opendevbrowser 0.0.28 → 0.0.30

package/dist/chunk-WHQZBUNY.js

@@ -0,0 +1,982 @@
+import {
+  isProviderReasonCode
+} from "./chunk-FUSXMW3G.js";
+
+// src/core/logging.ts
+import { randomUUID } from "crypto";
+var SECRET_KEY_PATTERN = /(token|secret|password|authorization|cookie|api[-_]?key|session)/i;
+var SECRET_VALUE_PATTERN = /(bearer\s+[a-z0-9._-]+|sk_[a-z0-9_-]+|pk_[a-z0-9_-]+|eyJ[a-z0-9_-]+\.[a-z0-9_-]+\.[a-z0-9_-]+)/gi;
+function redactString(value) {
+  return value.replace(SECRET_VALUE_PATTERN, "[REDACTED]");
+}
+function redactSensitive(value, seen = /* @__PURE__ */ new WeakSet()) {
+  if (typeof value === "string") {
+    return redactString(value);
+  }
+  if (typeof value !== "object" || value === null) {
+    return value;
+  }
+  if (seen.has(value)) {
+    return "[Circular]";
+  }
+  seen.add(value);
+  if (Array.isArray(value)) {
+    return value.map((item) => redactSensitive(item, seen));
+  }
+  const output = {};
+  for (const [key, entry] of Object.entries(value)) {
+    if (SECRET_KEY_PATTERN.test(key)) {
+      output[key] = "[REDACTED]";
+      continue;
+    }
+    output[key] = redactSensitive(entry, seen);
+  }
+  return output;
+}
+function createRequestId() {
+  return randomUUID();
+}
+var defaultSink = (entry) => {
+  const payload = JSON.stringify(entry);
+  if (entry.level === "error") {
+    console.error(payload);
+    return;
+  }
+  if (entry.level === "warn") {
+    console.warn(payload);
+    return;
+  }
+  console.log(payload);
+};
+var stderrSink = (entry) => {
+  process.stderr.write(`${JSON.stringify(entry)}
+`);
+};
+var configuredDefaultSink = defaultSink;
+function setDefaultLogSink(sink) {
+  configuredDefaultSink = sink ?? defaultSink;
+}
+function createLogger(moduleName, sink) {
+  const emit = (level, event, fields = {}) => {
+    const entry = {
+      ts: (/* @__PURE__ */ new Date()).toISOString(),
+      level,
+      module: moduleName,
+      event,
+      requestId: fields.requestId ?? createRequestId(),
+      ...fields.sessionId ? { sessionId: fields.sessionId } : {},
+      ...fields.traceId ? { traceId: fields.traceId } : {},
+      ...typeof fields.data === "undefined" ? {} : { data: redactSensitive(fields.data) }
+    };
+    (sink ?? configuredDefaultSink)(entry);
+    return entry;
+  };
+  return {
+    debug: (event, fields) => emit("debug", event, fields),
+    info: (event, fields) => emit("info", event, fields),
+    warn: (event, fields) => emit("warn", event, fields),
+    error: (event, fields) => emit("error", event, fields),
+    audit: (event, fields) => emit("audit", event, fields)
+  };
+}
+
+// src/providers/safety/prompt-guard.ts
+var MAX_EXCERPT_LENGTH = 120;
+var RULES = [
+  {
+    id: "reveal_system_prompt",
+    regex: /\b(reveal|show|print|dump|expose|leak)\b[^.!?\n]{0,80}\b(system prompt|hidden prompt|internal prompt)\b/gi,
+    severity: "high",
+    action: "quarantine"
+  },
+  {
+    id: "tool_abuse_directive",
+    regex: /\buse (?:the )?tool(?:ing)?\b[^.!?\n]{0,120}\b(delete|remove|drop|wipe|exfiltrat|override|bypass)\w*/gi,
+    severity: "high",
+    action: "quarantine"
+  },
+  {
+    id: "ignore_previous_instructions",
+    regex: /\bignore (?:all )?previous instructions?\b/gi,
+    severity: "medium",
+    action: "strip"
+  },
+  {
+    id: "reveal_hidden_data",
+    regex: /\breveal (?:hidden|secret|confidential) (?:data|information)\b/gi,
+    severity: "high",
+    action: "quarantine"
+  }
+];
+var sanitizeExcerpt = (value) => {
+  const compact = value.replace(/\s+/g, " ").trim();
+  if (compact.length <= MAX_EXCERPT_LENGTH) return compact;
+  return `${compact.slice(0, MAX_EXCERPT_LENGTH - 3)}...`;
+};
+var isJsonObject = (value) => {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+};
+var withSecurityAttributes = (record, enabled, guardEntries, quarantinedSegments) => {
+  const existingSecurity = isJsonObject(record.attributes.security) ? record.attributes.security : {};
+  return {
+    ...record.attributes,
+    security: {
+      ...existingSecurity,
+      untrustedContent: true,
+      dataOnlyContext: true,
+      promptGuardEnabled: enabled,
+      guardEntries,
+      quarantinedSegments
+    }
+  };
+};
+function sanitizePromptGuardText(text, enabled) {
+  if (!enabled || !text) {
+    return {
+      text,
+      diagnostics: { entries: 0, quarantinedSegments: 0 },
+      entries: []
+    };
+  }
+  let output = text;
+  const entries = [];
+  for (const rule of RULES) {
+    rule.regex.lastIndex = 0;
+    output = output.replace(rule.regex, (match) => {
+      entries.push({
+        pattern: rule.id,
+        action: rule.action,
+        severity: rule.severity,
+        excerpt: sanitizeExcerpt(match)
+      });
+      return rule.action === "quarantine" ? "[QUARANTINED]" : " ";
+    });
+  }
+  const normalized = output.replace(/\s{2,}/g, " ").trim();
+  const quarantinedSegments = entries.reduce((count, entry) => {
+    return entry.action === "quarantine" ? count + 1 : count;
+  }, 0);
+  return {
+    text: normalized,
+    diagnostics: {
+      entries: entries.length,
+      quarantinedSegments
+    },
+    entries
+  };
+}
+function applyPromptGuard(records, enabled) {
+  const auditEntries = [];
+  let totalQuarantinedSegments = 0;
+  const guardedRecords = records.map((record) => {
+    if (!enabled) {
+      return {
+        ...record,
+        attributes: withSecurityAttributes(record, false, 0, 0)
+      };
+    }
+    let title = record.title;
+    let content = record.content;
+    let recordEntries = 0;
+    let recordQuarantinedSegments = 0;
+    if (typeof record.title === "string") {
+      const sanitizedTitle = sanitizePromptGuardText(record.title, true);
+      title = sanitizedTitle.text;
+      recordEntries += sanitizedTitle.diagnostics.entries;
+      recordQuarantinedSegments += sanitizedTitle.diagnostics.quarantinedSegments;
+      for (const entry of sanitizedTitle.entries) {
+        auditEntries.push({
+          ...entry,
+          recordId: record.id,
+          field: "title"
+        });
+      }
+    }
+    if (typeof record.content === "string") {
+      const sanitizedContent = sanitizePromptGuardText(record.content, true);
+      content = sanitizedContent.text;
+      recordEntries += sanitizedContent.diagnostics.entries;
+      recordQuarantinedSegments += sanitizedContent.diagnostics.quarantinedSegments;
+      for (const entry of sanitizedContent.entries) {
+        auditEntries.push({
+          ...entry,
+          recordId: record.id,
+          field: "content"
+        });
+      }
+    }
+    totalQuarantinedSegments += recordQuarantinedSegments;
+    return {
+      ...record,
+      ...typeof title === "string" ? { title } : {},
+      ...typeof content === "string" ? { content } : {},
+      attributes: withSecurityAttributes(record, true, recordEntries, recordQuarantinedSegments)
+    };
+  });
+  return {
+    records: guardedRecords,
+    audit: {
+      enabled,
+      quarantinedSegments: enabled ? totalQuarantinedSegments : 0,
+      entries: enabled ? auditEntries : []
+    }
+  };
+}
+
+// src/providers/blocker.ts
+var AUTH_URL_PATTERNS = [
+  { id: "redirect_login_flow", regex: /\/i\/flow\/login/i, confidence: 0.97 },
+  { id: "auth_login_path", regex: /\/(login|signin|sign-in|auth)(?:[./?]|$)/i, confidence: 0.9 }
+];
+var AUTH_TITLE_PATTERNS = [
+  { id: "title_login", regex: /\b(log ?in|sign ?in|login|signin)\b/i, confidence: 0.92 },
+  { id: "title_auth_required", regex: /authentication required/i, confidence: 0.9 }
+];
+var CHALLENGE_PATTERNS = [
+  { id: "challenge_keyword", regex: /\b(?:captcha|interstitial|cf_chl|recaptcha|hcaptcha|security challenge|browser challenge|bot check|bot detection)\b/i, confidence: 0.88 },
+  { id: "complete_challenge_prompt", regex: /\b(?:complete|solve|pass) (?:the )?(?:security )?challenge\b/i, confidence: 0.9 },
+  { id: "prove_humanity", regex: /prove your humanity/i, confidence: 0.96 },
+  { id: "verify_humanity", regex: /verify (?:you(?:'|’)re|you are) human/i, confidence: 0.96 },
+  { id: "robot_or_human", regex: /robot or human/i, confidence: 0.98 },
+  { id: "confirm_human", regex: /confirm that you(?:'|’)re human/i, confidence: 0.96 },
+  { id: "confirm_not_bot", regex: /sign in to confirm (?:you(?:'|’)re|you are) not a bot/i, confidence: 0.96 },
+  { id: "click_and_hold", regex: /\b(?:click|press|tap|activate)\s+(?:and\s+)?hold\b/i, confidence: 0.95 },
+  { id: "press_and_hold", regex: /activate and hold the button/i, confidence: 0.95 },
+  { id: "drag_slider", regex: /\b(?:drag|slide|move)(?:\s+the)?\s+(?:slider|puzzle(?:\s+piece)?|piece|button)\b/i, confidence: 0.95 },
+  { id: "pardon_interruption", regex: /pardon our interruption/i, confidence: 0.97 },
+  { id: "checking_browser_gate", regex: /checking your browser before you access/i, confidence: 0.97 }
+];
+var RECAPTCHA_HOST_PATTERNS = [/recaptcha/i, /hcaptcha/i, /challenges\.cloudflare\.com/i];
+var STATIC_BLOCK_HOST_PATTERNS = [/redditstatic\.com$/i, /abs\.twimg\.com$/i, /twimg\.com$/i];
+var ENV_LIMITED_PATTERNS = [
+  /extension not connected/i,
+  /connect the extension/i,
+  /manual interaction/i,
+  /timed out/i,
+  /not available in this environment/i
+];
+var RESTRICTED_TARGET_PATTERNS = [/^chrome:\/\//i, /^chrome-extension:\/\//i, /^about:blank$/i, /^devtools:\/\//i];
+var DEFAULT_BLOCKER_ARTIFACT_CAPS = {
+  maxNetworkEvents: 20,
+  maxConsoleEvents: 20,
+  maxExceptionEvents: 10,
+  maxHosts: 10,
+  maxTextLength: 512
+};
+var toLower = (value) => value.trim().toLowerCase();
+var clampNumber = (value, min, max) => {
+  if (!Number.isFinite(value)) return min;
+  if (value < min) return min;
+  if (value > max) return max;
+  return value;
+};
+var clampBlockerConfidence = (value) => {
+  return clampNumber(value, 0, 1);
+};
+var clampThreshold = (value) => {
+  if (typeof value !== "number") return 0.7;
+  return clampNumber(value, 0, 1);
+};
+var clampText = (value, maxLength) => {
+  if (typeof value !== "string") return void 0;
+  if (maxLength <= 0) return "";
+  return value.length <= maxLength ? value : `${value.slice(0, Math.max(0, maxLength - 3))}...`;
+};
+var boundedUniqueList = (values, maxLength) => {
+  if (!values || values.length === 0 || maxLength <= 0) return [];
+  const seen = /* @__PURE__ */ new Set();
+  const list = [];
+  for (const value of values) {
+    if (typeof value !== "string") continue;
+    const normalized = value.trim();
+    if (!normalized) continue;
+    const key = normalized.toLowerCase();
+    if (seen.has(key)) continue;
+    seen.add(key);
+    list.push(normalized);
+    if (list.length >= maxLength) break;
+  }
+  return list;
+};
+var extractHost = (value) => {
+  if (!value) return null;
+  try {
+    return toLower(new URL(value).hostname);
+  } catch {
+    return null;
+  }
+};
+var scorePatternMatches = (text, patterns) => {
+  const matched = [];
+  let confidence = 0;
+  for (const pattern of patterns) {
+    if (!pattern.regex.test(text)) continue;
+    matched.push(pattern.id);
+    confidence = Math.max(confidence, pattern.confidence);
+  }
+  return { matched, confidence };
+};
+var hasAnyPattern = (value, patterns) => {
+  return patterns.some((pattern) => pattern.test(value));
+};
+var isLoopbackHost = (value) => {
+  const normalized = toLower(value).replace(/^\[|\]$/g, "");
+  if (!normalized) return false;
+  if (normalized === "localhost" || normalized === "::1") return true;
+  if (normalized === "127.0.0.1" || normalized.startsWith("127.")) return true;
+  return /^::ffff:127\.\d+\.\d+\.\d+$/.test(normalized);
+};
+var buildHints = (type) => {
+  switch (type) {
+    case "auth_required":
+      return [
+        { id: "manual_login", reason: "Authentication flow requires interactive login.", priority: 1 },
+        { id: "switch_managed_headed", reason: "Headed mode can complete login and persist session state.", priority: 2 },
+        { id: "switch_extension_mode", reason: "Extension mode can reuse an already logged-in browser profile.", priority: 3 }
+      ];
+    case "anti_bot_challenge":
+      return [
+        { id: "manual_challenge", reason: "Challenge page requires manual completion.", priority: 1 },
+        { id: "switch_managed_headed", reason: "Headed mode improves challenge completion reliability.", priority: 2 },
+        { id: "collect_debug_trace", reason: "Collect trace artifacts to compare challenge indicators before and after manual action.", priority: 3 }
+      ];
+    case "rate_limited":
+      return [
+        { id: "retry_after_backoff", reason: "Rate-limited responses should be retried after a bounded delay.", priority: 1 },
+        { id: "collect_debug_trace", reason: "Trace data can confirm cooldown and request pacing behavior.", priority: 2 }
+      ];
+    case "upstream_block":
+      return [
+        { id: "retry_after_backoff", reason: "Upstream blocks may clear after network or host recovery.", priority: 1 },
+        { id: "switch_managed_headed", reason: "Browser-assisted retrieval may bypass runtime fetch limitations.", priority: 2 },
+        { id: "collect_debug_trace", reason: "Trace host evidence helps confirm blocked upstream dependencies.", priority: 3 }
+      ];
+    case "restricted_target":
+      return [
+        { id: "switch_managed_headed", reason: "Restricted internal targets require navigation to a normal http(s) tab.", priority: 1 },
+        { id: "collect_debug_trace", reason: "Trace confirms blocked scheme or tab restriction source.", priority: 2 }
+      ];
+    case "env_limited":
+      return [
+        { id: "switch_extension_mode", reason: "Extension relay availability is required for this operation.", priority: 1 },
+        { id: "switch_managed_headed", reason: "Managed headed mode is a deterministic fallback when extension is unavailable.", priority: 2 },
+        { id: "collect_debug_trace", reason: "Diagnostics can confirm environment capability gaps.", priority: 3 }
+      ];
+    case "unknown":
+      return [{ id: "collect_debug_trace", reason: "Additional trace evidence is required for reliable classification.", priority: 1 }];
+  }
+};
+var classifyFromInputs = (input, normalizedHosts, matchedPatterns) => {
+  const status = input.status;
+  const code = toLower(input.providerErrorCode ?? "");
+  const url = input.url ?? "";
+  const finalUrl = input.finalUrl ?? "";
+  const title = input.title ?? "";
+  const message = input.message ?? "";
+  const challengeText = `${title} ${message}`;
+  const urlSignals = `${url} ${finalUrl}`;
+  const isUpstreamCode = code === "upstream" || code === "network" || code === "unavailable";
+  const hasStaticBlockHost = normalizedHosts.some((host) => hasAnyPattern(host, STATIC_BLOCK_HOST_PATTERNS));
+  const isLoopbackContext = [
+    extractHost(url),
+    extractHost(finalUrl),
+    ...normalizedHosts
+  ].some((host) => typeof host === "string" && isLoopbackHost(host));
+  const authMatches = [];
+  let authConfidence = 0;
+  if (status === 401 || status === 403) {
+    authMatches.push(`status:${status}`);
+    authConfidence = Math.max(authConfidence, status === 401 ? 0.94 : 0.9);
+  }
+  if (code === "auth") {
+    authMatches.push("provider_code:auth");
+    authConfidence = Math.max(authConfidence, 0.9);
+  }
+  const authPathMatches = scorePatternMatches(`${url} ${finalUrl}`, AUTH_URL_PATTERNS);
+  authMatches.push(...authPathMatches.matched);
+  authConfidence = Math.max(authConfidence, authPathMatches.confidence);
+  const authTitleMatches = scorePatternMatches(title, AUTH_TITLE_PATTERNS);
+  authMatches.push(...authTitleMatches.matched);
+  authConfidence = Math.max(authConfidence, authTitleMatches.confidence);
+  if (authConfidence > 0) {
+    return {
+      type: "auth_required",
+      reasonCode: "token_required",
+      confidence: authConfidence,
+      retryable: false,
+      matches: boundedUniqueList([...matchedPatterns, ...authMatches], 16)
+    };
+  }
+  if (!isLoopbackContext) {
+    const challengeMatches = [];
+    let challengeConfidence = 0;
+    const challengePatternMatches = scorePatternMatches(challengeText, CHALLENGE_PATTERNS);
+    challengeMatches.push(...challengePatternMatches.matched);
+    challengeConfidence = Math.max(challengeConfidence, challengePatternMatches.confidence);
+    if (/(captcha|cf_chl|hcaptcha|recaptcha|interstitial)/i.test(urlSignals)) {
+      challengeMatches.push("url:challenge_token");
+      challengeConfidence = Math.max(challengeConfidence, 0.9);
+    }
+    if (hasAnyPattern(title, CHALLENGE_PATTERNS.map((entry) => entry.regex)) && status === 200) {
+      challengeMatches.push("status:200_challenge_title");
+      challengeConfidence = Math.max(challengeConfidence, 0.92);
+    }
+    if (normalizedHosts.some((host) => hasAnyPattern(host, RECAPTCHA_HOST_PATTERNS))) {
+      challengeMatches.push("network:challenge_host");
+      challengeConfidence = Math.max(challengeConfidence, 0.96);
+    }
+    if (challengeConfidence > 0) {
+      return {
+        type: "anti_bot_challenge",
+        reasonCode: "challenge_detected",
+        confidence: challengeConfidence,
+        retryable: false,
+        matches: boundedUniqueList([...matchedPatterns, ...challengeMatches], 16)
+      };
+    }
+  }
+  if (status === 429 || code === "rate_limited") {
+    return {
+      type: "rate_limited",
+      reasonCode: "rate_limited",
+      confidence: 0.95,
+      retryable: true,
+      matches: boundedUniqueList([...matchedPatterns, status === 429 ? "status:429" : "provider_code:rate_limited"], 16)
+    };
+  }
+  if (isUpstreamCode && (hasStaticBlockHost || /retrieval failed/i.test(message) || typeof status === "number" && status >= 500)) {
+    return {
+      type: "upstream_block",
+      reasonCode: "ip_blocked",
+      confidence: hasStaticBlockHost ? 0.9 : 0.8,
+      retryable: input.retryable ?? true,
+      matches: boundedUniqueList(
+        [
+          ...matchedPatterns,
+          `provider_code:${code}`,
+          ...hasStaticBlockHost ? ["network:blocked_static_host"] : []
+        ],
+        16
+      )
+    };
+  }
+  if (input.restrictedTarget || RESTRICTED_TARGET_PATTERNS.some((pattern) => pattern.test(url)) || RESTRICTED_TARGET_PATTERNS.some((pattern) => pattern.test(finalUrl))) {
+    return {
+      type: "restricted_target",
+      confidence: 0.92,
+      retryable: false,
+      matches: boundedUniqueList([...matchedPatterns, "restricted_target"], 16)
+    };
+  }
+  if (input.envLimited || code === "unavailable" && ENV_LIMITED_PATTERNS.some((pattern) => pattern.test(message))) {
+    return {
+      type: "env_limited",
+      reasonCode: "env_limited",
+      confidence: input.envLimited ? 0.9 : 0.78,
+      retryable: true,
+      matches: boundedUniqueList([...matchedPatterns, "env_limited"], 16)
+    };
+  }
+  if (status || code || title || message || normalizedHosts.length > 0) {
+    return {
+      type: "unknown",
+      confidence: 0.5,
+      retryable: input.retryable ?? false,
+      matches: boundedUniqueList(matchedPatterns, 16)
+    };
+  }
+  return null;
+};
+var coerceJsonValue = (value, maxTextLength, promptGuardEnabled, diagnostics, seen) => {
+  if (value === null || typeof value === "number" || typeof value === "boolean") {
+    return value;
+  }
+  if (typeof value === "string") {
+    const sanitized = sanitizePromptGuardText(value, promptGuardEnabled);
+    diagnostics.entries += sanitized.diagnostics.entries;
+    diagnostics.quarantinedSegments += sanitized.diagnostics.quarantinedSegments;
+    const redacted = redactSensitive(sanitized.text);
+    const asString = typeof redacted === "string" ? redacted : String(redacted);
+    return clampText(asString, maxTextLength) ?? "";
+  }
+  if (Array.isArray(value)) {
+    return value.slice(0, 20).map((entry) => coerceJsonValue(entry, maxTextLength, promptGuardEnabled, diagnostics, seen));
+  }
+  if (typeof value !== "object") {
+    return String(value);
+  }
+  if (seen.has(value)) {
+    return "[Circular]";
+  }
+  seen.add(value);
+  const objectValue = value;
+  const entries = Object.entries(objectValue).slice(0, 30);
+  const output = {};
+  for (const [key, entryValue] of entries) {
+    output[key] = coerceJsonValue(entryValue, maxTextLength, promptGuardEnabled, diagnostics, seen);
+  }
+  return output;
+};
+var coerceEventList = (values, maxItems, maxTextLength, promptGuardEnabled, diagnostics) => {
+  if (!Array.isArray(values) || maxItems <= 0) return [];
+  return values.slice(-maxItems).map((entry) => {
+    const sanitized = coerceJsonValue(
+      redactSensitive(entry),
+      maxTextLength,
+      promptGuardEnabled,
+      diagnostics,
+      /* @__PURE__ */ new WeakSet()
+    );
+    if (!sanitized || typeof sanitized !== "object" || Array.isArray(sanitized)) {
+      return { value: sanitized };
+    }
+    return sanitized;
+  });
+};
+var resolveBlockerArtifactCaps = (partial) => {
+  return {
+    maxNetworkEvents: clampNumber(partial?.maxNetworkEvents ?? DEFAULT_BLOCKER_ARTIFACT_CAPS.maxNetworkEvents, 1, 500),
+    maxConsoleEvents: clampNumber(partial?.maxConsoleEvents ?? DEFAULT_BLOCKER_ARTIFACT_CAPS.maxConsoleEvents, 1, 500),
+    maxExceptionEvents: clampNumber(partial?.maxExceptionEvents ?? DEFAULT_BLOCKER_ARTIFACT_CAPS.maxExceptionEvents, 1, 200),
+    maxHosts: clampNumber(partial?.maxHosts ?? DEFAULT_BLOCKER_ARTIFACT_CAPS.maxHosts, 1, 200),
+    maxTextLength: clampNumber(partial?.maxTextLength ?? DEFAULT_BLOCKER_ARTIFACT_CAPS.maxTextLength, 32, 4096)
+  };
+};
+var classifyBlockerSignal = (input) => {
+  const promptGuardEnabled = input.promptGuardEnabled ?? true;
+  const titleSanitized = sanitizePromptGuardText(input.title ?? "", promptGuardEnabled);
+  const messageSanitized = sanitizePromptGuardText(input.message ?? "", promptGuardEnabled);
+  const matchedPatterns = boundedUniqueList(input.matchedPatterns, 16);
+  const normalizedHosts = boundedUniqueList(input.networkHosts?.map(toLower), 20);
+  const classification = classifyFromInputs({
+    ...input,
+    title: titleSanitized.text,
+    message: messageSanitized.text
+  }, normalizedHosts, matchedPatterns);
+  if (!classification) {
+    return null;
+  }
+  const threshold = clampThreshold(input.threshold);
+  const confidence = clampBlockerConfidence(classification.confidence);
+  if (confidence < threshold) {
+    return null;
+  }
+  const evidence = {
+    ...input.url ? { url: clampText(input.url, 512) } : {},
+    ...input.finalUrl ? { finalUrl: clampText(input.finalUrl, 512) } : {},
+    ...titleSanitized.text ? { title: clampText(titleSanitized.text, 512) } : {},
+    ...typeof input.status === "number" ? { status: input.status } : {},
+    ...input.providerErrorCode ? { providerErrorCode: input.providerErrorCode } : {},
+    matchedPatterns: boundedUniqueList(classification.matches, 16),
+    networkHosts: boundedUniqueList(normalizedHosts, 10),
+    ...input.traceRequestId ? { traceRequestId: input.traceRequestId } : {}
+  };
+  const sanitationEntries = titleSanitized.diagnostics.entries + messageSanitized.diagnostics.entries;
+  const sanitationQuarantined = titleSanitized.diagnostics.quarantinedSegments + messageSanitized.diagnostics.quarantinedSegments;
+  return {
+    schemaVersion: "1.0",
+    type: classification.type,
+    source: input.source,
+    ...classification.reasonCode ? { reasonCode: classification.reasonCode } : {},
+    confidence,
+    retryable: classification.retryable,
+    detectedAt: input.detectedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
+    evidence,
+    actionHints: buildHints(classification.type),
+    ...sanitationEntries > 0 || sanitationQuarantined > 0 ? {
+      sanitation: {
+        entries: sanitationEntries,
+        quarantinedSegments: sanitationQuarantined
+      }
+    } : {}
+  };
+};
+var buildBlockerArtifacts = (input) => {
+  const caps = resolveBlockerArtifactCaps(input.caps);
+  const promptGuardEnabled = input.promptGuardEnabled ?? true;
+  const diagnostics = {
+    entries: 0,
+    quarantinedSegments: 0
+  };
+  const network = coerceEventList(
+    input.networkEvents,
+    caps.maxNetworkEvents,
+    caps.maxTextLength,
+    promptGuardEnabled,
+    diagnostics
+  );
+  const console2 = coerceEventList(
+    input.consoleEvents,
+    caps.maxConsoleEvents,
+    caps.maxTextLength,
+    promptGuardEnabled,
+    diagnostics
+  );
+  const exception = coerceEventList(
+    input.exceptionEvents,
+    caps.maxExceptionEvents,
+    caps.maxTextLength,
+    promptGuardEnabled,
+    diagnostics
+  );
+  const hosts = boundedUniqueList(
+    network.map((event) => typeof event.url === "string" ? extractHost(event.url) : null).filter((host) => typeof host === "string"),
+    caps.maxHosts
+  );
+  return {
+    schemaVersion: "1.0",
+    network,
+    console: console2,
+    exception,
+    hosts,
+    sanitation: diagnostics
+  };
+};
+var __test__ = {
+  classifyFromInputs,
+  extractHost,
+  hasAnyPattern,
+  clampThreshold,
+  isLoopbackHost
+};
+
+// src/providers/constraint.ts
+var BLOCKER_TYPES = /* @__PURE__ */ new Set([
+  "auth_required",
+  "anti_bot_challenge",
+  "rate_limited",
+  "upstream_block",
+  "restricted_target",
+  "env_limited",
+  "unknown"
+]);
+var CONSTRAINT_KINDS = /* @__PURE__ */ new Set([
+  "session_required",
+  "render_required"
+]);
+var RENDER_REQUIRED_SHELLS = /* @__PURE__ */ new Set([
+  "bestbuy_international_gate",
+  "bestbuy_pdp_error_shell",
+  "duckduckgo_non_js_redirect",
+  "macys_access_denied_shell",
+  "social_first_party_help_shell",
+  "social_js_required_shell",
+  "social_render_shell",
+  "target_shell_page",
+  "temu_empty_shell"
+]);
+var CHALLENGE_SHELLS = /* @__PURE__ */ new Set(["social_verification_wall", "temu_challenge_shell"]);
+var toNonEmptyString = (value) => {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
+};
+var normalizeBlockerType = (value) => {
+  return typeof value === "string" && BLOCKER_TYPES.has(value) ? value : void 0;
+};
+var buildConstraint = (kind, evidenceCode, providerShell, message) => ({
+  kind,
+  evidenceCode,
+  ...providerShell ? { providerShell } : {},
+  ...message ? { message } : {}
+});
+var isProviderConstraint = (value) => {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    return false;
+  }
+  const candidate = value;
+  return CONSTRAINT_KINDS.has(candidate.kind) && typeof candidate.evidenceCode === "string" && candidate.evidenceCode.trim().length > 0 && (candidate.providerShell === void 0 || typeof candidate.providerShell === "string") && (candidate.message === void 0 || typeof candidate.message === "string");
+};
+var classifyProviderIssue = (input) => {
+  const providerShell = toNonEmptyString(input.providerShell);
+  const message = toNonEmptyString(input.message);
+  if (providerShell && CHALLENGE_SHELLS.has(providerShell)) {
+    return {
+      reasonCode: "challenge_detected",
+      blockerType: "anti_bot_challenge"
+    };
+  }
+  if (providerShell && RENDER_REQUIRED_SHELLS.has(providerShell)) {
+    return {
+      reasonCode: "env_limited",
+      blockerType: "env_limited",
+      constraint: buildConstraint("render_required", providerShell, providerShell, message)
+    };
+  }
+  const blocker = classifyBlockerSignal({
+    source: input.source ?? "runtime_fetch",
+    ...input.url ? { url: input.url, finalUrl: input.url } : {},
+    ...input.title ? { title: input.title } : {},
+    ...message ? { message } : {},
+    ...typeof input.status === "number" ? { status: input.status } : {},
+    ...input.providerErrorCode ? { providerErrorCode: input.providerErrorCode } : {},
+    ...typeof input.retryable === "boolean" ? { retryable: input.retryable } : {},
+    envLimited: input.browserRequired === true
+  });
+  if (blocker?.type === "auth_required") {
+    return {
+      /* c8 ignore next -- classifyBlockerSignal always supplies token_required for auth_required blockers */
+      reasonCode: blocker.reasonCode ?? "token_required",
+      blockerType: blocker.type,
+      constraint: buildConstraint("session_required", providerShell ?? "auth_required", providerShell, message)
+    };
+  }
+  if (blocker?.type === "anti_bot_challenge") {
+    return {
+      /* c8 ignore next -- classifyBlockerSignal always supplies challenge_detected for anti-bot blockers */
+      reasonCode: blocker.reasonCode ?? "challenge_detected",
+      blockerType: blocker.type
+    };
+  }
+  if (input.browserRequired === true) {
+    return {
+      /* c8 ignore next -- browserRequired inputs always classify to a blocker payload in the shared classifier */
+      reasonCode: blocker?.reasonCode ?? "env_limited",
+      /* c8 ignore next -- browserRequired fallbacks only normalize unknown blocker types */
+      blockerType: blocker?.type === "unknown" ? "env_limited" : blocker?.type,
+      /* c8 ignore next -- providerShell or blocker type always survives before the defensive browser_required fallback */
+      constraint: buildConstraint("render_required", providerShell ?? blocker?.type ?? "browser_required", providerShell, message)
+    };
+  }
+  if (blocker?.type === "env_limited") {
+    return {
+      /* c8 ignore next -- classifyBlockerSignal always supplies env_limited for env_limited blockers */
+      reasonCode: blocker.reasonCode ?? "env_limited",
+      blockerType: blocker.type
+    };
+  }
+  return null;
+};
+var readProviderIssueHint = (args) => {
+  const details = args.details;
+  const reasonCode = isProviderReasonCode(args.reasonCode) ? args.reasonCode : isProviderReasonCode(details?.reasonCode) ? details.reasonCode : void 0;
+  const blockerType = normalizeBlockerType(args.blockerType ?? details?.blockerType);
+  const constraint = isProviderConstraint(details?.constraint) ? details.constraint : void 0;
+  if (reasonCode || blockerType || constraint) {
+    return {
+      reasonCode: reasonCode ?? (constraint?.kind === "session_required" ? "token_required" : "env_limited"),
+      ...blockerType ? { blockerType } : {},
+      ...constraint ? { constraint } : {}
+    };
+  }
+  return classifyProviderIssue({
+    url: toNonEmptyString(details?.url),
+    title: toNonEmptyString(details?.title),
+    message: toNonEmptyString(details?.message ?? args.message),
+    providerShell: toNonEmptyString(details?.providerShell),
+    browserRequired: details?.browserRequired === true,
+    providerErrorCode: toNonEmptyString(args.code),
+    source: "runtime_fetch"
+  });
+};
+var readProviderIssueHintFromRecord = (record) => {
+  const details = record.attributes;
+  return readProviderIssueHint({
+    reasonCode: details.reasonCode,
+    blockerType: details.blockerType,
+    message: record.content,
+    details: {
+      url: record.url,
+      title: record.title,
+      message: record.content,
+      providerShell: details.providerShell,
+      browserRequired: details.browserRequired,
+      constraint: details.constraint
+    }
+  });
+};
+var applyProviderIssueHint = (details, hint) => {
+  if (!hint) return details;
+  const next = {
+    ...details ?? {},
+    reasonCode: hint.reasonCode
+  };
+  if (hint.blockerType && typeof next.blockerType !== "string") {
+    next.blockerType = hint.blockerType;
+  }
+  if (hint.constraint && !isProviderConstraint(next.constraint)) {
+    next.constraint = hint.constraint;
+  }
+  if (typeof next.guidance === "undefined") {
+    const guidance = buildProviderIssueGuidance({ hint, details: next });
+    if (guidance) {
+      next.guidance = guidance;
+    }
+  }
+  return next;
+};
+var providerLabel = (provider) => {
+  const normalized = toNonEmptyString(provider);
+  if (!normalized) return "Provider";
+  const separator = normalized.lastIndexOf("/");
+  const tail = separator >= 0 ? normalized.slice(separator + 1) : normalized;
+  return tail.charAt(0).toUpperCase() + tail.slice(1);
+};
+var hasPreservedBrowserState = (details) => {
+  return typeof details?.preservedSessionId === "string" || typeof details?.preservedTargetId === "string";
+};
+var buildGuidance = (reason, recommendedNextCommands) => ({
+  reason,
+  recommendedNextCommands
+});
+var buildAuthGuidance = (subject, preservedBrowserState) => {
+  return preservedBrowserState ? buildGuidance(
+    `${subject} preserved browser state that can finish authentication.`,
+    [
+      "Complete the login or account checkpoint in the preserved browser session.",
+      "Rerun the same provider or workflow after the session is fully authenticated."
+    ]
+  ) : buildGuidance(
+    `${subject} needs an authenticated session before retrying.`,
+    [
+      "Reuse an authenticated browser session, import logged-in cookies, or use the provider sign-in flow.",
+      "Rerun the same provider or workflow once the session is active."
+    ]
+  );
+};
+var buildChallengeGuidance = (subject, preservedBrowserState) => {
+  return preservedBrowserState ? buildGuidance(
+    `${subject} preserved browser state that can complete the current challenge.`,
+    [
+      "Finish the login or anti-bot challenge in the preserved browser session.",
+      "Rerun the same provider or workflow after the page unlocks."
+    ]
+  ) : buildGuidance(
+    `${subject} hit a challenge that still needs browser-assisted follow-up.`,
+    [
+      "Retry with browser assistance so the challenge can be completed interactively.",
+      "Only ask for manual credentials if browser-assisted recovery still cannot unlock the page."
+    ]
+  );
+};
+var buildRenderGuidance = (subject, preservedBrowserState, constraint) => {
+  if (constraint?.providerShell === "bestbuy_international_gate") {
+    return buildGuidance(
+      `${subject} needs the Best Buy country-selection interstitial cleared before retrying.`,
+      [
+        "Choose the shopping country or region in the preserved browser session.",
+        "Rerun the same provider or workflow after the Best Buy PDP or search results are visible."
+      ]
+    );
+  }
+  if (constraint?.providerShell === "bestbuy_pdp_error_shell") {
+    return buildGuidance(
+      `${subject} needs a valid Best Buy product detail page before retrying.`,
+      [
+        "Open the Best Buy product URL in the preserved browser session and confirm the PDP is visible.",
+        "Rerun the workflow after the product title, price, and media are visible instead of the generic error page."
+      ]
+    );
+  }
+  return preservedBrowserState ? buildGuidance(
+    `${subject} still needs a live browser-rendered page, but browser state is already preserved.`,
+    [
+      "Inspect the preserved browser session until usable content is visible.",
+      "Rerun the same provider or workflow after the rendered page is ready."
+    ]
+  ) : buildGuidance(
+    `${subject} needs a live browser-rendered page before retrying.`,
+    [
+      "Retry with browser assistance or a headed browser session.",
+      "Rerun the same provider or workflow after the rendered page is ready."
+    ]
+  );
+};
+var buildProviderIssueGuidance = (args) => {
+  const subject = providerLabel(args.provider);
+  const preservedBrowserState = hasPreservedBrowserState(args.details);
+  const disposition = toNonEmptyString(args.details?.disposition);
+  if (disposition === "completed") return void 0;
+  if (disposition === "challenge_preserved") {
+    return buildChallengeGuidance(subject, true);
+  }
+  if (args.hint.reasonCode === "token_required" || args.hint.reasonCode === "auth_required") {
+    return buildAuthGuidance(subject, preservedBrowserState);
+  }
+  if (args.hint.reasonCode === "challenge_detected") {
+    return buildChallengeGuidance(subject, preservedBrowserState);
+  }
+  if (args.hint.constraint?.kind === "render_required" || args.hint.reasonCode === "env_limited") {
+    return buildRenderGuidance(subject, preservedBrowserState, args.hint.constraint);
+  }
+  return void 0;
+};
+var summaryPriority = (hint) => {
+  if (hint.reasonCode === "token_required" || hint.reasonCode === "auth_required") return 3;
+  if (hint.reasonCode === "challenge_detected") return 2;
+  if (hint.constraint?.kind === "render_required") return 1;
+  return 0;
+};
+var summarizeRenderConstraint = (subject, constraint) => {
+  if (constraint?.providerShell === "bestbuy_international_gate") {
+    return `${subject} is blocked by the Best Buy country-selection interstitial.`;
+  }
+  if (constraint?.providerShell === "bestbuy_pdp_error_shell") {
+    return `${subject} is blocked by a Best Buy product-detail error shell.`;
+  }
+  return `${subject} requires a live browser-rendered page.`;
+};
+var summarizeProviderIssue = (args) => {
+  const subject = providerLabel(args.provider);
+  if (args.hint.reasonCode === "token_required" || args.hint.reasonCode === "auth_required") {
+    return `${subject} requires login or an existing session.`;
+  }
+  if (args.hint.reasonCode === "challenge_detected") {
+    return `${subject} hit an anti-bot challenge that requires manual completion.`;
+  }
+  if (args.hint.constraint?.kind === "render_required") {
+    return summarizeRenderConstraint(subject, args.hint.constraint);
+  }
+  return `${subject} requires manual browser follow-up; this run did not determine whether login or page rendering is required.`;
+};
+var summarizePrimaryProviderIssue = (failures) => {
+  if (!Array.isArray(failures) || failures.length === 0) return null;
+  let best = null;
+  for (const failure of failures) {
+    const hint = readProviderIssueHint({
+      reasonCode: failure.error?.reasonCode,
+      code: failure.error?.code,
+      message: failure.error?.message,
+      details: failure.error?.details
+    });
+    if (!hint) continue;
+    const summary = summarizeProviderIssue({ provider: failure.provider, hint });
+    const guidance = buildProviderIssueGuidance({
+      provider: failure.provider,
+      hint,
+      details: failure.error?.details
+    });
+    const candidate = {
+      provider: failure.provider,
+      summary,
+      ...hint,
+      ...guidance ? { guidance } : {}
+    };
+    if (!best || summaryPriority(candidate) > summaryPriority(best)) {
+      best = candidate;
+    }
+  }
+  return best;
+};
+
+export {
+  redactSensitive,
+  createRequestId,
+  stderrSink,
+  setDefaultLogSink,
+  createLogger,
+  applyPromptGuard,
+  DEFAULT_BLOCKER_ARTIFACT_CAPS,
+  clampBlockerConfidence,
+  clampText,
+  boundedUniqueList,
+  resolveBlockerArtifactCaps,
+  classifyBlockerSignal,
+  buildBlockerArtifacts,
+  __test__,
+  classifyProviderIssue,
+  readProviderIssueHint,
+  readProviderIssueHintFromRecord,
+  applyProviderIssueHint,
+  buildProviderIssueGuidance,
+  summarizePrimaryProviderIssue
+};
+//# sourceMappingURL=chunk-WHQZBUNY.js.map