@bastani/atomic 0.8.31-alpha.3 → 0.8.31-alpha.4

package/CHANGELOG.md

@@ -23,6 +23,15 @@
 
 ### Fixed
 
+- Fixed `github-copilot/*` Gemini models (for example `github-copilot/gemini-3.1-pro-preview` and `github-copilot/gemini-3.5-flash`) failing **every** chat turn with `Error: 400 invalid request body`. These models are served through GitHub's Copilot API (CAPI), which translates the OpenAI chat-completions request into a Google GenAI `GenerateContent` request and forwards tool/function JSON Schema `anyOf`/`oneOf` verbatim into Gemini's `FunctionDeclaration` schema. Gemini rejects a union whose branch is a complex **object** schema, so Google returned HTTP 400 and CAPI relabelled it `{"error":{"code":"invalid_request_body"}}`. Because Atomic's bundled `workflow` tool — and any tool using the TypeBox `Type.Union([Type.Object(...), Type.String()])` pattern for fields such as `task`, `chain`, and `parallel` — is present in normal chat turns, the request failed before the model ever ran (it was previously masked only when a fallback model existed). Atomic now sanitizes outbound tool JSON Schemas for GitHub Copilot Gemini models into the subset CAPI/Gemini honors: it resolves object/array-bearing `anyOf`/`oneOf` to their most expressive branch, converts `const`/literal unions to `enum`, collapses nullable unions to `nullable`, prunes `required` to existing properties, and drops non-portable keywords (`additionalProperties`, `patternProperties`, `$schema`, `format`, `pattern`, numeric/length bounds, `default`, `title`, etc.). The transform is gated to `github-copilot` Gemini `openai-completions` models and runs last in the provider-payload pipeline (so it also covers extension/SDK-injected tools), leaving every other provider/model payload unchanged.
+- Fixed `github-copilot/*` Gemini models getting stuck in an infinite tool-call retry loop (most visibly on the workflow `structured_output` tool). Capturing the raw CAPI stream confirmed that Gemini serializes array/object function-call arguments as **flattened indexed keys** on the wire — for example `{ keywords: ["a", "b"] }` arrives as `{ "keywords[0]": "a", "keywords[1]": "b" }` — so schema validation failed (`keywords: must have required properties keywords` and `root: must not have additional properties`) and the model re-emitted the same shape forever. Atomic now reconstructs flattened tool-call arguments (`name[i]`, `name[i].sub`, `parent.child`) back into proper arrays/objects in each tool's `prepareArguments` step, before validation runs. Gated to GitHub Copilot Gemini models at call time and a no-op for well-formed arguments, so it covers built-in, extension, SDK, and MCP tools without affecting any other provider/model.
+- Fixed `github-copilot/*` Gemini models (for example `github-copilot/gemini-3.1-pro-preview`) silently dying mid-task instead of continuing the turn. Inspecting the affected sessions and confirming against GitHub's Copilot API (CAPI) source showed two distinct degenerate stream endings that Atomic was not recovering from: (1) CAPI's `getAzureFinishReason` maps several Gemini finish reasons — `MALFORMED_FUNCTION_CALL`, `OTHER`, `LANGUAGE`, and `UNEXPECTED_TOOL_CALL` — to a bare OpenAI `finish_reason: "error"`, which `pi-ai` surfaces as `"Provider finish_reason: error"`; the auto-retry classifier's regex did not match it, so the turn ended with an empty assistant message and no retry; and (2) Gemini intermittently ends the stream with `finish_reason: "stop"`, an **empty content array**, and **0 output tokens**, which Atomic treated as a successful (if empty) turn and stopped. Atomic now treats bare `finish_reason: error`/`content_filter` as retryable and detects degenerate empty completions (no text/tool-call/thinking content **and** zero output tokens on a `stop`/`toolUse` turn) as retryable, re-issuing the request with the existing exponential-backoff path. Empty `stop` completions also no longer reset the auto-retry counter, so repeated empties stay bounded by `maxRetries` instead of retrying forever.
+- Fixed the **root cause** behind `github-copilot/*` Gemini (for example `github-copilot/gemini-3.1-pro-preview`) returning repeated empty completions and "stopping to respond" after its first tool call. Gemini is a thinking model: each function/tool call it emits comes with an opaque **thought signature** that must be replayed, verbatim, on the next request or Gemini refuses to continue the reasoning chain. Confirmed against GitHub's Copilot API (CAPI) source, CAPI carries that signature in a non-standard `reasoning_opaque` field on the assistant message / streamed delta and reads the same `reasoning_opaque` back off the assistant message on replay to re-attach the signature to each Gemini function-call part (keyed by `tool_call.id`). The bundled `pi-ai` OpenAI-completions client never captured or replayed `reasoning_opaque` (it only round-trips the OpenRouter-style `reasoning_details: [{ type: "reasoning.encrypted", id, data }]` shape, which CAPI does not emit), so the real Gemini thought signature was dropped inbound and never sent back. With it missing, CAPI substitutes the sentinel `skip_thought_signature_validator` on the first replayed function call and Gemini responds with an empty candidate / `finish_reason: "stop"` and zero output tokens — which the empty-completion retry above then re-issued against the same signature-less history until `maxRetries` was exhausted. Atomic now bridges `reasoning_opaque` to the mechanism the client already round-trips: a `globalThis.fetch` interceptor scoped to `*.githubcopilot.com` event streams rewrites each CAPI Gemini SSE delta that carries both `reasoning_opaque` and a `tool_calls[].id` to add a matching `reasoning_details` entry (captured by the client as the tool call's `thoughtSignature`), and a provider-payload (`onPayload`) transform converts the `reasoning_details` the client re-emits on replayed assistant messages back into the single `reasoning_opaque` field CAPI reads. Both transforms are gated to GitHub Copilot Gemini `openai-completions` models and are no-ops for every other provider/model and for Gemini turns that carry no thought signature; the thinking text round-trips inside the same opaque blob, so combined think-then-tool-call turns keep their signatures across session save/load.
+- Fixed a second `github-copilot/*` Gemini multi-turn failure that surfaced once thought signatures were preserved: a turn after any **array/object tool call** (most visibly `edit`) ended with a bare `finish_reason: "error"` and then retried to exhaustion. CAPI delivers Gemini's array/object function-call arguments as **flattened indexed keys** (for example an `edit` call arrives as `{ "edits[0].newText": "...", "edits[0].oldText": "...", "path": "..." }`), and Atomic only reconstructed them at tool **execution** time — the persisted assistant message kept the raw flattened keys. On the next turn that message was replayed verbatim, CAPI parsed those literal keys straight into the Gemini `FunctionCall.Args`, and the resulting call no longer matched the tool's declared schema (nor the structure Gemini originally signed), so Gemini ended the turn with `MALFORMED_FUNCTION_CALL` / `UNEXPECTED_TOOL_CALL` / `OTHER` — all of which CAPI maps to a bare OpenAI `finish_reason: "error"`. Atomic now also reconstructs flattened tool-call arguments on the **outbound replay payload** for GitHub Copilot Gemini: each replayed assistant `tool_calls[].function.arguments` is unflattened (reusing the same `unflattenGeminiToolArguments` logic with the tool's own parameter schema, looked up from the request `tools`) back into the nested arrays/objects Gemini produced, before the request reaches CAPI. This runs in the provider-payload pipeline after schema sanitization and alongside the `reasoning_opaque` restore, is gated to GitHub Copilot Gemini `openai-completions` models, fails open on non-JSON arguments, and is a no-op for already well-formed arguments — healing both new sessions and already-persisted transcripts that contain flattened Gemini tool calls.
+- Reduced `github-copilot/*` Gemini `MALFORMED_FUNCTION_CALL` failures (surfaced as `finish_reason: "error"`) by emitting tool/function JSON Schemas in the shape Gemini resolves most reliably. The Gemini schema sanitizer now infers an explicit `type` on container nodes that omit one (`properties`/`required` ⇒ `object`, `items` ⇒ `array`) and collapses a tuple-form `items` array — which Gemini's single-`items` function-declaration schema rejects — into a single (most expressive object/array) schema. Gated to `github-copilot` Gemini `openai-completions` models and applied last in the provider-payload pipeline, so every other provider/model payload is unchanged.
+- Fixed `github-copilot/*` Gemini tool calls with **nested object arguments but no arrays** still failing validation and looping. CAPI flattens such arguments to purely dotted keys (for example `{ "metadata.confidence": 0.5 }` with no bracket index anywhere), which the previous reconstruction — gated on the presence of a `name[<digit>]` bracket key — skipped, so the nested-object call never validated. Atomic now also reconstructs purely dotted keys, disambiguated by the tool's own parameter schema: a dotted key is split into a nested path only when its head segment names an object/array container property (including container branches of an `anyOf`/`oneOf` union), so legitimate argument keys that happen to contain a dot are left intact. Bracket-indexed reconstruction is unchanged, and the transform remains gated to GitHub Copilot Gemini models and a no-op for well-formed arguments.
+- Hardened the GitHub Copilot Gemini tool-argument reconstruction against prototype pollution. `unflattenGeminiToolArguments` previously walked model-emitted key paths into a fresh object without guarding `__proto__`/`constructor`/`prototype`, so a steered Gemini tool call mixing a bracket key with e.g. `__proto__.polluted` could reach and mutate `Object.prototype` process-wide. Reconstruction now drops any key whose parsed path contains one of those segments (at any position, including the final segment and a literal plain key). The parse/assign/compact reconstruction (and this single guard) lives in one canonical module shared with the `@bastani/mcp` `callTool` normalizer, so the two implementations can no longer diverge on the fix.
+- Scoped the GitHub Copilot Gemini `content_filter` retry. The earlier finish-reason retry change treated `finish_reason: "content_filter"` as retryable for **every** provider/model; a genuine `content_filter` safety block on a non-Gemini provider would therefore be re-issued up to `maxRetries` times before its inevitable failure. `content_filter` is now retried only for GitHub Copilot Gemini models (where CAPI maps spurious Gemini RECITATION/safety blocks to it); a bare `finish_reason: "error"` remains retryable for all providers as a generic transient failure.
 - Fixed RPC unknown-command errors to include the request id so RPC clients do not hang waiting for a response.
 - Fixed `/model` autocomplete and model-selection searches to match provider/model queries regardless of whether the provider or model token is typed first.
 - Fixed the tree navigator to horizontally pan deep entries so the selected item remains readable.
@@ -31,6 +40,9 @@
 - Fixed context-window startup, session-switch, settings, and RPC edge cases: unknown provider fallback models no longer inherit selectable context-window options from provider defaults, fatal startup diagnostics no longer persist context-window settings, `AgentSession.setModel()` preserves an incoming target model's explicit selected context window, model-switch paths that change effective context windows now notify listeners via `context_window_changed`, the interactive context-window picker keys selection on raw token counts so colliding formatted labels never change which window is selected, RPC `set_model` returns the effective post-switch session model, and explicit startup `contextWindow` selections are journaled even when they equal the model scalar default ([#1409](https://github.com/bastani-inc/atomic/issues/1409)).
 - Fixed `AgentSession.setContextWindow()` so bare SDK/runtime calls update the active session, append `context_window_change`, and emit `context_window_changed` without persisting settings; callers must pass `{ persistDefault: true }` to update the active model's `defaultContextWindows["provider/modelId"]` setting ([#1409](https://github.com/bastani-inc/atomic/issues/1409)).
 - Fixed `packages/coding-agent` source-CLI subprocess tests (`session-id-readonly`, `startup-session-name`, `stdout-cleanliness`) crashing with `ERR_MODULE_NOT_FOUND` (for example `src/core/tools/oversized-tool-result.js`) when the Vitest worker pool runs under Node. They now launch the TypeScript source CLI with Bun explicitly via a `bunExecutable()` helper (matching `context-window-cli`/`rpc-context-window`) instead of assuming `process.execPath` is Bun, so the package test suite is portable across environments. The repo-wide `.js`->`.ts` source-import convention and shipped `dist/` are unchanged ([#1419](https://github.com/bastani-inc/atomic/issues/1419)).
+- Fixed a credential-store **load failure being misreported as `No API key found`**. When a fresh `AuthStorage` could not read `auth.json` (for example it was briefly locked by a concurrent process, surfacing an `ELOCKED` error), `reload()` recorded the error but left an empty in-memory credential set, and the prompt preflight then threw `No API key found for <provider>` — even though the credentials existed on disk. `AuthStorage` now exposes `getLoadError()`, and the prompt preflight surfaces the real load failure (`Could not load stored credentials for <provider>: …`, with the original error attached as `cause`) instead of claiming the key is absent, so a transient store-read failure is no longer indistinguishable from genuinely missing credentials. The message intentionally still reads as a recoverable auth failure so model fallback keeps retrying ([#1431](https://github.com/bastani-inc/atomic/issues/1431)).
+- Fixed `createAgentSession()` constructing a throwaway `AuthStorage` even when a `modelRegistry` was supplied. Because `AuthStorage` eagerly calls `reload()` in its constructor — taking the `auth.json` file lock — building one only to discard it added redundant lock contention on every session creation. `createAgentSession()` now only creates an `AuthStorage` when neither a `modelRegistry` nor an `authStorage` is provided, so callers that reuse one registry across sessions (such as workflow stage model fallback) no longer trigger an extra contended credential reload per session ([#1431](https://github.com/bastani-inc/atomic/issues/1431)).
+- Fixed the remaining `auth.json` **lock-contention hard failure** under many concurrent sessions (for example a workflow that fans out parallel stages through model fallback). `AuthStorage.reload()` previously acquired the exclusive `proper-lockfile` write lock just to *read* `auth.json`, and its sync acquisition (`acquireLockSyncWithRetry`) used a 200 ms **event-loop-blocking busy-wait**; when one stage held the lock across an async OAuth token refresh, sibling stages busy-waited (starving the very event loop the holder needed to release), gave up with `ELOCKED`, and recorded a credential load failure. With the #1431 message fix in place this no longer misreported as `No API key found`, but it could still burn a stage's configured fallback candidates (each skipped as a recoverable auth error) until the chain exhausted and the stage hard-failed. Pure reads are now **lock-free**: `AuthStorageBackend` gains an optional `read()` method (built-in backends implement it; custom backends that omit it fall back to the previous locked read, so the released interface stays compatible) and `reload()` uses it without taking any lock, while writers persist `auth.json` **atomically** (sibling temp file + `rename`) so a lock-free reader always observes a complete previous-or-next snapshot, never a torn one. The exclusive lock is retained only for read-modify-write paths (credential `set`/`remove` and locked OAuth refresh), and file permissions stay `0600`. Concurrent session creation no longer contends on or is starved by the credential store ([#1431](https://github.com/bastani-inc/atomic/issues/1431)).
 
 ## [0.8.30] - 2026-06-17
 

package/dist/builtin/cursor/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bastani/cursor",
-  "version": "0.8.31-alpha.3",
+  "version": "0.8.31-alpha.4",
   "private": true,
   "description": "Experimental first-party Atomic extension for Cursor OAuth, model discovery, and streaming provider registration.",
   "contributors": [
@@ -40,7 +40,7 @@
     }
   },
   "dependencies": {
-    "@bastani/atomic-natives": "0.8.31-alpha.3",
+    "@bastani/atomic-natives": "0.8.31-alpha.4",
     "@bufbuild/protobuf": "^2.0.0"
   }
 }

package/dist/builtin/intercom/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bastani/intercom",
-  "version": "0.8.31-alpha.3",
+  "version": "0.8.31-alpha.4",
   "private": true,
   "description": "Atomic extension providing a private coordination channel between parent and child agent sessions. Fork of: https://github.com/nicobailon/pi-intercom",
   "contributors": [

package/dist/builtin/mcp/CHANGELOG.md

@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- Hardened `unflattenToolArguments` against prototype pollution: a flattened key whose path walks through `__proto__`, `constructor`, or `prototype` (at any position, including the final segment and a literal plain key) is now dropped instead of being written, so a model-emitted key such as `__proto__.polluted` can no longer reach and mutate `Object.prototype`. The reconstruction logic (parse/assign/compact plus this guard) is now imported from a single canonical implementation in `@bastani/atomic` (`reconstructFlattenedKeys`) instead of being duplicated in `packages/mcp/utils.ts`, so the host-runtime and MCP `callTool` paths can no longer drift (the previous near-duplicate copies had already diverged on the security guard). Behavior for well-formed and ordinary flattened arguments is unchanged.
+- Fixed MCP tool calls failing under GitHub Copilot Gemini models (e.g. `github-copilot/gemini-3.1-pro-preview`). Gemini, served through Copilot's CAPI/GenAI gateway, serializes array/object function-call arguments as flattened indexed keys on the wire — for example `{ keywords: ["a", "b"] }` arrives as `{ "keywords[0]": "a", "keywords[1]": "b" }` — which MCP servers reject as invalid arguments. The extension now normalizes arguments at the `callTool` boundary (both direct-tool and proxy/gateway paths) via `unflattenToolArguments`, reconstructing `name[i]`, `name[i].sub`, and `parent.child` keys back into proper arrays/objects before they reach the server. The normalizer is provider-agnostic and self-gating (a no-op unless flattened keys are present), so well-formed arguments — including those already normalized by the host runtime — pass through untouched.
+
 ### Changed
 
 - Aligned the MCP extension peer dependencies with upstream pi AI/TUI `^0.79.7` so MCP-backed sessions can use the host's latest provider catalog, model-search, theme/color-scheme, Warp image capability, and shared TUI compatibility fixes; no MCP extension code changes were made for this metadata sync ([#1413](https://github.com/bastani-inc/atomic/issues/1413)).

package/dist/builtin/mcp/direct-tools.ts

@@ -10,7 +10,7 @@ import { maybeStartUiSession, type UiSessionRuntime } from "./ui-session.ts";
 import { formatToolName, isToolExcluded } from "./types.ts";
 import { resourceNameToToolName } from "./resource-tools.ts";
 import { authenticate, supportsOAuth } from "./mcp-auth-flow.ts";
-import { formatAuthRequiredMessage } from "./utils.ts";
+import { formatAuthRequiredMessage, unflattenToolArguments } from "./utils.ts";
 
 const BUILTIN_NAMES = new Set(["read", "bash", "edit", "write", "grep", "find", "ls", "mcp"]);
 
@@ -369,7 +369,9 @@ export function createDirectToolExecutor(
 
       const resultPromise = connection.client.callTool({
         name: spec.originalName,
-        arguments: params ?? {},
+        // Normalize provider-flattened argument keys (e.g. Gemini's `keywords[0]`)
+        // back into arrays/objects before the MCP server validates them.
+        arguments: unflattenToolArguments(params),
         _meta: uiSession?.requestMeta,
       });
 

package/dist/builtin/mcp/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bastani/mcp",
-  "version": "0.8.31-alpha.3",
+  "version": "0.8.31-alpha.4",
   "private": true,
   "description": "Atomic extension that adapts MCP (Model Context Protocol) servers into the coding agent. Fork of: https://github.com/nicobailon/pi-mcp-adapter",
   "contributors": [

package/dist/builtin/mcp/proxy-modes.ts

@@ -6,7 +6,7 @@ import { lazyConnect, updateServerMetadata, updateMetadataCache, getFailureAgeSe
 import { buildToolMetadata, getToolNames, findToolByName, formatSchema } from "./tool-metadata.ts";
 import { transformMcpContent } from "./tool-registrar.ts";
 import { maybeStartUiSession, type UiSessionRuntime } from "./ui-session.ts";
-import { formatAuthRequiredMessage, truncateAtWord } from "./utils.ts";
+import { formatAuthRequiredMessage, truncateAtWord, unflattenToolArguments } from "./utils.ts";
 import { authenticate, supportsOAuth } from "./mcp-auth-flow.ts";
 
 type ProxyToolResult = AgentToolResult<Record<string, unknown>>;
@@ -718,7 +718,9 @@ export async function executeCall(
 
     const resultPromise = connection.client.callTool({
       name: toolMeta.originalName,
-      arguments: args ?? {},
+      // Normalize provider-flattened argument keys (e.g. Gemini's `keywords[0]`)
+      // back into arrays/objects before the MCP server validates them.
+      arguments: unflattenToolArguments(args),
       _meta: uiSession?.requestMeta,
     });
 

package/dist/builtin/mcp/utils.ts

@@ -1,4 +1,5 @@
 import type { ExtensionAPI } from "@bastani/atomic";
+import { reconstructFlattenedKeys } from "@bastani/atomic";
 import { homedir, platform } from "node:os";
 import { join } from "node:path";
 import type { McpConfig, ServerEntry } from "./types.ts";
@@ -127,3 +128,27 @@ export function extractToolUiStreamMode(toolMeta: Record<string, unknown> | unde
   }
   return undefined;
 }
+
+/**
+ * Reconstruct flattened tool-call arguments into proper nested arrays/objects.
+ *
+ * Some upstream providers — notably GitHub Copilot Gemini models proxied through
+ * Google's GenAI API — serialize array/object function-call arguments as
+ * flattened, indexed keys on the wire. For example a tool called with
+ * `{ keywords: ["a", "b"] }` arrives as `{ "keywords[0]": "a", "keywords[1]": "b" }`,
+ * which an MCP server then rejects as invalid arguments.
+ *
+ * This normalizer runs at the MCP `callTool` boundary so arguments are correct
+ * regardless of how the model/provider serialized them. It is provider-agnostic
+ * and **self-gating**: it is a no-op unless at least one bracket-indexed key
+ * (`name[<digit>]`) is present, so well-formed arguments pass through untouched
+ * (including arguments already normalized upstream by the host runtime).
+ */
+export function unflattenToolArguments(
+  args: Record<string, unknown> | null | undefined,
+): Record<string, unknown> {
+  if (args === null || args === undefined) return {};
+  const keys = Object.keys(args);
+  if (!keys.some((key) => /\[\d+\]/.test(key))) return args;
+  return reconstructFlattenedKeys(args, () => true);
+}

package/dist/builtin/subagents/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bastani/subagents",
-  "version": "0.8.31-alpha.3",
+  "version": "0.8.31-alpha.4",
   "private": true,
   "description": "Atomic extension for delegating tasks to subagents with chains, parallel execution, and TUI clarification. Fork of: https://github.com/nicobailon/pi-subagents",
   "contributors": [

package/dist/builtin/web-access/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bastani/web-access",
-  "version": "0.8.31-alpha.3",
+  "version": "0.8.31-alpha.4",
   "private": true,
   "description": "Atomic extension for web search, URL fetching, GitHub repo cloning, PDF/video extraction. Fork of: https://github.com/nicobailon/pi-web-access",
   "contributors": [

package/dist/builtin/workflows/CHANGELOG.md

@@ -22,6 +22,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 - Changed the builtin `deep-research-codebase`, `goal`, `ralph`, and `open-claude-design` workflows to run their GitHub Copilot `claude-opus-4.8` fallbacks at the model's largest advertised long-context (~1M/936K) window via the new `(1m)` token, automatically degrading to the 200K short window when Copilot's long-context tier is unavailable. Other models in each fallback chain are unaffected.
 - Aligned the workflows extension peer dependency with upstream pi TUI `^0.79.7` so workflow graph, custom UI, and prompt-broker integrations consume the latest shared TUI color-scheme, Warp image capability, and compatibility fixes; no workflows extension code changes were made for this metadata sync ([#1413](https://github.com/bastani-inc/atomic/issues/1413)).
 
+### Fixed
+
+- Fixed workflow stage **model fallback misreporting configured providers as `No API key found`**. Each fallback candidate session was created with a fresh `AuthStorage`/`ModelRegistry`, so after a primary model failed (for example the Ralph `reviewer-a` chain hitting an unavailable `anthropic/claude-fable-5` and getting a real provider 404), every fallback candidate re-read `auth.json` from scratch. Under concurrent reviewer stages and OAuth token refreshes holding the `auth.json` lock, that fresh synchronous reload could fail and silently fall back to an empty credential set, reporting `No API key found` for `anthropic`/`openai-codex`/`github-copilot` even while sibling reviewer stages used those exact providers successfully. A stage now captures the `ModelRegistry` (and its already-loaded `AuthStorage`) from its first session and threads it into every subsequent fallback candidate, so a successfully-loaded credential store is reused across the whole fallback chain instead of being discarded and re-loaded per candidate. Combined with the coding-agent change that surfaces a real credential-store load failure instead of `No API key found`, a transient store-read failure remains a recoverable/retryable auth failure ([#1431](https://github.com/bastani-inc/atomic/issues/1431)).
+- Fixed post-completion workflow follow-ups replaying the entire model-fallback chain from an unavailable primary instead of resuming on the model the stage settled on. After model fallback succeeded, the stage kept its working `session` but left `sessionPromise` undefined, and `ensureSession()` only checked `sessionPromise` — so a follow-up (`ctx.followUp`/`ctx.steer`/`ensureAttached`, and post-completion `workflow send`/TUI prompts) created a brand-new session from `candidates[0]` (the primary), discarding the working fallback session. For a chain whose primary 404s (e.g. `anthropic/claude-fable-5`), every follow-up re-ran `primary -> 404 -> ... -> working model` and could leave the stage stuck on the unavailable primary. `ensureSession()` now reuses an already-attached session, and `promptWithFallback()` retries the last-settled model first (for both live retained sessions and disk-reattached sessions), restarting the full chain from the primary only if that model fails again retryably ([#1431](https://github.com/bastani-inc/atomic/issues/1431)).
+
 ## [0.8.30] - 2026-06-17
 
 ### Changed

package/dist/builtin/workflows/builtin/ralph.ts

@@ -554,6 +554,7 @@ async function runRalphWorkflow(
     model: "github-copilot/gemini-3.1-pro-preview (1m):high",
     fallbackModels: [
       "google/gemini-3.1-pro-preview:high",
+      "google-vertex/gemini-3.1-pro-preview:high",
       "openai-codex/gpt-5.5:xhigh",
       "github-copilot/gpt-5.5:xhigh",
       "openai/gpt-5.5:xhigh",

package/dist/builtin/workflows/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@bastani/workflows",
-  "version": "0.8.31-alpha.3",
+  "version": "0.8.31-alpha.4",
   "private": true,
   "description": "Atomic extension for multi-stage workflow authoring and execution.",
   "contributors": [

package/dist/builtin/workflows/src/runs/foreground/stage-runner.ts

@@ -723,6 +723,18 @@ export function createStageContext(opts: StageRunnerOpts): InternalStageContext
   let candidatesPromise: Promise<WorkflowResolvedModelCandidate[]> | undefined;
   let activeCandidateIndex: number | undefined;
   let selectedModel: string | undefined;
+  // A single ModelRegistry (carrying its AuthStorage) reused across every model
+  // fallback candidate in this stage. Captured from the first created session
+  // and threaded into subsequent candidate sessions so fallback does not rebuild
+  // auth/model state per candidate — which can misreport configured providers as
+  // "No API key found" under auth.json lock contention (issue #1431).
+  let sharedModelRegistry: CreateAgentSessionOptions["modelRegistry"];
+  // When true, the next promptWithFallback() call first retries the model the
+  // session last settled on (a post-completion follow-up, a subsequent turn, or
+  // a reattached session) before replaying the chain from the primary. Set on
+  // every successful attempt and by ensureSession()'s reattach branch; cleared
+  // when the current session is disposed.
+  let resumeCurrentSession = false;
   const modelAttempts: WorkflowModelAttempt[] = [];
   const modelWarnings: string[] = [];
   const pendingFallbackWarnings: string[] = [];
@@ -748,7 +760,10 @@ export function createStageContext(opts: StageRunnerOpts): InternalStageContext
     return candidatesPromise;
   }
 
-  function stageOptionsForCandidate(candidate: WorkflowResolvedModelCandidate | undefined): StageOptions | undefined {
+  function stageOptionsForCandidate(
+    candidate: WorkflowResolvedModelCandidate | undefined,
+    resumeOptions?: { restoreSavedModel?: boolean },
+  ): StageOptions | undefined {
     const optionsForCandidate: StageOptions = candidate === undefined
       ? { ...(effectiveStageOptions ?? {}) }
       : {
@@ -763,6 +778,12 @@ export function createStageContext(opts: StageRunnerOpts): InternalStageContext
           fallbackModels: undefined,
           fallbackThinkingLevels: undefined,
         };
+    // When resuming a reattached session (a post-completion follow-up), drop any
+    // model override so the SDK restores the model the session last used — the
+    // one that actually worked — instead of forcing the primary/candidate model.
+    if (resumeOptions?.restoreSavedModel) {
+      delete optionsForCandidate.model;
+    }
     if (reattachSessionFile !== undefined && optionsForCandidate.sessionManager === undefined) {
       const cwd = optionsForCandidate.cwd ?? process.cwd();
       optionsForCandidate.sessionManager = SessionManager.open(
@@ -773,6 +794,11 @@ export function createStageContext(opts: StageRunnerOpts): InternalStageContext
       optionsForCandidate.context = undefined;
       optionsForCandidate.forkFromSessionFile = undefined;
     }
+    // Reuse the registry captured from the first session for later fallback
+    // candidates. A caller-supplied modelRegistry is preserved (issue #1431).
+    if (sharedModelRegistry !== undefined && optionsForCandidate.modelRegistry === undefined) {
+      optionsForCandidate.modelRegistry = sharedModelRegistry;
+    }
     return Object.keys(optionsForCandidate).length === 0 ? undefined : optionsForCandidate;
   }
 
@@ -829,6 +855,16 @@ export function createStageContext(opts: StageRunnerOpts): InternalStageContext
   function attachSession(created: StageSessionRuntime | StageSessionCreateResult): StageSessionRuntime {
     const result = normalizeSessionCreateResult(created);
     session = result.session;
+    // Capture the SDK ModelRegistry from the first real session so subsequent
+    // fallback candidates reuse the same already-loaded auth/model state instead
+    // of re-creating it per candidate (issue #1431). The test stub session has
+    // no modelRegistry, so capture is simply skipped there.
+    if (sharedModelRegistry === undefined) {
+      const withRegistry = result.session as Partial<Pick<AgentSession, "modelRegistry">>;
+      if (withRegistry.modelRegistry !== undefined) {
+        sharedModelRegistry = withRegistry.modelRegistry;
+      }
+    }
     sessionSettingsManager = result.settingsManager ?? result.session.settingsManager;
     if (pendingThinkingLevel !== undefined) {
       result.session.setThinkingLevel(pendingThinkingLevel);
@@ -851,12 +887,13 @@ export function createStageContext(opts: StageRunnerOpts): InternalStageContext
   async function createSession(
     candidate: WorkflowResolvedModelCandidate | undefined,
     consumer: AgentSessionConsumer,
+    resumeOptions?: { restoreSavedModel?: boolean },
   ): Promise<StageSessionRuntime> {
     applyCandidateThinking(candidate);
     const created = adapters.agentSession
-      ? await adapters.agentSession.create(stripWorkflowOnlyOptions(stageOptionsForCandidate(candidate)) as StageSessionCreateOptions, {
+      ? await adapters.agentSession.create(stripWorkflowOnlyOptions(stageOptionsForCandidate(candidate, resumeOptions)) as StageSessionCreateOptions, {
         ...meta,
-        stageOptions: stageOptionsForCandidate(candidate),
+        stageOptions: stageOptionsForCandidate(candidate, resumeOptions),
       })
       : missingAdapter(consumer);
     return attachSession(created);
@@ -864,12 +901,37 @@ export function createStageContext(opts: StageRunnerOpts): InternalStageContext
 
   async function ensureSession(consumer: AgentSessionConsumer = "prompt"): Promise<StageSessionRuntime> {
     if (disposed) throw new Error(`atomic-workflows: stage "${stageName}" session has been disposed`);
+    // Reuse an already-attached session. After model fallback settles, `session`
+    // is set but `sessionPromise` is left undefined; without this guard a
+    // follow-up's ensureSession() (via ctx.followUp / ctx.steer / __ensureSession)
+    // would create a brand-new session from the primary candidate and discard the
+    // working fallback session (issue #1431 follow-up).
+    if (session !== undefined) return session;
     if (!sessionPromise) {
       sessionPromise = (async () => {
         if (!hasExplicitModelFallbackConfig) return createSession(undefined, consumer);
         const candidates = await modelCandidates();
         const first = candidates[0];
         if (first === undefined) return createSession(undefined, consumer);
+
+        // Reattaching a previously-run session (e.g. a post-completion
+        // follow-up after the session was disposed): resume on the model the
+        // session last settled on — the one that actually worked — instead of
+        // replaying the fallback chain from an unavailable primary.
+        // promptWithFallback retries that model first; if it fails again it
+        // restarts the full chain from the primary.
+        if (reattachSessionFile !== undefined) {
+          const resumed = await createSession(undefined, consumer, { restoreSavedModel: true });
+          const restoredId = workflowModelId(resumed.model);
+          const restoredIndex = restoredId === undefined
+            ? -1
+            : candidates.findIndex((entry) => entry.id === restoredId);
+          activeCandidateIndex = restoredIndex >= 0 ? restoredIndex : undefined;
+          selectedModel = restoredId ?? first.id;
+          resumeCurrentSession = true;
+          return resumed;
+        }
+
         activeCandidateIndex = 0;
         selectedModel = first.id;
         return createSession(first, consumer);
@@ -889,6 +951,7 @@ export function createStageContext(opts: StageRunnerOpts): InternalStageContext
     session = undefined;
     sessionPromise = undefined;
     sessionSettingsManager = undefined;
+    resumeCurrentSession = false;
     for (const unsubscribe of listenerUnsubscribes.values()) unsubscribe();
     listenerUnsubscribes.clear();
     unsubscribeTerminateWatcher?.();
@@ -956,14 +1019,61 @@ export function createStageContext(opts: StageRunnerOpts): InternalStageContext
       return;
     }
 
-    let index = activeCandidateIndex ?? 0;
     const capturedStructuredOutputForAttempt = (): boolean =>
       structuredOutputCapture?.called === true && signal?.aborted !== true;
     const recordSuccessfulAttempt = (candidate: WorkflowResolvedModelCandidate): void => {
       modelAttempts.push({ model: candidate.id, success: true, ...modelAttemptReasoning(candidate) });
       pendingFallbackWarnings.length = 0;
+      // The session settled on a working model; a later follow-up/turn should
+      // resume on it rather than replaying the chain from the primary.
+      resumeCurrentSession = true;
     };
 
+    // Resume preamble: when the stage already settled on a working model (a
+    // post-completion follow-up, a subsequent turn, or a reattached session),
+    // retry that model first instead of replaying the chain from an unavailable
+    // primary. If that model now fails retryably, restart the full chain from
+    // the primary.
+    if (resumeCurrentSession && session !== undefined) {
+      resumeCurrentSession = false;
+      const resumedSession = session;
+      const resumedLabel = selectedModel ?? workflowModelId(resumedSession.model) ?? candidates[0]!.id;
+      notifyModelFallbackMetaChange();
+      try {
+        const { terminalScanStartIndex } = await promptWithPauseResume(resumedSession, text, sdkOptions);
+        const terminalFailure = latestTerminalAssistantFailureSince(resumedSession.messages, terminalScanStartIndex);
+        if (terminalFailure === undefined || capturedStructuredOutputForAttempt()) {
+          modelAttempts.push({ model: resumedLabel, success: true });
+          pendingFallbackWarnings.length = 0;
+          resumeCurrentSession = true;
+          return;
+        }
+        throw new WorkflowPromptModelFailure(terminalFailure);
+      } catch (err) {
+        if (capturedStructuredOutputForAttempt() && isRetryableModelFailure(err)) {
+          modelAttempts.push({ model: resumedLabel, success: true });
+          pendingFallbackWarnings.length = 0;
+          resumeCurrentSession = true;
+          return;
+        }
+        const message = errorMessage(err);
+        modelAttempts.push({ model: resumedLabel, success: false, error: message });
+        if (signal?.aborted || !isRetryableModelFailure(err)) {
+          modelWarnings.push(...pendingFallbackWarnings);
+          pendingFallbackWarnings.length = 0;
+          notifyModelFallbackMetaChange();
+          throw err;
+        }
+        // The resumed model failed retryably: restart the whole fallback chain
+        // from the primary. disposeCurrentSession clears resumeCurrentSession.
+        pendingFallbackWarnings.push(`[fallback] resume on ${resumedLabel} failed: ${message}. Restarting fallback from ${candidateLabel(candidates[0]!)}.`);
+        await disposeCurrentSession();
+        activeCandidateIndex = undefined;
+      }
+    }
+
+    let index = activeCandidateIndex ?? 0;
+
     while (index < candidates.length) {
       const candidate = candidates[index]!;
       const activeSession = session && activeCandidateIndex === index

package/dist/core/agent-session.d.ts

@@ -563,6 +563,31 @@ export declare class AgentSession {
      * Context overflow errors are NOT retryable (handled by compaction instead).
      */
     private _isRetryableError;
+    /**
+     * For GitHub Copilot Gemini, reconstruct flattened tool-call arguments
+     * (for example `edits[0].newText`) into the nested arrays/objects Gemini
+     * produced before the assistant message is persisted, so saved transcripts
+     * never carry the flattened CAPI wire shape and replays loaded from disk match
+     * the structure Gemini signed. In-place, gated to Copilot Gemini, and a no-op
+     * for well-formed arguments or any other provider/model. The outbound replay
+     * normalizer still heals already-persisted (legacy) sessions on the wire.
+     */
+    private _normalizePersistedGeminiToolArgs;
+    /**
+     * Detect a degenerate empty completion: the provider ended the stream with no
+     * usable content and zero output tokens. Seen with github-copilot Gemini models
+     * that emit finish_reason "stop" (or a tool-use stop) with an empty content array
+     * and 0 output tokens, leaving the turn dead instead of producing the next step.
+     *
+     * These are treated as retryable so the harness re-issues the request rather than
+     * silently stopping mid-task. Guarded tightly (no text, no tool call, no thinking,
+     * and output === 0) so legitimate non-empty turns are never matched.
+     *
+     * Intentionally provider-agnostic (not gated to Copilot Gemini): a degenerate
+     * empty turn is a transient failure for any provider. It is bounded by
+     * `maxRetries` and falls through to normal handling on exhaustion.
+     */
+    private _isEmptyCompletion;
     private _handleRetryableError;
     /**
      * Cancel in-progress retry.