npm - openmates - Versions diffs - 0.12.0-alpha.27 → 0.12.0-alpha.29 - Mend

openmates 0.12.0-alpha.27 → 0.12.0-alpha.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/{chunk-4S3EN6KA.js → chunk-FCSXUBOU.js} +656 -41
package/dist/cli.js +1 -1
package/dist/index.d.ts +31 -0
package/dist/index.js +1 -1
package/package.json +3 -2

package/dist/{chunk-4S3EN6KA.js → chunk-FCSXUBOU.js} RENAMED Viewed

@@ -4,7 +4,7 @@ import {
 } from "./chunk-AXNRPVLE.js";
 // src/client.ts
-import { randomUUID as randomUUID2 } from "crypto";
+import { randomUUID as randomUUID3 } from "crypto";
 import { platform as platform2, release } from "os";
 import { createInterface } from "readline/promises";
 import { stdin, stdout } from "process";
@@ -2048,6 +2048,163 @@ function buildEmbedShareUrl(origin, embedId, blob) {
   return `${origin}/share/embed/${embedId}#key=${blob}`;
 }
+// src/connectedAccountImport.ts
+import { createHash as createHash4, randomUUID as randomUUID2, webcrypto as webcrypto5 } from "crypto";
+var TRANSFER_PREFIX = "OMCA1.";
+var SUPPORTED_KDF_ITERATIONS = 1e5;
+async function decryptConnectedAccountCliTransferPayload(encryptedPayload, passcode) {
+  if (!encryptedPayload.startsWith(TRANSFER_PREFIX)) {
+    throw new Error("Connected account import payload must start with OMCA1.");
+  }
+  if (!passcode.trim()) {
+    throw new Error("A passcode is required to import a connected account.");
+  }
+  const envelope = parseEnvelope(encryptedPayload.slice(TRANSFER_PREFIX.length));
+  if (envelope.version !== 1 || envelope.kdf.name !== "PBKDF2-SHA256" || envelope.kdf.iterations !== SUPPORTED_KDF_ITERATIONS || envelope.cipher.name !== "AES-256-GCM") {
+    throw new Error("Unsupported connected account import payload format.");
+  }
+  try {
+    const key = await deriveTransferKey(passcode, base64UrlToBytes(envelope.kdf.salt), envelope.kdf.iterations);
+    const plaintext = await webcrypto5.subtle.decrypt(
+      { name: "AES-GCM", iv: toArrayBuffer3(base64UrlToBytes(envelope.cipher.iv)) },
+      key,
+      toArrayBuffer3(base64UrlToBytes(envelope.cipher.text))
+    );
+    return validateTransferPayload(JSON.parse(new TextDecoder().decode(plaintext)));
+  } catch (error) {
+    if (error instanceof Error && error.message.startsWith("Unsupported")) {
+      throw error;
+    }
+    throw new Error("Could not decrypt connected account import payload. Check the passcode and payload.");
+  }
+}
+async function buildEncryptedConnectedAccountImportRow(params) {
+  const accountId = randomUUID2();
+  const providerId = params.payload.provider_id;
+  const appId = normalizeAppId(params.payload.app_id || appIdForProvider(providerId));
+  const capabilities = normalizeCapabilities(params.payload.capabilities);
+  const allowedActions = actionsForCapabilities(capabilities);
+  const scopes = Array.isArray(params.payload.refresh_token_bundle.scopes) ? params.payload.refresh_token_bundle.scopes.filter((item) => typeof item === "string") : [];
+  const label = params.payload.label.trim() || defaultProviderLabel(providerId);
+  const accountRef = params.payload.account_ref?.trim() || accountId;
+  return {
+    id: accountId,
+    hashed_user_id: sha256Hex(params.userId),
+    encrypted_provider_type: await encryptJsonOrString(providerId, params.masterKey),
+    provider_type_hash: sha256Hex(providerId),
+    encrypted_account_label: await encryptJsonOrString(label, params.masterKey),
+    encrypted_refresh_token_bundle: await encryptJsonOrString(params.payload.refresh_token_bundle, params.masterKey),
+    encrypted_capabilities: await encryptJsonOrString(capabilities, params.masterKey),
+    encrypted_app_permissions: await encryptJsonOrString(
+      {
+        app_id: appId,
+        allowed_actions: allowedActions,
+        scopes
+      },
+      params.masterKey
+    ),
+    encrypted_account_directory_hint: await encryptJsonOrString(
+      {
+        account_ref: accountRef,
+        label,
+        capabilities,
+        runtime_modes: Object.keys(params.payload.runtime_modes).length ? params.payload.runtime_modes : runtimeModesForActions(allowedActions)
+      },
+      params.masterKey
+    )
+  };
+}
+function parseEnvelope(encodedEnvelope) {
+  try {
+    return JSON.parse(new TextDecoder().decode(base64UrlToBytes(encodedEnvelope)));
+  } catch {
+    throw new Error("Connected account import payload is malformed.");
+  }
+}
+function validateTransferPayload(value) {
+  if (!value || typeof value !== "object" || Array.isArray(value)) {
+    throw new Error("Connected account import payload is malformed.");
+  }
+  const payload = value;
+  if (payload.version !== 1) throw new Error("Unsupported connected account import payload format.");
+  if (typeof payload.provider_id !== "string" || !payload.provider_id) throw new Error("Import payload is missing provider_id.");
+  if (typeof payload.app_id !== "string" || !payload.app_id) throw new Error("Import payload is missing app_id.");
+  if (typeof payload.label !== "string") throw new Error("Import payload is missing label.");
+  if (!Array.isArray(payload.capabilities)) throw new Error("Import payload is missing capabilities.");
+  if (!payload.runtime_modes || typeof payload.runtime_modes !== "object" || Array.isArray(payload.runtime_modes)) {
+    throw new Error("Import payload is missing runtime_modes.");
+  }
+  if (!payload.refresh_token_bundle || typeof payload.refresh_token_bundle !== "object" || Array.isArray(payload.refresh_token_bundle) || typeof payload.refresh_token_bundle.refresh_token !== "string" || !payload.refresh_token_bundle.refresh_token) {
+    throw new Error("Import payload is missing refresh token material.");
+  }
+  return payload;
+}
+async function deriveTransferKey(passcode, salt, iterations) {
+  const keyMaterial = await webcrypto5.subtle.importKey(
+    "raw",
+    new TextEncoder().encode(passcode),
+    "PBKDF2",
+    false,
+    ["deriveKey"]
+  );
+  return webcrypto5.subtle.deriveKey(
+    {
+      name: "PBKDF2",
+      salt: toArrayBuffer3(salt),
+      iterations,
+      hash: "SHA-256"
+    },
+    keyMaterial,
+    { name: "AES-GCM", length: 256 },
+    false,
+    ["decrypt"]
+  );
+}
+async function encryptJsonOrString(value, masterKey) {
+  const plaintext = typeof value === "string" ? value : JSON.stringify(value);
+  return encryptWithAesGcmCombined(plaintext, masterKey);
+}
+function normalizeCapabilities(value) {
+  if (!Array.isArray(value)) return ["read"];
+  const capabilities = value.filter((item) => typeof item === "string" && item.trim().length > 0);
+  return capabilities.length ? Array.from(new Set(capabilities)) : ["read"];
+}
+function actionsForCapabilities(capabilities) {
+  const actions = /* @__PURE__ */ new Set();
+  for (const capability of capabilities) {
+    if (capability === "read") actions.add("read");
+    if (capability === "write") {
+      actions.add("write");
+      actions.add("update");
+    }
+    if (capability === "delete") actions.add("delete");
+  }
+  return actions.size ? Array.from(actions) : ["read"];
+}
+function runtimeModesForActions(actions) {
+  return Object.fromEntries(actions.map((action) => [action, action === "read" ? "allow_automatically" : "always_ask"]));
+}
+function normalizeAppId(appId) {
+  return appId === "google_calendar" ? "calendar" : appId;
+}
+function appIdForProvider(providerId) {
+  return providerId === "google_calendar" ? "calendar" : providerId;
+}
+function defaultProviderLabel(providerId) {
+  return providerId === "google_calendar" ? "Google Calendar" : "Connected account";
+}
+function sha256Hex(value) {
+  return createHash4("sha256").update(value).digest("hex");
+}
+function base64UrlToBytes(value) {
+  return base64ToBytes(value.replace(/-/g, "+").replace(/_/g, "/"));
+}
+function toArrayBuffer3(input) {
+  const output = new ArrayBuffer(input.byteLength);
+  new Uint8Array(output).set(input);
+  return output;
+}
 // src/client.ts
 function normalizeUnixSeconds(value, fallback) {
   if (typeof value !== "number" || !Number.isFinite(value) || value <= 0) {
@@ -2856,11 +3013,11 @@ var OpenMatesClient = class _OpenMatesClient {
     }
     let anonymousId = loadAnonymousId();
     if (!anonymousId) {
-      anonymousId = randomUUID2();
+      anonymousId = randomUUID3();
       saveAnonymousId(anonymousId);
     }
-    const chatId = `anonymous-${randomUUID2()}`;
-    const messageId = `anonymous-message-${randomUUID2()}`;
+    const chatId = `anonymous-${randomUUID3()}`;
+    const messageId = `anonymous-message-${randomUUID3()}`;
     const requestBody = {
       anonymous_id: anonymousId,
       client_chat_id: chatId,
@@ -2918,6 +3075,59 @@ var OpenMatesClient = class _OpenMatesClient {
       };
     });
   }
+  async importConnectedAccountFromCliPayload(params) {
+    this.requireSession();
+    const payload = await decryptConnectedAccountCliTransferPayload(params.encryptedPayload, params.passcode);
+    const validation = await this.validateConnectedAccountImportPayload(payload);
+    const user = await this.whoAmI();
+    const userId = typeof user.id === "string" ? user.id : typeof user.user_id === "string" ? user.user_id : "";
+    if (!userId) {
+      throw new Error("Could not resolve current user id for connected account import.");
+    }
+    const row = await buildEncryptedConnectedAccountImportRow({
+      payload,
+      userId,
+      masterKey: this.getMasterKeyBytes()
+    });
+    const stored = await this.createConnectedAccountImportRow(row);
+    return {
+      id: stored.id,
+      providerId: payload.provider_id,
+      appId: payload.app_id,
+      label: payload.label,
+      validation
+    };
+  }
+  async validateConnectedAccountImportPayload(payload) {
+    this.requireSession();
+    const response = await this.http.post(
+      "/v1/connected-accounts/validate-import",
+      {
+        provider_id: payload.provider_id,
+        app_id: payload.app_id,
+        capabilities: payload.capabilities,
+        refresh_token_envelope: payload.refresh_token_bundle
+      },
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok || response.data.valid !== true) {
+      throw new Error(`Connected account validation failed (HTTP ${response.status})`);
+    }
+    assertNoConnectedAccountSecretLeak(response.data);
+    return response.data;
+  }
+  async createConnectedAccountImportRow(row) {
+    assertNoConnectedAccountSecretLeak(row);
+    const response = await this.http.post(
+      "/v1/connected-accounts",
+      row,
+      this.getCliRequestHeaders()
+    );
+    if (!response.ok || !response.data.id) {
+      throw new Error(`Failed to store connected account import (HTTP ${response.status})`);
+    }
+    return response.data;
+  }
   async cancelConnectedAccountAction(params) {
     const response = await this.http.post(
       `/v1/connected-accounts/actions/${encodeURIComponent(params.actionId)}/cancel`,
@@ -2994,7 +3204,7 @@ var OpenMatesClient = class _OpenMatesClient {
       pin: pin.trim().toUpperCase(),
       token
     });
-    const sessionId = randomUUID2();
+    const sessionId = randomUUID3();
     const login = await this.http.post(
       "/v1/auth/login",
       {
@@ -3169,7 +3379,7 @@ var OpenMatesClient = class _OpenMatesClient {
     }
     const session = {
       apiUrl: this.apiUrl,
-      sessionId: randomUUID2(),
+      sessionId: randomUUID3(),
       wsToken: null,
       cookies: this.http.getCookieMap(),
       masterKeyExportedB64: material.masterKeyB64,
@@ -3416,8 +3626,8 @@ var OpenMatesClient = class _OpenMatesClient {
       );
       let msgEmbedIds = [];
       if (clientMsgId && cache.embeds.length > 0) {
-        const { createHash: createHash6 } = await import("crypto");
-        const hashed = createHash6("sha256").update(clientMsgId).digest("hex");
+        const { createHash: createHash7 } = await import("crypto");
+        const hashed = createHash7("sha256").update(clientMsgId).digest("hex");
         msgEmbedIds = cache.embeds.filter(
           (e) => e.hashed_message_id === hashed && // Only include parent embeds (no parent_embed_id).
           // Child embeds inherit the parent's key and are loaded
@@ -3464,8 +3674,8 @@ var OpenMatesClient = class _OpenMatesClient {
       );
     }
     const embedId = String(embed.embed_id ?? embed.id ?? "");
-    const { createHash: createHash6 } = await import("crypto");
-    const hashedEmbedId = createHash6("sha256").update(embedId).digest("hex");
+    const { createHash: createHash7 } = await import("crypto");
+    const hashedEmbedId = createHash7("sha256").update(embedId).digest("hex");
     const embedKeyBytes = await this.resolveEmbedKey(
       cache,
       masterKey,
@@ -3573,7 +3783,7 @@ var OpenMatesClient = class _OpenMatesClient {
   async resolveEmbedKey(cache, masterKey, embed, embedId, hashedEmbedId, visited = /* @__PURE__ */ new Set()) {
     if (visited.has(embedId)) return null;
     visited.add(embedId);
-    const { createHash: createHash6 } = await import("crypto");
+    const { createHash: createHash7 } = await import("crypto");
     const masterKeyEntry = cache.embedKeys.find(
       (ek) => ek.hashed_embed_id === hashedEmbedId && String(ek.key_type) === "master"
     );
@@ -3590,7 +3800,7 @@ var OpenMatesClient = class _OpenMatesClient {
     if (chatKeyEntry && typeof chatKeyEntry.encrypted_embed_key === "string") {
       const hashedChatId = String(chatKeyEntry.hashed_chat_id ?? "");
       const owningChat = cache.chats.find((c) => {
-        const chatHash = createHash6("sha256").update(String(c.details.id ?? "")).digest("hex");
+        const chatHash = createHash7("sha256").update(String(c.details.id ?? "")).digest("hex");
         return chatHash === hashedChatId;
       });
       if (owningChat) {
@@ -3619,7 +3829,7 @@ var OpenMatesClient = class _OpenMatesClient {
         const parentFullId = String(
           parentEmbed2.embed_id ?? parentEmbed2.id ?? ""
         );
-        const parentHashedId = createHash6("sha256").update(parentFullId).digest("hex");
+        const parentHashedId = createHash7("sha256").update(parentFullId).digest("hex");
         const parentKey = await this.resolveEmbedKey(
           cache,
           masterKey,
@@ -3734,7 +3944,7 @@ var OpenMatesClient = class _OpenMatesClient {
   async sendMessage(params) {
     let chatId;
     if (!params.chatId) {
-      chatId = randomUUID2();
+      chatId = randomUUID3();
     } else if (params.chatId.length < 36) {
       const resolved = await this.resolveFullChatId(params.chatId);
       if (!resolved) {
@@ -3764,7 +3974,7 @@ var OpenMatesClient = class _OpenMatesClient {
       }
     }
     const { ws, session } = await this.openWsClient();
-    const messageId = randomUUID2();
+    const messageId = randomUUID3();
     const createdAt = Math.floor(Date.now() / 1e3);
     const isNewChat = !params.chatId;
     ws.send("set_active_chat", { chat_id: chatId });
@@ -4151,7 +4361,7 @@ var OpenMatesClient = class _OpenMatesClient {
           );
           const encryptedCategory = category ? await encryptWithAesGcmCombined(category, chatKeyBytes) : void 0;
           const encryptedModelName = modelName ? await encryptWithAesGcmCombined(modelName, chatKeyBytes) : void 0;
-          const persistedAssistantMessageId = assistantMessageId ?? randomUUID2();
+          const persistedAssistantMessageId = assistantMessageId ?? randomUUID3();
           ws.send("ai_response_completed", {
             chat_id: chatId,
             message: {
@@ -5294,7 +5504,7 @@ Required: ${schema.required.join(", ")}`
         );
       }
     }
-    const entryId = params.entryId ?? randomUUID2();
+    const entryId = params.entryId ?? randomUUID3();
     const now = Math.floor(Date.now() / 1e3);
     const hashedKey = hashItemKey(params.appId, params.itemType);
     const plaintextPayload = {
@@ -5428,7 +5638,7 @@ Required: ${schema.required.join(", ")}`
     const session = this.requireSession();
     const masterKey = base64ToBytes(session.masterKeyExportedB64);
     const cache = await this.ensureSynced();
-    const { createHash: createHash6 } = await import("crypto");
+    const { createHash: createHash7 } = await import("crypto");
     const embed = cache.embeds.find(
       (e) => String(e.embed_id ?? "").startsWith(embedIdOrShort) || String(e.id ?? "").startsWith(embedIdOrShort)
     );
@@ -5436,7 +5646,7 @@ Required: ${schema.required.join(", ")}`
       throw new Error(`Embed '${embedIdOrShort}' not found in local cache.`);
     }
     const embedId = String(embed.embed_id ?? embed.id ?? "");
-    const hashedEmbedId = createHash6("sha256").update(embedId).digest("hex");
+    const hashedEmbedId = createHash7("sha256").update(embedId).digest("hex");
     const embedKeyBytes = await this.resolveEmbedKey(
       cache,
       masterKey,
@@ -5496,8 +5706,8 @@ Required: ${schema.required.join(", ")}`
     if (!embed) {
       throw new Error(`Embed '${embedId}' not found in local cache. Run 'openmates chats list' to sync first.`);
     }
-    const { createHash: createHash6 } = await import("crypto");
-    const hashedEmbedId = createHash6("sha256").update(embedId).digest("hex");
+    const { createHash: createHash7 } = await import("crypto");
+    const hashedEmbedId = createHash7("sha256").update(embedId).digest("hex");
     const embedKey = await this.resolveEmbedKey(
       cache,
       masterKey,
@@ -5591,8 +5801,8 @@ Required: ${schema.required.join(", ")}`
     if (!embed) {
       throw new Error(`Embed '${embedId}' not found in local cache. Run 'openmates chats list' to sync first.`);
     }
-    const { createHash: createHash6 } = await import("crypto");
-    const hashedEmbedId = createHash6("sha256").update(embedId).digest("hex");
+    const { createHash: createHash7 } = await import("crypto");
+    const hashedEmbedId = createHash7("sha256").update(embedId).digest("hex");
     const embedKey = await this.resolveEmbedKey(
       cache,
       masterKey,
@@ -5769,7 +5979,7 @@ Required: ${schema.required.join(", ")}`
   makeWsClient(session) {
     return new OpenMatesWsClient({
       apiUrl: session.apiUrl,
-      sessionId: randomUUID2(),
+      sessionId: randomUUID3(),
       wsToken: session.wsToken,
       refreshToken: session.cookies.auth_refresh_token ?? null,
       // Same User-Agent as login so OS-based device fingerprint hash matches.
@@ -6929,7 +7139,7 @@ var OutputRedactor = class {
 import { readFileSync as readFileSync4, statSync, existsSync as existsSync4 } from "fs";
 import { basename, extname, resolve as resolve2 } from "path";
 import { homedir as homedir4 } from "os";
-import { createHash as createHash4 } from "crypto";
+import { createHash as createHash5 } from "crypto";
 var MAX_PER_FILE_SIZE = 100 * 1024 * 1024;
 var BLOCKED_EXTENSIONS = /* @__PURE__ */ new Set([
   ".pem",
@@ -7239,7 +7449,7 @@ function processCodeFile(filePath, filename, redactor) {
       line_count: lineCount
     });
     const textPreview = `${filename} (${language}, ${lineCount} lines)`;
-    const contentHash = createHash4("sha256").update(content).digest("hex");
+    const contentHash = createHash5("sha256").update(content).digest("hex");
     const embed = {
       embedId,
       embedRef,
@@ -8754,8 +8964,8 @@ function formatTs(ts) {
 }
 // src/server.ts
-import { execSync, spawn as nodeSpawn } from "child_process";
-import { createHash as createHash5, randomBytes as randomBytes2 } from "crypto";
+import { execFileSync as execFileSync2, execSync, spawn as nodeSpawn } from "child_process";
+import { createHash as createHash6, randomBytes as randomBytes2 } from "crypto";
 import { chmodSync as chmodSync2, copyFileSync, cpSync, existsSync as existsSync5, mkdirSync as mkdirSync3, mkdtempSync, readFileSync as readFileSync5, readdirSync, rmSync as rmSync3, writeFileSync as writeFileSync3 } from "fs";
 import { createInterface as createInterface2 } from "readline";
 import { createInterface as createPromptInterface } from "readline/promises";
@@ -8894,6 +9104,49 @@ function planRestore(input) {
     steps: input.yes === true ? ["stop", "restore", "start", "health-check"] : ["confirm", "stop", "restore", "start", "health-check"]
   };
 }
+function parseSecretEnvKey(envKey) {
+  if (!envKey.startsWith("SECRET__")) return null;
+  const parts = envKey.slice("SECRET__".length).split("__", 2);
+  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
+  return {
+    envKey,
+    vaultPath: `kv/data/providers/${parts[0].toLowerCase()}`,
+    vaultKey: parts[1].toLowerCase()
+  };
+}
+function summarizeSecretPreflight(input) {
+  const inlineSecretEnvKeys = [];
+  const importedSecretEnvKeys = [];
+  const emptySecretEnvKeys = [];
+  const importedVaultPresent = [];
+  const importedVaultMissing = [];
+  const importedVaultUnavailable = [];
+  for (const [envKey, rawValue] of Object.entries(input.env).sort(([a], [b]) => a.localeCompare(b))) {
+    if (!parseSecretEnvKey(envKey)) continue;
+    const value = rawValue.trim();
+    if (!value) {
+      emptySecretEnvKeys.push(envKey);
+      continue;
+    }
+    if (value !== "IMPORTED_TO_VAULT") {
+      inlineSecretEnvKeys.push(envKey);
+      continue;
+    }
+    importedSecretEnvKeys.push(envKey);
+    const presence = input.vaultPresence?.[envKey];
+    if (presence === "present") importedVaultPresent.push(envKey);
+    else if (presence === "missing") importedVaultMissing.push(envKey);
+    else importedVaultUnavailable.push(envKey);
+  }
+  return {
+    inlineSecretEnvKeys,
+    importedSecretEnvKeys,
+    emptySecretEnvKeys,
+    importedVaultPresent,
+    importedVaultMissing,
+    importedVaultUnavailable
+  };
+}
 function planCaddyCommand(input) {
   const role = parseServerRole(input.role);
   const templatePath = `templates/caddy/${role}/Caddyfile`;
@@ -9321,7 +9574,7 @@ function packagedCaddyTemplatePath(role) {
 }
 function fileHash(path) {
   if (!existsSync5(path)) return null;
-  return createHash5("sha256").update(readFileSync5(path)).digest("hex");
+  return createHash6("sha256").update(readFileSync5(path)).digest("hex");
 }
 async function loadSelfHostComposeTemplate(templateRef, role) {
   const templateDir = process.env.OPENMATES_SELFHOST_TEMPLATE_DIR;
@@ -9586,6 +9839,89 @@ function missingRequiredEnvKeys(installPath, role) {
   const env = readEnvMap(installPath);
   return requiredRuntimeEnvKeys(role).filter((key) => !env[key]);
 }
+function vaultCheckContainerForRole(role) {
+  if (role === "core") return "api";
+  if (role === "upload") return "app-uploads";
+  return null;
+}
+function readImportedVaultSecretPresence(role, importedSecrets) {
+  const checks = importedSecrets.filter((item) => item !== null);
+  if (checks.length === 0) return { presence: {}, checked: true, unavailableReason: null };
+  const container = vaultCheckContainerForRole(role);
+  if (!container) {
+    return { presence: {}, checked: false, unavailableReason: `${role} role does not expose a Vault-backed app container for secret verification.` };
+  }
+  const script = `
+import json
+import os
+import urllib.error
+import urllib.request
+checks = json.loads(os.environ["OPENMATES_SECRET_CHECKS"])
+token_path = "/vault-data/api.token"
+try:
+    with open(token_path, "r", encoding="utf-8") as token_file:
+        token = token_file.read().strip()
+except Exception as exc:
+    print(json.dumps({"ok": False, "reason": f"could not read {token_path}: {exc}", "presence": {}}))
+    raise SystemExit(0)
+presence = {}
+for item in checks:
+    request = urllib.request.Request(
+        f"http://vault:8200/v1/{item['vaultPath']}",
+        headers={"X-Vault-Token": token},
+    )
+    try:
+        with urllib.request.urlopen(request, timeout=3) as response:
+            payload = json.loads(response.read().decode("utf-8"))
+        value = payload.get("data", {}).get("data", {}).get(item["vaultKey"])
+        presence[item["envKey"]] = "present" if value else "missing"
+    except urllib.error.HTTPError as exc:
+        presence[item["envKey"]] = "missing" if exc.code == 404 else "unavailable"
+    except Exception:
+        presence[item["envKey"]] = "unavailable"
+print(json.dumps({"ok": True, "presence": presence}))
+`;
+  try {
+    const output = execFileSync2(
+      "docker",
+      ["exec", "-e", `OPENMATES_SECRET_CHECKS=${JSON.stringify(checks)}`, container, "python", "-c", script],
+      { encoding: "utf-8", timeout: 1e4, stdio: ["pipe", "pipe", "pipe"] }
+    ).trim();
+    const parsed = JSON.parse(output);
+    if (parsed.ok === false) return { presence: {}, checked: false, unavailableReason: parsed.reason ?? "Vault check failed." };
+    return { presence: parsed.presence ?? {}, checked: true, unavailableReason: null };
+  } catch (error) {
+    return {
+      presence: {},
+      checked: false,
+      unavailableReason: `Vault check unavailable. Is the ${container} container running? ${error instanceof Error ? error.message : String(error)}`
+    };
+  }
+}
+function runtimeSecretPreflight(installPath, role) {
+  const env = readEnvMap(installPath);
+  const importedSecrets = Object.entries(env).filter(([, value]) => value.trim() === "IMPORTED_TO_VAULT").map(([envKey]) => parseSecretEnvKey(envKey)).filter((item) => item !== null);
+  const vault = readImportedVaultSecretPresence(role, importedSecrets);
+  return {
+    ...summarizeSecretPreflight({ env, vaultPresence: vault.presence }),
+    vaultChecked: vault.checked,
+    vaultUnavailableReason: vault.unavailableReason
+  };
+}
+function formatSecretPreflight(preflight) {
+  const parts = [
+    `${preflight.importedVaultPresent.length}/${preflight.importedSecretEnvKeys.length} imported verified`
+  ];
+  if (preflight.importedVaultMissing.length) parts.push(`missing in Vault: ${preflight.importedVaultMissing.join(", ")}`);
+  if (preflight.importedVaultUnavailable.length) parts.push(`unverified: ${preflight.importedVaultUnavailable.join(", ")}`);
+  if (preflight.inlineSecretEnvKeys.length) parts.push(`inline SECRET entries: ${preflight.inlineSecretEnvKeys.length}`);
+  if (preflight.emptySecretEnvKeys.length) parts.push(`empty SECRET entries: ${preflight.emptySecretEnvKeys.length}`);
+  if (preflight.vaultUnavailableReason) parts.push(preflight.vaultUnavailableReason);
+  return parts.join("; ");
+}
 function writeChecksums(rootDir) {
   const lines = [];
   const walk = (dir) => {
@@ -9597,7 +9933,7 @@ function writeChecksums(rootDir) {
       }
       if (entry.name === "checksums.sha256") continue;
       const relative2 = path.slice(rootDir.length + 1);
-      const hash = createHash5("sha256").update(readFileSync5(path)).digest("hex");
+      const hash = createHash6("sha256").update(readFileSync5(path)).digest("hex");
       lines.push(`${hash}  ${relative2}`);
     }
   };
@@ -9619,7 +9955,7 @@ function verifyChecksums(rootDir) {
     }
     const filePath = join3(rootDir, relative2);
     if (!existsSync5(filePath)) throw new Error(`Backup archive is missing checksummed file: ${relative2}`);
-    const actual = createHash5("sha256").update(readFileSync5(filePath)).digest("hex");
+    const actual = createHash6("sha256").update(readFileSync5(filePath)).digest("hex");
     if (actual !== match[1]) throw new Error(`Backup checksum mismatch for ${relative2}.`);
   }
 }
@@ -10129,6 +10465,12 @@ async function serverUpdate(rest, flags) {
   const filterRequested = hasServiceFilter(flags);
   const selectedServices = filterRequested ? selectedComposeServices(role, flags) : [];
   const missingEnvKeys = missingRequiredEnvKeys(installPath, role);
+  const secretPreflight = runtimeSecretPreflight(installPath, role);
+  const missingOrUnverifiedSecrets = [
+    ...missingEnvKeys,
+    ...secretPreflight.importedVaultMissing,
+    ...secretPreflight.importedVaultUnavailable
+  ];
   if (installMode === "source" && (flags["image-tag"] !== void 0 || flags.channel !== void 0)) {
     throw new Error("--image-tag and --channel only apply to image-mode installs. Source-mode installs update from Git.");
   }
@@ -10138,7 +10480,7 @@ async function serverUpdate(rest, flags) {
     const currentTag = getImageTagFromEnv(installPath, config);
     const target = resolveTargetImageTag(flags, currentTag, getPackageVersion());
     const templateRef = templateRefForImageTag(target.tag, getPackageVersion());
-    const safetyPlan = planUpdate({ role, selectedServices, dryRun, skipBackup: flags["skip-backup"] === true, continuous: false, missingRequiredSecrets: missingEnvKeys });
+    const safetyPlan = planUpdate({ role, selectedServices, dryRun, skipBackup: flags["skip-backup"] === true, continuous: false, missingRequiredSecrets: missingOrUnverifiedSecrets });
     const plan = {
       command: "update",
       role,
@@ -10152,6 +10494,7 @@ async function serverUpdate(rest, flags) {
       steps: safetyPlan.steps,
       backupName: safetyPlan.backupName,
       missingRequiredEnvKeys: missingEnvKeys,
+      secretPreflight,
       blocked: safetyPlan.blocked,
       blockReason: safetyPlan.blockReason,
       dryRun
@@ -10170,13 +10513,16 @@ async function serverUpdate(rest, flags) {
         console.log(`  Backup:        ${safetyPlan.backupName ?? "none"}`);
         console.log(`  Steps:         ${safetyPlan.steps.join(" -> ")}`);
         console.log(`  Env preflight: ${missingEnvKeys.length ? `missing ${missingEnvKeys.join(", ")}` : "ok"}`);
+        console.log(`  Vault secrets: ${formatSecretPreflight(secretPreflight)}`);
         console.log("  Commands:      refresh compose, docker compose pull, docker compose up -d, health checks");
       }
       return;
     }
     if (safetyPlan.blocked) throw new Error(safetyPlan.blockReason ?? "Update blocked by preflight.");
-    if (missingEnvKeys.length && flags.yes !== true) {
-      throw new Error(`Required environment keys are missing: ${missingEnvKeys.join(", ")}. Add them to .env or rerun with --yes after reviewing.`);
+    if (missingOrUnverifiedSecrets.length && flags.yes !== true) {
+      throw new Error(
+        `Required runtime secret checks failed: ${missingOrUnverifiedSecrets.join(", ")}. Add missing non-SECRET values to .env, ensure IMPORTED_TO_VAULT markers exist in Vault, or rerun with --yes after reviewing.`
+      );
     }
     console.error(`Mode: image`);
     console.error(`Current image tag: ${currentTag || "unknown"}`);
@@ -10729,8 +11075,14 @@ async function serverPreflight(flags) {
   const config = loadConfigForInstallPath(installPath);
   const role = getServerRole(flags, config);
   const services = hasServiceFilter(flags) ? selectedComposeServices(role, flags) : [];
-  const updatePlan = planUpdate({ role, selectedServices: services, dryRun: true });
   const missingEnvKeys = missingRequiredEnvKeys(installPath, role);
+  const secretPreflight = runtimeSecretPreflight(installPath, role);
+  const missingOrUnverifiedSecrets = [
+    ...missingEnvKeys,
+    ...secretPreflight.importedVaultMissing,
+    ...secretPreflight.importedVaultUnavailable
+  ];
+  const updatePlan = planUpdate({ role, selectedServices: services, dryRun: true, continuous: true, missingRequiredSecrets: missingOrUnverifiedSecrets });
   const runtimePlan = planServerRuntime({
     role,
     profile: getCoreProfile(flags, config),
@@ -10748,6 +11100,10 @@ async function serverPreflight(flags) {
     updateSteps: updatePlan.steps,
     backupName: updatePlan.backupName,
     missingRequiredEnvKeys: missingEnvKeys,
+    secretPreflight,
+    missingOrUnverifiedSecrets,
+    blocked: updatePlan.blocked,
+    blockReason: updatePlan.blockReason,
     caddy: caddyPlan
   };
   if (flags.json === true) {
@@ -10760,6 +11116,8 @@ async function serverPreflight(flags) {
   console.log(`  Services:      ${hasServiceFilter(flags) ? services.join(", ") : "all"}`);
   console.log(`  Backup:        ${updatePlan.backupName ?? "none"}`);
   console.log(`  Env preflight: ${missingEnvKeys.length ? `missing ${missingEnvKeys.join(", ")}` : "ok"}`);
+  console.log(`  Vault secrets: ${formatSecretPreflight(secretPreflight)}`);
+  if (updatePlan.blocked) console.log(`  Blocked:       ${updatePlan.blockReason}`);
   console.log(`  Health checks: ${runtimePlan.healthChecks.join(", ")}`);
   console.log(`  Caddy steps:   ${caddyPlan.steps.join(" -> ")}`);
 }
@@ -10812,14 +11170,16 @@ WARNING: This will replace ${appliedPath} with the packaged ${role} Caddyfile.`)
       }
     }
     const backupPath = `${appliedPath}.openmates-backup-${nowStamp()}`;
+    const hadExistingCaddyfile = existsSync5(appliedPath);
     try {
-      if (existsSync5(appliedPath)) copyFileSync(appliedPath, backupPath);
+      mkdirSync3(dirname(appliedPath), { recursive: true });
+      if (hadExistingCaddyfile) copyFileSync(appliedPath, backupPath);
       copyFileSync(templatePath, appliedPath);
       execSync("systemctl reload caddy", { stdio: "inherit" });
     } catch (error) {
       throw new Error(`Could not apply Caddyfile. Run with sudo or use --config <writable path>. ${error instanceof Error ? error.message : String(error)}`);
     }
-    console.log(`Applied Caddyfile for ${role}. Backup: ${backupPath}`);
+    console.log(`Applied Caddyfile for ${role}. ${hadExistingCaddyfile ? `Backup: ${backupPath}` : "No previous Caddyfile existed."}`);
     return;
   }
   console.log(`Caddy ${action} plan:`);
@@ -24990,6 +25350,118 @@ var berlinMorningBikeForecastChat = {
   }
 };
+// ../ui/src/demo_chats/data/example_chats/privacy-first-product-launch-mind-map.ts
+var privacyFirstProductLaunchMindMapChat = {
+  chat_id: "example-privacy-first-product-launch",
+  slug: "privacy-first-product-launch-mind-map",
+  title: "example_chats.privacy_first_product_launch_mind_map.title",
+  summary: "example_chats.privacy_first_product_launch_mind_map.summary",
+  icon: "workflow",
+  category: "design",
+  keywords: ["mind map", "privacy-first product launch", "product planning", "privacy UX", "launch strategy"],
+  follow_up_suggestions: ["example_chats.privacy_first_product_launch_mind_map.follow_up_1", "example_chats.privacy_first_product_launch_mind_map.follow_up_2", "example_chats.privacy_first_product_launch_mind_map.follow_up_3", "example_chats.privacy_first_product_launch_mind_map.follow_up_4", "example_chats.privacy_first_product_launch_mind_map.follow_up_5", "example_chats.privacy_first_product_launch_mind_map.follow_up_6"],
+  messages: [
+    {
+      "id": "15e39975-bc0e-4184-bf14-473d87131a6a",
+      "role": "user",
+      "content": "example_chats.privacy_first_product_launch_mind_map.message_1",
+      "created_at": 1782037289
+    },
+    {
+      "id": "d07c4f4f-76b2-4e71-a863-9f8baf0a359e",
+      "role": "assistant",
+      "content": "example_chats.privacy_first_product_launch_mind_map.message_2",
+      "created_at": 1782037316,
+      "user_message_id": "15e39975-bc0e-4184-bf14-473d87131a6a",
+      "category": "design",
+      "model_name": "Gemini 3.1 Pro"
+    }
+  ],
+  embeds: [
+    {
+      "embed_id": "f9540460-1fce-441a-9abc-f627efaf1c0f",
+      "type": "mindmap",
+      "content": `type: mindmap
+app_id: mindmaps
+skill_id: mindmap
+title: Privacy-First Product Launch Planning
+source_json: "{\\n  \\"openmatesType\\": \\"mindmap\\",\\n  \\"schemaVersion\\": 1,\\n  \\"title\\": \\"Privacy-First Product Launch Planning\\",\\n  \\"rootId\\": \\"root\\",\\n  \\"nodes\\": [\\n    {\\n      \\"id\\": \\"root\\",\\n      \\"label\\": \\"Privacy-First Product Launch\\",\\n      \\"children\\": [\\n        \\"prod-eng\\",\\n        \\"legal\\",\\n        \\"ux\\",\\n        \\"marketing\\",\\n        \\"logistics\\"\\n      ]\\n    },\\n    {\\n      \\"id\\": \\"prod-eng\\",\\n      \\"label\\": \\"Product & Engineering\\",\\n      \\"children\\": [\\n        \\"pe-data\\",\\n        \\"pe-e2e\\",\\n        \\"pe-audit\\"\\n      ]\\n    },\\n    {\\n      \\"id\\": \\"pe-data\\",\\n      \\"label\\": \\"Data Minimization Specs\\"\\n    },\\n    {\\n      \\"id\\": \\"pe-e2e\\",\\n      \\"label\\": \\"End-to-End Encryption\\"\\n    },\\n    {\\n      \\"id\\": \\"pe-audit\\",\\n      \\"label\\": \\"3rd-Party Security Audits\\"\\n    },\\n    {\\n      \\"id\\": \\"legal\\",\\n      \\"label\\": \\"Legal & Compliance\\",\\n      \\"children\\": [\\n        \\"leg-gdpr\\",\\n        \\"leg-policy\\",\\n        \\"leg-tos\\"\\n      ]\\n    },\\n    {\\n      \\"id\\": \\"leg-gdpr\\",\\n      \\"label\\": \\"GDPR / CCPA Readiness\\"\\n    },\\n    {\\n      \\"id\\": \\"leg-policy\\",\\n      \\"label\\": \\"Plain-English Privacy Policy\\"\\n    },\\n    {\\n      \\"id\\": \\"leg-tos\\",\\n      \\"label\\": \\"Transparent Terms of Service\\"\\n    },\\n    {\\n      \\"id\\": \\"ux\\",\\n      \\"label\\": \\"User Experience (UX)\\",\\n      \\"children\\": [\\n        \\"ux-consent\\",\\n        \\"ux-dash\\",\\n        \\"ux-delete\\"\\n      ]\\n    },\\n    {\\n      \\"id\\": \\"ux-consent\\",\\n      \\"label\\": \\"Clear Consent Flows (No Dark Patterns)\\"\\n    },\\n    {\\n      \\"id\\": \\"ux-dash\\",\\n      \\"label\\": \\"Centralized Privacy Dashboard\\"\\n    },\\n    {\\n      \\"id\\": \\"ux-delete\\",\\n      \\"label\\": \\"1-Click Account Deletion\\"\\n    },\\n    {\\n      \\"id\\": \\"marketing\\",\\n      \\"label\\": \\"Marketing & Messaging\\",\\n      \\"children\\": [\\n        \\"mkt-core\\",\\n        \\"mkt-press\\",\\n        \\"mkt-advocates\\"\\n      ]\\n    },\\n    {\\n      \\"id\\": \\"mkt-core\\",\\n      \\"label\\": \\"Core Message: 'Your Data is Yours'\\"\\n    },\\n    {\\n      \\"id\\": \\"mkt-press\\",\\n      \\"label\\": \\"Pitching Privacy Tech Journalists\\"\\n    },\\n    {\\n      \\"id\\": \\"mkt-advocates\\",\\n      \\"label\\": \\"Partnering w/ Privacy Advocates\\"\\n    },\\n    {\\n      \\"id\\": \\"logistics\\",\\n      \\"label\\": \\"Launch Logistics\\",\\n      \\"children\\": [\\n        \\"log-beta\\",\\n        \\"log-rollout\\"\\n      ]\\n    },\\n    {\\n      \\"id\\": \\"log-beta\\",\\n      \\"label\\": \\"Closed Beta & Bug Bounty\\"\\n    },\\n    {\\n      \\"id\\": \\"log-rollout\\",\\n      \\"label\\": \\"Phased Public Rollout\\"\\n    }\\n  ],\\n  \\"edges\\": [],\\n  \\"view\\": {\\n    \\"layout\\": \\"radial-tree\\",\\n    \\"collapsedNodeIds\\": []\\n  }\\n}"
+model:
+  openmatesType: mindmap
+  schemaVersion: 1
+  title: Privacy-First Product Launch Planning
+  rootId: root
+  nodes[20]:
+    - id: root
+      label: Privacy-First Product Launch
+      children[5]: prod-eng,legal,ux,marketing,logistics
+    - id: prod-eng
+      label: Product & Engineering
+      children[3]: pe-data,pe-e2e,pe-audit
+    - id: pe-data
+      label: Data Minimization Specs
+    - id: pe-e2e
+      label: End-to-End Encryption
+    - id: pe-audit
+      label: 3rd-Party Security Audits
+    - id: legal
+      label: Legal & Compliance
+      children[3]: leg-gdpr,leg-policy,leg-tos
+    - id: leg-gdpr
+      label: GDPR / CCPA Readiness
+    - id: leg-policy
+      label: Plain-English Privacy Policy
+    - id: leg-tos
+      label: Transparent Terms of Service
+    - id: ux
+      label: User Experience (UX)
+      children[3]: ux-consent,ux-dash,ux-delete
+    - id: ux-consent
+      label: Clear Consent Flows (No Dark Patterns)
+    - id: ux-dash
+      label: Centralized Privacy Dashboard
+    - id: ux-delete
+      label: 1-Click Account Deletion
+    - id: marketing
+      label: Marketing & Messaging
+      children[3]: mkt-core,mkt-press,mkt-advocates
+    - id: mkt-core
+      label: "Core Message: 'Your Data is Yours'"
+    - id: mkt-press
+      label: Pitching Privacy Tech Journalists
+    - id: mkt-advocates
+      label: Partnering w/ Privacy Advocates
+    - id: logistics
+      label: Launch Logistics
+      children[2]: log-beta,log-rollout
+    - id: log-beta
+      label: Closed Beta & Bug Bounty
+    - id: log-rollout
+      label: Phased Public Rollout
+  edges[0]:
+  view:
+    layout: radial-tree
+    collapsedNodeIds[0]:
+embed_ref: mind-map-f95404
+status: finished
+node_count: 20
+edge_count: 0
+validation:
+  status: valid
+  warnings[0]:
+  parse_error: null
+version_number: 1`,
+      "parent_embed_id": null,
+      "embed_ids": null
+    }
+  ],
+  metadata: {
+    featured: true,
+    order: 105,
+    content_embed_examples: ["mindmaps.mindmap"]
+  }
+};
 // ../ui/src/demo_chats/exampleChatData.ts
 var ALL_EXAMPLE_CHATS = [
   giganticAirplanesChat,
@@ -25077,7 +25549,8 @@ var ALL_EXAMPLE_CHATS = [
   rostockHeavyRainRadarChat,
   classicCarReverseImageSearchChat,
   usbC3v3LdoPcbSchematicChat,
-  berlinMorningBikeForecastChat
+  berlinMorningBikeForecastChat,
+  privacyFirstProductLaunchMindMapChat
 ].sort((a, b) => a.metadata.order - b.metadata.order);
 // ../ui/src/i18n/locales/en.json
@@ -27711,6 +28184,12 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
       continue: {
         text: "Continue"
       },
+      skip: {
+        text: "Skip"
+      },
+      select_interests: {
+        text: "Select interests"
+      },
       software_development: {
         text: "software development"
       },
@@ -27740,6 +28219,21 @@ Only output the final Markdown table. Do NOT include explanations, notes, or any
       },
       learn_anything: {
         text: "learn anything"
+      },
+      plan_trips: {
+        text: "plan trips"
+      },
+      create_images: {
+        text: "create images"
+      },
+      follow_news: {
+        text: "follow news"
+      },
+      stay_healthy: {
+        text: "stay healthy"
+      },
+      write_better: {
+        text: "write better"
       }
     },
     new_chat: {
@@ -33210,6 +33704,38 @@ Like [Denis Villeneuve](wiki:Denis_Villeneuve)\u2019s work, *Contact* avoids the
         text: '```json\n{"type": "app_skill_use", "embed_id": "54a8d949-0a13-463f-bc6a-958e1f746f79", "app_id": "pdf", "skill_id": "view", "query": "Please describe the visual layout of this page, including the title and the structure of any bulleted lists."}\n```\n\n_\nThe first page of sample.pdf features a clean, professional layout with the following structure:\n\n### **Visual Layout Overview**\n*   **Title:** The document begins with a prominent, bold heading: **"OpenMates PDF Test Document"**.\n*   **Subheading:** Immediately below the title is a line indicating the page and section: "Page 1 of 2 \u2014 Introduction".\n*   **Introductory Paragraph:** A brief paragraph explains that the document is intended for testing PDF upload and AI reading features.\n*   **Bullet List Structure:** \n    *   The list is introduced by the phrase "Key facts on this page:".\n    *   It consists of **three bullet points**, each marked with a standard black circular bullet (\u2022).\n    *   The bullets highlight the document title, a "secret word" (ALPHA), and the nature of the text on the page.\n*   **Closing Text:** A final sentence notes that an AI assistant should be able to read the content and identify the secret word.\n\nWould you like me to [read the text](/#settings/apps/pdf) from page 2 or [search for specific keywords](/#settings/apps/pdf) within the document?'
       }
     },
+    privacy_first_product_launch_mind_map: {
+      title: {
+        text: "Privacy-First Product Launch Mind Map"
+      },
+      summary: {
+        text: "A structured mind map for planning a privacy-first product launch across product, legal, marketing, UX, and logistics."
+      },
+      message_1: {
+        text: "Create a visual mind map artifact for planning a privacy-first product launch. Use a central idea with clear branches and sub-branches."
+      },
+      message_2: {
+        text: 'Here is a visual mind map to help you organize and plan your privacy-first product launch. I\'ve broken it down into key areas: Product/Engineering, Legal, Marketing, UX, and Logistics. \n\n```json\n{"type": "mindmap", "embed_id": "f9540460-1fce-441a-9abc-f627efaf1c0f"}\n```\n\n### Design Notes for a Privacy-First Launch\nSince privacy is deeply connected to user trust, your UI and UX design choices will be just as important as your backend engineering. When you\'re designing the interface (especially the **UX** branch of this map), keep these principles in mind:\n*   **Visual Transparency:** Avoid hiding data toggles in complex sub-menus. A clean, spacious privacy dashboard gives users a sense of control. \n*   **Plain Language Design:** Pair your "Plain-English Privacy Policy" with simple iconography. E.g., an open padlock vs. a closed padlock.\n*   **Combine AI and Your Own Craft:** If you need placeholder icons, UI mockups, or wireframes for this launch, you can sketch them out on paper or in a simple tool, upload them here, and we can use AI to refine those rough concepts together. It\u2019s a great way to keep the personal touch while moving quickly!\n\nWhich area of the launch map feels like the biggest hurdle for you right now? I\'d be happy to help you brainstorm marketing assets or sketch out some UI flows for your consent screens!'
+      },
+      follow_up_1: {
+        text: "Search for upcoming privacy-focused product launch events"
+      },
+      follow_up_2: {
+        text: "Explain the importance of visual transparency in UI design"
+      },
+      follow_up_3: {
+        text: "Find tutorials on designing privacy dashboards"
+      },
+      follow_up_4: {
+        text: "List key principles for a privacy-first product launch"
+      },
+      follow_up_5: {
+        text: "Generate mockups for a clean privacy dashboard"
+      },
+      follow_up_6: {
+        text: "Help me brainstorm marketing assets for a privacy-focused product"
+      }
+    },
     privacy_website_hero_background: {
       title: {
         text: "Privacy Website Hero Background"
@@ -40105,6 +40631,33 @@ As of mid-2026, the severe supply shocks from the 2024\u20132025 avian flu have
         },
         finalize_error: {
           text: "Could not finish updating connected account."
+        },
+        cli_export_title: {
+          text: "CLI test-account import"
+        },
+        cli_export_warning: {
+          text: "This is for testing only. Anyone with the generated command and passcode can add this provider account to another OpenMates account."
+        },
+        cli_export_passcode_placeholder: {
+          text: "Passcode for the CLI import"
+        },
+        cli_export_passcode_required: {
+          text: "Enter a passcode before generating the CLI import command."
+        },
+        cli_export_button: {
+          text: "Generate CLI import command"
+        },
+        cli_export_command_label: {
+          text: "Generated CLI import command"
+        },
+        cli_export_copied: {
+          text: "CLI import command copied. Paste it while logged into the test account in OpenMates CLI."
+        },
+        cli_export_generated: {
+          text: "CLI import command generated. Copy it and paste it while logged into the test account in OpenMates CLI."
+        },
+        cli_export_error: {
+          text: "Could not generate the CLI import command."
         }
       },
       nearby_by_default: {
@@ -43277,7 +43830,7 @@ function buildAssistantFeedbackDecision(rating) {
 }
 // src/benchmark.ts
-import { randomUUID as randomUUID3 } from "crypto";
+import { randomUUID as randomUUID4 } from "crypto";
 import { existsSync as existsSync6, mkdtempSync as mkdtempSync2, readFileSync as readFileSync6, readdirSync as readdirSync2, writeFileSync as writeFileSync4 } from "fs";
 import { tmpdir } from "os";
 import { dirname as dirname2, join as join4, resolve as resolve5 } from "path";
@@ -43577,7 +44130,7 @@ async function handleBenchmark(client, subcommand, rest, flags) {
   const caseIds = parseCaseIds(flags.case);
   const dryRun = flags["dry-run"] === true;
   const output = typeof flags.output === "string" ? flags.output : void 0;
-  const runId = typeof flags["run-id"] === "string" ? flags["run-id"] : randomUUID3();
+  const runId = typeof flags["run-id"] === "string" ? flags["run-id"] : randomUUID4();
   const imagePath = typeof flags.image === "string" ? resolve5(flags.image) : defaultImageFixturePath();
   if (!dryRun && flags["confirm-spend-credits"] !== true) {
     throw new Error(
@@ -43987,7 +44540,7 @@ function buildLongContextHistory() {
 }
 function appendHistory(history, role, content) {
   history.push({
-    message_id: randomUUID3(),
+    message_id: randomUUID4(),
     role,
     sender_name: role === "user" ? "User" : "Assistant",
     content,
@@ -44326,6 +44879,10 @@ async function main() {
       printSettingsHelp(client);
       return;
     }
+    if (command === "connected-accounts") {
+      printConnectedAccountsHelp();
+      return;
+    }
     if (command === "learning-mode") {
       printLearningModeHelp();
       return;
@@ -44428,6 +44985,10 @@ async function main() {
     await handleSettings(client, subcommand, rest, parsed.flags);
     return;
   }
+  if (command === "connected-accounts") {
+    await handleConnectedAccounts(client, subcommand, parsed.flags);
+    return;
+  }
   if (command === "learning-mode") {
     await handleLearningMode(client, subcommand, parsed.flags);
     return;
@@ -46152,6 +46713,43 @@ async function promptSecret(question) {
     stdin2.on("data", onData);
   });
 }
+async function handleConnectedAccounts(client, subcommand, flags) {
+  if (!subcommand || subcommand === "help" || flags.help === true) {
+    printConnectedAccountsHelp();
+    return;
+  }
+  if (subcommand !== "import") {
+    throw new Error(`Unknown connected-accounts command '${subcommand}'. Run 'openmates connected-accounts --help'.`);
+  }
+  if (flags.passcode !== void 0) {
+    throw new Error("Connected account import passcodes must be entered through the hidden prompt, not a command-line flag.");
+  }
+  const payload = typeof flags.payload === "string" ? flags.payload.trim() : "";
+  if (!payload) {
+    throw new Error("Missing --payload. Paste the command generated by connected account settings.");
+  }
+  if (!client.hasSession()) {
+    throw new Error("Not logged in. Run `openmates login` before importing a connected account.");
+  }
+  const passcode = await promptSecret("Connected account import passcode: ");
+  const result = await client.importConnectedAccountFromCliPayload({
+    encryptedPayload: payload,
+    passcode
+  });
+  if (flags.json === true) {
+    printJson2({
+      id: result.id,
+      provider_id: result.providerId,
+      app_id: result.appId,
+      validation: result.validation
+    });
+    return;
+  }
+  console.log("Connected account imported.");
+  console.log(`Provider: ${result.providerId}`);
+  console.log(`App: ${result.appId}`);
+  console.log("Validation: harmless read succeeded");
+}
 async function writeSecretFile(filePath, content, force = false) {
   const { mkdir, writeFile, stat: stat2 } = await import("fs/promises");
   const { dirname: dirname4 } = await import("path");
@@ -48891,6 +49489,7 @@ Commands:
   openmates mentions [--help]                List available @mentions
   openmates embeds [--help]                  Embed commands (show)
   openmates settings [--help]                Predefined settings commands
+  openmates connected-accounts [--help]      Connected account import helpers
   openmates learning-mode [--help]           Account-wide Learning Mode controls
   openmates inspirations [--lang <code>] [--json]   Daily inspirations
   openmates newchatsuggestions [--limit <n>] [--json]   Personalized new chat suggestions
@@ -48906,6 +49505,22 @@ Flags:
   --api-key <key> Optional API key override (or set OPENMATES_API_KEY)
   --help          Show contextual help for any command`);
 }
+function printConnectedAccountsHelp() {
+  console.log(`Connected account commands:
+  openmates connected-accounts import --payload <OMCA1...> [--json]
+Imports one passcode-protected connected account generated from web settings.
+The CLI prompts for the passcode interactively, validates the provider token with
+a harmless read, then re-encrypts the account for the currently logged-in CLI
+account before storing it.
+Options:
+  --payload <OMCA1...>  Required encrypted import payload from web settings
+  --json               Output a redacted JSON summary
+Security:
+  Do not pass the passcode as a flag. It is always entered through a hidden prompt.`);
+}
 function printFeedbackHelp() {
   console.log(`Feedback commands:
   openmates feedback assistant-response --rating <1-5> [--json]

package/dist/cli.js CHANGED Viewed

@@ -2,7 +2,7 @@
 import {
   getExtForLang,
   serializeToYaml
-} from "./chunk-4S3EN6KA.js";
+} from "./chunk-FCSXUBOU.js";
 import "./chunk-AXNRPVLE.js";
 export {
   getExtForLang,

package/dist/index.d.ts CHANGED Viewed

@@ -209,6 +209,18 @@ interface EmbedKeyWrapper {
  */
 type ShareDuration = 0 | 60 | 3600 | 86400 | 604800 | 1209600 | 2592000 | 7776000;
+interface ConnectedAccountCliTransferPayload {
+    version: 1;
+    provider_id: string;
+    app_id: string;
+    label: string;
+    account_ref?: string;
+    capabilities: string[];
+    runtime_modes: Record<string, string>;
+    refresh_token_bundle: Record<string, unknown>;
+    created_at: string;
+}
 interface CliSubChatRequest {
     id?: string;
     chat_id?: string;
@@ -249,6 +261,19 @@ interface ConnectedAccountTurnTokenRef {
     action_scope?: Record<string, unknown>;
     expires_at: number;
 }
+interface ConnectedAccountImportValidationResult {
+    valid: boolean;
+    provider_id: string;
+    app_id: string;
+    checked_at: number;
+}
+interface ConnectedAccountImportResult {
+    id: string;
+    providerId: string;
+    appId: string;
+    label: string;
+    validation: ConnectedAccountImportValidationResult;
+}
 type LearningModeAgeGroup = "under_10" | "10_12" | "13_15" | "16_18" | "adult";
 interface LearningModeStatus {
     enabled: boolean;
@@ -565,6 +590,12 @@ declare class OpenMatesClient {
         messageId: string;
         refs: ConnectedAccountTurnTokenRefInput[];
     }): Promise<ConnectedAccountTurnTokenRef[]>;
+    importConnectedAccountFromCliPayload(params: {
+        encryptedPayload: string;
+        passcode: string;
+    }): Promise<ConnectedAccountImportResult>;
+    validateConnectedAccountImportPayload(payload: ConnectedAccountCliTransferPayload): Promise<ConnectedAccountImportValidationResult>;
+    private createConnectedAccountImportRow;
     cancelConnectedAccountAction(params: {
         actionId: string;
         chatId: string;

package/dist/index.js CHANGED Viewed

@@ -11,7 +11,7 @@ import {
   getExtForLang,
   normalizeInterestTagIds,
   serializeToYaml
-} from "./chunk-4S3EN6KA.js";
+} from "./chunk-FCSXUBOU.js";
 import "./chunk-AXNRPVLE.js";
 export {
   ASSISTANT_FEEDBACK_REPORT_TITLE,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "openmates",
-  "version": "0.12.0-alpha.27",
+  "version": "0.12.0-alpha.29",
   "description": "OpenMates CLI and SDK",
   "type": "module",
   "main": "dist/index.js",
@@ -30,8 +30,9 @@
     "test:unit:billing": "node --test tests/billing.test.ts",
     "test:unit:account-delete": "node --test tests/account-delete.test.ts",
     "test:unit:cli": "node --test tests/cli.test.ts",
+    "test:unit:connected-account-import": "node --test --experimental-strip-types --loader ./tests/loader.mjs tests/connectedAccountImport.test.ts",
     "test:unit:benchmark": "node --test --experimental-strip-types --loader ./tests/loader.mjs src/__tests__/benchmark.test.ts",
-    "test": "node --test --experimental-strip-types --loader ./tests/loader.mjs tests/crypto.test.ts tests/storage.test.ts tests/keychain.test.ts tests/mentions.test.ts tests/outputRedactor.test.ts tests/fileEmbed.test.ts tests/embedCreator.test.ts tests/shareEncryption.test.ts tests/server.test.ts tests/ws.test.ts tests/urlEmbed.test.ts src/__tests__/benchmark.test.ts && node --test --experimental-strip-types tests/embedRenderers.test.ts && node --test tests/cli.test.ts tests/billing.test.ts tests/account-delete.test.ts tests/signup.test.ts tests/security-setup.test.ts tests/e2e-provisioning.test.ts"
+    "test": "node --test --experimental-strip-types --loader ./tests/loader.mjs tests/crypto.test.ts tests/storage.test.ts tests/keychain.test.ts tests/mentions.test.ts tests/outputRedactor.test.ts tests/fileEmbed.test.ts tests/embedCreator.test.ts tests/shareEncryption.test.ts tests/server.test.ts tests/ws.test.ts tests/urlEmbed.test.ts src/__tests__/benchmark.test.ts && node --test --experimental-strip-types --loader ./tests/loader.mjs tests/embedRenderers.test.ts tests/connectedAccountImport.test.ts && node --test tests/cli.test.ts tests/billing.test.ts tests/account-delete.test.ts tests/signup.test.ts tests/security-setup.test.ts tests/e2e-provisioning.test.ts"
   },
   "keywords": [
     "openmates",