npm - @sentry/junior - Versions diffs - 0.7.0 → 0.9.0 - Mend

@sentry/junior 0.7.0 → 0.9.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (22) hide show

package/dist/chunk-4G2LA7RO.js +678 -0
package/dist/{chunk-JRKU55W5.js → chunk-DIMXJUSL.js} +10952 -9015
package/dist/{chunk-QHKQ2AWX.js → chunk-I3DYWLM6.js} +15 -6
package/dist/chunk-IJVZEV3K.js +840 -0
package/dist/{chunk-Z5E25LRN.js → chunk-KCLEEKYX.js} +124 -17
package/dist/chunk-VM3CPAZF.js +448 -0
package/dist/chunk-ZBWWHP6Q.js +1436 -0
package/dist/{chunk-PY4AI2GZ.js → chunk-ZW4OVKF5.js} +376 -79
package/dist/cli/check.js +4 -2
package/dist/cli/snapshot-warmup.js +7 -6
package/dist/handlers/queue-callback.js +7 -7
package/dist/handlers/router.d.ts +1 -0
package/dist/handlers/router.js +523 -85
package/dist/handlers/webhooks.js +2 -2
package/dist/next-config.js +1 -1
package/dist/production-XMCJXOOI.js +15 -0
package/package.json +13 -15
package/dist/bot-ZKMCCT3D.js +0 -19
package/dist/chunk-56WI5Q7P.js +0 -330
package/dist/chunk-KT5HARSN.js +0 -164
package/dist/chunk-RKOO42TW.js +0 -1797
package/dist/chunk-VW26MOSO.js +0 -522

package/dist/chunk-ZBWWHP6Q.js ADDED Viewed

@@ -0,0 +1,1436 @@
+import {
+  discoverInstalledPluginPackageContent,
+  pluginRoots
+} from "./chunk-KCLEEKYX.js";
+import {
+  logInfo,
+  logWarn,
+  setSpanAttributes
+} from "./chunk-ZW4OVKF5.js";
+// src/chat/plugins/manifest.ts
+import { z } from "zod";
+import { parse as parseYaml } from "yaml";
+var PLUGIN_NAME_RE = /^[a-z][a-z0-9-]*$/;
+var SHORT_CAPABILITY_RE = /^[a-z0-9-]+(\.[a-z0-9-]+)*$/;
+var SHORT_CONFIG_KEY_RE = /^[a-z0-9]+(\.[a-z0-9-]+)*$/;
+var AUTH_TOKEN_ENV_RE = /^[A-Z][A-Z0-9_]*$/;
+var API_DOMAIN_RE = /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;
+var RUNTIME_POSTINSTALL_CMD_RE = /^[A-Za-z0-9._/-]+$/;
+var RESERVED_AUTHORIZE_PARAM_KEYS = /* @__PURE__ */ new Set([
+  "client_id",
+  "scope",
+  "state",
+  "redirect_uri",
+  "response_type"
+]);
+var FORBIDDEN_API_HEADER_NAMES = /* @__PURE__ */ new Set(["authorization"]);
+var FORBIDDEN_TOKEN_HEADER_NAMES = /* @__PURE__ */ new Set(["authorization"]);
+var trimmedString = z.string().transform((value) => value.trim());
+var nonEmptyTrimmedString = trimmedString.pipe(
+  z.string().min(1, { error: "must be a non-empty string" })
+);
+var nonEmptyStringArraySchema = (fieldName, options = {}) => z.array(z.string(), {
+  error: "must be an array of strings when provided"
+}).min(1, {
+  error: options.nonEmptyMessage ?? "must be a non-empty array of strings when provided"
+}).transform((values, ctx) => {
+  const result = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const rawValue of values) {
+    const value = rawValue.trim();
+    if (!value) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: `${fieldName} entries must be non-empty strings`
+      });
+      return z.NEVER;
+    }
+    if (seen.has(value)) {
+      continue;
+    }
+    seen.add(value);
+    result.push(value);
+  }
+  return result;
+});
+var envVarString = nonEmptyTrimmedString.refine(
+  (value) => AUTH_TOKEN_ENV_RE.test(value),
+  {
+    error: "must be an uppercase env var name"
+  }
+);
+var httpsUrlString = nonEmptyTrimmedString.superRefine((value, ctx) => {
+  let parsed;
+  try {
+    parsed = new URL(value);
+  } catch {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "must be a valid URL"
+    });
+    return;
+  }
+  if (parsed.protocol !== "https:") {
+    ctx.addIssue({
+      code: z.ZodIssueCode.custom,
+      message: "must use https"
+    });
+  }
+});
+var stringMapSchema = z.record(z.string(), z.unknown()).transform((record, ctx) => {
+  const entries = Object.entries(record);
+  const result = {};
+  const seen = /* @__PURE__ */ new Set();
+  for (const [rawKey, rawValue] of entries) {
+    const key = rawKey.trim();
+    if (!key) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "keys must be non-empty strings"
+      });
+      return z.NEVER;
+    }
+    if (typeof rawValue !== "string" || !rawValue.trim()) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: `${key} must be a non-empty string`
+      });
+      return z.NEVER;
+    }
+    const normalizedKey = key.toLowerCase();
+    if (seen.has(normalizedKey)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: `${key} is duplicated`
+      });
+      return z.NEVER;
+    }
+    seen.add(normalizedKey);
+    result[key] = rawValue.trim();
+  }
+  return Object.keys(result).length > 0 ? result : void 0;
+});
+var apiDomainsSchema = z.array(z.unknown()).min(1, {
+  error: "must be a non-empty array of strings"
+}).transform((domains, ctx) => {
+  return domains.map((rawDomain) => {
+    const domain = typeof rawDomain === "string" ? rawDomain.trim().toLowerCase() : "";
+    if (!domain) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "entries must be non-empty strings"
+      });
+      return z.NEVER;
+    }
+    if (!API_DOMAIN_RE.test(domain)) {
+      ctx.addIssue({
+        code: z.ZodIssueCode.custom,
+        message: "entries must be valid domain names"
+      });
+      return z.NEVER;
+    }
+    return domain;
+  });
+});
+var baseCredentialsSchema = z.object({
+  "api-domains": apiDomainsSchema,
+  "api-headers": stringMapSchema.optional(),
+  "auth-token-env": envVarString,
+  "auth-token-placeholder": nonEmptyTrimmedString.optional()
+}).passthrough();
+var oauthBearerCredentialsSchema = baseCredentialsSchema.extend({
+  type: z.literal("oauth-bearer")
+});
+var githubAppCredentialsSchema = baseCredentialsSchema.extend({
+  type: z.literal("github-app"),
+  "app-id-env": envVarString,
+  "private-key-env": envVarString,
+  "installation-id-env": envVarString
+});
+var runtimeDependencyEntrySchema = z.object({
+  type: z.enum(["npm", "system"]),
+  package: z.string().optional(),
+  version: z.string().optional(),
+  url: z.string().optional(),
+  sha256: z.string().optional()
+}).passthrough();
+var runtimePostinstallCommandSourceSchema = z.object({
+  cmd: nonEmptyTrimmedString,
+  args: z.array(z.string(), {
+    error: "args must be an array of strings when provided"
+  }).optional(),
+  sudo: z.boolean({
+    error: "sudo must be a boolean when provided"
+  }).optional()
+}).passthrough();
+var oauthSourceSchema = z.object({
+  "client-id-env": envVarString,
+  "client-secret-env": envVarString,
+  "authorize-endpoint": httpsUrlString,
+  "token-endpoint": httpsUrlString,
+  scope: nonEmptyTrimmedString.optional(),
+  "authorize-params": stringMapSchema.optional(),
+  "token-extra-headers": stringMapSchema.optional(),
+  "token-auth-method": nonEmptyTrimmedString.refine((value) => value === "body" || value === "basic", {
+    error: 'must be "body" or "basic"'
+  }).optional()
+}).passthrough();
+var mcpSourceSchema = z.object({
+  transport: nonEmptyTrimmedString.refine((value) => value === "http", {
+    error: 'must be "http"'
+  }),
+  url: httpsUrlString,
+  headers: stringMapSchema.optional(),
+  "allowed-tools": nonEmptyStringArraySchema("allowed-tools").optional()
+}).passthrough();
+var targetSourceSchema = z.object({
+  type: z.literal("repo", {
+    error: 'type must be "repo"'
+  }),
+  "config-key": nonEmptyTrimmedString
+}).passthrough();
+var manifestSourceSchema = z.object({
+  name: z.string().refine((value) => PLUGIN_NAME_RE.test(value), {
+    error: "invalid"
+  }),
+  description: nonEmptyTrimmedString,
+  capabilities: z.array(z.string(), {
+    error: "must be an array when provided"
+  }).optional(),
+  "config-keys": z.array(z.string(), {
+    error: "must be an array when provided"
+  }).optional(),
+  credentials: z.record(z.string(), z.unknown(), {
+    error: "must be an object when provided"
+  }).optional(),
+  "runtime-dependencies": z.array(z.unknown(), {
+    error: "must be an array"
+  }).optional(),
+  "runtime-postinstall": z.array(z.unknown(), {
+    error: "must be an array"
+  }).optional(),
+  mcp: z.record(z.string(), z.unknown(), {
+    error: "must be an object"
+  }).optional(),
+  oauth: z.record(z.string(), z.unknown(), {
+    error: "must be an object"
+  }).optional(),
+  target: z.record(z.string(), z.unknown(), {
+    error: "must be an object"
+  }).optional()
+}).passthrough();
+function formatPath(path2) {
+  return path2.map((segment) => String(segment)).join(".");
+}
+function issueMessage(error, prefix) {
+  const issue = error.issues[0];
+  if (!issue) {
+    return prefix;
+  }
+  const suffix = formatPath(issue.path);
+  return suffix ? `${prefix}.${suffix} ${issue.message}` : `${prefix} ${issue.message}`;
+}
+function normalizeStringMap(value, prefix, options = {}) {
+  if (!value) {
+    return void 0;
+  }
+  for (const key of Object.keys(value)) {
+    const normalizedKey = key.toLowerCase();
+    if (options.reservedKeys?.has(normalizedKey)) {
+      throw new Error(`${prefix}.${key} is reserved by the runtime`);
+    }
+    if (options.forbiddenKeys?.has(normalizedKey)) {
+      throw new Error(`${prefix}.${key} is not allowed`);
+    }
+  }
+  return value;
+}
+function normalizeCredentials(data, name) {
+  const schema = data.type === "oauth-bearer" ? oauthBearerCredentialsSchema : data.type === "github-app" ? githubAppCredentialsSchema : void 0;
+  if (!schema) {
+    throw new Error(
+      `Plugin ${name} has unsupported credentials.type: "${String(data.type)}"`
+    );
+  }
+  const result = schema.safeParse(data);
+  if (!result.success) {
+    throw new Error(issueMessage(result.error, `Plugin ${name} credentials`));
+  }
+  if (result.data.type === "oauth-bearer") {
+    return {
+      type: "oauth-bearer",
+      apiDomains: result.data["api-domains"],
+      ...result.data["api-headers"] ? {
+        apiHeaders: normalizeStringMap(
+          result.data["api-headers"],
+          `Plugin ${name} credentials.api-headers`,
+          { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
+        )
+      } : {},
+      authTokenEnv: result.data["auth-token-env"],
+      ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {}
+    };
+  }
+  return {
+    type: "github-app",
+    apiDomains: result.data["api-domains"],
+    ...result.data["api-headers"] ? {
+      apiHeaders: normalizeStringMap(
+        result.data["api-headers"],
+        `Plugin ${name} credentials.api-headers`,
+        { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
+      )
+    } : {},
+    authTokenEnv: result.data["auth-token-env"],
+    ...result.data["auth-token-placeholder"] ? { authTokenPlaceholder: result.data["auth-token-placeholder"] } : {},
+    appIdEnv: result.data["app-id-env"],
+    privateKeyEnv: result.data["private-key-env"],
+    installationIdEnv: result.data["installation-id-env"]
+  };
+}
+function normalizeRuntimeDependencies(entries, name) {
+  const parsed = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const entry of entries) {
+    const result = runtimeDependencyEntrySchema.safeParse(entry);
+    if (!result.success) {
+      throw new Error(
+        issueMessage(
+          result.error,
+          `Plugin ${name} runtime-dependencies entries`
+        )
+      );
+    }
+    const record = result.data;
+    const packageName = typeof record.package === "string" ? record.package.trim() : "";
+    const packageUrl = typeof record.url === "string" ? record.url.trim() : "";
+    const version = record.version;
+    const sha256 = record.sha256;
+    if (record.type === "npm") {
+      if (!packageName) {
+        throw new Error(
+          `Plugin ${name} runtime dependency package must be a non-empty string`
+        );
+      }
+      if (record.url !== void 0 || sha256 !== void 0) {
+        throw new Error(
+          `Plugin ${name} npm runtime dependencies must only include package/version fields`
+        );
+      }
+      const normalizedVersion = typeof version === "string" ? version.trim() : "latest";
+      if (!normalizedVersion) {
+        throw new Error(
+          `Plugin ${name} runtime dependency version must be a non-empty string when provided`
+        );
+      }
+      const dedupeKey2 = `${record.type}:${packageName}:${normalizedVersion}`;
+      if (seen.has(dedupeKey2)) {
+        continue;
+      }
+      seen.add(dedupeKey2);
+      parsed.push({
+        type: "npm",
+        package: packageName,
+        version: normalizedVersion
+      });
+      continue;
+    }
+    if (version !== void 0) {
+      throw new Error(
+        `Plugin ${name} system runtime dependencies must not include a version`
+      );
+    }
+    if (packageName && packageUrl) {
+      throw new Error(
+        `Plugin ${name} system runtime dependencies must specify either package or url, not both`
+      );
+    }
+    if (!packageName && !packageUrl) {
+      throw new Error(
+        `Plugin ${name} system runtime dependencies must specify package or url`
+      );
+    }
+    if (packageName) {
+      if (sha256 !== void 0) {
+        throw new Error(
+          `Plugin ${name} system runtime dependency package entries must not include sha256`
+        );
+      }
+      const dedupeKey2 = `${record.type}:package:${packageName}`;
+      if (seen.has(dedupeKey2)) {
+        continue;
+      }
+      seen.add(dedupeKey2);
+      parsed.push({
+        type: "system",
+        package: packageName
+      });
+      continue;
+    }
+    if (!/^https:\/\//i.test(packageUrl)) {
+      throw new Error(
+        `Plugin ${name} system runtime dependency url must be an https URL`
+      );
+    }
+    const normalizedSha256 = typeof sha256 === "string" ? sha256.trim().toLowerCase() : "";
+    if (!/^[a-f0-9]{64}$/.test(normalizedSha256)) {
+      throw new Error(
+        `Plugin ${name} system runtime dependency url entries must include a valid sha256`
+      );
+    }
+    const dedupeKey = `${record.type}:url:${packageUrl}:${normalizedSha256}`;
+    if (seen.has(dedupeKey)) {
+      continue;
+    }
+    seen.add(dedupeKey);
+    parsed.push({
+      type: "system",
+      url: packageUrl,
+      sha256: normalizedSha256
+    });
+  }
+  return parsed.length > 0 ? parsed : void 0;
+}
+function normalizeRuntimePostinstall(commands, name) {
+  const parsed = [];
+  for (const command of commands) {
+    const result = runtimePostinstallCommandSourceSchema.safeParse(command);
+    if (!result.success) {
+      throw new Error(
+        issueMessage(result.error, `Plugin ${name} runtime-postinstall`)
+      );
+    }
+    if (!RUNTIME_POSTINSTALL_CMD_RE.test(result.data.cmd)) {
+      throw new Error(
+        `Plugin ${name} runtime-postinstall cmd must be a single executable token (letters, digits, ., _, /, -)`
+      );
+    }
+    const normalizedArgs = result.data.args?.map((arg) => arg.trim()).filter((arg) => arg.length > 0);
+    parsed.push({
+      cmd: result.data.cmd,
+      ...normalizedArgs && normalizedArgs.length > 0 ? { args: normalizedArgs } : {},
+      ...typeof result.data.sudo === "boolean" ? { sudo: result.data.sudo } : {}
+    });
+  }
+  return parsed.length > 0 ? parsed : void 0;
+}
+function normalizeMcp(data, name) {
+  const result = mcpSourceSchema.safeParse(data);
+  if (!result.success) {
+    throw new Error(issueMessage(result.error, `Plugin ${name} mcp`));
+  }
+  return {
+    transport: "http",
+    url: result.data.url,
+    ...result.data.headers ? {
+      headers: normalizeStringMap(
+        result.data.headers,
+        `Plugin ${name} mcp.headers`,
+        { forbiddenKeys: FORBIDDEN_API_HEADER_NAMES }
+      )
+    } : {},
+    ...result.data["allowed-tools"] ? { allowedTools: result.data["allowed-tools"] } : {}
+  };
+}
+function parsePluginManifest(raw, dir) {
+  let parsedYaml;
+  try {
+    parsedYaml = parseYaml(raw);
+  } catch (error) {
+    throw new Error(
+      `Invalid plugin manifest in ${dir}: ${error instanceof Error ? error.message : String(error)}`
+    );
+  }
+  if (!parsedYaml || typeof parsedYaml !== "object" || Array.isArray(parsedYaml)) {
+    throw new Error(`Invalid plugin manifest in ${dir}: expected an object`);
+  }
+  const sourceResult = manifestSourceSchema.safeParse(parsedYaml);
+  if (!sourceResult.success) {
+    const issue = sourceResult.error.issues[0];
+    const path2 = formatPath(issue?.path ?? []);
+    if (path2 === "name") {
+      throw new Error(
+        `Invalid plugin name in ${dir}: "${parsedYaml.name}"`
+      );
+    }
+    if (path2 === "description") {
+      throw new Error(`Invalid plugin description in ${dir}`);
+    }
+    if (path2 === "capabilities") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} capabilities must be an array when provided`
+      );
+    }
+    if (path2 === "config-keys") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} config-keys must be an array when provided`
+      );
+    }
+    if (path2 === "credentials") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} credentials must be an object when provided`
+      );
+    }
+    if (path2 === "runtime-dependencies") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} runtime-dependencies must be an array`
+      );
+    }
+    if (path2 === "runtime-postinstall") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} runtime-postinstall must be an array`
+      );
+    }
+    if (path2 === "mcp") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} mcp must be an object`
+      );
+    }
+    if (path2 === "oauth") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} oauth must be an object`
+      );
+    }
+    if (path2 === "target") {
+      throw new Error(
+        `Plugin ${parsedYaml.name ?? "unknown"} target must be an object`
+      );
+    }
+    throw new Error(issue?.message ?? `Invalid plugin manifest in ${dir}`);
+  }
+  const data = sourceResult.data;
+  const capabilities = (data.capabilities ?? []).map((cap) => {
+    if (!SHORT_CAPABILITY_RE.test(cap)) {
+      throw new Error(
+        `Invalid capability token "${cap}" in plugin ${data.name}`
+      );
+    }
+    return `${data.name}.${cap}`;
+  });
+  const configKeys = (data["config-keys"] ?? []).map((key) => {
+    if (!SHORT_CONFIG_KEY_RE.test(key)) {
+      throw new Error(`Invalid config key "${key}" in plugin ${data.name}`);
+    }
+    return `${data.name}.${key}`;
+  });
+  const credentials = data.credentials ? normalizeCredentials(data.credentials, data.name) : void 0;
+  const runtimeDependencies = data["runtime-dependencies"] ? normalizeRuntimeDependencies(data["runtime-dependencies"], data.name) : void 0;
+  const runtimePostinstall = data["runtime-postinstall"] ? normalizeRuntimePostinstall(data["runtime-postinstall"], data.name) : void 0;
+  const mcp = data.mcp ? normalizeMcp(data.mcp, data.name) : void 0;
+  const manifest = {
+    name: data.name,
+    description: data.description,
+    capabilities,
+    configKeys,
+    ...credentials ? { credentials } : {},
+    ...runtimeDependencies ? { runtimeDependencies } : {},
+    ...runtimePostinstall ? { runtimePostinstall } : {},
+    ...mcp ? { mcp } : {}
+  };
+  if (data.oauth) {
+    if (!credentials) {
+      throw new Error(`Plugin ${data.name} oauth requires credentials`);
+    }
+    if (credentials.type !== "oauth-bearer") {
+      throw new Error(
+        `Plugin ${data.name} oauth requires credentials.type "oauth-bearer"`
+      );
+    }
+    const result = oauthSourceSchema.safeParse(data.oauth);
+    if (!result.success) {
+      throw new Error(issueMessage(result.error, `Plugin ${data.name} oauth`));
+    }
+    const authorizeParams = result.data["authorize-params"] ? normalizeStringMap(
+      result.data["authorize-params"],
+      `Plugin ${data.name} oauth.authorize-params`,
+      {
+        reservedKeys: RESERVED_AUTHORIZE_PARAM_KEYS
+      }
+    ) : void 0;
+    const tokenExtraHeaders = result.data["token-extra-headers"] ? normalizeStringMap(
+      result.data["token-extra-headers"],
+      `Plugin ${data.name} oauth.token-extra-headers`,
+      {
+        forbiddenKeys: FORBIDDEN_TOKEN_HEADER_NAMES
+      }
+    ) : void 0;
+    manifest.oauth = {
+      clientIdEnv: result.data["client-id-env"],
+      clientSecretEnv: result.data["client-secret-env"],
+      authorizeEndpoint: result.data["authorize-endpoint"],
+      tokenEndpoint: result.data["token-endpoint"],
+      ...result.data.scope ? { scope: result.data.scope } : {},
+      ...authorizeParams ? { authorizeParams } : {},
+      ...result.data["token-auth-method"] ? { tokenAuthMethod: result.data["token-auth-method"] } : {},
+      ...tokenExtraHeaders ? { tokenExtraHeaders } : {}
+    };
+  }
+  if (data.target) {
+    const result = targetSourceSchema.safeParse(data.target);
+    if (!result.success) {
+      throw new Error(issueMessage(result.error, `Plugin ${data.name} target`));
+    }
+    if (!SHORT_CONFIG_KEY_RE.test(result.data["config-key"])) {
+      throw new Error(
+        `Plugin ${data.name} target.config-key "${result.data["config-key"]}" is invalid`
+      );
+    }
+    const qualifiedKey = `${data.name}.${result.data["config-key"]}`;
+    if (!configKeys.includes(qualifiedKey)) {
+      throw new Error(
+        `Plugin ${data.name} target.config-key "${result.data["config-key"]}" must be listed in config-keys`
+      );
+    }
+    manifest.target = { type: "repo", configKey: qualifiedKey };
+  }
+  return manifest;
+}
+// src/chat/plugins/registry.ts
+import { readFileSync, readdirSync, statSync } from "fs";
+import path from "path";
+// src/chat/plugins/auth/github-app-broker.ts
+import { createPrivateKey, createSign, randomUUID } from "crypto";
+// src/chat/plugins/auth/auth-token-placeholder.ts
+var DEFAULT_PLACEHOLDERS = {
+  "oauth-bearer": "host_managed_credential",
+  "github-app": "ghp_host_managed_credential"
+};
+function resolveAuthTokenPlaceholder(credentials) {
+  return credentials.authTokenPlaceholder?.trim() || DEFAULT_PLACEHOLDERS[credentials.type];
+}
+// src/chat/plugins/auth/github-app-broker.ts
+var MAX_LEASE_MS = 60 * 60 * 1e3;
+function normalizeTargetScope(target) {
+  const owner = target?.owner?.trim().toLowerCase();
+  const repo = target?.repo?.trim().toLowerCase();
+  if (!owner || !repo) {
+    return "all";
+  }
+  return `${owner}/${repo}`;
+}
+function base64Url(input) {
+  return Buffer.from(input).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+}
+function normalizePrivateKey(raw) {
+  let normalized = raw.trim();
+  if (normalized.startsWith('"') && normalized.endsWith('"') || normalized.startsWith("'") && normalized.endsWith("'")) {
+    normalized = normalized.slice(1, -1);
+  }
+  normalized = normalized.replace(/\r\n/g, "\n");
+  if (normalized.includes("\\n")) {
+    normalized = normalized.replace(/\\n/g, "\n");
+  }
+  if (!normalized.includes("-----BEGIN")) {
+    try {
+      const decoded = Buffer.from(normalized, "base64").toString("utf8").trim();
+      if (decoded.includes("-----BEGIN")) {
+        normalized = decoded;
+      }
+    } catch {
+    }
+  }
+  return normalized;
+}
+function getPrivateKey(envName) {
+  const raw = process.env[envName];
+  if (!raw) {
+    throw new Error(`Missing ${envName}`);
+  }
+  const normalized = normalizePrivateKey(raw);
+  let key;
+  try {
+    key = createPrivateKey({ key: normalized, format: "pem" });
+  } catch {
+    throw new Error(
+      `Invalid ${envName}: expected a PEM-encoded RSA private key (raw PEM, escaped newlines, or base64-encoded PEM)`
+    );
+  }
+  if (key.asymmetricKeyType !== "rsa") {
+    throw new Error(
+      `Invalid ${envName}: GitHub App signing requires an RSA private key`
+    );
+  }
+  return key;
+}
+function createAppJwt(appId, privateKeyEnv) {
+  const now = Math.floor(Date.now() / 1e3);
+  const header = { alg: "RS256", typ: "JWT" };
+  const payload = { iat: now - 60, exp: now + 9 * 60, iss: appId };
+  const encodedHeader = base64Url(JSON.stringify(header));
+  const encodedPayload = base64Url(JSON.stringify(payload));
+  const signingInput = `${encodedHeader}.${encodedPayload}`;
+  const signer = createSign("RSA-SHA256");
+  signer.update(signingInput);
+  signer.end();
+  const signature = signer.sign(getPrivateKey(privateKeyEnv)).toString("base64").replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
+  return `${signingInput}.${signature}`;
+}
+async function githubRequest(apiBase, path2, params) {
+  const response = await fetch(`${apiBase}${path2}`, {
+    method: params.method ?? "GET",
+    headers: {
+      Accept: "application/vnd.github+json",
+      Authorization: `Bearer ${params.token}`,
+      "X-GitHub-Api-Version": "2022-11-28",
+      ...params.body ? { "Content-Type": "application/json" } : {}
+    },
+    ...params.body ? { body: JSON.stringify(params.body) } : {}
+  });
+  const text = await response.text();
+  let parsed = void 0;
+  if (text) {
+    try {
+      parsed = JSON.parse(text);
+    } catch {
+      parsed = void 0;
+    }
+  }
+  if (!response.ok) {
+    const message = parsed && typeof parsed === "object" && "message" in parsed && typeof parsed.message === "string" ? parsed.message : `GitHub API error ${response.status}`;
+    throw new Error(message);
+  }
+  return parsed;
+}
+var CAPABILITY_ALIASES = {
+  "issues.comment": { permission: "issues", level: "write" },
+  "labels.write": { permission: "issues", level: "write" }
+};
+var KNOWN_SCOPES = /* @__PURE__ */ new Set([
+  "actions",
+  "administration",
+  "checks",
+  "codespaces",
+  "contents",
+  "deployments",
+  "environments",
+  "issues",
+  "metadata",
+  "packages",
+  "pages",
+  "pull_requests",
+  "repository_hooks",
+  "repository_projects",
+  "secret_scanning_alerts",
+  "secrets",
+  "security_events",
+  "statuses",
+  "vulnerability_alerts",
+  "workflows"
+]);
+function capabilityToPermissions(capability, pluginName) {
+  const prefix = `${pluginName}.`;
+  if (!capability.startsWith(prefix)) {
+    throw new Error(`Unsupported GitHub capability: ${capability}`);
+  }
+  const suffix = capability.slice(prefix.length);
+  const alias = CAPABILITY_ALIASES[suffix];
+  if (alias) {
+    return { [alias.permission]: alias.level };
+  }
+  const lastDot = suffix.lastIndexOf(".");
+  if (lastDot === -1) {
+    throw new Error(`Unsupported GitHub capability: ${capability}`);
+  }
+  const scopeRaw = suffix.slice(0, lastDot);
+  const level = suffix.slice(lastDot + 1);
+  if (level !== "read" && level !== "write") {
+    throw new Error(`Unsupported GitHub capability: ${capability}`);
+  }
+  const scope = scopeRaw.replace(/-/g, "_");
+  if (!KNOWN_SCOPES.has(scope)) {
+    throw new Error(`Unsupported GitHub capability: ${capability}`);
+  }
+  return { [scope]: level };
+}
+function createGitHubAppBroker(manifest, credentials) {
+  const tokenCache = /* @__PURE__ */ new Map();
+  const provider = manifest.name;
+  const {
+    apiDomains,
+    apiHeaders,
+    authTokenEnv,
+    appIdEnv,
+    privateKeyEnv,
+    installationIdEnv
+  } = credentials;
+  const apiBase = `https://${apiDomains[0]}`;
+  const placeholder = resolveAuthTokenPlaceholder(credentials);
+  const GIT_DOMAIN = "github.com";
+  const GIT_CAPABILITIES = /* @__PURE__ */ new Set([
+    `${provider}.contents.read`,
+    `${provider}.contents.write`
+  ]);
+  function leaseDomainsFor(capability) {
+    return GIT_CAPABILITIES.has(capability) ? [...apiDomains, GIT_DOMAIN] : apiDomains;
+  }
+  const supportedCapabilities = new Set(manifest.capabilities);
+  return {
+    async issue(input) {
+      if (!supportedCapabilities.has(input.capability)) {
+        throw new Error(
+          `Unsupported ${provider} capability: ${input.capability}`
+        );
+      }
+      const permissions = capabilityToPermissions(input.capability, provider);
+      const appId = process.env[appIdEnv];
+      if (!appId) {
+        throw new Error(`Missing ${appIdEnv}`);
+      }
+      const installationIdRaw = process.env[installationIdEnv]?.trim();
+      if (!installationIdRaw) {
+        throw new Error(`Missing ${installationIdEnv}`);
+      }
+      const installationId = Number(installationIdRaw);
+      if (!Number.isFinite(installationId)) {
+        throw new Error(`Invalid ${installationIdEnv}`);
+      }
+      const targetScope = normalizeTargetScope(input.target);
+      const cacheKey = `${installationId}:${input.capability}:${targetScope}`;
+      const cached = tokenCache.get(cacheKey);
+      const now = Date.now();
+      if (cached && cached.expiresAt - now > 2 * 60 * 1e3) {
+        const domains2 = leaseDomainsFor(input.capability);
+        return {
+          id: randomUUID(),
+          provider,
+          capability: input.capability,
+          env: { [authTokenEnv]: placeholder },
+          headerTransforms: domains2.map((domain) => ({
+            domain,
+            headers: {
+              ...apiHeaders ?? {},
+              Authorization: `Bearer ${cached.token}`
+            }
+          })),
+          expiresAt: new Date(cached.expiresAt).toISOString(),
+          metadata: {
+            installationId: String(cached.installationId),
+            targetScope,
+            reason: input.reason
+          }
+        };
+      }
+      const appJwt = createAppJwt(appId, privateKeyEnv);
+      const repositoryName = input.target?.repo?.trim().toLowerCase();
+      const tokenRequestBody = {
+        permissions
+      };
+      if (repositoryName) {
+        tokenRequestBody.repositories = [repositoryName];
+      }
+      const accessTokenResponse = await githubRequest(apiBase, `/app/installations/${installationId}/access_tokens`, {
+        method: "POST",
+        token: appJwt,
+        body: tokenRequestBody
+      });
+      const providerExpiresAtMs = Date.parse(accessTokenResponse.expires_at);
+      const expiresAtMs = Math.min(
+        providerExpiresAtMs,
+        Date.now() + MAX_LEASE_MS
+      );
+      tokenCache.set(cacheKey, {
+        installationId,
+        token: accessTokenResponse.token,
+        expiresAt: expiresAtMs
+      });
+      const domains = leaseDomainsFor(input.capability);
+      return {
+        id: randomUUID(),
+        provider,
+        capability: input.capability,
+        env: { [authTokenEnv]: placeholder },
+        headerTransforms: domains.map((domain) => ({
+          domain,
+          headers: {
+            ...apiHeaders ?? {},
+            Authorization: `Bearer ${accessTokenResponse.token}`
+          }
+        })),
+        expiresAt: new Date(expiresAtMs).toISOString(),
+        metadata: {
+          installationId: String(installationId),
+          targetScope,
+          reason: input.reason
+        }
+      };
+    }
+  };
+}
+// src/chat/plugins/auth/oauth-bearer-broker.ts
+import { randomUUID as randomUUID2 } from "crypto";
+// src/chat/credentials/broker.ts
+var CredentialUnavailableError = class extends Error {
+  provider;
+  constructor(provider, message) {
+    super(message);
+    this.name = "CredentialUnavailableError";
+    this.provider = provider;
+  }
+};
+// src/chat/plugins/auth/oauth-request.ts
+var DEFAULT_TOKEN_CONTENT_TYPE = "application/x-www-form-urlencoded";
+function requireNonEmptyTokenField(data, field) {
+  const value = data[field];
+  if (typeof value !== "string" || !value.trim()) {
+    throw new Error(`OAuth token response missing ${field}`);
+  }
+  return value;
+}
+function contentTypeToBody(contentType, payload) {
+  const mediaType = contentType.split(";", 1)[0]?.trim().toLowerCase();
+  if (!mediaType || mediaType === DEFAULT_TOKEN_CONTENT_TYPE) {
+    return new URLSearchParams(payload);
+  }
+  if (mediaType === "application/json" || mediaType.endsWith("+json")) {
+    return JSON.stringify(payload);
+  }
+  throw new Error(`Unsupported OAuth token Content-Type: ${contentType}`);
+}
+function buildOAuthTokenRequest(input) {
+  const headers = new Headers({ Accept: "application/json" });
+  for (const [name, value] of Object.entries(input.tokenExtraHeaders ?? {})) {
+    headers.set(name, value);
+  }
+  if (!headers.has("Content-Type")) {
+    headers.set("Content-Type", DEFAULT_TOKEN_CONTENT_TYPE);
+  }
+  const payload = { ...input.payload };
+  if (input.tokenAuthMethod === "basic") {
+    headers.set(
+      "Authorization",
+      `Basic ${Buffer.from(`${input.clientId}:${input.clientSecret}`).toString("base64")}`
+    );
+  } else {
+    payload.client_id = input.clientId;
+    payload.client_secret = input.clientSecret;
+  }
+  const contentType = headers.get("Content-Type") ?? DEFAULT_TOKEN_CONTENT_TYPE;
+  const serializedHeaders = {};
+  headers.forEach((value, key) => {
+    serializedHeaders[key] = value;
+  });
+  return {
+    headers: serializedHeaders,
+    body: contentTypeToBody(contentType, payload)
+  };
+}
+function parseOAuthTokenResponse(data) {
+  const accessToken = requireNonEmptyTokenField(data, "access_token");
+  const refreshToken = requireNonEmptyTokenField(data, "refresh_token");
+  const expiresIn = data.expires_in;
+  if (expiresIn === void 0) {
+    return { accessToken, refreshToken };
+  }
+  if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
+    throw new Error("OAuth token response returned invalid expires_in");
+  }
+  return {
+    accessToken,
+    refreshToken,
+    expiresAt: Date.now() + expiresIn * 1e3
+  };
+}
+// src/chat/plugins/auth/oauth-bearer-broker.ts
+var MAX_LEASE_MS2 = 60 * 60 * 1e3;
+var REFRESH_BUFFER_MS = 5 * 60 * 1e3;
+async function refreshAccessToken(refreshToken, oauth) {
+  const clientId = process.env[oauth.clientIdEnv]?.trim();
+  const clientSecret = process.env[oauth.clientSecretEnv]?.trim();
+  if (!clientId || !clientSecret) {
+    throw new Error(
+      `Missing ${oauth.clientIdEnv} or ${oauth.clientSecretEnv} for token refresh`
+    );
+  }
+  const request = buildOAuthTokenRequest({
+    clientId,
+    clientSecret,
+    payload: {
+      grant_type: "refresh_token",
+      refresh_token: refreshToken
+    },
+    tokenAuthMethod: oauth.tokenAuthMethod,
+    tokenExtraHeaders: oauth.tokenExtraHeaders
+  });
+  const response = await fetch(oauth.tokenEndpoint, {
+    method: "POST",
+    headers: request.headers,
+    body: request.body
+  });
+  if (!response.ok) {
+    throw new Error(`Token refresh failed: ${response.status}`);
+  }
+  const data = await response.json();
+  return parseOAuthTokenResponse(data);
+}
+function getLeaseExpiry(expiresAt) {
+  return expiresAt ? Math.min(expiresAt, Date.now() + MAX_LEASE_MS2) : Date.now() + MAX_LEASE_MS2;
+}
+function createOAuthBearerBroker(manifest, credentials, deps) {
+  const provider = manifest.name;
+  const supportedCapabilities = new Set(manifest.capabilities);
+  const { apiDomains, apiHeaders, authTokenEnv } = credentials;
+  const authTokenPlaceholder = resolveAuthTokenPlaceholder(credentials);
+  function buildLease(token, capability, expiresAtMs, reason) {
+    return {
+      id: randomUUID2(),
+      provider,
+      capability,
+      env: { [authTokenEnv]: authTokenPlaceholder },
+      headerTransforms: apiDomains.map((domain) => ({
+        domain,
+        headers: { ...apiHeaders ?? {}, Authorization: `Bearer ${token}` }
+      })),
+      expiresAt: new Date(expiresAtMs).toISOString(),
+      metadata: { reason }
+    };
+  }
+  return {
+    async issue(input) {
+      if (!supportedCapabilities.has(input.capability)) {
+        throw new Error(
+          `Unsupported ${provider} capability: ${input.capability}`
+        );
+      }
+      const envToken = process.env[authTokenEnv]?.trim();
+      const oauth = manifest.oauth;
+      if (!oauth) {
+        if (envToken) {
+          return buildLease(
+            envToken,
+            input.capability,
+            Date.now() + MAX_LEASE_MS2,
+            input.reason
+          );
+        }
+        throw new CredentialUnavailableError(
+          provider,
+          `No ${provider} credentials available.`
+        );
+      }
+      if (input.requesterId) {
+        const stored = await deps.userTokenStore.get(
+          input.requesterId,
+          provider
+        );
+        if (stored) {
+          const now = Date.now();
+          if (stored.expiresAt !== void 0 && stored.expiresAt - now < REFRESH_BUFFER_MS) {
+            try {
+              const refreshed = await refreshAccessToken(
+                stored.refreshToken,
+                oauth
+              );
+              await deps.userTokenStore.set(
+                input.requesterId,
+                provider,
+                refreshed
+              );
+              return buildLease(
+                refreshed.accessToken,
+                input.capability,
+                getLeaseExpiry(refreshed.expiresAt),
+                input.reason
+              );
+            } catch {
+              if (stored.expiresAt > Date.now()) {
+                return buildLease(
+                  stored.accessToken,
+                  input.capability,
+                  getLeaseExpiry(stored.expiresAt),
+                  input.reason
+                );
+              }
+              throw new CredentialUnavailableError(
+                provider,
+                `Your ${provider} connection has expired.`
+              );
+            }
+          }
+          if (stored.expiresAt === void 0 || stored.expiresAt > Date.now()) {
+            return buildLease(
+              stored.accessToken,
+              input.capability,
+              getLeaseExpiry(stored.expiresAt),
+              input.reason
+            );
+          }
+          throw new CredentialUnavailableError(
+            provider,
+            `Your ${provider} connection has expired.`
+          );
+        }
+        throw new CredentialUnavailableError(
+          provider,
+          `No ${provider} credentials available.`
+        );
+      }
+      if (envToken) {
+        return buildLease(
+          envToken,
+          input.capability,
+          getLeaseExpiry(),
+          input.reason
+        );
+      }
+      throw new CredentialUnavailableError(
+        provider,
+        `No ${provider} credentials available.`
+      );
+    }
+  };
+}
+// src/chat/plugins/registry.ts
+var loadedPluginState;
+function getLoggedPluginNames() {
+  const globalState = globalThis;
+  globalState.__juniorLoggedPluginNames ??= /* @__PURE__ */ new Set();
+  return globalState.__juniorLoggedPluginNames;
+}
+function createLoadedPluginState(signature) {
+  return {
+    signature,
+    pluginDefinitions: [],
+    capabilityToPlugin: /* @__PURE__ */ new Map(),
+    pluginConfigKeys: /* @__PURE__ */ new Set(),
+    pluginsByName: /* @__PURE__ */ new Map(),
+    packageSkillRoots: /* @__PURE__ */ new Set()
+  };
+}
+function registerPluginManifest(state, raw, pluginDir) {
+  const manifest = parsePluginManifest(raw, pluginDir);
+  if (state.pluginsByName.has(manifest.name)) {
+    return;
+  }
+  for (const cap of manifest.capabilities) {
+    if (state.capabilityToPlugin.has(cap)) {
+      throw new Error(
+        `Duplicate capability "${cap}" in plugin "${manifest.name}"`
+      );
+    }
+  }
+  const definition = {
+    manifest,
+    dir: pluginDir,
+    skillsDir: path.join(pluginDir, "skills")
+  };
+  state.pluginDefinitions.push(definition);
+  state.pluginsByName.set(manifest.name, definition);
+  for (const cap of manifest.capabilities) {
+    state.capabilityToPlugin.set(cap, definition);
+  }
+  for (const key of manifest.configKeys) {
+    state.pluginConfigKeys.add(key);
+  }
+}
+function normalizePluginRoots(roots) {
+  const resolved = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const root of roots) {
+    const normalized = path.resolve(root);
+    if (seen.has(normalized)) {
+      continue;
+    }
+    seen.add(normalized);
+    resolved.push(normalized);
+  }
+  return resolved;
+}
+function getExtraPluginRoots() {
+  const raw = process.env.JUNIOR_EXTRA_PLUGIN_ROOTS?.trim();
+  if (!raw) {
+    return [];
+  }
+  if (raw.startsWith("[")) {
+    try {
+      const parsed = JSON.parse(raw);
+      if (Array.isArray(parsed)) {
+        return normalizePluginRoots(
+          parsed.filter((value) => typeof value === "string")
+        );
+      }
+    } catch {
+      return [];
+    }
+  }
+  return normalizePluginRoots(
+    raw.split(path.delimiter).map((entry) => entry.trim()).filter((entry) => entry.length > 0)
+  );
+}
+function getPluginCatalogSource() {
+  const packagedContent = discoverInstalledPluginPackageContent();
+  const localRoots = normalizePluginRoots([
+    ...pluginRoots(),
+    ...getExtraPluginRoots()
+  ]);
+  const manifestRoots = normalizePluginRoots([
+    ...localRoots,
+    ...packagedContent.manifestRoots
+  ]);
+  const packagedSkillRoots = normalizePluginRoots(packagedContent.skillRoots);
+  return {
+    manifestRoots,
+    packagedSkillRoots,
+    signature: JSON.stringify({
+      manifestRoots,
+      packagedSkillRoots,
+      packageNames: [...packagedContent.packageNames].sort()
+    })
+  };
+}
+function buildLoadedPluginState(source) {
+  const state = createLoadedPluginState(source.signature);
+  for (const skillRoot of source.packagedSkillRoots) {
+    state.packageSkillRoots.add(skillRoot);
+  }
+  const roots = source.manifestRoots;
+  for (const pluginsRoot of roots) {
+    let entries;
+    let rootStat;
+    try {
+      rootStat = statSync(pluginsRoot);
+    } catch (error) {
+      logWarn(
+        "plugin_root_read_failed",
+        {},
+        {
+          "file.directory": pluginsRoot,
+          "error.message": error instanceof Error ? error.message : String(error)
+        },
+        "Failed to read plugin root"
+      );
+      continue;
+    }
+    if (rootStat.isDirectory()) {
+      const manifestPath = path.join(pluginsRoot, "plugin.yaml");
+      let hasRootManifest = false;
+      try {
+        hasRootManifest = statSync(manifestPath).isFile();
+      } catch {
+        hasRootManifest = false;
+      }
+      if (hasRootManifest) {
+        const rawRootManifest = readFileSync(manifestPath, "utf8");
+        registerPluginManifest(state, rawRootManifest, pluginsRoot);
+        continue;
+      }
+    }
+    try {
+      entries = readdirSync(pluginsRoot);
+    } catch (error) {
+      logWarn(
+        "plugin_root_read_failed",
+        {},
+        {
+          "file.directory": pluginsRoot,
+          "error.message": error instanceof Error ? error.message : String(error)
+        },
+        "Failed to read plugin root"
+      );
+      continue;
+    }
+    for (const entry of entries.sort()) {
+      const pluginDir = path.join(pluginsRoot, entry);
+      try {
+        const stat = statSync(pluginDir);
+        if (!stat.isDirectory()) continue;
+      } catch {
+        continue;
+      }
+      const manifestPath = path.join(pluginDir, "plugin.yaml");
+      let raw;
+      try {
+        raw = readFileSync(manifestPath, "utf8");
+      } catch {
+        continue;
+      }
+      registerPluginManifest(state, raw, pluginDir);
+    }
+  }
+  return state;
+}
+function logLoadedPlugins(state) {
+  const loggedPluginNames = getLoggedPluginNames();
+  for (const plugin of [...state.pluginDefinitions].sort(
+    (left, right) => left.manifest.name.localeCompare(right.manifest.name)
+  )) {
+    if (loggedPluginNames.has(plugin.manifest.name)) {
+      continue;
+    }
+    loggedPluginNames.add(plugin.manifest.name);
+    logInfo(
+      "plugin_loaded",
+      {},
+      {
+        "app.plugin.name": plugin.manifest.name,
+        "app.plugin.capability_count": plugin.manifest.capabilities.length,
+        "app.plugin.config_key_count": plugin.manifest.configKeys.length,
+        "app.plugin.has_mcp": Boolean(plugin.manifest.mcp),
+        "file.directory": plugin.dir,
+        "file.skill_directory": plugin.skillsDir
+      },
+      "Loaded plugin"
+    );
+  }
+}
+function ensurePluginsLoaded() {
+  const source = getPluginCatalogSource();
+  if (loadedPluginState?.signature === source.signature) {
+    return loadedPluginState;
+  }
+  const state = buildLoadedPluginState(source);
+  loadedPluginState = state;
+  logLoadedPlugins(state);
+  return state;
+}
+function getPluginCapabilityProviders() {
+  const state = ensurePluginsLoaded();
+  return state.pluginDefinitions.map((plugin) => ({
+    provider: plugin.manifest.name,
+    capabilities: [...plugin.manifest.capabilities],
+    configKeys: [...plugin.manifest.configKeys],
+    ...plugin.manifest.target ? { target: { ...plugin.manifest.target } } : {}
+  }));
+}
+function getPluginProviders() {
+  return [...ensurePluginsLoaded().pluginDefinitions];
+}
+function getPluginMcpProviders() {
+  return ensurePluginsLoaded().pluginDefinitions.filter(
+    (plugin) => Boolean(plugin.manifest.mcp)
+  );
+}
+function getPluginRuntimeDependencies() {
+  const state = ensurePluginsLoaded();
+  const seen = /* @__PURE__ */ new Set();
+  const deps = [];
+  for (const plugin of state.pluginDefinitions) {
+    for (const dep of plugin.manifest.runtimeDependencies ?? []) {
+      const key = dep.type === "npm" ? `${dep.type}:${dep.package}:${dep.version}` : "package" in dep ? `${dep.type}:package:${dep.package}` : `${dep.type}:url:${dep.url}:${dep.sha256}`;
+      if (seen.has(key)) {
+        continue;
+      }
+      seen.add(key);
+      deps.push(dep);
+    }
+  }
+  return deps.sort((left, right) => {
+    if (left.type !== right.type) {
+      return left.type.localeCompare(right.type);
+    }
+    const leftIdentity = "package" in left ? `package:${left.package}` : `url:${left.url}:${left.sha256}`;
+    const rightIdentity = "package" in right ? `package:${right.package}` : `url:${right.url}:${right.sha256}`;
+    if (leftIdentity !== rightIdentity) {
+      return leftIdentity.localeCompare(rightIdentity);
+    }
+    if (left.type === "npm" && right.type === "npm") {
+      return left.version.localeCompare(right.version);
+    }
+    return 0;
+  });
+}
+function getPluginRuntimePostinstall() {
+  const state = ensurePluginsLoaded();
+  const commands = [];
+  for (const plugin of state.pluginDefinitions) {
+    for (const command of plugin.manifest.runtimePostinstall ?? []) {
+      commands.push({
+        cmd: command.cmd,
+        ...command.args ? { args: [...command.args] } : {},
+        ...command.sudo !== void 0 ? { sudo: command.sudo } : {}
+      });
+    }
+  }
+  return commands;
+}
+function getPluginOAuthConfig(provider) {
+  const plugin = ensurePluginsLoaded().pluginsByName.get(provider);
+  if (!plugin?.manifest.oauth) return void 0;
+  const oauth = plugin.manifest.oauth;
+  return {
+    clientIdEnv: oauth.clientIdEnv,
+    clientSecretEnv: oauth.clientSecretEnv,
+    authorizeEndpoint: oauth.authorizeEndpoint,
+    tokenEndpoint: oauth.tokenEndpoint,
+    ...oauth.scope ? { scope: oauth.scope } : {},
+    ...oauth.authorizeParams ? { authorizeParams: { ...oauth.authorizeParams } } : {},
+    ...oauth.tokenAuthMethod ? { tokenAuthMethod: oauth.tokenAuthMethod } : {},
+    ...oauth.tokenExtraHeaders ? { tokenExtraHeaders: { ...oauth.tokenExtraHeaders } } : {},
+    callbackPath: `/api/oauth/callback/${plugin.manifest.name}`
+  };
+}
+function getPluginSkillRoots() {
+  const state = ensurePluginsLoaded();
+  return [
+    .../* @__PURE__ */ new Set([
+      ...state.pluginDefinitions.map((plugin) => plugin.skillsDir),
+      ...state.packageSkillRoots
+    ])
+  ];
+}
+function getPluginForSkillPath(skillPath) {
+  const state = ensurePluginsLoaded();
+  const resolvedSkillPath = path.resolve(skillPath);
+  return state.pluginDefinitions.find((plugin) => {
+    const resolvedSkillsDir = path.resolve(plugin.skillsDir);
+    return resolvedSkillPath === resolvedSkillsDir || resolvedSkillPath.startsWith(`${resolvedSkillsDir}${path.sep}`);
+  });
+}
+function getPluginDefinition(provider) {
+  return ensurePluginsLoaded().pluginsByName.get(provider);
+}
+function isPluginProvider(provider) {
+  return ensurePluginsLoaded().pluginsByName.has(provider);
+}
+function createPluginBroker(provider, deps) {
+  const plugin = ensurePluginsLoaded().pluginsByName.get(provider);
+  if (!plugin) {
+    throw new Error(`Unknown plugin provider: "${provider}"`);
+  }
+  const { credentials, name } = plugin.manifest;
+  if (!credentials) {
+    throw new Error(`Provider "${name}" has no credentials configured`);
+  }
+  let broker;
+  if (credentials.type === "oauth-bearer") {
+    broker = createOAuthBearerBroker(plugin.manifest, credentials, deps);
+  } else if (credentials.type === "github-app") {
+    broker = createGitHubAppBroker(plugin.manifest, credentials);
+  } else {
+    throw new Error(`Unsupported credentials type for plugin "${name}"`);
+  }
+  setSpanAttributes({
+    "app.plugin.name": name,
+    "app.plugin.capabilities": plugin.manifest.capabilities,
+    "app.plugin.has_oauth": Boolean(plugin.manifest.oauth)
+  });
+  return broker;
+}
+export {
+  resolveAuthTokenPlaceholder,
+  parsePluginManifest,
+  CredentialUnavailableError,
+  buildOAuthTokenRequest,
+  parseOAuthTokenResponse,
+  getPluginCapabilityProviders,
+  getPluginProviders,
+  getPluginMcpProviders,
+  getPluginRuntimeDependencies,
+  getPluginRuntimePostinstall,
+  getPluginOAuthConfig,
+  getPluginSkillRoots,
+  getPluginForSkillPath,
+  getPluginDefinition,
+  isPluginProvider,
+  createPluginBroker
+};