npm - @sentry/junior - Versions diffs - 0.74.1 → 0.76.0 - Mend

@sentry/junior 0.74.1 → 0.76.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (121) hide show

package/README.md +1 -1
package/bin/junior.mjs +4 -66
package/dist/agent-hooks-ZOE7RIED.js +37 -0
package/dist/api-reference.d.ts +3 -1
package/dist/app.js +5516 -5422
package/dist/build/copy-build-content.d.ts +1 -1
package/dist/build/virtual-config.d.ts +2 -2
package/dist/chat/agent-dispatch/context.d.ts +2 -3
package/dist/chat/agent-dispatch/runner.d.ts +2 -0
package/dist/chat/agent-dispatch/types.d.ts +2 -1
package/dist/chat/config.d.ts +3 -0
package/dist/chat/credentials/state-adapter-token-store.d.ts +2 -0
package/dist/chat/credentials/subject.d.ts +3 -3
package/dist/chat/credentials/user-token-store.d.ts +17 -12
package/dist/chat/db.d.ts +8 -0
package/dist/chat/mcp/auth-store.d.ts +2 -1
package/dist/chat/mcp/oauth.d.ts +2 -1
package/dist/chat/oauth-flow.d.ts +3 -1
package/dist/chat/pi/client.d.ts +15 -7
package/dist/chat/plugins/agent-hooks.d.ts +20 -13
package/dist/chat/plugins/auth/oauth-request.d.ts +11 -7
package/dist/chat/plugins/credential-hooks.d.ts +6 -6
package/dist/chat/plugins/logging.d.ts +2 -2
package/dist/chat/plugins/model.d.ts +9 -0
package/dist/chat/plugins/package-discovery.d.ts +2 -1
package/dist/chat/plugins/prompt.d.ts +5 -0
package/dist/chat/plugins/registry.d.ts +4 -0
package/dist/chat/plugins/state.d.ts +3 -5
package/dist/chat/plugins/task-callback.d.ts +5 -0
package/dist/chat/plugins/task-message.d.ts +23 -0
package/dist/chat/plugins/task-queue.d.ts +5 -0
package/dist/chat/plugins/task-runner.d.ts +12 -0
package/dist/chat/plugins/task-signing.d.ts +31 -0
package/dist/chat/plugins/types.d.ts +1 -0
package/dist/chat/plugins/validation.d.ts +5 -0
package/dist/chat/prompt.d.ts +15 -1
package/dist/chat/requester.d.ts +6 -5
package/dist/chat/respond-helpers.d.ts +2 -0
package/dist/chat/respond.d.ts +13 -2
package/dist/chat/runtime/agent-continue-runner.d.ts +4 -0
package/dist/chat/runtime/reply-executor.d.ts +5 -1
package/dist/chat/runtime/slack-resume.d.ts +10 -2
package/dist/chat/runtime/slack-runtime.d.ts +6 -1
package/dist/chat/sandbox/egress-credentials.d.ts +8 -8
package/dist/chat/sandbox/sandbox.d.ts +2 -2
package/dist/chat/sentry.d.ts +1 -0
package/dist/chat/services/mcp-auth-orchestration.d.ts +2 -1
package/dist/chat/services/plugin-auth-orchestration.d.ts +2 -1
package/dist/chat/services/subscribed-decision.d.ts +2 -2
package/dist/chat/services/turn-session-record.d.ts +11 -7
package/dist/chat/sql/db.d.ts +3 -0
package/dist/chat/sql/executor.d.ts +7 -0
package/dist/chat/sql/neon.d.ts +2 -4
package/dist/chat/sql/postgres.d.ts +6 -0
package/dist/chat/state/turn-session.d.ts +8 -5
package/dist/chat/task-execution/state.d.ts +7 -2
package/dist/chat/task-execution/worker.d.ts +1 -1
package/dist/chat/tools/agent-tools.d.ts +9 -2
package/dist/chat/tools/slack/context.d.ts +2 -2
package/dist/chat/tools/types.d.ts +7 -4
package/dist/chat/vercel-queue-client.d.ts +3 -0
package/dist/{chunk-YOHFWWBV.js → chunk-2ECJXSVQ.js} +5 -107
package/dist/{chunk-OR6NQJ5E.js → chunk-4SCWV7TJ.js} +3 -3
package/dist/chunk-4UO6FK4G.js +64 -0
package/dist/chunk-56TBVRJG.js +115 -0
package/dist/{chunk-3BYAPS6B.js → chunk-EJN6G5A2.js} +17 -11
package/dist/{chunk-SQGMG7OD.js → chunk-HHDUKWVG.js} +508 -149
package/dist/{chunk-6UP2Z2RZ.js → chunk-JBASI5VV.js} +7 -7
package/dist/chunk-KNFROR7R.js +127 -0
package/dist/{chunk-HYHKTFG2.js → chunk-KOIMO7S3.js} +186 -910
package/dist/chunk-MLKGABMK.js +9 -0
package/dist/chunk-NFTMTIP3.js +964 -0
package/dist/chunk-NYKJ3KON.js +1082 -0
package/dist/{chunk-SJHUF3DP.js → chunk-OJ53FYVG.js} +2 -10
package/dist/{chunk-KVZL5NZS.js → chunk-Q3XNY442.js} +17 -7
package/dist/{chunk-YRDS7VKO.js → chunk-Q6XFTRV5.js} +2 -2
package/dist/chunk-R6Z5XWY3.js +1076 -0
package/dist/chunk-RV5RYIJW.js +56 -0
package/dist/chunk-SG5WAA7H.js +132 -0
package/dist/chunk-ST6YNAXG.js +54 -0
package/dist/{chunk-GM7HTXYC.js → chunk-T77LUIX3.js} +148 -151
package/dist/{chunk-CYUI7JU5.js → chunk-VALUBQ7R.js} +22 -30
package/dist/chunk-XBBC6W45.js +71 -0
package/dist/chunk-Y2CM7HXH.js +111 -0
package/dist/{chunk-F6HWCPOC.js → chunk-Y5OFBCBZ.js} +1 -1
package/dist/{chunk-M4FLLXXD.js → chunk-Z4CIQ3EB.js} +5 -1
package/dist/{chunk-7Q5YOUUT.js → chunk-ZLMBNBUG.js} +146 -52
package/dist/{chunk-2LUZA3LY.js → chunk-ZQB37HUX.js} +11 -11
package/dist/cli/chat.js +87 -8
package/dist/cli/check.js +8 -7
package/dist/cli/env.js +4 -53
package/dist/cli/init.js +6 -1
package/dist/cli/main.js +84 -0
package/dist/cli/plugins.js +244 -0
package/dist/cli/run.js +5 -52
package/dist/cli/snapshot-warmup.js +12 -11
package/dist/cli/upgrade.js +385 -26
package/dist/db-7A7PFRGL.js +17 -0
package/dist/deployment.d.ts +1 -0
package/dist/handlers/sandbox-egress-route.d.ts +4 -0
package/dist/handlers/slack-webhook.d.ts +4 -0
package/dist/handlers/webhooks.d.ts +6 -13
package/dist/instrumentation.js +14 -18
package/dist/nitro.d.ts +1 -1
package/dist/nitro.js +67 -101
package/dist/plugin-module.d.ts +21 -0
package/dist/plugins-PZMDS7AT.js +15 -0
package/dist/plugins.d.ts +9 -5
package/dist/registry-OIPAJU2O.js +46 -0
package/dist/reporting/conversations.d.ts +3 -3
package/dist/reporting.d.ts +6 -5
package/dist/reporting.js +42 -28
package/dist/{runner-27NP2TEO.js → runner-KPLNHDCV.js} +77 -19
package/dist/sentry-4CP5NNQ5.js +31 -0
package/dist/validation-SLA6IGF7.js +15 -0
package/dist/vercel.js +1 -1
package/package.json +14 -11
package/dist/chat/conversations/configured.d.ts +0 -5
package/dist/chat/conversations/state.d.ts +0 -4
package/dist/chunk-2KG3PWR4.js +0 -17
package/dist/chunk-JL2SLRAT.js +0 -1970

package/dist/{chunk-CYUI7JU5.js → chunk-VALUBQ7R.js} RENAMED Viewed

@@ -1,9 +1,10 @@
 import {
   isSlackTeamId
-} from "./chunk-3BYAPS6B.js";
+} from "./chunk-EJN6G5A2.js";
 // src/chat/requester.ts
 import { z } from "zod";
+import { requesterSchema } from "@sentry/junior-plugin-api";
 var SLACK_USER_ID_PATTERN = /^[UW][A-Z0-9]{5,}$/;
 var EMAIL_PATTERN = /^[^\s@<>]+@[^\s@<>]+\.[^\s@<>]+$/;
 var exactStoredStringSchema = z.string().min(1).refine((value) => value === value.trim());
@@ -15,6 +16,10 @@ var storedSlackRequesterSchema = z.object({
   slackUserName: exactStoredStringSchema.optional(),
   teamId: exactStoredStringSchema.optional()
 }).strict();
+function parseRequester(value) {
+  const result = requesterSchema.safeParse(value);
+  return result.success ? result.data : void 0;
+}
 function clean(value) {
   const trimmed = value?.trim();
   return trimmed ? trimmed : void 0;
@@ -151,45 +156,32 @@ function toStoredSlackRequester(requester) {
     teamId: requester.teamId
   };
 }
-function createRequesterFromStoredSlackRequester(args) {
-  const actorUserId = parseActorUserId(args.userId);
-  const actorTeamId = parseSlackTeamId(args.teamId);
-  if (!actorTeamId || !actorUserId) {
+function createSlackResumeRequester(args) {
+  if (!args.requester) {
+    throw new Error("Stored Slack requester is required for resume");
+  }
+  if (args.requester.platform !== "slack" || args.requester.teamId !== args.teamId || args.requester.userId !== args.userId) {
+    throw new Error("Stored Slack requester did not match resume actor");
+  }
+  const requester = createRequester(args.requester, {
+    platform: "slack",
+    teamId: args.teamId,
+    userId: args.userId
+  });
+  if (!requester || requester.platform !== "slack") {
     throw new Error("Slack requester requires team and user ids");
   }
-  const storedUserId = args.requester?.slackUserId === void 0 ? void 0 : parseActorUserId(args.requester.slackUserId);
-  const storedTeamId = args.requester?.teamId === void 0 ? void 0 : parseSlackTeamId(args.requester.teamId);
-  if (args.requester?.slackUserId !== void 0 && !storedUserId) {
-    throw new Error("Stored Slack requester requires a user id");
-  }
-  if (args.requester?.teamId !== void 0 && !storedTeamId) {
-    throw new Error("Stored Slack requester requires a team id");
-  }
-  if (storedUserId && storedUserId !== actorUserId) {
-    throw new Error("Stored Slack requester must match actor user id");
-  }
-  if (storedTeamId && storedTeamId !== actorTeamId) {
-    throw new Error("Stored Slack requester must match actor team id");
-  }
-  const canUseStoredProfile = Boolean(storedUserId);
-  return createSlackRequester(
-    actorTeamId,
-    actorUserId,
-    canUseStoredProfile ? {
-      email: args.requester?.email,
-      fullName: args.requester?.fullName,
-      userName: args.requester?.slackUserName
-    } : void 0
-  );
+  return requester;
 }
 export {
   storedSlackRequesterSchema,
+  parseRequester,
   parseActorUserId,
   isActorUserId,
   createRequester,
   createSlackRequester,
   parseStoredSlackRequester,
   toStoredSlackRequester,
-  createRequesterFromStoredSlackRequester
+  createSlackResumeRequester
 };

package/dist/chunk-XBBC6W45.js ADDED Viewed

@@ -0,0 +1,71 @@
+import {
+  getPluginProviders
+} from "./chunk-ZLMBNBUG.js";
+// src/chat/plugins/validation.ts
+function validatePluginRegistrations(registrations) {
+  const loadedPlugins = getPluginProviders();
+  const loadedNames = new Set(
+    loadedPlugins.map((plugin) => plugin.manifest.name)
+  );
+  for (const registration of registrations) {
+    if (!loadedNames.has(registration.manifest.name)) {
+      throw new Error(
+        `Plugin registration "${registration.manifest.name}" does not have a matching plugin manifest. Add an inline manifest, packageName, or app-local plugin.yaml with the same name.`
+      );
+    }
+  }
+}
+function validatePluginEgressCredentialHooks(registrations) {
+  const plugins = new Map(
+    registrations.map((registration) => [
+      registration.manifest.name,
+      registration
+    ])
+  );
+  for (const provider of getPluginProviders()) {
+    const hooks = plugins.get(provider.manifest.name)?.hooks;
+    const hasGrantHook = Boolean(hooks?.grantForEgress);
+    const hasIssueHook = Boolean(hooks?.issueCredential);
+    const hasGenericCredentials = Boolean(
+      provider.manifest.credentials || provider.manifest.apiHeaders
+    );
+    const hasDomains = Boolean(provider.manifest.domains?.length);
+    const hasHookManagedOAuth = Boolean(
+      provider.manifest.oauth && !provider.manifest.credentials
+    );
+    if (!hasGrantHook && !hasIssueHook) {
+      if (hasDomains && !hasGenericCredentials) {
+        throw new Error(
+          `Plugin "${provider.manifest.name}" manifest.domains requires egress credential hooks when no generic credentials or apiHeaders are configured.`
+        );
+      }
+      if (hasHookManagedOAuth) {
+        throw new Error(
+          `Plugin "${provider.manifest.name}" manifest.oauth without oauth-bearer credentials requires egress credential hooks.`
+        );
+      }
+      continue;
+    }
+    if (!hasGrantHook || !hasIssueHook) {
+      throw new Error(
+        `Plugin "${provider.manifest.name}" egress credential hooks must include both grantForEgress and issueCredential.`
+      );
+    }
+    if (hasGenericCredentials) {
+      throw new Error(
+        `Plugin "${provider.manifest.name}" egress credential hooks must use manifest.domains instead of generic credentials or apiHeaders.`
+      );
+    }
+    if (!hasDomains) {
+      throw new Error(
+        `Plugin "${provider.manifest.name}" egress credential hooks require manifest.domains to list sandbox egress hosts.`
+      );
+    }
+  }
+}
+export {
+  validatePluginRegistrations,
+  validatePluginEgressCredentialHooks
+};

package/dist/chunk-Y2CM7HXH.js ADDED Viewed

@@ -0,0 +1,111 @@
+// src/plugin-module.ts
+import { statSync } from "fs";
+import { createRequire } from "module";
+import path from "path";
+import { pathToFileURL } from "url";
+var PLUGIN_MODULE_EXTENSIONS = [
+  "",
+  ".ts",
+  ".tsx",
+  ".mts",
+  ".mjs",
+  ".js",
+  ".cjs"
+];
+function resolveRelativePluginModule(cwd, specifier) {
+  const basePath = path.resolve(cwd, specifier);
+  for (const extension of PLUGIN_MODULE_EXTENSIONS) {
+    const candidate = `${basePath}${extension}`;
+    try {
+      if (statSync(candidate).isFile()) {
+        return candidate;
+      }
+    } catch {
+    }
+  }
+  for (const extension of PLUGIN_MODULE_EXTENSIONS) {
+    const candidate = path.join(basePath, `index${extension}`);
+    try {
+      if (statSync(candidate).isFile()) {
+        return candidate;
+      }
+    } catch {
+    }
+  }
+  throw new Error(`Plugin module "${specifier}" could not be resolved`);
+}
+function resolvePluginModule(cwd, input) {
+  const moduleSpecifier = typeof input === "string" ? input : input.module;
+  const exportName = typeof input === "string" ? "plugins" : input.exportName ?? "plugins";
+  if (!moduleSpecifier.trim()) {
+    throw new Error("Plugin module specifier must not be empty");
+  }
+  if (moduleSpecifier.startsWith(".") || path.isAbsolute(moduleSpecifier)) {
+    const resolvedPath2 = resolveRelativePluginModule(cwd, moduleSpecifier);
+    return {
+      exportName,
+      importPath: resolvedPath2,
+      importUrl: pathToFileURL(resolvedPath2).href,
+      kind: "file",
+      sourceSpecifier: moduleSpecifier
+    };
+  }
+  const requireFromApp = createRequire(path.join(cwd, "package.json"));
+  const resolvedPath = requireFromApp.resolve(moduleSpecifier);
+  return {
+    exportName,
+    importPath: resolvedPath,
+    importUrl: pathToFileURL(resolvedPath).href,
+    kind: "package",
+    sourceSpecifier: moduleSpecifier
+  };
+}
+function assertPluginSet(value, source) {
+  if (!value || typeof value !== "object" || !Array.isArray(value.packageNames) || !Array.isArray(value.registrations)) {
+    throw new Error(
+      `Plugin module ${source} must export a defineJuniorPlugins(...) set`
+    );
+  }
+  const pluginSet = value;
+  const invalidPackageName = pluginSet.packageNames?.find(
+    (packageName) => typeof packageName !== "string"
+  );
+  if (invalidPackageName !== void 0) {
+    throw new Error(`Plugin module ${source} must export string package names`);
+  }
+  const invalidRegistration = pluginSet.registrations?.find(
+    (registration) => !registration || typeof registration !== "object" || !("manifest" in registration) || !registration.manifest || typeof registration.manifest !== "object" || !("name" in registration.manifest) || typeof registration.manifest.name !== "string"
+  );
+  if (invalidRegistration) {
+    throw new Error(
+      `Plugin module ${source} must export plugin registrations with manifest names`
+    );
+  }
+  return value;
+}
+async function loadPluginSetFromModule(moduleRef, importModule = async (ref) => await import(ref.importUrl)) {
+  const mod = await importModule(moduleRef);
+  const value = moduleRef.exportName === "default" ? mod.default : mod[moduleRef.exportName];
+  return assertPluginSet(
+    value,
+    `${moduleRef.importUrl}#${moduleRef.exportName}`
+  );
+}
+async function loadAppPluginSet(cwd, importModule) {
+  let pluginModule;
+  try {
+    pluginModule = resolvePluginModule(cwd, "./plugins");
+  } catch (error) {
+    if (error instanceof Error && error.message === 'Plugin module "./plugins" could not be resolved') {
+      return void 0;
+    }
+    throw error;
+  }
+  return await loadPluginSetFromModule(pluginModule, importModule);
+}
+export {
+  resolvePluginModule,
+  loadPluginSetFromModule,
+  loadAppPluginSet
+};

package/dist/{chunk-F6HWCPOC.js → chunk-Y5OFBCBZ.js} RENAMED Viewed

@@ -1,6 +1,6 @@
 import {
   getChatConfig
-} from "./chunk-GM7HTXYC.js";
+} from "./chunk-T77LUIX3.js";
 // src/chat/state/adapter.ts
 import { createMemoryState } from "@chat-adapter/state-memory";

package/dist/{chunk-M4FLLXXD.js → chunk-Z4CIQ3EB.js} RENAMED Viewed

@@ -2,7 +2,7 @@ import {
   isRecord,
   toOptionalNumber,
   toOptionalString
-} from "./chunk-3BYAPS6B.js";
+} from "./chunk-EJN6G5A2.js";
 // src/chat/state/conversation.ts
 function coerceRole(value) {
@@ -206,7 +206,11 @@ function buildConversationStatePatch(conversation) {
   };
 }
+// src/chat/state/ttl.ts
+var JUNIOR_THREAD_STATE_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
 export {
+  JUNIOR_THREAD_STATE_TTL_MS,
   coerceThreadConversationState,
   buildConversationStatePatch
 };

package/dist/{chunk-7Q5YOUUT.js → chunk-ZLMBNBUG.js} RENAMED Viewed

@@ -1,16 +1,20 @@
+import {
+  parseActorUserId
+} from "./chunk-VALUBQ7R.js";
 import {
   discoverInstalledPluginPackageContent,
   normalizePluginPackageNames,
   pluginRoots
-} from "./chunk-KVZL5NZS.js";
-import {
-  parseActorUserId
-} from "./chunk-CYUI7JU5.js";
+} from "./chunk-Q3XNY442.js";
 import {
   logInfo,
   logWarn,
   setSpanAttributes
-} from "./chunk-3BYAPS6B.js";
+} from "./chunk-EJN6G5A2.js";
+// src/chat/plugins/registry.ts
+import { readFileSync, readdirSync, statSync } from "fs";
+import path from "path";
 // src/chat/plugins/manifest.ts
 import { z } from "zod";
@@ -1064,10 +1068,6 @@ function parseInlinePluginManifest(manifest, dir, config) {
   });
 }
-// src/chat/plugins/registry.ts
-import { readFileSync, readdirSync, statSync } from "fs";
-import path from "path";
 // src/chat/plugins/auth/oauth-bearer-broker.ts
 import { randomUUID as randomUUID2 } from "crypto";
@@ -1252,6 +1252,7 @@ function createApiHeadersBroker(manifest) {
 }
 // src/chat/plugins/auth/oauth-request.ts
+import { z as z3 } from "zod";
 var DEFAULT_TOKEN_CONTENT_TYPE = "application/x-www-form-urlencoded";
 function requireNonEmptyTokenField(data, field) {
   const value = data[field];
@@ -1260,6 +1261,19 @@ function requireNonEmptyTokenField(data, field) {
   }
   return value;
 }
+function requireTokenResponseObject(data) {
+  if (!data || typeof data !== "object" || Array.isArray(data)) {
+    throw new Error("OAuth token response must be an object");
+  }
+  return data;
+}
+var parsedOAuthTokenResponseSchema = z3.object({
+  accessToken: z3.string().min(1),
+  refreshToken: z3.string().min(1),
+  expiresAt: z3.number().positive().optional(),
+  refreshTokenExpiresAt: z3.number().positive().optional(),
+  scope: z3.string().min(1).optional()
+}).strict();
 function contentTypeToBody(contentType, payload) {
   const mediaType = contentType.split(";", 1)[0]?.trim().toLowerCase();
   if (!mediaType || mediaType === DEFAULT_TOKEN_CONTENT_TYPE) {
@@ -1299,10 +1313,12 @@ function buildOAuthTokenRequest(input) {
   };
 }
 function parseOAuthTokenResponse(data, requestedScope, options) {
-  const accessToken = requireNonEmptyTokenField(data, "access_token");
-  const refreshToken = requireNonEmptyTokenField(data, "refresh_token");
-  const expiresIn = data.expires_in;
-  const responseScope = data.scope;
+  const response = requireTokenResponseObject(data);
+  const accessToken = requireNonEmptyTokenField(response, "access_token");
+  const refreshToken = requireNonEmptyTokenField(response, "refresh_token");
+  const expiresIn = response.expires_in;
+  const refreshTokenExpiresIn = response.refresh_token_expires_in;
+  const responseScope = response.scope;
   let scope;
   if (responseScope !== void 0) {
     if (typeof responseScope !== "string") {
@@ -1319,23 +1335,28 @@ function parseOAuthTokenResponse(data, requestedScope, options) {
   } else {
     scope = normalizeOAuthScope(requestedScope);
   }
-  if (expiresIn === void 0) {
-    return { accessToken, refreshToken, ...scope ? { scope } : {} };
+  const result = { accessToken, refreshToken, ...scope ? { scope } : {} };
+  if (expiresIn !== void 0) {
+    if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
+      throw new Error("OAuth token response returned invalid expires_in");
+    }
+    result.expiresAt = Date.now() + expiresIn * 1e3;
   }
-  if (typeof expiresIn !== "number" || !Number.isFinite(expiresIn) || expiresIn <= 0) {
-    throw new Error("OAuth token response returned invalid expires_in");
+  if (refreshTokenExpiresIn !== void 0) {
+    if (typeof refreshTokenExpiresIn !== "number" || !Number.isFinite(refreshTokenExpiresIn) || refreshTokenExpiresIn <= 0) {
+      throw new Error(
+        "OAuth token response returned invalid refresh_token_expires_in"
+      );
+    }
+    result.refreshTokenExpiresAt = Date.now() + refreshTokenExpiresIn * 1e3;
   }
-  return {
-    accessToken,
-    refreshToken,
-    expiresAt: Date.now() + expiresIn * 1e3,
-    ...scope ? { scope } : {}
-  };
+  return parsedOAuthTokenResponseSchema.parse(result);
 }
 // src/chat/plugins/auth/oauth-bearer-broker.ts
 var MAX_LEASE_MS2 = 60 * 60 * 1e3;
 var REFRESH_BUFFER_MS = 5 * 60 * 1e3;
+var TOKEN_REFRESH_TIMEOUT_MS = 2e4;
 var OAuthRefreshRejectedError = class extends Error {
   constructor(message) {
     super(message);
@@ -1374,7 +1395,8 @@ async function refreshAccessToken(refreshToken, oauth, requestedScope) {
   const response = await fetch(oauth.tokenEndpoint, {
     method: "POST",
     headers: request.headers,
-    body: request.body
+    body: request.body,
+    signal: AbortSignal.timeout(TOKEN_REFRESH_TIMEOUT_MS)
   });
   if (!response.ok) {
     const errorCode = parseRefreshError(await response.text());
@@ -1395,6 +1417,12 @@ async function refreshAccessToken(refreshToken, oauth, requestedScope) {
 function getLeaseExpiry(expiresAt) {
   return expiresAt ? Math.min(expiresAt, Date.now() + MAX_LEASE_MS2) : Date.now() + MAX_LEASE_MS2;
 }
+function canUseStoredToken(stored) {
+  return stored !== void 0 && (stored.expiresAt === void 0 || stored.expiresAt > Date.now());
+}
+function shouldRefreshStoredToken(stored) {
+  return stored !== void 0 && stored.expiresAt !== void 0 && stored.expiresAt - Date.now() < REFRESH_BUFFER_MS;
+}
 function createOAuthBearerBroker(manifest, credentials, deps) {
   const provider = manifest.name;
   const { domains, apiHeaders, authTokenEnv } = credentials;
@@ -1442,33 +1470,62 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
               `Your ${provider} connection needs to be reauthorized.`
             );
           }
-          const now = Date.now();
-          if (stored.expiresAt !== void 0 && stored.expiresAt - now < REFRESH_BUFFER_MS) {
+          if (shouldRefreshStoredToken(stored)) {
             try {
-              const refreshed = await refreshAccessToken(
-                stored.refreshToken,
-                oauth,
-                stored.scope ?? oauth.scope
-              );
-              if (!hasRequiredOAuthScope(refreshed.scope, oauth.scope)) {
-                throw new CredentialUnavailableError(
-                  provider,
-                  `Your ${provider} connection needs to be reauthorized.`
-                );
-              }
-              const refreshedTokens = {
-                ...refreshed,
-                ...stored.account ? { account: stored.account } : {}
-              };
-              await deps.userTokenStore.set(
+              return await deps.userTokenStore.withRefresh(
                 userSubjectId,
                 provider,
-                refreshedTokens
-              );
-              return buildLease(
-                refreshed.accessToken,
-                getLeaseExpiry(refreshed.expiresAt),
-                input.reason
+                async () => {
+                  const latest = await deps.userTokenStore.get(
+                    userSubjectId,
+                    provider
+                  );
+                  if (latest && !hasRequiredOAuthScope(latest.scope, oauth.scope)) {
+                    throw new CredentialUnavailableError(
+                      provider,
+                      `Your ${provider} connection needs to be reauthorized.`
+                    );
+                  }
+                  if (!shouldRefreshStoredToken(latest) && canUseStoredToken(latest)) {
+                    return buildLease(
+                      latest.accessToken,
+                      getLeaseExpiry(latest.expiresAt),
+                      input.reason
+                    );
+                  }
+                  if (!latest) {
+                    throw new CredentialUnavailableError(
+                      provider,
+                      `No ${provider} credentials available.`
+                    );
+                  }
+                  const refreshed = await refreshAccessToken(
+                    latest.refreshToken,
+                    oauth,
+                    latest.scope ?? oauth.scope
+                  );
+                  if (!hasRequiredOAuthScope(refreshed.scope, oauth.scope)) {
+                    throw new CredentialUnavailableError(
+                      provider,
+                      `Your ${provider} connection needs to be reauthorized.`
+                    );
+                  }
+                  const refreshedTokens = {
+                    ...latest.refreshTokenExpiresAt ? { refreshTokenExpiresAt: latest.refreshTokenExpiresAt } : {},
+                    ...refreshed,
+                    ...latest.account ? { account: latest.account } : {}
+                  };
+                  await deps.userTokenStore.set(
+                    userSubjectId,
+                    provider,
+                    refreshedTokens
+                  );
+                  return buildLease(
+                    refreshed.accessToken,
+                    getLeaseExpiry(refreshed.expiresAt),
+                    input.reason
+                  );
+                }
               );
             } catch (error) {
               if (error instanceof CredentialUnavailableError) {
@@ -1483,7 +1540,7 @@ function createOAuthBearerBroker(manifest, credentials, deps) {
               throw error;
             }
           }
-          if (stored.expiresAt === void 0 || stored.expiresAt > Date.now()) {
+          if (canUseStoredToken(stored)) {
             return buildLease(
               stored.accessToken,
               getLeaseExpiry(stored.expiresAt),
@@ -1523,6 +1580,7 @@ function createLoadedPluginState(signature) {
   return {
     signature,
     pluginDefinitions: [],
+    pluginMigrationRoots: /* @__PURE__ */ new Map(),
     capabilityToPlugin: /* @__PURE__ */ new Map(),
     domainToPlugin: /* @__PURE__ */ new Map(),
     pluginConfigKeys: /* @__PURE__ */ new Set(),
@@ -1538,7 +1596,7 @@ function providerDomains(manifest) {
     ])
   ].sort((left, right) => left.localeCompare(right));
 }
-function registerPluginManifest(state, manifest, pluginDir, skillsDir) {
+function registerPluginManifest(state, manifest, pluginDir, skillsDir, migrationsDir) {
   if (state.pluginsByName.has(manifest.name)) {
     throw new Error(`Duplicate plugin name "${manifest.name}"`);
   }
@@ -1560,10 +1618,14 @@ function registerPluginManifest(state, manifest, pluginDir, skillsDir) {
   const definition = {
     manifest,
     dir: pluginDir,
+    ...migrationsDir ? { migrationsDir } : {},
     ...skillsDir ? { skillsDir } : {}
   };
   state.pluginDefinitions.push(definition);
   state.pluginsByName.set(manifest.name, definition);
+  if (definition.migrationsDir) {
+    state.pluginMigrationRoots.set(manifest.name, definition.migrationsDir);
+  }
   for (const cap of manifest.capabilities) {
     state.capabilityToPlugin.set(cap, definition);
   }
@@ -1613,6 +1675,14 @@ function getPluginCatalogSource() {
     signature: JSON.stringify({
       inlineManifests,
       manifestRoots,
+      packages: packagedContent.packages.map((pkg) => ({
+        dir: path.resolve(pkg.dir),
+        hasMigrationsDir: pkg.hasMigrationsDir,
+        hasSkillsDir: pkg.hasSkillsDir,
+        packageName: pkg.packageName
+      })).sort(
+        (left, right) => left.packageName.localeCompare(right.packageName)
+      ),
       packagedSkillRoots,
       packageNames: [...packagedContent.packageNames].sort(),
       pluginConfig: pluginConfig ?? {}
@@ -1640,19 +1710,34 @@ function clonePluginCatalogConfig(config) {
   };
 }
 function packageContentByName(packagedContent, packageName) {
-  return packagedContent.packages.find((pkg) => pkg.name === packageName);
+  return packagedContent.packages.find(
+    (pkg) => pkg.packageName === packageName
+  );
 }
 function registerInlineManifests(state, source) {
+  const migrationOwners = /* @__PURE__ */ new Map();
   for (const definition of source.inlineManifests) {
     const pkg = definition.packageName ? packageContentByName(source.packagedContent, definition.packageName) : void 0;
     const dir = pkg?.dir ?? process.cwd();
     const skillsDir = pkg?.hasSkillsDir ? path.join(pkg.dir, "skills") : void 0;
+    const migrationsDir = pkg?.hasMigrationsDir && statSync(path.join(pkg.dir, "migrations"), {
+      throwIfNoEntry: false
+    })?.isDirectory() ? path.join(pkg.dir, "migrations") : void 0;
     const manifest = parseInlinePluginManifest(
       definition.manifest,
       dir,
       pluginConfig
     );
-    registerPluginManifest(state, manifest, dir, skillsDir);
+    if (migrationsDir) {
+      const owner = migrationOwners.get(migrationsDir);
+      if (owner) {
+        throw new Error(
+          `Plugin "${manifest.name}" cannot share migrations directory with plugin "${owner}"`
+        );
+      }
+      migrationOwners.set(migrationsDir, manifest.name);
+    }
+    registerPluginManifest(state, manifest, dir, skillsDir, migrationsDir);
   }
 }
 function discoverConfiguredPluginPackageContent() {
@@ -1801,6 +1886,10 @@ function getPluginCapabilityProviders() {
 function getPluginProviders() {
   return [...ensurePluginsLoaded().pluginDefinitions];
 }
+function getPluginMigrationRoots() {
+  const state = ensurePluginsLoaded();
+  return [...state.pluginMigrationRoots.entries()].map(([pluginName, dir]) => ({ pluginName, dir })).sort((left, right) => left.pluginName.localeCompare(right.pluginName));
+}
 function getPluginMcpProviders() {
   return ensurePluginsLoaded().pluginDefinitions.filter(
     (plugin) => Boolean(plugin.manifest.mcp)
@@ -1897,6 +1986,9 @@ function getPluginDisplayName(provider) {
 function isPluginProvider(provider) {
   return ensurePluginsLoaded().pluginsByName.has(provider);
 }
+function isPluginCapability(capability) {
+  return ensurePluginsLoaded().capabilityToPlugin.has(capability);
+}
 function isPluginConfigKey(key) {
   return ensurePluginsLoaded().pluginConfigKeys.has(key);
 }
@@ -1940,6 +2032,7 @@ export {
   getPluginCatalogSignature,
   getPluginCapabilityProviders,
   getPluginProviders,
+  getPluginMigrationRoots,
   getPluginMcpProviders,
   getPluginRuntimeDependencies,
   getPluginRuntimePostinstall,
@@ -1949,6 +2042,7 @@ export {
   getPluginDefinition,
   getPluginDisplayName,
   isPluginProvider,
+  isPluginCapability,
   isPluginConfigKey,
   createPluginBroker
 };