@sentry/junior 0.74.1 → 0.76.0

package/dist/chunk-NFTMTIP3.js

@@ -0,0 +1,964 @@
+import {
+  createPluginLogger,
+  createPluginState
+} from "./chunk-56TBVRJG.js";
+import {
+  getDb
+} from "./chunk-NYKJ3KON.js";
+import {
+  SANDBOX_WORKSPACE_ROOT
+} from "./chunk-G3E7SCME.js";
+import {
+  isConversationChannel,
+  isConversationScopedChannel,
+  isDmChannel,
+  normalizeSlackConversationId
+} from "./chunk-Q6XFTRV5.js";
+import {
+  botConfig,
+  completeObject,
+  embedTexts
+} from "./chunk-T77LUIX3.js";
+import {
+  isActorUserId,
+  parseActorUserId
+} from "./chunk-VALUBQ7R.js";
+import {
+  logInfo,
+  logWarn
+} from "./chunk-EJN6G5A2.js";
+
+// src/chat/plugins/agent-hooks.ts
+import { promptMessageSchema } from "@sentry/junior-plugin-api";
+
+// src/chat/plugins/model.ts
+function createPluginModel(pluginName, options = {}, runtime = {}) {
+  return {
+    async completeObject(input) {
+      const modelId = options.structuredModelId ?? (options.structuredModel === "default" ? botConfig.modelId : botConfig.fastModelId);
+      const result = await completeObject({
+        modelId,
+        schema: input.schema,
+        prompt: input.prompt,
+        ...input.system !== void 0 ? { system: input.system } : {},
+        ...input.maxTokens !== void 0 ? { maxTokens: input.maxTokens } : {},
+        signal: runtime.signal,
+        metadata: {
+          pluginName,
+          pluginModelRole: "structured"
+        }
+      });
+      return { object: result.object };
+    }
+  };
+}
+function createPluginEmbedder(pluginName, runtime = {}) {
+  return {
+    async embedTexts(input) {
+      return await embedTexts({
+        modelId: botConfig.embeddingModelId,
+        texts: input.texts,
+        signal: runtime.signal,
+        metadata: {
+          pluginName,
+          pluginModelRole: "embedding"
+        }
+      });
+    }
+  };
+}
+
+// src/chat/tools/slack/context.ts
+function getSlackToolContext(context) {
+  if (context.source.platform !== "slack") {
+    return void 0;
+  }
+  if (context.destination.platform !== "slack") {
+    throw new TypeError("Slack source requires a Slack destination");
+  }
+  return {
+    destination: context.destination,
+    source: context.source,
+    requester: context.requester?.platform === "slack" ? context.requester : void 0,
+    destinationChannelId: context.destination.channelId,
+    messageTs: context.source.messageTs,
+    sourceChannelId: context.source.channelId,
+    teamId: context.source.teamId,
+    threadTs: context.source.threadTs
+  };
+}
+
+// src/chat/credentials/subject.ts
+import { createHmac, timingSafeEqual } from "crypto";
+var CREDENTIAL_SUBJECT_HMAC_CONTEXT = "junior.credential_subject.v1";
+var CREDENTIAL_SUBJECT_SIGNATURE_VERSION = "v1";
+function getCredentialSubjectSecret() {
+  return process.env.JUNIOR_SECRET?.trim() || void 0;
+}
+function buildPayload(input) {
+  return [
+    CREDENTIAL_SUBJECT_HMAC_CONTEXT,
+    input.allowedWhen,
+    input.teamId,
+    input.channelId,
+    input.userId
+  ].join("\0");
+}
+function signPayload(secret, payload) {
+  const digest = createHmac("sha256", secret).update(payload).digest("hex");
+  return `${CREDENTIAL_SUBJECT_SIGNATURE_VERSION}=${digest}`;
+}
+function timingSafeMatch(expected, actual) {
+  const expectedBuffer = Buffer.from(expected);
+  const actualBuffer = Buffer.from(actual);
+  if (expectedBuffer.length !== actualBuffer.length) {
+    return false;
+  }
+  return timingSafeEqual(expectedBuffer, actualBuffer);
+}
+function createSlackDirectCredentialSubject(input) {
+  const channelId = normalizeSlackConversationId(input.channelId);
+  const teamId = input.teamId?.trim();
+  const userId = parseActorUserId(input.userId);
+  if (!channelId || !teamId || !userId || !isDmChannel(channelId)) {
+    return void 0;
+  }
+  return {
+    type: "user",
+    userId,
+    allowedWhen: "private-direct-conversation"
+  };
+}
+function bindSlackDirectCredentialSubject(input) {
+  const channelId = normalizeSlackConversationId(input.channelId);
+  const teamId = input.teamId.trim();
+  const secret = getCredentialSubjectSecret();
+  const { subject } = input;
+  const userId = parseActorUserId(subject.userId);
+  if (!channelId || !teamId || !secret || !isDmChannel(channelId) || subject.type !== "user" || !userId || subject.allowedWhen !== "private-direct-conversation") {
+    return void 0;
+  }
+  return {
+    type: "user",
+    userId,
+    allowedWhen: subject.allowedWhen,
+    binding: {
+      type: "slack-direct-conversation",
+      teamId,
+      channelId,
+      signature: signPayload(
+        secret,
+        buildPayload({
+          allowedWhen: subject.allowedWhen,
+          teamId,
+          channelId,
+          userId
+        })
+      )
+    }
+  };
+}
+function verifySlackDirectCredentialSubject(input) {
+  const channelId = normalizeSlackConversationId(input.channelId);
+  const secret = getCredentialSubjectSecret();
+  if (!channelId || !secret) {
+    return false;
+  }
+  const { subject } = input;
+  const binding = subject.binding;
+  if (subject.type !== "user" || !isActorUserId(subject.userId) || subject.allowedWhen !== "private-direct-conversation" || !binding || binding.type !== "slack-direct-conversation" || typeof binding.signature !== "string" || !binding.signature || binding.teamId !== input.teamId || binding.channelId !== channelId) {
+    return false;
+  }
+  const expected = signPayload(
+    secret,
+    buildPayload({
+      allowedWhen: subject.allowedWhen,
+      teamId: binding.teamId,
+      channelId: binding.channelId,
+      userId: subject.userId
+    })
+  );
+  return timingSafeMatch(expected, binding.signature);
+}
+
+// src/chat/tools/channel-capabilities.ts
+function resolveChannelCapabilities(channelId) {
+  return {
+    canCreateCanvas: isConversationScopedChannel(channelId),
+    canPostToChannel: isConversationChannel(channelId),
+    canAddReactions: isConversationScopedChannel(channelId)
+  };
+}
+
+// src/chat/plugins/agent-hooks.ts
+import { z } from "zod";
+var PluginHookDeniedError = class extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "PluginHookDeniedError";
+  }
+};
+var registeredPlugins = [];
+var PLUGIN_NAME_RE = /^[a-z][a-z0-9-]*$/;
+var PLUGIN_TOOL_NAME_RE = /^[a-z][A-Za-z0-9]*$/;
+var OPERATIONAL_REPORT_MAX_METRICS = 8;
+var OPERATIONAL_REPORT_MAX_RECORD_SETS = 8;
+var OPERATIONAL_REPORT_MAX_FIELDS = 8;
+var OPERATIONAL_REPORT_MAX_RECORDS = 25;
+var OPERATIONAL_REPORT_MAX_LABEL_LENGTH = 80;
+var OPERATIONAL_REPORT_MAX_VALUE_LENGTH = 160;
+var PLUGIN_ROUTE_METHODS = /* @__PURE__ */ new Set([
+  "GET",
+  "POST",
+  "PUT",
+  "PATCH",
+  "DELETE",
+  "HEAD",
+  "OPTIONS",
+  "ALL"
+]);
+var PLUGIN_PROMPT_CONTRIBUTION_TOTAL_MAX_CHARS = 16e3;
+var systemPromptMessageArraySchema = z.array(promptMessageSchema);
+var userPromptMessageArraySchema = z.array(promptMessageSchema);
+function isRecord(value) {
+  return Boolean(value && typeof value === "object" && !Array.isArray(value));
+}
+function basePluginContext(plugin) {
+  const name = plugin.manifest.name;
+  return {
+    plugin: { name },
+    log: createPluginLogger(name),
+    db: getDb()
+  };
+}
+function systemPromptPluginContext(plugin) {
+  return {
+    ...basePluginContext(plugin)
+  };
+}
+function invocationPluginContext(plugin, context) {
+  const base = basePluginContext(plugin);
+  const common = {
+    ...base,
+    conversationId: context.conversationId,
+    embedder: createPluginEmbedder(plugin.manifest.name),
+    source: context.source,
+    text: context.userText ?? "",
+    state: createPluginState(plugin.manifest.name)
+  };
+  if (context.source.platform === "slack") {
+    if (context.destination.platform !== "slack") {
+      throw new TypeError(
+        "Slack plugin prompt context requires Slack destination"
+      );
+    }
+    return {
+      ...common,
+      destination: context.destination,
+      requester: context.requester?.platform === "slack" ? context.requester : void 0
+    };
+  }
+  if (context.destination.platform !== "local") {
+    throw new TypeError(
+      "Local plugin prompt context requires local destination"
+    );
+  }
+  return {
+    ...common,
+    destination: context.destination,
+    requester: context.requester?.platform === "local" ? context.requester : void 0
+  };
+}
+function safeErrorMessage(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function toPromptContributionContext(args) {
+  return {
+    id: `${args.hookName}:${args.index}`,
+    pluginName: args.pluginName,
+    text: args.message.text
+  };
+}
+function logInvalidPromptContributions(args) {
+  logWarn(
+    "plugin_prompt_contribution_result_invalid",
+    {},
+    {
+      "app.plugin.hook": args.hookName,
+      "app.plugin.name": args.pluginName,
+      "app.plugin.validation_reason": "invalid_shape"
+    },
+    "Plugin prompt contribution result invalid"
+  );
+}
+function validatePlugins(plugins) {
+  const seen = /* @__PURE__ */ new Set();
+  for (const plugin of plugins) {
+    const name = plugin.manifest.name;
+    if (!PLUGIN_NAME_RE.test(name)) {
+      throw new Error(
+        `Plugin name "${name}" must be a lowercase plugin identifier`
+      );
+    }
+    if (seen.has(name)) {
+      throw new Error(`Duplicate plugin name "${name}"`);
+    }
+    for (const [taskName, task] of Object.entries(plugin.tasks ?? {})) {
+      if (!PLUGIN_TOOL_NAME_RE.test(taskName)) {
+        throw new Error(
+          `Plugin task "${taskName}" from plugin "${name}" must be a camelCase identifier`
+        );
+      }
+      if (typeof task.run !== "function") {
+        throw new Error(
+          `Plugin task "${taskName}" from plugin "${name}" must define a run function`
+        );
+      }
+    }
+    seen.add(name);
+  }
+}
+function setPlugins(nextPlugins) {
+  validatePlugins(nextPlugins);
+  const previous = registeredPlugins;
+  registeredPlugins = [...nextPlugins].sort(
+    (left, right) => left.manifest.name.localeCompare(right.manifest.name)
+  );
+  return previous;
+}
+function getPlugins() {
+  return [...registeredPlugins];
+}
+async function getPluginSystemPromptContributions(source) {
+  const contributions = [];
+  let totalChars = 0;
+  for (const plugin of getPlugins()) {
+    const pluginName = plugin.manifest.name;
+    const hook = plugin.hooks?.systemPrompt;
+    if (!hook) {
+      continue;
+    }
+    try {
+      const pluginContributions = await hook({
+        ...systemPromptPluginContext(plugin),
+        platform: source.platform
+      });
+      const result = systemPromptMessageArraySchema.safeParse(pluginContributions);
+      if (!result.success) {
+        logInvalidPromptContributions({
+          hookName: "systemPrompt",
+          pluginName
+        });
+        continue;
+      }
+      const acceptedContributions = result.data.map(
+        (message, index) => toPromptContributionContext({
+          hookName: "systemPrompt",
+          index,
+          message,
+          pluginName
+        })
+      );
+      const pluginContributionChars = acceptedContributions.reduce(
+        (sum, contribution) => sum + contribution.text.length,
+        0
+      );
+      if (totalChars + pluginContributionChars > PLUGIN_PROMPT_CONTRIBUTION_TOTAL_MAX_CHARS) {
+        logWarn(
+          "plugin_system_prompt_contribution_budget_exceeded",
+          {},
+          {
+            "app.plugin.name": pluginName
+          },
+          "Plugin system prompt contributions exceeded budget"
+        );
+        continue;
+      }
+      totalChars += pluginContributionChars;
+      contributions.push(...acceptedContributions);
+    } catch (error) {
+      logWarn(
+        "plugin_system_prompt_hook_failed",
+        {},
+        {
+          "app.plugin.name": pluginName,
+          "exception.message": safeErrorMessage(error)
+        },
+        "Plugin system prompt hook failed"
+      );
+    }
+  }
+  return contributions;
+}
+async function getPluginUserPromptContributions(args) {
+  const contributions = [];
+  let totalChars = 0;
+  for (const plugin of getPlugins()) {
+    const pluginName = plugin.manifest.name;
+    const hook = plugin.hooks?.userPrompt;
+    if (!hook) {
+      continue;
+    }
+    try {
+      const rawResult = await hook({
+        ...invocationPluginContext(plugin, args.context)
+      });
+      if (rawResult === void 0) {
+        continue;
+      }
+      const result = userPromptMessageArraySchema.safeParse(rawResult);
+      if (!result.success) {
+        logInvalidPromptContributions({
+          hookName: "userPrompt",
+          pluginName
+        });
+        continue;
+      }
+      const acceptedContributions = result.data.map(
+        (message, index) => toPromptContributionContext({
+          hookName: "userPrompt",
+          index,
+          message,
+          pluginName
+        })
+      );
+      const pluginContributionChars = acceptedContributions.reduce(
+        (sum, contribution) => sum + contribution.text.length,
+        0
+      );
+      if (totalChars + pluginContributionChars > PLUGIN_PROMPT_CONTRIBUTION_TOTAL_MAX_CHARS) {
+        logWarn(
+          "plugin_user_prompt_contribution_budget_exceeded",
+          {},
+          {
+            "app.plugin.name": pluginName
+          },
+          "Plugin user prompt contributions exceeded budget"
+        );
+        continue;
+      }
+      totalChars += pluginContributionChars;
+      contributions.push(...acceptedContributions);
+    } catch (error) {
+      logWarn(
+        "plugin_user_prompt_hook_failed",
+        {},
+        {
+          "app.plugin.name": pluginName,
+          "exception.message": safeErrorMessage(error)
+        },
+        "Plugin user prompt hook failed"
+      );
+    }
+  }
+  return contributions;
+}
+function getPluginTools(context) {
+  const tools = {};
+  for (const plugin of getPlugins()) {
+    const pluginName = plugin.manifest.name;
+    const hook = plugin.hooks?.tools;
+    if (!hook) {
+      continue;
+    }
+    const slackToolContext = getSlackToolContext(context);
+    const credentialSubject = slackToolContext ? createSlackDirectCredentialSubject({
+      channelId: slackToolContext.sourceChannelId,
+      teamId: slackToolContext.teamId,
+      userId: slackToolContext.requester?.userId
+    }) : void 0;
+    const slackContext = slackToolContext ? {
+      channelCapabilities: resolveChannelCapabilities(
+        slackToolContext.sourceChannelId
+      ),
+      ...credentialSubject ? { credentialSubject } : {}
+    } : void 0;
+    let pluginContext;
+    if (context.source.platform === "slack") {
+      if (context.destination.platform !== "slack") {
+        throw new TypeError(
+          "Slack plugin tool context requires Slack destination"
+        );
+      }
+      pluginContext = {
+        ...basePluginContext(plugin),
+        requester: context.requester?.platform === "slack" ? context.requester : void 0,
+        conversationId: context.conversationId,
+        destination: context.destination,
+        slack: slackContext,
+        source: context.source,
+        userText: context.userText,
+        embedder: createPluginEmbedder(pluginName),
+        model: createPluginModel(pluginName, plugin.model),
+        state: createPluginState(pluginName)
+      };
+    } else {
+      if (context.destination.platform !== "local") {
+        throw new TypeError(
+          "Local plugin tool context requires local destination"
+        );
+      }
+      pluginContext = {
+        ...basePluginContext(plugin),
+        requester: context.requester?.platform === "local" ? context.requester : void 0,
+        conversationId: context.conversationId,
+        destination: context.destination,
+        source: context.source,
+        userText: context.userText,
+        embedder: createPluginEmbedder(pluginName),
+        model: createPluginModel(pluginName, plugin.model),
+        state: createPluginState(pluginName)
+      };
+    }
+    const pluginTools = hook(pluginContext);
+    for (const [name, tool] of Object.entries(pluginTools)) {
+      if (!PLUGIN_TOOL_NAME_RE.test(name)) {
+        throw new Error(
+          `Plugin tool "${name}" from plugin "${pluginName}" must be a camelCase identifier`
+        );
+      }
+      if (tools[name]) {
+        throw new Error(
+          `Duplicate plugin tool "${name}" from plugin "${pluginName}"`
+        );
+      }
+      tools[name] = tool;
+    }
+  }
+  return tools;
+}
+function routeMethods(route, pluginName) {
+  const methods = Array.isArray(route.method) ? route.method : [route.method ?? "ALL"];
+  if (methods.length === 0) {
+    throw new Error(
+      `Plugin route "${route.path}" from plugin "${pluginName}" must declare at least one method`
+    );
+  }
+  for (const method of methods) {
+    if (!PLUGIN_ROUTE_METHODS.has(method)) {
+      throw new Error(
+        `Plugin route "${route.path}" from plugin "${pluginName}" has invalid method "${String(method)}"`
+      );
+    }
+  }
+  if (methods.includes("ALL") && methods.length > 1) {
+    throw new Error(
+      `Plugin route "${route.path}" from plugin "${pluginName}" must not combine ALL with explicit methods`
+    );
+  }
+  return methods;
+}
+function getPluginRoutes() {
+  const routes = [];
+  const seen = /* @__PURE__ */ new Set();
+  const methodsByPath = /* @__PURE__ */ new Map();
+  for (const plugin of getPlugins()) {
+    const pluginName = plugin.manifest.name;
+    const hook = plugin.hooks?.routes;
+    if (!hook) {
+      continue;
+    }
+    const pluginRoutes = hook({
+      ...basePluginContext(plugin)
+    });
+    if (!Array.isArray(pluginRoutes)) {
+      throw new Error(
+        `Plugin routes hook from plugin "${pluginName}" must return an array`
+      );
+    }
+    for (const route of pluginRoutes) {
+      if (!isRecord(route)) {
+        throw new Error(
+          `Plugin route from plugin "${pluginName}" must be an object`
+        );
+      }
+      if (typeof route.path !== "string" || !route.path.startsWith("/")) {
+        throw new Error(
+          `Plugin route "${route.path}" from plugin "${pluginName}" must start with /`
+        );
+      }
+      if (typeof route.handler !== "function") {
+        throw new Error(
+          `Plugin route "${route.path}" from plugin "${pluginName}" must provide a handler`
+        );
+      }
+      const methods = routeMethods(route, pluginName);
+      const pathMethods = methodsByPath.get(route.path) ?? /* @__PURE__ */ new Set();
+      if (pathMethods.has("ALL") || methods.includes("ALL") && pathMethods.size > 0) {
+        throw new Error(
+          `Plugin route "${route.path}" conflicts with an ALL route for the same path`
+        );
+      }
+      for (const method of methods) {
+        const key = `${method}:${route.path}`;
+        if (seen.has(key)) {
+          throw new Error(`Duplicate plugin route "${method} ${route.path}"`);
+        }
+        seen.add(key);
+        pathMethods.add(method);
+      }
+      methodsByPath.set(route.path, pathMethods);
+      routes.push({
+        ...route,
+        pluginName
+      });
+    }
+  }
+  return routes;
+}
+function trustedSlackConversationUrl(pluginName, link) {
+  const url = typeof link?.url === "string" ? link.url.trim() : "";
+  if (!url) {
+    return void 0;
+  }
+  let parsed;
+  try {
+    parsed = new URL(url);
+  } catch (error) {
+    throw new Error(
+      `Plugin "${pluginName}" slackConversationLink must return an absolute http(s) URL`,
+      { cause: error }
+    );
+  }
+  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+    throw new Error(
+      `Plugin "${pluginName}" slackConversationLink must return an absolute http(s) URL`
+    );
+  }
+  return parsed.toString();
+}
+function getPluginSlackConversationLink(conversationId) {
+  for (const plugin of getPlugins()) {
+    const pluginName = plugin.manifest.name;
+    const hook = plugin.hooks?.slackConversationLink;
+    if (!hook) {
+      continue;
+    }
+    const link = hook({
+      ...basePluginContext(plugin),
+      conversationId
+    });
+    const url = trustedSlackConversationUrl(pluginName, link);
+    if (url) {
+      return { url };
+    }
+  }
+  return void 0;
+}
+function pluginReadState(state) {
+  return {
+    get: state.get
+  };
+}
+function operationalReportText(value, maxLength) {
+  if (typeof value !== "string") {
+    return void 0;
+  }
+  const trimmed = value.trim();
+  if (!trimmed) {
+    return void 0;
+  }
+  return trimmed.length <= maxLength ? trimmed : `${trimmed.slice(0, Math.max(0, maxLength - 3))}...`;
+}
+function operationalReportTone(tone) {
+  return tone === "danger" || tone === "good" || tone === "neutral" || tone === "warning" ? tone : void 0;
+}
+function sanitizeOperationalReport(args) {
+  const metrics = args.report.metrics?.slice(0, OPERATIONAL_REPORT_MAX_METRICS).map((metric) => {
+    const label = operationalReportText(
+      metric.label,
+      OPERATIONAL_REPORT_MAX_LABEL_LENGTH
+    );
+    const value = operationalReportText(
+      metric.value,
+      OPERATIONAL_REPORT_MAX_VALUE_LENGTH
+    );
+    if (!label || !value) {
+      return void 0;
+    }
+    const sanitizedMetric = { label, value };
+    const tone = operationalReportTone(metric.tone);
+    if (tone) {
+      sanitizedMetric.tone = tone;
+    }
+    return sanitizedMetric;
+  }).filter((metric) => Boolean(metric));
+  const recordSets = args.report.recordSets?.slice(0, OPERATIONAL_REPORT_MAX_RECORD_SETS).map((recordSet, recordSetIndex) => {
+    const title2 = operationalReportText(
+      recordSet.title,
+      OPERATIONAL_REPORT_MAX_LABEL_LENGTH
+    );
+    if (!title2) {
+      return void 0;
+    }
+    const fields = recordSet.fields?.slice(0, OPERATIONAL_REPORT_MAX_FIELDS).map((field) => {
+      const key = operationalReportText(
+        field.key,
+        OPERATIONAL_REPORT_MAX_LABEL_LENGTH
+      );
+      const label = operationalReportText(
+        field.label,
+        OPERATIONAL_REPORT_MAX_LABEL_LENGTH
+      );
+      return key && label ? { key, label } : void 0;
+    }).filter((field) => Boolean(field));
+    const records = recordSet.records?.slice(0, OPERATIONAL_REPORT_MAX_RECORDS).map((record, recordIndex) => {
+      const id = operationalReportText(
+        record.id,
+        OPERATIONAL_REPORT_MAX_LABEL_LENGTH
+      ) ?? `${recordSetIndex}:${recordIndex}`;
+      const values = Object.fromEntries(
+        (fields ?? []).map((field) => [
+          field.key,
+          operationalReportText(
+            record.values[field.key],
+            OPERATIONAL_REPORT_MAX_VALUE_LENGTH
+          ) ?? ""
+        ])
+      );
+      const sanitizedRecord = {
+        id,
+        values
+      };
+      const tone = operationalReportTone(record.tone);
+      if (tone) {
+        sanitizedRecord.tone = tone;
+      }
+      return sanitizedRecord;
+    });
+    const sanitizedRecordSet = { title: title2 };
+    if (fields?.length) {
+      sanitizedRecordSet.fields = fields;
+    }
+    const emptyText = operationalReportText(
+      recordSet.emptyText,
+      OPERATIONAL_REPORT_MAX_VALUE_LENGTH
+    );
+    if (emptyText) {
+      sanitizedRecordSet.emptyText = emptyText;
+    }
+    if (records?.length) {
+      sanitizedRecordSet.records = records;
+    }
+    return sanitizedRecordSet;
+  }).filter(
+    (recordSet) => Boolean(recordSet)
+  );
+  const sanitized = {
+    pluginName: args.pluginName
+  };
+  const generatedAt = operationalReportText(
+    args.report.generatedAt,
+    OPERATIONAL_REPORT_MAX_VALUE_LENGTH
+  );
+  if (generatedAt) {
+    sanitized.generatedAt = generatedAt;
+  }
+  if (recordSets?.length) {
+    sanitized.recordSets = recordSets;
+  }
+  if (metrics?.length) {
+    sanitized.metrics = metrics;
+  }
+  const title = operationalReportText(
+    args.report.title,
+    OPERATIONAL_REPORT_MAX_LABEL_LENGTH
+  );
+  if (title) {
+    sanitized.title = title;
+  }
+  return sanitized;
+}
+function failedOperationalReport(args) {
+  return {
+    generatedAt: new Date(args.nowMs).toISOString(),
+    pluginName: args.pluginName,
+    metrics: [{ label: "report", tone: "danger", value: "failed" }],
+    title: args.pluginName,
+    recordSets: [
+      {
+        emptyText: "This plugin report failed to load.",
+        title: "Error"
+      }
+    ]
+  };
+}
+async function getPluginOperationalReports(nowMs, conversations) {
+  const reports = [];
+  for (const plugin of getPlugins()) {
+    const pluginName = plugin.manifest.name;
+    const hook = plugin.hooks?.operationalReport;
+    if (!hook) {
+      continue;
+    }
+    try {
+      const state = createPluginState(pluginName);
+      const report = await hook({
+        ...basePluginContext(plugin),
+        conversations,
+        nowMs,
+        state: pluginReadState(state)
+      });
+      if (!report) {
+        continue;
+      }
+      reports.push(
+        sanitizeOperationalReport({
+          pluginName,
+          report
+        })
+      );
+    } catch (error) {
+      const log = createPluginLogger(pluginName);
+      log.error("Plugin operational report failed", {
+        error: error instanceof Error ? error.message : String(error)
+      });
+      reports.push(failedOperationalReport({ nowMs, pluginName }));
+    }
+  }
+  return reports;
+}
+function normalizeEnv(value) {
+  if (!isRecord(value)) {
+    return {};
+  }
+  const env = {};
+  for (const [key, rawValue] of Object.entries(value)) {
+    if (typeof rawValue === "string") {
+      env[key] = rawValue;
+    }
+  }
+  return env;
+}
+function createSandboxCapability(sandbox) {
+  return {
+    root: SANDBOX_WORKSPACE_ROOT,
+    juniorRoot: `${SANDBOX_WORKSPACE_ROOT}/.junior`,
+    async readFile(filePath) {
+      return await sandbox.readFileToBuffer({ path: filePath }) ?? null;
+    },
+    async run(input) {
+      const result = await sandbox.runCommand(input);
+      const [stdout, stderr] = await Promise.all([
+        result.stdout(),
+        result.stderr()
+      ]);
+      return {
+        exitCode: result.exitCode,
+        stdout,
+        stderr
+      };
+    },
+    async writeFile(input) {
+      await sandbox.writeFiles([
+        {
+          path: input.path,
+          content: input.content,
+          ...input.mode !== void 0 ? { mode: input.mode } : {}
+        }
+      ]);
+    }
+  };
+}
+function createPluginHookRunner(input = {}) {
+  const loaded = getPlugins();
+  return {
+    async prepareSandbox(sandbox) {
+      const sandboxCapability = createSandboxCapability(sandbox);
+      for (const plugin of loaded) {
+        const pluginName = plugin.manifest.name;
+        const hook = plugin.hooks?.sandboxPrepare;
+        if (!hook) {
+          continue;
+        }
+        logInfo(
+          "agent_plugin_hook_sandbox_prepare",
+          {},
+          { "app.plugin.name": pluginName },
+          "Running agent plugin sandbox prepare hook"
+        );
+        await hook({
+          ...basePluginContext(plugin),
+          requester: input.requester,
+          sandbox: sandboxCapability
+        });
+      }
+    },
+    async beforeToolExecute(tool) {
+      let nextInput = { ...tool.input };
+      const env = normalizeEnv(nextInput.env);
+      for (const plugin of loaded) {
+        const pluginName = plugin.manifest.name;
+        const hook = plugin.hooks?.beforeToolExecute;
+        if (!hook) {
+          continue;
+        }
+        let replacement;
+        let denied;
+        await hook({
+          ...basePluginContext(plugin),
+          requester: input.requester,
+          tool: {
+            name: tool.name,
+            input: nextInput
+          },
+          env: {
+            get(key) {
+              return env[key];
+            },
+            set(key, value) {
+              env[key] = value;
+            }
+          },
+          decision: {
+            deny(message) {
+              denied = message;
+            },
+            replaceInput(input2) {
+              replacement = input2;
+            }
+          }
+        });
+        if (denied) {
+          throw new PluginHookDeniedError(denied);
+        }
+        if (replacement !== void 0) {
+          if (!isRecord(replacement)) {
+            throw new Error(
+              `Plugin "${pluginName}" replaced tool input with a non-object value`
+            );
+          }
+          nextInput = { ...replacement };
+          Object.assign(env, normalizeEnv(nextInput.env));
+        }
+      }
+      return {
+        input: {
+          ...nextInput,
+          ...Object.keys(env).length > 0 ? { env } : {}
+        },
+        env
+      };
+    }
+  };
+}
+
+export {
+  createPluginModel,
+  createPluginEmbedder,
+  getSlackToolContext,
+  bindSlackDirectCredentialSubject,
+  verifySlackDirectCredentialSubject,
+  resolveChannelCapabilities,
+  PluginHookDeniedError,
+  validatePlugins,
+  setPlugins,
+  getPlugins,
+  getPluginSystemPromptContributions,
+  getPluginUserPromptContributions,
+  getPluginTools,
+  getPluginRoutes,
+  getPluginSlackConversationLink,
+  getPluginOperationalReports,
+  createPluginHookRunner
+};