synurex 2026.2.19-1

package/dist/model-selection-CjYymzT8.js

@@ -0,0 +1,2983 @@
+import { t as __exportAll } from "./rolldown-runtime-Cbj13DAv.js";
+import { g as resolveStateDir, h as resolveOAuthPath } from "./paths-Drx5WZ13.js";
+import { n as DEFAULT_AGENT_ID } from "./session-key-DrNCyvP1.js";
+import { t as createSubsystemLogger } from "./subsystem-DPYBJG7C.js";
+import { h as resolveUserPath } from "./utils-C7NsUvD1.js";
+import { a as resolveAgentModelPrimary } from "./agent-scope-CRRhJ7Hf.js";
+import { a as saveJsonFile, i as loadJsonFile, r as resolveCopilotApiToken, t as DEFAULT_COPILOT_API_BASE_URL } from "./github-copilot-token-_jdpoYjM.js";
+import { t as formatCliCommand } from "./command-format-CEnDvS9q.js";
+import { t as isTruthyEnvValue } from "./env-DgIs6BZg.js";
+import path from "node:path";
+import fs from "node:fs";
+import { execFileSync, execSync } from "node:child_process";
+import lockfile from "proper-lockfile";
+import { createHash, randomBytes } from "node:crypto";
+import { getEnvApiKey, getOAuthApiKey, getOAuthProviders } from "@mariozechner/pi-ai";
+import { BedrockClient, ListFoundationModelsCommand } from "@aws-sdk/client-bedrock";
+
+//#region src/agents/defaults.ts
+const DEFAULT_PROVIDER = "anthropic";
+const DEFAULT_MODEL = "claude-opus-4-6";
+const DEFAULT_CONTEXT_TOKENS = 2e5;
+
+//#endregion
+//#region src/agents/auth-profiles/constants.ts
+const AUTH_STORE_VERSION = 1;
+const AUTH_PROFILE_FILENAME = "auth-profiles.json";
+const LEGACY_AUTH_FILENAME = "auth.json";
+const CLAUDE_CLI_PROFILE_ID = "anthropic:claude-cli";
+const CODEX_CLI_PROFILE_ID = "openai-codex:codex-cli";
+const QWEN_CLI_PROFILE_ID = "qwen-portal:qwen-cli";
+const MINIMAX_CLI_PROFILE_ID = "minimax-portal:minimax-cli";
+const AUTH_STORE_LOCK_OPTIONS = {
+	retries: {
+		retries: 10,
+		factor: 2,
+		minTimeout: 100,
+		maxTimeout: 1e4,
+		randomize: true
+	},
+	stale: 3e4
+};
+const EXTERNAL_CLI_SYNC_TTL_MS = 900 * 1e3;
+const EXTERNAL_CLI_NEAR_EXPIRY_MS = 600 * 1e3;
+const log$1 = createSubsystemLogger("agents/auth-profiles");
+
+//#endregion
+//#region src/agents/auth-profiles/display.ts
+function resolveAuthProfileDisplayLabel(params) {
+	const { cfg, store, profileId } = params;
+	const profile = store.profiles[profileId];
+	const email = cfg?.auth?.profiles?.[profileId]?.email?.trim() || (profile && "email" in profile ? profile.email?.trim() : void 0);
+	if (email) return `${profileId} (${email})`;
+	return profileId;
+}
+
+//#endregion
+//#region src/agents/cli-credentials.ts
+const log = createSubsystemLogger("agents/auth-profiles");
+const QWEN_CLI_CREDENTIALS_RELATIVE_PATH = ".qwen/oauth_creds.json";
+const MINIMAX_CLI_CREDENTIALS_RELATIVE_PATH = ".minimax/oauth_creds.json";
+let qwenCliCache = null;
+let minimaxCliCache = null;
+function resolveQwenCliCredentialsPath(homeDir) {
+	const baseDir = homeDir ?? resolveUserPath("~");
+	return path.join(baseDir, QWEN_CLI_CREDENTIALS_RELATIVE_PATH);
+}
+function resolveMiniMaxCliCredentialsPath(homeDir) {
+	const baseDir = homeDir ?? resolveUserPath("~");
+	return path.join(baseDir, MINIMAX_CLI_CREDENTIALS_RELATIVE_PATH);
+}
+function readQwenCliCredentials(options) {
+	const raw = loadJsonFile(resolveQwenCliCredentialsPath(options?.homeDir));
+	if (!raw || typeof raw !== "object") return null;
+	const data = raw;
+	const accessToken = data.access_token;
+	const refreshToken = data.refresh_token;
+	const expiresAt = data.expiry_date;
+	if (typeof accessToken !== "string" || !accessToken) return null;
+	if (typeof refreshToken !== "string" || !refreshToken) return null;
+	if (typeof expiresAt !== "number" || !Number.isFinite(expiresAt)) return null;
+	return {
+		type: "oauth",
+		provider: "qwen-portal",
+		access: accessToken,
+		refresh: refreshToken,
+		expires: expiresAt
+	};
+}
+function readMiniMaxCliCredentials(options) {
+	const raw = loadJsonFile(resolveMiniMaxCliCredentialsPath(options?.homeDir));
+	if (!raw || typeof raw !== "object") return null;
+	const data = raw;
+	const accessToken = data.access_token;
+	const refreshToken = data.refresh_token;
+	const expiresAt = data.expiry_date;
+	if (typeof accessToken !== "string" || !accessToken) return null;
+	if (typeof refreshToken !== "string" || !refreshToken) return null;
+	if (typeof expiresAt !== "number" || !Number.isFinite(expiresAt)) return null;
+	return {
+		type: "oauth",
+		provider: "minimax-portal",
+		access: accessToken,
+		refresh: refreshToken,
+		expires: expiresAt
+	};
+}
+function readQwenCliCredentialsCached(options) {
+	const ttlMs = options?.ttlMs ?? 0;
+	const now = Date.now();
+	const cacheKey = resolveQwenCliCredentialsPath(options?.homeDir);
+	if (ttlMs > 0 && qwenCliCache && qwenCliCache.cacheKey === cacheKey && now - qwenCliCache.readAt < ttlMs) return qwenCliCache.value;
+	const value = readQwenCliCredentials({ homeDir: options?.homeDir });
+	if (ttlMs > 0) qwenCliCache = {
+		value,
+		readAt: now,
+		cacheKey
+	};
+	return value;
+}
+function readMiniMaxCliCredentialsCached(options) {
+	const ttlMs = options?.ttlMs ?? 0;
+	const now = Date.now();
+	const cacheKey = resolveMiniMaxCliCredentialsPath(options?.homeDir);
+	if (ttlMs > 0 && minimaxCliCache && minimaxCliCache.cacheKey === cacheKey && now - minimaxCliCache.readAt < ttlMs) return minimaxCliCache.value;
+	const value = readMiniMaxCliCredentials({ homeDir: options?.homeDir });
+	if (ttlMs > 0) minimaxCliCache = {
+		value,
+		readAt: now,
+		cacheKey
+	};
+	return value;
+}
+
+//#endregion
+//#region src/agents/auth-profiles/external-cli-sync.ts
+function shallowEqualOAuthCredentials(a, b) {
+	if (!a) return false;
+	if (a.type !== "oauth") return false;
+	return a.provider === b.provider && a.access === b.access && a.refresh === b.refresh && a.expires === b.expires && a.email === b.email && a.enterpriseUrl === b.enterpriseUrl && a.projectId === b.projectId && a.accountId === b.accountId;
+}
+function isExternalProfileFresh(cred, now) {
+	if (!cred) return false;
+	if (cred.type !== "oauth" && cred.type !== "token") return false;
+	if (cred.provider !== "qwen-portal" && cred.provider !== "minimax-portal") return false;
+	if (typeof cred.expires !== "number") return true;
+	return cred.expires > now + EXTERNAL_CLI_NEAR_EXPIRY_MS;
+}
+/** Sync external CLI credentials into the store for a given provider. */
+function syncExternalCliCredentialsForProvider(store, profileId, provider, readCredentials, now) {
+	const existing = store.profiles[profileId];
+	const creds = !existing || existing.provider !== provider || !isExternalProfileFresh(existing, now) ? readCredentials() : null;
+	if (!creds) return false;
+	const existingOAuth = existing?.type === "oauth" ? existing : void 0;
+	if ((!existingOAuth || existingOAuth.provider !== provider || existingOAuth.expires <= now || creds.expires > existingOAuth.expires) && !shallowEqualOAuthCredentials(existingOAuth, creds)) {
+		store.profiles[profileId] = creds;
+		log$1.info(`synced ${provider} credentials from external cli`, {
+			profileId,
+			expires: new Date(creds.expires).toISOString()
+		});
+		return true;
+	}
+	return false;
+}
+/**
+* Sync OAuth credentials from external CLI tools (Qwen Code CLI, MiniMax CLI) into the store.
+*
+* Returns true if any credentials were updated.
+*/
+function syncExternalCliCredentials(store) {
+	let mutated = false;
+	const now = Date.now();
+	const existingQwen = store.profiles[QWEN_CLI_PROFILE_ID];
+	const qwenCreds = !existingQwen || existingQwen.provider !== "qwen-portal" || !isExternalProfileFresh(existingQwen, now) ? readQwenCliCredentialsCached({ ttlMs: EXTERNAL_CLI_SYNC_TTL_MS }) : null;
+	if (qwenCreds) {
+		const existing = store.profiles[QWEN_CLI_PROFILE_ID];
+		const existingOAuth = existing?.type === "oauth" ? existing : void 0;
+		if ((!existingOAuth || existingOAuth.provider !== "qwen-portal" || existingOAuth.expires <= now || qwenCreds.expires > existingOAuth.expires) && !shallowEqualOAuthCredentials(existingOAuth, qwenCreds)) {
+			store.profiles[QWEN_CLI_PROFILE_ID] = qwenCreds;
+			mutated = true;
+			log$1.info("synced qwen credentials from qwen cli", {
+				profileId: QWEN_CLI_PROFILE_ID,
+				expires: new Date(qwenCreds.expires).toISOString()
+			});
+		}
+	}
+	if (syncExternalCliCredentialsForProvider(store, MINIMAX_CLI_PROFILE_ID, "minimax-portal", () => readMiniMaxCliCredentialsCached({ ttlMs: EXTERNAL_CLI_SYNC_TTL_MS }), now)) mutated = true;
+	return mutated;
+}
+
+//#endregion
+//#region src/agents/agent-paths.ts
+function resolveSynurexAgentDir() {
+	const override = process.env.SYNUREX_AGENT_DIR?.trim() || process.env.PI_CODING_AGENT_DIR?.trim();
+	if (override) return resolveUserPath(override);
+	return resolveUserPath(path.join(resolveStateDir(), "agents", DEFAULT_AGENT_ID, "agent"));
+}
+
+//#endregion
+//#region src/agents/auth-profiles/paths.ts
+function resolveAuthStorePath(agentDir) {
+	const resolved = resolveUserPath(agentDir ?? resolveSynurexAgentDir());
+	return path.join(resolved, AUTH_PROFILE_FILENAME);
+}
+function resolveLegacyAuthStorePath(agentDir) {
+	const resolved = resolveUserPath(agentDir ?? resolveSynurexAgentDir());
+	return path.join(resolved, LEGACY_AUTH_FILENAME);
+}
+function resolveAuthStorePathForDisplay(agentDir) {
+	const pathname = resolveAuthStorePath(agentDir);
+	return pathname.startsWith("~") ? pathname : resolveUserPath(pathname);
+}
+function ensureAuthStoreFile(pathname) {
+	if (fs.existsSync(pathname)) return;
+	saveJsonFile(pathname, {
+		version: AUTH_STORE_VERSION,
+		profiles: {}
+	});
+}
+
+//#endregion
+//#region src/agents/auth-profiles/store.ts
+async function updateAuthProfileStoreWithLock(params) {
+	const authPath = resolveAuthStorePath(params.agentDir);
+	ensureAuthStoreFile(authPath);
+	let release;
+	try {
+		release = await lockfile.lock(authPath, AUTH_STORE_LOCK_OPTIONS);
+		const store = ensureAuthProfileStore(params.agentDir);
+		if (params.updater(store)) saveAuthProfileStore(store, params.agentDir);
+		return store;
+	} catch {
+		return null;
+	} finally {
+		if (release) try {
+			await release();
+		} catch {}
+	}
+}
+function coerceLegacyStore(raw) {
+	if (!raw || typeof raw !== "object") return null;
+	const record = raw;
+	if ("profiles" in record) return null;
+	const entries = {};
+	for (const [key, value] of Object.entries(record)) {
+		if (!value || typeof value !== "object") continue;
+		const typed = value;
+		if (typed.type !== "api_key" && typed.type !== "oauth" && typed.type !== "token") continue;
+		entries[key] = {
+			...typed,
+			provider: String(typed.provider ?? key)
+		};
+	}
+	return Object.keys(entries).length > 0 ? entries : null;
+}
+function coerceAuthStore(raw) {
+	if (!raw || typeof raw !== "object") return null;
+	const record = raw;
+	if (!record.profiles || typeof record.profiles !== "object") return null;
+	const profiles = record.profiles;
+	const normalized = {};
+	for (const [key, value] of Object.entries(profiles)) {
+		if (!value || typeof value !== "object") continue;
+		const typed = value;
+		if (typed.type !== "api_key" && typed.type !== "oauth" && typed.type !== "token") continue;
+		if (!typed.provider) continue;
+		normalized[key] = typed;
+	}
+	const order = record.order && typeof record.order === "object" ? Object.entries(record.order).reduce((acc, [provider, value]) => {
+		if (!Array.isArray(value)) return acc;
+		const list = value.map((entry) => typeof entry === "string" ? entry.trim() : "").filter(Boolean);
+		if (list.length === 0) return acc;
+		acc[provider] = list;
+		return acc;
+	}, {}) : void 0;
+	return {
+		version: Number(record.version ?? AUTH_STORE_VERSION),
+		profiles: normalized,
+		order,
+		lastGood: record.lastGood && typeof record.lastGood === "object" ? record.lastGood : void 0,
+		usageStats: record.usageStats && typeof record.usageStats === "object" ? record.usageStats : void 0
+	};
+}
+function mergeRecord(base, override) {
+	if (!base && !override) return;
+	if (!base) return { ...override };
+	if (!override) return { ...base };
+	return {
+		...base,
+		...override
+	};
+}
+function mergeAuthProfileStores(base, override) {
+	if (Object.keys(override.profiles).length === 0 && !override.order && !override.lastGood && !override.usageStats) return base;
+	return {
+		version: Math.max(base.version, override.version ?? base.version),
+		profiles: {
+			...base.profiles,
+			...override.profiles
+		},
+		order: mergeRecord(base.order, override.order),
+		lastGood: mergeRecord(base.lastGood, override.lastGood),
+		usageStats: mergeRecord(base.usageStats, override.usageStats)
+	};
+}
+function mergeOAuthFileIntoStore(store) {
+	const oauthRaw = loadJsonFile(resolveOAuthPath());
+	if (!oauthRaw || typeof oauthRaw !== "object") return false;
+	const oauthEntries = oauthRaw;
+	let mutated = false;
+	for (const [provider, creds] of Object.entries(oauthEntries)) {
+		if (!creds || typeof creds !== "object") continue;
+		const profileId = `${provider}:default`;
+		if (store.profiles[profileId]) continue;
+		store.profiles[profileId] = {
+			type: "oauth",
+			provider,
+			...creds
+		};
+		mutated = true;
+	}
+	return mutated;
+}
+function loadAuthProfileStore() {
+	const authPath = resolveAuthStorePath();
+	const asStore = coerceAuthStore(loadJsonFile(authPath));
+	if (asStore) {
+		if (syncExternalCliCredentials(asStore)) saveJsonFile(authPath, asStore);
+		return asStore;
+	}
+	const legacy = coerceLegacyStore(loadJsonFile(resolveLegacyAuthStorePath()));
+	if (legacy) {
+		const store = {
+			version: AUTH_STORE_VERSION,
+			profiles: {}
+		};
+		for (const [provider, cred] of Object.entries(legacy)) {
+			const profileId = `${provider}:default`;
+			if (cred.type === "api_key") store.profiles[profileId] = {
+				type: "api_key",
+				provider: String(cred.provider ?? provider),
+				key: cred.key,
+				...cred.email ? { email: cred.email } : {}
+			};
+			else if (cred.type === "token") store.profiles[profileId] = {
+				type: "token",
+				provider: String(cred.provider ?? provider),
+				token: cred.token,
+				...typeof cred.expires === "number" ? { expires: cred.expires } : {},
+				...cred.email ? { email: cred.email } : {}
+			};
+			else store.profiles[profileId] = {
+				type: "oauth",
+				provider: String(cred.provider ?? provider),
+				access: cred.access,
+				refresh: cred.refresh,
+				expires: cred.expires,
+				...cred.enterpriseUrl ? { enterpriseUrl: cred.enterpriseUrl } : {},
+				...cred.projectId ? { projectId: cred.projectId } : {},
+				...cred.accountId ? { accountId: cred.accountId } : {},
+				...cred.email ? { email: cred.email } : {}
+			};
+		}
+		syncExternalCliCredentials(store);
+		return store;
+	}
+	const store = {
+		version: AUTH_STORE_VERSION,
+		profiles: {}
+	};
+	syncExternalCliCredentials(store);
+	return store;
+}
+function loadAuthProfileStoreForAgent(agentDir, _options) {
+	const authPath = resolveAuthStorePath(agentDir);
+	const asStore = coerceAuthStore(loadJsonFile(authPath));
+	if (asStore) {
+		if (syncExternalCliCredentials(asStore)) saveJsonFile(authPath, asStore);
+		return asStore;
+	}
+	if (agentDir) {
+		const mainStore = coerceAuthStore(loadJsonFile(resolveAuthStorePath()));
+		if (mainStore && Object.keys(mainStore.profiles).length > 0) {
+			saveJsonFile(authPath, mainStore);
+			log$1.info("inherited auth-profiles from main agent", { agentDir });
+			return mainStore;
+		}
+	}
+	const legacy = coerceLegacyStore(loadJsonFile(resolveLegacyAuthStorePath(agentDir)));
+	const store = {
+		version: AUTH_STORE_VERSION,
+		profiles: {}
+	};
+	if (legacy) for (const [provider, cred] of Object.entries(legacy)) {
+		const profileId = `${provider}:default`;
+		if (cred.type === "api_key") store.profiles[profileId] = {
+			type: "api_key",
+			provider: String(cred.provider ?? provider),
+			key: cred.key,
+			...cred.email ? { email: cred.email } : {}
+		};
+		else if (cred.type === "token") store.profiles[profileId] = {
+			type: "token",
+			provider: String(cred.provider ?? provider),
+			token: cred.token,
+			...typeof cred.expires === "number" ? { expires: cred.expires } : {},
+			...cred.email ? { email: cred.email } : {}
+		};
+		else store.profiles[profileId] = {
+			type: "oauth",
+			provider: String(cred.provider ?? provider),
+			access: cred.access,
+			refresh: cred.refresh,
+			expires: cred.expires,
+			...cred.enterpriseUrl ? { enterpriseUrl: cred.enterpriseUrl } : {},
+			...cred.projectId ? { projectId: cred.projectId } : {},
+			...cred.accountId ? { accountId: cred.accountId } : {},
+			...cred.email ? { email: cred.email } : {}
+		};
+	}
+	const mergedOAuth = mergeOAuthFileIntoStore(store);
+	const syncedCli = syncExternalCliCredentials(store);
+	const shouldWrite = legacy !== null || mergedOAuth || syncedCli;
+	if (shouldWrite) saveJsonFile(authPath, store);
+	if (shouldWrite && legacy !== null) {
+		const legacyPath = resolveLegacyAuthStorePath(agentDir);
+		try {
+			fs.unlinkSync(legacyPath);
+		} catch (err) {
+			if (err?.code !== "ENOENT") log$1.warn("failed to delete legacy auth.json after migration", {
+				err,
+				legacyPath
+			});
+		}
+	}
+	return store;
+}
+function ensureAuthProfileStore(agentDir, options) {
+	const store = loadAuthProfileStoreForAgent(agentDir, options);
+	const authPath = resolveAuthStorePath(agentDir);
+	const mainAuthPath = resolveAuthStorePath();
+	if (!agentDir || authPath === mainAuthPath) return store;
+	return mergeAuthProfileStores(loadAuthProfileStoreForAgent(void 0, options), store);
+}
+function saveAuthProfileStore(store, agentDir) {
+	saveJsonFile(resolveAuthStorePath(agentDir), {
+		version: AUTH_STORE_VERSION,
+		profiles: store.profiles,
+		order: store.order ?? void 0,
+		lastGood: store.lastGood ?? void 0,
+		usageStats: store.usageStats ?? void 0
+	});
+}
+
+//#endregion
+//#region src/agents/auth-profiles/profiles.ts
+async function setAuthProfileOrder(params) {
+	const providerKey = normalizeProviderId(params.provider);
+	const sanitized = params.order && Array.isArray(params.order) ? params.order.map((entry) => String(entry).trim()).filter(Boolean) : [];
+	const deduped = [];
+	for (const entry of sanitized) if (!deduped.includes(entry)) deduped.push(entry);
+	return await updateAuthProfileStoreWithLock({
+		agentDir: params.agentDir,
+		updater: (store) => {
+			store.order = store.order ?? {};
+			if (deduped.length === 0) {
+				if (!store.order[providerKey]) return false;
+				delete store.order[providerKey];
+				if (Object.keys(store.order).length === 0) store.order = void 0;
+				return true;
+			}
+			store.order[providerKey] = deduped;
+			return true;
+		}
+	});
+}
+function upsertAuthProfile(params) {
+	const store = ensureAuthProfileStore(params.agentDir);
+	store.profiles[params.profileId] = params.credential;
+	saveAuthProfileStore(store, params.agentDir);
+}
+function listProfilesForProvider(store, provider) {
+	const providerKey = normalizeProviderId(provider);
+	return Object.entries(store.profiles).filter(([, cred]) => normalizeProviderId(cred.provider) === providerKey).map(([id]) => id);
+}
+async function markAuthProfileGood(params) {
+	const { store, provider, profileId, agentDir } = params;
+	const updated = await updateAuthProfileStoreWithLock({
+		agentDir,
+		updater: (freshStore) => {
+			const profile = freshStore.profiles[profileId];
+			if (!profile || profile.provider !== provider) return false;
+			freshStore.lastGood = {
+				...freshStore.lastGood,
+				[provider]: profileId
+			};
+			return true;
+		}
+	});
+	if (updated) {
+		store.lastGood = updated.lastGood;
+		return;
+	}
+	const profile = store.profiles[profileId];
+	if (!profile || profile.provider !== provider) return;
+	store.lastGood = {
+		...store.lastGood,
+		[provider]: profileId
+	};
+	saveAuthProfileStore(store, agentDir);
+}
+
+//#endregion
+//#region src/agents/auth-profiles/repair.ts
+function getProfileSuffix(profileId) {
+	const idx = profileId.indexOf(":");
+	if (idx < 0) return "";
+	return profileId.slice(idx + 1);
+}
+function isEmailLike(value) {
+	const trimmed = value.trim();
+	if (!trimmed) return false;
+	return trimmed.includes("@") && trimmed.includes(".");
+}
+function suggestOAuthProfileIdForLegacyDefault(params) {
+	const providerKey = normalizeProviderId(params.provider);
+	if (getProfileSuffix(params.legacyProfileId) !== "default") return null;
+	const legacyCfg = params.cfg?.auth?.profiles?.[params.legacyProfileId];
+	if (legacyCfg && normalizeProviderId(legacyCfg.provider) === providerKey && legacyCfg.mode !== "oauth") return null;
+	const oauthProfiles = listProfilesForProvider(params.store, providerKey).filter((id) => params.store.profiles[id]?.type === "oauth");
+	if (oauthProfiles.length === 0) return null;
+	const configuredEmail = legacyCfg?.email?.trim();
+	if (configuredEmail) {
+		const byEmail = oauthProfiles.find((id) => {
+			const cred = params.store.profiles[id];
+			if (!cred || cred.type !== "oauth") return false;
+			return cred.email?.trim() === configuredEmail || id === `${providerKey}:${configuredEmail}`;
+		});
+		if (byEmail) return byEmail;
+	}
+	const lastGood = params.store.lastGood?.[providerKey] ?? params.store.lastGood?.[params.provider];
+	if (lastGood && oauthProfiles.includes(lastGood)) return lastGood;
+	const nonLegacy = oauthProfiles.filter((id) => id !== params.legacyProfileId);
+	if (nonLegacy.length === 1) return nonLegacy[0] ?? null;
+	const emailLike = nonLegacy.filter((id) => isEmailLike(getProfileSuffix(id)));
+	if (emailLike.length === 1) return emailLike[0] ?? null;
+	return null;
+}
+function repairOAuthProfileIdMismatch(params) {
+	const legacyProfileId = params.legacyProfileId ?? `${normalizeProviderId(params.provider)}:default`;
+	const legacyCfg = params.cfg.auth?.profiles?.[legacyProfileId];
+	if (!legacyCfg) return {
+		config: params.cfg,
+		changes: [],
+		migrated: false
+	};
+	if (legacyCfg.mode !== "oauth") return {
+		config: params.cfg,
+		changes: [],
+		migrated: false
+	};
+	if (normalizeProviderId(legacyCfg.provider) !== normalizeProviderId(params.provider)) return {
+		config: params.cfg,
+		changes: [],
+		migrated: false
+	};
+	const toProfileId = suggestOAuthProfileIdForLegacyDefault({
+		cfg: params.cfg,
+		store: params.store,
+		provider: params.provider,
+		legacyProfileId
+	});
+	if (!toProfileId || toProfileId === legacyProfileId) return {
+		config: params.cfg,
+		changes: [],
+		migrated: false
+	};
+	const toCred = params.store.profiles[toProfileId];
+	const toEmail = toCred?.type === "oauth" ? toCred.email?.trim() : void 0;
+	const nextProfiles = { ...params.cfg.auth?.profiles };
+	delete nextProfiles[legacyProfileId];
+	nextProfiles[toProfileId] = {
+		...legacyCfg,
+		...toEmail ? { email: toEmail } : {}
+	};
+	const providerKey = normalizeProviderId(params.provider);
+	const nextOrder = (() => {
+		const order = params.cfg.auth?.order;
+		if (!order) return;
+		const resolvedKey = Object.keys(order).find((key) => normalizeProviderId(key) === providerKey);
+		if (!resolvedKey) return order;
+		const existing = order[resolvedKey];
+		if (!Array.isArray(existing)) return order;
+		const replaced = existing.map((id) => id === legacyProfileId ? toProfileId : id).filter((id) => typeof id === "string" && id.trim().length > 0);
+		const deduped = [];
+		for (const entry of replaced) if (!deduped.includes(entry)) deduped.push(entry);
+		return {
+			...order,
+			[resolvedKey]: deduped
+		};
+	})();
+	return {
+		config: {
+			...params.cfg,
+			auth: {
+				...params.cfg.auth,
+				profiles: nextProfiles,
+				...nextOrder ? { order: nextOrder } : {}
+			}
+		},
+		changes: [`Auth: migrate ${legacyProfileId} → ${toProfileId} (OAuth profile id)`],
+		migrated: true,
+		fromProfileId: legacyProfileId,
+		toProfileId
+	};
+}
+
+//#endregion
+//#region src/agents/auth-profiles/doctor.ts
+function formatAuthDoctorHint(params) {
+	const providerKey = normalizeProviderId(params.provider);
+	if (providerKey !== "anthropic") return "";
+	const legacyProfileId = params.profileId ?? "anthropic:default";
+	const suggested = suggestOAuthProfileIdForLegacyDefault({
+		cfg: params.cfg,
+		store: params.store,
+		provider: providerKey,
+		legacyProfileId
+	});
+	if (!suggested || suggested === legacyProfileId) return "";
+	const storeOauthProfiles = listProfilesForProvider(params.store, providerKey).filter((id) => params.store.profiles[id]?.type === "oauth").join(", ");
+	const cfgMode = params.cfg?.auth?.profiles?.[legacyProfileId]?.mode;
+	const cfgProvider = params.cfg?.auth?.profiles?.[legacyProfileId]?.provider;
+	return [
+		"Doctor hint (for GitHub issue):",
+		`- provider: ${providerKey}`,
+		`- config: ${legacyProfileId}${cfgProvider || cfgMode ? ` (provider=${cfgProvider ?? "?"}, mode=${cfgMode ?? "?"})` : ""}`,
+		`- auth store oauth profiles: ${storeOauthProfiles || "(none)"}`,
+		`- suggested profile: ${suggested}`,
+		`Fix: run "${formatCliCommand("synurex doctor --yes")}"`
+	].join("\n");
+}
+
+//#endregion
+//#region src/providers/qwen-portal-oauth.ts
+const QWEN_OAUTH_TOKEN_ENDPOINT = `https://chat.qwen.ai/api/v1/oauth2/token`;
+const QWEN_OAUTH_CLIENT_ID = "f0304373b74a44d2b584a3fb70ca9e56";
+async function refreshQwenPortalCredentials(credentials) {
+	if (!credentials.refresh?.trim()) throw new Error("Qwen OAuth refresh token missing; re-authenticate.");
+	const response = await fetch(QWEN_OAUTH_TOKEN_ENDPOINT, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/x-www-form-urlencoded",
+			Accept: "application/json"
+		},
+		body: new URLSearchParams({
+			grant_type: "refresh_token",
+			refresh_token: credentials.refresh,
+			client_id: QWEN_OAUTH_CLIENT_ID
+		})
+	});
+	if (!response.ok) {
+		const text = await response.text();
+		if (response.status === 400) throw new Error(`Qwen OAuth refresh token expired or invalid. Re-authenticate with \`${formatCliCommand("synurex models auth login --provider qwen-portal")}\`.`);
+		throw new Error(`Qwen OAuth refresh failed: ${text || response.statusText}`);
+	}
+	const payload = await response.json();
+	if (!payload.access_token || !payload.expires_in) throw new Error("Qwen OAuth refresh response missing access token.");
+	return {
+		...credentials,
+		access: payload.access_token,
+		refresh: payload.refresh_token || credentials.refresh,
+		expires: Date.now() + payload.expires_in * 1e3
+	};
+}
+
+//#endregion
+//#region src/agents/chutes-oauth.ts
+const CHUTES_OAUTH_ISSUER = "https://api.chutes.ai";
+const CHUTES_AUTHORIZE_ENDPOINT = `${CHUTES_OAUTH_ISSUER}/idp/authorize`;
+const CHUTES_TOKEN_ENDPOINT = `${CHUTES_OAUTH_ISSUER}/idp/token`;
+const CHUTES_USERINFO_ENDPOINT = `${CHUTES_OAUTH_ISSUER}/idp/userinfo`;
+const DEFAULT_EXPIRES_BUFFER_MS = 300 * 1e3;
+function generateChutesPkce() {
+	const verifier = randomBytes(32).toString("hex");
+	return {
+		verifier,
+		challenge: createHash("sha256").update(verifier).digest("base64url")
+	};
+}
+function parseOAuthCallbackInput(input, expectedState) {
+	const trimmed = input.trim();
+	if (!trimmed) return { error: "No input provided" };
+	try {
+		const url = new URL(trimmed);
+		const code = url.searchParams.get("code");
+		const state = url.searchParams.get("state");
+		if (!code) return { error: "Missing 'code' parameter in URL" };
+		if (!state) return { error: "Missing 'state' parameter. Paste the full URL." };
+		return {
+			code,
+			state
+		};
+	} catch {
+		if (!expectedState) return { error: "Paste the full redirect URL, not just the code." };
+		return {
+			code: trimmed,
+			state: expectedState
+		};
+	}
+}
+function coerceExpiresAt(expiresInSeconds, now) {
+	const value = now + Math.max(0, Math.floor(expiresInSeconds)) * 1e3 - DEFAULT_EXPIRES_BUFFER_MS;
+	return Math.max(value, now + 3e4);
+}
+async function fetchChutesUserInfo(params) {
+	const response = await (params.fetchFn ?? fetch)(CHUTES_USERINFO_ENDPOINT, { headers: { Authorization: `Bearer ${params.accessToken}` } });
+	if (!response.ok) return null;
+	const data = await response.json();
+	if (!data || typeof data !== "object") return null;
+	return data;
+}
+async function exchangeChutesCodeForTokens(params) {
+	const fetchFn = params.fetchFn ?? fetch;
+	const now = params.now ?? Date.now();
+	const body = new URLSearchParams({
+		grant_type: "authorization_code",
+		client_id: params.app.clientId,
+		code: params.code,
+		redirect_uri: params.app.redirectUri,
+		code_verifier: params.codeVerifier
+	});
+	if (params.app.clientSecret) body.set("client_secret", params.app.clientSecret);
+	const response = await fetchFn(CHUTES_TOKEN_ENDPOINT, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body
+	});
+	if (!response.ok) {
+		const text = await response.text();
+		throw new Error(`Chutes token exchange failed: ${text}`);
+	}
+	const data = await response.json();
+	const access = data.access_token?.trim();
+	const refresh = data.refresh_token?.trim();
+	const expiresIn = data.expires_in ?? 0;
+	if (!access) throw new Error("Chutes token exchange returned no access_token");
+	if (!refresh) throw new Error("Chutes token exchange returned no refresh_token");
+	const info = await fetchChutesUserInfo({
+		accessToken: access,
+		fetchFn
+	});
+	return {
+		access,
+		refresh,
+		expires: coerceExpiresAt(expiresIn, now),
+		email: info?.username,
+		accountId: info?.sub,
+		clientId: params.app.clientId
+	};
+}
+async function refreshChutesTokens(params) {
+	const fetchFn = params.fetchFn ?? fetch;
+	const now = params.now ?? Date.now();
+	const refreshToken = params.credential.refresh?.trim();
+	if (!refreshToken) throw new Error("Chutes OAuth credential is missing refresh token");
+	const clientId = params.credential.clientId?.trim() ?? process.env.CHUTES_CLIENT_ID?.trim();
+	if (!clientId) throw new Error("Missing CHUTES_CLIENT_ID for Chutes OAuth refresh (set env var or re-auth).");
+	const clientSecret = process.env.CHUTES_CLIENT_SECRET?.trim() || void 0;
+	const body = new URLSearchParams({
+		grant_type: "refresh_token",
+		client_id: clientId,
+		refresh_token: refreshToken
+	});
+	if (clientSecret) body.set("client_secret", clientSecret);
+	const response = await fetchFn(CHUTES_TOKEN_ENDPOINT, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body
+	});
+	if (!response.ok) {
+		const text = await response.text();
+		throw new Error(`Chutes token refresh failed: ${text}`);
+	}
+	const data = await response.json();
+	const access = data.access_token?.trim();
+	const newRefresh = data.refresh_token?.trim();
+	const expiresIn = data.expires_in ?? 0;
+	if (!access) throw new Error("Chutes token refresh returned no access_token");
+	return {
+		...params.credential,
+		access,
+		refresh: newRefresh || refreshToken,
+		expires: coerceExpiresAt(expiresIn, now),
+		clientId
+	};
+}
+
+//#endregion
+//#region src/agents/auth-profiles/oauth.ts
+const OAUTH_PROVIDER_IDS = new Set(getOAuthProviders().map((provider) => provider.id));
+const isOAuthProvider = (provider) => OAUTH_PROVIDER_IDS.has(provider);
+const resolveOAuthProvider = (provider) => isOAuthProvider(provider) ? provider : null;
+function buildOAuthApiKey(provider, credentials) {
+	return provider === "google-gemini-cli" || provider === "google-antigravity" ? JSON.stringify({
+		token: credentials.access,
+		projectId: credentials.projectId
+	}) : credentials.access;
+}
+async function refreshOAuthTokenWithLock(params) {
+	const authPath = resolveAuthStorePath(params.agentDir);
+	ensureAuthStoreFile(authPath);
+	let release;
+	try {
+		release = await lockfile.lock(authPath, { ...AUTH_STORE_LOCK_OPTIONS });
+		const store = ensureAuthProfileStore(params.agentDir);
+		const cred = store.profiles[params.profileId];
+		if (!cred || cred.type !== "oauth") return null;
+		if (Date.now() < cred.expires) return {
+			apiKey: buildOAuthApiKey(cred.provider, cred),
+			newCredentials: cred
+		};
+		const oauthCreds = { [cred.provider]: cred };
+		const result = String(cred.provider) === "chutes" ? await (async () => {
+			const newCredentials = await refreshChutesTokens({ credential: cred });
+			return {
+				apiKey: newCredentials.access,
+				newCredentials
+			};
+		})() : String(cred.provider) === "qwen-portal" ? await (async () => {
+			const newCredentials = await refreshQwenPortalCredentials(cred);
+			return {
+				apiKey: newCredentials.access,
+				newCredentials
+			};
+		})() : await (async () => {
+			const oauthProvider = resolveOAuthProvider(cred.provider);
+			if (!oauthProvider) return null;
+			return await getOAuthApiKey(oauthProvider, oauthCreds);
+		})();
+		if (!result) return null;
+		store.profiles[params.profileId] = {
+			...cred,
+			...result.newCredentials,
+			type: "oauth"
+		};
+		saveAuthProfileStore(store, params.agentDir);
+		return result;
+	} finally {
+		if (release) try {
+			await release();
+		} catch {}
+	}
+}
+async function tryResolveOAuthProfile(params) {
+	const { cfg, store, profileId } = params;
+	const cred = store.profiles[profileId];
+	if (!cred || cred.type !== "oauth") return null;
+	const profileConfig = cfg?.auth?.profiles?.[profileId];
+	if (profileConfig && profileConfig.provider !== cred.provider) return null;
+	if (profileConfig && profileConfig.mode !== cred.type) return null;
+	if (Date.now() < cred.expires) return {
+		apiKey: buildOAuthApiKey(cred.provider, cred),
+		provider: cred.provider,
+		email: cred.email
+	};
+	const refreshed = await refreshOAuthTokenWithLock({
+		profileId,
+		agentDir: params.agentDir
+	});
+	if (!refreshed) return null;
+	return {
+		apiKey: refreshed.apiKey,
+		provider: cred.provider,
+		email: cred.email
+	};
+}
+async function resolveApiKeyForProfile(params) {
+	const { cfg, store, profileId } = params;
+	const cred = store.profiles[profileId];
+	if (!cred) return null;
+	const profileConfig = cfg?.auth?.profiles?.[profileId];
+	if (profileConfig && profileConfig.provider !== cred.provider) return null;
+	if (profileConfig && profileConfig.mode !== cred.type) {
+		if (!(profileConfig.mode === "oauth" && cred.type === "token")) return null;
+	}
+	if (cred.type === "api_key") {
+		const key = cred.key?.trim();
+		if (!key) return null;
+		return {
+			apiKey: key,
+			provider: cred.provider,
+			email: cred.email
+		};
+	}
+	if (cred.type === "token") {
+		const token = cred.token?.trim();
+		if (!token) return null;
+		if (typeof cred.expires === "number" && Number.isFinite(cred.expires) && cred.expires > 0 && Date.now() >= cred.expires) return null;
+		return {
+			apiKey: token,
+			provider: cred.provider,
+			email: cred.email
+		};
+	}
+	if (Date.now() < cred.expires) return {
+		apiKey: buildOAuthApiKey(cred.provider, cred),
+		provider: cred.provider,
+		email: cred.email
+	};
+	try {
+		const result = await refreshOAuthTokenWithLock({
+			profileId,
+			agentDir: params.agentDir
+		});
+		if (!result) return null;
+		return {
+			apiKey: result.apiKey,
+			provider: cred.provider,
+			email: cred.email
+		};
+	} catch (error) {
+		const refreshedStore = ensureAuthProfileStore(params.agentDir);
+		const refreshed = refreshedStore.profiles[profileId];
+		if (refreshed?.type === "oauth" && Date.now() < refreshed.expires) return {
+			apiKey: buildOAuthApiKey(refreshed.provider, refreshed),
+			provider: refreshed.provider,
+			email: refreshed.email ?? cred.email
+		};
+		const fallbackProfileId = suggestOAuthProfileIdForLegacyDefault({
+			cfg,
+			store: refreshedStore,
+			provider: cred.provider,
+			legacyProfileId: profileId
+		});
+		if (fallbackProfileId && fallbackProfileId !== profileId) try {
+			const fallbackResolved = await tryResolveOAuthProfile({
+				cfg,
+				store: refreshedStore,
+				profileId: fallbackProfileId,
+				agentDir: params.agentDir
+			});
+			if (fallbackResolved) return fallbackResolved;
+		} catch {}
+		if (params.agentDir) try {
+			const mainCred = ensureAuthProfileStore(void 0).profiles[profileId];
+			if (mainCred?.type === "oauth" && Date.now() < mainCred.expires) {
+				refreshedStore.profiles[profileId] = { ...mainCred };
+				saveAuthProfileStore(refreshedStore, params.agentDir);
+				log$1.info("inherited fresh OAuth credentials from main agent", {
+					profileId,
+					agentDir: params.agentDir,
+					expires: new Date(mainCred.expires).toISOString()
+				});
+				return {
+					apiKey: buildOAuthApiKey(mainCred.provider, mainCred),
+					provider: mainCred.provider,
+					email: mainCred.email
+				};
+			}
+		} catch {}
+		const message = error instanceof Error ? error.message : String(error);
+		const hint = formatAuthDoctorHint({
+			cfg,
+			store: refreshedStore,
+			provider: cred.provider,
+			profileId
+		});
+		throw new Error(`OAuth token refresh failed for ${cred.provider}: ${message}. Please try again or re-authenticate.` + (hint ? `\n\n${hint}` : ""), { cause: error });
+	}
+}
+
+//#endregion
+//#region src/agents/auth-profiles/usage.ts
+function resolveProfileUnusableUntil$1(stats) {
+	const values = [stats.cooldownUntil, stats.disabledUntil].filter((value) => typeof value === "number").filter((value) => Number.isFinite(value) && value > 0);
+	if (values.length === 0) return null;
+	return Math.max(...values);
+}
+/**
+* Check if a profile is currently in cooldown (due to rate limiting or errors).
+*/
+function isProfileInCooldown(store, profileId) {
+	const stats = store.usageStats?.[profileId];
+	if (!stats) return false;
+	const unusableUntil = resolveProfileUnusableUntil$1(stats);
+	return unusableUntil ? Date.now() < unusableUntil : false;
+}
+/**
+* Mark a profile as successfully used. Resets error count and updates lastUsed.
+* Uses store lock to avoid overwriting concurrent usage updates.
+*/
+async function markAuthProfileUsed(params) {
+	const { store, profileId, agentDir } = params;
+	const updated = await updateAuthProfileStoreWithLock({
+		agentDir,
+		updater: (freshStore) => {
+			if (!freshStore.profiles[profileId]) return false;
+			freshStore.usageStats = freshStore.usageStats ?? {};
+			freshStore.usageStats[profileId] = {
+				...freshStore.usageStats[profileId],
+				lastUsed: Date.now(),
+				errorCount: 0,
+				cooldownUntil: void 0,
+				disabledUntil: void 0,
+				disabledReason: void 0,
+				failureCounts: void 0
+			};
+			return true;
+		}
+	});
+	if (updated) {
+		store.usageStats = updated.usageStats;
+		return;
+	}
+	if (!store.profiles[profileId]) return;
+	store.usageStats = store.usageStats ?? {};
+	store.usageStats[profileId] = {
+		...store.usageStats[profileId],
+		lastUsed: Date.now(),
+		errorCount: 0,
+		cooldownUntil: void 0,
+		disabledUntil: void 0,
+		disabledReason: void 0,
+		failureCounts: void 0
+	};
+	saveAuthProfileStore(store, agentDir);
+}
+function calculateAuthProfileCooldownMs(errorCount) {
+	const normalized = Math.max(1, errorCount);
+	return Math.min(3600 * 1e3, 60 * 1e3 * 5 ** Math.min(normalized - 1, 3));
+}
+function resolveAuthCooldownConfig(params) {
+	const defaults = {
+		billingBackoffHours: 5,
+		billingMaxHours: 24,
+		failureWindowHours: 24
+	};
+	const resolveHours = (value, fallback) => typeof value === "number" && Number.isFinite(value) && value > 0 ? value : fallback;
+	const cooldowns = params.cfg?.auth?.cooldowns;
+	const billingBackoffHours = resolveHours((() => {
+		const map = cooldowns?.billingBackoffHoursByProvider;
+		if (!map) return;
+		for (const [key, value] of Object.entries(map)) if (normalizeProviderId(key) === params.providerId) return value;
+	})() ?? cooldowns?.billingBackoffHours, defaults.billingBackoffHours);
+	const billingMaxHours = resolveHours(cooldowns?.billingMaxHours, defaults.billingMaxHours);
+	const failureWindowHours = resolveHours(cooldowns?.failureWindowHours, defaults.failureWindowHours);
+	return {
+		billingBackoffMs: billingBackoffHours * 60 * 60 * 1e3,
+		billingMaxMs: billingMaxHours * 60 * 60 * 1e3,
+		failureWindowMs: failureWindowHours * 60 * 60 * 1e3
+	};
+}
+function calculateAuthProfileBillingDisableMsWithConfig(params) {
+	const normalized = Math.max(1, params.errorCount);
+	const baseMs = Math.max(6e4, params.baseMs);
+	const maxMs = Math.max(baseMs, params.maxMs);
+	const raw = baseMs * 2 ** Math.min(normalized - 1, 10);
+	return Math.min(maxMs, raw);
+}
+function resolveProfileUnusableUntilForDisplay(store, profileId) {
+	const stats = store.usageStats?.[profileId];
+	if (!stats) return null;
+	return resolveProfileUnusableUntil$1(stats);
+}
+function computeNextProfileUsageStats(params) {
+	const windowMs = params.cfgResolved.failureWindowMs;
+	const windowExpired = typeof params.existing.lastFailureAt === "number" && params.existing.lastFailureAt > 0 && params.now - params.existing.lastFailureAt > windowMs;
+	const nextErrorCount = (windowExpired ? 0 : params.existing.errorCount ?? 0) + 1;
+	const failureCounts = windowExpired ? {} : { ...params.existing.failureCounts };
+	failureCounts[params.reason] = (failureCounts[params.reason] ?? 0) + 1;
+	const updatedStats = {
+		...params.existing,
+		errorCount: nextErrorCount,
+		failureCounts,
+		lastFailureAt: params.now
+	};
+	if (params.reason === "billing") {
+		const backoffMs = calculateAuthProfileBillingDisableMsWithConfig({
+			errorCount: failureCounts.billing ?? 1,
+			baseMs: params.cfgResolved.billingBackoffMs,
+			maxMs: params.cfgResolved.billingMaxMs
+		});
+		updatedStats.disabledUntil = params.now + backoffMs;
+		updatedStats.disabledReason = "billing";
+	} else {
+		const backoffMs = calculateAuthProfileCooldownMs(nextErrorCount);
+		updatedStats.cooldownUntil = params.now + backoffMs;
+	}
+	return updatedStats;
+}
+/**
+* Mark a profile as failed for a specific reason. Billing failures are treated
+* as "disabled" (longer backoff) vs the regular cooldown window.
+*/
+async function markAuthProfileFailure(params) {
+	const { store, profileId, reason, agentDir, cfg } = params;
+	const updated = await updateAuthProfileStoreWithLock({
+		agentDir,
+		updater: (freshStore) => {
+			const profile = freshStore.profiles[profileId];
+			if (!profile) return false;
+			freshStore.usageStats = freshStore.usageStats ?? {};
+			const existing = freshStore.usageStats[profileId] ?? {};
+			const now = Date.now();
+			const cfgResolved = resolveAuthCooldownConfig({
+				cfg,
+				providerId: normalizeProviderId(profile.provider)
+			});
+			freshStore.usageStats[profileId] = computeNextProfileUsageStats({
+				existing,
+				now,
+				reason,
+				cfgResolved
+			});
+			return true;
+		}
+	});
+	if (updated) {
+		store.usageStats = updated.usageStats;
+		return;
+	}
+	if (!store.profiles[profileId]) return;
+	store.usageStats = store.usageStats ?? {};
+	const existing = store.usageStats[profileId] ?? {};
+	const now = Date.now();
+	const cfgResolved = resolveAuthCooldownConfig({
+		cfg,
+		providerId: normalizeProviderId(store.profiles[profileId]?.provider ?? "")
+	});
+	store.usageStats[profileId] = computeNextProfileUsageStats({
+		existing,
+		now,
+		reason,
+		cfgResolved
+	});
+	saveAuthProfileStore(store, agentDir);
+}
+
+//#endregion
+//#region src/agents/auth-profiles/order.ts
+function resolveProfileUnusableUntil(stats) {
+	const values = [stats.cooldownUntil, stats.disabledUntil].filter((value) => typeof value === "number").filter((value) => Number.isFinite(value) && value > 0);
+	if (values.length === 0) return null;
+	return Math.max(...values);
+}
+function resolveAuthProfileOrder(params) {
+	const { cfg, store, provider, preferredProfile } = params;
+	const providerKey = normalizeProviderId(provider);
+	const now = Date.now();
+	const storedOrder = (() => {
+		const order = store.order;
+		if (!order) return;
+		for (const [key, value] of Object.entries(order)) if (normalizeProviderId(key) === providerKey) return value;
+	})();
+	const configuredOrder = (() => {
+		const order = cfg?.auth?.order;
+		if (!order) return;
+		for (const [key, value] of Object.entries(order)) if (normalizeProviderId(key) === providerKey) return value;
+	})();
+	const explicitOrder = storedOrder ?? configuredOrder;
+	const explicitProfiles = cfg?.auth?.profiles ? Object.entries(cfg.auth.profiles).filter(([, profile]) => normalizeProviderId(profile.provider) === providerKey).map(([profileId]) => profileId) : [];
+	const baseOrder = explicitOrder ?? (explicitProfiles.length > 0 ? explicitProfiles : listProfilesForProvider(store, providerKey));
+	if (baseOrder.length === 0) return [];
+	const filtered = baseOrder.filter((profileId) => {
+		const cred = store.profiles[profileId];
+		if (!cred) return false;
+		if (normalizeProviderId(cred.provider) !== providerKey) return false;
+		const profileConfig = cfg?.auth?.profiles?.[profileId];
+		if (profileConfig) {
+			if (normalizeProviderId(profileConfig.provider) !== providerKey) return false;
+			if (profileConfig.mode !== cred.type) {
+				if (!(profileConfig.mode === "oauth" && cred.type === "token")) return false;
+			}
+		}
+		if (cred.type === "api_key") return Boolean(cred.key?.trim());
+		if (cred.type === "token") {
+			if (!cred.token?.trim()) return false;
+			if (typeof cred.expires === "number" && Number.isFinite(cred.expires) && cred.expires > 0 && now >= cred.expires) return false;
+			return true;
+		}
+		if (cred.type === "oauth") return Boolean(cred.access?.trim() || cred.refresh?.trim());
+		return false;
+	});
+	const deduped = [];
+	for (const entry of filtered) if (!deduped.includes(entry)) deduped.push(entry);
+	if (explicitOrder && explicitOrder.length > 0) {
+		const available = [];
+		const inCooldown = [];
+		for (const profileId of deduped) {
+			const cooldownUntil = resolveProfileUnusableUntil(store.usageStats?.[profileId] ?? {}) ?? 0;
+			if (typeof cooldownUntil === "number" && Number.isFinite(cooldownUntil) && cooldownUntil > 0 && now < cooldownUntil) inCooldown.push({
+				profileId,
+				cooldownUntil
+			});
+			else available.push(profileId);
+		}
+		const cooldownSorted = inCooldown.toSorted((a, b) => a.cooldownUntil - b.cooldownUntil).map((entry) => entry.profileId);
+		const ordered = [...available, ...cooldownSorted];
+		if (preferredProfile && ordered.includes(preferredProfile)) return [preferredProfile, ...ordered.filter((e) => e !== preferredProfile)];
+		return ordered;
+	}
+	const sorted = orderProfilesByMode(deduped, store);
+	if (preferredProfile && sorted.includes(preferredProfile)) return [preferredProfile, ...sorted.filter((e) => e !== preferredProfile)];
+	return sorted;
+}
+function orderProfilesByMode(order, store) {
+	const now = Date.now();
+	const available = [];
+	const inCooldown = [];
+	for (const profileId of order) if (isProfileInCooldown(store, profileId)) inCooldown.push(profileId);
+	else available.push(profileId);
+	const sorted = available.map((profileId) => {
+		const type = store.profiles[profileId]?.type;
+		return {
+			profileId,
+			typeScore: type === "oauth" ? 0 : type === "token" ? 1 : type === "api_key" ? 2 : 3,
+			lastUsed: store.usageStats?.[profileId]?.lastUsed ?? 0
+		};
+	}).toSorted((a, b) => {
+		if (a.typeScore !== b.typeScore) return a.typeScore - b.typeScore;
+		return a.lastUsed - b.lastUsed;
+	}).map((entry) => entry.profileId);
+	const cooldownSorted = inCooldown.map((profileId) => ({
+		profileId,
+		cooldownUntil: resolveProfileUnusableUntil(store.usageStats?.[profileId] ?? {}) ?? now
+	})).toSorted((a, b) => a.cooldownUntil - b.cooldownUntil).map((entry) => entry.profileId);
+	return [...sorted, ...cooldownSorted];
+}
+
+//#endregion
+//#region src/agents/auth-profiles.ts
+var auth_profiles_exports = /* @__PURE__ */ __exportAll({ ensureAuthProfileStore: () => ensureAuthProfileStore });
+
+//#endregion
+//#region src/agents/bedrock-discovery.ts
+const DEFAULT_REFRESH_INTERVAL_SECONDS = 3600;
+const DEFAULT_CONTEXT_WINDOW = 32e3;
+const DEFAULT_MAX_TOKENS = 4096;
+const DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+const discoveryCache = /* @__PURE__ */ new Map();
+let hasLoggedBedrockError = false;
+function normalizeProviderFilter(filter) {
+	if (!filter || filter.length === 0) return [];
+	const normalized = new Set(filter.map((entry) => entry.trim().toLowerCase()).filter((entry) => entry.length > 0));
+	return Array.from(normalized).toSorted();
+}
+function buildCacheKey(params) {
+	return JSON.stringify(params);
+}
+function includesTextModalities(modalities) {
+	return (modalities ?? []).some((entry) => entry.toLowerCase() === "text");
+}
+function isActive(summary) {
+	const status = summary.modelLifecycle?.status;
+	return typeof status === "string" ? status.toUpperCase() === "ACTIVE" : false;
+}
+function mapInputModalities(summary) {
+	const inputs = summary.inputModalities ?? [];
+	const mapped = /* @__PURE__ */ new Set();
+	for (const modality of inputs) {
+		const lower = modality.toLowerCase();
+		if (lower === "text") mapped.add("text");
+		if (lower === "image") mapped.add("image");
+	}
+	if (mapped.size === 0) mapped.add("text");
+	return Array.from(mapped);
+}
+function inferReasoningSupport(summary) {
+	const haystack = `${summary.modelId ?? ""} ${summary.modelName ?? ""}`.toLowerCase();
+	return haystack.includes("reasoning") || haystack.includes("thinking");
+}
+function resolveDefaultContextWindow(config) {
+	const value = Math.floor(config?.defaultContextWindow ?? DEFAULT_CONTEXT_WINDOW);
+	return value > 0 ? value : DEFAULT_CONTEXT_WINDOW;
+}
+function resolveDefaultMaxTokens(config) {
+	const value = Math.floor(config?.defaultMaxTokens ?? DEFAULT_MAX_TOKENS);
+	return value > 0 ? value : DEFAULT_MAX_TOKENS;
+}
+function matchesProviderFilter(summary, filter) {
+	if (filter.length === 0) return true;
+	const normalized = (summary.providerName ?? (typeof summary.modelId === "string" ? summary.modelId.split(".")[0] : void 0))?.trim().toLowerCase();
+	if (!normalized) return false;
+	return filter.includes(normalized);
+}
+function shouldIncludeSummary(summary, filter) {
+	if (!summary.modelId?.trim()) return false;
+	if (!matchesProviderFilter(summary, filter)) return false;
+	if (summary.responseStreamingSupported !== true) return false;
+	if (!includesTextModalities(summary.outputModalities)) return false;
+	if (!isActive(summary)) return false;
+	return true;
+}
+function toModelDefinition(summary, defaults) {
+	const id = summary.modelId?.trim() ?? "";
+	return {
+		id,
+		name: summary.modelName?.trim() || id,
+		reasoning: inferReasoningSupport(summary),
+		input: mapInputModalities(summary),
+		cost: DEFAULT_COST,
+		contextWindow: defaults.contextWindow,
+		maxTokens: defaults.maxTokens
+	};
+}
+async function discoverBedrockModels(params) {
+	const refreshIntervalSeconds = Math.max(0, Math.floor(params.config?.refreshInterval ?? DEFAULT_REFRESH_INTERVAL_SECONDS));
+	const providerFilter = normalizeProviderFilter(params.config?.providerFilter);
+	const defaultContextWindow = resolveDefaultContextWindow(params.config);
+	const defaultMaxTokens = resolveDefaultMaxTokens(params.config);
+	const cacheKey = buildCacheKey({
+		region: params.region,
+		providerFilter,
+		refreshIntervalSeconds,
+		defaultContextWindow,
+		defaultMaxTokens
+	});
+	const now = params.now?.() ?? Date.now();
+	if (refreshIntervalSeconds > 0) {
+		const cached = discoveryCache.get(cacheKey);
+		if (cached?.value && cached.expiresAt > now) return cached.value;
+		if (cached?.inFlight) return cached.inFlight;
+	}
+	const client = (params.clientFactory ?? ((region) => new BedrockClient({ region })))(params.region);
+	const discoveryPromise = (async () => {
+		const response = await client.send(new ListFoundationModelsCommand({}));
+		const discovered = [];
+		for (const summary of response.modelSummaries ?? []) {
+			if (!shouldIncludeSummary(summary, providerFilter)) continue;
+			discovered.push(toModelDefinition(summary, {
+				contextWindow: defaultContextWindow,
+				maxTokens: defaultMaxTokens
+			}));
+		}
+		return discovered.toSorted((a, b) => a.name.localeCompare(b.name));
+	})();
+	if (refreshIntervalSeconds > 0) discoveryCache.set(cacheKey, {
+		expiresAt: now + refreshIntervalSeconds * 1e3,
+		inFlight: discoveryPromise
+	});
+	try {
+		const value = await discoveryPromise;
+		if (refreshIntervalSeconds > 0) discoveryCache.set(cacheKey, {
+			expiresAt: now + refreshIntervalSeconds * 1e3,
+			value
+		});
+		return value;
+	} catch (error) {
+		if (refreshIntervalSeconds > 0) discoveryCache.delete(cacheKey);
+		if (!hasLoggedBedrockError) {
+			hasLoggedBedrockError = true;
+			console.warn(`[bedrock-discovery] Failed to list models: ${String(error)}`);
+		}
+		return [];
+	}
+}
+
+//#endregion
+//#region src/agents/cloudflare-ai-gateway.ts
+const CLOUDFLARE_AI_GATEWAY_PROVIDER_ID = "cloudflare-ai-gateway";
+const CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_ID = "claude-sonnet-4-5";
+const CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF = `${CLOUDFLARE_AI_GATEWAY_PROVIDER_ID}/${CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_ID}`;
+const CLOUDFLARE_AI_GATEWAY_DEFAULT_CONTEXT_WINDOW = 2e5;
+const CLOUDFLARE_AI_GATEWAY_DEFAULT_MAX_TOKENS = 64e3;
+const CLOUDFLARE_AI_GATEWAY_DEFAULT_COST = {
+	input: 3,
+	output: 15,
+	cacheRead: .3,
+	cacheWrite: 3.75
+};
+function buildCloudflareAiGatewayModelDefinition(params) {
+	return {
+		id: params?.id?.trim() || CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_ID,
+		name: params?.name ?? "Claude Sonnet 4.5",
+		reasoning: params?.reasoning ?? true,
+		input: params?.input ?? ["text", "image"],
+		cost: CLOUDFLARE_AI_GATEWAY_DEFAULT_COST,
+		contextWindow: CLOUDFLARE_AI_GATEWAY_DEFAULT_CONTEXT_WINDOW,
+		maxTokens: CLOUDFLARE_AI_GATEWAY_DEFAULT_MAX_TOKENS
+	};
+}
+function resolveCloudflareAiGatewayBaseUrl(params) {
+	const accountId = params.accountId.trim();
+	const gatewayId = params.gatewayId.trim();
+	if (!accountId || !gatewayId) return "";
+	return `https://gateway.ai.cloudflare.com/v1/${accountId}/${gatewayId}/anthropic`;
+}
+
+//#endregion
+//#region src/infra/shell-env.ts
+const DEFAULT_TIMEOUT_MS = 15e3;
+const DEFAULT_MAX_BUFFER_BYTES = 2 * 1024 * 1024;
+let lastAppliedKeys = [];
+let cachedShellPath;
+function resolveShell(env) {
+	const shell = env.SHELL?.trim();
+	return shell && shell.length > 0 ? shell : "/bin/sh";
+}
+function parseShellEnv(stdout) {
+	const shellEnv = /* @__PURE__ */ new Map();
+	const parts = stdout.toString("utf8").split("\0");
+	for (const part of parts) {
+		if (!part) continue;
+		const eq = part.indexOf("=");
+		if (eq <= 0) continue;
+		const key = part.slice(0, eq);
+		const value = part.slice(eq + 1);
+		if (!key) continue;
+		shellEnv.set(key, value);
+	}
+	return shellEnv;
+}
+function loadShellEnvFallback(opts) {
+	const logger = opts.logger ?? console;
+	const exec = opts.exec ?? execFileSync;
+	if (!opts.enabled) {
+		lastAppliedKeys = [];
+		return {
+			ok: true,
+			applied: [],
+			skippedReason: "disabled"
+		};
+	}
+	if (opts.expectedKeys.some((key) => Boolean(opts.env[key]?.trim()))) {
+		lastAppliedKeys = [];
+		return {
+			ok: true,
+			applied: [],
+			skippedReason: "already-has-keys"
+		};
+	}
+	const timeoutMs = typeof opts.timeoutMs === "number" && Number.isFinite(opts.timeoutMs) ? Math.max(0, opts.timeoutMs) : DEFAULT_TIMEOUT_MS;
+	const shell = resolveShell(opts.env);
+	let stdout;
+	try {
+		stdout = exec(shell, [
+			"-l",
+			"-c",
+			"env -0"
+		], {
+			encoding: "buffer",
+			timeout: timeoutMs,
+			maxBuffer: DEFAULT_MAX_BUFFER_BYTES,
+			env: opts.env,
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		logger.warn(`[Synurex] shell env fallback failed: ${msg}`);
+		lastAppliedKeys = [];
+		return {
+			ok: false,
+			error: msg,
+			applied: []
+		};
+	}
+	const shellEnv = parseShellEnv(stdout);
+	const applied = [];
+	for (const key of opts.expectedKeys) {
+		if (opts.env[key]?.trim()) continue;
+		const value = shellEnv.get(key);
+		if (!value?.trim()) continue;
+		opts.env[key] = value;
+		applied.push(key);
+	}
+	lastAppliedKeys = applied;
+	return {
+		ok: true,
+		applied
+	};
+}
+function shouldEnableShellEnvFallback(env) {
+	return isTruthyEnvValue(env.SYNUREX_LOAD_SHELL_ENV);
+}
+function shouldDeferShellEnvFallback(env) {
+	return isTruthyEnvValue(env.SYNUREX_DEFER_SHELL_ENV_FALLBACK);
+}
+function resolveShellEnvFallbackTimeoutMs(env) {
+	const raw = env.SYNUREX_SHELL_ENV_TIMEOUT_MS?.trim();
+	if (!raw) return DEFAULT_TIMEOUT_MS;
+	const parsed = Number.parseInt(raw, 10);
+	if (!Number.isFinite(parsed)) return DEFAULT_TIMEOUT_MS;
+	return Math.max(0, parsed);
+}
+function getShellPathFromLoginShell(opts) {
+	if (cachedShellPath !== void 0) return cachedShellPath;
+	if (process.platform === "win32") {
+		cachedShellPath = null;
+		return cachedShellPath;
+	}
+	const exec = opts.exec ?? execFileSync;
+	const timeoutMs = typeof opts.timeoutMs === "number" && Number.isFinite(opts.timeoutMs) ? Math.max(0, opts.timeoutMs) : DEFAULT_TIMEOUT_MS;
+	const shell = resolveShell(opts.env);
+	let stdout;
+	try {
+		stdout = exec(shell, [
+			"-l",
+			"-c",
+			"env -0"
+		], {
+			encoding: "buffer",
+			timeout: timeoutMs,
+			maxBuffer: DEFAULT_MAX_BUFFER_BYTES,
+			env: opts.env,
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			]
+		});
+	} catch {
+		cachedShellPath = null;
+		return cachedShellPath;
+	}
+	const shellPath = parseShellEnv(stdout).get("PATH")?.trim();
+	cachedShellPath = shellPath && shellPath.length > 0 ? shellPath : null;
+	return cachedShellPath;
+}
+function getShellEnvAppliedKeys() {
+	return [...lastAppliedKeys];
+}
+
+//#endregion
+//#region src/agents/model-auth.ts
+const AWS_BEARER_ENV = "AWS_BEARER_TOKEN_BEDROCK";
+const AWS_ACCESS_KEY_ENV = "AWS_ACCESS_KEY_ID";
+const AWS_SECRET_KEY_ENV = "AWS_SECRET_ACCESS_KEY";
+const AWS_PROFILE_ENV = "AWS_PROFILE";
+function resolveProviderConfig(cfg, provider) {
+	const providers = cfg?.models?.providers ?? {};
+	const direct = providers[provider];
+	if (direct) return direct;
+	const normalized = normalizeProviderId(provider);
+	if (normalized === provider) return Object.entries(providers).find(([key]) => normalizeProviderId(key) === normalized)?.[1];
+	return providers[normalized] ?? Object.entries(providers).find(([key]) => normalizeProviderId(key) === normalized)?.[1];
+}
+function getCustomProviderApiKey(cfg, provider) {
+	return resolveProviderConfig(cfg, provider)?.apiKey?.trim() || void 0;
+}
+function resolveProviderAuthOverride(cfg, provider) {
+	const auth = resolveProviderConfig(cfg, provider)?.auth;
+	if (auth === "api-key" || auth === "aws-sdk" || auth === "oauth" || auth === "token") return auth;
+}
+function resolveEnvSourceLabel(params) {
+	return `${params.envVars.some((envVar) => params.applied.has(envVar)) ? "shell env: " : "env: "}${params.label}`;
+}
+function resolveAwsSdkEnvVarName(env = process.env) {
+	if (env[AWS_BEARER_ENV]?.trim()) return AWS_BEARER_ENV;
+	if (env[AWS_ACCESS_KEY_ENV]?.trim() && env[AWS_SECRET_KEY_ENV]?.trim()) return AWS_ACCESS_KEY_ENV;
+	if (env[AWS_PROFILE_ENV]?.trim()) return AWS_PROFILE_ENV;
+}
+function resolveAwsSdkAuthInfo() {
+	const applied = new Set(getShellEnvAppliedKeys());
+	if (process.env[AWS_BEARER_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_BEARER_ENV],
+			label: AWS_BEARER_ENV
+		})
+	};
+	if (process.env[AWS_ACCESS_KEY_ENV]?.trim() && process.env[AWS_SECRET_KEY_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_ACCESS_KEY_ENV, AWS_SECRET_KEY_ENV],
+			label: `${AWS_ACCESS_KEY_ENV} + ${AWS_SECRET_KEY_ENV}`
+		})
+	};
+	if (process.env[AWS_PROFILE_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_PROFILE_ENV],
+			label: AWS_PROFILE_ENV
+		})
+	};
+	return {
+		mode: "aws-sdk",
+		source: "aws-sdk default chain"
+	};
+}
+async function resolveApiKeyForProvider(params) {
+	const { provider, cfg, profileId, preferredProfile } = params;
+	const store = params.store ?? ensureAuthProfileStore(params.agentDir);
+	if (profileId) {
+		const resolved = await resolveApiKeyForProfile({
+			cfg,
+			store,
+			profileId,
+			agentDir: params.agentDir
+		});
+		if (!resolved) throw new Error(`No credentials found for profile "${profileId}".`);
+		const mode = store.profiles[profileId]?.type;
+		return {
+			apiKey: resolved.apiKey,
+			profileId,
+			source: `profile:${profileId}`,
+			mode: mode === "oauth" ? "oauth" : mode === "token" ? "token" : "api-key"
+		};
+	}
+	const authOverride = resolveProviderAuthOverride(cfg, provider);
+	if (authOverride === "aws-sdk") return resolveAwsSdkAuthInfo();
+	const order = resolveAuthProfileOrder({
+		cfg,
+		store,
+		provider,
+		preferredProfile
+	});
+	for (const candidate of order) try {
+		const resolved = await resolveApiKeyForProfile({
+			cfg,
+			store,
+			profileId: candidate,
+			agentDir: params.agentDir
+		});
+		if (resolved) {
+			const mode = store.profiles[candidate]?.type;
+			return {
+				apiKey: resolved.apiKey,
+				profileId: candidate,
+				source: `profile:${candidate}`,
+				mode: mode === "oauth" ? "oauth" : mode === "token" ? "token" : "api-key"
+			};
+		}
+	} catch {}
+	const envResolved = resolveEnvApiKey(provider);
+	if (envResolved) return {
+		apiKey: envResolved.apiKey,
+		source: envResolved.source,
+		mode: envResolved.source.includes("OAUTH_TOKEN") ? "oauth" : "api-key"
+	};
+	const customKey = getCustomProviderApiKey(cfg, provider);
+	if (customKey) return {
+		apiKey: customKey,
+		source: "models.json",
+		mode: "api-key"
+	};
+	const normalized = normalizeProviderId(provider);
+	if (authOverride === void 0 && normalized === "amazon-bedrock") return resolveAwsSdkAuthInfo();
+	if (provider === "openai") {
+		if (listProfilesForProvider(store, "openai-codex").length > 0) throw new Error("No API key found for provider \"openai\". You are authenticated with OpenAI Codex OAuth. Use openai-codex/gpt-5.3-codex (OAuth) or set OPENAI_API_KEY to use openai/gpt-5.1-codex.");
+	}
+	const authStorePath = resolveAuthStorePathForDisplay(params.agentDir);
+	const resolvedAgentDir = path.dirname(authStorePath);
+	throw new Error([
+		`No API key found for provider "${provider}".`,
+		`Auth store: ${authStorePath} (agentDir: ${resolvedAgentDir}).`,
+		`Configure auth for this agent (${formatCliCommand("synurex agents add <id>")}) or copy auth-profiles.json from the main agentDir.`
+	].join(" "));
+}
+function resolveEnvApiKey(provider) {
+	const normalized = normalizeProviderId(provider);
+	const applied = new Set(getShellEnvAppliedKeys());
+	const pick = (envVar) => {
+		const value = process.env[envVar]?.trim();
+		if (!value) return null;
+		return {
+			apiKey: value,
+			source: applied.has(envVar) ? `shell env: ${envVar}` : `env: ${envVar}`
+		};
+	};
+	if (normalized === "github-copilot") return pick("COPILOT_GITHUB_TOKEN") ?? pick("GH_TOKEN") ?? pick("GITHUB_TOKEN");
+	if (normalized === "anthropic") return pick("ANTHROPIC_OAUTH_TOKEN") ?? pick("ANTHROPIC_API_KEY");
+	if (normalized === "chutes") return pick("CHUTES_OAUTH_TOKEN") ?? pick("CHUTES_API_KEY");
+	if (normalized === "zai") return pick("ZAI_API_KEY") ?? pick("Z_AI_API_KEY");
+	if (normalized === "google-vertex") {
+		const envKey = getEnvApiKey(normalized);
+		if (!envKey) return null;
+		return {
+			apiKey: envKey,
+			source: "gcloud adc"
+		};
+	}
+	if (normalized === "opencode") return pick("OPENCODE_API_KEY") ?? pick("OPENCODE_ZEN_API_KEY");
+	if (normalized === "qwen-portal") return pick("QWEN_OAUTH_TOKEN") ?? pick("QWEN_PORTAL_API_KEY");
+	if (normalized === "minimax-portal") return pick("MINIMAX_OAUTH_TOKEN") ?? pick("MINIMAX_API_KEY");
+	if (normalized === "kimi-coding") return pick("KIMI_API_KEY") ?? pick("KIMICODE_API_KEY");
+	const envVar = {
+		openai: "OPENAI_API_KEY",
+		google: "GEMINI_API_KEY",
+		voyage: "VOYAGE_API_KEY",
+		groq: "GROQ_API_KEY",
+		deepgram: "DEEPGRAM_API_KEY",
+		cerebras: "CEREBRAS_API_KEY",
+		xai: "XAI_API_KEY",
+		openrouter: "OPENROUTER_API_KEY",
+		"vercel-ai-gateway": "AI_GATEWAY_API_KEY",
+		"cloudflare-ai-gateway": "CLOUDFLARE_AI_GATEWAY_API_KEY",
+		moonshot: "MOONSHOT_API_KEY",
+		minimax: "MINIMAX_API_KEY",
+		xiaomi: "XIAOMI_API_KEY",
+		synthetic: "SYNTHETIC_API_KEY",
+		venice: "VENICE_API_KEY",
+		mistral: "MISTRAL_API_KEY",
+		opencode: "OPENCODE_API_KEY",
+		qianfan: "QIANFAN_API_KEY",
+		ollama: "OLLAMA_API_KEY"
+	}[normalized];
+	if (!envVar) return null;
+	return pick(envVar);
+}
+function resolveModelAuthMode(provider, cfg, store) {
+	const resolved = provider?.trim();
+	if (!resolved) return;
+	const authOverride = resolveProviderAuthOverride(cfg, resolved);
+	if (authOverride === "aws-sdk") return "aws-sdk";
+	const authStore = store ?? ensureAuthProfileStore();
+	const profiles = listProfilesForProvider(authStore, resolved);
+	if (profiles.length > 0) {
+		const modes = new Set(profiles.map((id) => authStore.profiles[id]?.type).filter((mode) => Boolean(mode)));
+		if ([
+			"oauth",
+			"token",
+			"api_key"
+		].filter((k) => modes.has(k)).length >= 2) return "mixed";
+		if (modes.has("oauth")) return "oauth";
+		if (modes.has("token")) return "token";
+		if (modes.has("api_key")) return "api-key";
+	}
+	if (authOverride === void 0 && normalizeProviderId(resolved) === "amazon-bedrock") return "aws-sdk";
+	const envKey = resolveEnvApiKey(resolved);
+	if (envKey?.apiKey) return envKey.source.includes("OAUTH_TOKEN") ? "oauth" : "api-key";
+	if (getCustomProviderApiKey(cfg, resolved)) return "api-key";
+	return "unknown";
+}
+async function getApiKeyForModel(params) {
+	return resolveApiKeyForProvider({
+		provider: params.model.provider,
+		cfg: params.cfg,
+		profileId: params.profileId,
+		preferredProfile: params.preferredProfile,
+		store: params.store,
+		agentDir: params.agentDir
+	});
+}
+function requireApiKey(auth, provider) {
+	const key = auth.apiKey?.trim();
+	if (key) return key;
+	throw new Error(`No API key resolved for provider "${provider}" (auth mode: ${auth.mode}).`);
+}
+
+//#endregion
+//#region src/agents/synthetic-models.ts
+const SYNTHETIC_BASE_URL = "https://api.synthetic.new/anthropic";
+const SYNTHETIC_DEFAULT_MODEL_ID = "hf:MiniMaxAI/MiniMax-M2.1";
+const SYNTHETIC_DEFAULT_MODEL_REF = `synthetic/${SYNTHETIC_DEFAULT_MODEL_ID}`;
+const SYNTHETIC_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+const SYNTHETIC_MODEL_CATALOG = [
+	{
+		id: SYNTHETIC_DEFAULT_MODEL_ID,
+		name: "MiniMax M2.1",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 192e3,
+		maxTokens: 65536
+	},
+	{
+		id: "hf:moonshotai/Kimi-K2-Thinking",
+		name: "Kimi K2 Thinking",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:zai-org/GLM-4.7",
+		name: "GLM-4.7",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 198e3,
+		maxTokens: 128e3
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-R1-0528",
+		name: "DeepSeek R1 0528",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-V3-0324",
+		name: "DeepSeek V3 0324",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-V3.1",
+		name: "DeepSeek V3.1",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-V3.1-Terminus",
+		name: "DeepSeek V3.1 Terminus",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-V3.2",
+		name: "DeepSeek V3.2",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 159e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:meta-llama/Llama-3.3-70B-Instruct",
+		name: "Llama 3.3 70B Instruct",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:meta-llama/Llama-4-Maverick-17B-128E-Instruct-FP8",
+		name: "Llama 4 Maverick 17B 128E Instruct FP8",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 524e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:moonshotai/Kimi-K2-Instruct-0905",
+		name: "Kimi K2 Instruct 0905",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:moonshotai/Kimi-K2.5",
+		name: "Kimi K2.5",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:openai/gpt-oss-120b",
+		name: "GPT OSS 120B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:Qwen/Qwen3-235B-A22B-Instruct-2507",
+		name: "Qwen3 235B A22B Instruct 2507",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:Qwen/Qwen3-Coder-480B-A35B-Instruct",
+		name: "Qwen3 Coder 480B A35B Instruct",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:Qwen/Qwen3-VL-235B-A22B-Instruct",
+		name: "Qwen3 VL 235B A22B Instruct",
+		reasoning: false,
+		input: ["text", "image"],
+		contextWindow: 25e4,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:zai-org/GLM-4.5",
+		name: "GLM-4.5",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 128e3
+	},
+	{
+		id: "hf:zai-org/GLM-4.6",
+		name: "GLM-4.6",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 198e3,
+		maxTokens: 128e3
+	},
+	{
+		id: "hf:deepseek-ai/DeepSeek-V3",
+		name: "DeepSeek V3",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 128e3,
+		maxTokens: 8192
+	},
+	{
+		id: "hf:Qwen/Qwen3-235B-A22B-Thinking-2507",
+		name: "Qwen3 235B A22B Thinking 2507",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 256e3,
+		maxTokens: 8192
+	}
+];
+function buildSyntheticModelDefinition(entry) {
+	return {
+		id: entry.id,
+		name: entry.name,
+		reasoning: entry.reasoning,
+		input: [...entry.input],
+		cost: SYNTHETIC_DEFAULT_COST,
+		contextWindow: entry.contextWindow,
+		maxTokens: entry.maxTokens
+	};
+}
+
+//#endregion
+//#region src/agents/venice-models.ts
+const VENICE_BASE_URL = "https://api.venice.ai/api/v1";
+const VENICE_DEFAULT_MODEL_ID = "llama-3.3-70b";
+const VENICE_DEFAULT_MODEL_REF = `venice/${VENICE_DEFAULT_MODEL_ID}`;
+const VENICE_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+/**
+* Complete catalog of Venice AI models.
+*
+* Venice provides two privacy modes:
+* - "private": Fully private inference, no logging, ephemeral
+* - "anonymized": Proxied through Venice with metadata stripped (for proprietary models)
+*
+* Note: The `privacy` field is included for documentation purposes but is not
+* propagated to ModelDefinitionConfig as it's not part of the core model schema.
+* Privacy mode is determined by the model itself, not configurable at runtime.
+*
+* This catalog serves as a fallback when the Venice API is unreachable.
+*/
+const VENICE_MODEL_CATALOG = [
+	{
+		id: "llama-3.3-70b",
+		name: "Llama 3.3 70B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "llama-3.2-3b",
+		name: "Llama 3.2 3B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "hermes-3-llama-3.1-405b",
+		name: "Hermes 3 Llama 3.1 405B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-235b-a22b-thinking-2507",
+		name: "Qwen3 235B Thinking",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-235b-a22b-instruct-2507",
+		name: "Qwen3 235B Instruct",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-coder-480b-a35b-instruct",
+		name: "Qwen3 Coder 480B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-next-80b",
+		name: "Qwen3 Next 80B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-vl-235b-a22b",
+		name: "Qwen3 VL 235B (Vision)",
+		reasoning: false,
+		input: ["text", "image"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "qwen3-4b",
+		name: "Venice Small (Qwen3 4B)",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 32768,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "deepseek-v3.2",
+		name: "DeepSeek V3.2",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 163840,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "venice-uncensored",
+		name: "Venice Uncensored (Dolphin-Mistral)",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 32768,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "mistral-31-24b",
+		name: "Venice Medium (Mistral)",
+		reasoning: false,
+		input: ["text", "image"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "google-gemma-3-27b-it",
+		name: "Google Gemma 3 27B Instruct",
+		reasoning: false,
+		input: ["text", "image"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "openai-gpt-oss-120b",
+		name: "OpenAI GPT OSS 120B",
+		reasoning: false,
+		input: ["text"],
+		contextWindow: 131072,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "zai-org-glm-4.7",
+		name: "GLM 4.7",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "private"
+	},
+	{
+		id: "claude-opus-45",
+		name: "Claude Opus 4.5 (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "claude-sonnet-45",
+		name: "Claude Sonnet 4.5 (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "openai-gpt-52",
+		name: "GPT-5.2 (via Venice)",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "openai-gpt-52-codex",
+		name: "GPT-5.2 Codex (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "gemini-3-pro-preview",
+		name: "Gemini 3 Pro (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "gemini-3-flash-preview",
+		name: "Gemini 3 Flash (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "grok-41-fast",
+		name: "Grok 4.1 Fast (via Venice)",
+		reasoning: true,
+		input: ["text", "image"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "grok-code-fast-1",
+		name: "Grok Code Fast 1 (via Venice)",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "kimi-k2-thinking",
+		name: "Kimi K2 Thinking (via Venice)",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 262144,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	},
+	{
+		id: "minimax-m21",
+		name: "MiniMax M2.1 (via Venice)",
+		reasoning: true,
+		input: ["text"],
+		contextWindow: 202752,
+		maxTokens: 8192,
+		privacy: "anonymized"
+	}
+];
+/**
+* Build a ModelDefinitionConfig from a Venice catalog entry.
+*
+* Note: The `privacy` field from the catalog is not included in the output
+* as ModelDefinitionConfig doesn't support custom metadata fields. Privacy
+* mode is inherent to each model and documented in the catalog/docs.
+*/
+function buildVeniceModelDefinition(entry) {
+	return {
+		id: entry.id,
+		name: entry.name,
+		reasoning: entry.reasoning,
+		input: [...entry.input],
+		cost: VENICE_DEFAULT_COST,
+		contextWindow: entry.contextWindow,
+		maxTokens: entry.maxTokens
+	};
+}
+/**
+* Discover models from Venice API with fallback to static catalog.
+* The /models endpoint is public and doesn't require authentication.
+*/
+async function discoverVeniceModels() {
+	if (process.env.VITEST) return VENICE_MODEL_CATALOG.map(buildVeniceModelDefinition);
+	try {
+		const response = await fetch(`${VENICE_BASE_URL}/models`, { signal: AbortSignal.timeout(5e3) });
+		if (!response.ok) {
+			console.warn(`[venice-models] Failed to discover models: HTTP ${response.status}, using static catalog`);
+			return VENICE_MODEL_CATALOG.map(buildVeniceModelDefinition);
+		}
+		const data = await response.json();
+		if (!Array.isArray(data.data) || data.data.length === 0) {
+			console.warn("[venice-models] No models found from API, using static catalog");
+			return VENICE_MODEL_CATALOG.map(buildVeniceModelDefinition);
+		}
+		const catalogById = new Map(VENICE_MODEL_CATALOG.map((m) => [m.id, m]));
+		const models = [];
+		for (const apiModel of data.data) {
+			const catalogEntry = catalogById.get(apiModel.id);
+			if (catalogEntry) models.push(buildVeniceModelDefinition(catalogEntry));
+			else {
+				const isReasoning = apiModel.model_spec.capabilities.supportsReasoning || apiModel.id.toLowerCase().includes("thinking") || apiModel.id.toLowerCase().includes("reason") || apiModel.id.toLowerCase().includes("r1");
+				const hasVision = apiModel.model_spec.capabilities.supportsVision;
+				models.push({
+					id: apiModel.id,
+					name: apiModel.model_spec.name || apiModel.id,
+					reasoning: isReasoning,
+					input: hasVision ? ["text", "image"] : ["text"],
+					cost: VENICE_DEFAULT_COST,
+					contextWindow: apiModel.model_spec.availableContextTokens || 128e3,
+					maxTokens: 8192
+				});
+			}
+		}
+		return models.length > 0 ? models : VENICE_MODEL_CATALOG.map(buildVeniceModelDefinition);
+	} catch (error) {
+		console.warn(`[venice-models] Discovery failed: ${String(error)}, using static catalog`);
+		return VENICE_MODEL_CATALOG.map(buildVeniceModelDefinition);
+	}
+}
+
+//#endregion
+//#region src/agents/models-config.providers.ts
+const MINIMAX_API_BASE_URL = "https://api.minimax.chat/v1";
+const MINIMAX_PORTAL_BASE_URL = "https://api.minimax.io/anthropic";
+const MINIMAX_DEFAULT_MODEL_ID = "MiniMax-M2.1";
+const MINIMAX_DEFAULT_VISION_MODEL_ID = "MiniMax-VL-01";
+const MINIMAX_DEFAULT_CONTEXT_WINDOW = 2e5;
+const MINIMAX_DEFAULT_MAX_TOKENS = 8192;
+const MINIMAX_OAUTH_PLACEHOLDER = "minimax-oauth";
+const MINIMAX_API_COST = {
+	input: 15,
+	output: 60,
+	cacheRead: 2,
+	cacheWrite: 10
+};
+const XIAOMI_BASE_URL = "https://api.xiaomimimo.com/anthropic";
+const XIAOMI_DEFAULT_MODEL_ID = "mimo-v2-flash";
+const XIAOMI_DEFAULT_CONTEXT_WINDOW = 262144;
+const XIAOMI_DEFAULT_MAX_TOKENS = 8192;
+const XIAOMI_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+const MOONSHOT_BASE_URL = "https://api.moonshot.ai/v1";
+const MOONSHOT_DEFAULT_MODEL_ID = "kimi-k2.5";
+const MOONSHOT_DEFAULT_CONTEXT_WINDOW = 256e3;
+const MOONSHOT_DEFAULT_MAX_TOKENS = 8192;
+const MOONSHOT_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+const QWEN_PORTAL_BASE_URL = "https://portal.qwen.ai/v1";
+const QWEN_PORTAL_OAUTH_PLACEHOLDER = "qwen-oauth";
+const QWEN_PORTAL_DEFAULT_CONTEXT_WINDOW = 128e3;
+const QWEN_PORTAL_DEFAULT_MAX_TOKENS = 8192;
+const QWEN_PORTAL_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+const OLLAMA_BASE_URL = "http://127.0.0.1:11434/v1";
+const OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
+const OLLAMA_DEFAULT_CONTEXT_WINDOW = 128e3;
+const OLLAMA_DEFAULT_MAX_TOKENS = 8192;
+const OLLAMA_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+const QIANFAN_BASE_URL = "https://qianfan.baidubce.com/v2";
+const QIANFAN_DEFAULT_MODEL_ID = "deepseek-v3.2";
+const QIANFAN_DEFAULT_CONTEXT_WINDOW = 98304;
+const QIANFAN_DEFAULT_MAX_TOKENS = 32768;
+const QIANFAN_DEFAULT_COST = {
+	input: 0,
+	output: 0,
+	cacheRead: 0,
+	cacheWrite: 0
+};
+async function discoverOllamaModels() {
+	if (process.env.VITEST || false) return [];
+	try {
+		const response = await fetch(`${OLLAMA_API_BASE_URL}/api/tags`, { signal: AbortSignal.timeout(5e3) });
+		if (!response.ok) {
+			console.warn(`Failed to discover Ollama models: ${response.status}`);
+			return [];
+		}
+		const data = await response.json();
+		if (!data.models || data.models.length === 0) {
+			console.warn("No Ollama models found on local instance");
+			return [];
+		}
+		return data.models.map((model) => {
+			const modelId = model.name;
+			return {
+				id: modelId,
+				name: modelId,
+				reasoning: modelId.toLowerCase().includes("r1") || modelId.toLowerCase().includes("reasoning"),
+				input: ["text"],
+				cost: OLLAMA_DEFAULT_COST,
+				contextWindow: OLLAMA_DEFAULT_CONTEXT_WINDOW,
+				maxTokens: OLLAMA_DEFAULT_MAX_TOKENS,
+				params: { streaming: false }
+			};
+		});
+	} catch (error) {
+		console.warn(`Failed to discover Ollama models: ${String(error)}`);
+		return [];
+	}
+}
+function normalizeApiKeyConfig(value) {
+	const trimmed = value.trim();
+	return /^\$\{([A-Z0-9_]+)\}$/.exec(trimmed)?.[1] ?? trimmed;
+}
+function resolveEnvApiKeyVarName(provider) {
+	const resolved = resolveEnvApiKey(provider);
+	if (!resolved) return;
+	const match = /^(?:env: |shell env: )([A-Z0-9_]+)$/.exec(resolved.source);
+	return match ? match[1] : void 0;
+}
+function resolveAwsSdkApiKeyVarName() {
+	return resolveAwsSdkEnvVarName() ?? "AWS_PROFILE";
+}
+function resolveApiKeyFromProfiles(params) {
+	const ids = listProfilesForProvider(params.store, params.provider);
+	for (const id of ids) {
+		const cred = params.store.profiles[id];
+		if (!cred) continue;
+		if (cred.type === "api_key") return cred.key;
+		if (cred.type === "token") return cred.token;
+	}
+}
+function normalizeGoogleModelId(id) {
+	if (id === "gemini-3-pro") return "gemini-3-pro-preview";
+	if (id === "gemini-3-flash") return "gemini-3-flash-preview";
+	return id;
+}
+function normalizeGoogleProvider(provider) {
+	let mutated = false;
+	const models = provider.models.map((model) => {
+		const nextId = normalizeGoogleModelId(model.id);
+		if (nextId === model.id) return model;
+		mutated = true;
+		return {
+			...model,
+			id: nextId
+		};
+	});
+	return mutated ? {
+		...provider,
+		models
+	} : provider;
+}
+function normalizeProviders(params) {
+	const { providers } = params;
+	if (!providers) return providers;
+	const authStore = ensureAuthProfileStore(params.agentDir, { allowKeychainPrompt: false });
+	let mutated = false;
+	const next = {};
+	for (const [key, provider] of Object.entries(providers)) {
+		const normalizedKey = key.trim();
+		let normalizedProvider = provider;
+		if (normalizedProvider.apiKey && normalizeApiKeyConfig(normalizedProvider.apiKey) !== normalizedProvider.apiKey) {
+			mutated = true;
+			normalizedProvider = {
+				...normalizedProvider,
+				apiKey: normalizeApiKeyConfig(normalizedProvider.apiKey)
+			};
+		}
+		if (Array.isArray(normalizedProvider.models) && normalizedProvider.models.length > 0 && !normalizedProvider.apiKey?.trim()) if ((normalizedProvider.auth ?? (normalizedKey === "amazon-bedrock" ? "aws-sdk" : void 0)) === "aws-sdk") {
+			const apiKey = resolveAwsSdkApiKeyVarName();
+			mutated = true;
+			normalizedProvider = {
+				...normalizedProvider,
+				apiKey
+			};
+		} else {
+			const fromEnv = resolveEnvApiKeyVarName(normalizedKey);
+			const fromProfiles = resolveApiKeyFromProfiles({
+				provider: normalizedKey,
+				store: authStore
+			});
+			const apiKey = fromEnv ?? fromProfiles;
+			if (apiKey?.trim()) {
+				mutated = true;
+				normalizedProvider = {
+					...normalizedProvider,
+					apiKey
+				};
+			}
+		}
+		if (normalizedKey === "google") {
+			const googleNormalized = normalizeGoogleProvider(normalizedProvider);
+			if (googleNormalized !== normalizedProvider) mutated = true;
+			normalizedProvider = googleNormalized;
+		}
+		next[key] = normalizedProvider;
+	}
+	return mutated ? next : providers;
+}
+function buildMinimaxProvider() {
+	return {
+		baseUrl: MINIMAX_API_BASE_URL,
+		api: "openai-completions",
+		models: [{
+			id: MINIMAX_DEFAULT_MODEL_ID,
+			name: "MiniMax M2.1",
+			reasoning: false,
+			input: ["text"],
+			cost: MINIMAX_API_COST,
+			contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
+			maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
+		}, {
+			id: MINIMAX_DEFAULT_VISION_MODEL_ID,
+			name: "MiniMax VL 01",
+			reasoning: false,
+			input: ["text", "image"],
+			cost: MINIMAX_API_COST,
+			contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
+			maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
+		}]
+	};
+}
+function buildMinimaxPortalProvider() {
+	return {
+		baseUrl: MINIMAX_PORTAL_BASE_URL,
+		api: "anthropic-messages",
+		models: [{
+			id: MINIMAX_DEFAULT_MODEL_ID,
+			name: "MiniMax M2.1",
+			reasoning: false,
+			input: ["text"],
+			cost: MINIMAX_API_COST,
+			contextWindow: MINIMAX_DEFAULT_CONTEXT_WINDOW,
+			maxTokens: MINIMAX_DEFAULT_MAX_TOKENS
+		}]
+	};
+}
+function buildMoonshotProvider() {
+	return {
+		baseUrl: MOONSHOT_BASE_URL,
+		api: "openai-completions",
+		models: [{
+			id: MOONSHOT_DEFAULT_MODEL_ID,
+			name: "Kimi K2.5",
+			reasoning: false,
+			input: ["text"],
+			cost: MOONSHOT_DEFAULT_COST,
+			contextWindow: MOONSHOT_DEFAULT_CONTEXT_WINDOW,
+			maxTokens: MOONSHOT_DEFAULT_MAX_TOKENS
+		}]
+	};
+}
+function buildQwenPortalProvider() {
+	return {
+		baseUrl: QWEN_PORTAL_BASE_URL,
+		api: "openai-completions",
+		models: [{
+			id: "coder-model",
+			name: "Qwen Coder",
+			reasoning: false,
+			input: ["text"],
+			cost: QWEN_PORTAL_DEFAULT_COST,
+			contextWindow: QWEN_PORTAL_DEFAULT_CONTEXT_WINDOW,
+			maxTokens: QWEN_PORTAL_DEFAULT_MAX_TOKENS
+		}, {
+			id: "vision-model",
+			name: "Qwen Vision",
+			reasoning: false,
+			input: ["text", "image"],
+			cost: QWEN_PORTAL_DEFAULT_COST,
+			contextWindow: QWEN_PORTAL_DEFAULT_CONTEXT_WINDOW,
+			maxTokens: QWEN_PORTAL_DEFAULT_MAX_TOKENS
+		}]
+	};
+}
+function buildSyntheticProvider() {
+	return {
+		baseUrl: SYNTHETIC_BASE_URL,
+		api: "anthropic-messages",
+		models: SYNTHETIC_MODEL_CATALOG.map(buildSyntheticModelDefinition)
+	};
+}
+function buildXiaomiProvider() {
+	return {
+		baseUrl: XIAOMI_BASE_URL,
+		api: "anthropic-messages",
+		models: [{
+			id: XIAOMI_DEFAULT_MODEL_ID,
+			name: "Xiaomi MiMo V2 Flash",
+			reasoning: false,
+			input: ["text"],
+			cost: XIAOMI_DEFAULT_COST,
+			contextWindow: XIAOMI_DEFAULT_CONTEXT_WINDOW,
+			maxTokens: XIAOMI_DEFAULT_MAX_TOKENS
+		}]
+	};
+}
+async function buildVeniceProvider() {
+	return {
+		baseUrl: VENICE_BASE_URL,
+		api: "openai-completions",
+		models: await discoverVeniceModels()
+	};
+}
+async function buildOllamaProvider() {
+	return {
+		baseUrl: OLLAMA_BASE_URL,
+		api: "openai-completions",
+		models: await discoverOllamaModels()
+	};
+}
+function buildQianfanProvider() {
+	return {
+		baseUrl: QIANFAN_BASE_URL,
+		api: "openai-completions",
+		models: [{
+			id: QIANFAN_DEFAULT_MODEL_ID,
+			name: "DEEPSEEK V3.2",
+			reasoning: true,
+			input: ["text"],
+			cost: QIANFAN_DEFAULT_COST,
+			contextWindow: QIANFAN_DEFAULT_CONTEXT_WINDOW,
+			maxTokens: QIANFAN_DEFAULT_MAX_TOKENS
+		}, {
+			id: "ernie-5.0-thinking-preview",
+			name: "ERNIE-5.0-Thinking-Preview",
+			reasoning: true,
+			input: ["text", "image"],
+			cost: QIANFAN_DEFAULT_COST,
+			contextWindow: 119e3,
+			maxTokens: 64e3
+		}]
+	};
+}
+async function resolveImplicitProviders(params) {
+	const providers = {};
+	const authStore = ensureAuthProfileStore(params.agentDir, { allowKeychainPrompt: false });
+	const minimaxKey = resolveEnvApiKeyVarName("minimax") ?? resolveApiKeyFromProfiles({
+		provider: "minimax",
+		store: authStore
+	});
+	if (minimaxKey) providers.minimax = {
+		...buildMinimaxProvider(),
+		apiKey: minimaxKey
+	};
+	if (listProfilesForProvider(authStore, "minimax-portal").length > 0) providers["minimax-portal"] = {
+		...buildMinimaxPortalProvider(),
+		apiKey: MINIMAX_OAUTH_PLACEHOLDER
+	};
+	const moonshotKey = resolveEnvApiKeyVarName("moonshot") ?? resolveApiKeyFromProfiles({
+		provider: "moonshot",
+		store: authStore
+	});
+	if (moonshotKey) providers.moonshot = {
+		...buildMoonshotProvider(),
+		apiKey: moonshotKey
+	};
+	const syntheticKey = resolveEnvApiKeyVarName("synthetic") ?? resolveApiKeyFromProfiles({
+		provider: "synthetic",
+		store: authStore
+	});
+	if (syntheticKey) providers.synthetic = {
+		...buildSyntheticProvider(),
+		apiKey: syntheticKey
+	};
+	const veniceKey = resolveEnvApiKeyVarName("venice") ?? resolveApiKeyFromProfiles({
+		provider: "venice",
+		store: authStore
+	});
+	if (veniceKey) providers.venice = {
+		...await buildVeniceProvider(),
+		apiKey: veniceKey
+	};
+	if (listProfilesForProvider(authStore, "qwen-portal").length > 0) providers["qwen-portal"] = {
+		...buildQwenPortalProvider(),
+		apiKey: QWEN_PORTAL_OAUTH_PLACEHOLDER
+	};
+	const xiaomiKey = resolveEnvApiKeyVarName("xiaomi") ?? resolveApiKeyFromProfiles({
+		provider: "xiaomi",
+		store: authStore
+	});
+	if (xiaomiKey) providers.xiaomi = {
+		...buildXiaomiProvider(),
+		apiKey: xiaomiKey
+	};
+	const cloudflareProfiles = listProfilesForProvider(authStore, "cloudflare-ai-gateway");
+	for (const profileId of cloudflareProfiles) {
+		const cred = authStore.profiles[profileId];
+		if (cred?.type !== "api_key") continue;
+		const accountId = cred.metadata?.accountId?.trim();
+		const gatewayId = cred.metadata?.gatewayId?.trim();
+		if (!accountId || !gatewayId) continue;
+		const baseUrl = resolveCloudflareAiGatewayBaseUrl({
+			accountId,
+			gatewayId
+		});
+		if (!baseUrl) continue;
+		const apiKey = resolveEnvApiKeyVarName("cloudflare-ai-gateway") ?? cred.key?.trim() ?? "";
+		if (!apiKey) continue;
+		providers["cloudflare-ai-gateway"] = {
+			baseUrl,
+			api: "anthropic-messages",
+			apiKey,
+			models: [buildCloudflareAiGatewayModelDefinition()]
+		};
+		break;
+	}
+	const ollamaKey = resolveEnvApiKeyVarName("ollama") ?? resolveApiKeyFromProfiles({
+		provider: "ollama",
+		store: authStore
+	});
+	if (ollamaKey) providers.ollama = {
+		...await buildOllamaProvider(),
+		apiKey: ollamaKey
+	};
+	const qianfanKey = resolveEnvApiKeyVarName("qianfan") ?? resolveApiKeyFromProfiles({
+		provider: "qianfan",
+		store: authStore
+	});
+	if (qianfanKey) providers.qianfan = {
+		...buildQianfanProvider(),
+		apiKey: qianfanKey
+	};
+	return providers;
+}
+async function resolveImplicitCopilotProvider(params) {
+	const env = params.env ?? process.env;
+	const authStore = ensureAuthProfileStore(params.agentDir, { allowKeychainPrompt: false });
+	const hasProfile = listProfilesForProvider(authStore, "github-copilot").length > 0;
+	const githubToken = (env.COPILOT_GITHUB_TOKEN ?? env.GH_TOKEN ?? env.GITHUB_TOKEN ?? "").trim();
+	if (!hasProfile && !githubToken) return null;
+	let selectedGithubToken = githubToken;
+	if (!selectedGithubToken && hasProfile) {
+		const profileId = listProfilesForProvider(authStore, "github-copilot")[0];
+		const profile = profileId ? authStore.profiles[profileId] : void 0;
+		if (profile && profile.type === "token") selectedGithubToken = profile.token;
+	}
+	let baseUrl = DEFAULT_COPILOT_API_BASE_URL;
+	if (selectedGithubToken) try {
+		baseUrl = (await resolveCopilotApiToken({
+			githubToken: selectedGithubToken,
+			env
+		})).baseUrl;
+	} catch {
+		baseUrl = DEFAULT_COPILOT_API_BASE_URL;
+	}
+	return {
+		baseUrl,
+		models: []
+	};
+}
+async function resolveImplicitBedrockProvider(params) {
+	const env = params.env ?? process.env;
+	const discoveryConfig = params.config?.models?.bedrockDiscovery;
+	const enabled = discoveryConfig?.enabled;
+	const hasAwsCreds = resolveAwsSdkEnvVarName(env) !== void 0;
+	if (enabled === false) return null;
+	if (enabled !== true && !hasAwsCreds) return null;
+	const region = discoveryConfig?.region ?? env.AWS_REGION ?? env.AWS_DEFAULT_REGION ?? "us-east-1";
+	const models = await discoverBedrockModels({
+		region,
+		config: discoveryConfig
+	});
+	if (models.length === 0) return null;
+	return {
+		baseUrl: `https://bedrock-runtime.${region}.amazonaws.com`,
+		api: "bedrock-converse-stream",
+		auth: "aws-sdk",
+		models
+	};
+}
+
+//#endregion
+//#region src/agents/model-selection.ts
+const ANTHROPIC_MODEL_ALIASES = {
+	"opus-4.6": "claude-opus-4-6",
+	"opus-4.5": "claude-opus-4-5",
+	"sonnet-4.5": "claude-sonnet-4-5"
+};
+function normalizeAliasKey(value) {
+	return value.trim().toLowerCase();
+}
+function modelKey(provider, model) {
+	return `${provider}/${model}`;
+}
+function normalizeProviderId(provider) {
+	const normalized = provider.trim().toLowerCase();
+	if (normalized === "z.ai" || normalized === "z-ai") return "zai";
+	if (normalized === "opencode-zen") return "opencode";
+	if (normalized === "qwen") return "qwen-portal";
+	if (normalized === "kimi-code") return "kimi-coding";
+	return normalized;
+}
+function isCliProvider(provider, cfg) {
+	const normalized = normalizeProviderId(provider);
+	if (normalized === "claude-cli") return true;
+	if (normalized === "codex-cli") return true;
+	const backends = cfg?.agents?.defaults?.cliBackends ?? {};
+	return Object.keys(backends).some((key) => normalizeProviderId(key) === normalized);
+}
+function normalizeAnthropicModelId(model) {
+	const trimmed = model.trim();
+	if (!trimmed) return trimmed;
+	return ANTHROPIC_MODEL_ALIASES[trimmed.toLowerCase()] ?? trimmed;
+}
+function normalizeProviderModelId(provider, model) {
+	if (provider === "anthropic") return normalizeAnthropicModelId(model);
+	if (provider === "google") return normalizeGoogleModelId(model);
+	return model;
+}
+function parseModelRef(raw, defaultProvider) {
+	const trimmed = raw.trim();
+	if (!trimmed) return null;
+	const slash = trimmed.indexOf("/");
+	if (slash === -1) {
+		const provider = normalizeProviderId(defaultProvider);
+		return {
+			provider,
+			model: normalizeProviderModelId(provider, trimmed)
+		};
+	}
+	const provider = normalizeProviderId(trimmed.slice(0, slash).trim());
+	const model = trimmed.slice(slash + 1).trim();
+	if (!provider || !model) return null;
+	return {
+		provider,
+		model: normalizeProviderModelId(provider, model)
+	};
+}
+function resolveAllowlistModelKey(raw, defaultProvider) {
+	const parsed = parseModelRef(raw, defaultProvider);
+	if (!parsed) return null;
+	return modelKey(parsed.provider, parsed.model);
+}
+function buildConfiguredAllowlistKeys(params) {
+	const rawAllowlist = Object.keys(params.cfg?.agents?.defaults?.models ?? {});
+	if (rawAllowlist.length === 0) return null;
+	const keys = /* @__PURE__ */ new Set();
+	for (const raw of rawAllowlist) {
+		const key = resolveAllowlistModelKey(String(raw ?? ""), params.defaultProvider);
+		if (key) keys.add(key);
+	}
+	return keys.size > 0 ? keys : null;
+}
+function buildModelAliasIndex(params) {
+	const byAlias = /* @__PURE__ */ new Map();
+	const byKey = /* @__PURE__ */ new Map();
+	const rawModels = params.cfg.agents?.defaults?.models ?? {};
+	for (const [keyRaw, entryRaw] of Object.entries(rawModels)) {
+		const parsed = parseModelRef(String(keyRaw ?? ""), params.defaultProvider);
+		if (!parsed) continue;
+		const alias = String(entryRaw?.alias ?? "").trim();
+		if (!alias) continue;
+		const aliasKey = normalizeAliasKey(alias);
+		byAlias.set(aliasKey, {
+			alias,
+			ref: parsed
+		});
+		const key = modelKey(parsed.provider, parsed.model);
+		const existing = byKey.get(key) ?? [];
+		existing.push(alias);
+		byKey.set(key, existing);
+	}
+	return {
+		byAlias,
+		byKey
+	};
+}
+function resolveModelRefFromString(params) {
+	const trimmed = params.raw.trim();
+	if (!trimmed) return null;
+	if (!trimmed.includes("/")) {
+		const aliasKey = normalizeAliasKey(trimmed);
+		const aliasMatch = params.aliasIndex?.byAlias.get(aliasKey);
+		if (aliasMatch) return {
+			ref: aliasMatch.ref,
+			alias: aliasMatch.alias
+		};
+	}
+	const parsed = parseModelRef(trimmed, params.defaultProvider);
+	if (!parsed) return null;
+	return { ref: parsed };
+}
+function resolveConfiguredModelRef(params) {
+	const rawModel = (() => {
+		const raw = params.cfg.agents?.defaults?.model;
+		if (typeof raw === "string") return raw.trim();
+		return raw?.primary?.trim() ?? "";
+	})();
+	if (rawModel) {
+		const trimmed = rawModel.trim();
+		const aliasIndex = buildModelAliasIndex({
+			cfg: params.cfg,
+			defaultProvider: params.defaultProvider
+		});
+		if (!trimmed.includes("/")) {
+			const aliasKey = normalizeAliasKey(trimmed);
+			const aliasMatch = aliasIndex.byAlias.get(aliasKey);
+			if (aliasMatch) return aliasMatch.ref;
+			console.warn(`[Synurex] Model "${trimmed}" specified without provider. Falling back to "anthropic/${trimmed}". Please use "anthropic/${trimmed}" in your config.`);
+			return {
+				provider: "anthropic",
+				model: trimmed
+			};
+		}
+		const resolved = resolveModelRefFromString({
+			raw: trimmed,
+			defaultProvider: params.defaultProvider,
+			aliasIndex
+		});
+		if (resolved) return resolved.ref;
+	}
+	return {
+		provider: params.defaultProvider,
+		model: params.defaultModel
+	};
+}
+function resolveDefaultModelForAgent(params) {
+	const agentModelOverride = params.agentId ? resolveAgentModelPrimary(params.cfg, params.agentId) : void 0;
+	return resolveConfiguredModelRef({
+		cfg: agentModelOverride && agentModelOverride.length > 0 ? {
+			...params.cfg,
+			agents: {
+				...params.cfg.agents,
+				defaults: {
+					...params.cfg.agents?.defaults,
+					model: {
+						...typeof params.cfg.agents?.defaults?.model === "object" ? params.cfg.agents.defaults.model : void 0,
+						primary: agentModelOverride
+					}
+				}
+			}
+		} : params.cfg,
+		defaultProvider: DEFAULT_PROVIDER,
+		defaultModel: DEFAULT_MODEL
+	});
+}
+function buildAllowedModelSet(params) {
+	const rawAllowlist = (() => {
+		const modelMap = params.cfg.agents?.defaults?.models ?? {};
+		return Object.keys(modelMap);
+	})();
+	const allowAny = rawAllowlist.length === 0;
+	const defaultModel = params.defaultModel?.trim();
+	const defaultKey = defaultModel && params.defaultProvider ? modelKey(params.defaultProvider, defaultModel) : void 0;
+	const catalogKeys = new Set(params.catalog.map((entry) => modelKey(entry.provider, entry.id)));
+	if (allowAny) {
+		if (defaultKey) catalogKeys.add(defaultKey);
+		return {
+			allowAny: true,
+			allowedCatalog: params.catalog,
+			allowedKeys: catalogKeys
+		};
+	}
+	const allowedKeys = /* @__PURE__ */ new Set();
+	const configuredProviders = params.cfg.models?.providers ?? {};
+	for (const raw of rawAllowlist) {
+		const parsed = parseModelRef(String(raw), params.defaultProvider);
+		if (!parsed) continue;
+		const key = modelKey(parsed.provider, parsed.model);
+		const providerKey = normalizeProviderId(parsed.provider);
+		if (isCliProvider(parsed.provider, params.cfg)) allowedKeys.add(key);
+		else if (catalogKeys.has(key)) allowedKeys.add(key);
+		else if (configuredProviders[providerKey] != null) allowedKeys.add(key);
+	}
+	if (defaultKey) allowedKeys.add(defaultKey);
+	const allowedCatalog = params.catalog.filter((entry) => allowedKeys.has(modelKey(entry.provider, entry.id)));
+	if (allowedCatalog.length === 0 && allowedKeys.size === 0) {
+		if (defaultKey) catalogKeys.add(defaultKey);
+		return {
+			allowAny: true,
+			allowedCatalog: params.catalog,
+			allowedKeys: catalogKeys
+		};
+	}
+	return {
+		allowAny: false,
+		allowedCatalog,
+		allowedKeys
+	};
+}
+function getModelRefStatus(params) {
+	const allowed = buildAllowedModelSet({
+		cfg: params.cfg,
+		catalog: params.catalog,
+		defaultProvider: params.defaultProvider,
+		defaultModel: params.defaultModel
+	});
+	const key = modelKey(params.ref.provider, params.ref.model);
+	return {
+		key,
+		inCatalog: params.catalog.some((entry) => modelKey(entry.provider, entry.id) === key),
+		allowAny: allowed.allowAny,
+		allowed: allowed.allowAny || allowed.allowedKeys.has(key)
+	};
+}
+function resolveAllowedModelRef(params) {
+	const trimmed = params.raw.trim();
+	if (!trimmed) return { error: "invalid model: empty" };
+	const aliasIndex = buildModelAliasIndex({
+		cfg: params.cfg,
+		defaultProvider: params.defaultProvider
+	});
+	const resolved = resolveModelRefFromString({
+		raw: trimmed,
+		defaultProvider: params.defaultProvider,
+		aliasIndex
+	});
+	if (!resolved) return { error: `invalid model: ${trimmed}` };
+	const status = getModelRefStatus({
+		cfg: params.cfg,
+		catalog: params.catalog,
+		ref: resolved.ref,
+		defaultProvider: params.defaultProvider,
+		defaultModel: params.defaultModel
+	});
+	if (!status.allowed) return { error: `model not allowed: ${status.key}` };
+	return {
+		ref: resolved.ref,
+		key: status.key
+	};
+}
+function resolveThinkingDefault(params) {
+	const configured = params.cfg.agents?.defaults?.thinkingDefault;
+	if (configured) return configured;
+	if ((params.catalog?.find((entry) => entry.provider === params.provider && entry.id === params.model))?.reasoning) return "low";
+	return "off";
+}
+/**
+* Resolve the model configured for Gmail hook processing.
+* Returns null if hooks.gmail.model is not set.
+*/
+function resolveHooksGmailModel(params) {
+	const hooksModel = params.cfg.hooks?.gmail?.model;
+	if (!hooksModel?.trim()) return null;
+	const aliasIndex = buildModelAliasIndex({
+		cfg: params.cfg,
+		defaultProvider: params.defaultProvider
+	});
+	return resolveModelRefFromString({
+		raw: hooksModel,
+		defaultProvider: params.defaultProvider,
+		aliasIndex
+	})?.ref ?? null;
+}
+
+//#endregion
+export { markAuthProfileFailure as $, SYNTHETIC_BASE_URL as A, resolveModelAuthMode as B, resolveImplicitBedrockProvider as C, DEFAULT_PROVIDER as Ct, VENICE_DEFAULT_MODEL_REF as D, VENICE_BASE_URL as E, getCustomProviderApiKey as F, shouldDeferShellEnvFallback as G, getShellPathFromLoginShell as H, requireApiKey as I, buildCloudflareAiGatewayModelDefinition as J, shouldEnableShellEnvFallback as K, resolveApiKeyForProvider as L, SYNTHETIC_MODEL_CATALOG as M, buildSyntheticModelDefinition as N, VENICE_MODEL_CATALOG as O, getApiKeyForModel as P, isProfileInCooldown as Q, resolveAwsSdkEnvVarName as R, normalizeProviders as S, DEFAULT_MODEL as St, resolveImplicitProviders as T, loadShellEnvFallback as U, getShellEnvAppliedKeys as V, resolveShellEnvFallbackTimeoutMs as W, auth_profiles_exports as X, resolveCloudflareAiGatewayBaseUrl as Y, resolveAuthProfileOrder as Z, QIANFAN_DEFAULT_MODEL_ID as _, resolveSynurexAgentDir as _t, isCliProvider as a, generateChutesPkce as at, buildXiaomiProvider as b, CODEX_CLI_PROFILE_ID as bt, parseModelRef as c, listProfilesForProvider as ct, resolveConfiguredModelRef as d, upsertAuthProfile as dt, markAuthProfileUsed as et, resolveDefaultModelForAgent as f, ensureAuthProfileStore as ft, QIANFAN_BASE_URL as g, resolveAuthStorePathForDisplay as gt, resolveThinkingDefault as h, resolveAuthStorePath as ht, getModelRefStatus as i, exchangeChutesCodeForTokens as it, SYNTHETIC_DEFAULT_MODEL_REF as j, buildVeniceModelDefinition as k, resolveAllowedModelRef as l, markAuthProfileGood as lt, resolveModelRefFromString as m, updateAuthProfileStoreWithLock as mt, buildConfiguredAllowlistKeys as n, resolveApiKeyForProfile as nt, modelKey as o, parseOAuthCallbackInput as ot, resolveHooksGmailModel as p, loadAuthProfileStore as pt, CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF as q, buildModelAliasIndex as r, CHUTES_AUTHORIZE_ENDPOINT as rt, normalizeProviderId as s, repairOAuthProfileIdMismatch as st, buildAllowedModelSet as t, resolveProfileUnusableUntilForDisplay as tt, resolveAllowlistModelKey as u, setAuthProfileOrder as ut, XIAOMI_DEFAULT_MODEL_ID as v, resolveAuthProfileDisplayLabel as vt, resolveImplicitCopilotProvider as w, normalizeGoogleModelId as x, DEFAULT_CONTEXT_TOKENS as xt, buildQianfanProvider as y, CLAUDE_CLI_PROFILE_ID as yt, resolveEnvApiKey as z };