dependencies must be an array`);
-  }
-  const parsed = [];
-  const seen = /* @__PURE__ */ new Set();
-  for (const entry of data) {
-    if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
-      throw new Error(
-        `Plugin ${name} runtime-dependencies entries must be objects`
-      );
-    }
-    const record = entry;
-    const type = record.type;
-    const packageName = record.package;
-    const packageUrl = record.url;
-    const version = record.version;
-    const sha256 = record.sha256;
-    if (typeof type !== "string" || type !== "npm" && type !== "system") {
-      throw new Error(
-        `Plugin ${name} runtime dependency type must be "npm" or "system"`
-      );
-    }
-    const normalizedPackage = typeof packageName === "string" ? packageName.trim() : "";
-    const normalizedUrl = typeof packageUrl === "string" ? packageUrl.trim() : "";
-    if (type === "npm") {
-      if (!normalizedPackage) {
-        throw new Error(
-          `Plugin ${name} runtime dependency package must be a non-empty string`
-        );
-      }
-      if (packageUrl !== void 0 || sha256 !== void 0) {
-        throw new Error(
-          `Plugin ${name} npm runtime dependencies must only include package/version fields`
-        );
-      }
-      const normalizedVersion = typeof version === "string" ? version.trim() : "latest";
-      if (!normalizedVersion) {
-        throw new Error(
-          `Plugin ${name} runtime dependency version must be a non-empty string when provided`
-        );
-      }
-      const dedupeKey2 = `${type}:${normalizedPackage}:${normalizedVersion}`;
-      if (seen.has(dedupeKey2)) {
-        continue;
-      }
-      seen.add(dedupeKey2);
-      parsed.push({
-        type: "npm",
-        package: normalizedPackage,
-        version: normalizedVersion
-      });
-      continue;
-    }
-    if (version !== void 0) {
-      throw new Error(
-        `Plugin ${name} system runtime dependencies must not include a version`
-      );
-    }
-    if (normalizedPackage && normalizedUrl) {
-      throw new Error(
-        `Plugin ${name} system runtime dependencies must specify either package or url, not both`
-      );
-    }
-    if (!normalizedPackage && !normalizedUrl) {
-      throw new Error(
-        `Plugin ${name} system runtime dependencies must specify package or url`
-      );
-    }
-    if (normalizedPackage) {
-      if (sha256 !== void 0) {
-        throw new Error(
-          `Plugin ${name} system runtime dependency package entries must not include sha256`
-        );
-      }
-      const dedupeKey2 = `${type}:package:${normalizedPackage}`;
-      if (seen.has(dedupeKey2)) {
-        continue;
-      }
-      seen.add(dedupeKey2);
-      parsed.push({
-        type: "system",
-        package: normalizedPackage
-      });
-      continue;
-    }
-    if (!/^https:\/\//i.test(normalizedUrl)) {
-      throw new Error(
-        `Plugin ${name} system runtime dependency url must be an https URL`
-      );
-    }
-    const normalizedSha256 = typeof sha256 === "string" ? sha256.trim().toLowerCase() : "";
-    if (!/^[a-f0-9]{64}$/.test(normalizedSha256)) {
-      throw new Error(
-        `Plugin ${name} system runtime dependency url entries must include a valid sha256`
-      );
-    }
-    const dedupeKey = `${type}:url:${normalizedUrl}:${normalizedSha256}`;
-    if (seen.has(dedupeKey)) {
-      continue;
-    }
-    seen.add(dedupeKey);
-    parsed.push({
-      type: "system",
-      url: normalizedUrl,
-      sha256: normalizedSha256
-    });
-  }
-  return parsed.length > 0 ? parsed : void 0;
-}
-function parseRuntimePostinstall(data, name) {
-  if (data === void 0) {
-    return void 0;
-  }
-  if (!Array.isArray(data)) {
-    throw new Error(`Plugin ${name} runtime-postinstall must be an array`);
-  }
-  const parsed = [];
-  for (const entry of data) {
-    if (!entry || typeof entry !== "object" || Array.isArray(entry)) {
-      throw new Error(
-        `Plugin ${name} runtime-postinstall entries must be objects`
-      );
-    }
-    const record = entry;
-    const cmd = typeof record.cmd === "string" ? record.cmd.trim() : "";
-    if (!cmd) {
-      throw new Error(
-        `Plugin ${name} runtime-postinstall cmd must be a non-empty string`
-      );
-    }
-    if (!RUNTIME_POSTINSTALL_CMD_RE.test(cmd)) {
-      throw new Error(
-        `Plugin ${name} runtime-postinstall cmd must be a single executable token (letters, digits, ., _, /, -)`
-      );
-    }
-    const argsRaw = record.args;
-    if (argsRaw !== void 0 && (!Array.isArray(argsRaw) || !argsRaw.every((arg) => typeof arg === "string"))) {
-      throw new Error(
-        `Plugin ${name} runtime-postinstall args must be an array of strings when provided`
-      );
-    }
-    const sudoRaw = record.sudo;
-    if (sudoRaw !== void 0 && typeof sudoRaw !== "boolean") {
-      throw new Error(
-        `Plugin ${name} runtime-postinstall sudo must be a boolean when provided`
-      );
-    }
-    const normalizedArgs = Array.isArray(argsRaw) ? argsRaw.map((arg) => arg.trim()).filter((arg) => arg.length > 0) : void 0;
-    parsed.push({
-      cmd,
-      ...normalizedArgs && normalizedArgs.length > 0 ? { args: normalizedArgs } : {},
-      ...typeof sudoRaw === "boolean" ? { sudo: sudoRaw } : {}
-    });
-  }
-  return parsed.length > 0 ? parsed : void 0;
-}
-function parseManifest(raw, dir) {
-  const data = toRecord(
-    parseYaml(raw),
-    `Invalid plugin manifest in ${dir}: expected an object`
-  );
-  const rawName = data.name;
-  if (typeof rawName !== "string" || !PLUGIN_NAME_RE.test(rawName)) {
-    throw new Error(`Invalid plugin name in ${dir}: "${rawName}"`);
-  }
-  const name = rawName;
-  const rawDescription = data.description;
-  if (typeof rawDescription !== "string" || !rawDescription.trim()) {
-    throw new Error(`Invalid plugin description in ${dir}`);
-  }
-  const description = rawDescription;
-  const rawCapabilities = data.capabilities;
-  if (rawCapabilities !== void 0 && !Array.isArray(rawCapabilities)) {
-    throw new Error(
-      `Plugin ${name} capabilities must be an array when provided`
-    );
-  }
-  const capabilities = [];
-  for (const cap of rawCapabilities ?? []) {
-    if (typeof cap !== "string" || !SHORT_CAPABILITY_RE.test(cap)) {
-      throw new Error(`Invalid capability token "${cap}" in plugin ${name}`);
-    }
-    capabilities.push(`${name}.${cap}`);
-  }
-  const rawConfigKeys = data["config-keys"];
-  if (rawConfigKeys !== void 0 && !Array.isArray(rawConfigKeys)) {
-    throw new Error(
-      `Plugin ${name} config-keys must be an array when provided`
-    );
-  }
-  const configKeys = [];
-  for (const key of rawConfigKeys ?? []) {
-    if (typeof key !== "string" || !SHORT_CONFIG_KEY_RE.test(key)) {
-      throw new Error(`Invalid config key "${key}" in plugin ${name}`);
-    }
-    configKeys.push(`${name}.${key}`);
-  }
-  const credentialsRaw = data.credentials;
-  if (credentialsRaw !== void 0) {
-    toRecord(
-      credentialsRaw,
-      `Plugin ${name} credentials must be an object when provided`
-    );
-  }
-  const credentials = credentialsRaw ? parseCredentials(credentialsRaw, name) : void 0;
-  const runtimeDependencies = parseRuntimeDependencies(
-    data["runtime-dependencies"],
-    name
-  );
-  const runtimePostinstall = parseRuntimePostinstall(
-    data["runtime-postinstall"],
-    name
-  );
-  const manifest = {
-    name,
-    description,
-    capabilities,
-    configKeys,
-    ...credentials ? { credentials } : {},
-    ...runtimeDependencies ? { runtimeDependencies } : {},
-    ...runtimePostinstall ? { runtimePostinstall } : {}
-  };
-  const oauthRaw = data.oauth ? toRecord(data.oauth, `Plugin ${name} oauth must be an object`) : void 0;
-  if (oauthRaw) {
-    if (!credentials) {
-      throw new Error(`Plugin ${name} oauth requires credentials`);
-    }
-    if (credentials.type !== "oauth-bearer") {
-      throw new Error(
-        `Plugin ${name} oauth requires credentials.type "oauth-bearer"`
-      );
-    }
-    const authorizeParams = parseStringMap(
-      oauthRaw["authorize-params"],
-      `Plugin ${name} oauth.authorize-params`,
-      { reservedKeys: RESERVED_AUTHORIZE_PARAM_KEYS }
-    );
-    const tokenExtraHeaders = parseStringMap(
-      oauthRaw["token-extra-headers"],
-      `Plugin ${name} oauth.token-extra-headers`,
-      { forbiddenKeys: FORBIDDEN_TOKEN_HEADER_NAMES }
-    );
-    const tokenAuthMethodRaw = oauthRaw["token-auth-method"];
-    let tokenAuthMethod;
-    if (tokenAuthMethodRaw !== void 0) {
-      const parsedTokenAuthMethod = requireStringField(
-        oauthRaw,
-        "token-auth-method",
-        `Plugin ${name} oauth.token-auth-method must be a non-empty string`
-      );
-      if (parsedTokenAuthMethod !== "body" && parsedTokenAuthMethod !== "basic") {
-        throw new Error(
-          `Plugin ${name} oauth.token-auth-method must be "body" or "basic"`
-        );
-      }
-      tokenAuthMethod = parsedTokenAuthMethod;
-    }
-    manifest.oauth = {
-      clientIdEnv: requireEnvVarField(oauthRaw, "client-id-env", name),
-      clientSecretEnv: requireEnvVarField(oauthRaw, "client-secret-env", name),
-      authorizeEndpoint: requireHttpsUrlField(
-        oauthRaw,
-        "authorize-endpoint",
-        name
-      ),
-      tokenEndpoint: requireHttpsUrlField(oauthRaw, "token-endpoint", name),
-      ...oauthRaw.scope !== void 0 ? {
-        scope: requireStringField(
-          oauthRaw,
-          "scope",
-          `Plugin ${name} oauth.scope must be a non-empty string`
-        )
-      } : {},
-      ...authorizeParams ? { authorizeParams } : {},
-      ...tokenAuthMethod ? { tokenAuthMethod } : {},
-      ...tokenExtraHeaders ? { tokenExtraHeaders } : {}
-    };
-  }
-  const targetRaw = data.target ? toRecord(data.target, `Plugin ${name} target must be an object`) : void 0;
-  if (targetRaw) {
-    if (targetRaw.type !== "repo") {
-      throw new Error(`Plugin ${name} target.type must be "repo"`);
-    }
-    const rawConfigKey = targetRaw["config-key"];
-    if (typeof rawConfigKey !== "string" || !rawConfigKey.trim()) {
-      throw new Error(
-        `Plugin ${name} target.config-key must be a non-empty string`
-      );
-    }
-    if (!SHORT_CONFIG_KEY_RE.test(rawConfigKey)) {
-      throw new Error(
-        `Plugin ${name} target.config-key "${rawConfigKey}" is invalid`
-      );
-    }
-    const qualifiedKey = `${name}.${rawConfigKey}`;
-    if (!configKeys.includes(qualifiedKey)) {
-      throw new Error(
-        `Plugin ${name} target.config-key "${rawConfigKey}" must be listed in config-keys`
-      );
-    }
-    manifest.target = { type: "repo", configKey: qualifiedKey };
-  }
-  return manifest;
-}
-var pluginDefinitions = [];
-var capabilityToPlugin = /* @__PURE__ */ new Map();
-var pluginConfigKeys = /* @__PURE__ */ new Set();
-var pluginsByName = /* @__PURE__ */ new Map();
-var packageSkillRoots = /* @__PURE__ */ new Set();
-var pluginsLoaded = false;
-function registerPluginManifest(raw, pluginDir) {
-  const manifest = parseManifest(raw, pluginDir);
-  if (pluginsByName.has(manifest.name)) {
-    return;
-  }
-  for (const cap of manifest.capabilities) {
-    if (capabilityToPlugin.has(cap)) {
-      throw new Error(
-        `Duplicate capability "${cap}" in plugin "${manifest.name}"`
-      );
-    }
+  for (const cap of manifest.capabilities) {
+    if (capabilityToPlugin.has(cap)) {
+      throw new Error(
+        `Duplicate capability "${cap}" in plugin "${manifest.name}"`
+      );
+    }
   }
   const definition = {
     manifest,
@@ -1525,119 +681,498 @@ function loadPlugins() {
 function ensurePluginsLoaded() {
   loadPlugins();
 }
-loadPlugins();
-function getPluginCapabilityProviders() {
-  ensurePluginsLoaded();
-  return pluginDefinitions.map((plugin) => ({
-    provider: plugin.manifest.name,
-    capabilities: [...plugin.manifest.capabilities],
-    configKeys: [...plugin.manifest.configKeys],
-    ...plugin.manifest.target ? { target: { ...plugin.manifest.target } } : {}
-  }));
+loadPlugins();
+function getPluginCapabilityProviders() {
+  ensurePluginsLoaded();
+  return pluginDefinitions.map((plugin) => ({
+    provider: plugin.manifest.name,
+    capabilities: [...plugin.manifest.capabilities],
+    configKeys: [...plugin.manifest.configKeys],
+    ...plugin.manifest.target ? { target: { ...plugin.manifest.target } } : {}
+  }));
+}
+function getPluginProviders() {
+  ensurePluginsLoaded();
+  return [...pluginDefinitions];
+}
+function getPluginRuntimeDependencies() {
+  ensurePluginsLoaded();
+  const seen = /* @__PURE__ */ new Set();
+  const deps = [];
+  for (const plugin of pluginDefinitions) {
+    for (const dep of plugin.manifest.runtimeDependencies ?? []) {
+      const key = dep.type === "npm" ? `${dep.type}:${dep.package}:${dep.version}` : "package" in dep ? `${dep.type}:package:${dep.package}` : `${dep.type}:url:${dep.url}:${dep.sha256}`;
+      if (seen.has(key)) {
+        continue;
+      }
+      seen.add(key);
+      deps.push(dep);
+    }
+  }
+  return deps.sort((left, right) => {
+    if (left.type !== right.type) {
+      return left.type.localeCompare(right.type);
+    }
+    const leftIdentity = "package" in left ? `package:${left.package}` : `url:${left.url}:${left.sha256}`;
+    const rightIdentity = "package" in right ? `package:${right.package}` : `url:${right.url}:${right.sha256}`;
+    if (leftIdentity !== rightIdentity) {
+      return leftIdentity.localeCompare(rightIdentity);
+    }
+    if (left.type === "npm" && right.type === "npm") {
+      return left.version.localeCompare(right.version);
+    }
+    return 0;
+  });
+}
+function getPluginRuntimePostinstall() {
+  ensurePluginsLoaded();
+  const commands = [];
+  for (const plugin of pluginDefinitions) {
+    for (const command of plugin.manifest.runtimePostinstall ?? []) {
+      commands.push({
+        cmd: command.cmd,
+        ...command.args ? { args: [...command.args] } : {},
+        ...command.sudo !== void 0 ? { sudo: command.sudo } : {}
+      });
+    }
+  }
+  return commands;
+}
+function getPluginOAuthConfig(provider) {
+  ensurePluginsLoaded();
+  const plugin = pluginsByName.get(provider);
+  if (!plugin?.manifest.oauth) return void 0;
+  const oauth = plugin.manifest.oauth;
+  return {
+    clientIdEnv: oauth.clientIdEnv,
+    clientSecretEnv: oauth.clientSecretEnv,
+    authorizeEndpoint: oauth.authorizeEndpoint,
+    tokenEndpoint: oauth.tokenEndpoint,
+    ...oauth.scope ? { scope: oauth.scope } : {},
+    ...oauth.authorizeParams ? { authorizeParams: { ...oauth.authorizeParams } } : {},
+    ...oauth.tokenAuthMethod ? { tokenAuthMethod: oauth.tokenAuthMethod } : {},
+    ...oauth.tokenExtraHeaders ? { tokenExtraHeaders: { ...oauth.tokenExtraHeaders } } : {},
+    callbackPath: `/api/oauth/callback/${plugin.manifest.name}`
+  };
+}
+function getPluginSkillRoots() {
+  ensurePluginsLoaded();
+  return [
+    .../* @__PURE__ */ new Set([
+      ...pluginDefinitions.map((plugin) => plugin.skillsDir),
+      ...packageSkillRoots
+    ])
+  ];
+}
+function isPluginProvider(provider) {
+  ensurePluginsLoaded();
+  return pluginsByName.has(provider);
+}
+function createPluginBroker(provider, deps) {
+  ensurePluginsLoaded();
+  const plugin = pluginsByName.get(provider);
+  if (!plugin) {
+    throw new Error(`Unknown plugin provider: "${provider}"`);
+  }
+  const { credentials, name } = plugin.manifest;
+  if (!credentials) {
+    throw new Error(`Provider "${name}" has no credentials configured`);
+  }
+  let broker;
+  if (credentials.type === "oauth-bearer") {
+    broker = createOAuthBearerBroker(plugin.manifest, credentials, deps);
+  } else if (credentials.type === "github-app") {
+    broker = createGitHubAppBroker(plugin.manifest, credentials);
+  } else {
+    throw new Error(`Unsupported credentials type for plugin "${name}"`);
+  }
+  setSpanAttributes({
+    "app.plugin.name": name,
+    "app.plugin.capabilities": plugin.manifest.capabilities,
+    "app.plugin.has_oauth": Boolean(plugin.manifest.oauth)
+  });
+  return broker;
+}
+
+// src/chat/config.ts
+var MIN_AGENT_TURN_TIMEOUT_MS = 10 * 1e3;
+var DEFAULT_AGENT_TURN_TIMEOUT_MS = 12 * 60 * 1e3;
+var DEFAULT_QUEUE_CALLBACK_MAX_DURATION_SECONDS = 800;
+var TURN_TIMEOUT_BUFFER_SECONDS = 20;
+function parseAgentTurnTimeoutMs(rawValue, maxTimeoutMs) {
+  const value = Number.parseInt(rawValue ?? "", 10);
+  if (Number.isNaN(value)) {
+    return Math.max(MIN_AGENT_TURN_TIMEOUT_MS, Math.min(DEFAULT_AGENT_TURN_TIMEOUT_MS, maxTimeoutMs));
+  }
+  return Math.max(MIN_AGENT_TURN_TIMEOUT_MS, Math.min(value, maxTimeoutMs));
+}
+function resolveQueueCallbackMaxDurationSeconds() {
+  const value = Number.parseInt(process.env.QUEUE_CALLBACK_MAX_DURATION_SECONDS ?? "", 10);
+  if (Number.isNaN(value) || value <= 0) {
+    return DEFAULT_QUEUE_CALLBACK_MAX_DURATION_SECONDS;
+  }
+  return value;
+}
+function resolveMaxTurnTimeoutMs(queueCallbackMaxDurationSeconds) {
+  const budgetSeconds = queueCallbackMaxDurationSeconds - TURN_TIMEOUT_BUFFER_SECONDS;
+  return Math.max(MIN_AGENT_TURN_TIMEOUT_MS, budgetSeconds * 1e3);
+}
+function buildBotConfig() {
+  const queueCallbackMaxDurationSeconds = resolveQueueCallbackMaxDurationSeconds();
+  const maxTurnTimeoutMs = resolveMaxTurnTimeoutMs(queueCallbackMaxDurationSeconds);
+  return {
+    userName: process.env.JUNIOR_BOT_NAME ?? "junior",
+    modelId: process.env.AI_MODEL ?? "anthropic/claude-sonnet-4.6",
+    fastModelId: process.env.AI_FAST_MODEL ?? process.env.AI_MODEL ?? "anthropic/claude-haiku-4.5",
+    turnTimeoutMs: parseAgentTurnTimeoutMs(process.env.AGENT_TURN_TIMEOUT_MS, maxTurnTimeoutMs)
+  };
+}
+var botConfig = buildBotConfig();
+function toOptionalTrimmed(value) {
+  if (!value) {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  return trimmed.length > 0 ? trimmed : void 0;
+}
+function getSlackBotToken() {
+  return toOptionalTrimmed(process.env.SLACK_BOT_TOKEN) ?? toOptionalTrimmed(process.env.SLACK_BOT_USER_TOKEN);
+}
+function getSlackSigningSecret() {
+  return toOptionalTrimmed(process.env.SLACK_SIGNING_SECRET);
+}
+function getSlackClientId() {
+  return toOptionalTrimmed(process.env.SLACK_CLIENT_ID);
+}
+function getSlackClientSecret() {
+  return toOptionalTrimmed(process.env.SLACK_CLIENT_SECRET);
+}
+function hasRedisConfig() {
+  return Boolean(process.env.REDIS_URL);
+}
+
+// src/chat/state.ts
+import { createRedisState } from "@chat-adapter/state-redis";
+import { createMemoryState } from "@chat-adapter/state-memory";
+var MIN_LOCK_TTL_MS = 1e3 * 60 * 5;
+var QUEUE_INGRESS_DEDUP_PREFIX = "junior:queue_ingress";
+var QUEUE_MESSAGE_PROCESSING_PREFIX = "junior:queue_message";
+var AGENT_TURN_SESSION_PREFIX = "junior:agent_turn_session";
+var QUEUE_MESSAGE_PROCESSING_TTL_MS = 30 * 60 * 1e3;
+var QUEUE_MESSAGE_COMPLETED_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
+var QUEUE_MESSAGE_FAILED_TTL_MS = 6 * 60 * 60 * 1e3;
+var AGENT_TURN_SESSION_TTL_MS = 24 * 60 * 60 * 1e3;
+var CLAIM_OR_RECLAIM_PROCESSING_SCRIPT = `
+  local key = KEYS[1]
+  local nowMs = tonumber(ARGV[1])
+  local ttlMs = tonumber(ARGV[2])
+  local payload = ARGV[3]
+  local current = redis.call("get", key)
+
+  if not current then
+    redis.call("set", key, payload, "PX", ttlMs)
+    return 1
+  end
+
+  local ok, parsed = pcall(cjson.decode, current)
+  if not ok or type(parsed) ~= "table" then
+    return 0
+  end
+
+  local status = parsed["status"]
+  if status == "failed" then
+    redis.call("set", key, payload, "PX", ttlMs)
+    return 3
+  end
+  if status ~= "processing" then
+    return 0
+  end
+
+  local updatedAtMs = tonumber(parsed["updatedAtMs"])
+  if not updatedAtMs then
+    return 0
+  end
+
+  if updatedAtMs + ttlMs < nowMs then
+    redis.call("set", key, payload, "PX", ttlMs)
+    return 2
+  end
+
+  return 0
+`;
+var UPDATE_PROCESSING_STATE_IF_OWNER_SCRIPT = `
+  local key = KEYS[1]
+  local ownerToken = ARGV[1]
+  local ttlMs = tonumber(ARGV[2])
+  local payload = ARGV[3]
+  local current = redis.call("get", key)
+
+  if not current then
+    return 0
+  end
+
+  local ok, parsed = pcall(cjson.decode, current)
+  if not ok or type(parsed) ~= "table" then
+    return 0
+  end
+
+  local currentOwner = parsed["ownerToken"]
+  local status = parsed["status"]
+  if currentOwner ~= ownerToken then
+    return 0
+  end
+  if status ~= "processing" then
+    return 0
+  end
+
+  redis.call("set", key, payload, "PX", ttlMs)
+  return 1
+`;
+function createQueuedStateAdapter(base) {
+  const acquireLock = async (threadId, ttlMs) => {
+    const effectiveTtlMs = Math.max(ttlMs, MIN_LOCK_TTL_MS);
+    const lock = await base.acquireLock(threadId, effectiveTtlMs);
+    return lock;
+  };
+  return {
+    connect: () => base.connect(),
+    disconnect: () => base.disconnect(),
+    subscribe: (threadId) => base.subscribe(threadId),
+    unsubscribe: (threadId) => base.unsubscribe(threadId),
+    isSubscribed: (threadId) => base.isSubscribed(threadId),
+    acquireLock,
+    releaseLock: (lock) => base.releaseLock(lock),
+    extendLock: (lock, ttlMs) => base.extendLock(lock, Math.max(ttlMs, MIN_LOCK_TTL_MS)),
+    get: (key) => base.get(key),
+    set: (key, value, ttlMs) => base.set(key, value, ttlMs),
+    setIfNotExists: (key, value, ttlMs) => base.setIfNotExists(key, value, ttlMs),
+    delete: (key) => base.delete(key)
+  };
+}
+function createStateAdapter() {
+  if (process.env.JUNIOR_STATE_ADAPTER?.trim().toLowerCase() === "memory") {
+    _redisStateAdapter = void 0;
+    return createQueuedStateAdapter(createMemoryState());
+  }
+  if (!hasRedisConfig()) {
+    throw new Error("REDIS_URL is required for durable Slack thread state");
+  }
+  const redisState = createRedisState({
+    url: process.env.REDIS_URL
+  });
+  _redisStateAdapter = redisState;
+  return createQueuedStateAdapter(redisState);
+}
+var _stateAdapter;
+var _redisStateAdapter;
+function getRedisStateAdapter() {
+  if (!_redisStateAdapter) {
+    getStateAdapter();
+  }
+  if (!_redisStateAdapter) {
+    throw new Error("Redis state adapter is unavailable for this runtime");
+  }
+  return _redisStateAdapter;
+}
+function queueMessageKey(rawKey) {
+  return `${QUEUE_MESSAGE_PROCESSING_PREFIX}:${rawKey}`;
+}
+function parseQueueMessageState(value) {
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  try {
+    const parsed = JSON.parse(value);
+    if (!parsed || parsed.status !== "processing" && parsed.status !== "completed" && parsed.status !== "failed" || typeof parsed.updatedAtMs !== "number") {
+      return void 0;
+    }
+    return {
+      status: parsed.status,
+      updatedAtMs: parsed.updatedAtMs,
+      ...typeof parsed.ownerToken === "string" ? { ownerToken: parsed.ownerToken } : {},
+      ...typeof parsed.queueMessageId === "string" ? { queueMessageId: parsed.queueMessageId } : {},
+      ...typeof parsed.errorMessage === "string" ? { errorMessage: parsed.errorMessage } : {}
+    };
+  } catch {
+    return void 0;
+  }
+}
+function agentTurnSessionKey(conversationId, sessionId) {
+  return `${AGENT_TURN_SESSION_PREFIX}:${conversationId}:${sessionId}`;
 }
-function getPluginProviders() {
-  ensurePluginsLoaded();
-  return [...pluginDefinitions];
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
 }
-function getPluginRuntimeDependencies() {
-  ensurePluginsLoaded();
-  const seen = /* @__PURE__ */ new Set();
-  const deps = [];
-  for (const plugin of pluginDefinitions) {
-    for (const dep of plugin.manifest.runtimeDependencies ?? []) {
-      const key = dep.type === "npm" ? `${dep.type}:${dep.package}:${dep.version}` : "package" in dep ? `${dep.type}:package:${dep.package}` : `${dep.type}:url:${dep.url}:${dep.sha256}`;
-      if (seen.has(key)) {
-        continue;
-      }
-      seen.add(key);
-      deps.push(dep);
-    }
+function parseAgentTurnSessionCheckpoint(value) {
+  if (typeof value !== "string") {
+    return void 0;
   }
-  return deps.sort((left, right) => {
-    if (left.type !== right.type) {
-      return left.type.localeCompare(right.type);
+  try {
+    const parsed = JSON.parse(value);
+    if (!isRecord(parsed)) {
+      return void 0;
     }
-    const leftIdentity = "package" in left ? `package:${left.package}` : `url:${left.url}:${left.sha256}`;
-    const rightIdentity = "package" in right ? `package:${right.package}` : `url:${right.url}:${right.sha256}`;
-    if (leftIdentity !== rightIdentity) {
-      return leftIdentity.localeCompare(rightIdentity);
+    const status = parsed.state;
+    if (status !== "running" && status !== "awaiting_resume" && status !== "completed" && status !== "failed") {
+      return void 0;
     }
-    if (left.type === "npm" && right.type === "npm") {
-      return left.version.localeCompare(right.version);
+    const conversationId = parsed.conversationId;
+    const sessionId = parsed.sessionId;
+    const sliceId = parsed.sliceId;
+    const checkpointVersion = parsed.checkpointVersion;
+    const updatedAtMs = parsed.updatedAtMs;
+    if (typeof conversationId !== "string" || typeof sessionId !== "string" || typeof sliceId !== "number" || typeof checkpointVersion !== "number" || typeof updatedAtMs !== "number") {
+      return void 0;
     }
-    return 0;
-  });
+    return {
+      checkpointVersion,
+      conversationId,
+      sessionId,
+      sliceId,
+      state: status,
+      updatedAtMs,
+      piMessages: Array.isArray(parsed.piMessages) ? parsed.piMessages : [],
+      ...typeof parsed.errorMessage === "string" ? { errorMessage: parsed.errorMessage } : {},
+      ...typeof parsed.resumedFromSliceId === "number" ? { resumedFromSliceId: parsed.resumedFromSliceId } : {}
+    };
+  } catch {
+    return void 0;
+  }
 }
-function getPluginRuntimePostinstall() {
-  ensurePluginsLoaded();
-  const commands = [];
-  for (const plugin of pluginDefinitions) {
-    for (const command of plugin.manifest.runtimePostinstall ?? []) {
-      commands.push({
-        cmd: command.cmd,
-        ...command.args ? { args: [...command.args] } : {},
-        ...command.sudo !== void 0 ? { sudo: command.sudo } : {}
-      });
-    }
+function getStateAdapter() {
+  if (!_stateAdapter) {
+    _stateAdapter = createStateAdapter();
   }
-  return commands;
+  return _stateAdapter;
 }
-function getPluginOAuthConfig(provider) {
-  ensurePluginsLoaded();
-  const plugin = pluginsByName.get(provider);
-  if (!plugin?.manifest.oauth) return void 0;
-  const oauth = plugin.manifest.oauth;
-  return {
-    clientIdEnv: oauth.clientIdEnv,
-    clientSecretEnv: oauth.clientSecretEnv,
-    authorizeEndpoint: oauth.authorizeEndpoint,
-    tokenEndpoint: oauth.tokenEndpoint,
-    ...oauth.scope ? { scope: oauth.scope } : {},
-    ...oauth.authorizeParams ? { authorizeParams: { ...oauth.authorizeParams } } : {},
-    ...oauth.tokenAuthMethod ? { tokenAuthMethod: oauth.tokenAuthMethod } : {},
-    ...oauth.tokenExtraHeaders ? { tokenExtraHeaders: { ...oauth.tokenExtraHeaders } } : {},
-    callbackPath: `/api/oauth/callback/${plugin.manifest.name}`
-  };
+async function disconnectStateAdapter() {
+  if (!_stateAdapter) {
+    return;
+  }
+  try {
+    await _stateAdapter.disconnect();
+  } finally {
+    _stateAdapter = void 0;
+    _redisStateAdapter = void 0;
+  }
 }
-function getPluginSkillRoots() {
-  ensurePluginsLoaded();
-  return [
-    .../* @__PURE__ */ new Set([
-      ...pluginDefinitions.map((plugin) => plugin.skillsDir),
-      ...packageSkillRoots
-    ])
-  ];
+async function claimQueueIngressDedup(rawKey, ttlMs) {
+  await getStateAdapter().connect();
+  const key = `${QUEUE_INGRESS_DEDUP_PREFIX}:${rawKey}`;
+  const result = await getRedisStateAdapter().getClient().set(key, "1", {
+    NX: true,
+    PX: ttlMs
+  });
+  return result === "OK";
 }
-function isPluginProvider(provider) {
-  ensurePluginsLoaded();
-  return pluginsByName.has(provider);
+async function hasQueueIngressDedup(rawKey) {
+  await getStateAdapter().connect();
+  const key = `${QUEUE_INGRESS_DEDUP_PREFIX}:${rawKey}`;
+  const value = await getRedisStateAdapter().getClient().get(key);
+  return typeof value === "string" && value.length > 0;
 }
-function createPluginBroker(provider, deps) {
-  ensurePluginsLoaded();
-  const plugin = pluginsByName.get(provider);
-  if (!plugin) {
-    throw new Error(`Unknown plugin provider: "${provider}"`);
+async function getQueueMessageProcessingState(rawKey) {
+  await getStateAdapter().connect();
+  const state = await getStateAdapter().get(queueMessageKey(rawKey));
+  return parseQueueMessageState(state);
+}
+async function acquireQueueMessageProcessingOwnership(args) {
+  await getStateAdapter().connect();
+  const key = queueMessageKey(args.rawKey);
+  const nowMs = Date.now();
+  const payload = JSON.stringify({
+    status: "processing",
+    updatedAtMs: nowMs,
+    ownerToken: args.ownerToken,
+    ...args.queueMessageId ? { queueMessageId: args.queueMessageId } : {}
+  });
+  const result = await getRedisStateAdapter().getClient().eval(CLAIM_OR_RECLAIM_PROCESSING_SCRIPT, {
+    keys: [key],
+    arguments: [String(nowMs), String(QUEUE_MESSAGE_PROCESSING_TTL_MS), payload]
+  });
+  if (result === 1) {
+    return "acquired";
   }
-  const { credentials, name } = plugin.manifest;
-  if (!credentials) {
-    throw new Error(`Provider "${name}" has no credentials configured`);
+  if (result === 2) {
+    return "reclaimed";
   }
-  let broker;
-  if (credentials.type === "oauth-bearer") {
-    broker = createOAuthBearerBroker(plugin.manifest, credentials, deps);
-  } else if (credentials.type === "github-app") {
-    broker = createGitHubAppBroker(plugin.manifest, credentials);
-  } else {
-    throw new Error(`Unsupported credentials type for plugin "${name}"`);
+  if (result === 3) {
+    return "recovered";
   }
-  setSpanAttributes({
-    "app.plugin.name": name,
-    "app.plugin.capabilities": plugin.manifest.capabilities,
-    "app.plugin.has_oauth": Boolean(plugin.manifest.oauth)
+  return "blocked";
+}
+async function refreshQueueMessageProcessingOwnership(args) {
+  await getStateAdapter().connect();
+  const nowMs = Date.now();
+  const payload = JSON.stringify({
+    status: "processing",
+    updatedAtMs: nowMs,
+    ownerToken: args.ownerToken,
+    ...args.queueMessageId ? { queueMessageId: args.queueMessageId } : {}
   });
-  return broker;
+  const result = await getRedisStateAdapter().getClient().eval(UPDATE_PROCESSING_STATE_IF_OWNER_SCRIPT, {
+    keys: [queueMessageKey(args.rawKey)],
+    arguments: [args.ownerToken, String(QUEUE_MESSAGE_PROCESSING_TTL_MS), payload]
+  });
+  return result === 1;
+}
+async function completeQueueMessageProcessingOwnership(args) {
+  await getStateAdapter().connect();
+  const payload = JSON.stringify({
+    status: "completed",
+    updatedAtMs: Date.now(),
+    ownerToken: args.ownerToken,
+    ...args.queueMessageId ? { queueMessageId: args.queueMessageId } : {}
+  });
+  const result = await getRedisStateAdapter().getClient().eval(UPDATE_PROCESSING_STATE_IF_OWNER_SCRIPT, {
+    keys: [queueMessageKey(args.rawKey)],
+    arguments: [args.ownerToken, String(QUEUE_MESSAGE_COMPLETED_TTL_MS), payload]
+  });
+  return result === 1;
+}
+async function failQueueMessageProcessingOwnership(args) {
+  await getStateAdapter().connect();
+  const payload = JSON.stringify({
+    status: "failed",
+    updatedAtMs: Date.now(),
+    ownerToken: args.ownerToken,
+    errorMessage: args.errorMessage,
+    ...args.queueMessageId ? { queueMessageId: args.queueMessageId } : {}
+  });
+  const result = await getRedisStateAdapter().getClient().eval(UPDATE_PROCESSING_STATE_IF_OWNER_SCRIPT, {
+    keys: [queueMessageKey(args.rawKey)],
+    arguments: [args.ownerToken, String(QUEUE_MESSAGE_FAILED_TTL_MS), payload]
+  });
+  return result === 1;
+}
+async function getAgentTurnSessionCheckpoint(conversationId, sessionId) {
+  await getStateAdapter().connect();
+  const value = await getStateAdapter().get(agentTurnSessionKey(conversationId, sessionId));
+  return parseAgentTurnSessionCheckpoint(value);
+}
+async function upsertAgentTurnSessionCheckpoint(args) {
+  await getStateAdapter().connect();
+  const existing = await getAgentTurnSessionCheckpoint(args.conversationId, args.sessionId);
+  const checkpoint = {
+    checkpointVersion: (existing?.checkpointVersion ?? 0) + 1,
+    conversationId: args.conversationId,
+    sessionId: args.sessionId,
+    sliceId: args.sliceId,
+    state: args.state,
+    updatedAtMs: Date.now(),
+    piMessages: Array.isArray(args.piMessages) ? args.piMessages : [],
+    ...args.errorMessage ? { errorMessage: args.errorMessage } : {},
+    ...typeof args.resumedFromSliceId === "number" ? { resumedFromSliceId: args.resumedFromSliceId } : {}
+  };
+  const ttlMs = Math.max(1, args.ttlMs ?? AGENT_TURN_SESSION_TTL_MS);
+  await getStateAdapter().set(agentTurnSessionKey(args.conversationId, args.sessionId), JSON.stringify(checkpoint), ttlMs);
+  return checkpoint;
 }
 
+// src/chat/sandbox/runtime-dependency-snapshots.ts
+import { createHash } from "crypto";
+import { Sandbox } from "@vercel/sandbox";
+
 // src/chat/sandbox/paths.ts
 function normalizeWorkspaceRoot(input) {
   const candidate = (input ?? "").trim();
@@ -2196,12 +1731,15 @@ export {
   homeDir,
   skillRoots,
   soulPathCandidates,
+  aboutPathCandidates,
   resolveAuthTokenPlaceholder,
   CredentialUnavailableError,
   buildOAuthTokenRequest,
   parseOAuthTokenResponse,
   getPluginCapabilityProviders,
   getPluginProviders,
+  getPluginRuntimeDependencies,
+  getPluginRuntimePostinstall,
   getPluginOAuthConfig,
   getPluginSkillRoots,
   isPluginProvider,