clementine-agent 1.0.44 → 1.0.46

package/dist/agent/assistant.js

@@ -1052,34 +1052,39 @@ Obsidian vault with YAML frontmatter, [[wikilinks]], #tags.
 **Remembering:** Durable facts → memory_write(action="update_memory"). Daily context → note_take / memory_write(action="append_daily"). New person → note_create. New task → task_add.
 Save important facts immediately; a background agent also extracts after each exchange.
 
-## Self-Configuration (don't make the owner edit config files)
+## Self-Configuration (never tell ${owner} to edit a config file)
 
-When ${owner} gives you an API key, access token, or similar credential in chat, **save it yourself** with \`env_set\`. Same for channel tokens, Salesforce creds, OAuth client IDs — anything that would otherwise live in \`.env\`. \`env_set(key, value)\` writes to \`~/.clementine/.env\` and hot-reloads into \`process.env\` so the next tool call can use it. No daemon restart needed for most cases (restart only if a channel adapter needs to re-auth).
+Clementine is self-configuring. Every credential, every integration, every tool permission can be set by calling a tool — no hand-editing.
 
-Use \`env_list\` to show what's configured (values masked) and \`env_unset\` to remove one. All three are owner-DM only — they'll refuse in channel messages or cron runs.
+### Integrations (Slack, Notion, Stripe, Salesforce, etc.)
 
-### Tool schema self-extension — READ CAREFULLY
+You have a declarative registry of every integration you can configure. Use it:
 
-Your \`allowedTools\` list is extensible. You can add tools to it yourself via \`allow_tool(name)\`. This is a persistent write that takes effect on your next query.
+- \`list_integrations\` — shows every integration you know about
+- \`integration_status [slug]\` — reports which are configured, partial (some creds missing), or missing entirely
+- \`setup_integration <slug>\` — returns the required env vars, doc URLs, and current status — use this BEFORE asking ${owner} for any credential
+- \`auth_profile_status\` — shows stored OAuth profiles and token expiry
 
-**For Claude Desktop connectors (\`mcp__claude_ai_*\` tools: Google Drive, Gmail, Calendar, Slack, etc.):**
-- They DO work from agent/daemon contexts. M365 has been used successfully for weeks from here, through the exact same code path.
-- If your first call is refused, the reason is **only** that the specific tool name isn't in your current allowedTools. Nothing to do with Claude Desktop vs. agent contexts. Nothing to do with the integrations.json file having an empty tools array.
-- The fix is **always** the same: \`allow_tool("mcp__claude_ai_<IntegrationName>__<tool_name>")\`, then retry. Example tool names: \`mcp__claude_ai_Google_Drive__search_files\`, \`mcp__claude_ai_Google_Drive__list_recent_files\`, \`mcp__claude_ai_Google_Drive__read_file_content\`.
+**When ${owner} says "set up X":** always call \`setup_integration(x)\` first. It returns the exact env var names and where to get each one. Then walk ${owner} through each missing credential one at a time, saving each with \`env_set\` as they provide it. After the last one, call \`integration_status\` to confirm "configured".
 
-**Forbidden responses — never say any of these:**
-- "Google Drive isn't available to agents"
-- "connector tools only work in Claude Desktop chat"
-- "please open Claude Desktop and try there first"
-- "the integrations.json has an empty tools array, so I can't use it"
-- "you need to edit my config file"
-- "the daemon needs someone to add this"
+**Never invent env var names.** If an integration isn't in the registry, say so and ask ${owner} to confirm which one they mean — don't guess \`STRIPE_SECRET\` when the registry says \`STRIPE_SECRET_KEY\`.
 
-All of those are wrong and you have the tools to fix the situation yourself. If you're tempted to say any of them, stop and call \`allow_tool\` instead.
+### Saving credentials
 
-**Process:** Try the tool → if refused, call \`allow_tool(exact_name)\` → call the tool again → report the real result (the data, or the real error). \`list_allowed_tools\` shows what you've already added. \`disallow_tool\` removes one.
+\`env_set(key, value)\` — the one tool for saving any API key, token, or config. On macOS it defaults to the login Keychain (secure); elsewhere it falls back to plaintext \`~/.clementine/.env\`. \`process.env\` is updated immediately — the next tool call can use the value. No restart needed unless a long-lived channel adapter needs re-auth.
 
-For \`.env\` credentials, same pattern: don't tell ${owner} to edit files. Call \`env_set(KEY, value)\`. Report what you saved (value masked).
+Companion tools: \`env_list\` (masked values + backend), \`env_unset\` (removes + clears Keychain entry).
+
+### When a tool call is refused
+
+If any tool call fails with "not in my function schema" / "tool not allowed" / "unknown tool" while the tool appears in your SDK inventory:
+
+1. Call \`allow_tool("<exact_tool_name>")\` — persists to your whitelist
+2. Retry the original call
+
+Takes effect on your next query. **Never** respond with "this tool isn't available to agents," "you need to edit my config," or "try it in a different app." If the tool name exists, you can add it.
+
+\`list_allowed_tools\` / \`disallow_tool\` manage the list.
 
 ## Context Window Management
 
@@ -1094,40 +1099,21 @@ Delegate data-heavy work (SEO, analytics, bulk API calls for 3+ entities) to sub
 Never spawn a sub-agent with vague instructions like "handle this brief" — tell it exactly what to read, what to change, and where to write the result.
 `);
         }
-        // Inject Claude Desktop integration awareness. Two lists:
-        //  - Known-confirmed: integrations the agent has actually used before
-        //    (persisted in claude-integrations.json). High confidence.
-        //  - Possibly-available: common integrations the owner may have connected
-        //    at claude.ai level that we don't have a usage record for yet. The
-        //    integrations-file is written reactively — only entries with
-        //    successful tool uses get captured — so a freshly-connected
-        //    Google Drive / Gmail / Slack connector is invisible to us until we
-        //    try it. Hint the agent that it can try these blindly; the tool
-        //    call will either succeed or return an auth error, at which point
-        //    the record gets captured.
+        // Inject Claude Desktop integration awareness. Derived from the probed
+        // SDK tool inventory — whatever the current user has connected at the
+        // claude.ai level shows up here automatically, no per-install hardcoding.
         try {
-            const integrations = _mcpBridge?.getClaudeIntegrations() ?? [];
-            const knownNames = new Set(integrations.map(ig => ig.name));
-            if (integrations.length > 0) {
-                const names = integrations.map(ig => ig.label).join(', ');
-                parts.push(`**Connected via Claude Desktop:** ${names}. Use their \`mcp__claude_ai_*\` tools (e.g. \`mcp__claude_ai_Google_Drive__search_files\`).`);
-            }
-            // Common integrations to speculatively mention. If the owner has
-            // connected any of these at claude.ai, the corresponding tool names
-            // will work even if no prior record exists.
-            const SPECULATIVE = [
-                ['Google_Drive', 'Google Drive'], ['Gmail', 'Gmail'],
-                ['Google_Calendar', 'Google Calendar'], ['Google_Workspace', 'Google Workspace'],
-                ['Slack', 'Slack'], ['Notion', 'Notion'], ['GitHub', 'GitHub'],
-                ['Linear', 'Linear'], ['Asana', 'Asana'], ['Jira', 'Jira'],
-                ['Dropbox', 'Dropbox'], ['Salesforce', 'Salesforce'],
-                ['Microsoft_365', 'Microsoft 365'],
-            ];
-            const maybe = SPECULATIVE.filter(([name]) => !knownNames.has(name)).map(([, label]) => label);
-            if (maybe.length > 0) {
-                parts.push(`**Possibly connected (try them — they'll either work or return an auth error):** ${maybe.join(', ')}. ` +
-                    `Tool names follow \`mcp__claude_ai_<IntegrationName>__<tool>\` — e.g. \`mcp__claude_ai_Google_Drive__search_files\`, \`mcp__claude_ai_Gmail__authenticate\`. ` +
-                    `Don't tell ${owner} an integration is "not available" without first attempting the tool call — a fresh connection won't be in your recorded list until after first use.`);
+            const inv = _mcpBridge?.loadToolInventory();
+            const labels = new Set();
+            if (inv?.tools) {
+                for (const t of inv.tools) {
+                    const m = t.match(/^mcp__claude_ai_([^_]+(?:_[^_]+)*)__/);
+                    if (m)
+                        labels.add(m[1].replace(/_/g, ' '));
+                }
+            }
+            if (labels.size > 0) {
+                parts.push(`**Claude Desktop integrations connected for this user:** ${[...labels].sort().join(', ')}. Call \`mcp__claude_ai_<Integration>__<tool>\` directly; the tool names and schemas are in your SDK inventory.`);
             }
         }
         catch { /* non-fatal */ }
@@ -1331,6 +1317,18 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
         }
         // Security rules are now appended to systemPrompt in buildOptions()
         // Volatile suffix — put last so the stable prefix above stays cache-friendly.
+        // Integration status — injected here (not in the stable prefix) because
+        // it changes as ${owner} configures new credentials, and we don't want
+        // every env_set to invalidate the cache.
+        if (!isAutonomous) {
+            try {
+                const { summarizeIntegrationStatus } = require('../config/integrations-registry.js');
+                const summary = summarizeIntegrationStatus(process.env);
+                if (summary)
+                    parts.push(`## Integration Status\n\n${summary}\n\nCall \`integration_status\`, \`list_integrations\`, or \`setup_integration\` for details.`);
+            }
+            catch { /* non-fatal */ }
+        }
         const channel = deriveChannel({ sessionKey, isAutonomous, cronTier });
         const resolvedModel = resolveModel(model) ?? MODEL;
         const modelLabel = Object.entries(MODELS).find(([, v]) => v === resolvedModel)?.[0] ?? resolvedModel;
@@ -1387,6 +1385,11 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             mcpTool('env_set'),
             mcpTool('env_list'),
             mcpTool('env_unset'),
+            // Integration registry — proactive configuration
+            mcpTool('integration_status'),
+            mcpTool('list_integrations'),
+            mcpTool('setup_integration'),
+            mcpTool('auth_profile_status'),
             // Self-service tool whitelist — Clementine can add tools she discovers
             // in the SDK init inventory but that aren't in her baseline allowedTools
             mcpTool('allow_tool'),
@@ -1449,28 +1452,26 @@ You have a cost budget per message — not a hard turn limit. Work until the tas
             }
         }
         catch { /* non-fatal — dynamic tools are supplementary */ }
-        // Claude Desktop connector tools (mcp__claude_ai_*). These reach the SDK
-        // subprocess via Claude Code's runtime but are NOT added to allowedTools
-        // automatically — which caused the model to see them in the init
-        // inventory but get refused when it tried to call one ("not in my
-        // function schema"). Add every tool from every auto-registered
-        // integration (populated from the SDK init message on prior queries) so
-        // the whitelist matches reality.
+        // Merge the SDK's probed tool inventory. On daemon startup we run a
+        // one-shot query with no whitelist to discover every tool Claude Code
+        // surfaces (mcp__claude_ai_* connectors, plugins, custom MCP servers,
+        // built-ins). The inventory is cached 24h. This makes the whitelist
+        // match whatever the *current user* has connected — no per-install
+        // hardcoding of tool names in the system prompt or code.
         try {
-            const integrations = _mcpBridge?.getClaudeIntegrations() ?? [];
-            for (const ig of integrations) {
-                for (const tool of ig.tools) {
-                    const fullName = `mcp__claude_ai_${ig.name}__${tool}`;
-                    if (!allowedTools.includes(fullName))
-                        allowedTools.push(fullName);
+            const inv = _mcpBridge?.loadToolInventory();
+            if (inv && Array.isArray(inv.tools)) {
+                for (const t of inv.tools) {
+                    if (typeof t === 'string' && !allowedTools.includes(t))
+                        allowedTools.push(t);
                 }
             }
         }
         catch { /* non-fatal */ }
         // Self-service extension — Clementine can add tools to her own whitelist
         // at runtime via the `allow_tool` MCP tool, writing to allowed-tools-
-        // extra.json. This eliminates the "tool not in schema → dead end → tell
-        // owner to edit config" failure pattern. See admin-tools.ts:allow_tool.
+        // extra.json. Covers the case where a user connects a new integration
+        // between daemon startup probes (< 24h window).
         try {
             const extraPath = path.join(BASE_DIR, 'allowed-tools-extra.json');
             if (fs.existsSync(extraPath)) {

package/dist/agent/mcp-bridge.d.ts

@@ -54,6 +54,22 @@ export declare function loadClaudeIntegrations(): Record<string, ClaudeIntegrati
 export declare function recordClaudeIntegrationUse(toolName: string): void;
 /** Get all discovered Claude Desktop integrations as a list. */
 export declare function getClaudeIntegrations(): ClaudeIntegration[];
+export interface ToolInventory {
+    /** ISO timestamp of the probe */
+    probedAt: string;
+    /** Full list of tool names the SDK reported in init.tools when no whitelist was applied */
+    tools: string[];
+}
+export declare function loadToolInventory(): ToolInventory | null;
+/**
+ * Run a minimal SDK query with NO tool whitelist so the init message
+ * returns every tool Claude Code is actually surfacing — claude_ai_*
+ * connectors, plugins, built-ins, custom MCP servers. Cached for 24h.
+ * This removes any need to hardcode user-specific tool names in the
+ * system prompt; whatever Claude Desktop is currently connecting to the
+ * user's account becomes automatically available to the agent.
+ */
+export declare function probeAvailableTools(force?: boolean): Promise<ToolInventory>;
 /**
  * Register every integration found in a tool inventory. The SDK's system
  * init message (subtype='init') includes a `tools: string[]` with the full

package/dist/agent/mcp-bridge.js

@@ -384,6 +384,73 @@ export function recordClaudeIntegrationUse(toolName) {
 export function getClaudeIntegrations() {
     return Object.values(loadClaudeIntegrations());
 }
+// ── SDK tool inventory probe ───────────────────────────────────────────
+const TOOL_INVENTORY_FILE = path.join(BASE_DIR, '.tool-inventory.json');
+const TOOL_INVENTORY_MAX_AGE_MS = 24 * 60 * 60 * 1000; // 24h
+export function loadToolInventory() {
+    try {
+        if (!existsSync(TOOL_INVENTORY_FILE))
+            return null;
+        const data = JSON.parse(readFileSync(TOOL_INVENTORY_FILE, 'utf-8'));
+        if (!Array.isArray(data.tools))
+            return null;
+        return data;
+    }
+    catch {
+        return null;
+    }
+}
+function saveToolInventory(inv) {
+    try {
+        writeFileSync(TOOL_INVENTORY_FILE, JSON.stringify(inv, null, 2));
+    }
+    catch { /* non-fatal */ }
+}
+/**
+ * Run a minimal SDK query with NO tool whitelist so the init message
+ * returns every tool Claude Code is actually surfacing — claude_ai_*
+ * connectors, plugins, built-ins, custom MCP servers. Cached for 24h.
+ * This removes any need to hardcode user-specific tool names in the
+ * system prompt; whatever Claude Desktop is currently connecting to the
+ * user's account becomes automatically available to the agent.
+ */
+export async function probeAvailableTools(force = false) {
+    const cached = loadToolInventory();
+    if (!force && cached) {
+        const age = Date.now() - Date.parse(cached.probedAt);
+        if (Number.isFinite(age) && age < TOOL_INVENTORY_MAX_AGE_MS)
+            return cached;
+    }
+    try {
+        const { query } = await import('@anthropic-ai/claude-agent-sdk');
+        const stream = query({
+            prompt: 'ok',
+            options: {
+                systemPrompt: 'Reply ok.',
+                model: 'claude-haiku-4-5',
+                permissionMode: 'bypassPermissions',
+                allowDangerouslySkipPermissions: true,
+            },
+        });
+        let tools = [];
+        for await (const msg of stream) {
+            if (msg?.type === 'system' && msg?.subtype === 'init' && Array.isArray(msg.tools)) {
+                tools = msg.tools;
+                break;
+            }
+            if (msg?.type === 'result')
+                break;
+        }
+        const inv = { probedAt: new Date().toISOString(), tools };
+        saveToolInventory(inv);
+        logger.info({ toolCount: tools.length }, 'Tool inventory probed');
+        return inv;
+    }
+    catch (err) {
+        logger.warn({ err }, 'Tool inventory probe failed — using cached or empty');
+        return cached ?? { probedAt: new Date(0).toISOString(), tools: [] };
+    }
+}
 /**
  * Register every integration found in a tool inventory. The SDK's system
  * init message (subtype='init') includes a `tools: string[]` with the full

package/dist/config/integrations-registry.d.ts

@@ -0,0 +1,80 @@
+/**
+ * Clementine TypeScript — Integration registry.
+ *
+ * Declarative metadata for every integration Clementine knows how to set up.
+ * The registry is the single source of truth for:
+ *   - What env vars an integration needs
+ *   - Where to get each credential (doc URLs)
+ *   - Whether the integration is configured right now
+ *   - How to surface gaps to the owner proactively
+ *
+ * Used by:
+ *   - integration_status()  — reports configured/partial/missing per integration
+ *   - setup_integration()   — walks the owner through setup conversationally
+ *   - list_integrations()   — enumerates what's available
+ *   - System prompt         — "Notion is configured, Stripe needs STRIPE_API_KEY"
+ *
+ * Replaces the previous pattern where the agent had to recall from chat
+ * history or invent which env vars a provider needs — the registry tells her
+ * exactly, with docs links, so she never has to guess.
+ */
+export type IntegrationKind = 'api-key' | 'oauth' | 'hybrid' | 'channel';
+export interface IntegrationRequirement {
+    /** Env var name (uppercase, underscores). */
+    envVar: string;
+    /** One-line description shown during setup. */
+    label: string;
+    /** Whether this credential is required (false = optional). */
+    required: boolean;
+    /** Doc link where the owner can find or generate this credential. */
+    docUrl?: string;
+    /** Optional regex the value must match (for early validation). */
+    pattern?: RegExp;
+    /** If true, value is long-lived (API key). If false, short-lived (OAuth token). */
+    persistent?: boolean;
+}
+export interface IntegrationDefinition {
+    /** Machine-readable slug (kebab-case). */
+    slug: string;
+    /** Human-friendly label. */
+    label: string;
+    /** One-line summary shown in status output. */
+    description: string;
+    /** Credential style. */
+    kind: IntegrationKind;
+    /** Required + optional env vars. */
+    requirements: IntegrationRequirement[];
+    /** Top-level docs URL. */
+    docUrl?: string;
+    /** Tools/capabilities this integration unlocks, for the status panel. */
+    capabilities?: string[];
+}
+/**
+ * The curated registry. Keep entries alphabetical within each kind for
+ * easier scanning. Adding a new integration: declare it here, and both
+ * integration_status and setup_integration automatically pick it up.
+ */
+export declare const INTEGRATIONS: IntegrationDefinition[];
+export type IntegrationStatus = 'configured' | 'partial' | 'missing';
+export interface IntegrationStatusReport {
+    slug: string;
+    label: string;
+    status: IntegrationStatus;
+    /** All required env vars that are currently set. */
+    have: string[];
+    /** Required env vars that are missing. */
+    missing: string[];
+    /** Optional env vars that are missing (informational only). */
+    optionalMissing: string[];
+    /** Helpful setup link. */
+    docUrl?: string;
+}
+/**
+ * Classify each integration against the current environment.
+ * Pure function — caller passes in env so this is testable.
+ */
+export declare function classifyIntegrations(env: NodeJS.ProcessEnv, slugs?: string[]): IntegrationStatusReport[];
+export declare function findIntegration(slug: string): IntegrationDefinition | undefined;
+/** A short one-line summary for prompt injection. */
+export declare function summarizeIntegrationStatus(env: NodeJS.ProcessEnv): string;
+//# sourceMappingURL=integrations-registry.d.ts.map

package/dist/config/integrations-registry.js

@@ -0,0 +1,268 @@
+/**
+ * Clementine TypeScript — Integration registry.
+ *
+ * Declarative metadata for every integration Clementine knows how to set up.
+ * The registry is the single source of truth for:
+ *   - What env vars an integration needs
+ *   - Where to get each credential (doc URLs)
+ *   - Whether the integration is configured right now
+ *   - How to surface gaps to the owner proactively
+ *
+ * Used by:
+ *   - integration_status()  — reports configured/partial/missing per integration
+ *   - setup_integration()   — walks the owner through setup conversationally
+ *   - list_integrations()   — enumerates what's available
+ *   - System prompt         — "Notion is configured, Stripe needs STRIPE_API_KEY"
+ *
+ * Replaces the previous pattern where the agent had to recall from chat
+ * history or invent which env vars a provider needs — the registry tells her
+ * exactly, with docs links, so she never has to guess.
+ */
+/**
+ * The curated registry. Keep entries alphabetical within each kind for
+ * easier scanning. Adding a new integration: declare it here, and both
+ * integration_status and setup_integration automatically pick it up.
+ */
+export const INTEGRATIONS = [
+    // NOTE: Anthropic auth is handled through `clementine login` (OAuth) or
+    // the ANTHROPIC_API_KEY env var — it's foundational and managed outside
+    // this registry because the auth path isn't uniform.
+    // ── Channels ──────────────────────────────────────────────────────
+    {
+        slug: 'discord',
+        label: 'Discord',
+        description: 'Main chat channel. Bot token + owner ID required.',
+        kind: 'channel',
+        docUrl: 'https://discord.com/developers/applications',
+        capabilities: ['chat', 'DMs', 'agent bots', 'notifications'],
+        requirements: [
+            { envVar: 'DISCORD_TOKEN', label: 'Bot token', required: true, docUrl: 'https://discord.com/developers/applications', persistent: true },
+            { envVar: 'DISCORD_OWNER_ID', label: 'Your Discord user ID (right-click your name → Copy User ID)', required: true, pattern: /^\d{15,22}$/, persistent: true },
+        ],
+    },
+    {
+        slug: 'slack',
+        label: 'Slack',
+        description: 'Alternate chat channel. Socket-mode app with bot + app tokens.',
+        kind: 'channel',
+        docUrl: 'https://api.slack.com/apps',
+        capabilities: ['chat', 'DMs', 'channel posts'],
+        requirements: [
+            { envVar: 'SLACK_BOT_TOKEN', label: 'Bot token (xoxb-...)', required: true, docUrl: 'https://api.slack.com/apps', pattern: /^xoxb-/, persistent: true },
+            { envVar: 'SLACK_APP_TOKEN', label: 'App-level token (xapp-...)', required: true, docUrl: 'https://api.slack.com/apps', pattern: /^xapp-/, persistent: true },
+            { envVar: 'SLACK_OWNER_USER_ID', label: 'Your Slack user ID (starts with U)', required: false, pattern: /^U[A-Z0-9]{6,}$/, persistent: true },
+        ],
+    },
+    {
+        slug: 'telegram',
+        label: 'Telegram',
+        description: 'Chat channel via Bot API.',
+        kind: 'channel',
+        docUrl: 'https://core.telegram.org/bots',
+        capabilities: ['chat', 'DMs'],
+        requirements: [
+            { envVar: 'TELEGRAM_BOT_TOKEN', label: 'Bot token from @BotFather', required: true, docUrl: 'https://t.me/BotFather', persistent: true },
+            { envVar: 'TELEGRAM_OWNER_CHAT_ID', label: 'Your Telegram chat ID', required: false, pattern: /^-?\d+$/, persistent: true },
+        ],
+    },
+    {
+        slug: 'whatsapp',
+        label: 'WhatsApp (via Twilio)',
+        description: 'Chat channel via Twilio WhatsApp API.',
+        kind: 'channel',
+        docUrl: 'https://www.twilio.com/docs/whatsapp',
+        capabilities: ['chat', 'DMs'],
+        requirements: [
+            { envVar: 'TWILIO_ACCOUNT_SID', label: 'Twilio account SID (AC...)', required: true, pattern: /^AC[a-f0-9]{32}$/i, persistent: true },
+            { envVar: 'TWILIO_AUTH_TOKEN', label: 'Twilio auth token', required: true, persistent: true },
+            { envVar: 'TWILIO_WHATSAPP_FROM', label: 'Twilio WhatsApp sender (whatsapp:+14155238886)', required: true, persistent: true },
+            { envVar: 'WHATSAPP_OWNER_NUMBER', label: 'Your WhatsApp number (E.164 format, e.g. +15551234567)', required: true, pattern: /^\+\d{8,15}$/, persistent: true },
+        ],
+    },
+    // ── Productivity / knowledge ──────────────────────────────────────
+    {
+        slug: 'notion',
+        label: 'Notion',
+        description: 'Read/write Notion pages and databases via integration.',
+        kind: 'api-key',
+        docUrl: 'https://www.notion.so/my-integrations',
+        capabilities: ['docs', 'databases', 'task tracking'],
+        requirements: [
+            { envVar: 'NOTION_API_KEY', label: 'Internal integration secret (secret_... or ntn_...)', required: true, docUrl: 'https://www.notion.so/my-integrations', persistent: true },
+        ],
+    },
+    {
+        slug: 'linear',
+        label: 'Linear',
+        description: 'Issue tracking and project management.',
+        kind: 'api-key',
+        docUrl: 'https://linear.app/settings/api',
+        capabilities: ['issues', 'projects', 'teams'],
+        requirements: [
+            { envVar: 'LINEAR_API_KEY', label: 'Personal API key (lin_api_...)', required: true, docUrl: 'https://linear.app/settings/api', pattern: /^lin_api_/, persistent: true },
+        ],
+    },
+    {
+        slug: 'github',
+        label: 'GitHub',
+        description: 'Read PRs, issues, manage releases.',
+        kind: 'api-key',
+        docUrl: 'https://github.com/settings/tokens',
+        capabilities: ['pull requests', 'issues', 'releases'],
+        requirements: [
+            { envVar: 'GITHUB_TOKEN', label: 'Personal access token (ghp_... or github_pat_...)', required: true, docUrl: 'https://github.com/settings/tokens?type=beta', pattern: /^(ghp_|github_pat_)/, persistent: true },
+        ],
+    },
+    // ── Email / calendar (OAuth) ──────────────────────────────────────
+    {
+        slug: 'microsoft-365',
+        label: 'Microsoft 365 (Outlook/Graph)',
+        description: 'Email, calendar, Teams, SharePoint via Microsoft Graph. OAuth app-only or delegated.',
+        kind: 'oauth',
+        docUrl: 'https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade',
+        capabilities: ['outlook inbox', 'outlook send', 'calendar', 'teams chat'],
+        requirements: [
+            { envVar: 'MS_TENANT_ID', label: 'Azure AD tenant ID', required: true, pattern: /^[a-f0-9-]{36}$/i, persistent: true },
+            { envVar: 'MS_CLIENT_ID', label: 'App registration client ID', required: true, pattern: /^[a-f0-9-]{36}$/i, persistent: true },
+            { envVar: 'MS_CLIENT_SECRET', label: 'App registration client secret value', required: true, persistent: true },
+            { envVar: 'MS_USER_EMAIL', label: 'Your primary email (used for delegated calls)', required: false, pattern: /@/, persistent: true },
+        ],
+    },
+    // ── CRM / sales ───────────────────────────────────────────────────
+    {
+        slug: 'salesforce',
+        label: 'Salesforce',
+        description: 'CRM access via SOAP/REST. Username + password + token flow.',
+        kind: 'api-key',
+        docUrl: 'https://help.salesforce.com/s/articleView?id=sf.code_sample_auth_api_oauth.htm',
+        capabilities: ['leads', 'contacts', 'opportunities', 'custom objects'],
+        requirements: [
+            { envVar: 'SF_INSTANCE_URL', label: 'Salesforce instance URL (https://your-org.my.salesforce.com)', required: true, pattern: /^https?:\/\//, persistent: true },
+            { envVar: 'SF_CLIENT_ID', label: 'Connected app consumer key', required: true, persistent: true },
+            { envVar: 'SF_CLIENT_SECRET', label: 'Connected app consumer secret', required: true, persistent: true },
+            { envVar: 'SF_USERNAME', label: 'Salesforce username (email)', required: true, pattern: /@/, persistent: true },
+            { envVar: 'SF_PASSWORD', label: 'Salesforce password + security token concatenated', required: true, persistent: true },
+        ],
+    },
+    // ── AI auxiliaries ────────────────────────────────────────────────
+    {
+        slug: 'openai',
+        label: 'OpenAI',
+        description: 'GPT + Whisper (used for auxiliary tasks and fallback).',
+        kind: 'api-key',
+        docUrl: 'https://platform.openai.com/api-keys',
+        capabilities: ['transcription', 'image generation', 'fallback model'],
+        requirements: [
+            { envVar: 'OPENAI_API_KEY', label: 'API key (sk-...)', required: true, docUrl: 'https://platform.openai.com/api-keys', pattern: /^sk-/, persistent: true },
+        ],
+    },
+    {
+        slug: 'elevenlabs',
+        label: 'ElevenLabs',
+        description: 'Text-to-speech for voice replies.',
+        kind: 'api-key',
+        docUrl: 'https://elevenlabs.io/app/settings/api-keys',
+        capabilities: ['voice synthesis'],
+        requirements: [
+            { envVar: 'ELEVENLABS_API_KEY', label: 'API key', required: true, docUrl: 'https://elevenlabs.io/app/settings/api-keys', persistent: true },
+        ],
+    },
+    {
+        slug: 'groq',
+        label: 'Groq',
+        description: 'Fast inference, used for real-time transcription.',
+        kind: 'api-key',
+        docUrl: 'https://console.groq.com/keys',
+        capabilities: ['voice transcription'],
+        requirements: [
+            { envVar: 'GROQ_API_KEY', label: 'API key (gsk_...)', required: true, docUrl: 'https://console.groq.com/keys', pattern: /^gsk_/, persistent: true },
+        ],
+    },
+    {
+        slug: 'google-ai',
+        label: 'Google AI (Gemini)',
+        description: 'Used for video analysis and multimodal tasks.',
+        kind: 'api-key',
+        docUrl: 'https://aistudio.google.com/apikey',
+        capabilities: ['video analysis', 'multimodal'],
+        requirements: [
+            { envVar: 'GOOGLE_API_KEY', label: 'Gemini API key', required: true, docUrl: 'https://aistudio.google.com/apikey', persistent: true },
+        ],
+    },
+    // ── Payments ──────────────────────────────────────────────────────
+    {
+        slug: 'stripe',
+        label: 'Stripe',
+        description: 'Payments read/write (one-off or recurring).',
+        kind: 'api-key',
+        docUrl: 'https://dashboard.stripe.com/apikeys',
+        capabilities: ['customers', 'payments', 'subscriptions'],
+        requirements: [
+            { envVar: 'STRIPE_SECRET_KEY', label: 'Secret key (sk_live_... or sk_test_...)', required: true, docUrl: 'https://dashboard.stripe.com/apikeys', pattern: /^sk_(live|test)_/, persistent: true },
+        ],
+    },
+];
+/**
+ * Classify each integration against the current environment.
+ * Pure function — caller passes in env so this is testable.
+ */
+export function classifyIntegrations(env, slugs) {
+    const targets = slugs?.length
+        ? INTEGRATIONS.filter(i => slugs.includes(i.slug))
+        : INTEGRATIONS;
+    return targets.map(integration => {
+        const required = integration.requirements.filter(r => r.required);
+        const optional = integration.requirements.filter(r => !r.required);
+        const have = [];
+        const missing = [];
+        for (const req of required) {
+            if (env[req.envVar])
+                have.push(req.envVar);
+            else
+                missing.push(req.envVar);
+        }
+        const optionalMissing = optional
+            .filter(r => !env[r.envVar])
+            .map(r => r.envVar);
+        let status;
+        if (missing.length === 0 && have.length > 0)
+            status = 'configured';
+        else if (have.length > 0)
+            status = 'partial';
+        else
+            status = 'missing';
+        // Special case for hybrid: "have" counts if ANY required-or-alternative is set.
+        if (integration.kind === 'hybrid' && missing.length > 0 && integration.requirements.some(r => env[r.envVar])) {
+            status = 'configured';
+        }
+        return {
+            slug: integration.slug,
+            label: integration.label,
+            status,
+            have,
+            missing,
+            optionalMissing,
+            docUrl: integration.docUrl,
+        };
+    });
+}
+export function findIntegration(slug) {
+    const normalized = slug.trim().toLowerCase();
+    return INTEGRATIONS.find(i => i.slug === normalized);
+}
+/** A short one-line summary for prompt injection. */
+export function summarizeIntegrationStatus(env) {
+    const reports = classifyIntegrations(env);
+    const configured = reports.filter(r => r.status === 'configured').map(r => r.label);
+    const partial = reports.filter(r => r.status === 'partial').map(r => `${r.label} (missing ${r.missing.join(', ')})`);
+    const missing = reports.filter(r => r.status === 'missing').map(r => r.label);
+    const lines = [];
+    if (configured.length > 0)
+        lines.push(`**Configured:** ${configured.join(', ')}`);
+    if (partial.length > 0)
+        lines.push(`**Partial:** ${partial.join('; ')}`);
+    if (missing.length > 0)
+        lines.push(`**Available but not configured:** ${missing.join(', ')}`);
+    return lines.join('\n');
+}
+//# sourceMappingURL=integrations-registry.js.map