@symerian/symi 2.5.8 → 2.6.1

package/dist/{model-auth-DK43VicI.js → auth-profiles-DdK1Hxaa.js}

@@ -1,177 +1,24 @@
 import { t as __exportAll } from "./rolldown-runtime-Cbj13DAv.js";
-import { o as resolveOAuthPath, s as resolveStateDir } from "./paths-Cce4PUkG.js";
+import { o as resolveOAuthPath, s as resolveStateDir } from "./paths-CE7eVGHg.js";
 import { t as DEFAULT_AGENT_ID } from "./session-key-BCzIW1Y2.js";
-import { I as resolveUserPath } from "./registry-CK4e9hn8.js";
-import { a as resolveAgentModelPrimary, n as resolveAgentConfig } from "./agent-scope-BxoUQqgM.js";
-import { t as createSubsystemLogger } from "./subsystem-Bs9YvKLa.js";
-import { r as isTruthyEnvValue, t as formatCliCommand } from "./command-format-BaxDnULz.js";
-import { a as saveJsonFile, i as loadJsonFile, r as resolveCopilotApiToken, t as DEFAULT_COPILOT_API_BASE_URL } from "./github-copilot-token-C_qUP7p5.js";
-import fs from "node:fs/promises";
+import { I as resolveUserPath } from "./registry-DYq1AYOv.js";
+import { a as resolveAgentModelPrimary, n as resolveAgentConfig } from "./agent-scope-CpEJ0B88.js";
+import { t as createSubsystemLogger } from "./subsystem-BjyjJF-d.js";
+import { n as formatCliCommand, t as isTruthyEnvValue } from "./env-BDXYbTKj.js";
+import { a as saveJsonFile, i as loadJsonFile, r as resolveCopilotApiToken, t as DEFAULT_COPILOT_API_BASE_URL } from "./github-copilot-token-cCYzSU9h.js";
 import path from "node:path";
-import fs$1 from "node:fs";
+import fs from "node:fs";
+import fs$1 from "node:fs/promises";
 import { execFileSync } from "node:child_process";
 import { createHash, randomBytes, randomUUID } from "node:crypto";
-import { createAssistantMessageEventStream, getEnvApiKey, getOAuthApiKey, getOAuthProviders } from "@mariozechner/pi-ai";
 import { BedrockClient, ListFoundationModelsCommand } from "@aws-sdk/client-bedrock";
+import { createAssistantMessageEventStream, getEnvApiKey, getOAuthApiKey, getOAuthProviders } from "@mariozechner/pi-ai";
 
-//#region src/infra/shell-env.ts
-const DEFAULT_TIMEOUT_MS = 15e3;
-const DEFAULT_MAX_BUFFER_BYTES = 2 * 1024 * 1024;
-let lastAppliedKeys = [];
-let cachedShellPath;
-function resolveTimeoutMs(timeoutMs) {
-	if (typeof timeoutMs !== "number" || !Number.isFinite(timeoutMs)) return DEFAULT_TIMEOUT_MS;
-	return Math.max(0, timeoutMs);
-}
-function resolveShell(env) {
-	const shell = env.SHELL?.trim();
-	return shell && shell.length > 0 ? shell : "/bin/sh";
-}
-function execLoginShellEnvZero(params) {
-	return params.exec(params.shell, [
-		"-l",
-		"-c",
-		"env -0"
-	], {
-		encoding: "buffer",
-		timeout: params.timeoutMs,
-		maxBuffer: DEFAULT_MAX_BUFFER_BYTES,
-		env: params.env,
-		stdio: [
-			"ignore",
-			"pipe",
-			"pipe"
-		]
-	});
-}
-function parseShellEnv(stdout) {
-	const shellEnv = /* @__PURE__ */ new Map();
-	const parts = stdout.toString("utf8").split("\0");
-	for (const part of parts) {
-		if (!part) continue;
-		const eq = part.indexOf("=");
-		if (eq <= 0) continue;
-		const key = part.slice(0, eq);
-		const value = part.slice(eq + 1);
-		if (!key) continue;
-		shellEnv.set(key, value);
-	}
-	return shellEnv;
-}
-function loadShellEnvFallback(opts) {
-	const logger = opts.logger ?? console;
-	const exec = opts.exec ?? execFileSync;
-	if (!opts.enabled) {
-		lastAppliedKeys = [];
-		return {
-			ok: true,
-			applied: [],
-			skippedReason: "disabled"
-		};
-	}
-	if (opts.expectedKeys.some((key) => Boolean(opts.env[key]?.trim()))) {
-		lastAppliedKeys = [];
-		return {
-			ok: true,
-			applied: [],
-			skippedReason: "already-has-keys"
-		};
-	}
-	const timeoutMs = resolveTimeoutMs(opts.timeoutMs);
-	const shell = resolveShell(opts.env);
-	let stdout;
-	try {
-		stdout = execLoginShellEnvZero({
-			shell,
-			env: opts.env,
-			exec,
-			timeoutMs
-		});
-	} catch (err) {
-		const msg = err instanceof Error ? err.message : String(err);
-		logger.warn(`[symi] shell env fallback failed: ${msg}`);
-		lastAppliedKeys = [];
-		return {
-			ok: false,
-			error: msg,
-			applied: []
-		};
-	}
-	const shellEnv = parseShellEnv(stdout);
-	const applied = [];
-	for (const key of opts.expectedKeys) {
-		if (opts.env[key]?.trim()) continue;
-		const value = shellEnv.get(key);
-		if (!value?.trim()) continue;
-		opts.env[key] = value;
-		applied.push(key);
-	}
-	lastAppliedKeys = applied;
-	return {
-		ok: true,
-		applied
-	};
-}
-function shouldEnableShellEnvFallback(env) {
-	return isTruthyEnvValue(env.SYMI_LOAD_SHELL_ENV);
-}
-function shouldDeferShellEnvFallback(env) {
-	return isTruthyEnvValue(env.SYMI_DEFER_SHELL_ENV_FALLBACK);
-}
-function resolveShellEnvFallbackTimeoutMs(env) {
-	const raw = env.SYMI_SHELL_ENV_TIMEOUT_MS?.trim();
-	if (!raw) return DEFAULT_TIMEOUT_MS;
-	const parsed = Number.parseInt(raw, 10);
-	if (!Number.isFinite(parsed)) return DEFAULT_TIMEOUT_MS;
-	return Math.max(0, parsed);
-}
-function getShellPathFromLoginShell(opts) {
-	if (cachedShellPath !== void 0) return cachedShellPath;
-	if ((opts.platform ?? process.platform) === "win32") {
-		cachedShellPath = null;
-		return cachedShellPath;
-	}
-	const exec = opts.exec ?? execFileSync;
-	const timeoutMs = resolveTimeoutMs(opts.timeoutMs);
-	const shell = resolveShell(opts.env);
-	let stdout;
-	try {
-		stdout = execLoginShellEnvZero({
-			shell,
-			env: opts.env,
-			exec,
-			timeoutMs
-		});
-	} catch {
-		cachedShellPath = null;
-		return cachedShellPath;
-	}
-	const shellPath = parseShellEnv(stdout).get("PATH")?.trim();
-	cachedShellPath = shellPath && shellPath.length > 0 ? shellPath : null;
-	return cachedShellPath;
-}
-function getShellEnvAppliedKeys() {
-	return [...lastAppliedKeys];
-}
-
-//#endregion
-//#region src/utils/normalize-secret-input.ts
-/**
-* Secret normalization for copy/pasted credentials.
-*
-* Common footgun: line breaks (especially `\r`) embedded in API keys/tokens.
-* We strip line breaks anywhere, then trim whitespace at the ends.
-*
-* Intentionally does NOT remove ordinary spaces inside the string to avoid
-* silently altering "Bearer <token>" style values.
-*/
-function normalizeSecretInput(value) {
-	if (typeof value !== "string") return "";
-	return value.replace(/[\r\n\u2028\u2029]+/g, "").trim();
-}
-function normalizeOptionalSecretInput(value) {
-	const normalized = normalizeSecretInput(value);
-	return normalized ? normalized : void 0;
+//#region src/agents/agent-paths.ts
+function resolveSymiAgentDir() {
+	const override = process.env.SYMI_AGENT_DIR?.trim() || process.env.PI_CODING_AGENT_DIR?.trim();
+	if (override) return resolveUserPath(override);
+	return resolveUserPath(path.join(resolveStateDir(), "agents", DEFAULT_AGENT_ID, "agent"));
 }
 
 //#endregion
@@ -753,6 +600,394 @@ async function discoverHuggingfaceModels(apiKey) {
 	}
 }
 
+//#endregion
+//#region src/infra/shell-env.ts
+const DEFAULT_TIMEOUT_MS = 15e3;
+const DEFAULT_MAX_BUFFER_BYTES = 2 * 1024 * 1024;
+let lastAppliedKeys = [];
+let cachedShellPath;
+function resolveTimeoutMs(timeoutMs) {
+	if (typeof timeoutMs !== "number" || !Number.isFinite(timeoutMs)) return DEFAULT_TIMEOUT_MS;
+	return Math.max(0, timeoutMs);
+}
+function resolveShell(env) {
+	const shell = env.SHELL?.trim();
+	return shell && shell.length > 0 ? shell : "/bin/sh";
+}
+function execLoginShellEnvZero(params) {
+	return params.exec(params.shell, [
+		"-l",
+		"-c",
+		"env -0"
+	], {
+		encoding: "buffer",
+		timeout: params.timeoutMs,
+		maxBuffer: DEFAULT_MAX_BUFFER_BYTES,
+		env: params.env,
+		stdio: [
+			"ignore",
+			"pipe",
+			"pipe"
+		]
+	});
+}
+function parseShellEnv(stdout) {
+	const shellEnv = /* @__PURE__ */ new Map();
+	const parts = stdout.toString("utf8").split("\0");
+	for (const part of parts) {
+		if (!part) continue;
+		const eq = part.indexOf("=");
+		if (eq <= 0) continue;
+		const key = part.slice(0, eq);
+		const value = part.slice(eq + 1);
+		if (!key) continue;
+		shellEnv.set(key, value);
+	}
+	return shellEnv;
+}
+function loadShellEnvFallback(opts) {
+	const logger = opts.logger ?? console;
+	const exec = opts.exec ?? execFileSync;
+	if (!opts.enabled) {
+		lastAppliedKeys = [];
+		return {
+			ok: true,
+			applied: [],
+			skippedReason: "disabled"
+		};
+	}
+	if (opts.expectedKeys.some((key) => Boolean(opts.env[key]?.trim()))) {
+		lastAppliedKeys = [];
+		return {
+			ok: true,
+			applied: [],
+			skippedReason: "already-has-keys"
+		};
+	}
+	const timeoutMs = resolveTimeoutMs(opts.timeoutMs);
+	const shell = resolveShell(opts.env);
+	let stdout;
+	try {
+		stdout = execLoginShellEnvZero({
+			shell,
+			env: opts.env,
+			exec,
+			timeoutMs
+		});
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		logger.warn(`[symi] shell env fallback failed: ${msg}`);
+		lastAppliedKeys = [];
+		return {
+			ok: false,
+			error: msg,
+			applied: []
+		};
+	}
+	const shellEnv = parseShellEnv(stdout);
+	const applied = [];
+	for (const key of opts.expectedKeys) {
+		if (opts.env[key]?.trim()) continue;
+		const value = shellEnv.get(key);
+		if (!value?.trim()) continue;
+		opts.env[key] = value;
+		applied.push(key);
+	}
+	lastAppliedKeys = applied;
+	return {
+		ok: true,
+		applied
+	};
+}
+function shouldEnableShellEnvFallback(env) {
+	return isTruthyEnvValue(env.SYMI_LOAD_SHELL_ENV);
+}
+function shouldDeferShellEnvFallback(env) {
+	return isTruthyEnvValue(env.SYMI_DEFER_SHELL_ENV_FALLBACK);
+}
+function resolveShellEnvFallbackTimeoutMs(env) {
+	const raw = env.SYMI_SHELL_ENV_TIMEOUT_MS?.trim();
+	if (!raw) return DEFAULT_TIMEOUT_MS;
+	const parsed = Number.parseInt(raw, 10);
+	if (!Number.isFinite(parsed)) return DEFAULT_TIMEOUT_MS;
+	return Math.max(0, parsed);
+}
+function getShellPathFromLoginShell(opts) {
+	if (cachedShellPath !== void 0) return cachedShellPath;
+	if ((opts.platform ?? process.platform) === "win32") {
+		cachedShellPath = null;
+		return cachedShellPath;
+	}
+	const exec = opts.exec ?? execFileSync;
+	const timeoutMs = resolveTimeoutMs(opts.timeoutMs);
+	const shell = resolveShell(opts.env);
+	let stdout;
+	try {
+		stdout = execLoginShellEnvZero({
+			shell,
+			env: opts.env,
+			exec,
+			timeoutMs
+		});
+	} catch {
+		cachedShellPath = null;
+		return cachedShellPath;
+	}
+	const shellPath = parseShellEnv(stdout).get("PATH")?.trim();
+	cachedShellPath = shellPath && shellPath.length > 0 ? shellPath : null;
+	return cachedShellPath;
+}
+function getShellEnvAppliedKeys() {
+	return [...lastAppliedKeys];
+}
+
+//#endregion
+//#region src/utils/normalize-secret-input.ts
+/**
+* Secret normalization for copy/pasted credentials.
+*
+* Common footgun: line breaks (especially `\r`) embedded in API keys/tokens.
+* We strip line breaks anywhere, then trim whitespace at the ends.
+*
+* Intentionally does NOT remove ordinary spaces inside the string to avoid
+* silently altering "Bearer <token>" style values.
+*/
+function normalizeSecretInput(value) {
+	if (typeof value !== "string") return "";
+	return value.replace(/[\r\n\u2028\u2029]+/g, "").trim();
+}
+function normalizeOptionalSecretInput(value) {
+	const normalized = normalizeSecretInput(value);
+	return normalized ? normalized : void 0;
+}
+
+//#endregion
+//#region src/agents/model-auth.ts
+const AWS_BEARER_ENV = "AWS_BEARER_TOKEN_BEDROCK";
+const AWS_ACCESS_KEY_ENV = "AWS_ACCESS_KEY_ID";
+const AWS_SECRET_KEY_ENV = "AWS_SECRET_ACCESS_KEY";
+const AWS_PROFILE_ENV = "AWS_PROFILE";
+function resolveProviderConfig(cfg, provider) {
+	const providers = cfg?.models?.providers ?? {};
+	const direct = providers[provider];
+	if (direct) return direct;
+	const normalized = normalizeProviderId(provider);
+	if (normalized === provider) return Object.entries(providers).find(([key]) => normalizeProviderId(key) === normalized)?.[1];
+	return providers[normalized] ?? Object.entries(providers).find(([key]) => normalizeProviderId(key) === normalized)?.[1];
+}
+function getCustomProviderApiKey(cfg, provider) {
+	return normalizeOptionalSecretInput(resolveProviderConfig(cfg, provider)?.apiKey);
+}
+function resolveProviderAuthOverride(cfg, provider) {
+	const auth = resolveProviderConfig(cfg, provider)?.auth;
+	if (auth === "api-key" || auth === "aws-sdk" || auth === "oauth" || auth === "token") return auth;
+}
+function resolveEnvSourceLabel(params) {
+	return `${params.envVars.some((envVar) => params.applied.has(envVar)) ? "shell env: " : "env: "}${params.label}`;
+}
+function resolveAwsSdkEnvVarName(env = process.env) {
+	if (env[AWS_BEARER_ENV]?.trim()) return AWS_BEARER_ENV;
+	if (env[AWS_ACCESS_KEY_ENV]?.trim() && env[AWS_SECRET_KEY_ENV]?.trim()) return AWS_ACCESS_KEY_ENV;
+	if (env[AWS_PROFILE_ENV]?.trim()) return AWS_PROFILE_ENV;
+}
+function resolveAwsSdkAuthInfo() {
+	const applied = new Set(getShellEnvAppliedKeys());
+	if (process.env[AWS_BEARER_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_BEARER_ENV],
+			label: AWS_BEARER_ENV
+		})
+	};
+	if (process.env[AWS_ACCESS_KEY_ENV]?.trim() && process.env[AWS_SECRET_KEY_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_ACCESS_KEY_ENV, AWS_SECRET_KEY_ENV],
+			label: `${AWS_ACCESS_KEY_ENV} + ${AWS_SECRET_KEY_ENV}`
+		})
+	};
+	if (process.env[AWS_PROFILE_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_PROFILE_ENV],
+			label: AWS_PROFILE_ENV
+		})
+	};
+	return {
+		mode: "aws-sdk",
+		source: "aws-sdk default chain"
+	};
+}
+async function resolveApiKeyForProvider(params) {
+	const { provider, cfg, profileId, preferredProfile } = params;
+	const store = params.store ?? ensureAuthProfileStore(params.agentDir);
+	if (profileId) {
+		const resolved = await resolveApiKeyForProfile({
+			cfg,
+			store,
+			profileId,
+			agentDir: params.agentDir
+		});
+		if (!resolved) throw new Error(`No credentials found for profile "${profileId}".`);
+		const mode = store.profiles[profileId]?.type;
+		return {
+			apiKey: resolved.apiKey,
+			profileId,
+			source: `profile:${profileId}`,
+			mode: mode === "oauth" ? "oauth" : mode === "token" ? "token" : "api-key"
+		};
+	}
+	const authOverride = resolveProviderAuthOverride(cfg, provider);
+	if (authOverride === "aws-sdk") return resolveAwsSdkAuthInfo();
+	const order = resolveAuthProfileOrder({
+		cfg,
+		store,
+		provider,
+		preferredProfile
+	});
+	for (const candidate of order) try {
+		const resolved = await resolveApiKeyForProfile({
+			cfg,
+			store,
+			profileId: candidate,
+			agentDir: params.agentDir
+		});
+		if (resolved) {
+			const mode = store.profiles[candidate]?.type;
+			return {
+				apiKey: resolved.apiKey,
+				profileId: candidate,
+				source: `profile:${candidate}`,
+				mode: mode === "oauth" ? "oauth" : mode === "token" ? "token" : "api-key"
+			};
+		}
+	} catch {}
+	const envResolved = resolveEnvApiKey(provider);
+	if (envResolved) return {
+		apiKey: envResolved.apiKey,
+		source: envResolved.source,
+		mode: envResolved.source.includes("OAUTH_TOKEN") ? "oauth" : "api-key"
+	};
+	const customKey = getCustomProviderApiKey(cfg, provider);
+	if (customKey) return {
+		apiKey: customKey,
+		source: "models.json",
+		mode: "api-key"
+	};
+	const normalized = normalizeProviderId(provider);
+	if (authOverride === void 0 && normalized === "amazon-bedrock") return resolveAwsSdkAuthInfo();
+	if (provider === "openai") {
+		if (listProfilesForProvider(store, "openai-codex").length > 0) throw new Error("No API key found for provider \"openai\". You are authenticated with OpenAI Codex OAuth. Use openai-codex/gpt-5.3-codex (OAuth) or set OPENAI_API_KEY to use openai/gpt-5.1-codex.");
+	}
+	const authStorePath = resolveAuthStorePathForDisplay(params.agentDir);
+	const resolvedAgentDir = path.dirname(authStorePath);
+	throw new Error([
+		`No API key found for provider "${provider}".`,
+		`Auth store: ${authStorePath} (agentDir: ${resolvedAgentDir}).`,
+		`Configure auth for this agent (${formatCliCommand("symi agents add <id>")}) or copy auth-profiles.json from the main agentDir.`
+	].join(" "));
+}
+function resolveEnvApiKey(provider) {
+	const normalized = normalizeProviderId(provider);
+	const applied = new Set(getShellEnvAppliedKeys());
+	const pick = (envVar) => {
+		const value = normalizeOptionalSecretInput(process.env[envVar]);
+		if (!value) return null;
+		return {
+			apiKey: value,
+			source: applied.has(envVar) ? `shell env: ${envVar}` : `env: ${envVar}`
+		};
+	};
+	if (normalized === "github-copilot") return pick("COPILOT_GITHUB_TOKEN") ?? pick("GH_TOKEN") ?? pick("GITHUB_TOKEN");
+	if (normalized === "anthropic") return pick("ANTHROPIC_OAUTH_TOKEN") ?? pick("ANTHROPIC_API_KEY");
+	if (normalized === "chutes") return pick("CHUTES_OAUTH_TOKEN") ?? pick("CHUTES_API_KEY");
+	if (normalized === "zai") return pick("ZAI_API_KEY") ?? pick("Z_AI_API_KEY");
+	if (normalized === "google-vertex") {
+		const envKey = getEnvApiKey(normalized);
+		if (!envKey) return null;
+		return {
+			apiKey: envKey,
+			source: "gcloud adc"
+		};
+	}
+	if (normalized === "opencode") return pick("OPENCODE_API_KEY") ?? pick("OPENCODE_ZEN_API_KEY");
+	if (normalized === "qwen-portal") return pick("QWEN_OAUTH_TOKEN") ?? pick("QWEN_PORTAL_API_KEY");
+	if (normalized === "volcengine" || normalized === "volcengine-plan") return pick("VOLCANO_ENGINE_API_KEY");
+	if (normalized === "byteplus" || normalized === "byteplus-plan") return pick("BYTEPLUS_API_KEY");
+	if (normalized === "minimax-portal") return pick("MINIMAX_OAUTH_TOKEN") ?? pick("MINIMAX_API_KEY");
+	if (normalized === "kimi-coding") return pick("KIMI_API_KEY") ?? pick("KIMICODE_API_KEY");
+	if (normalized === "huggingface") return pick("HUGGINGFACE_HUB_TOKEN") ?? pick("HF_TOKEN");
+	const envVar = {
+		openai: "OPENAI_API_KEY",
+		google: "GEMINI_API_KEY",
+		voyage: "VOYAGE_API_KEY",
+		groq: "GROQ_API_KEY",
+		deepgram: "DEEPGRAM_API_KEY",
+		cerebras: "CEREBRAS_API_KEY",
+		xai: "XAI_API_KEY",
+		openrouter: "OPENROUTER_API_KEY",
+		litellm: "LITELLM_API_KEY",
+		"vercel-ai-gateway": "AI_GATEWAY_API_KEY",
+		"cloudflare-ai-gateway": "CLOUDFLARE_AI_GATEWAY_API_KEY",
+		moonshot: "MOONSHOT_API_KEY",
+		minimax: "MINIMAX_API_KEY",
+		nvidia: "NVIDIA_API_KEY",
+		xiaomi: "XIAOMI_API_KEY",
+		synthetic: "SYNTHETIC_API_KEY",
+		venice: "VENICE_API_KEY",
+		mistral: "MISTRAL_API_KEY",
+		opencode: "OPENCODE_API_KEY",
+		together: "TOGETHER_API_KEY",
+		qianfan: "QIANFAN_API_KEY",
+		ollama: "OLLAMA_API_KEY",
+		vllm: "VLLM_API_KEY"
+	}[normalized];
+	if (!envVar) return null;
+	return pick(envVar);
+}
+function resolveModelAuthMode(provider, cfg, store) {
+	const resolved = provider?.trim();
+	if (!resolved) return;
+	const authOverride = resolveProviderAuthOverride(cfg, resolved);
+	if (authOverride === "aws-sdk") return "aws-sdk";
+	const authStore = store ?? ensureAuthProfileStore();
+	const profiles = listProfilesForProvider(authStore, resolved);
+	if (profiles.length > 0) {
+		const modes = new Set(profiles.map((id) => authStore.profiles[id]?.type).filter((mode) => Boolean(mode)));
+		if ([
+			"oauth",
+			"token",
+			"api_key"
+		].filter((k) => modes.has(k)).length >= 2) return "mixed";
+		if (modes.has("oauth")) return "oauth";
+		if (modes.has("token")) return "token";
+		if (modes.has("api_key")) return "api-key";
+	}
+	if (authOverride === void 0 && normalizeProviderId(resolved) === "amazon-bedrock") return "aws-sdk";
+	const envKey = resolveEnvApiKey(resolved);
+	if (envKey?.apiKey) return envKey.source.includes("OAUTH_TOKEN") ? "oauth" : "api-key";
+	if (getCustomProviderApiKey(cfg, resolved)) return "api-key";
+	return "unknown";
+}
+async function getApiKeyForModel(params) {
+	return resolveApiKeyForProvider({
+		provider: params.model.provider,
+		cfg: params.cfg,
+		profileId: params.profileId,
+		preferredProfile: params.preferredProfile,
+		store: params.store,
+		agentDir: params.agentDir
+	});
+}
+function requireApiKey(auth, provider) {
+	const key = normalizeSecretInput(auth.apiKey);
+	if (key) return key;
+	throw new Error(`No API key resolved for provider "${provider}" (auth mode: ${auth.mode}).`);
+}
+
 //#endregion
 //#region src/agents/ollama-stream.ts
 const OLLAMA_NATIVE_BASE_URL = "http://127.0.0.1:11434";
@@ -2722,7 +2957,7 @@ function computeDelayMs(retries, attempt) {
 }
 async function readLockPayload(lockPath) {
 	try {
-		const raw = await fs.readFile(lockPath, "utf8");
+		const raw = await fs$1.readFile(lockPath, "utf8");
 		const parsed = JSON.parse(raw);
 		if (typeof parsed.pid !== "number" || typeof parsed.createdAt !== "string") return null;
 		return {
@@ -2736,9 +2971,9 @@ async function readLockPayload(lockPath) {
 async function resolveNormalizedFilePath(filePath) {
 	const resolved = path.resolve(filePath);
 	const dir = path.dirname(resolved);
-	await fs.mkdir(dir, { recursive: true });
+	await fs$1.mkdir(dir, { recursive: true });
 	try {
-		const realDir = await fs.realpath(dir);
+		const realDir = await fs$1.realpath(dir);
 		return path.join(realDir, path.basename(resolved));
 	} catch {
 		return resolved;
@@ -2752,7 +2987,7 @@ async function isStaleLock(lockPath, staleMs) {
 		if (!Number.isFinite(createdAt) || Date.now() - createdAt > staleMs) return true;
 	}
 	try {
-		const stat = await fs.stat(lockPath);
+		const stat = await fs$1.stat(lockPath);
 		return Date.now() - stat.mtimeMs > staleMs;
 	} catch {
 		return true;
@@ -2765,7 +3000,7 @@ async function releaseHeldLock(normalizedFile) {
 	if (current.count > 0) return;
 	HELD_LOCKS.delete(normalizedFile);
 	await current.handle.close().catch(() => void 0);
-	await fs.rm(current.lockPath, { force: true }).catch(() => void 0);
+	await fs$1.rm(current.lockPath, { force: true }).catch(() => void 0);
 }
 async function acquireFileLock(filePath, options) {
 	const normalizedFile = await resolveNormalizedFilePath(filePath);
@@ -2780,7 +3015,7 @@ async function acquireFileLock(filePath, options) {
 	}
 	const attempts = Math.max(1, options.retries.retries + 1);
 	for (let attempt = 0; attempt < attempts; attempt += 1) try {
-		const handle = await fs.open(lockPath, "wx");
+		const handle = await fs$1.open(lockPath, "wx");
 		await handle.writeFile(JSON.stringify({
 			pid: process.pid,
 			createdAt: (/* @__PURE__ */ new Date()).toISOString()
@@ -2797,7 +3032,7 @@ async function acquireFileLock(filePath, options) {
 	} catch (err) {
 		if (err.code !== "EEXIST") throw err;
 		if (await isStaleLock(lockPath, options.stale)) {
-			await fs.rm(lockPath, { force: true }).catch(() => void 0);
+			await fs$1.rm(lockPath, { force: true }).catch(() => void 0);
 			continue;
 		}
 		if (attempt >= attempts - 1) break;
@@ -2936,14 +3171,6 @@ function syncExternalCliCredentials(store) {
 	return mutated;
 }
 
-//#endregion
-//#region src/agents/agent-paths.ts
-function resolveSymiAgentDir() {
-	const override = process.env.SYMI_AGENT_DIR?.trim() || process.env.PI_CODING_AGENT_DIR?.trim();
-	if (override) return resolveUserPath(override);
-	return resolveUserPath(path.join(resolveStateDir(), "agents", DEFAULT_AGENT_ID, "agent"));
-}
-
 //#endregion
 //#region src/agents/auth-profiles/paths.ts
 function resolveAuthStorePath(agentDir) {
@@ -2959,7 +3186,7 @@ function resolveAuthStorePathForDisplay(agentDir) {
 	return pathname.startsWith("~") ? pathname : resolveUserPath(pathname);
 }
 function ensureAuthStoreFile(pathname) {
-	if (fs$1.existsSync(pathname)) return;
+	if (fs.existsSync(pathname)) return;
 	saveJsonFile(pathname, {
 		version: AUTH_STORE_VERSION,
 		profiles: {}
@@ -3128,7 +3355,7 @@ function loadAuthProfileStoreForAgent(agentDir, _options) {
 	if (shouldWrite && legacy !== null) {
 		const legacyPath = resolveLegacyAuthStorePath(agentDir);
 		try {
-			fs$1.unlinkSync(legacyPath);
+			fs.unlinkSync(legacyPath);
 		} catch (err) {
 			if (err?.code !== "ENOENT") log$1.warn("failed to delete legacy auth.json after migration", {
 				err,
@@ -3883,231 +4110,4 @@ function orderProfilesByMode(order, store) {
 var auth_profiles_exports = /* @__PURE__ */ __exportAll({ ensureAuthProfileStore: () => ensureAuthProfileStore });
 
 //#endregion
-//#region src/agents/model-auth.ts
-const AWS_BEARER_ENV = "AWS_BEARER_TOKEN_BEDROCK";
-const AWS_ACCESS_KEY_ENV = "AWS_ACCESS_KEY_ID";
-const AWS_SECRET_KEY_ENV = "AWS_SECRET_ACCESS_KEY";
-const AWS_PROFILE_ENV = "AWS_PROFILE";
-function resolveProviderConfig(cfg, provider) {
-	const providers = cfg?.models?.providers ?? {};
-	const direct = providers[provider];
-	if (direct) return direct;
-	const normalized = normalizeProviderId(provider);
-	if (normalized === provider) return Object.entries(providers).find(([key]) => normalizeProviderId(key) === normalized)?.[1];
-	return providers[normalized] ?? Object.entries(providers).find(([key]) => normalizeProviderId(key) === normalized)?.[1];
-}
-function getCustomProviderApiKey(cfg, provider) {
-	return normalizeOptionalSecretInput(resolveProviderConfig(cfg, provider)?.apiKey);
-}
-function resolveProviderAuthOverride(cfg, provider) {
-	const auth = resolveProviderConfig(cfg, provider)?.auth;
-	if (auth === "api-key" || auth === "aws-sdk" || auth === "oauth" || auth === "token") return auth;
-}
-function resolveEnvSourceLabel(params) {
-	return `${params.envVars.some((envVar) => params.applied.has(envVar)) ? "shell env: " : "env: "}${params.label}`;
-}
-function resolveAwsSdkEnvVarName(env = process.env) {
-	if (env[AWS_BEARER_ENV]?.trim()) return AWS_BEARER_ENV;
-	if (env[AWS_ACCESS_KEY_ENV]?.trim() && env[AWS_SECRET_KEY_ENV]?.trim()) return AWS_ACCESS_KEY_ENV;
-	if (env[AWS_PROFILE_ENV]?.trim()) return AWS_PROFILE_ENV;
-}
-function resolveAwsSdkAuthInfo() {
-	const applied = new Set(getShellEnvAppliedKeys());
-	if (process.env[AWS_BEARER_ENV]?.trim()) return {
-		mode: "aws-sdk",
-		source: resolveEnvSourceLabel({
-			applied,
-			envVars: [AWS_BEARER_ENV],
-			label: AWS_BEARER_ENV
-		})
-	};
-	if (process.env[AWS_ACCESS_KEY_ENV]?.trim() && process.env[AWS_SECRET_KEY_ENV]?.trim()) return {
-		mode: "aws-sdk",
-		source: resolveEnvSourceLabel({
-			applied,
-			envVars: [AWS_ACCESS_KEY_ENV, AWS_SECRET_KEY_ENV],
-			label: `${AWS_ACCESS_KEY_ENV} + ${AWS_SECRET_KEY_ENV}`
-		})
-	};
-	if (process.env[AWS_PROFILE_ENV]?.trim()) return {
-		mode: "aws-sdk",
-		source: resolveEnvSourceLabel({
-			applied,
-			envVars: [AWS_PROFILE_ENV],
-			label: AWS_PROFILE_ENV
-		})
-	};
-	return {
-		mode: "aws-sdk",
-		source: "aws-sdk default chain"
-	};
-}
-async function resolveApiKeyForProvider(params) {
-	const { provider, cfg, profileId, preferredProfile } = params;
-	const store = params.store ?? ensureAuthProfileStore(params.agentDir);
-	if (profileId) {
-		const resolved = await resolveApiKeyForProfile({
-			cfg,
-			store,
-			profileId,
-			agentDir: params.agentDir
-		});
-		if (!resolved) throw new Error(`No credentials found for profile "${profileId}".`);
-		const mode = store.profiles[profileId]?.type;
-		return {
-			apiKey: resolved.apiKey,
-			profileId,
-			source: `profile:${profileId}`,
-			mode: mode === "oauth" ? "oauth" : mode === "token" ? "token" : "api-key"
-		};
-	}
-	const authOverride = resolveProviderAuthOverride(cfg, provider);
-	if (authOverride === "aws-sdk") return resolveAwsSdkAuthInfo();
-	const order = resolveAuthProfileOrder({
-		cfg,
-		store,
-		provider,
-		preferredProfile
-	});
-	for (const candidate of order) try {
-		const resolved = await resolveApiKeyForProfile({
-			cfg,
-			store,
-			profileId: candidate,
-			agentDir: params.agentDir
-		});
-		if (resolved) {
-			const mode = store.profiles[candidate]?.type;
-			return {
-				apiKey: resolved.apiKey,
-				profileId: candidate,
-				source: `profile:${candidate}`,
-				mode: mode === "oauth" ? "oauth" : mode === "token" ? "token" : "api-key"
-			};
-		}
-	} catch {}
-	const envResolved = resolveEnvApiKey(provider);
-	if (envResolved) return {
-		apiKey: envResolved.apiKey,
-		source: envResolved.source,
-		mode: envResolved.source.includes("OAUTH_TOKEN") ? "oauth" : "api-key"
-	};
-	const customKey = getCustomProviderApiKey(cfg, provider);
-	if (customKey) return {
-		apiKey: customKey,
-		source: "models.json",
-		mode: "api-key"
-	};
-	const normalized = normalizeProviderId(provider);
-	if (authOverride === void 0 && normalized === "amazon-bedrock") return resolveAwsSdkAuthInfo();
-	if (provider === "openai") {
-		if (listProfilesForProvider(store, "openai-codex").length > 0) throw new Error("No API key found for provider \"openai\". You are authenticated with OpenAI Codex OAuth. Use openai-codex/gpt-5.3-codex (OAuth) or set OPENAI_API_KEY to use openai/gpt-5.1-codex.");
-	}
-	const authStorePath = resolveAuthStorePathForDisplay(params.agentDir);
-	const resolvedAgentDir = path.dirname(authStorePath);
-	throw new Error([
-		`No API key found for provider "${provider}".`,
-		`Auth store: ${authStorePath} (agentDir: ${resolvedAgentDir}).`,
-		`Configure auth for this agent (${formatCliCommand("symi agents add <id>")}) or copy auth-profiles.json from the main agentDir.`
-	].join(" "));
-}
-function resolveEnvApiKey(provider) {
-	const normalized = normalizeProviderId(provider);
-	const applied = new Set(getShellEnvAppliedKeys());
-	const pick = (envVar) => {
-		const value = normalizeOptionalSecretInput(process.env[envVar]);
-		if (!value) return null;
-		return {
-			apiKey: value,
-			source: applied.has(envVar) ? `shell env: ${envVar}` : `env: ${envVar}`
-		};
-	};
-	if (normalized === "github-copilot") return pick("COPILOT_GITHUB_TOKEN") ?? pick("GH_TOKEN") ?? pick("GITHUB_TOKEN");
-	if (normalized === "anthropic") return pick("ANTHROPIC_OAUTH_TOKEN") ?? pick("ANTHROPIC_API_KEY");
-	if (normalized === "chutes") return pick("CHUTES_OAUTH_TOKEN") ?? pick("CHUTES_API_KEY");
-	if (normalized === "zai") return pick("ZAI_API_KEY") ?? pick("Z_AI_API_KEY");
-	if (normalized === "google-vertex") {
-		const envKey = getEnvApiKey(normalized);
-		if (!envKey) return null;
-		return {
-			apiKey: envKey,
-			source: "gcloud adc"
-		};
-	}
-	if (normalized === "opencode") return pick("OPENCODE_API_KEY") ?? pick("OPENCODE_ZEN_API_KEY");
-	if (normalized === "qwen-portal") return pick("QWEN_OAUTH_TOKEN") ?? pick("QWEN_PORTAL_API_KEY");
-	if (normalized === "volcengine" || normalized === "volcengine-plan") return pick("VOLCANO_ENGINE_API_KEY");
-	if (normalized === "byteplus" || normalized === "byteplus-plan") return pick("BYTEPLUS_API_KEY");
-	if (normalized === "minimax-portal") return pick("MINIMAX_OAUTH_TOKEN") ?? pick("MINIMAX_API_KEY");
-	if (normalized === "kimi-coding") return pick("KIMI_API_KEY") ?? pick("KIMICODE_API_KEY");
-	if (normalized === "huggingface") return pick("HUGGINGFACE_HUB_TOKEN") ?? pick("HF_TOKEN");
-	const envVar = {
-		openai: "OPENAI_API_KEY",
-		google: "GEMINI_API_KEY",
-		voyage: "VOYAGE_API_KEY",
-		groq: "GROQ_API_KEY",
-		deepgram: "DEEPGRAM_API_KEY",
-		cerebras: "CEREBRAS_API_KEY",
-		xai: "XAI_API_KEY",
-		openrouter: "OPENROUTER_API_KEY",
-		litellm: "LITELLM_API_KEY",
-		"vercel-ai-gateway": "AI_GATEWAY_API_KEY",
-		"cloudflare-ai-gateway": "CLOUDFLARE_AI_GATEWAY_API_KEY",
-		moonshot: "MOONSHOT_API_KEY",
-		minimax: "MINIMAX_API_KEY",
-		nvidia: "NVIDIA_API_KEY",
-		xiaomi: "XIAOMI_API_KEY",
-		synthetic: "SYNTHETIC_API_KEY",
-		venice: "VENICE_API_KEY",
-		mistral: "MISTRAL_API_KEY",
-		opencode: "OPENCODE_API_KEY",
-		together: "TOGETHER_API_KEY",
-		qianfan: "QIANFAN_API_KEY",
-		ollama: "OLLAMA_API_KEY",
-		vllm: "VLLM_API_KEY"
-	}[normalized];
-	if (!envVar) return null;
-	return pick(envVar);
-}
-function resolveModelAuthMode(provider, cfg, store) {
-	const resolved = provider?.trim();
-	if (!resolved) return;
-	const authOverride = resolveProviderAuthOverride(cfg, resolved);
-	if (authOverride === "aws-sdk") return "aws-sdk";
-	const authStore = store ?? ensureAuthProfileStore();
-	const profiles = listProfilesForProvider(authStore, resolved);
-	if (profiles.length > 0) {
-		const modes = new Set(profiles.map((id) => authStore.profiles[id]?.type).filter((mode) => Boolean(mode)));
-		if ([
-			"oauth",
-			"token",
-			"api_key"
-		].filter((k) => modes.has(k)).length >= 2) return "mixed";
-		if (modes.has("oauth")) return "oauth";
-		if (modes.has("token")) return "token";
-		if (modes.has("api_key")) return "api-key";
-	}
-	if (authOverride === void 0 && normalizeProviderId(resolved) === "amazon-bedrock") return "aws-sdk";
-	const envKey = resolveEnvApiKey(resolved);
-	if (envKey?.apiKey) return envKey.source.includes("OAUTH_TOKEN") ? "oauth" : "api-key";
-	if (getCustomProviderApiKey(cfg, resolved)) return "api-key";
-	return "unknown";
-}
-async function getApiKeyForModel(params) {
-	return resolveApiKeyForProvider({
-		provider: params.model.provider,
-		cfg: params.cfg,
-		profileId: params.profileId,
-		preferredProfile: params.preferredProfile,
-		store: params.store,
-		agentDir: params.agentDir
-	});
-}
-function requireApiKey(auth, provider) {
-	const key = normalizeSecretInput(auth.apiKey);
-	if (key) return key;
-	throw new Error(`No API key resolved for provider "${provider}" (auth mode: ${auth.mode}).`);
-}
-
-//#endregion
-export { shouldEnableShellEnvFallback as $, normalizeProviderId as A, resolveImplicitCopilotProvider as B, buildAllowedModelSet as C, isCliProvider as D, findNormalizedProviderValue as E, resolveSubagentSpawnModelSelection as F, DEFAULT_MODEL as G, OLLAMA_NATIVE_BASE_URL as H, resolveThinkingDefault as I, normalizeSecretInput as J, DEFAULT_PROVIDER as K, normalizeGoogleModelId as L, resolveConfiguredModelRef as M, resolveDefaultModelForAgent as N, modelKey as O, resolveModelRefFromString as P, shouldDeferShellEnvFallback as Q, normalizeProviders as R, isPidAlive as S, buildModelAliasIndex as T, createOllamaStreamFn as U, resolveImplicitProviders as V, DEFAULT_CONTEXT_TOKENS as W, loadShellEnvFallback as X, getShellPathFromLoginShell as Y, resolveShellEnvFallbackTimeoutMs as Z, ensureAuthProfileStore as _, resolveEnvApiKey as a, withFileLock as b, resolveAuthProfileOrder as c, markAuthProfileFailure as d, markAuthProfileUsed as f, markAuthProfileGood as g, listProfilesForProvider as h, resolveApiKeyForProvider as i, parseModelRef as j, normalizeModelRef as k, getSoonestCooldownExpiry as l, dedupeProfileIds as m, getCustomProviderApiKey as n, resolveModelAuthMode as o, resolveApiKeyForProfile as p, resolveAuthProfileDisplayLabel as q, requireApiKey as r, auth_profiles_exports as s, getApiKeyForModel as t, isProfileInCooldown as u, resolveAuthStorePathForDisplay as v, buildConfiguredAllowlistKeys as w, resolveProcessScopedMap as x, resolveSymiAgentDir as y, resolveImplicitBedrockProvider as z };
+export { resolveSymiAgentDir as $, normalizeGoogleModelId as A, resolveApiKeyForProvider as B, normalizeProviderId as C, resolveModelRefFromString as D, resolveDefaultModelForAgent as E, OLLAMA_NATIVE_BASE_URL as F, loadShellEnvFallback as G, resolveModelAuthMode as H, createOllamaStreamFn as I, shouldEnableShellEnvFallback as J, resolveShellEnvFallbackTimeoutMs as K, getApiKeyForModel as L, resolveImplicitBedrockProvider as M, resolveImplicitCopilotProvider as N, resolveSubagentSpawnModelSelection as O, resolveImplicitProviders as P, resolveAuthProfileDisplayLabel as Q, getCustomProviderApiKey as R, normalizeModelRef as S, resolveConfiguredModelRef as T, normalizeSecretInput as U, resolveEnvApiKey as V, getShellPathFromLoginShell as W, DEFAULT_MODEL as X, DEFAULT_CONTEXT_TOKENS as Y, DEFAULT_PROVIDER as Z, buildConfiguredAllowlistKeys as _, markAuthProfileFailure as a, isCliProvider as b, dedupeProfileIds as c, ensureAuthProfileStore as d, resolveAuthStorePathForDisplay as f, buildAllowedModelSet as g, isPidAlive as h, isProfileInCooldown as i, normalizeProviders as j, resolveThinkingDefault as k, listProfilesForProvider as l, resolveProcessScopedMap as m, resolveAuthProfileOrder as n, markAuthProfileUsed as o, withFileLock as p, shouldDeferShellEnvFallback as q, getSoonestCooldownExpiry as r, resolveApiKeyForProfile as s, auth_profiles_exports as t, markAuthProfileGood as u, buildModelAliasIndex as v, parseModelRef as w, modelKey as x, findNormalizedProviderValue as y, requireApiKey as z };