@slock-ai/daemon 0.52.2 → 0.53.0

package/dist/{chunk-HSBOURQE.js → chunk-LPRTPDGH.js}

@@ -9,7 +9,7 @@ import {
 // src/core.ts
 import path16 from "path";
 import os8 from "os";
-import { createRequire } from "module";
+import { createRequire as createRequire2 } from "module";
 import { accessSync } from "fs";
 import { fileURLToPath } from "url";
 
@@ -772,12 +772,13 @@ import os6 from "os";
 
 // src/drivers/claude.ts
 import { spawn } from "child_process";
-import { existsSync as existsSync3, readdirSync, readFileSync, statSync, writeFileSync as writeFileSync2 } from "fs";
+import { existsSync as existsSync3, readdirSync, readFileSync as readFileSync2, statSync, writeFileSync as writeFileSync2 } from "fs";
 import os2 from "os";
 import path4 from "path";
 
 // src/drivers/cliTransport.ts
-import { mkdirSync, rmSync, writeFileSync } from "fs";
+import { mkdirSync, readFileSync, rmSync, writeFileSync } from "fs";
+import { createRequire } from "module";
 import path2 from "path";
 
 // src/drivers/systemPrompt.ts
@@ -872,13 +873,15 @@ Use the \`slock\` CLI for chat / task / attachment operations. The daemon inject
 17. **\`slock attachment view\`** \u2014 Download an attached file by its attachment ID so you can inspect it locally.
 18. **\`slock profile show\`** \u2014 Show your own profile, or another visible profile via \`@handle\`. Mirrors the canonical Slock profile view.
 19. **\`slock profile update\`** \u2014 Update your own profile. Supports \`--avatar-file <path>\`, \`--avatar-url pixel:random:<seed>\`, \`--display-name <name>\`, and \`--description <text>\`. Use \`--avatar-url pixel:random:<seed>\` when you want a new pixel avatar but do not have a local image file. Values must be non-empty. Provide at least one flag per call; multiple flags can be combined.
-20. **\`slock reminder schedule\`** \u2014 Schedule a reminder for yourself later, at a specific time, or on a recurring cadence.
-21. **\`slock reminder list\`** \u2014 List your reminders, including lifecycle history for each reminder.
-22. **\`slock reminder snooze\`** \u2014 Push a reminder later without replacing it.
-23. **\`slock reminder update\`** \u2014 Change a reminder's title, schedule, or recurrence without creating a new reminder.
-24. **\`slock reminder cancel\`** \u2014 Cancel one of your reminders by ID.
-25. **\`slock reminder log\`** \u2014 Show the event log for a reminder, including fires, dismissals, and reschedules.
-26. **\`slock action prepare\`** \u2014 Prepare an action card for a human to commit (B-mode quick-commit shortcut). Posts a card the human can click to execute the action under their own identity. Pass \`--target <ch>\` and pipe the action JSON on stdin (variants: \`channel:create\`, \`agent:create\`).
+20. **\`slock integration list\`** \u2014 List registered third-party services and this agent's active Slock Agent Logins.
+21. **\`slock integration login\`** \u2014 Provision or reuse this agent's login for a registered third-party service.
+22. **\`slock reminder schedule\`** \u2014 Schedule a reminder for yourself later, at a specific time, or on a recurring cadence.
+23. **\`slock reminder list\`** \u2014 List your reminders, including lifecycle history for each reminder.
+24. **\`slock reminder snooze\`** \u2014 Push a reminder later without replacing it.
+25. **\`slock reminder update\`** \u2014 Change a reminder's title, schedule, or recurrence without creating a new reminder.
+26. **\`slock reminder cancel\`** \u2014 Cancel one of your reminders by ID.
+27. **\`slock reminder log\`** \u2014 Show the event log for a reminder, including fires, dismissals, and reschedules.
+28. **\`slock action prepare\`** \u2014 Prepare an action card for a human to commit (B-mode quick-commit shortcut). Posts a card the human can click to execute the action under their own identity. Pass \`--target <ch>\` and pipe the action JSON on stdin (variants: \`channel:create\`, \`agent:create\`).
 
 The CLI prints human-readable canonical text on success (matching the format you see in received messages and history). On failure it prints JSON to stderr:
 - failure \u2192 stderr \`{"ok":false,"code":"...","message":"..."}\` with non-zero exit
@@ -913,20 +916,23 @@ Use reminders for follow-up that depends on future state you cannot resolve now,
 When a reminder already exists, prefer \`slock reminder snooze\` to push it later, \`slock reminder update\` to change its meaning or schedule, and \`slock reminder cancel\` only when it is truly no longer needed.
 Use ${scheduleReminderCmd} rather than runtime-native wake or cron tools such as ScheduleWakeup or CronCreate for user-visible reminders, so reminders stay author-owned, persistent, observable, snoozable, updatable, and cancelable in Slock.
 Create agent reminders only after resolving the anchor message from the current conversation and passing its msgId explicitly; if no anchor can be resolved, consider posting a status update in the relevant thread so the intent is visible, then revisit when context is available.`;
+  const messageHeredocDelimiter = "SLOCKMSG";
   const sendingMessagesSection = isCli ? `### Sending messages
 
-- **Reply to a channel**: \`slock message send --target "#channel-name" <<'EOF'\` followed by the message body and \`EOF\`
-- **Reply to a DM**: \`slock message send --target dm:@peer-name <<'EOF'\` followed by the message body and \`EOF\`
-- **Reply in a thread**: \`slock message send --target "#channel:shortid" <<'EOF'\` followed by the message body and \`EOF\`
-- **Start a NEW DM**: \`slock message send --target dm:@person-name <<'EOF'\` followed by the message body and \`EOF\`
+- **Reply to a channel**: \`slock message send --target "#channel-name" <<'${messageHeredocDelimiter}'\` followed by the message body and \`${messageHeredocDelimiter}\`
+- **Reply to a DM**: \`slock message send --target dm:@peer-name <<'${messageHeredocDelimiter}'\` followed by the message body and \`${messageHeredocDelimiter}\`
+- **Reply in a thread**: \`slock message send --target "#channel:shortid" <<'${messageHeredocDelimiter}'\` followed by the message body and \`${messageHeredocDelimiter}\`
+- **Start a NEW DM**: \`slock message send --target dm:@person-name <<'${messageHeredocDelimiter}'\` followed by the message body and \`${messageHeredocDelimiter}\`
 
 Message content is always read from stdin. Use a heredoc so quotes, backticks, code blocks, and newlines are not interpreted by the shell:
 \`\`\`bash
-slock message send --target "#channel-name" <<'EOF'
+slock message send --target "#channel-name" <<'${messageHeredocDelimiter}'
 Long message with "quotes", $vars, \`backticks\`, and code blocks.
-EOF
+${messageHeredocDelimiter}
 \`\`\`
 
+Use a delimiter that is unlikely to appear in the message body; the examples use \`${messageHeredocDelimiter}\` instead of \`EOF\` so shell snippets and recovery drafts are less likely to leak delimiter text into sent messages.
+
 If Slock says a message was not sent and was saved as a draft, choose one path:
 - To update the draft, use a normal \`slock message send --target <target>\` with the revised content.
 - To send the current draft unchanged, use \`slock message send --send-draft --target <target>\` with no stdin. Do not use \`--send-draft\` when changing content.
@@ -945,7 +951,7 @@ Threads are sub-conversations attached to a specific message. They let you discu
 
 - **Thread targets** have a colon and short ID suffix: \`#general:a1b2c3d4\` (thread in #general) or \`dm:@richard:x9y8z7a0\` (thread in a DM).
 - When you receive a message from a thread (the target has a \`:shortid\` suffix), **always reply using that same target** to keep the conversation in the thread.
-- **Start a new thread**: Use the \`msg=\` field from the header as the thread suffix. For example, if you see \`[target=#general msg=a1b2c3d4 ...]\`, reply with \`slock message send --target "#general:a1b2c3d4" <<'EOF'\` followed by the message body and \`EOF\`. The thread will be auto-created if it doesn't exist yet.
+- **Start a new thread**: Use the \`msg=\` field from the header as the thread suffix. For example, if you see \`[target=#general msg=a1b2c3d4 ...]\`, reply with \`slock message send --target "#general:a1b2c3d4" <<'${messageHeredocDelimiter}'\` followed by the message body and \`${messageHeredocDelimiter}\`. The thread will be auto-created if it doesn't exist yet.
 - When you send a message, the response includes the message ID. You can use it to start a thread on your own message.
 - You can read thread history: \`slock message read --channel "#general:a1b2c3d4"\`
 - You can stop receiving ordinary delivery for a thread with \`slock thread unfollow --target "#general:a1b2c3d4"\`. Only do this when your work in that thread is clearly complete or no longer relevant.
@@ -979,6 +985,11 @@ Each channel has a **name** and optionally a **description** that define its pur
 - **Reply in context** \u2014 always respond in the channel/thread the message came from.
 - **Stay on topic** \u2014 when proactively sharing results or updates, post in the channel most relevant to the work. Don't scatter messages across unrelated channels.
 - If unsure where something belongs, call ${serverInfoCmd} to review channel descriptions.`;
+  const thirdPartyIntegrationsSection = isCli ? `### Third-party integrations
+
+If a registered third-party service requires login, use Slock Agent Login through the CLI instead of asking the human to copy tokens or complete human OAuth for you. If a human asks you to sign into, open, use, or fetch identity from a third-party app, first run \`slock integration list\` and match the app to a registered service before browsing the app. Use \`slock integration login --service <service>\` to provision or reuse your agent login for that service. If the CLI reports that the \`integration\` command is unknown, the local daemon/CLI is too old for Slock Agent Login; report that the machine must be upgraded/restarted instead of calling internal HTTP endpoints yourself. When the command returns \`Agent login ready\` or \`Already logged in\`, the agent-side login is ready. If the output includes an app URL, open that URL as the service-provided third-party app surface; it should look like the service's normal Login with Slock callback and not require you to understand Slock's internal grant/request protocol. Do not crawl third-party routes looking for a session before trying the registered-service login path. Do not open the human \`Login with Slock\` browser flow, use internal request IDs as OAuth callback codes, call internal Slock integration endpoints directly, or call third-party exchange endpoints unless a human explicitly asks you to debug that server-to-server protocol. If the service or human asks for your Slock Agent identity card, use \`slock profile show\`. Third-party pages may show \`Login with Slock\`; for agent-facing access, prefer the registered service / Slock Agent Login path.` : `### Third-party integrations
+
+If a registered third-party service requires login, use Slock Agent Login through the available registered-service interface instead of asking the human to copy tokens or complete human OAuth for you. If a human asks you to sign into, open, use, or fetch identity from a third-party app, first inspect the registered-service interface and match the app to a registered service before browsing the app. Once the registered-service interface reports the agent login is ready, the agent-side login is ready. If that interface provides an app URL, use it as the service-provided third-party app surface; it should look like the service's normal Login with Slock callback and not require you to understand Slock's internal grant/request protocol. Do not crawl third-party routes looking for a session before trying the registered-service login path. Do not open the human \`Login with Slock\` browser flow or treat internal request IDs as OAuth callback codes unless a human explicitly asks you to debug that server-to-server protocol. If the service or human asks for your Slock Agent identity card, use your Slock profile view. Third-party pages may show \`Login with Slock\`; for agent-facing access, prefer the registered service / Slock Agent Login path.`;
   const readingHistorySection = isCli ? `### Reading history
 
 \`slock message read --channel "#channel-name"\` or \`slock message read --channel dm:@peer-name\` or \`slock message read --channel "#channel:shortid"\`
@@ -1015,7 +1026,7 @@ Only top-level channel / DM messages can become tasks. Messages inside threads a
 **Workflow:**
 1. Receive a message that requires action \u2192 claim it first (by task number if already a task, or by message ID if it's a regular message)
 2. If the claim fails, someone else is working on it \u2014 move on to another task
-3. Post updates in the task's thread: \`slock message send --target "#channel:msgShortId" <<'EOF'\` followed by the message body and \`EOF\`
+3. Post updates in the task's thread: \`slock message send --target "#channel:msgShortId" <<'${messageHeredocDelimiter}'\` followed by the message body and \`${messageHeredocDelimiter}\`
 4. When done, set status to \`in_review\` so a human can validate via \`slock task update\`
 5. After approval (e.g. "looks good", "merge it"), set status to \`done\`
 
@@ -1150,6 +1161,8 @@ ${discoverySection}
 
 ${channelAwarenessSection}
 
+${thirdPartyIntegrationsSection}
+
 ${readingHistorySection}
 
 ${historicalReferenceSection}
@@ -1872,8 +1885,51 @@ function unregisterAgentCredentialProxyForLaunch(input) {
 
 // src/drivers/cliTransport.ts
 var shellSingleQuote = (value) => `'${value.replace(/'/g, `'\\''`)}'`;
+var powershellSingleQuote = (value) => `'${value.replace(/'/g, "''")}'`;
 var DEFAULT_ACTIVE_CAPABILITIES = "send,read,mentions,tasks,reactions,server,channels";
 var safePathPart = (value) => value.replace(/[^a-zA-Z0-9_.-]/g, "_");
+var cachedOpencliBinPath;
+function resolveOpencliBinPath() {
+  if (cachedOpencliBinPath !== void 0) return cachedOpencliBinPath;
+  try {
+    const require2 = createRequire(import.meta.url);
+    const mainPath = require2.resolve("@jackwener/opencli");
+    let dir = path2.dirname(mainPath);
+    const root = path2.parse(dir).root;
+    while (dir && dir !== root) {
+      const candidate = path2.join(dir, "package.json");
+      try {
+        const pkg = JSON.parse(readFileSync(candidate, "utf8"));
+        if (pkg.name === "@jackwener/opencli") {
+          const binEntry = typeof pkg.bin === "string" ? pkg.bin : pkg.bin?.opencli;
+          if (!binEntry) {
+            cachedOpencliBinPath = null;
+            return null;
+          }
+          cachedOpencliBinPath = path2.resolve(dir, binEntry);
+          return cachedOpencliBinPath;
+        }
+      } catch {
+      }
+      const parent = path2.dirname(dir);
+      if (parent === dir) break;
+      dir = parent;
+    }
+    cachedOpencliBinPath = null;
+    return null;
+  } catch {
+    cachedOpencliBinPath = null;
+    return null;
+  }
+}
+function windowsUtf8Env() {
+  return {
+    PYTHONIOENCODING: "utf-8",
+    PYTHONUTF8: "1",
+    LANG: "C.UTF-8",
+    LC_ALL: "C.UTF-8"
+  };
+}
 function runtimeContextEnv(config) {
   const ctx = config.runtimeContext;
   if (!ctx) return {};
@@ -1932,10 +1988,70 @@ ${posixCredentialPrefix}exec ${shellSingleQuote(process.execPath)} ${shellSingle
 set "SLOCK_AGENT_PROXY_TOKEN_FILE=${agentCredentialProxyTokenFile}"\r
 set "SLOCK_AGENT_ACTIVE_CAPABILITIES=${DEFAULT_ACTIVE_CAPABILITIES}"\r
 ` : "";
-    const cmdBody = `@echo off\r
-${cmdCredentialLine}"${process.execPath}" "${ctx.slockCliPath}" %*\r
-`;
+    const cmdBody = [
+      "@echo off",
+      "set PYTHONIOENCODING=utf-8",
+      "set PYTHONUTF8=1",
+      "set LANG=C.UTF-8",
+      "set LC_ALL=C.UTF-8",
+      "chcp 65001 >NUL 2>NUL",
+      cmdCredentialLine.trimEnd(),
+      `"${process.execPath}" "${ctx.slockCliPath}" %*`,
+      ""
+    ].filter((line) => line.length > 0).join("\r\n") + "\r\n";
     writeFileSync(cmdWrapper, cmdBody);
+    const psWrapper = path2.join(slockDir, "slock.ps1");
+    const psCredentialLines = agentCredentialProxy ? [
+      `$env:SLOCK_AGENT_PROXY_URL=${powershellSingleQuote(agentCredentialProxy.proxyUrl)}`,
+      `$env:SLOCK_AGENT_PROXY_TOKEN_FILE=${powershellSingleQuote(agentCredentialProxyTokenFile)}`,
+      `$env:SLOCK_AGENT_ACTIVE_CAPABILITIES=${powershellSingleQuote(DEFAULT_ACTIVE_CAPABILITIES)}`
+    ] : [];
+    const psBody = [
+      "$ErrorActionPreference = 'Stop'",
+      "$utf8NoBom = [System.Text.UTF8Encoding]::new($false)",
+      "[Console]::OutputEncoding = $utf8NoBom",
+      "$OutputEncoding = $utf8NoBom",
+      "$env:PYTHONIOENCODING = 'utf-8'",
+      "$env:PYTHONUTF8 = '1'",
+      "$env:LANG = 'C.UTF-8'",
+      "$env:LC_ALL = 'C.UTF-8'",
+      ...psCredentialLines,
+      `$node = ${powershellSingleQuote(process.execPath)}`,
+      `$cli = ${powershellSingleQuote(ctx.slockCliPath)}`,
+      "if ($MyInvocation.ExpectingInput) {",
+      "  $input | & $node $cli @args",
+      "} else {",
+      "  & $node $cli @args",
+      "}",
+      "exit $LASTEXITCODE",
+      ""
+    ].join("\r\n");
+    writeFileSync(psWrapper, psBody);
+  }
+  const opencliBinPath = resolveOpencliBinPath();
+  if (opencliBinPath) {
+    const opencliPosixWrapper = path2.join(slockDir, "opencli");
+    writeFileSync(
+      opencliPosixWrapper,
+      `#!/usr/bin/env bash
+exec ${shellSingleQuote(process.execPath)} ${shellSingleQuote(opencliBinPath)} "$@"
+`,
+      { mode: 493 }
+    );
+    if (platform === "win32") {
+      const opencliCmdWrapper = path2.join(slockDir, "opencli.cmd");
+      const opencliCmdBody = [
+        "@echo off",
+        "set PYTHONIOENCODING=utf-8",
+        "set PYTHONUTF8=1",
+        "set LANG=C.UTF-8",
+        "set LC_ALL=C.UTF-8",
+        "chcp 65001 >NUL 2>NUL",
+        `"${process.execPath}" "${opencliBinPath}" %*`,
+        ""
+      ].join("\r\n") + "\r\n";
+      writeFileSync(opencliCmdWrapper, opencliCmdBody);
+    }
   }
   const wrapperPath = platform === "win32" ? path2.join(slockDir, "slock.cmd") : posixWrapper;
   const spawnEnv = {
@@ -1943,6 +2059,7 @@ ${cmdCredentialLine}"${process.execPath}" "${ctx.slockCliPath}" %*\r
     FORCE_COLOR: "0",
     ...ctx.config.envVars || {},
     ...extraEnv,
+    ...platform === "win32" ? windowsUtf8Env() : {},
     ...runtimeContextEnv(ctx.config),
     [SLOCK_HOME_ENV]: slockHome,
     SLOCK_AGENT_ID: ctx.agentId,
@@ -2085,7 +2202,7 @@ function expandClaudeMcpConfigVariables(raw, vars) {
 function readClaudeMcpServers(configPath, vars = {}) {
   try {
     const parsed = JSON.parse(
-      expandClaudeMcpConfigVariables(readFileSync(configPath, "utf8"), vars)
+      expandClaudeMcpConfigVariables(readFileSync2(configPath, "utf8"), vars)
     );
     if (!isRecord(parsed) || !isRecord(parsed.mcpServers)) return null;
     return parsed.mcpServers;
@@ -2387,7 +2504,7 @@ var ClaudeDriver = class {
 
 // src/drivers/codex.ts
 import { spawn as spawn2, execFileSync as execFileSync2, execSync } from "child_process";
-import { existsSync as existsSync4, readFileSync as readFileSync2 } from "fs";
+import { existsSync as existsSync4, readFileSync as readFileSync3 } from "fs";
 import os3 from "os";
 import path5 from "path";
 function getCodexNotificationErrorMessage(params) {
@@ -2925,7 +3042,7 @@ function detectCodexModels(home = os3.homedir()) {
   const configPath = path5.join(home, ".codex", "config.toml");
   let models = [];
   try {
-    const raw = readFileSync2(cachePath, "utf8");
+    const raw = readFileSync3(cachePath, "utf8");
     const parsed = JSON.parse(raw);
     const entries = Array.isArray(parsed?.models) ? parsed.models : [];
     for (const entry of entries) {
@@ -2942,7 +3059,7 @@ function detectCodexModels(home = os3.homedir()) {
   if (models.length === 0) return null;
   let defaultModel;
   try {
-    const raw = readFileSync2(configPath, "utf8");
+    const raw = readFileSync3(configPath, "utf8");
     const match = raw.match(/^\s*model\s*=\s*"([^"]+)"/m);
     if (match) defaultModel = match[1];
   } catch {
@@ -3540,7 +3657,7 @@ var GeminiDriver = class {
 // src/drivers/kimi.ts
 import { randomUUID } from "crypto";
 import { spawn as spawn6 } from "child_process";
-import { existsSync as existsSync7, readFileSync as readFileSync3, writeFileSync as writeFileSync6 } from "fs";
+import { existsSync as existsSync7, readFileSync as readFileSync4, writeFileSync as writeFileSync6 } from "fs";
 import os4 from "os";
 import path9 from "path";
 var KIMI_WIRE_PROTOCOL_VERSION = "1.3";
@@ -3775,7 +3892,7 @@ function detectKimiModels(home = os4.homedir()) {
   const configPath = path9.join(home, ".kimi", "config.toml");
   let raw;
   try {
-    raw = readFileSync3(configPath, "utf8");
+    raw = readFileSync4(configPath, "utf8");
   } catch {
     return null;
   }
@@ -3799,7 +3916,7 @@ function detectKimiModels(home = os4.homedir()) {
 
 // src/drivers/opencode.ts
 import { spawn as spawn7, spawnSync as spawnSync2 } from "child_process";
-import { existsSync as existsSync8, readFileSync as readFileSync4 } from "fs";
+import { existsSync as existsSync8, readFileSync as readFileSync5 } from "fs";
 import os5 from "os";
 import path10 from "path";
 var CHAT_MCP_SERVER_NAME = "chat";
@@ -3851,7 +3968,7 @@ function parseUserOpenCodeConfig(ctx) {
 function readLocalOpenCodeConfig(home = os5.homedir()) {
   const configPath = path10.join(home, ".config", "opencode", "opencode.json");
   try {
-    return parseOpenCodeConfigContent(readFileSync4(configPath, "utf8"));
+    return parseOpenCodeConfigContent(readFileSync5(configPath, "utf8"));
   } catch {
   }
   return {};
@@ -4102,7 +4219,7 @@ function resolveWindowsOpenCodePackageEntry(commandPath, deps = {}) {
 }
 function extractWindowsShimTargets(commandPath, deps = {}) {
   if (!isWindowsCommandShim(commandPath)) return [];
-  const readFileSyncFn = deps.readFileSyncFn ?? readFileSync4;
+  const readFileSyncFn = deps.readFileSyncFn ?? readFileSync5;
   const commandDir = path10.win32.dirname(commandPath);
   let raw;
   try {
@@ -5158,7 +5275,7 @@ Do not copy these answers verbatim.
 ## FAQ 15: How do I create agents or channels?
 ### Answer idea
 - When the owner agrees to a new agent or channel, **post an action card** with \`slock action prepare\`. The card lives inline in chat; the owner clicks the action button, the matching create dialog opens prefilled with your values (editable), and the resource is created under their identity when they submit.
-- v1 supports three action types via \`slock action prepare --target '<channel>' <<EOF { ... } EOF\`:
+- v1 supports three action types via \`slock action prepare --target '<channel>' <<'SLOCKACTION' { ... } SLOCKACTION\`:
   - \`{type: "channel:create", name, visibility: "public" | "private", description?, initialHumans?: ["@alice"], initialAgents?: ["@scout"], draftHint?}\`
   - \`{type: "agent:create", name, description?, draftHint?}\` \u2014 runtime / model / computer are the owner's call, not yours
   - \`{type: "channel:add_member", channel: "#existing-channel", humans?: ["@alice"], agents?: ["@scout"], draftHint?}\` \u2014 at least one of humans / agents must be non-empty. The owner clicks "Add Members" on the card; an AddMembers dialog opens with your suggested list (each row toggleable) and the owner submits to actually add them.
@@ -8582,7 +8699,7 @@ var ReminderCache = class {
 
 // src/machineLock.ts
 import { createHash as createHash3, randomUUID as randomUUID2 } from "crypto";
-import { mkdirSync as mkdirSync5, readFileSync as readFileSync5, rmSync as rmSync3, statSync as statSync3, writeFileSync as writeFileSync8 } from "fs";
+import { mkdirSync as mkdirSync5, readFileSync as readFileSync6, rmSync as rmSync3, statSync as statSync3, writeFileSync as writeFileSync8 } from "fs";
 import os7 from "os";
 import path13 from "path";
 var INCOMPLETE_LOCK_STALE_MS = 3e4;
@@ -8610,7 +8727,7 @@ function ownerPath(lockDir) {
 }
 function readOwner(lockDir) {
   try {
-    return JSON.parse(readFileSync5(ownerPath(lockDir), "utf8"));
+    return JSON.parse(readFileSync6(ownerPath(lockDir), "utf8"));
   } catch {
     return null;
   }
@@ -9253,7 +9370,7 @@ function parseDaemonCliArgs(args) {
 }
 function readDaemonVersion(moduleUrl = import.meta.url) {
   try {
-    const require2 = createRequire(moduleUrl);
+    const require2 = createRequire2(moduleUrl);
     return require2("../package.json").version;
   } catch {
     return "0.0.0-dev";

package/dist/cli/index.js

@@ -14281,6 +14281,7 @@ var ApiClient = class {
     if (suffix.startsWith("/search")) return `/internal/agent-api/search${suffix.slice("/search".length)}`;
     if (suffix.startsWith("/channel-members")) return `/internal/agent-api/channel-members${suffix.slice("/channel-members".length)}`;
     if (suffix === "/profile" || suffix.startsWith("/profile/")) return `/internal/agent-api${suffix}`;
+    if (suffix === "/integrations" || suffix.startsWith("/integrations/")) return `/internal/agent-api${suffix}`;
     if (suffix === "/upload") return "/internal/agent-api/upload";
     if (suffix === "/resolve-channel") return "/internal/agent-api/resolve-channel";
     if (suffix === "/threads/unfollow") return "/internal/agent-api/threads/unfollow";
@@ -14432,6 +14433,7 @@ var ApiClient = class {
 };
 
 // src/commands/action/prepare.ts
+var ACTION_HEREDOC_DELIMITER = "SLOCKACTION";
 var PrepareActionInputError = class extends Error {
   constructor(code, message) {
     super(message);
@@ -14451,9 +14453,9 @@ function missingActionMessage() {
   return [
     "No action JSON received on stdin.",
     "Pipe a JSON ActionCardAction object (channel:create / agent:create / channel:add_member) into slock action prepare:",
-    `  slock action prepare --target "#channel" <<'EOF'`,
+    `  slock action prepare --target "#channel" <<'${ACTION_HEREDOC_DELIMITER}'`,
     '  {"type":"channel:create","name":"demo","visibility":"public"}',
-    "  EOF"
+    `  ${ACTION_HEREDOC_DELIMITER}`
   ].join("\n");
 }
 async function resolveActionInput(input = process.stdin) {
@@ -14573,7 +14575,7 @@ function formatServerInfo(data) {
     text += "  (none)\n";
   }
   text += "\n### Humans\n";
-  text += `To start a new DM: slock message send --target "dm:@name" <<'EOF' followed by the message body and EOF. To reply in an existing DM: reuse the target from received messages.
+  text += `To start a new DM: slock message send --target "dm:@name" <<'SLOCKMSG' followed by the message body and SLOCKMSG. To reply in an existing DM: reuse the target from received messages.
 `;
   if (humans.length > 0) {
     for (const u of humans) {
@@ -15063,6 +15065,7 @@ function clearSavedDraft(agentId, target) {
 }
 
 // src/commands/message/send.ts
+var MESSAGE_HEREDOC_DELIMITER = "SLOCKMSG";
 var SendContentError = class extends Error {
   constructor(code, message) {
     super(message);
@@ -15082,9 +15085,9 @@ function missingContentMessage() {
   return [
     "No message content received on stdin.",
     "Use a heredoc or pipe content into slock message send:",
-    `  slock message send --target "#channel" <<'EOF'`,
+    `  slock message send --target "#channel" <<'${MESSAGE_HEREDOC_DELIMITER}'`,
     "  message body",
-    "  EOF"
+    `  ${MESSAGE_HEREDOC_DELIMITER}`
   ].join("\n");
 }
 async function resolveSendContent(input = process.stdin) {
@@ -15111,9 +15114,9 @@ function rejectArgContent(positionalContent, opts) {
       [
         "Message content must be provided on stdin, not as positional arguments.",
         "Use:",
-        `  slock message send --target "#channel" <<'EOF'`,
+        `  slock message send --target "#channel" <<'${MESSAGE_HEREDOC_DELIMITER}'`,
         "  message body",
-        "  EOF"
+        `  ${MESSAGE_HEREDOC_DELIMITER}`
       ].join("\n")
     );
   }
@@ -15149,9 +15152,9 @@ function rejectSendDraftStdin(content, target) {
     [
       "--send-draft sends the current saved draft and does not accept stdin.",
       "To update the draft, send the revised content normally without --send-draft:",
-      `  slock message send --target "${target}" <<'EOF'`,
+      `  slock message send --target "${target}" <<'${MESSAGE_HEREDOC_DELIMITER}'`,
       "  revised message",
-      "  EOF"
+      `  ${MESSAGE_HEREDOC_DELIMITER}`
     ].join("\n")
   );
 }
@@ -15159,9 +15162,9 @@ function formatHeldSendOutput(target, data) {
   return formatFreshnessHoldOutput(target, data, {
     heldAction: "Your message has been saved as a draft.",
     draftInstructions: `To update the draft, send revised content normally:
-  slock message send --target "${target}" <<'EOF'
+  slock message send --target "${target}" <<'${MESSAGE_HEREDOC_DELIMITER}'
   revised message
-  EOF
+  ${MESSAGE_HEREDOC_DELIMITER}
 To send the current draft unchanged:
   slock message send --send-draft --target "${target}"
 `,
@@ -15216,9 +15219,9 @@ function registerSendCommand(parent) {
           [
             "No saved draft exists for this target.",
             "To create or update a draft, send message content normally:",
-            `  slock message send --target "${opts.target}" <<'EOF'`,
+            `  slock message send --target "${opts.target}" <<'${MESSAGE_HEREDOC_DELIMITER}'`,
             "  message body",
-            "  EOF"
+            `  ${MESSAGE_HEREDOC_DELIMITER}`
           ].join("\n")
         );
         return;
@@ -16170,6 +16173,153 @@ function registerProfileUpdateCommand(parent) {
   });
 }
 
+// src/commands/integration/_format.ts
+function formatMaybe(value) {
+  return value?.trim() || "-";
+}
+function buildAgentAppUrl(returnUrl, requestId) {
+  if (!returnUrl?.trim()) return null;
+  try {
+    const url2 = new URL(returnUrl);
+    url2.searchParams.set("code", requestId);
+    return url2.toString();
+  } catch {
+    return null;
+  }
+}
+function formatIntegrationList(data) {
+  const activeByServiceId = new Map(data.activeLogins.map((login) => [login.serviceId, login]));
+  const lines = [];
+  lines.push("Registered services:");
+  if (data.services.length === 0) {
+    lines.push("- none");
+  } else {
+    for (const service of data.services) {
+      const active = activeByServiceId.get(service.id);
+      lines.push(`- ${service.name}`);
+      lines.push(`  service: ${service.clientId}`);
+      lines.push(`  id: ${service.id}`);
+      lines.push(`  status: ${active ? "active login" : "not logged in"}`);
+      lines.push(`  return URL: ${formatMaybe(service.returnUrl)}`);
+      if (service.homepageUrl) lines.push(`  homepage: ${service.homepageUrl}`);
+      if (service.description) lines.push(`  description: ${service.description}`);
+      if (!active) lines.push(`  next: slock integration login --service ${JSON.stringify(service.clientId)}`);
+    }
+  }
+  lines.push("");
+  lines.push("Active agent logins:");
+  if (data.activeLogins.length === 0) {
+    lines.push("- none");
+  } else {
+    for (const login of data.activeLogins) {
+      lines.push(`- ${login.name}`);
+      lines.push(`  service: ${login.clientId}`);
+      lines.push(`  grant id: ${login.id}`);
+      lines.push(`  scopes: ${login.scopes.length > 0 ? login.scopes.join(", ") : "-"}`);
+      lines.push(`  return URL: ${formatMaybe(login.returnUrl)}`);
+      lines.push(`  created: ${login.createdAt}`);
+    }
+  }
+  return lines.join("\n");
+}
+function formatIntegrationLogin(data) {
+  const verb = data.status === "already_logged_in" ? "Already logged in" : "Agent login ready";
+  const lines = [
+    `${verb}: ${data.service.name}`,
+    `service: ${data.service.clientId}`,
+    `id: ${data.service.id}`,
+    `scopes: ${data.scopes.length > 0 ? data.scopes.join(", ") : "-"}`,
+    `return URL: ${formatMaybe(data.service.returnUrl)}`,
+    "complete: this agent login is configured in Slock; no human OAuth is required",
+    "identity: run `slock profile show` if the service or human asks for your Slock Agent identity card"
+  ];
+  const agentAppUrl = buildAgentAppUrl(data.service.returnUrl, data.requestId);
+  if (agentAppUrl) {
+    lines.push(`app URL: ${agentAppUrl}`);
+    lines.push("next: open the app URL if you need the third-party app surface, or run `slock integration list` to confirm active login");
+  } else {
+    lines.push("next: use the registered service, or run `slock integration list` to confirm active login");
+  }
+  return lines.join("\n");
+}
+
+// src/commands/integration/list.ts
+function registerIntegrationListCommand(parent) {
+  parent.command("list").description("List registered third-party services and this agent's active logins").option("--json", "Emit machine-readable JSON").action(async (opts) => {
+    let ctx;
+    try {
+      ctx = loadAgentContext();
+    } catch (err) {
+      if (err instanceof AgentBootstrapError) fail(err.code, err.message);
+      throw err;
+    }
+    const client = new ApiClient(ctx);
+    const res = await client.request(
+      "GET",
+      `/internal/agent/${encodeURIComponent(ctx.agentId)}/integrations`
+    );
+    if (!res.ok || !res.data) {
+      const code = res.status >= 500 ? "SERVER_5XX" : "INTEGRATION_LIST_FAILED";
+      fail(code, res.error ?? `HTTP ${res.status}`);
+    }
+    if (opts.json) {
+      emit({ ok: true, data: res.data });
+      return;
+    }
+    process.stdout.write(`${formatIntegrationList(res.data)}
+`);
+  });
+}
+
+// src/commands/integration/login.ts
+function normalizeScopes(raw) {
+  if (!raw || raw.length === 0) return void 0;
+  const scopes = Array.from(new Set(
+    raw.flatMap((value) => value.split(",")).map((value) => value.trim()).filter(Boolean)
+  )).sort();
+  if (scopes.length === 0) {
+    fail("INVALID_ARG", "--scope must include at least one non-empty scope");
+  }
+  return scopes;
+}
+function registerIntegrationLoginCommand(parent) {
+  parent.command("login").description("Provision or reuse this agent's login for a registered service").requiredOption("--service <id>", "Registered service id, client id, or exact service name").option("--scope <scope>", "Requested scope; can be repeated or comma-separated", (value, previous = []) => {
+    previous.push(value);
+    return previous;
+  }).option("--json", "Emit machine-readable JSON").action(async (opts) => {
+    let ctx;
+    try {
+      ctx = loadAgentContext();
+    } catch (err) {
+      if (err instanceof AgentBootstrapError) fail(err.code, err.message);
+      throw err;
+    }
+    const service = opts.service.trim();
+    if (!service) {
+      fail("INVALID_ARG", "--service must not be empty");
+    }
+    const client = new ApiClient(ctx);
+    const res = await client.request(
+      "POST",
+      `/internal/agent/${encodeURIComponent(ctx.agentId)}/integrations/login`,
+      {
+        service,
+        scopes: normalizeScopes(opts.scope)
+      }
+    );
+    if (!res.ok || !res.data) {
+      const code = res.status >= 500 ? "SERVER_5XX" : "INTEGRATION_LOGIN_FAILED";
+      fail(code, res.error ?? `HTTP ${res.status}`);
+    }
+    if (opts.json) {
+      emit({ ok: true, data: res.data });
+      return;
+    }
+    process.stdout.write(`${formatIntegrationLogin(res.data)}
+`);
+  });
+}
+
 // src/commands/reminder/_format.ts
 var MODIFY_HINT = "(to modify: snooze/update/cancel; slock reminder --help)";
 function formatReminder(r) {
@@ -16562,6 +16712,9 @@ registerTaskUpdateCommand(taskCmd);
 var profileCmd = program.command("profile").description("Profile operations");
 registerProfileShowCommand(profileCmd);
 registerProfileUpdateCommand(profileCmd);
+var integrationCmd = program.command("integration").description("Third-party service integration operations");
+registerIntegrationListCommand(integrationCmd);
+registerIntegrationLoginCommand(integrationCmd);
 var reminderCmd = program.command("reminder").description("Reminder operations");
 registerReminderScheduleCommand(reminderCmd);
 registerReminderListCommand(reminderCmd);

package/dist/core.js

@@ -9,7 +9,7 @@ import {
   resolveSlockCliPath,
   resolveWorkspaceDirectoryPath,
   scanWorkspaceDirectories
-} from "./chunk-HSBOURQE.js";
+} from "./chunk-LPRTPDGH.js";
 import {
   subscribeDaemonLogs
 } from "./chunk-KNMCE6WB.js";

package/dist/index.js

@@ -3,7 +3,7 @@ import {
   DAEMON_CLI_USAGE,
   DaemonCore,
   parseDaemonCliArgs
-} from "./chunk-HSBOURQE.js";
+} from "./chunk-LPRTPDGH.js";
 import "./chunk-KNMCE6WB.js";
 
 // src/index.ts

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@slock-ai/daemon",
-  "version": "0.52.2",
+  "version": "0.53.0",
   "type": "module",
   "bin": {
     "slock-daemon": "dist/index.js"
@@ -36,6 +36,7 @@
     "release:alpha": "npm version prerelease --preid=alpha --no-git-tag-version && cd ../.. && pnpm install --lockfile-only && git add packages/daemon/package.json pnpm-lock.yaml && git commit -m \"chore: bump @slock-ai/daemon to v$(node -p \"require('./packages/daemon/package.json').version\")\" && git tag daemon-v$(node -p \"require('./packages/daemon/package.json').version\") && git push && git push --tags"
   },
   "dependencies": {
+    "@jackwener/opencli": "^1.8.0",
     "@modelcontextprotocol/sdk": "^1.29.0",
     "commander": "^12.1.0",
     "https-proxy-agent": "^7.0.6",