liangzimixin 0.2.5 → 0.2.7

package/dist/index.cjs

@@ -2233,7 +2233,7 @@ var require_websocket = __commonJS({
     var http = require("http");
     var net = require("net");
     var tls = require("tls");
-    var { randomBytes: randomBytes3, createHash } = require("crypto");
+    var { randomBytes: randomBytes2, createHash } = require("crypto");
     var { Duplex, Readable } = require("stream");
     var { URL: URL2 } = require("url");
     var PerMessageDeflate = require_permessage_deflate();
@@ -2763,7 +2763,7 @@ var require_websocket = __commonJS({
         }
       }
       const defaultPort = isSecure ? 443 : 80;
-      const key = randomBytes3(16).toString("base64");
+      const key = randomBytes2(16).toString("base64");
       const request = isSecure ? https.request : http.request;
       const protocolSet = /* @__PURE__ */ new Set();
       let perMessageDeflate;
@@ -3658,7 +3658,7 @@ __export(index_exports, {
   startPlugin: () => startPlugin
 });
 module.exports = __toCommonJS(index_exports);
-var import_node_path2 = require("path");
+var import_node_path3 = require("path");
 var import_node_os = require("os");
 
 // node_modules/zod/v4/classic/external.js
@@ -17454,6 +17454,14 @@ var AccountConfigSchema = external_exports.object({
   "quantum-appId": external_exports.string().min(1, "quantum-appId \u4E0D\u80FD\u4E3A\u7A7A"),
   /** 🔴 量子服务密钥 — 用于量子密钥分发 */
   "quantum-appSecret": external_exports.string().min(1, "quantum-appSecret \u4E0D\u80FD\u4E3A\u7A7A"),
+  /** 🔴 PIN 口令 — 保护本地敏感数据 (切勿泄露, 修改后需删除旧密钥数据) */
+  pin: external_exports.string().min(1, "pin \u4E0D\u80FD\u4E3A\u7A7A"),
+  /**
+   * 🟡 量子密服地址 — 默认生产环境
+   * 测试环境: http://223.244.14.238:8552
+   * 生产环境: https://cmsp.zdxlz.com:8552
+   */
+  "quantum-url": external_exports.string().url().optional().default("https://cmsp.zdxlz.com:8552"),
   /**
    * 🟡 Bot 自己的用户 ID — 用于 anti-loop 检查
    * 如果不填，需要通过其他 API 在运行时获取。
@@ -17465,6 +17473,8 @@ var AccountConfigSchema = external_exports.object({
   quantumAccount: raw["quantum-account"],
   quantumAppId: raw["quantum-appId"],
   quantumAppSecret: raw["quantum-appSecret"],
+  pin: raw.pin,
+  quantumUrl: raw["quantum-url"],
   botUserId: raw.botUserId
 }));
 var DEFAULT_INTERNAL_CONFIG = {
@@ -17483,10 +17493,7 @@ var DEFAULT_INTERNAL_CONFIG = {
     }
   },
   auth: {
-    serverUrl: process.env.LZMX_AUTH_URL || "https://seal.example.com",
-    clientName: "liangzimixin",
-    scopes: ["openid", "im_sdk", "data_operate", "offline_access"],
-    autoRegister: true,
+    serverUrl: process.env.LZMX_AUTH_URL || "https://imtwo.zdxlz.com/open-apis/v1",
     refreshAheadMs: 3e5
   },
   crypto: {
@@ -17974,7 +17981,7 @@ async function resolveAndUploadMedia(params) {
       };
     }
     const msgType = fileType;
-    const contentPayload = fileType === "file" ? { fileKey: uploadResult.fileKey, filename: fileName, size: uploadResult.fileSize } : { fileKey: uploadResult.fileKey };
+    const contentPayload = fileType === "file" ? { fileId: uploadResult.fileKey, fileName, size: uploadResult.fileSize } : { fileId: uploadResult.fileKey };
     await messagePipe.sendMessage({
       chatId,
       senderId: chatId,
@@ -17984,7 +17991,7 @@ async function resolveAndUploadMedia(params) {
     });
     log3.info("media:sent", {
       chatId,
-      fileKey: uploadResult.fileKey,
+      fileId: uploadResult.fileKey,
       msgType
     });
     return {
@@ -18111,20 +18118,20 @@ ${body}` : body || raw.content;
     }
     case "image": {
       const c = parsed;
-      fileId = c?.fileKey;
+      fileId = c?.fileId;
       text = c?.altText ?? (fileId ? `![image](${fileId})` : "[image]");
       break;
     }
     case "file": {
       const c = parsed;
-      fileId = c?.fileKey;
-      fileName = c?.filename;
+      fileId = c?.fileId;
+      fileName = c?.fileName;
       text = fileName ? `[File: ${fileName}]` : "[file]";
       break;
     }
     case "voice": {
       const c = parsed;
-      fileId = c?.fileKey;
+      fileId = c?.fileId;
       const durationMs = c?.duration;
       const durationStr = durationMs != null ? ` ${(durationMs / 1e3).toFixed(1)}s` : "";
       text = `[Voice${durationStr}]`;
@@ -18132,7 +18139,7 @@ ${body}` : body || raw.content;
     }
     case "video": {
       const c = parsed;
-      fileId = c?.fileKey;
+      fileId = c?.fileId;
       const durationMs = c?.duration;
       const durationStr = durationMs != null ? ` ${(durationMs / 1e3).toFixed(1)}s` : "";
       text = `[Video${durationStr}]`;
@@ -18454,7 +18461,7 @@ var QUANTUM_IM_CONFIG_JSON_SCHEMA = {
   title: "\u91CF\u5B50\u5BC6\u4FE1 IM \u63D2\u4EF6\u914D\u7F6E",
   description: "\u5BC6\u4FE1 IM Channel \u63D2\u4EF6\uFF0C\u652F\u6301\u91CF\u5B50\u52A0\u5BC6\u7684\u5B89\u5168\u5373\u65F6\u901A\u4FE1\u3002",
   type: "object",
-  required: ["appId", "appSecret", "quantum-account", "quantum-appId", "quantum-appSecret"],
+  required: ["appId", "appSecret", "quantum-account", "quantum-appId", "quantum-appSecret", "pin"],
   properties: {
     appId: {
       type: "string",
@@ -18488,6 +18495,19 @@ var QUANTUM_IM_CONFIG_JSON_SCHEMA = {
       minLength: 1,
       format: "password"
     },
+    pin: {
+      type: "string",
+      title: "PIN \u53E3\u4EE4",
+      description: "\u4FDD\u62A4\u672C\u5730\u654F\u611F\u6570\u636E\u7684\u53E3\u4EE4\uFF0C\u7531\u7528\u6237\u81EA\u5B9A\u4E49\uFF08\u5207\u52FF\u6CC4\u9732\uFF0C\u4FEE\u6539\u540E\u8BF7\u5220\u9664\u65E7\u5BC6\u94A5\u6570\u636E\uFF09",
+      minLength: 1,
+      format: "password"
+    },
+    "quantum-url": {
+      type: "string",
+      title: "\u91CF\u5B50\u5BC6\u670D\u5730\u5740",
+      description: "\u91CF\u5B50\u5BC6\u94A5\u7BA1\u7406\u670D\u52A1\u5730\u5740\u3002\u6D4B\u8BD5\u73AF\u5883: http://223.244.14.238:8552\uFF0C\u751F\u4EA7\u73AF\u5883: https://cmsp.zdxlz.com:8552",
+      default: "https://cmsp.zdxlz.com:8552"
+    },
     botUserId: {
       type: "string",
       title: "Bot \u7528\u6237 ID",
@@ -18538,14 +18558,20 @@ function resolveAccount(cfg, accountId) {
 
 // src/channel/onboarding.ts
 var import_plugin_sdk2 = require("openclaw/plugin-sdk");
+function getChannelSection(cfg) {
+  return cfg.channels?.[CHANNEL_ID];
+}
+function getDefaultAccount(cfg) {
+  const section = getChannelSection(cfg);
+  if (!section?.accounts) return void 0;
+  return section.accounts.default;
+}
 function isConfigured(cfg) {
-  const section = getChannelConfig(cfg);
-  if (!section?.accounts) return false;
-  const defaultAccount = section.accounts.default;
-  if (!defaultAccount) return false;
-  return AccountConfigSchema.safeParse(defaultAccount).success;
+  const account = getDefaultAccount(cfg);
+  if (!account) return false;
+  return AccountConfigSchema.safeParse(account).success;
 }
-var required2 = (v) => String(v ?? "").trim() ? void 0 : "\u4E0D\u80FD\u4E3A\u7A7A";
+var required2 = (v) => v.trim() ? void 0 : "\u4E0D\u80FD\u4E3A\u7A7A";
 var quantumImOnboarding = {
   channel: CHANNEL_ID,
   async getStatus({ cfg }) {
@@ -18559,43 +18585,84 @@ var quantumImOnboarding = {
     };
   },
   async configure({ cfg, prompter }) {
+    const existing = getDefaultAccount(cfg) ?? {};
+    const alreadyConfigured = isConfigured(cfg);
+    if (alreadyConfigured) {
+      const reconfigure = await prompter.confirm({
+        message: "\u91CF\u5B50\u5BC6\u4FE1\u51ED\u636E\u5DF2\u914D\u7F6E\uFF0C\u662F\u5426\u91CD\u65B0\u914D\u7F6E\uFF1F",
+        initialValue: false
+      });
+      if (!reconfigure) {
+        return { cfg, accountId: import_plugin_sdk2.DEFAULT_ACCOUNT_ID };
+      }
+    }
     await prompter.note(
       [
         "\u8BF7\u51C6\u5907\u4EE5\u4E0B\u4FE1\u606F:",
         "  1. \u5E73\u53F0\u7533\u8BF7\u7684 appId \u548C appSecret",
         "  2. \u91CF\u5B50\u52A0\u5BC6\u670D\u52A1\u7684\u8D26\u6237\u3001appId \u548C appSecret",
+        "  3. \u4FDD\u62A4\u672C\u5730\u5BC6\u94A5\u6570\u636E\u7684 PIN \u53E3\u4EE4",
         "",
         "\u5982\u6709\u7591\u95EE\u8BF7\u8054\u7CFB\u5E73\u53F0\u7BA1\u7406\u5458\u83B7\u53D6\u3002"
       ].join("\n"),
       "\u91CF\u5B50\u5BC6\u4FE1 \u2014 \u51ED\u636E\u914D\u7F6E"
     );
-    const existing = getChannelConfig(cfg)?.accounts?.default ?? {};
     const appId = await prompter.text({
       message: "\u5E94\u7528 ID (appId)",
-      initialValue: existing.appId,
+      initialValue: existing.appId ?? void 0,
       validate: required2
     });
     const appSecret = await prompter.text({
       message: "\u5E94\u7528\u5BC6\u94A5 (appSecret)",
-      initialValue: existing.appSecret,
+      initialValue: existing.appSecret ?? void 0,
       validate: required2
     });
     const quantumAccount = await prompter.text({
       message: "\u91CF\u5B50\u8D26\u6237\u6807\u8BC6 (quantum-account)",
       placeholder: "\u5982: 17100001111",
-      initialValue: existing["quantum-account"],
+      initialValue: existing["quantum-account"] ?? void 0,
       validate: required2
     });
     const quantumAppId = await prompter.text({
       message: "\u91CF\u5B50\u670D\u52A1 ID (quantum-appId)",
-      initialValue: existing["quantum-appId"],
+      initialValue: existing["quantum-appId"] ?? void 0,
       validate: required2
     });
     const quantumAppSecret = await prompter.text({
       message: "\u91CF\u5B50\u670D\u52A1\u5BC6\u94A5 (quantum-appSecret)",
-      initialValue: existing["quantum-appSecret"],
+      initialValue: existing["quantum-appSecret"] ?? void 0,
       validate: required2
     });
+    const pin = await prompter.text({
+      message: "PIN \u53E3\u4EE4 (\u4FDD\u62A4\u672C\u5730\u654F\u611F\u6570\u636E, \u5207\u52FF\u6CC4\u9732)",
+      initialValue: existing.pin ?? void 0,
+      validate: required2
+    });
+    const urlChoice = await prompter.select({
+      message: "\u91CF\u5B50\u5BC6\u670D\u73AF\u5883",
+      options: [
+        { value: "https://cmsp.zdxlz.com:8552", label: "\u751F\u4EA7\u73AF\u5883", hint: "https://cmsp.zdxlz.com:8552" },
+        { value: "http://223.244.14.238:8552", label: "\u6D4B\u8BD5\u73AF\u5883", hint: "http://223.244.14.238:8552" },
+        { value: "custom", label: "\u81EA\u5B9A\u4E49\u5730\u5740" }
+      ],
+      initialValue: existing["quantum-url"] ?? "https://cmsp.zdxlz.com:8552"
+    });
+    let quantumUrl = urlChoice;
+    if (urlChoice === "custom") {
+      quantumUrl = await prompter.text({
+        message: "\u8BF7\u8F93\u5165\u91CF\u5B50\u5BC6\u670D\u5730\u5740",
+        placeholder: "https://your-server:8552",
+        validate: (v) => {
+          if (!v.trim()) return "\u4E0D\u80FD\u4E3A\u7A7A";
+          try {
+            new URL(v);
+          } catch {
+            return "\u8BF7\u8F93\u5165\u5408\u6CD5\u7684 URL";
+          }
+          return void 0;
+        }
+      });
+    }
     const channels = cfg.channels ?? {};
     const channelCfg = channels[CHANNEL_ID] ?? {};
     const accounts = channelCfg.accounts ?? {};
@@ -18605,6 +18672,7 @@ var quantumImOnboarding = {
         ...channels,
         [CHANNEL_ID]: {
           ...channelCfg,
+          enabled: true,
           accounts: {
             ...accounts,
             default: {
@@ -18612,7 +18680,9 @@ var quantumImOnboarding = {
               appSecret: appSecret.trim(),
               "quantum-account": quantumAccount.trim(),
               "quantum-appId": quantumAppId.trim(),
-              "quantum-appSecret": quantumAppSecret.trim()
+              "quantum-appSecret": quantumAppSecret.trim(),
+              pin: pin.trim(),
+              "quantum-url": quantumUrl.trim()
             }
           }
         }
@@ -18621,19 +18691,16 @@ var quantumImOnboarding = {
     await prompter.note("\u51ED\u636E\u5DF2\u4FDD\u5B58\uFF0C\u91CD\u542F gateway \u540E\u751F\u6548\u3002", "\u2713 \u914D\u7F6E\u5B8C\u6210");
     return { cfg: next, accountId: import_plugin_sdk2.DEFAULT_ACCOUNT_ID };
   },
-  disable(cfg) {
-    const channels = cfg.channels ?? {};
-    return {
-      ...cfg,
-      channels: {
-        ...channels,
-        [CHANNEL_ID]: {
-          ...channels[CHANNEL_ID] ?? {},
-          enabled: false
-        }
+  disable: (cfg) => ({
+    ...cfg,
+    channels: {
+      ...cfg.channels,
+      [CHANNEL_ID]: {
+        ...cfg.channels?.[CHANNEL_ID] ?? {},
+        enabled: false
       }
-    };
-  }
+    }
+  })
 };
 
 // src/channel/plugin.ts
@@ -18798,104 +18865,83 @@ var quantumImPlugin = {
   }
 };
 
-// src/crypto/quantun-plug-mock.ts
-var import_node_crypto = require("crypto");
-var log14 = createLogger("crypto/quantun-plug-mock");
-var MOCK_KEY = Buffer.alloc(32, 0);
-MOCK_KEY.write("quantum-mock-key-2026", 0);
-var MOCK_KEY_ID = "mock-key-v1";
-var initialized = false;
-var quantunPlugMock = {
-  /**
-   * 初始化 Mock SDK
-   * 幂等操作 — 重复调用不会报错
-   */
-  async init() {
-    if (initialized) return;
-    initialized = true;
-    log14.warn("\u26A0\uFE0F MOCK MODE \u2014 \u4F7F\u7528 AES-256-GCM \u6A21\u62DF\u91CF\u5B50\u52A0\u5BC6");
-  },
-  /**
-   * 加密明文 → 密文 + 密钥标识
-   *
-   * 内部流程:
-   *   1. 生成 12 字节随机 IV (确保每次加密结果不同)
-   *   2. AES-256-GCM 加密明文
-   *   3. 获取 16 字节 AuthTag (认证标签,防篡改)
-   *   4. 拼接 [IV(12) | Tag(16) | Ciphertext] → Base64 编码
-   */
-  async encrypt(plaintext, mode) {
-    if (!initialized) {
-      throw new Error("quantunPlug not initialized \u2014 call init() first");
-    }
-    const iv = (0, import_node_crypto.randomBytes)(12);
-    const cipher = (0, import_node_crypto.createCipheriv)("aes-256-gcm", MOCK_KEY, iv);
-    const encrypted = Buffer.concat([
-      cipher.update(plaintext, "utf-8"),
-      cipher.final()
-    ]);
-    const tag = cipher.getAuthTag();
-    const combined = Buffer.concat([iv, tag, encrypted]);
-    return {
-      ciphertext: combined.toString("base64"),
-      keyId: MOCK_KEY_ID
-    };
-  },
-  /**
-   * 解密密文 → 明文
-   *
-   * 内部流程:
-   *   1. Base64 解码
-   *   2. 拆分 IV(12) + Tag(16) + Ciphertext
-   *   3. AES-256-GCM 解密 + AuthTag 验证
-   *   4. 返回 UTF-8 明文
-   *
-   * @throws AuthTag 验证失败时抛出异常 (数据被篡改)
-   */
-  async decrypt(ciphertext, keyId, mode) {
-    if (!initialized) {
-      throw new Error("quantunPlug not initialized \u2014 call init() first");
-    }
-    const combined = Buffer.from(ciphertext, "base64");
-    const iv = combined.subarray(0, 12);
-    const tag = combined.subarray(12, 28);
-    const encrypted = combined.subarray(28);
-    const decipher = (0, import_node_crypto.createDecipheriv)("aes-256-gcm", MOCK_KEY, iv);
-    decipher.setAuthTag(tag);
-    const decrypted = Buffer.concat([
-      decipher.update(encrypted),
-      decipher.final()
-      // 此处 Tag 验证失败会抛出异常
-    ]);
-    return {
-      plaintext: decrypted.toString("utf-8")
-    };
-  }
+// src/crypto/quantun-plug-adapter.ts
+var import_node_module = require("module");
+var import_meta = {};
+var log14 = createLogger("crypto/quantun-plug-adapter");
+var SM4_MODE = {
+  ECB_NOPADDING: 1,
+  ECB_PKCS7PADDING: 2,
+  CBC_NOPADDING: 3,
+  CBC_PKCS7PADDING: 4
 };
-var quantun_plug_mock_default = quantunPlugMock;
+var DEFAULT_ENCRYPT_MODE = SM4_MODE.CBC_PKCS7PADDING;
+var require2 = (0, import_node_module.createRequire)(import_meta.url);
+var quantunPlug = null;
+try {
+  quantunPlug = require2("./sdk/index.min.cjs");
+  log14.info("Quantum SDK loaded from sdk/index.min.cjs");
+} catch (err) {
+  const msg = err instanceof Error ? err.message : String(err);
+  log14.warn("Quantum SDK missing, only passthrough mode will work:", msg);
+}
+var quantun_plug_adapter_default = quantunPlug;
+
+// src/crypto/quantum-config-writer.ts
+var import_node_fs = require("fs");
+var import_node_path = require("path");
+var import_node_url = require("url");
+var import_meta2 = {};
+var log15 = createLogger("crypto/quantum-config-writer");
+var QUANTUM_JSON_PATH = (0, import_node_path.join)(
+  (0, import_node_path.dirname)((0, import_node_url.fileURLToPath)(import_meta2.url)),
+  "sdk",
+  "quantum.json"
+);
+function writeQuantumConfig(credentials) {
+  const sdkConfig = {
+    account: credentials.quantumAccount,
+    appID: credentials.quantumAppId,
+    pin: credentials.pin,
+    authCode: credentials.quantumAppSecret,
+    url: credentials.quantumUrl
+  };
+  (0, import_node_fs.writeFileSync)(QUANTUM_JSON_PATH, JSON.stringify(sdkConfig, null, 2), "utf-8");
+  log15.info("quantum.json written to", QUANTUM_JSON_PATH);
+}
 
 // src/crypto/crypto-engine.ts
-var log15 = createLogger("crypto/crypto-engine");
+var log16 = createLogger("crypto/crypto-engine");
 var PASSTHROUGH_KEY_ID = "passthrough";
+var FILE_CHUNK_SIZE = 10 * 1024 * 1024;
+var FILE_DECRYPT_CHUNK_SIZE = FILE_CHUNK_SIZE + 16;
 var CryptoEngine = class _CryptoEngine {
-  /** 底层量子加密 SDK 实例 (Mock 或真实), 透传模式下为 null */
+  /** 底层量子加密 SDK 实例, 透传模式下为 null */
   plug;
   /** SDK 是否已完成初始化 */
-  initialized = false;
+  initialized;
   /** 是否为透传模式 (不加密, 明文直接透传) */
   passthrough;
+  /** 用户凭据 — 用于生成 quantum.json (透传模式下为 undefined) */
+  credentials;
   /**
-   * 构造加密引擎 (加密模式)
+   * 构造加密引擎
    *
-   * 当前默认使用 Mock SDK。
-   * 待真实 SDK 交付后，此处替换为 require('./quantunPlug.ejs')。
+   * @param opts - 构造选项
+   * @param opts.passthrough - true 为透传模式 (不加密); false 为加密模式 (默认)
+   * @param opts.credentials - 用户凭据 (加密模式必需, 用于生成 quantum.json)
    *
-   * 如需透传模式，请使用静态方法 CryptoEngine.createPassthrough()。
+   * 请使用静态工厂方法:
+   *   - new CryptoEngine({ credentials })          → 加密模式, 使用量子 SDK
+   *   - CryptoEngine.createPassthrough() → 透传模式, 无需 init()
    */
-  constructor() {
-    this.plug = quantun_plug_mock_default;
-    this.passthrough = false;
-    log15.info("CryptoEngine created (mock mode)");
+  constructor(opts = {}) {
+    const { passthrough = false, credentials } = opts;
+    this.passthrough = passthrough;
+    this.credentials = credentials;
+    this.plug = passthrough ? null : quantun_plug_adapter_default;
+    this.initialized = passthrough;
+    log16.info(`CryptoEngine created (${passthrough ? "passthrough mode \u2014 crypto disabled" : "quantum SDK mode"})`);
   }
   /**
    * 创建透传模式的加密引擎 (静态工厂方法)
@@ -18909,17 +18955,12 @@ var CryptoEngine = class _CryptoEngine {
    * 上层模块 (TokenStore, MessagePipe) 无需感知加密是否开启。
    */
   static createPassthrough() {
-    const instance = Object.create(_CryptoEngine.prototype);
-    instance.plug = null;
-    instance.passthrough = true;
-    instance.initialized = true;
-    log15.info("CryptoEngine created (passthrough mode \u2014 crypto disabled)");
-    return instance;
+    return new _CryptoEngine({ passthrough: true });
   }
   /**
    * 初始化加密引擎
    *
-   * 加密模式: 调用 SDK 的 init() 方法完成密钥协商等初始化操作。
+   * 加密模式: 调用 SDK 的 init() 方法完成密服入网、密钥协商等初始化操作。
    * 透传模式: 空操作 (already initialized)。
    * 幂等操作 — 重复调用安全。
    */
@@ -18929,29 +18970,37 @@ var CryptoEngine = class _CryptoEngine {
       this.initialized = true;
       return;
     }
+    if (!this.plug) {
+      throw new Error("Quantum encryption SDK is missing. Cannot initialize in encryption mode (check dist/index.min.cjs).");
+    }
+    if (this.credentials) {
+      writeQuantumConfig(this.credentials);
+    }
     await this.plug.init();
     this.initialized = true;
-    log15.info("CryptoEngine initialized \u2713");
+    log16.info("CryptoEngine initialized \u2713");
   }
   /**
    * 加密明文
    *
-   * 加密模式: 调用底层 SDK 加密, 返回 Base64 密文 + keyId
+   * 加密模式: 调用底层 SDK 加密 (SM4_CBC_PKCS7PADDING), 返回密文 + keyId
    * 透传模式: 直接返回明文作为 "密文", keyId = 'passthrough'
    *
+   * 注意: SDK 返回驼峰 cipherText, 此方法对外统一为小写 ciphertext
+   *
    * @param plaintext - 要加密的明文字符串
    * @returns { ciphertext: 密文字符串, keyId: 密钥标识 }
    * @throws 加密模式下未初始化时抛出错误
    */
   async encrypt(plaintext) {
-    this.ensureInitialized();
     if (this.passthrough) {
-      log15.debug("Encrypt (passthrough)", { length: plaintext.length });
+      log16.debug("Encrypt (passthrough)", { length: plaintext.length });
       return { ciphertext: plaintext, keyId: PASSTHROUGH_KEY_ID };
     }
-    const result = await this.plug.encrypt(plaintext, 1);
-    log15.debug("Encrypted", { length: plaintext.length, keyId: result.keyId });
-    return result;
+    const plug = this.requirePlug();
+    const result = await plug.encrypt(plaintext, DEFAULT_ENCRYPT_MODE);
+    log16.debug("Encrypted", { length: plaintext.length, keyId: result.keyId });
+    return { ciphertext: result.cipherText, keyId: result.keyId };
   }
   /**
    * 解密密文
@@ -18965,14 +19014,100 @@ var CryptoEngine = class _CryptoEngine {
    * @throws 加密模式下未初始化、密文损坏或 keyId 不匹配时抛出错误
    */
   async decrypt(ciphertext, keyId) {
-    this.ensureInitialized();
     if (this.passthrough) {
-      log15.debug("Decrypt (passthrough)", { keyId });
+      log16.debug("Decrypt (passthrough)", { keyId });
       return ciphertext;
     }
-    const result = await this.plug.decrypt(ciphertext, keyId, 1);
-    log15.debug("Decrypted", { keyId });
-    return result.plaintext;
+    const plug = this.requirePlug();
+    const result = await plug.decrypt(ciphertext, keyId, DEFAULT_ENCRYPT_MODE);
+    log16.debug("Decrypted", { keyId });
+    return result.plainText;
+  }
+  /**
+   * 加密文件数据
+   *
+   * 自动处理 10MB 分片编排:
+   *   - ≤10MB: 单次调用 SDK encryptFile
+   *   - >10MB: 按 10MB 分片, 首片无需传密钥参数, 后续片传入前一片返回的 { keyId, sessionKey, fillKey }
+   *
+   * 透传模式: 直接返回原数据
+   *
+   * @param fileData - 文件数据 Buffer
+   * @returns { fileBuffer: 加密后的文件 Buffer, keyId: 密钥标识 }
+   */
+  async encryptFile(fileData) {
+    if (this.passthrough) {
+      log16.debug("EncryptFile (passthrough)", { size: fileData.length });
+      return { fileBuffer: fileData, keyId: PASSTHROUGH_KEY_ID };
+    }
+    if (fileData.length === 0) {
+      return { fileBuffer: Buffer.alloc(0), keyId: PASSTHROUGH_KEY_ID };
+    }
+    const chunks = [];
+    const total = Math.ceil(fileData.length / FILE_CHUNK_SIZE);
+    let keyId;
+    let sessionKey;
+    let fillKey;
+    const plug = this.requirePlug();
+    log16.debug("EncryptFile", { size: fileData.length, chunks: total });
+    for (let i = 0; i < total; i++) {
+      const start = i * FILE_CHUNK_SIZE;
+      const end = Math.min(start + FILE_CHUNK_SIZE, fileData.length);
+      const chunk = fileData.subarray(start, end);
+      const result = await plug.encryptFile(chunk, DEFAULT_ENCRYPT_MODE, {
+        keyId,
+        sessionKey,
+        fillKey
+      });
+      chunks.push(result.fileBuffer);
+      keyId = result.keyId;
+      sessionKey = result.sessionKey;
+      fillKey = result.fillKey;
+    }
+    log16.debug("EncryptFile done", { keyId, chunks: total });
+    return { fileBuffer: Buffer.concat(chunks), keyId: keyId ?? "" };
+  }
+  /**
+   * 解密文件数据
+   *
+   * 自动处理 (10MB + 16) 分片编排:
+   *   - ≤(10MB+16): 单次调用 SDK decryptFile
+   *   - >(10MB+16): 按 (10MB+16) 分片, 首片传 keyId, 后续片传入前一片返回的 { sessionKey, fillKey }
+   *
+   * 透传模式: 直接返回原数据
+   *
+   * @param fileData - 加密后的文件 Buffer
+   * @param keyId    - 加密时返回的密钥标识
+   * @returns 解密后的文件 Buffer
+   */
+  async decryptFile(fileData, keyId) {
+    if (this.passthrough) {
+      log16.debug("DecryptFile (passthrough)", { keyId });
+      return fileData;
+    }
+    if (fileData.length === 0) {
+      return Buffer.alloc(0);
+    }
+    const plug = this.requirePlug();
+    const chunks = [];
+    const total = Math.ceil(fileData.length / FILE_DECRYPT_CHUNK_SIZE);
+    let sessionKey;
+    let fillKey;
+    log16.debug("DecryptFile", { size: fileData.length, chunks: total, keyId });
+    for (let i = 0; i < total; i++) {
+      const start = i * FILE_DECRYPT_CHUNK_SIZE;
+      const end = Math.min(start + FILE_DECRYPT_CHUNK_SIZE, fileData.length);
+      const chunk = fileData.subarray(start, end);
+      const result = await plug.decryptFile(chunk, keyId, DEFAULT_ENCRYPT_MODE, {
+        sessionKey,
+        fillKey
+      });
+      chunks.push(result.fileBuffer);
+      sessionKey = result.sessionKey;
+      fillKey = result.fillKey;
+    }
+    log16.debug("DecryptFile done", { keyId, chunks: total });
+    return Buffer.concat(chunks);
   }
   /**
    * 查询当前是否为透传模式
@@ -18982,25 +19117,26 @@ var CryptoEngine = class _CryptoEngine {
     return this.passthrough;
   }
   /**
-   * 确保引擎已初始化
-   * 未初始化时抛出明确错误，避免难以排查的 SDK 内部异常
+   * 确保引擎已初始化，同时返回非空 plug 实例
+   * （通过 init() 守卫保证：加密模式下 init() 成功后 plug 一定非 null）
    */
-  ensureInitialized() {
+  requirePlug() {
     if (!this.initialized) {
       throw new Error("CryptoEngine not initialized \u2014 call init() first");
     }
+    return this.plug;
   }
 };
 
 // src/auth/oauth-client.ts
-var log16 = createLogger("auth/oauth-client");
-var SealApiError = class extends Error {
+var log17 = createLogger("auth/oauth-client");
+var ApiError = class extends Error {
   constructor(status, body, endpoint) {
-    super(`Seal API error: ${status} on ${endpoint}`);
+    super(`API error: ${status} on ${endpoint}`);
     this.status = status;
     this.body = body;
     this.endpoint = endpoint;
-    this.name = "SealApiError";
+    this.name = "ApiError";
   }
 };
 var TokenAcquireError = class extends Error {
@@ -19017,28 +19153,21 @@ function sleep(ms) {
   return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
 var DEFAULT_TIMEOUT_MS = 3e4;
-var SealClient = class {
+var GRANT_TYPE = "client_credentials";
+var SCOPE = "client_credentials refresh_token";
+var OAuthClient = class {
   baseUrl;
-  clientId;
-  clientSecret;
-  clientName;
-  scopes;
+  appId;
+  appSecret;
   constructor(config2) {
-    this.baseUrl = config2.serverUrl.replace(/\/+$/, "");
-    this.clientId = config2.clientId;
-    this.clientSecret = config2.clientSecret;
-    this.clientName = config2.clientName;
-    this.scopes = config2.scopes;
-    log16.info("SealClient initialized", { serverUrl: this.baseUrl, clientName: config2.clientName });
+    this.baseUrl = config2.baseUrl.replace(/\/+$/, "");
+    this.appId = config2.appId;
+    this.appSecret = config2.appSecret;
+    log17.info("OAuthClient initialized", { baseUrl: this.baseUrl, appId: sanitize(this.appId) });
   }
   // ── 通用 HTTP 请求 ──
   /**
    * 统一 HTTP 请求封装 — 含超时、日志脱敏和错误处理
-   * @param method - HTTP 方法
-   * @param path - 请求路径 (如 '/seal/client/register')
-   * @param options - 请求选项
-   * @returns 解析后的 JSON 响应
-   * @throws SealApiError — HTTP 非 2xx 响应
    */
   async request(method, path2, options = {}) {
     const url2 = `${this.baseUrl}${path2}`;
@@ -19054,7 +19183,7 @@ var SealClient = class {
         bodyStr = JSON.stringify(options.body);
       }
     }
-    log16.debug("HTTP request", { method, url: url2 });
+    log17.debug("HTTP request", { method, url: url2 });
     const response = await fetch(url2, {
       method,
       headers,
@@ -19069,110 +19198,39 @@ var SealClient = class {
       } catch {
         parsedBody = responseBody;
       }
-      log16.error("HTTP error", { method, url: url2, status: response.status });
-      throw new SealApiError(response.status, parsedBody, path2);
+      log17.error("HTTP error", { method, url: url2, status: response.status });
+      throw new ApiError(response.status, parsedBody, path2);
     }
-    log16.debug("HTTP response", { method, url: url2, status: response.status });
+    log17.debug("HTTP response", { method, url: url2, status: response.status });
     try {
       return JSON.parse(responseBody);
     } catch {
-      throw new SealApiError(response.status, responseBody, path2);
+      throw new ApiError(response.status, responseBody, path2);
     }
   }
   // ── 公共方法 ──
-  /** 判断是否已注册 (有 clientId + clientSecret) */
-  isRegistered() {
-    return !!(this.clientId && this.clientSecret);
-  }
-  /** 更新 clientId / clientSecret (注册成功后或从持久化加载后调用) */
-  setCredentials(clientId, clientSecret) {
-    this.clientId = clientId;
-    this.clientSecret = clientSecret;
-    log16.info("Credentials updated", { clientId: sanitize(clientId) });
-  }
   /**
-   * 动态注册客户端 → POST /seal/client/register
+   * 获取访问令牌 → POST /auth/token (client_credentials)
    *
-   * 首次运行时自动调用，获取 clientId 和 clientSecret。
-   * 注册成功后自动更新内部凭据。
-   */
-  async register(params) {
-    const body = {
-      client_name: params.clientName,
-      scopes: params.scopes,
-      authentication_methods: params.authMethods ?? ["client_secret_post"],
-      grant_types: params.grantTypes ?? ["authorization_code", "client_credentials", "refresh_token"],
-      redirect_uris: params.redirectUris ?? ["https://placeholder.local"],
-      logout_redirect_uris: [],
-      client_settings: {
-        "settings.client.require-authorization-consent": true
-      }
-    };
-    if (params.tokenSettings) {
-      const ts = {};
-      if (params.tokenSettings.accessTokenTtl) {
-        ts["settings.token.access-token-time-to-live"] = params.tokenSettings.accessTokenTtl;
-      }
-      if (params.tokenSettings.refreshTokenTtl) {
-        ts["settings.token.refresh-token-time-to-live"] = params.tokenSettings.refreshTokenTtl;
-      }
-      if (params.tokenSettings.accessTokenFormat) {
-        ts["settings.token.access-token-format"] = params.tokenSettings.accessTokenFormat;
-      }
-      if (params.tokenSettings.reuseRefreshTokens !== void 0) {
-        ts["settings.token.reuse-refresh-tokens"] = params.tokenSettings.reuseRefreshTokens;
-      }
-      ts["settings.token.authorization-code-time-to-live"] = "300";
-      body.token_settings = ts;
-    }
-    log16.info("Registering OAuth client", { clientName: params.clientName });
-    const response = await this.request(
-      "POST",
-      "/seal/client/register",
-      { body, contentType: "json" }
-    );
-    const registration = {
-      clientId: response.client_id,
-      clientSecret: response.client_secret,
-      clientSecretExpiresAt: response.client_secret_expires_at ?? "",
-      clientIdIssuedAt: response.client_id_issued_at ?? "",
-      scopes: response.scopes ?? params.scopes
-    };
-    this.setCredentials(registration.clientId, registration.clientSecret);
-    log16.info("OAuth client registered", {
-      clientId: sanitize(registration.clientId),
-      clientSecret: sanitize(registration.clientSecret),
-      scopes: registration.scopes,
-      expiresAt: registration.clientSecretExpiresAt
-    });
-    return registration;
-  }
-  /**
-   * 获取访问令牌 → POST /seal/oauth2/token (client_credentials)
+   * 请求参数 (x-www-form-urlencoded):
+   *   - grant_type: client_credentials (写死)
+   *   - client_id: appId
+   *   - client_secret: appSecret
+   *   - scope: client_credentials refresh_token (写死)
    *
-   * 使用客户端凭证模式获取 Access Token。
-   * 前置条件: clientId 和 clientSecret 必须存在 (通过 register 或 setCredentials 设置)
-   *
-   * @param scope - 请求的权限范围 (空格分隔)，不传则使用注册时的全部 scope
    * @returns TokenData 包含 access_token、过期时间等
-   * @throws Error — clientId/clientSecret 未设置
-   * @throws SealApiError — HTTP 错误
+   * @throws ApiError — HTTP 错误
    */
-  async getToken(scope) {
-    if (!this.clientId || !this.clientSecret) {
-      throw new Error("Cannot get token: clientId and clientSecret are required. Call register() or setCredentials() first.");
-    }
+  async getToken() {
     const params = new URLSearchParams();
-    params.set("grant_type", "client_credentials");
-    params.set("client_id", this.clientId);
-    params.set("client_secret", this.clientSecret);
-    if (scope) {
-      params.set("scope", scope);
-    }
-    log16.info("Requesting access token", { clientId: sanitize(this.clientId) });
+    params.set("grant_type", GRANT_TYPE);
+    params.set("client_id", this.appId);
+    params.set("client_secret", this.appSecret);
+    params.set("scope", SCOPE);
+    log17.info("Requesting access token", { appId: sanitize(this.appId) });
     const response = await this.request(
       "POST",
-      "/seal/oauth2/token",
+      "/auth/token",
       { body: params, contentType: "form" }
     );
     const now = Date.now();
@@ -19183,32 +19241,28 @@ var SealClient = class {
       expiresIn,
       scope: response.scope ?? "",
       refreshToken: void 0,
-      // Seal 不返回 refresh_token
       grantedAt: now,
       expiresAt: now + expiresIn * 1e3
     };
-    log16.info("Access token acquired", {
+    log17.info("Access token acquired", {
       accessToken: sanitize(tokenData.accessToken),
       expiresIn: tokenData.expiresIn,
       scope: tokenData.scope
     });
     return tokenData;
   }
-  /**
-   * 令牌校验 → GET /seal/oauth2/introspect
-   * 暂不实现 — 保留接口签名，后续需要时再补充
-   */
-  async introspect(_token) {
-    throw new Error("introspect() not implemented yet \u2014 Seal introspect API \u6682\u4E0D\u4F7F\u7528");
+  /** 获取 baseUrl (供其他模块复用) */
+  getBaseUrl() {
+    return this.baseUrl;
   }
 };
 
 // src/auth/token-store.ts
 var import_promises = require("fs/promises");
-var import_node_fs = require("fs");
-var import_node_path = require("path");
-var import_node_crypto2 = require("crypto");
-var log17 = createLogger("auth/token-store");
+var import_node_fs2 = require("fs");
+var import_node_path2 = require("path");
+var import_node_crypto = require("crypto");
+var log18 = createLogger("auth/token-store");
 var TokenStore = class {
   /** 存储目录路径 */
   storageDir;
@@ -19223,7 +19277,7 @@ var TokenStore = class {
   constructor(storageDir, crypto) {
     this.storageDir = storageDir;
     this.crypto = crypto;
-    log17.info("TokenStore initialized", { storageDir });
+    log18.info("TokenStore initialized", { storageDir });
   }
   /**
    * 确保存储目录存在并设置正确的权限。
@@ -19231,9 +19285,9 @@ var TokenStore = class {
    */
   async ensureDir() {
     if (this.dirEnsured) return;
-    if (!(0, import_node_fs.existsSync)(this.storageDir)) {
+    if (!(0, import_node_fs2.existsSync)(this.storageDir)) {
       await (0, import_promises.mkdir)(this.storageDir, { recursive: true, mode: 448 });
-      log17.debug("Storage directory created", { dir: this.storageDir });
+      log18.debug("Storage directory created", { dir: this.storageDir });
     }
     this.dirEnsured = true;
   }
@@ -19242,7 +19296,7 @@ var TokenStore = class {
    * @param key - 存储键名 (如 'token', 'credentials')
    */
   filePath(key) {
-    return (0, import_node_path.join)(this.storageDir, `${key}.enc`);
+    return (0, import_node_path2.join)(this.storageDir, `${key}.enc`);
   }
   /**
    * 保存 Token — 加密写入文件
@@ -19263,12 +19317,12 @@ var TokenStore = class {
     const storage = { ciphertext, keyId };
     const storageJson = JSON.stringify(storage);
     const targetPath = this.filePath(key);
-    const tmpSuffix = (0, import_node_crypto2.randomBytes)(4).toString("hex");
+    const tmpSuffix = (0, import_node_crypto.randomBytes)(4).toString("hex");
     const tmpPath = `${targetPath}.${tmpSuffix}.tmp`;
     try {
       await (0, import_promises.writeFile)(tmpPath, storageJson, { mode: 384 });
       await (0, import_promises.rename)(tmpPath, targetPath);
-      log17.debug("Token saved", { key, path: targetPath });
+      log18.debug("Token saved", { key, path: targetPath });
     } catch (err) {
       try {
         await (0, import_promises.unlink)(tmpPath);
@@ -19290,8 +19344,8 @@ var TokenStore = class {
    */
   async load(key) {
     const filePath = this.filePath(key);
-    if (!(0, import_node_fs.existsSync)(filePath)) {
-      log17.debug("Token file not found", { key, path: filePath });
+    if (!(0, import_node_fs2.existsSync)(filePath)) {
+      log18.debug("Token file not found", { key, path: filePath });
       return null;
     }
     try {
@@ -19299,10 +19353,10 @@ var TokenStore = class {
       const storage = JSON.parse(raw);
       const json2 = await this.crypto.decrypt(storage.ciphertext, storage.keyId);
       const data = JSON.parse(json2);
-      log17.debug("Token loaded", { key, path: filePath });
+      log18.debug("Token loaded", { key, path: filePath });
       return data;
     } catch (err) {
-      log17.warn("Failed to load token (corrupted or key mismatch), treating as empty", {
+      log18.warn("Failed to load token (corrupted or key mismatch), treating as empty", {
         key,
         error: err instanceof Error ? err.message : String(err)
       });
@@ -19318,7 +19372,7 @@ var TokenStore = class {
     const filePath = this.filePath(key);
     try {
       await (0, import_promises.unlink)(filePath);
-      log17.debug("Token file cleared", { key, path: filePath });
+      log18.debug("Token file cleared", { key, path: filePath });
     } catch (err) {
       if (err.code !== "ENOENT") {
         throw err;
@@ -19328,17 +19382,15 @@ var TokenStore = class {
 };
 
 // src/auth/token-manager.ts
-var log18 = createLogger("auth/token-manager");
+var log19 = createLogger("auth/token-manager");
 var DEFAULT_REFRESH_AHEAD_MS = 5 * 60 * 1e3;
 var MAX_RETRIES = 3;
 var RETRY_BASE_MS = 1e3;
 var TokenManager = class {
-  sealClient;
+  oauthClient;
   tokenStore;
   /** Token 过期前提前刷新的时间 (ms) */
   refreshAheadMs;
-  /** 自动注册的参数 */
-  autoRegisterParams;
   // ── 内存缓存 ──
   /** 内存中缓存的 access_token */
   cachedToken = null;
@@ -19352,11 +19404,10 @@ var TokenManager = class {
   /** 定时刷新器句柄 */
   refreshTimer = null;
   constructor(deps) {
-    this.sealClient = deps.sealClient;
+    this.oauthClient = deps.oauthClient;
     this.tokenStore = deps.tokenStore;
     this.refreshAheadMs = deps.refreshAheadMs ?? DEFAULT_REFRESH_AHEAD_MS;
-    this.autoRegisterParams = deps.autoRegisterParams;
-    log18.info("TokenManager initialized", { refreshAheadMs: this.refreshAheadMs });
+    log19.info("TokenManager initialized", { refreshAheadMs: this.refreshAheadMs });
   }
   // ── 核心方法 ──
   /**
@@ -19374,7 +19425,7 @@ var TokenManager = class {
       return this.cachedToken;
     }
     if (this.refreshLock) {
-      log18.debug("Waiting for concurrent token acquisition");
+      log19.debug("Waiting for concurrent token acquisition");
       return this.refreshLock;
     }
     this.refreshLock = this._acquireTokenWithRetry();
@@ -19384,13 +19435,6 @@ var TokenManager = class {
       this.refreshLock = null;
     }
   }
-  /**
-   * 令牌自省 — 暂不实现，后续补充。
-   * 返回的 identity_id 用于 gate.ts 的 anti-loop 检查 (bot 自己的 ID)。
-   */
-  async introspect() {
-    throw new Error("introspect() not implemented yet \u2014 Seal introspect API \u6682\u4E0D\u4F7F\u7528");
-  }
   /** 检查当前令牌是否包含指定的 scope */
   hasScope(scope) {
     if (!this.cachedScope) return false;
@@ -19407,13 +19451,13 @@ var TokenManager = class {
     this.cachedToken = null;
     this.cachedScope = null;
     this.currentTokenData = null;
-    log18.info("Token revoked and cleared");
+    log19.info("Token revoked and cleared");
   }
   /** 清理定时器和并发锁 — 优雅关闭时调用 */
   shutdown() {
     this.clearRefreshTimer();
     this.refreshLock = null;
-    log18.info("TokenManager shutdown");
+    log19.info("TokenManager shutdown");
   }
   // ── 内部方法 ──
   /**
@@ -19421,26 +19465,26 @@ var TokenManager = class {
    *
    * 重试策略:
    *   - 网络错误 / 5xx → 重试 (最多 3 次)
-   *   - 401/403 → 不重试 (client_secret 可能无效)
+   *   - 401/403 → 不重试 (凭证可能无效)
    */
   async _acquireTokenWithRetry() {
     for (let attempt = 0; attempt <= MAX_RETRIES; attempt++) {
       try {
         return await this._acquireToken();
       } catch (err) {
-        if (err instanceof SealApiError && (err.status === 401 || err.status === 403)) {
-          log18.error("Token acquire failed with auth error, not retrying", { status: err.status });
+        if (err instanceof ApiError && (err.status === 401 || err.status === 403)) {
+          log19.error("Token acquire failed with auth error, not retrying", { status: err.status });
           throw err;
         }
         if (attempt === MAX_RETRIES) {
-          log18.error("Token acquire failed after all retries", { attempts: attempt + 1 });
+          log19.error("Token acquire failed after all retries", { attempts: attempt + 1 });
           throw new TokenAcquireError(
             `Token acquire failed after ${attempt + 1} attempts`,
             { cause: err instanceof Error ? err : void 0 }
           );
         }
         const delay = RETRY_BASE_MS * Math.pow(2, attempt);
-        log18.warn("Token acquire failed, retrying", {
+        log19.warn("Token acquire failed, retrying", {
           attempt: attempt + 1,
           maxRetries: MAX_RETRIES,
           retryInMs: delay,
@@ -19456,63 +19500,27 @@ var TokenManager = class {
    *
    * 流程:
    *   1. 尝试从 TokenStore 加载缓存
-   *   2. 检查是否需要注册客户端
-   *   3. 调用 SealClient.getToken() 获取新 Token
-   *   4. 保存到内存缓存 + TokenStore
-   *   5. 设置定时刷新器
+   *   2. 调用 OAuthClient.getToken() 获取新 Token
+   *   3. 保存到内存缓存 + TokenStore
+   *   4. 设置定时刷新器
    */
   async _acquireToken() {
     try {
       const stored = await this.tokenStore.load("token");
       if (stored && !this.isTokenHardExpired(stored)) {
-        log18.info("Token loaded from store (still valid)");
+        log19.info("Token loaded from store (still valid)");
         this.updateCache(stored);
         this.scheduleRefresh(stored);
         return stored.accessToken;
       }
       if (stored) {
-        log18.info("Stored token has expired, acquiring new one");
+        log19.info("Stored token has expired, acquiring new one");
       }
     } catch {
-      log18.warn("Failed to load token from store, acquiring new one");
+      log19.warn("Failed to load token from store, acquiring new one");
     }
-    if (!this.sealClient.isRegistered()) {
-      try {
-        const savedCreds = await this.tokenStore.load("credentials");
-        if (savedCreds?.clientId && savedCreds?.clientSecret) {
-          this.sealClient.setCredentials(
-            savedCreds.clientId,
-            savedCreds.clientSecret
-          );
-          log18.info("Credentials loaded from store");
-        }
-      } catch {
-        log18.debug("No saved credentials found");
-      }
-    }
-    if (!this.sealClient.isRegistered()) {
-      if (!this.autoRegisterParams) {
-        throw new Error("SealClient not registered and autoRegisterParams not provided. Call setCredentials() or enable autoRegister.");
-      }
-      log18.info("Auto-registering OAuth client");
-      const registration = await this.sealClient.register({
-        clientName: this.autoRegisterParams.clientName,
-        scopes: this.autoRegisterParams.scopes,
-        tokenSettings: this.autoRegisterParams.tokenSettings ? {
-          accessTokenTtl: this.autoRegisterParams.tokenSettings.accessTokenTtl,
-          refreshTokenTtl: this.autoRegisterParams.tokenSettings.refreshTokenTtl,
-          accessTokenFormat: this.autoRegisterParams.tokenSettings.accessTokenFormat
-        } : void 0
-      });
-      await this.tokenStore.save("credentials", {
-        clientId: registration.clientId,
-        clientSecret: registration.clientSecret,
-        clientSecretExpiresAt: registration.clientSecretExpiresAt
-      });
-      log18.info("OAuth client registered and credentials saved");
-    }
-    log18.info("Acquiring new access token");
-    const tokenData = await this.sealClient.getToken();
+    log19.info("Acquiring new access token via POST /auth/token");
+    const tokenData = await this.oauthClient.getToken();
     this.updateCache(tokenData);
     await this.tokenStore.save("token", tokenData);
     this.scheduleRefresh(tokenData);
@@ -19542,22 +19550,22 @@ var TokenManager = class {
     this.clearRefreshTimer();
     const refreshInMs = tokenData.expiresAt - this.refreshAheadMs - Date.now();
     if (refreshInMs <= 0) {
-      log18.debug("Token already within refresh window, not scheduling timer");
+      log19.debug("Token already within refresh window, not scheduling timer");
       return;
     }
-    log18.debug("Scheduling token refresh", {
+    log19.debug("Scheduling token refresh", {
       refreshInMs,
       refreshAt: new Date(Date.now() + refreshInMs).toISOString()
     });
     this.refreshTimer = setTimeout(async () => {
       try {
-        log18.info("Scheduled token refresh triggered");
+        log19.info("Scheduled token refresh triggered");
         this.cachedToken = null;
         this.currentTokenData = null;
         await this.getValidToken();
-        log18.info("Scheduled token refresh completed");
+        log19.info("Scheduled token refresh completed");
       } catch (err) {
-        log18.error("Scheduled token refresh failed", {
+        log19.error("Scheduled token refresh failed", {
           error: err instanceof Error ? err.message : String(err)
         });
       }
@@ -19585,13 +19593,13 @@ var wrapper_default = import_websocket.default;
 
 // src/transport/ws-client.ts
 var import_node_events = require("events");
-var log19 = createLogger("transport/ws-client");
+var log20 = createLogger("transport/ws-client");
 var WSClient = class extends import_node_events.EventEmitter {
   /** 底层 WebSocket 实例 */
   ws = null;
   constructor() {
     super();
-    log19.info("WSClient initialized");
+    log20.info("WSClient initialized");
   }
   /**
    * 连接到 WebSocket 服务器并绑定事件。
@@ -19607,11 +19615,11 @@ var WSClient = class extends import_node_events.EventEmitter {
       this.ws = null;
     }
     const { url: url2, protocols, headers } = options;
-    log19.info("ws:connecting", { url: url2 });
+    log20.info("ws:connecting", { url: url2 });
     return new Promise((resolve2, reject) => {
       const ws = new wrapper_default(url2, protocols, { headers });
       ws.on("open", () => {
-        log19.info("ws:connected", { url: url2 });
+        log20.info("ws:connected", { url: url2 });
         this.emit("open");
         resolve2();
       });
@@ -19619,11 +19627,11 @@ var WSClient = class extends import_node_events.EventEmitter {
         this.emit("message", data);
       });
       ws.on("close", (code, reason) => {
-        log19.info("ws:closed", { code, reason: reason.toString() });
+        log20.info("ws:closed", { code, reason: reason.toString() });
         this.emit("close", code, reason.toString());
       });
       ws.on("error", (err) => {
-        log19.error("ws:error", { error: err.message });
+        log20.error("ws:error", { error: err.message });
         this.emit("error", err);
         if (this.ws !== ws) {
           reject(err);
@@ -19635,7 +19643,7 @@ var WSClient = class extends import_node_events.EventEmitter {
   /** 发送数据到服务器 — 前置检查连接状态 */
   send(data) {
     if (!this.ws || this.ws.readyState !== wrapper_default.OPEN) {
-      log19.warn("ws:send skipped, not connected", { readyState: this.ws?.readyState });
+      log20.warn("ws:send skipped, not connected", { readyState: this.ws?.readyState });
       return;
     }
     this.ws.send(data);
@@ -19646,7 +19654,7 @@ var WSClient = class extends import_node_events.EventEmitter {
       this.ws.removeAllListeners();
       this.ws.close(code, reason);
       this.ws = null;
-      log19.info("ws:close requested", { code, reason });
+      log20.info("ws:close requested", { code, reason });
     }
   }
   /** 当前连接状态 (0=CONNECTING, 1=OPEN, 2=CLOSING, 3=CLOSED) */
@@ -19656,7 +19664,7 @@ var WSClient = class extends import_node_events.EventEmitter {
 };
 
 // src/transport/dedup.ts
-var log20 = createLogger("transport/dedup");
+var log21 = createLogger("transport/dedup");
 var MessageDedup = class {
   /** 去重缓存生存时间 (ms) */
   ttlMs;
@@ -19667,7 +19675,7 @@ var MessageDedup = class {
   constructor(config2) {
     this.ttlMs = config2?.ttlMs ?? 3e5;
     this.maxEntries = config2?.maxEntries ?? 5e3;
-    log20.info("MessageDedup initialized", { ttlMs: this.ttlMs, maxEntries: this.maxEntries });
+    log21.info("MessageDedup initialized", { ttlMs: this.ttlMs, maxEntries: this.maxEntries });
   }
   /**
    * 检查消息是否重复。
@@ -19702,8 +19710,8 @@ var MessageDedup = class {
 };
 
 // src/transport/message-pipe.ts
-var import_node_crypto3 = require("crypto");
-var log21 = createLogger("transport/message-pipe");
+var import_node_crypto2 = require("crypto");
+var log22 = createLogger("transport/message-pipe");
 var MessagePipe = class {
   wsClient;
   dedup;
@@ -19722,15 +19730,15 @@ var MessagePipe = class {
     this.messageServiceBaseUrl = deps.messageServiceBaseUrl;
     this.wsClient.on("message", (rawData) => {
       this.handleInbound(rawData).catch((err) => {
-        log21.error("inbound:error", { step: "handleInbound", error: err.message });
+        log22.error("inbound:error", { step: "handleInbound", error: err.message });
       });
     });
-    log21.info("MessagePipe initialized");
+    log22.info("MessagePipe initialized");
   }
   /** 注册入站消息回调 — 解密后的消息会通过此回调传给 L4 层 */
   onMessage(callback) {
     this.messageCallback = callback;
-    log21.info("Inbound message callback registered");
+    log22.info("Inbound message callback registered");
   }
   /**
    * 出站发送 — 通过 HTTP API 发送消息到 IM 服务器。
@@ -19750,7 +19758,7 @@ var MessagePipe = class {
     }
     const result = await this.callMessageApi("/messages/v1/send", body, "outbound");
     if (!result) return;
-    log21.info("outbound:sent", {
+    log22.info("outbound:sent", {
       chatId: msg.chatId,
       senderId: msg.senderId,
       msgType: msg.msgType,
@@ -19774,7 +19782,7 @@ var MessagePipe = class {
     };
     const result = await this.callMessageApi("/messages/v1/recall", body, "recall");
     if (!result) return;
-    log21.info("recall:sent", {
+    log22.info("recall:sent", {
       messageId: params.messageId,
       requestId: result.request_id
     });
@@ -19801,7 +19809,7 @@ var MessagePipe = class {
         body: JSON.stringify(body)
       });
       if (!resp.ok) {
-        log21.error(`${logTag}:http-error`, {
+        log22.error(`${logTag}:http-error`, {
           status: resp.status,
           statusText: resp.statusText,
           url: url2
@@ -19810,7 +19818,7 @@ var MessagePipe = class {
       }
       const result = await resp.json();
       if (result.code !== 0) {
-        log21.error(`${logTag}:api-error`, {
+        log22.error(`${logTag}:api-error`, {
           code: result.code,
           msg: result.msg,
           requestId: result.request_id
@@ -19819,7 +19827,7 @@ var MessagePipe = class {
       }
       return result;
     } catch (err) {
-      log21.error(`${logTag}:network-error`, {
+      log22.error(`${logTag}:network-error`, {
         url: url2,
         error: err.message
       });
@@ -19841,7 +19849,7 @@ var MessagePipe = class {
     try {
       frame = JSON.parse(String(rawData));
     } catch (err) {
-      log21.warn("inbound:json-parse-error", { error: err.message });
+      log22.warn("inbound:json-parse-error", { error: err.message });
       return;
     }
     const timestamp = frame["X-CTQ-Timestamp"];
@@ -19850,9 +19858,9 @@ var MessagePipe = class {
     if (timestamp && nonce && signature) {
       const token = await this.tokenFn();
       const signatureInput = timestamp + nonce + frame.data;
-      const expected = (0, import_node_crypto3.createHmac)("sha256", token).update(signatureInput).digest("hex");
+      const expected = (0, import_node_crypto2.createHmac)("sha256", token).update(signatureInput).digest("hex");
       if (expected !== signature) {
-        log21.warn("inbound:signature-fail", { timestamp, nonce });
+        log22.warn("inbound:signature-fail", { timestamp, nonce });
         return;
       }
     }
@@ -19866,30 +19874,37 @@ var MessagePipe = class {
     try {
       callbackData = JSON.parse(dataStr);
     } catch (err) {
-      log21.warn("inbound:data-parse-error", { error: err.message });
+      log22.warn("inbound:data-parse-error", { error: err.message });
       return;
     }
-    if (callbackData.eventType !== "MessageReceived") {
-      log21.debug("inbound:event-ignored", { eventType: callbackData.eventType });
+    if (callbackData.eventType !== "callback:direct") {
+      log22.debug("inbound:event-ignored", { eventType: callbackData.eventType });
       return;
     }
-    const msg = callbackData.content;
-    log21.debug("inbound:frame", { messageId: msg.messageId, eventType: callbackData.eventType });
+    const msg = {
+      messageId: callbackData.msgUid,
+      chatId: callbackData.groupId || callbackData.userId,
+      senderId: callbackData.userId,
+      msgType: callbackData.type,
+      content: JSON.stringify(callbackData.content),
+      timestamp: Date.now()
+    };
+    log22.debug("inbound:frame", { messageId: msg.messageId, eventType: callbackData.eventType });
     if (this.dedup.isDuplicate(msg.messageId)) {
-      log21.debug("inbound:dedup-hit", { messageId: msg.messageId });
+      log22.debug("inbound:dedup-hit", { messageId: msg.messageId });
       return;
     }
-    log21.info("inbound:verified", { messageId: msg.messageId, chatId: msg.chatId });
+    log22.info("inbound:verified", { messageId: msg.messageId, chatId: msg.chatId });
     if (this.messageCallback) {
       this.messageCallback(msg);
     } else {
-      log21.warn("inbound:no-callback", { messageId: msg.messageId });
+      log22.warn("inbound:no-callback", { messageId: msg.messageId });
     }
   }
 };
 
 // src/transport/connection-manager.ts
-var log22 = createLogger("transport/connection-manager");
+var log23 = createLogger("transport/connection-manager");
 function sleep2(ms) {
   return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
@@ -19919,7 +19934,7 @@ var ConnectionManager = class {
       reconnectMaxMs: options?.reconnectMaxMs ?? 6e4,
       maxReconnectAttempts: options?.maxReconnectAttempts ?? 10
     };
-    log22.info("ConnectionManager initialized", this.options);
+    log23.info("ConnectionManager initialized", this.options);
   }
   /**
    * 启动连接 — 连接 WS + 开始心跳 + 注册重连逻辑
@@ -19934,29 +19949,33 @@ var ConnectionManager = class {
     this.running = true;
     this.reconnectAttempts = 0;
     const token = await tokenFn();
+    const wsUrl = url2.replace(/\/+$/, "") + "/events/stream";
     await this.client.connect({
-      url: url2,
+      url: wsUrl,
       token,
-      headers: this.appId ? { "X-App-ID": this.appId } : void 0
+      headers: {
+        "Authorization": token,
+        ...this.appId ? { "X-App-ID": this.appId } : {}
+      }
     });
     this.client.on("close", () => {
       if (this.running) {
-        log22.warn("ws:disconnected, scheduling reconnect");
+        log23.warn("ws:disconnected, scheduling reconnect");
         this.scheduleReconnect();
       }
     });
     this.client.on("error", (err) => {
-      log22.error("ws:connection-error", { error: err.message });
+      log23.error("ws:connection-error", { error: err.message });
     });
     this.startHeartbeat();
-    log22.info("ConnectionManager started \u2713", { url: url2 });
+    log23.info("ConnectionManager started \u2713", { url: url2 });
   }
   /** 启动心跳保活 — 定时检查连接状态 */
   startHeartbeat() {
     this.stopHeartbeat();
     this.heartbeatTimer = setInterval(() => {
       if (this.client.readyState !== wrapper_default.OPEN) {
-        log22.warn("heartbeat: connection not open, scheduling reconnect");
+        log23.warn("heartbeat: connection not open, scheduling reconnect");
         this.scheduleReconnect();
       }
     }, this.options.heartbeatIntervalMs);
@@ -19984,30 +20003,34 @@ var ConnectionManager = class {
         this.options.reconnectBaseMs * 2 ** this.reconnectAttempts,
         this.options.reconnectMaxMs
       );
-      log22.info("ws:reconnecting", { attempt: this.reconnectAttempts + 1, delayMs: delay });
+      log23.info("ws:reconnecting", { attempt: this.reconnectAttempts + 1, delayMs: delay });
       await sleep2(delay);
       if (!this.running) return;
       this.reconnectAttempts++;
       try {
         const token = await this.tokenFn();
+        const wsUrl = this.url.replace(/\/+$/, "") + "/events/stream";
         await this.client.connect({
-          url: this.url,
+          url: wsUrl,
           token,
-          headers: this.appId ? { "X-App-ID": this.appId } : void 0
+          headers: {
+            "Authorization": token,
+            ...this.appId ? { "X-App-ID": this.appId } : {}
+          }
         });
         this.reconnectAttempts = 0;
         this.startHeartbeat();
-        log22.info("ws:reconnected", { attempt: this.reconnectAttempts, url: this.url });
+        log23.info("ws:reconnected", { attempt: this.reconnectAttempts, url: this.url });
         return;
       } catch (err) {
-        log22.warn("ws:reconnect-failed", {
+        log23.warn("ws:reconnect-failed", {
           attempt: this.reconnectAttempts,
           error: err.message
         });
       }
     }
     if (this.running) {
-      log22.error("ws:max-reconnect-reached", {
+      log23.error("ws:max-reconnect-reached", {
         maxAttempts: this.options.maxReconnectAttempts
       });
     }
@@ -20017,7 +20040,7 @@ var ConnectionManager = class {
     this.running = false;
     this.stopHeartbeat();
     this.client.close(1e3, "shutdown");
-    log22.info("ConnectionManager stopped");
+    log23.info("ConnectionManager stopped");
   }
   /** 当前是否已连接 (WebSocket readyState === OPEN) */
   get isConnected() {
@@ -20026,7 +20049,7 @@ var ConnectionManager = class {
 };
 
 // src/push/cockatoo-client.ts
-var log23 = createLogger("push/cockatoo-client");
+var log24 = createLogger("push/cockatoo-client");
 var DEFAULT_TIMEOUT_MS2 = 3e4;
 var CockatooPushError = class extends Error {
   constructor(status, body, endpoint) {
@@ -20060,7 +20083,7 @@ var CockatooClient = class {
     const base = config2.endpoint.replace(/\/+$/, "");
     this.pushUrl = `${base}/api/v1/push`;
     this.healthUrl = `${base}/health`;
-    log23.info("CockatooClient initialized", { endpoint: config2.endpoint });
+    log24.info("CockatooClient initialized", { endpoint: config2.endpoint });
   }
   /**
    * 推送消息到 Cockatoo 服务。
@@ -20091,7 +20114,7 @@ var CockatooClient = class {
       }
       throw new CockatooPushError(resp.status, body, this.pushUrl);
     }
-    log23.debug("push:sent", { type: payload.type });
+    log24.debug("push:sent", { type: payload.type });
   }
   /**
    * 执行一次健康检查。
@@ -20109,11 +20132,11 @@ var CockatooClient = class {
       });
       const isHealthy = resp.ok;
       if (!isHealthy) {
-        log23.warn("health-check:unhealthy", { status: resp.status });
+        log24.warn("health-check:unhealthy", { status: resp.status });
       }
       return isHealthy;
     } catch (err) {
-      log23.warn("health-check:error", { error: err.message });
+      log24.warn("health-check:error", { error: err.message });
       return false;
     }
   }
@@ -20125,7 +20148,7 @@ var CockatooClient = class {
         this.healthy = await this.healthCheck();
       } catch {
         this.healthy = false;
-        log23.warn("Cockatoo health check failed");
+        log24.warn("Cockatoo health check failed");
       }
     }, this.config.healthCheckIntervalMs ?? 6e4);
     if (typeof this.healthCheckTimer === "object" && "unref" in this.healthCheckTimer) {
@@ -20146,7 +20169,7 @@ var CockatooClient = class {
 };
 
 // src/push/push-queue.ts
-var log24 = createLogger("push/push-queue");
+var log25 = createLogger("push/push-queue");
 var RETRY_BASE_MS2 = 1e3;
 var PushQueue = class {
   client;
@@ -20188,7 +20211,7 @@ var PushQueue = class {
     this.unhealthyRetryMs = config2?.unhealthyRetryMs ?? 5e3;
     this.drainOnStop = config2?.drainOnStop ?? false;
     this.drainTimeoutMs = config2?.drainTimeoutMs ?? 5e3;
-    log24.info("PushQueue initialized", {
+    log25.info("PushQueue initialized", {
       maxSize: this.maxSize,
       retryAttempts: this.retryAttempts,
       processIntervalMs: this.processIntervalMs
@@ -20199,7 +20222,7 @@ var PushQueue = class {
   start() {
     if (this.running) return;
     this.running = true;
-    log24.info("PushQueue started");
+    log25.info("PushQueue started");
     this.scheduleNext(0);
   }
   /**
@@ -20213,10 +20236,10 @@ var PushQueue = class {
     this.running = false;
     this.clearTimer();
     if (this.drainOnStop && this.queue.length > 0) {
-      log24.info("PushQueue draining", { remaining: this.queue.length });
+      log25.info("PushQueue draining", { remaining: this.queue.length });
       await this.drain();
     }
-    log24.info("PushQueue stopped", {
+    log25.info("PushQueue stopped", {
       remaining: this.queue.length,
       sent: this.sentCount,
       dropped: this.droppedCount,
@@ -20231,13 +20254,13 @@ var PushQueue = class {
     if (this.queue.length >= this.maxSize) {
       const dropped = this.queue.shift();
       this.droppedCount++;
-      log24.warn("queue:full, dropping oldest", {
+      log25.warn("queue:full, dropping oldest", {
         droppedType: dropped?.payload.type,
         queueSize: this.queue.length
       });
     }
     this.queue.push({ payload, retries: 0, eligibleAt: 0 });
-    log24.debug("queue:enqueued", { type: payload.type, queueSize: this.queue.length });
+    log25.debug("queue:enqueued", { type: payload.type, queueSize: this.queue.length });
   }
   /** 当前队列长度 */
   get size() {
@@ -20262,7 +20285,7 @@ var PushQueue = class {
     this.clearTimer();
     this.processTimer = setTimeout(() => {
       this.tick().catch((err) => {
-        log24.error("tick:unexpected-error", { error: err.message });
+        log25.error("tick:unexpected-error", { error: err.message });
         if (this.running) {
           this.scheduleNext(this.idleIntervalMs);
         }
@@ -20284,7 +20307,7 @@ var PushQueue = class {
   async tick() {
     if (!this.running) return;
     if (!this.client.isHealthy) {
-      log24.debug("tick:service-unhealthy, pausing");
+      log25.debug("tick:service-unhealthy, pausing");
       this.scheduleNext(this.unhealthyRetryMs);
       return;
     }
@@ -20304,7 +20327,7 @@ var PushQueue = class {
     try {
       await this.processItem(item);
     } catch (err) {
-      log24.error("tick:process-unexpected", { error: err.message });
+      log25.error("tick:process-unexpected", { error: err.message });
     } finally {
       this.processing = false;
     }
@@ -20323,14 +20346,14 @@ var PushQueue = class {
     try {
       await this.client.push(item.payload);
       this.sentCount++;
-      log24.debug("push:success", {
+      log25.debug("push:success", {
         type: item.payload.type,
         retries: item.retries
       });
     } catch (err) {
       if (err instanceof CockatooPushError && err.isClientError) {
         this.droppedCount++;
-        log24.warn("push:4xx-dropped", {
+        log25.warn("push:4xx-dropped", {
           type: item.payload.type,
           status: err.status,
           retries: item.retries
@@ -20339,7 +20362,7 @@ var PushQueue = class {
       }
       if (item.retries >= this.retryAttempts) {
         this.droppedCount++;
-        log24.error("push:max-retries-dropped", {
+        log25.error("push:max-retries-dropped", {
           type: item.payload.type,
           retries: item.retries,
           error: err.message
@@ -20352,7 +20375,7 @@ var PushQueue = class {
       item.eligibleAt = Date.now() + backoffMs;
       this.queue.push(item);
       const errorDetail = err instanceof CockatooPushError ? `HTTP ${err.status}` : err.message;
-      log24.warn("push:retry-enqueued", {
+      log25.warn("push:retry-enqueued", {
         type: item.payload.type,
         retries: item.retries,
         backoffMs,
@@ -20376,22 +20399,22 @@ var PushQueue = class {
       try {
         await this.client.push(item.payload);
         this.sentCount++;
-        log24.debug("drain:sent", { type: item.payload.type });
+        log25.debug("drain:sent", { type: item.payload.type });
       } catch (err) {
         this.droppedCount++;
-        log24.warn("drain:dropped", {
+        log25.warn("drain:dropped", {
           type: item.payload.type,
           error: err.message
         });
       }
     }
     if (this.queue.length > 0) {
-      log24.warn("drain:timeout", {
+      log25.warn("drain:timeout", {
         remaining: this.queue.length,
         timeoutMs: this.drainTimeoutMs
       });
     } else {
-      log24.info("drain:complete");
+      log25.info("drain:complete");
     }
   }
   // ── 内部工具 ──
@@ -20405,43 +20428,32 @@ var PushQueue = class {
 };
 
 // src/index.ts
-var log25 = createLogger("plugin");
+var log26 = createLogger("plugin");
 async function startPlugin(accountConfig, internalOverrides) {
   const config2 = buildPluginConfig(accountConfig, internalOverrides);
-  log25.info("Config built \u2713", { pluginId: config2.pluginId });
+  log26.info("Config built \u2713", { pluginId: config2.pluginId });
   let cryptoEngine;
   if (config2.crypto.enabled) {
-    cryptoEngine = new CryptoEngine();
+    cryptoEngine = new CryptoEngine({ credentials: accountConfig });
     await cryptoEngine.init();
-    log25.info("Crypto initialized \u2713");
+    log26.info("Crypto initialized \u2713");
   } else {
     cryptoEngine = CryptoEngine.createPassthrough();
-    log25.info("Crypto passthrough mode \u2713 (disabled by config)");
-  }
-  const sealClient = new SealClient({
-    serverUrl: config2.auth.serverUrl,
-    clientName: config2.auth.clientName,
-    clientId: config2.auth.clientId,
-    clientSecret: config2.auth.clientSecret,
-    scopes: config2.auth.scopes
+    log26.info("Crypto passthrough mode \u2713 (disabled by config)");
+  }
+  const oauthClient = new OAuthClient({
+    baseUrl: config2.auth.serverUrl,
+    appId: accountConfig.appId,
+    appSecret: accountConfig.appSecret
   });
-  const tokenStorePath = (0, import_node_path2.join)((0, import_node_os.homedir)(), TOKEN_STORE_DIR, "tokens");
+  const tokenStorePath = (0, import_node_path3.join)((0, import_node_os.homedir)(), TOKEN_STORE_DIR, "tokens");
   const tokenStore = new TokenStore(tokenStorePath, cryptoEngine);
   const tokenManager = new TokenManager({
-    sealClient,
+    oauthClient,
     tokenStore,
-    refreshAheadMs: config2.auth.refreshAheadMs,
-    autoRegisterParams: config2.auth.autoRegister ? {
-      clientName: config2.auth.clientName,
-      scopes: config2.auth.scopes,
-      tokenSettings: config2.auth.tokenSettings ? {
-        accessTokenTtl: config2.auth.tokenSettings.accessTokenTtl,
-        refreshTokenTtl: config2.auth.tokenSettings.refreshTokenTtl,
-        accessTokenFormat: config2.auth.tokenSettings.accessTokenFormat
-      } : void 0
-    } : void 0
+    refreshAheadMs: config2.auth.refreshAheadMs
   });
-  log25.info("Auth initialized \u2713");
+  log26.info("Auth initialized \u2713");
   let pushQueue = null;
   let cockatooClient = null;
   if (config2.push?.enabled) {
@@ -20456,7 +20468,7 @@ async function startPlugin(accountConfig, internalOverrides) {
     });
     cockatooClient.startHealthCheck();
     pushQueue.start();
-    log25.info("Push initialized \u2713");
+    log26.info("Push initialized \u2713");
   }
   const wsClient = new WSClient();
   const dedup = new MessageDedup(config2.transport.dedup);
@@ -20474,8 +20486,8 @@ async function startPlugin(accountConfig, internalOverrides) {
     reconnectMaxMs: config2.transport.reconnectMaxMs,
     maxReconnectAttempts: config2.transport.maxReconnectAttempts
   });
-  log25.info("Transport initialized \u2713");
-  log25.info("Plugin started \u2713");
+  log26.info("Transport initialized \u2713");
+  log26.info("Plugin started \u2713");
   return {
     config: config2,
     messagePipe,
@@ -20483,12 +20495,12 @@ async function startPlugin(accountConfig, internalOverrides) {
     tokenManager,
     pushQueue,
     shutdown: async () => {
-      log25.info("Shutting down...");
+      log26.info("Shutting down...");
       await connectionManager.stop();
       if (pushQueue) await pushQueue.stop();
       if (cockatooClient) cockatooClient.stopHealthCheck();
       tokenManager.shutdown();
-      log25.info("Shutdown complete \u2713");
+      log26.info("Shutdown complete \u2713");
     }
   };
 }
@@ -20498,7 +20510,7 @@ var plugin = {
   description: "Quantum-encrypted IM channel plugin",
   register(api) {
     api.registerChannel({ plugin: quantumImPlugin });
-    log25.info("plugin registered \u2713");
+    log26.info("plugin registered \u2713");
   }
 };
 var index_default = plugin;