@sentry/junior 0.64.0 → 0.65.1

package/dist/{chunk-WDPWFMCE.js → chunk-657CJCUO.js}

@@ -1363,6 +1363,11 @@ function inlineCredentialsSource(credentials) {
     setDefined(result, "app-id-env", credentials.appIdEnv);
     setDefined(result, "private-key-env", credentials.privateKeyEnv);
     setDefined(result, "installation-id-env", credentials.installationIdEnv);
+    setDefined(
+      result,
+      "system-read-permissions",
+      credentials.systemReadPermissions
+    );
   }
   return result;
 }
@@ -1441,6 +1446,103 @@ function inlineManifestSource(manifest) {
   return result;
 }
 
+// src/chat/plugins/github-permissions.ts
+var KNOWN_GITHUB_PERMISSION_SCOPES = /* @__PURE__ */ new Set([
+  "actions",
+  "administration",
+  "checks",
+  "codespaces",
+  "contents",
+  "deployments",
+  "environments",
+  "issues",
+  "metadata",
+  "packages",
+  "pages",
+  "pull_requests",
+  "repository_hooks",
+  "repository_projects",
+  "secret_scanning_alerts",
+  "secrets",
+  "security_events",
+  "statuses",
+  "vulnerability_alerts",
+  "workflows"
+]);
+var DEFAULT_GITHUB_SYSTEM_READ_SCOPES = /* @__PURE__ */ new Set([
+  "actions",
+  "checks",
+  "contents",
+  "issues",
+  "metadata",
+  "pull_requests",
+  "statuses"
+]);
+function normalizeGitHubPermissionScope(rawScope) {
+  return rawScope.trim().replace(/-/g, "_");
+}
+function normalizeGitHubSystemReadPermissionScopes(scopes, context) {
+  return scopes.map((rawScope) => {
+    const scope = normalizeGitHubPermissionScope(rawScope);
+    if (!KNOWN_GITHUB_PERMISSION_SCOPES.has(scope)) {
+      throw new Error(`${context} contains unsupported scope "${rawScope}"`);
+    }
+    return scope;
+  });
+}
+function githubCapabilitiesToPermissions(capabilities, pluginName) {
+  const permissions = {};
+  const prefix = `${pluginName}.`;
+  for (const capability of capabilities) {
+    if (!capability.startsWith(prefix)) {
+      throw new Error(`Unsupported GitHub capability: ${capability}`);
+    }
+    const suffix = capability.slice(prefix.length);
+    const lastDot = suffix.lastIndexOf(".");
+    if (lastDot === -1) {
+      throw new Error(`Unsupported GitHub capability: ${capability}`);
+    }
+    const scopeRaw = suffix.slice(0, lastDot);
+    const level = suffix.slice(lastDot + 1);
+    if (level !== "read" && level !== "write") {
+      throw new Error(`Unsupported GitHub capability: ${capability}`);
+    }
+    const scope = normalizeGitHubPermissionScope(scopeRaw);
+    if (!KNOWN_GITHUB_PERMISSION_SCOPES.has(scope)) {
+      throw new Error(`Unsupported GitHub capability: ${capability}`);
+    }
+    const existing = permissions[scope];
+    permissions[scope] = existing === "write" || level === "write" ? "write" : "read";
+  }
+  return permissions;
+}
+function githubSystemReadPermissionsFromScopes(scopes) {
+  const readOnly = {
+    metadata: "read"
+  };
+  for (const scope of normalizeGitHubSystemReadPermissionScopes(
+    scopes,
+    "GitHub system read permissions"
+  )) {
+    readOnly[scope] = "read";
+  }
+  return readOnly;
+}
+function githubInstallationReadPermissions(permissions, allowedScopes) {
+  const readOnly = {
+    metadata: "read"
+  };
+  for (const [scope, level] of Object.entries(permissions ?? {})) {
+    if (!allowedScopes.has(scope) || !KNOWN_GITHUB_PERMISSION_SCOPES.has(scope)) {
+      continue;
+    }
+    if (level === "read" || level === "write" || level === "admin") {
+      readOnly[scope] = "read";
+    }
+  }
+  return readOnly;
+}
+
 // src/chat/plugins/manifest.ts
 var PLUGIN_NAME_RE = /^[a-z][a-z0-9-]*$/;
 var SHORT_CAPABILITY_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)*$/;
@@ -1580,7 +1682,10 @@ var githubAppCredentialsSchema = baseCredentialsSchema.extend({
   type: z.literal("github-app"),
   "app-id-env": envVarString,
   "private-key-env": envVarString,
-  "installation-id-env": envVarString
+  "installation-id-env": envVarString,
+  "system-read-permissions": nonEmptyStringArraySchema(
+    "system-read-permissions"
+  ).optional()
 });
 var runtimeDependencyEntrySchema = z.object({
   type: z.enum(["npm", "system"]),
@@ -1704,6 +1809,11 @@ function manifestConfigPatch(config) {
         "installation-id-env",
         config.credentials.installationIdEnv
       );
+      setDefined2(
+        credentials,
+        "system-read-permissions",
+        config.credentials.systemReadPermissions
+      );
       result.credentials = credentials;
     }
   }
@@ -1913,6 +2023,21 @@ function assertCommandEnvDoesNotExposeHostSecretRefs(commandEnv, apiHeaders, cre
     }
   }
 }
+function assertCommandEnvHostRefsAreExplicitlyExposed(commandEnv, envVars, pluginName) {
+  if (!commandEnv) {
+    return;
+  }
+  for (const [key, value] of Object.entries(commandEnv)) {
+    for (const name of envReferences(value)) {
+      const declaration = envVars[name];
+      if (declaration && declaration.default === void 0 && declaration.exposeToCommandEnv !== true) {
+        throw new Error(
+          `Plugin ${pluginName} command-env.${key} references env var ${name}, but env-vars.${name} must set expose-to-command-env: true before host env can be exposed to sandbox`
+        );
+      }
+    }
+  }
+}
 function normalizeCredentials(data, name) {
   const schema = data.type === "oauth-bearer" ? oauthBearerCredentialsSchema : data.type === "github-app" ? githubAppCredentialsSchema : void 0;
   if (!schema) {
@@ -1947,6 +2072,10 @@ function normalizeCredentials(data, name) {
     `Plugin ${name} credentials.api-headers`,
     { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
   ) : void 0;
+  const systemReadPermissions = result.data["system-read-permissions"] ? normalizeGitHubSystemReadPermissionScopes(
+    result.data["system-read-permissions"],
+    `Plugin ${name} credentials.system-read-permissions`
+  ) : void 0;
   return {
     type: "github-app",
     domains,
@@ -1955,7 +2084,8 @@ function normalizeCredentials(data, name) {
     ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {},
     appIdEnv: result.data["app-id-env"],
     privateKeyEnv: result.data["private-key-env"],
-    installationIdEnv: result.data["installation-id-env"]
+    installationIdEnv: result.data["installation-id-env"],
+    ...systemReadPermissions ? { systemReadPermissions } : {}
   };
 }
 function normalizeRuntimeDependencies(entries, name) {
@@ -2087,7 +2217,9 @@ function normalizeRuntimePostinstall(commands, name) {
 var envVarDeclarationSchema = z.preprocess(
   (value) => value === null || value === void 0 ? {} : value,
   z.object({
-    default: z.string().optional()
+    default: z.string().optional(),
+    "expose-to-command-env": z.boolean().optional(),
+    exposeToCommandEnv: z.boolean().optional()
   }).strict()
 );
 function normalizeEnvVars(data, pluginName) {
@@ -2109,6 +2241,9 @@ function normalizeEnvVars(data, pluginName) {
     if (parsed.data.default !== void 0) {
       decl.default = parsed.data.default;
     }
+    if (parsed.data["expose-to-command-env"] === true || parsed.data.exposeToCommandEnv === true) {
+      decl.exposeToCommandEnv = true;
+    }
     normalized[name] = decl;
   }
   return normalized;
@@ -2267,11 +2402,6 @@ function parseManifestSource(parsedSource, dir, config) {
     envVars
   ) : void 0;
   const credentials = data.credentials ? normalizeCredentials(data.credentials, data.name) : void 0;
-  if (commandEnv && !credentials && !apiHeaders) {
-    throw new Error(
-      `Plugin ${data.name} command-env requires credentials or api-headers`
-    );
-  }
   const runtimeDependencies = data["runtime-dependencies"] ? normalizeRuntimeDependencies(data["runtime-dependencies"], data.name) : void 0;
   const runtimePostinstall = data["runtime-postinstall"] ? normalizeRuntimePostinstall(data["runtime-postinstall"], data.name) : void 0;
   const mcp = data.mcp ? normalizeMcp(data.mcp, envVars, data.name) : void 0;
@@ -2334,6 +2464,11 @@ function parseManifestSource(parsedSource, dir, config) {
     manifest.oauth,
     data.name
   );
+  assertCommandEnvHostRefsAreExplicitlyExposed(
+    data["command-env"],
+    envVars,
+    data.name
+  );
   if (data.target) {
     const result = targetSourceSchema.safeParse(data.target);
     if (!result.success) {
@@ -2600,54 +2735,6 @@ function resolveGitHubApiDomain(credentials) {
   }
   return apiDomain;
 }
-var KNOWN_SCOPES = /* @__PURE__ */ new Set([
-  "actions",
-  "administration",
-  "checks",
-  "codespaces",
-  "contents",
-  "deployments",
-  "environments",
-  "issues",
-  "metadata",
-  "packages",
-  "pages",
-  "pull_requests",
-  "repository_hooks",
-  "repository_projects",
-  "secret_scanning_alerts",
-  "secrets",
-  "security_events",
-  "statuses",
-  "vulnerability_alerts",
-  "workflows"
-]);
-function capabilitiesToPermissions(capabilities, pluginName) {
-  const permissions = {};
-  const prefix = `${pluginName}.`;
-  for (const capability of capabilities) {
-    if (!capability.startsWith(prefix)) {
-      throw new Error(`Unsupported GitHub capability: ${capability}`);
-    }
-    const suffix = capability.slice(prefix.length);
-    const lastDot = suffix.lastIndexOf(".");
-    if (lastDot === -1) {
-      throw new Error(`Unsupported GitHub capability: ${capability}`);
-    }
-    const scopeRaw = suffix.slice(0, lastDot);
-    const level = suffix.slice(lastDot + 1);
-    if (level !== "read" && level !== "write") {
-      throw new Error(`Unsupported GitHub capability: ${capability}`);
-    }
-    const scope = scopeRaw.replace(/-/g, "_");
-    if (!KNOWN_SCOPES.has(scope)) {
-      throw new Error(`Unsupported GitHub capability: ${capability}`);
-    }
-    const existing = permissions[scope];
-    permissions[scope] = existing === "write" || level === "write" ? "write" : "read";
-  }
-  return permissions;
-}
 function createGitHubAppBroker(manifest, credentials) {
   const provider = manifest.name;
   const {
@@ -2674,7 +2761,23 @@ function createGitHubAppBroker(manifest, credentials) {
     const normalizedApiDomain = apiDomain.toLowerCase();
     return normalizedDomain === "github.com" || normalizedApiDomain.startsWith("api.") && normalizedDomain === normalizedApiDomain.slice("api.".length);
   }
-  const permissions = manifest.capabilities?.length ? capabilitiesToPermissions(manifest.capabilities, provider) : void 0;
+  const permissions = manifest.capabilities?.length ? githubCapabilitiesToPermissions(manifest.capabilities, provider) : void 0;
+  const systemReadPermissions = credentials.systemReadPermissions?.length ? githubSystemReadPermissionsFromScopes(credentials.systemReadPermissions) : void 0;
+  async function resolveTokenPermissions(params) {
+    if (!params.systemActor) {
+      return permissions;
+    }
+    if (systemReadPermissions) {
+      return systemReadPermissions;
+    }
+    const installation = await githubRequest(apiBase, `/app/installations/${params.installationId}`, {
+      token: params.appJwt
+    });
+    return githubInstallationReadPermissions(
+      installation.permissions,
+      DEFAULT_GITHUB_SYSTEM_READ_SCOPES
+    );
+  }
   function createLease(params) {
     return {
       id: randomUUID2(),
@@ -2714,9 +2817,14 @@ function createGitHubAppBroker(manifest, credentials) {
   return {
     async issue(input) {
       const installationId = resolveInstallationId();
-      const tokenRequestBody = permissions ? { permissions } : {};
       const appId = resolveAppId(appIdEnv);
       const appJwt = createAppJwt(appId, privateKeyEnv);
+      const tokenPermissions = await resolveTokenPermissions({
+        appJwt,
+        installationId,
+        systemActor: input.context.actor.type === "system"
+      });
+      const tokenRequestBody = tokenPermissions ? { permissions: tokenPermissions } : {};
       const accessTokenResponse = await githubRequest(apiBase, `/app/installations/${installationId}/access_tokens`, {
         method: "POST",
         token: appJwt,
@@ -2750,6 +2858,79 @@ var CredentialUnavailableError = class extends Error {
   }
 };
 
+// src/chat/credentials/context.ts
+function credentialUserSubjectId(context) {
+  if (context.actor.type === "user") {
+    return context.actor.userId;
+  }
+  return context.subject?.userId;
+}
+function parseCredentialContext(value) {
+  if (!value || typeof value !== "object") {
+    return void 0;
+  }
+  const record = value;
+  const actor = parseActor(record.actor);
+  if (!actor) {
+    return void 0;
+  }
+  if (actor.type === "user") {
+    if ("subject" in record && record.subject !== void 0) {
+      return void 0;
+    }
+    return { actor };
+  }
+  if (!("subject" in record) || record.subject === void 0) {
+    return { actor };
+  }
+  const subject = parseSubject(record.subject);
+  if (!subject) {
+    return void 0;
+  }
+  return {
+    actor,
+    subject
+  };
+}
+function parseActor(value) {
+  if (value && typeof value === "object") {
+    const record = value;
+    if (record.type === "user" && typeof record.userId === "string" && record.userId) {
+      return { type: "user", userId: record.userId };
+    }
+    if (record.type === "system" && typeof record.id === "string" && record.id) {
+      return { type: "system", id: record.id };
+    }
+  }
+  return void 0;
+}
+function parseSubject(value) {
+  if (value && typeof value === "object") {
+    const record = value;
+    if (record.type === "user" && typeof record.userId === "string" && record.userId && record.allowedWhen === "private-direct-conversation") {
+      if (!record.binding || typeof record.binding !== "object") {
+        return void 0;
+      }
+      const binding = record.binding;
+      if (binding.type !== "slack-direct-conversation" || typeof binding.teamId !== "string" || !binding.teamId || typeof binding.channelId !== "string" || !binding.channelId || typeof binding.signature !== "string" || !binding.signature) {
+        return void 0;
+      }
+      return {
+        type: "user",
+        userId: record.userId,
+        allowedWhen: "private-direct-conversation",
+        binding: {
+          type: "slack-direct-conversation",
+          teamId: binding.teamId,
+          channelId: binding.channelId,
+          signature: binding.signature
+        }
+      };
+    }
+  }
+  return void 0;
+}
+
 // src/chat/credentials/oauth-scope.ts
 function parseScope(scope) {
   if (!scope) {
@@ -2911,6 +3092,7 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
     async issue(input) {
       const envToken = process.env[authTokenEnv]?.trim();
       const oauth = manifest.oauth;
+      const userSubjectId = credentialUserSubjectId(input.context);
       if (!oauth) {
         if (envToken) {
           return buildLease(envToken, Date.now() + MAX_LEASE_MS3, input.reason);
@@ -2920,11 +3102,8 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
           `No ${provider} credentials available.`
         );
       }
-      if (input.requesterId) {
-        const stored = await deps.userTokenStore.get(
-          input.requesterId,
-          provider
-        );
+      if (userSubjectId) {
+        const stored = await deps.userTokenStore.get(userSubjectId, provider);
         if (stored) {
           if (!hasRequiredOAuthScope(stored.scope, oauth.scope)) {
             throw new CredentialUnavailableError(
@@ -2946,11 +3125,7 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
                   `Your ${provider} connection needs to be reauthorized.`
                 );
               }
-              await deps.userTokenStore.set(
-                input.requesterId,
-                provider,
-                refreshed
-              );
+              await deps.userTokenStore.set(userSubjectId, provider, refreshed);
               return buildLease(
                 refreshed.accessToken,
                 getLeaseExpiry(refreshed.expiresAt),
@@ -3442,6 +3617,7 @@ export {
   resolveAuthTokenPlaceholder,
   parsePluginManifest,
   CredentialUnavailableError,
+  parseCredentialContext,
   hasRequiredOAuthScope,
   buildOAuthTokenRequest,
   parseOAuthTokenResponse,

package/dist/chunk-6YY4Q3D4.js

@@ -0,0 +1,12 @@
+// src/deployment.ts
+var JUNIOR_HEARTBEAT_ROUTE = "/api/internal/heartbeat";
+var JUNIOR_HEARTBEAT_CRON_SCHEDULE = "* * * * *";
+var JUNIOR_CONVERSATION_WORK_CALLBACK_ROUTE = "/api/internal/agent/continue";
+var LEGACY_JUNIOR_CONVERSATION_WORK_FUNCTION = "api/internal/agent/continue.ts";
+
+export {
+  JUNIOR_HEARTBEAT_ROUTE,
+  JUNIOR_HEARTBEAT_CRON_SCHEDULE,
+  JUNIOR_CONVERSATION_WORK_CALLBACK_ROUTE,
+  LEGACY_JUNIOR_CONVERSATION_WORK_FUNCTION
+};

package/dist/chunk-75UZ4JLC.js

@@ -0,0 +1,213 @@
+// src/plugins.ts
+function cloneManifests(manifests) {
+  return manifests ? structuredClone(manifests) : void 0;
+}
+function cloneInlineManifests(registrations) {
+  const inlineManifests = registrations.flatMap(
+    (plugin) => plugin.manifest ? [
+      {
+        manifest: {
+          ...structuredClone(plugin.manifest),
+          capabilities: plugin.manifest.capabilities?.map(
+            (capability) => capability.includes(".") ? capability : `${plugin.manifest.name}.${capability}`
+          ) ?? [],
+          configKeys: plugin.manifest.configKeys?.map(
+            (key) => key.includes(".") ? key : `${plugin.manifest.name}.${key}`
+          ) ?? [],
+          ...plugin.manifest.target ? {
+            target: {
+              ...plugin.manifest.target,
+              configKey: plugin.manifest.target.configKey.includes(".") ? plugin.manifest.target.configKey : `${plugin.manifest.name}.${plugin.manifest.target.configKey}`
+            }
+          } : {}
+        },
+        ...plugin.packageName ? { packageName: plugin.packageName } : {}
+      }
+    ] : []
+  );
+  return inlineManifests.length > 0 ? inlineManifests : void 0;
+}
+function assertUniquePluginNames(registrations) {
+  const seen = /* @__PURE__ */ new Set();
+  for (const plugin of registrations) {
+    if (seen.has(plugin.name)) {
+      throw new Error(`Duplicate plugin registration name "${plugin.name}"`);
+    }
+    seen.add(plugin.name);
+  }
+}
+function assertUniquePackageNames(packageNames) {
+  const seen = /* @__PURE__ */ new Set();
+  for (const packageName of packageNames) {
+    if (seen.has(packageName)) {
+      throw new Error(`Duplicate plugin package name "${packageName}"`);
+    }
+    seen.add(packageName);
+  }
+}
+function normalizePluginInput(input) {
+  if (typeof input === "string") {
+    return { packageName: input };
+  }
+  return { registration: input };
+}
+function defineJuniorPlugins(inputs, options = {}) {
+  const normalized = inputs.map(normalizePluginInput);
+  const packageNames = normalized.flatMap(
+    (input) => input.packageName ? [input.packageName] : []
+  );
+  const registrations = normalized.flatMap(
+    (input) => input.registration ? [input.registration] : []
+  );
+  assertUniquePackageNames(packageNames);
+  assertUniquePluginNames(registrations);
+  const manifests = cloneManifests(options.manifests);
+  return {
+    packageNames,
+    registrations: registrations.map((plugin) => ({ ...plugin })),
+    ...manifests ? { manifests } : {}
+  };
+}
+function pluginCatalogConfigFromPluginSet(pluginSet) {
+  if (!pluginSet) {
+    return void 0;
+  }
+  const packages = [
+    .../* @__PURE__ */ new Set([
+      ...pluginSet.packageNames,
+      ...pluginSet.registrations.flatMap(
+        (plugin) => plugin.packageName ? [plugin.packageName] : []
+      )
+    ])
+  ];
+  const manifests = cloneManifests(pluginSet.manifests);
+  const inlineManifests = cloneInlineManifests(pluginSet.registrations);
+  if (packages.length === 0 && !manifests && !inlineManifests) {
+    return void 0;
+  }
+  return {
+    ...inlineManifests ? { inlineManifests } : {},
+    ...packages.length > 0 ? { packages } : {},
+    ...manifests ? { manifests } : {}
+  };
+}
+function trustedPluginRegistrationsFromPluginSet(pluginSet) {
+  return pluginSet?.registrations.filter(
+    (plugin) => plugin.hooks || plugin.legacyStatePrefixes
+  ) ?? [];
+}
+
+// src/chat/task-execution/vercel-queue.ts
+import { QueueClient } from "@vercel/queue";
+
+// src/chat/task-execution/queue-signing.ts
+import { createHmac, timingSafeEqual } from "crypto";
+var CONVERSATION_WORK_QUEUE_SIGNATURE_CONTEXT = "junior.conversation_work_queue.v1";
+var CONVERSATION_WORK_QUEUE_SIGNATURE_VERSION = "v1";
+var CONVERSATION_WORK_QUEUE_SIGNATURE_MAX_SKEW_MS = 60 * 60 * 1e3;
+function getConversationWorkQueueSecret() {
+  return process.env.JUNIOR_SECRET?.trim() || void 0;
+}
+function buildSignedPayload(message, signedAtMs) {
+  return [
+    CONVERSATION_WORK_QUEUE_SIGNATURE_CONTEXT,
+    signedAtMs,
+    message.conversationId
+  ].join(":");
+}
+function signPayload(message, signedAtMs, secret) {
+  return createHmac("sha256", secret).update(buildSignedPayload(message, signedAtMs)).digest("hex");
+}
+function timingSafeMatch(expected, actual) {
+  const expectedBuffer = Buffer.from(expected);
+  const actualBuffer = Buffer.from(actual);
+  if (expectedBuffer.length !== actualBuffer.length) {
+    return false;
+  }
+  return timingSafeEqual(expectedBuffer, actualBuffer);
+}
+function parseSignedConversationQueueMessage(value) {
+  if (!value || typeof value !== "object") {
+    return void 0;
+  }
+  const record = value;
+  if (typeof record.conversationId !== "string" || !record.conversationId.trim() || record.signatureVersion !== CONVERSATION_WORK_QUEUE_SIGNATURE_VERSION || typeof record.signedAtMs !== "number" || !Number.isFinite(record.signedAtMs) || typeof record.signature !== "string" || !record.signature.trim()) {
+    return void 0;
+  }
+  return {
+    conversationId: record.conversationId,
+    signature: record.signature,
+    signatureVersion: CONVERSATION_WORK_QUEUE_SIGNATURE_VERSION,
+    signedAtMs: record.signedAtMs
+  };
+}
+function signConversationQueueMessage(message, nowMs = Date.now()) {
+  const secret = getConversationWorkQueueSecret();
+  if (!secret) {
+    throw new Error(
+      "Cannot sign conversation queue message without JUNIOR_SECRET"
+    );
+  }
+  return {
+    ...message,
+    signedAtMs: nowMs,
+    signatureVersion: CONVERSATION_WORK_QUEUE_SIGNATURE_VERSION,
+    signature: signPayload(message, nowMs, secret)
+  };
+}
+function verifySignedConversationQueueMessage(value, nowMs = Date.now()) {
+  const message = parseSignedConversationQueueMessage(value);
+  const secret = getConversationWorkQueueSecret();
+  if (!message || !secret || !Number.isFinite(nowMs) || Math.abs(nowMs - message.signedAtMs) > CONVERSATION_WORK_QUEUE_SIGNATURE_MAX_SKEW_MS) {
+    return void 0;
+  }
+  const expected = signPayload(message, message.signedAtMs, secret);
+  if (!timingSafeMatch(expected, message.signature)) {
+    return void 0;
+  }
+  return { conversationId: message.conversationId };
+}
+
+// src/chat/task-execution/vercel-queue.ts
+var DEFAULT_CONVERSATION_WORK_QUEUE_TOPIC = "junior_conversation_work";
+var defaultQueue;
+function getTopic(options) {
+  return options.topic || process.env.JUNIOR_CONVERSATION_WORK_QUEUE_TOPIC?.trim() || DEFAULT_CONVERSATION_WORK_QUEUE_TOPIC;
+}
+function toDelaySeconds(options) {
+  if (!options?.delayMs || options.delayMs <= 0) {
+    return void 0;
+  }
+  return Math.ceil(options.delayMs / 1e3);
+}
+function createVercelConversationWorkQueue(options = {}) {
+  const topic = getTopic(options);
+  const client = options.client ?? new QueueClient();
+  return {
+    async send(message, sendOptions) {
+      const result = await client.send(
+        topic,
+        signConversationQueueMessage(message),
+        {
+          idempotencyKey: sendOptions?.idempotencyKey,
+          delaySeconds: toDelaySeconds(sendOptions),
+          retentionSeconds: options.retentionSeconds
+        }
+      );
+      return result.messageId ? { messageId: result.messageId } : {};
+    }
+  };
+}
+function getVercelConversationWorkQueue() {
+  defaultQueue ??= createVercelConversationWorkQueue();
+  return defaultQueue;
+}
+
+export {
+  defineJuniorPlugins,
+  pluginCatalogConfigFromPluginSet,
+  trustedPluginRegistrationsFromPluginSet,
+  verifySignedConversationQueueMessage,
+  DEFAULT_CONVERSATION_WORK_QUEUE_TOPIC,
+  getVercelConversationWorkQueue
+};

package/dist/{chunk-D23WCM66.js → chunk-F57QSMOJ.js}

@@ -2,7 +2,7 @@ import {
   getPluginForSkillPath,
   getPluginSkillRoots,
   logWarn
-} from "./chunk-WDPWFMCE.js";
+} from "./chunk-657CJCUO.js";
 import {
   skillRoots
 } from "./chunk-KVZL5NZS.js";

package/dist/{chunk-WZFQQ6SP.js → chunk-HRQQS63X.js}

@@ -2,12 +2,12 @@ import {
   SANDBOX_WORKSPACE_ROOT,
   getStateAdapter,
   toOptionalTrimmed
-} from "./chunk-IGVHCX2U.js";
+} from "./chunk-ZOV3XJAH.js";
 import {
   getPluginRuntimeDependencies,
   getPluginRuntimePostinstall,
   withSpan
-} from "./chunk-WDPWFMCE.js";
+} from "./chunk-657CJCUO.js";
 
 // src/chat/sandbox/runtime-dependency-snapshots.ts
 import { createHash } from "crypto";