@cortexkit/opencode-magic-context 0.27.0 → 0.27.2

package/README.md

@@ -28,6 +28,7 @@
   <a href="#-recall">Recall</a> ·
   <a href="https://docs.cortexkit.io/magic-context">Docs</a> ·
   <a href="./CONFIGURATION.md">Configuration</a> ·
+  <a href="https://github.com/cortexkit/magic-context/releases?q=dashboard&expanded=true">Dashboard</a> ·
   <a href="https://discord.gg/DSa65w8wuf">💬 Discord</a>
 </p>
 

package/dist/config/migrate-config-location.d.ts

@@ -58,6 +58,14 @@ export declare function resolveCortexKitProjectConfigPath(directory: string): st
  * `.jsonc` and a `.json` candidate; whichever exists migrates, target is always
  * `.jsonc`. The bare-root project source (`<root>/magic-context.*`) is unique to
  * Magic Context (AFT never had it) — omitting it would orphan repo-root configs.
+ *
+ * Project sources are filtered against the user-scope path set: when a session's
+ * project directory IS the user config home (e.g. opencode opened in
+ * `~/.config/cortexkit`), the bare-root project source `<root>/magic-context.jsonc`
+ * resolves to the USER config path. Without this guard the project migration
+ * would "migrate" the user's own config into `<root>/.cortexkit/` and rename the
+ * original aside, leaving the user on schema defaults (the config-eats-itself
+ * bug). A project migration must never touch a user-scope file.
  */
 export declare function resolveLegacyConfigSources(directory: string): {
     user: LegacyConfigSource[];

package/dist/config/migrate-config-location.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"migrate-config-location.d.ts","sourceRoot":"","sources":["../../src/config/migrate-config-location.ts"],"names":[],"mappings":"AAeA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,MAAM,WAAW,kBAAkB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B;AAED,MAAM,WAAW,0BAA0B;IACvC,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,SAAS,kBAAkB,EAAE,CAAC;IAC7C,MAAM,CAAC,EAAE,qBAAqB,CAAC;CAClC;AAED,MAAM,WAAW,yBAAyB;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACtB;AAoBD,iFAAiF;AACjF,wBAAgB,2BAA2B,IAAI,MAAM,CAEpD;AAED,+EAA+E;AAC/E,wBAAgB,8BAA8B,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAExE;AAED,2DAA2D;AAC3D,wBAAgB,8BAA8B,IAAI,MAAM,CAEvD;AAED,2DAA2D;AAC3D,wBAAgB,iCAAiC,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAE3E;AASD;;;;;GAKG;AACH,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG;IAC3D,IAAI,EAAE,kBAAkB,EAAE,CAAC;IAC3B,OAAO,EAAE,kBAAkB,EAAE,CAAC;CACjC,CAqBA;AAED,MAAM,MAAM,aAAa,GAAG,UAAU,GAAG,IAAI,CAAC;AAE9C;;;;;;;;;GASG;AACH,wBAAgB,oCAAoC,CAChD,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,aAAa,GACvB;IAAE,IAAI,EAAE,kBAAkB,EAAE,CAAC;IAAC,OAAO,EAAE,kBAAkB,EAAE,CAAA;CAAE,CA0B/D;AAmSD,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,0BAA0B,GAAG,yBAAyB,CA0F7F;AAED;;;;;GAKG;AACH,wBAAgB,kCAAkC,CAC9C,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,qBAAqB,GAC/B,MAAM,EAAE,CA6BV"}
+{"version":3,"file":"migrate-config-location.d.ts","sourceRoot":"","sources":["../../src/config/migrate-config-location.ts"],"names":[],"mappings":"AAeA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,MAAM,WAAW,kBAAkB;IAC/B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;CACjB;AAED,MAAM,WAAW,qBAAqB;IAClC,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,IAAI,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;IAC7B,GAAG,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC/B;AAED,MAAM,WAAW,0BAA0B;IACvC,KAAK,EAAE,MAAM,GAAG,SAAS,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,SAAS,kBAAkB,EAAE,CAAC;IAC7C,MAAM,CAAC,EAAE,qBAAqB,CAAC;CAClC;AAED,MAAM,WAAW,yBAAyB;IACtC,QAAQ,EAAE,OAAO,CAAC;IAClB,QAAQ,EAAE,OAAO,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,EAAE,CAAC;CACtB;AAoBD,iFAAiF;AACjF,wBAAgB,2BAA2B,IAAI,MAAM,CAEpD;AAED,+EAA+E;AAC/E,wBAAgB,8BAA8B,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAExE;AAED,2DAA2D;AAC3D,wBAAgB,8BAA8B,IAAI,MAAM,CAEvD;AAED,2DAA2D;AAC3D,wBAAgB,iCAAiC,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAE3E;AA4BD;;;;;;;;;;;;;GAaG;AACH,wBAAgB,0BAA0B,CAAC,SAAS,EAAE,MAAM,GAAG;IAC3D,IAAI,EAAE,kBAAkB,EAAE,CAAC;IAC3B,OAAO,EAAE,kBAAkB,EAAE,CAAC;CACjC,CAsBA;AAED,MAAM,MAAM,aAAa,GAAG,UAAU,GAAG,IAAI,CAAC;AAE9C;;;;;;;;;GASG;AACH,wBAAgB,oCAAoC,CAChD,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,aAAa,GACvB;IAAE,IAAI,EAAE,kBAAkB,EAAE,CAAC;IAAC,OAAO,EAAE,kBAAkB,EAAE,CAAA;CAAE,CA0B/D;AAmSD,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,0BAA0B,GAAG,yBAAyB,CA0F7F;AAED;;;;;GAKG;AACH,wBAAgB,kCAAkC,CAC9C,SAAS,EAAE,MAAM,EACjB,MAAM,CAAC,EAAE,qBAAqB,GAC/B,MAAM,EAAE,CA6BV"}

package/dist/hooks/magic-context/event-handler.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"event-handler.d.ts","sourceRoot":"","sources":["../../../src/hooks/magic-context/event-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,yCAAyC,CAAC;AAyBvF,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qCAAqC,CAAC;AAKlE,OAAO,KAAK,EAAE,YAAY,EAAe,MAAM,oCAAoC,CAAC;AAqBpF,OAAO,EAAE,KAAK,kBAAkB,EAAsB,MAAM,6BAA6B,CAAC;AAM1F,KAAK,cAAc,GAAG,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAEtD,UAAU,iBAAiB;IACvB,KAAK,EAAE,YAAY,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAMD,MAAM,WAAW,gBAAgB;IAC7B,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAChD,iBAAiB,EAAE,UAAU,CAAC,OAAO,uBAAuB,CAAC,CAAC;IAC9D,yBAAyB,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,IAAI,CAAC;IACxD,gBAAgB,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/C,MAAM,EAAE;QACJ,cAAc,EAAE,MAAM,CAAC;QACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;QAC7B,4BAA4B,CAAC,EAAE,MAAM,GAAG;YAAE,OAAO,EAAE,MAAM,CAAC;YAAC,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAA;SAAE,CAAC;QACxF,wBAAwB,CAAC,EAAE;YAAE,OAAO,CAAC,EAAE,MAAM,CAAC;YAAC,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAA;SAAE,CAAC;QACxF,SAAS,EAAE,cAAc,CAAC;QAC1B,sBAAsB,CAAC,EAAE;YAAE,OAAO,EAAE,OAAO,CAAC;YAAC,YAAY,EAAE,MAAM,CAAA;SAAE,CAAC;KACvE,CAAC;IACF,MAAM,EAAE,MAAM,CAAC;IAIf,EAAE,EAAE,OAAO,qBAAqB,EAAE,QAAQ,CAAC;IAC3C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,qFAAqF;IACrF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0EAA0E;IAC1E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2FAA2F;IAC3F,sBAAsB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,oBAAoB,EAAE,aAAa,CAAC,CAAC;IACjF,qBAAqB,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,kBAAkB,CAAC;IAClE;;;;;OAKG;IACH,qBAAqB,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CACvC;AAqID,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,gBAAgB,IACvC,OAAO;IAAE,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,OAAO,CAAA;KAAE,CAAA;CAAE,KAAG,OAAO,CAAC,IAAI,CAAC,CAyfzF"}
+{"version":3,"file":"event-handler.d.ts","sourceRoot":"","sources":["../../../src/hooks/magic-context/event-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,uBAAuB,EAAE,MAAM,yCAAyC,CAAC;AAyBvF,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,qCAAqC,CAAC;AAKlE,OAAO,KAAK,EAAE,YAAY,EAAe,MAAM,oCAAoC,CAAC;AAwBpF,OAAO,EAAE,KAAK,kBAAkB,EAAsB,MAAM,6BAA6B,CAAC;AAM1F,KAAK,cAAc,GAAG,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;AAEtD,UAAU,iBAAiB;IACvB,KAAK,EAAE,YAAY,CAAC;IACpB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAC;CAC7B;AAMD,MAAM,WAAW,gBAAgB;IAC7B,eAAe,EAAE,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,CAAC;IAChD,iBAAiB,EAAE,UAAU,CAAC,OAAO,uBAAuB,CAAC,CAAC;IAC9D,yBAAyB,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,IAAI,CAAC;IACxD,gBAAgB,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,IAAI,CAAC;IAC/C,MAAM,EAAE;QACJ,cAAc,EAAE,MAAM,CAAC;QACvB,mBAAmB,CAAC,EAAE,MAAM,CAAC;QAC7B,4BAA4B,CAAC,EAAE,MAAM,GAAG;YAAE,OAAO,EAAE,MAAM,CAAC;YAAC,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAAA;SAAE,CAAC;QACxF,wBAAwB,CAAC,EAAE;YAAE,OAAO,CAAC,EAAE,MAAM,CAAC;YAAC,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAAA;SAAE,CAAC;QACxF,SAAS,EAAE,cAAc,CAAC;QAC1B,sBAAsB,CAAC,EAAE;YAAE,OAAO,EAAE,OAAO,CAAC;YAAC,YAAY,EAAE,MAAM,CAAA;SAAE,CAAC;KACvE,CAAC;IACF,MAAM,EAAE,MAAM,CAAC;IAIf,EAAE,EAAE,OAAO,qBAAqB,EAAE,QAAQ,CAAC;IAC3C,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB,qFAAqF;IACrF,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,0EAA0E;IAC1E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,2FAA2F;IAC3F,sBAAsB,CAAC,EAAE,GAAG,CAAC,MAAM,EAAE,OAAO,oBAAoB,EAAE,aAAa,CAAC,CAAC;IACjF,qBAAqB,CAAC,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,kBAAkB,CAAC;IAClE;;;;;OAKG;IACH,qBAAqB,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,CAAC;CACvC;AAqID,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,gBAAgB,IACvC,OAAO;IAAE,KAAK,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,UAAU,CAAC,EAAE,OAAO,CAAA;KAAE,CAAA;CAAE,KAAG,OAAO,CAAC,IAAI,CAAC,CAmgBzF"}

package/dist/index.js

@@ -176602,6 +176602,14 @@ async function refreshModelLimitsFromApi(client, options) {
     }
   }
 }
+async function refreshModelLimitsAfterAuthOnce(client) {
+  if (authRewarmDone)
+    return;
+  authRewarmDone = true;
+  const ok = await refreshModelLimitsOnce(client);
+  if (!ok)
+    authRewarmDone = false;
+}
 async function refreshModelLimitsOnce(client) {
   try {
     const result = await client.config.providers();
@@ -176655,7 +176663,7 @@ function lookupLimitWithTagFallback(cache, providerID, modelID) {
   }
   return;
 }
-var MIN_SANE_LIMIT = 20000, MAX_SANE_LIMIT = 3000000, apiCache = null, apiLoadedAt = 0, persistSeedLoaded = false;
+var MIN_SANE_LIMIT = 20000, MAX_SANE_LIMIT = 3000000, apiCache = null, apiLoadedAt = 0, persistSeedLoaded = false, authRewarmDone = false;
 var init_models_dev_cache = __esm(() => {
   init_data_path();
   init_logger();
@@ -186475,7 +186483,7 @@ function resolveTuiConfigPath() {
     return jsoncPath;
   if (existsSync19(jsonPath))
     return jsonPath;
-  return jsonPath;
+  return jsoncPath;
 }
 function ensureTuiPluginEntry() {
   try {
@@ -186811,7 +186819,18 @@ function legacySourcesForBase(basePath, label) {
     { path: `${basePath}.json`, label: `${label} magic-context.json` }
   ];
 }
+function userScopeConfigPaths() {
+  return new Set([
+    `${cortexKitUserConfigBasePath()}.jsonc`,
+    `${cortexKitUserConfigBasePath()}.json`,
+    join2(configHome(), "opencode", `${CONFIG_FILE_BASENAME}.jsonc`),
+    join2(configHome(), "opencode", `${CONFIG_FILE_BASENAME}.json`),
+    join2(homeDir(), ".pi", "agent", `${CONFIG_FILE_BASENAME}.jsonc`),
+    join2(homeDir(), ".pi", "agent", `${CONFIG_FILE_BASENAME}.json`)
+  ]);
+}
 function resolveLegacyConfigSources(directory) {
+  const userPaths = userScopeConfigPaths();
   return {
     user: [
       ...legacySourcesForBase(join2(configHome(), "opencode", CONFIG_FILE_BASENAME), "OpenCode user"),
@@ -186821,7 +186840,7 @@ function resolveLegacyConfigSources(directory) {
       ...legacySourcesForBase(join2(directory, CONFIG_FILE_BASENAME), "project root"),
       ...legacySourcesForBase(join2(directory, ".opencode", CONFIG_FILE_BASENAME), "OpenCode project"),
       ...legacySourcesForBase(join2(directory, ".pi", CONFIG_FILE_BASENAME), "Pi project")
-    ]
+    ].filter((source) => !userPaths.has(source.path))
   };
 }
 function resolveLegacyConfigSourcesForHarness(directory, harness) {
@@ -190163,6 +190182,12 @@ function redactionTypeForKey(key) {
   const suffix = normalized.split(".").filter(Boolean).at(-1) ?? normalized;
   return suffix || "secret";
 }
+function isNonSecretScalarValue(value) {
+  const v = value.trim();
+  if (v === "true" || v === "false" || v === "null" || v === "undefined")
+    return true;
+  return /^[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?$/.test(v);
+}
 var SECRET_QUALIFIERS = new Set([
   "api",
   "access",
@@ -190242,11 +190267,11 @@ var SECRET_TEXT_PATTERNS = [
   },
   {
     pattern: /(["'])([^"']*(?:key|token|secret|password|auth|bearer|credential)[^"']*)\1(\s*:\s*)(["'])([^"']*)\4/gi,
-    replacement: (_full, quote, key, separator, valueQuote) => `${quote}${key}${quote}${separator}${valueQuote}<REDACTED:${redactionTypeForKey(key)}>${valueQuote}`
+    replacement: (full, quote, key, separator, valueQuote, value) => isNonSecretScalarValue(value) ? full : `${quote}${key}${quote}${separator}${valueQuote}<REDACTED:${redactionTypeForKey(key)}>${valueQuote}`
   },
   {
     pattern: /\b([A-Za-z0-9_.-]*(?:key|token|secret|password|auth|bearer|credential)[A-Za-z0-9_.-]*)\s*=\s*([^\s'"`]+)/gi,
-    replacement: (_full, key) => `${key}=<REDACTED:${redactionTypeForKey(key)}>`
+    replacement: (full, key, value) => isNonSecretScalarValue(value) ? full : `${key}=<REDACTED:${redactionTypeForKey(key)}>`
   }
 ];
 function redactSecretText(value) {
@@ -202311,6 +202336,9 @@ function createEventHandler2(deps) {
         }
         if (hasUsageTokens) {
           const totalInputTokens = (info.tokens?.input ?? 0) + (info.tokens?.cache?.read ?? 0) + (info.tokens?.cache?.write ?? 0);
+          if (deps.client) {
+            await refreshModelLimitsAfterAuthOnce(deps.client);
+          }
           let contextLimit = resolveContextLimit(info.providerID, info.modelID, {
             db: deps.db,
             sessionID: info.sessionID

package/dist/shared/models-dev-cache.d.ts

@@ -59,6 +59,29 @@ export declare function refreshModelLimitsFromApi(client: OpencodeClientLike, op
     retries?: number;
     retryDelayMs?: number;
 }): Promise<void>;
+/**
+ * Re-warm the limit cache ONCE per process, after auth is provably live.
+ *
+ * The startup warm (index.ts) can run before the user's provider auth is
+ * loaded. When it does, an auth-conditional limit patch hasn't applied yet, so
+ * `config.providers()` returns the RAW catalog limit (e.g. OpenAI gpt-5.5 OAuth
+ * is downshifted to a 272k input cap by OpenCode's Codex auth plugin only when
+ * `ctx.auth.type === "oauth"`; before auth loads it reports the raw 922k). That
+ * too-high value gets cached AND persisted as last-known-good, survives
+ * restarts, and the existing recovery only re-resolves a too-LOW limit
+ * (overflow / `percentage > 100`), so a too-HIGH one never self-corrects: the
+ * sidebar shows huge headroom while the backend rejects at the real cap (#179).
+ *
+ * The first `message.updated` carrying usage tokens proves a request succeeded,
+ * so auth + providers are fully resolved. Re-warming there overwrites any stale
+ * pre-auth limit with the live auth-adjusted one. Idempotent and cheap: a single
+ * `config.providers()` round-trip, then a no-op for the rest of the process. The
+ * latch is set before the await so concurrent `message.updated` events don't
+ * stack duplicate warms; a failed warm resets it so a later message retries.
+ */
+export declare function refreshModelLimitsAfterAuthOnce(client: OpencodeClientLike): Promise<void>;
+/** Test-only: reset the after-auth re-warm latch between cases. */
+export declare function resetAuthRewarmLatchForTest(): void;
 /**
  * Resolve a model's prompt limit from OpenCode's SDK (`config.providers()`),
  * the single source of truth: it already merges models.dev + compiled-in

package/dist/shared/models-dev-cache.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"models-dev-cache.d.ts","sourceRoot":"","sources":["../../src/shared/models-dev-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAQH,UAAU,kBAAkB;IACxB,MAAM,EAAE;QACJ,SAAS,EAAE,MAAM,OAAO,CAAC;YAAE,IAAI,CAAC,EAAE;gBAAE,SAAS,CAAC,EAAE,OAAO,CAAA;aAAE,CAAA;SAAE,CAAC,CAAC;KAChE,CAAC;CACL;AASD,eAAO,MAAM,cAAc,QAAS,CAAC;AACrC,eAAO,MAAM,cAAc,UAAY,CAAC;AAExC;;kFAEkF;AAClF,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,KAAK,IAAI,MAAM,CAEtE;AA+HD;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,yBAAyB,CAC3C,MAAM,EAAE,kBAAkB,EAC1B,OAAO,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,GACtD,OAAO,CAAC,IAAI,CAAC,CAUf;AA+DD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAI1F;AA6BD,gFAAgF;AAChF,wBAAgB,mBAAmB,IAAI,IAAI,CAI1C;AAED,oDAAoD;AACpD,wBAAgB,sBAAsB,IAAI;IACtC,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACpB,CAMA"}
+{"version":3,"file":"models-dev-cache.d.ts","sourceRoot":"","sources":["../../src/shared/models-dev-cache.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAQH,UAAU,kBAAkB;IACxB,MAAM,EAAE;QACJ,SAAS,EAAE,MAAM,OAAO,CAAC;YAAE,IAAI,CAAC,EAAE;gBAAE,SAAS,CAAC,EAAE,OAAO,CAAA;aAAE,CAAA;SAAE,CAAC,CAAC;KAChE,CAAC;CACL;AASD,eAAO,MAAM,cAAc,QAAS,CAAC;AACrC,eAAO,MAAM,cAAc,UAAY,CAAC;AAExC;;kFAEkF;AAClF,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,GAAG,SAAS,GAAG,KAAK,IAAI,MAAM,CAEtE;AA+HD;;;;;;;;;;;;;;;GAeG;AACH,wBAAsB,yBAAyB,CAC3C,MAAM,EAAE,kBAAkB,EAC1B,OAAO,CAAC,EAAE;IAAE,OAAO,CAAC,EAAE,MAAM,CAAC;IAAC,YAAY,CAAC,EAAE,MAAM,CAAA;CAAE,GACtD,OAAO,CAAC,IAAI,CAAC,CAUf;AAKD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,+BAA+B,CAAC,MAAM,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAK/F;AAED,mEAAmE;AACnE,wBAAgB,2BAA2B,IAAI,IAAI,CAElD;AA+DD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,kBAAkB,CAAC,UAAU,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,SAAS,CAI1F;AA6BD,gFAAgF;AAChF,wBAAgB,mBAAmB,IAAI,IAAI,CAI1C;AAED,oDAAoD;AACpD,wBAAgB,sBAAsB,IAAI;IACtC,SAAS,EAAE,OAAO,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACpB,CAMA"}

package/dist/shared/redaction.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"redaction.d.ts","sourceRoot":"","sources":["../../src/shared/redaction.ts"],"names":[],"mappings":"AAyDA,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAkChD;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAcxD;AAkED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAatD;AAED,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE5D;AAsBD,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOlE;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,GAAE,MAAM,EAAO,GAAG,OAAO,CAkBnF"}
+{"version":3,"file":"redaction.d.ts","sourceRoot":"","sources":["../../src/shared/redaction.ts"],"names":[],"mappings":"AAyEA,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAkChD;AAED,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAcxD;AA0ED,wBAAgB,gBAAgB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAatD;AAED,wBAAgB,sBAAsB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE5D;AAsBD,wBAAgB,4BAA4B,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOlE;AAED,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,GAAE,MAAM,EAAO,GAAG,OAAO,CAkBnF"}

package/dist/shared/tui-config.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tui-config.d.ts","sourceRoot":"","sources":["../../src/shared/tui-config.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAkEH;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,OAAO,CAqD9C"}
+{"version":3,"file":"tui-config.d.ts","sourceRoot":"","sources":["../../src/shared/tui-config.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAyEH;;;GAGG;AACH,wBAAgB,oBAAoB,IAAI,OAAO,CAqD9C"}

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "@cortexkit/opencode-magic-context",
-	"version": "0.27.0",
+	"version": "0.27.2",
 	"type": "module",
 	"description": "OpenCode plugin for Magic Context — cross-session memory and context management",
 	"main": "dist/index.js",
@@ -44,9 +44,12 @@
 		"@jitl/quickjs-singlefile-cjs-release-asyncify": "0.32.0",
 		"@opencode-ai/plugin": "^1.15.13",
 		"@opencode-ai/sdk": "^1.15.13",
+		"@opentui/core": "^0.4.2",
+		"@opentui/solid": "^0.4.2",
 		"ai-tokenizer": "^1.0.6",
 		"comment-json": "^4.2.5",
 		"quickjs-emscripten": "^0.32.0",
+		"solid-js": "1.9.12",
 		"zod": "^4.1.8"
 	},
 	"devDependencies": {

package/src/shared/models-dev-cache.test.ts

@@ -6,7 +6,9 @@ import {
     clearModelsDevCache,
     getModelsDevCacheState,
     getSdkContextLimit,
+    refreshModelLimitsAfterAuthOnce,
     refreshModelLimitsFromApi,
+    resetAuthRewarmLatchForTest,
 } from "./models-dev-cache";
 
 /**
@@ -198,6 +200,86 @@ describe("models-dev-cache (SDK-only)", () => {
         });
     });
 
+    describe("after-auth re-warm (once per process)", () => {
+        // The startup warm can run before provider auth is loaded, caching a raw
+        // pre-downshift limit (gpt-5.5 922k) that then survives restarts and is
+        // never corrected by the too-low-only recovery. The first usage event
+        // proves auth is live; one re-warm there overwrites the stale value.
+        function makeCountingClient(input: number) {
+            let calls = 0;
+            return {
+                client: {
+                    config: {
+                        providers: async () => {
+                            calls++;
+                            return {
+                                data: {
+                                    providers: [
+                                        {
+                                            id: "openai",
+                                            models: { "gpt-5.5": { limit: { input } } },
+                                        },
+                                    ],
+                                },
+                            };
+                        },
+                    },
+                },
+                calls: () => calls,
+            };
+        }
+
+        test("re-warm overwrites a stale pre-auth limit and runs only once per process", async () => {
+            resetAuthRewarmLatchForTest();
+            // Pre-auth startup warm cached the raw 922k.
+            await refreshModelLimitsFromApi(
+                makeClient([{ id: "openai", models: { "gpt-5.5": { limit: { input: 922000 } } } }]),
+            );
+            expect(getSdkContextLimit("openai", "gpt-5.5")).toBe(922000);
+
+            // First usage: auth is live, providers() now reports the 272k cap.
+            const { client, calls } = makeCountingClient(272000);
+            await refreshModelLimitsAfterAuthOnce(client);
+            expect(getSdkContextLimit("openai", "gpt-5.5")).toBe(272000);
+            expect(calls()).toBe(1);
+
+            // Subsequent usage events are a no-op (latch held).
+            await refreshModelLimitsAfterAuthOnce(client);
+            await refreshModelLimitsAfterAuthOnce(client);
+            expect(calls()).toBe(1);
+        });
+
+        test("a failed re-warm resets the latch so a later usage event retries", async () => {
+            resetAuthRewarmLatchForTest();
+            let calls = 0;
+            const flaky = {
+                config: {
+                    providers: async () => {
+                        calls++;
+                        // First attempt: empty payload (auth still settling) → no warm.
+                        if (calls === 1) return { data: { providers: [] } };
+                        return {
+                            data: {
+                                providers: [
+                                    {
+                                        id: "openai",
+                                        models: { "gpt-5.5": { limit: { input: 272000 } } },
+                                    },
+                                ],
+                            },
+                        };
+                    },
+                },
+            };
+            await refreshModelLimitsAfterAuthOnce(flaky);
+            expect(getSdkContextLimit("openai", "gpt-5.5")).toBeUndefined();
+            // Latch was reset on failure, so the next event retries and succeeds.
+            await refreshModelLimitsAfterAuthOnce(flaky);
+            expect(getSdkContextLimit("openai", "gpt-5.5")).toBe(272000);
+            expect(calls).toBe(2);
+        });
+    });
+
     describe("startup retry", () => {
         test("retries when the provider payload is empty, then succeeds", async () => {
             let calls = 0;

package/src/shared/models-dev-cache.ts

@@ -210,6 +210,41 @@ export async function refreshModelLimitsFromApi(
     }
 }
 
+// Once-per-process latch for the after-auth re-warm below.
+let authRewarmDone = false;
+
+/**
+ * Re-warm the limit cache ONCE per process, after auth is provably live.
+ *
+ * The startup warm (index.ts) can run before the user's provider auth is
+ * loaded. When it does, an auth-conditional limit patch hasn't applied yet, so
+ * `config.providers()` returns the RAW catalog limit (e.g. OpenAI gpt-5.5 OAuth
+ * is downshifted to a 272k input cap by OpenCode's Codex auth plugin only when
+ * `ctx.auth.type === "oauth"`; before auth loads it reports the raw 922k). That
+ * too-high value gets cached AND persisted as last-known-good, survives
+ * restarts, and the existing recovery only re-resolves a too-LOW limit
+ * (overflow / `percentage > 100`), so a too-HIGH one never self-corrects: the
+ * sidebar shows huge headroom while the backend rejects at the real cap (#179).
+ *
+ * The first `message.updated` carrying usage tokens proves a request succeeded,
+ * so auth + providers are fully resolved. Re-warming there overwrites any stale
+ * pre-auth limit with the live auth-adjusted one. Idempotent and cheap: a single
+ * `config.providers()` round-trip, then a no-op for the rest of the process. The
+ * latch is set before the await so concurrent `message.updated` events don't
+ * stack duplicate warms; a failed warm resets it so a later message retries.
+ */
+export async function refreshModelLimitsAfterAuthOnce(client: OpencodeClientLike): Promise<void> {
+    if (authRewarmDone) return;
+    authRewarmDone = true;
+    const ok = await refreshModelLimitsOnce(client);
+    if (!ok) authRewarmDone = false;
+}
+
+/** Test-only: reset the after-auth re-warm latch between cases. */
+export function resetAuthRewarmLatchForTest(): void {
+    authRewarmDone = false;
+}
+
 /** Single SDK fetch + cache rebuild. Returns true when providers were loaded. */
 async function refreshModelLimitsOnce(client: OpencodeClientLike): Promise<boolean> {
     try {

package/src/shared/redaction.test.ts

@@ -2,7 +2,43 @@
 
 import { describe, expect, test } from "bun:test";
 
-import { hasShareabilitySensitiveText } from "./redaction";
+import { hasShareabilitySensitiveText, redactSecretText } from "./redaction";
+
+describe("redactSecretText — token counts and scalar diagnostics stay visible", () => {
+    test("keeps numeric/boolean values whose key merely contains a secret word", () => {
+        // These log shapes are counts/flags, not secrets, so they must stay readable.
+        expect(redactSecretText("tokens.input=45000 cache.read=0 cache.write=0")).toBe(
+            "tokens.input=45000 cache.read=0 cache.write=0",
+        );
+        expect(redactSecretText("hasUsageTokens=true")).toBe("hasUsageTokens=true");
+        expect(redactSecretText("totalInputTokens=132000")).toBe("totalInputTokens=132000");
+        expect(redactSecretText("max_tokens=4096")).toBe("max_tokens=4096");
+    });
+
+    test("keeps quoted numeric values matched only on the key word", () => {
+        expect(redactSecretText('"max_tokens": "4096"')).toBe('"max_tokens": "4096"');
+    });
+
+    test("still redacts real secret string values", () => {
+        // High-entropy / non-scalar values must always be redacted; only bare
+        // numeric/boolean scalars are exempt from the key-based match.
+        expect(redactSecretText("api_key=sk-abc123XYZsecretvalue")).toContain("<REDACTED:");
+        expect(redactSecretText("api_key=sk-abc123XYZsecretvalue")).not.toContain(
+            "sk-abc123XYZsecretvalue",
+        );
+        expect(redactSecretText('"auth_token": "tok_live_9f8e7d6c5b"')).toContain("<REDACTED:");
+    });
+
+    test("value-shaped secret patterns still fire independent of key name", () => {
+        // A bearer/JWT value is caught by its own pattern even if its key is bland.
+        expect(redactSecretText("Authorization: Bearer abc123def456ghi789")).toContain(
+            "<REDACTED:bearer>",
+        );
+        expect(redactSecretText("blob=eyJhbGciOi.eyJzdWIiOiIx.SflKxwRJSMeKKF2QT4")).toContain(
+            "<JWT_REDACTED>",
+        );
+    });
+});
 
 describe("hasShareabilitySensitiveText", () => {
     test("safe project facts are shareable", () => {

package/src/shared/redaction.ts

@@ -33,6 +33,22 @@ function redactionTypeForKey(key: string): string {
     return suffix || "secret";
 }
 
+// A bare number / boolean / null is never a secret — an API key, bearer token,
+// password, or credential is always a high-entropy string. So when a key-based
+// pattern (the `name=value` / `"name":"value"` forms below) matches purely on
+// the KEY containing a word like "token", but the VALUE is numeric/boolean, it's
+// a count or flag, not a secret. These must stay readable in logs:
+// `tokens.input=45000`, `hasUsageTokens=true`, `max_tokens=4096` are diagnostics,
+// not credentials. (High-entropy secret VALUES are still caught by the
+// value-shaped patterns above — bearer, JWT, AKIA, gh*_, etc. — independent of
+// the key name, so relaxing the key-based match for scalars loses no coverage.)
+function isNonSecretScalarValue(value: string): boolean {
+    const v = value.trim();
+    if (v === "true" || v === "false" || v === "null" || v === "undefined") return true;
+    // Integer or decimal, optional sign/exponent — token counts, ports, sizes.
+    return /^[+-]?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?$/.test(v);
+}
+
 const SECRET_QUALIFIERS = new Set([
     "api",
     "access",
@@ -155,19 +171,27 @@ const SECRET_TEXT_PATTERNS: Array<{
         pattern:
             /(["'])([^"']*(?:key|token|secret|password|auth|bearer|credential)[^"']*)\1(\s*:\s*)(["'])([^"']*)\4/gi,
         replacement: (
-            _full: string,
+            full: string,
             quote: string,
             key: string,
             separator: string,
             valueQuote: string,
+            value: string,
         ) =>
-            `${quote}${key}${quote}${separator}${valueQuote}<REDACTED:${redactionTypeForKey(key)}>${valueQuote}`,
+            // A numeric/boolean value matched only because the KEY contains a
+            // secret word (e.g. "max_tokens": "4096") is a count, not a secret.
+            isNonSecretScalarValue(value)
+                ? full
+                : `${quote}${key}${quote}${separator}${valueQuote}<REDACTED:${redactionTypeForKey(key)}>${valueQuote}`,
     },
     {
         pattern:
             /\b([A-Za-z0-9_.-]*(?:key|token|secret|password|auth|bearer|credential)[A-Za-z0-9_.-]*)\s*=\s*([^\s'"`]+)/gi,
-        replacement: (_full: string, key: string) =>
-            `${key}=<REDACTED:${redactionTypeForKey(key)}>`,
+        replacement: (full: string, key: string, value: string) =>
+            // tokens.input=45000 / hasUsageTokens=true are diagnostics, not
+            // secrets — keep them readable. Real secret values are still caught
+            // by the value-shaped patterns above.
+            isNonSecretScalarValue(value) ? full : `${key}=<REDACTED:${redactionTypeForKey(key)}>`,
     },
 ];
 

package/src/shared/tui-config.test.ts

@@ -60,4 +60,47 @@ describe("ensureTuiPluginEntry", () => {
         expect(entry[0]).toBe("@cortexkit/opencode-magic-context@latest");
         expect(entry[1]).toEqual({ enabled: true });
     });
+
+    it("creates tui.jsonc (not tui.json) on a fresh install", async () => {
+        const root = mkdtempSync(join(tmpdir(), "mc-tui-fresh-"));
+        roots.push(root);
+        process.env.OPENCODE_CONFIG_DIR = root;
+
+        const { ensureTuiPluginEntry } = await import("./tui-config");
+        expect(ensureTuiPluginEntry()).toBe(true);
+
+        // The new file must be tui.jsonc so a tui.json stub never ends up
+        // sitting next to a tui.jsonc the user writes later (#176).
+        expect(existsSync(join(root, "tui.jsonc"))).toBe(true);
+        expect(existsSync(join(root, "tui.json"))).toBe(false);
+        const parsed = JSON.parse(readFileSync(join(root, "tui.jsonc"), "utf-8")) as {
+            plugin: unknown[];
+        };
+        expect(parsed.plugin).toContain("@cortexkit/opencode-magic-context@latest");
+    });
+
+    it("writes into the existing tui.jsonc when both files exist", async () => {
+        const root = mkdtempSync(join(tmpdir(), "mc-tui-both-"));
+        roots.push(root);
+        process.env.OPENCODE_CONFIG_DIR = root;
+        // A real user config in tui.jsonc plus a leftover empty tui.json.
+        writeFileSync(
+            join(root, "tui.jsonc"),
+            `${JSON.stringify({ keybinds: { x: "y" } }, null, 2)}\n`,
+        );
+        writeFileSync(join(root, "tui.json"), "{}\n");
+
+        const { ensureTuiPluginEntry } = await import("./tui-config");
+        expect(ensureTuiPluginEntry()).toBe(true);
+
+        // The plugin entry must land in tui.jsonc (higher precedence), and the
+        // user's keybinds must survive; tui.json must be left untouched.
+        const jsonc = JSON.parse(readFileSync(join(root, "tui.jsonc"), "utf-8")) as {
+            plugin: unknown[];
+            keybinds: Record<string, string>;
+        };
+        expect(jsonc.plugin).toContain("@cortexkit/opencode-magic-context@latest");
+        expect(jsonc.keybinds).toEqual({ x: "y" });
+        expect(readFileSync(join(root, "tui.json"), "utf-8")).toBe("{}\n");
+    });
 });

package/src/shared/tui-config.ts

@@ -62,9 +62,16 @@ function resolveTuiConfigPath(): string {
     const jsoncPath = join(configDir, "tui.jsonc");
     const jsonPath = join(configDir, "tui.json");
 
+    // OpenCode loads BOTH tui.json and tui.jsonc and merges them (tui.json first,
+    // tui.jsonc second, so .jsonc wins overlapping keys; plugin origins are
+    // deduped). So an existing tui.jsonc is the higher-precedence, user-facing
+    // file — write into it when present. Otherwise update an existing tui.json.
+    // For a fresh install create tui.jsonc, not tui.json: it lets the user add
+    // comments later and avoids leaving a second, lower-precedence config file
+    // alongside a tui.jsonc they create afterward (#176).
     if (existsSync(jsoncPath)) return jsoncPath;
     if (existsSync(jsonPath)) return jsonPath;
-    return jsonPath; // default: create tui.json
+    return jsoncPath;
 }
 
 /**