openclaw-multi-auto 1.7.0 → 1.7.3

package/dist/build-info.json

@@ -1,5 +1,5 @@
 {
-  "version": "1.7.0",
-  "commit": "dbb1bae51093028fd6577029fa3fcb8263f64320",
-  "builtAt": "2026-03-15T06:54:43.828Z"
+  "version": "1.7.3",
+  "commit": "8c2e552fce3ebfc997b7776d1f5d79981f725070",
+  "builtAt": "2026-03-15T07:11:58.932Z"
 }

package/dist/canvas-host/a2ui/.bundle.hash

@@ -1 +1 @@
-82f62992910e699c950030ac8e39e6cdcd876d99d1a507fd9a24f4ba533819b3
+aefd368fa9a68e0748c1358dae286ec36b151a9b875c5901874ddb08700b2022

package/dist/plugin-sdk/accounts-CJWOBzwB.js

@@ -0,0 +1,35 @@
+import { ot as normalizeAccountId } from "./run-with-concurrency-Bt_ks0Qa.js";
+import { v as resolveAccountEntry, y as createAccountListHelpers } from "./accounts-DP1-L-QS.js";
+
+//#region src/imessage/accounts.ts
+const { listAccountIds, resolveDefaultAccountId } = createAccountListHelpers("imessage");
+const listIMessageAccountIds = listAccountIds;
+const resolveDefaultIMessageAccountId = resolveDefaultAccountId;
+function resolveAccountConfig(cfg, accountId) {
+	return resolveAccountEntry(cfg.channels?.imessage?.accounts, accountId);
+}
+function mergeIMessageAccountConfig(cfg, accountId) {
+	const { accounts: _ignored, ...base } = cfg.channels?.imessage ?? {};
+	const account = resolveAccountConfig(cfg, accountId) ?? {};
+	return {
+		...base,
+		...account
+	};
+}
+function resolveIMessageAccount(params) {
+	const accountId = normalizeAccountId(params.accountId);
+	const baseEnabled = params.cfg.channels?.imessage?.enabled !== false;
+	const merged = mergeIMessageAccountConfig(params.cfg, accountId);
+	const accountEnabled = merged.enabled !== false;
+	const configured = Boolean(merged.cliPath?.trim() || merged.dbPath?.trim() || merged.service || merged.region?.trim() || merged.allowFrom && merged.allowFrom.length > 0 || merged.groupAllowFrom && merged.groupAllowFrom.length > 0 || merged.dmPolicy || merged.groupPolicy || typeof merged.includeAttachments === "boolean" || merged.attachmentRoots && merged.attachmentRoots.length > 0 || merged.remoteAttachmentRoots && merged.remoteAttachmentRoots.length > 0 || typeof merged.mediaMaxMb === "number" || typeof merged.textChunkLimit === "number" || merged.groups && Object.keys(merged.groups).length > 0);
+	return {
+		accountId,
+		enabled: baseEnabled && accountEnabled,
+		name: merged.name?.trim() || void 0,
+		config: merged,
+		configured
+	};
+}
+
+//#endregion
+export { resolveDefaultIMessageAccountId as n, resolveIMessageAccount as r, listIMessageAccountIds as t };

package/dist/plugin-sdk/accounts-DP1-L-QS.js

@@ -0,0 +1,288 @@
+import { at as DEFAULT_ACCOUNT_ID, ot as normalizeAccountId, st as normalizeOptionalAccountId } from "./run-with-concurrency-Bt_ks0Qa.js";
+import { o as resolveOAuthDir } from "./paths-MKyEVmEb.js";
+import { Pr as formatCliCommand } from "./config-BkEnz2Po.js";
+import { B as success, E as resolveUserPath, G as getChildLogger, I as info, c as defaultRuntime, x as jidToE164 } from "./logger-CZY9KIoY.js";
+import fs from "node:fs";
+import path from "node:path";
+import fs$1 from "node:fs/promises";
+
+//#region src/channels/plugins/account-helpers.ts
+function createAccountListHelpers(channelKey) {
+	function resolveConfiguredDefaultAccountId(cfg) {
+		const channel = cfg.channels?.[channelKey];
+		const preferred = normalizeOptionalAccountId(typeof channel?.defaultAccount === "string" ? channel.defaultAccount : void 0);
+		if (!preferred) return;
+		if (listAccountIds(cfg).some((id) => normalizeAccountId(id) === preferred)) return preferred;
+	}
+	function listConfiguredAccountIds(cfg) {
+		const accounts = (cfg.channels?.[channelKey])?.accounts;
+		if (!accounts || typeof accounts !== "object") return [];
+		return Object.keys(accounts).filter(Boolean);
+	}
+	function listAccountIds(cfg) {
+		const ids = listConfiguredAccountIds(cfg);
+		if (ids.length === 0) return [DEFAULT_ACCOUNT_ID];
+		return ids.toSorted((a, b) => a.localeCompare(b));
+	}
+	function resolveDefaultAccountId(cfg) {
+		const preferred = resolveConfiguredDefaultAccountId(cfg);
+		if (preferred) return preferred;
+		const ids = listAccountIds(cfg);
+		if (ids.includes(DEFAULT_ACCOUNT_ID)) return DEFAULT_ACCOUNT_ID;
+		return ids[0] ?? DEFAULT_ACCOUNT_ID;
+	}
+	return {
+		listConfiguredAccountIds,
+		listAccountIds,
+		resolveDefaultAccountId
+	};
+}
+
+//#endregion
+//#region src/routing/account-lookup.ts
+function resolveAccountEntry(accounts, accountId) {
+	if (!accounts || typeof accounts !== "object") return;
+	if (Object.hasOwn(accounts, accountId)) return accounts[accountId];
+	const normalized = accountId.toLowerCase();
+	const matchKey = Object.keys(accounts).find((key) => key.toLowerCase() === normalized);
+	return matchKey ? accounts[matchKey] : void 0;
+}
+
+//#endregion
+//#region src/web/auth-store.ts
+function resolveDefaultWebAuthDir() {
+	return path.join(resolveOAuthDir(), "whatsapp", DEFAULT_ACCOUNT_ID);
+}
+const WA_WEB_AUTH_DIR = resolveDefaultWebAuthDir();
+function resolveWebCredsPath(authDir) {
+	return path.join(authDir, "creds.json");
+}
+function resolveWebCredsBackupPath(authDir) {
+	return path.join(authDir, "creds.json.bak");
+}
+function hasWebCredsSync(authDir) {
+	try {
+		const stats = fs.statSync(resolveWebCredsPath(authDir));
+		return stats.isFile() && stats.size > 1;
+	} catch {
+		return false;
+	}
+}
+function readCredsJsonRaw(filePath) {
+	try {
+		if (!fs.existsSync(filePath)) return null;
+		const stats = fs.statSync(filePath);
+		if (!stats.isFile() || stats.size <= 1) return null;
+		return fs.readFileSync(filePath, "utf-8");
+	} catch {
+		return null;
+	}
+}
+function maybeRestoreCredsFromBackup(authDir) {
+	const logger = getChildLogger({ module: "web-session" });
+	try {
+		const credsPath = resolveWebCredsPath(authDir);
+		const backupPath = resolveWebCredsBackupPath(authDir);
+		const raw = readCredsJsonRaw(credsPath);
+		if (raw) {
+			JSON.parse(raw);
+			return;
+		}
+		const backupRaw = readCredsJsonRaw(backupPath);
+		if (!backupRaw) return;
+		JSON.parse(backupRaw);
+		fs.copyFileSync(backupPath, credsPath);
+		try {
+			fs.chmodSync(credsPath, 384);
+		} catch {}
+		logger.warn({ credsPath }, "restored corrupted WhatsApp creds.json from backup");
+	} catch {}
+}
+async function webAuthExists(authDir = resolveDefaultWebAuthDir()) {
+	const resolvedAuthDir = resolveUserPath(authDir);
+	maybeRestoreCredsFromBackup(resolvedAuthDir);
+	const credsPath = resolveWebCredsPath(resolvedAuthDir);
+	try {
+		await fs$1.access(resolvedAuthDir);
+	} catch {
+		return false;
+	}
+	try {
+		const stats = await fs$1.stat(credsPath);
+		if (!stats.isFile() || stats.size <= 1) return false;
+		const raw = await fs$1.readFile(credsPath, "utf-8");
+		JSON.parse(raw);
+		return true;
+	} catch {
+		return false;
+	}
+}
+async function clearLegacyBaileysAuthState(authDir) {
+	const entries = await fs$1.readdir(authDir, { withFileTypes: true });
+	const shouldDelete = (name) => {
+		if (name === "oauth.json") return false;
+		if (name === "creds.json" || name === "creds.json.bak") return true;
+		if (!name.endsWith(".json")) return false;
+		return /^(app-state-sync|session|sender-key|pre-key)-/.test(name);
+	};
+	await Promise.all(entries.map(async (entry) => {
+		if (!entry.isFile()) return;
+		if (!shouldDelete(entry.name)) return;
+		await fs$1.rm(path.join(authDir, entry.name), { force: true });
+	}));
+}
+async function logoutWeb(params) {
+	const runtime = params.runtime ?? defaultRuntime;
+	const resolvedAuthDir = resolveUserPath(params.authDir ?? resolveDefaultWebAuthDir());
+	if (!await webAuthExists(resolvedAuthDir)) {
+		runtime.log(info("No WhatsApp Web session found; nothing to delete."));
+		return false;
+	}
+	if (params.isLegacyAuthDir) await clearLegacyBaileysAuthState(resolvedAuthDir);
+	else await fs$1.rm(resolvedAuthDir, {
+		recursive: true,
+		force: true
+	});
+	runtime.log(success("Cleared WhatsApp Web credentials."));
+	return true;
+}
+function readWebSelfId(authDir = resolveDefaultWebAuthDir()) {
+	try {
+		const credsPath = resolveWebCredsPath(resolveUserPath(authDir));
+		if (!fs.existsSync(credsPath)) return {
+			e164: null,
+			jid: null
+		};
+		const raw = fs.readFileSync(credsPath, "utf-8");
+		const jid = JSON.parse(raw)?.me?.id ?? null;
+		return {
+			e164: jid ? jidToE164(jid, { authDir }) : null,
+			jid
+		};
+	} catch {
+		return {
+			e164: null,
+			jid: null
+		};
+	}
+}
+/**
+* Return the age (in milliseconds) of the cached WhatsApp web auth state, or null when missing.
+* Helpful for heartbeats/observability to spot stale credentials.
+*/
+function getWebAuthAgeMs(authDir = resolveDefaultWebAuthDir()) {
+	try {
+		const stats = fs.statSync(resolveWebCredsPath(resolveUserPath(authDir)));
+		return Date.now() - stats.mtimeMs;
+	} catch {
+		return null;
+	}
+}
+function logWebSelfId(authDir = resolveDefaultWebAuthDir(), runtime = defaultRuntime, includeChannelPrefix = false) {
+	const { e164, jid } = readWebSelfId(authDir);
+	const details = e164 || jid ? `${e164 ?? "unknown"}${jid ? ` (jid ${jid})` : ""}` : "unknown";
+	const prefix = includeChannelPrefix ? "Web Channel: " : "";
+	runtime.log(info(`${prefix}${details}`));
+}
+async function pickWebChannel(pref, authDir = resolveDefaultWebAuthDir()) {
+	const choice = pref === "auto" ? "web" : pref;
+	if (!await webAuthExists(authDir)) throw new Error(`No WhatsApp Web session found. Run \`${formatCliCommand("openclaw channels login --channel whatsapp --verbose")}\` to link.`);
+	return choice;
+}
+
+//#endregion
+//#region src/web/accounts.ts
+const { listConfiguredAccountIds, listAccountIds, resolveDefaultAccountId } = createAccountListHelpers("whatsapp");
+const listWhatsAppAccountIds = listAccountIds;
+const resolveDefaultWhatsAppAccountId = resolveDefaultAccountId;
+function listWhatsAppAuthDirs(cfg) {
+	const oauthDir = resolveOAuthDir();
+	const whatsappDir = path.join(oauthDir, "whatsapp");
+	const authDirs = new Set([oauthDir, path.join(whatsappDir, DEFAULT_ACCOUNT_ID)]);
+	const accountIds = listConfiguredAccountIds(cfg);
+	for (const accountId of accountIds) authDirs.add(resolveWhatsAppAuthDir({
+		cfg,
+		accountId
+	}).authDir);
+	try {
+		const entries = fs.readdirSync(whatsappDir, { withFileTypes: true });
+		for (const entry of entries) {
+			if (!entry.isDirectory()) continue;
+			authDirs.add(path.join(whatsappDir, entry.name));
+		}
+	} catch {}
+	return Array.from(authDirs);
+}
+function hasAnyWhatsAppAuth(cfg) {
+	return listWhatsAppAuthDirs(cfg).some((authDir) => hasWebCredsSync(authDir));
+}
+function resolveAccountConfig(cfg, accountId) {
+	return resolveAccountEntry(cfg.channels?.whatsapp?.accounts, accountId);
+}
+function resolveDefaultAuthDir(accountId) {
+	return path.join(resolveOAuthDir(), "whatsapp", normalizeAccountId(accountId));
+}
+function resolveLegacyAuthDir() {
+	return resolveOAuthDir();
+}
+function legacyAuthExists(authDir) {
+	try {
+		return fs.existsSync(path.join(authDir, "creds.json"));
+	} catch {
+		return false;
+	}
+}
+function resolveWhatsAppAuthDir(params) {
+	const accountId = params.accountId.trim() || DEFAULT_ACCOUNT_ID;
+	const configured = resolveAccountConfig(params.cfg, accountId)?.authDir?.trim();
+	if (configured) return {
+		authDir: resolveUserPath(configured),
+		isLegacy: false
+	};
+	const defaultDir = resolveDefaultAuthDir(accountId);
+	if (accountId === DEFAULT_ACCOUNT_ID) {
+		const legacyDir = resolveLegacyAuthDir();
+		if (legacyAuthExists(legacyDir) && !legacyAuthExists(defaultDir)) return {
+			authDir: legacyDir,
+			isLegacy: true
+		};
+	}
+	return {
+		authDir: defaultDir,
+		isLegacy: false
+	};
+}
+function resolveWhatsAppAccount(params) {
+	const rootCfg = params.cfg.channels?.whatsapp;
+	const accountId = params.accountId?.trim() || resolveDefaultWhatsAppAccountId(params.cfg);
+	const accountCfg = resolveAccountConfig(params.cfg, accountId);
+	const enabled = accountCfg?.enabled !== false;
+	const { authDir, isLegacy } = resolveWhatsAppAuthDir({
+		cfg: params.cfg,
+		accountId
+	});
+	return {
+		accountId,
+		name: accountCfg?.name?.trim() || void 0,
+		enabled,
+		sendReadReceipts: accountCfg?.sendReadReceipts ?? rootCfg?.sendReadReceipts ?? true,
+		messagePrefix: accountCfg?.messagePrefix ?? rootCfg?.messagePrefix ?? params.cfg.messages?.messagePrefix,
+		authDir,
+		isLegacyAuthDir: isLegacy,
+		selfChatMode: accountCfg?.selfChatMode ?? rootCfg?.selfChatMode,
+		dmPolicy: accountCfg?.dmPolicy ?? rootCfg?.dmPolicy,
+		allowFrom: accountCfg?.allowFrom ?? rootCfg?.allowFrom,
+		groupAllowFrom: accountCfg?.groupAllowFrom ?? rootCfg?.groupAllowFrom,
+		groupPolicy: accountCfg?.groupPolicy ?? rootCfg?.groupPolicy,
+		textChunkLimit: accountCfg?.textChunkLimit ?? rootCfg?.textChunkLimit,
+		chunkMode: accountCfg?.chunkMode ?? rootCfg?.chunkMode,
+		mediaMaxMb: accountCfg?.mediaMaxMb ?? rootCfg?.mediaMaxMb,
+		blockStreaming: accountCfg?.blockStreaming ?? rootCfg?.blockStreaming,
+		ackReaction: accountCfg?.ackReaction ?? rootCfg?.ackReaction,
+		groups: accountCfg?.groups ?? rootCfg?.groups,
+		debounceMs: accountCfg?.debounceMs ?? rootCfg?.debounceMs
+	};
+}
+
+//#endregion
+export { webAuthExists as _, resolveWhatsAppAuthDir as a, logWebSelfId as c, pickWebChannel as d, readCredsJsonRaw as f, resolveWebCredsPath as g, resolveWebCredsBackupPath as h, resolveWhatsAppAccount as i, logoutWeb as l, resolveDefaultWebAuthDir as m, listWhatsAppAccountIds as n, WA_WEB_AUTH_DIR as o, readWebSelfId as p, resolveDefaultWhatsAppAccountId as r, getWebAuthAgeMs as s, hasAnyWhatsAppAuth as t, maybeRestoreCredsFromBackup as u, resolveAccountEntry as v, createAccountListHelpers as y };

package/dist/plugin-sdk/accounts-DZhWlEg3.js

@@ -0,0 +1,46 @@
+import { ot as normalizeAccountId } from "./run-with-concurrency-Bt_ks0Qa.js";
+import { v as resolveAccountEntry, y as createAccountListHelpers } from "./accounts-DP1-L-QS.js";
+
+//#region src/signal/accounts.ts
+const { listAccountIds, resolveDefaultAccountId } = createAccountListHelpers("signal");
+const listSignalAccountIds = listAccountIds;
+const resolveDefaultSignalAccountId = resolveDefaultAccountId;
+function resolveAccountConfig(cfg, accountId) {
+	return resolveAccountEntry(cfg.channels?.signal?.accounts, accountId);
+}
+function mergeSignalAccountConfig(cfg, accountId) {
+	const { accounts: _ignored, ...base } = cfg.channels?.signal ?? {};
+	const account = resolveAccountConfig(cfg, accountId) ?? {};
+	return {
+		...base,
+		...account
+	};
+}
+function resolveSignalAccount(params) {
+	const accountId = normalizeAccountId(params.accountId);
+	const baseEnabled = params.cfg.channels?.signal?.enabled !== false;
+	const merged = mergeSignalAccountConfig(params.cfg, accountId);
+	const accountEnabled = merged.enabled !== false;
+	const enabled = baseEnabled && accountEnabled;
+	const host = merged.httpHost?.trim() || "127.0.0.1";
+	const port = merged.httpPort ?? 8080;
+	const baseUrl = merged.httpUrl?.trim() || `http://${host}:${port}`;
+	const configured = Boolean(merged.account?.trim() || merged.httpUrl?.trim() || merged.cliPath?.trim() || merged.httpHost?.trim() || typeof merged.httpPort === "number" || typeof merged.autoStart === "boolean");
+	return {
+		accountId,
+		enabled,
+		name: merged.name?.trim() || void 0,
+		baseUrl,
+		configured,
+		config: merged
+	};
+}
+function listEnabledSignalAccounts(cfg) {
+	return listSignalAccountIds(cfg).map((accountId) => resolveSignalAccount({
+		cfg,
+		accountId
+	})).filter((account) => account.enabled);
+}
+
+//#endregion
+export { resolveSignalAccount as i, listSignalAccountIds as n, resolveDefaultSignalAccountId as r, listEnabledSignalAccounts as t };

package/dist/plugin-sdk/active-listener-B_sLJTXM.js

@@ -0,0 +1,50 @@
+import { at as DEFAULT_ACCOUNT_ID } from "./run-with-concurrency-Bt_ks0Qa.js";
+import { Pr as formatCliCommand } from "./config-BkEnz2Po.js";
+import crypto from "node:crypto";
+
+//#region src/logging/redact-identifier.ts
+function sha256HexPrefix(value, len = 12) {
+	const safeLen = Number.isFinite(len) ? Math.max(1, Math.floor(len)) : 12;
+	return crypto.createHash("sha256").update(value).digest("hex").slice(0, safeLen);
+}
+function redactIdentifier(value, opts) {
+	const trimmed = value?.trim();
+	if (!trimmed) return "-";
+	return `sha256:${sha256HexPrefix(trimmed, opts?.len ?? 12)}`;
+}
+
+//#endregion
+//#region src/web/active-listener.ts
+const listeners = /* @__PURE__ */ new Map();
+function resolveWebAccountId(accountId) {
+	return (accountId ?? "").trim() || DEFAULT_ACCOUNT_ID;
+}
+function requireActiveWebListener(accountId) {
+	const id = resolveWebAccountId(accountId);
+	const listener = listeners.get(id) ?? null;
+	if (!listener) throw new Error(`No active WhatsApp Web listener (account: ${id}). Start the gateway, then link WhatsApp with: ${formatCliCommand(`openclaw channels login --channel whatsapp --account ${id}`)}.`);
+	return {
+		accountId: id,
+		listener
+	};
+}
+function setActiveWebListener(accountIdOrListener, maybeListener) {
+	const { accountId, listener } = typeof accountIdOrListener === "string" ? {
+		accountId: accountIdOrListener,
+		listener: maybeListener ?? null
+	} : {
+		accountId: DEFAULT_ACCOUNT_ID,
+		listener: accountIdOrListener ?? null
+	};
+	const id = resolveWebAccountId(accountId);
+	if (!listener) listeners.delete(id);
+	else listeners.set(id, listener);
+	if (id === DEFAULT_ACCOUNT_ID) {}
+}
+function getActiveWebListener(accountId) {
+	const id = resolveWebAccountId(accountId);
+	return listeners.get(id) ?? null;
+}
+
+//#endregion
+export { redactIdentifier as i, requireActiveWebListener as n, setActiveWebListener as r, getActiveWebListener as t };

package/dist/plugin-sdk/api-key-rotation-BRE4X2tf.js

@@ -0,0 +1,181 @@
+import { jn as normalizeProviderId } from "./config-BkEnz2Po.js";
+import { r as formatErrorMessage } from "./errors-DaiAM-yU.js";
+
+//#region src/infra/gemini-auth.ts
+/**
+* Shared Gemini authentication utilities.
+*
+* Supports both traditional API keys and OAuth JSON format.
+*/
+/**
+* Parse Gemini API key and return appropriate auth headers.
+*
+* OAuth format: `{"token": "...", "projectId": "..."}`
+*
+* @param apiKey - Either a traditional API key string or OAuth JSON
+* @returns Headers object with appropriate authentication
+*/
+function parseGeminiAuth(apiKey) {
+	if (apiKey.startsWith("{")) try {
+		const parsed = JSON.parse(apiKey);
+		if (typeof parsed.token === "string" && parsed.token) return { headers: {
+			Authorization: `Bearer ${parsed.token}`,
+			"Content-Type": "application/json"
+		} };
+	} catch {}
+	return { headers: {
+		"x-goog-api-key": apiKey,
+		"Content-Type": "application/json"
+	} };
+}
+
+//#endregion
+//#region src/agents/live-auth-keys.ts
+const KEY_SPLIT_RE = /[\s,;]+/g;
+const GOOGLE_LIVE_SINGLE_KEY = "OPENCLAW_LIVE_GEMINI_KEY";
+const PROVIDER_PREFIX_OVERRIDES = {
+	google: "GEMINI",
+	"google-vertex": "GEMINI"
+};
+const PROVIDER_API_KEY_CONFIG = {
+	anthropic: {
+		liveSingle: "OPENCLAW_LIVE_ANTHROPIC_KEY",
+		listVar: "OPENCLAW_LIVE_ANTHROPIC_KEYS",
+		primaryVar: "ANTHROPIC_API_KEY",
+		prefixedVar: "ANTHROPIC_API_KEY_"
+	},
+	google: {
+		liveSingle: GOOGLE_LIVE_SINGLE_KEY,
+		listVar: "GEMINI_API_KEYS",
+		primaryVar: "GEMINI_API_KEY",
+		prefixedVar: "GEMINI_API_KEY_"
+	},
+	"google-vertex": {
+		liveSingle: GOOGLE_LIVE_SINGLE_KEY,
+		listVar: "GEMINI_API_KEYS",
+		primaryVar: "GEMINI_API_KEY",
+		prefixedVar: "GEMINI_API_KEY_"
+	},
+	openai: {
+		liveSingle: "OPENCLAW_LIVE_OPENAI_KEY",
+		listVar: "OPENAI_API_KEYS",
+		primaryVar: "OPENAI_API_KEY",
+		prefixedVar: "OPENAI_API_KEY_"
+	}
+};
+function parseKeyList(raw) {
+	if (!raw) return [];
+	return raw.split(KEY_SPLIT_RE).map((value) => value.trim()).filter(Boolean);
+}
+function collectEnvPrefixedKeys(prefix) {
+	const keys = [];
+	for (const [name, value] of Object.entries(process.env)) {
+		if (!name.startsWith(prefix)) continue;
+		const trimmed = value?.trim();
+		if (!trimmed) continue;
+		keys.push(trimmed);
+	}
+	return keys;
+}
+function resolveProviderApiKeyConfig(provider) {
+	const normalized = normalizeProviderId(provider);
+	const custom = PROVIDER_API_KEY_CONFIG[normalized];
+	const base = PROVIDER_PREFIX_OVERRIDES[normalized] ?? normalized.toUpperCase().replace(/-/g, "_");
+	const liveSingle = custom?.liveSingle ?? `OPENCLAW_LIVE_${base}_KEY`;
+	const listVar = custom?.listVar ?? `${base}_API_KEYS`;
+	const primaryVar = custom?.primaryVar ?? `${base}_API_KEY`;
+	const prefixedVar = custom?.prefixedVar ?? `${base}_API_KEY_`;
+	if (normalized === "google" || normalized === "google-vertex") return {
+		liveSingle,
+		listVar,
+		primaryVar,
+		prefixedVar,
+		fallbackVars: ["GOOGLE_API_KEY"]
+	};
+	return {
+		liveSingle,
+		listVar,
+		primaryVar,
+		prefixedVar,
+		fallbackVars: []
+	};
+}
+function collectProviderApiKeys(provider) {
+	const config = resolveProviderApiKeyConfig(provider);
+	const forcedSingle = config.liveSingle ? process.env[config.liveSingle]?.trim() : void 0;
+	if (forcedSingle) return [forcedSingle];
+	const fromList = parseKeyList(config.listVar ? process.env[config.listVar] : void 0);
+	const primary = config.primaryVar ? process.env[config.primaryVar]?.trim() : void 0;
+	const fromPrefixed = config.prefixedVar ? collectEnvPrefixedKeys(config.prefixedVar) : [];
+	const fallback = config.fallbackVars.map((envVar) => process.env[envVar]?.trim()).filter(Boolean);
+	const seen = /* @__PURE__ */ new Set();
+	const add = (value) => {
+		if (!value) return;
+		if (seen.has(value)) return;
+		seen.add(value);
+	};
+	for (const value of fromList) add(value);
+	add(primary);
+	for (const value of fromPrefixed) add(value);
+	for (const value of fallback) add(value);
+	return Array.from(seen);
+}
+function isApiKeyRateLimitError(message) {
+	const lower = message.toLowerCase();
+	if (lower.includes("rate_limit")) return true;
+	if (lower.includes("rate limit")) return true;
+	if (lower.includes("429")) return true;
+	if (lower.includes("quota exceeded") || lower.includes("quota_exceeded")) return true;
+	if (lower.includes("resource exhausted") || lower.includes("resource_exhausted")) return true;
+	if (lower.includes("too many requests")) return true;
+	return false;
+}
+
+//#endregion
+//#region src/agents/api-key-rotation.ts
+function dedupeApiKeys(raw) {
+	const seen = /* @__PURE__ */ new Set();
+	const keys = [];
+	for (const value of raw) {
+		const apiKey = value.trim();
+		if (!apiKey || seen.has(apiKey)) continue;
+		seen.add(apiKey);
+		keys.push(apiKey);
+	}
+	return keys;
+}
+function collectProviderApiKeysForExecution(params) {
+	const { primaryApiKey, provider } = params;
+	return dedupeApiKeys([primaryApiKey?.trim() ?? "", ...collectProviderApiKeys(provider)]);
+}
+async function executeWithApiKeyRotation(params) {
+	const keys = dedupeApiKeys(params.apiKeys);
+	if (keys.length === 0) throw new Error(`No API keys configured for provider "${params.provider}".`);
+	let lastError;
+	for (let attempt = 0; attempt < keys.length; attempt += 1) {
+		const apiKey = keys[attempt];
+		try {
+			return await params.execute(apiKey);
+		} catch (error) {
+			lastError = error;
+			const message = formatErrorMessage(error);
+			if (!(params.shouldRetry ? params.shouldRetry({
+				apiKey,
+				error,
+				attempt,
+				message
+			}) : isApiKeyRateLimitError(message)) || attempt + 1 >= keys.length) break;
+			params.onRetry?.({
+				apiKey,
+				error,
+				attempt,
+				message
+			});
+		}
+	}
+	if (lastError === void 0) throw new Error(`Failed to run API request for ${params.provider}.`);
+	throw lastError;
+}
+
+//#endregion
+export { executeWithApiKeyRotation as n, parseGeminiAuth as r, collectProviderApiKeysForExecution as t };

package/dist/plugin-sdk/audio-preflight-DGEUDxxR.js

@@ -0,0 +1,69 @@
+import "./run-with-concurrency-Bt_ks0Qa.js";
+import "./accounts-DP1-L-QS.js";
+import "./paths-MKyEVmEb.js";
+import "./github-copilot-token-D5fdS6xD.js";
+import "./config-BkEnz2Po.js";
+import { L as logVerbose, z as shouldLogVerbose } from "./logger-CZY9KIoY.js";
+import "./thinking-Bo2eosVa.js";
+import "./image-ops-BSiMpAw4.js";
+import "./pi-embedded-helpers-1R1gu7eX.js";
+import "./plugins-DeBZB9l_.js";
+import "./accounts-CJWOBzwB.js";
+import "./accounts-DZhWlEg3.js";
+import "./paths-vTM3Lh3X.js";
+import "./redact-DjVX-1N3.js";
+import "./errors-DaiAM-yU.js";
+import "./path-alias-guards-DBjLbIX_.js";
+import "./fs-safe-B8y811FR.js";
+import "./ssrf-cFtplYtS.js";
+import "./fetch-guard-DETCcJzQ.js";
+import "./local-roots-BUP4YBmR.js";
+import "./tool-images-Gk_-0y2N.js";
+import { f as isAudioAttachment, i as normalizeMediaAttachments, o as resolveMediaAttachmentLocalRoots, t as runAudioTranscription } from "./audio-transcription-runner-DkoPNPYt.js";
+import "./skills-CBkHBYPq.js";
+import "./chrome-BXoCyCkY.js";
+import "./store-5nyxY3WU.js";
+import "./image-DjTEkYZE.js";
+import "./api-key-rotation-BRE4X2tf.js";
+import "./proxy-fetch-ChxOhWF4.js";
+
+//#region src/media-understanding/audio-preflight.ts
+/**
+* Transcribes the first audio attachment BEFORE mention checking.
+* This allows voice notes to be processed in group chats with requireMention: true.
+* Returns the transcript or undefined if transcription fails or no audio is found.
+*/
+async function transcribeFirstAudio(params) {
+	const { ctx, cfg } = params;
+	const audioConfig = cfg.tools?.media?.audio;
+	if (!audioConfig || audioConfig.enabled === false) return;
+	const attachments = normalizeMediaAttachments(ctx);
+	if (!attachments || attachments.length === 0) return;
+	const firstAudio = attachments.find((att) => att && isAudioAttachment(att) && !att.alreadyTranscribed);
+	if (!firstAudio) return;
+	if (shouldLogVerbose()) logVerbose(`audio-preflight: transcribing attachment ${firstAudio.index} for mention check`);
+	try {
+		const { transcript } = await runAudioTranscription({
+			ctx,
+			cfg,
+			attachments,
+			agentDir: params.agentDir,
+			providers: params.providers,
+			activeModel: params.activeModel,
+			localPathRoots: resolveMediaAttachmentLocalRoots({
+				cfg,
+				ctx
+			})
+		});
+		if (!transcript) return;
+		firstAudio.alreadyTranscribed = true;
+		if (shouldLogVerbose()) logVerbose(`audio-preflight: transcribed ${transcript.length} chars from attachment ${firstAudio.index}`);
+		return transcript;
+	} catch (err) {
+		if (shouldLogVerbose()) logVerbose(`audio-preflight: transcription failed: ${String(err)}`);
+		return;
+	}
+}
+
+//#endregion
+export { transcribeFirstAudio };