silentlake 2026.3.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (1893) hide show
  1. package/CHANGELOG.md +4587 -0
  2. package/LICENSE +21 -0
  3. package/README.md +248 -0
  4. package/assets/avatar-placeholder.svg +19 -0
  5. package/assets/chrome-extension/icons/icon128.png +0 -0
  6. package/assets/chrome-extension/icons/icon16.png +0 -0
  7. package/assets/chrome-extension/icons/icon32.png +0 -0
  8. package/assets/chrome-extension/icons/icon48.png +0 -0
  9. package/assets/dmg-background-small.png +0 -0
  10. package/assets/dmg-background.png +0 -0
  11. package/assets/silentlake-banner.png +0 -0
  12. package/dist/APEv2Parser-BZv_dP9t.js +269 -0
  13. package/dist/APEv2Parser-CPzxFNBB.js +5 -0
  14. package/dist/AbstractID3Parser-mvDFcjYV.js +47 -0
  15. package/dist/AiffParser-BXQ9SRZk.js +145 -0
  16. package/dist/AsfParser-CmBDUlZE.js +631 -0
  17. package/dist/BasicParser-DhmXREDo.js +853 -0
  18. package/dist/DsdiffParser-CTKKGyZg.js +150 -0
  19. package/dist/DsfParser-Ds-YQe4Z.js +101 -0
  20. package/dist/FlacParser-B1XVPgXF.js +5 -0
  21. package/dist/FlacParser-DMPyL1y4.js +367 -0
  22. package/dist/ID3v1Parser-BICWWVDG.js +289 -0
  23. package/dist/ID3v2Parser-BmZHSUqs.js +650 -0
  24. package/dist/ID3v2Token-DeJf4tYQ.js +145 -0
  25. package/dist/MP4Parser-Cjf-Zs8T.js +1061 -0
  26. package/dist/MatroskaParser-DgBzBe8t.js +909 -0
  27. package/dist/MpegParser-D5swTpA1.js +744 -0
  28. package/dist/MusepackParser-D8EQXnpK.js +285 -0
  29. package/dist/OggParser-BcIYPHwP.js +390 -0
  30. package/dist/Util-D_zGsr97.js +170 -0
  31. package/dist/WavPackParser-hosU8gfo.js +166 -0
  32. package/dist/WaveParser-CA00FZrC.js +273 -0
  33. package/dist/abort-cutoff-CERmtgZI.js +56 -0
  34. package/dist/abort-cutoff.runtime-DZkGKKzv.js +61 -0
  35. package/dist/abort-signal-CsrBEr94.js +13 -0
  36. package/dist/account-helpers-D3c_eI7c.js +37 -0
  37. package/dist/account-helpers-ru3jdZSV.js +12 -0
  38. package/dist/account-id-DZnNZg8x.js +1 -0
  39. package/dist/account-id-ZCrgXl7Z.js +44 -0
  40. package/dist/account-lookup-nkoa-foB.js +10 -0
  41. package/dist/account-snapshot-fields-Cvq7803C.js +116 -0
  42. package/dist/account-summary-B5Xzvntm.js +36 -0
  43. package/dist/accounts-43SvCDEA.js +212 -0
  44. package/dist/accounts-CYgFhv2o.js +105 -0
  45. package/dist/accounts-ChlyF7cx.js +112 -0
  46. package/dist/ack-reactions-CNVwfOBj.js +43 -0
  47. package/dist/acp-cli-B4Rv7-xU.js +2033 -0
  48. package/dist/acp-runtime-BdLdT-QY.js +1 -0
  49. package/dist/actions.runtime-CqnQssoB.js +217 -0
  50. package/dist/actions.runtime-FLmCvVRd.js +236 -0
  51. package/dist/agent-CBOdzEvR.js +1 -0
  52. package/dist/agent-scope-BLhzf-o0.js +17 -0
  53. package/dist/agent-scope-DPP4Z_UU.js +193 -0
  54. package/dist/agents-D8pBK0II.js +855 -0
  55. package/dist/agents-Dihz1Ihx.js +323 -0
  56. package/dist/agents.config-C_lrnc9J.js +18 -0
  57. package/dist/agents.config-D1VqC78r.js +121 -0
  58. package/dist/allow-from-BPSBITdd.js +9 -0
  59. package/dist/allow-from-BwTLpvhp.js +20 -0
  60. package/dist/allow-from-C4iBpqFI.js +62 -0
  61. package/dist/allowlist-config-edit-CKbnMmwS.js +279 -0
  62. package/dist/allowlist-match-CYmPgg1K.js +63 -0
  63. package/dist/ansi-BEJF8NKS.js +54 -0
  64. package/dist/anthropic-vertex-provider-Dd5agCN9.js +60 -0
  65. package/dist/apply.runtime-DhKxNSJE.js +370 -0
  66. package/dist/apply.runtime-ghlh-P6X.js +211 -0
  67. package/dist/archive-Tr0wIUO-.js +532 -0
  68. package/dist/arg-split-Dtda0YDl.js +38 -0
  69. package/dist/artifacts-C_4LekPC.js +39 -0
  70. package/dist/audit-BOPSQQtd.js +54 -0
  71. package/dist/audit-C5kdrCi_.js +788 -0
  72. package/dist/audit-channel.allow-from.runtime-B7BHNblL.js +17 -0
  73. package/dist/audit-channel.collect.runtime-CjAbXFBV.js +521 -0
  74. package/dist/audit-channel.discord.runtime-BBY6S9lg.js +5 -0
  75. package/dist/audit-channel.telegram.runtime-SJnxOJH2.js +8 -0
  76. package/dist/audit-channel.zalouser.runtime-SGRWvHxT.js +5 -0
  77. package/dist/audit-extra.async-DY8v7LXH.js +817 -0
  78. package/dist/audit-fs-oDMUa5N_.js +375 -0
  79. package/dist/audit-membership-runtime-BPjFryEx.js +261 -0
  80. package/dist/audit.deep.runtime-WFf-TpsD.js +31 -0
  81. package/dist/audit.nondeep.runtime-B4BaEaRU.js +842 -0
  82. package/dist/audit.runtime-rFjCrods.js +74 -0
  83. package/dist/auth-O6LQFLHJ.js +416 -0
  84. package/dist/auth-choice-DIBaxmAQ.js +219 -0
  85. package/dist/auth-choice-PrbpIjyg.js +610 -0
  86. package/dist/auth-choice-legacy-Clyw2lVc.js +17 -0
  87. package/dist/auth-choice-options-ohUw8QR-.js +127 -0
  88. package/dist/auth-choice-prompt-Cm0s-9Du.js +215 -0
  89. package/dist/auth-choice-prompt-DI-Xl1Nv.js +36 -0
  90. package/dist/auth-choice-rKBOd02a.js +64 -0
  91. package/dist/auth-choice.apply-helpers-BibBSEl9.js +66 -0
  92. package/dist/auth-choice.plugin-providers.runtime-gqF9NO7_.js +219 -0
  93. package/dist/auth-health-TWboMYA5.js +166 -0
  94. package/dist/auth-mode-policy-DywddkT-.js +18 -0
  95. package/dist/auth-profiles-CWEIQV77.js +1047 -0
  96. package/dist/auth-profiles.runtime-B98lwopF.js +48 -0
  97. package/dist/avatar-policy-Ds9e6uHI.js +67 -0
  98. package/dist/axios-xDDnM0KG.js +12831 -0
  99. package/dist/backup-create-B6JAR6jJ.js +461 -0
  100. package/dist/banner-bez5CpOK.js +351 -0
  101. package/dist/base-session-key-Cf2rkwag.js +14 -0
  102. package/dist/bindings-BV4AtNSY.js +21 -0
  103. package/dist/bindings-kjwuC11Q.js +69 -0
  104. package/dist/bluebubbles-C1M3Geg0.js +87 -0
  105. package/dist/bluebubbles-DRW3JdOY.js +603 -0
  106. package/dist/bluebubbles-dEl4QpYz.js +37 -0
  107. package/dist/bonjour-discovery-C2oY96BG.js +376 -0
  108. package/dist/boolean-DKtCJu_W.js +29 -0
  109. package/dist/boolean-param-xAGXUSSN.js +13 -0
  110. package/dist/boundary-file-read-BP6VMpqH.js +106 -0
  111. package/dist/boundary-path-B3FFLYNx.js +557 -0
  112. package/dist/brave-CkimJe4j.js +405 -0
  113. package/dist/brew-DSwWqzLd.js +44 -0
  114. package/dist/browser-cli-D3kBUBNc.js +1502 -0
  115. package/dist/bundled/boot-md/handler.js +381 -0
  116. package/dist/bundled/bootstrap-extra-files/handler.js +56 -0
  117. package/dist/bundled/command-logger/handler.js +62 -0
  118. package/dist/bundled/session-memory/handler.js +401 -0
  119. package/dist/call-BDvaXe4i.js +44 -0
  120. package/dist/call-BmLt3xO1.js +639 -0
  121. package/dist/catalog-BwAYUfL7.js +240 -0
  122. package/dist/channel-BBCuV5OT.js +4945 -0
  123. package/dist/channel-BDBXuqeg.js +321 -0
  124. package/dist/channel-C8h1Irxm.js +1284 -0
  125. package/dist/channel-CbGpFzo4.js +1602 -0
  126. package/dist/channel-Ci3K8fI9.js +1006 -0
  127. package/dist/channel-DGT5N1v7.js +1077 -0
  128. package/dist/channel-account-context-Bwa-YH_o.js +104 -0
  129. package/dist/channel-actions-DU2CR3xW.js +37 -0
  130. package/dist/channel-activity-B8aReQoE.js +35 -0
  131. package/dist/channel-config-3Uv6ve2_.js +115 -0
  132. package/dist/channel-config-helpers-CieQWILI.js +377 -0
  133. package/dist/channel-config-schema-DEVsCZpj.js +1 -0
  134. package/dist/channel-feedback-G6zh8efr.js +245 -0
  135. package/dist/channel-inbound-DwzVf2PK.js +395 -0
  136. package/dist/channel-lifecycle-CpU1dRbh.js +354 -0
  137. package/dist/channel-options-DJaIP4Dv.js +38 -0
  138. package/dist/channel-pairing-D54mn51y.js +66 -0
  139. package/dist/channel-plugin-common-BhTxCE5t.js +1 -0
  140. package/dist/channel-plugin-ids-CFeS3qir.js +26 -0
  141. package/dist/channel-plugin-resolution-DUngfdFj.js +112 -0
  142. package/dist/channel-policy-C4GKHvhz.js +1 -0
  143. package/dist/channel-reply-pipeline-CPTuaW8n.js +15 -0
  144. package/dist/channel-send-result-By8EpCPw.js +40 -0
  145. package/dist/channel-setup-Ck35g7zI.js +49 -0
  146. package/dist/channel-shared-LkXtTPXk.js +308 -0
  147. package/dist/channel-summary-CdYLGMVt.js +137 -0
  148. package/dist/channel-summary-D33z52ft.js +41 -0
  149. package/dist/channel-targets-DfnKGXez.js +87 -0
  150. package/dist/channel.runtime-DAyBR2A5.js +324 -0
  151. package/dist/channel.runtime-DVq5tC2D.js +35 -0
  152. package/dist/channel.runtime-DaLTDGtF.js +288 -0
  153. package/dist/channel.runtime-FKfTev2g.js +512 -0
  154. package/dist/channel.runtime-owqedh1t.js +268 -0
  155. package/dist/channel.runtime-wOTeiifp.js +230 -0
  156. package/dist/channels-CIHgkPea.js +408 -0
  157. package/dist/channels-ZXK6Jiuk.js +1393 -0
  158. package/dist/channels-cli-Bj6qSlkE.js +412 -0
  159. package/dist/channels-status-issues-C_U44M8Y.js +16 -0
  160. package/dist/chat-type-C-n03mQY.js +10 -0
  161. package/dist/clack-prompter-DuzDnaLi.js +112 -0
  162. package/dist/clawbot-cli-YNPuwmTB.js +218 -0
  163. package/dist/cli/daemon-cli.js +88 -0
  164. package/dist/cli-CW46WAZn.js +254 -0
  165. package/dist/cli-name-Daok7A7-.js +25 -0
  166. package/dist/cli-runtime-aAVwbEYy.js +7 -0
  167. package/dist/cli-utils-Np4NAAtt.js +39 -0
  168. package/dist/command-format-CYK9XiUC.js +16 -0
  169. package/dist/command-format-g8YUHNir.js +2 -0
  170. package/dist/command-gating-BQXGSqc9.js +40 -0
  171. package/dist/command-options-5coRiipK.js +25 -0
  172. package/dist/command-poll-backoff-CpkSns-6.js +56 -0
  173. package/dist/command-poll-backoff.runtime-YT6EGcLN.js +7 -0
  174. package/dist/command-registry-BI2MOs89.js +242 -0
  175. package/dist/command-registry-BMsxnuoC.js +14 -0
  176. package/dist/command-secret-gateway-ChXyZwos.js +211 -0
  177. package/dist/command-secret-targets-COcwhn-D.js +88 -0
  178. package/dist/command-secret-targets-CQJT3viO.js +3 -0
  179. package/dist/commands-Bb9xUwz9.js +42 -0
  180. package/dist/commands-core-C1usZXC2.js +4923 -0
  181. package/dist/commands-core.runtime-OTZivlO2.js +232 -0
  182. package/dist/commands-registry-ChCep1KJ.js +295 -0
  183. package/dist/commands-registry.data-XyUTELK9.js +904 -0
  184. package/dist/commands-registry.runtime-m5WTxFtv.js +25 -0
  185. package/dist/commands-status.runtime-C8_hpNgj.js +211 -0
  186. package/dist/commands.runtime-BZPnQKcW.js +232 -0
  187. package/dist/common-CUBlLRXB.js +457 -0
  188. package/dist/compact.runtime-Djmzpbn6.js +216 -0
  189. package/dist/completion-cli-D8tLgE5W.js +445 -0
  190. package/dist/completion-cli-Dz89naVA.js +17 -0
  191. package/dist/config-6sZwvXJD.js +88 -0
  192. package/dist/config-B7tPwoHZ.js +38 -0
  193. package/dist/config-DdDLrP_v.js +273 -0
  194. package/dist/config-cli-C10R8azD.js +945 -0
  195. package/dist/config-guard-B1c73BYQ.js +126 -0
  196. package/dist/config-helpers-3u5wfLBu.js +117 -0
  197. package/dist/config-pn7LKJdW.js +23 -0
  198. package/dist/config-presence-BmUF_5K9.js +79 -0
  199. package/dist/config-regex-CvZFnWkO.js +39 -0
  200. package/dist/config-runtime-CstET7fq.js +142 -0
  201. package/dist/config-schema-5YkIW1xw.js +270 -0
  202. package/dist/config-schema-B1UGMwZ8.js +31 -0
  203. package/dist/config-schema-DzlnsY3D.js +33 -0
  204. package/dist/config-state-CE0CGjey.js +288 -0
  205. package/dist/config-validation-CkVqgkHr.js +272 -0
  206. package/dist/config-value-DgJrpclm.js +25 -0
  207. package/dist/configure-DMkp7Sr4.js +1126 -0
  208. package/dist/configure-DOrQthLy.js +344 -0
  209. package/dist/connection-auth-BSQJeDOU.js +30 -0
  210. package/dist/constants-C_Scc680.js +71 -0
  211. package/dist/control-ui-assets-DjqeIg6A.js +232 -0
  212. package/dist/control-ui-shared-DP000Pxd.js +29 -0
  213. package/dist/conversation-runtime-1O0Aaolb.js +1458 -0
  214. package/dist/core-C7aHA4Aq.js +187 -0
  215. package/dist/core-command-descriptors-DCUYAEZd.js +96 -0
  216. package/dist/credentials-BPwBlm1X.js +265 -0
  217. package/dist/cron-cli-N2Hw_02d.js +579 -0
  218. package/dist/daemon-cli-DgfaF9xx.js +354 -0
  219. package/dist/daemon-install-CbclJo5M.js +134 -0
  220. package/dist/daemon-install-plan.shared-DK6BHlWI.js +222 -0
  221. package/dist/daemon-runtime-CbClrCwc.js +12 -0
  222. package/dist/dangerous-config-flags-BJtLWIk7.js +15 -0
  223. package/dist/dangerous-name-matching-DZa_t0RM.js +44 -0
  224. package/dist/dangerous-tools-yGPDFTHh.js +27 -0
  225. package/dist/date-time-DCAyaBop.js +118 -0
  226. package/dist/dedupe-Cgnk5BbX.js +55 -0
  227. package/dist/defaults-CEdZhIIb.js +6 -0
  228. package/dist/delegate-D4ql5N70.js +43 -0
  229. package/dist/deliver-B004w1Mv.js +212 -0
  230. package/dist/deliver-runtime-IYvc0giI.js +211 -0
  231. package/dist/delivery-queue-B19wDCjT.js +3 -0
  232. package/dist/delivery-queue-DrrqB4Hi.js +299 -0
  233. package/dist/device-auth-GEXe9vqR.js +15 -0
  234. package/dist/device-bootstrap-CwwokLEY.js +96 -0
  235. package/dist/device-bootstrap-Dbhe6oe8.js +1 -0
  236. package/dist/device-metadata-normalization-BDSQ_eA7.js +21 -0
  237. package/dist/device-pairing-cFWbBray.js +553 -0
  238. package/dist/devices-cli-DzycjFzS.js +366 -0
  239. package/dist/diagnostic-DqJXx_4Q.js +310 -0
  240. package/dist/diagnostic-events-ktCoG8Br.js +48 -0
  241. package/dist/diagnostics-CMhyGsPu.js +33 -0
  242. package/dist/diagnostics-DpLHpQ9c.js +14 -0
  243. package/dist/directive-handling.fast-lane-toP_ri_H.js +273 -0
  244. package/dist/directive-handling.impl-BRARyrsT.js +638 -0
  245. package/dist/directive-handling.impl-CUB4MOnK.js +214 -0
  246. package/dist/directive-handling.levels-8vnMeuGX.js +2 -0
  247. package/dist/directive-handling.levels-CoruY1AA.js +13 -0
  248. package/dist/directive-handling.persist.runtime-78Du6PgL.js +170 -0
  249. package/dist/directive-handling.shared-DCGUCHjn.js +147 -0
  250. package/dist/directory-cli-DVsDcgIU.js +437 -0
  251. package/dist/directory-config-helpers-CURJ8mj7.js +129 -0
  252. package/dist/directory-runtime-DhC8QkMq.js +19 -0
  253. package/dist/directory.static-DQaG9ohH.js +44 -0
  254. package/dist/discord-CYj8s73O.js +214 -0
  255. package/dist/discord-L9zvSHVn.js +635 -0
  256. package/dist/discord-core-5tkl-BzP.js +1 -0
  257. package/dist/dm-policy-shared-6bCJzHOS.js +188 -0
  258. package/dist/dns-cli-BMvHy265.js +223 -0
  259. package/dist/docker-XFNiArwM.js +1254 -0
  260. package/dist/docs-cli-BTaH94wD.js +176 -0
  261. package/dist/doctor-completion-DKx5m2UC.js +90 -0
  262. package/dist/doctor-config-preflight-BzQgc3_t.js +40 -0
  263. package/dist/doctor-config-preflight-DxVCut8L.js +150 -0
  264. package/dist/doctor-state-migrations-CTF66iAy.js +732 -0
  265. package/dist/doctor-state-migrations-D0VP4dUh.js +212 -0
  266. package/dist/entry-status-B2OWAf0s.js +172 -0
  267. package/dist/entry.js +210 -0
  268. package/dist/env-BP70DGuy.js +30 -0
  269. package/dist/env-overrides-JneV60sd.js +434 -0
  270. package/dist/env-overrides.runtime-DLrwions.js +18 -0
  271. package/dist/env-substitution-D6t_sLS_.js +136 -0
  272. package/dist/errors-BxyFnvP3.js +58 -0
  273. package/dist/exec-Dmex2w_d.js +310 -0
  274. package/dist/exec-approvals-BJhuySBz.js +386 -0
  275. package/dist/exec-approvals-allowlist-B_wPddCb.js +384 -0
  276. package/dist/exec-approvals-cli-C2dwhSkX.js +427 -0
  277. package/dist/exec-safe-bin-runtime-policy-BZkObC8r.js +89 -0
  278. package/dist/exec-safety-CaaBy-Zw.js +24 -0
  279. package/dist/extension-shared-5txN7IXK.js +74 -0
  280. package/dist/extensionAPI.js +218 -0
  281. package/dist/extensions/amazon-bedrock/index.js +231 -0
  282. package/dist/extensions/anthropic/index.js +330 -0
  283. package/dist/extensions/bluebubbles/index.js +224 -0
  284. package/dist/extensions/bluebubbles/setup-entry.js +289 -0
  285. package/dist/extensions/brave/index.js +23 -0
  286. package/dist/extensions/byteplus/index.js +112 -0
  287. package/dist/extensions/chutes/index.js +221 -0
  288. package/dist/extensions/cloudflare-ai-gateway/index.js +218 -0
  289. package/dist/extensions/copilot-proxy/index.js +125 -0
  290. package/dist/extensions/device-pair/index.js +1040 -0
  291. package/dist/extensions/discord/index.js +215 -0
  292. package/dist/extensions/discord/setup-entry.js +215 -0
  293. package/dist/extensions/elevenlabs/index.js +223 -0
  294. package/dist/extensions/fal/index.js +112 -0
  295. package/dist/extensions/feishu/index.js +227 -0
  296. package/dist/extensions/feishu/setup-entry.js +112 -0
  297. package/dist/extensions/firecrawl/index.js +211 -0
  298. package/dist/extensions/github-copilot/index.js +490 -0
  299. package/dist/extensions/google/index.js +211 -0
  300. package/dist/extensions/huggingface/index.js +108 -0
  301. package/dist/extensions/imessage/index.js +223 -0
  302. package/dist/extensions/imessage/setup-entry.js +220 -0
  303. package/dist/extensions/irc/index.js +220 -0
  304. package/dist/extensions/irc/setup-entry.js +222 -0
  305. package/dist/extensions/kilocode/index.js +282 -0
  306. package/dist/extensions/kimi-coding/index.js +148 -0
  307. package/dist/extensions/line/index.js +57 -0
  308. package/dist/extensions/line/setup-entry.js +49 -0
  309. package/dist/extensions/llm-task/index.js +157 -0
  310. package/dist/extensions/lobster/index.js +261 -0
  311. package/dist/extensions/mattermost/index.js +220 -0
  312. package/dist/extensions/mattermost/setup-entry.js +222 -0
  313. package/dist/extensions/memory-core/index.js +36 -0
  314. package/dist/extensions/microsoft/index.js +223 -0
  315. package/dist/extensions/minimax/index.js +437 -0
  316. package/dist/extensions/mistral/index.js +149 -0
  317. package/dist/extensions/modelstudio/index.js +144 -0
  318. package/dist/extensions/moonshot/index.js +211 -0
  319. package/dist/extensions/nextcloud-talk/index.js +221 -0
  320. package/dist/extensions/nextcloud-talk/setup-entry.js +223 -0
  321. package/dist/extensions/nvidia/index.js +29 -0
  322. package/dist/extensions/ollama/index.js +118 -0
  323. package/dist/extensions/open-prose/index.js +10 -0
  324. package/dist/extensions/openai/index.js +677 -0
  325. package/dist/extensions/opencode/index.js +116 -0
  326. package/dist/extensions/opencode-go/index.js +114 -0
  327. package/dist/extensions/openrouter/index.js +398 -0
  328. package/dist/extensions/openshell/index.js +923 -0
  329. package/dist/extensions/perplexity/index.js +23 -0
  330. package/dist/extensions/phone-control/index.js +276 -0
  331. package/dist/extensions/qianfan/index.js +114 -0
  332. package/dist/extensions/qwen-portal-auth/index.js +350 -0
  333. package/dist/extensions/sglang/index.js +285 -0
  334. package/dist/extensions/signal/index.js +218 -0
  335. package/dist/extensions/signal/setup-entry.js +218 -0
  336. package/dist/extensions/slack/index.js +222 -0
  337. package/dist/extensions/slack/setup-entry.js +220 -0
  338. package/dist/extensions/synology-chat/index.js +56 -0
  339. package/dist/extensions/synology-chat/setup-entry.js +58 -0
  340. package/dist/extensions/synthetic/index.js +112 -0
  341. package/dist/extensions/talk-voice/index.js +197 -0
  342. package/dist/extensions/tavily/index.js +211 -0
  343. package/dist/extensions/telegram/index.js +221 -0
  344. package/dist/extensions/telegram/setup-entry.js +221 -0
  345. package/dist/extensions/thread-ownership/index.js +70 -0
  346. package/dist/extensions/together/index.js +113 -0
  347. package/dist/extensions/venice/index.js +132 -0
  348. package/dist/extensions/vercel-ai-gateway/index.js +86 -0
  349. package/dist/extensions/vllm/index.js +285 -0
  350. package/dist/extensions/voice-call/index.js +5715 -0
  351. package/dist/extensions/volcengine/index.js +112 -0
  352. package/dist/extensions/xai/index.js +211 -0
  353. package/dist/extensions/xiaomi/index.js +115 -0
  354. package/dist/extensions/zai/index.js +559 -0
  355. package/dist/extensions/zalo/index.js +225 -0
  356. package/dist/extensions/zalo/setup-entry.js +226 -0
  357. package/dist/external-content-BUdUOqkv.js +238 -0
  358. package/dist/feishu-CgbwAF0e.js +2664 -0
  359. package/dist/feishu-Dh5fEbh5.js +59127 -0
  360. package/dist/fetch-guard-DIyN1HW5.js +165 -0
  361. package/dist/fetch-timeout-C5xpMuGd.js +36 -0
  362. package/dist/file-identity-Cw0fQxYY.js +11 -0
  363. package/dist/file-lock-WbEmczmY.js +107 -0
  364. package/dist/filter-oMGaNOM1.js +20 -0
  365. package/dist/format-DH8ysi7s.js +19 -0
  366. package/dist/format-datetime-BGS6tLDE.js +73 -0
  367. package/dist/format-duration-CO0BGWB0.js +57 -0
  368. package/dist/format-relative-C3nDxnXz.js +54 -0
  369. package/dist/frontmatter-S5vS-I4a.js +309 -0
  370. package/dist/fs-safe-D3qzH-ab.js +731 -0
  371. package/dist/gateway-cli-PQNp7o0j.js +28378 -0
  372. package/dist/gateway-install-token-DV5KjD4F.js +164 -0
  373. package/dist/gateway-rpc-C0Ey-rik.js +26 -0
  374. package/dist/gateway-runtime-ih2e7a2K.js +42 -0
  375. package/dist/gaxios-fetch-compat-KX6bsqFm.js +165 -0
  376. package/dist/gemini-auth-B5ljg7jr.js +29 -0
  377. package/dist/git-commit-BIdLubm5.js +2 -0
  378. package/dist/git-commit-OvUvjri2.js +177 -0
  379. package/dist/github-copilot-auth-Ccm-cBwy.js +104 -0
  380. package/dist/global-singleton-4KwY5RvX.js +13 -0
  381. package/dist/globals-41sdSaKv.js +38 -0
  382. package/dist/gmail-setup-utils-BX68dZla.js +419 -0
  383. package/dist/group-access-DJZrYPx1.js +113 -0
  384. package/dist/group-keys-BD_IYSMs.js +44 -0
  385. package/dist/group-policy-CWFxv3iB.js +201 -0
  386. package/dist/group-policy-warnings-Ddu6lBkh.js +175 -0
  387. package/dist/health-Bu1sbyYy.js +573 -0
  388. package/dist/health-Cbxc9Bn3.js +59 -0
  389. package/dist/health-format-B5XfOTuJ.js +26 -0
  390. package/dist/heartbeat-7aHh0m3d.js +169 -0
  391. package/dist/heartbeat-summary-Das49TYq.js +57 -0
  392. package/dist/help-CcbF7-ha.js +81 -0
  393. package/dist/help-format-Dv45FpYu.js +15 -0
  394. package/dist/helpers-DJ-5HEbE.js +24 -0
  395. package/dist/helpers-MxyaLZUk.js +32 -0
  396. package/dist/history-CHjo8B5W.js +102 -0
  397. package/dist/hook-runtime-BnNBi_q4.js +1 -0
  398. package/dist/hooks-cli-DUYK4RM1.js +1102 -0
  399. package/dist/hooks-policy-BL6HDLUn.js +20 -0
  400. package/dist/hooks-status-gzNmo3li.js +78 -0
  401. package/dist/host-env-security-BogNN146.js +223 -0
  402. package/dist/http-body-CCiSfloA.js +237 -0
  403. package/dist/http-registry-WFFbLYRd.js +153 -0
  404. package/dist/identity-DovQV4zD.js +112 -0
  405. package/dist/identity-cyBYcoXS.js +84 -0
  406. package/dist/identity-file-EndG1nfc.js +60 -0
  407. package/dist/image-generation-CNKc-mFK.js +441 -0
  408. package/dist/image-kJ7Tbov4.js +211 -0
  409. package/dist/image-ops-j01UkxEv.js +371 -0
  410. package/dist/imessage-B5pSMT47.js +219 -0
  411. package/dist/imessage-CoIuY1Ro.js +1451 -0
  412. package/dist/imessage-Cqjsq4VW.js +190 -0
  413. package/dist/imessage-core-CsYJuaRZ.js +1 -0
  414. package/dist/inbound-envelope-4P3IIJc3.js +61 -0
  415. package/dist/inbound-reply-dispatch-i2Vekqyy.js +72 -0
  416. package/dist/includes-7XyL3p1c.js +188 -0
  417. package/dist/includes-scan-y-rS6tTw.js +55 -0
  418. package/dist/index.js +57 -0
  419. package/dist/infra/warning-filter.js +2 -0
  420. package/dist/inspect-CcxlJ1ba.js +279 -0
  421. package/dist/install-safe-path-Rwbw1XCZ.js +62 -0
  422. package/dist/installs-iHi2aSjM.js +532 -0
  423. package/dist/interactive-F7iY0yED.js +8 -0
  424. package/dist/interactive-runtime-OweOj_Vv.js +90 -0
  425. package/dist/internal-hooks-0uipqzRY.js +156 -0
  426. package/dist/io-BX49DsSJ.js +35 -0
  427. package/dist/io-jOnQRia2.js +7178 -0
  428. package/dist/ip-C8vmzVu0.js +203 -0
  429. package/dist/ipv4-DAmsJVOV.js +82 -0
  430. package/dist/irc-AZ-Ec8be.js +12 -0
  431. package/dist/irc-CCSRuEC2.js +660 -0
  432. package/dist/is-main-YViS6wOn.js +27 -0
  433. package/dist/issue-format-CBEXVico.js +31 -0
  434. package/dist/issue-format-D3HehoKZ.js +4 -0
  435. package/dist/json-file-C2zjA0Gv.js +23 -0
  436. package/dist/json-files-WW-H_psG.js +60 -0
  437. package/dist/json-pointer-f9dEnBoR.js +43 -0
  438. package/dist/json-store-O1LwpnBH.js +37 -0
  439. package/dist/kb-cli-DMZs6PCu.js +65 -0
  440. package/dist/keyed-async-queue-CPUWV5Pm.js +32 -0
  441. package/dist/kill-tree-CbjXBw3z.js +149 -0
  442. package/dist/kilocode-shared-DS7_0IMs.js +29 -0
  443. package/dist/launchd-tyqGVx9U.js +491 -0
  444. package/dist/lazy-runtime-BcXbyAaC.js +1 -0
  445. package/dist/lazy-runtime-bWkd2cs3.js +29 -0
  446. package/dist/legacy-names-CUNZ4vHN.js +7 -0
  447. package/dist/legacy-web-search-BgZjNG2h.js +222 -0
  448. package/dist/lib-CERS7N4b.js +503 -0
  449. package/dist/lib-PPICrHv1.js +1938 -0
  450. package/dist/library-CZ461krl.js +211 -0
  451. package/dist/lifecycle-core-Dnxnw0oy.js +382 -0
  452. package/dist/line/accounts.js +10 -0
  453. package/dist/line/send.js +39 -0
  454. package/dist/line/template-messages.js +2 -0
  455. package/dist/line-CJSvwApm.js +1 -0
  456. package/dist/line-N9vL-2JB.js +688 -0
  457. package/dist/line-core-BOIxkjgu.js +1 -0
  458. package/dist/links-Bilm-v0z.js +13 -0
  459. package/dist/llm-slug-generator-BuAuQ5Ft.js +68 -0
  460. package/dist/llm-slug-generator.js +212 -0
  461. package/dist/llm-task-Dx8ymRFr.js +1 -0
  462. package/dist/local-roots-DAzCjWbC.js +34 -0
  463. package/dist/location-DefAH9WS.js +42 -0
  464. package/dist/logger-CoEtkjhn.js +550 -0
  465. package/dist/logger-Cqy7-Maj.js +70 -0
  466. package/dist/logging-B2wMcpWV.js +13 -0
  467. package/dist/logging-Bz1qZDPg.js +16 -0
  468. package/dist/logging-CArEWRgI.js +36 -0
  469. package/dist/logging-CbTTfADU.js +1 -0
  470. package/dist/logs-cli-BSjKwaur.js +261 -0
  471. package/dist/magic-string.es-DJPWMt-n.js +1011 -0
  472. package/dist/main-session-DKr0lBVk.js +36 -0
  473. package/dist/manager-ChTGDe87.js +2005 -0
  474. package/dist/manager-DuwFn87U.js +4226 -0
  475. package/dist/manager-runtime-E16jsvRe.js +59 -0
  476. package/dist/manager.runtime-F9F1eFiB.js +827 -0
  477. package/dist/manifest-registry-B90TyTWl.js +1350 -0
  478. package/dist/map-size-CMTQVKUV.js +15 -0
  479. package/dist/markdown-to-line-BWwaRx5F.js +640 -0
  480. package/dist/mask-api-key-CprzEe7l.js +10 -0
  481. package/dist/matrix-DzvdUw97.js +228 -0
  482. package/dist/matrix-migration-snapshot-adoDbNii.js +702 -0
  483. package/dist/mattermost-DO0BCfF3.js +1 -0
  484. package/dist/mattermost-SjOt4QDb.js +15 -0
  485. package/dist/mcp-cli-BC_VPl_o.js +94 -0
  486. package/dist/mcp-config-Coky4zS4.js +108 -0
  487. package/dist/media-limits-Cuvmmhop.js +14 -0
  488. package/dist/media-understanding-DD2uMjK8.js +48 -0
  489. package/dist/media-understanding.runtime-Kbb2bRmk.js +216 -0
  490. package/dist/memory-DBjQ0TPd.js +1 -0
  491. package/dist/memory-cli-Cm4Df0hJ.js +215 -0
  492. package/dist/memory-cli-yzqneSF8.js +541 -0
  493. package/dist/memory-search-Das1tiuB.js +204 -0
  494. package/dist/memory-search-DxmSTjHq.js +18 -0
  495. package/dist/mention-gating-B_q-EHFx.js +25 -0
  496. package/dist/mentions-Bxys_va0.js +154 -0
  497. package/dist/message-channel-Cy-gN4K2.js +106 -0
  498. package/dist/message-hook-mappers-BBTV3JRQ.js +249 -0
  499. package/dist/method-scopes-DgypDW23.js +2649 -0
  500. package/dist/mime-C4vVTBso.js +150 -0
  501. package/dist/minimal-C5yUxtHy.js +2120 -0
  502. package/dist/model-auth-B__TJTPw.js +309 -0
  503. package/dist/model-auth-env-CF9ts7Th.js +111 -0
  504. package/dist/model-catalog.runtime-CWh17vcc.js +211 -0
  505. package/dist/model-id-normalization-Y-MIsyK_.js +16 -0
  506. package/dist/model-input-BB2wSAHb.js +20 -0
  507. package/dist/model-overrides-sIzKU2wo.js +84 -0
  508. package/dist/model-param-b-DIFEhICm.js +15 -0
  509. package/dist/model-picker-CAPjetT3.js +400 -0
  510. package/dist/model-picker-DEw9viWc.js +215 -0
  511. package/dist/model-picker.runtime-ixYl7lB5.js +224 -0
  512. package/dist/model-selection-BTpJnslv.js +437 -0
  513. package/dist/model-selection-Ci9cPkL2.js +765 -0
  514. package/dist/model-suppression.runtime-D8cIb6Y5.js +216 -0
  515. package/dist/models-BQtc3khN.js +226 -0
  516. package/dist/models-CQgBV5dW.js +2536 -0
  517. package/dist/models-cli-DbQ-QpQk.js +418 -0
  518. package/dist/models-config-D2xK-G6c.js +211 -0
  519. package/dist/models-config.providers.discovery-BaIk1NKL.js +141 -0
  520. package/dist/models-config.runtime-Cf7q9uAQ.js +211 -0
  521. package/dist/monitor-B5QmKaD7.js +3272 -0
  522. package/dist/monitor-CL5OYLih.js +878 -0
  523. package/dist/monitor-CNZxrM4d.js +3145 -0
  524. package/dist/monitor-CyQVZdDh.js +223 -0
  525. package/dist/multimodal-DC43jYNv.js +75 -0
  526. package/dist/mutable-allowlist-detectors-C6EAzWYE.js +62 -0
  527. package/dist/net-DlJFp95v.js +270 -0
  528. package/dist/network-mode-DOgvmom4.js +17 -0
  529. package/dist/nextcloud-talk-ChMP88s-.js +12 -0
  530. package/dist/nextcloud-talk-CwnkUy8E.js +1 -0
  531. package/dist/node-cli-BZDC7rXg.js +2484 -0
  532. package/dist/node-command-policy-Bg2g6Xjp.js +192 -0
  533. package/dist/node-commands-B6W6Eo0b.js +11 -0
  534. package/dist/node-require-BgDD9bTi.js +14 -0
  535. package/dist/node-resolve-BunMro3f.js +69 -0
  536. package/dist/node-service-CEZZaqba.js +65 -0
  537. package/dist/node-startup-env-Gz8ZQniA.js +50 -0
  538. package/dist/nodes-cli-B4Jr9vct.js +1330 -0
  539. package/dist/nodes-screen-CQ7IvP62.js +401 -0
  540. package/dist/normalize-secret-input-_PgpexOG.js +32 -0
  541. package/dist/note-dfjacCV8.js +109 -0
  542. package/dist/npm-pack-install-CYNRv-vM.js +574 -0
  543. package/dist/npm-resolution-Ml2aA6Nu.js +60 -0
  544. package/dist/oauth.runtime-DA_48MPQ.js +687 -0
  545. package/dist/oauth.runtime-DS1ry5__.js +318 -0
  546. package/dist/oauth.runtime-qCkidk8J.js +180 -0
  547. package/dist/ollama-defaults-asNuGW4_.js +4 -0
  548. package/dist/onboard-BM6gO6Uw.js +589 -0
  549. package/dist/onboard-D9IU-7uw.js +48 -0
  550. package/dist/onboard-DQaHGPRm.js +25 -0
  551. package/dist/onboard-channels-BdQtLjYb.js +300 -0
  552. package/dist/onboard-channels-DIVUygs5.js +1257 -0
  553. package/dist/onboard-config-DFKb-0sE.js +29 -0
  554. package/dist/onboard-config-DYykzJhx.js +2 -0
  555. package/dist/onboard-custom-CDP4w1AT.js +216 -0
  556. package/dist/onboard-custom-DhJN13UV.js +644 -0
  557. package/dist/onboard-helpers-B7XTd4Pw.js +335 -0
  558. package/dist/onboard-helpers-BUKtx5Bq.js +54 -0
  559. package/dist/onboard-hooks-BHSSLAhI.js +73 -0
  560. package/dist/onboard-remote-BOzEPdHA.js +59 -0
  561. package/dist/onboard-remote-DVza19_k.js +182 -0
  562. package/dist/onboard-search-CrS-n9_3.js +446 -0
  563. package/dist/onboard-skills-BojzIPvk.js +133 -0
  564. package/dist/onboard-skills-D7HyCVjz.js +69 -0
  565. package/dist/openai-codex-provider.runtime-BFsopDHI.js +2 -0
  566. package/dist/openai-defaults-B7FUywsh.js +10 -0
  567. package/dist/openclaw-exec-env-AcZ9we1N.js +14 -0
  568. package/dist/openclaw-root-TUHYdr9B.js +88 -0
  569. package/dist/openclaw-tools.runtime-draZJo5r.js +211 -0
  570. package/dist/outbound-media-69yrWRDt.js +11 -0
  571. package/dist/outbound-runtime-ic_7ulJJ.js +1 -0
  572. package/dist/pairing-challenge-CNrPmmi9.js +48 -0
  573. package/dist/pairing-cli-BohXW2BK.js +150 -0
  574. package/dist/pairing-labels-CNKCSmBK.js +7 -0
  575. package/dist/pairing-message-CBv2njJT.js +4 -0
  576. package/dist/pairing-store-C4lsd4pO.js +590 -0
  577. package/dist/pairing-token-gKj4SNFJ.js +55 -0
  578. package/dist/parse-duration-BBGYkY0S.js +41 -0
  579. package/dist/parse-finite-number-CP4MQF_w.js +30 -0
  580. package/dist/parse-log-line-CVh9zu3Q.js +43 -0
  581. package/dist/parse-port-COyt3COn.js +8 -0
  582. package/dist/path-alias-guards-ZTKqurNH.js +40 -0
  583. package/dist/path-env-CPkz6U0Y.js +87 -0
  584. package/dist/paths-CTjJI9l0.js +179 -0
  585. package/dist/paths-GHJ97ebE.js +268 -0
  586. package/dist/paths-nCHyK08H.js +56 -0
  587. package/dist/perplexity-Beshd9zu.js +422 -0
  588. package/dist/persistent-dedupe-bjKjVI5u.js +116 -0
  589. package/dist/pi-embedded-CSQySvOV.js +168518 -0
  590. package/dist/pi-model-discovery-CuX5CDyZ.js +125 -0
  591. package/dist/pi-model-discovery-runtime-DNsMrX1n.js +44 -0
  592. package/dist/pi-tools.before-tool-call.runtime-DxVqzMVf.js +387 -0
  593. package/dist/platform-launcher-CqGy6UhP.js +83 -0
  594. package/dist/plugin-entry-CwuwM1jC.js +17 -0
  595. package/dist/plugin-install-JJwfOXtg.js +216 -0
  596. package/dist/plugin-install-plan-cixz1_W4.js +49 -0
  597. package/dist/plugin-install-vkpI1UNd.js +184 -0
  598. package/dist/plugin-registry-C3j_DUnj.js +51 -0
  599. package/dist/plugin-registry-DB_yxabS.js +213 -0
  600. package/dist/plugin-sdk/account-helpers.js +3 -0
  601. package/dist/plugin-sdk/account-id.js +2 -0
  602. package/dist/plugin-sdk/account-resolution.js +216 -0
  603. package/dist/plugin-sdk/acp-runtime.js +46 -0
  604. package/dist/plugin-sdk/agent-runtime.js +215 -0
  605. package/dist/plugin-sdk/allow-from.js +17 -0
  606. package/dist/plugin-sdk/allowlist-config-edit.js +2 -0
  607. package/dist/plugin-sdk/bluebubbles.js +232 -0
  608. package/dist/plugin-sdk/boolean-param.js +2 -0
  609. package/dist/plugin-sdk/channel-actions.js +16 -0
  610. package/dist/plugin-sdk/channel-config-helpers.js +15 -0
  611. package/dist/plugin-sdk/channel-config-schema.js +5 -0
  612. package/dist/plugin-sdk/channel-contract.js +1 -0
  613. package/dist/plugin-sdk/channel-feedback.js +4 -0
  614. package/dist/plugin-sdk/channel-inbound.js +53 -0
  615. package/dist/plugin-sdk/channel-lifecycle.js +2 -0
  616. package/dist/plugin-sdk/channel-pairing.js +2 -0
  617. package/dist/plugin-sdk/channel-policy.js +19 -0
  618. package/dist/plugin-sdk/channel-reply-pipeline.js +23 -0
  619. package/dist/plugin-sdk/channel-runtime.js +33 -0
  620. package/dist/plugin-sdk/channel-send-result.js +2 -0
  621. package/dist/plugin-sdk/channel-setup.js +24 -0
  622. package/dist/plugin-sdk/channel-targets.js +3 -0
  623. package/dist/plugin-sdk/cli-runtime.js +5 -0
  624. package/dist/plugin-sdk/command-auth.js +212 -0
  625. package/dist/plugin-sdk/compat.js +59 -0
  626. package/dist/plugin-sdk/config-runtime.js +51 -0
  627. package/dist/plugin-sdk/conversation-runtime.js +55 -0
  628. package/dist/plugin-sdk/core.js +40 -0
  629. package/dist/plugin-sdk/device-bootstrap.js +6 -0
  630. package/dist/plugin-sdk/diagnostics-otel.js +7 -0
  631. package/dist/plugin-sdk/diffs.js +3 -0
  632. package/dist/plugin-sdk/directory-runtime.js +5 -0
  633. package/dist/plugin-sdk/discord-core.js +26 -0
  634. package/dist/plugin-sdk/discord.js +219 -0
  635. package/dist/plugin-sdk/extension-shared.js +15 -0
  636. package/dist/plugin-sdk/feishu.js +101 -0
  637. package/dist/plugin-sdk/gateway-runtime.js +46 -0
  638. package/dist/plugin-sdk/googlechat.js +93 -0
  639. package/dist/plugin-sdk/group-access.js +2 -0
  640. package/dist/plugin-sdk/hook-runtime.js +12 -0
  641. package/dist/plugin-sdk/image-generation.js +51 -0
  642. package/dist/plugin-sdk/imessage-core.js +214 -0
  643. package/dist/plugin-sdk/imessage.js +223 -0
  644. package/dist/plugin-sdk/index.js +55 -0
  645. package/dist/plugin-sdk/infra-runtime.js +223 -0
  646. package/dist/plugin-sdk/interactive-runtime.js +3 -0
  647. package/dist/plugin-sdk/irc.js +232 -0
  648. package/dist/plugin-sdk/json-store.js +9 -0
  649. package/dist/plugin-sdk/keyed-async-queue.js +2 -0
  650. package/dist/plugin-sdk/lazy-runtime.js +2 -0
  651. package/dist/plugin-sdk/line-core.js +29 -0
  652. package/dist/plugin-sdk/line.js +22 -0
  653. package/dist/plugin-sdk/llm-task.js +7 -0
  654. package/dist/plugin-sdk/matrix-runtime-heavy.js +223 -0
  655. package/dist/plugin-sdk/matrix-runtime-shared.js +2 -0
  656. package/dist/plugin-sdk/matrix.js +84 -0
  657. package/dist/plugin-sdk/mattermost.js +233 -0
  658. package/dist/plugin-sdk/media-runtime.js +212 -0
  659. package/dist/plugin-sdk/media-understanding-runtime.js +211 -0
  660. package/dist/plugin-sdk/media-understanding.js +15 -0
  661. package/dist/plugin-sdk/memory-core.js +2 -0
  662. package/dist/plugin-sdk/memory-lancedb.js +2 -0
  663. package/dist/plugin-sdk/msteams.js +244 -0
  664. package/dist/plugin-sdk/nextcloud-talk.js +231 -0
  665. package/dist/plugin-sdk/nostr.js +50 -0
  666. package/dist/plugin-sdk/ollama-setup.js +33 -0
  667. package/dist/plugin-sdk/outbound-runtime.js +23 -0
  668. package/dist/plugin-sdk/plugin-entry.js +3 -0
  669. package/dist/plugin-sdk/plugin-runtime.js +211 -0
  670. package/dist/plugin-sdk/process-runtime.js +12 -0
  671. package/dist/plugin-sdk/provider-auth-api-key.js +53 -0
  672. package/dist/plugin-sdk/provider-auth-login.js +2 -0
  673. package/dist/plugin-sdk/provider-auth.js +37 -0
  674. package/dist/plugin-sdk/provider-catalog.js +2 -0
  675. package/dist/plugin-sdk/provider-env-vars.js +2 -0
  676. package/dist/plugin-sdk/provider-google.js +3 -0
  677. package/dist/plugin-sdk/provider-models.js +27 -0
  678. package/dist/plugin-sdk/provider-onboard.js +20 -0
  679. package/dist/plugin-sdk/provider-setup.js +58 -0
  680. package/dist/plugin-sdk/provider-stream.js +211 -0
  681. package/dist/plugin-sdk/provider-usage.js +18 -0
  682. package/dist/plugin-sdk/provider-web-search.js +23 -0
  683. package/dist/plugin-sdk/provider-zai-endpoint.js +3 -0
  684. package/dist/plugin-sdk/reply-history.js +23 -0
  685. package/dist/plugin-sdk/reply-payload.js +2 -0
  686. package/dist/plugin-sdk/reply-runtime.js +211 -0
  687. package/dist/plugin-sdk/request-url.js +2 -0
  688. package/dist/plugin-sdk/routing.js +25 -0
  689. package/dist/plugin-sdk/runtime-env.js +15 -0
  690. package/dist/plugin-sdk/runtime-store.js +2 -0
  691. package/dist/plugin-sdk/runtime.js +15 -0
  692. package/dist/plugin-sdk/sandbox.js +66 -0
  693. package/dist/plugin-sdk/secret-input.js +3 -0
  694. package/dist/plugin-sdk/security-runtime.js +18 -0
  695. package/dist/plugin-sdk/self-hosted-provider-setup.js +33 -0
  696. package/dist/plugin-sdk/setup-adapter-runtime.js +2 -0
  697. package/dist/plugin-sdk/setup-runtime.js +17 -0
  698. package/dist/plugin-sdk/setup-tools.js +21 -0
  699. package/dist/plugin-sdk/setup.js +26 -0
  700. package/dist/plugin-sdk/signal.js +220 -0
  701. package/dist/plugin-sdk/slack-core.js +22 -0
  702. package/dist/plugin-sdk/slack.js +223 -0
  703. package/dist/plugin-sdk/speech-runtime.js +213 -0
  704. package/dist/plugin-sdk/speech.js +212 -0
  705. package/dist/plugin-sdk/ssrf-runtime.js +5 -0
  706. package/dist/plugin-sdk/state-paths.js +3 -0
  707. package/dist/plugin-sdk/status-helpers.js +9 -0
  708. package/dist/plugin-sdk/telegram-core.js +23 -0
  709. package/dist/plugin-sdk/telegram.js +224 -0
  710. package/dist/plugin-sdk/testing.js +13174 -0
  711. package/dist/plugin-sdk/text-runtime.js +45 -0
  712. package/dist/plugin-sdk/thread-bindings-runtime.js +2 -0
  713. package/dist/plugin-sdk/thread-ownership.js +2 -0
  714. package/dist/plugin-sdk/tlon.js +57 -0
  715. package/dist/plugin-sdk/tool-send.js +2 -0
  716. package/dist/plugin-sdk/twitch.js +46 -0
  717. package/dist/plugin-sdk/voice-call.js +213 -0
  718. package/dist/plugin-sdk/web-media.js +28 -0
  719. package/dist/plugin-sdk/webhook-ingress.js +7 -0
  720. package/dist/plugin-sdk/webhook-path.js +2 -0
  721. package/dist/plugin-sdk/whatsapp-core.js +219 -0
  722. package/dist/plugin-sdk/whatsapp-shared.js +18 -0
  723. package/dist/plugin-sdk/windows-spawn.js +2 -0
  724. package/dist/plugin-sdk/zalo.js +239 -0
  725. package/dist/plugin-sdk/zalouser.js +240 -0
  726. package/dist/plugins/build-smoke-entry.js +211 -0
  727. package/dist/plugins/runtime/index.js +229 -0
  728. package/dist/plugins-1Z50ecJ6.js +1 -0
  729. package/dist/plugins-C6fKmNuA.js +7 -0
  730. package/dist/plugins-cli-BkgQkGaU.js +1192 -0
  731. package/dist/policy-CpkbSAfm.js +60 -0
  732. package/dist/polls-B2VH7SN9.js +35 -0
  733. package/dist/ports-BjWuIIQw.js +262 -0
  734. package/dist/ports-DFiK_Jc-.js +385 -0
  735. package/dist/ports-lsof-DtJqhFOr.js +25 -0
  736. package/dist/ports-probe-BQqp8l8E.js +14 -0
  737. package/dist/preflight-audio.runtime-Fi9mofpp.js +216 -0
  738. package/dist/probe-BM9sbCgS.js +20 -0
  739. package/dist/probe-DLBOZftS.js +134 -0
  740. package/dist/probe-auth-Bjp3G4CI.js +48 -0
  741. package/dist/probe-auth-DMSPTRRk.js +45 -0
  742. package/dist/process-runtime-C7el-Ri4.js +1 -0
  743. package/dist/process-scoped-map-C4gOa-gv.js +61 -0
  744. package/dist/profile-utils-BcMYGFPT.js +15 -0
  745. package/dist/profiles-D17eMKQZ.js +683 -0
  746. package/dist/program-Ch-76sgl.js +155 -0
  747. package/dist/program-context-BMWNUfqL.js +10 -0
  748. package/dist/program-context-CD_RvRYh.js +2 -0
  749. package/dist/progress-D1r9bZU1.js +132 -0
  750. package/dist/prompt-select-styled-NUKYS9QR.js +4879 -0
  751. package/dist/prompt-style-BvciNCqy.js +7 -0
  752. package/dist/prompts-NtuylUyl.js +9 -0
  753. package/dist/prototype-keys-Cm_8mWvq.js +11 -0
  754. package/dist/provider-api-key-auth-BE0taXiB.js +108 -0
  755. package/dist/provider-api-key-auth.runtime-jDZZUAMX.js +34 -0
  756. package/dist/provider-auth-Bw8x1a3o.js +58 -0
  757. package/dist/provider-auth-api-key-BrQYvdxi.js +1 -0
  758. package/dist/provider-auth-choice-BYbPq0eC.js +128 -0
  759. package/dist/provider-auth-choice-helpers-Bj1GkOSn.js +48 -0
  760. package/dist/provider-auth-choice-preference-tKq5gaJL.js +192 -0
  761. package/dist/provider-auth-choice.runtime-DegPpvRJ.js +223 -0
  762. package/dist/provider-auth-choices-QSilukI1.js +58 -0
  763. package/dist/provider-auth-guidance-gninjjq8.js +34 -0
  764. package/dist/provider-auth-helpers-B0dS-1WK.js +86 -0
  765. package/dist/provider-auth-input-BftBdgvW.js +112 -0
  766. package/dist/provider-auth-login-D0n0lMuc.js +8 -0
  767. package/dist/provider-auth-login.runtime-LvuBkQrc.js +243 -0
  768. package/dist/provider-auth-mode-sTdccIKL.js +20 -0
  769. package/dist/provider-auth-ref-BS3gwrNr.js +168 -0
  770. package/dist/provider-auth-ref-BmEcEN7K.js +3 -0
  771. package/dist/provider-catalog--18-pW5t.js +11 -0
  772. package/dist/provider-catalog-2P2hel74.js +48 -0
  773. package/dist/provider-catalog-B0FqWSwe.js +48 -0
  774. package/dist/provider-catalog-BvORKzzD.js +91 -0
  775. package/dist/provider-catalog-C34j1_or.js +26 -0
  776. package/dist/provider-catalog-C5vmXjmb.js +11 -0
  777. package/dist/provider-catalog-CBufm2Dr.js +36 -0
  778. package/dist/provider-catalog-D7QvsUXS.js +12 -0
  779. package/dist/provider-catalog-DKy_dzQZ.js +41 -0
  780. package/dist/provider-env-vars-CsQlY7bF.js +110 -0
  781. package/dist/provider-id-BpXo5t6v.js +31 -0
  782. package/dist/provider-model-allowlist-4HSOnlX-.js +24 -0
  783. package/dist/provider-model-primary-NJ-xlhec.js +53 -0
  784. package/dist/provider-models-C2EjYMwW.js +2416 -0
  785. package/dist/provider-oauth-flow-BQN6F6EC.js +33 -0
  786. package/dist/provider-ollama-setup-DhQvDwAj.js +309 -0
  787. package/dist/provider-onboard-CjOfyeQG.js +1 -0
  788. package/dist/provider-onboarding-config-DOZ3pFA6.js +165 -0
  789. package/dist/provider-openai-codex-oauth-tls-Bo8U4D3E.js +101 -0
  790. package/dist/provider-runtime.runtime-DnP2jpoM.js +211 -0
  791. package/dist/provider-self-hosted-setup-CUrmsugW.js +182 -0
  792. package/dist/provider-usage-ClDVmkhl.js +633 -0
  793. package/dist/provider-usage-DIC6cn-3.js +211 -0
  794. package/dist/provider-web-search-NzK8ep1E.js +507 -0
  795. package/dist/provider-wizard-C6jCuyQe.js +236 -0
  796. package/dist/provider-zai-endpoint-DeDABzT4.js +106 -0
  797. package/dist/proxy-H5O2p6AP.js +121 -0
  798. package/dist/proxy-env-DG2u55RW.js +40 -0
  799. package/dist/push-apns-D4zD2tmP.js +1050 -0
  800. package/dist/pw-ai-BuPUVeUK.js +1876 -0
  801. package/dist/qmd-manager-BpygGMW9.js +1571 -0
  802. package/dist/qr-cli-DnWHXcxh.js +370 -0
  803. package/dist/qr-cli-yaZ0FZ6z.js +213 -0
  804. package/dist/query-expansion-Do45hILP.js +1114 -0
  805. package/dist/reactions-BcC_XZqD.js +281 -0
  806. package/dist/read-only-account-inspect-DPJzadPo.js +42 -0
  807. package/dist/read-only-account-inspect.discord.runtime-CW9DDKH8.js +216 -0
  808. package/dist/read-only-account-inspect.slack.runtime-BcXBPyh3.js +216 -0
  809. package/dist/read-only-account-inspect.telegram.runtime-Y7h0Jbdj.js +216 -0
  810. package/dist/redact-BDinS1q9.js +102 -0
  811. package/dist/redact-identifier-FUiWQxv5.js +13 -0
  812. package/dist/redact-snapshot-DBPmeYy2.js +2654 -0
  813. package/dist/ref-contract-CCBBbf1r.js +53 -0
  814. package/dist/register-CppP7Ddc.js +43 -0
  815. package/dist/register.agent-BOD5ROGQ.js +546 -0
  816. package/dist/register.backup-Y2VGqcRu.js +269 -0
  817. package/dist/register.configure-1qiTINph.js +354 -0
  818. package/dist/register.maintenance-shn-zigv.js +694 -0
  819. package/dist/register.message-mR4CLSoo.js +812 -0
  820. package/dist/register.onboard-CkDryVid.js +298 -0
  821. package/dist/register.setup-B0xW5olD.js +318 -0
  822. package/dist/register.status-health-sessions-CuhWc03j.js +604 -0
  823. package/dist/register.subclis-BazXM5TW.js +315 -0
  824. package/dist/register.subclis-C2d8UDhH.js +13 -0
  825. package/dist/registry-C3q59Qj0.js +55 -0
  826. package/dist/registry-CPsHw6xU.js +219 -0
  827. package/dist/registry-CxgtJ09C.js +28 -0
  828. package/dist/registry-rgYi7KoO.js +160 -0
  829. package/dist/repair-qXnOAvDy.js +105 -0
  830. package/dist/replies-EiwmmZ_W.js +122 -0
  831. package/dist/reply-history-CVCD5oE9.js +1 -0
  832. package/dist/reply-payload-DBGc074f.js +232 -0
  833. package/dist/report-cli-DB1jQx32.js +42 -0
  834. package/dist/request-url-BKfWAQx8.js +10 -0
  835. package/dist/resolve-Ckjd8TAk.js +14 -0
  836. package/dist/resolve-T2q_0ARF.js +619 -0
  837. package/dist/resolve-route-vEY3ONZ2.js +466 -0
  838. package/dist/resolve-utils-CbqJY2bs.js +102 -0
  839. package/dist/response-generator-VdoCcQ3y.js +153 -0
  840. package/dist/restart-stale-pids-CLGiqU2E.js +187 -0
  841. package/dist/retry-D15TD1S3.js +168 -0
  842. package/dist/root-help-B9Aou4ho.js +32 -0
  843. package/dist/routes-TpLEcKO8.js +7084 -0
  844. package/dist/routing-Y3m0o-kB.js +26 -0
  845. package/dist/rpc-C6MN-nVc.js +67 -0
  846. package/dist/run-command-DRKv5Lj6.js +32 -0
  847. package/dist/run-main-YZSMdx0B.js +424 -0
  848. package/dist/run-with-concurrency-BrSjWzpg.js +41 -0
  849. package/dist/runtime-B66W9flm.js +43 -0
  850. package/dist/runtime-C9VaVKYZ.js +2338 -0
  851. package/dist/runtime-CT2LIJZu.js +91 -0
  852. package/dist/runtime-CqDQ81eY.js +143 -0
  853. package/dist/runtime-CuvWMN7E.js +89 -0
  854. package/dist/runtime-D4_OpzA1.js +5 -0
  855. package/dist/runtime-DP-4DZja.js +5 -0
  856. package/dist/runtime-Dl17x_cV.js +1 -0
  857. package/dist/runtime-Z35JoYPC.js +30 -0
  858. package/dist/runtime-api-D79M0lQN.js +1 -0
  859. package/dist/runtime-api-y3zfnQGK.js +39 -0
  860. package/dist/runtime-discord-ops.runtime-Bg5h5v9-.js +234 -0
  861. package/dist/runtime-env-a_iwdJIv.js +1 -0
  862. package/dist/runtime-forwarders-DtMc8rBP.js +44 -0
  863. package/dist/runtime-group-policy-B7irU4eu.js +59 -0
  864. package/dist/runtime-guard-y62lPDGY.js +58 -0
  865. package/dist/runtime-parse-CeqXmZHJ.js +84 -0
  866. package/dist/runtime-paths-CstaCCMi.js +334 -0
  867. package/dist/runtime-slack-ops.runtime-BumgKDhS.js +226 -0
  868. package/dist/runtime-status-CgL02wYX.js +15 -0
  869. package/dist/runtime-store-Bt3Sdbrn.js +22 -0
  870. package/dist/runtime-telegram-ops.runtime-rSLQ3KrE.js +233 -0
  871. package/dist/runtime-whatsapp-boundary-xZem0NyQ.js +364 -0
  872. package/dist/safe-open-sync-Bt9R1Mnf.js +83 -0
  873. package/dist/safe-regex-tLlDZYfM.js +244 -0
  874. package/dist/safe-text-B_CQuica.js +16 -0
  875. package/dist/sandbox-CUUouiKs.js +2795 -0
  876. package/dist/sandbox-cli-BN8y0Get.js +499 -0
  877. package/dist/sandbox-paths-fqp_TZdO.js +144 -0
  878. package/dist/sandbox-qSs4h3sk.js +1 -0
  879. package/dist/sanitize-env-vars-vNSNqm0y.js +74 -0
  880. package/dist/scan-paths-BJmvUZ1E.js +28 -0
  881. package/dist/search-manager-DWhFgwyp.js +17 -0
  882. package/dist/search-manager-r8Cw4ZRv.js +392 -0
  883. package/dist/secret-equal-ObQfyZGa.js +9 -0
  884. package/dist/secret-file-Ch0yuOXR.js +11 -0
  885. package/dist/secret-file-DYJtH6kf.js +92 -0
  886. package/dist/secret-input-4REZ4sHo.js +35 -0
  887. package/dist/secrets-cli-D1df8b0o.js +2304 -0
  888. package/dist/secure-random-Cs8tw_HQ.js +10 -0
  889. package/dist/security-cli-V66ESmdT.js +676 -0
  890. package/dist/security-runtime-BuEhpJVE.js +23 -0
  891. package/dist/send-3tabvle6.js +100 -0
  892. package/dist/send-CC5J3tyW.js +1026 -0
  893. package/dist/send-deps-CrFMNvqO.js +19 -0
  894. package/dist/send-i2-mdtiE.js +250 -0
  895. package/dist/server-BTOjmlyi.js +116 -0
  896. package/dist/server-middleware-CCqKhKUb.js +106 -0
  897. package/dist/server-node-events-D6y22Tt8.js +611 -0
  898. package/dist/server-startup-matrix-migration-DHWSoS73.js +1595 -0
  899. package/dist/service-Bxc9uL2e.js +774 -0
  900. package/dist/service-CBLajPZL.js +21 -0
  901. package/dist/session-cost-usage-BmbaBvk4.js +212 -0
  902. package/dist/session-cost-usage-C30Jl2SI.js +615 -0
  903. package/dist/session-fork.runtime-BZfcC1Nc.js +51 -0
  904. package/dist/session-key-gFFk3uv9.js +216 -0
  905. package/dist/session-write-lock-DNKvpjKf.js +324 -0
  906. package/dist/sessions-BIH_j_XS.js +222 -0
  907. package/dist/sessions-D5dWcxC_.js +212 -0
  908. package/dist/sessions-DaSBVNwD.js +669 -0
  909. package/dist/setup-C2XF1YH3.js +397 -0
  910. package/dist/setup-CN-teRpz.js +8 -0
  911. package/dist/setup-adapter-runtime-Bjv2adwG.js +1 -0
  912. package/dist/setup-binary-BOJA7zdN.js +30 -0
  913. package/dist/setup-browser-BhNPCUtK.js +71 -0
  914. package/dist/setup-core-BsG09DZH.js +149 -0
  915. package/dist/setup-core-D-O1GQax.js +162 -0
  916. package/dist/setup-core-Dtm54Rcq.js +510 -0
  917. package/dist/setup-entry-B1mTa7bU.js +10 -0
  918. package/dist/setup-entry-CTMgw-K5.js +13 -0
  919. package/dist/setup-entry-Cmd_cufO.js +13 -0
  920. package/dist/setup-entry-CybgA3zP.js +12 -0
  921. package/dist/setup-entry-DED_hL6i.js +12 -0
  922. package/dist/setup-entry-WCq9VMWx.js +14 -0
  923. package/dist/setup-group-access-BtPApRvE.js +70 -0
  924. package/dist/setup-helpers-B62Ecg9r.js +362 -0
  925. package/dist/setup-surface-B7A7qowY.js +452 -0
  926. package/dist/setup-surface-BBYJVRXc.js +380 -0
  927. package/dist/setup-surface-CFUz_BJi.js +298 -0
  928. package/dist/setup-tools-BPiMjAN7.js +1 -0
  929. package/dist/setup-wizard-helpers-COZ1UAdX.js +770 -0
  930. package/dist/setup-wizard-proxy-Slwi-1gX.js +116 -0
  931. package/dist/setup.finalize-B8O01nge.js +633 -0
  932. package/dist/setup.gateway-config-BPDIFk__.js +288 -0
  933. package/dist/setup.secret-input-BL-bqJpt.js +25 -0
  934. package/dist/shared-AygSbeCK.js +50 -0
  935. package/dist/shared-BHqDLkMG.js +127 -0
  936. package/dist/shared-BPtG8PgB.js +70 -0
  937. package/dist/shared-BU0QgVMZ.js +36 -0
  938. package/dist/shared-Bzr2UyEm.js +351 -0
  939. package/dist/shared-C_XXbGIF.js +87 -0
  940. package/dist/shared-Diw3KzwZ.js +82 -0
  941. package/dist/shared-DngjQumT.js +196 -0
  942. package/dist/shared-DzH3zmAy.js +64 -0
  943. package/dist/shared-LeP8iUTz.js +54 -0
  944. package/dist/shell-argv-DWV43Vya.js +72 -0
  945. package/dist/shell-env-cD92jEyV.js +181 -0
  946. package/dist/signal-BQd9f9dF.js +315 -0
  947. package/dist/signal-Ca7y47bM.js +46 -0
  948. package/dist/signal-Did9U_fa.js +214 -0
  949. package/dist/signal-cli-install-DxoL8CgF.js +188 -0
  950. package/dist/skill-commands-CiSwTFBQ.js +652 -0
  951. package/dist/skill-commands.runtime-CEwlWT4j.js +34 -0
  952. package/dist/skill-scanner-DG7MT7pu.js +354 -0
  953. package/dist/skills-BC8GJ9Rp.js +22 -0
  954. package/dist/skills-CCgKs_NJ.js +863 -0
  955. package/dist/skills-cli-dhYXJCuL.js +339 -0
  956. package/dist/skills-install-DiriUXJd.js +763 -0
  957. package/dist/skills-status-BmQTn4jL.js +23 -0
  958. package/dist/skills-status-a9b899Y3.js +169 -0
  959. package/dist/slack-CXgv7nu7.js +730 -0
  960. package/dist/slack-CcSByPzI.js +217 -0
  961. package/dist/slack-CtcCh0Lj.js +24537 -0
  962. package/dist/slack-core-DcsbATUs.js +1 -0
  963. package/dist/slash-commands.runtime-kO8EUKYW.js +228 -0
  964. package/dist/slash-dispatch.runtime-Bu2yMeFy.js +238 -0
  965. package/dist/slash-skill-commands.runtime-wwX3tF84.js +216 -0
  966. package/dist/speech-bSreRuDH.js +1 -0
  967. package/dist/speech-runtime-y1FcnGVA.js +1 -0
  968. package/dist/src-CmXHIz5f.js +846 -0
  969. package/dist/ssh-config-ChqR6ijV.js +77 -0
  970. package/dist/ssh-tunnel-Cz51VBAt.js +159 -0
  971. package/dist/ssh-tunnel-DWze2IQS.js +16 -0
  972. package/dist/ssrf-Dk9XaoKN.js +220 -0
  973. package/dist/ssrf-policy-Dk6oMa20.js +69 -0
  974. package/dist/ssrf-runtime-C-mAQLVA.js +1 -0
  975. package/dist/stagger-DU7FjHYo.js +54 -0
  976. package/dist/state-paths-DJIGEFq_.js +1 -0
  977. package/dist/status-69r8-Zey.js +75 -0
  978. package/dist/status-BdLTvZOL.js +44 -0
  979. package/dist/status-Bt7DQmRI.js +1665 -0
  980. package/dist/status-CoUFSBgt.js +202 -0
  981. package/dist/status-DbI3Kbh5.js +235 -0
  982. package/dist/status-DeKlzu_o.js +212 -0
  983. package/dist/status-Haie42Fc.js +606 -0
  984. package/dist/status-helpers-Cda-rGLX.js +101 -0
  985. package/dist/status-json-DS1M_MWJ.js +322 -0
  986. package/dist/status.link-channel-Cb8bZ_Od.js +40 -0
  987. package/dist/status.scan.deps.runtime-7_6VUs50.js +77 -0
  988. package/dist/status.scan.runtime-DtR8BIE9.js +14 -0
  989. package/dist/status.summary-l_Bi1buR.js +600 -0
  990. package/dist/status.summary.runtime-Cng6MzRU.js +151 -0
  991. package/dist/status.update-DtbnnPKx.js +79 -0
  992. package/dist/store-CvL8MPei.js +1446 -0
  993. package/dist/store.runtime-hgnvmZgO.js +43 -0
  994. package/dist/string-normalization-CvzuCAZv.js +19 -0
  995. package/dist/string-sample-BOLqzr4Y.js +11 -0
  996. package/dist/subagent-orphan-recovery-si1z2iBu.js +407 -0
  997. package/dist/subagent-registry-runtime-CXUDI8gL.js +211 -0
  998. package/dist/subcli-descriptors-CY_nHzpZ.js +151 -0
  999. package/dist/subsystem-CUp-6QQf.js +421 -0
  1000. package/dist/synology-chat-CdejNfs0.js +12 -0
  1001. package/dist/system-cli-DkOaXHkQ.js +99 -0
  1002. package/dist/system-events-mAu6Ap6K.js +75 -0
  1003. package/dist/system-message-DA9eUYzB.js +16 -0
  1004. package/dist/system-run-command-Cxq2F1MB.js +258 -0
  1005. package/dist/systemd-CrxZBFae.js +557 -0
  1006. package/dist/systemd-hints-y-zJ9aTm.js +315 -0
  1007. package/dist/systemd-linger-BdklDcLg.js +16 -0
  1008. package/dist/systemd-linger-DLrbG9_d.js +68 -0
  1009. package/dist/table-DFMOhmNZ.js +305 -0
  1010. package/dist/tailnet-ofqBrXzu.js +38 -0
  1011. package/dist/tailscale-Cbsx-2HB.js +254 -0
  1012. package/dist/target-errors-ksphhzJg.js +26 -0
  1013. package/dist/target-registry-krAVlXi_.js +1321 -0
  1014. package/dist/telegram/audit.js +2 -0
  1015. package/dist/telegram/token.js +211 -0
  1016. package/dist/telegram-BjDUP22F.js +10910 -0
  1017. package/dist/telegram-DMiNSGAJ.js +575 -0
  1018. package/dist/telegram-Dt11B3JL.js +218 -0
  1019. package/dist/telegram-core-B4Jo-uko.js +1 -0
  1020. package/dist/template-messages-kh7VfgOb.js +214 -0
  1021. package/dist/text-chunking-CUf5WgqG.js +19 -0
  1022. package/dist/text-format-sFXlJfHH.js +8 -0
  1023. package/dist/text-runtime-C_Roi_Je.js +1418 -0
  1024. package/dist/theme-B5HDbQfl.js +2 -0
  1025. package/dist/theme-CdOoMzRk.js +34 -0
  1026. package/dist/thinking-BBD_0HSp.js +68 -0
  1027. package/dist/thinking.shared-CncvRHts.js +246 -0
  1028. package/dist/thread-bindings-messages-Cdo8jSa9.js +229 -0
  1029. package/dist/thread-bindings-policy-DMjOaNyR.js +119 -0
  1030. package/dist/thread-bindings-runtime-Ckwk3Uuz.js +1 -0
  1031. package/dist/threading-helpers-Cq55SUtb.js +14 -0
  1032. package/dist/timeouts-BwR1sGom.js +72 -0
  1033. package/dist/tmp-openclaw-dir-idKIOMmb.js +102 -0
  1034. package/dist/token-Bgv8XEsC.js +50 -0
  1035. package/dist/tool-catalog-BV6FcEWS.js +337 -0
  1036. package/dist/tool-policy-match-CHqTCSdK.js +46 -0
  1037. package/dist/tool-send-9LXKcrda.js +16 -0
  1038. package/dist/topology-cli-BhUXVViF.js +43 -0
  1039. package/dist/transcript-events-B1V6z5ct.js +29 -0
  1040. package/dist/tui-DDJMGCFK.js +3838 -0
  1041. package/dist/tui-cli-ByN-ZH6y.js +237 -0
  1042. package/dist/typebox-D0SHDJST.js +175 -0
  1043. package/dist/types-BCKGVVld.js +83 -0
  1044. package/dist/types-CtpUGsDP.js +30 -0
  1045. package/dist/types.secrets-BWSeXrF4.js +80 -0
  1046. package/dist/types.tools-BBO8HCi6.js +22 -0
  1047. package/dist/typing-DG_YqWJ7.js +224 -0
  1048. package/dist/unhandled-rejections-CDJ8dOVP.js +170 -0
  1049. package/dist/unhandled-rejections-O6cVOz2D.js +4 -0
  1050. package/dist/update-Br8U-txJ.js +1039 -0
  1051. package/dist/update-check-C3TeQaWg.js +464 -0
  1052. package/dist/update-cli-XHfIntD0.js +1625 -0
  1053. package/dist/update-offset-store-36vzzZXw.js +211 -0
  1054. package/dist/upsert-with-lock-Bb96JHpb.js +34 -0
  1055. package/dist/url-userinfo-Db63ng4y.js +14 -0
  1056. package/dist/utils-Bxk6BLTg.js +236 -0
  1057. package/dist/utils-vDeUf98G.js +7 -0
  1058. package/dist/version-DCY9_obP.js +64 -0
  1059. package/dist/version-DRF-wKTV.js +2 -0
  1060. package/dist/voice-call-D4fgwZNO.js +1 -0
  1061. package/dist/warning-filter-CgvLQB4Y.js +56 -0
  1062. package/dist/web-media-BfBb8i48.js +1 -0
  1063. package/dist/web-media-CtU6jM5V.js +498 -0
  1064. package/dist/webhook-ingress-CupqYpKM.js +338 -0
  1065. package/dist/webhook-memory-guards-BHrFZ4yq.js +129 -0
  1066. package/dist/webhook-path-BGFZ55ML.js +22 -0
  1067. package/dist/webhook-shared-Cvk3b0ac.js +349 -0
  1068. package/dist/webhooks-cli-vOAoBF9b.js +357 -0
  1069. package/dist/whatsapp-D5nD0rGG.js +58 -0
  1070. package/dist/whatsapp-DXbWlm3A.js +82 -0
  1071. package/dist/whatsapp-core-C2WGMsaY.js +89451 -0
  1072. package/dist/whatsapp-heartbeat-CSWnPQ7q.js +84 -0
  1073. package/dist/whatsapp-shared-BmHKqTtR.js +95 -0
  1074. package/dist/widearea-dns-CXimgJzu.js +125 -0
  1075. package/dist/windows-argv-IXrdWrJj.js +145 -0
  1076. package/dist/windows-spawn-vMJGZo89.js +154 -0
  1077. package/dist/with-timeout-2AKTISee.js +58 -0
  1078. package/dist/workspace-BH7CXmrr.js +479 -0
  1079. package/dist/workspace-dirs-_O4V3xCR.js +13 -0
  1080. package/dist/workspace-v5XppK5M.js +302 -0
  1081. package/dist/ws-By-QcLjg.js +11 -0
  1082. package/dist/wsl-BV3Cb66X.js +57 -0
  1083. package/dist/zalo-CHQzsLhE.js +301 -0
  1084. package/dist/zalo-CcJ3J9f2.js +13 -0
  1085. package/dist/zod-schema.agent-runtime-T_EC_6fg.js +600 -0
  1086. package/dist/zod-schema.core-BdgRr-F1.js +545 -0
  1087. package/dist/zod-schema.providers-core-Dgq7MTqU.js +1613 -0
  1088. package/docs/.i18n/README.md +31 -0
  1089. package/docs/.i18n/glossary.ja-JP.json +14 -0
  1090. package/docs/.i18n/glossary.zh-CN.json +242 -0
  1091. package/docs/.i18n/ja-JP.tm.jsonl +0 -0
  1092. package/docs/assets/install-script.svg +1 -0
  1093. package/docs/assets/macos-onboarding/01-macos-warning.jpeg +0 -0
  1094. package/docs/assets/macos-onboarding/02-local-networks.jpeg +0 -0
  1095. package/docs/assets/macos-onboarding/03-security-notice.png +0 -0
  1096. package/docs/assets/macos-onboarding/04-choose-gateway.png +0 -0
  1097. package/docs/assets/macos-onboarding/05-permissions.png +0 -0
  1098. package/docs/assets/openclaw-logo-text-dark.png +0 -0
  1099. package/docs/assets/openclaw-logo-text-dark.svg +418 -0
  1100. package/docs/assets/openclaw-logo-text.png +0 -0
  1101. package/docs/assets/openclaw-logo-text.svg +418 -0
  1102. package/docs/assets/pixel-lobster.svg +60 -0
  1103. package/docs/assets/showcase/agents-ui.jpg +0 -0
  1104. package/docs/assets/showcase/bambu-cli.png +0 -0
  1105. package/docs/assets/showcase/codexmonitor.png +0 -0
  1106. package/docs/assets/showcase/gohome-grafana.png +0 -0
  1107. package/docs/assets/showcase/ios-testflight.jpg +0 -0
  1108. package/docs/assets/showcase/oura-health.png +0 -0
  1109. package/docs/assets/showcase/padel-cli.svg +11 -0
  1110. package/docs/assets/showcase/padel-screenshot.jpg +0 -0
  1111. package/docs/assets/showcase/papla-tts.jpg +0 -0
  1112. package/docs/assets/showcase/pr-review-telegram.jpg +0 -0
  1113. package/docs/assets/showcase/roborock-screenshot.jpg +0 -0
  1114. package/docs/assets/showcase/roborock-status.svg +13 -0
  1115. package/docs/assets/showcase/roof-camera-sky.jpg +0 -0
  1116. package/docs/assets/showcase/snag.png +0 -0
  1117. package/docs/assets/showcase/tesco-shop.jpg +0 -0
  1118. package/docs/assets/showcase/wienerlinien.png +0 -0
  1119. package/docs/assets/showcase/wine-cellar-skill.jpg +0 -0
  1120. package/docs/assets/showcase/winix-air-purifier.jpg +0 -0
  1121. package/docs/assets/showcase/xuezh-pronunciation.jpeg +0 -0
  1122. package/docs/assets/sponsors/blacksmith.svg +14 -0
  1123. package/docs/assets/sponsors/convex.svg +16 -0
  1124. package/docs/assets/sponsors/openai.svg +3 -0
  1125. package/docs/assets/sponsors/vercel.svg +5 -0
  1126. package/docs/auth-credential-semantics.md +53 -0
  1127. package/docs/automation/auth-monitoring.md +44 -0
  1128. package/docs/automation/cron-jobs.md +727 -0
  1129. package/docs/automation/cron-vs-heartbeat.md +286 -0
  1130. package/docs/automation/gmail-pubsub.md +256 -0
  1131. package/docs/automation/hooks.md +1049 -0
  1132. package/docs/automation/poll.md +86 -0
  1133. package/docs/automation/standing-orders.md +251 -0
  1134. package/docs/automation/troubleshooting.md +122 -0
  1135. package/docs/automation/webhook.md +217 -0
  1136. package/docs/brave-search.md +93 -0
  1137. package/docs/channels/bluebubbles.md +347 -0
  1138. package/docs/channels/broadcast-groups.md +442 -0
  1139. package/docs/channels/channel-routing.md +139 -0
  1140. package/docs/channels/discord.md +1229 -0
  1141. package/docs/channels/feishu.md +747 -0
  1142. package/docs/channels/googlechat.md +261 -0
  1143. package/docs/channels/group-messages.md +84 -0
  1144. package/docs/channels/groups.md +379 -0
  1145. package/docs/channels/imessage.md +367 -0
  1146. package/docs/channels/index.md +47 -0
  1147. package/docs/channels/irc.md +242 -0
  1148. package/docs/channels/line.md +194 -0
  1149. package/docs/channels/location.md +56 -0
  1150. package/docs/channels/matrix.md +677 -0
  1151. package/docs/channels/mattermost.md +427 -0
  1152. package/docs/channels/msteams.md +780 -0
  1153. package/docs/channels/nextcloud-talk.md +138 -0
  1154. package/docs/channels/nostr.md +242 -0
  1155. package/docs/channels/pairing.md +114 -0
  1156. package/docs/channels/signal.md +329 -0
  1157. package/docs/channels/slack.md +603 -0
  1158. package/docs/channels/synology-chat.md +132 -0
  1159. package/docs/channels/telegram.md +987 -0
  1160. package/docs/channels/tlon.md +276 -0
  1161. package/docs/channels/troubleshooting.md +118 -0
  1162. package/docs/channels/twitch.md +379 -0
  1163. package/docs/channels/whatsapp.md +460 -0
  1164. package/docs/channels/zalo.md +243 -0
  1165. package/docs/channels/zalouser.md +181 -0
  1166. package/docs/ci.md +55 -0
  1167. package/docs/cli/acp.md +288 -0
  1168. package/docs/cli/agent.md +29 -0
  1169. package/docs/cli/agents.md +123 -0
  1170. package/docs/cli/approvals.md +50 -0
  1171. package/docs/cli/backup.md +76 -0
  1172. package/docs/cli/browser.md +106 -0
  1173. package/docs/cli/channels.md +102 -0
  1174. package/docs/cli/clawbot.md +21 -0
  1175. package/docs/cli/completion.md +35 -0
  1176. package/docs/cli/config.md +295 -0
  1177. package/docs/cli/configure.md +36 -0
  1178. package/docs/cli/cron.md +77 -0
  1179. package/docs/cli/daemon.md +53 -0
  1180. package/docs/cli/dashboard.md +22 -0
  1181. package/docs/cli/devices.md +139 -0
  1182. package/docs/cli/directory.md +63 -0
  1183. package/docs/cli/dns.md +23 -0
  1184. package/docs/cli/docs.md +15 -0
  1185. package/docs/cli/doctor.md +48 -0
  1186. package/docs/cli/gateway.md +235 -0
  1187. package/docs/cli/health.md +21 -0
  1188. package/docs/cli/hooks.md +318 -0
  1189. package/docs/cli/index.md +1147 -0
  1190. package/docs/cli/logs.md +28 -0
  1191. package/docs/cli/memory.md +66 -0
  1192. package/docs/cli/message.md +278 -0
  1193. package/docs/cli/models.md +81 -0
  1194. package/docs/cli/node.md +127 -0
  1195. package/docs/cli/nodes.md +75 -0
  1196. package/docs/cli/onboard.md +157 -0
  1197. package/docs/cli/pairing.md +32 -0
  1198. package/docs/cli/plugins.md +186 -0
  1199. package/docs/cli/qr.md +46 -0
  1200. package/docs/cli/reset.md +20 -0
  1201. package/docs/cli/sandbox.md +197 -0
  1202. package/docs/cli/secrets.md +188 -0
  1203. package/docs/cli/security.md +79 -0
  1204. package/docs/cli/sessions.md +110 -0
  1205. package/docs/cli/setup.md +29 -0
  1206. package/docs/cli/skills.md +26 -0
  1207. package/docs/cli/status.md +30 -0
  1208. package/docs/cli/system.md +60 -0
  1209. package/docs/cli/tui.md +30 -0
  1210. package/docs/cli/uninstall.md +20 -0
  1211. package/docs/cli/update.md +103 -0
  1212. package/docs/cli/voicecall.md +34 -0
  1213. package/docs/cli/webhooks.md +25 -0
  1214. package/docs/concepts/agent-loop.md +148 -0
  1215. package/docs/concepts/agent-workspace.md +236 -0
  1216. package/docs/concepts/agent.md +122 -0
  1217. package/docs/concepts/architecture.md +137 -0
  1218. package/docs/concepts/compaction.md +123 -0
  1219. package/docs/concepts/context-engine.md +268 -0
  1220. package/docs/concepts/context.md +172 -0
  1221. package/docs/concepts/delegate-architecture.md +296 -0
  1222. package/docs/concepts/features.md +73 -0
  1223. package/docs/concepts/markdown-formatting.md +130 -0
  1224. package/docs/concepts/memory.md +108 -0
  1225. package/docs/concepts/messages.md +154 -0
  1226. package/docs/concepts/model-failover.md +152 -0
  1227. package/docs/concepts/model-providers.md +607 -0
  1228. package/docs/concepts/models.md +225 -0
  1229. package/docs/concepts/multi-agent.md +552 -0
  1230. package/docs/concepts/oauth.md +158 -0
  1231. package/docs/concepts/presence.md +102 -0
  1232. package/docs/concepts/queue.md +89 -0
  1233. package/docs/concepts/retry.md +69 -0
  1234. package/docs/concepts/session-pruning.md +121 -0
  1235. package/docs/concepts/session-tool.md +242 -0
  1236. package/docs/concepts/session.md +310 -0
  1237. package/docs/concepts/streaming.md +155 -0
  1238. package/docs/concepts/system-prompt.md +132 -0
  1239. package/docs/concepts/timezone.md +91 -0
  1240. package/docs/concepts/typebox.md +291 -0
  1241. package/docs/concepts/typing-indicators.md +68 -0
  1242. package/docs/concepts/usage-tracking.md +35 -0
  1243. package/docs/date-time.md +128 -0
  1244. package/docs/debug/node-issue.md +85 -0
  1245. package/docs/diagnostics/flags.md +91 -0
  1246. package/docs/docs.json +2061 -0
  1247. package/docs/gateway/authentication.md +179 -0
  1248. package/docs/gateway/background-process.md +97 -0
  1249. package/docs/gateway/bonjour.md +177 -0
  1250. package/docs/gateway/bridge-protocol.md +91 -0
  1251. package/docs/gateway/cli-backends.md +225 -0
  1252. package/docs/gateway/configuration-examples.md +651 -0
  1253. package/docs/gateway/configuration-reference.md +3123 -0
  1254. package/docs/gateway/configuration.md +633 -0
  1255. package/docs/gateway/discovery.md +123 -0
  1256. package/docs/gateway/doctor.md +362 -0
  1257. package/docs/gateway/gateway-lock.md +34 -0
  1258. package/docs/gateway/health.md +44 -0
  1259. package/docs/gateway/heartbeat.md +393 -0
  1260. package/docs/gateway/index.md +261 -0
  1261. package/docs/gateway/local-models.md +152 -0
  1262. package/docs/gateway/logging.md +113 -0
  1263. package/docs/gateway/multiple-gateways.md +112 -0
  1264. package/docs/gateway/network-model.md +22 -0
  1265. package/docs/gateway/openai-http-api.md +132 -0
  1266. package/docs/gateway/openresponses-http-api.md +295 -0
  1267. package/docs/gateway/openshell.md +307 -0
  1268. package/docs/gateway/pairing.md +99 -0
  1269. package/docs/gateway/protocol.md +267 -0
  1270. package/docs/gateway/remote-gateway-readme.md +158 -0
  1271. package/docs/gateway/remote.md +153 -0
  1272. package/docs/gateway/sandbox-vs-tool-policy-vs-elevated.md +134 -0
  1273. package/docs/gateway/sandboxing.md +469 -0
  1274. package/docs/gateway/secrets-plan-contract.md +116 -0
  1275. package/docs/gateway/secrets.md +503 -0
  1276. package/docs/gateway/security/index.md +1213 -0
  1277. package/docs/gateway/tailscale.md +132 -0
  1278. package/docs/gateway/tools-invoke-http-api.md +110 -0
  1279. package/docs/gateway/troubleshooting.md +378 -0
  1280. package/docs/gateway/trusted-proxy-auth.md +330 -0
  1281. package/docs/help/debugging.md +168 -0
  1282. package/docs/help/environment.md +163 -0
  1283. package/docs/help/faq.md +2999 -0
  1284. package/docs/help/index.md +28 -0
  1285. package/docs/help/scripts.md +28 -0
  1286. package/docs/help/testing.md +524 -0
  1287. package/docs/help/troubleshooting.md +297 -0
  1288. package/docs/images/configure-model-picker-unsearchable.png +0 -0
  1289. package/docs/images/feishu-step2-create-app.png +0 -0
  1290. package/docs/images/feishu-step3-credentials.png +0 -0
  1291. package/docs/images/feishu-step4-permissions.png +0 -0
  1292. package/docs/images/feishu-step5-bot-capability.png +0 -0
  1293. package/docs/images/feishu-step6-event-subscription.png +0 -0
  1294. package/docs/images/feishu-verification-token.png +0 -0
  1295. package/docs/images/groups-flow.svg +52 -0
  1296. package/docs/images/mobile-ui-screenshot.png +0 -0
  1297. package/docs/index.md +196 -0
  1298. package/docs/install/ansible.md +230 -0
  1299. package/docs/install/azure.md +311 -0
  1300. package/docs/install/bun.md +55 -0
  1301. package/docs/install/development-channels.md +120 -0
  1302. package/docs/install/digitalocean.md +129 -0
  1303. package/docs/install/docker-vm-runtime.md +142 -0
  1304. package/docs/install/docker.md +375 -0
  1305. package/docs/install/exe-dev.md +126 -0
  1306. package/docs/install/fly.md +501 -0
  1307. package/docs/install/gcp.md +402 -0
  1308. package/docs/install/hetzner.md +251 -0
  1309. package/docs/install/index.md +183 -0
  1310. package/docs/install/installer.md +415 -0
  1311. package/docs/install/kubernetes.md +191 -0
  1312. package/docs/install/macos-vm.md +281 -0
  1313. package/docs/install/migrating-matrix.md +346 -0
  1314. package/docs/install/migrating.md +110 -0
  1315. package/docs/install/nix.md +89 -0
  1316. package/docs/install/node.md +138 -0
  1317. package/docs/install/northflank.mdx +54 -0
  1318. package/docs/install/oracle.md +156 -0
  1319. package/docs/install/podman.md +133 -0
  1320. package/docs/install/railway.mdx +100 -0
  1321. package/docs/install/raspberry-pi.md +159 -0
  1322. package/docs/install/render.mdx +169 -0
  1323. package/docs/install/uninstall.md +128 -0
  1324. package/docs/install/updating.md +128 -0
  1325. package/docs/ja-JP/index.md +186 -0
  1326. package/docs/ja-JP/start/getting-started.md +125 -0
  1327. package/docs/ja-JP/start/wizard.md +77 -0
  1328. package/docs/logging.md +352 -0
  1329. package/docs/nav-tabs-underline.js +100 -0
  1330. package/docs/network.md +54 -0
  1331. package/docs/nodes/audio.md +187 -0
  1332. package/docs/nodes/camera.md +162 -0
  1333. package/docs/nodes/images.md +72 -0
  1334. package/docs/nodes/index.md +393 -0
  1335. package/docs/nodes/location-command.md +98 -0
  1336. package/docs/nodes/media-understanding.md +394 -0
  1337. package/docs/nodes/talk.md +92 -0
  1338. package/docs/nodes/troubleshooting.md +114 -0
  1339. package/docs/nodes/voicewake.md +66 -0
  1340. package/docs/perplexity.md +174 -0
  1341. package/docs/pi-dev.md +80 -0
  1342. package/docs/pi.md +567 -0
  1343. package/docs/platforms/android.md +168 -0
  1344. package/docs/platforms/digitalocean.md +266 -0
  1345. package/docs/platforms/index.md +54 -0
  1346. package/docs/platforms/ios.md +220 -0
  1347. package/docs/platforms/linux.md +94 -0
  1348. package/docs/platforms/mac/bundled-gateway.md +73 -0
  1349. package/docs/platforms/mac/canvas.md +125 -0
  1350. package/docs/platforms/mac/child-process.md +69 -0
  1351. package/docs/platforms/mac/dev-setup.md +104 -0
  1352. package/docs/platforms/mac/health.md +34 -0
  1353. package/docs/platforms/mac/icon.md +31 -0
  1354. package/docs/platforms/mac/logging.md +57 -0
  1355. package/docs/platforms/mac/menu-bar.md +81 -0
  1356. package/docs/platforms/mac/peekaboo.md +65 -0
  1357. package/docs/platforms/mac/permissions.md +50 -0
  1358. package/docs/platforms/mac/remote.md +84 -0
  1359. package/docs/platforms/mac/signing.md +47 -0
  1360. package/docs/platforms/mac/skills.md +33 -0
  1361. package/docs/platforms/mac/voice-overlay.md +60 -0
  1362. package/docs/platforms/mac/voicewake.md +67 -0
  1363. package/docs/platforms/mac/webchat.md +43 -0
  1364. package/docs/platforms/mac/xpc.md +61 -0
  1365. package/docs/platforms/macos.md +226 -0
  1366. package/docs/platforms/oracle.md +303 -0
  1367. package/docs/platforms/raspberry-pi.md +412 -0
  1368. package/docs/platforms/windows.md +241 -0
  1369. package/docs/plugins/agent-tools.md +10 -0
  1370. package/docs/plugins/architecture.md +1363 -0
  1371. package/docs/plugins/building-extensions.md +10 -0
  1372. package/docs/plugins/building-plugins.md +376 -0
  1373. package/docs/plugins/bundles.md +181 -0
  1374. package/docs/plugins/community.md +141 -0
  1375. package/docs/plugins/manifest.md +145 -0
  1376. package/docs/plugins/sdk-migration.md +169 -0
  1377. package/docs/plugins/voice-call.md +380 -0
  1378. package/docs/plugins/zalouser.md +77 -0
  1379. package/docs/prose.md +134 -0
  1380. package/docs/providers/anthropic.md +259 -0
  1381. package/docs/providers/bedrock.md +176 -0
  1382. package/docs/providers/claude-max-api-proxy.md +154 -0
  1383. package/docs/providers/cloudflare-ai-gateway.md +71 -0
  1384. package/docs/providers/deepgram.md +93 -0
  1385. package/docs/providers/github-copilot.md +72 -0
  1386. package/docs/providers/glm.md +43 -0
  1387. package/docs/providers/google.md +78 -0
  1388. package/docs/providers/groq.md +96 -0
  1389. package/docs/providers/huggingface.md +209 -0
  1390. package/docs/providers/index.md +69 -0
  1391. package/docs/providers/kilocode.md +74 -0
  1392. package/docs/providers/litellm.md +154 -0
  1393. package/docs/providers/minimax.md +224 -0
  1394. package/docs/providers/mistral.md +54 -0
  1395. package/docs/providers/models.md +45 -0
  1396. package/docs/providers/modelstudio.md +66 -0
  1397. package/docs/providers/moonshot.md +175 -0
  1398. package/docs/providers/nvidia.md +55 -0
  1399. package/docs/providers/ollama.md +352 -0
  1400. package/docs/providers/openai.md +303 -0
  1401. package/docs/providers/opencode-go.md +45 -0
  1402. package/docs/providers/opencode.md +64 -0
  1403. package/docs/providers/openrouter.md +37 -0
  1404. package/docs/providers/perplexity-provider.md +62 -0
  1405. package/docs/providers/qianfan.md +38 -0
  1406. package/docs/providers/qwen.md +53 -0
  1407. package/docs/providers/sglang.md +104 -0
  1408. package/docs/providers/synthetic.md +99 -0
  1409. package/docs/providers/together.md +66 -0
  1410. package/docs/providers/venice.md +282 -0
  1411. package/docs/providers/vercel-ai-gateway.md +60 -0
  1412. package/docs/providers/vllm.md +92 -0
  1413. package/docs/providers/volcengine.md +74 -0
  1414. package/docs/providers/xai.md +60 -0
  1415. package/docs/providers/xiaomi.md +86 -0
  1416. package/docs/providers/zai.md +46 -0
  1417. package/docs/reference/AGENTS.default.md +126 -0
  1418. package/docs/reference/RELEASING.md +42 -0
  1419. package/docs/reference/api-usage-costs.md +144 -0
  1420. package/docs/reference/credits.md +30 -0
  1421. package/docs/reference/device-models.md +47 -0
  1422. package/docs/reference/memory-config.md +711 -0
  1423. package/docs/reference/prompt-caching.md +185 -0
  1424. package/docs/reference/rpc.md +43 -0
  1425. package/docs/reference/secretref-credential-surface.md +140 -0
  1426. package/docs/reference/secretref-user-supplied-credentials-matrix.json +563 -0
  1427. package/docs/reference/session-management-compaction.md +324 -0
  1428. package/docs/reference/templates/AGENTS.dev.md +83 -0
  1429. package/docs/reference/templates/AGENTS.md +219 -0
  1430. package/docs/reference/templates/BOOT.md +11 -0
  1431. package/docs/reference/templates/BOOTSTRAP.md +62 -0
  1432. package/docs/reference/templates/HEARTBEAT.md +14 -0
  1433. package/docs/reference/templates/IDENTITY.dev.md +47 -0
  1434. package/docs/reference/templates/IDENTITY.md +29 -0
  1435. package/docs/reference/templates/SOUL.dev.md +76 -0
  1436. package/docs/reference/templates/SOUL.md +43 -0
  1437. package/docs/reference/templates/TOOLS.dev.md +24 -0
  1438. package/docs/reference/templates/TOOLS.md +47 -0
  1439. package/docs/reference/templates/USER.dev.md +18 -0
  1440. package/docs/reference/templates/USER.md +23 -0
  1441. package/docs/reference/test.md +90 -0
  1442. package/docs/reference/token-use.md +175 -0
  1443. package/docs/reference/transcript-hygiene.md +151 -0
  1444. package/docs/reference/wizard.md +235 -0
  1445. package/docs/security/CONTRIBUTING-THREAT-MODEL.md +98 -0
  1446. package/docs/security/THREAT-MODEL-ATLAS.md +611 -0
  1447. package/docs/security/formal-verification.md +167 -0
  1448. package/docs/start/bootstrapping.md +41 -0
  1449. package/docs/start/docs-directory.md +66 -0
  1450. package/docs/start/getting-started.md +116 -0
  1451. package/docs/start/hubs.md +198 -0
  1452. package/docs/start/lore.md +219 -0
  1453. package/docs/start/onboarding-overview.md +67 -0
  1454. package/docs/start/onboarding.md +91 -0
  1455. package/docs/start/openclaw.md +216 -0
  1456. package/docs/start/quickstart.md +22 -0
  1457. package/docs/start/setup.md +164 -0
  1458. package/docs/start/showcase.md +418 -0
  1459. package/docs/start/wizard-cli-automation.md +215 -0
  1460. package/docs/start/wizard-cli-reference.md +299 -0
  1461. package/docs/start/wizard.md +125 -0
  1462. package/docs/style.css +37 -0
  1463. package/docs/tools/acp-agents.md +623 -0
  1464. package/docs/tools/agent-send.md +100 -0
  1465. package/docs/tools/apply-patch.md +51 -0
  1466. package/docs/tools/brave-search.md +93 -0
  1467. package/docs/tools/browser-linux-troubleshooting.md +138 -0
  1468. package/docs/tools/browser-login.md +73 -0
  1469. package/docs/tools/browser-wsl2-windows-remote-cdp-troubleshooting.md +211 -0
  1470. package/docs/tools/browser.md +731 -0
  1471. package/docs/tools/btw.md +142 -0
  1472. package/docs/tools/capability-cookbook.md +119 -0
  1473. package/docs/tools/clawhub.md +257 -0
  1474. package/docs/tools/creating-skills.md +117 -0
  1475. package/docs/tools/diffs.md +386 -0
  1476. package/docs/tools/elevated.md +114 -0
  1477. package/docs/tools/exec-approvals.md +400 -0
  1478. package/docs/tools/exec.md +204 -0
  1479. package/docs/tools/firecrawl.md +140 -0
  1480. package/docs/tools/index.md +137 -0
  1481. package/docs/tools/llm-task.md +119 -0
  1482. package/docs/tools/lobster.md +340 -0
  1483. package/docs/tools/loop-detection.md +100 -0
  1484. package/docs/tools/multi-agent-sandbox-tools.md +364 -0
  1485. package/docs/tools/pdf.md +156 -0
  1486. package/docs/tools/perplexity-search.md +174 -0
  1487. package/docs/tools/plugin.md +251 -0
  1488. package/docs/tools/reactions.md +64 -0
  1489. package/docs/tools/skills-config.md +86 -0
  1490. package/docs/tools/skills.md +306 -0
  1491. package/docs/tools/slash-commands.md +294 -0
  1492. package/docs/tools/subagents.md +295 -0
  1493. package/docs/tools/tavily.md +125 -0
  1494. package/docs/tools/thinking.md +96 -0
  1495. package/docs/tools/tts.md +406 -0
  1496. package/docs/tools/web.md +516 -0
  1497. package/docs/tts.md +406 -0
  1498. package/docs/vps.md +112 -0
  1499. package/docs/web/control-ui.md +275 -0
  1500. package/docs/web/dashboard.md +54 -0
  1501. package/docs/web/index.md +120 -0
  1502. package/docs/web/tui.md +170 -0
  1503. package/docs/web/webchat.md +61 -0
  1504. package/docs/whatsapp-openclaw-ai-zh.jpg +0 -0
  1505. package/docs/whatsapp-openclaw.jpg +0 -0
  1506. package/docs/zh-CN/AGENTS.md +61 -0
  1507. package/docs/zh-CN/automation/auth-monitoring.md +47 -0
  1508. package/docs/zh-CN/automation/cron-jobs.md +435 -0
  1509. package/docs/zh-CN/automation/cron-vs-heartbeat.md +286 -0
  1510. package/docs/zh-CN/automation/gmail-pubsub.md +249 -0
  1511. package/docs/zh-CN/automation/hooks.md +1051 -0
  1512. package/docs/zh-CN/automation/poll.md +76 -0
  1513. package/docs/zh-CN/automation/troubleshooting.md +8 -0
  1514. package/docs/zh-CN/automation/webhook.md +163 -0
  1515. package/docs/zh-CN/brave-search.md +60 -0
  1516. package/docs/zh-CN/channels/bluebubbles.md +354 -0
  1517. package/docs/zh-CN/channels/broadcast-groups.md +449 -0
  1518. package/docs/zh-CN/channels/channel-routing.md +117 -0
  1519. package/docs/zh-CN/channels/discord.md +468 -0
  1520. package/docs/zh-CN/channels/feishu.md +728 -0
  1521. package/docs/zh-CN/channels/googlechat.md +257 -0
  1522. package/docs/zh-CN/channels/grammy.md +38 -0
  1523. package/docs/zh-CN/channels/group-messages.md +91 -0
  1524. package/docs/zh-CN/channels/groups.md +379 -0
  1525. package/docs/zh-CN/channels/imessage.md +302 -0
  1526. package/docs/zh-CN/channels/index.md +53 -0
  1527. package/docs/zh-CN/channels/line.md +180 -0
  1528. package/docs/zh-CN/channels/location.md +63 -0
  1529. package/docs/zh-CN/channels/matrix.md +221 -0
  1530. package/docs/zh-CN/channels/mattermost.md +144 -0
  1531. package/docs/zh-CN/channels/msteams.md +775 -0
  1532. package/docs/zh-CN/channels/nextcloud-talk.md +142 -0
  1533. package/docs/zh-CN/channels/nostr.md +249 -0
  1534. package/docs/zh-CN/channels/pairing.md +89 -0
  1535. package/docs/zh-CN/channels/signal.md +209 -0
  1536. package/docs/zh-CN/channels/slack.md +531 -0
  1537. package/docs/zh-CN/channels/synology-chat.md +138 -0
  1538. package/docs/zh-CN/channels/telegram.md +751 -0
  1539. package/docs/zh-CN/channels/tlon.md +136 -0
  1540. package/docs/zh-CN/channels/troubleshooting.md +36 -0
  1541. package/docs/zh-CN/channels/twitch.md +385 -0
  1542. package/docs/zh-CN/channels/whatsapp.md +411 -0
  1543. package/docs/zh-CN/channels/zalo.md +196 -0
  1544. package/docs/zh-CN/channels/zalouser.md +147 -0
  1545. package/docs/zh-CN/cli/acp.md +173 -0
  1546. package/docs/zh-CN/cli/agent.md +30 -0
  1547. package/docs/zh-CN/cli/agents.md +82 -0
  1548. package/docs/zh-CN/cli/approvals.md +57 -0
  1549. package/docs/zh-CN/cli/browser.md +114 -0
  1550. package/docs/zh-CN/cli/channels.md +86 -0
  1551. package/docs/zh-CN/cli/config.md +57 -0
  1552. package/docs/zh-CN/cli/configure.md +38 -0
  1553. package/docs/zh-CN/cli/cron.md +43 -0
  1554. package/docs/zh-CN/cli/dashboard.md +23 -0
  1555. package/docs/zh-CN/cli/devices.md +74 -0
  1556. package/docs/zh-CN/cli/directory.md +70 -0
  1557. package/docs/zh-CN/cli/dns.md +30 -0
  1558. package/docs/zh-CN/cli/docs.md +22 -0
  1559. package/docs/zh-CN/cli/doctor.md +48 -0
  1560. package/docs/zh-CN/cli/gateway.md +206 -0
  1561. package/docs/zh-CN/cli/health.md +28 -0
  1562. package/docs/zh-CN/cli/hooks.md +298 -0
  1563. package/docs/zh-CN/cli/index.md +1143 -0
  1564. package/docs/zh-CN/cli/logs.md +31 -0
  1565. package/docs/zh-CN/cli/memory.md +52 -0
  1566. package/docs/zh-CN/cli/message.md +246 -0
  1567. package/docs/zh-CN/cli/models.md +85 -0
  1568. package/docs/zh-CN/cli/node.md +115 -0
  1569. package/docs/zh-CN/cli/nodes.md +80 -0
  1570. package/docs/zh-CN/cli/onboard.md +164 -0
  1571. package/docs/zh-CN/cli/pairing.md +28 -0
  1572. package/docs/zh-CN/cli/plugins.md +66 -0
  1573. package/docs/zh-CN/cli/reset.md +24 -0
  1574. package/docs/zh-CN/cli/sandbox.md +158 -0
  1575. package/docs/zh-CN/cli/security.md +33 -0
  1576. package/docs/zh-CN/cli/sessions.md +23 -0
  1577. package/docs/zh-CN/cli/setup.md +36 -0
  1578. package/docs/zh-CN/cli/skills.md +33 -0
  1579. package/docs/zh-CN/cli/status.md +33 -0
  1580. package/docs/zh-CN/cli/system.md +63 -0
  1581. package/docs/zh-CN/cli/tui.md +30 -0
  1582. package/docs/zh-CN/cli/uninstall.md +24 -0
  1583. package/docs/zh-CN/cli/update.md +101 -0
  1584. package/docs/zh-CN/cli/voicecall.md +41 -0
  1585. package/docs/zh-CN/cli/webhooks.md +32 -0
  1586. package/docs/zh-CN/concepts/agent-loop.md +146 -0
  1587. package/docs/zh-CN/concepts/agent-workspace.md +219 -0
  1588. package/docs/zh-CN/concepts/agent.md +115 -0
  1589. package/docs/zh-CN/concepts/architecture.md +123 -0
  1590. package/docs/zh-CN/concepts/compaction.md +67 -0
  1591. package/docs/zh-CN/concepts/context.md +168 -0
  1592. package/docs/zh-CN/concepts/features.md +59 -0
  1593. package/docs/zh-CN/concepts/markdown-formatting.md +117 -0
  1594. package/docs/zh-CN/concepts/memory.md +412 -0
  1595. package/docs/zh-CN/concepts/messages.md +141 -0
  1596. package/docs/zh-CN/concepts/model-failover.md +145 -0
  1597. package/docs/zh-CN/concepts/model-providers.md +606 -0
  1598. package/docs/zh-CN/concepts/models.md +225 -0
  1599. package/docs/zh-CN/concepts/multi-agent.md +372 -0
  1600. package/docs/zh-CN/concepts/oauth.md +164 -0
  1601. package/docs/zh-CN/concepts/presence.md +99 -0
  1602. package/docs/zh-CN/concepts/queue.md +94 -0
  1603. package/docs/zh-CN/concepts/retry.md +76 -0
  1604. package/docs/zh-CN/concepts/session-pruning.md +129 -0
  1605. package/docs/zh-CN/concepts/session-tool.md +200 -0
  1606. package/docs/zh-CN/concepts/session.md +166 -0
  1607. package/docs/zh-CN/concepts/streaming.md +133 -0
  1608. package/docs/zh-CN/concepts/system-prompt.md +101 -0
  1609. package/docs/zh-CN/concepts/timezone.md +96 -0
  1610. package/docs/zh-CN/concepts/typebox.md +284 -0
  1611. package/docs/zh-CN/concepts/typing-indicators.md +74 -0
  1612. package/docs/zh-CN/concepts/usage-tracking.md +42 -0
  1613. package/docs/zh-CN/date-time.md +129 -0
  1614. package/docs/zh-CN/debug/node-issue.md +90 -0
  1615. package/docs/zh-CN/diagnostics/flags.md +98 -0
  1616. package/docs/zh-CN/gateway/authentication.md +184 -0
  1617. package/docs/zh-CN/gateway/background-process.md +100 -0
  1618. package/docs/zh-CN/gateway/bonjour.md +174 -0
  1619. package/docs/zh-CN/gateway/bridge-protocol.md +86 -0
  1620. package/docs/zh-CN/gateway/cli-backends.md +213 -0
  1621. package/docs/zh-CN/gateway/configuration-examples.md +587 -0
  1622. package/docs/zh-CN/gateway/configuration-reference.md +3103 -0
  1623. package/docs/zh-CN/gateway/configuration.md +640 -0
  1624. package/docs/zh-CN/gateway/discovery.md +123 -0
  1625. package/docs/zh-CN/gateway/doctor.md +238 -0
  1626. package/docs/zh-CN/gateway/gateway-lock.md +41 -0
  1627. package/docs/zh-CN/gateway/health.md +42 -0
  1628. package/docs/zh-CN/gateway/heartbeat.md +274 -0
  1629. package/docs/zh-CN/gateway/index.md +335 -0
  1630. package/docs/zh-CN/gateway/local-models.md +159 -0
  1631. package/docs/zh-CN/gateway/logging.md +114 -0
  1632. package/docs/zh-CN/gateway/multiple-gateways.md +119 -0
  1633. package/docs/zh-CN/gateway/network-model.md +23 -0
  1634. package/docs/zh-CN/gateway/openai-http-api.md +125 -0
  1635. package/docs/zh-CN/gateway/openresponses-http-api.md +317 -0
  1636. package/docs/zh-CN/gateway/pairing.md +99 -0
  1637. package/docs/zh-CN/gateway/protocol.md +220 -0
  1638. package/docs/zh-CN/gateway/remote-gateway-readme.md +164 -0
  1639. package/docs/zh-CN/gateway/remote.md +133 -0
  1640. package/docs/zh-CN/gateway/sandbox-vs-tool-policy-vs-elevated.md +135 -0
  1641. package/docs/zh-CN/gateway/sandboxing.md +188 -0
  1642. package/docs/zh-CN/gateway/security/index.md +777 -0
  1643. package/docs/zh-CN/gateway/tailscale.md +124 -0
  1644. package/docs/zh-CN/gateway/tools-invoke-http-api.md +92 -0
  1645. package/docs/zh-CN/gateway/troubleshooting.md +771 -0
  1646. package/docs/zh-CN/help/debugging.md +160 -0
  1647. package/docs/zh-CN/help/environment.md +88 -0
  1648. package/docs/zh-CN/help/faq.md +2640 -0
  1649. package/docs/zh-CN/help/index.md +28 -0
  1650. package/docs/zh-CN/help/scripts.md +35 -0
  1651. package/docs/zh-CN/help/testing.md +375 -0
  1652. package/docs/zh-CN/help/troubleshooting.md +104 -0
  1653. package/docs/zh-CN/index.md +186 -0
  1654. package/docs/zh-CN/install/ansible.md +215 -0
  1655. package/docs/zh-CN/install/bun.md +65 -0
  1656. package/docs/zh-CN/install/development-channels.md +81 -0
  1657. package/docs/zh-CN/install/docker.md +532 -0
  1658. package/docs/zh-CN/install/exe-dev.md +133 -0
  1659. package/docs/zh-CN/install/fly.md +490 -0
  1660. package/docs/zh-CN/install/gcp.md +510 -0
  1661. package/docs/zh-CN/install/hetzner.md +337 -0
  1662. package/docs/zh-CN/install/index.md +235 -0
  1663. package/docs/zh-CN/install/installer.md +422 -0
  1664. package/docs/zh-CN/install/macos-vm.md +288 -0
  1665. package/docs/zh-CN/install/migrating.md +199 -0
  1666. package/docs/zh-CN/install/nix.md +99 -0
  1667. package/docs/zh-CN/install/node.md +8 -0
  1668. package/docs/zh-CN/install/northflank.mdx +60 -0
  1669. package/docs/zh-CN/install/railway.mdx +106 -0
  1670. package/docs/zh-CN/install/render.mdx +169 -0
  1671. package/docs/zh-CN/install/uninstall.md +135 -0
  1672. package/docs/zh-CN/install/updating.md +233 -0
  1673. package/docs/zh-CN/logging.md +329 -0
  1674. package/docs/zh-CN/network.md +59 -0
  1675. package/docs/zh-CN/nodes/audio.md +120 -0
  1676. package/docs/zh-CN/nodes/camera.md +162 -0
  1677. package/docs/zh-CN/nodes/images.md +79 -0
  1678. package/docs/zh-CN/nodes/index.md +348 -0
  1679. package/docs/zh-CN/nodes/location-command.md +120 -0
  1680. package/docs/zh-CN/nodes/media-understanding.md +380 -0
  1681. package/docs/zh-CN/nodes/talk.md +97 -0
  1682. package/docs/zh-CN/nodes/troubleshooting.md +8 -0
  1683. package/docs/zh-CN/nodes/voicewake.md +72 -0
  1684. package/docs/zh-CN/perplexity.md +102 -0
  1685. package/docs/zh-CN/pi-dev.md +77 -0
  1686. package/docs/zh-CN/pi.md +619 -0
  1687. package/docs/zh-CN/platforms/android.md +155 -0
  1688. package/docs/zh-CN/platforms/digitalocean.md +273 -0
  1689. package/docs/zh-CN/platforms/index.md +60 -0
  1690. package/docs/zh-CN/platforms/ios.md +114 -0
  1691. package/docs/zh-CN/platforms/linux.md +100 -0
  1692. package/docs/zh-CN/platforms/mac/bundled-gateway.md +75 -0
  1693. package/docs/zh-CN/platforms/mac/canvas.md +128 -0
  1694. package/docs/zh-CN/platforms/mac/child-process.md +73 -0
  1695. package/docs/zh-CN/platforms/mac/dev-setup.md +109 -0
  1696. package/docs/zh-CN/platforms/mac/health.md +41 -0
  1697. package/docs/zh-CN/platforms/mac/icon.md +38 -0
  1698. package/docs/zh-CN/platforms/mac/logging.md +64 -0
  1699. package/docs/zh-CN/platforms/mac/menu-bar.md +88 -0
  1700. package/docs/zh-CN/platforms/mac/peekaboo.md +62 -0
  1701. package/docs/zh-CN/platforms/mac/permissions.md +46 -0
  1702. package/docs/zh-CN/platforms/mac/remote.md +90 -0
  1703. package/docs/zh-CN/platforms/mac/signing.md +54 -0
  1704. package/docs/zh-CN/platforms/mac/skills.md +40 -0
  1705. package/docs/zh-CN/platforms/mac/voice-overlay.md +67 -0
  1706. package/docs/zh-CN/platforms/mac/voicewake.md +74 -0
  1707. package/docs/zh-CN/platforms/mac/webchat.md +43 -0
  1708. package/docs/zh-CN/platforms/mac/xpc.md +68 -0
  1709. package/docs/zh-CN/platforms/macos.md +193 -0
  1710. package/docs/zh-CN/platforms/oracle.md +310 -0
  1711. package/docs/zh-CN/platforms/raspberry-pi.md +416 -0
  1712. package/docs/zh-CN/platforms/windows.md +247 -0
  1713. package/docs/zh-CN/plugins/agent-tools.md +99 -0
  1714. package/docs/zh-CN/plugins/manifest.md +68 -0
  1715. package/docs/zh-CN/plugins/voice-call.md +250 -0
  1716. package/docs/zh-CN/plugins/zalouser.md +88 -0
  1717. package/docs/zh-CN/prose.md +141 -0
  1718. package/docs/zh-CN/providers/anthropic.md +265 -0
  1719. package/docs/zh-CN/providers/bedrock.md +170 -0
  1720. package/docs/zh-CN/providers/claude-max-api-proxy.md +155 -0
  1721. package/docs/zh-CN/providers/cloudflare-ai-gateway.md +78 -0
  1722. package/docs/zh-CN/providers/deepgram.md +97 -0
  1723. package/docs/zh-CN/providers/github-copilot.md +67 -0
  1724. package/docs/zh-CN/providers/glm.md +50 -0
  1725. package/docs/zh-CN/providers/huggingface.md +216 -0
  1726. package/docs/zh-CN/providers/index.md +69 -0
  1727. package/docs/zh-CN/providers/kilocode.md +80 -0
  1728. package/docs/zh-CN/providers/litellm.md +160 -0
  1729. package/docs/zh-CN/providers/minimax.md +222 -0
  1730. package/docs/zh-CN/providers/mistral.md +61 -0
  1731. package/docs/zh-CN/providers/models.md +51 -0
  1732. package/docs/zh-CN/providers/moonshot.md +182 -0
  1733. package/docs/zh-CN/providers/nvidia.md +62 -0
  1734. package/docs/zh-CN/providers/ollama.md +359 -0
  1735. package/docs/zh-CN/providers/openai.md +308 -0
  1736. package/docs/zh-CN/providers/opencode-go.md +52 -0
  1737. package/docs/zh-CN/providers/opencode.md +71 -0
  1738. package/docs/zh-CN/providers/openrouter.md +44 -0
  1739. package/docs/zh-CN/providers/qianfan.md +45 -0
  1740. package/docs/zh-CN/providers/qwen.md +55 -0
  1741. package/docs/zh-CN/providers/sglang.md +111 -0
  1742. package/docs/zh-CN/providers/synthetic.md +106 -0
  1743. package/docs/zh-CN/providers/together.md +72 -0
  1744. package/docs/zh-CN/providers/venice.md +289 -0
  1745. package/docs/zh-CN/providers/vercel-ai-gateway.md +66 -0
  1746. package/docs/zh-CN/providers/xiaomi.md +93 -0
  1747. package/docs/zh-CN/providers/zai.md +53 -0
  1748. package/docs/zh-CN/reference/AGENTS.default.md +131 -0
  1749. package/docs/zh-CN/reference/RELEASING.md +48 -0
  1750. package/docs/zh-CN/reference/api-usage-costs.md +141 -0
  1751. package/docs/zh-CN/reference/credits.md +34 -0
  1752. package/docs/zh-CN/reference/device-models.md +54 -0
  1753. package/docs/zh-CN/reference/rpc.md +48 -0
  1754. package/docs/zh-CN/reference/session-management-compaction.md +287 -0
  1755. package/docs/zh-CN/reference/templates/AGENTS.dev.md +89 -0
  1756. package/docs/zh-CN/reference/templates/AGENTS.md +225 -0
  1757. package/docs/zh-CN/reference/templates/BOOT.md +17 -0
  1758. package/docs/zh-CN/reference/templates/BOOTSTRAP.md +68 -0
  1759. package/docs/zh-CN/reference/templates/HEARTBEAT.md +18 -0
  1760. package/docs/zh-CN/reference/templates/IDENTITY.dev.md +54 -0
  1761. package/docs/zh-CN/reference/templates/IDENTITY.md +36 -0
  1762. package/docs/zh-CN/reference/templates/SOUL.dev.md +83 -0
  1763. package/docs/zh-CN/reference/templates/SOUL.md +49 -0
  1764. package/docs/zh-CN/reference/templates/TOOLS.dev.md +31 -0
  1765. package/docs/zh-CN/reference/templates/TOOLS.md +53 -0
  1766. package/docs/zh-CN/reference/templates/USER.dev.md +25 -0
  1767. package/docs/zh-CN/reference/templates/USER.md +30 -0
  1768. package/docs/zh-CN/reference/test.md +57 -0
  1769. package/docs/zh-CN/reference/token-use.md +119 -0
  1770. package/docs/zh-CN/reference/transcript-hygiene.md +109 -0
  1771. package/docs/zh-CN/reference/wizard.md +242 -0
  1772. package/docs/zh-CN/security/formal-verification.md +171 -0
  1773. package/docs/zh-CN/start/bootstrapping.md +9 -0
  1774. package/docs/zh-CN/start/docs-directory.md +70 -0
  1775. package/docs/zh-CN/start/getting-started.md +143 -0
  1776. package/docs/zh-CN/start/hubs.md +194 -0
  1777. package/docs/zh-CN/start/lore.md +226 -0
  1778. package/docs/zh-CN/start/onboarding-overview.md +58 -0
  1779. package/docs/zh-CN/start/onboarding.md +105 -0
  1780. package/docs/zh-CN/start/openclaw.md +248 -0
  1781. package/docs/zh-CN/start/quickstart.md +88 -0
  1782. package/docs/zh-CN/start/setup.md +153 -0
  1783. package/docs/zh-CN/start/showcase.md +423 -0
  1784. package/docs/zh-CN/start/wizard-cli-automation.md +222 -0
  1785. package/docs/zh-CN/start/wizard-cli-reference.md +306 -0
  1786. package/docs/zh-CN/start/wizard.md +132 -0
  1787. package/docs/zh-CN/tools/agent-send.md +59 -0
  1788. package/docs/zh-CN/tools/apply-patch.md +57 -0
  1789. package/docs/zh-CN/tools/browser-linux-troubleshooting.md +144 -0
  1790. package/docs/zh-CN/tools/browser-login.md +75 -0
  1791. package/docs/zh-CN/tools/browser.md +553 -0
  1792. package/docs/zh-CN/tools/chrome-extension.md +183 -0
  1793. package/docs/zh-CN/tools/clawhub.md +209 -0
  1794. package/docs/zh-CN/tools/creating-skills.md +61 -0
  1795. package/docs/zh-CN/tools/elevated.md +64 -0
  1796. package/docs/zh-CN/tools/exec-approvals.md +234 -0
  1797. package/docs/zh-CN/tools/exec.md +169 -0
  1798. package/docs/zh-CN/tools/firecrawl.md +68 -0
  1799. package/docs/zh-CN/tools/index.md +515 -0
  1800. package/docs/zh-CN/tools/llm-task.md +117 -0
  1801. package/docs/zh-CN/tools/lobster.md +349 -0
  1802. package/docs/zh-CN/tools/multi-agent-sandbox-tools.md +401 -0
  1803. package/docs/zh-CN/tools/plugin.md +1612 -0
  1804. package/docs/zh-CN/tools/reactions.md +29 -0
  1805. package/docs/zh-CN/tools/skills-config.md +78 -0
  1806. package/docs/zh-CN/tools/skills.md +279 -0
  1807. package/docs/zh-CN/tools/slash-commands.md +205 -0
  1808. package/docs/zh-CN/tools/subagents.md +167 -0
  1809. package/docs/zh-CN/tools/thinking.md +80 -0
  1810. package/docs/zh-CN/tools/web.md +289 -0
  1811. package/docs/zh-CN/tts.md +375 -0
  1812. package/docs/zh-CN/vps.md +47 -0
  1813. package/docs/zh-CN/web/control-ui.md +191 -0
  1814. package/docs/zh-CN/web/dashboard.md +53 -0
  1815. package/docs/zh-CN/web/index.md +118 -0
  1816. package/docs/zh-CN/web/tui.md +166 -0
  1817. package/docs/zh-CN/web/webchat.md +56 -0
  1818. package/openclaw.mjs +135 -0
  1819. package/package.json +835 -0
  1820. package/skills/1password/SKILL.md +70 -0
  1821. package/skills/1password/references/cli-examples.md +29 -0
  1822. package/skills/1password/references/get-started.md +17 -0
  1823. package/skills/apple-notes/SKILL.md +77 -0
  1824. package/skills/apple-reminders/SKILL.md +118 -0
  1825. package/skills/bear-notes/SKILL.md +107 -0
  1826. package/skills/blogwatcher/SKILL.md +69 -0
  1827. package/skills/blucli/SKILL.md +47 -0
  1828. package/skills/bluebubbles/SKILL.md +131 -0
  1829. package/skills/camsnap/SKILL.md +45 -0
  1830. package/skills/canvas/SKILL.md +198 -0
  1831. package/skills/clawhub/SKILL.md +77 -0
  1832. package/skills/coding-agent/SKILL.md +295 -0
  1833. package/skills/discord/SKILL.md +197 -0
  1834. package/skills/doubao-code/SKILL.md +43 -0
  1835. package/skills/eightctl/SKILL.md +50 -0
  1836. package/skills/gemini/SKILL.md +43 -0
  1837. package/skills/gh-issues/SKILL.md +865 -0
  1838. package/skills/gifgrep/SKILL.md +79 -0
  1839. package/skills/github/SKILL.md +163 -0
  1840. package/skills/gog/SKILL.md +116 -0
  1841. package/skills/goplaces/SKILL.md +52 -0
  1842. package/skills/healthcheck/SKILL.md +245 -0
  1843. package/skills/himalaya/SKILL.md +257 -0
  1844. package/skills/himalaya/references/configuration.md +184 -0
  1845. package/skills/himalaya/references/message-composition.md +199 -0
  1846. package/skills/imsg/SKILL.md +122 -0
  1847. package/skills/kimi-code/SKILL.md +42 -0
  1848. package/skills/mcporter/SKILL.md +61 -0
  1849. package/skills/model-usage/SKILL.md +69 -0
  1850. package/skills/model-usage/references/codexbar-cli.md +33 -0
  1851. package/skills/model-usage/scripts/model_usage.py +320 -0
  1852. package/skills/model-usage/scripts/test_model_usage.py +40 -0
  1853. package/skills/nano-pdf/SKILL.md +38 -0
  1854. package/skills/node-connect/SKILL.md +142 -0
  1855. package/skills/notion/SKILL.md +174 -0
  1856. package/skills/obsidian/SKILL.md +81 -0
  1857. package/skills/openai-image-gen/SKILL.md +92 -0
  1858. package/skills/openai-image-gen/scripts/gen.py +328 -0
  1859. package/skills/openai-image-gen/scripts/test_gen.py +140 -0
  1860. package/skills/openai-whisper/SKILL.md +38 -0
  1861. package/skills/openai-whisper-api/SKILL.md +52 -0
  1862. package/skills/openai-whisper-api/scripts/transcribe.sh +85 -0
  1863. package/skills/openhue/SKILL.md +112 -0
  1864. package/skills/oracle/SKILL.md +125 -0
  1865. package/skills/ordercli/SKILL.md +78 -0
  1866. package/skills/peekaboo/SKILL.md +190 -0
  1867. package/skills/sag/SKILL.md +87 -0
  1868. package/skills/session-logs/SKILL.md +115 -0
  1869. package/skills/sherpa-onnx-tts/SKILL.md +103 -0
  1870. package/skills/sherpa-onnx-tts/bin/sherpa-onnx-tts +178 -0
  1871. package/skills/skill-creator/SKILL.md +372 -0
  1872. package/skills/skill-creator/license.txt +202 -0
  1873. package/skills/skill-creator/scripts/init_skill.py +378 -0
  1874. package/skills/skill-creator/scripts/package_skill.py +139 -0
  1875. package/skills/skill-creator/scripts/quick_validate.py +159 -0
  1876. package/skills/skill-creator/scripts/test_package_skill.py +160 -0
  1877. package/skills/skill-creator/scripts/test_quick_validate.py +72 -0
  1878. package/skills/slack/SKILL.md +144 -0
  1879. package/skills/songsee/SKILL.md +49 -0
  1880. package/skills/sonoscli/SKILL.md +65 -0
  1881. package/skills/spotify-player/SKILL.md +64 -0
  1882. package/skills/summarize/SKILL.md +87 -0
  1883. package/skills/things-mac/SKILL.md +86 -0
  1884. package/skills/tmux/SKILL.md +153 -0
  1885. package/skills/tmux/scripts/find-sessions.sh +112 -0
  1886. package/skills/tmux/scripts/wait-for-text.sh +83 -0
  1887. package/skills/trello/SKILL.md +95 -0
  1888. package/skills/video-frames/SKILL.md +46 -0
  1889. package/skills/video-frames/scripts/frame.sh +81 -0
  1890. package/skills/voice-call/SKILL.md +45 -0
  1891. package/skills/wacli/SKILL.md +72 -0
  1892. package/skills/weather/SKILL.md +112 -0
  1893. package/skills/xurl/SKILL.md +461 -0
package/dist/secrets-cli-D1df8b0o.js ADDED
@@ -0,0 +1,2304 @@
1
+ import "./src-CmXHIz5f.js";
2
+ import "./redact-BDinS1q9.js";
3
+ import "./errors-BxyFnvP3.js";
4
+ import "./unhandled-rejections-CDJ8dOVP.js";
5
+ import "./logger-CoEtkjhn.js";
6
+ import { _ as resolveStateDir } from "./paths-GHJ97ebE.js";
7
+ import "./tmp-openclaw-dir-idKIOMmb.js";
8
+ import { r as theme } from "./theme-CdOoMzRk.js";
9
+ import { t as danger } from "./globals-41sdSaKv.js";
10
+ import { n as defaultRuntime } from "./runtime-CT2LIJZu.js";
11
+ import "./ansi-BEJF8NKS.js";
12
+ import "./subsystem-CUp-6QQf.js";
13
+ import "./boolean-DKtCJu_W.js";
14
+ import "./env-BP70DGuy.js";
15
+ import "./warning-filter-CgvLQB4Y.js";
16
+ import { g as resolveConfigDir, y as resolveUserPath } from "./utils-Bxk6BLTg.js";
17
+ import { t as formatDocsLink } from "./links-Bilm-v0z.js";
18
+ import { n as resolveAuthStorePath } from "./paths-nCHyK08H.js";
19
+ import "./auth-profiles-CWEIQV77.js";
20
+ import { c as normalizeAgentId } from "./session-key-gFFk3uv9.js";
21
+ import "./boundary-path-B3FFLYNx.js";
22
+ import "./boundary-file-read-BP6VMpqH.js";
23
+ import "./logger-Cqy7-Maj.js";
24
+ import "./exec-Dmex2w_d.js";
25
+ import "./workspace-BH7CXmrr.js";
26
+ import { a as resolveAgentDir, i as resolveAgentConfig, m as resolveDefaultAgentId, r as listAgentIds } from "./agent-scope-DPP4Z_UU.js";
27
+ import "./model-selection-BTpJnslv.js";
28
+ import { r as normalizeProviderId } from "./provider-id-BpXo5t6v.js";
29
+ import { i as createConfigIO } from "./io-jOnQRia2.js";
30
+ import "./host-env-security-BogNN146.js";
31
+ import "./shell-env-cD92jEyV.js";
32
+ import "./safe-text-B_CQuica.js";
33
+ import "./version-DCY9_obP.js";
34
+ import { d as resolveSecretInputRef, i as coerceSecretRef } from "./types.secrets-BWSeXrF4.js";
35
+ import "./env-substitution-D6t_sLS_.js";
36
+ import "./includes-7XyL3p1c.js";
37
+ import "./zod-schema.providers-core-Dgq7MTqU.js";
38
+ import { t as isSafeExecutableValue } from "./exec-safety-CaaBy-Zw.js";
39
+ import "./legacy-web-search-BgZjNG2h.js";
40
+ import "./registry-rgYi7KoO.js";
41
+ import "./config-state-CE0CGjey.js";
42
+ import "./manifest-registry-B90TyTWl.js";
43
+ import "./avatar-policy-Ds9e6uHI.js";
44
+ import "./ip-C8vmzVu0.js";
45
+ import "./zod-schema.agent-runtime-T_EC_6fg.js";
46
+ import { a as formatExecSecretRefIdValidationMessage, c as isValidSecretProviderAlias, l as resolveDefaultSecretProviderAlias, o as isValidExecSecretRefId, u as secretRefKey } from "./ref-contract-CCBBbf1r.js";
47
+ import { C as SecretProviderSchema } from "./zod-schema.core-BdgRr-F1.js";
48
+ import "./config-pn7LKJdW.js";
49
+ import "./file-lock-WbEmczmY.js";
50
+ import "./audit-fs-oDMUa5N_.js";
51
+ import { t as runTasksWithConcurrency } from "./run-with-concurrency-BrSjWzpg.js";
52
+ import { a as parseDotPath, c as writeTextFileAtomic, n as isNonEmptyString, o as parseEnvValue, r as isRecord, s as toDotPath, t as describeUnknownError } from "./shared-AygSbeCK.js";
53
+ import { a as resolveSecretRefValue, o as resolveSecretRefValues, r as isProviderScopedSecretResolutionError } from "./resolve-T2q_0ARF.js";
54
+ import { d as loadAuthProfileStoreForSecretsRuntime } from "./profiles-D17eMKQZ.js";
55
+ import "./repair-qXnOAvDy.js";
56
+ import "./tailscale-Cbsx-2HB.js";
57
+ import "./tailnet-ofqBrXzu.js";
58
+ import "./net-DlJFp95v.js";
59
+ import "./auth-O6LQFLHJ.js";
60
+ import "./credentials-BPwBlm1X.js";
61
+ import "./message-channel-Cy-gN4K2.js";
62
+ import "./store-CvL8MPei.js";
63
+ import "./runtime-CuvWMN7E.js";
64
+ import "./registry-C3q59Qj0.js";
65
+ import "./plugins-1Z50ecJ6.js";
66
+ import "./sessions-DaSBVNwD.js";
67
+ import "./paths-CTjJI9l0.js";
68
+ import "./session-write-lock-DNKvpjKf.js";
69
+ import "./method-scopes-DgypDW23.js";
70
+ import "./call-BmLt3xO1.js";
71
+ import "./ports-lsof-DtJqhFOr.js";
72
+ import "./restart-stale-pids-CLGiqU2E.js";
73
+ import "./ports-DFiK_Jc-.js";
74
+ import "./logging-CbTTfADU.js";
75
+ import "./commands-Bb9xUwz9.js";
76
+ import "./progress-D1r9bZU1.js";
77
+ import "./identity-cyBYcoXS.js";
78
+ import "./secret-input-4REZ4sHo.js";
79
+ import "./bindings-kjwuC11Q.js";
80
+ import "./resolve-route-vEY3ONZ2.js";
81
+ import "./routing-Y3m0o-kB.js";
82
+ import "./base-session-key-Cf2rkwag.js";
83
+ import "./token-Bgv8XEsC.js";
84
+ import { As as prepareSecretsRuntimeSnapshot, Dp as isExpectedResolvedSecretValue, Ep as hasConfiguredPlaintextSecretValue, Tp as assertExpectedResolvedSecretValue } from "./pi-embedded-CSQySvOV.js";
85
+ import "./identity-file-EndG1nfc.js";
86
+ import "./identity-DovQV4zD.js";
87
+ import { i as listKnownSecretEnvVarNames, n as PROVIDER_ENV_VARS } from "./provider-env-vars-CsQlY7bF.js";
88
+ import { f as isNonSecretApiKeyMarker, m as isSecretRefHeaderValueMarker } from "./model-auth-env-CF9ts7Th.js";
89
+ import "./anthropic-vertex-provider-Dd5agCN9.js";
90
+ import "./model-auth-B__TJTPw.js";
91
+ import "./kilocode-shared-DS7_0IMs.js";
92
+ import "./provider-models-C2EjYMwW.js";
93
+ import "./provider-model-allowlist-4HSOnlX-.js";
94
+ import "./retry-D15TD1S3.js";
95
+ import "./models-config.providers.discovery-BaIk1NKL.js";
96
+ import "./state-paths-DJIGEFq_.js";
97
+ import "./cli-runtime-aAVwbEYy.js";
98
+ import "./runtime-env-a_iwdJIv.js";
99
+ import "./diagnostic-DqJXx_4Q.js";
100
+ import "./text-runtime-C_Roi_Je.js";
101
+ import "./config-presence-BmUF_5K9.js";
102
+ import "./thread-bindings-messages-Cdo8jSa9.js";
103
+ import "./conversation-runtime-1O0Aaolb.js";
104
+ import "./registry-CPsHw6xU.js";
105
+ import "./internal-hooks-0uipqzRY.js";
106
+ import "./http-registry-WFFbLYRd.js";
107
+ import "./runtime-whatsapp-boundary-xZem0NyQ.js";
108
+ import "./provider-catalog-D7QvsUXS.js";
109
+ import "./provider-catalog-C5vmXjmb.js";
110
+ import "./provider-catalog--18-pW5t.js";
111
+ import "./tool-catalog-BV6FcEWS.js";
112
+ import "./docker-XFNiArwM.js";
113
+ import "./sandbox-CUUouiKs.js";
114
+ import "./common-CUBlLRXB.js";
115
+ import "./image-ops-j01UkxEv.js";
116
+ import "./thinking-BBD_0HSp.js";
117
+ import "./path-alias-guards-ZTKqurNH.js";
118
+ import "./sandbox-paths-fqp_TZdO.js";
119
+ import "./typebox-D0SHDJST.js";
120
+ import "./mime-C4vVTBso.js";
121
+ import "./ssrf-Dk9XaoKN.js";
122
+ import "./fetch-guard-DIyN1HW5.js";
123
+ import "./provider-web-search-NzK8ep1E.js";
124
+ import "./manager-ChTGDe87.js";
125
+ import "./heartbeat-7aHh0m3d.js";
126
+ import "./typing-DG_YqWJ7.js";
127
+ import { a as isKnownSecretTargetType, d as getPath, f as setPathCreateStrict, l as resolvePlanTargetAgainstRegistry, n as discoverConfigSecretTargets, o as listAuthProfileSecretTargetEntries, t as discoverAuthProfileSecretTargets, u as deletePathStrict } from "./target-registry-krAVlXi_.js";
128
+ import "./external-content-BUdUOqkv.js";
129
+ import "./brave-CkimJe4j.js";
130
+ import "./channel-config-helpers-CieQWILI.js";
131
+ import "./whatsapp-DXbWlm3A.js";
132
+ import "./delegate-D4ql5N70.js";
133
+ import "./config-schema-B1UGMwZ8.js";
134
+ import "./secret-file-DYJtH6kf.js";
135
+ import "./core-C7aHA4Aq.js";
136
+ import "./security-runtime-BuEhpJVE.js";
137
+ import "./pairing-store-C4lsd4pO.js";
138
+ import "./json-store-O1LwpnBH.js";
139
+ import "./dm-policy-shared-6bCJzHOS.js";
140
+ import "./provider-auth-ref-BS3gwrNr.js";
141
+ import "./provider-auth-input-BftBdgvW.js";
142
+ import "./provider-auth-Bw8x1a3o.js";
143
+ import "./provider-auth-helpers-B0dS-1WK.js";
144
+ import "./provider-api-key-auth-BE0taXiB.js";
145
+ import "./image-generation-CNKc-mFK.js";
146
+ import "./shared-LeP8iUTz.js";
147
+ import "./provider-usage-ClDVmkhl.js";
148
+ import "./media-understanding-DD2uMjK8.js";
149
+ import "./provider-onboard-CjOfyeQG.js";
150
+ import "./perplexity-Beshd9zu.js";
151
+ import "./provider-auth-api-key-BrQYvdxi.js";
152
+ import "./command-secret-targets-COcwhn-D.js";
153
+ import "./whatsapp-heartbeat-CSWnPQ7q.js";
154
+ import "./fs-safe-D3qzH-ab.js";
155
+ import "./web-media-CtU6jM5V.js";
156
+ import "./local-roots-DAzCjWbC.js";
157
+ import "./frontmatter-S5vS-I4a.js";
158
+ import "./env-overrides-JneV60sd.js";
159
+ import "./skills-CCgKs_NJ.js";
160
+ import "./skill-commands-CiSwTFBQ.js";
161
+ import "./workspace-dirs-_O4V3xCR.js";
162
+ import "./pairing-token-gKj4SNFJ.js";
163
+ import "./model-selection-Ci9cPkL2.js";
164
+ import "./system-events-mAu6Ap6K.js";
165
+ import "./pi-model-discovery-CuX5CDyZ.js";
166
+ import "./message-hook-mappers-BBTV3JRQ.js";
167
+ import "./delivery-queue-DrrqB4Hi.js";
168
+ import "./channel-plugin-common-BhTxCE5t.js";
169
+ import "./shared-BU0QgVMZ.js";
170
+ import "./status-helpers-Cda-rGLX.js";
171
+ import "./config-runtime-CstET7fq.js";
172
+ import "./routes-TpLEcKO8.js";
173
+ import "./media-limits-Cuvmmhop.js";
174
+ import "./axios-xDDnM0KG.js";
175
+ import "./manager-DuwFn87U.js";
176
+ import "./web-media-BfBb8i48.js";
177
+ import "./mentions-Bxys_va0.js";
178
+ import "./commands-registry.data-XyUTELK9.js";
179
+ import "./commands-registry-ChCep1KJ.js";
180
+ import "./channel-inbound-DwzVf2PK.js";
181
+ import "./config-DdDLrP_v.js";
182
+ import "./ssh-tunnel-Cz51VBAt.js";
183
+ import "./server-middleware-CCqKhKUb.js";
184
+ import "./read-only-account-inspect-DPJzadPo.js";
185
+ import "./channel-summary-CdYLGMVt.js";
186
+ import "./channel-policy-C4GKHvhz.js";
187
+ import "./resolve-utils-CbqJY2bs.js";
188
+ import "./allow-from-C4iBpqFI.js";
189
+ import "./channel-actions-DU2CR3xW.js";
190
+ import "./exec-approvals-BJhuySBz.js";
191
+ import "./exec-approvals-allowlist-B_wPddCb.js";
192
+ import "./http-body-CCiSfloA.js";
193
+ import "./ssrf-policy-Dk6oMa20.js";
194
+ import "./history-CHjo8B5W.js";
195
+ import "./reply-history-CVCD5oE9.js";
196
+ import "./channel-reply-pipeline-CPTuaW8n.js";
197
+ import "./exec-safe-bin-runtime-policy-BZkObC8r.js";
198
+ import "./nodes-screen-CQ7IvP62.js";
199
+ import "./system-run-command-Cxq2F1MB.js";
200
+ import "./stagger-DU7FjHYo.js";
201
+ import "./tool-policy-match-CHqTCSdK.js";
202
+ import "./setup-binary-BOJA7zdN.js";
203
+ import "./archive-Tr0wIUO-.js";
204
+ import "./signal-cli-install-DxoL8CgF.js";
205
+ import "./directory-runtime-DhC8QkMq.js";
206
+ import "./timeouts-BwR1sGom.js";
207
+ import "./outbound-runtime-ic_7ulJJ.js";
208
+ import "./acp-runtime-BdLdT-QY.js";
209
+ import "./gateway-runtime-ih2e7a2K.js";
210
+ import "./connection-auth-BSQJeDOU.js";
211
+ import "./discord-core-5tkl-BzP.js";
212
+ import "./with-timeout-2AKTISee.js";
213
+ import "./multimodal-DC43jYNv.js";
214
+ import "./memory-search-Das1tiuB.js";
215
+ import "./query-expansion-Do45hILP.js";
216
+ import "./search-manager-r8Cw4ZRv.js";
217
+ import "./memory-DBjQ0TPd.js";
218
+ import "./mcp-config-Coky4zS4.js";
219
+ import { n as callGatewayFromCli, t as addGatewayClientOptions } from "./gateway-rpc-C0Ey-rik.js";
220
+ import fs from "node:fs";
221
+ import path from "node:path";
222
+ import os from "node:os";
223
+ import { isDeepStrictEqual } from "node:util";
224
+ import { confirm, select, text } from "@clack/prompts";
225
+ //#region src/secrets/auth-profiles-scan.ts
226
+ function getAuthProfileFieldName(pathPattern) {
227
+ const segments = pathPattern.split(".").filter(Boolean);
228
+ return segments[segments.length - 1] ?? "";
229
+ }
230
+ const AUTH_PROFILE_FIELD_SPEC_BY_TYPE = (() => {
231
+ const defaults = {
232
+ api_key: {
233
+ valueField: "key",
234
+ refField: "keyRef"
235
+ },
236
+ token: {
237
+ valueField: "token",
238
+ refField: "tokenRef"
239
+ }
240
+ };
241
+ for (const target of listAuthProfileSecretTargetEntries()) {
242
+ if (!target.authProfileType) continue;
243
+ defaults[target.authProfileType] = {
244
+ valueField: getAuthProfileFieldName(target.pathPattern),
245
+ refField: target.refPathPattern !== void 0 ? getAuthProfileFieldName(target.refPathPattern) : defaults[target.authProfileType].refField
246
+ };
247
+ }
248
+ return defaults;
249
+ })();
250
+ function getAuthProfileFieldSpec(type) {
251
+ return AUTH_PROFILE_FIELD_SPEC_BY_TYPE[type];
252
+ }
253
+ function toSecretCredentialVisit(params) {
254
+ const spec = getAuthProfileFieldSpec(params.kind);
255
+ return {
256
+ kind: params.kind,
257
+ profileId: params.profileId,
258
+ provider: params.provider,
259
+ profile: params.profile,
260
+ valueField: spec.valueField,
261
+ refField: spec.refField,
262
+ value: params.profile[spec.valueField],
263
+ refValue: params.profile[spec.refField]
264
+ };
265
+ }
266
+ function* iterateAuthProfileCredentials(profiles) {
267
+ for (const [profileId, value] of Object.entries(profiles)) {
268
+ if (!isRecord(value) || !isNonEmptyString(value.provider)) continue;
269
+ const provider = String(value.provider);
270
+ if (value.type === "api_key" || value.type === "token") {
271
+ yield toSecretCredentialVisit({
272
+ kind: value.type,
273
+ profileId,
274
+ provider,
275
+ profile: value
276
+ });
277
+ continue;
278
+ }
279
+ if (value.type === "oauth") yield {
280
+ kind: "oauth",
281
+ profileId,
282
+ provider,
283
+ profile: value,
284
+ hasAccess: isNonEmptyString(value.access),
285
+ hasRefresh: isNonEmptyString(value.refresh)
286
+ };
287
+ }
288
+ }
289
+ //#endregion
290
+ //#region src/secrets/config-io.ts
291
+ const silentConfigIoLogger = {
292
+ error: () => {},
293
+ warn: () => {}
294
+ };
295
+ function createSecretsConfigIO(params) {
296
+ return createConfigIO({
297
+ env: params.env,
298
+ logger: silentConfigIoLogger
299
+ });
300
+ }
301
+ //#endregion
302
+ //#region src/secrets/exec-resolution-policy.ts
303
+ function selectRefsForExecPolicy(params) {
304
+ const refsToResolve = [];
305
+ const skippedExecRefs = [];
306
+ for (const ref of params.refs) {
307
+ if (ref.source === "exec" && !params.allowExec) {
308
+ skippedExecRefs.push(ref);
309
+ continue;
310
+ }
311
+ refsToResolve.push(ref);
312
+ }
313
+ return {
314
+ refsToResolve,
315
+ skippedExecRefs
316
+ };
317
+ }
318
+ function getSkippedExecRefStaticError(params) {
319
+ const id = params.ref.id.trim();
320
+ const refLabel = `${params.ref.source}:${params.ref.provider}:${id}`;
321
+ if (!id) return "Error: Secret reference id is empty.";
322
+ if (!isValidExecSecretRefId(id)) return `Error: ${formatExecSecretRefIdValidationMessage()} (ref: ${refLabel}).`;
323
+ const providerConfig = params.config.secrets?.providers?.[params.ref.provider];
324
+ if (!providerConfig) return `Error: Secret provider "${params.ref.provider}" is not configured (ref: ${refLabel}).`;
325
+ if (providerConfig.source !== params.ref.source) return `Error: Secret provider "${params.ref.provider}" has source "${providerConfig.source}" but ref requests "${params.ref.source}".`;
326
+ return null;
327
+ }
328
+ //#endregion
329
+ //#region src/secrets/plan.ts
330
+ const FORBIDDEN_PATH_SEGMENTS = new Set([
331
+ "__proto__",
332
+ "prototype",
333
+ "constructor"
334
+ ]);
335
+ function isObjectRecord(value) {
336
+ return Boolean(value) && typeof value === "object" && !Array.isArray(value);
337
+ }
338
+ function isSecretProviderConfigShape(value) {
339
+ return SecretProviderSchema.safeParse(value).success;
340
+ }
341
+ function hasForbiddenPathSegment(segments) {
342
+ return segments.some((segment) => FORBIDDEN_PATH_SEGMENTS.has(segment));
343
+ }
344
+ function resolveValidatedPlanTarget(candidate) {
345
+ if (!isKnownSecretTargetType(candidate.type)) return null;
346
+ const path = typeof candidate.path === "string" ? candidate.path.trim() : "";
347
+ if (!path) return null;
348
+ const segments = Array.isArray(candidate.pathSegments) && candidate.pathSegments.length > 0 ? candidate.pathSegments.map((segment) => String(segment).trim()).filter(Boolean) : parseDotPath(path);
349
+ if (segments.length === 0 || hasForbiddenPathSegment(segments) || path !== toDotPath(segments)) return null;
350
+ return resolvePlanTargetAgainstRegistry({
351
+ type: candidate.type,
352
+ pathSegments: segments,
353
+ providerId: candidate.providerId,
354
+ accountId: candidate.accountId
355
+ });
356
+ }
357
+ function isSecretsApplyPlan(value) {
358
+ if (!value || typeof value !== "object" || Array.isArray(value)) return false;
359
+ const typed = value;
360
+ if (typed.version !== 1 || typed.protocolVersion !== 1 || !Array.isArray(typed.targets)) return false;
361
+ for (const target of typed.targets) {
362
+ if (!target || typeof target !== "object") return false;
363
+ const candidate = target;
364
+ const ref = candidate.ref;
365
+ const resolved = resolveValidatedPlanTarget({
366
+ type: candidate.type,
367
+ path: candidate.path,
368
+ pathSegments: candidate.pathSegments,
369
+ agentId: candidate.agentId,
370
+ providerId: candidate.providerId,
371
+ accountId: candidate.accountId,
372
+ authProfileProvider: candidate.authProfileProvider
373
+ });
374
+ if (!isKnownSecretTargetType(candidate.type) || typeof candidate.path !== "string" || !candidate.path.trim() || candidate.pathSegments !== void 0 && !Array.isArray(candidate.pathSegments) || !resolved || !ref || typeof ref !== "object" || ref.source !== "env" && ref.source !== "file" && ref.source !== "exec" || typeof ref.provider !== "string" || ref.provider.trim().length === 0 || typeof ref.id !== "string" || ref.id.trim().length === 0 || ref.source === "exec" && !isValidExecSecretRefId(ref.id)) return false;
375
+ if (resolved.entry.configFile === "auth-profiles.json") {
376
+ if (typeof candidate.agentId !== "string" || candidate.agentId.trim().length === 0) return false;
377
+ if (candidate.authProfileProvider !== void 0 && (typeof candidate.authProfileProvider !== "string" || candidate.authProfileProvider.trim().length === 0)) return false;
378
+ }
379
+ }
380
+ if (typed.providerUpserts !== void 0) {
381
+ if (!isObjectRecord(typed.providerUpserts)) return false;
382
+ for (const [providerAlias, providerValue] of Object.entries(typed.providerUpserts)) {
383
+ if (!isValidSecretProviderAlias(providerAlias)) return false;
384
+ if (!isSecretProviderConfigShape(providerValue)) return false;
385
+ }
386
+ }
387
+ if (typed.providerDeletes !== void 0) {
388
+ if (!Array.isArray(typed.providerDeletes) || typed.providerDeletes.some((providerAlias) => typeof providerAlias !== "string" || !isValidSecretProviderAlias(providerAlias))) return false;
389
+ }
390
+ return true;
391
+ }
392
+ function normalizeSecretsPlanOptions(options) {
393
+ return {
394
+ scrubEnv: options?.scrubEnv ?? true,
395
+ scrubAuthProfilesForProviderTargets: options?.scrubAuthProfilesForProviderTargets ?? true,
396
+ scrubLegacyAuthJson: options?.scrubLegacyAuthJson ?? true
397
+ };
398
+ }
399
+ //#endregion
400
+ //#region src/secrets/auth-store-paths.ts
401
+ function listAuthProfileStorePaths$1(config, stateDir) {
402
+ const paths = /* @__PURE__ */ new Set();
403
+ paths.add(path.join(resolveUserPath(stateDir), "agents", "main", "agent", "auth-profiles.json"));
404
+ const agentsRoot = path.join(resolveUserPath(stateDir), "agents");
405
+ if (fs.existsSync(agentsRoot)) for (const entry of fs.readdirSync(agentsRoot, { withFileTypes: true })) {
406
+ if (!entry.isDirectory()) continue;
407
+ paths.add(path.join(agentsRoot, entry.name, "agent", "auth-profiles.json"));
408
+ }
409
+ for (const agentId of listAgentIds(config)) {
410
+ if (agentId === "main") {
411
+ paths.add(path.join(resolveUserPath(stateDir), "agents", "main", "agent", "auth-profiles.json"));
412
+ continue;
413
+ }
414
+ const agentDir = resolveAgentDir(config, agentId);
415
+ paths.add(resolveUserPath(resolveAuthStorePath(agentDir)));
416
+ }
417
+ return [...paths];
418
+ }
419
+ //#endregion
420
+ //#region src/secrets/storage-scan.ts
421
+ function parseEnvAssignmentValue(raw) {
422
+ return parseEnvValue(raw);
423
+ }
424
+ function listAuthProfileStorePaths(config, stateDir) {
425
+ return listAuthProfileStorePaths$1(config, stateDir);
426
+ }
427
+ function listLegacyAuthJsonPaths(stateDir) {
428
+ const out = [];
429
+ const agentsRoot = path.join(resolveUserPath(stateDir), "agents");
430
+ if (!fs.existsSync(agentsRoot)) return out;
431
+ for (const entry of fs.readdirSync(agentsRoot, { withFileTypes: true })) {
432
+ if (!entry.isDirectory()) continue;
433
+ const candidate = path.join(agentsRoot, entry.name, "agent", "auth.json");
434
+ if (fs.existsSync(candidate)) out.push(candidate);
435
+ }
436
+ return out;
437
+ }
438
+ function resolveActiveAgentDir(stateDir, env = process.env) {
439
+ const override = env.OPENCLAW_AGENT_DIR?.trim() || env.PI_CODING_AGENT_DIR?.trim();
440
+ if (override) return resolveUserPath(override);
441
+ return path.join(resolveUserPath(stateDir), "agents", "main", "agent");
442
+ }
443
+ function listAgentModelsJsonPaths(config, stateDir, env = process.env) {
444
+ const resolvedStateDir = resolveUserPath(stateDir);
445
+ const paths = /* @__PURE__ */ new Set();
446
+ paths.add(path.join(resolvedStateDir, "agents", "main", "agent", "models.json"));
447
+ paths.add(path.join(resolveActiveAgentDir(stateDir, env), "models.json"));
448
+ const agentsRoot = path.join(resolvedStateDir, "agents");
449
+ if (fs.existsSync(agentsRoot)) for (const entry of fs.readdirSync(agentsRoot, { withFileTypes: true })) {
450
+ if (!entry.isDirectory()) continue;
451
+ paths.add(path.join(agentsRoot, entry.name, "agent", "models.json"));
452
+ }
453
+ for (const agentId of listAgentIds(config)) {
454
+ if (agentId === "main") {
455
+ paths.add(path.join(resolvedStateDir, "agents", "main", "agent", "models.json"));
456
+ continue;
457
+ }
458
+ const agentDir = resolveAgentDir(config, agentId);
459
+ paths.add(path.join(resolveUserPath(agentDir), "models.json"));
460
+ }
461
+ return [...paths];
462
+ }
463
+ function readJsonObjectIfExists(filePath, options = {}) {
464
+ if (!fs.existsSync(filePath)) return { value: null };
465
+ try {
466
+ const stats = fs.statSync(filePath);
467
+ if (options.requireRegularFile && !stats.isFile()) return {
468
+ value: null,
469
+ error: `Refusing to read non-regular file: ${filePath}`
470
+ };
471
+ if (typeof options.maxBytes === "number" && Number.isFinite(options.maxBytes) && options.maxBytes >= 0 && stats.size > options.maxBytes) return {
472
+ value: null,
473
+ error: `Refusing to read oversized JSON (${stats.size} bytes): ${filePath}`
474
+ };
475
+ const raw = fs.readFileSync(filePath, "utf8");
476
+ const parsed = JSON.parse(raw);
477
+ if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return { value: null };
478
+ return { value: parsed };
479
+ } catch (err) {
480
+ return {
481
+ value: null,
482
+ error: err instanceof Error ? err.message : String(err)
483
+ };
484
+ }
485
+ }
486
+ //#endregion
487
+ //#region src/secrets/apply.ts
488
+ function planContainsExecReferences(plan) {
489
+ if (plan.targets.some((target) => target.ref.source === "exec")) return true;
490
+ return Object.values(plan.providerUpserts ?? {}).some((provider) => provider.source === "exec");
491
+ }
492
+ function resolveTarget(target) {
493
+ const resolved = resolveValidatedPlanTarget(target);
494
+ if (!resolved) throw new Error(`Invalid plan target path for ${target.type}: ${target.path}`);
495
+ return resolved;
496
+ }
497
+ function scrubEnvRaw(raw, migratedValues, allowedEnvKeys) {
498
+ if (migratedValues.size === 0 || allowedEnvKeys.size === 0) return {
499
+ nextRaw: raw,
500
+ removed: 0
501
+ };
502
+ const lines = raw.split(/\r?\n/);
503
+ const nextLines = [];
504
+ let removed = 0;
505
+ for (const line of lines) {
506
+ const match = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
507
+ if (!match) {
508
+ nextLines.push(line);
509
+ continue;
510
+ }
511
+ const envKey = match[1] ?? "";
512
+ if (!allowedEnvKeys.has(envKey)) {
513
+ nextLines.push(line);
514
+ continue;
515
+ }
516
+ const parsedValue = parseEnvAssignmentValue(match[2] ?? "");
517
+ if (migratedValues.has(parsedValue)) {
518
+ removed += 1;
519
+ continue;
520
+ }
521
+ nextLines.push(line);
522
+ }
523
+ const hadTrailingNewline = raw.endsWith("\n");
524
+ const joined = nextLines.join("\n");
525
+ return {
526
+ nextRaw: hadTrailingNewline || joined.length === 0 ? `${joined}${joined.endsWith("\n") ? "" : "\n"}` : joined,
527
+ removed
528
+ };
529
+ }
530
+ function applyProviderPlanMutations(params) {
531
+ const currentProviders = isRecord(params.config.secrets?.providers) ? structuredClone(params.config.secrets?.providers) : {};
532
+ let changed = false;
533
+ for (const providerAlias of params.deletes ?? []) {
534
+ if (!Object.prototype.hasOwnProperty.call(currentProviders, providerAlias)) continue;
535
+ delete currentProviders[providerAlias];
536
+ changed = true;
537
+ }
538
+ for (const [providerAlias, providerConfig] of Object.entries(params.upserts ?? {})) {
539
+ const previous = currentProviders[providerAlias];
540
+ if (isDeepStrictEqual(previous, providerConfig)) continue;
541
+ currentProviders[providerAlias] = structuredClone(providerConfig);
542
+ changed = true;
543
+ }
544
+ if (!changed) return false;
545
+ params.config.secrets ??= {};
546
+ if (Object.keys(currentProviders).length === 0) {
547
+ if ("providers" in params.config.secrets) delete params.config.secrets.providers;
548
+ return true;
549
+ }
550
+ params.config.secrets.providers = currentProviders;
551
+ return true;
552
+ }
553
+ async function projectPlanState(params) {
554
+ const { snapshot, writeOptions } = await createSecretsConfigIO({ env: params.env }).readConfigFileSnapshotForWrite();
555
+ if (!snapshot.valid) throw new Error("Cannot apply secrets plan: config is invalid.");
556
+ const options = normalizeSecretsPlanOptions(params.plan.options);
557
+ const nextConfig = structuredClone(snapshot.config);
558
+ const stateDir = resolveStateDir(params.env, os.homedir);
559
+ const changedFiles = /* @__PURE__ */ new Set();
560
+ const warnings = [];
561
+ const configPath = resolveUserPath(snapshot.path);
562
+ if (applyProviderPlanMutations({
563
+ config: nextConfig,
564
+ upserts: params.plan.providerUpserts,
565
+ deletes: params.plan.providerDeletes
566
+ })) changedFiles.add(configPath);
567
+ const targetMutations = applyConfigTargetMutations({
568
+ planTargets: params.plan.targets,
569
+ nextConfig,
570
+ stateDir,
571
+ authStoreByPath: /* @__PURE__ */ new Map(),
572
+ changedFiles
573
+ });
574
+ if (targetMutations.configChanged) changedFiles.add(configPath);
575
+ const authStoreByPath = scrubAuthStoresForProviderTargets({
576
+ nextConfig,
577
+ stateDir,
578
+ providerTargets: targetMutations.providerTargets,
579
+ scrubbedValues: targetMutations.scrubbedValues,
580
+ authStoreByPath: targetMutations.authStoreByPath,
581
+ changedFiles,
582
+ warnings,
583
+ enabled: options.scrubAuthProfilesForProviderTargets
584
+ });
585
+ const authJsonByPath = scrubLegacyAuthJsonStores({
586
+ stateDir,
587
+ changedFiles,
588
+ enabled: options.scrubLegacyAuthJson
589
+ });
590
+ const envRawByPath = scrubEnvFiles({
591
+ env: params.env,
592
+ scrubbedValues: targetMutations.scrubbedValues,
593
+ changedFiles,
594
+ enabled: options.scrubEnv
595
+ });
596
+ const validation = await validateProjectedSecretsState({
597
+ env: params.env,
598
+ nextConfig,
599
+ resolvedTargets: targetMutations.resolvedTargets,
600
+ authStoreByPath,
601
+ write: params.write,
602
+ allowExecInDryRun: params.allowExecInDryRun
603
+ });
604
+ return {
605
+ nextConfig,
606
+ configPath,
607
+ configWriteOptions: writeOptions,
608
+ authStoreByPath,
609
+ authJsonByPath,
610
+ envRawByPath,
611
+ changedFiles,
612
+ warnings,
613
+ refsChecked: validation.refsChecked,
614
+ skippedExecRefs: validation.skippedExecRefs,
615
+ resolvabilityComplete: validation.resolvabilityComplete
616
+ };
617
+ }
618
+ function applyConfigTargetMutations(params) {
619
+ const resolvedTargets = params.planTargets.map((target) => ({
620
+ target,
621
+ resolved: resolveTarget(target)
622
+ }));
623
+ const scrubbedValues = /* @__PURE__ */ new Set();
624
+ const providerTargets = /* @__PURE__ */ new Set();
625
+ let configChanged = false;
626
+ for (const { target, resolved } of resolvedTargets) {
627
+ if (resolved.entry.configFile === "auth-profiles.json") {
628
+ if (applyAuthProfileTargetMutation({
629
+ target,
630
+ resolved,
631
+ nextConfig: params.nextConfig,
632
+ stateDir: params.stateDir,
633
+ authStoreByPath: params.authStoreByPath,
634
+ scrubbedValues
635
+ })) {
636
+ const agentId = String(target.agentId ?? "").trim();
637
+ if (!agentId) throw new Error(`Missing required agentId for auth-profiles target ${target.path}.`);
638
+ params.changedFiles.add(resolveAuthStorePathForAgent({
639
+ nextConfig: params.nextConfig,
640
+ stateDir: params.stateDir,
641
+ agentId
642
+ }));
643
+ }
644
+ continue;
645
+ }
646
+ const targetPathSegments = resolved.pathSegments;
647
+ if (resolved.entry.secretShape === "sibling_ref") {
648
+ const previous = getPath(params.nextConfig, targetPathSegments);
649
+ if (isNonEmptyString(previous)) scrubbedValues.add(previous.trim());
650
+ const refPathSegments = resolved.refPathSegments;
651
+ if (!refPathSegments) throw new Error(`Missing sibling ref path for target ${target.type}.`);
652
+ const wroteRef = setPathCreateStrict(params.nextConfig, refPathSegments, target.ref);
653
+ const deletedLegacy = deletePathStrict(params.nextConfig, targetPathSegments);
654
+ if (wroteRef || deletedLegacy) configChanged = true;
655
+ continue;
656
+ }
657
+ const previous = getPath(params.nextConfig, targetPathSegments);
658
+ if (isNonEmptyString(previous)) scrubbedValues.add(previous.trim());
659
+ if (setPathCreateStrict(params.nextConfig, targetPathSegments, target.ref)) configChanged = true;
660
+ if (resolved.entry.trackProviderShadowing && resolved.providerId) providerTargets.add(normalizeProviderId(resolved.providerId));
661
+ }
662
+ return {
663
+ resolvedTargets,
664
+ scrubbedValues,
665
+ providerTargets,
666
+ configChanged,
667
+ authStoreByPath: params.authStoreByPath
668
+ };
669
+ }
670
+ function scrubAuthStoresForProviderTargets(params) {
671
+ if (!params.enabled || params.providerTargets.size === 0) return params.authStoreByPath;
672
+ for (const authStorePath of listAuthProfileStorePaths(params.nextConfig, params.stateDir)) {
673
+ const parsed = params.authStoreByPath.get(authStorePath) ?? readJsonObjectIfExists(authStorePath).value;
674
+ if (!parsed || !isRecord(parsed.profiles)) continue;
675
+ const nextStore = structuredClone(parsed);
676
+ let mutated = false;
677
+ for (const profile of iterateAuthProfileCredentials(nextStore.profiles)) {
678
+ const provider = normalizeProviderId(profile.provider);
679
+ if (!params.providerTargets.has(provider)) continue;
680
+ if (profile.kind === "api_key" || profile.kind === "token") {
681
+ if (isNonEmptyString(profile.value)) params.scrubbedValues.add(profile.value.trim());
682
+ if (profile.valueField in profile.profile) {
683
+ delete profile.profile[profile.valueField];
684
+ mutated = true;
685
+ }
686
+ if (profile.refField in profile.profile) {
687
+ delete profile.profile[profile.refField];
688
+ mutated = true;
689
+ }
690
+ continue;
691
+ }
692
+ if (profile.kind === "oauth" && (profile.hasAccess || profile.hasRefresh)) params.warnings.push(`Provider "${provider}" has OAuth credentials in ${authStorePath}; those still take precedence and are out of scope for static SecretRef migration.`);
693
+ }
694
+ if (mutated) {
695
+ params.authStoreByPath.set(authStorePath, nextStore);
696
+ params.changedFiles.add(authStorePath);
697
+ }
698
+ }
699
+ return params.authStoreByPath;
700
+ }
701
+ function ensureMutableAuthStore(store) {
702
+ const next = store ? structuredClone(store) : {};
703
+ if (!isRecord(next.profiles)) next.profiles = {};
704
+ if (typeof next.version !== "number" || !Number.isFinite(next.version)) next.version = 1;
705
+ return next;
706
+ }
707
+ function resolveAuthStoreForTarget(params) {
708
+ const agentId = String(params.target.agentId ?? "").trim();
709
+ if (!agentId) throw new Error(`Missing required agentId for auth-profiles target ${params.target.path}.`);
710
+ const authStorePath = resolveAuthStorePathForAgent({
711
+ nextConfig: params.nextConfig,
712
+ stateDir: params.stateDir,
713
+ agentId
714
+ });
715
+ const loaded = params.authStoreByPath.get(authStorePath) ?? readJsonObjectIfExists(authStorePath).value;
716
+ const store = ensureMutableAuthStore(isRecord(loaded) ? loaded : void 0);
717
+ params.authStoreByPath.set(authStorePath, store);
718
+ return {
719
+ path: authStorePath,
720
+ store
721
+ };
722
+ }
723
+ function asConfigPathRoot(store) {
724
+ return store;
725
+ }
726
+ function resolveAuthStorePathForAgent(params) {
727
+ const normalizedAgentId = normalizeAgentId(params.agentId);
728
+ const configuredAgentDir = resolveAgentConfig(params.nextConfig, normalizedAgentId)?.agentDir?.trim();
729
+ if (configuredAgentDir) return resolveUserPath(resolveAuthStorePath(configuredAgentDir));
730
+ return path.join(resolveUserPath(params.stateDir), "agents", normalizedAgentId, "agent", "auth-profiles.json");
731
+ }
732
+ function ensureAuthProfileContainer(params) {
733
+ let changed = false;
734
+ const profilePathSegments = params.resolved.pathSegments.slice(0, 2);
735
+ const profileId = profilePathSegments[1];
736
+ if (!profileId) throw new Error(`Invalid auth profile target path: ${params.target.path}`);
737
+ const current = getPath(params.store, profilePathSegments);
738
+ const expectedType = params.resolved.entry.authProfileType;
739
+ if (isRecord(current)) {
740
+ if (expectedType && typeof current.type === "string" && current.type !== expectedType) throw new Error(`Auth profile "${profileId}" type mismatch for ${params.target.path}: expected "${expectedType}", got "${current.type}".`);
741
+ if (!isNonEmptyString(current.provider) && isNonEmptyString(params.target.authProfileProvider)) {
742
+ const wroteProvider = setPathCreateStrict(asConfigPathRoot(params.store), [...profilePathSegments, "provider"], params.target.authProfileProvider);
743
+ changed = changed || wroteProvider;
744
+ }
745
+ return changed;
746
+ }
747
+ if (!expectedType) throw new Error(`Auth profile target ${params.target.path} is missing auth profile type metadata.`);
748
+ const provider = String(params.target.authProfileProvider ?? "").trim();
749
+ if (!provider) throw new Error(`Cannot create auth profile "${profileId}" for ${params.target.path} without authProfileProvider.`);
750
+ const wroteProfile = setPathCreateStrict(asConfigPathRoot(params.store), profilePathSegments, {
751
+ type: expectedType,
752
+ provider
753
+ });
754
+ changed = changed || wroteProfile;
755
+ return changed;
756
+ }
757
+ function applyAuthProfileTargetMutation(params) {
758
+ if (params.resolved.entry.configFile !== "auth-profiles.json") return false;
759
+ const { store } = resolveAuthStoreForTarget({
760
+ target: params.target,
761
+ nextConfig: params.nextConfig,
762
+ stateDir: params.stateDir,
763
+ authStoreByPath: params.authStoreByPath
764
+ });
765
+ let changed = ensureAuthProfileContainer({
766
+ target: params.target,
767
+ resolved: params.resolved,
768
+ store
769
+ });
770
+ const targetPathSegments = params.resolved.pathSegments;
771
+ if (params.resolved.entry.secretShape === "sibling_ref") {
772
+ const previous = getPath(store, targetPathSegments);
773
+ if (isNonEmptyString(previous)) params.scrubbedValues.add(previous.trim());
774
+ const refPathSegments = params.resolved.refPathSegments;
775
+ if (!refPathSegments) throw new Error(`Missing sibling ref path for auth-profiles target ${params.target.path}.`);
776
+ const wroteRef = setPathCreateStrict(asConfigPathRoot(store), refPathSegments, params.target.ref);
777
+ const deletedPlaintext = deletePathStrict(asConfigPathRoot(store), targetPathSegments);
778
+ changed = changed || wroteRef || deletedPlaintext;
779
+ return changed;
780
+ }
781
+ const previous = getPath(store, targetPathSegments);
782
+ if (isNonEmptyString(previous)) params.scrubbedValues.add(previous.trim());
783
+ const wroteRef = setPathCreateStrict(asConfigPathRoot(store), targetPathSegments, params.target.ref);
784
+ changed = changed || wroteRef;
785
+ return changed;
786
+ }
787
+ function scrubLegacyAuthJsonStores(params) {
788
+ const authJsonByPath = /* @__PURE__ */ new Map();
789
+ if (!params.enabled) return authJsonByPath;
790
+ for (const authJsonPath of listLegacyAuthJsonPaths(params.stateDir)) {
791
+ const parsed = readJsonObjectIfExists(authJsonPath).value;
792
+ if (!parsed) continue;
793
+ let mutated = false;
794
+ const nextParsed = structuredClone(parsed);
795
+ for (const [providerId, value] of Object.entries(nextParsed)) {
796
+ if (!isRecord(value)) continue;
797
+ if (value.type === "api_key" && isNonEmptyString(value.key)) {
798
+ delete nextParsed[providerId];
799
+ mutated = true;
800
+ }
801
+ }
802
+ if (mutated) {
803
+ authJsonByPath.set(authJsonPath, nextParsed);
804
+ params.changedFiles.add(authJsonPath);
805
+ }
806
+ }
807
+ return authJsonByPath;
808
+ }
809
+ function scrubEnvFiles(params) {
810
+ const envRawByPath = /* @__PURE__ */ new Map();
811
+ if (!params.enabled || params.scrubbedValues.size === 0) return envRawByPath;
812
+ const envPath = path.join(resolveConfigDir(params.env, os.homedir), ".env");
813
+ if (!fs.existsSync(envPath)) return envRawByPath;
814
+ const current = fs.readFileSync(envPath, "utf8");
815
+ const scrubbed = scrubEnvRaw(current, params.scrubbedValues, new Set(listKnownSecretEnvVarNames()));
816
+ if (scrubbed.removed > 0 && scrubbed.nextRaw !== current) {
817
+ envRawByPath.set(envPath, scrubbed.nextRaw);
818
+ params.changedFiles.add(envPath);
819
+ }
820
+ return envRawByPath;
821
+ }
822
+ async function validateProjectedSecretsState(params) {
823
+ const cache = {};
824
+ let refsChecked = 0;
825
+ let skippedExecRefs = 0;
826
+ for (const { target, resolved: resolvedTarget } of params.resolvedTargets) {
827
+ if (!params.write && target.ref.source === "exec" && !params.allowExecInDryRun) {
828
+ skippedExecRefs += 1;
829
+ const staticError = getSkippedExecRefStaticError({
830
+ ref: target.ref,
831
+ config: params.nextConfig
832
+ });
833
+ if (staticError) throw new Error(staticError);
834
+ continue;
835
+ }
836
+ const resolved = await resolveSecretRefValue(target.ref, {
837
+ config: params.nextConfig,
838
+ env: params.env,
839
+ cache
840
+ });
841
+ refsChecked += 1;
842
+ assertExpectedResolvedSecretValue({
843
+ value: resolved,
844
+ expected: resolvedTarget.entry.expectedResolvedValue,
845
+ errorMessage: resolvedTarget.entry.expectedResolvedValue === "string" ? `Ref ${target.ref.source}:${target.ref.provider}:${target.ref.id} is not a non-empty string.` : `Ref ${target.ref.source}:${target.ref.provider}:${target.ref.id} is not string/object.`
846
+ });
847
+ }
848
+ const authStoreLookup = /* @__PURE__ */ new Map();
849
+ for (const [authStorePath, store] of params.authStoreByPath.entries()) authStoreLookup.set(resolveUserPath(authStorePath), store);
850
+ if (params.write || params.allowExecInDryRun) await prepareSecretsRuntimeSnapshot({
851
+ config: params.nextConfig,
852
+ env: params.env,
853
+ loadAuthStore: (agentDir) => {
854
+ const storePath = resolveUserPath(resolveAuthStorePath(agentDir));
855
+ const override = authStoreLookup.get(storePath);
856
+ if (override) return structuredClone(override);
857
+ return loadAuthProfileStoreForSecretsRuntime(agentDir);
858
+ }
859
+ });
860
+ return {
861
+ refsChecked,
862
+ skippedExecRefs,
863
+ resolvabilityComplete: params.write || params.allowExecInDryRun || skippedExecRefs === 0
864
+ };
865
+ }
866
+ function captureFileSnapshot(pathname) {
867
+ if (!fs.existsSync(pathname)) return {
868
+ existed: false,
869
+ content: "",
870
+ mode: 384
871
+ };
872
+ const stat = fs.statSync(pathname);
873
+ return {
874
+ existed: true,
875
+ content: fs.readFileSync(pathname, "utf8"),
876
+ mode: stat.mode & 511
877
+ };
878
+ }
879
+ function restoreFileSnapshot(pathname, snapshot) {
880
+ if (!snapshot.existed) {
881
+ if (fs.existsSync(pathname)) fs.rmSync(pathname, { force: true });
882
+ return;
883
+ }
884
+ writeTextFileAtomic(pathname, snapshot.content, snapshot.mode || 384);
885
+ }
886
+ function toJsonWrite(pathname, value) {
887
+ return {
888
+ path: pathname,
889
+ content: `${JSON.stringify(value, null, 2)}\n`,
890
+ mode: 384
891
+ };
892
+ }
893
+ async function runSecretsApply(params) {
894
+ const env = params.env ?? process.env;
895
+ const write = params.write === true;
896
+ const allowExec = Boolean(params.allowExec);
897
+ if (write && planContainsExecReferences(params.plan) && !allowExec) throw new Error("Plan contains exec SecretRefs/providers. Re-run with --allow-exec.");
898
+ const allowExecInDryRun = write ? true : allowExec;
899
+ const projected = await projectPlanState({
900
+ plan: params.plan,
901
+ env,
902
+ write,
903
+ allowExecInDryRun
904
+ });
905
+ const changedFiles = [...projected.changedFiles].toSorted();
906
+ if (!write) return {
907
+ mode: "dry-run",
908
+ changed: changedFiles.length > 0,
909
+ changedFiles,
910
+ checks: {
911
+ resolvability: true,
912
+ resolvabilityComplete: projected.resolvabilityComplete
913
+ },
914
+ refsChecked: projected.refsChecked,
915
+ skippedExecRefs: projected.skippedExecRefs,
916
+ warningCount: projected.warnings.length,
917
+ warnings: projected.warnings
918
+ };
919
+ if (changedFiles.length === 0) return {
920
+ mode: "write",
921
+ changed: false,
922
+ changedFiles: [],
923
+ checks: {
924
+ resolvability: true,
925
+ resolvabilityComplete: true
926
+ },
927
+ refsChecked: projected.refsChecked,
928
+ skippedExecRefs: 0,
929
+ warningCount: projected.warnings.length,
930
+ warnings: projected.warnings
931
+ };
932
+ const io = createSecretsConfigIO({ env });
933
+ const snapshots = /* @__PURE__ */ new Map();
934
+ const capture = (pathname) => {
935
+ if (!snapshots.has(pathname)) snapshots.set(pathname, captureFileSnapshot(pathname));
936
+ };
937
+ capture(projected.configPath);
938
+ const writes = [];
939
+ for (const [pathname, value] of projected.authStoreByPath.entries()) {
940
+ capture(pathname);
941
+ writes.push(toJsonWrite(pathname, value));
942
+ }
943
+ for (const [pathname, value] of projected.authJsonByPath.entries()) {
944
+ capture(pathname);
945
+ writes.push(toJsonWrite(pathname, value));
946
+ }
947
+ for (const [pathname, raw] of projected.envRawByPath.entries()) {
948
+ capture(pathname);
949
+ writes.push({
950
+ path: pathname,
951
+ content: raw,
952
+ mode: 384
953
+ });
954
+ }
955
+ try {
956
+ await io.writeConfigFile(projected.nextConfig, projected.configWriteOptions);
957
+ for (const write of writes) writeTextFileAtomic(write.path, write.content, write.mode);
958
+ } catch (err) {
959
+ for (const [pathname, snapshot] of snapshots.entries()) try {
960
+ restoreFileSnapshot(pathname, snapshot);
961
+ } catch {}
962
+ throw new Error(`Secrets apply failed: ${String(err)}`, { cause: err });
963
+ }
964
+ return {
965
+ mode: "write",
966
+ changed: changedFiles.length > 0,
967
+ changedFiles,
968
+ checks: {
969
+ resolvability: true,
970
+ resolvabilityComplete: true
971
+ },
972
+ refsChecked: projected.refsChecked,
973
+ skippedExecRefs: 0,
974
+ warningCount: projected.warnings.length,
975
+ warnings: projected.warnings
976
+ };
977
+ }
978
+ //#endregion
979
+ //#region src/secrets/audit.ts
980
+ const REF_RESOLVE_FALLBACK_CONCURRENCY = 8;
981
+ const MAX_AUDIT_MODELS_JSON_BYTES = 5 * 1024 * 1024;
982
+ const ALWAYS_SENSITIVE_MODEL_PROVIDER_HEADER_NAMES = new Set([
983
+ "authorization",
984
+ "proxy-authorization",
985
+ "x-api-key",
986
+ "api-key",
987
+ "apikey",
988
+ "x-auth-token",
989
+ "auth-token",
990
+ "x-access-token",
991
+ "access-token",
992
+ "x-secret-key",
993
+ "secret-key"
994
+ ]);
995
+ const SENSITIVE_MODEL_PROVIDER_HEADER_NAME_FRAGMENTS = [
996
+ "api-key",
997
+ "apikey",
998
+ "token",
999
+ "secret",
1000
+ "password",
1001
+ "credential"
1002
+ ];
1003
+ function isLikelySensitiveModelProviderHeaderName(value) {
1004
+ const normalized = value.trim().toLowerCase();
1005
+ if (!normalized) return false;
1006
+ if (ALWAYS_SENSITIVE_MODEL_PROVIDER_HEADER_NAMES.has(normalized)) return true;
1007
+ return SENSITIVE_MODEL_PROVIDER_HEADER_NAME_FRAGMENTS.some((fragment) => normalized.includes(fragment));
1008
+ }
1009
+ function addFinding(collector, finding) {
1010
+ collector.findings.push(finding);
1011
+ }
1012
+ function collectProviderRefPath(collector, providerId, configPath) {
1013
+ const key = normalizeProviderId(providerId);
1014
+ const existing = collector.configProviderRefPaths.get(key);
1015
+ if (existing) {
1016
+ existing.push(configPath);
1017
+ return;
1018
+ }
1019
+ collector.configProviderRefPaths.set(key, [configPath]);
1020
+ }
1021
+ function trackAuthProviderState(collector, provider, mode) {
1022
+ const key = normalizeProviderId(provider);
1023
+ const existing = collector.authProviderState.get(key);
1024
+ if (existing) {
1025
+ existing.hasUsableStaticOrOAuth = true;
1026
+ existing.modes.add(mode);
1027
+ return;
1028
+ }
1029
+ collector.authProviderState.set(key, {
1030
+ hasUsableStaticOrOAuth: true,
1031
+ modes: new Set([mode])
1032
+ });
1033
+ }
1034
+ function collectEnvPlaintext(params) {
1035
+ if (!fs.existsSync(params.envPath)) return;
1036
+ params.collector.filesScanned.add(params.envPath);
1037
+ const knownKeys = new Set(listKnownSecretEnvVarNames());
1038
+ const lines = fs.readFileSync(params.envPath, "utf8").split(/\r?\n/);
1039
+ for (const line of lines) {
1040
+ const match = line.match(/^\s*(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
1041
+ if (!match) continue;
1042
+ const key = match[1] ?? "";
1043
+ if (!knownKeys.has(key)) continue;
1044
+ if (!parseEnvAssignmentValue(match[2] ?? "")) continue;
1045
+ addFinding(params.collector, {
1046
+ code: "PLAINTEXT_FOUND",
1047
+ severity: "warn",
1048
+ file: params.envPath,
1049
+ jsonPath: `$env.${key}`,
1050
+ message: `Potential secret found in .env (${key}).`
1051
+ });
1052
+ }
1053
+ }
1054
+ function collectConfigSecrets(params) {
1055
+ const defaults = params.config.secrets?.defaults;
1056
+ for (const target of discoverConfigSecretTargets(params.config)) {
1057
+ if (!target.entry.includeInAudit) continue;
1058
+ const { ref } = resolveSecretInputRef({
1059
+ value: target.value,
1060
+ refValue: target.refValue,
1061
+ defaults
1062
+ });
1063
+ if (ref) {
1064
+ params.collector.refAssignments.push({
1065
+ file: params.configPath,
1066
+ path: target.path,
1067
+ ref,
1068
+ expected: target.entry.expectedResolvedValue,
1069
+ provider: target.providerId
1070
+ });
1071
+ if (target.entry.trackProviderShadowing && target.providerId) collectProviderRefPath(params.collector, target.providerId, target.path);
1072
+ continue;
1073
+ }
1074
+ const hasPlaintext = hasConfiguredPlaintextSecretValue(target.value, target.entry.expectedResolvedValue);
1075
+ if (target.entry.id === "models.providers.*.headers.*" && !isLikelySensitiveModelProviderHeaderName(target.pathSegments.at(-1) ?? "")) continue;
1076
+ if (!hasPlaintext) continue;
1077
+ addFinding(params.collector, {
1078
+ code: "PLAINTEXT_FOUND",
1079
+ severity: "warn",
1080
+ file: params.configPath,
1081
+ jsonPath: target.path,
1082
+ message: `${target.path} is stored as plaintext.`,
1083
+ provider: target.providerId
1084
+ });
1085
+ }
1086
+ }
1087
+ function collectAuthStoreSecrets(params) {
1088
+ if (!fs.existsSync(params.authStorePath)) return;
1089
+ params.collector.filesScanned.add(params.authStorePath);
1090
+ const parsedResult = readJsonObjectIfExists(params.authStorePath);
1091
+ if (parsedResult.error) {
1092
+ addFinding(params.collector, {
1093
+ code: "REF_UNRESOLVED",
1094
+ severity: "error",
1095
+ file: params.authStorePath,
1096
+ jsonPath: "<root>",
1097
+ message: `Invalid JSON in auth-profiles store: ${parsedResult.error}`
1098
+ });
1099
+ return;
1100
+ }
1101
+ const parsed = parsedResult.value;
1102
+ if (!parsed || !isRecord(parsed.profiles)) return;
1103
+ for (const entry of iterateAuthProfileCredentials(parsed.profiles)) {
1104
+ if (entry.kind === "api_key" || entry.kind === "token") {
1105
+ const { ref } = resolveSecretInputRef({
1106
+ value: entry.value,
1107
+ refValue: entry.refValue,
1108
+ defaults: params.defaults
1109
+ });
1110
+ if (ref) {
1111
+ params.collector.refAssignments.push({
1112
+ file: params.authStorePath,
1113
+ path: `profiles.${entry.profileId}.${entry.valueField}`,
1114
+ ref,
1115
+ expected: "string",
1116
+ provider: entry.provider
1117
+ });
1118
+ trackAuthProviderState(params.collector, entry.provider, entry.kind);
1119
+ }
1120
+ if (isNonEmptyString(entry.value)) {
1121
+ addFinding(params.collector, {
1122
+ code: "PLAINTEXT_FOUND",
1123
+ severity: "warn",
1124
+ file: params.authStorePath,
1125
+ jsonPath: `profiles.${entry.profileId}.${entry.valueField}`,
1126
+ message: entry.kind === "api_key" ? "Auth profile API key is stored as plaintext." : "Auth profile token is stored as plaintext.",
1127
+ provider: entry.provider,
1128
+ profileId: entry.profileId
1129
+ });
1130
+ trackAuthProviderState(params.collector, entry.provider, entry.kind);
1131
+ }
1132
+ continue;
1133
+ }
1134
+ if (entry.hasAccess || entry.hasRefresh) {
1135
+ addFinding(params.collector, {
1136
+ code: "LEGACY_RESIDUE",
1137
+ severity: "info",
1138
+ file: params.authStorePath,
1139
+ jsonPath: `profiles.${entry.profileId}`,
1140
+ message: "OAuth credentials are present (out of scope for static SecretRef migration).",
1141
+ provider: entry.provider,
1142
+ profileId: entry.profileId
1143
+ });
1144
+ trackAuthProviderState(params.collector, entry.provider, "oauth");
1145
+ }
1146
+ }
1147
+ }
1148
+ function collectAuthJsonResidue(params) {
1149
+ for (const authJsonPath of listLegacyAuthJsonPaths(params.stateDir)) {
1150
+ params.collector.filesScanned.add(authJsonPath);
1151
+ const parsedResult = readJsonObjectIfExists(authJsonPath);
1152
+ if (parsedResult.error) {
1153
+ addFinding(params.collector, {
1154
+ code: "REF_UNRESOLVED",
1155
+ severity: "error",
1156
+ file: authJsonPath,
1157
+ jsonPath: "<root>",
1158
+ message: `Invalid JSON in legacy auth.json: ${parsedResult.error}`
1159
+ });
1160
+ continue;
1161
+ }
1162
+ const parsed = parsedResult.value;
1163
+ if (!parsed) continue;
1164
+ for (const [providerId, value] of Object.entries(parsed)) {
1165
+ if (!isRecord(value)) continue;
1166
+ if (value.type === "api_key" && isNonEmptyString(value.key)) addFinding(params.collector, {
1167
+ code: "LEGACY_RESIDUE",
1168
+ severity: "warn",
1169
+ file: authJsonPath,
1170
+ jsonPath: providerId,
1171
+ message: "Legacy auth.json contains static api_key credentials.",
1172
+ provider: providerId
1173
+ });
1174
+ }
1175
+ }
1176
+ }
1177
+ function collectModelsJsonSecrets(params) {
1178
+ if (!fs.existsSync(params.modelsJsonPath)) return;
1179
+ params.collector.filesScanned.add(params.modelsJsonPath);
1180
+ const parsedResult = readJsonObjectIfExists(params.modelsJsonPath, {
1181
+ requireRegularFile: true,
1182
+ maxBytes: MAX_AUDIT_MODELS_JSON_BYTES
1183
+ });
1184
+ if (parsedResult.error) {
1185
+ addFinding(params.collector, {
1186
+ code: "REF_UNRESOLVED",
1187
+ severity: "error",
1188
+ file: params.modelsJsonPath,
1189
+ jsonPath: "<root>",
1190
+ message: `Invalid JSON in models.json: ${parsedResult.error}`
1191
+ });
1192
+ return;
1193
+ }
1194
+ const parsed = parsedResult.value;
1195
+ if (!parsed || !isRecord(parsed.providers)) return;
1196
+ for (const [providerId, providerValue] of Object.entries(parsed.providers)) {
1197
+ if (!isRecord(providerValue)) continue;
1198
+ const apiKey = providerValue.apiKey;
1199
+ if (coerceSecretRef(apiKey)) addFinding(params.collector, {
1200
+ code: "REF_UNRESOLVED",
1201
+ severity: "error",
1202
+ file: params.modelsJsonPath,
1203
+ jsonPath: `providers.${providerId}.apiKey`,
1204
+ message: "models.json contains an unresolved SecretRef object; regenerate models.json.",
1205
+ provider: providerId
1206
+ });
1207
+ else if (isNonEmptyString(apiKey) && !isNonSecretApiKeyMarker(apiKey)) addFinding(params.collector, {
1208
+ code: "PLAINTEXT_FOUND",
1209
+ severity: "warn",
1210
+ file: params.modelsJsonPath,
1211
+ jsonPath: `providers.${providerId}.apiKey`,
1212
+ message: "models.json provider apiKey is stored as plaintext.",
1213
+ provider: providerId
1214
+ });
1215
+ const headers = isRecord(providerValue.headers) ? providerValue.headers : void 0;
1216
+ if (!headers) continue;
1217
+ for (const [headerKey, headerValue] of Object.entries(headers)) {
1218
+ const headerPath = `providers.${providerId}.headers.${headerKey}`;
1219
+ if (coerceSecretRef(headerValue)) {
1220
+ addFinding(params.collector, {
1221
+ code: "REF_UNRESOLVED",
1222
+ severity: "error",
1223
+ file: params.modelsJsonPath,
1224
+ jsonPath: headerPath,
1225
+ message: "models.json contains an unresolved SecretRef object for provider headers; regenerate models.json.",
1226
+ provider: providerId
1227
+ });
1228
+ continue;
1229
+ }
1230
+ if (!isNonEmptyString(headerValue)) continue;
1231
+ if (isSecretRefHeaderValueMarker(headerValue)) continue;
1232
+ if (!isLikelySensitiveModelProviderHeaderName(headerKey)) continue;
1233
+ addFinding(params.collector, {
1234
+ code: "PLAINTEXT_FOUND",
1235
+ severity: "warn",
1236
+ file: params.modelsJsonPath,
1237
+ jsonPath: headerPath,
1238
+ message: "models.json provider header value is stored as plaintext.",
1239
+ provider: providerId
1240
+ });
1241
+ }
1242
+ }
1243
+ }
1244
+ async function collectUnresolvedRefFindings(params) {
1245
+ const cache = {};
1246
+ const refsByProvider = /* @__PURE__ */ new Map();
1247
+ const skippedRefKeys = /* @__PURE__ */ new Set();
1248
+ let refsChecked = 0;
1249
+ let skippedExecRefs = 0;
1250
+ for (const assignment of params.collector.refAssignments) {
1251
+ const providerKey = `${assignment.ref.source}:${assignment.ref.provider}`;
1252
+ let refsForProvider = refsByProvider.get(providerKey);
1253
+ if (!refsForProvider) {
1254
+ refsForProvider = /* @__PURE__ */ new Map();
1255
+ refsByProvider.set(providerKey, refsForProvider);
1256
+ }
1257
+ refsForProvider.set(secretRefKey(assignment.ref), assignment.ref);
1258
+ }
1259
+ const resolvedByRefKey = /* @__PURE__ */ new Map();
1260
+ const errorsByRefKey = /* @__PURE__ */ new Map();
1261
+ for (const refsForProvider of refsByProvider.values()) {
1262
+ const refs = [...refsForProvider.values()];
1263
+ const selectedRefs = selectRefsForExecPolicy({
1264
+ refs,
1265
+ allowExec: params.allowExec
1266
+ });
1267
+ if (selectedRefs.skippedExecRefs.length > 0) {
1268
+ skippedExecRefs += selectedRefs.skippedExecRefs.length;
1269
+ for (const ref of selectedRefs.skippedExecRefs) {
1270
+ skippedRefKeys.add(secretRefKey(ref));
1271
+ const staticError = getSkippedExecRefStaticError({
1272
+ ref,
1273
+ config: params.config
1274
+ });
1275
+ if (staticError) errorsByRefKey.set(secretRefKey(ref), new Error(staticError));
1276
+ }
1277
+ }
1278
+ if (selectedRefs.refsToResolve.length === 0) continue;
1279
+ refsChecked += selectedRefs.refsToResolve.length;
1280
+ const provider = refs[0]?.provider;
1281
+ try {
1282
+ const resolved = await resolveSecretRefValues(selectedRefs.refsToResolve, {
1283
+ config: params.config,
1284
+ env: params.env,
1285
+ cache
1286
+ });
1287
+ for (const [key, value] of resolved.entries()) resolvedByRefKey.set(key, value);
1288
+ continue;
1289
+ } catch (err) {
1290
+ if (provider && isProviderScopedSecretResolutionError(err)) {
1291
+ for (const ref of selectedRefs.refsToResolve) errorsByRefKey.set(secretRefKey(ref), err);
1292
+ continue;
1293
+ }
1294
+ }
1295
+ const fallback = await runTasksWithConcurrency({
1296
+ tasks: selectedRefs.refsToResolve.map((ref) => async () => ({
1297
+ key: secretRefKey(ref),
1298
+ resolved: await resolveSecretRefValue(ref, {
1299
+ config: params.config,
1300
+ env: params.env,
1301
+ cache
1302
+ })
1303
+ })),
1304
+ limit: Math.min(REF_RESOLVE_FALLBACK_CONCURRENCY, selectedRefs.refsToResolve.length),
1305
+ errorMode: "continue",
1306
+ onTaskError: (error, index) => {
1307
+ const ref = selectedRefs.refsToResolve[index];
1308
+ if (!ref) return;
1309
+ errorsByRefKey.set(secretRefKey(ref), error);
1310
+ }
1311
+ });
1312
+ for (const result of fallback.results) {
1313
+ if (!result) continue;
1314
+ resolvedByRefKey.set(result.key, result.resolved);
1315
+ }
1316
+ }
1317
+ for (const assignment of params.collector.refAssignments) {
1318
+ const key = secretRefKey(assignment.ref);
1319
+ if (skippedRefKeys.has(key) && !errorsByRefKey.has(key)) continue;
1320
+ const resolveErr = errorsByRefKey.get(key);
1321
+ if (resolveErr) {
1322
+ addFinding(params.collector, {
1323
+ code: "REF_UNRESOLVED",
1324
+ severity: "error",
1325
+ file: assignment.file,
1326
+ jsonPath: assignment.path,
1327
+ message: `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (${describeUnknownError(resolveErr)}).`,
1328
+ provider: assignment.provider
1329
+ });
1330
+ continue;
1331
+ }
1332
+ if (!resolvedByRefKey.has(key)) {
1333
+ addFinding(params.collector, {
1334
+ code: "REF_UNRESOLVED",
1335
+ severity: "error",
1336
+ file: assignment.file,
1337
+ jsonPath: assignment.path,
1338
+ message: `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (resolved value is missing).`,
1339
+ provider: assignment.provider
1340
+ });
1341
+ continue;
1342
+ }
1343
+ if (!isExpectedResolvedSecretValue(resolvedByRefKey.get(key), assignment.expected)) addFinding(params.collector, {
1344
+ code: "REF_UNRESOLVED",
1345
+ severity: "error",
1346
+ file: assignment.file,
1347
+ jsonPath: assignment.path,
1348
+ message: assignment.expected === "string" ? `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (resolved value is not a non-empty string).` : `Failed to resolve ${assignment.ref.source}:${assignment.ref.provider}:${assignment.ref.id} (resolved value is not a string/object).`,
1349
+ provider: assignment.provider
1350
+ });
1351
+ }
1352
+ return {
1353
+ refsChecked,
1354
+ skippedExecRefs
1355
+ };
1356
+ }
1357
+ function collectShadowingFindings(collector) {
1358
+ for (const [provider, paths] of collector.configProviderRefPaths.entries()) {
1359
+ const authState = collector.authProviderState.get(provider);
1360
+ if (!authState?.hasUsableStaticOrOAuth) continue;
1361
+ const modeText = [...authState.modes].join("/");
1362
+ for (const configPath of paths) addFinding(collector, {
1363
+ code: "REF_SHADOWED",
1364
+ severity: "warn",
1365
+ file: "openclaw.json",
1366
+ jsonPath: configPath,
1367
+ message: `Auth profile credentials (${modeText}) take precedence for provider "${provider}", so this config ref may never be used.`,
1368
+ provider
1369
+ });
1370
+ }
1371
+ }
1372
+ function summarizeFindings(findings) {
1373
+ return {
1374
+ plaintextCount: findings.filter((entry) => entry.code === "PLAINTEXT_FOUND").length,
1375
+ unresolvedRefCount: findings.filter((entry) => entry.code === "REF_UNRESOLVED").length,
1376
+ shadowedRefCount: findings.filter((entry) => entry.code === "REF_SHADOWED").length,
1377
+ legacyResidueCount: findings.filter((entry) => entry.code === "LEGACY_RESIDUE").length
1378
+ };
1379
+ }
1380
+ async function runSecretsAudit(params = {}) {
1381
+ const env = params.env ?? process.env;
1382
+ const allowExec = Boolean(params.allowExec);
1383
+ const snapshot = await createSecretsConfigIO({ env }).readConfigFileSnapshot();
1384
+ const configPath = resolveUserPath(snapshot.path);
1385
+ const defaults = snapshot.valid ? snapshot.config.secrets?.defaults : void 0;
1386
+ const collector = {
1387
+ findings: [],
1388
+ refAssignments: [],
1389
+ configProviderRefPaths: /* @__PURE__ */ new Map(),
1390
+ authProviderState: /* @__PURE__ */ new Map(),
1391
+ filesScanned: new Set([configPath])
1392
+ };
1393
+ const stateDir = resolveStateDir(env, os.homedir);
1394
+ const envPath = path.join(resolveConfigDir(env, os.homedir), ".env");
1395
+ const config = snapshot.valid ? snapshot.config : {};
1396
+ let resolution = {
1397
+ refsChecked: 0,
1398
+ skippedExecRefs: 0,
1399
+ resolvabilityComplete: true
1400
+ };
1401
+ if (snapshot.valid) {
1402
+ collectConfigSecrets({
1403
+ config,
1404
+ configPath,
1405
+ collector
1406
+ });
1407
+ for (const authStorePath of listAuthProfileStorePaths(config, stateDir)) collectAuthStoreSecrets({
1408
+ authStorePath,
1409
+ collector,
1410
+ defaults
1411
+ });
1412
+ for (const modelsJsonPath of listAgentModelsJsonPaths(config, stateDir, env)) collectModelsJsonSecrets({
1413
+ modelsJsonPath,
1414
+ collector
1415
+ });
1416
+ const unresolvedRefResult = await collectUnresolvedRefFindings({
1417
+ collector,
1418
+ config,
1419
+ env,
1420
+ allowExec
1421
+ });
1422
+ resolution = {
1423
+ refsChecked: unresolvedRefResult.refsChecked,
1424
+ skippedExecRefs: unresolvedRefResult.skippedExecRefs,
1425
+ resolvabilityComplete: unresolvedRefResult.skippedExecRefs === 0
1426
+ };
1427
+ collectShadowingFindings(collector);
1428
+ } else addFinding(collector, {
1429
+ code: "REF_UNRESOLVED",
1430
+ severity: "error",
1431
+ file: configPath,
1432
+ jsonPath: "<root>",
1433
+ message: "Config is invalid; cannot validate secret references reliably."
1434
+ });
1435
+ collectEnvPlaintext({
1436
+ envPath,
1437
+ collector
1438
+ });
1439
+ collectAuthJsonResidue({
1440
+ stateDir,
1441
+ collector
1442
+ });
1443
+ const summary = summarizeFindings(collector.findings);
1444
+ return {
1445
+ version: 1,
1446
+ status: summary.unresolvedRefCount > 0 ? "unresolved" : collector.findings.length > 0 ? "findings" : "clean",
1447
+ resolution,
1448
+ filesScanned: [...collector.filesScanned].toSorted(),
1449
+ summary,
1450
+ findings: collector.findings
1451
+ };
1452
+ }
1453
+ function resolveSecretsAuditExitCode(report, check) {
1454
+ if (report.summary.unresolvedRefCount > 0) return 2;
1455
+ if (check && report.findings.length > 0) return 1;
1456
+ return 0;
1457
+ }
1458
+ //#endregion
1459
+ //#region src/secrets/configure-plan.ts
1460
+ function getSecretProviders$1(config) {
1461
+ if (!isRecord(config.secrets?.providers)) return {};
1462
+ return config.secrets.providers;
1463
+ }
1464
+ function configureCandidateSortKey(candidate) {
1465
+ if (candidate.configFile === "auth-profiles.json") return `auth-profiles:${candidate.agentId ?? ""}:${candidate.path}`;
1466
+ return `openclaw:${candidate.path}`;
1467
+ }
1468
+ function resolveAuthProfileProvider(store, pathSegments) {
1469
+ const profileId = pathSegments[1];
1470
+ if (!profileId) return;
1471
+ const profile = store.profiles?.[profileId];
1472
+ if (!isRecord(profile) || typeof profile.provider !== "string") return;
1473
+ const provider = profile.provider.trim();
1474
+ return provider.length > 0 ? provider : void 0;
1475
+ }
1476
+ function buildConfigureCandidatesForScope(params) {
1477
+ const authoredConfig = params.authoredOpenClawConfig ?? params.config;
1478
+ const hasPathInAuthoredConfig = (pathSegments) => hasPath(authoredConfig, pathSegments);
1479
+ const openclawCandidates = discoverConfigSecretTargets(params.config).filter((entry) => entry.entry.includeInConfigure).map((entry) => {
1480
+ const resolved = resolveSecretInputRef({
1481
+ value: entry.value,
1482
+ refValue: entry.refValue,
1483
+ defaults: params.config.secrets?.defaults
1484
+ });
1485
+ const pathExists = hasPathInAuthoredConfig(entry.pathSegments);
1486
+ const refPathExists = entry.refPathSegments ? hasPathInAuthoredConfig(entry.refPathSegments) : false;
1487
+ return {
1488
+ type: entry.entry.targetType,
1489
+ path: entry.path,
1490
+ pathSegments: [...entry.pathSegments],
1491
+ label: entry.path,
1492
+ configFile: "openclaw.json",
1493
+ expectedResolvedValue: entry.entry.expectedResolvedValue,
1494
+ ...resolved.ref ? { existingRef: resolved.ref } : {},
1495
+ ...pathExists || refPathExists ? {} : { isDerived: true },
1496
+ ...entry.providerId ? { providerId: entry.providerId } : {},
1497
+ ...entry.accountId ? { accountId: entry.accountId } : {}
1498
+ };
1499
+ });
1500
+ const authCandidates = params.authProfiles === void 0 ? [] : discoverAuthProfileSecretTargets(params.authProfiles.store).filter((entry) => entry.entry.includeInConfigure).map((entry) => {
1501
+ const authProfiles = params.authProfiles;
1502
+ if (!authProfiles) throw new Error("Missing auth profile scope for configure candidate discovery.");
1503
+ const authProfileProvider = resolveAuthProfileProvider(authProfiles.store, entry.pathSegments);
1504
+ const resolved = resolveSecretInputRef({
1505
+ value: entry.value,
1506
+ refValue: entry.refValue,
1507
+ defaults: params.config.secrets?.defaults
1508
+ });
1509
+ return {
1510
+ type: entry.entry.targetType,
1511
+ path: entry.path,
1512
+ pathSegments: [...entry.pathSegments],
1513
+ label: `${entry.path} (auth profile, agent ${authProfiles.agentId})`,
1514
+ configFile: "auth-profiles.json",
1515
+ expectedResolvedValue: entry.entry.expectedResolvedValue,
1516
+ ...resolved.ref ? { existingRef: resolved.ref } : {},
1517
+ agentId: authProfiles.agentId,
1518
+ ...authProfileProvider ? { authProfileProvider } : {}
1519
+ };
1520
+ });
1521
+ return [...openclawCandidates, ...authCandidates].toSorted((a, b) => configureCandidateSortKey(a).localeCompare(configureCandidateSortKey(b)));
1522
+ }
1523
+ function hasPath(root, segments) {
1524
+ if (segments.length === 0) return false;
1525
+ let cursor = root;
1526
+ for (let index = 0; index < segments.length; index += 1) {
1527
+ const segment = segments[index] ?? "";
1528
+ if (Array.isArray(cursor)) {
1529
+ if (!/^\d+$/.test(segment)) return false;
1530
+ const parsedIndex = Number.parseInt(segment, 10);
1531
+ if (!Number.isFinite(parsedIndex) || parsedIndex < 0 || parsedIndex >= cursor.length) return false;
1532
+ if (index === segments.length - 1) return true;
1533
+ cursor = cursor[parsedIndex];
1534
+ continue;
1535
+ }
1536
+ if (!isRecord(cursor)) return false;
1537
+ if (!Object.prototype.hasOwnProperty.call(cursor, segment)) return false;
1538
+ if (index === segments.length - 1) return true;
1539
+ cursor = cursor[segment];
1540
+ }
1541
+ return false;
1542
+ }
1543
+ function collectConfigureProviderChanges(params) {
1544
+ const originalProviders = getSecretProviders$1(params.original);
1545
+ const nextProviders = getSecretProviders$1(params.next);
1546
+ const upserts = {};
1547
+ const deletes = [];
1548
+ for (const [providerAlias, nextProviderConfig] of Object.entries(nextProviders)) {
1549
+ const current = originalProviders[providerAlias];
1550
+ if (isDeepStrictEqual(current, nextProviderConfig)) continue;
1551
+ upserts[providerAlias] = structuredClone(nextProviderConfig);
1552
+ }
1553
+ for (const providerAlias of Object.keys(originalProviders)) if (!Object.prototype.hasOwnProperty.call(nextProviders, providerAlias)) deletes.push(providerAlias);
1554
+ return {
1555
+ upserts,
1556
+ deletes: deletes.toSorted()
1557
+ };
1558
+ }
1559
+ function hasConfigurePlanChanges(params) {
1560
+ return params.selectedTargets.size > 0 || Object.keys(params.providerChanges.upserts).length > 0 || params.providerChanges.deletes.length > 0;
1561
+ }
1562
+ function buildSecretsConfigurePlan(params) {
1563
+ return {
1564
+ version: 1,
1565
+ protocolVersion: 1,
1566
+ generatedAt: params.generatedAt ?? (/* @__PURE__ */ new Date()).toISOString(),
1567
+ generatedBy: "openclaw secrets configure",
1568
+ targets: [...params.selectedTargets.values()].map((entry) => ({
1569
+ type: entry.type,
1570
+ path: entry.path,
1571
+ pathSegments: [...entry.pathSegments],
1572
+ ref: entry.ref,
1573
+ ...entry.agentId ? { agentId: entry.agentId } : {},
1574
+ ...entry.providerId ? { providerId: entry.providerId } : {},
1575
+ ...entry.accountId ? { accountId: entry.accountId } : {},
1576
+ ...entry.authProfileProvider ? { authProfileProvider: entry.authProfileProvider } : {}
1577
+ })),
1578
+ ...Object.keys(params.providerChanges.upserts).length > 0 ? { providerUpserts: params.providerChanges.upserts } : {},
1579
+ ...params.providerChanges.deletes.length > 0 ? { providerDeletes: params.providerChanges.deletes } : {},
1580
+ options: {
1581
+ scrubEnv: true,
1582
+ scrubAuthProfilesForProviderTargets: true,
1583
+ scrubLegacyAuthJson: true
1584
+ }
1585
+ };
1586
+ }
1587
+ //#endregion
1588
+ //#region src/secrets/configure.ts
1589
+ const ENV_NAME_PATTERN = /^[A-Z][A-Z0-9_]{0,127}$/;
1590
+ const WINDOWS_ABS_PATH_PATTERN = /^[A-Za-z]:[\\/]/;
1591
+ const WINDOWS_UNC_PATH_PATTERN = /^\\\\[^\\]+\\[^\\]+/;
1592
+ function isAbsolutePathValue(value) {
1593
+ return path.isAbsolute(value) || WINDOWS_ABS_PATH_PATTERN.test(value) || WINDOWS_UNC_PATH_PATTERN.test(value);
1594
+ }
1595
+ function parseCsv(value) {
1596
+ return value.split(",").map((entry) => entry.trim()).filter((entry) => entry.length > 0);
1597
+ }
1598
+ function parseOptionalPositiveInt(value, max) {
1599
+ const trimmed = value.trim();
1600
+ if (!trimmed) return;
1601
+ if (!/^\d+$/.test(trimmed)) return;
1602
+ const parsed = Number.parseInt(trimmed, 10);
1603
+ if (!Number.isFinite(parsed) || parsed <= 0 || parsed > max) return;
1604
+ return parsed;
1605
+ }
1606
+ function getSecretProviders(config) {
1607
+ if (!isRecord(config.secrets?.providers)) return {};
1608
+ return config.secrets.providers;
1609
+ }
1610
+ function setSecretProvider(config, providerAlias, providerConfig) {
1611
+ config.secrets ??= {};
1612
+ if (!isRecord(config.secrets.providers)) config.secrets.providers = {};
1613
+ config.secrets.providers[providerAlias] = providerConfig;
1614
+ }
1615
+ function removeSecretProvider(config, providerAlias) {
1616
+ if (!isRecord(config.secrets?.providers)) return false;
1617
+ const providers = config.secrets.providers;
1618
+ if (!Object.prototype.hasOwnProperty.call(providers, providerAlias)) return false;
1619
+ delete providers[providerAlias];
1620
+ if (Object.keys(providers).length === 0) delete config.secrets?.providers;
1621
+ if (isRecord(config.secrets?.defaults)) {
1622
+ const defaults = config.secrets.defaults;
1623
+ if (defaults?.env === providerAlias) delete defaults.env;
1624
+ if (defaults?.file === providerAlias) delete defaults.file;
1625
+ if (defaults?.exec === providerAlias) delete defaults.exec;
1626
+ if (defaults && defaults.env === void 0 && defaults.file === void 0 && defaults.exec === void 0) delete config.secrets?.defaults;
1627
+ }
1628
+ return true;
1629
+ }
1630
+ function providerHint(provider) {
1631
+ if (provider.source === "env") return provider.allowlist?.length ? `env (${provider.allowlist.length} allowlisted)` : "env";
1632
+ if (provider.source === "file") return `file (${provider.mode ?? "json"})`;
1633
+ return `exec (${provider.jsonOnly === false ? "json+text" : "json"})`;
1634
+ }
1635
+ function toSourceChoices(config) {
1636
+ const hasSource = (source) => Object.values(config.secrets?.providers ?? {}).some((provider) => provider?.source === source);
1637
+ const choices = [{
1638
+ value: "env",
1639
+ label: "env"
1640
+ }];
1641
+ if (hasSource("file")) choices.push({
1642
+ value: "file",
1643
+ label: "file"
1644
+ });
1645
+ if (hasSource("exec")) choices.push({
1646
+ value: "exec",
1647
+ label: "exec"
1648
+ });
1649
+ return choices;
1650
+ }
1651
+ function assertNoCancel(value, message) {
1652
+ if (typeof value === "symbol") throw new Error(message);
1653
+ return value;
1654
+ }
1655
+ const AUTH_PROFILE_ID_PATTERN = /^[A-Za-z0-9:_-]{1,128}$/;
1656
+ function validateEnvNameCsv(value) {
1657
+ const entries = parseCsv(value);
1658
+ for (const entry of entries) if (!ENV_NAME_PATTERN.test(entry)) return `Invalid env name: ${entry}`;
1659
+ }
1660
+ async function promptEnvNameCsv(params) {
1661
+ const raw = assertNoCancel(await text({
1662
+ message: params.message,
1663
+ initialValue: params.initialValue,
1664
+ validate: (value) => validateEnvNameCsv(String(value ?? ""))
1665
+ }), "Secrets configure cancelled.");
1666
+ return parseCsv(String(raw ?? ""));
1667
+ }
1668
+ async function promptOptionalPositiveInt(params) {
1669
+ const raw = assertNoCancel(await text({
1670
+ message: params.message,
1671
+ initialValue: params.initialValue === void 0 ? "" : String(params.initialValue),
1672
+ validate: (value) => {
1673
+ const trimmed = String(value ?? "").trim();
1674
+ if (!trimmed) return;
1675
+ if (parseOptionalPositiveInt(trimmed, params.max) === void 0) return `Must be an integer between 1 and ${params.max}`;
1676
+ }
1677
+ }), "Secrets configure cancelled.");
1678
+ return parseOptionalPositiveInt(String(raw ?? ""), params.max);
1679
+ }
1680
+ function configureCandidateKey(candidate) {
1681
+ if (candidate.configFile === "auth-profiles.json") return `auth-profiles:${String(candidate.agentId ?? "").trim()}:${candidate.path}`;
1682
+ return `openclaw:${candidate.path}`;
1683
+ }
1684
+ function hasSourceChoice(sourceChoices, source) {
1685
+ return sourceChoices.some((entry) => entry.value === source);
1686
+ }
1687
+ function resolveCandidateProviderHint(candidate) {
1688
+ if (typeof candidate.authProfileProvider === "string" && candidate.authProfileProvider.trim()) return candidate.authProfileProvider.trim().toLowerCase();
1689
+ if (typeof candidate.providerId === "string" && candidate.providerId.trim()) return candidate.providerId.trim().toLowerCase();
1690
+ }
1691
+ function resolveSuggestedEnvSecretId(candidate) {
1692
+ const hintedProvider = resolveCandidateProviderHint(candidate);
1693
+ if (!hintedProvider) return;
1694
+ const envCandidates = PROVIDER_ENV_VARS[hintedProvider];
1695
+ if (!Array.isArray(envCandidates) || envCandidates.length === 0) return;
1696
+ return envCandidates[0];
1697
+ }
1698
+ function resolveConfigureAgentId(config, explicitAgentId) {
1699
+ const knownAgentIds = new Set(listAgentIds(config));
1700
+ if (!explicitAgentId) return resolveDefaultAgentId(config);
1701
+ const normalized = normalizeAgentId(explicitAgentId);
1702
+ if (knownAgentIds.has(normalized)) return normalized;
1703
+ const known = [...knownAgentIds].toSorted().join(", ");
1704
+ throw new Error(`Unknown agent id "${explicitAgentId}". Known agents: ${known || "none configured"}.`);
1705
+ }
1706
+ function normalizeAuthStoreForConfigure(raw, storePath) {
1707
+ if (!raw) return {
1708
+ version: 1,
1709
+ profiles: {}
1710
+ };
1711
+ if (!isRecord(raw.profiles)) throw new Error(`Cannot run interactive secrets configure because ${storePath} is invalid (missing "profiles" object).`);
1712
+ return {
1713
+ version: typeof raw.version === "number" && Number.isFinite(raw.version) ? raw.version : 1,
1714
+ profiles: raw.profiles,
1715
+ ...isRecord(raw.order) ? { order: raw.order } : {},
1716
+ ...isRecord(raw.lastGood) ? { lastGood: raw.lastGood } : {},
1717
+ ...isRecord(raw.usageStats) ? { usageStats: raw.usageStats } : {}
1718
+ };
1719
+ }
1720
+ function loadAuthProfileStoreForConfigure(params) {
1721
+ const storePath = resolveAuthStorePath(resolveAgentDir(params.config, params.agentId));
1722
+ const parsed = readJsonObjectIfExists(storePath);
1723
+ if (parsed.error) throw new Error(`Cannot run interactive secrets configure because ${storePath} could not be read: ${parsed.error}`);
1724
+ return normalizeAuthStoreForConfigure(parsed.value, storePath);
1725
+ }
1726
+ async function promptNewAuthProfileCandidate(agentId) {
1727
+ const profileId = assertNoCancel(await text({
1728
+ message: "Auth profile id",
1729
+ validate: (value) => {
1730
+ const trimmed = String(value ?? "").trim();
1731
+ if (!trimmed) return "Required";
1732
+ if (!AUTH_PROFILE_ID_PATTERN.test(trimmed)) return "Use letters/numbers/\":\"/\"_\"/\"-\" only.";
1733
+ }
1734
+ }), "Secrets configure cancelled.");
1735
+ const credentialType = assertNoCancel(await select({
1736
+ message: "Auth profile credential type",
1737
+ options: [{
1738
+ value: "api_key",
1739
+ label: "api_key (key/keyRef)"
1740
+ }, {
1741
+ value: "token",
1742
+ label: "token (token/tokenRef)"
1743
+ }]
1744
+ }), "Secrets configure cancelled.");
1745
+ const provider = assertNoCancel(await text({
1746
+ message: "Provider id",
1747
+ validate: (value) => String(value ?? "").trim().length > 0 ? void 0 : "Required"
1748
+ }), "Secrets configure cancelled.");
1749
+ const profileIdTrimmed = String(profileId).trim();
1750
+ const providerTrimmed = String(provider).trim();
1751
+ if (credentialType === "token") return {
1752
+ type: "auth-profiles.token.token",
1753
+ path: `profiles.${profileIdTrimmed}.token`,
1754
+ pathSegments: [
1755
+ "profiles",
1756
+ profileIdTrimmed,
1757
+ "token"
1758
+ ],
1759
+ label: `profiles.${profileIdTrimmed}.token (auth profile, agent ${agentId})`,
1760
+ configFile: "auth-profiles.json",
1761
+ agentId,
1762
+ authProfileProvider: providerTrimmed,
1763
+ expectedResolvedValue: "string"
1764
+ };
1765
+ return {
1766
+ type: "auth-profiles.api_key.key",
1767
+ path: `profiles.${profileIdTrimmed}.key`,
1768
+ pathSegments: [
1769
+ "profiles",
1770
+ profileIdTrimmed,
1771
+ "key"
1772
+ ],
1773
+ label: `profiles.${profileIdTrimmed}.key (auth profile, agent ${agentId})`,
1774
+ configFile: "auth-profiles.json",
1775
+ agentId,
1776
+ authProfileProvider: providerTrimmed,
1777
+ expectedResolvedValue: "string"
1778
+ };
1779
+ }
1780
+ async function promptProviderAlias(params) {
1781
+ const alias = assertNoCancel(await text({
1782
+ message: "Provider alias",
1783
+ initialValue: "default",
1784
+ validate: (value) => {
1785
+ const trimmed = String(value ?? "").trim();
1786
+ if (!trimmed) return "Required";
1787
+ if (!isValidSecretProviderAlias(trimmed)) return "Must match /^[a-z][a-z0-9_-]{0,63}$/";
1788
+ if (params.existingAliases.has(trimmed)) return "Alias already exists";
1789
+ }
1790
+ }), "Secrets configure cancelled.");
1791
+ return String(alias).trim();
1792
+ }
1793
+ async function promptProviderSource(initial) {
1794
+ return assertNoCancel(await select({
1795
+ message: "Provider source",
1796
+ options: [
1797
+ {
1798
+ value: "env",
1799
+ label: "env"
1800
+ },
1801
+ {
1802
+ value: "file",
1803
+ label: "file"
1804
+ },
1805
+ {
1806
+ value: "exec",
1807
+ label: "exec"
1808
+ }
1809
+ ],
1810
+ initialValue: initial
1811
+ }), "Secrets configure cancelled.");
1812
+ }
1813
+ async function promptEnvProvider(base) {
1814
+ const allowlist = await promptEnvNameCsv({
1815
+ message: "Env allowlist (comma-separated, blank for unrestricted)",
1816
+ initialValue: base?.allowlist?.join(",") ?? ""
1817
+ });
1818
+ return {
1819
+ source: "env",
1820
+ ...allowlist.length > 0 ? { allowlist } : {}
1821
+ };
1822
+ }
1823
+ async function promptFileProvider(base) {
1824
+ const filePath = assertNoCancel(await text({
1825
+ message: "File path (absolute)",
1826
+ initialValue: base?.path ?? "",
1827
+ validate: (value) => {
1828
+ const trimmed = String(value ?? "").trim();
1829
+ if (!trimmed) return "Required";
1830
+ if (!isAbsolutePathValue(trimmed)) return "Must be an absolute path";
1831
+ }
1832
+ }), "Secrets configure cancelled.");
1833
+ const mode = assertNoCancel(await select({
1834
+ message: "File mode",
1835
+ options: [{
1836
+ value: "json",
1837
+ label: "json"
1838
+ }, {
1839
+ value: "singleValue",
1840
+ label: "singleValue"
1841
+ }],
1842
+ initialValue: base?.mode ?? "json"
1843
+ }), "Secrets configure cancelled.");
1844
+ const timeoutMs = await promptOptionalPositiveInt({
1845
+ message: "Timeout ms (blank for default)",
1846
+ initialValue: base?.timeoutMs,
1847
+ max: 12e4
1848
+ });
1849
+ const maxBytes = await promptOptionalPositiveInt({
1850
+ message: "Max bytes (blank for default)",
1851
+ initialValue: base?.maxBytes,
1852
+ max: 20 * 1024 * 1024
1853
+ });
1854
+ return {
1855
+ source: "file",
1856
+ path: String(filePath).trim(),
1857
+ mode,
1858
+ ...timeoutMs ? { timeoutMs } : {},
1859
+ ...maxBytes ? { maxBytes } : {}
1860
+ };
1861
+ }
1862
+ async function parseArgsInput(rawValue) {
1863
+ const trimmed = rawValue.trim();
1864
+ if (!trimmed) return;
1865
+ const parsed = JSON.parse(trimmed);
1866
+ if (!Array.isArray(parsed) || !parsed.every((entry) => typeof entry === "string")) throw new Error("args must be a JSON array of strings");
1867
+ return parsed;
1868
+ }
1869
+ async function promptExecProvider(base) {
1870
+ const command = assertNoCancel(await text({
1871
+ message: "Command path (absolute)",
1872
+ initialValue: base?.command ?? "",
1873
+ validate: (value) => {
1874
+ const trimmed = String(value ?? "").trim();
1875
+ if (!trimmed) return "Required";
1876
+ if (!isAbsolutePathValue(trimmed)) return "Must be an absolute path";
1877
+ if (!isSafeExecutableValue(trimmed)) return "Command value is not allowed";
1878
+ }
1879
+ }), "Secrets configure cancelled.");
1880
+ const argsRaw = assertNoCancel(await text({
1881
+ message: "Args JSON array (blank for none)",
1882
+ initialValue: JSON.stringify(base?.args ?? []),
1883
+ validate: (value) => {
1884
+ const trimmed = String(value ?? "").trim();
1885
+ if (!trimmed) return;
1886
+ try {
1887
+ const parsed = JSON.parse(trimmed);
1888
+ if (!Array.isArray(parsed) || !parsed.every((entry) => typeof entry === "string")) return "Must be a JSON array of strings";
1889
+ return;
1890
+ } catch {
1891
+ return "Must be valid JSON";
1892
+ }
1893
+ }
1894
+ }), "Secrets configure cancelled.");
1895
+ const timeoutMs = await promptOptionalPositiveInt({
1896
+ message: "Timeout ms (blank for default)",
1897
+ initialValue: base?.timeoutMs,
1898
+ max: 12e4
1899
+ });
1900
+ const noOutputTimeoutMs = await promptOptionalPositiveInt({
1901
+ message: "No-output timeout ms (blank for default)",
1902
+ initialValue: base?.noOutputTimeoutMs,
1903
+ max: 12e4
1904
+ });
1905
+ const maxOutputBytes = await promptOptionalPositiveInt({
1906
+ message: "Max output bytes (blank for default)",
1907
+ initialValue: base?.maxOutputBytes,
1908
+ max: 20 * 1024 * 1024
1909
+ });
1910
+ const jsonOnly = assertNoCancel(await confirm({
1911
+ message: "Require JSON-only response?",
1912
+ initialValue: base?.jsonOnly ?? true
1913
+ }), "Secrets configure cancelled.");
1914
+ const passEnv = await promptEnvNameCsv({
1915
+ message: "Pass-through env vars (comma-separated, blank for none)",
1916
+ initialValue: base?.passEnv?.join(",") ?? ""
1917
+ });
1918
+ const trustedDirsRaw = assertNoCancel(await text({
1919
+ message: "Trusted dirs (comma-separated absolute paths, blank for none)",
1920
+ initialValue: base?.trustedDirs?.join(",") ?? "",
1921
+ validate: (value) => {
1922
+ const entries = parseCsv(String(value ?? ""));
1923
+ for (const entry of entries) if (!isAbsolutePathValue(entry)) return `Trusted dir must be absolute: ${entry}`;
1924
+ }
1925
+ }), "Secrets configure cancelled.");
1926
+ const allowInsecurePath = assertNoCancel(await confirm({
1927
+ message: "Allow insecure command path checks?",
1928
+ initialValue: base?.allowInsecurePath ?? false
1929
+ }), "Secrets configure cancelled.");
1930
+ const allowSymlinkCommand = assertNoCancel(await confirm({
1931
+ message: "Allow symlink command path?",
1932
+ initialValue: base?.allowSymlinkCommand ?? false
1933
+ }), "Secrets configure cancelled.");
1934
+ const args = await parseArgsInput(String(argsRaw ?? ""));
1935
+ const trustedDirs = parseCsv(String(trustedDirsRaw ?? ""));
1936
+ return {
1937
+ source: "exec",
1938
+ command: String(command).trim(),
1939
+ ...args && args.length > 0 ? { args } : {},
1940
+ ...timeoutMs ? { timeoutMs } : {},
1941
+ ...noOutputTimeoutMs ? { noOutputTimeoutMs } : {},
1942
+ ...maxOutputBytes ? { maxOutputBytes } : {},
1943
+ ...jsonOnly ? { jsonOnly } : { jsonOnly: false },
1944
+ ...passEnv.length > 0 ? { passEnv } : {},
1945
+ ...trustedDirs.length > 0 ? { trustedDirs } : {},
1946
+ ...allowInsecurePath ? { allowInsecurePath: true } : {},
1947
+ ...allowSymlinkCommand ? { allowSymlinkCommand: true } : {},
1948
+ ...isRecord(base?.env) ? { env: base.env } : {}
1949
+ };
1950
+ }
1951
+ async function promptProviderConfig(source, current) {
1952
+ if (source === "env") return await promptEnvProvider(current?.source === "env" ? current : void 0);
1953
+ if (source === "file") return await promptFileProvider(current?.source === "file" ? current : void 0);
1954
+ return await promptExecProvider(current?.source === "exec" ? current : void 0);
1955
+ }
1956
+ async function configureProvidersInteractive(config) {
1957
+ while (true) {
1958
+ const providers = getSecretProviders(config);
1959
+ const providerEntries = Object.entries(providers).toSorted(([left], [right]) => left.localeCompare(right));
1960
+ const actionOptions = [{
1961
+ value: "add",
1962
+ label: "Add provider",
1963
+ hint: "Define a new env/file/exec provider"
1964
+ }];
1965
+ if (providerEntries.length > 0) {
1966
+ actionOptions.push({
1967
+ value: "edit",
1968
+ label: "Edit provider",
1969
+ hint: "Update an existing provider"
1970
+ });
1971
+ actionOptions.push({
1972
+ value: "remove",
1973
+ label: "Remove provider",
1974
+ hint: "Delete a provider alias"
1975
+ });
1976
+ }
1977
+ actionOptions.push({
1978
+ value: "continue",
1979
+ label: "Continue",
1980
+ hint: "Move to credential mapping"
1981
+ });
1982
+ const action = assertNoCancel(await select({
1983
+ message: providerEntries.length > 0 ? "Configure secret providers" : "Configure secret providers (only env refs are available until file/exec providers are added)",
1984
+ options: actionOptions
1985
+ }), "Secrets configure cancelled.");
1986
+ if (action === "continue") return;
1987
+ if (action === "add") {
1988
+ const source = await promptProviderSource();
1989
+ setSecretProvider(config, await promptProviderAlias({ existingAliases: new Set(providerEntries.map(([providerAlias]) => providerAlias)) }), await promptProviderConfig(source));
1990
+ continue;
1991
+ }
1992
+ if (action === "edit") {
1993
+ const alias = assertNoCancel(await select({
1994
+ message: "Select provider to edit",
1995
+ options: providerEntries.map(([providerAlias, providerConfig]) => ({
1996
+ value: providerAlias,
1997
+ label: providerAlias,
1998
+ hint: providerHint(providerConfig)
1999
+ }))
2000
+ }), "Secrets configure cancelled.");
2001
+ const current = providers[alias];
2002
+ if (!current) continue;
2003
+ const nextProviderConfig = await promptProviderConfig(await promptProviderSource(current.source), current);
2004
+ if (!isDeepStrictEqual(current, nextProviderConfig)) setSecretProvider(config, alias, nextProviderConfig);
2005
+ continue;
2006
+ }
2007
+ if (action === "remove") {
2008
+ const alias = assertNoCancel(await select({
2009
+ message: "Select provider to remove",
2010
+ options: providerEntries.map(([providerAlias, providerConfig]) => ({
2011
+ value: providerAlias,
2012
+ label: providerAlias,
2013
+ hint: providerHint(providerConfig)
2014
+ }))
2015
+ }), "Secrets configure cancelled.");
2016
+ if (assertNoCancel(await confirm({
2017
+ message: `Remove provider "${alias}"?`,
2018
+ initialValue: false
2019
+ }), "Secrets configure cancelled.")) removeSecretProvider(config, alias);
2020
+ }
2021
+ }
2022
+ }
2023
+ async function runSecretsConfigureInteractive(params = {}) {
2024
+ if (!process.stdin.isTTY) throw new Error("secrets configure requires an interactive TTY.");
2025
+ if (params.providersOnly && params.skipProviderSetup) throw new Error("Cannot combine --providers-only with --skip-provider-setup.");
2026
+ const env = params.env ?? process.env;
2027
+ const allowExecInPreflight = Boolean(params.allowExecInPreflight);
2028
+ const { snapshot } = await createSecretsConfigIO({ env }).readConfigFileSnapshotForWrite();
2029
+ if (!snapshot.valid) throw new Error("Cannot run interactive secrets configure because config is invalid.");
2030
+ const stagedConfig = structuredClone(snapshot.config);
2031
+ if (!params.skipProviderSetup) await configureProvidersInteractive(stagedConfig);
2032
+ const providerChanges = collectConfigureProviderChanges({
2033
+ original: snapshot.config,
2034
+ next: stagedConfig
2035
+ });
2036
+ const selectedByPath = /* @__PURE__ */ new Map();
2037
+ if (!params.providersOnly) {
2038
+ const configureAgentId = resolveConfigureAgentId(snapshot.config, params.agentId);
2039
+ const authStore = loadAuthProfileStoreForConfigure({
2040
+ config: snapshot.config,
2041
+ agentId: configureAgentId
2042
+ });
2043
+ const candidates = buildConfigureCandidatesForScope({
2044
+ config: stagedConfig,
2045
+ authoredOpenClawConfig: snapshot.resolved,
2046
+ authProfiles: {
2047
+ agentId: configureAgentId,
2048
+ store: authStore
2049
+ }
2050
+ });
2051
+ if (candidates.length === 0) throw new Error("No configurable secret-bearing fields found for this agent scope.");
2052
+ const sourceChoices = toSourceChoices(stagedConfig);
2053
+ const hasDerivedCandidates = candidates.some((candidate) => candidate.isDerived === true);
2054
+ let showDerivedCandidates = false;
2055
+ while (true) {
2056
+ const visibleCandidates = showDerivedCandidates ? candidates : candidates.filter((candidate) => candidate.isDerived !== true);
2057
+ const options = visibleCandidates.map((candidate) => ({
2058
+ value: configureCandidateKey(candidate),
2059
+ label: candidate.label,
2060
+ hint: [candidate.configFile === "auth-profiles.json" ? "auth-profiles.json" : "openclaw.json", candidate.isDerived === true ? "derived" : void 0].filter(Boolean).join(" | ")
2061
+ }));
2062
+ options.push({
2063
+ value: "__create_auth_profile__",
2064
+ label: "Create auth profile mapping",
2065
+ hint: `Add a new auth-profiles target for agent ${configureAgentId}`
2066
+ });
2067
+ if (hasDerivedCandidates) options.push({
2068
+ value: "__toggle_derived__",
2069
+ label: showDerivedCandidates ? "Hide derived targets" : "Show derived targets",
2070
+ hint: showDerivedCandidates ? "Show only fields authored directly in config" : "Include normalized/derived aliases"
2071
+ });
2072
+ if (selectedByPath.size > 0) options.unshift({
2073
+ value: "__done__",
2074
+ label: "Done",
2075
+ hint: "Finish and run preflight"
2076
+ });
2077
+ const selectedPath = assertNoCancel(await select({
2078
+ message: "Select credential field",
2079
+ options
2080
+ }), "Secrets configure cancelled.");
2081
+ if (selectedPath === "__done__") break;
2082
+ if (selectedPath === "__create_auth_profile__") {
2083
+ const createdCandidate = await promptNewAuthProfileCandidate(configureAgentId);
2084
+ const key = configureCandidateKey(createdCandidate);
2085
+ const existingIndex = candidates.findIndex((entry) => configureCandidateKey(entry) === key);
2086
+ if (existingIndex >= 0) candidates[existingIndex] = createdCandidate;
2087
+ else candidates.push(createdCandidate);
2088
+ continue;
2089
+ }
2090
+ if (selectedPath === "__toggle_derived__") {
2091
+ showDerivedCandidates = !showDerivedCandidates;
2092
+ continue;
2093
+ }
2094
+ const candidate = visibleCandidates.find((entry) => configureCandidateKey(entry) === selectedPath);
2095
+ if (!candidate) throw new Error(`Unknown configure target: ${selectedPath}`);
2096
+ const candidateKey = configureCandidateKey(candidate);
2097
+ const existingRef = selectedByPath.get(candidateKey)?.ref ?? candidate.existingRef;
2098
+ const source = assertNoCancel(await select({
2099
+ message: "Secret source",
2100
+ options: sourceChoices,
2101
+ initialValue: existingRef && hasSourceChoice(sourceChoices, existingRef.source) ? existingRef.source : void 0
2102
+ }), "Secrets configure cancelled.");
2103
+ const defaultAlias = resolveDefaultSecretProviderAlias(stagedConfig, source, { preferFirstProviderForSource: true });
2104
+ const provider = assertNoCancel(await text({
2105
+ message: "Provider alias",
2106
+ initialValue: existingRef?.source === source ? existingRef.provider : defaultAlias,
2107
+ validate: (value) => {
2108
+ const trimmed = String(value ?? "").trim();
2109
+ if (!trimmed) return "Required";
2110
+ if (!isValidSecretProviderAlias(trimmed)) return "Must match /^[a-z][a-z0-9_-]{0,63}$/";
2111
+ }
2112
+ }), "Secrets configure cancelled.");
2113
+ const providerAlias = String(provider).trim();
2114
+ let suggestedId = existingRef?.source === source ? existingRef.id : void 0;
2115
+ if (!suggestedId && source === "env") suggestedId = resolveSuggestedEnvSecretId(candidate);
2116
+ if (!suggestedId && source === "file") {
2117
+ const configuredProvider = stagedConfig.secrets?.providers?.[providerAlias];
2118
+ if (configuredProvider?.source === "file" && configuredProvider.mode === "singleValue") suggestedId = "value";
2119
+ }
2120
+ const id = assertNoCancel(await text({
2121
+ message: "Secret id",
2122
+ initialValue: suggestedId,
2123
+ validate: (value) => {
2124
+ const trimmed = String(value ?? "").trim();
2125
+ if (!trimmed) return "Required";
2126
+ if (source === "exec" && !isValidExecSecretRefId(trimmed)) return formatExecSecretRefIdValidationMessage();
2127
+ }
2128
+ }), "Secrets configure cancelled.");
2129
+ const ref = {
2130
+ source,
2131
+ provider: providerAlias,
2132
+ id: String(id).trim()
2133
+ };
2134
+ if (ref.source === "exec" && !allowExecInPreflight) {
2135
+ const staticError = getSkippedExecRefStaticError({
2136
+ ref,
2137
+ config: stagedConfig
2138
+ });
2139
+ if (staticError) throw new Error(staticError);
2140
+ } else assertExpectedResolvedSecretValue({
2141
+ value: await resolveSecretRefValue(ref, {
2142
+ config: stagedConfig,
2143
+ env
2144
+ }),
2145
+ expected: candidate.expectedResolvedValue,
2146
+ errorMessage: candidate.expectedResolvedValue === "string" ? `Ref ${ref.source}:${ref.provider}:${ref.id} did not resolve to a non-empty string.` : `Ref ${ref.source}:${ref.provider}:${ref.id} did not resolve to a supported value type.`
2147
+ });
2148
+ const next = {
2149
+ ...candidate,
2150
+ ref
2151
+ };
2152
+ selectedByPath.set(candidateKey, next);
2153
+ if (!assertNoCancel(await confirm({
2154
+ message: "Configure another credential?",
2155
+ initialValue: true
2156
+ }), "Secrets configure cancelled.")) break;
2157
+ }
2158
+ }
2159
+ if (!hasConfigurePlanChanges({
2160
+ selectedTargets: selectedByPath,
2161
+ providerChanges
2162
+ })) throw new Error("No secrets changes were selected.");
2163
+ const plan = buildSecretsConfigurePlan({
2164
+ selectedTargets: selectedByPath,
2165
+ providerChanges
2166
+ });
2167
+ return {
2168
+ plan,
2169
+ preflight: await runSecretsApply({
2170
+ plan,
2171
+ env,
2172
+ write: false,
2173
+ allowExec: allowExecInPreflight
2174
+ })
2175
+ };
2176
+ }
2177
+ //#endregion
2178
+ //#region src/cli/secrets-cli.ts
2179
+ function readPlanFile(pathname) {
2180
+ const raw = fs.readFileSync(pathname, "utf8");
2181
+ const parsed = JSON.parse(raw);
2182
+ if (!isSecretsApplyPlan(parsed)) throw new Error(`Invalid secrets plan file: ${pathname}`);
2183
+ return parsed;
2184
+ }
2185
+ function registerSecretsCli(program) {
2186
+ const secrets = program.command("secrets").description("Secrets runtime controls").addHelpText("after", () => `\n${theme.muted("Docs:")} ${formatDocsLink("/gateway/security", "docs.openclaw.ai/gateway/security")}\n`);
2187
+ addGatewayClientOptions(secrets.command("reload").description("Re-resolve secret references and atomically swap runtime snapshot").option("--json", "Output JSON", false)).action(async (opts) => {
2188
+ try {
2189
+ const result = await callGatewayFromCli("secrets.reload", opts, void 0, { expectFinal: false });
2190
+ if (opts.json) {
2191
+ defaultRuntime.log(JSON.stringify(result, null, 2));
2192
+ return;
2193
+ }
2194
+ const warningCount = Number(result?.warningCount ?? 0);
2195
+ if (Number.isFinite(warningCount) && warningCount > 0) {
2196
+ defaultRuntime.log(`Secrets reloaded with ${warningCount} warning(s).`);
2197
+ return;
2198
+ }
2199
+ defaultRuntime.log("Secrets reloaded.");
2200
+ } catch (err) {
2201
+ defaultRuntime.error(danger(String(err)));
2202
+ defaultRuntime.exit(1);
2203
+ }
2204
+ });
2205
+ secrets.command("audit").description("Audit plaintext secrets, unresolved refs, and precedence drift").option("--check", "Exit non-zero when findings are present", false).option("--allow-exec", "Allow exec SecretRef resolution during audit (may execute provider commands)", false).option("--json", "Output JSON", false).action(async (opts) => {
2206
+ try {
2207
+ const report = await runSecretsAudit({ allowExec: Boolean(opts.allowExec) });
2208
+ if (opts.json) defaultRuntime.log(JSON.stringify(report, null, 2));
2209
+ else {
2210
+ defaultRuntime.log(`Secrets audit: ${report.status}. plaintext=${report.summary.plaintextCount}, unresolved=${report.summary.unresolvedRefCount}, shadowed=${report.summary.shadowedRefCount}, legacy=${report.summary.legacyResidueCount}.`);
2211
+ if (report.findings.length > 0) {
2212
+ for (const finding of report.findings.slice(0, 20)) defaultRuntime.log(`- [${finding.code}] ${finding.file}:${finding.jsonPath} ${finding.message}`);
2213
+ if (report.findings.length > 20) defaultRuntime.log(`... ${report.findings.length - 20} more finding(s).`);
2214
+ }
2215
+ if (report.resolution.skippedExecRefs > 0) defaultRuntime.log(`Audit note: skipped ${report.resolution.skippedExecRefs} exec SecretRef resolvability check(s). Re-run with --allow-exec to execute exec providers during audit.`);
2216
+ }
2217
+ const exitCode = resolveSecretsAuditExitCode(report, Boolean(opts.check));
2218
+ if (exitCode !== 0) defaultRuntime.exit(exitCode);
2219
+ } catch (err) {
2220
+ defaultRuntime.error(danger(String(err)));
2221
+ defaultRuntime.exit(2);
2222
+ }
2223
+ });
2224
+ secrets.command("configure").description("Interactive secrets helper (provider setup + SecretRef mapping + preflight)").option("--apply", "Apply changes immediately after preflight", false).option("--yes", "Skip apply confirmation prompt", false).option("--providers-only", "Configure secrets.providers only, skip credential mapping", false).option("--skip-provider-setup", "Skip provider setup and only map credential fields to existing providers", false).option("--agent <id>", "Agent id for auth-profiles targets (default: configured default agent)").option("--allow-exec", "Allow exec SecretRef preflight checks (may execute provider commands)", false).option("--plan-out <path>", "Write generated plan JSON to a file").option("--json", "Output JSON", false).action(async (opts) => {
2225
+ try {
2226
+ const configured = await runSecretsConfigureInteractive({
2227
+ providersOnly: Boolean(opts.providersOnly),
2228
+ skipProviderSetup: Boolean(opts.skipProviderSetup),
2229
+ agentId: typeof opts.agent === "string" ? opts.agent : void 0,
2230
+ allowExecInPreflight: Boolean(opts.allowExec)
2231
+ });
2232
+ if (opts.planOut) fs.writeFileSync(opts.planOut, `${JSON.stringify(configured.plan, null, 2)}\n`, "utf8");
2233
+ if (opts.json) defaultRuntime.log(JSON.stringify({
2234
+ plan: configured.plan,
2235
+ preflight: configured.preflight
2236
+ }, null, 2));
2237
+ else {
2238
+ defaultRuntime.log(`Preflight: changed=${configured.preflight.changed}, files=${configured.preflight.changedFiles.length}, warnings=${configured.preflight.warningCount}.`);
2239
+ if (configured.preflight.warningCount > 0) for (const warning of configured.preflight.warnings) defaultRuntime.log(`- warning: ${warning}`);
2240
+ if (!configured.preflight.checks.resolvabilityComplete && configured.preflight.skippedExecRefs > 0) defaultRuntime.log(`Preflight note: skipped ${configured.preflight.skippedExecRefs} exec SecretRef resolvability check(s). Re-run with --allow-exec to execute exec providers during preflight.`);
2241
+ const providerUpserts = Object.keys(configured.plan.providerUpserts ?? {}).length;
2242
+ const providerDeletes = configured.plan.providerDeletes?.length ?? 0;
2243
+ defaultRuntime.log(`Plan: targets=${configured.plan.targets.length}, providerUpserts=${providerUpserts}, providerDeletes=${providerDeletes}.`);
2244
+ if (opts.planOut) defaultRuntime.log(`Plan written to ${opts.planOut}`);
2245
+ }
2246
+ let shouldApply = Boolean(opts.apply);
2247
+ if (!shouldApply && !opts.json) {
2248
+ const approved = await confirm({
2249
+ message: "Apply this plan now?",
2250
+ initialValue: true
2251
+ });
2252
+ if (typeof approved === "boolean") shouldApply = approved;
2253
+ }
2254
+ if (shouldApply) {
2255
+ if (Boolean(opts.apply) && !opts.yes && !opts.json) {
2256
+ if (await confirm({
2257
+ message: "This migration is one-way for migrated plaintext values. Continue with apply?",
2258
+ initialValue: true
2259
+ }) !== true) {
2260
+ defaultRuntime.log("Apply cancelled.");
2261
+ return;
2262
+ }
2263
+ }
2264
+ const result = await runSecretsApply({
2265
+ plan: configured.plan,
2266
+ write: true,
2267
+ allowExec: Boolean(opts.allowExec)
2268
+ });
2269
+ if (opts.json) {
2270
+ defaultRuntime.log(JSON.stringify(result, null, 2));
2271
+ return;
2272
+ }
2273
+ defaultRuntime.log(result.changed ? `Secrets applied. Updated ${result.changedFiles.length} file(s).` : "Secrets apply: no changes.");
2274
+ }
2275
+ } catch (err) {
2276
+ defaultRuntime.error(danger(String(err)));
2277
+ defaultRuntime.exit(1);
2278
+ }
2279
+ });
2280
+ secrets.command("apply").description("Apply a previously generated secrets plan").requiredOption("--from <path>", "Path to plan JSON").option("--dry-run", "Validate/preflight only", false).option("--allow-exec", "Allow exec SecretRef checks (may execute provider commands)", false).option("--json", "Output JSON", false).action(async (opts) => {
2281
+ try {
2282
+ const result = await runSecretsApply({
2283
+ plan: readPlanFile(opts.from),
2284
+ write: !opts.dryRun,
2285
+ allowExec: Boolean(opts.allowExec)
2286
+ });
2287
+ if (opts.json) {
2288
+ defaultRuntime.log(JSON.stringify(result, null, 2));
2289
+ return;
2290
+ }
2291
+ if (opts.dryRun) {
2292
+ defaultRuntime.log(result.changed ? `Secrets apply dry run: ${result.changedFiles.length} file(s) would change.` : "Secrets apply dry run: no changes.");
2293
+ if (!result.checks.resolvabilityComplete && result.skippedExecRefs > 0) defaultRuntime.log(`Secrets apply dry-run note: skipped ${result.skippedExecRefs} exec SecretRef resolvability check(s). Re-run with --allow-exec to execute exec providers during dry-run.`);
2294
+ return;
2295
+ }
2296
+ defaultRuntime.log(result.changed ? `Secrets applied. Updated ${result.changedFiles.length} file(s).` : "Secrets apply: no changes.");
2297
+ } catch (err) {
2298
+ defaultRuntime.error(danger(String(err)));
2299
+ defaultRuntime.exit(1);
2300
+ }
2301
+ });
2302
+ }
2303
+ //#endregion
2304
+ export { registerSecretsCli };