@tloncorp/openclaw 0.1.0

package/dist/src/types.js

@@ -0,0 +1,79 @@
+export function resolveTlonAccount(cfg, accountId) {
+    const base = cfg.channels?.tlon;
+    if (!base) {
+        return {
+            accountId: accountId || "default",
+            name: null,
+            enabled: false,
+            configured: false,
+            ship: null,
+            url: null,
+            code: null,
+            allowPrivateNetwork: null,
+            groupChannels: [],
+            dmAllowlist: [],
+            groupInviteAllowlist: [],
+            autoDiscoverChannels: null,
+            showModelSignature: null,
+            autoAcceptDmInvites: null,
+            autoAcceptGroupInvites: null,
+            defaultAuthorizedShips: [],
+            ownerShip: null,
+            reactionLevel: null,
+        };
+    }
+    const useDefault = !accountId || accountId === "default";
+    const account = useDefault ? base : base.accounts?.[accountId];
+    const ship = (account?.ship ?? base.ship ?? null);
+    const url = (account?.url ?? base.url ?? null);
+    const code = (account?.code ?? base.code ?? null);
+    const allowPrivateNetwork = (account?.allowPrivateNetwork ?? base.allowPrivateNetwork ?? null);
+    const groupChannels = (account?.groupChannels ?? base.groupChannels ?? []);
+    const dmAllowlist = (account?.dmAllowlist ?? base.dmAllowlist ?? []);
+    const groupInviteAllowlist = (account?.groupInviteAllowlist ??
+        base.groupInviteAllowlist ??
+        []);
+    const autoDiscoverChannels = (account?.autoDiscoverChannels ??
+        base.autoDiscoverChannels ??
+        null);
+    const showModelSignature = (account?.showModelSignature ?? base.showModelSignature ?? null);
+    const autoAcceptDmInvites = (account?.autoAcceptDmInvites ?? base.autoAcceptDmInvites ?? null);
+    const autoAcceptGroupInvites = (account?.autoAcceptGroupInvites ??
+        base.autoAcceptGroupInvites ??
+        null);
+    const ownerShip = (account?.ownerShip ?? base.ownerShip ?? null);
+    const reactionLevel = (account?.reactionLevel ?? base.reactionLevel ?? null);
+    const defaultAuthorizedShips = (account?.defaultAuthorizedShips ??
+        base?.defaultAuthorizedShips ??
+        []);
+    const configured = Boolean(ship && url && code);
+    return {
+        accountId: accountId || "default",
+        name: (account?.name ?? base.name ?? null),
+        enabled: (account?.enabled ?? base.enabled ?? true) !== false,
+        configured,
+        ship,
+        url,
+        code,
+        allowPrivateNetwork,
+        groupChannels,
+        dmAllowlist,
+        groupInviteAllowlist,
+        autoDiscoverChannels,
+        showModelSignature,
+        autoAcceptDmInvites,
+        autoAcceptGroupInvites,
+        defaultAuthorizedShips,
+        ownerShip,
+        reactionLevel,
+    };
+}
+export function listTlonAccountIds(cfg) {
+    const base = cfg.channels?.tlon;
+    if (!base) {
+        return [];
+    }
+    const accounts = base.accounts ?? {};
+    return [...(base.ship ? ["default"] : []), ...Object.keys(accounts)];
+}
+//# sourceMappingURL=types.js.map

package/dist/src/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/types.ts"],"names":[],"mappings":"AA0BA,MAAM,UAAU,kBAAkB,CAChC,GAAmB,EACnB,SAAyB;IAEzB,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,EAAE,IAmBd,CAAC;IAEd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO;YACL,SAAS,EAAE,SAAS,IAAI,SAAS;YACjC,IAAI,EAAE,IAAI;YACV,OAAO,EAAE,KAAK;YACd,UAAU,EAAE,KAAK;YACjB,IAAI,EAAE,IAAI;YACV,GAAG,EAAE,IAAI;YACT,IAAI,EAAE,IAAI;YACV,mBAAmB,EAAE,IAAI;YACzB,aAAa,EAAE,EAAE;YACjB,WAAW,EAAE,EAAE;YACf,oBAAoB,EAAE,EAAE;YACxB,oBAAoB,EAAE,IAAI;YAC1B,kBAAkB,EAAE,IAAI;YACxB,mBAAmB,EAAE,IAAI;YACzB,sBAAsB,EAAE,IAAI;YAC5B,sBAAsB,EAAE,EAAE;YAC1B,SAAS,EAAE,IAAI;YACf,aAAa,EAAE,IAAI;SACpB,CAAC;IACJ,CAAC;IAED,MAAM,UAAU,GAAG,CAAC,SAAS,IAAI,SAAS,KAAK,SAAS,CAAC;IACzD,MAAM,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,SAAS,CAAC,CAAC;IAE/D,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAkB,CAAC;IACnE,MAAM,GAAG,GAAG,CAAC,OAAO,EAAE,GAAG,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAkB,CAAC;IAChE,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAkB,CAAC;IACnE,MAAM,mBAAmB,GAAG,CAAC,OAAO,EAAE,mBAAmB,IAAI,IAAI,CAAC,mBAAmB,IAAI,IAAI,CAErF,CAAC;IACT,MAAM,aAAa,GAAG,CAAC,OAAO,EAAE,aAAa,IAAI,IAAI,CAAC,aAAa,IAAI,EAAE,CAAa,CAAC;IACvF,MAAM,WAAW,GAAG,CAAC,OAAO,EAAE,WAAW,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,CAAa,CAAC;IACjF,MAAM,oBAAoB,GAAG,CAAC,OAAO,EAAE,oBAAoB;QACzD,IAAI,CAAC,oBAAoB;QACzB,EAAE,CAAa,CAAC;IAClB,MAAM,oBAAoB,GAAG,CAAC,OAAO,EAAE,oBAAoB;QACzD,IAAI,CAAC,oBAAoB;QACzB,IAAI,CAAmB,CAAC;IAC1B,MAAM,kBAAkB,GAAG,CAAC,OAAO,EAAE,kBAAkB,IAAI,IAAI,CAAC,kBAAkB,IAAI,IAAI,CAElF,CAAC;IACT,MAAM,mBAAmB,GAAG,CAAC,OAAO,EAAE,mBAAmB,IAAI,IAAI,CAAC,mBAAmB,IAAI,IAAI,CAErF,CAAC;IACT,MAAM,sBAAsB,GAAG,CAAC,OAAO,EAAE,sBAAsB;QAC7D,IAAI,CAAC,sBAAsB;QAC3B,IAAI,CAAmB,CAAC;IAC1B,MAAM,SAAS,GAAG,CAAC,OAAO,EAAE,SAAS,IAAI,IAAI,CAAC,SAAS,IAAI,IAAI,CAAkB,CAAC;IAClF,MAAM,aAAa,GAAG,CAAC,OAAO,EAAE,aAAa,IAAI,IAAI,CAAC,aAAa,IAAI,IAAI,CAAkB,CAAC;IAC9F,MAAM,sBAAsB,GAAG,CAAE,OAAmC,EAAE,sBAAsB;QACzF,IAAgC,EAAE,sBAAsB;QACzD,EAAE,CAAa,CAAC;IAClB,MAAM,UAAU,GAAG,OAAO,CAAC,IAAI,IAAI,GAAG,IAAI,IAAI,CAAC,CAAC;IAEhD,OAAO;QACL,SAAS,EAAE,SAAS,IAAI,SAAS;QACjC,IAAI,EAAE,CAAC,OAAO,EAAE,IAAI,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAkB;QAC3D,OAAO,EAAE,CAAC,OAAO,EAAE,OAAO,IAAI,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,KAAK,KAAK;QAC7D,UAAU;QACV,IAAI;QACJ,GAAG;QACH,IAAI;QACJ,mBAAmB;QACnB,aAAa;QACb,WAAW;QACX,oBAAoB;QACpB,oBAAoB;QACpB,kBAAkB;QAClB,mBAAmB;QACnB,sBAAsB;QACtB,sBAAsB;QACtB,SAAS;QACT,aAAa;KACd,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,GAAmB;IACpD,MAAM,IAAI,GAAG,GAAG,CAAC,QAAQ,EAAE,IAEd,CAAC;IACd,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IACrC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC;AACvE,CAAC"}

package/dist/src/urbit/api-client.js

@@ -0,0 +1,104 @@
+import { configureClient } from "@tloncorp/api";
+import { createHttpPokeApi } from "./http-poke.js";
+import { authenticate } from "./auth.js";
+import { ssrfPolicyFromAllowPrivateNetwork } from "./context.js";
+import { urbitFetch } from "./fetch.js";
+/**
+ * Create a minimal Urbit-compatible shim that delegates poke() to the given function.
+ * The @tloncorp/api configureClient accepts a `client` that looks like an Urbit instance.
+ * Includes stubs for connect/eventSource/scryWithInfo so configureClient never crashes.
+ */
+function createClientShim(pokeFn, scryFn) {
+    return {
+        poke: (params) => pokeFn(params),
+        on: () => ({ on: () => ({}) }),
+        // connect/eventSource are called by configureClient when code is provided.
+        // Our shim should never hit that path (we always inject the client), but
+        // if another configureClient call happens without injecting, these no-ops
+        // prevent a TypeError crash.
+        connect: async () => { },
+        eventSource: async () => { },
+        // scryWithInfo is used by @tloncorp/api for scry operations (e.g., uploadFile).
+        scryWithInfo: scryFn
+            ? async (params) => {
+                const result = await scryFn(params);
+                return { result: result, responseSizeInBytes: 0, responseStatus: 200 };
+            }
+            : async () => {
+                throw new Error("Scry not supported on this client shim");
+            },
+        // Properties configureClient may access
+        verbose: false,
+        nodeId: "",
+    };
+}
+/**
+ * Configure @tloncorp/api's global client with an existing poke function.
+ * Use this when you already have an authenticated poke backend (e.g., SSE client in monitor).
+ */
+export function configureTlonApiWithPoke(pokeFn, ship, shipUrl, scryFn) {
+    const shim = createClientShim(pokeFn, scryFn);
+    configureClient({
+        shipName: ship.replace(/^~/, ""),
+        shipUrl,
+        client: shim,
+    });
+}
+/**
+ * Create an authenticated HTTP-only client, configure @tloncorp/api, run fn, clean up.
+ * Use this for one-shot outbound operations (channel.ts, actions.ts).
+ * Supports both poke and scry (needed for uploadFile).
+ */
+export async function withAuthenticatedTlonApi(params, fn) {
+    const ssrfPolicy = ssrfPolicyFromAllowPrivateNetwork(params.allowPrivateNetwork);
+    const cookie = await authenticate(params.url, params.code, { ssrfPolicy });
+    const api = await createHttpPokeApi({
+        url: params.url,
+        code: params.code,
+        ship: params.ship,
+        allowPrivateNetwork: params.allowPrivateNetwork,
+    });
+    // Build a scry function using the authenticated cookie
+    const scryFn = async ({ app, path }) => {
+        const scryPath = `/~/scry/${app}${path}.json`;
+        const { response, release } = await urbitFetch({
+            baseUrl: params.url,
+            path: scryPath,
+            init: {
+                method: "GET",
+                headers: { Cookie: cookie },
+            },
+            ssrfPolicy,
+            timeoutMs: 30_000,
+            auditContext: "tlon-api-scry",
+        });
+        try {
+            if (!response.ok) {
+                throw new Error(`Scry failed: ${response.status} ${scryPath}`);
+            }
+            return await response.json();
+        }
+        finally {
+            await release();
+        }
+    };
+    const shim = createClientShim(api.poke, scryFn);
+    configureClient({
+        shipName: params.ship.replace(/^~/, ""),
+        shipUrl: params.url,
+        client: shim,
+        getCode: async () => params.code,
+    });
+    try {
+        return await fn();
+    }
+    finally {
+        try {
+            await api.delete();
+        }
+        catch {
+            // ignore cleanup errors
+        }
+    }
+}
+//# sourceMappingURL=api-client.js.map

package/dist/src/urbit/api-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api-client.js","sourceRoot":"","sources":["../../../src/urbit/api-client.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,eAAe,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,EAAE,iBAAiB,EAAE,MAAM,gBAAgB,CAAC;AACnD,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AACzC,OAAO,EAAE,iCAAiC,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAKxC;;;;GAIG;AACH,SAAS,gBAAgB,CAAC,MAAc,EAAE,MAAe;IACvD,OAAO;QACL,IAAI,EAAE,CAAC,MAAoD,EAAE,EAAE,CAAC,MAAM,CAAC,MAAM,CAAC;QAC9E,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC;QAC9B,2EAA2E;QAC3E,yEAAyE;QACzE,0EAA0E;QAC1E,6BAA6B;QAC7B,OAAO,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;QACvB,WAAW,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;QAC3B,gFAAgF;QAChF,YAAY,EAAE,MAAM;YAClB,CAAC,CAAC,KAAK,EAAK,MAAqC,EAAE,EAAE;gBACjD,MAAM,MAAM,GAAG,MAAM,MAAM,CAAC,MAAM,CAAC,CAAC;gBACpC,OAAO,EAAE,MAAM,EAAE,MAAW,EAAE,mBAAmB,EAAE,CAAC,EAAE,cAAc,EAAE,GAAG,EAAE,CAAC;YAC9E,CAAC;YACH,CAAC,CAAC,KAAK,IAAI,EAAE;gBACT,MAAM,IAAI,KAAK,CAAC,wCAAwC,CAAC,CAAC;YAC5D,CAAC;QACL,wCAAwC;QACxC,OAAO,EAAE,KAAK;QACd,MAAM,EAAE,EAAE;KACJ,CAAC;AACX,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,wBAAwB,CACtC,MAAc,EACd,IAAY,EACZ,OAAe,EACf,MAAe;IAEf,MAAM,IAAI,GAAG,gBAAgB,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC9C,eAAe,CAAC;QACd,QAAQ,EAAE,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QAChC,OAAO;QACP,MAAM,EAAE,IAAI;KACb,CAAC,CAAC;AACL,CAAC;AAED;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,MAAkF,EAClF,EAAoB;IAEpB,MAAM,UAAU,GAAG,iCAAiC,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;IACjF,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC;IAE3E,MAAM,GAAG,GAAG,MAAM,iBAAiB,CAAC;QAClC,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,mBAAmB,EAAE,MAAM,CAAC,mBAAmB;KAChD,CAAC,CAAC;IAEH,uDAAuD;IACvD,MAAM,MAAM,GAAW,KAAK,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE;QAC7C,MAAM,QAAQ,GAAG,WAAW,GAAG,GAAG,IAAI,OAAO,CAAC;QAC9C,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC;YAC7C,OAAO,EAAE,MAAM,CAAC,GAAG;YACnB,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE;gBACJ,MAAM,EAAE,KAAK;gBACb,OAAO,EAAE,EAAE,MAAM,EAAE,MAAM,EAAE;aAC5B;YACD,UAAU;YACV,SAAS,EAAE,MAAM;YACjB,YAAY,EAAE,eAAe;SAC9B,CAAC,CAAC;QACH,IAAI,CAAC;YACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;gBACjB,MAAM,IAAI,KAAK,CAAC,gBAAgB,QAAQ,CAAC,MAAM,IAAI,QAAQ,EAAE,CAAC,CAAC;YACjE,CAAC;YACD,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QAC/B,CAAC;gBAAS,CAAC;YACT,MAAM,OAAO,EAAE,CAAC;QAClB,CAAC;IACH,CAAC,CAAC;IAEF,MAAM,IAAI,GAAG,gBAAgB,CAAC,GAAG,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC;IAChD,eAAe,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC;QACvC,OAAO,EAAE,MAAM,CAAC,GAAG;QACnB,MAAM,EAAE,IAAI;QACZ,OAAO,EAAE,KAAK,IAAI,EAAE,CAAC,MAAM,CAAC,IAAI;KACjC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,OAAO,MAAM,EAAE,EAAE,CAAC;IACpB,CAAC;YAAS,CAAC;QACT,IAAI,CAAC;YACH,MAAM,GAAG,CAAC,MAAM,EAAE,CAAC;QACrB,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;AACH,CAAC"}

package/dist/src/urbit/auth.js

@@ -0,0 +1,35 @@
+import { UrbitAuthError } from "./errors.js";
+import { urbitFetch } from "./fetch.js";
+export async function authenticate(url, code, options = {}) {
+    const { response, release } = await urbitFetch({
+        baseUrl: url,
+        path: "/~/login",
+        init: {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({ password: code }).toString(),
+        },
+        ssrfPolicy: options.ssrfPolicy,
+        lookupFn: options.lookupFn,
+        fetchImpl: options.fetchImpl,
+        timeoutMs: options.timeoutMs ?? 15_000,
+        maxRedirects: 3,
+        auditContext: "tlon-urbit-login",
+    });
+    try {
+        if (!response.ok) {
+            throw new UrbitAuthError("auth_failed", `Login failed with status ${response.status}`);
+        }
+        // Some Urbit setups require the response body to be read before cookie headers finalize.
+        await response.text().catch(() => { });
+        const cookie = response.headers.get("set-cookie");
+        if (!cookie) {
+            throw new UrbitAuthError("missing_cookie", "No authentication cookie received");
+        }
+        return cookie;
+    }
+    finally {
+        await release();
+    }
+}
+//# sourceMappingURL=auth.js.map

package/dist/src/urbit/auth.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/urbit/auth.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AASxC,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,GAAW,EACX,IAAY,EACZ,UAAoC,EAAE;IAEtC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC;QAC7C,OAAO,EAAE,GAAG;QACZ,IAAI,EAAE,UAAU;QAChB,IAAI,EAAE;YACJ,MAAM,EAAE,MAAM;YACd,OAAO,EAAE,EAAE,cAAc,EAAE,mCAAmC,EAAE;YAChE,IAAI,EAAE,IAAI,eAAe,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE;SACzD;QACD,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,QAAQ,EAAE,OAAO,CAAC,QAAQ;QAC1B,SAAS,EAAE,OAAO,CAAC,SAAS;QAC5B,SAAS,EAAE,OAAO,CAAC,SAAS,IAAI,MAAM;QACtC,YAAY,EAAE,CAAC;QACf,YAAY,EAAE,kBAAkB;KACjC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,cAAc,CAAC,aAAa,EAAE,4BAA4B,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACzF,CAAC;QAED,yFAAyF;QACzF,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QACtC,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QAClD,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,cAAc,CAAC,gBAAgB,EAAE,mCAAmC,CAAC,CAAC;QAClF,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;YAAS,CAAC;QACT,MAAM,OAAO,EAAE,CAAC;IAClB,CAAC;AACH,CAAC"}

package/dist/src/urbit/base-url.js

@@ -0,0 +1,45 @@
+import { isBlockedHostname, isPrivateIpAddress } from "openclaw/plugin-sdk";
+function hasScheme(value) {
+    return /^[a-zA-Z][a-zA-Z0-9+.-]*:\/\//.test(value);
+}
+export function validateUrbitBaseUrl(raw) {
+    const trimmed = String(raw ?? "").trim();
+    if (!trimmed) {
+        return { ok: false, error: "Required" };
+    }
+    const candidate = hasScheme(trimmed) ? trimmed : `https://${trimmed}`;
+    let parsed;
+    try {
+        parsed = new URL(candidate);
+    }
+    catch {
+        return { ok: false, error: "Invalid URL" };
+    }
+    if (!["http:", "https:"].includes(parsed.protocol)) {
+        return { ok: false, error: "URL must use http:// or https://" };
+    }
+    if (parsed.username || parsed.password) {
+        return { ok: false, error: "URL must not include credentials" };
+    }
+    const hostname = parsed.hostname.trim().toLowerCase().replace(/\.$/, "");
+    if (!hostname) {
+        return { ok: false, error: "Invalid hostname" };
+    }
+    // Normalize to origin so callers can't smuggle paths/query fragments into the base URL,
+    // and strip a trailing dot from the hostname (DNS root label).
+    const isIpv6 = hostname.includes(":");
+    const host = parsed.port
+        ? `${isIpv6 ? `[${hostname}]` : hostname}:${parsed.port}`
+        : isIpv6
+            ? `[${hostname}]`
+            : hostname;
+    return { ok: true, baseUrl: `${parsed.protocol}//${host}`, hostname };
+}
+export function isBlockedUrbitHostname(hostname) {
+    const normalized = hostname.trim().toLowerCase().replace(/\.$/, "");
+    if (!normalized) {
+        return false;
+    }
+    return isBlockedHostname(normalized) || isPrivateIpAddress(normalized);
+}
+//# sourceMappingURL=base-url.js.map

package/dist/src/urbit/base-url.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"base-url.js","sourceRoot":"","sources":["../../../src/urbit/base-url.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AAM5E,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,+BAA+B,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACrD,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,GAAW;IAC9C,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IACzC,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC;IAC1C,CAAC;IAED,MAAM,SAAS,GAAG,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,WAAW,OAAO,EAAE,CAAC;IAEtE,IAAI,MAAW,CAAC;IAChB,IAAI,CAAC;QACH,MAAM,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,aAAa,EAAE,CAAC;IAC7C,CAAC;IAED,IAAI,CAAC,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnD,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,kCAAkC,EAAE,CAAC;IAClE,CAAC;IAED,IAAI,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;QACvC,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,kCAAkC,EAAE,CAAC;IAClE,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACzE,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,kBAAkB,EAAE,CAAC;IAClD,CAAC;IAED,wFAAwF;IACxF,+DAA+D;IAC/D,MAAM,MAAM,GAAG,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,IAAI;QACtB,CAAC,CAAC,GAAG,MAAM,CAAC,CAAC,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,EAAE;QACzD,CAAC,CAAC,MAAM;YACN,CAAC,CAAC,IAAI,QAAQ,GAAG;YACjB,CAAC,CAAC,QAAQ,CAAC;IAEf,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,MAAM,CAAC,QAAQ,KAAK,IAAI,EAAE,EAAE,QAAQ,EAAE,CAAC;AACxE,CAAC;AAED,MAAM,UAAU,sBAAsB,CAAC,QAAgB;IACrD,MAAM,UAAU,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACpE,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAO,iBAAiB,CAAC,UAAU,CAAC,IAAI,kBAAkB,CAAC,UAAU,CAAC,CAAC;AACzE,CAAC"}

package/dist/src/urbit/channel-ops.js

@@ -0,0 +1,136 @@
+import { UrbitHttpError } from "./errors.js";
+import { urbitFetch } from "./fetch.js";
+export async function pokeUrbitChannel(deps, params) {
+    const pokeId = Date.now();
+    const pokeData = {
+        id: pokeId,
+        action: "poke",
+        ship: deps.ship,
+        app: params.app,
+        mark: params.mark,
+        json: params.json,
+    };
+    const { response, release } = await urbitFetch({
+        baseUrl: deps.baseUrl,
+        path: `/~/channel/${deps.channelId}`,
+        init: {
+            method: "PUT",
+            headers: {
+                "Content-Type": "application/json",
+                Cookie: deps.cookie,
+            },
+            body: JSON.stringify([pokeData]),
+        },
+        ssrfPolicy: deps.ssrfPolicy,
+        lookupFn: deps.lookupFn,
+        fetchImpl: deps.fetchImpl,
+        timeoutMs: 30_000,
+        auditContext: params.auditContext,
+    });
+    try {
+        if (!response.ok && response.status !== 204) {
+            const errorText = await response.text().catch(() => "");
+            throw new Error(`Poke failed: ${response.status}${errorText ? ` - ${errorText}` : ""}`);
+        }
+        return pokeId;
+    }
+    finally {
+        await release();
+    }
+}
+export async function scryUrbitPath(deps, params) {
+    const scryPath = `/~/scry${params.path}`;
+    const { response, release } = await urbitFetch({
+        baseUrl: deps.baseUrl,
+        path: scryPath,
+        init: {
+            method: "GET",
+            headers: { Cookie: deps.cookie },
+        },
+        ssrfPolicy: deps.ssrfPolicy,
+        lookupFn: deps.lookupFn,
+        fetchImpl: deps.fetchImpl,
+        timeoutMs: 30_000,
+        auditContext: params.auditContext,
+    });
+    try {
+        if (!response.ok) {
+            throw new Error(`Scry failed: ${response.status} for path ${params.path}`);
+        }
+        return await response.json();
+    }
+    finally {
+        await release();
+    }
+}
+export async function createUrbitChannel(deps, params) {
+    const { response, release } = await urbitFetch({
+        baseUrl: deps.baseUrl,
+        path: `/~/channel/${deps.channelId}`,
+        init: {
+            method: "PUT",
+            headers: {
+                "Content-Type": "application/json",
+                Cookie: deps.cookie,
+            },
+            body: JSON.stringify(params.body),
+        },
+        ssrfPolicy: deps.ssrfPolicy,
+        lookupFn: deps.lookupFn,
+        fetchImpl: deps.fetchImpl,
+        timeoutMs: 30_000,
+        auditContext: params.auditContext,
+    });
+    try {
+        if (!response.ok && response.status !== 204) {
+            throw new UrbitHttpError({ operation: "Channel creation", status: response.status });
+        }
+    }
+    finally {
+        await release();
+    }
+}
+export async function wakeUrbitChannel(deps) {
+    const { response, release } = await urbitFetch({
+        baseUrl: deps.baseUrl,
+        path: `/~/channel/${deps.channelId}`,
+        init: {
+            method: "PUT",
+            headers: {
+                "Content-Type": "application/json",
+                Cookie: deps.cookie,
+            },
+            body: JSON.stringify([
+                {
+                    id: Date.now(),
+                    action: "poke",
+                    ship: deps.ship,
+                    app: "hood",
+                    mark: "helm-hi",
+                    json: "Opening API channel",
+                },
+            ]),
+        },
+        ssrfPolicy: deps.ssrfPolicy,
+        lookupFn: deps.lookupFn,
+        fetchImpl: deps.fetchImpl,
+        timeoutMs: 30_000,
+        auditContext: "tlon-urbit-channel-wake",
+    });
+    try {
+        if (!response.ok && response.status !== 204) {
+            throw new UrbitHttpError({ operation: "Channel activation", status: response.status });
+        }
+    }
+    finally {
+        await release();
+    }
+}
+export async function ensureUrbitChannelOpen(deps, params) {
+    await createUrbitChannel(deps, {
+        body: params.createBody,
+        auditContext: params.createAuditContext,
+    });
+    await wakeUrbitChannel(deps);
+}
+//# sourceMappingURL=channel-ops.js.map

package/dist/src/urbit/channel-ops.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"channel-ops.js","sourceRoot":"","sources":["../../../src/urbit/channel-ops.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAC7C,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAYxC,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,IAAsB,EACtB,MAA0E;IAE1E,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC1B,MAAM,QAAQ,GAAG;QACf,EAAE,EAAE,MAAM;QACV,MAAM,EAAE,MAAM;QACd,IAAI,EAAE,IAAI,CAAC,IAAI;QACf,GAAG,EAAE,MAAM,CAAC,GAAG;QACf,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,MAAM,CAAC,IAAI;KAClB,CAAC;IAEF,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC;QAC7C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,cAAc,IAAI,CAAC,SAAS,EAAE;QACpC,IAAI,EAAE;YACJ,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,MAAM,EAAE,IAAI,CAAC,MAAM;aACpB;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC;SACjC;QACD,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,MAAM,CAAC,YAAY;KAClC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5C,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC;YACxD,MAAM,IAAI,KAAK,CAAC,gBAAgB,QAAQ,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC,CAAC,MAAM,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC1F,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;YAAS,CAAC;QACT,MAAM,OAAO,EAAE,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAA4F,EAC5F,MAA8C;IAE9C,MAAM,QAAQ,GAAG,UAAU,MAAM,CAAC,IAAI,EAAE,CAAC;IACzC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC;QAC7C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,QAAQ;QACd,IAAI,EAAE;YACJ,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,EAAE,MAAM,EAAE,IAAI,CAAC,MAAM,EAAE;SACjC;QACD,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,MAAM,CAAC,YAAY;KAClC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;YACjB,MAAM,IAAI,KAAK,CAAC,gBAAgB,QAAQ,CAAC,MAAM,aAAa,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QAC7E,CAAC;QACD,OAAO,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;IAC/B,CAAC;YAAS,CAAC;QACT,MAAM,OAAO,EAAE,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,kBAAkB,CACtC,IAAsB,EACtB,MAA+C;IAE/C,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC;QAC7C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,cAAc,IAAI,CAAC,SAAS,EAAE;QACpC,IAAI,EAAE;YACJ,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,MAAM,EAAE,IAAI,CAAC,MAAM;aACpB;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC;SAClC;QACD,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,MAAM,CAAC,YAAY;KAClC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5C,MAAM,IAAI,cAAc,CAAC,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACvF,CAAC;IACH,CAAC;YAAS,CAAC;QACT,MAAM,OAAO,EAAE,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,IAAsB;IAC3D,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC;QAC7C,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,IAAI,EAAE,cAAc,IAAI,CAAC,SAAS,EAAE;QACpC,IAAI,EAAE;YACJ,MAAM,EAAE,KAAK;YACb,OAAO,EAAE;gBACP,cAAc,EAAE,kBAAkB;gBAClC,MAAM,EAAE,IAAI,CAAC,MAAM;aACpB;YACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;gBACnB;oBACE,EAAE,EAAE,IAAI,CAAC,GAAG,EAAE;oBACd,MAAM,EAAE,MAAM;oBACd,IAAI,EAAE,IAAI,CAAC,IAAI;oBACf,GAAG,EAAE,MAAM;oBACX,IAAI,EAAE,SAAS;oBACf,IAAI,EAAE,qBAAqB;iBAC5B;aACF,CAAC;SACH;QACD,UAAU,EAAE,IAAI,CAAC,UAAU;QAC3B,QAAQ,EAAE,IAAI,CAAC,QAAQ;QACvB,SAAS,EAAE,IAAI,CAAC,SAAS;QACzB,SAAS,EAAE,MAAM;QACjB,YAAY,EAAE,yBAAyB;KACxC,CAAC,CAAC;IAEH,IAAI,CAAC;QACH,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;YAC5C,MAAM,IAAI,cAAc,CAAC,EAAE,SAAS,EAAE,oBAAoB,EAAE,MAAM,EAAE,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACzF,CAAC;IACH,CAAC;YAAS,CAAC;QACT,MAAM,OAAO,EAAE,CAAC;IAClB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,sBAAsB,CAC1C,IAAsB,EACtB,MAA2D;IAE3D,MAAM,kBAAkB,CAAC,IAAI,EAAE;QAC7B,IAAI,EAAE,MAAM,CAAC,UAAU;QACvB,YAAY,EAAE,MAAM,CAAC,kBAAkB;KACxC,CAAC,CAAC;IACH,MAAM,gBAAgB,CAAC,IAAI,CAAC,CAAC;AAC/B,CAAC"}

package/dist/src/urbit/context.js

@@ -0,0 +1,42 @@
+import { validateUrbitBaseUrl } from "./base-url.js";
+import { UrbitUrlError } from "./errors.js";
+export function resolveShipFromHostname(hostname) {
+    const trimmed = hostname.trim().toLowerCase().replace(/\.$/, "");
+    if (!trimmed) {
+        return "";
+    }
+    if (trimmed.includes(".")) {
+        return trimmed.split(".")[0] ?? trimmed;
+    }
+    return trimmed;
+}
+export function normalizeUrbitShip(ship, hostname) {
+    const raw = ship?.replace(/^~/, "") ?? resolveShipFromHostname(hostname);
+    return raw.trim();
+}
+export function normalizeUrbitCookie(cookie) {
+    return cookie.split(";")[0] ?? cookie;
+}
+export function getUrbitContext(url, ship) {
+    const validated = validateUrbitBaseUrl(url);
+    if (!validated.ok) {
+        throw new UrbitUrlError(validated.error);
+    }
+    return {
+        baseUrl: validated.baseUrl,
+        hostname: validated.hostname,
+        ship: normalizeUrbitShip(ship, validated.hostname),
+    };
+}
+export function ssrfPolicyFromAllowPrivateNetwork(allowPrivateNetwork) {
+    return allowPrivateNetwork ? { allowPrivateNetwork: true } : undefined;
+}
+/**
+ * Get the default SSRF policy for image uploads.
+ * Uses a restrictive policy that blocks private networks by default.
+ */
+export function getDefaultSsrFPolicy() {
+    // Default: block private networks for image uploads (safer default)
+    return undefined;
+}
+//# sourceMappingURL=context.js.map

package/dist/src/urbit/context.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"context.js","sourceRoot":"","sources":["../../../src/urbit/context.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAQ5C,MAAM,UAAU,uBAAuB,CAAC,QAAgB;IACtD,MAAM,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;IACjE,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;QAC1B,OAAO,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,OAAO,CAAC;IAC1C,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,IAAwB,EAAE,QAAgB;IAC3E,MAAM,GAAG,GAAG,IAAI,EAAE,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,uBAAuB,CAAC,QAAQ,CAAC,CAAC;IACzE,OAAO,GAAG,CAAC,IAAI,EAAE,CAAC;AACpB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,MAAc;IACjD,OAAO,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,MAAM,CAAC;AACxC,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,GAAW,EAAE,IAAa;IACxD,MAAM,SAAS,GAAG,oBAAoB,CAAC,GAAG,CAAC,CAAC;IAC5C,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;QAClB,MAAM,IAAI,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC;IACD,OAAO;QACL,OAAO,EAAE,SAAS,CAAC,OAAO;QAC1B,QAAQ,EAAE,SAAS,CAAC,QAAQ;QAC5B,IAAI,EAAE,kBAAkB,CAAC,IAAI,EAAE,SAAS,CAAC,QAAQ,CAAC;KACnD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,iCAAiC,CAC/C,mBAA+C;IAE/C,OAAO,mBAAmB,CAAC,CAAC,CAAC,EAAE,mBAAmB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;AACzE,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,oBAAoB;IAClC,oEAAoE;IACpE,OAAO,SAAS,CAAC;AACnB,CAAC"}

package/dist/src/urbit/errors.js

@@ -0,0 +1,36 @@
+export class UrbitError extends Error {
+    code;
+    constructor(code, message, options) {
+        super(message, options);
+        this.name = "UrbitError";
+        this.code = code;
+    }
+}
+export class UrbitUrlError extends UrbitError {
+    constructor(message, options) {
+        super("invalid_url", message, options);
+        this.name = "UrbitUrlError";
+    }
+}
+export class UrbitHttpError extends UrbitError {
+    status;
+    operation;
+    bodyText;
+    constructor(params) {
+        const suffix = params.bodyText ? ` - ${params.bodyText}` : "";
+        super("http_error", `${params.operation} failed: ${params.status}${suffix}`, {
+            cause: params.cause,
+        });
+        this.name = "UrbitHttpError";
+        this.status = params.status;
+        this.operation = params.operation;
+        this.bodyText = params.bodyText;
+    }
+}
+export class UrbitAuthError extends UrbitError {
+    constructor(code, message, options) {
+        super(code, message, options);
+        this.name = "UrbitAuthError";
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/src/urbit/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../../src/urbit/errors.ts"],"names":[],"mappings":"AAOA,MAAM,OAAO,UAAW,SAAQ,KAAK;IAC1B,IAAI,CAAiB;IAE9B,YAAY,IAAoB,EAAE,OAAe,EAAE,OAA6B;QAC9E,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QACxB,IAAI,CAAC,IAAI,GAAG,YAAY,CAAC;QACzB,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;IACnB,CAAC;CACF;AAED,MAAM,OAAO,aAAc,SAAQ,UAAU;IAC3C,YAAY,OAAe,EAAE,OAA6B;QACxD,KAAK,CAAC,aAAa,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QACvC,IAAI,CAAC,IAAI,GAAG,eAAe,CAAC;IAC9B,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,UAAU;IACnC,MAAM,CAAS;IACf,SAAS,CAAS;IAClB,QAAQ,CAAU;IAE3B,YAAY,MAAiF;QAC3F,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9D,KAAK,CAAC,YAAY,EAAE,GAAG,MAAM,CAAC,SAAS,YAAY,MAAM,CAAC,MAAM,GAAG,MAAM,EAAE,EAAE;YAC3E,KAAK,EAAE,MAAM,CAAC,KAAK;SACpB,CAAC,CAAC;QACH,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;QAC7B,IAAI,CAAC,MAAM,GAAG,MAAM,CAAC,MAAM,CAAC;QAC5B,IAAI,CAAC,SAAS,GAAG,MAAM,CAAC,SAAS,CAAC;QAClC,IAAI,CAAC,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC;IAClC,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,UAAU;IAC5C,YACE,IAAsC,EACtC,OAAe,EACf,OAA6B;QAE7B,KAAK,CAAC,IAAI,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC;QAC9B,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF"}

package/dist/src/urbit/fetch.js

@@ -0,0 +1,23 @@
+import { fetchWithSsrFGuard } from "openclaw/plugin-sdk";
+import { validateUrbitBaseUrl } from "./base-url.js";
+import { UrbitUrlError } from "./errors.js";
+export async function urbitFetch(params) {
+    const validated = validateUrbitBaseUrl(params.baseUrl);
+    if (!validated.ok) {
+        throw new UrbitUrlError(validated.error);
+    }
+    const url = new URL(params.path, validated.baseUrl).toString();
+    return await fetchWithSsrFGuard({
+        url,
+        fetchImpl: params.fetchImpl,
+        init: params.init,
+        timeoutMs: params.timeoutMs,
+        maxRedirects: params.maxRedirects,
+        signal: params.signal,
+        policy: params.ssrfPolicy,
+        lookupFn: params.lookupFn,
+        auditContext: params.auditContext,
+        pinDns: params.pinDns,
+    });
+}
+//# sourceMappingURL=fetch.js.map

package/dist/src/urbit/fetch.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"fetch.js","sourceRoot":"","sources":["../../../src/urbit/fetch.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,qBAAqB,CAAC;AACzD,OAAO,EAAE,oBAAoB,EAAE,MAAM,eAAe,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,aAAa,CAAC;AAsB5C,MAAM,CAAC,KAAK,UAAU,UAAU,CAAC,MAAyB;IACxD,MAAM,SAAS,GAAG,oBAAoB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;IACvD,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,CAAC;QAClB,MAAM,IAAI,aAAa,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;IAC3C,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,GAAG,CAAC,MAAM,CAAC,IAAI,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;IAC/D,OAAO,MAAM,kBAAkB,CAAC;QAC9B,GAAG;QACH,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,MAAM,EAAE,MAAM,CAAC,MAAM;QACrB,MAAM,EAAE,MAAM,CAAC,UAAU;QACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,MAAM,EAAE,MAAM,CAAC,MAAM;KACtB,CAAC,CAAC;AACL,CAAC"}

package/dist/src/urbit/foreigns.js

@@ -0,0 +1,6 @@
+/**
+ * Types for Urbit groups foreigns (group invites)
+ * Based on packages/shared/src/urbit/groups.ts from homestead
+ */
+export {};
+//# sourceMappingURL=foreigns.js.map

package/dist/src/urbit/foreigns.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"foreigns.js","sourceRoot":"","sources":["../../../src/urbit/foreigns.ts"],"names":[],"mappings":"AAAA;;;GAGG"}

package/dist/src/urbit/http-poke.js

@@ -0,0 +1,56 @@
+import { randomUUID } from "node:crypto";
+import { authenticate } from "./auth.js";
+import { ssrfPolicyFromAllowPrivateNetwork } from "./context.js";
+import { urbitFetch } from "./fetch.js";
+/**
+ * Simple HTTP-only poke that doesn't open an EventSource (avoids conflict with monitor's SSE)
+ */
+export async function createHttpPokeApi(params) {
+    const ssrfPolicy = ssrfPolicyFromAllowPrivateNetwork(params.allowPrivateNetwork);
+    const cookie = await authenticate(params.url, params.code, { ssrfPolicy });
+    const channelId = `${Math.floor(Date.now() / 1000)}-${randomUUID().slice(0, 8)}`;
+    const channelPath = `/~/channel/${channelId}`;
+    const shipName = params.ship.replace(/^~/, "");
+    return {
+        poke: async (pokeParams) => {
+            const pokeId = Date.now();
+            const pokeData = {
+                id: pokeId,
+                action: "poke",
+                ship: shipName,
+                app: pokeParams.app,
+                mark: pokeParams.mark,
+                json: pokeParams.json,
+            };
+            const { response, release } = await urbitFetch({
+                baseUrl: params.url,
+                path: channelPath,
+                init: {
+                    method: "PUT",
+                    headers: {
+                        "Content-Type": "application/json",
+                        Cookie: cookie.split(";")[0],
+                    },
+                    body: JSON.stringify([pokeData]),
+                },
+                ssrfPolicy,
+                timeoutMs: 30_000,
+                auditContext: "tlon-http-poke",
+            });
+            try {
+                if (!response.ok && response.status !== 204) {
+                    const errorText = await response.text();
+                    throw new Error(`Poke failed: ${response.status} - ${errorText}`);
+                }
+                return pokeId;
+            }
+            finally {
+                await release();
+            }
+        },
+        delete: async () => {
+            // No-op for HTTP-only client
+        },
+    };
+}
+//# sourceMappingURL=http-poke.js.map

package/dist/src/urbit/http-poke.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-poke.js","sourceRoot":"","sources":["../../../src/urbit/http-poke.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AACzC,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAEzC,OAAO,EAAE,iCAAiC,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AAOxC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAKvC;IACC,MAAM,UAAU,GAAG,iCAAiC,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC;IACjF,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,MAAM,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,EAAE,EAAE,UAAU,EAAE,CAAC,CAAC;IAC3E,MAAM,SAAS,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,IAAI,UAAU,EAAE,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;IACjF,MAAM,WAAW,GAAG,cAAc,SAAS,EAAE,CAAC;IAC9C,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAE/C,OAAO;QACL,IAAI,EAAE,KAAK,EAAE,UAAwD,EAAE,EAAE;YACvE,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YAC1B,MAAM,QAAQ,GAAG;gBACf,EAAE,EAAE,MAAM;gBACV,MAAM,EAAE,MAAM;gBACd,IAAI,EAAE,QAAQ;gBACd,GAAG,EAAE,UAAU,CAAC,GAAG;gBACnB,IAAI,EAAE,UAAU,CAAC,IAAI;gBACrB,IAAI,EAAE,UAAU,CAAC,IAAI;aACtB,CAAC;YAEF,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,UAAU,CAAC;gBAC7C,OAAO,EAAE,MAAM,CAAC,GAAG;gBACnB,IAAI,EAAE,WAAW;gBACjB,IAAI,EAAE;oBACJ,MAAM,EAAE,KAAK;oBACb,OAAO,EAAE;wBACP,cAAc,EAAE,kBAAkB;wBAClC,MAAM,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;qBAC7B;oBACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,CAAC;iBACjC;gBACD,UAAU;gBACV,SAAS,EAAE,MAAM;gBACjB,YAAY,EAAE,gBAAgB;aAC/B,CAAC,CAAC;YAEH,IAAI,CAAC;gBACH,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,QAAQ,CAAC,MAAM,KAAK,GAAG,EAAE,CAAC;oBAC5C,MAAM,SAAS,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;oBACxC,MAAM,IAAI,KAAK,CAAC,gBAAgB,QAAQ,CAAC,MAAM,MAAM,SAAS,EAAE,CAAC,CAAC;gBACpE,CAAC;gBACD,OAAO,MAAM,CAAC;YAChB,CAAC;oBAAS,CAAC;gBACT,MAAM,OAAO,EAAE,CAAC;YAClB,CAAC;QACH,CAAC;QACD,MAAM,EAAE,KAAK,IAAI,EAAE;YACjB,6BAA6B;QAC/B,CAAC;KACF,CAAC;AACJ,CAAC"}