@sentry/junior 0.68.0 → 0.69.0

package/dist/app.js

@@ -1,8 +1,6 @@
 import {
   GET,
   JUNIOR_PERSONALITY,
-  SlackActionError,
-  TURN_CONTEXT_TAG,
   abandonAgentTurnSessionRecord,
   bindSlackDirectCredentialSubject,
   buildSentryConversationUrl,
@@ -13,7 +11,6 @@ import {
   createAgentPluginHookRunner,
   createAgentPluginLogger,
   createPluginState,
-  downloadPrivateSlackFile,
   escapeXml,
   failAgentTurnSessionRecord,
   getAgentPluginRoutes,
@@ -21,23 +18,17 @@ import {
   getAgentPluginTools,
   getAgentPlugins,
   getAgentTurnSessionRecord,
-  getFilePermalink,
-  getHeaderString,
   getInterruptionMarker,
-  getSlackClient,
-  isConversationChannel,
-  isConversationScopedChannel,
-  isDmChannel,
   listAgentTurnSessionSummaries,
   listAgentTurnSessionSummariesForConversation,
   loadConnectedMcpProviders,
   loadProjection,
-  normalizeSlackConversationId,
   normalizeSlackStatusText,
   recordAgentTurnSessionSummary,
   recordAuthorizationCompleted,
   recordAuthorizationRequested,
   recordMcpProviderConnected,
+  resolveChannelCapabilities,
   resolveSlackChannelTypeFromMessage,
   resolveSlackConversationContext,
   setAgentPlugins,
@@ -45,15 +36,14 @@ import {
   truncateStatusText,
   upsertAgentTurnSessionRecord,
   validateAgentPlugins,
-  verifySlackDirectCredentialSubject,
-  withSlackRetries
-} from "./chunk-UQQSW7QB.js";
+  verifySlackDirectCredentialSubject
+} from "./chunk-N3MORKTH.js";
 import {
   discoverSkills,
   findSkillByName,
   loadSkillsByName,
   parseSkillInvocation
-} from "./chunk-V47RLIO2.js";
+} from "./chunk-GT67ZWZQ.js";
 import {
   buildNonInteractiveShellScript,
   createSandboxInstance,
@@ -62,104 +52,143 @@ import {
   isSnapshotMissingError,
   resolveRuntimeDependencySnapshot,
   runNonInteractiveCommand
-} from "./chunk-PIVOJIUD.js";
+} from "./chunk-B5HKWWQB.js";
 import {
   ACTIVE_LOCK_TTL_MS,
+  SANDBOX_DATA_ROOT,
+  SANDBOX_SKILLS_ROOT,
+  SANDBOX_WORKSPACE_ROOT,
+  getStateAdapter,
+  sandboxSkillDir,
+  sandboxSkillFile
+} from "./chunk-R62YWUNO.js";
+import {
+  CredentialUnavailableError,
+  buildActorIdentity,
+  buildOAuthTokenRequest,
+  createPluginBroker,
+  credentialContextSchema,
+  getPluginCapabilityProviders,
+  getPluginCatalogSignature,
+  getPluginDefinition,
+  getPluginMcpProviders,
+  getPluginOAuthConfig,
+  getPluginProviders,
+  hasRequiredOAuthScope,
+  isActorUserId,
+  isPluginConfigKey,
+  isPluginProvider,
+  parseActorUserId,
+  parseOAuthTokenResponse,
+  resolveAuthTokenPlaceholder,
+  resolvePluginCommandEnv,
+  setPluginCatalogConfig,
+  slackActorIdentity
+} from "./chunk-UXG6TU2U.js";
+import {
+  defineJuniorPlugins,
+  getVercelConversationWorkQueue,
+  pluginCatalogConfigFromPluginSet,
+  pluginHookRegistrationsFromPluginSet,
+  resolveConversationWorkQueueTopic,
+  verifySignedConversationQueueMessage
+} from "./chunk-IGLNC5H6.js";
+import {
+  SlackActionError,
+  createSlackDestination,
+  destinationKey,
+  downloadPrivateSlackFile,
+  getFilePermalink,
+  getHeaderString,
+  getSlackClient,
+  isConversationScopedChannel,
+  isDmChannel,
+  normalizeSlackConversationId,
+  parseDestination,
+  sameDestination,
+  withSlackRetries
+} from "./chunk-76YMBKW7.js";
+import {
   FUNCTION_TIMEOUT_BUFFER_SECONDS,
   GEN_AI_PROVIDER_NAME,
   GEN_AI_SERVER_ADDRESS,
   GEN_AI_SERVER_PORT,
   MISSING_GATEWAY_CREDENTIALS_ERROR,
-  SANDBOX_DATA_ROOT,
-  SANDBOX_SKILLS_ROOT,
-  SANDBOX_WORKSPACE_ROOT,
   botConfig,
+  buildUserTurnText,
   completeObject,
   completeText,
+  encodeNonImageAttachmentForPrompt,
+  extractAssistantText,
   getChatConfig,
   getGatewayApiKey,
   getPiGatewayApiKeyOverride,
+  getPiMessageRole,
   getRuntimeMetadata,
+  getSessionIdentifiers,
   getSlackBotToken,
   getSlackClientId,
   getSlackClientSecret,
   getSlackReactionConfig,
   getSlackSigningSecret,
-  getStateAdapter,
+  getTerminalAssistantMessages,
+  hasRuntimeTurnContext,
+  isAssistantMessage,
+  isExecutionEscapeResponse,
+  isProviderRetryError,
+  isRawToolPayloadResponse,
+  isToolResultError,
+  isToolResultMessage,
+  nextProviderRetry,
   normalizeSlackEmojiName,
+  normalizeToolNameFromResult,
   parseSlackThreadId,
+  prependMissingRuntimeTurnContext,
   resolveConversationPrivacy,
   resolveGatewayModel,
   resolveSlackChannelIdFromMessage,
   resolveSlackChannelIdFromThreadId,
-  sandboxSkillDir,
-  sandboxSkillFile,
   setSlackReactionConfig,
+  stripRuntimeTurnContext,
+  summarizeMessageText,
   toGenAiMessageMetadata,
   toGenAiMessagesTraceAttributes,
   toGenAiPayloadMetadata,
   toGenAiPayloadTraceAttributes,
-  toGenAiTextMetadata
-} from "./chunk-EBVQXCD2.js";
+  toGenAiTextMetadata,
+  toObservablePromptPart,
+  trimTrailingAssistantMessages,
+  upsertActiveSkill
+} from "./chunk-JS4HURDT.js";
 import {
-  CredentialUnavailableError,
-  buildActorIdentity,
-  buildOAuthTokenRequest,
   buildTurnFailureResponse,
   createChatSdkLogger,
-  createPluginBroker,
   createRequestContext,
   extractGenAiUsageAttributes,
   extractGenAiUsageSummary,
   getActiveTraceId,
   getLogContextAttributes,
-  getPluginCapabilityProviders,
-  getPluginCatalogSignature,
-  getPluginDefinition,
-  getPluginMcpProviders,
-  getPluginOAuthConfig,
-  getPluginProviders,
-  hasRequiredOAuthScope,
-  isActorUserId,
-  isPluginConfigKey,
-  isPluginProvider,
+  homeDir,
   isRecord,
+  listReferenceFiles,
   logError,
   logException,
   logInfo,
   logWarn,
   normalizeGenAiFinishReason,
-  parseActorUserId,
-  parseCredentialContext,
-  parseOAuthTokenResponse,
-  resolveAuthTokenPlaceholder,
-  resolvePluginCommandEnv,
   serializeGenAiAttribute,
-  setPluginCatalogConfig,
   setSentryUser,
   setSpanAttributes,
   setSpanStatus,
   setTags,
-  slackActorIdentity,
   toOptionalNumber,
   toOptionalString,
   withContext,
   withSpan
-} from "./chunk-OIIXZOOC.js";
+} from "./chunk-BBXYXOJW.js";
 import {
   sentry_exports
 } from "./chunk-Z3YD6NHK.js";
-import {
-  defineJuniorPlugins,
-  getVercelConversationWorkQueue,
-  pluginCatalogConfigFromPluginSet,
-  trustedPluginRegistrationsFromPluginSet,
-  verifySignedConversationQueueMessage
-} from "./chunk-75UZ4JLC.js";
-import {
-  homeDir,
-  listReferenceFiles
-} from "./chunk-KVZL5NZS.js";
 import "./chunk-2KG3PWR4.js";
 
 // src/app.ts
@@ -3240,6 +3269,11 @@ async function listThreadReplies(input) {
   return replies.slice(0, targetLimit);
 }
 
+// src/chat/tools/slack/context.ts
+function getSlackDeliveryChannelId(context) {
+  return context.deliveryChannelId ?? context.channelId;
+}
+
 // src/chat/tools/slack/channel-list-messages.ts
 function createSlackChannelListMessagesTool(context) {
   return tool({
@@ -3292,7 +3326,7 @@ function createSlackChannelListMessagesTool(context) {
       inclusive,
       max_pages
     }) => {
-      const targetChannelId = context.channelId;
+      const targetChannelId = getSlackDeliveryChannelId(context);
       if (!targetChannelId) {
         return {
           ok: false,
@@ -3600,7 +3634,7 @@ function createSlackChannelPostMessageTool(context, state) {
       })
     }),
     execute: async ({ text }) => {
-      const targetChannelId = context.channelId;
+      const targetChannelId = getSlackDeliveryChannelId(context);
       if (!targetChannelId) {
         return {
           ok: false,
@@ -3971,7 +4005,7 @@ function createSlackCanvasCreateTool(context, state) {
       })
     }),
     execute: async ({ title, markdown }) => {
-      const targetChannelId = context.channelId;
+      const targetChannelId = getSlackDeliveryChannelId(context);
       if (!isConversationScopedChannel(targetChannelId)) {
         logError(
           "slack_canvas_create_invalid_context",
@@ -4860,7 +4894,10 @@ function createSlackThreadReadTool(context) {
           error: "Provide either a Slack message `url` or both `channel_id` and `ts`."
         };
       }
-      const access = checkChannelAccess(channelId, context.channelId);
+      const access = checkChannelAccess(
+        channelId,
+        getSlackDeliveryChannelId(context)
+      );
       if (!access.allowed) {
         return {
           ok: false,
@@ -5205,263 +5242,6 @@ import {
 } from "@earendil-works/pi-agent-core";
 import { Type as Type21 } from "@sinclair/typebox";
 
-// src/chat/respond-helpers.ts
-var MAX_INLINE_ATTACHMENT_BASE64_CHARS = 12e4;
-var RUNTIME_TURN_CONTEXT_START = `<${TURN_CONTEXT_TAG}>`;
-function getSessionIdentifiers(context) {
-  return {
-    conversationId: context.correlation?.conversationId ?? context.correlation?.threadId ?? context.correlation?.runId,
-    sessionId: context.correlation?.turnId
-  };
-}
-function isExecutionDeferralResponse(text) {
-  return /\b(want me to proceed|do you want me to proceed|shall i proceed|can i proceed|should i proceed|let me do that now|give me a moment|tag me again|fresh invocation)\b/i.test(
-    text
-  );
-}
-function isToolAccessDisclaimerResponse(text) {
-  return /\b(i (don't|do not) have access to (active )?tool|tool results came back empty|prior results .* empty|cannot access .*tool|need to (run|load) .*tool .* first)\b/i.test(
-    text
-  );
-}
-function isExecutionEscapeResponse(text) {
-  const trimmed = text.trim();
-  if (!trimmed) return false;
-  return isExecutionDeferralResponse(trimmed) || isToolAccessDisclaimerResponse(trimmed);
-}
-function parseJsonCandidate(text) {
-  const trimmed = text.trim();
-  if (!trimmed) return void 0;
-  try {
-    return JSON.parse(trimmed);
-  } catch {
-    const fenced = trimmed.match(/^```(?:json)?\s*([\s\S]*?)\s*```$/i);
-    if (!fenced) return void 0;
-    try {
-      return JSON.parse(fenced[1]);
-    } catch {
-      return void 0;
-    }
-  }
-}
-function isToolPayloadShape(payload) {
-  if (!payload || typeof payload !== "object") return false;
-  const record = payload;
-  const type = typeof record.type === "string" ? record.type.toLowerCase() : "";
-  if (type.startsWith("tool-")) return true;
-  if (type === "tool_use" || type === "tool_call" || type === "tool_result" || type === "tool_error")
-    return true;
-  const hasToolName = typeof record.toolName === "string" || typeof record.name === "string";
-  const hasToolInput = Object.prototype.hasOwnProperty.call(record, "input") || Object.prototype.hasOwnProperty.call(record, "args");
-  if (hasToolName && hasToolInput) return true;
-  return false;
-}
-function isRawToolPayloadResponse(text) {
-  const parsed = parseJsonCandidate(text);
-  if (Array.isArray(parsed)) {
-    return parsed.some((entry) => isToolPayloadShape(entry));
-  }
-  if (isToolPayloadShape(parsed)) {
-    return true;
-  }
-  const compact = text.replace(/\s+/g, " ");
-  return /"type"\s*:\s*"tool[-_](use|call|result|error)"/i.test(compact);
-}
-function toObservablePromptPart(part) {
-  if (part.type === "text") {
-    return {
-      type: "text",
-      text: part.text
-    };
-  }
-  return {
-    type: "image",
-    mimeType: part.mimeType,
-    data: `[omitted:${part.data.length}]`
-  };
-}
-function summarizeMessageText(text) {
-  const normalized = text.trim().replace(/\s+/g, " ");
-  if (!normalized) {
-    return "[empty]";
-  }
-  return normalized.length > 1200 ? `${normalized.slice(0, 1200)}...` : normalized;
-}
-function isStructuredThreadContext(context) {
-  return /^<thread-(compactions|transcript)>/.test(context);
-}
-function renderThreadContextForPrompt(context) {
-  if (isStructuredThreadContext(context)) {
-    return context;
-  }
-  return ["<thread-background>", context, "</thread-background>"].join("\n");
-}
-function buildUserTurnText(userInput, conversationContext) {
-  const trimmedContext = conversationContext?.trim();
-  if (!trimmedContext) {
-    return userInput;
-  }
-  return [
-    renderThreadContextForPrompt(trimmedContext),
-    "",
-    "<current-instruction>",
-    userInput,
-    "</current-instruction>"
-  ].join("\n");
-}
-function encodeNonImageAttachmentForPrompt(attachment) {
-  const base64 = attachment.data.toString("base64");
-  const wasTruncated = base64.length > MAX_INLINE_ATTACHMENT_BASE64_CHARS;
-  const encodedPayload = wasTruncated ? `${base64.slice(0, MAX_INLINE_ATTACHMENT_BASE64_CHARS)}...` : base64;
-  return [
-    "<attachment>",
-    `filename: ${attachment.filename ?? "unnamed"}`,
-    `media_type: ${attachment.mediaType}`,
-    "encoding: base64",
-    `truncated: ${wasTruncated ? "true" : "false"}`,
-    "<data_base64>",
-    encodedPayload,
-    "</data_base64>",
-    "</attachment>"
-  ].join("\n");
-}
-function isToolResultMessage(value) {
-  return typeof value === "object" && value !== null && value.role === "toolResult";
-}
-function normalizeToolNameFromResult(result) {
-  if (!result || typeof result !== "object") return void 0;
-  const record = result;
-  if (typeof record.toolName === "string" && record.toolName.length > 0) {
-    return record.toolName;
-  }
-  if (typeof record.name === "string" && record.name.length > 0) {
-    return record.name;
-  }
-  return void 0;
-}
-function isToolResultError(result) {
-  if (!result || typeof result !== "object") return false;
-  return Boolean(result.isError);
-}
-function isAssistantMessage(value) {
-  return typeof value === "object" && value !== null && value.role === "assistant";
-}
-function getPiMessageRole(value) {
-  if (!value || typeof value !== "object") {
-    return void 0;
-  }
-  const role = value.role;
-  return typeof role === "string" ? role : void 0;
-}
-function getUserMessageContent(message) {
-  const record = message;
-  return record.role === "user" && Array.isArray(record.content) ? record.content : void 0;
-}
-function isRuntimeTurnContextPart(part, marker) {
-  return part !== null && typeof part === "object" && part.type === "text" && typeof part.text === "string" && part.text.startsWith(marker);
-}
-function prependRuntimeTurnContext(message, turnContextPrompt) {
-  const content = getUserMessageContent(message);
-  if (!content) {
-    return void 0;
-  }
-  const contextIndex = content.findIndex(
-    (part) => isRuntimeTurnContextPart(part, RUNTIME_TURN_CONTEXT_START)
-  );
-  if (contextIndex >= 0) {
-    return void 0;
-  }
-  return {
-    ...message,
-    content: [{ type: "text", text: turnContextPrompt }, ...content]
-  };
-}
-function prependMissingRuntimeTurnContext(messages, turnContextPrompt) {
-  if (hasRuntimeTurnContext(messages)) {
-    return messages;
-  }
-  for (let index = messages.length - 1; index >= 0; index -= 1) {
-    const updated = prependRuntimeTurnContext(
-      messages[index],
-      turnContextPrompt
-    );
-    if (!updated) {
-      continue;
-    }
-    const nextMessages = [...messages];
-    nextMessages[index] = updated;
-    return nextMessages;
-  }
-  return [
-    ...messages,
-    {
-      role: "user",
-      content: [{ type: "text", text: turnContextPrompt }],
-      timestamp: Date.now()
-    }
-  ];
-}
-function hasRuntimeTurnContext(messages) {
-  return messages.some(
-    (message) => getUserMessageContent(message)?.some(
-      (part) => isRuntimeTurnContextPart(part, RUNTIME_TURN_CONTEXT_START)
-    )
-  );
-}
-function stripRuntimeTurnContext(messages) {
-  return messages.flatMap((message) => {
-    const content = getUserMessageContent(message);
-    if (!content) {
-      return [message];
-    }
-    const nextContent = content.filter(
-      (part) => !isRuntimeTurnContextPart(part, RUNTIME_TURN_CONTEXT_START)
-    );
-    if (nextContent.length === content.length) {
-      return [message];
-    }
-    if (nextContent.length === 0) {
-      return [];
-    }
-    return [{ ...message, content: nextContent }];
-  });
-}
-function extractAssistantText(message) {
-  const content = message.content ?? [];
-  return content.filter(
-    (part) => part.type === "text" && typeof part.text === "string"
-  ).map((part) => part.text).join("\n");
-}
-function getTerminalAssistantMessages(messages) {
-  let lastToolResultIndex = -1;
-  for (let index = messages.length - 1; index >= 0; index -= 1) {
-    if (isToolResultMessage(messages[index])) {
-      lastToolResultIndex = index;
-      break;
-    }
-  }
-  return messages.slice(lastToolResultIndex + 1).filter(isAssistantMessage);
-}
-function upsertActiveSkill(activeSkills, next) {
-  const existing = activeSkills.find((skill) => skill.name === next.name);
-  if (existing) {
-    existing.body = next.body;
-    existing.description = next.description;
-    existing.skillPath = next.skillPath;
-    existing.allowedTools = next.allowedTools;
-    existing.pluginProvider = next.pluginProvider;
-    return;
-  }
-  activeSkills.push(next);
-}
-function trimTrailingAssistantMessages(messages) {
-  let end = messages.length;
-  while (end > 0 && getPiMessageRole(messages[end - 1]) === "assistant") {
-    end -= 1;
-  }
-  return end === messages.length ? [...messages] : messages.slice(0, end);
-}
-
 // src/chat/state/ttl.ts
 var JUNIOR_THREAD_STATE_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
 
@@ -6431,18 +6211,20 @@ function createTools(availableSkills, hooks = {}, context) {
     tools.searchMcpTools = createSearchMcpToolsTool(context.mcpToolManager);
     tools.callMcpTool = createCallMcpToolTool(context.mcpToolManager);
   }
-  const { channelCapabilities } = context;
-  if (channelCapabilities.canCreateCanvas) {
+  const outputChannelId = getSlackDeliveryChannelId(context);
+  const outputCapabilities = resolveChannelCapabilities(outputChannelId);
+  const rawChannelCapabilities = resolveChannelCapabilities(context.channelId);
+  if (outputCapabilities.canCreateCanvas) {
     tools.slackCanvasCreate = createSlackCanvasCreateTool(context, state);
   }
-  if (channelCapabilities.canPostToChannel) {
+  if (outputCapabilities.canPostToChannel) {
     tools.slackChannelPostMessage = createSlackChannelPostMessageTool(
       context,
       state
     );
     tools.slackChannelListMessages = createSlackChannelListMessagesTool(context);
   }
-  if (channelCapabilities.canAddReactions) {
+  if (rawChannelCapabilities.canAddReactions) {
     tools.slackMessageAddReaction = createSlackMessageAddReactionTool(
       context,
       state
@@ -6452,24 +6234,13 @@ function createTools(availableSkills, hooks = {}, context) {
     getAgentPluginTools(context)
   )) {
     if (tools[name]) {
-      throw new Error(
-        `Trusted plugin tool "${name}" conflicts with a core tool`
-      );
+      throw new Error(`Plugin tool "${name}" conflicts with a core tool`);
     }
     tools[name] = pluginTool;
   }
   return tools;
 }
 
-// src/chat/tools/channel-capabilities.ts
-function resolveChannelCapabilities(channelId) {
-  return {
-    canCreateCanvas: isConversationScopedChannel(channelId),
-    canPostToChannel: isConversationChannel(channelId),
-    canAddReactions: isConversationScopedChannel(channelId)
-  };
-}
-
 // src/chat/pi/traced-stream.ts
 import {
   streamSimple
@@ -6581,6 +6352,33 @@ import fs3 from "fs/promises";
 // src/chat/oauth-flow.ts
 import { randomBytes } from "crypto";
 var OAUTH_STATE_TTL_MS = 10 * 60 * 1e3;
+function optionalString(value) {
+  return typeof value === "string" ? value : void 0;
+}
+function parseOAuthStatePayload(value) {
+  if (!isRecord(value)) {
+    return void 0;
+  }
+  if (typeof value.userId !== "string" || typeof value.provider !== "string") {
+    return void 0;
+  }
+  const destination = parseDestination(value.destination);
+  if (value.destination !== void 0 && !destination) {
+    return void 0;
+  }
+  return {
+    userId: value.userId,
+    provider: value.provider,
+    ...optionalString(value.channelId) ? { channelId: optionalString(value.channelId) } : {},
+    ...destination ? { destination } : {},
+    ...optionalString(value.threadTs) ? { threadTs: optionalString(value.threadTs) } : {},
+    ...optionalString(value.pendingMessage) ? { pendingMessage: optionalString(value.pendingMessage) } : {},
+    ...isRecord(value.configuration) ? { configuration: value.configuration } : {},
+    ...optionalString(value.resumeConversationId) ? { resumeConversationId: optionalString(value.resumeConversationId) } : {},
+    ...optionalString(value.resumeSessionId) ? { resumeSessionId: optionalString(value.resumeSessionId) } : {},
+    ...optionalString(value.scope) ? { scope: optionalString(value.scope) } : {}
+  };
+}
 function formatProviderLabel(provider) {
   return provider.charAt(0).toUpperCase() + provider.slice(1);
 }
@@ -6684,17 +6482,20 @@ async function startOAuthFlow(provider, input) {
   }
   const configuration = input.userMessage && input.channelConfiguration ? await input.channelConfiguration.resolveValues() : void 0;
   const state = randomBytes(32).toString("hex");
+  const requestedScope = input.scope ?? providerConfig.scope;
   await getStateAdapter().set(
     `oauth-state:${state}`,
     {
       userId: input.requesterId,
       provider,
       ...input.channelId ? { channelId: input.channelId } : {},
+      ...input.destination ? { destination: input.destination } : {},
       ...input.threadTs ? { threadTs: input.threadTs } : {},
       ...input.userMessage ? { pendingMessage: input.userMessage } : {},
       ...configuration && Object.keys(configuration).length > 0 ? { configuration } : {},
       ...input.resumeConversationId ? { resumeConversationId: input.resumeConversationId } : {},
-      ...input.resumeSessionId ? { resumeSessionId: input.resumeSessionId } : {}
+      ...input.resumeSessionId ? { resumeSessionId: input.resumeSessionId } : {},
+      ...requestedScope ? { scope: requestedScope } : {}
     },
     OAUTH_STATE_TTL_MS
   );
@@ -6704,8 +6505,8 @@ async function startOAuthFlow(provider, input) {
     redirect_uri: `${baseUrl}${providerConfig.callbackPath}`,
     response_type: "code"
   });
-  if (providerConfig.scope) {
-    authorizeParams.set("scope", providerConfig.scope);
+  if (requestedScope) {
+    authorizeParams.set("scope", requestedScope);
   }
   for (const [key, value] of Object.entries(
     providerConfig.authorizeParams ?? {}
@@ -6734,22 +6535,87 @@ async function startOAuthFlow(provider, input) {
 
 // src/chat/sandbox/egress-session.ts
 import { createHmac, randomUUID, timingSafeEqual } from "crypto";
+
+// src/chat/sandbox/egress-schemas.ts
+import { z } from "zod";
+import {
+  agentPluginAuthorizationSchema,
+  agentPluginCredentialHeaderTransformSchema,
+  agentPluginGrantSchema,
+  agentPluginProviderAccountSchema
+} from "@sentry/junior-plugin-api";
+var finiteNumberSchema = z.number().refine(Number.isFinite);
+var providerNameSchema = z.string().regex(/^[a-z][a-z0-9-]*$/);
+var sandboxEgressGrantSchema = agentPluginGrantSchema;
+var sandboxEgressCredentialContextSchema = z.object({
+  credentials: credentialContextSchema,
+  egressId: z.string().min(1),
+  expiresAtMs: finiteNumberSchema,
+  contextId: z.string().min(1)
+}).strict();
+var sandboxEgressCredentialLeaseSchema = z.object({
+  account: agentPluginProviderAccountSchema.optional(),
+  authorization: agentPluginAuthorizationSchema.optional(),
+  grant: sandboxEgressGrantSchema,
+  provider: providerNameSchema,
+  expiresAt: z.string().min(1),
+  headerTransforms: z.array(agentPluginCredentialHeaderTransformSchema).min(1)
+}).strict();
+var sandboxEgressAuthRequiredSignalSchema = z.object({
+  authorization: agentPluginAuthorizationSchema.optional(),
+  grant: sandboxEgressGrantSchema,
+  provider: providerNameSchema,
+  message: z.string().optional(),
+  createdAtMs: finiteNumberSchema
+}).strict().superRefine((signal, ctx) => {
+  if (signal.authorization && signal.authorization.provider !== signal.provider) {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "Auth signal authorization provider must match provider",
+      path: ["authorization", "provider"]
+    });
+  }
+});
+var sandboxEgressPermissionDeniedSignalSchema = z.object({
+  account: agentPluginProviderAccountSchema.optional(),
+  acceptedPermissions: z.string().optional(),
+  grant: sandboxEgressGrantSchema,
+  message: z.string().min(1),
+  provider: providerNameSchema,
+  source: z.literal("upstream"),
+  sso: z.string().optional(),
+  status: z.literal(403),
+  upstreamHost: z.string().min(1),
+  upstreamPath: z.string().min(1),
+  createdAtMs: finiteNumberSchema
+}).strict();
+function parseSandboxEgressAuthRequiredSignal(value) {
+  const result = sandboxEgressAuthRequiredSignalSchema.safeParse(value);
+  return result.success ? result.data : void 0;
+}
+function parseSandboxEgressPermissionDeniedSignal(value) {
+  const result = sandboxEgressPermissionDeniedSignalSchema.safeParse(value);
+  return result.success ? result.data : void 0;
+}
+
+// src/chat/sandbox/egress-session.ts
 var SANDBOX_EGRESS_PROXY_PATH = "/api/internal/sandbox-egress";
 var SANDBOX_EGRESS_TOKEN_VERSION = "v1";
 var SANDBOX_EGRESS_HMAC_CONTEXT = "junior.sandbox_egress.v1";
+var SANDBOX_EGRESS_AUTH_SIGNAL_PREFIX = "sandbox-egress-auth-required";
+var SANDBOX_EGRESS_PERMISSION_SIGNAL_PREFIX = "sandbox-egress-permission-denied";
 var SANDBOX_EGRESS_LEASE_PREFIX = "sandbox-egress-lease";
 var DEFAULT_SESSION_TTL_MS = 30 * 60 * 1e3;
-function leaseKey(provider, context) {
+function leaseKey(provider, grantName, context) {
   const actor = context.credentials.actor;
   const actorKey = actor.type === "user" ? `user:${actor.userId}` : `system:${actor.id}`;
-  return `${SANDBOX_EGRESS_LEASE_PREFIX}:${provider}:${actorKey}:${context.egressId}:${context.contextId}`;
+  return `${SANDBOX_EGRESS_LEASE_PREFIX}:${provider}:${grantName}:${actorKey}:${context.egressId}:${context.contextId}`;
 }
-function getSandboxEgressSecret() {
-  const secret = process.env.JUNIOR_SECRET?.trim();
-  if (secret) {
-    return secret;
-  }
-  throw new Error("Cannot determine sandbox egress secret (set JUNIOR_SECRET)");
+function authSignalKey(egressId, access) {
+  return `${SANDBOX_EGRESS_AUTH_SIGNAL_PREFIX}:${egressId}:${access}`;
+}
+function permissionSignalKey(egressId, access) {
+  return `${SANDBOX_EGRESS_PERMISSION_SIGNAL_PREFIX}:${egressId}:${access}`;
 }
 function base64Url(input) {
   return Buffer.from(input, "utf8").toString("base64url");
@@ -6769,49 +6635,32 @@ function timingSafeMatch(expected, actual) {
   return timingSafeEqual(expectedBuffer, actualBuffer);
 }
 function parseSandboxEgressContext(value) {
-  if (!value || typeof value !== "object") {
+  const result = sandboxEgressCredentialContextSchema.safeParse(value);
+  if (!result.success) {
     return void 0;
   }
-  const record = value;
-  const credentials = parseCredentialContext(record.credentials);
-  if (!credentials || typeof record.egressId !== "string" || !record.egressId || typeof record.expiresAtMs !== "number" || !Number.isFinite(record.expiresAtMs) || typeof record.contextId !== "string" || !record.contextId) {
-    return void 0;
-  }
-  if (record.expiresAtMs <= Date.now()) {
+  if (result.data.expiresAtMs <= Date.now()) {
     return void 0;
   }
-  return {
-    credentials,
-    egressId: record.egressId,
-    expiresAtMs: record.expiresAtMs,
-    contextId: record.contextId
-  };
+  return result.data;
 }
 function parseLease(value) {
-  if (!value || typeof value !== "object") {
-    return void 0;
-  }
-  const record = value;
-  if (typeof record.provider !== "string" || typeof record.expiresAt !== "string" || !Array.isArray(record.headerTransforms)) {
+  const result = sandboxEgressCredentialLeaseSchema.safeParse(value);
+  if (!result.success) {
     return void 0;
   }
-  const expiresAtMs = Date.parse(record.expiresAt);
+  const expiresAtMs = Date.parse(result.data.expiresAt);
   if (!Number.isFinite(expiresAtMs) || expiresAtMs <= Date.now()) {
     return void 0;
   }
-  const headerTransforms = record.headerTransforms.filter(
-    (transform) => Boolean(
-      transform && typeof transform.domain === "string" && transform.headers && typeof transform.headers === "object"
-    )
-  );
-  if (headerTransforms.length === 0) {
-    return void 0;
+  return result.data;
+}
+function getSandboxEgressSecret() {
+  const secret = process.env.JUNIOR_SECRET?.trim();
+  if (secret) {
+    return secret;
   }
-  return {
-    provider: record.provider,
-    expiresAt: record.expiresAt,
-    headerTransforms
-  };
+  throw new Error("Cannot determine sandbox egress secret (set JUNIOR_SECRET)");
 }
 function createSandboxEgressCredentialToken(input) {
   const ttlMs = Math.max(1, input.ttlMs ?? DEFAULT_SESSION_TTL_MS);
@@ -6861,17 +6710,94 @@ async function setSandboxEgressCredentialLease(context, lease) {
   );
   const state = getStateAdapter();
   await state.connect();
-  await state.set(leaseKey(lease.provider, context), lease, ttlMs);
-}
-async function getSandboxEgressCredentialLease(provider, context) {
-  const state = getStateAdapter();
+  await state.set(
+    leaseKey(lease.provider, lease.grant.name, context),
+    lease,
+    ttlMs
+  );
+}
+async function getSandboxEgressCredentialLease(provider, grantName, context) {
+  const state = getStateAdapter();
+  await state.connect();
+  return parseLease(await state.get(leaseKey(provider, grantName, context)));
+}
+async function clearSandboxEgressCredentialLease(provider, grantName, context) {
+  const state = getStateAdapter();
+  await state.connect();
+  await state.delete(leaseKey(provider, grantName, context));
+}
+async function setSandboxEgressAuthRequiredSignal(context, signal) {
+  const ttlMs = Math.max(1, context.expiresAtMs - Date.now());
+  const state = getStateAdapter();
+  await state.connect();
+  await state.set(
+    authSignalKey(context.egressId, signal.grant.access),
+    {
+      ...signal,
+      createdAtMs: Date.now()
+    },
+    ttlMs
+  );
+}
+async function setSandboxEgressPermissionDeniedSignal(context, signal) {
+  const ttlMs = Math.max(1, context.expiresAtMs - Date.now());
+  const state = getStateAdapter();
+  await state.connect();
+  await state.set(
+    permissionSignalKey(context.egressId, signal.grant.access),
+    {
+      ...signal,
+      createdAtMs: Date.now()
+    },
+    ttlMs
+  );
+}
+async function clearSandboxEgressSignals(egressId) {
+  if (!egressId) {
+    return;
+  }
+  const state = getStateAdapter();
+  await state.connect();
+  await Promise.all([
+    state.delete(authSignalKey(egressId, "read")),
+    state.delete(authSignalKey(egressId, "write")),
+    state.delete(permissionSignalKey(egressId, "read")),
+    state.delete(permissionSignalKey(egressId, "write"))
+  ]);
+}
+async function consumeSandboxEgressAuthRequiredSignal(egressId) {
+  if (!egressId) {
+    return void 0;
+  }
+  const state = getStateAdapter();
   await state.connect();
-  return parseLease(await state.get(leaseKey(provider, context)));
+  const [writeSignal, readSignal] = await Promise.all([
+    state.get(authSignalKey(egressId, "write")),
+    state.get(authSignalKey(egressId, "read"))
+  ]);
+  const signal = parseSandboxEgressAuthRequiredSignal(writeSignal) ?? parseSandboxEgressAuthRequiredSignal(readSignal);
+  await Promise.all([
+    state.delete(authSignalKey(egressId, "read")),
+    state.delete(authSignalKey(egressId, "write"))
+  ]);
+  return signal;
 }
-async function clearSandboxEgressCredentialLease(provider, context) {
+async function consumeSandboxEgressPermissionDeniedSignal(egressId) {
+  if (!egressId) {
+    return void 0;
+  }
   const state = getStateAdapter();
   await state.connect();
-  await state.delete(leaseKey(provider, context));
+  const [writeSignal, readSignal] = await Promise.all([
+    state.get(permissionSignalKey(egressId, "write")),
+    state.get(permissionSignalKey(egressId, "read"))
+  ]);
+  const signal = parseSandboxEgressPermissionDeniedSignal(writeSignal) ?? parseSandboxEgressPermissionDeniedSignal(readSignal);
+  await Promise.all([
+    state.delete(permissionSignalKey(egressId, "read")),
+    state.delete(permissionSignalKey(egressId, "write"))
+  ]);
+  return signal;
 }
 
 // src/chat/sandbox/egress-policy.ts
@@ -6929,7 +6855,7 @@ async function resolveSandboxCommandEnvironment() {
   )) {
     Object.assign(env, resolvePluginCommandEnv(plugin.manifest));
     const credentials = plugin.manifest.credentials;
-    if (credentials) {
+    if (credentials?.authTokenEnv) {
       env[credentials.authTokenEnv] = resolveAuthTokenPlaceholder(credentials);
     }
   }
@@ -7829,10 +7755,6 @@ function createSandboxSessionManager(options) {
         let timeoutId;
         let onAbort;
         try {
-          if (input.signal?.aborted) {
-            return getCommandAbortedResult();
-          }
-          await refreshNetworkPolicy(sandboxInstance);
           if (input.signal?.aborted) {
             return getCommandAbortedResult();
           }
@@ -7943,6 +7865,9 @@ function createSandboxSessionManager(options) {
     getSandboxId() {
       return sandbox ? sandbox.sandboxId : sandboxIdHint;
     },
+    getSandboxEgressId() {
+      return sandbox?.sandboxEgressId;
+    },
     getDependencyProfileHash() {
       return dependencyProfileHash;
     },
@@ -8075,6 +8000,8 @@ function createSandboxExecutor(options) {
       "app.sandbox.command_length": command.length
     });
     const executeBash = (await sessionManager.ensureToolExecutors()).bash;
+    const activeEgressId = sessionManager.getSandboxEgressId();
+    await clearSandboxEgressSignals(activeEgressId);
     const result = await withSandboxSpan(
       "bash",
       "process.exec",
@@ -8112,6 +8039,8 @@ function createSandboxExecutor(options) {
         }
       }
     );
+    const authRequired = result.exitCode !== 0 ? await consumeSandboxEgressAuthRequiredSignal(activeEgressId) : void 0;
+    const permissionDenied = result.exitCode !== 0 ? await consumeSandboxEgressPermissionDeniedSignal(activeEgressId) : void 0;
     return {
       result: {
         ok: result.exitCode === 0,
@@ -8123,7 +8052,9 @@ function createSandboxExecutor(options) {
         stdout: result.stdout,
         stderr: result.stderr,
         stdout_truncated: result.stdoutTruncated,
-        stderr_truncated: result.stderrTruncated
+        stderr_truncated: result.stderrTruncated,
+        ...authRequired ? { auth_required: authRequired } : {},
+        ...permissionDenied ? { permission_denied: permissionDenied } : {}
       }
     };
   };
@@ -8544,13 +8475,90 @@ function toToolContentText(value) {
     return String(value);
   }
 }
+function isRecord3(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function stringField(record, key) {
+  const value = record[key];
+  return typeof value === "string" ? value : "";
+}
+function stringListField(record, key) {
+  const value = record[key];
+  return Array.isArray(value) ? value.filter((item) => typeof item === "string") : [];
+}
+function accountText(value) {
+  if (!isRecord3(value)) {
+    return void 0;
+  }
+  const label = stringField(value, "label") || stringField(value, "id");
+  const id = stringField(value, "id");
+  if (!label) {
+    return void 0;
+  }
+  return id && id !== label ? `${label} (${id})` : label;
+}
+function upstreamPermissionDeniedText(value) {
+  if (!isRecord3(value) || !isRecord3(value.permission_denied)) {
+    return void 0;
+  }
+  const signal = value.permission_denied;
+  if (signal.source !== "upstream" || signal.status !== 403) {
+    return void 0;
+  }
+  const provider = stringField(signal, "provider");
+  const message = stringField(signal, "message");
+  const upstreamHost = stringField(signal, "upstreamHost");
+  const upstreamPath2 = stringField(signal, "upstreamPath");
+  if (!provider || !message || !upstreamHost || !upstreamPath2) {
+    return void 0;
+  }
+  const grant = isRecord3(signal.grant) ? signal.grant : {};
+  const grantName = stringField(grant, "name");
+  const grantAccess = stringField(grant, "access");
+  const grantReason = stringField(grant, "reason");
+  const grantRequirements = stringListField(grant, "requirements");
+  const account = accountText(signal.account);
+  const command = stringField(value, "command");
+  const stderr = stringField(value, "stderr").trim();
+  const stdout = stringField(value, "stdout").trim();
+  const acceptedPermissions = stringField(signal, "acceptedPermissions");
+  const sso = stringField(signal, "sso");
+  return [
+    "Upstream permission denied.",
+    message,
+    "",
+    `Provider: ${provider}`,
+    ...account ? [`Provider account: ${account}`] : [],
+    `Grant: ${grantName || "unknown"}${grantAccess ? ` (${grantAccess}${grantReason ? `, ${grantReason}` : ""})` : ""}`,
+    ...grantRequirements.length > 0 ? [
+      "Provider requirements:",
+      ...grantRequirements.map((item) => `- ${item}`)
+    ] : [],
+    `Upstream: ${upstreamHost}${upstreamPath2}`,
+    "Status: 403",
+    ...acceptedPermissions ? [`Accepted provider permissions: ${acceptedPermissions}`] : [],
+    ...sso ? [`Provider SSO: ${sso}`] : [],
+    ...command ? [`Command: ${command}`] : [],
+    "",
+    "Junior had a credential lease for this grant and forwarded the request. Do not diagnose this as a missing user token or a local Junior runtime block; diagnose provider-side permissions, installation scope, SSO, or requester-provider account access.",
+    ...stderr ? ["", `stderr:
+${stderr}`] : [],
+    ...stdout ? ["", `stdout:
+${stdout}`] : []
+  ].join("\n");
+}
 function normalizeToolResult(result, isSandboxResult) {
   const unwrapped = isSandboxResult && result && typeof result === "object" && "result" in result ? result.result : result;
   if (isStructuredToolExecutionResult(unwrapped)) {
     return unwrapped;
   }
   return {
-    content: [{ type: "text", text: toToolContentText(unwrapped) }],
+    content: [
+      {
+        type: "text",
+        text: upstreamPermissionDeniedText(unwrapped) ?? toToolContentText(unwrapped)
+      }
+    ],
     details: unwrapped
   };
 }
@@ -8609,11 +8617,16 @@ function parseMcpAuthSession(value) {
     if (typeof parsed.authSessionId !== "string" || typeof parsed.provider !== "string" || typeof parsed.userId !== "string" || typeof parsed.conversationId !== "string" || typeof parsed.sessionId !== "string" || typeof parsed.userMessage !== "string" || typeof parsed.createdAtMs !== "number" || typeof parsed.updatedAtMs !== "number") {
       return void 0;
     }
+    const destination = parsed.destination === void 0 ? void 0 : parseDestination(parsed.destination);
+    if (parsed.destination !== void 0 && !destination) {
+      return void 0;
+    }
     return {
       authSessionId: parsed.authSessionId,
       provider: parsed.provider,
       userId: parsed.userId,
       conversationId: parsed.conversationId,
+      ...destination ? { destination } : {},
       sessionId: parsed.sessionId,
       userMessage: parsed.userMessage,
       createdAtMs: parsed.createdAtMs,
@@ -8709,6 +8722,7 @@ async function patchMcpAuthSession(authSessionId, patch) {
     provider: current.provider,
     userId: current.userId,
     conversationId: current.conversationId,
+    ...current.destination ? { destination: current.destination } : {},
     sessionId: current.sessionId,
     userMessage: current.userMessage,
     createdAtMs: current.createdAtMs,
@@ -8830,14 +8844,14 @@ function canReusePendingAuthLink(args) {
   if (!pendingAuth) {
     return false;
   }
-  return pendingAuth.kind === args.kind && pendingAuth.provider === args.provider && pendingAuth.requesterId === args.requesterId && pendingAuth.linkSentAtMs + AUTH_LINK_REUSE_WINDOW_MS > (args.nowMs ?? Date.now());
+  return pendingAuth.kind === args.kind && pendingAuth.provider === args.provider && pendingAuth.requesterId === args.requesterId && pendingAuth.scope === args.scope && pendingAuth.linkSentAtMs + AUTH_LINK_REUSE_WINDOW_MS > (args.nowMs ?? Date.now());
 }
 function getConversationPendingAuth(args) {
   const pendingAuth = args.conversation.processing.pendingAuth;
   if (!pendingAuth) {
     return void 0;
   }
-  if (pendingAuth.kind !== args.kind || pendingAuth.provider !== args.provider || pendingAuth.requesterId !== args.requesterId) {
+  if (pendingAuth.kind !== args.kind || pendingAuth.provider !== args.provider || pendingAuth.requesterId !== args.requesterId || pendingAuth.scope !== args.scope) {
     return void 0;
   }
   return pendingAuth;
@@ -8873,6 +8887,148 @@ function isPendingAuthLatestRequest(conversation, pendingAuth) {
   return false;
 }
 
+// src/chat/plugins/credential-hooks.ts
+import {
+  agentPluginAuthorizationSchema as agentPluginAuthorizationSchema2,
+  agentPluginCredentialResultSchema,
+  agentPluginGrantSchema as agentPluginGrantSchema2,
+  agentPluginProviderAccountSchema as agentPluginProviderAccountSchema2
+} from "@sentry/junior-plugin-api";
+function parseSchema(schema, value, message) {
+  const result = schema.safeParse(value);
+  if (!result.success) {
+    throw new Error(message);
+  }
+  return result.data;
+}
+function parseAuthorization(value, pluginName) {
+  if (value === void 0) {
+    return void 0;
+  }
+  const authorization = parseSchema(
+    agentPluginAuthorizationSchema2,
+    value,
+    `Plugin "${pluginName}" grant authorization is invalid`
+  );
+  if (authorization.provider !== pluginName) {
+    throw new Error(
+      `Plugin "${pluginName}" grant authorization provider must match the issuing plugin`
+    );
+  }
+  return authorization;
+}
+function parseGrant(value, pluginName) {
+  return parseSchema(
+    agentPluginGrantSchema2,
+    value,
+    `Plugin "${pluginName}" grantForEgress returned an invalid grant`
+  );
+}
+function agentPluginFor(provider) {
+  return getAgentPlugins().find((candidate) => candidate.name === provider);
+}
+function parseCredentialResult(value, pluginName) {
+  const result = parseSchema(
+    agentPluginCredentialResultSchema,
+    value,
+    `Plugin "${pluginName}" issueCredential result is invalid`
+  );
+  if (result.type === "lease") {
+    parseAuthorization(result.lease.authorization, pluginName);
+    return result;
+  }
+  if (result.type === "unavailable") {
+    return result;
+  }
+  parseAuthorization(result.authorization, pluginName);
+  return result;
+}
+async function selectPluginGrant(input) {
+  const plugin = agentPluginFor(input.provider);
+  const hook = plugin?.hooks?.grantForEgress;
+  if (!plugin || !hook) {
+    return void 0;
+  }
+  const result = await hook({
+    plugin: { name: plugin.name },
+    log: createAgentPluginLogger(plugin.name),
+    request: {
+      method: input.method,
+      url: input.upstreamUrl.toString()
+    }
+  });
+  return result === void 0 ? void 0 : parseGrant(result, plugin.name);
+}
+function hasEgressCredentialHooks(provider) {
+  const hooks = agentPluginFor(provider)?.hooks;
+  return Boolean(hooks?.grantForEgress || hooks?.issueCredential);
+}
+async function resolvePluginOAuthAccount(input) {
+  const plugin = agentPluginFor(input.provider);
+  const hook = plugin?.hooks?.resolveOAuthAccount;
+  if (!plugin || !hook) {
+    return void 0;
+  }
+  const account = await hook({
+    plugin: { name: plugin.name },
+    log: createAgentPluginLogger(plugin.name),
+    tokens: input.tokens
+  });
+  return account === void 0 ? void 0 : parseSchema(
+    agentPluginProviderAccountSchema2,
+    account,
+    `Plugin "${plugin.name}" resolveOAuthAccount returned an invalid account`
+  );
+}
+async function issuePluginCredential(input) {
+  const plugin = agentPluginFor(input.provider);
+  const hook = plugin?.hooks?.issueCredential;
+  if (!plugin || !hook) {
+    throw new Error(`Plugin "${input.provider}" has no issueCredential hook`);
+  }
+  const currentUserId = input.actor.type === "user" ? input.actor.userId : void 0;
+  const credentialSubjectUserId = input.credentialSubject?.userId;
+  const result = await hook({
+    plugin: { name: plugin.name },
+    log: createAgentPluginLogger(plugin.name),
+    actor: input.actor,
+    grant: input.grant,
+    ...input.credentialSubject ? { credentialSubject: input.credentialSubject } : {},
+    tokens: {
+      ...currentUserId ? {
+        currentUser: {
+          userId: currentUserId,
+          get: async () => await input.userTokenStore.get(currentUserId, plugin.name),
+          set: async (tokens) => {
+            await input.userTokenStore.set(
+              currentUserId,
+              plugin.name,
+              tokens
+            );
+          }
+        }
+      } : {},
+      ...credentialSubjectUserId ? {
+        credentialSubject: {
+          userId: credentialSubjectUserId,
+          get: async () => await input.userTokenStore.get(
+            credentialSubjectUserId,
+            plugin.name
+          ),
+          set: async (tokens) => {
+            await input.userTokenStore.set(
+              credentialSubjectUserId,
+              plugin.name,
+              tokens
+            );
+          }
+        }
+      } : {}
+    }
+  });
+  return parseCredentialResult(result, plugin.name);
+}
+
 // src/chat/services/plugin-auth-orchestration.ts
 var PluginAuthorizationPauseError = class extends AuthorizationPauseError {
   constructor(provider, disposition) {
@@ -8901,7 +9057,6 @@ ${typeof result.stderr === "string" ? result.stderr : ""}`.toLowerCase();
     return false;
   }
   return [
-    /\bjunior-auth-required\b/,
     /\b401\b/,
     /\bunauthorized\b/,
     /\bbad credentials\b/,
@@ -8923,18 +9078,20 @@ function commandText(details) {
   return `${typeof result.stdout === "string" ? result.stdout : ""}
 ${typeof result.stderr === "string" ? result.stderr : ""}`;
 }
-function isGitHubSmartHttpAuthFailure(provider, command, details) {
-  if (provider !== "github" || !/^\s*(?:gh|git)\b/i.test(command)) {
-    return false;
+function pluginAuthRequiredSignal(details) {
+  if (!details || typeof details !== "object") {
+    return void 0;
   }
-  const text = commandText(details).toLowerCase();
-  return /\bgzip:\s*invalid header\b/.test(text);
-}
-function explicitAuthRequiredProvider(details) {
-  const match = /\bjunior-auth-required\s+provider=([a-z0-9-]+)\b/.exec(
-    commandText(details).toLowerCase()
-  );
-  return match?.[1];
+  const signal = details.auth_required;
+  const parsedSignal = parseSandboxEgressAuthRequiredSignal(signal);
+  if (!parsedSignal) {
+    return void 0;
+  }
+  return {
+    provider: parsedSignal.provider,
+    grant: parsedSignal.grant,
+    ...parsedSignal.authorization ? { authorization: parsedSignal.authorization } : {}
+  };
 }
 function registeredProviderNames() {
   const providers = /* @__PURE__ */ new Set();
@@ -8954,15 +9111,14 @@ function commandTargetsProvider(provider, command, details) {
   if (!normalizedCommand) {
     return false;
   }
-  if (provider === "github" && /^(gh|git)\b/.test(normalizedCommand)) {
-    return true;
-  }
   const plugin = getPluginDefinition(provider);
   const candidates = /* @__PURE__ */ new Set([provider.toLowerCase()]);
   const manifest = plugin?.manifest;
   const credentials = manifest?.credentials;
   if (credentials) {
-    candidates.add(credentials.authTokenEnv.toLowerCase());
+    if (credentials.authTokenEnv) {
+      candidates.add(credentials.authTokenEnv.toLowerCase());
+    }
     for (const domain of credentials.domains) {
       candidates.add(domain.toLowerCase());
     }
@@ -8982,14 +9138,11 @@ function authorizationId(args) {
   return `${args.sessionId}:${args.kind}:${args.provider}`;
 }
 function buildCredentialFailureError(provider, command) {
-  const providerLabel = provider === "github" ? "GitHub" : formatProviderLabel(provider);
-  const plugin = getPluginDefinition(provider);
-  const credentialType = plugin?.manifest.credentials?.type;
+  const providerLabel = formatProviderLabel(provider);
   const commandSummary = formatCommand(command);
-  const remediation = provider === "github" && credentialType === "github-app" ? "Verify the GitHub App installation covers the target repository and the host GitHub App environment variables are current." : `Verify the ${providerLabel} provider credentials before retrying.`;
   return new PluginCredentialFailureError(
     provider,
-    `${providerLabel} credentials were rejected while running \`${commandSummary}\`. ${remediation}`
+    `${providerLabel} credentials were rejected while running \`${commandSummary}\`. Verify the ${providerLabel} provider credentials before retrying.`
   );
 }
 function createPluginAuthOrchestration(deps, abortAgent) {
@@ -9009,16 +9162,19 @@ function createPluginAuthOrchestration(deps, abortAgent) {
       pendingAuth: deps.currentPendingAuth,
       kind: "plugin",
       provider,
-      requesterId: deps.requesterId
+      requesterId: deps.requesterId,
+      ...options?.scope ? { scope: options.scope } : {}
     });
     if (!reusingPendingLink) {
       const oauthResult = await startOAuthFlow(provider, {
         requesterId: deps.requesterId,
         channelId: deps.channelId,
+        destination: deps.destination,
         threadTs: deps.threadTs,
         userMessage: deps.userMessage,
         channelConfiguration: deps.channelConfiguration,
         activeSkillName: activeSkill?.name ?? void 0,
+        ...options?.scope ? { scope: options.scope } : {},
         resumeConversationId: deps.conversationId,
         resumeSessionId: deps.sessionId
       });
@@ -9039,6 +9195,7 @@ function createPluginAuthOrchestration(deps, abortAgent) {
         kind: "plugin",
         provider,
         requesterId: deps.requesterId,
+        ...options?.scope ? { scope: options.scope } : {},
         sessionId: deps.sessionId,
         linkSentAtMs: reusingPendingLink ? deps.currentPendingAuth.linkSentAtMs : Date.now()
       });
@@ -9068,8 +9225,9 @@ function createPluginAuthOrchestration(deps, abortAgent) {
   return {
     handleCommandFailure: async (input) => {
       const providers = registeredProviderNames();
-      const explicitProvider = explicitAuthRequiredProvider(input.details);
-      const provider = explicitProvider && providers.includes(explicitProvider) ? explicitProvider : providers.find(
+      const parsedAuthSignal = pluginAuthRequiredSignal(input.details);
+      const authSignal = parsedAuthSignal && providers.includes(parsedAuthSignal.provider) ? parsedAuthSignal : void 0;
+      const provider = authSignal ? authSignal.provider : providers.find(
         (availableProvider) => commandTargetsProvider(
           availableProvider,
           input.command,
@@ -9079,20 +9237,30 @@ function createPluginAuthOrchestration(deps, abortAgent) {
       if (!provider) {
         return;
       }
-      const authFailure = isCommandAuthFailure(input.details) || isGitHubSmartHttpAuthFailure(provider, input.command, input.details);
+      const authFailure = Boolean(authSignal) || isCommandAuthFailure(input.details);
       if (!authFailure) {
         return;
       }
+      const providerOAuth = getPluginOAuthConfig(provider);
+      const authorization = authSignal?.authorization ?? (!authSignal && !hasEgressCredentialHooks(provider) && providerOAuth ? {
+        type: "oauth",
+        provider,
+        ...providerOAuth.scope ? { scope: providerOAuth.scope } : {}
+      } : void 0);
       if (!deps.requesterId || !deps.userTokenStore) {
         if (deps.authorizationFlowMode === "disabled") {
           throw new AuthorizationFlowDisabledError("plugin", provider);
         }
         throw buildCredentialFailureError(provider, input.command);
       }
-      if (!getPluginOAuthConfig(provider)) {
+      if (authorization?.type !== "oauth") {
+        throw buildCredentialFailureError(provider, input.command);
+      }
+      if (!getPluginOAuthConfig(authorization.provider)) {
         throw buildCredentialFailureError(provider, input.command);
       }
-      await startAuthorizationPause(provider, input.activeSkill, {
+      await startAuthorizationPause(authorization.provider, input.activeSkill, {
+        ...authorization.scope ? { scope: authorization.scope } : {},
         unlinkExistingProvider: true
       });
     },
@@ -9579,6 +9747,7 @@ function coercePendingAuthState(value) {
   const kind = value.kind;
   const provider = toOptionalString(value.provider);
   const requesterId = toOptionalString(value.requesterId);
+  const scope = toOptionalString(value.scope);
   const sessionId = toOptionalString(value.sessionId);
   const linkSentAtMs = toOptionalNumber(value.linkSentAtMs);
   if (kind !== "mcp" && kind !== "plugin" || !provider || !requesterId || !sessionId || typeof linkSentAtMs !== "number") {
@@ -9588,6 +9757,7 @@ function coercePendingAuthState(value) {
     kind,
     provider,
     requesterId,
+    ...scope ? { scope } : {},
     sessionId,
     linkSentAtMs
   };
@@ -10170,29 +10340,8 @@ function buildTurnResult(input) {
   };
 }
 
-// src/chat/services/provider-retry.ts
-var RETRYABLE_PROVIDER_ERROR_PATTERN = /overloaded|provider.?returned.?error|rate.?limit|too many requests|429|500|502|503|504|service.?unavailable|server.?error|internal.?error|network.?error|connection.?error|connection.?refused|connection.?lost|websocket.?closed|websocket.?error|other side closed|fetch failed|upstream.?connect|reset before headers|socket hang up|ended without|stream ended before message_stop|http2 request did not get a response|timed? out|timeout|terminated|retry delay/i;
-var NON_RETRYABLE_PROVIDER_ERROR_PATTERN = /invalid.?api.?key|authentication|authorization|permission|forbidden|context.?length|context.?window|content.?policy|validation|bad request|400|401|403/i;
-function isRetryableProviderError(message) {
-  if (message?.stopReason !== "error" || !message.errorMessage) {
-    return false;
-  }
-  if (NON_RETRYABLE_PROVIDER_ERROR_PATTERN.test(message.errorMessage)) {
-    return false;
-  }
-  return RETRYABLE_PROVIDER_ERROR_PATTERN.test(message.errorMessage);
-}
-function trimRetryableProviderErrorTail(messages) {
-  const trimmed = trimTrailingAssistantMessages(messages);
-  if (trimmed.length === messages.length) {
-    return void 0;
-  }
-  const tailRole = getPiMessageRole(trimmed.at(-1));
-  return tailRole === "user" || tailRole === "toolResult" ? trimmed : void 0;
-}
-
 // src/chat/services/turn-thinking-level.ts
-import { z } from "zod";
+import { z as z2 } from "zod";
 var CLASSIFIER_CONFIDENCE_THRESHOLD = 0.75;
 var MAX_ROUTER_CONTEXT_CHARS = 8e3;
 var ROUTER_CONTEXT_HEAD_CHARS = 3e3;
@@ -10224,13 +10373,13 @@ function coerceClassifierConfidence(value) {
   }
   return CONFIDENCE_LABELS[trimmed] ?? value;
 }
-var turnExecutionProfileSchema = z.object({
-  thinking_level: z.enum(TURN_THINKING_LEVELS),
-  confidence: z.preprocess(
+var turnExecutionProfileSchema = z2.object({
+  thinking_level: z2.enum(TURN_THINKING_LEVELS),
+  confidence: z2.preprocess(
     coerceClassifierConfidence,
-    z.number().min(0).max(1)
+    z2.number().min(0).max(1)
   ),
-  reason: z.string().min(1)
+  reason: z2.string().min(1)
 });
 var DEFAULT_THINKING_LEVEL = "medium";
 var THINKING_LEVEL_RANK = {
@@ -10546,6 +10695,7 @@ async function persistRunningSessionRecord(args) {
       conversationId: args.conversationId,
       cumulativeDurationMs: latestSessionRecord?.cumulativeDurationMs,
       cumulativeUsage: latestSessionRecord?.cumulativeUsage,
+      ...args.destination ?? latestSessionRecord?.destination ? { destination: args.destination ?? latestSessionRecord?.destination } : {},
       sessionId: args.sessionId,
       sliceId: args.sliceId,
       state: "running",
@@ -10586,6 +10736,7 @@ async function persistCompletedSessionRecord(args) {
         latestSessionRecord?.cumulativeUsage,
         args.currentUsage
       ),
+      ...args.destination ?? latestSessionRecord?.destination ? { destination: args.destination ?? latestSessionRecord?.destination } : {},
       sessionId: args.sessionId,
       sliceId: args.sliceId,
       state: "completed",
@@ -10632,6 +10783,7 @@ async function persistAuthPauseSessionRecord(args) {
         latestSessionRecord?.cumulativeUsage,
         args.currentUsage
       ),
+      ...args.destination ?? latestSessionRecord?.destination ? { destination: args.destination ?? latestSessionRecord?.destination } : {},
       sessionId: args.sessionId,
       sliceId: nextSliceId,
       state: "awaiting_resume",
@@ -10688,6 +10840,9 @@ async function persistTimeoutSessionRecord(args) {
         conversationId: args.conversationId,
         cumulativeDurationMs,
         cumulativeUsage,
+        ...args.destination ?? latestSessionRecord?.destination ? {
+          destination: args.destination ?? latestSessionRecord?.destination
+        } : {},
         sessionId: args.sessionId,
         sliceId: args.currentSliceId,
         state: "failed",
@@ -10706,6 +10861,7 @@ async function persistTimeoutSessionRecord(args) {
       conversationId: args.conversationId,
       cumulativeDurationMs,
       cumulativeUsage,
+      ...args.destination ?? latestSessionRecord?.destination ? { destination: args.destination ?? latestSessionRecord?.destination } : {},
       sessionId: args.sessionId,
       sliceId: nextSliceId,
       state: "awaiting_resume",
@@ -10756,6 +10912,7 @@ async function persistYieldSessionRecord(args) {
         latestSessionRecord?.cumulativeUsage,
         args.currentUsage
       ),
+      ...args.destination ?? latestSessionRecord?.destination ? { destination: args.destination ?? latestSessionRecord?.destination } : {},
       sessionId: args.sessionId,
       sliceId: args.currentSliceId,
       state: "awaiting_resume",
@@ -10971,6 +11128,7 @@ async function createMcpOAuthClientProvider(input) {
     provider: input.provider,
     userId: input.userId,
     conversationId: input.conversationId,
+    ...input.destination ? { destination: input.destination } : {},
     sessionId: input.sessionId,
     userMessage: input.userMessage,
     ...input.channelId ? { channelId: input.channelId } : {},
@@ -10990,6 +11148,7 @@ async function createMcpOAuthClientProvider(input) {
       provider: input.provider,
       userId: input.userId,
       conversationId: input.conversationId,
+      ...input.destination ? { destination: input.destination } : {},
       sessionId: input.sessionId,
       userMessage: input.userMessage,
       ...input.channelId ? { channelId: input.channelId } : {},
@@ -11065,6 +11224,7 @@ function createMcpAuthOrchestration(deps, abortAgent) {
     const provider = await createMcpOAuthClientProvider({
       provider: plugin.manifest.name,
       conversationId: deps.conversationId,
+      destination: deps.destination,
       sessionId: deps.sessionId,
       userId: deps.requesterId,
       userMessage: deps.userMessage,
@@ -11161,7 +11321,6 @@ function createMcpAuthOrchestration(deps, abortAgent) {
 }
 
 // src/chat/respond.ts
-var PROVIDER_RETRY_DELAYS_MS = [1e3, 2e3];
 var AGENT_ABORT_SETTLE_GRACE_MS = 5e3;
 function sleep2(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
@@ -11652,6 +11811,7 @@ async function generateAssistantReply(messageText2, context = {}) {
         sessionId,
         requesterId: authRequesterId,
         channelId: context.correlation?.channelId,
+        destination: context.destination,
         threadTs: context.correlation?.threadTs,
         toolChannelId: context.toolChannelId,
         userMessage: userInput,
@@ -11670,6 +11830,7 @@ async function generateAssistantReply(messageText2, context = {}) {
         sessionId,
         requesterId: authRequesterId,
         channelId: context.correlation?.channelId,
+        destination: context.destination,
         threadTs: context.correlation?.threadTs,
         userMessage: userInput,
         channelConfiguration: context.channelConfiguration,
@@ -11696,8 +11857,6 @@ async function generateAssistantReply(messageText2, context = {}) {
       assistantUserName: botConfig.userName,
       modelId: botConfig.modelId
     });
-    const toolChannelId = context.toolChannelId ?? context.correlation?.channelId;
-    const channelCapabilities = resolveChannelCapabilities(toolChannelId);
     const loadableSkills = availableSkills.filter(
       (skill) => skill.disableModelInvocation !== true || skill.name === invokedSkill?.name
     );
@@ -11748,8 +11907,10 @@ async function generateAssistantReply(messageText2, context = {}) {
         }
       },
       {
-        channelId: toolChannelId,
-        channelCapabilities,
+        channelId: context.correlation?.channelId,
+        conversationId: sessionConversationId,
+        deliveryChannelId: context.toolChannelId,
+        destination: context.destination,
         requester: actorRequester,
         teamId: context.correlation?.teamId,
         messageTs: context.correlation?.messageTs,
@@ -11889,6 +12050,7 @@ async function generateAssistantReply(messageText2, context = {}) {
       const persisted = await persistRunningSessionRecord({
         channelName: context.correlation?.channelName,
         conversationId: sessionConversationId,
+        destination: context.destination,
         sessionId,
         sliceId: currentSliceId,
         messages,
@@ -12154,26 +12316,24 @@ async function generateAssistantReply(messageText2, context = {}) {
               throw getPendingAuthPause();
             }
             const lastAssistant = outputMessages.at(-1);
-            const retryDelayMs = PROVIDER_RETRY_DELAYS_MS[attempt];
-            if (retryDelayMs === void 0 || !isRetryableProviderError(lastAssistant)) {
+            const providerRetry = nextProviderRetry({
+              attempt,
+              lastAssistant,
+              messages: agent.state.messages
+            });
+            if (!providerRetry) {
               break;
             }
             retryUsage = turnUsage;
-            const retryMessages = trimRetryableProviderErrorTail(
-              agent.state.messages
-            );
-            if (!retryMessages) {
-              break;
-            }
-            agent.state.messages = retryMessages;
-            await persistSafeBoundary(retryMessages);
+            agent.state.messages = providerRetry.messages;
+            await persistSafeBoundary(providerRetry.messages);
             logWarn(
               "agent_turn_provider_retry",
               spanContext,
               {},
               "Retrying transient provider failure"
             );
-            await sleep2(retryDelayMs);
+            await sleep2(providerRetry.delayMs);
             run = agent.continue();
           }
         },
@@ -12203,6 +12363,7 @@ async function generateAssistantReply(messageText2, context = {}) {
         conversationId: sessionConversationId,
         currentDurationMs: Date.now() - replyStartedAtMs,
         currentUsage: turnUsage,
+        destination: context.destination,
         sessionId,
         sliceId: currentSliceId,
         allMessages: agent.state.messages,
@@ -12236,6 +12397,7 @@ async function generateAssistantReply(messageText2, context = {}) {
       const sessionRecord = await persistYieldSessionRecord({
         channelName: context.correlation?.channelName,
         conversationId: timeoutResumeConversationId,
+        destination: context.destination,
         sessionId: timeoutResumeSessionId,
         currentSliceId: timeoutResumeSliceId,
         currentDurationMs: Date.now() - replyStartedAtMs,
@@ -12260,6 +12422,7 @@ async function generateAssistantReply(messageText2, context = {}) {
       const sessionRecord = await persistTimeoutSessionRecord({
         channelName: context.correlation?.channelName,
         conversationId: timeoutResumeConversationId,
+        destination: context.destination,
         sessionId: timeoutResumeSessionId,
         currentSliceId: timeoutResumeSliceId,
         currentDurationMs: Date.now() - replyStartedAtMs,
@@ -12303,6 +12466,7 @@ async function generateAssistantReply(messageText2, context = {}) {
       const sessionRecord = await persistAuthPauseSessionRecord({
         channelName: context.correlation?.channelName,
         conversationId: timeoutResumeConversationId,
+        destination: context.destination,
         sessionId: timeoutResumeSessionId,
         currentSliceId: timeoutResumeSliceId,
         currentDurationMs: Date.now() - replyStartedAtMs,
@@ -12335,6 +12499,9 @@ async function generateAssistantReply(messageText2, context = {}) {
     if (isRetryableTurnError(error)) {
       throw error;
     }
+    if (isProviderRetryError(error)) {
+      throw error;
+    }
     if (isTurnInputCommitLostError(error)) {
       throw error;
     }
@@ -13136,11 +13303,80 @@ async function verifyDispatchCallbackRequest(request) {
 
 // src/chat/agent-dispatch/store.ts
 import { createHash } from "crypto";
+import {
+  agentPluginCredentialSubjectSchema,
+  destinationSchema
+} from "@sentry/junior-plugin-api";
+import { z as z3 } from "zod";
 var DISPATCH_PREFIX = "junior:agent_dispatch";
 var DISPATCH_LOCK_TTL_MS = 10 * 60 * 1e3;
 var DISPATCH_INDEX_LOCK_TTL_MS = 1e4;
 var DISPATCH_INDEX_MAX_LENGTH = 1e4;
 var DEFAULT_MAX_ATTEMPTS = 5;
+var nonEmptyExactStringSchema = z3.string().min(1).refine(
+  (value) => value === value.trim() && value.toLowerCase() !== "unknown"
+);
+var dispatchStatusSchema = z3.enum([
+  "pending",
+  "running",
+  "awaiting_resume",
+  "completed",
+  "failed",
+  "blocked"
+]);
+var dispatchActorSchema = z3.object({
+  type: z3.literal("system"),
+  id: nonEmptyExactStringSchema
+}).strict();
+var credentialSubjectBindingSchema = z3.object({
+  type: z3.literal("slack-direct-conversation"),
+  teamId: z3.string().min(1),
+  channelId: z3.string().min(1),
+  signature: z3.string().min(1)
+}).strict();
+var boundCredentialSubjectSchema = agentPluginCredentialSubjectSchema.extend({
+  binding: credentialSubjectBindingSchema
+}).strict();
+var dispatchRecordSchema = z3.object({
+  actor: dispatchActorSchema,
+  attempt: z3.number().int().nonnegative(),
+  createdAtMs: z3.number().finite(),
+  credentialSubject: boundCredentialSubjectSchema.optional(),
+  destination: destinationSchema,
+  errorMessage: z3.string().optional(),
+  id: nonEmptyExactStringSchema,
+  idempotencyKey: z3.string().min(1),
+  input: z3.string().min(1),
+  lastCallbackAtMs: z3.number().finite().optional(),
+  leaseExpiresAtMs: z3.number().finite().optional(),
+  maxAttempts: z3.number().int().positive(),
+  metadata: z3.record(z3.string(), z3.string()).optional(),
+  plugin: nonEmptyExactStringSchema,
+  resultMessageTs: z3.string().optional(),
+  status: dispatchStatusSchema,
+  updatedAtMs: z3.number().finite(),
+  version: z3.number().int().positive()
+}).strict().superRefine((record, ctx) => {
+  const subject = record.credentialSubject;
+  if (!subject) {
+    return;
+  }
+  if (!record.destination.channelId.startsWith("D")) {
+    ctx.addIssue({
+      code: z3.ZodIssueCode.custom,
+      message: "Dispatch credentialSubject requires a private direct Slack destination",
+      path: ["credentialSubject"]
+    });
+    return;
+  }
+  if (subject.binding.teamId !== record.destination.teamId || subject.binding.channelId !== record.destination.channelId) {
+    ctx.addIssue({
+      code: z3.ZodIssueCode.custom,
+      message: "Dispatch credentialSubject binding must match destination",
+      path: ["credentialSubject", "binding"]
+    });
+  }
+});
 function getDispatchStorageKey(id) {
   return `${DISPATCH_PREFIX}:record:${id}`;
 }
@@ -13166,8 +13402,12 @@ function buildDispatchId(plugin, idempotencyKey) {
   const digest = createHash("sha256").update(plugin).update("\0").update(idempotencyKey).digest("hex").slice(0, 32);
   return `dispatch_${digest}`;
 }
+function parseDispatchRecord(value) {
+  const parsed = dispatchRecordSchema.safeParse(value);
+  return parsed.success ? parsed.data : void 0;
+}
 function getDispatchDestinationLockId(destination) {
-  return `slack:${destination.teamId}:${destination.channelId}`;
+  return destinationKey(destination);
 }
 function getDispatchConversationId(dispatch) {
   return `agent-dispatch:${dispatch.id}`;
@@ -13234,22 +13474,28 @@ async function syncIncompleteDispatchIndex(state, record) {
   });
 }
 async function putRecord(state, record) {
+  const next = parseDispatchRecord(record);
+  if (!next) {
+    throw new Error("Dispatch record is invalid.");
+  }
   await state.set(
-    getDispatchStorageKey(record.id),
-    record,
+    getDispatchStorageKey(next.id),
+    next,
     JUNIOR_THREAD_STATE_TTL_MS
   );
-  await syncIncompleteDispatchIndex(state, record);
+  await syncIncompleteDispatchIndex(state, next);
 }
 async function getDispatchRecord(id) {
   const state = getStateAdapter();
   await state.connect();
-  return await state.get(getDispatchStorageKey(id)) ?? void 0;
+  return parseDispatchRecord(await state.get(getDispatchStorageKey(id)));
 }
 async function createOrGetDispatch(args) {
   const id = buildDispatchId(args.plugin, args.options.idempotencyKey);
   return await withDispatchLock(id, async (state) => {
-    const existing = await state.get(getDispatchStorageKey(id)) ?? void 0;
+    const existing = parseDispatchRecord(
+      await state.get(getDispatchStorageKey(id))
+    );
     if (existing) {
       return { record: existing, status: "already_exists" };
     }
@@ -13344,9 +13590,12 @@ async function persistRuntimePatch(args) {
 }
 async function markDispatch(args) {
   return await withDispatchLock(args.dispatch.id, async (state) => {
-    const current = await state.get(
-      getDispatchStorageKey(args.dispatch.id)
-    ) ?? args.dispatch;
+    const current = parseDispatchRecord(
+      await state.get(getDispatchStorageKey(args.dispatch.id))
+    );
+    if (!current) {
+      throw new Error("Dispatch record is missing or invalid.");
+    }
     return await updateDispatchRecord(state, {
       ...current,
       status: args.status,
@@ -13372,7 +13621,9 @@ async function runAgentDispatchSlice(callback, deps = {}) {
   const scheduleCallback = deps.scheduleCallback ?? scheduleDispatchCallback;
   const nowMs = Date.now();
   const claimedDispatch = await withDispatchLock(callback.id, async (state) => {
-    const current = await state.get(getDispatchStorageKey(callback.id)) ?? void 0;
+    const current = parseDispatchRecord(
+      await state.get(getDispatchStorageKey(callback.id))
+    );
     if (!current || !canClaimDispatch(current, nowMs) || current.version !== callback.expectedVersion) {
       return void 0;
     }
@@ -13407,10 +13658,10 @@ async function runAgentDispatchSlice(callback, deps = {}) {
     const startedDispatch = await withDispatchLock(
       dispatch.id,
       async (state) => {
-        const current = await state.get(
-          getDispatchStorageKey(dispatch.id)
-        ) ?? dispatch;
-        if (current.status !== "running" || current.version !== dispatch.version || current.attempt >= current.maxAttempts) {
+        const current = parseDispatchRecord(
+          await state.get(getDispatchStorageKey(dispatch.id))
+        );
+        if (!current || current.status !== "running" || current.version !== dispatch.version || current.attempt >= current.maxAttempts) {
           return void 0;
         }
         return await updateDispatchRecord(state, {
@@ -13462,6 +13713,7 @@ async function runAgentDispatchSlice(callback, deps = {}) {
       conversationContext,
       artifactState: artifacts,
       piMessages: conversation.piMessages,
+      destination: dispatch.destination,
       correlation: {
         conversationId,
         threadId: conversationId,
@@ -13729,14 +13981,16 @@ function normalizeMessage(value) {
   const conversationId = toOptionalString(value.conversationId);
   const inboundMessageId = toOptionalString(value.inboundMessageId);
   const source = normalizeSource(value.source);
+  const destination = parseDestination(value.destination);
   const createdAtMs = toOptionalNumber(value.createdAtMs);
   const receivedAtMs = toOptionalNumber(value.receivedAtMs);
   const input = normalizeInput(value.input);
-  if (!conversationId || !inboundMessageId || !source || typeof createdAtMs !== "number" || typeof receivedAtMs !== "number" || !input) {
+  if (!conversationId || !destination || !inboundMessageId || !source || typeof createdAtMs !== "number" || typeof receivedAtMs !== "number" || !input) {
     return void 0;
   }
   return {
     conversationId,
+    destination,
     inboundMessageId,
     source,
     createdAtMs,
@@ -13768,14 +14022,16 @@ function normalizeWorkState(conversationId, value) {
     return void 0;
   }
   const storedConversationId = toOptionalString(value.conversationId);
+  const destination = parseDestination(value.destination);
   const updatedAtMs = toOptionalNumber(value.updatedAtMs);
-  if (storedConversationId !== conversationId || typeof updatedAtMs !== "number") {
+  if (storedConversationId !== conversationId || !destination || typeof updatedAtMs !== "number") {
     return void 0;
   }
   const messages = Array.isArray(value.messages) ? value.messages.map(normalizeMessage).filter((message) => Boolean(message)).filter((message) => message.conversationId === conversationId).sort(compareMessages) : [];
   return {
     schemaVersion: CONVERSATION_WORK_SCHEMA_VERSION,
     conversationId,
+    destination,
     messages,
     needsRun: value.needsRun === true,
     updatedAtMs,
@@ -13787,6 +14043,7 @@ function emptyWorkState(args) {
   return {
     schemaVersion: CONVERSATION_WORK_SCHEMA_VERSION,
     conversationId: args.conversationId,
+    destination: args.destination,
     messages: [],
     needsRun: false,
     updatedAtMs: args.nowMs
@@ -13900,10 +14157,15 @@ async function withConversationMutation(args, callback) {
   }
 }
 async function readWorkState(state, conversationId) {
-  return normalizeWorkState(
-    conversationId,
-    await state.get(stateKey(conversationId))
-  );
+  const raw = await state.get(stateKey(conversationId));
+  if (raw == null) {
+    return void 0;
+  }
+  const work = normalizeWorkState(conversationId, raw);
+  if (!work) {
+    throw new Error(`Conversation work state is invalid for ${conversationId}`);
+  }
+  return work;
 }
 async function writeWorkState(state, work) {
   await state.set(
@@ -13920,6 +14182,14 @@ async function writeWorkState(state, work) {
 function hasRunnableWork(state) {
   return state.needsRun || pendingMessages(state).length > 0;
 }
+function assertSameConversationDestination(args) {
+  if (sameDestination(args.current, args.next)) {
+    return;
+  }
+  throw new Error(
+    `Conversation work destination changed for ${args.conversationId}`
+  );
+}
 async function getConversationWorkState(args) {
   const state = await getConnectedState(args.state);
   return await readWorkState(state, args.conversationId);
@@ -13937,8 +14207,14 @@ async function appendInboundMessage(args) {
     async (state) => {
       const current = await readWorkState(state, args.message.conversationId) ?? emptyWorkState({
         conversationId: args.message.conversationId,
+        destination: args.message.destination,
         nowMs
       });
+      assertSameConversationDestination({
+        conversationId: args.message.conversationId,
+        current: current.destination,
+        next: args.message.destination
+      });
       const existing = current.messages.find(
         (message) => message.inboundMessageId === args.message.inboundMessageId
       );
@@ -13981,7 +14257,10 @@ async function appendAndEnqueueInboundMessage(args) {
     idempotencyKey = duplicateInboundNudgeIdempotencyKey(args.message, nowMs);
   }
   const queueResult = await args.queue.send(
-    { conversationId: args.message.conversationId },
+    {
+      conversationId: args.message.conversationId,
+      destination: args.message.destination
+    },
     { idempotencyKey }
   );
   await markConversationWorkEnqueued({
@@ -13998,8 +14277,16 @@ async function requestConversationWork(args) {
   const nowMs = args.nowMs ?? now();
   return await withConversationMutation(args, async (state) => {
     const existing = await readWorkState(state, args.conversationId);
+    if (existing) {
+      assertSameConversationDestination({
+        conversationId: args.conversationId,
+        current: existing.destination,
+        next: args.destination
+      });
+    }
     const current = existing ?? emptyWorkState({
       conversationId: args.conversationId,
+      destination: args.destination,
       nowMs
     });
     await writeWorkState(state, {
@@ -14155,6 +14442,11 @@ async function requestConversationContinuation(args) {
     if (!current || current.lease?.leaseToken !== args.leaseToken) {
       return false;
     }
+    assertSameConversationDestination({
+      conversationId: args.conversationId,
+      current: current.destination,
+      next: args.destination
+    });
     await writeWorkState(state, {
       ...current,
       needsRun: true,
@@ -14232,8 +14524,12 @@ async function getAwaitingTurnContinuationRequest(args) {
   if (!sessionRecord || sessionRecord.state !== "awaiting_resume" || sessionRecord.resumeReason !== "timeout" && sessionRecord.resumeReason !== "yield" || sessionRecord.resumeReason === "timeout" && sessionRecord.sliceId < 2) {
     return void 0;
   }
+  if (!sessionRecord.destination) {
+    return void 0;
+  }
   return {
     conversationId: args.conversationId,
+    destination: sessionRecord.destination,
     sessionId: args.sessionId,
     expectedVersion: sessionRecord.version
   };
@@ -14261,12 +14557,17 @@ function parseTurnTimeoutResumeRequest(value) {
     return void 0;
   }
   const record = value;
-  const expectedVersion = typeof record.expectedVersion === "number" ? record.expectedVersion : record.expectedCheckpointVersion;
-  if (typeof record.conversationId !== "string" || typeof record.sessionId !== "string" || typeof expectedVersion !== "number") {
+  const destination = parseDestination(record.destination);
+  let expectedVersion = record.expectedVersion;
+  if (typeof expectedVersion !== "number") {
+    expectedVersion = record.expectedCheckpointVersion;
+  }
+  if (typeof record.conversationId !== "string" || typeof record.sessionId !== "string" || typeof expectedVersion !== "number" || !destination) {
     return void 0;
   }
   return {
     conversationId: record.conversationId,
+    destination,
     sessionId: record.sessionId,
     expectedVersion
   };
@@ -14275,12 +14576,16 @@ async function scheduleTurnTimeoutResume(request, options = {}) {
   const nowMs = options.nowMs ?? Date.now();
   await requestConversationWork({
     conversationId: request.conversationId,
+    destination: request.destination,
     nowMs,
     state: options.state
   });
   const queue = options.queue ?? getVercelConversationWorkQueue();
   await queue.send(
-    { conversationId: request.conversationId },
+    {
+      conversationId: request.conversationId,
+      destination: request.destination
+    },
     {
       idempotencyKey: [
         "timeout",
@@ -14326,7 +14631,10 @@ function heartbeatIdempotencyKey(reason, conversationId, nowMs) {
 }
 async function sendRecoveryNudge(args) {
   await args.queue.send(
-    { conversationId: args.conversationId },
+    {
+      conversationId: args.conversationId,
+      destination: args.destination
+    },
     { idempotencyKey: args.idempotencyKey }
   );
   await markConversationWorkEnqueued({
@@ -14364,6 +14672,7 @@ async function recoverConversationWork(args) {
         }
         await sendRecoveryNudge({
           conversationId,
+          destination: work.destination,
           idempotencyKey: heartbeatIdempotencyKey(
             "lease",
             conversationId,
@@ -14390,6 +14699,7 @@ async function recoverConversationWork(args) {
       }
       await sendRecoveryNudge({
         conversationId,
+        destination: work.destination,
         idempotencyKey: heartbeatIdempotencyKey(
           "pending",
           conversationId,
@@ -14419,78 +14729,92 @@ async function recoverConversationWork(args) {
   return result;
 }
 
-// src/chat/slack/ids.ts
-function isSlackTeamId(value) {
-  return /^T[A-Z0-9]+$/.test(value);
+// src/chat/agent-dispatch/validation.ts
+import {
+  dispatchOptionsSchema
+} from "@sentry/junior-plugin-api";
+function hasIssueAtPath(issues, path9) {
+  return issues.some(
+    (issue) => issue.path.length === path9.length && issue.path.every((value, index) => value === path9[index])
+  );
 }
-function isSlackConversationId(value) {
-  return /^(C|G|D)[A-Z0-9]+$/.test(value);
+function hasIssueUnderPath(issues, path9) {
+  return issues.some(
+    (issue) => path9.every((value, index) => issue.path[index] === value)
+  );
 }
-
-// src/chat/agent-dispatch/validation.ts
-var MAX_DISPATCH_INPUT_LENGTH = 32e3;
-var MAX_IDEMPOTENCY_KEY_LENGTH = 512;
-var MAX_METADATA_KEYS = 20;
-var MAX_METADATA_KEY_LENGTH = 128;
-var MAX_METADATA_VALUE_LENGTH = 512;
-function validateDispatchOptions(options) {
-  if (!options.idempotencyKey.trim()) {
-    throw new Error("Dispatch idempotencyKey is required");
+function dispatchOptionsErrorMessage(issues) {
+  if (hasIssueAtPath(issues, [])) {
+    const unknownKeys = issues.some(
+      (issue) => issue.code === "unrecognized_keys"
+    );
+    return unknownKeys ? "Dispatch options must not include unknown fields" : "Dispatch options are required";
   }
-  if (options.idempotencyKey.length > MAX_IDEMPOTENCY_KEY_LENGTH) {
-    throw new Error("Dispatch idempotencyKey exceeds the maximum length");
+  if (issues.some(
+    (issue) => issue.code === "unrecognized_keys" && issue.path[0] === "destination"
+  )) {
+    return "Dispatch destination must not include unknown fields";
+  }
+  if (issues.some(
+    (issue) => issue.code === "unrecognized_keys" && issue.path[0] === "credentialSubject"
+  )) {
+    return "Dispatch credentialSubject binding is runtime-owned";
   }
-  if (options.destination.platform !== "slack") {
-    throw new Error("Dispatch destination platform must be slack");
+  if (hasIssueAtPath(issues, ["destination"])) {
+    return "Dispatch destination platform must be slack";
   }
-  if (!isSlackTeamId(options.destination.teamId)) {
-    throw new Error("Dispatch destination teamId must be a Slack team id");
+  if (hasIssueUnderPath(issues, ["destination", "teamId"])) {
+    return "Dispatch destination teamId must be a Slack team id";
   }
-  if (!isSlackConversationId(options.destination.channelId)) {
-    throw new Error(
-      "Dispatch destination channelId must be a Slack channel id"
+  if (hasIssueUnderPath(issues, ["destination", "channelId"])) {
+    return "Dispatch destination channelId must be a Slack channel id";
+  }
+  if (hasIssueUnderPath(issues, ["idempotencyKey"])) {
+    const tooLong = issues.some(
+      (issue) => issue.path[0] === "idempotencyKey" && issue.code === "too_big"
     );
+    return tooLong ? "Dispatch idempotencyKey exceeds the maximum length" : "Dispatch idempotencyKey is required";
   }
-  if (!options.input.trim()) {
-    throw new Error("Dispatch input is required");
+  if (hasIssueUnderPath(issues, ["input"])) {
+    const tooLong = issues.some(
+      (issue) => issue.path[0] === "input" && issue.code === "too_big"
+    );
+    return tooLong ? "Dispatch input exceeds the maximum length" : "Dispatch input is required";
   }
-  if (options.input.length > MAX_DISPATCH_INPUT_LENGTH) {
-    throw new Error("Dispatch input exceeds the maximum length");
+  if (hasIssueUnderPath(issues, ["credentialSubject", "userId"])) {
+    return "Dispatch credentialSubject userId is required";
   }
-  if (options.credentialSubject) {
-    if (options.credentialSubject.type !== "user") {
-      throw new Error("Dispatch credentialSubject type must be user");
-    }
-    if (!isActorUserId(options.credentialSubject.userId)) {
-      throw new Error("Dispatch credentialSubject userId is required");
-    }
-    if (options.credentialSubject.allowedWhen !== "private-direct-conversation") {
-      throw new Error(
-        "Dispatch credentialSubject allowedWhen must be private-direct-conversation"
-      );
-    }
-    if (!isDmChannel(options.destination.channelId)) {
+  if (hasIssueUnderPath(issues, ["credentialSubject", "allowedWhen"])) {
+    return "Dispatch credentialSubject allowedWhen must be private-direct-conversation";
+  }
+  if (hasIssueUnderPath(issues, ["credentialSubject"])) {
+    return "Dispatch credentialSubject type must be user";
+  }
+  const metadataIssue = issues.find(
+    (issue) => issue.path[0] === "metadata" && (issue.message === "Dispatch metadata has too many keys" || issue.message === "Dispatch metadata key exceeds the maximum length" || issue.message === "Dispatch metadata value exceeds the maximum length")
+  );
+  if (metadataIssue) {
+    return metadataIssue.message;
+  }
+  if (hasIssueUnderPath(issues, ["metadata"])) {
+    return "Dispatch metadata values must be strings";
+  }
+  return "Dispatch options are invalid";
+}
+function validateDispatchOptions(options) {
+  const parsed = dispatchOptionsSchema.safeParse(options);
+  if (!parsed.success) {
+    throw new Error(dispatchOptionsErrorMessage(parsed.error.issues));
+  }
+  const candidate = parsed.data;
+  const { credentialSubject, destination } = candidate;
+  if (credentialSubject !== void 0) {
+    if (!isDmChannel(destination.channelId)) {
       throw new Error(
         "Dispatch credentialSubject requires a private direct Slack destination"
       );
     }
   }
-  const metadata = options.metadata ?? {};
-  const entries = Object.entries(metadata);
-  if (entries.length > MAX_METADATA_KEYS) {
-    throw new Error("Dispatch metadata has too many keys");
-  }
-  for (const [key, value] of entries) {
-    if (!key.trim() || typeof value !== "string") {
-      throw new Error("Dispatch metadata values must be strings");
-    }
-    if (key.length > MAX_METADATA_KEY_LENGTH) {
-      throw new Error("Dispatch metadata key exceeds the maximum length");
-    }
-    if (value.length > MAX_METADATA_VALUE_LENGTH) {
-      throw new Error("Dispatch metadata value exceeds the maximum length");
-    }
-  }
 }
 async function verifyDispatchCredentialSubjectAccess(options) {
   if (!options.credentialSubject) {
@@ -14604,8 +14928,8 @@ function isStaleDispatch(args) {
 }
 async function failDispatch(args) {
   await withDispatchLock(args.record.id, async (state) => {
-    const current = await state.get(
-      getDispatchStorageKey(args.record.id)
+    const current = parseDispatchRecord(
+      await state.get(getDispatchStorageKey(args.record.id))
     ) ?? args.record;
     if (isTerminalDispatchStatus(current.status)) {
       return;
@@ -14737,7 +15061,7 @@ async function recoverStaleDispatches(args) {
   }
   return recovered;
 }
-async function runTrustedPluginHeartbeats(args) {
+async function runPluginHeartbeats(args) {
   let count = 0;
   for (const plugin of getAgentPlugins()) {
     if (count >= (args.limit ?? DEFAULT_PLUGIN_LIMIT)) {
@@ -14763,7 +15087,7 @@ async function runTrustedPluginHeartbeats(args) {
       );
       if (typeof result?.dispatchCount === "number" && result.dispatchCount > 0) {
         logInfo(
-          "trusted_plugin_heartbeat_dispatched",
+          "plugin_heartbeat_dispatched",
           {},
           {
             "app.dispatch.count": result.dispatchCount,
@@ -14775,10 +15099,10 @@ async function runTrustedPluginHeartbeats(args) {
     } catch (error) {
       logException(
         error,
-        "trusted_plugin_heartbeat_failed",
+        "plugin_heartbeat_failed",
         {},
         { "app.plugin.name": plugin.name },
-        "Trusted plugin heartbeat failed"
+        "Plugin heartbeat failed"
       );
     }
   }
@@ -14793,7 +15117,7 @@ async function runHeartbeat(args) {
     nowMs: args.nowMs
   });
   await recoverStaleDispatches({ nowMs: args.nowMs });
-  await runTrustedPluginHeartbeats({ nowMs: args.nowMs });
+  await runPluginHeartbeats({ nowMs: args.nowMs });
 }
 
 // src/handlers/heartbeat.ts
@@ -15325,10 +15649,6 @@ function getWorkspaceTeamId() {
 }
 
 // src/chat/runtime/thread-context.ts
-function toSlackTeamId(value) {
-  const candidate = toOptionalString(value);
-  return candidate && isSlackTeamId(candidate) ? candidate : void 0;
-}
 function escapeRegExp2(value) {
   return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
@@ -15404,14 +15724,6 @@ function getMessageTs(message) {
   const rawRecord = raw;
   return toOptionalString(rawRecord.ts) ?? toOptionalString(rawRecord.event_ts) ?? toOptionalString(rawRecord.message?.ts);
 }
-function getTeamId(message) {
-  const raw = message.raw;
-  if (!raw || typeof raw !== "object") {
-    return void 0;
-  }
-  const rawRecord = raw;
-  return toSlackTeamId(rawRecord.team_id) ?? toSlackTeamId(rawRecord.team) ?? toSlackTeamId(getWorkspaceTeamId()) ?? toSlackTeamId(rawRecord.user_team);
-}
 
 // src/chat/runtime/processing-reaction.ts
 var noProcessingReaction = {
@@ -16114,9 +16426,10 @@ async function persistFailedReplyState(channelId, threadTs, sessionId, expectedV
 }
 async function resumeAuthorizedMcpTurn(args) {
   const { authSession, provider } = args;
-  if (!authSession.channelId || !authSession.threadTs) {
+  if (!authSession.channelId || !authSession.destination || !authSession.threadTs) {
     return;
   }
+  const destination = authSession.destination;
   const threadId = `slack:${authSession.channelId}:${authSession.threadTs}`;
   const currentState = await getPersistedThreadState(threadId);
   const conversation = coerceThreadConversationState(currentState);
@@ -16225,6 +16538,7 @@ async function resumeAuthorizedMcpTurn(args) {
             actor: { type: "user", userId: authSession.userId }
           },
           requester,
+          destination,
           correlation: {
             conversationId: authSession.conversationId,
             turnId: lockedSessionId,
@@ -16313,6 +16627,7 @@ async function resumeAuthorizedMcpTurn(args) {
           }
           await scheduleTurnTimeoutResume({
             conversationId: authSession.conversationId,
+            destination,
             sessionId: lockedSessionId,
             expectedVersion: version
           });
@@ -16410,13 +16725,23 @@ async function buildSkillsSummaryText() {
   }
   return lines.join("\n");
 }
-async function hasConnectedAccount(userId, plugin, userTokenStore) {
-  if (plugin.manifest.credentials?.type === "oauth-bearer") {
+function accountLabel(account) {
+  const label = account.label ?? account.id;
+  return account.url ? `<${account.url}|${label}>` : label;
+}
+function connectedAccountText(plugin, account) {
+  return account ? `*${plugin.manifest.name}*
+Connected as ${accountLabel(account)}` : `*${plugin.manifest.name}*
+${plugin.manifest.description}`;
+}
+async function connectedOAuthTokens(userId, plugin, userTokenStore) {
+  if (plugin.manifest.oauth || plugin.manifest.credentials) {
     const stored = await userTokenStore.get(userId, plugin.manifest.name);
-    return Boolean(
-      stored && hasRequiredOAuthScope(stored.scope, plugin.manifest.oauth?.scope)
-    );
+    return stored && hasRequiredOAuthScope(stored.scope, plugin.manifest.oauth?.scope) ? stored : void 0;
   }
+  return void 0;
+}
+async function hasConnectedMcpAccount(userId, plugin) {
   if (plugin.manifest.mcp) {
     return Boolean(
       (await getMcpStoredOAuthCredentials(userId, plugin.manifest.name))?.tokens
@@ -16431,13 +16756,13 @@ async function buildHomeView(userId, userTokenStore) {
   const providers = getPluginProviders();
   const connectedSections = [];
   for (const plugin of providers) {
-    if (!await hasConnectedAccount(userId, plugin, userTokenStore)) continue;
+    const tokens = await connectedOAuthTokens(userId, plugin, userTokenStore);
+    if (!tokens && !await hasConnectedMcpAccount(userId, plugin)) continue;
     connectedSections.push({
       type: "section",
       text: {
         type: "mrkdwn",
-        text: `*${plugin.manifest.name}*
-${plugin.manifest.description}`
+        text: connectedAccountText(plugin, tokens?.account)
       },
       accessory: {
         type: "button",
@@ -16582,31 +16907,20 @@ async function persistFailedOAuthReplyState(args) {
   });
 }
 async function resumeOAuthSessionRecordTurn(stored) {
-  if (!stored.resumeConversationId || !stored.resumeSessionId || !stored.channelId || !stored.threadTs) {
+  if (!stored.resumeConversationId || !stored.resumeSessionId || !stored.channelId || !stored.destination || !stored.threadTs) {
     return false;
   }
-  const sessionRecord = await getAgentTurnSessionRecord(
-    stored.resumeConversationId,
-    stored.resumeSessionId
-  );
-  if (!sessionRecord) {
-    return false;
-  }
-  if (sessionRecord.state === "completed" || sessionRecord.state === "failed" || sessionRecord.state === "abandoned") {
-    return true;
-  }
-  if (sessionRecord.state !== "awaiting_resume" || sessionRecord.resumeReason !== "auth") {
-    return true;
-  }
-  const currentState = await getPersistedThreadState(
-    stored.resumeConversationId
+  const destination = stored.destination;
+  const currentState = await getPersistedThreadState(
+    stored.resumeConversationId
   );
   const conversation = coerceThreadConversationState(currentState);
   const pendingAuth = getConversationPendingAuth({
     conversation,
     kind: "plugin",
     provider: stored.provider,
-    requesterId: stored.userId
+    requesterId: stored.userId,
+    ...stored.scope ? { scope: stored.scope } : {}
   });
   const resolvedSessionId = pendingAuth?.sessionId ?? stored.resumeSessionId;
   const userMessage2 = resolvedSessionId ? getTurnUserMessage(conversation, resolvedSessionId) : void 0;
@@ -16623,32 +16937,34 @@ async function resumeOAuthSessionRecordTurn(stored) {
       });
       return true;
     }
-  } else {
-    if (!userMessage2?.author?.userId) {
-      return false;
-    }
-    if (conversation.processing.activeTurnId !== stored.resumeSessionId) {
-      return true;
-    }
   }
-  if (!userMessage2?.author?.userId || !resolvedSessionId) {
+  const sessionRecord = await getAgentTurnSessionRecord(
+    stored.resumeConversationId,
+    resolvedSessionId
+  );
+  if (!sessionRecord) {
+    return false;
+  }
+  if (sessionRecord.state === "completed" || sessionRecord.state === "failed" || sessionRecord.state === "abandoned") {
+    return true;
+  }
+  if (sessionRecord.state !== "awaiting_resume" || sessionRecord.resumeReason !== "auth") {
+    return true;
+  }
+  if (!userMessage2?.author?.userId) {
     return false;
   }
+  if (!pendingAuth && conversation.processing.activeTurnId !== stored.resumeSessionId) {
+    return true;
+  }
   await resumeSlackTurn({
-    messageText: stored.pendingMessage ?? userMessage2.text,
+    messageText: pendingAuth ? userMessage2.text : stored.pendingMessage ?? userMessage2.text,
     channelId: stored.channelId,
     threadTs: stored.threadTs,
     messageTs: getTurnUserSlackMessageTs(userMessage2),
     lockKey: stored.resumeConversationId,
     initialText: "",
     beforeStart: async () => {
-      const lockedSessionRecord = await getAgentTurnSessionRecord(
-        stored.resumeConversationId,
-        stored.resumeSessionId
-      );
-      if (!lockedSessionRecord || lockedSessionRecord.state !== "awaiting_resume" || lockedSessionRecord.resumeReason !== "auth") {
-        return false;
-      }
       const lockedState = await getPersistedThreadState(
         stored.resumeConversationId
       );
@@ -16658,12 +16974,20 @@ async function resumeOAuthSessionRecordTurn(stored) {
         conversation: lockedConversation,
         kind: "plugin",
         provider: stored.provider,
-        requesterId: stored.userId
+        requesterId: stored.userId,
+        ...stored.scope ? { scope: stored.scope } : {}
       });
       const lockedSessionId = lockedPendingAuth?.sessionId ?? stored.resumeSessionId;
       if (lockedSessionId !== resolvedSessionId) {
         return false;
       }
+      const lockedSessionRecord = await getAgentTurnSessionRecord(
+        stored.resumeConversationId,
+        lockedSessionId
+      );
+      if (!lockedSessionRecord || lockedSessionRecord.state !== "awaiting_resume" || lockedSessionRecord.resumeReason !== "auth") {
+        return false;
+      }
       if (lockedPendingAuth) {
         if (!isPendingAuthLatestRequest(lockedConversation, lockedPendingAuth)) {
           clearPendingAuth(lockedConversation, lockedPendingAuth.sessionId);
@@ -16711,7 +17035,7 @@ async function resumeOAuthSessionRecordTurn(stored) {
         lockedUserMessage.author.userId
       );
       return {
-        messageText: stored.pendingMessage ?? lockedUserMessage.text,
+        messageText: lockedPendingAuth ? lockedUserMessage.text : stored.pendingMessage ?? lockedUserMessage.text,
         messageTs: getTurnUserSlackMessageTs(lockedUserMessage),
         replyContext: {
           credentialContext: {
@@ -16721,6 +17045,7 @@ async function resumeOAuthSessionRecordTurn(stored) {
             }
           },
           requester,
+          destination,
           correlation: {
             conversationId: stored.resumeConversationId,
             turnId: lockedSessionId,
@@ -16797,6 +17122,7 @@ async function resumeOAuthSessionRecordTurn(stored) {
           }
           await scheduleTurnTimeoutResume({
             conversationId: stored.resumeConversationId,
+            destination,
             sessionId: lockedSessionId,
             expectedVersion: version
           });
@@ -16807,7 +17133,9 @@ async function resumeOAuthSessionRecordTurn(stored) {
   return true;
 }
 async function resumePendingOAuthMessage(stored) {
-  if (!stored.pendingMessage || !stored.channelId || !stored.threadTs) return;
+  if (!stored.pendingMessage || !stored.channelId || !stored.destination || !stored.threadTs) {
+    return;
+  }
   const threadId = `slack:${stored.channelId}:${stored.threadTs}`;
   const conversation = coerceThreadConversationState(
     await getPersistedThreadState(threadId)
@@ -16828,6 +17156,13 @@ async function resumePendingOAuthMessage(stored) {
         actor: { type: "user", userId: stored.userId }
       },
       requester,
+      destination: stored.destination,
+      correlation: {
+        conversationId: threadId,
+        channelId: stored.channelId,
+        threadTs: stored.threadTs,
+        requesterId: stored.userId
+      },
       conversationContext,
       piMessages: conversation.piMessages,
       configuration: stored.configuration
@@ -16887,7 +17222,7 @@ async function GET4(request, provider, waitUntil) {
   }
   const stateAdapter = getStateAdapter();
   const stateKey2 = `oauth-state:${state}`;
-  const stored = await stateAdapter.get(stateKey2);
+  const stored = parseOAuthStatePayload(await stateAdapter.get(stateKey2));
   if (!stored) {
     return htmlErrorResponse(
       "Link expired",
@@ -16921,6 +17256,7 @@ async function GET4(request, provider, waitUntil) {
     );
   }
   const redirectUri = `${baseUrl}${providerConfig.callbackPath}`;
+  const requestedScope = stored.scope ?? providerConfig.scope;
   let tokenResponse;
   try {
     const tokenRequest = buildOAuthTokenRequest({
@@ -16953,13 +17289,12 @@ async function GET4(request, provider, waitUntil) {
       500
     );
   }
-  const tokenData = await tokenResponse.json();
   let parsedTokenResponse;
   try {
-    parsedTokenResponse = parseOAuthTokenResponse(
-      tokenData,
-      providerConfig.scope
-    );
+    const tokenData = await tokenResponse.json();
+    parsedTokenResponse = parseOAuthTokenResponse(tokenData, requestedScope, {
+      treatEmptyScopeAsUnreported: providerConfig.treatEmptyScopeAsUnreported
+    });
   } catch {
     return htmlErrorResponse(
       "Connection failed",
@@ -16967,7 +17302,7 @@ async function GET4(request, provider, waitUntil) {
       500
     );
   }
-  if (!hasRequiredOAuthScope(parsedTokenResponse.scope, providerConfig.scope)) {
+  if (!hasRequiredOAuthScope(parsedTokenResponse.scope, requestedScope)) {
     return htmlErrorResponse(
       "Connection failed",
       `The ${providerLabel} authorization did not grant the access Junior requires. Return to Slack and ask Junior to connect your ${providerLabel} account again.`,
@@ -16975,7 +17310,23 @@ async function GET4(request, provider, waitUntil) {
     );
   }
   const userTokenStore = createUserTokenStore();
-  await userTokenStore.set(stored.userId, provider, parsedTokenResponse);
+  let account;
+  try {
+    account = await resolvePluginOAuthAccount({
+      provider,
+      tokens: parsedTokenResponse
+    });
+  } catch {
+    return htmlErrorResponse(
+      "Connection failed",
+      `Junior could not verify the connected ${providerLabel} account. Please try again.`,
+      500
+    );
+  }
+  await userTokenStore.set(stored.userId, provider, {
+    ...parsedTokenResponse,
+    ...account ? { account } : {}
+  });
   waitUntil(async () => {
     try {
       await publishAppHomeView(getSlackClient(), stored.userId, userTokenStore);
@@ -17023,6 +17374,148 @@ async function GET4(request, provider, waitUntil) {
   });
 }
 
+// src/chat/sandbox/egress-credentials.ts
+var HTTP_READ_METHODS = /* @__PURE__ */ new Set(["GET", "HEAD", "OPTIONS"]);
+var SandboxEgressCredentialNeededError = class extends Error {
+  authorization;
+  grant;
+  provider;
+  constructor(input) {
+    super(input.message);
+    this.name = "SandboxEgressCredentialNeededError";
+    this.authorization = input.authorization;
+    this.grant = input.grant;
+    this.provider = input.provider;
+  }
+};
+function defaultGrantForProvider(input) {
+  const access = HTTP_READ_METHODS.has(
+    input.method.toUpperCase()
+  ) ? "read" : "write";
+  return {
+    source: "broker",
+    grant: {
+      name: "default",
+      access,
+      reason: `sandbox-egress:${input.provider}:${access}`
+    }
+  };
+}
+function oauthAuthorizationForProvider(provider) {
+  const oauth = getPluginOAuthConfig(provider);
+  return oauth ? {
+    type: "oauth",
+    provider,
+    ...oauth.scope ? { scope: oauth.scope } : {}
+  } : void 0;
+}
+function credentialSubjectFromContext(context) {
+  return "subject" in context.credentials && context.credentials.subject ? { type: "user", userId: context.credentials.subject.userId } : void 0;
+}
+function assertLeaseTransformsOwnedByProvider(provider, lease) {
+  for (const transform of lease.headerTransforms) {
+    if (resolveSandboxEgressProviderForHost(transform.domain) !== provider) {
+      throw new Error(
+        `Credential lease for ${provider} included header transform for unowned domain ${transform.domain}`
+      );
+    }
+  }
+}
+async function selectSandboxEgressGrant(input) {
+  if (!hasEgressCredentialHooks(input.provider)) {
+    return defaultGrantForProvider(input);
+  }
+  const pluginGrant = await selectPluginGrant({
+    provider: input.provider,
+    method: input.method,
+    upstreamUrl: input.upstreamUrl
+  });
+  if (!pluginGrant) {
+    throw new Error(
+      `Plugin "${input.provider}" grantForEgress must return a grant for sandbox egress`
+    );
+  }
+  return { source: "plugin", grant: pluginGrant };
+}
+function authorizationForSandboxEgressGrant(provider, selection) {
+  return selection.source === "broker" ? oauthAuthorizationForProvider(provider) : void 0;
+}
+async function sandboxEgressCredentialLease(provider, selection, context) {
+  const { grant } = selection;
+  const cached = await getSandboxEgressCredentialLease(
+    provider,
+    grant.name,
+    context
+  );
+  if (cached) {
+    if (selection.source === "plugin" && cached.grant.access !== grant.access) {
+      throw new Error(
+        `Cached credential lease for ${provider}/${grant.name} has ${cached.grant.access} access, but ${grant.access} was selected`
+      );
+    }
+    return {
+      ...cached,
+      grant
+    };
+  }
+  let lease;
+  if (selection.source === "plugin") {
+    const credentialSubject = credentialSubjectFromContext(context);
+    const pluginResult = await issuePluginCredential({
+      provider,
+      grant,
+      actor: context.credentials.actor,
+      ...credentialSubject ? { credentialSubject } : {},
+      userTokenStore: createUserTokenStore()
+    });
+    if (pluginResult.type === "needed") {
+      throw new SandboxEgressCredentialNeededError({
+        provider,
+        grant,
+        authorization: pluginResult.authorization,
+        message: pluginResult.message
+      });
+    }
+    if (pluginResult.type === "unavailable") {
+      throw new CredentialUnavailableError(provider, pluginResult.message);
+    }
+    lease = pluginResult.lease;
+  } else {
+    lease = await issueProviderCredentialLease({
+      context: context.credentials,
+      provider,
+      reason: grant.reason ?? `sandbox-egress:${provider}:default`
+    });
+  }
+  const headerTransforms = lease.headerTransforms ?? [];
+  if (headerTransforms.length === 0) {
+    throw new Error(
+      `Credential lease for ${provider} did not include header transforms`
+    );
+  }
+  const leaseExpiresAtMs = Date.parse(lease.expiresAt);
+  if (!Number.isFinite(leaseExpiresAtMs) || leaseExpiresAtMs <= Date.now()) {
+    throw new Error(`Credential lease for ${provider} is expired`);
+  }
+  const authorization = selection.source === "broker" ? oauthAuthorizationForProvider(provider) : lease.authorization;
+  const cachedLease = {
+    provider,
+    grant,
+    ...lease.account ? { account: lease.account } : {},
+    ...authorization ? { authorization } : {},
+    expiresAt: lease.expiresAt,
+    headerTransforms
+  };
+  assertLeaseTransformsOwnedByProvider(provider, cachedLease);
+  await setSandboxEgressCredentialLease(context, cachedLease);
+  return cachedLease;
+}
+function hasSandboxEgressLeaseTransformForHost(lease, host) {
+  return lease.headerTransforms.some(
+    (transform) => matchesSandboxEgressDomain(host, transform.domain)
+  );
+}
+
 // src/chat/sandbox/egress-oidc.ts
 import {
   createRemoteJWKSet,
@@ -17126,6 +17619,19 @@ var UPSTREAM_PERMISSION_REJECTION_STATUS = 403;
 function jsonError(message, status) {
   return Response.json({ error: message }, { status });
 }
+function authRequiredResponse(input) {
+  return new Response(
+    `junior-auth-required provider=${input.provider} grant=${input.grant.name} access=${input.grant.access} 401 unauthorized
+${input.message}`,
+    {
+      status: 401,
+      headers: {
+        "content-type": "text/plain; charset=utf-8",
+        "cache-control": "no-store"
+      }
+    }
+  );
+}
 function shouldLogSandboxEgressInfo() {
   const environment = (process.env.SENTRY_ENVIRONMENT ?? process.env.VERCEL_ENV ?? process.env.NODE_ENV ?? "").trim().toLowerCase();
   return environment !== "production";
@@ -17133,7 +17639,10 @@ function shouldLogSandboxEgressInfo() {
 function egressAttributes(input) {
   return {
     ...input.egressId ? { "app.sandbox.egress_id": input.egressId } : {},
-    ...input.provider ? { "app.credential.provider": input.provider } : {},
+    ...input.provider ? { "app.provider.name": input.provider } : {},
+    ...input.grantName ? { "app.grant.name": input.grantName } : {},
+    ...input.grantAccess ? { "app.grant.access": input.grantAccess } : {},
+    ...input.grantReason ? { "app.grant.reason": input.grantReason } : {},
     ...input.host ? { "server.address": input.host } : {},
     ...input.method ? { "http.request.method": input.method } : {},
     ...input.path ? { "url.path": input.path } : {},
@@ -17169,9 +17678,42 @@ function routingAttributes(request, upstreamUrl) {
   };
   if (upstreamUrl) {
     attributes["app.sandbox.egress.upstream_path"] = upstreamUrl.pathname;
+    const gitService = upstreamUrl.searchParams.get("service");
+    if (upstreamUrl.hostname.toLowerCase() === "github.com" && (gitService === "git-upload-pack" || gitService === "git-receive-pack")) {
+      attributes["app.sandbox.egress.git_service"] = gitService;
+    }
   }
   return attributes;
 }
+function displayedUpstreamPath(upstreamUrl) {
+  const gitService = upstreamUrl.searchParams.get("service");
+  if (upstreamUrl.hostname.toLowerCase() === "github.com" && (gitService === "git-upload-pack" || gitService === "git-receive-pack")) {
+    return `${upstreamUrl.pathname}?service=${gitService}`;
+  }
+  return upstreamUrl.pathname;
+}
+function upstreamPermissionAttributes(provider, upstream) {
+  if (provider !== "github") {
+    return {};
+  }
+  return {
+    "app.github.accepted_permissions": upstream.headers.get("x-accepted-github-permissions") ?? void 0,
+    "app.github.sso": upstream.headers.get("x-github-sso") ?? void 0
+  };
+}
+function githubPermissionHeaders(upstream) {
+  const acceptedPermissions = upstream.headers.get(
+    "x-accepted-github-permissions"
+  );
+  const sso = upstream.headers.get("x-github-sso");
+  return {
+    ...acceptedPermissions ? { acceptedPermissions } : {},
+    ...sso ? { sso } : {}
+  };
+}
+function permissionDeniedMessage(provider, grant) {
+  return `${provider} returned HTTP 403 after Junior injected the ${grant.name} grant. Junior forwarded the request; this is not a local runtime block.`;
+}
 function logSandboxEgressUpstreamRequest(input) {
   if (!shouldLogSandboxEgressInfo()) {
     return;
@@ -17182,6 +17724,9 @@ function logSandboxEgressUpstreamRequest(input) {
     {
       ...egressAttributes({
         egressId: input.egressId,
+        grantAccess: input.grantAccess,
+        grantName: input.grantName,
+        grantReason: input.grantReason,
         host: input.upstreamUrl.hostname,
         method: input.request.method,
         path: input.upstreamUrl.pathname,
@@ -17191,7 +17736,7 @@ function logSandboxEgressUpstreamRequest(input) {
       ...routingAttributes(input.request, input.upstreamUrl),
       "app.sandbox.egress.upstream_ok": input.upstream.ok
     },
-    `Sandbox egress ${input.request.method} ${input.upstreamUrl.hostname}${input.upstreamUrl.pathname} -> ${input.upstream.status}`
+    `Sandbox egress ${input.request.method} ${input.upstreamUrl.hostname}${displayedUpstreamPath(input.upstreamUrl)} -> ${input.upstream.status}`
   );
 }
 function normalizeHost(value) {
@@ -17306,35 +17851,6 @@ function responseHeaders(upstream) {
   });
   return headers;
 }
-async function credentialLease(provider, context) {
-  const cached = await getSandboxEgressCredentialLease(provider, context);
-  if (cached) {
-    return cached;
-  }
-  const lease = await issueProviderCredentialLease({
-    context: context.credentials,
-    provider,
-    reason: `sandbox-egress:${provider}`
-  });
-  const headerTransforms = lease.headerTransforms ?? [];
-  if (headerTransforms.length === 0) {
-    throw new Error(
-      `Credential lease for ${provider} did not include header transforms`
-    );
-  }
-  const cachedLease = {
-    provider,
-    expiresAt: lease.expiresAt,
-    headerTransforms
-  };
-  await setSandboxEgressCredentialLease(context, cachedLease);
-  return cachedLease;
-}
-function hasTransformForHost(lease, host) {
-  return lease.headerTransforms.some(
-    (transform) => matchesSandboxEgressDomain(host, transform.domain)
-  );
-}
 function isSandboxEgressForwardedRequest(request) {
   return Boolean(
     request.headers.get(OIDC_TOKEN_HEADER)?.trim() && request.headers.get(FORWARDED_HOST_HEADER)?.trim() && request.headers.get(FORWARDED_SCHEME_HEADER)?.trim()
@@ -17440,17 +17956,72 @@ async function proxySandboxEgressRequest(request, deps = {}) {
       403
     );
   }
+  const grantSelection = await selectSandboxEgressGrant({
+    provider,
+    method: request.method,
+    upstreamUrl
+  });
   let lease;
   try {
-    lease = await credentialLease(provider, credentialContext);
+    lease = await sandboxEgressCredentialLease(
+      provider,
+      grantSelection,
+      credentialContext
+    );
   } catch (error) {
+    if (error instanceof SandboxEgressCredentialNeededError) {
+      await setSandboxEgressAuthRequiredSignal(credentialContext, {
+        provider: error.provider,
+        grant: error.grant,
+        ...error.authorization ? { authorization: error.authorization } : {},
+        message: error.message
+      });
+      logWarn(
+        "sandbox_egress_credential_needed",
+        {},
+        {
+          ...egressAttributes({
+            egressId: activeEgressId,
+            grantAccess: error.grant.access,
+            grantName: error.grant.name,
+            grantReason: error.grant.reason,
+            host: upstreamUrl.hostname,
+            method: request.method,
+            path: upstreamUrl.pathname,
+            provider: error.provider,
+            status: 401
+          }),
+          ...routingAttributes(request, upstreamUrl)
+        },
+        "Sandbox egress grant needs user authorization before issuing a credential lease"
+      );
+      return authRequiredResponse({
+        provider: error.provider,
+        grant: error.grant,
+        message: error.message
+      });
+    }
     if (error instanceof CredentialUnavailableError) {
+      const failedGrant = grantSelection.grant;
+      const authorization = authorizationForSandboxEgressGrant(
+        error.provider,
+        grantSelection
+      );
+      await setSandboxEgressAuthRequiredSignal(credentialContext, {
+        provider: error.provider,
+        grant: failedGrant,
+        ...authorization ? { authorization } : {},
+        message: error.message
+      });
       logWarn(
         "sandbox_egress_credential_unavailable",
         {},
         {
           ...egressAttributes({
             egressId: activeEgressId,
+            grantAccess: failedGrant.access,
+            grantName: failedGrant.name,
+            grantReason: failedGrant.reason,
             host: upstreamUrl.hostname,
             method: request.method,
             path: upstreamUrl.pathname,
@@ -17459,26 +18030,26 @@ async function proxySandboxEgressRequest(request, deps = {}) {
           }),
           ...routingAttributes(request, upstreamUrl)
         },
-        "Sandbox egress provider credential is unavailable"
-      );
-      return new Response(
-        `junior-auth-required provider=${error.provider} 401 unauthorized
-${error.message}`,
-        {
-          status: 401,
-          headers: { "content-type": "text/plain; charset=utf-8" }
-        }
+        "Sandbox egress credential lease is unavailable for selected grant"
       );
+      return authRequiredResponse({
+        provider: error.provider,
+        grant: failedGrant,
+        message: error.message
+      });
     }
     throw error;
   }
-  if (!hasTransformForHost(lease, upstreamUrl.hostname)) {
+  if (!hasSandboxEgressLeaseTransformForHost(lease, upstreamUrl.hostname)) {
     logWarn(
       "sandbox_egress_transform_missing",
       {},
       {
         ...egressAttributes({
           egressId: activeEgressId,
+          grantAccess: lease.grant.access,
+          grantName: lease.grant.name,
+          grantReason: lease.grant.reason,
           host: upstreamUrl.hostname,
           method: request.method,
           path: upstreamUrl.pathname,
@@ -17494,9 +18065,9 @@ ${error.message}`,
     );
     return jsonError("Credential lease does not cover forwarded host", 403);
   }
-  const body = await requestBodyBytes(request);
   const fetchImpl = deps.fetch ?? fetch;
   const headers = requestHeaders(request, lease, upstreamUrl.hostname);
+  const body = await requestBodyBytes(request);
   const intercepted = await deps.interceptHttp?.({
     provider,
     request: new Request(upstreamUrl, {
@@ -17517,6 +18088,9 @@ ${error.message}`,
   });
   logSandboxEgressUpstreamRequest({
     egressId: activeEgressId,
+    grantAccess: lease.grant.access,
+    grantName: lease.grant.name,
+    grantReason: lease.grant.reason,
     provider,
     request,
     upstream,
@@ -17529,6 +18103,9 @@ ${error.message}`,
       {
         ...egressAttributes({
           egressId: activeEgressId,
+          grantAccess: lease.grant.access,
+          grantName: lease.grant.name,
+          grantReason: lease.grant.reason,
           host: upstreamUrl.hostname,
           method: request.method,
           path: upstreamUrl.pathname,
@@ -17536,6 +18113,7 @@ ${error.message}`,
           status: upstream.status
         }),
         ...routingAttributes(request, upstreamUrl),
+        ...upstreamPermissionAttributes(provider, upstream),
         "error.type": `http_${upstream.status}`
       },
       `Sandbox egress upstream returned HTTP ${upstream.status}`
@@ -17548,6 +18126,9 @@ ${error.message}`,
       {
         ...egressAttributes({
           egressId: activeEgressId,
+          grantAccess: lease.grant.access,
+          grantName: lease.grant.name,
+          grantReason: lease.grant.reason,
           host: upstreamUrl.hostname,
           method: request.method,
           path: upstreamUrl.pathname,
@@ -17555,27 +18136,49 @@ ${error.message}`,
           status: upstream.status
         }),
         ...routingAttributes(request, upstreamUrl),
+        ...upstreamPermissionAttributes(provider, upstream),
         ...upstream.status === UPSTREAM_TOKEN_REJECTION_STATUS ? {
           "app.sandbox.egress.www_authenticate": upstream.headers.get("www-authenticate") ?? void 0
         } : {}
       },
       upstream.status === UPSTREAM_TOKEN_REJECTION_STATUS ? "Sandbox egress upstream auth rejected injected credential" : "Sandbox egress upstream permission denied"
     );
-    await clearSandboxEgressCredentialLease(provider, credentialContext);
     if (upstream.status === UPSTREAM_TOKEN_REJECTION_STATUS) {
+      await clearSandboxEgressCredentialLease(
+        provider,
+        lease.grant.name,
+        credentialContext
+      );
+      await setSandboxEgressAuthRequiredSignal(credentialContext, {
+        provider,
+        grant: lease.grant,
+        ...lease.authorization ? { authorization: lease.authorization } : {},
+        message: `Provider rejected the injected ${provider} credential.`
+      });
       await upstream.body?.cancel().catch(() => void 0);
-      return new Response(
-        `junior-auth-required provider=${provider} 401 unauthorized
-Provider rejected the injected ${provider} credential.
-`,
-        {
-          status: 401,
-          headers: {
-            "content-type": "text/plain; charset=utf-8",
-            "cache-control": "no-store"
-          }
-        }
+      return authRequiredResponse({
+        provider,
+        grant: lease.grant,
+        message: `Provider rejected the injected ${provider} credential.
+`
+      });
+    } else {
+      await clearSandboxEgressCredentialLease(
+        provider,
+        lease.grant.name,
+        credentialContext
       );
+      await setSandboxEgressPermissionDeniedSignal(credentialContext, {
+        provider,
+        grant: lease.grant,
+        ...lease.account ? { account: lease.account } : {},
+        message: permissionDeniedMessage(provider, lease.grant),
+        source: "upstream",
+        status: UPSTREAM_PERMISSION_REJECTION_STATUS,
+        upstreamHost: upstreamUrl.hostname,
+        upstreamPath: displayedUpstreamPath(upstreamUrl),
+        ...provider === "github" ? githubPermissionHeaders(upstream) : {}
+      });
     }
   }
   return new Response(upstream.body, {
@@ -17720,6 +18323,7 @@ async function resumeTimedOutTurn(payload, options = {}) {
             }
           },
           requester,
+          destination: payload.destination,
           correlation: {
             conversationId: payload.conversationId,
             turnId: payload.sessionId,
@@ -17787,6 +18391,7 @@ async function resumeTimedOutTurn(payload, options = {}) {
           }
           await scheduleTurnTimeoutResume2({
             conversationId: payload.conversationId,
+            destination: payload.destination,
             sessionId: payload.sessionId,
             expectedVersion: version
           });
@@ -17864,14 +18469,14 @@ async function POST2(request, waitUntil, options = {}) {
 }
 
 // src/chat/services/subscribed-decision.ts
-import { z as z2 } from "zod";
-var replyDecisionSchema = z2.object({
-  should_reply: z2.boolean().describe("Whether Junior should respond to this thread message."),
-  should_unsubscribe: z2.boolean().optional().describe(
+import { z as z4 } from "zod";
+var replyDecisionSchema = z4.object({
+  should_reply: z4.boolean().describe("Whether Junior should respond to this thread message."),
+  should_unsubscribe: z4.boolean().optional().describe(
     "Whether Junior should unsubscribe from this thread because the user clearly asked it to stop participating."
   ),
-  confidence: z2.number().min(0).max(1).describe("Classifier confidence from 0 to 1."),
-  reason: z2.string().optional().describe("Short reason for the decision.")
+  confidence: z4.number().min(0).max(1).describe("Classifier confidence from 0 to 1."),
+  reason: z4.string().optional().describe("Short reason for the decision.")
 });
 var ROUTER_CONFIDENCE_THRESHOLD = 0.8;
 var ROUTER_CLASSIFIER_MAX_TOKENS = 240;
@@ -18181,6 +18786,9 @@ async function decideSubscribedThreadReply(args) {
       reasonDetail: reason
     };
   } catch (error) {
+    if (isProviderRetryError(error)) {
+      throw error;
+    }
     args.logClassifierFailure(error, args.input);
     return {
       shouldReply: false,
@@ -18265,6 +18873,9 @@ async function ensureSlackMessageActorIdentity(message, lookupSlackUser2) {
 
 // src/chat/runtime/slack-runtime.ts
 var THREAD_OPTOUT_ACK = "Understood. I'll stay out of this thread unless someone @mentions me again.";
+function shouldRethrowTurnControlError(error) {
+  return isCooperativeTurnYieldError(error) || isTurnInputCommitLostError(error) || isProviderRetryError(error);
+}
 async function maybeHandleThreadOptOutDecision(args) {
   if (!args.decision?.shouldUnsubscribe) {
     return false;
@@ -18294,7 +18905,7 @@ function getQueuedMessagesFromSlackMessages(messages, options) {
   );
 }
 function createSteeringMessageDrain(hooks, options) {
-  if (!hooks?.drainSteeringMessages) {
+  if (!hooks.drainSteeringMessages) {
     return void 0;
   }
   return async (inject) => {
@@ -18332,7 +18943,7 @@ function createSlackTurnRuntime(deps) {
       if (shouldKeepProcessingReactionForToolInvocation(invocation)) {
         processingReaction.keep();
       }
-      hooks?.onToolInvocation?.(invocation);
+      hooks.onToolInvocation?.(invocation);
     };
   };
   const stopProcessingReactions = async (processingReactions) => {
@@ -18450,7 +19061,7 @@ function createSlackTurnRuntime(deps) {
         );
         await deps.withSpan("chat.turn", "chat.turn", context, async () => {
           await thread.subscribe();
-          const queuedMessages = getQueuedMessages(hooks?.messageContext, {
+          const queuedMessages = getQueuedMessages(hooks.messageContext, {
             explicitMention: true,
             stripLeadingBotMention: deps.stripLeadingBotMention
           });
@@ -18467,7 +19078,7 @@ function createSlackTurnRuntime(deps) {
             );
           };
           const onInputCommitted = async () => {
-            await hooks?.onInputCommitted?.();
+            await hooks.onInputCommitted?.();
             await startQueuedProcessingReactions();
           };
           const drainSteeringMessages = createSteeringMessageDrain(hooks, {
@@ -18483,18 +19094,19 @@ function createSlackTurnRuntime(deps) {
           });
           await deps.replyToThread(thread, message, {
             explicitMention: true,
-            beforeFirstResponsePost: hooks?.beforeFirstResponsePost,
+            beforeFirstResponsePost: hooks.beforeFirstResponsePost,
+            destination: hooks.destination,
             queuedMessages,
             onInputCommitted,
             onToolInvocation: toolInvocationHook,
             onTurnCompleted,
             drainSteeringMessages,
-            onTurnStatePersisted: hooks?.onTurnStatePersisted,
-            shouldYield: hooks?.shouldYield
+            onTurnStatePersisted: hooks.onTurnStatePersisted,
+            shouldYield: hooks.shouldYield
           });
         });
       } catch (error) {
-        if (isCooperativeTurnYieldError(error) || isTurnInputCommitLostError(error)) {
+        if (shouldRethrowTurnControlError(error)) {
           throw error;
         }
         const errorContext = logContext({
@@ -18526,7 +19138,7 @@ function createSlackTurnRuntime(deps) {
             "Sentry did not return an event ID for mention_handler_failed"
           );
         }
-        await hooks?.beforeFirstResponsePost?.();
+        await hooks.beforeFirstResponsePost?.();
         await postFallbackErrorReplyWithLogging({
           thread,
           errorContext,
@@ -18580,7 +19192,7 @@ function createSlackTurnRuntime(deps) {
             channelId,
             runId
           };
-          const queuedMessages = getQueuedMessages(hooks?.messageContext, {
+          const queuedMessages = getQueuedMessages(hooks.messageContext, {
             explicitMention: Boolean(message.isMention),
             stripLeadingBotMention: deps.stripLeadingBotMention
           });
@@ -18639,7 +19251,7 @@ function createSlackTurnRuntime(deps) {
           if (await maybeHandleThreadOptOutDecision({
             thread,
             decision,
-            beforeFirstResponsePost: hooks?.beforeFirstResponsePost
+            beforeFirstResponsePost: hooks.beforeFirstResponsePost
           })) {
             await skipSubscribedMessage({
               thread,
@@ -18679,7 +19291,7 @@ function createSlackTurnRuntime(deps) {
             );
           };
           const onInputCommitted = async () => {
-            await hooks?.onInputCommitted?.();
+            await hooks.onInputCommitted?.();
             await startQueuedProcessingReactions();
           };
           const toolInvocationHook = createToolInvocationHook(
@@ -18688,19 +19300,20 @@ function createSlackTurnRuntime(deps) {
           );
           await deps.replyToThread(thread, message, {
             explicitMention: Boolean(message.isMention),
+            destination: hooks.destination,
             preparedState,
-            beforeFirstResponsePost: hooks?.beforeFirstResponsePost,
+            beforeFirstResponsePost: hooks.beforeFirstResponsePost,
             queuedMessages,
             onInputCommitted,
             onToolInvocation: toolInvocationHook,
             onTurnCompleted,
             drainSteeringMessages,
-            onTurnStatePersisted: hooks?.onTurnStatePersisted,
-            shouldYield: hooks?.shouldYield
+            onTurnStatePersisted: hooks.onTurnStatePersisted,
+            shouldYield: hooks.shouldYield
           });
         });
       } catch (error) {
-        if (isCooperativeTurnYieldError(error) || isTurnInputCommitLostError(error)) {
+        if (shouldRethrowTurnControlError(error)) {
           throw error;
         }
         const errorContext = logContext({
@@ -18732,7 +19345,7 @@ function createSlackTurnRuntime(deps) {
             "Sentry did not return an event ID for subscribed_message_handler_failed"
           );
         }
-        await hooks?.beforeFirstResponsePost?.();
+        await hooks.beforeFirstResponsePost?.();
         await postFallbackErrorReplyWithLogging({
           thread,
           errorContext,
@@ -19857,7 +20470,7 @@ async function loadPiMessagesForTurn(args) {
   return { piMessages: fallback };
 }
 function createReplyToThread(deps) {
-  return async function replyToThread(thread, message, options = {}) {
+  return async function replyToThread(thread, message, options) {
     if (message.author.isMe) {
       return;
     }
@@ -19872,7 +20485,8 @@ function createReplyToThread(deps) {
     const threadTs = getThreadTs(threadId);
     const assistantThreadContext = getAssistantThreadContext(message);
     const messageTs = getMessageTs(message);
-    const teamId = getTeamId(message);
+    const destination = options.destination;
+    const teamId = destination.teamId;
     const runId = getRunId(thread, message);
     const conversationId = threadId ?? runId;
     await withSpan(
@@ -20089,6 +20703,7 @@ function createReplyToThread(deps) {
             state: "running",
             surface: "slack",
             requester,
+            destination,
             traceId: getActiveTraceId()
           }).catch((error) => {
             logException(
@@ -20269,6 +20884,7 @@ function createReplyToThread(deps) {
               omittedImageAttachmentCount,
               userAttachments,
               slackConversation,
+              destination,
               surface: "slack",
               turnDeadlineAtMs: getTurnRequestDeadline()?.deadlineAtMs,
               correlation: {
@@ -20427,6 +21043,7 @@ function createReplyToThread(deps) {
               state: "completed",
               conversationTitle: titleUpdateResult?.title,
               requester,
+              destination,
               traceId: getActiveTraceId()
             });
           }
@@ -20467,10 +21084,11 @@ function createReplyToThread(deps) {
             const conversationIdForResume = error.metadata?.conversationId;
             const sessionIdForResume = error.metadata?.sessionId;
             const version = error.metadata?.version;
-            if (conversationIdForResume && sessionIdForResume && typeof version === "number") {
+            if (conversationIdForResume && sessionIdForResume && typeof version === "number" && destination) {
               try {
                 await deps.services.scheduleTurnTimeoutResume({
                   conversationId: conversationIdForResume,
+                  destination,
                   sessionId: sessionIdForResume,
                   expectedVersion: version
                 });
@@ -20578,6 +21196,7 @@ function createReplyToThread(deps) {
                   startedAtMs: message.metadata.dateSent.getTime(),
                   state: "failed",
                   requester,
+                  destination,
                   traceId: getActiveTraceId()
                 });
                 const sessionRecord = await getAgentTurnSessionRecord(
@@ -21016,7 +21635,7 @@ function nonEmptyString(value) {
   return trimmed || void 0;
 }
 
-// src/chat/queue/thread-message-dispatcher.ts
+// src/chat/slack/attachment-fetchers.ts
 function rehydrateAttachmentFetchers(message, downloadPrivateSlackFile2 = downloadPrivateSlackFile) {
   for (const attachment of message.attachments) {
     if (!attachment.fetchData && attachment.url) {
@@ -21316,6 +21935,7 @@ function createSlackConversationWorker(options) {
         try {
           if (route === "mention") {
             await options.runtime.handleNewMention(thread, latestMessage, {
+              destination: context.destination,
               messageContext,
               drainSteeringMessages,
               onInputCommitted,
@@ -21324,6 +21944,7 @@ function createSlackConversationWorker(options) {
             return;
           }
           await options.runtime.handleSubscribedMessage(thread, latestMessage, {
+            destination: context.destination,
             messageContext,
             drainSteeringMessages,
             onInputCommitted,
@@ -21348,8 +21969,16 @@ function createSlackConversationWorker(options) {
 }
 function buildSlackInboundMessage(args) {
   const authorId = requireSlackAuthorId(args.message);
+  const destination = createSlackDestination({
+    channelId: args.thread.channelId,
+    teamId: args.installation?.teamId
+  });
+  if (!destination) {
+    throw new Error("Slack inbound message requires destination context");
+  }
   return {
     conversationId: args.conversationId,
+    destination,
     inboundMessageId: [
       "slack",
       args.installation?.teamId ?? args.installation?.enterpriseId ?? "unknown",
@@ -22256,7 +22885,11 @@ async function POST3(request, platform, waitUntil) {
 }
 
 // src/chat/task-execution/vercel-callback.ts
-import { handleCallback } from "@vercel/queue";
+import {
+  handleCallback,
+  QueueClient,
+  registerDevConsumer
+} from "@vercel/queue";
 
 // src/chat/task-execution/worker.ts
 var CONVERSATION_WORK_DEFER_DELAY_MS = 15e3;
@@ -22269,7 +22902,10 @@ function nudgeIdempotencyKey(reason, conversationId, nowMs) {
 }
 async function sendWakeNudge(args) {
   await args.options.queue.send(
-    { conversationId: args.conversationId },
+    {
+      conversationId: args.conversationId,
+      destination: args.destination
+    },
     {
       delayMs: args.delayMs,
       idempotencyKey: args.idempotencyKey
@@ -22284,6 +22920,7 @@ async function sendWakeNudge(args) {
 async function requestLostLeaseRecovery(args) {
   const continuationMarked = await requestConversationContinuation({
     conversationId: args.conversationId,
+    destination: args.destination,
     leaseToken: args.leaseToken,
     nowMs: args.nowMs,
     state: args.options.state
@@ -22302,6 +22939,7 @@ async function requestLostLeaseRecovery(args) {
   }
   await sendWakeNudge({
     conversationId: args.conversationId,
+    destination: args.destination,
     idempotencyKey: nudgeIdempotencyKey(
       "lost_lease",
       args.conversationId,
@@ -22345,7 +22983,8 @@ function startLeaseCheckIn(args) {
   timer.unref?.();
   return timer;
 }
-async function processConversationWork(conversationId, options) {
+async function processConversationWork(message, options) {
+  const conversationId = message.conversationId;
   const initial = await getConversationWorkState({
     conversationId,
     state: options.state
@@ -22353,6 +22992,12 @@ async function processConversationWork(conversationId, options) {
   if (!initial || countPendingConversationMessages(initial) === 0 && !initial.needsRun && !initial.lease) {
     return { status: "no_work" };
   }
+  if (!sameDestination(initial.destination, message.destination)) {
+    throw new Error(
+      `Conversation work queue destination changed for ${conversationId}`
+    );
+  }
+  const destination = initial.destination;
   const lease = await startConversationWork({
     conversationId,
     nowMs: now2(options),
@@ -22365,6 +23010,7 @@ async function processConversationWork(conversationId, options) {
     const nudgeNowMs = now2(options);
     await sendWakeNudge({
       conversationId,
+      destination,
       delayMs: CONVERSATION_WORK_DEFER_DELAY_MS,
       idempotencyKey: nudgeIdempotencyKey("active", conversationId, nudgeNowMs),
       nowMs: nudgeNowMs,
@@ -22403,6 +23049,7 @@ async function processConversationWork(conversationId, options) {
   );
   const workerContext = {
     conversationId,
+    destination,
     leaseToken: lease.leaseToken,
     shouldYield: () => leaseLost || now2(options) >= softYieldDeadlineMs,
     checkIn: async () => {
@@ -22430,6 +23077,7 @@ async function processConversationWork(conversationId, options) {
     if (result.status === "lost_lease") {
       await requestLostLeaseRecovery({
         conversationId,
+        destination,
         leaseToken: lease.leaseToken,
         nowMs: now2(options),
         options
@@ -22439,6 +23087,7 @@ async function processConversationWork(conversationId, options) {
     if (leaseLost) {
       await requestLostLeaseRecovery({
         conversationId,
+        destination,
         leaseToken: lease.leaseToken,
         nowMs: now2(options),
         options
@@ -22449,6 +23098,7 @@ async function processConversationWork(conversationId, options) {
       const yieldNowMs = now2(options);
       const continuationMarked = await requestConversationContinuation({
         conversationId,
+        destination,
         leaseToken: lease.leaseToken,
         nowMs: yieldNowMs,
         state: options.state
@@ -22458,6 +23108,7 @@ async function processConversationWork(conversationId, options) {
       }
       await sendWakeNudge({
         conversationId,
+        destination,
         idempotencyKey: nudgeIdempotencyKey(
           "yield",
           conversationId,
@@ -22496,6 +23147,7 @@ async function processConversationWork(conversationId, options) {
       const nudgeNowMs = now2(options);
       await sendWakeNudge({
         conversationId,
+        destination,
         idempotencyKey: nudgeIdempotencyKey(
           "pending",
           conversationId,
@@ -22520,6 +23172,7 @@ async function processConversationWork(conversationId, options) {
     try {
       const continuationMarked = await requestConversationContinuation({
         conversationId,
+        destination,
         leaseToken: lease.leaseToken,
         nowMs: errorNowMs,
         state: options.state
@@ -22527,6 +23180,7 @@ async function processConversationWork(conversationId, options) {
       if (continuationMarked) {
         await sendWakeNudge({
           conversationId,
+          destination,
           idempotencyKey: nudgeIdempotencyKey(
             "error",
             conversationId,
@@ -22561,15 +23215,17 @@ async function processConversationWork(conversationId, options) {
         "Conversation work release failed after runner error"
       );
     }
-    logException(
-      error,
-      "conversation_work_failed",
-      { conversationId },
-      {
-        "app.worker.elapsed_ms": now2(options) - startedAtMs
-      },
-      "Conversation work failed"
-    );
+    if (!isProviderRetryError(error)) {
+      logException(
+        error,
+        "conversation_work_failed",
+        { conversationId },
+        {
+          "app.worker.elapsed_ms": now2(options) - startedAtMs
+        },
+        "Conversation work failed"
+      );
+    }
     throw error;
   } finally {
     clearInterval(timer);
@@ -22578,12 +23234,19 @@ async function processConversationWork(conversationId, options) {
 
 // src/chat/task-execution/vercel-callback.ts
 var CONVERSATION_WORK_VISIBILITY_TIMEOUT_BUFFER_SECONDS = 30;
+var CONVERSATION_WORK_DEV_CONSUMER_GROUP = "junior_conversation_work_dev";
 function parseConversationQueueMessage(message) {
-  if (!message || typeof message !== "object" || typeof message.conversationId !== "string" || !message.conversationId.trim()) {
-    throw new Error("Conversation queue message is missing conversationId");
+  const destination = parseDestination(
+    message?.destination
+  );
+  if (!message || typeof message !== "object" || typeof message.conversationId !== "string" || !message.conversationId.trim() || !destination) {
+    throw new Error(
+      "Conversation queue message is missing destination context"
+    );
   }
   return {
-    conversationId: message.conversationId
+    conversationId: message.conversationId,
+    destination
   };
 }
 function resolveConversationWorkVisibilityTimeoutSeconds(functionMaxDurationSeconds = getChatConfig().functionMaxDurationSeconds) {
@@ -22591,7 +23254,7 @@ function resolveConversationWorkVisibilityTimeoutSeconds(functionMaxDurationSeco
 }
 async function processConversationQueueMessage(message, options) {
   const parsed = parseConversationQueueMessage(message);
-  return await processConversationWork(parsed.conversationId, {
+  return await processConversationWork(parsed, {
     checkInIntervalMs: options.checkInIntervalMs,
     nowMs: options.nowMs,
     queue: options.queue ?? getVercelConversationWorkQueue(),
@@ -22600,22 +23263,35 @@ async function processConversationQueueMessage(message, options) {
     state: options.state
   });
 }
+async function handleConversationQueueMessage(message, options) {
+  const verified = verifySignedConversationQueueMessage(message);
+  if (!verified) {
+    throw new Error("Unauthorized conversation queue message");
+  }
+  await runWithTurnRequestDeadline(
+    () => processConversationQueueMessage(verified, options)
+  );
+}
 function createVercelConversationWorkCallback(options) {
   return handleCallback(
-    async (message) => {
-      const verified = verifySignedConversationQueueMessage(message);
-      if (!verified) {
-        throw new Error("Unauthorized conversation queue message");
-      }
-      await runWithTurnRequestDeadline(
-        () => processConversationQueueMessage(verified, options)
-      );
-    },
+    (message) => handleConversationQueueMessage(message, options),
     {
       visibilityTimeoutSeconds: options.visibilityTimeoutSeconds ?? resolveConversationWorkVisibilityTimeoutSeconds()
     }
   );
 }
+function registerVercelConversationWorkDevConsumer(options) {
+  if (process.env.NODE_ENV !== "development") {
+    return void 0;
+  }
+  return registerDevConsumer({
+    client: new QueueClient(),
+    consumerGroup: CONVERSATION_WORK_DEV_CONSUMER_GROUP,
+    handler: (message) => handleConversationQueueMessage(message, options),
+    topic: resolveConversationWorkQueueTopic(options),
+    visibilityTimeoutSeconds: options.visibilityTimeoutSeconds ?? resolveConversationWorkVisibilityTimeoutSeconds()
+  });
+}
 
 // src/app.ts
 async function defaultWaitUntil() {
@@ -22638,7 +23314,7 @@ async function resolveVirtualConfig() {
     return {
       pluginSet: mod.pluginSet,
       plugins: mod.plugins,
-      trustedPluginRegistrations: mod.trustedPluginRegistrations ?? []
+      pluginHookRegistrations: mod.pluginHookRegistrations ?? []
     };
   } catch (error) {
     if (!isMissingVirtualConfig(error)) {
@@ -22707,20 +23383,20 @@ function validateBuildIncludesPluginPackages(pluginConfig, virtualConfig) {
     `createApp() registered plugin package(s) not bundled by juniorNitro(): ${missing.join(", ")}. Point juniorNitro({ plugins: "./plugins" }) at the runtime plugin module or pass the same defineJuniorPlugins(...) set to juniorNitro({ plugins }) and createApp({ plugins }).`
   );
 }
-function validateBuildIncludesTrustedRegistrations(trustedRegistrations, virtualConfig) {
-  const bundledTrustedRegistrations = virtualConfig?.trustedPluginRegistrations ?? [];
-  if (bundledTrustedRegistrations.length === 0) {
+function validateBuildIncludesPluginHookRegistrations(hookRegistrations, virtualConfig) {
+  const bundledHookRegistrations = virtualConfig?.pluginHookRegistrations ?? [];
+  if (bundledHookRegistrations.length === 0) {
     return;
   }
-  const registered = new Set(trustedRegistrations.map((plugin) => plugin.name));
-  const missing = bundledTrustedRegistrations.filter(
+  const registered = new Set(hookRegistrations.map((plugin) => plugin.name));
+  const missing = bundledHookRegistrations.filter(
     (pluginName) => !registered.has(pluginName)
   );
   if (missing.length === 0) {
     return;
   }
   throw new Error(
-    `createApp() is missing trusted plugin registration(s) bundled by juniorNitro(): ${missing.join(", ")}. Pass a runtime-safe plugin module to juniorNitro({ plugins: "./plugins" }) or pass the same defineJuniorPlugins(...) set to createApp({ plugins }).`
+    `createApp() is missing plugin registration(s) with runtime hooks bundled by juniorNitro(): ${missing.join(", ")}. Pass a runtime-safe plugin module to juniorNitro({ plugins: "./plugins" }) or pass the same defineJuniorPlugins(...) set to createApp({ plugins }).`
   );
 }
 function validatePluginRegistrations(registrations) {
@@ -22736,6 +23412,51 @@ function validatePluginRegistrations(registrations) {
     }
   }
 }
+function validatePluginEgressCredentialHooks(registrations) {
+  const plugins = new Map(
+    registrations.map((registration) => [registration.name, registration])
+  );
+  for (const provider of getPluginProviders()) {
+    const hooks = plugins.get(provider.manifest.name)?.hooks;
+    const hasGrantHook = Boolean(hooks?.grantForEgress);
+    const hasIssueHook = Boolean(hooks?.issueCredential);
+    const hasGenericCredentials = Boolean(
+      provider.manifest.credentials || provider.manifest.apiHeaders
+    );
+    const hasDomains = Boolean(provider.manifest.domains?.length);
+    const hasHookManagedOAuth = Boolean(
+      provider.manifest.oauth && !provider.manifest.credentials
+    );
+    if (!hasGrantHook && !hasIssueHook) {
+      if (hasDomains && !hasGenericCredentials) {
+        throw new Error(
+          `Plugin "${provider.manifest.name}" manifest.domains requires egress credential hooks when no generic credentials or apiHeaders are configured.`
+        );
+      }
+      if (hasHookManagedOAuth) {
+        throw new Error(
+          `Plugin "${provider.manifest.name}" manifest.oauth without oauth-bearer credentials requires egress credential hooks.`
+        );
+      }
+      continue;
+    }
+    if (!hasGrantHook || !hasIssueHook) {
+      throw new Error(
+        `Plugin "${provider.manifest.name}" egress credential hooks must include both grantForEgress and issueCredential.`
+      );
+    }
+    if (hasGenericCredentials) {
+      throw new Error(
+        `Plugin "${provider.manifest.name}" egress credential hooks must use manifest.domains instead of generic credentials or apiHeaders.`
+      );
+    }
+    if (!hasDomains) {
+      throw new Error(
+        `Plugin "${provider.manifest.name}" egress credential hooks require manifest.domains to list sandbox egress hosts.`
+      );
+    }
+  }
+}
 function mountAgentPluginRoutes(app, routes) {
   for (const route of routes) {
     const handler = (c) => route.handler(c.req.raw);
@@ -22753,12 +23474,12 @@ function mountAgentPluginRoutes(app, routes) {
 async function createApp(options) {
   const virtualConfig = await resolveVirtualConfig();
   const configuredPlugins = options?.plugins ?? virtualConfig?.pluginSet;
-  const agentPlugins = trustedPluginRegistrationsFromPluginSet(configuredPlugins);
+  const agentPlugins = pluginHookRegistrationsFromPluginSet(configuredPlugins);
   const pluginConfig = configuredPlugins ? pluginCatalogConfigFromPluginSet(configuredPlugins) : virtualConfig?.plugins ?? resolveEnvPluginCatalogConfig();
   if (configuredPlugins) {
     validateBuildIncludesPluginPackages(pluginConfig, virtualConfig);
   }
-  validateBuildIncludesTrustedRegistrations(agentPlugins, virtualConfig);
+  validateBuildIncludesPluginHookRegistrations(agentPlugins, virtualConfig);
   validateAgentPlugins(agentPlugins);
   const shouldValidatePluginCatalog = hasConfiguredPluginCatalog(pluginConfig) || Boolean(configuredPlugins?.registrations.length) || Boolean(Object.keys(options?.configDefaults ?? {}).length);
   const previousPluginCatalogConfig = setPluginCatalogConfig(pluginConfig);
@@ -22774,6 +23495,9 @@ async function createApp(options) {
     if (shouldValidatePluginCatalog) {
       getPluginCatalogSignature();
       validatePluginRegistrations(configuredPlugins?.registrations ?? []);
+      validatePluginEgressCredentialHooks(
+        configuredPlugins?.registrations ?? []
+      );
     }
     agentPluginRoutes = getAgentPluginRoutes();
   } catch (error) {
@@ -22811,9 +23535,17 @@ async function createApp(options) {
     return POST(c.req.raw, waitUntil);
   });
   let agentContinuePOST;
+  let conversationWorkOptions;
+  const getConversationWorkOptions = () => {
+    conversationWorkOptions ??= options?.conversationWork ?? getProductionConversationWorkOptions();
+    return conversationWorkOptions;
+  };
+  if (process.env.NODE_ENV === "development") {
+    registerVercelConversationWorkDevConsumer(getConversationWorkOptions());
+  }
   app.post("/api/internal/agent/continue", (c) => {
     agentContinuePOST ??= createVercelConversationWorkCallback(
-      options?.conversationWork ?? getProductionConversationWorkOptions()
+      getConversationWorkOptions()
     );
     return agentContinuePOST(c.req.raw);
   });