@companyhelm/runner 0.1.1 → 0.2.0

package/dist/commands/root.js

@@ -34,6 +34,7 @@ var __importStar = (this && this.__importStar) || (function () {
 })();
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.toErrorMessage = toErrorMessage;
+exports.formatWorkspaceStartupMessage = formatWorkspaceStartupMessage;
 exports.isRetryableApiConnectionError = isRetryableApiConnectionError;
 exports.formatApiConnectionFailureMessage = formatApiConnectionFailureMessage;
 exports.formatApiConnectionFailureDiagnostics = formatApiConnectionFailureDiagnostics;
@@ -42,6 +43,7 @@ exports.isNoActiveTurnSteerError = isNoActiveTurnSteerError;
 exports.isNoRunningTurnInterruptError = isNoRunningTurnInterruptError;
 exports.normalizeThreadAgentApiUrlForRuntime = normalizeThreadAgentApiUrlForRuntime;
 exports.extractThreadNameUpdateFromNotification = extractThreadNameUpdateFromNotification;
+exports.extractThreadTokenUsageUpdateFromNotification = extractThreadTokenUsageUpdateFromNotification;
 exports.runCommandLoop = runCommandLoop;
 exports.isInternalDaemonChildProcess = isInternalDaemonChildProcess;
 exports.runDetachedDaemonProcess = runDetachedDaemonProcess;
@@ -74,19 +76,18 @@ const daemon_js_1 = require("../utils/daemon.js");
 const logger_js_1 = require("../utils/logger.js");
 const path_js_1 = require("../utils/path.js");
 const terminal_js_1 = require("../utils/terminal.js");
-const workspace_agents_js_1 = require("../service/workspace_agents.js");
+const daemon_startup_watchdog_js_1 = require("../utils/daemon_startup_watchdog.js");
+const thread_metadata_store_js_1 = require("../provisioning/host_provisioning/thread_metadata_store.js");
+const thread_workspace_provisioner_js_1 = require("../provisioning/host_provisioning/thread_workspace_provisioner.js");
+const system_prompt_js_1 = require("../provisioning/runtime_provisioning/system_prompt.js");
+const entrypoints_js_1 = require("../preflight/entrypoints.js");
 const auth_js_1 = require("./sdk/codex/auth.js");
 const COMMAND_CHANNEL_CONNECT_RETRY_DELAY_MS = 1000;
 const COMMAND_CHANNEL_OPEN_TIMEOUT_MS = 5000;
 const TURN_COMPLETION_TIMEOUT_MS = 2 * 60 * 60000;
-const GITHUB_INSTALLATIONS_SYNC_INTERVAL_MS = 5 * 60000;
-const GITHUB_INSTALLATIONS_MIN_SYNC_INTERVAL_MS = 30000;
-const GITHUB_INSTALLATIONS_REFRESH_WINDOW_MS = 15 * 60000;
 const WORKSPACE_INSTALLATIONS_DIRECTORY = ".companyhelm";
-const WORKSPACE_INSTALLATIONS_FILENAME = "installations.json";
 const THREAD_GIT_SKILLS_CONFIG_FILENAME = "thread-git-skills.json";
 const THREAD_MCP_CONFIG_FILENAME = "thread-mcp.json";
-const THREAD_AGENT_CLI_CONFIG_FILENAME = "thread-agent-cli.json";
 const THREAD_MCP_BEARER_TOKEN_ENV_PREFIX = "COMPANYHELM_MCP_TOKEN_";
 const THREAD_MCP_AUTH_TYPE_BEARER_TOKEN = 2;
 const THREAD_MCP_STARTUP_TIMEOUT_SECONDS = 60;
@@ -95,7 +96,7 @@ const YOLO_SANDBOX_MODE = "danger-full-access";
 const YOLO_SANDBOX_POLICY = { type: "dangerFullAccess" };
 const DOCKER_INTERNAL_HOSTNAME = "host.docker.internal";
 const LOCALHOST_HOSTNAMES = new Set(["localhost", "127.0.0.1", "0.0.0.0", "::1"]);
-const DAEMON_STARTUP_TIMEOUT_MS = 15000;
+const DAEMON_STARTUP_TIMEOUT_MS = 60000;
 class RootCommandInterruptedError extends Error {
     constructor(message = "Root command interrupted.") {
         super(message);
@@ -258,6 +259,20 @@ function normalizeReasoningLevels(value) {
 function toErrorMessage(error) {
     return error instanceof Error ? error.message : String(error);
 }
+function formatWorkspaceStartupMessage(cfg) {
+    if (cfg.use_dedicated_workspaces) {
+        const workspacesDirectory = (0, thread_lifecycle_js_1.resolveThreadsRootDirectory)(cfg.config_directory, cfg.workspaces_directory);
+        return `Workspace modality: dedicated (workspaces dir: ${workspacesDirectory})`;
+    }
+    const workspaceDirectory = (0, thread_workspace_provisioner_js_1.resolveThreadWorkspaceDirectory)({
+        configDirectory: cfg.config_directory,
+        workspacesDirectory: cfg.workspaces_directory,
+        workspacePath: cfg.workspace_path,
+        useDedicatedWorkspaces: false,
+        threadId: "startup",
+    });
+    return `Workspace modality: shared (workspace: ${workspaceDirectory})`;
+}
 function getGrpcStatusCode(error) {
     if (!error || typeof error !== "object" || !("code" in error)) {
         return undefined;
@@ -358,6 +373,36 @@ function normalizeNonEmptyString(value) {
     const trimmed = value.trim();
     return trimmed.length > 0 ? trimmed : undefined;
 }
+function normalizeNonNegativeNumber(value) {
+    if (typeof value !== "number" || !Number.isFinite(value) || value < 0) {
+        return undefined;
+    }
+    return Math.floor(value);
+}
+function resolveTokenUsageBreakdown(value) {
+    if (!isRecord(value)) {
+        return null;
+    }
+    const inputTokens = normalizeNonNegativeNumber(value.inputTokens ?? value.input_tokens);
+    const cachedInputTokens = normalizeNonNegativeNumber(value.cachedInputTokens ?? value.cached_input_tokens);
+    const outputTokens = normalizeNonNegativeNumber(value.outputTokens ?? value.output_tokens);
+    const reasoningOutputTokens = normalizeNonNegativeNumber(value.reasoningOutputTokens ?? value.reasoning_output_tokens);
+    const totalTokens = normalizeNonNegativeNumber(value.totalTokens ?? value.total_tokens);
+    if (inputTokens === undefined ||
+        cachedInputTokens === undefined ||
+        outputTokens === undefined ||
+        reasoningOutputTokens === undefined ||
+        totalTokens === undefined) {
+        return null;
+    }
+    return {
+        inputTokens,
+        cachedInputTokens,
+        outputTokens,
+        reasoningOutputTokens,
+        totalTokens,
+    };
+}
 function rewriteLocalTargetForDockerRuntime(target) {
     const trimmed = target.trim();
     if (!trimmed) {
@@ -447,89 +492,34 @@ function extractThreadNameUpdateFromNotification(notification) {
         normalizeNonEmptyString(params.thread_name);
     return { sdkThreadId, threadName };
 }
-function isGrpcServiceError(error) {
-    return Boolean(error && typeof error === "object" && "code" in error);
-}
-function isUnimplementedGrpcMethod(error) {
-    return isGrpcServiceError(error) && error.code === grpc.status.UNIMPLEMENTED;
-}
-function normalizeAccessTokenExpiration(accessTokenExpiresUnixTimeMs) {
-    const rawUnixTimeMs = Number(accessTokenExpiresUnixTimeMs);
-    const expirationUnixTimeMs = Number.isFinite(rawUnixTimeMs) && rawUnixTimeMs > 0
-        ? Math.floor(rawUnixTimeMs)
-        : Date.now() + 60 * 60000;
-    return {
-        accessTokenExpiresUnixTimeMs: expirationUnixTimeMs.toString(),
-        accessTokenExpiration: new Date(expirationUnixTimeMs).toISOString(),
-    };
-}
-async function loadRuntimeGithubInstallations(apiClient, options, logger) {
-    let installationIds = [];
-    try {
-        const listResponse = await apiClient.listGithubInstallationsForRunner(options);
-        installationIds = listResponse.installations.map((installation) => installation.installationId);
+function extractThreadTokenUsageUpdateFromNotification(notification) {
+    if (notification.method !== "thread/tokenUsage/updated") {
+        return null;
     }
-    catch (error) {
-        const warning = isUnimplementedGrpcMethod(error)
-            ? "CompanyHelm API does not implement listGithubInstallationsForRunner yet."
-            : `Failed to fetch GitHub installations: ${toErrorMessage(error)}`;
-        logger.warn(warning);
-        return [];
+    const rawParams = notification.params;
+    const sdkThreadId = normalizeNonEmptyString(rawParams.threadId) ??
+        normalizeNonEmptyString(rawParams.thread_id);
+    const sdkTurnId = normalizeNonEmptyString(rawParams.turnId) ??
+        normalizeNonEmptyString(rawParams.turn_id);
+    const tokenUsage = isRecord(rawParams.tokenUsage) ? rawParams.tokenUsage : rawParams.token_usage;
+    if (!sdkThreadId || !sdkTurnId || !isRecord(tokenUsage)) {
+        return null;
     }
-    const installationDetails = [];
-    for (const installationId of installationIds) {
-        try {
-            const accessTokenResponse = await apiClient.getGithubInstallationAccessTokenForRunner(installationId, options);
-            const accessToken = accessTokenResponse.accessToken.trim();
-            if (!accessToken) {
-                logger.warn(`Received empty GitHub access token for installation ${installationId.toString()}; skipping.`);
-                continue;
-            }
-            const expiration = normalizeAccessTokenExpiration(accessTokenResponse.accessTokenExpiresUnixTimeMs);
-            const repositories = [...new Set(accessTokenResponse.repositories.filter((repository) => repository.trim().length > 0))]
-                .sort((left, right) => left.localeCompare(right));
-            installationDetails.push({
-                installationId: accessTokenResponse.installationId.toString(),
-                accessToken,
-                accessTokenExpiresUnixTimeMs: expiration.accessTokenExpiresUnixTimeMs,
-                accessTokenExpiration: expiration.accessTokenExpiration,
-                repositories,
-            });
-        }
-        catch (error) {
-            const warning = isUnimplementedGrpcMethod(error)
-                ? "CompanyHelm API does not implement getGithubInstallationAccessTokenForRunner yet."
-                : `Failed to fetch GitHub access token for installation ${installationId.toString()}: ${toErrorMessage(error)}`;
-            logger.warn(warning);
-        }
+    const totalUsage = resolveTokenUsageBreakdown(tokenUsage.total);
+    const lastUsage = resolveTokenUsageBreakdown(tokenUsage.last);
+    if (!totalUsage || !lastUsage) {
+        return null;
     }
-    return installationDetails;
-}
-function buildWorkspaceGithubInstallationsPayload(installations) {
     return {
-        synced_at: new Date().toISOString(),
-        installations: installations.map((installation) => ({
-            installation_id: installation.installationId,
-            access_token: installation.accessToken,
-            access_token_expires_unix_time_ms: installation.accessTokenExpiresUnixTimeMs,
-            access_token_expiration: installation.accessTokenExpiration,
-            repositories: installation.repositories,
-        })),
+        sdkThreadId,
+        sdkTurnId,
+        totalUsage,
+        lastUsage,
+        modelContextWindow: normalizeNonNegativeNumber(tokenUsage.modelContextWindow ?? tokenUsage.model_context_window) ?? null,
     };
 }
-function writeWorkspaceGithubInstallationsPayload(workspaceDirectory, payload, logger) {
-    const installationsDirectory = (0, node_path_1.join)(workspaceDirectory, WORKSPACE_INSTALLATIONS_DIRECTORY);
-    const installationsPath = (0, node_path_1.join)(installationsDirectory, WORKSPACE_INSTALLATIONS_FILENAME);
-    const temporaryPath = `${installationsPath}.tmp`;
-    const serializedPayload = `${JSON.stringify(payload, null, 2)}\n`;
-    try {
-        (0, node_fs_1.mkdirSync)(installationsDirectory, { recursive: true });
-        (0, node_fs_1.writeFileSync)(temporaryPath, serializedPayload, "utf8");
-        (0, node_fs_1.renameSync)(temporaryPath, installationsPath);
-    }
-    catch (error) {
-        logger.warn(`Failed writing GitHub installations file for workspace '${workspaceDirectory}': ${toErrorMessage(error)}`);
-    }
+function isGrpcServiceError(error) {
+    return Boolean(error && typeof error === "object" && "code" in error);
 }
 function isHttpsRepositoryUrl(value) {
     try {
@@ -848,65 +838,6 @@ function readWorkspaceThreadMcpConfig(workspaceDirectory, logger) {
         return [];
     }
 }
-function resolveThreadAgentCliConfigPath(workspaceDirectory) {
-    return (0, node_path_1.join)(workspaceDirectory, WORKSPACE_INSTALLATIONS_DIRECTORY, THREAD_AGENT_CLI_CONFIG_FILENAME);
-}
-function parseThreadAgentCliConfig(content) {
-    if (!isRecord(content)) {
-        return null;
-    }
-    const agentApiUrl = normalizeNonEmptyString(content.agent_api_url);
-    const token = normalizeNonEmptyString(content.token);
-    if (!agentApiUrl || !token) {
-        return null;
-    }
-    return {
-        agent_api_url: agentApiUrl,
-        token,
-    };
-}
-function writeWorkspaceThreadAgentCliConfig(workspaceDirectory, cliSecret, agentApiUrl, logger) {
-    const configPath = resolveThreadAgentCliConfigPath(workspaceDirectory);
-    const configDirectory = (0, node_path_1.join)(workspaceDirectory, WORKSPACE_INSTALLATIONS_DIRECTORY);
-    const temporaryPath = `${configPath}.tmp`;
-    try {
-        (0, node_fs_1.mkdirSync)(configDirectory, { recursive: true });
-        if (cliSecret.length === 0) {
-            (0, node_fs_1.rmSync)(configPath, { force: true });
-            (0, node_fs_1.rmSync)(temporaryPath, { force: true });
-            return;
-        }
-        const payload = {
-            agent_api_url: normalizeThreadAgentApiUrlForRuntime(agentApiUrl),
-            token: cliSecret,
-        };
-        (0, node_fs_1.writeFileSync)(temporaryPath, `${JSON.stringify(payload, null, 2)}\n`, "utf8");
-        (0, node_fs_1.renameSync)(temporaryPath, configPath);
-    }
-    catch (error) {
-        logger.warn(`Failed writing thread agent CLI config for workspace '${workspaceDirectory}': ${toErrorMessage(error)}`);
-    }
-}
-function readWorkspaceThreadAgentCliConfig(workspaceDirectory, logger) {
-    const configPath = resolveThreadAgentCliConfigPath(workspaceDirectory);
-    try {
-        const rawContent = (0, node_fs_1.readFileSync)(configPath, "utf8");
-        const parsedContent = JSON.parse(rawContent);
-        const parsedConfig = parseThreadAgentCliConfig(parsedContent);
-        if (!parsedConfig) {
-            logger.warn(`Thread agent CLI config has invalid shape at '${configPath}'.`);
-            return null;
-        }
-        return parsedConfig;
-    }
-    catch (error) {
-        if (error && typeof error === "object" && "code" in error && error.code === "ENOENT") {
-            return null;
-        }
-        logger.warn(`Failed reading thread agent CLI config at '${configPath}': ${toErrorMessage(error)}`);
-        return null;
-    }
-}
 function escapeTomlString(value) {
     return JSON.stringify(value);
 }
@@ -1056,7 +987,7 @@ function readWorkspaceThreadGitSkillsConfig(workspaceDirectory, logger) {
     }
 }
 async function ensureThreadGitSkillsInRuntime(cfg, threadState, containerService, logger) {
-    const packages = readWorkspaceThreadGitSkillsConfig(threadState.workspace, logger);
+    const packages = new thread_metadata_store_js_1.ThreadMetadataStore(cfg.config_directory, logger).readThreadGitSkillsConfig(threadState.id);
     if (packages.length === 0) {
         return;
     }
@@ -1104,8 +1035,10 @@ async function reconcileThreadRunningStateBeforeUserMessage(cfg, threadState, lo
             isCurrentTurnRunning: false,
         };
     }
-    const threadMcpSetup = buildThreadCodexMcpSetup(readWorkspaceThreadMcpConfig(threadState.workspace, logger));
-    const threadAgentCliConfig = readWorkspaceThreadAgentCliConfig(threadState.workspace, logger);
+    const metadataStore = new thread_metadata_store_js_1.ThreadMetadataStore(cfg.config_directory, logger);
+    const persistedThreadMcpServers = metadataStore.readThreadMcpConfig(threadState.id);
+    const persistedThreadGitSkillPackages = metadataStore.readThreadGitSkillsConfig(threadState.id);
+    const threadMcpSetup = buildThreadCodexMcpSetup(persistedThreadMcpServers);
     const appServerSession = await getOrCreateThreadAppServerSession(threadState.id, threadState.runtimeContainer, threadMcpSetup.appServerEnv, cfg.codex.app_server_client_name, logger);
     const runtimeUser = buildThreadRuntimeUser(cfg, threadState);
     await (0, thread_runtime_js_1.ensureThreadRuntimeReady)({
@@ -1117,9 +1050,10 @@ async function reconcileThreadRunningStateBeforeUserMessage(cfg, threadState, lo
         user: runtimeUser,
     });
     await ensureThreadGitSkillsInRuntime(cfg, threadState, containerService, logger);
-    if (threadAgentCliConfig) {
-        await containerService.ensureRuntimeContainerAgentCliConfig(threadState.runtimeContainer, runtimeUser, threadAgentCliConfig);
-    }
+    await containerService.ensureRuntimeContainerThreadMetadata(threadState.runtimeContainer, runtimeUser, {
+        mcpServers: persistedThreadMcpServers,
+        gitSkillPackages: persistedThreadGitSkillPackages,
+    });
     if (!appServerSession.started) {
         await containerService.ensureRuntimeContainerCodexConfig(threadState.runtimeContainer, runtimeUser, threadMcpSetup.configToml);
     }
@@ -1151,49 +1085,6 @@ async function reconcileThreadRunningStateBeforeUserMessage(cfg, threadState, lo
         isCurrentTurnRunning: false,
     };
 }
-async function listTrackedThreadWorkspaces(cfg, logger) {
-    const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
-    try {
-        const rows = await db.select({ workspace: schema_js_1.threads.workspace }).from(schema_js_1.threads);
-        return [...new Set(rows.map((row) => row.workspace.trim()).filter((workspace) => workspace.length > 0))];
-    }
-    catch (error) {
-        logger.warn(`Failed to list tracked thread workspaces for GitHub installation sync: ${toErrorMessage(error)}`);
-        return [];
-    }
-    finally {
-        client.close();
-    }
-}
-function resolveGithubInstallationsSyncDelayMs(installations) {
-    let syncDelayMs = GITHUB_INSTALLATIONS_SYNC_INTERVAL_MS;
-    const now = Date.now();
-    for (const installation of installations) {
-        const expirationUnixTimeMs = Number(installation.accessTokenExpiresUnixTimeMs);
-        if (!Number.isFinite(expirationUnixTimeMs) || expirationUnixTimeMs <= 0) {
-            continue;
-        }
-        const refreshInMs = expirationUnixTimeMs - now - GITHUB_INSTALLATIONS_REFRESH_WINDOW_MS;
-        const boundedRefreshDelayMs = Math.max(GITHUB_INSTALLATIONS_MIN_SYNC_INTERVAL_MS, Math.min(GITHUB_INSTALLATIONS_SYNC_INTERVAL_MS, refreshInMs));
-        syncDelayMs = Math.min(syncDelayMs, boundedRefreshDelayMs);
-    }
-    return Math.max(GITHUB_INSTALLATIONS_MIN_SYNC_INTERVAL_MS, Math.min(GITHUB_INSTALLATIONS_SYNC_INTERVAL_MS, syncDelayMs));
-}
-async function syncGithubInstallationsForWorkspaces(apiClient, options, workspaceDirectories, logger) {
-    const uniqueWorkspaces = [
-        ...new Set(workspaceDirectories.map((workspace) => workspace.trim()).filter((workspace) => workspace.length > 0)),
-    ];
-    if (uniqueWorkspaces.length === 0) {
-        return [];
-    }
-    const installations = await loadRuntimeGithubInstallations(apiClient, options, logger);
-    const payload = buildWorkspaceGithubInstallationsPayload(installations);
-    for (const workspaceDirectory of uniqueWorkspaces) {
-        writeWorkspaceGithubInstallationsPayload(workspaceDirectory, payload, logger);
-    }
-    logger.debug(`Synced ${installations.length} GitHub installation token(s) to ${uniqueWorkspaces.length} workspace(s).`);
-    return installations;
-}
 async function waitForAbort(signal, delayMs) {
     if (signal.aborted) {
         return;
@@ -1211,21 +1102,6 @@ async function waitForAbort(signal, delayMs) {
         signal.addEventListener("abort", handleAbort);
     });
 }
-async function runGithubInstallationsSyncLoop(cfg, apiClient, options, logger, signal) {
-    while (!signal.aborted) {
-        let nextDelayMs = GITHUB_INSTALLATIONS_SYNC_INTERVAL_MS;
-        try {
-            const workspaces = await listTrackedThreadWorkspaces(cfg, logger);
-            const installations = await syncGithubInstallationsForWorkspaces(apiClient, options, workspaces, logger);
-            nextDelayMs = resolveGithubInstallationsSyncDelayMs(installations);
-        }
-        catch (error) {
-            logger.warn(`GitHub installation sync loop iteration failed: ${toErrorMessage(error)}`);
-            nextDelayMs = GITHUB_INSTALLATIONS_MIN_SYNC_INTERVAL_MS;
-        }
-        await waitForAbort(signal, nextDelayMs);
-    }
-}
 function normalizeReasoningEffort(value) {
     if (!value) {
         return null;
@@ -1243,8 +1119,14 @@ function normalizeAdditionalModelInstructions(value) {
     const trimmed = value.trim();
     return trimmed.length > 0 ? trimmed : null;
 }
-function buildThreadDeveloperInstructions(additionalModelInstructions) {
-    return normalizeAdditionalModelInstructions(additionalModelInstructions);
+function buildThreadDeveloperInstructions(threadId, cfg, additionalModelInstructions, cliSecret) {
+    return (0, system_prompt_js_1.buildCodexDeveloperInstructions)(additionalModelInstructions, {
+        homeDirectory: cfg.agent_home_directory,
+        agentApiUrl: normalizeThreadAgentApiUrlForRuntime(cfg.agent_api_url),
+        agentToken: normalizeNonEmptyString(cliSecret) ?? "<thread-secret>",
+        threadId,
+        workspaceMode: cfg.use_dedicated_workspaces ? "dedicated" : "shared",
+    });
 }
 function buildUserTextInput(text) {
     return [
@@ -1493,6 +1375,32 @@ async function sendThreadNameUpdate(commandChannel, threadId, threadName) {
     });
     await commandChannel.send(message);
 }
+function toProtoTokenUsageBreakdown(usage) {
+    return {
+        inputTokens: BigInt(usage.inputTokens),
+        cachedInputTokens: BigInt(usage.cachedInputTokens),
+        outputTokens: BigInt(usage.outputTokens),
+        reasoningOutputTokens: BigInt(usage.reasoningOutputTokens),
+        totalTokens: BigInt(usage.totalTokens),
+    };
+}
+async function sendThreadTokenUsageUpdate(commandChannel, threadId, tokenUsageUpdate) {
+    const message = (0, protobuf_1.create)(protos_1.ClientMessageSchema, {
+        payload: {
+            case: "threadTokenUsageUpdate",
+            value: {
+                threadId,
+                sdkTurnId: tokenUsageUpdate.sdkTurnId,
+                totalUsage: toProtoTokenUsageBreakdown(tokenUsageUpdate.totalUsage),
+                lastUsage: toProtoTokenUsageBreakdown(tokenUsageUpdate.lastUsage),
+                modelContextWindow: tokenUsageUpdate.modelContextWindow === null
+                    ? undefined
+                    : BigInt(tokenUsageUpdate.modelContextWindow),
+            },
+        },
+    });
+    await commandChannel.send(message);
+}
 async function sendTurnExecutionUpdate(commandChannel, threadId, sdkTurnId, status, requestId) {
     const message = (0, protobuf_1.create)(protos_1.ClientMessageSchema, {
         requestId,
@@ -1598,16 +1506,22 @@ async function loadCodexSdkState(cfg) {
         client.close();
     }
 }
-async function refreshCodexModelsForRegistration(cfg, logger) {
+async function refreshCodexModelsForRegistration(cfg, logger, reportProgress) {
     const codexSdk = await loadCodexSdkState(cfg);
     if (!codexSdk || codexSdk.status !== "configured" || codexSdk.authentication === "unauthenticated") {
         logger.info("Codex is not configured; registering runner with unconfigured Codex SDK state.");
         return null;
     }
     try {
-        const results = await (0, refresh_models_js_1.refreshSdkModels)({ sdk: "codex", logger });
+        reportProgress?.("Refreshing Codex models from the local app-server.");
+        const results = await (0, refresh_models_js_1.refreshSdkModels)({
+            sdk: "codex",
+            logger,
+            imageStatusReporter: reportProgress,
+        });
         const modelCount = results[0]?.modelCount ?? 0;
         logger.info(`Refreshed Codex models from container app-server (${modelCount} models).`);
+        reportProgress?.(`Refreshed Codex models from container app-server (${modelCount} models).`);
         return null;
     }
     catch (error) {
@@ -1679,7 +1593,9 @@ async function handleCreateThreadRequest(cfg, commandChannel, request, requestId
         return;
     }
     const { db, client } = await (0, db_js_1.initDb)(cfg.state_db_path);
-    const threadDirectory = (0, thread_lifecycle_js_1.resolveThreadDirectory)(cfg.config_directory, cfg.workspaces_directory, threadId);
+    const workspaceProvisioner = new thread_workspace_provisioner_js_1.ThreadWorkspaceProvisioner(cfg.config_directory, cfg.workspaces_directory, cfg.workspace_path, cfg.use_dedicated_workspaces);
+    const metadataStore = new thread_metadata_store_js_1.ThreadMetadataStore(cfg.config_directory, logger);
+    const threadDirectory = workspaceProvisioner.resolveWorkspaceDirectory(threadId);
     const containerNames = (0, thread_lifecycle_js_1.buildThreadContainerNames)(threadId);
     const hostInfo = (0, host_js_1.getHostInfo)(cfg.codex.codex_auth_path);
     const normalizedAdditionalModelInstructions = normalizeAdditionalModelInstructions(request.additionalModelInstructions);
@@ -1741,12 +1657,9 @@ async function handleCreateThreadRequest(cfg, commandChannel, request, requestId
     finally {
         client.close();
     }
-    (0, node_fs_1.mkdirSync)(threadDirectory, { recursive: true });
-    (0, workspace_agents_js_1.ensureWorkspaceAgentsMd)(threadDirectory, cfg.agent_home_directory);
-    writeWorkspaceThreadGitSkillsConfig(threadDirectory, threadGitSkillPackages, logger);
-    writeWorkspaceThreadMcpConfig(threadDirectory, threadMcpServers, logger);
-    writeWorkspaceThreadAgentCliConfig(threadDirectory, cliSecret, cfg.agent_api_url, logger);
-    await syncGithubInstallationsForWorkspaces(apiClient, apiCallOptions, [threadDirectory], logger);
+    workspaceProvisioner.ensureWorkspaceDirectory(threadId);
+    metadataStore.writeThreadGitSkillsConfig(threadId, threadGitSkillPackages);
+    metadataStore.writeThreadMcpConfig(threadId, threadMcpServers);
     logger.debug(`Thread '${threadId}' workspace initialized at '${threadDirectory}'.`);
     const containerService = new thread_lifecycle_js_1.ThreadContainerService();
     const mounts = (0, thread_lifecycle_js_1.buildSharedThreadMounts)({
@@ -1796,8 +1709,9 @@ async function handleCreateThreadRequest(cfg, commandChannel, request, requestId
         if (!threadState) {
             throw new Error(`Thread '${threadId}' disappeared before SDK bootstrap.`);
         }
-        const threadMcpSetup = buildThreadCodexMcpSetup(readWorkspaceThreadMcpConfig(threadState.workspace, logger));
-        const threadAgentCliConfig = readWorkspaceThreadAgentCliConfig(threadState.workspace, logger);
+        const persistedThreadMcpServers = metadataStore.readThreadMcpConfig(threadState.id);
+        const persistedThreadGitSkillPackages = metadataStore.readThreadGitSkillsConfig(threadState.id);
+        const threadMcpSetup = buildThreadCodexMcpSetup(persistedThreadMcpServers);
         const appServerSession = await getOrCreateThreadAppServerSession(threadId, threadState.runtimeContainer, threadMcpSetup.appServerEnv, cfg.codex.app_server_client_name, logger);
         const runtimeUser = {
             uid: threadState.uid,
@@ -1814,14 +1728,15 @@ async function handleCreateThreadRequest(cfg, commandChannel, request, requestId
             user: runtimeUser,
         });
         await ensureThreadGitSkillsInRuntime(cfg, threadState, containerService, logger);
-        if (threadAgentCliConfig) {
-            await containerService.ensureRuntimeContainerAgentCliConfig(threadState.runtimeContainer, runtimeUser, threadAgentCliConfig);
-        }
+        await containerService.ensureRuntimeContainerThreadMetadata(threadState.runtimeContainer, runtimeUser, {
+            mcpServers: persistedThreadMcpServers,
+            gitSkillPackages: persistedThreadGitSkillPackages,
+        });
         if (!appServerSession.started) {
             await containerService.ensureRuntimeContainerCodexConfig(threadState.runtimeContainer, runtimeUser, threadMcpSetup.configToml);
         }
         await ensureThreadAppServerSessionStarted(appServerSession);
-        const developerInstructions = buildThreadDeveloperInstructions(threadState.additionalModelInstructions);
+        const developerInstructions = buildThreadDeveloperInstructions(threadId, cfg, threadState.additionalModelInstructions, threadState.cliSecret);
         logger.debug(`Starting app-server thread '${threadId}' with developer instructions: ${JSON.stringify(developerInstructions)}.`);
         const threadStartResponse = await appServerSession.appServer.startThreadWithResponse({
             model: threadState.model,
@@ -1904,6 +1819,7 @@ async function deleteThreadWithCleanup(cfg, request) {
     const containerService = new thread_lifecycle_js_1.ThreadContainerService();
     try {
         const containerNames = (0, thread_lifecycle_js_1.buildThreadContainerNames)(existingThread.id);
+        const workspaceProvisioner = new thread_workspace_provisioner_js_1.ThreadWorkspaceProvisioner(cfg.config_directory, cfg.workspaces_directory, cfg.workspace_path, cfg.use_dedicated_workspaces);
         await stopThreadAppServerSession(request.threadId);
         threadRolloutPaths.delete(request.threadId);
         await containerService.forceRemoveContainer(existingThread.runtimeContainer);
@@ -1912,7 +1828,8 @@ async function deleteThreadWithCleanup(cfg, request) {
         }
         await containerService.forceRemoveVolume(containerNames.home);
         await containerService.forceRemoveVolume(containerNames.tmp);
-        removeWorkspaceDirectory(existingThread.workspace);
+        workspaceProvisioner.removeWorkspaceDirectory(existingThread.id, existingThread.workspace);
+        new thread_metadata_store_js_1.ThreadMetadataStore(cfg.config_directory, (0, logger_js_1.createLogger)("ERROR")).removeThreadMetadata(existingThread.id);
     }
     catch (error) {
         return {
@@ -2031,6 +1948,12 @@ async function waitForThreadTurnCompletion(stateDbPath, appServer, commandChanne
                 receivedThreadNameUpdate = true;
                 await sendThreadNameUpdate(commandChannel, threadId, threadNameUpdate.threadName);
             }
+            const tokenUsageUpdate = extractThreadTokenUsageUpdateFromNotification(notification);
+            if (tokenUsageUpdate &&
+                tokenUsageUpdate.sdkThreadId === sdkThreadId &&
+                tokenUsageUpdate.sdkTurnId === sdkTurnId) {
+                await sendThreadTokenUsageUpdate(commandChannel, threadId, tokenUsageUpdate);
+            }
             if (notification.method === "item/started" &&
                 notification.params.threadId === sdkThreadId &&
                 notification.params.turnId === sdkTurnId) {
@@ -2071,8 +1994,10 @@ async function waitForThreadTurnCompletion(stateDbPath, appServer, commandChanne
 }
 async function executeCreateUserMessageRequest(cfg, commandChannel, request, requestId, threadState, startedFromIdle, trackTurnCompletion, logger) {
     const containerService = new thread_lifecycle_js_1.ThreadContainerService();
-    const threadMcpSetup = buildThreadCodexMcpSetup(readWorkspaceThreadMcpConfig(threadState.workspace, logger));
-    const threadAgentCliConfig = readWorkspaceThreadAgentCliConfig(threadState.workspace, logger);
+    const metadataStore = new thread_metadata_store_js_1.ThreadMetadataStore(cfg.config_directory, logger);
+    const persistedThreadMcpServers = metadataStore.readThreadMcpConfig(threadState.id);
+    const persistedThreadGitSkillPackages = metadataStore.readThreadGitSkillsConfig(threadState.id);
+    const threadMcpSetup = buildThreadCodexMcpSetup(persistedThreadMcpServers);
     const appServerSession = await getOrCreateThreadAppServerSession(request.threadId, threadState.runtimeContainer, threadMcpSetup.appServerEnv, cfg.codex.app_server_client_name, logger);
     const appServer = appServerSession.appServer;
     const runtimeUser = buildThreadRuntimeUser(cfg, threadState);
@@ -2093,9 +2018,10 @@ async function executeCreateUserMessageRequest(cfg, commandChannel, request, req
             user: runtimeUser,
         });
         await ensureThreadGitSkillsInRuntime(cfg, threadState, containerService, logger);
-        if (threadAgentCliConfig) {
-            await containerService.ensureRuntimeContainerAgentCliConfig(threadState.runtimeContainer, runtimeUser, threadAgentCliConfig);
-        }
+        await containerService.ensureRuntimeContainerThreadMetadata(threadState.runtimeContainer, runtimeUser, {
+            mcpServers: persistedThreadMcpServers,
+            gitSkillPackages: persistedThreadGitSkillPackages,
+        });
         if (!appServerSession.started) {
             await containerService.ensureRuntimeContainerCodexConfig(threadState.runtimeContainer, runtimeUser, threadMcpSetup.configToml);
         }
@@ -2119,7 +2045,7 @@ async function executeCreateUserMessageRequest(cfg, commandChannel, request, req
             await updateThreadTurnState(cfg, request.threadId, { sdkThreadId });
         }
         else {
-            const developerInstructions = buildThreadDeveloperInstructions(threadState.additionalModelInstructions);
+            const developerInstructions = buildThreadDeveloperInstructions(request.threadId, cfg, threadState.additionalModelInstructions, threadState.cliSecret);
             const threadStartParams = {
                 model: request.model ?? threadState.model,
                 modelProvider: null,
@@ -2498,20 +2424,20 @@ async function runDetachedDaemonProcess(options) {
                 windowsHide: true,
             });
             let settled = false;
-            const timeout = setTimeout(() => {
+            const startupWatchdog = new daemon_startup_watchdog_js_1.DaemonStartupWatchdog(DAEMON_STARTUP_TIMEOUT_MS, () => {
                 if (settled) {
                     return;
                 }
                 settled = true;
                 child.kill();
                 reject(new Error(`Timed out waiting for daemon startup confirmation. See ${logPath}.`));
-            }, DAEMON_STARTUP_TIMEOUT_MS);
+            });
             const finish = (callback) => {
                 if (settled) {
                     return;
                 }
                 settled = true;
-                clearTimeout(timeout);
+                startupWatchdog.finish();
                 callback();
             };
             child.once("error", (error) => {
@@ -2527,6 +2453,10 @@ async function runDetachedDaemonProcess(options) {
                     return;
                 }
                 const type = message.type;
+                if (type === "daemon-progress") {
+                    startupWatchdog.bump();
+                    return;
+                }
                 if (type === "daemon-ready") {
                     finish(() => {
                         if (child.connected) {
@@ -2558,11 +2488,13 @@ function sendDaemonParentMessage(message) {
 async function runRootCommand(options, runtimeOptions) {
     const logger = (0, logger_js_1.createLogger)(options.logLevel ?? "INFO", { daemonMode: options.daemon ?? false });
     const cfg = buildRootConfig(options);
+    logger.info(formatWorkspaceStartupMessage(cfg));
+    await (0, entrypoints_js_1.ensureRunnerStartupPreflight)(cfg);
     await (0, auth_js_1.ensureCodexRunnerStartState)(cfg, {
         useDedicatedAuth: options.useDedicatedAuth,
         logInfo: (message) => logger.info(message),
     });
-    const codexRefreshErrorMessage = await refreshCodexModelsForRegistration(cfg, logger);
+    const codexRefreshErrorMessage = await refreshCodexModelsForRegistration(cfg, logger, runtimeOptions?.onDaemonProgress);
     const registerRequest = await buildRegisterRunnerRequest(cfg, logger, codexRefreshErrorMessage);
     const apiCallOptions = buildGrpcAuthCallOptions(options.secret);
     if (options.daemon) {
@@ -2587,8 +2519,6 @@ async function runRootCommand(options, runtimeOptions) {
             const apiClient = new companyhelm_api_client_js_1.CompanyhelmApiClient({ apiUrl: cfg.companyhelm_api_url, logger });
             activeApiClient = apiClient;
             let commandChannel = null;
-            let githubInstallationsSyncAbortController = null;
-            let githubInstallationsSyncTask = null;
             try {
                 reconnectAttempt += 1;
                 commandChannel = await apiClient.connect(registerRequest, apiCallOptions);
@@ -2603,12 +2533,6 @@ async function runRootCommand(options, runtimeOptions) {
                     logger.info(`Connected to CompanyHelm API at ${cfg.companyhelm_api_url}`);
                 }
                 reconnectAttempt = 0;
-                githubInstallationsSyncAbortController = new AbortController();
-                githubInstallationsSyncTask = runGithubInstallationsSyncLoop(cfg, apiClient, apiCallOptions, logger, githubInstallationsSyncAbortController.signal).catch((error) => {
-                    if (!githubInstallationsSyncAbortController?.signal.aborted) {
-                        logger.warn(`GitHub installation sync loop exited unexpectedly: ${toErrorMessage(error)}`);
-                    }
-                });
                 await raceWithAbort(runCommandLoop(cfg, commandChannel, commandMessageSink, apiClient, apiCallOptions, logger), interruptState.signal);
                 logger.warn("CompanyHelm API command channel closed. Reconnecting...");
             }
@@ -2628,10 +2552,6 @@ async function runRootCommand(options, runtimeOptions) {
                     "Retrying...");
             }
             finally {
-                if (githubInstallationsSyncAbortController) {
-                    githubInstallationsSyncAbortController.abort();
-                }
-                void githubInstallationsSyncTask;
                 if (commandChannel) {
                     commandChannel.cancel();
                     commandMessageSink.unbind(commandChannel);
@@ -2666,8 +2586,13 @@ async function runRootCommand(options, runtimeOptions) {
     }
 }
 function buildRootConfig(options) {
+    if (options.useDedicatedWorkspaces && typeof options.workspacePath === "string" && options.workspacePath.trim().length > 0) {
+        throw new Error("--workspace-path and --use-dedicated-workspaces cannot be used together.");
+    }
     return config_js_1.config.parse({
         config_directory: options.configPath,
+        workspace_path: options.workspacePath,
+        use_dedicated_workspaces: options.useDedicatedWorkspaces,
         state_db_path: options.stateDbPath,
         companyhelm_api_url: options.serverUrl,
         agent_api_url: options.agentApiUrl,