@sentry/junior 0.68.0 → 0.69.0

package/dist/{chunk-OIIXZOOC.js → chunk-UXG6TU2U.js}

@@ -1,1324 +1,11 @@
 import {
-  sentry_exports
-} from "./chunk-Z3YD6NHK.js";
-import {
-  discoverInstalledPluginPackageContent,
-  normalizePluginPackageNames,
-  pluginRoots
-} from "./chunk-KVZL5NZS.js";
-
-// src/chat/coerce.ts
-function toOptionalString(value) {
-  return typeof value === "string" && value.trim() ? value : void 0;
-}
-function toOptionalNumber(value) {
-  return typeof value === "number" && Number.isFinite(value) ? value : void 0;
-}
-function isRecord(value) {
-  return typeof value === "object" && value !== null;
-}
-
-// src/chat/logging.ts
-import { AsyncLocalStorage } from "async_hooks";
-import path from "path";
-import { styleText } from "util";
-import {
-  ConfigError,
-  configureSync,
-  getConfig,
-  getLogger
-} from "@logtape/logtape";
-var MAX_STRING_VALUE = 1200;
-var SECRETS_RE = [
-  /\b(sk-[A-Za-z0-9_-]{20,})\b/g,
-  /\b(xox[baprs]-[A-Za-z0-9-]{10,})\b/g,
-  /\bBearer\s+([A-Za-z0-9._\-+=]{20,})\b/gi,
-  /\b[A-Z0-9_]+(?:KEY|TOKEN|SECRET|PASSWORD|PASSWD)\s*[=:]\s*([^\s"']{8,})/gi
-];
-var LEGACY_KEY_MAP = {
-  error: "exception.message",
-  "error.stack": "exception.stacktrace",
-  "gen_ai.system": "gen_ai.provider.name",
-  "gen_ai.request.messages": "gen_ai.input.messages",
-  "gen_ai.response.text": "gen_ai.output.messages",
-  "messaging.conversation.id": "messaging.message.conversation_id",
-  bytes: "file.size",
-  media_type: "app.file.mime_type",
-  skillDir: "file.path",
-  root: "file.directory",
-  originalLength: "app.output.original_length",
-  parsedLength: "app.output.parsed_length",
-  directiveMode: "app.output.directive_mode",
-  fileCount: "app.output.file_count",
-  attempt: "app.retry.attempt",
-  steps: "app.ai.steps",
-  toolCalls: "app.ai.tool_calls",
-  toolResults: "app.ai.tool_results",
-  finishReason: "gen_ai.response.finish_reasons",
-  sources: "app.ai.sources",
-  generatedFiles: "app.ai.generated_files",
-  resultFiles: "app.ai.result_files",
-  responseMessages: "app.ai.response_messages",
-  stepDiagnostics: "app.ai.step_diagnostics",
-  inferredSkill: "app.skill.name",
-  inferredScore: "app.skill.score"
-};
-function normalizeGenAiFinishReason(reason) {
-  return reason === "toolUse" ? "tool_use" : reason;
-}
-function normalizeGenAiFinishReasons(value) {
-  if (typeof value === "string" && value.trim()) {
-    return [normalizeGenAiFinishReason(value)];
-  }
-  if (!Array.isArray(value)) {
-    return value;
-  }
-  return value.map(
-    (reason) => typeof reason === "string" ? normalizeGenAiFinishReason(reason) : reason
-  );
-}
-var contextStorage = new AsyncLocalStorage();
-var logRecordSinks = /* @__PURE__ */ new Set();
-var LOGTAPE_BODY_KEY = "__logtape_body";
-var ROOT_LOGGER_CATEGORY = ["junior"];
-var CONSOLE_PRIORITY_KEYS = [
-  "gen_ai.conversation.id",
-  "event.name",
-  "app.log.source",
-  "exception.message",
-  "messaging.message.id",
-  "trace_id",
-  "span_id",
-  "messaging.message.conversation_id",
-  "messaging.destination.name",
-  "app.run.id",
-  "app.message.kind"
-];
-var CONSOLE_PRIORITY_INDEX = new Map(
-  CONSOLE_PRIORITY_KEYS.map((key, index) => [key, index])
-);
-var CONSOLE_ALWAYS_HIDDEN_KEYS = /* @__PURE__ */ new Set([
-  "gen_ai.agent.name",
-  "app.platform",
-  "enduser.id",
-  "enduser.pseudo.id",
-  "http.request.method",
-  "messaging.system",
-  "url.full",
-  "url.path",
-  "user_agent.original"
-]);
-var CONSOLE_DROP_WHEN_COUNTED_KEYS = /* @__PURE__ */ new Set([
-  "app.capability.names",
-  "app.capability.providers",
-  "app.config.keys"
-]);
-var CONSOLE_PREVIEW_KEYS = /* @__PURE__ */ new Set([
-  "gen_ai.input.messages",
-  "gen_ai.output.messages",
-  "gen_ai.tool.call.arguments",
-  "gen_ai.tool.call.result"
-]);
-var SENTRY_TAG_ATTRIBUTE_KEYS = /* @__PURE__ */ new Set([
-  "app.platform",
-  "messaging.system",
-  "app.actor.type",
-  "gen_ai.agent.name",
-  "gen_ai.request.model",
-  "app.skill.name",
-  "http.request.method",
-  "url.path"
-]);
-function getSentryEnvironment() {
-  return (process.env.SENTRY_ENVIRONMENT ?? process.env.VERCEL_ENV ?? process.env.NODE_ENV ?? "").trim().toLowerCase();
-}
-function shouldSuppressInfoLog(level) {
-  return getSentryEnvironment() === "production" && level === "info";
-}
-function shouldEmitConsole(level) {
-  if (process.env.NODE_ENV === "test") {
-    return level === "error";
-  }
-  return true;
-}
-function isDevelopmentLoggingMode() {
-  if (process.env.NODE_ENV !== "development") {
-    return false;
-  }
-  if (process.env.CI) {
-    return false;
-  }
-  return true;
-}
-function shouldUseDevelopmentConsoleFormat() {
-  if (!isDevelopmentLoggingMode()) {
-    return false;
-  }
-  return process.env.JUNIOR_LOG_FORMAT?.trim().toLowerCase() !== "structured";
-}
-function shouldUsePrettyConsole(level) {
-  if (level === "warn" || level === "error") {
-    return false;
-  }
-  return shouldUseDevelopmentConsoleFormat();
-}
-function shouldUseConsoleColor() {
-  if (!shouldUseDevelopmentConsoleFormat()) {
-    return false;
-  }
-  if (process.env.NO_COLOR) {
-    return false;
-  }
-  return process.env.FORCE_COLOR?.trim() === "1" || Boolean(process.stdout?.isTTY) || Boolean(process.stderr?.isTTY);
-}
-function formatConsoleTimestamp(timestamp) {
-  if (shouldUseDevelopmentConsoleFormat()) {
-    return timestamp.toTimeString().slice(0, 8);
-  }
-  return timestamp.toISOString();
-}
-function findNextBlankLineBoundary(input, start) {
-  const lfBoundary = input.indexOf("\n\n", start);
-  const crlfBoundary = input.indexOf("\r\n\r\n", start);
-  if (lfBoundary === -1 && crlfBoundary === -1) {
-    return null;
-  }
-  if (lfBoundary === -1) {
-    return { start: crlfBoundary, end: crlfBoundary + 4 };
-  }
-  if (crlfBoundary === -1 || lfBoundary < crlfBoundary) {
-    return { start: lfBoundary, end: lfBoundary + 2 };
-  }
-  return { start: crlfBoundary, end: crlfBoundary + 4 };
-}
-function redactPrivateKeyBlocks(input) {
-  const beginPrefix = "-----BEGIN ";
-  const footerMarker = "-----";
-  let cursor = 0;
-  let output = "";
-  while (cursor < input.length) {
-    const begin = input.indexOf(beginPrefix, cursor);
-    if (begin === -1) {
-      output += input.slice(cursor);
-      break;
-    }
-    const labelStart = begin + beginPrefix.length;
-    const labelEnd = input.indexOf(footerMarker, labelStart);
-    if (labelEnd === -1) {
-      output += input.slice(cursor);
-      break;
-    }
-    const label = input.slice(labelStart, labelEnd);
-    if (!label.endsWith("PRIVATE KEY")) {
-      output += input.slice(cursor, labelEnd + footerMarker.length);
-      cursor = labelEnd + footerMarker.length;
-      continue;
-    }
-    const header = input.slice(begin, labelEnd + footerMarker.length);
-    const footer = `-----END ${label}-----`;
-    const footerStart = input.indexOf(footer, labelEnd + footerMarker.length);
-    if (footerStart === -1) {
-      const resumeBoundary = findNextBlankLineBoundary(
-        input,
-        labelEnd + footerMarker.length
-      );
-      output += input.slice(cursor, begin);
-      output += `${header}
-...redacted...`;
-      if (!resumeBoundary) {
-        break;
-      }
-      output += input.slice(resumeBoundary.start, resumeBoundary.end);
-      cursor = resumeBoundary.end;
-      continue;
-    }
-    output += input.slice(cursor, begin);
-    output += `${header}
-...redacted...
-${footer}`;
-    cursor = footerStart + footer.length;
-  }
-  return output;
-}
-function redactSecrets(input) {
-  let out = redactPrivateKeyBlocks(input);
-  for (const pattern of SECRETS_RE) {
-    out = out.replace(pattern, (full, token) => {
-      if (typeof token !== "string") {
-        return "***";
-      }
-      if (token.length < 12) {
-        return full.replace(token, "***");
-      }
-      return full.replace(token, `${token.slice(0, 4)}...${token.slice(-4)}`);
-    });
-  }
-  return out;
-}
-function toSnakeCase(value) {
-  return value.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[^a-zA-Z0-9_]+/g, "_").replace(/^_+|_+$/g, "").toLowerCase();
-}
-function isSemanticKey(key) {
-  return /^[a-z][a-z0-9_]*(\.[a-z0-9_][a-z0-9_-]*)+$/.test(key);
-}
-function normalizeAttributeKey(key) {
-  const mapped = LEGACY_KEY_MAP[key];
-  if (mapped) {
-    return mapped;
-  }
-  if (isSemanticKey(key)) {
-    return key;
-  }
-  if (key === "platform") return "app.platform";
-  if (key === "request.id") return "app.request.id";
-  const snake = toSnakeCase(key);
-  if (!snake) {
-    return "app.attribute";
-  }
-  return `app.${snake}`;
-}
-function sanitizePrimitive(value) {
-  if (value === null || value === void 0) return void 0;
-  if (typeof value === "string") {
-    const trimmed = value.trim();
-    if (!trimmed) return void 0;
-    const redacted = redactSecrets(trimmed);
-    return redacted.length > MAX_STRING_VALUE ? `${redacted.slice(0, MAX_STRING_VALUE)}...` : redacted;
-  }
-  if (typeof value === "number") {
-    return Number.isFinite(value) ? value : void 0;
-  }
-  if (typeof value === "boolean") return value;
-  if (value instanceof Error) {
-    return redactSecrets(value.message);
-  }
-  try {
-    const json = JSON.stringify(value);
-    if (!json) return void 0;
-    const redacted = redactSecrets(json);
-    return redacted.length > MAX_STRING_VALUE ? `${redacted.slice(0, MAX_STRING_VALUE)}...` : redacted;
-  } catch {
-    return void 0;
-  }
-}
-function sanitizeValue(value) {
-  if (Array.isArray(value)) {
-    const sanitized = value.filter((entry) => typeof entry === "string").map((entry) => sanitizePrimitive(entry)).filter((entry) => typeof entry === "string");
-    return sanitized.length > 0 ? sanitized : void 0;
-  }
-  return sanitizePrimitive(value);
-}
-function contextToAttributes(context) {
-  const attributes = {
-    "gen_ai.conversation.id": context.conversationId,
-    "app.platform": context.platform,
-    "app.request.id": context.requestId,
-    "messaging.system": context.platform === "slack" ? "slack" : context.platform,
-    "messaging.message.conversation_id": context.slackThreadId,
-    "messaging.destination.name": context.slackChannelId,
-    "enduser.id": context.slackUserId,
-    "enduser.pseudo.id": context.slackUserName,
-    "app.run.id": context.runId,
-    "app.actor.type": context.actorType,
-    "app.actor.id": context.actorId,
-    "gen_ai.agent.name": context.assistantUserName,
-    "gen_ai.request.model": context.modelId,
-    "app.skill.name": context.skillName,
-    "http.request.method": context.httpMethod,
-    "url.path": context.httpPath,
-    "url.full": context.urlFull,
-    "user_agent.original": context.userAgent
-  };
-  const normalized = {};
-  for (const [key, value] of Object.entries(attributes)) {
-    const sanitized = sanitizeValue(value);
-    if (sanitized !== void 0) normalized[key] = sanitized;
-  }
-  return normalized;
-}
-function getTraceCorrelationAttributes() {
-  const sentry = sentry_exports;
-  if (typeof sentry.getActiveSpan !== "function" || typeof sentry.spanToJSON !== "function") {
-    return {};
-  }
-  try {
-    const span = sentry.getActiveSpan();
-    if (!span) return {};
-    const json = sentry.spanToJSON(span);
-    const attrs = {};
-    if (json.trace_id) attrs.trace_id = json.trace_id;
-    if (json.span_id) attrs.span_id = json.span_id;
-    return attrs;
-  } catch {
-    return {};
-  }
-}
-function mergeAttributes(...maps) {
-  const merged = {};
-  for (const map of maps) {
-    if (!map) continue;
-    for (const [rawKey, rawValue] of Object.entries(map)) {
-      const key = normalizeAttributeKey(rawKey);
-      const value = sanitizeValue(
-        key === "gen_ai.response.finish_reasons" ? normalizeGenAiFinishReasons(rawValue) : rawValue
-      );
-      if (value !== void 0) {
-        merged[key] = value;
-      }
-    }
-  }
-  return merged;
-}
-function fromLogTapeLevel(level) {
-  if (level === "warning") {
-    return "warn";
-  }
-  if (level === "fatal") {
-    return "error";
-  }
-  if (level === "trace") {
-    return "debug";
-  }
-  return level;
-}
-function getLogSource(category) {
-  if (category.length <= ROOT_LOGGER_CATEGORY.length) {
-    return void 0;
-  }
-  const sourceParts = category.slice(ROOT_LOGGER_CATEGORY.length);
-  return sourceParts.length > 0 ? sourceParts.join(".") : void 0;
-}
-function toEmittedLogRecord(record) {
-  const properties = { ...record.properties };
-  const rawBody = properties[LOGTAPE_BODY_KEY];
-  delete properties[LOGTAPE_BODY_KEY];
-  const attributes = mergeAttributes(properties);
-  const source = getLogSource(record.category);
-  if (source && attributes["app.log.source"] === void 0) {
-    attributes["app.log.source"] = source;
-  }
-  const body = toOptionalString(rawBody) ?? record.message.map(
-    (segment) => typeof segment === "string" ? segment : String(segment ?? "")
-  ).join("");
-  const eventName = toOptionalString(attributes["event.name"]) ?? "log_record_emitted";
-  return {
-    level: fromLogTapeLevel(record.level),
-    eventName,
-    body,
-    attributes
-  };
-}
-function createConsoleSink() {
-  return (record) => {
-    const emitted = toEmittedLogRecord(record);
-    emitConsole(
-      emitted.level,
-      emitted.eventName,
-      emitted.body,
-      emitted.attributes
-    );
-  };
-}
-function createSentrySink() {
-  return (record) => {
-    const emitted = toEmittedLogRecord(record);
-    emitSentry(emitted.level, emitted.body, emitted.attributes);
-  };
-}
-function createRecordSink() {
-  return (record) => {
-    const emitted = toEmittedLogRecord(record);
-    for (const sink of logRecordSinks) {
-      try {
-        sink(emitted);
-      } catch {
-      }
-    }
-  };
-}
-var rootLogger;
-var ownsLogTapeBackend = false;
-var usesDirectEmissionFallback = false;
-function ensureLoggerBackend() {
-  if (rootLogger || usesDirectEmissionFallback) {
-    return;
-  }
-  if (getConfig() !== null) {
-    usesDirectEmissionFallback = true;
-    return;
-  }
-  try {
-    configureSync({
-      sinks: {
-        console: createConsoleSink(),
-        sentry: createSentrySink(),
-        records: createRecordSink()
-      },
-      loggers: [
-        {
-          category: [...ROOT_LOGGER_CATEGORY],
-          sinks: ["console", "sentry", "records"],
-          lowestLevel: "debug"
-        },
-        {
-          category: ["logtape"],
-          sinks: ["console"],
-          lowestLevel: "error"
-        }
-      ],
-      contextLocalStorage: contextStorage
-    });
-    ownsLogTapeBackend = true;
-    rootLogger = getLogger([...ROOT_LOGGER_CATEGORY]);
-  } catch (error) {
-    if (error instanceof ConfigError && getConfig() !== null) {
-      usesDirectEmissionFallback = true;
-      return;
-    }
-    throw error;
-  }
-}
-function getLogTapeLogger(category = []) {
-  ensureLoggerBackend();
-  if (!rootLogger) {
-    throw new Error("LogTape backend is unavailable");
-  }
-  let logger = rootLogger;
-  for (const part of category) {
-    logger = logger.getChild(part);
-  }
-  return logger;
-}
-function emitSentry(level, body, attributes) {
-  if (shouldSuppressInfoLog(level)) {
-    return;
-  }
-  const sentry = sentry_exports;
-  const loggerFn = sentry.logger?.[level];
-  if (typeof loggerFn === "function") {
-    loggerFn(body, attributes);
-    return;
-  }
-  const sentryWithScope = sentry.withScope;
-  const sentryCaptureMessage = sentry.captureMessage;
-  const sentryLevel = level === "warn" ? "warning" : level;
-  if (typeof sentryWithScope === "function" && typeof sentryCaptureMessage === "function") {
-    sentryWithScope((scope) => {
-      for (const [key, value] of Object.entries(attributes)) {
-        scope.setExtra(key, value);
-      }
-      sentryCaptureMessage(body, sentryLevel);
-    });
-    return;
-  }
-  if (typeof sentryCaptureMessage === "function") {
-    sentryCaptureMessage(body, sentryLevel);
-  }
-}
-function formatConsoleLevel(level) {
-  if (level === "debug") return "DBG";
-  if (level === "info") return "INF";
-  if (level === "warn") return "WRN";
-  return "ERR";
-}
-function consoleLevelStyle(level) {
-  if (level === "error") return "red";
-  if (level === "warn") return "yellow";
-  if (level === "info") return "green";
-  return "blue";
-}
-function quoteConsoleValue(value) {
-  return `"${value.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
-}
-function formatConsoleValue(value) {
-  if (typeof value === "number" || typeof value === "boolean") {
-    return String(value);
-  }
-  if (Array.isArray(value)) {
-    return quoteConsoleValue(JSON.stringify(value));
-  }
-  if (/^[A-Za-z0-9._:/@+-]+$/.test(value)) {
-    return value;
-  }
-  return quoteConsoleValue(value);
-}
-function shouldShowConsoleDestinationName(eventName) {
-  return /^(app_home_|oauth_|queue_|slash_command_|slack_|webhook_)/.test(
-    eventName
-  );
-}
-function shouldShowConsoleModel(level, eventName) {
-  if (level === "warn" || level === "error") {
-    return true;
-  }
-  return eventName.startsWith("ai_") || eventName.startsWith("assistant_") || eventName === "agent_turn_started" || eventName === "agent_turn_completed" || eventName === "agent_turn_provider_error";
-}
-function shouldHideConsoleAttribute(level, eventName, key, attributes) {
-  if (CONSOLE_ALWAYS_HIDDEN_KEYS.has(key)) {
-    return true;
-  }
-  if (CONSOLE_DROP_WHEN_COUNTED_KEYS.has(key)) {
-    return true;
-  }
-  if (key === "messaging.message.conversation_id" && attributes[key] === attributes["gen_ai.conversation.id"]) {
-    return true;
-  }
-  if (key === "app.message.id" && attributes[key] === attributes["messaging.message.id"]) {
-    return true;
-  }
-  if (key === "messaging.destination.name" && !shouldShowConsoleDestinationName(eventName)) {
-    return true;
-  }
-  if (key === "gen_ai.request.model" && !shouldShowConsoleModel(level, eventName)) {
-    return true;
-  }
-  if (key === "gen_ai.provider.name" && eventName.startsWith("agent_tool_call_") && level !== "warn" && level !== "error") {
-    return true;
-  }
-  if (key === "gen_ai.operation.name" && eventName.startsWith("agent_tool_call_")) {
-    return true;
-  }
-  return false;
-}
-function summarizeConsoleString(value, maxChars) {
-  const collapsed = value.replace(/\s+/g, " ").trim();
-  if (collapsed.length <= maxChars) {
-    return collapsed;
-  }
-  return `${collapsed.slice(0, maxChars)}... [${collapsed.length} chars]`;
-}
-function abbreviateConsoleId(value) {
-  if (value.length <= 20) {
-    return value;
-  }
-  return `${value.slice(0, 12)}...${value.slice(-4)}`;
-}
-function toRelativeConsolePath(value) {
-  const normalized = value.trim();
-  if (!normalized) {
-    return normalized;
-  }
-  try {
-    const relative = path.relative(process.cwd(), normalized);
-    if (relative.length > 0 && !relative.startsWith("..") && !path.isAbsolute(relative)) {
-      return relative;
-    }
-  } catch {
-  }
-  return normalized;
-}
-function pushPrettyConsoleToken(tokens, token) {
-  if (!token || tokens.includes(token)) {
-    return;
-  }
-  tokens.push(token);
-}
-function numericConsoleToken(label, value) {
-  return typeof value === "number" ? `${label}=${value}` : void 0;
-}
-function stringConsoleToken(label, value) {
-  const normalized = toOptionalString(value);
-  return normalized ? `${label}=${normalized}` : void 0;
-}
-function booleanConsoleToken(label, value) {
-  return typeof value === "boolean" ? `${label}=${value ? "yes" : "no"}` : void 0;
-}
-function shouldShowPrettyCorrelation(eventName) {
-  return !(eventName === "plugin_loaded" || eventName === "startup_discovery_summary" || eventName === "capability_catalog_loaded" || eventName.endsWith("_loaded"));
-}
-function getPrettyConsoleSummaryTokens(level, eventName, attributes) {
-  const tokens = [];
-  pushPrettyConsoleToken(
-    tokens,
-    toOptionalString(attributes["app.log.source"]) ?? void 0
-  );
-  pushPrettyConsoleToken(
-    tokens,
-    eventName.startsWith("trusted_plugin_heartbeat") ? stringConsoleToken("plugin", attributes["app.plugin.name"]) : toOptionalString(attributes["app.plugin.name"]) ?? void 0
-  );
-  pushPrettyConsoleToken(
-    tokens,
-    numericConsoleToken("caps", attributes["app.plugin.capability_count"])
-  );
-  pushPrettyConsoleToken(
-    tokens,
-    numericConsoleToken("config", attributes["app.plugin.config_key_count"])
-  );
-  pushPrettyConsoleToken(
-    tokens,
-    booleanConsoleToken("mcp", attributes["app.plugin.has_mcp"])
-  );
-  pushPrettyConsoleToken(
-    tokens,
-    numericConsoleToken("plugins", attributes["app.plugin.count"])
-  );
-  pushPrettyConsoleToken(
-    tokens,
-    numericConsoleToken("dispatches", attributes["app.dispatch.count"])
-  );
-  pushPrettyConsoleToken(
-    tokens,
-    numericConsoleToken("skills", attributes["app.skill.count"])
-  );
-  pushPrettyConsoleToken(
-    tokens,
-    numericConsoleToken("capabilities", attributes["app.capability.count"])
-  );
-  pushPrettyConsoleToken(
-    tokens,
-    numericConsoleToken("config", attributes["app.config.key_count"])
-  );
-  pushPrettyConsoleToken(
-    tokens,
-    numericConsoleToken("chars", attributes["app.message.length"])
-  );
-  pushPrettyConsoleToken(
-    tokens,
-    numericConsoleToken(
-      "attachments",
-      attributes["app.message.attachment_count"]
-    )
-  );
-  const rawAttachmentCount = toOptionalNumber(
-    attributes["app.message.attachment_count"]
-  );
-  const promptAttachmentCount = toOptionalNumber(
-    attributes["app.message.prompt_attachment_count"]
-  );
-  if (promptAttachmentCount !== void 0 && promptAttachmentCount !== rawAttachmentCount) {
-    pushPrettyConsoleToken(
-      tokens,
-      numericConsoleToken("prompt_attachments", promptAttachmentCount)
-    );
-  }
-  const filePath = toOptionalString(attributes["file.path"]);
-  if (filePath && eventName.endsWith("_loaded")) {
-    pushPrettyConsoleToken(tokens, toRelativeConsolePath(filePath));
-  }
-  if (shouldShowPrettyCorrelation(eventName)) {
-    const conversationId = toOptionalString(
-      attributes["gen_ai.conversation.id"]
-    );
-    const messageId = toOptionalString(attributes["messaging.message.id"]);
-    if (conversationId) {
-      pushPrettyConsoleToken(
-        tokens,
-        `conv=${abbreviateConsoleId(conversationId)}`
-      );
-    }
-    if (messageId) {
-      pushPrettyConsoleToken(tokens, `msg=${abbreviateConsoleId(messageId)}`);
-    }
-  }
-  const model = toOptionalString(attributes["gen_ai.request.model"]);
-  if (model && shouldShowConsoleModel(level, eventName)) {
-    pushPrettyConsoleToken(tokens, `model=${model}`);
-  }
-  return tokens;
-}
-function projectConsoleValue(level, key, value) {
-  if ((level === "debug" || level === "info") && CONSOLE_PREVIEW_KEYS.has(key) && typeof value === "string") {
-    return summarizeConsoleString(
-      value,
-      key === "gen_ai.tool.call.result" ? 220 : 140
-    );
-  }
-  return value;
-}
-function projectConsoleAttributes(level, eventName, attributes) {
-  const projected = {};
-  for (const [key, value] of Object.entries(attributes)) {
-    if (shouldHideConsoleAttribute(level, eventName, key, attributes)) {
-      continue;
-    }
-    const nextValue = projectConsoleValue(level, key, value);
-    if (nextValue !== void 0) {
-      projected[key] = nextValue;
-    }
-  }
-  return projected;
-}
-function formatConsoleLine(level, eventName, body, attributes) {
-  const timestamp = /* @__PURE__ */ new Date();
-  const useColor = shouldUseConsoleColor();
-  const levelStyle = consoleLevelStyle(level);
-  const colorize = (text, style) => useColor ? styleText(style, text) : text;
-  if (shouldUsePrettyConsole(level)) {
-    const summaryTokens = getPrettyConsoleSummaryTokens(
-      level,
-      eventName,
-      attributes
-    );
-    const summary = [body, ...summaryTokens].join(" ");
-    return [
-      colorize(formatConsoleTimestamp(timestamp), "gray"),
-      colorize(formatConsoleLevel(level), levelStyle),
-      summary
-    ].join(" ");
-  }
-  const parts = [
-    `${colorize(formatConsoleTimestamp(timestamp), "gray")} ${colorize(formatConsoleLevel(level), levelStyle)} ${body}`
-  ];
-  const projectedAttributes = projectConsoleAttributes(
-    level,
-    eventName,
-    attributes
-  );
-  const sortedAttributes = Object.entries(projectedAttributes).sort(
-    ([left], [right]) => {
-      const leftRank = CONSOLE_PRIORITY_INDEX.get(left);
-      const rightRank = CONSOLE_PRIORITY_INDEX.get(right);
-      if (leftRank !== void 0 || rightRank !== void 0) {
-        if (leftRank === void 0) return 1;
-        if (rightRank === void 0) return -1;
-        return leftRank - rightRank;
-      }
-      return left.localeCompare(right);
-    }
-  );
-  for (const [key, value] of sortedAttributes) {
-    const rendered = `${colorize(key, "cyan")}=${colorize(formatConsoleValue(value), "dim")}`;
-    parts.push(rendered);
-  }
-  return parts.join(" ");
-}
-function emitConsole(level, eventName, body, attributes) {
-  if (!shouldEmitConsole(level)) {
-    return;
-  }
-  const line = formatConsoleLine(level, eventName, body, attributes);
-  if (level === "error") {
-    console.error(line);
-    return;
-  }
-  if (level === "warn") {
-    console.warn(line);
-    return;
-  }
-  if (level === "info") {
-    console.info(line);
-    return;
-  }
-  console.debug(line);
-}
-function emitDirect(level, eventName, body, attributes) {
-  for (const sink of logRecordSinks) {
-    try {
-      sink({
-        level,
-        eventName,
-        body,
-        attributes
-      });
-    } catch {
-    }
-  }
-  emitConsole(level, eventName, body, attributes);
-  emitSentry(level, body, attributes);
-}
-function emitRecord(category, level, eventName, attrs = {}, body) {
-  ensureLoggerBackend();
-  const traceAttributes = getTraceCorrelationAttributes();
-  const normalizedEventName = toSnakeCase(eventName);
-  const message = body ? redactSecrets(body) : normalizedEventName;
-  const source = getLogSource([...ROOT_LOGGER_CATEGORY, ...category]);
-  const contextAttributes = ownsLogTapeBackend ? void 0 : contextStorage.getStore();
-  const attributes = mergeAttributes(contextAttributes, traceAttributes, {
-    "event.name": normalizedEventName,
-    ...source ? { "app.log.source": source } : {},
-    ...attrs
-  });
-  if (usesDirectEmissionFallback) {
-    emitDirect(level, normalizedEventName, message, attributes);
-    return;
-  }
-  const logger = getLogTapeLogger(category);
-  const properties = {
-    [LOGTAPE_BODY_KEY]: message,
-    ...attributes
-  };
-  if (level === "error") {
-    logger.error(`{${LOGTAPE_BODY_KEY}}`, properties);
-    return;
-  }
-  if (level === "warn") {
-    logger.warn(`{${LOGTAPE_BODY_KEY}}`, properties);
-    return;
-  }
-  if (level === "info") {
-    logger.info(`{${LOGTAPE_BODY_KEY}}`, properties);
-    return;
-  }
-  logger.debug(`{${LOGTAPE_BODY_KEY}}`, properties);
-}
-function emit(level, eventName, attrs = {}, body) {
-  emitRecord([], level, eventName, attrs, body);
-}
-var log = {
-  debug(eventName, attrs = {}, body) {
-    emit("debug", eventName, attrs, body);
-  },
-  info(eventName, attrs = {}, body) {
-    emit("info", eventName, attrs, body);
-  },
-  warn(eventName, attrs = {}, body) {
-    emit("warn", eventName, attrs, body);
-  },
-  error(eventName, attrs = {}, body) {
-    emit("error", eventName, attrs, body);
-  },
-  exception(eventName, error, attrs = {}, body, context) {
-    const normalizedError = error instanceof Error ? error : new Error(String(error));
-    emit(
-      "error",
-      eventName,
-      {
-        ...attrs,
-        "error.type": normalizedError.name,
-        "exception.type": normalizedError.name,
-        "exception.message": normalizedError.message,
-        "exception.stacktrace": normalizedError.stack
-      },
-      body ?? normalizedError.message
-    );
-    let eventId;
-    const sentryWithScope = sentry_exports.withScope;
-    const sentryCaptureException = sentry_exports.captureException;
-    if (typeof sentryWithScope === "function" && typeof sentryCaptureException === "function") {
-      sentryWithScope((scope) => {
-        if (context) {
-          setSentryScopeContext(scope, context);
-        }
-        for (const [key, value] of Object.entries(
-          mergeAttributes(contextStorage.getStore(), attrs)
-        )) {
-          scope.setExtra(key, value);
-        }
-        eventId = sentryCaptureException(normalizedError);
-      });
-      return eventId;
-    }
-    if (typeof sentryCaptureException === "function") {
-      if (context) {
-        setSentryUser(sentryUserIdentityFromContext(context));
-      }
-      eventId = sentryCaptureException(normalizedError);
-    }
-    return eventId;
-  }
-};
-var CHAT_SDK_LEVEL_PRIORITY = {
-  debug: 10,
-  info: 20,
-  warn: 30,
-  error: 40
-};
-function resolveChatSdkLogLevel() {
-  if (isDevelopmentLoggingMode()) {
-    return "warn";
-  }
-  return "info";
-}
-function shouldEmitChatSdkLevel(level, minimumLevel) {
-  if (minimumLevel === "silent") {
-    return false;
-  }
-  return CHAT_SDK_LEVEL_PRIORITY[level] >= CHAT_SDK_LEVEL_PRIORITY[minimumLevel];
-}
-function renderChatSdkArgument(value) {
-  if (value === null || value === void 0) {
-    return "";
-  }
-  if (typeof value === "string") {
-    return value;
-  }
-  if (value instanceof Error) {
-    return value.message;
-  }
-  try {
-    return JSON.stringify(value);
-  } catch {
-    return String(value);
-  }
-}
-function formatChatSdkBody(message, args) {
-  const renderedArgs = args.map((arg) => renderChatSdkArgument(arg).trim()).filter((arg) => arg.length > 0);
-  if (renderedArgs.length === 0) {
-    return message;
-  }
-  return `${message} ${renderedArgs.join(" ")}`;
-}
-function createChatSdkLoggerImpl(category, minimumLevel) {
-  const emitChatSdkLog = (level, message, args) => {
-    if (!shouldEmitChatSdkLevel(level, minimumLevel)) {
-      return;
-    }
-    emitRecord(
-      category,
-      level === "warn" ? "warn" : level,
-      level === "error" ? "chat_sdk_error" : level === "warn" ? "chat_sdk_warning" : "chat_sdk_log",
-      args.length > 0 ? {
-        "app.log.args": args.length === 1 ? args[0] : args
-      } : {},
-      formatChatSdkBody(message, args)
-    );
-  };
-  return {
-    child(prefix) {
-      return createChatSdkLoggerImpl([...category, prefix], minimumLevel);
-    },
-    debug(message, ...args) {
-      emitChatSdkLog("debug", message, args);
-    },
-    info(message, ...args) {
-      emitChatSdkLog("info", message, args);
-    },
-    warn(message, ...args) {
-      emitChatSdkLog("warn", message, args);
-    },
-    error(message, ...args) {
-      emitChatSdkLog("error", message, args);
-    }
-  };
-}
-function createChatSdkLogger() {
-  return createChatSdkLoggerImpl(["chat-sdk"], resolveChatSdkLogLevel());
-}
-function withLogContext(context, callback) {
-  const next = mergeAttributes(
-    contextStorage.getStore(),
-    contextToAttributes(context)
-  );
-  return contextStorage.run(next, callback);
-}
-function setLogContext(context) {
-  const merged = mergeAttributes(
-    contextStorage.getStore(),
-    contextToAttributes(context)
-  );
-  contextStorage.enterWith(merged);
-}
-function getLogContextAttributes() {
-  return contextStorage.getStore() ?? {};
-}
-function createLogContextFromRequest(request, context = {}) {
-  const url = new URL(request.url);
-  return {
-    ...context,
-    requestId: context.requestId ?? request.headers.get("x-request-id") ?? void 0,
-    httpMethod: request.method,
-    httpPath: url.pathname,
-    urlFull: url.toString(),
-    userAgent: request.headers.get("user-agent") ?? void 0
-  };
-}
-function toSpanAttributes(context) {
-  const attrs = contextToAttributes(context);
-  return Object.fromEntries(
-    Object.entries(attrs).filter(
-      ([, value]) => typeof value === "string" && value.length > 0
-    )
-  );
-}
-function setSentryTagsFromContext(context) {
-  const attrs = contextToAttributes(context);
-  for (const [key, value] of Object.entries(attrs)) {
-    if (!SENTRY_TAG_ATTRIBUTE_KEYS.has(key)) {
-      continue;
-    }
-    if (typeof value === "string" && value.length > 0) {
-      sentry_exports.setTag(key, value);
-    }
-  }
-}
-function sentryUserIdentityFromContext(context) {
-  if (context.slackUserId) {
-    return {
-      id: context.slackUserId,
-      ...context.slackUserName ? { username: context.slackUserName } : {},
-      ...context.slackUserEmail ? { email: context.slackUserEmail } : {}
-    };
-  }
-  return void 0;
-}
-function sentryUserFromIdentity(identity) {
-  return {
-    id: identity.id,
-    ip_address: null,
-    ...identity.username ? { username: identity.username } : {},
-    ...identity.email ? { email: identity.email } : {}
-  };
-}
-function setSentryUser(identity) {
-  if (!identity) return;
-  sentry_exports.setUser(sentryUserFromIdentity(identity));
-}
-function setSentryScopeContext(scope, context) {
-  const attrs = contextToAttributes(context);
-  for (const [key, value] of Object.entries(attrs)) {
-    if (!SENTRY_TAG_ATTRIBUTE_KEYS.has(key)) {
-      continue;
-    }
-    if (typeof value === "string" && value.length > 0) {
-      scope.setTag(key, value);
-    }
-  }
-  const identity = sentryUserIdentityFromContext(context);
-  if (identity) {
-    scope.setUser(sentryUserFromIdentity(identity));
-  }
-  scope.setContext("app", attrs);
-}
-function toSpanAttributeValue(value) {
-  if (typeof value === "string" || typeof value === "number" || typeof value === "boolean") {
-    return value;
-  }
-  if (!Array.isArray(value)) {
-    return void 0;
-  }
-  const sanitized = value.filter(
-    (entry) => typeof entry === "string"
-  );
-  return sanitized.length > 0 ? sanitized : void 0;
-}
-function normalizeSpanAttributes(attributes) {
-  const normalized = {};
-  for (const [rawKey, value] of Object.entries(attributes)) {
-    const key = normalizeAttributeKey(rawKey);
-    const normalizedValue = toSpanAttributeValue(
-      key === "gen_ai.response.finish_reasons" ? normalizeGenAiFinishReasons(value) : value
-    );
-    if (normalizedValue !== void 0) {
-      normalized[key] = normalizedValue;
-    }
-  }
-  return normalized;
-}
-function logInfo(eventName, context = {}, attributes = {}, body) {
-  log.info(eventName, { ...toSpanAttributes(context), ...attributes }, body);
-}
-function logWarn(eventName, context = {}, attributes = {}, body) {
-  log.warn(eventName, { ...toSpanAttributes(context), ...attributes }, body);
-}
-function logError(eventName, context = {}, attributes = {}, body) {
-  log.error(eventName, { ...toSpanAttributes(context), ...attributes }, body);
-}
-function logException(error, eventName, context = {}, attributes = {}, body) {
-  const normalizedError = error instanceof Error ? error : new Error(String(error));
-  return log.exception(
-    eventName,
-    normalizedError,
-    { ...toSpanAttributes(context), ...attributes },
-    body,
-    context
-  );
-}
-function setTags(context = {}) {
-  setLogContext(context);
-  setSentryTagsFromContext(context);
-  setSentryUser(sentryUserIdentityFromContext(context));
-}
-function createRequestContext(request, context = {}) {
-  return createLogContextFromRequest(request, context);
-}
-async function withContext(context, callback) {
-  return withLogContext(context, callback);
-}
-async function withSpan(name, op, context, callback, attributes = {}) {
-  const normalizedAttributes = normalizeSpanAttributes(attributes);
-  return withLogContext(context, () => {
-    const inheritedAttributes = getLogContextAttributes();
-    return sentry_exports.startSpan(
-      {
-        name,
-        op,
-        attributes: {
-          ...inheritedAttributes,
-          ...normalizedAttributes
-        }
-      },
-      callback
-    );
-  });
-}
-function setSpanAttributes(attributes) {
-  const sentry = sentry_exports;
-  const span = sentry.getActiveSpan?.();
-  if (!span) {
-    return;
-  }
-  const setAttribute = span.setAttribute;
-  if (typeof setAttribute !== "function") {
-    return;
-  }
-  for (const [key, value] of Object.entries(
-    normalizeSpanAttributes(attributes)
-  )) {
-    setAttribute.call(span, key, value);
-  }
-}
-function setSpanStatus(status) {
-  const sentry = sentry_exports;
-  const span = sentry.getActiveSpan?.();
-  if (!span) {
-    return;
-  }
-  const setStatus = span.setStatus;
-  if (typeof setStatus !== "function") {
-    return;
-  }
-  setStatus.call(span, status === "ok" ? "ok" : "internal_error");
-}
-function getActiveTraceId() {
-  const sentry = sentry_exports;
-  if (typeof sentry.getActiveSpan !== "function" || typeof sentry.spanToJSON !== "function") {
-    return void 0;
-  }
-  try {
-    const span = sentry.getActiveSpan();
-    if (!span) {
-      return void 0;
-    }
-    return toOptionalString(sentry.spanToJSON(span).trace_id);
-  } catch {
-    return void 0;
-  }
-}
-var TURN_FAILURE_RESPONSE_TEMPLATE = "I ran into an internal error while processing that. Reference: `event_id={eventId}`.";
-function buildTurnFailureResponse(eventId) {
-  return TURN_FAILURE_RESPONSE_TEMPLATE.replace("{eventId}", eventId);
-}
-var GEN_AI_DEFAULT_MAX_ATTRIBUTE_CHARS = 12e3;
-var GEN_AI_MAX_STRING_CHARS = 2e3;
-var GEN_AI_MAX_ARRAY_ITEMS = 50;
-var GEN_AI_MAX_OBJECT_KEYS = 50;
-function truncateGenAiString(value, maxChars) {
-  return value.length > maxChars ? `${value.slice(0, maxChars)}...` : value;
-}
-function sanitizeGenAiValue(value, seen, depth, keyName) {
-  if (value === null || value === void 0) {
-    return void 0;
-  }
-  if (typeof value === "string") {
-    const shouldTreatAsBlob = (keyName === "data" || keyName === "base64" || keyName?.endsWith("_base64") === true) && value.length > 256;
-    if (shouldTreatAsBlob) {
-      return `[omitted:${value.length}]`;
-    }
-    return truncateGenAiString(redactSecrets(value), GEN_AI_MAX_STRING_CHARS);
-  }
-  if (typeof value === "number") {
-    return Number.isFinite(value) ? value : void 0;
-  }
-  if (typeof value === "boolean") {
-    return value;
-  }
-  if (depth >= 8) {
-    return "[depth_limit]";
-  }
-  if (Array.isArray(value)) {
-    return value.slice(0, GEN_AI_MAX_ARRAY_ITEMS).map((entry) => sanitizeGenAiValue(entry, seen, depth + 1)).filter((entry) => entry !== void 0);
-  }
-  if (typeof value !== "object") {
-    return redactSecrets(String(value));
-  }
-  if (seen.has(value)) {
-    return "[circular]";
-  }
-  seen.add(value);
-  const record = value;
-  const out = {};
-  for (const [key, entryValue] of Object.entries(record).slice(
-    0,
-    GEN_AI_MAX_OBJECT_KEYS
-  )) {
-    const sanitized = sanitizeGenAiValue(entryValue, seen, depth + 1, key);
-    if (sanitized !== void 0) {
-      out[key] = sanitized;
-    }
-  }
-  return out;
-}
-function serializeGenAiAttribute(value, maxChars = GEN_AI_DEFAULT_MAX_ATTRIBUTE_CHARS) {
-  const sanitized = sanitizeGenAiValue(value, /* @__PURE__ */ new WeakSet(), 0);
-  if (sanitized === void 0) {
-    return void 0;
-  }
-  const serialized = typeof sanitized === "string" ? sanitized : JSON.stringify(sanitized);
-  if (!serialized) {
-    return void 0;
-  }
-  return truncateGenAiString(redactSecrets(serialized), maxChars);
-}
-function asRecord(value) {
-  return value && typeof value === "object" ? value : void 0;
-}
-function toFiniteTokenCount(value) {
-  if (typeof value !== "number" || !Number.isFinite(value)) {
-    return void 0;
-  }
-  const rounded = Math.floor(value);
-  return rounded >= 0 ? rounded : void 0;
-}
-function sumTokenCounts(...values) {
-  let total = 0;
-  let hasValue = false;
-  for (const value of values) {
-    if (value === void 0) {
-      continue;
-    }
-    total += value;
-    hasValue = true;
-  }
-  return hasValue ? total : void 0;
-}
-var PI_USAGE_FIELDS = [
-  ["input", "inputTokens"],
-  ["output", "outputTokens"],
-  ["cacheRead", "cachedInputTokens"],
-  ["cacheWrite", "cacheCreationTokens"],
-  ["totalTokens", "totalTokens"]
-];
-function readPiUsage(source) {
-  const record = asRecord(source);
-  if (!record) {
-    return {};
-  }
-  const usage = asRecord(record.usage) ?? record;
-  const summary = {};
-  for (const [piKey, ourKey] of PI_USAGE_FIELDS) {
-    const value = toFiniteTokenCount(usage[piKey]) ?? toFiniteTokenCount(usage[ourKey]);
-    if (value !== void 0) {
-      summary[ourKey] = value;
-    }
-  }
-  return summary;
-}
-function extractGenAiUsageSummary(...sources) {
-  const summary = {};
-  for (const source of sources) {
-    const single = readPiUsage(source);
-    for (const field of Object.keys(single)) {
-      const value = single[field];
-      if (value === void 0) continue;
-      summary[field] = (summary[field] ?? 0) + value;
-    }
-  }
-  return summary;
-}
-function extractGenAiUsageAttributes(...sources) {
-  const { inputTokens, outputTokens, cachedInputTokens, cacheCreationTokens } = extractGenAiUsageSummary(...sources);
-  const semanticInputTokens = sumTokenCounts(
-    inputTokens,
-    cachedInputTokens,
-    cacheCreationTokens
-  );
-  return {
-    ...semanticInputTokens !== void 0 ? { "gen_ai.usage.input_tokens": semanticInputTokens } : {},
-    ...outputTokens !== void 0 ? { "gen_ai.usage.output_tokens": outputTokens } : {},
-    ...cachedInputTokens !== void 0 ? { "gen_ai.usage.cache_read.input_tokens": cachedInputTokens } : {},
-    ...cacheCreationTokens !== void 0 ? { "gen_ai.usage.cache_creation.input_tokens": cacheCreationTokens } : {}
-  };
-}
+  discoverInstalledPluginPackageContent,
+  logInfo,
+  logWarn,
+  normalizePluginPackageNames,
+  pluginRoots,
+  setSpanAttributes
+} from "./chunk-BBXYXOJW.js";
 
 // src/chat/plugins/manifest.ts
 import { z } from "zod";
@@ -1330,7 +17,7 @@ function setDefined(target, key, value) {
     target[key] = value;
   }
 }
-function isRecord2(value) {
+function isRecord(value) {
   return Boolean(value && typeof value === "object" && !Array.isArray(value));
 }
 function unqualifyManifestToken(name, value) {
@@ -1346,7 +33,7 @@ function inlineTokenListSource(name, values) {
   return values.map((value) => unqualifyManifestToken(name, value));
 }
 function inlineCredentialsSource(credentials) {
-  if (credentials === void 0 || !isRecord2(credentials)) {
+  if (credentials === void 0 || !isRecord(credentials)) {
     return credentials;
   }
   const result = {};
@@ -1359,20 +46,10 @@ function inlineCredentialsSource(credentials) {
     "auth-token-placeholder",
     credentials.authTokenPlaceholder
   );
-  if (credentials.type === "github-app") {
-    setDefined(result, "app-id-env", credentials.appIdEnv);
-    setDefined(result, "private-key-env", credentials.privateKeyEnv);
-    setDefined(result, "installation-id-env", credentials.installationIdEnv);
-    setDefined(
-      result,
-      "system-read-permissions",
-      credentials.systemReadPermissions
-    );
-  }
   return result;
 }
 function inlineMcpSource(mcp) {
-  if (mcp === void 0 || !isRecord2(mcp)) {
+  if (mcp === void 0 || !isRecord(mcp)) {
     return mcp;
   }
   const result = {};
@@ -1383,7 +60,7 @@ function inlineMcpSource(mcp) {
   return result;
 }
 function inlineOauthSource(oauth) {
-  if (oauth === void 0 || !isRecord2(oauth)) {
+  if (oauth === void 0 || !isRecord(oauth)) {
     return oauth;
   }
   const result = {};
@@ -1395,10 +72,15 @@ function inlineOauthSource(oauth) {
   setDefined(result, "authorize-params", oauth.authorizeParams);
   setDefined(result, "token-auth-method", oauth.tokenAuthMethod);
   setDefined(result, "token-extra-headers", oauth.tokenExtraHeaders);
+  setDefined(
+    result,
+    "treat-empty-scope-as-unreported",
+    oauth.treatEmptyScopeAsUnreported
+  );
   return result;
 }
 function inlineTargetSource(name, target) {
-  if (target === void 0 || !isRecord2(target)) {
+  if (target === void 0 || !isRecord(target)) {
     return target;
   }
   const result = {};
@@ -1446,103 +128,6 @@ function inlineManifestSource(manifest) {
   return result;
 }
 
-// src/chat/plugins/github-permissions.ts
-var KNOWN_GITHUB_PERMISSION_SCOPES = /* @__PURE__ */ new Set([
-  "actions",
-  "administration",
-  "checks",
-  "codespaces",
-  "contents",
-  "deployments",
-  "environments",
-  "issues",
-  "metadata",
-  "packages",
-  "pages",
-  "pull_requests",
-  "repository_hooks",
-  "repository_projects",
-  "secret_scanning_alerts",
-  "secrets",
-  "security_events",
-  "statuses",
-  "vulnerability_alerts",
-  "workflows"
-]);
-var DEFAULT_GITHUB_SYSTEM_READ_SCOPES = /* @__PURE__ */ new Set([
-  "actions",
-  "checks",
-  "contents",
-  "issues",
-  "metadata",
-  "pull_requests",
-  "statuses"
-]);
-function normalizeGitHubPermissionScope(rawScope) {
-  return rawScope.trim().replace(/-/g, "_");
-}
-function normalizeGitHubSystemReadPermissionScopes(scopes, context) {
-  return scopes.map((rawScope) => {
-    const scope = normalizeGitHubPermissionScope(rawScope);
-    if (!KNOWN_GITHUB_PERMISSION_SCOPES.has(scope)) {
-      throw new Error(`${context} contains unsupported scope "${rawScope}"`);
-    }
-    return scope;
-  });
-}
-function githubCapabilitiesToPermissions(capabilities, pluginName) {
-  const permissions = {};
-  const prefix = `${pluginName}.`;
-  for (const capability of capabilities) {
-    if (!capability.startsWith(prefix)) {
-      throw new Error(`Unsupported GitHub capability: ${capability}`);
-    }
-    const suffix = capability.slice(prefix.length);
-    const lastDot = suffix.lastIndexOf(".");
-    if (lastDot === -1) {
-      throw new Error(`Unsupported GitHub capability: ${capability}`);
-    }
-    const scopeRaw = suffix.slice(0, lastDot);
-    const level = suffix.slice(lastDot + 1);
-    if (level !== "read" && level !== "write") {
-      throw new Error(`Unsupported GitHub capability: ${capability}`);
-    }
-    const scope = normalizeGitHubPermissionScope(scopeRaw);
-    if (!KNOWN_GITHUB_PERMISSION_SCOPES.has(scope)) {
-      throw new Error(`Unsupported GitHub capability: ${capability}`);
-    }
-    const existing = permissions[scope];
-    permissions[scope] = existing === "write" || level === "write" ? "write" : "read";
-  }
-  return permissions;
-}
-function githubSystemReadPermissionsFromScopes(scopes) {
-  const readOnly = {
-    metadata: "read"
-  };
-  for (const scope of normalizeGitHubSystemReadPermissionScopes(
-    scopes,
-    "GitHub system read permissions"
-  )) {
-    readOnly[scope] = "read";
-  }
-  return readOnly;
-}
-function githubInstallationReadPermissions(permissions, allowedScopes) {
-  const readOnly = {
-    metadata: "read"
-  };
-  for (const [scope, level] of Object.entries(permissions ?? {})) {
-    if (!allowedScopes.has(scope) || !KNOWN_GITHUB_PERMISSION_SCOPES.has(scope)) {
-      continue;
-    }
-    if (level === "read" || level === "write" || level === "admin") {
-      readOnly[scope] = "read";
-    }
-  }
-  return readOnly;
-}
-
 // src/chat/plugins/manifest.ts
 var PLUGIN_NAME_RE = /^[a-z][a-z0-9-]*$/;
 var SHORT_CAPABILITY_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)*$/;
@@ -1670,23 +255,14 @@ var domainsSchema = z.array(z.unknown()).min(1, {
   });
 });
 var baseCredentialsSchema = z.object({
-  domains: domainsSchema.optional(),
-  "api-headers": stringMapSchema.optional(),
-  "auth-token-env": envVarString,
-  "auth-token-placeholder": nonEmptyTrimmedString.optional()
+  domains: domainsSchema.optional()
 }).passthrough();
 var oauthBearerCredentialsSchema = baseCredentialsSchema.extend({
+  "api-headers": stringMapSchema.optional(),
+  "auth-token-env": envVarString,
+  "auth-token-placeholder": nonEmptyTrimmedString.optional(),
   type: z.literal("oauth-bearer")
 });
-var githubAppCredentialsSchema = baseCredentialsSchema.extend({
-  type: z.literal("github-app"),
-  "app-id-env": envVarString,
-  "private-key-env": envVarString,
-  "installation-id-env": envVarString,
-  "system-read-permissions": nonEmptyStringArraySchema(
-    "system-read-permissions"
-  ).optional()
-});
 var runtimeDependencyEntrySchema = z.object({
   type: z.enum(["npm", "system"]),
   package: z.string().optional(),
@@ -1713,7 +289,8 @@ var oauthSourceSchema = z.object({
   "token-extra-headers": stringMapSchema.optional(),
   "token-auth-method": nonEmptyTrimmedString.refine((value) => value === "body" || value === "basic", {
     error: 'must be "body" or "basic"'
-  }).optional()
+  }).optional(),
+  "treat-empty-scope-as-unreported": z.boolean().optional()
 }).passthrough();
 var mcpSourceSchema = z.object({
   transport: nonEmptyTrimmedString.refine((value) => value === "http", {
@@ -1798,22 +375,6 @@ function manifestConfigPatch(config) {
         "auth-token-placeholder",
         config.credentials.authTokenPlaceholder
       );
-      setDefined2(credentials, "app-id-env", config.credentials.appIdEnv);
-      setDefined2(
-        credentials,
-        "private-key-env",
-        config.credentials.privateKeyEnv
-      );
-      setDefined2(
-        credentials,
-        "installation-id-env",
-        config.credentials.installationIdEnv
-      );
-      setDefined2(
-        credentials,
-        "system-read-permissions",
-        config.credentials.systemReadPermissions
-      );
       result.credentials = credentials;
     }
   }
@@ -1844,6 +405,11 @@ function manifestConfigPatch(config) {
       setDefined2(oauth, "authorize-params", config.oauth.authorizeParams);
       setDefined2(oauth, "token-auth-method", config.oauth.tokenAuthMethod);
       setDefined2(oauth, "token-extra-headers", config.oauth.tokenExtraHeaders);
+      setDefined2(
+        oauth,
+        "treat-empty-scope-as-unreported",
+        config.oauth.treatEmptyScopeAsUnreported
+      );
       result.oauth = oauth;
     }
   }
@@ -1895,8 +461,8 @@ function applyManifestConfig(source, config) {
     root: true
   }) : source;
 }
-function formatPath(path3) {
-  return path3.map((segment) => String(segment)).join(".");
+function formatPath(path2) {
+  return path2.map((segment) => String(segment)).join(".");
 }
 function issueMessage(error, prefix) {
   const issue = error.issues[0];
@@ -2002,11 +568,8 @@ function assertCommandEnvDoesNotExposeHostSecretRefs(commandEnv, apiHeaders, cre
     }
   }
   if (credentials) {
-    hostOnlyRefs.add(credentials.authTokenEnv);
-    if (credentials.type === "github-app") {
-      hostOnlyRefs.add(credentials.appIdEnv);
-      hostOnlyRefs.add(credentials.privateKeyEnv);
-      hostOnlyRefs.add(credentials.installationIdEnv);
+    if (credentials.authTokenEnv) {
+      hostOnlyRefs.add(credentials.authTokenEnv);
     }
   }
   if (oauth) {
@@ -2039,13 +602,12 @@ function assertCommandEnvHostRefsAreExplicitlyExposed(commandEnv, envVars, plugi
   }
 }
 function normalizeCredentials(data, name) {
-  const schema = data.type === "oauth-bearer" ? oauthBearerCredentialsSchema : data.type === "github-app" ? githubAppCredentialsSchema : void 0;
-  if (!schema) {
+  if (data.type !== "oauth-bearer") {
     throw new Error(
       `Plugin ${name} has unsupported credentials.type: "${String(data.type)}"`
     );
   }
-  const result = schema.safeParse(data);
+  const result = oauthBearerCredentialsSchema.safeParse(data);
   if (!result.success) {
     throw new Error(issueMessage(result.error, `Plugin ${name} credentials`));
   }
@@ -2053,39 +615,17 @@ function normalizeCredentials(data, name) {
     throw new Error(`Plugin ${name} credentials requires domains`);
   }
   const domains = result.data.domains;
-  if (result.data.type === "oauth-bearer") {
-    const apiHeaders2 = result.data["api-headers"] ? normalizeStringMap(
-      result.data["api-headers"],
-      `Plugin ${name} credentials.api-headers`,
-      { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
-    ) : void 0;
-    return {
-      type: "oauth-bearer",
-      domains,
-      ...apiHeaders2 ? { apiHeaders: apiHeaders2 } : {},
-      authTokenEnv: result.data["auth-token-env"],
-      ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {}
-    };
-  }
   const apiHeaders = result.data["api-headers"] ? normalizeStringMap(
     result.data["api-headers"],
     `Plugin ${name} credentials.api-headers`,
     { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
   ) : void 0;
-  const systemReadPermissions = result.data["system-read-permissions"] ? normalizeGitHubSystemReadPermissionScopes(
-    result.data["system-read-permissions"],
-    `Plugin ${name} credentials.system-read-permissions`
-  ) : void 0;
   return {
-    type: "github-app",
+    type: "oauth-bearer",
     domains,
     ...apiHeaders ? { apiHeaders } : {},
     authTokenEnv: result.data["auth-token-env"],
-    ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {},
-    appIdEnv: result.data["app-id-env"],
-    privateKeyEnv: result.data["private-key-env"],
-    installationIdEnv: result.data["installation-id-env"],
-    ...systemReadPermissions ? { systemReadPermissions } : {}
+    ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {}
   };
 }
 function normalizeRuntimeDependencies(entries, name) {
@@ -2292,74 +832,74 @@ function normalizeMcp(data, envVars, name) {
     ...result.data["allowed-tools"] ? { allowedTools: result.data["allowed-tools"] } : {}
   };
 }
-function parseManifestSource(parsedSource, dir, config) {
+function parseManifestSource(parsedSource, dir, config, options) {
   const source = applyManifestConfig(parsedSource, config);
   const sourceResult = manifestSourceSchema.safeParse(source);
   if (!sourceResult.success) {
     const issue = sourceResult.error.issues[0];
-    const path3 = formatPath(issue?.path ?? []);
-    if (path3 === "name") {
+    const path2 = formatPath(issue?.path ?? []);
+    if (path2 === "name") {
       throw new Error(`Invalid plugin name in ${dir}: "${parsedSource.name}"`);
     }
-    if (path3 === "description") {
+    if (path2 === "description") {
       throw new Error(`Invalid plugin description in ${dir}`);
     }
-    if (path3 === "capabilities") {
+    if (path2 === "capabilities") {
       throw new Error(
         `Plugin ${String(parsedSource.name ?? "unknown")} capabilities must be an array when provided`
       );
     }
-    if (path3 === "config-keys") {
+    if (path2 === "config-keys") {
       throw new Error(
         `Plugin ${String(parsedSource.name ?? "unknown")} config-keys must be an array when provided`
       );
     }
-    if (path3 === "domains") {
+    if (path2 === "domains") {
       throw new Error(
-        `Plugin ${String(parsedSource.name ?? "unknown")} ${path3} must be a non-empty array of domains`
+        `Plugin ${String(parsedSource.name ?? "unknown")} ${path2} must be a non-empty array of domains`
       );
     }
-    if (path3 === "api-headers") {
+    if (path2 === "api-headers") {
       throw new Error(
         `Plugin ${String(parsedSource.name ?? "unknown")} api-headers must be an object when provided`
       );
     }
-    if (path3 === "command-env") {
+    if (path2 === "command-env") {
       throw new Error(
         `Plugin ${String(parsedSource.name ?? "unknown")} command-env must be an object when provided`
       );
     }
-    if (path3 === "credentials") {
+    if (path2 === "credentials") {
       throw new Error(
         `Plugin ${String(parsedSource.name ?? "unknown")} credentials must be an object when provided`
       );
     }
-    if (path3 === "runtime-dependencies") {
+    if (path2 === "runtime-dependencies") {
       throw new Error(
         `Plugin ${String(parsedSource.name ?? "unknown")} runtime-dependencies must be an array`
       );
     }
-    if (path3 === "runtime-postinstall") {
+    if (path2 === "runtime-postinstall") {
       throw new Error(
         `Plugin ${String(parsedSource.name ?? "unknown")} runtime-postinstall must be an array`
       );
     }
-    if (path3 === "env-vars") {
+    if (path2 === "env-vars") {
       throw new Error(
         `Plugin ${String(parsedSource.name ?? "unknown")} env-vars must be an object`
       );
     }
-    if (path3 === "mcp") {
+    if (path2 === "mcp") {
       throw new Error(
         `Plugin ${String(parsedSource.name ?? "unknown")} mcp must be an object`
       );
     }
-    if (path3 === "oauth") {
+    if (path2 === "oauth") {
       throw new Error(
         `Plugin ${String(parsedSource.name ?? "unknown")} oauth must be an object`
       );
     }
-    if (path3 === "target") {
+    if (path2 === "target") {
       throw new Error(
         `Plugin ${String(parsedSource.name ?? "unknown")} target must be an object`
       );
@@ -2391,7 +931,7 @@ function parseManifestSource(parsedSource, dir, config) {
   if (apiHeaders && !domains) {
     throw new Error(`Plugin ${data.name} api-headers requires domains`);
   }
-  if (domains && !apiHeaders && !data.credentials) {
+  if (domains && !apiHeaders && !data.credentials && options?.allowHookManagedEgress !== true) {
     throw new Error(
       `Plugin ${data.name} domains requires credentials or api-headers`
     );
@@ -2420,14 +960,9 @@ function parseManifestSource(parsedSource, dir, config) {
     ...mcp ? { mcp } : {}
   };
   if (data.oauth) {
-    if (!credentials) {
+    if (!credentials && options?.allowHookManagedEgress !== true) {
       throw new Error(`Plugin ${data.name} oauth requires credentials`);
     }
-    if (credentials.type !== "oauth-bearer") {
-      throw new Error(
-        `Plugin ${data.name} oauth requires credentials.type "oauth-bearer"`
-      );
-    }
     const result = oauthSourceSchema.safeParse(data.oauth);
     if (!result.success) {
       throw new Error(issueMessage(result.error, `Plugin ${data.name} oauth`));
@@ -2454,7 +989,8 @@ function parseManifestSource(parsedSource, dir, config) {
       ...result.data.scope ? { scope: result.data.scope } : {},
       ...authorizeParams ? { authorizeParams } : {},
       ...result.data["token-auth-method"] ? { tokenAuthMethod: result.data["token-auth-method"] } : {},
-      ...tokenExtraHeaders ? { tokenExtraHeaders } : {}
+      ...tokenExtraHeaders ? { tokenExtraHeaders } : {},
+      ...result.data["treat-empty-scope-as-unreported"] ? { treatEmptyScopeAsUnreported: true } : {}
     };
   }
   assertCommandEnvDoesNotExposeHostSecretRefs(
@@ -2471,382 +1007,60 @@ function parseManifestSource(parsedSource, dir, config) {
   );
   if (data.target) {
     const result = targetSourceSchema.safeParse(data.target);
-    if (!result.success) {
-      throw new Error(issueMessage(result.error, `Plugin ${data.name} target`));
-    }
-    if (!SHORT_CONFIG_KEY_RE.test(result.data["config-key"])) {
-      throw new Error(
-        `Plugin ${data.name} target.config-key "${result.data["config-key"]}" is invalid`
-      );
-    }
-    const qualifiedKey = `${data.name}.${result.data["config-key"]}`;
-    if (!configKeys.includes(qualifiedKey)) {
-      throw new Error(
-        `Plugin ${data.name} target.config-key "${result.data["config-key"]}" must be listed in config-keys`
-      );
-    }
-    const commandFlags = result.data["command-flags"];
-    if (commandFlags && commandFlags.some((flag) => !TARGET_FLAG_RE.test(flag))) {
-      throw new Error(
-        `Plugin ${data.name} target.command-flags must contain CLI flags like --repo or -R`
-      );
-    }
-    manifest.target = {
-      type: result.data.type,
-      configKey: qualifiedKey,
-      ...commandFlags ? { commandFlags } : {}
-    };
-  }
-  return manifest;
-}
-function parsePluginManifest(raw, dir, config) {
-  let parsedYaml;
-  try {
-    parsedYaml = parseYaml(raw);
-  } catch (error) {
-    throw new Error(
-      `Invalid plugin manifest in ${dir}: ${error instanceof Error ? error.message : String(error)}`
-    );
-  }
-  if (!parsedYaml || typeof parsedYaml !== "object" || Array.isArray(parsedYaml)) {
-    throw new Error(`Invalid plugin manifest in ${dir}: expected an object`);
-  }
-  return parseManifestSource(parsedYaml, dir, config);
-}
-function parseInlinePluginManifest(manifest, dir, config) {
-  return parseManifestSource(inlineManifestSource(manifest), dir, config);
-}
-
-// src/chat/plugins/registry.ts
-import { readFileSync, readdirSync, statSync } from "fs";
-import path2 from "path";
-
-// src/chat/plugins/auth/github-app-broker.ts
-import { createPrivateKey, createSign, randomUUID as randomUUID2 } from "crypto";
-
-// src/chat/credentials/header-transforms.ts
-function mergeHeaderTransforms(transforms) {
-  const byDomain = /* @__PURE__ */ new Map();
-  for (const transform of transforms) {
-    byDomain.set(transform.domain, {
-      ...byDomain.get(transform.domain) ?? {},
-      ...transform.headers
-    });
-  }
-  return [...byDomain.entries()].map(([domain, headers]) => ({
-    domain,
-    headers
-  }));
-}
-
-// src/chat/plugins/command-env.ts
-var ENV_PLACEHOLDER_RE2 = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
-function resolveValue(manifest, value) {
-  let missing = false;
-  const resolved = value.replace(ENV_PLACEHOLDER_RE2, (match, name) => {
-    const envName = name;
-    const declaration = manifest.envVars?.[envName];
-    if (!declaration || declaration.default !== void 0) {
-      return match;
-    }
-    const hostValue = process.env[envName];
-    if (hostValue === void 0 || hostValue === "") {
-      missing = true;
-      return "";
-    }
-    return hostValue;
-  });
-  return missing ? void 0 : resolved;
-}
-function resolvePluginCommandEnv(manifest) {
-  const env = {};
-  for (const [key, value] of Object.entries(manifest.commandEnv ?? {})) {
-    const resolved = resolveValue(manifest, value);
-    if (resolved === void 0) {
-      continue;
-    }
-    env[key] = resolved;
-  }
-  return env;
-}
-
-// src/chat/plugins/auth/api-headers-broker.ts
-import { randomUUID } from "crypto";
-var MAX_LEASE_MS = 60 * 60 * 1e3;
-var ENV_PLACEHOLDER_RE3 = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
-function resolveHeaders(provider, headers) {
-  return Object.fromEntries(
-    Object.entries(headers).map(([key, value]) => {
-      const resolved = value.replace(ENV_PLACEHOLDER_RE3, (_match, name) => {
-        const envName = name;
-        const envValue = process.env[envName]?.trim();
-        if (!envValue) {
-          throw new Error(
-            `Missing ${envName} for API header provider "${provider}"`
-          );
-        }
-        return envValue;
-      });
-      return [key, resolved];
-    })
-  );
-}
-function resolveApiHeaderTransforms(manifest) {
-  const { domains, apiHeaders } = manifest;
-  if (!domains || !apiHeaders) {
-    return [];
-  }
-  const resolvedHeaders = resolveHeaders(manifest.name, apiHeaders);
-  return domains.map((domain) => ({
-    domain,
-    headers: resolvedHeaders
-  }));
-}
-function createApiHeadersBroker(manifest) {
-  const provider = manifest.name;
-  return {
-    async issue(input) {
-      const headerTransforms = resolveApiHeaderTransforms(manifest);
-      if (headerTransforms.length === 0) {
-        throw new Error(`No API headers configured for plugin "${provider}"`);
-      }
-      return {
-        id: randomUUID(),
-        provider,
-        env: resolvePluginCommandEnv(manifest),
-        headerTransforms,
-        expiresAt: new Date(Date.now() + MAX_LEASE_MS).toISOString(),
-        metadata: {
-          reason: input.reason
-        }
-      };
-    }
-  };
-}
-
-// src/chat/plugins/auth/auth-token-placeholder.ts
-var DEFAULT_PLACEHOLDERS = {
-  "oauth-bearer": "host_managed_credential",
-  "github-app": "ghp_host_managed_credential"
-};
-function resolveAuthTokenPlaceholder(credentials) {
-  return credentials.authTokenPlaceholder?.trim() || DEFAULT_PLACEHOLDERS[credentials.type];
-}
-
-// src/chat/plugins/auth/github-app-broker.ts
-var MAX_LEASE_MS2 = 60 * 60 * 1e3;
-function base64Url(input) {
-  return Buffer.from(input).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-}
-function normalizePrivateKey(raw) {
-  let normalized = raw.trim();
-  if (normalized.startsWith('"') && normalized.endsWith('"') || normalized.startsWith("'") && normalized.endsWith("'")) {
-    normalized = normalized.slice(1, -1);
-  }
-  normalized = normalized.replace(/\r\n/g, "\n");
-  if (normalized.includes("\\n")) {
-    normalized = normalized.replace(/\\n/g, "\n");
-  }
-  if (!normalized.includes("-----BEGIN")) {
-    try {
-      const decoded = Buffer.from(normalized, "base64").toString("utf8").trim();
-      if (decoded.includes("-----BEGIN")) {
-        normalized = decoded;
-      }
-    } catch {
+    if (!result.success) {
+      throw new Error(issueMessage(result.error, `Plugin ${data.name} target`));
+    }
+    if (!SHORT_CONFIG_KEY_RE.test(result.data["config-key"])) {
+      throw new Error(
+        `Plugin ${data.name} target.config-key "${result.data["config-key"]}" is invalid`
+      );
+    }
+    const qualifiedKey = `${data.name}.${result.data["config-key"]}`;
+    if (!configKeys.includes(qualifiedKey)) {
+      throw new Error(
+        `Plugin ${data.name} target.config-key "${result.data["config-key"]}" must be listed in config-keys`
+      );
+    }
+    const commandFlags = result.data["command-flags"];
+    if (commandFlags && commandFlags.some((flag) => !TARGET_FLAG_RE.test(flag))) {
+      throw new Error(
+        `Plugin ${data.name} target.command-flags must contain CLI flags like --repo or -R`
+      );
     }
+    manifest.target = {
+      type: result.data.type,
+      configKey: qualifiedKey,
+      ...commandFlags ? { commandFlags } : {}
+    };
   }
-  return normalized;
+  return manifest;
 }
-function getPrivateKey(envName) {
-  const raw = process.env[envName];
-  if (!raw) {
-    throw new Error(`Missing ${envName}`);
-  }
-  const normalized = normalizePrivateKey(raw);
-  let key;
+function parsePluginManifest(raw, dir, config) {
+  let parsedYaml;
   try {
-    key = createPrivateKey({ key: normalized, format: "pem" });
-  } catch {
-    throw new Error(
-      `Invalid ${envName}: expected a PEM-encoded RSA private key (raw PEM, escaped newlines, or base64-encoded PEM)`
-    );
-  }
-  if (key.asymmetricKeyType !== "rsa") {
+    parsedYaml = parseYaml(raw);
+  } catch (error) {
     throw new Error(
-      `Invalid ${envName}: GitHub App signing requires an RSA private key`
+      `Invalid plugin manifest in ${dir}: ${error instanceof Error ? error.message : String(error)}`
     );
   }
-  return key;
-}
-function createAppJwt(appId, privateKeyEnv) {
-  const now = Math.floor(Date.now() / 1e3);
-  const header = { alg: "RS256", typ: "JWT" };
-  const payload = { iat: now - 60, exp: now + 9 * 60, iss: appId };
-  const encodedHeader = base64Url(JSON.stringify(header));
-  const encodedPayload = base64Url(JSON.stringify(payload));
-  const signingInput = `${encodedHeader}.${encodedPayload}`;
-  const signer = createSign("RSA-SHA256");
-  signer.update(signingInput);
-  signer.end();
-  const signature = signer.sign(getPrivateKey(privateKeyEnv)).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
-  return `${signingInput}.${signature}`;
-}
-function resolveAppId(appIdEnv) {
-  const appId = process.env[appIdEnv]?.trim();
-  if (!appId) {
-    throw new Error(`Missing ${appIdEnv}`);
-  }
-  return appId;
-}
-async function githubRequest(apiBase, path3, params) {
-  const response = await fetch(`${apiBase}${path3}`, {
-    method: params.method ?? "GET",
-    headers: {
-      Accept: "application/vnd.github+json",
-      Authorization: `Bearer ${params.token}`,
-      "X-GitHub-Api-Version": "2022-11-28",
-      ...params.body ? { "Content-Type": "application/json" } : {}
-    },
-    ...params.body ? { body: JSON.stringify(params.body) } : {}
-  });
-  const text = await response.text();
-  let parsed = void 0;
-  if (text) {
-    try {
-      parsed = JSON.parse(text);
-    } catch {
-      parsed = void 0;
-    }
-  }
-  if (!response.ok) {
-    const message = parsed && typeof parsed === "object" && "message" in parsed && typeof parsed.message === "string" ? parsed.message : `GitHub API error ${response.status}`;
-    throw new Error(message);
+  if (!parsedYaml || typeof parsedYaml !== "object" || Array.isArray(parsedYaml)) {
+    throw new Error(`Invalid plugin manifest in ${dir}: expected an object`);
   }
-  return parsed;
+  return parseManifestSource(parsedYaml, dir, config);
 }
-function resolveGitHubApiDomain(credentials) {
-  const apiDomain = credentials.domains.find((domain) => {
-    const normalizedDomain = domain.toLowerCase();
-    return normalizedDomain === "api.github.com" || normalizedDomain.startsWith("api.");
+function parseInlinePluginManifest(manifest, dir, config) {
+  return parseManifestSource(inlineManifestSource(manifest), dir, config, {
+    allowHookManagedEgress: true
   });
-  if (!apiDomain) {
-    throw new Error("GitHub App provider requires an API domain");
-  }
-  return apiDomain;
-}
-function createGitHubAppBroker(manifest, credentials) {
-  const provider = manifest.name;
-  const {
-    domains,
-    apiHeaders,
-    authTokenEnv,
-    appIdEnv,
-    privateKeyEnv,
-    installationIdEnv
-  } = credentials;
-  const apiDomain = resolveGitHubApiDomain(credentials);
-  const apiBase = `https://${apiDomain}`;
-  const placeholder = resolveAuthTokenPlaceholder(credentials);
-  const pluginHeaderTransforms = () => resolveApiHeaderTransforms(manifest);
-  const leaseDomains = [...new Set(domains)];
-  function authorizationFor(domain, token) {
-    if (isGitSmartHttpDomain(domain)) {
-      return `Basic ${Buffer.from(`x-access-token:${token}`).toString("base64")}`;
-    }
-    return `Bearer ${token}`;
-  }
-  function isGitSmartHttpDomain(domain) {
-    const normalizedDomain = domain.toLowerCase();
-    const normalizedApiDomain = apiDomain.toLowerCase();
-    return normalizedDomain === "github.com" || normalizedApiDomain.startsWith("api.") && normalizedDomain === normalizedApiDomain.slice("api.".length);
-  }
-  const permissions = manifest.capabilities?.length ? githubCapabilitiesToPermissions(manifest.capabilities, provider) : void 0;
-  const systemReadPermissions = credentials.systemReadPermissions?.length ? githubSystemReadPermissionsFromScopes(credentials.systemReadPermissions) : void 0;
-  async function resolveTokenPermissions(params) {
-    if (!params.systemActor) {
-      return permissions;
-    }
-    if (systemReadPermissions) {
-      return systemReadPermissions;
-    }
-    const installation = await githubRequest(apiBase, `/app/installations/${params.installationId}`, {
-      token: params.appJwt
-    });
-    return githubInstallationReadPermissions(
-      installation.permissions,
-      DEFAULT_GITHUB_SYSTEM_READ_SCOPES
-    );
-  }
-  function createLease(params) {
-    return {
-      id: randomUUID2(),
-      provider,
-      env: {
-        ...resolvePluginCommandEnv(manifest),
-        [authTokenEnv]: placeholder
-      },
-      headerTransforms: mergeHeaderTransforms([
-        ...pluginHeaderTransforms(),
-        ...leaseDomains.map((domain) => ({
-          domain,
-          headers: {
-            ...apiHeaders ?? {},
-            Authorization: authorizationFor(domain, params.token)
-          }
-        }))
-      ]),
-      expiresAt: new Date(params.expiresAtMs).toISOString(),
-      metadata: {
-        installationId: String(params.installationId),
-        reason: params.reason
-      }
-    };
-  }
-  function resolveInstallationId() {
-    const installationIdRaw = process.env[installationIdEnv]?.trim();
-    if (!installationIdRaw) {
-      throw new Error(`Missing ${installationIdEnv}`);
-    }
-    const installationId = Number(installationIdRaw);
-    if (!Number.isFinite(installationId)) {
-      throw new Error(`Invalid ${installationIdEnv}`);
-    }
-    return installationId;
-  }
-  return {
-    async issue(input) {
-      const installationId = resolveInstallationId();
-      const appId = resolveAppId(appIdEnv);
-      const appJwt = createAppJwt(appId, privateKeyEnv);
-      const tokenPermissions = await resolveTokenPermissions({
-        appJwt,
-        installationId,
-        systemActor: input.context.actor.type === "system"
-      });
-      const tokenRequestBody = tokenPermissions ? { permissions: tokenPermissions } : {};
-      const accessTokenResponse = await githubRequest(apiBase, `/app/installations/${installationId}/access_tokens`, {
-        method: "POST",
-        token: appJwt,
-        body: tokenRequestBody
-      });
-      const providerExpiresAtMs = Date.parse(accessTokenResponse.expires_at);
-      const expiresAtMs = Math.min(
-        providerExpiresAtMs,
-        Date.now() + MAX_LEASE_MS2
-      );
-      return createLease({
-        installationId,
-        token: accessTokenResponse.token,
-        expiresAtMs,
-        reason: input.reason
-      });
-    }
-  };
 }
 
+// src/chat/plugins/registry.ts
+import { readFileSync, readdirSync, statSync } from "fs";
+import path from "path";
+
 // src/chat/plugins/auth/oauth-bearer-broker.ts
-import { randomUUID as randomUUID3 } from "crypto";
+import { randomUUID as randomUUID2 } from "crypto";
 
 // src/chat/credentials/broker.ts
 var CredentialUnavailableError = class extends Error {
@@ -2858,6 +1072,9 @@ var CredentialUnavailableError = class extends Error {
   }
 };
 
+// src/chat/credentials/context.ts
+import { z as z2 } from "zod";
+
 // src/chat/services/requester-identity.ts
 var SLACK_USER_ID_PATTERN = /^[UW][A-Z0-9]{5,}$/;
 var EMAIL_PATTERN = /^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$/;
@@ -2943,83 +1160,56 @@ function slackActorIdentity(userId, profile) {
 }
 
 // src/chat/credentials/context.ts
+var exactActorIdSchema = z2.string().refine((value) => parseActorUserId(value) === value);
+var credentialSubjectBindingSchema = z2.object({
+  type: z2.literal("slack-direct-conversation"),
+  teamId: z2.string().min(1),
+  channelId: z2.string().min(1),
+  signature: z2.string().min(1)
+}).strict();
+var credentialUserActorSchema = z2.object({
+  type: z2.literal("user"),
+  userId: exactActorIdSchema
+}).strict();
+var credentialSystemActorSchema = z2.object({
+  type: z2.literal("system"),
+  id: exactActorIdSchema
+}).strict();
+var credentialSubjectSchema = z2.object({
+  type: z2.literal("user"),
+  userId: exactActorIdSchema,
+  allowedWhen: z2.literal("private-direct-conversation"),
+  binding: credentialSubjectBindingSchema
+}).strict();
+var credentialContextSchema = z2.union([
+  z2.object({
+    actor: credentialUserActorSchema
+  }).strict(),
+  z2.object({
+    actor: credentialSystemActorSchema,
+    subject: credentialSubjectSchema.optional()
+  }).strict()
+]);
 function credentialUserSubjectId(context) {
   if (context.actor.type === "user") {
     return context.actor.userId;
   }
-  return context.subject?.userId;
-}
-function parseCredentialContext(value) {
-  if (!value || typeof value !== "object") {
-    return void 0;
-  }
-  const record = value;
-  const actor = parseActor(record.actor);
-  if (!actor) {
-    return void 0;
-  }
-  if (actor.type === "user") {
-    if ("subject" in record && record.subject !== void 0) {
-      return void 0;
-    }
-    return { actor };
-  }
-  if (!("subject" in record) || record.subject === void 0) {
-    return { actor };
-  }
-  const subject = parseSubject(record.subject);
-  if (!subject) {
-    return void 0;
-  }
-  return {
-    actor,
-    subject
-  };
-}
-function parseActor(value) {
-  if (value && typeof value === "object") {
-    const record = value;
-    const userId = parseActorUserId(
-      typeof record.userId === "string" ? record.userId : void 0
-    );
-    if (record.type === "user" && userId) {
-      return { type: "user", userId };
-    }
-    const systemId = typeof record.id === "string" && record.id.length > 0 && record.id === record.id.trim() && record.id.toLowerCase() !== "unknown" ? record.id : void 0;
-    if (record.type === "system" && systemId) {
-      return { type: "system", id: systemId };
-    }
-  }
-  return void 0;
+  return "subject" in context ? context.subject?.userId : void 0;
 }
-function parseSubject(value) {
-  if (value && typeof value === "object") {
-    const record = value;
-    const userId = parseActorUserId(
-      typeof record.userId === "string" ? record.userId : void 0
-    );
-    if (record.type === "user" && userId && record.allowedWhen === "private-direct-conversation") {
-      if (!record.binding || typeof record.binding !== "object") {
-        return void 0;
-      }
-      const binding = record.binding;
-      if (binding.type !== "slack-direct-conversation" || typeof binding.teamId !== "string" || !binding.teamId || typeof binding.channelId !== "string" || !binding.channelId || typeof binding.signature !== "string" || !binding.signature) {
-        return void 0;
-      }
-      return {
-        type: "user",
-        userId,
-        allowedWhen: "private-direct-conversation",
-        binding: {
-          type: "slack-direct-conversation",
-          teamId: binding.teamId,
-          channelId: binding.channelId,
-          signature: binding.signature
-        }
-      };
-    }
+
+// src/chat/credentials/header-transforms.ts
+function mergeHeaderTransforms(transforms) {
+  const byDomain = /* @__PURE__ */ new Map();
+  for (const transform of transforms) {
+    byDomain.set(transform.domain, {
+      ...byDomain.get(transform.domain) ?? {},
+      ...transform.headers
+    });
   }
-  return void 0;
+  return [...byDomain.entries()].map(([domain, headers]) => ({
+    domain,
+    headers
+  }));
 }
 
 // src/chat/credentials/oauth-scope.ts
@@ -3045,6 +1235,99 @@ function hasRequiredOAuthScope(storedScope, requiredScope) {
   return required.every((scope) => stored.has(scope));
 }
 
+// src/chat/plugins/command-env.ts
+var ENV_PLACEHOLDER_RE2 = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
+function resolveValue(manifest, value) {
+  let missing = false;
+  const resolved = value.replace(ENV_PLACEHOLDER_RE2, (match, name) => {
+    const envName = name;
+    const declaration = manifest.envVars?.[envName];
+    if (!declaration || declaration.default !== void 0) {
+      return match;
+    }
+    const hostValue = process.env[envName];
+    if (hostValue === void 0 || hostValue === "") {
+      missing = true;
+      return "";
+    }
+    return hostValue;
+  });
+  return missing ? void 0 : resolved;
+}
+function resolvePluginCommandEnv(manifest) {
+  const env = {};
+  for (const [key, value] of Object.entries(manifest.commandEnv ?? {})) {
+    const resolved = resolveValue(manifest, value);
+    if (resolved === void 0) {
+      continue;
+    }
+    env[key] = resolved;
+  }
+  return env;
+}
+
+// src/chat/plugins/auth/auth-token-placeholder.ts
+var DEFAULT_PLACEHOLDERS = {
+  "oauth-bearer": "host_managed_credential"
+};
+function resolveAuthTokenPlaceholder(credentials) {
+  return credentials.authTokenPlaceholder?.trim() || DEFAULT_PLACEHOLDERS[credentials.type];
+}
+
+// src/chat/plugins/auth/api-headers-broker.ts
+import { randomUUID } from "crypto";
+var MAX_LEASE_MS = 60 * 60 * 1e3;
+var ENV_PLACEHOLDER_RE3 = /\$\{([A-Z_][A-Z0-9_]*)\}/g;
+function resolveHeaders(provider, headers) {
+  return Object.fromEntries(
+    Object.entries(headers).map(([key, value]) => {
+      const resolved = value.replace(ENV_PLACEHOLDER_RE3, (_match, name) => {
+        const envName = name;
+        const envValue = process.env[envName]?.trim();
+        if (!envValue) {
+          throw new Error(
+            `Missing ${envName} for API header provider "${provider}"`
+          );
+        }
+        return envValue;
+      });
+      return [key, resolved];
+    })
+  );
+}
+function resolveApiHeaderTransforms(manifest) {
+  const { domains, apiHeaders } = manifest;
+  if (!domains || !apiHeaders) {
+    return [];
+  }
+  const resolvedHeaders = resolveHeaders(manifest.name, apiHeaders);
+  return domains.map((domain) => ({
+    domain,
+    headers: resolvedHeaders
+  }));
+}
+function createApiHeadersBroker(manifest) {
+  const provider = manifest.name;
+  return {
+    async issue(input) {
+      const headerTransforms = resolveApiHeaderTransforms(manifest);
+      if (headerTransforms.length === 0) {
+        throw new Error(`No API headers configured for plugin "${provider}"`);
+      }
+      return {
+        id: randomUUID(),
+        provider,
+        env: resolvePluginCommandEnv(manifest),
+        headerTransforms,
+        expiresAt: new Date(Date.now() + MAX_LEASE_MS).toISOString(),
+        metadata: {
+          reason: input.reason
+        }
+      };
+    }
+  };
+}
+
 // src/chat/plugins/auth/oauth-request.ts
 var DEFAULT_TOKEN_CONTENT_TYPE = "application/x-www-form-urlencoded";
 function requireNonEmptyTokenField(data, field) {
@@ -3092,19 +1375,26 @@ function buildOAuthTokenRequest(input) {
     body: contentTypeToBody(contentType, payload)
   };
 }
-function parseOAuthTokenResponse(data, fallbackScope) {
+function parseOAuthTokenResponse(data, requestedScope, options) {
   const accessToken = requireNonEmptyTokenField(data, "access_token");
   const refreshToken = requireNonEmptyTokenField(data, "refresh_token");
   const expiresIn = data.expires_in;
   const responseScope = data.scope;
   let scope;
   if (responseScope !== void 0) {
-    if (typeof responseScope !== "string" || !responseScope.trim()) {
+    if (typeof responseScope !== "string") {
       throw new Error("OAuth token response returned invalid scope");
     }
-    scope = normalizeOAuthScope(responseScope);
+    const normalized = normalizeOAuthScope(responseScope);
+    if (normalized !== void 0) {
+      scope = normalized;
+    } else if (options?.treatEmptyScopeAsUnreported) {
+      scope = normalizeOAuthScope(requestedScope);
+    } else {
+      throw new Error("OAuth token response returned empty scope");
+    }
   } else {
-    scope = normalizeOAuthScope(fallbackScope);
+    scope = normalizeOAuthScope(requestedScope);
   }
   if (expiresIn === void 0) {
     return { accessToken, refreshToken, ...scope ? { scope } : {} };
@@ -3121,9 +1411,26 @@ function parseOAuthTokenResponse(data, fallbackScope) {
 }
 
 // src/chat/plugins/auth/oauth-bearer-broker.ts
-var MAX_LEASE_MS3 = 60 * 60 * 1e3;
+var MAX_LEASE_MS2 = 60 * 60 * 1e3;
 var REFRESH_BUFFER_MS = 5 * 60 * 1e3;
-async function refreshAccessToken(refreshToken, oauth, fallbackScope) {
+var OAuthRefreshRejectedError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "OAuthRefreshRejectedError";
+  }
+};
+function parseRefreshError(text) {
+  if (!text.trim()) {
+    return void 0;
+  }
+  try {
+    const parsed = JSON.parse(text);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) && typeof parsed.error === "string" ? parsed.error : void 0;
+  } catch {
+    return void 0;
+  }
+}
+async function refreshAccessToken(refreshToken, oauth, requestedScope) {
   const clientId = process.env[oauth.clientIdEnv]?.trim();
   const clientSecret = process.env[oauth.clientSecretEnv]?.trim();
   if (!clientId || !clientSecret) {
@@ -3147,13 +1454,23 @@ async function refreshAccessToken(refreshToken, oauth, fallbackScope) {
     body: request.body
   });
   if (!response.ok) {
-    throw new Error(`Token refresh failed: ${response.status}`);
+    const errorCode = parseRefreshError(await response.text());
+    if (errorCode === "invalid_grant" || errorCode === "bad_refresh_token") {
+      throw new OAuthRefreshRejectedError(
+        `Token refresh rejected: ${errorCode}`
+      );
+    }
+    throw new Error(
+      `Token refresh failed: ${response.status}${errorCode ? ` ${errorCode}` : ""}`
+    );
   }
   const data = await response.json();
-  return parseOAuthTokenResponse(data, fallbackScope);
+  return parseOAuthTokenResponse(data, requestedScope, {
+    treatEmptyScopeAsUnreported: oauth.treatEmptyScopeAsUnreported
+  });
 }
 function getLeaseExpiry(expiresAt) {
-  return expiresAt ? Math.min(expiresAt, Date.now() + MAX_LEASE_MS3) : Date.now() + MAX_LEASE_MS3;
+  return expiresAt ? Math.min(expiresAt, Date.now() + MAX_LEASE_MS2) : Date.now() + MAX_LEASE_MS2;
 }
 function createOAuthBearerBroker(manifest, credentials, deps) {
   const provider = manifest.name;
@@ -3162,7 +1479,7 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
   const pluginHeaderTransforms = () => resolveApiHeaderTransforms(manifest);
   function buildLease(token, expiresAtMs, reason) {
     return {
-      id: randomUUID3(),
+      id: randomUUID2(),
       provider,
       env: {
         ...resolvePluginCommandEnv(manifest),
@@ -3186,7 +1503,7 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
       const userSubjectId = credentialUserSubjectId(input.context);
       if (!oauth) {
         if (envToken) {
-          return buildLease(envToken, Date.now() + MAX_LEASE_MS3, input.reason);
+          return buildLease(envToken, Date.now() + MAX_LEASE_MS2, input.reason);
         }
         throw new CredentialUnavailableError(
           provider,
@@ -3216,7 +1533,15 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
                   `Your ${provider} connection needs to be reauthorized.`
                 );
               }
-              await deps.userTokenStore.set(userSubjectId, provider, refreshed);
+              const refreshedTokens = {
+                ...refreshed,
+                ...stored.account ? { account: stored.account } : {}
+              };
+              await deps.userTokenStore.set(
+                userSubjectId,
+                provider,
+                refreshedTokens
+              );
               return buildLease(
                 refreshed.accessToken,
                 getLeaseExpiry(refreshed.expiresAt),
@@ -3226,17 +1551,13 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
               if (error instanceof CredentialUnavailableError) {
                 throw error;
               }
-              if (stored.expiresAt > Date.now()) {
-                return buildLease(
-                  stored.accessToken,
-                  getLeaseExpiry(stored.expiresAt),
-                  input.reason
+              if (error instanceof OAuthRefreshRejectedError) {
+                throw new CredentialUnavailableError(
+                  provider,
+                  `Your ${provider} connection has expired.`
                 );
               }
-              throw new CredentialUnavailableError(
-                provider,
-                `Your ${provider} connection has expired.`
-              );
+              throw error;
             }
           }
           if (stored.expiresAt === void 0 || stored.expiresAt > Date.now()) {
@@ -3336,14 +1657,14 @@ function registerYamlPluginManifest(state, raw, pluginDir) {
     state,
     manifest,
     pluginDir,
-    path2.join(pluginDir, "skills")
+    path.join(pluginDir, "skills")
   );
 }
 function normalizePluginRoots(roots) {
   const resolved = [];
   const seen = /* @__PURE__ */ new Set();
   for (const root of roots) {
-    const normalized = path2.resolve(root);
+    const normalized = path.resolve(root);
     if (seen.has(normalized)) {
       continue;
     }
@@ -3402,7 +1723,7 @@ function registerInlineManifests(state, source) {
   for (const definition of source.inlineManifests) {
     const pkg = definition.packageName ? packageContentByName(source.packagedContent, definition.packageName) : void 0;
     const dir = pkg?.dir ?? process.cwd();
-    const skillsDir = pkg?.hasSkillsDir ? path2.join(pkg.dir, "skills") : void 0;
+    const skillsDir = pkg?.hasSkillsDir ? path.join(pkg.dir, "skills") : void 0;
     const manifest = parseInlinePluginManifest(
       definition.manifest,
       dir,
@@ -3441,7 +1762,7 @@ function buildLoadedPluginState(source) {
       continue;
     }
     if (rootStat.isDirectory()) {
-      const manifestPath = path2.join(pluginsRoot, "plugin.yaml");
+      const manifestPath = path.join(pluginsRoot, "plugin.yaml");
       let hasRootManifest = false;
       try {
         hasRootManifest = statSync(manifestPath).isFile();
@@ -3469,14 +1790,14 @@ function buildLoadedPluginState(source) {
       continue;
     }
     for (const entry of entries.sort()) {
-      const pluginDir = path2.join(pluginsRoot, entry);
+      const pluginDir = path.join(pluginsRoot, entry);
       try {
         const stat = statSync(pluginDir);
         if (!stat.isDirectory()) continue;
       } catch {
         continue;
       }
-      const manifestPath = path2.join(pluginDir, "plugin.yaml");
+      const manifestPath = path.join(pluginDir, "plugin.yaml");
       let raw;
       try {
         raw = readFileSync(manifestPath, "utf8");
@@ -3618,6 +1939,7 @@ function getPluginOAuthConfig(provider) {
     ...oauth.authorizeParams ? { authorizeParams: { ...oauth.authorizeParams } } : {},
     ...oauth.tokenAuthMethod ? { tokenAuthMethod: oauth.tokenAuthMethod } : {},
     ...oauth.tokenExtraHeaders ? { tokenExtraHeaders: { ...oauth.tokenExtraHeaders } } : {},
+    ...oauth.treatEmptyScopeAsUnreported ? { treatEmptyScopeAsUnreported: true } : {},
     callbackPath: `/api/oauth/callback/${plugin.manifest.name}`
   };
 }
@@ -3634,13 +1956,13 @@ function getPluginSkillRoots() {
 }
 function getPluginForSkillPath(skillPath) {
   const state = ensurePluginsLoaded();
-  const resolvedSkillPath = path2.resolve(skillPath);
+  const resolvedSkillPath = path.resolve(skillPath);
   return state.pluginDefinitions.find((plugin) => {
     if (!plugin.skillsDir) {
       return false;
     }
-    const resolvedSkillsDir = path2.resolve(plugin.skillsDir);
-    return resolvedSkillPath === resolvedSkillsDir || resolvedSkillPath.startsWith(`${resolvedSkillsDir}${path2.sep}`);
+    const resolvedSkillsDir = path.resolve(plugin.skillsDir);
+    return resolvedSkillPath === resolvedSkillsDir || resolvedSkillPath.startsWith(`${resolvedSkillsDir}${path.sep}`);
   });
 }
 function getPluginDefinition(provider) {
@@ -3666,12 +1988,8 @@ function createPluginBroker(provider, deps) {
   let broker;
   if (!credentials) {
     broker = createApiHeadersBroker(plugin.manifest);
-  } else if (credentials.type === "oauth-bearer") {
-    broker = createOAuthBearerBroker(plugin.manifest, credentials, deps);
-  } else if (credentials.type === "github-app") {
-    broker = createGitHubAppBroker(plugin.manifest, credentials);
   } else {
-    throw new Error(`Unsupported credentials type for plugin "${name}"`);
+    broker = createOAuthBearerBroker(plugin.manifest, credentials, deps);
   }
   setSpanAttributes({
     "app.plugin.name": name,
@@ -3682,30 +2000,6 @@ function createPluginBroker(provider, deps) {
 }
 
 export {
-  toOptionalString,
-  toOptionalNumber,
-  isRecord,
-  normalizeGenAiFinishReason,
-  createChatSdkLogger,
-  getLogContextAttributes,
-  setSentryUser,
-  logInfo,
-  logWarn,
-  logError,
-  logException,
-  setTags,
-  createRequestContext,
-  withContext,
-  withSpan,
-  setSpanAttributes,
-  setSpanStatus,
-  getActiveTraceId,
-  buildTurnFailureResponse,
-  serializeGenAiAttribute,
-  extractGenAiUsageSummary,
-  extractGenAiUsageAttributes,
-  resolvePluginCommandEnv,
-  resolveAuthTokenPlaceholder,
   parsePluginManifest,
   parseInlinePluginManifest,
   CredentialUnavailableError,
@@ -3713,8 +2007,10 @@ export {
   isActorUserId,
   buildActorIdentity,
   slackActorIdentity,
-  parseCredentialContext,
+  credentialContextSchema,
   hasRequiredOAuthScope,
+  resolvePluginCommandEnv,
+  resolveAuthTokenPlaceholder,
   buildOAuthTokenRequest,
   parseOAuthTokenResponse,
   setPluginCatalogConfig,