membot 0.5.2 → 0.6.0

package/src/ingest/downloaders/github.ts

@@ -0,0 +1,178 @@
+import { HelpfulError } from "../../errors.ts";
+import { sha256Hex } from "../local-reader.ts";
+import type { DownloadedRemote, Downloader, DownloaderCtx } from "./index.ts";
+
+const ISSUE_OR_PR = /^\/([^/]+)\/([^/]+)\/(issues|pull)\/(\d+)(?:$|\/|#|\?)/;
+
+const API_BASE = "https://api.github.com";
+
+/**
+ * GitHub issues and PRs via the REST API. The user sets a personal
+ * access token once via `membot config set downloaders.github.api_key
+ * <PAT>` (or via the `GITHUB_TOKEN` env var, which `gh auth token`
+ * happens to populate), and we fetch the issue/PR + every comment as
+ * structured JSON, then render to markdown.
+ *
+ * Why API instead of rendering github.com HTML: the rendered page
+ * works for public, network-cooperative cases but stalls when GitHub
+ * shows interstitials (rate-limit, abuse, login challenges) and
+ * captures hundreds of KB of GitHub chrome that the embedder doesn't
+ * care about. The API gives us the exact body and comment thread in
+ * a few KB.
+ *
+ * Public repos: the `api_key` is optional — we'll send unauthenticated
+ * requests if it's blank, which works for public content but gets
+ * rate-limited at 60 req/hr. Private repos require the token.
+ */
+export const githubDownloader: Downloader = {
+	name: "github",
+	description: "GitHub issues + PRs (github.com/<owner>/<repo>/(issues|pull)/<n>) — uses the GitHub REST API.",
+	logins: [
+		{
+			kind: "api_key",
+			name: "GitHub",
+			url: "https://github.com/settings/tokens",
+			setupCommand: "membot config set downloaders.github.api_key <PAT>",
+			description: "create a fine-grained token with repo:read access (or use GITHUB_TOKEN env var)",
+		},
+	],
+	requiresApiKey: false,
+	matches(url) {
+		return url.hostname === "github.com" && ISSUE_OR_PR.test(url.pathname);
+	},
+	async download(url, ctx): Promise<DownloadedRemote> {
+		const args = parseIssueUrl(url);
+		const owner = args.owner as string;
+		const repo = args.repo as string;
+		const number = args.number as number;
+
+		const token = (ctx.config.downloaders.github.api_key || process.env.GITHUB_TOKEN || "").trim();
+		ctx.onProgress?.("fetching issue");
+		const issue = await getJson<GithubIssue>(`/repos/${owner}/${repo}/issues/${number}`, token, url);
+		ctx.onProgress?.("fetching comments");
+		const comments = await getJson<GithubComment[]>(
+			`/repos/${owner}/${repo}/issues/${number}/comments?per_page=100`,
+			token,
+			url,
+		);
+
+		const isPullRequest = !!issue.pull_request;
+		const markdown = renderIssue(issue, comments, isPullRequest);
+		const bytes = new TextEncoder().encode(markdown);
+		return {
+			bytes,
+			sha256: sha256Hex(bytes),
+			mimeType: "text/markdown",
+			downloader: "github",
+			downloaderArgs: args,
+			sourceUrl: url.toString(),
+		};
+	},
+};
+
+interface GithubIssue {
+	number: number;
+	title: string;
+	body: string | null;
+	state: string;
+	html_url: string;
+	user: { login: string } | null;
+	assignees: Array<{ login: string }> | null;
+	labels: Array<{ name: string } | string> | null;
+	created_at: string;
+	updated_at: string;
+	closed_at: string | null;
+	pull_request?: unknown;
+}
+
+interface GithubComment {
+	body: string | null;
+	user: { login: string } | null;
+	created_at: string;
+}
+
+async function getJson<T>(path: string, token: string, url: URL): Promise<T> {
+	const headers: Record<string, string> = {
+		Accept: "application/vnd.github+json",
+		"X-GitHub-Api-Version": "2022-11-28",
+		"User-Agent": "membot",
+	};
+	if (token !== "") headers.Authorization = `Bearer ${token}`;
+
+	const response = await fetch(`${API_BASE}${path}`, { headers });
+	if (response.status === 401 || response.status === 403) {
+		throw new HelpfulError({
+			kind: "auth_error",
+			message: `GitHub API returned ${response.status} for ${url.toString()}.`,
+			hint:
+				token === ""
+					? "Set a personal access token: create one at https://github.com/settings/tokens, then `membot config set downloaders.github.api_key <PAT>` (or set $GITHUB_TOKEN)."
+					: "The configured API key is missing repo:read access for this repo, or has expired. Re-create the token and run `membot config set downloaders.github.api_key <PAT>`.",
+		});
+	}
+	if (response.status === 404) {
+		throw new HelpfulError({
+			kind: "not_found",
+			message: `GitHub returned 404 for ${url.toString()}.`,
+			hint: "Verify the URL exists. Private repos require an API key with the right scope.",
+		});
+	}
+	if (!response.ok) {
+		throw new HelpfulError({
+			kind: "network_error",
+			message: `GitHub API returned ${response.status} ${response.statusText} for ${url.toString()}.`,
+			hint: "Retry; if the failure persists, run with --verbose for the full response.",
+		});
+	}
+	return (await response.json()) as T;
+}
+
+function parseIssueUrl(url: URL): Record<string, unknown> {
+	const match = url.pathname.match(ISSUE_OR_PR);
+	if (!match) {
+		throw new HelpfulError({
+			kind: "input_error",
+			message: `not a GitHub issue/PR URL: ${url.toString()}`,
+			hint: "Pass a URL like https://github.com/<owner>/<repo>/issues/<n> or .../pull/<n>.",
+		});
+	}
+	return { owner: match[1], repo: match[2], kind: match[3], number: Number(match[4]) };
+}
+
+function renderIssue(issue: GithubIssue, comments: GithubComment[], isPr: boolean): string {
+	const lines: string[] = [];
+	const kind = isPr ? "PR" : "Issue";
+	lines.push(`# ${kind} #${issue.number}: ${issue.title}`);
+	lines.push("");
+	lines.push(`- URL: ${issue.html_url}`);
+	lines.push(`- State: ${issue.state}${issue.closed_at ? ` (closed ${issue.closed_at})` : ""}`);
+	if (issue.user) lines.push(`- Author: @${issue.user.login}`);
+	if (issue.assignees && issue.assignees.length > 0) {
+		lines.push(`- Assignees: ${issue.assignees.map((a) => `@${a.login}`).join(", ")}`);
+	}
+	if (issue.labels && issue.labels.length > 0) {
+		const labels = issue.labels.map((l) => (typeof l === "string" ? l : l.name)).filter(Boolean);
+		if (labels.length > 0) lines.push(`- Labels: ${labels.join(", ")}`);
+	}
+	lines.push(`- Created: ${issue.created_at}`);
+	lines.push(`- Updated: ${issue.updated_at}`);
+	lines.push("");
+	if (issue.body && issue.body.trim() !== "") {
+		lines.push("## Description");
+		lines.push("");
+		lines.push(issue.body.trim());
+		lines.push("");
+	}
+	if (comments.length > 0) {
+		lines.push(`## Comments (${comments.length})`);
+		lines.push("");
+		for (const c of comments) {
+			const author = c.user ? `@${c.user.login}` : "(unknown)";
+			lines.push(`### ${author} — ${c.created_at}`);
+			lines.push("");
+			lines.push((c.body ?? "").trim());
+			lines.push("");
+		}
+	}
+	return lines.join("\n").trim();
+}

package/src/ingest/downloaders/google-docs.ts

@@ -0,0 +1,56 @@
+import { HelpfulError } from "../../errors.ts";
+import { sha256Hex } from "../local-reader.ts";
+import { fetchWithBrowserCookies } from "./google-shared.ts";
+import type { DownloadedRemote, Downloader } from "./index.ts";
+
+const DOC_PATH = /^\/document\/d\/([a-zA-Z0-9_-]+)/;
+const DOCX_MIME = "application/vnd.openxmlformats-officedocument.wordprocessingml.document";
+
+/**
+ * Download a Google Doc as a `.docx` blob via the canonical export
+ * endpoint. Authentication uses cookies pulled from the persistent
+ * chromium profile (populated by `membot login`); the fetch itself
+ * is a plain Node `fetch`, not Playwright's APIRequestContext, to
+ * dodge a Playwright bug that crashes parsing Set-Cookie headers
+ * from Google's same-origin redirects.
+ */
+export const googleDocsDownloader: Downloader = {
+	name: "google-docs",
+	description: "Google Docs (docs.google.com/document/d/<id>) — exports as .docx via the user's logged-in session.",
+	logins: [
+		{
+			kind: "browser",
+			name: "Google",
+			url: "https://accounts.google.com/signin",
+			description: "covers Docs, Sheets, and Slides",
+		},
+	],
+	matches(url) {
+		return url.hostname === "docs.google.com" && DOC_PATH.test(url.pathname);
+	},
+	async download(url, ctx): Promise<DownloadedRemote> {
+		const docId = extractDocId(url);
+		const exportUrl = `https://docs.google.com/document/d/${docId}/export?format=docx`;
+		const body = await fetchWithBrowserCookies(exportUrl, ctx, "Google Docs", url);
+		return {
+			bytes: new Uint8Array(body),
+			sha256: sha256Hex(body),
+			mimeType: DOCX_MIME,
+			downloader: "google-docs",
+			downloaderArgs: { document_id: docId },
+			sourceUrl: url.toString(),
+		};
+	},
+};
+
+function extractDocId(url: URL): string {
+	const match = url.pathname.match(DOC_PATH);
+	if (!match || !match[1]) {
+		throw new HelpfulError({
+			kind: "input_error",
+			message: `not a Google Docs URL: ${url.toString()}`,
+			hint: "Pass a URL like https://docs.google.com/document/d/<DOC_ID>/edit.",
+		});
+	}
+	return match[1];
+}

package/src/ingest/downloaders/google-shared.ts

@@ -0,0 +1,86 @@
+import { HelpfulError } from "../../errors.ts";
+import type { DownloaderCtx } from "./index.ts";
+
+const USER_AGENT =
+	"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/147.0.0.0 Safari/537.36";
+
+/**
+ * Fetch a Google export URL using cookies from the persistent
+ * chromium profile. Uses Node's built-in `fetch` (not Playwright's
+ * APIRequestContext) because Playwright crashes when parsing
+ * Set-Cookie headers on same-origin Google redirects (its
+ * `_parseSetCookieHeader` calls `new URL(responseUrl)` with a
+ * relative path and throws `ERR_INVALID_URL`).
+ *
+ * Same redirect handling rules as the Playwright path used to do:
+ * follow same-origin internal redirects (Google may bounce the
+ * download via `/exportInternal` or similar) but bail with a clean
+ * `auth_error` if Google sends us to `accounts.google.com/ServiceLogin`
+ * because the user isn't signed in.
+ */
+export async function fetchWithBrowserCookies(
+	exportUrl: string,
+	ctx: DownloaderCtx,
+	serviceName: string,
+	sourceUrl: URL,
+): Promise<Buffer> {
+	ctx.onProgress?.(`downloading from ${serviceName.toLowerCase()}`);
+	const cookieHeader = await ctx.pool.cookieHeader(exportUrl);
+
+	let currentUrl = exportUrl;
+	for (let hop = 0; hop < 5; hop++) {
+		const response = await fetch(currentUrl, {
+			headers: {
+				Cookie: cookieHeader,
+				"User-Agent": USER_AGENT,
+				Accept: "*/*",
+			},
+			redirect: "manual",
+		});
+
+		if (response.status >= 200 && response.status < 300) {
+			return Buffer.from(await response.arrayBuffer());
+		}
+
+		if (response.status >= 300 && response.status < 400) {
+			const location = response.headers.get("location");
+			if (!location) {
+				throw new HelpfulError({
+					kind: "network_error",
+					message: `${serviceName} returned ${response.status} for ${sourceUrl.toString()} with no Location header.`,
+					hint: "Open the URL in your browser to verify it exists and is shared with you.",
+				});
+			}
+			const next = new URL(location, currentUrl);
+			if (next.hostname === "accounts.google.com" || /\/ServiceLogin/i.test(next.pathname)) {
+				throw new HelpfulError({
+					kind: "auth_error",
+					message: `${serviceName} redirected ${sourceUrl.toString()} to a Google login page.`,
+					hint: "Run `membot login` and sign into Google in the browser that opens, then re-run.",
+				});
+			}
+			currentUrl = next.toString();
+			continue;
+		}
+
+		if (response.status === 401 || response.status === 403) {
+			throw new HelpfulError({
+				kind: "auth_error",
+				message: `${serviceName} returned ${response.status} for ${sourceUrl.toString()}.`,
+				hint: "Run `membot login` and sign into Google in the browser that opens, then re-run.",
+			});
+		}
+
+		throw new HelpfulError({
+			kind: "network_error",
+			message: `${serviceName} returned ${response.status} ${response.statusText} for ${sourceUrl.toString()}.`,
+			hint: "Open the URL in your browser to verify it's accessible to your account.",
+		});
+	}
+
+	throw new HelpfulError({
+		kind: "network_error",
+		message: `${serviceName} bounced through too many redirects for ${sourceUrl.toString()}.`,
+		hint: "Re-run the command; if the failure persists, open the URL in your browser to investigate.",
+	});
+}

package/src/ingest/downloaders/google-sheets.ts

@@ -0,0 +1,58 @@
+import { HelpfulError } from "../../errors.ts";
+import { sha256Hex } from "../local-reader.ts";
+import { fetchWithBrowserCookies } from "./google-shared.ts";
+import type { DownloadedRemote, Downloader } from "./index.ts";
+
+const SHEET_PATH = /^\/spreadsheets\/d\/([a-zA-Z0-9_-]+)/;
+
+const XLSX_MIME = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet";
+
+/**
+ * Download a Google Sheet as `.xlsx` (the workbook's native format)
+ * — the export includes **every tab** in a single file. The bytes
+ * flow through `convertXlsx`, which renders each tab as a markdown
+ * `## <tab name>` section with a real GitHub-flavored pipe table.
+ * Cleaner than the PDF route (preserves cell structure, no layout
+ * truncation) and `format=html` is no longer supported by Google.
+ */
+export const googleSheetsDownloader: Downloader = {
+	name: "google-sheets",
+	description:
+		"Google Sheets (docs.google.com/spreadsheets/d/<id>) — exports every tab as .xlsx, rendered to markdown tables locally.",
+	logins: [
+		{
+			kind: "browser",
+			name: "Google",
+			url: "https://accounts.google.com/signin",
+			description: "covers Docs, Sheets, and Slides",
+		},
+	],
+	matches(url) {
+		return url.hostname === "docs.google.com" && SHEET_PATH.test(url.pathname);
+	},
+	async download(url, ctx): Promise<DownloadedRemote> {
+		const sheetId = extractSheetId(url);
+		const exportUrl = `https://docs.google.com/spreadsheets/d/${sheetId}/export?format=xlsx`;
+		const body = await fetchWithBrowserCookies(exportUrl, ctx, "Google Sheets", url);
+		return {
+			bytes: new Uint8Array(body),
+			sha256: sha256Hex(body),
+			mimeType: XLSX_MIME,
+			downloader: "google-sheets",
+			downloaderArgs: { sheet_id: sheetId },
+			sourceUrl: url.toString(),
+		};
+	},
+};
+
+function extractSheetId(url: URL): string {
+	const match = url.pathname.match(SHEET_PATH);
+	if (!match || !match[1]) {
+		throw new HelpfulError({
+			kind: "input_error",
+			message: `not a Google Sheets URL: ${url.toString()}`,
+			hint: "Pass a URL like https://docs.google.com/spreadsheets/d/<SHEET_ID>/edit.",
+		});
+	}
+	return match[1];
+}

package/src/ingest/downloaders/google-slides.ts

@@ -0,0 +1,53 @@
+import { HelpfulError } from "../../errors.ts";
+import { sha256Hex } from "../local-reader.ts";
+import { fetchWithBrowserCookies } from "./google-shared.ts";
+import type { DownloadedRemote, Downloader } from "./index.ts";
+
+const SLIDE_PATH = /^\/presentation\/d\/([a-zA-Z0-9_-]+)/;
+
+/**
+ * Download a Google Slides deck as a PDF via the canonical export
+ * endpoint. PDF preserves layout and text-on-slides faithfully; the
+ * existing `convertPdf` pipeline (unpdf) extracts the speaker text +
+ * bullets without losing slide ordering.
+ */
+export const googleSlidesDownloader: Downloader = {
+	name: "google-slides",
+	description: "Google Slides (docs.google.com/presentation/d/<id>) — exports as PDF for layout-faithful conversion.",
+	logins: [
+		{
+			kind: "browser",
+			name: "Google",
+			url: "https://accounts.google.com/signin",
+			description: "covers Docs, Sheets, and Slides",
+		},
+	],
+	matches(url) {
+		return url.hostname === "docs.google.com" && SLIDE_PATH.test(url.pathname);
+	},
+	async download(url, ctx): Promise<DownloadedRemote> {
+		const slidesId = extractSlidesId(url);
+		const exportUrl = `https://docs.google.com/presentation/d/${slidesId}/export/pdf`;
+		const body = await fetchWithBrowserCookies(exportUrl, ctx, "Google Slides", url);
+		return {
+			bytes: new Uint8Array(body),
+			sha256: sha256Hex(body),
+			mimeType: "application/pdf",
+			downloader: "google-slides",
+			downloaderArgs: { slides_id: slidesId },
+			sourceUrl: url.toString(),
+		};
+	},
+};
+
+function extractSlidesId(url: URL): string {
+	const match = url.pathname.match(SLIDE_PATH);
+	if (!match || !match[1]) {
+		throw new HelpfulError({
+			kind: "input_error",
+			message: `not a Google Slides URL: ${url.toString()}`,
+			hint: "Pass a URL like https://docs.google.com/presentation/d/<SLIDES_ID>/edit.",
+		});
+	}
+	return match[1];
+}

package/src/ingest/downloaders/index.ts

@@ -0,0 +1,182 @@
+import type { MembotConfig } from "../../config/schemas.ts";
+import type { logger as Logger } from "../../output/logger.ts";
+import type { BrowserPool } from "./browser.ts";
+import { genericWebDownloader } from "./generic-web.ts";
+import { githubDownloader } from "./github.ts";
+import { googleDocsDownloader } from "./google-docs.ts";
+import { googleSheetsDownloader } from "./google-sheets.ts";
+import { googleSlidesDownloader } from "./google-slides.ts";
+import { linearDownloader } from "./linear.ts";
+
+/**
+ * The shape every URL fetch produces — drop-in replacement for the
+ * old `FetchedRemote` shape. `downloader` + `downloaderArgs` get
+ * persisted on the row so refresh replays the same downloader against
+ * the same URL deterministically (no LLM, no agent loop).
+ */
+export interface DownloadedRemote {
+	bytes: Uint8Array;
+	sha256: string;
+	mimeType: string;
+	downloader: string;
+	downloaderArgs: Record<string, unknown>;
+	sourceUrl: string;
+}
+
+export interface DownloaderCtx {
+	pool: BrowserPool;
+	logger: typeof Logger;
+	config: MembotConfig;
+	/**
+	 * Optional sublabel hook for the host's progress spinner. Long-running
+	 * downloaders (multi-query GraphQL, paginated REST fetches, headless
+	 * browser navigation) can call this with short status strings —
+	 * "fetching", "rendering", "parsing 3/4 pages" — and the CLI will
+	 * surface them under the per-entry progress bar. No-op when the host
+	 * doesn't supply one (e.g. MCP server, JSON-mode CLI).
+	 */
+	onProgress?: (sublabel: string) => void;
+}
+
+/**
+ * One tactic for fetching a URL. Specific downloaders (Google,
+ * GitHub, Linear) match URLs by host/pattern and hit the canonical
+ * export endpoint; the generic-web downloader is the registry's
+ * always-matching catch-all (HEADs the URL, prints to PDF if HTML,
+ * else streams the raw bytes through). Adding a 6th service is one
+ * file — implement `Downloader`, register it here.
+ *
+ * If a downloader requires a logged-in browser session, it declares
+ * one or more `LoginEntry` objects; the `membot login` page collects
+ * those across every downloader, dedupes by URL, and renders one
+ * button per service.
+ */
+export interface Downloader {
+	name: string;
+	description: string;
+	matches(url: URL): boolean;
+	download(url: URL, ctx: DownloaderCtx): Promise<DownloadedRemote>;
+	logins?: LoginEntry[];
+	/**
+	 * Force the BrowserPool into headed mode for this downloader's
+	 * fetches. Used for SPAs that detect headless Chromium and refuse
+	 * to hydrate; we don't currently use it (services that needed it
+	 * have moved to the API-key flow), but the hook remains for
+	 * future cookie-based downloaders.
+	 */
+	requireHeaded?: boolean;
+	/**
+	 * The downloader authenticates via a config-stored API key, not
+	 * browser cookies. The fetcher uses this to skip the auto-login
+	 * browser prompt on `auth_error` (opening a browser doesn't help
+	 * when the missing credential is in the config file).
+	 */
+	requiresApiKey?: boolean;
+}
+
+/**
+ * A service the user might need to set up before fetches against it
+ * succeed. Two flavors:
+ *  - `kind: "browser"` — the user clicks a link in the `membot login`
+ *    browser, signs in, and closes the window. Cookies + IndexedDB
+ *    land in the persistent profile and downloaders use them
+ *    automatically.
+ *  - `kind: "api_key"` — the user visits the service's API-key page,
+ *    copies the key, and runs the displayed `setupCommand`. The key
+ *    lives in `~/.membot/config.json` and downloaders read it from
+ *    `ctx.config`.
+ *
+ * Multiple downloaders can declare the same `LoginEntry` (e.g. all
+ * three Google downloaders share Google sign-in); the login page
+ * dedupes by `(kind, url)`.
+ */
+export type LoginEntry = BrowserLoginEntry | ApiKeyLoginEntry;
+
+export interface BrowserLoginEntry {
+	kind: "browser";
+	/** Display name (e.g. "Google"). */
+	name: string;
+	/** Login URL the button opens. */
+	url: string;
+	/** Optional one-liner shown next to the button. */
+	description?: string;
+}
+
+export interface ApiKeyLoginEntry {
+	kind: "api_key";
+	/** Display name (e.g. "Linear"). */
+	name: string;
+	/** Settings page where the user creates the key. */
+	url: string;
+	/** Shell command the user copies — e.g. `membot config set linear.api_key <KEY>`. */
+	setupCommand: string;
+	/** Optional one-liner shown next to the link. */
+	description?: string;
+}
+
+const REGISTRY: Downloader[] = [
+	googleDocsDownloader,
+	googleSheetsDownloader,
+	googleSlidesDownloader,
+	githubDownloader,
+	linearDownloader,
+	genericWebDownloader,
+];
+
+/**
+ * Find the first downloader that matches `url`. Returns `null` only
+ * if `url` doesn't parse — in normal use the generic-web downloader
+ * matches everything else, so callers can treat `findDownloader` as
+ * total over valid URLs.
+ */
+export function findDownloader(url: string | URL): Downloader | null {
+	let parsed: URL;
+	try {
+		parsed = typeof url === "string" ? new URL(url) : url;
+	} catch {
+		return null;
+	}
+	for (const d of REGISTRY) {
+		if (d.matches(parsed)) return d;
+	}
+	return null;
+}
+
+/** Lookup by name (used by refresh to replay a persisted downloader). */
+export function findDownloaderByName(name: string): Downloader | null {
+	return REGISTRY.find((d) => d.name === name) ?? null;
+}
+
+/** Read-only view of every registered downloader. */
+export function listDownloaders(): readonly Downloader[] {
+	return REGISTRY;
+}
+
+/**
+ * Collect every `LoginEntry` declared by a downloader, deduped by URL
+ * within each kind. Used by `membot login` to render one button per
+ * service (browser-login) and one set of instructions per service
+ * (api-key) even when multiple downloaders share the same setup
+ * (e.g. Google Docs / Sheets / Slides all share Google sign-in).
+ */
+export function collectLoginEntries(): { browser: BrowserLoginEntry[]; apiKey: ApiKeyLoginEntry[] } {
+	const browser = new Map<string, BrowserLoginEntry>();
+	const apiKey = new Map<string, ApiKeyLoginEntry>();
+	for (const d of REGISTRY) {
+		if (!d.logins) continue;
+		for (const entry of d.logins) {
+			if (entry.kind === "browser") {
+				if (!browser.has(entry.url)) browser.set(entry.url, entry);
+			} else {
+				if (!apiKey.has(entry.url)) apiKey.set(entry.url, entry);
+			}
+		}
+	}
+	return { browser: [...browser.values()], apiKey: [...apiKey.values()] };
+}
+
+/**
+ * Compute a stable sha256 hex digest of the bytes. Re-exposed here
+ * because every downloader uses it.
+ */
+export { sha256Hex } from "../local-reader.ts";