npm - @desplega.ai/agent-swarm - Versions diffs - 1.83.0 → 1.83.2 - Mend

@desplega.ai/agent-swarm 1.83.0 → 1.83.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

package/openapi.json +177 -10
package/package.json +6 -6
package/src/artifact-sdk/server.ts +23 -1
package/src/be/budget-admission.ts +28 -4
package/src/be/budget-refusal-notify.ts +19 -3
package/src/be/db-queries/oauth.ts +43 -0
package/src/be/db.ts +37 -4
package/src/be/migrations/074_user_budget_scope.sql +85 -0
package/src/be/schedules/validate.ts +21 -0
package/src/be/skill-sync.ts +65 -15
package/src/commands/resume-session.ts +118 -0
package/src/commands/runner.ts +178 -121
package/src/http/core.ts +4 -1
package/src/http/index.ts +16 -0
package/src/http/integrations.ts +26 -0
package/src/http/mcp-user.ts +111 -0
package/src/http/poll.ts +19 -5
package/src/http/schedules.ts +35 -10
package/src/http/skills.ts +27 -2
package/src/http/users.ts +107 -2
package/src/jira/client.ts +3 -5
package/src/jira/oauth.ts +1 -0
package/src/jira/sync.ts +2 -2
package/src/oauth/ensure-token.ts +1 -0
package/src/oauth/wrapper.ts +38 -7
package/src/providers/claude-adapter.ts +7 -2
package/src/providers/claude-managed-adapter.ts +1 -1
package/src/providers/codex-adapter.ts +30 -0
package/src/providers/opencode-adapter.ts +149 -14
package/src/providers/pi-mono-adapter.ts +41 -1
package/src/providers/types.ts +1 -1
package/src/server-user.ts +117 -0
package/src/tests/artifact-sdk.test.ts +23 -19
package/src/tests/budget-user-scope.test.ts +376 -0
package/src/tests/claude-managed-adapter.test.ts +6 -0
package/src/tests/codex-adapter.test.ts +192 -0
package/src/tests/codex-rate-limit-parse.test.ts +256 -0
package/src/tests/db-queries-oauth.test.ts +43 -0
package/src/tests/ensure-token.test.ts +93 -0
package/src/tests/error-tracker.test.ts +52 -0
package/src/tests/fetch-resolved-env.test.ts +33 -20
package/src/tests/http-api-integration.test.ts +36 -0
package/src/tests/http-users.test.ts +29 -1
package/src/tests/mcp-user-route.test.ts +325 -0
package/src/tests/opencode-adapter.test.ts +75 -0
package/src/tests/pi-mono-adapter.test.ts +21 -1
package/src/tests/rate-limit-event.test.ts +69 -6
package/src/tests/resume-session.test.ts +93 -0
package/src/tests/runner-skills-refresh.test.ts +200 -0
package/src/tests/schedule-validation-helper.test.ts +51 -0
package/src/tests/skill-sync.test.ts +73 -9
package/src/tests/skills-signature.test.ts +141 -0
package/src/tests/task-tools-ctx.test.ts +100 -0
package/src/tests/task-tools-ownership.test.ts +167 -0
package/src/tests/update-schedule-mcp-tool.test.ts +161 -0
package/src/tests/user-token-routes.test.ts +221 -0
package/src/tools/cancel-task.ts +137 -83
package/src/tools/get-task-details.ts +73 -59
package/src/tools/get-tasks.ts +134 -126
package/src/tools/schedules/update-schedule.ts +48 -8
package/src/tools/send-task.ts +312 -312
package/src/tools/slack-upload-file.ts +17 -5
package/src/tools/task-action.ts +464 -367
package/src/tools/task-tool-ctx.ts +43 -0
package/src/types.ts +6 -2
package/src/utils/error-tracker.ts +122 -9
package/src/utils/skills-refresh.ts +123 -0

package/src/http/poll.ts CHANGED Viewed

@@ -42,11 +42,13 @@ import { json, jsonError } from "./utils";
  * + workflow bus emit. See `src/be/budget-refusal-notify.ts`.
  */
 function buildBudgetRefusedTrigger(refusal: {
-  cause: "agent" | "global";
+  cause: "agent" | "global" | "user";
   agentSpend?: number;
   agentBudget?: number;
   globalSpend?: number;
   globalBudget?: number;
+  userSpend?: number;
+  userBudget?: number;
   resetAt: string;
 }): { type: "budget_refused"; [key: string]: unknown } {
   const trigger: { type: "budget_refused"; [key: string]: unknown } = {
@@ -58,6 +60,8 @@ function buildBudgetRefusedTrigger(refusal: {
   if (refusal.agentBudget !== undefined) trigger.agentBudget = refusal.agentBudget;
   if (refusal.globalSpend !== undefined) trigger.globalSpend = refusal.globalSpend;
   if (refusal.globalBudget !== undefined) trigger.globalBudget = refusal.globalBudget;
+  if (refusal.userSpend !== undefined) trigger.userSpend = refusal.userSpend;
+  if (refusal.userBudget !== undefined) trigger.userBudget = refusal.userBudget;
   return trigger;
 }
@@ -180,7 +184,7 @@ export async function handlePoll(
             // the capacity check so capacity AND budget gates share atomicity.
             // Phase 5 also records the dedup row + captures the side-effect
             // context here so the after-commit step can notify the lead.
-            const admission = canClaim(myAgentId, new Date());
+            const admission = canClaim(myAgentId, new Date(), pendingTask.requestedByUserId);
             if (!admission.allowed) {
               const utcDate = new Date().toISOString().slice(0, 10);
               const dedup = recordBudgetRefusalNotification({
@@ -192,6 +196,8 @@ export async function handlePoll(
                 agentBudgetUsd: admission.agentBudget,
                 globalSpendUsd: admission.globalSpend,
                 globalBudgetUsd: admission.globalBudget,
+                userSpendUsd: admission.userSpend,
+                userBudgetUsd: admission.userBudget,
               });
               return {
                 trigger: buildBudgetRefusedTrigger(admission),
@@ -200,6 +206,7 @@ export async function handlePoll(
                     task: {
                       id: pendingTask.id,
                       task: pendingTask.task,
+                      requestedByUserId: pendingTask.requestedByUserId,
                       slackChannelId: pendingTask.slackChannelId,
                       slackThreadTs: pendingTask.slackThreadTs,
                       slackUserId: pendingTask.slackUserId,
@@ -211,6 +218,8 @@ export async function handlePoll(
                     agentBudgetUsd: admission.agentBudget,
                     globalSpendUsd: admission.globalSpend,
                     globalBudgetUsd: admission.globalBudget,
+                    userSpendUsd: admission.userSpend,
+                    userBudgetUsd: admission.userBudget,
                     resetAt: admission.resetAt,
                   },
                   inserted: dedup.inserted,
@@ -303,10 +312,10 @@ export async function handlePoll(
             // refusal, and the dedup is per-(task,date) so subsequent same-day
             // refusals on the same lead-candidate are suppressed.
             if (unassignedIds.length > 0) {
-              const admission = canClaim(myAgentId, new Date());
+              const candidateId = unassignedIds[0]!;
+              const candidateTask = getTaskById(candidateId);
+              const admission = canClaim(myAgentId, new Date(), candidateTask?.requestedByUserId);
               if (!admission.allowed) {
-                const candidateId = unassignedIds[0]!;
-                const candidateTask = getTaskById(candidateId);
                 const utcDate = new Date().toISOString().slice(0, 10);
                 const dedup = recordBudgetRefusalNotification({
                   taskId: candidateId,
@@ -317,6 +326,8 @@ export async function handlePoll(
                   agentBudgetUsd: admission.agentBudget,
                   globalSpendUsd: admission.globalSpend,
                   globalBudgetUsd: admission.globalBudget,
+                  userSpendUsd: admission.userSpend,
+                  userBudgetUsd: admission.userBudget,
                 });
                 return {
                   trigger: buildBudgetRefusedTrigger(admission),
@@ -326,6 +337,7 @@ export async function handlePoll(
                           task: {
                             id: candidateTask.id,
                             task: candidateTask.task,
+                            requestedByUserId: candidateTask.requestedByUserId,
                             slackChannelId: candidateTask.slackChannelId,
                             slackThreadTs: candidateTask.slackThreadTs,
                             slackUserId: candidateTask.slackUserId,
@@ -337,6 +349,8 @@ export async function handlePoll(
                           agentBudgetUsd: admission.agentBudget,
                           globalSpendUsd: admission.globalSpend,
                           globalBudgetUsd: admission.globalBudget,
+                          userSpendUsd: admission.userSpend,
+                          userBudgetUsd: admission.userBudget,
                           resetAt: admission.resetAt,
                         },
                         inserted: dedup.inserted,

package/src/http/schedules.ts CHANGED Viewed

@@ -11,6 +11,7 @@ import {
   getScheduledTasks,
   updateScheduledTask,
 } from "../be/db";
+import { mergeScheduleTiming, validateRecurringTiming } from "../be/schedules/validate";
 import { calculateNextRun } from "../scheduler/scheduler";
 import { scheduleContextKey } from "../tasks/context-key";
 import { createTaskWithSiblingAwareness } from "../tasks/sibling-awareness";
@@ -115,8 +116,8 @@ const updateSchedule = route({
   body: z.object({
     name: z.string().optional(),
     description: z.string().optional(),
-    cronExpression: z.string().optional(),
-    intervalMs: z.number().int().optional(),
+    cronExpression: z.string().nullable().optional(),
+    intervalMs: z.number().int().positive().nullable().optional(),
     taskTemplate: z.string().optional(),
     taskType: z.string().optional(),
     tags: z.array(z.string()).optional(),
@@ -400,6 +401,22 @@ export async function handleSchedules(
       return true;
     }
+    // Validate merged timing state — catches cases where one side is null in the DB
+    // and the patch nulls the other, which the schema-level check cannot see.
+    if (existing.scheduleType !== "one_time") {
+      const timing = mergeScheduleTiming(
+        {
+          cronExpression: existing.cronExpression ?? null,
+          intervalMs: existing.intervalMs ?? null,
+        },
+        { cronExpression: parsed.body.cronExpression, intervalMs: parsed.body.intervalMs },
+      );
+      if (validateRecurringTiming(timing)) {
+        jsonError(res, "At least one of intervalMs or cronExpression must be set", 400);
+        return true;
+      }
+    }
     if (parsed.body.cronExpression) {
       try {
         CronExpressionParser.parse(parsed.body.cronExpression);
@@ -439,14 +456,22 @@ export async function handleSchedules(
         parsed.body.intervalMs !== undefined ||
         (parsed.body.enabled === true && !existing.enabled)
       ) {
-        const merged = {
-          cronExpression: parsed.body.cronExpression ?? existing.cronExpression,
-          intervalMs: parsed.body.intervalMs ?? existing.intervalMs,
-          timezone: parsed.body.timezone ?? existing.timezone,
-        };
-        if (merged.cronExpression || merged.intervalMs) {
-          // biome-ignore lint/suspicious/noExplicitAny: need partial ScheduledTask for calculateNextRun
-          body.nextRunAt = calculateNextRun(merged as any);
+        const timing = mergeScheduleTiming(
+          {
+            cronExpression: existing.cronExpression ?? null,
+            intervalMs: existing.intervalMs ?? null,
+          },
+          { cronExpression: parsed.body.cronExpression, intervalMs: parsed.body.intervalMs },
+        );
+        const mergedTimezone =
+          parsed.body.timezone !== undefined ? parsed.body.timezone : existing.timezone;
+        if (timing.mergedCron || timing.mergedInterval) {
+          body.nextRunAt = calculateNextRun({
+            cronExpression: timing.mergedCron,
+            intervalMs: timing.mergedInterval,
+            timezone: mergedTimezone,
+            // biome-ignore lint/suspicious/noExplicitAny: need partial ScheduledTask for calculateNextRun
+          } as any);
         }
       }
     }

package/src/http/skills.ts CHANGED Viewed

@@ -12,7 +12,7 @@ import {
   updateSkill,
 } from "../be/db";
 import { parseSkillContent } from "../be/skill-parser";
-import { syncSkillsToFilesystem } from "../be/skill-sync";
+import { computeAgentSkillsSignature, syncSkillsToFilesystem } from "../be/skill-sync";
 import { route } from "./route-def";
 import { json, jsonError } from "./utils";
@@ -193,6 +193,21 @@ const getAgentSkillsRoute = route({
   },
 });
+const getAgentSkillsSignatureRoute = route({
+  method: "get",
+  path: "/api/agents/{id}/skills/signature",
+  pattern: ["api", "agents", null, "skills", "signature"],
+  summary: "Compute a stable signature over an agent's installed skills",
+  description:
+    "Returns a sha256 hash over per-row mutation fields of the agent's active+enabled skill set. Workers poll this to detect skill changes cheaply without fetching the full list.",
+  tags: ["Skills"],
+  auth: { apiKey: true },
+  params: z.object({ id: z.string() }),
+  responses: {
+    200: { description: "Skills signature" },
+  },
+});
 // ─── Handler ─────────────────────────────────────────────────────────────────
 export async function handleSkills(
@@ -202,12 +217,22 @@ export async function handleSkills(
   queryParams: URLSearchParams,
   myAgentId: string | undefined,
 ): Promise<boolean> {
+  // GET /api/agents/:id/skills/signature (must come before the shorter pattern)
+  if (getAgentSkillsSignatureRoute.match(req.method, pathSegments)) {
+    const parsed = await getAgentSkillsSignatureRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const sig = computeAgentSkillsSignature(parsed.params.id);
+    json(res, { hash: sig.hash, count: sig.count, generatedAt: new Date().toISOString() });
+    return true;
+  }
   // GET /api/agents/:id/skills (must be before /api/skills routes)
   if (getAgentSkillsRoute.match(req.method, pathSegments)) {
     const parsed = await getAgentSkillsRoute.parse(req, res, pathSegments, queryParams);
     if (!parsed) return true;
     const skills = getAgentSkills(parsed.params.id);
-    json(res, { skills, total: skills.length });
+    const signature = computeAgentSkillsSignature(parsed.params.id).hash;
+    json(res, { skills, total: skills.length, signature });
     return true;
   }

package/src/http/users.ts CHANGED Viewed

@@ -7,8 +7,7 @@
  * pass it as the `IdentityActor` arg to the helpers in `src/be/users.ts` — so
  * every identity mutation lands an event row tagged `op:<sha256-16>`.
  *
- * Endpoint set (Core Req #6, minus `POST/DELETE /users/:id/mcp-tokens` which
- * are deferred to the MCP plan):
+ * Endpoint set:
  *
  *   GET    /api/users
  *   POST   /api/users
@@ -16,6 +15,8 @@
  *   POST   /api/users/unmapped/:kind/:externalId/resolve
  *   GET    /api/users/:id
  *   PATCH  /api/users/:id
+ *   POST   /api/users/:id/mcp-tokens
+ *   DELETE /api/users/:id/mcp-tokens/:tokenId
  *   POST   /api/users/:id/merge
  *   GET    /api/users/:id/events
  *   POST   /api/users/:id/identities
@@ -26,12 +27,14 @@ import type { IncomingMessage, ServerResponse } from "node:http";
 import { z } from "zod";
 import {
   createUser,
+  deleteBudget,
   deleteKv,
   deleteUser,
   getAllUsers,
   getUserById,
   listKv,
   updateUser,
+  upsertBudget,
 } from "../be/db";
 import {
   getUserIdentities,
@@ -39,7 +42,9 @@ import {
   linkIdentity,
   listUserEvents,
   listUserTokens,
+  mintToken,
   recordIdentityEvent,
+  revokeToken,
   unlinkIdentity,
 } from "../be/users";
 import { getOperatorActor } from "./operator-actor";
@@ -64,6 +69,15 @@ function composeUser(userId: string, recentEventLimit = 5) {
   };
 }
+function syncUserBudgetMirror(userId: string, dailyBudgetUsd: number | null | undefined): void {
+  if (dailyBudgetUsd === undefined) return;
+  if (dailyBudgetUsd === null) {
+    deleteBudget("user", userId);
+    return;
+  }
+  upsertBudget("user", userId, dailyBudgetUsd);
+}
 // ─── Route Definitions ───────────────────────────────────────────────────────
 const listUsers = route({
@@ -203,6 +217,41 @@ const updateUserRoute = route({
   auth: { apiKey: true },
 });
+const mintUserMcpTokenRoute = route({
+  method: "post",
+  path: "/api/users/{id}/mcp-tokens",
+  pattern: ["api", "users", null, "mcp-tokens"],
+  summary: "Mint a one-time plaintext MCP token for a user",
+  description:
+    "Returns the plaintext token exactly once. Subsequent reads only expose token summaries.",
+  tags: ["Users"],
+  params: z.object({ id: z.string() }),
+  body: z.object({
+    label: z.string().nullable().optional(),
+  }),
+  responses: {
+    200: { description: "Minted token plaintext, token summary and composed user" },
+    401: { description: "Unauthorized" },
+    404: { description: "User not found" },
+  },
+  auth: { apiKey: true },
+});
+const revokeUserMcpTokenRoute = route({
+  method: "delete",
+  path: "/api/users/{id}/mcp-tokens/{tokenId}",
+  pattern: ["api", "users", null, "mcp-tokens", null],
+  summary: "Revoke a user's MCP token",
+  tags: ["Users"],
+  params: z.object({ id: z.string(), tokenId: z.string() }),
+  responses: {
+    200: { description: "Composed user after token revocation" },
+    401: { description: "Unauthorized" },
+    404: { description: "User or token not found" },
+  },
+  auth: { apiKey: true },
+});
 const mergeUsersRoute = route({
   method: "post",
   path: "/api/users/{id}/merge",
@@ -370,6 +419,7 @@ export async function handleUsers(
     try {
       const { identities, ...userFields } = parsed.body;
       const user = createUser(userFields);
+      syncUserBudgetMirror(user.id, userFields.dailyBudgetUsd);
       for (const ident of identities ?? []) {
         linkIdentity(user.id, ident.kind, ident.externalId, actor);
       }
@@ -459,6 +509,60 @@ export async function handleUsers(
     return true;
   }
+  // ─── POST /api/users/:id/mcp-tokens ───────────────────────────────────────
+  if (mintUserMcpTokenRoute.match(req.method, pathSegments)) {
+    const parsed = await mintUserMcpTokenRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const actor = getOperatorActor(req, res);
+    if (!actor) return true;
+    if (!getUserById(parsed.params.id)) {
+      jsonError(res, "User not found", 404);
+      return true;
+    }
+    try {
+      const { tokenId, plaintext } = mintToken(parsed.params.id, parsed.body.label ?? null, actor);
+      const token = listUserTokens(parsed.params.id).find((t) => t.id === tokenId);
+      json(res, { plaintext, token, user: composeUser(parsed.params.id) });
+    } catch (err) {
+      jsonError(res, err instanceof Error ? err.message : "Failed to mint token", 500);
+    }
+    return true;
+  }
+  // ─── DELETE /api/users/:id/mcp-tokens/:tokenId ────────────────────────────
+  if (revokeUserMcpTokenRoute.match(req.method, pathSegments)) {
+    const parsed = await revokeUserMcpTokenRoute.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+    const actor = getOperatorActor(req, res);
+    if (!actor) return true;
+    if (!getUserById(parsed.params.id)) {
+      jsonError(res, "User not found", 404);
+      return true;
+    }
+    const tokenBelongsToUser = listUserTokens(parsed.params.id).some(
+      (token) => token.id === parsed.params.tokenId,
+    );
+    if (!tokenBelongsToUser) {
+      jsonError(res, "Token not found", 404);
+      return true;
+    }
+    try {
+      revokeToken(parsed.params.tokenId, actor);
+      json(res, { user: composeUser(parsed.params.id) });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : "Failed to revoke token";
+      if (message.includes("Token not found")) {
+        jsonError(res, "Token not found", 404);
+      } else {
+        jsonError(res, message, 500);
+      }
+    }
+    return true;
+  }
   // ─── POST /api/users/:id/identities ────────────────────────────────────────
   if (addIdentityRoute.match(req.method, pathSegments)) {
     const parsed = await addIdentityRoute.parse(req, res, pathSegments, queryParams);
@@ -625,6 +729,7 @@ export async function handleUsers(
         jsonError(res, "User not found", 404);
         return true;
       }
+      syncUserBudgetMirror(parsed.params.id, parsed.body.dailyBudgetUsd);
       // Budget event
       if (

package/src/jira/client.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import { getOAuthTokens } from "../be/db-queries/oauth";
-import { ensureToken } from "../oauth/ensure-token";
+import { ensureToken, ensureTokenOrThrow } from "../oauth/ensure-token";
 import { getJiraMetadata } from "./metadata";
 /**
@@ -36,8 +36,7 @@ export function getJiraCloudId(): string {
  * - Prepends `https://api.atlassian.com/ex/jira/{cloudId}` to `path`.
  * - Sets `Authorization: Bearer <token>` and `Accept: application/json`.
  * - Sets `Content-Type: application/json` when a body is provided.
- * - On 401: refreshes the token (forced via `ensureToken("jira", 0)`) and
- *   retries once.
+ * - On 401: forces a token refresh and retries once.
  * - On 429: respects `Retry-After` (in seconds) with a single retry.
  *
  * Returns the raw `Response` — callers handle `response.json()`/`response.text()`
@@ -64,8 +63,7 @@ export async function jiraFetch(path: string, init?: RequestInit): Promise<Respo
   let response = await send(token);
   if (response.status === 401) {
-    // Force refresh — bufferMs=0 means "always refresh if any expiry is set"
-    await ensureToken("jira", 0);
+    await ensureTokenOrThrow("jira", Number.MAX_SAFE_INTEGER);
     token = await getJiraAccessToken();
     response = await send(token);
   }

package/src/jira/oauth.ts CHANGED Viewed

@@ -29,6 +29,7 @@ export function getJiraOAuthConfig(): OAuthProviderConfig | null {
     scopes: app.scopes.split(","),
     scopeSeparator: " ",
     extraParams: { audience: "api.atlassian.com" },
+    requiresRefreshTokenRotation: true,
   };
 }

package/src/jira/sync.ts CHANGED Viewed

@@ -21,7 +21,7 @@ import {
   getTrackerSyncByExternalId,
   updateTrackerSyncSwarmId,
 } from "../be/db-queries/tracker";
-import { ensureToken } from "../oauth/ensure-token";
+import { ensureToken, ensureTokenOrThrow } from "../oauth/ensure-token";
 import { resolveTemplate } from "../prompts/resolver";
 import { buildJiraContextKey } from "../tasks/context-key";
 import { createTaskWithSiblingAwareness } from "../tasks/sibling-awareness";
@@ -91,7 +91,7 @@ export async function resolveBotAccountId(): Promise<string | null> {
     // Mirror jiraFetch's 401-retry pattern: a token may go stale between the
     // proactive ensureToken call and the request reaching Atlassian.
     if (res.status === 401) {
-      await ensureToken("jira", 0);
+      await ensureTokenOrThrow("jira", Number.MAX_SAFE_INTEGER);
       tokens = getOAuthTokens("jira");
       if (!tokens?.accessToken) {
         console.warn("[Jira Sync] /me returned 401 and refresh produced no token");

package/src/oauth/ensure-token.ts CHANGED Viewed

@@ -18,6 +18,7 @@ function getOAuthConfig(provider: string): OAuthProviderConfig | null {
     redirectUri: app.redirectUri,
     scopes: app.scopes.split(","),
     extraParams: metadata.extraParams ?? (metadata.actor ? { actor: metadata.actor } : undefined),
+    requiresRefreshTokenRotation: provider === "jira",
   };
 }

package/src/oauth/wrapper.ts CHANGED Viewed

@@ -1,5 +1,5 @@
 import * as oauth from "oauth4webapi";
-import { storeOAuthTokens } from "../be/db-queries/oauth";
+import { storeOAuthTokens, updateOAuthTokensAfterRefresh } from "../be/db-queries/oauth";
 // ─── Types ───────────────────────────────────────────────────────────────────
@@ -13,6 +13,12 @@ export interface OAuthProviderConfig {
   scopes: string[];
   /** Extra query params appended to the authorization URL (e.g. { actor: "app" } for Linear) */
   extraParams?: Record<string, string>;
+  /**
+   * Provider rotates refresh tokens on every refresh. When true, a refresh
+   * response without a new refresh token is unusable because the old one may
+   * already be invalidated server-side.
+   */
+  requiresRefreshTokenRotation?: boolean;
   /**
    * How to join `scopes` in the authorization URL.
    *
@@ -160,7 +166,7 @@ export async function exchangeCode(
 export async function refreshAccessToken(
   config: OAuthProviderConfig,
   refreshToken: string,
-): Promise<{ accessToken: string; refreshToken?: string; expiresIn?: number }> {
+): Promise<{ accessToken: string; refreshToken?: string; expiresIn?: number; scope?: string }> {
   const body = new URLSearchParams({
     grant_type: "refresh_token",
     client_id: config.clientId,
@@ -183,23 +189,48 @@ export async function refreshAccessToken(
     access_token: string;
     token_type: string;
     expires_in?: number;
+    scope?: string;
     refresh_token?: string;
   };
+  if (typeof data.access_token !== "string" || data.access_token.length === 0) {
+    throw new Error(`Token refresh failed: ${config.provider} response missing access_token`);
+  }
+  if (
+    config.requiresRefreshTokenRotation &&
+    (typeof data.refresh_token !== "string" || data.refresh_token.length === 0)
+  ) {
+    throw new Error(
+      `Token refresh failed: ${config.provider} response did not include a rotated refresh_token`,
+    );
+  }
   const expiresAt = data.expires_in
     ? new Date(Date.now() + data.expires_in * 1000).toISOString()
     : new Date(Date.now() + 24 * 60 * 60 * 1000).toISOString();
-  storeOAuthTokens(config.provider, {
-    accessToken: data.access_token,
-    refreshToken: data.refresh_token ?? null,
-    expiresAt,
-  });
+  const nextRefreshToken = data.refresh_token ?? refreshToken;
+  try {
+    updateOAuthTokensAfterRefresh(config.provider, refreshToken, {
+      accessToken: data.access_token,
+      refreshToken: nextRefreshToken,
+      expiresAt,
+      scope: data.scope ?? null,
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : String(err);
+    console.warn(
+      `[OAuth] Refusing to use refreshed ${config.provider} access token because persistence failed: ${message}`,
+    );
+    throw err;
+  }
   return {
     accessToken: data.access_token,
     refreshToken: data.refresh_token,
     expiresIn: data.expires_in,
+    scope: data.scope,
   };
 }

package/src/providers/claude-adapter.ts CHANGED Viewed

@@ -395,6 +395,10 @@ class ClaudeSession implements ProviderSession {
       this.config.prompt,
     ];
+    if (this.config.resumeSessionId) {
+      cmd.push("--resume", this.config.resumeSessionId);
+    }
     if (this.config.additionalArgs?.length) {
       cmd.push(...this.config.additionalArgs);
     }
@@ -688,10 +692,11 @@ class ClaudeSession implements ProviderSession {
     // Stale session retry: if process failed because session not found and we used --resume,
     // strip --resume and retry with a fresh session
     if (result.exitCode !== 0 && this.errorTracker.isSessionNotFound()) {
-      const hasResume = (this.config.additionalArgs || []).includes("--resume");
+      const hasResume =
+        !!this.config.resumeSessionId || (this.config.additionalArgs || []).includes("--resume");
       if (hasResume) {
         console.log(
-          `\x1b[33m[${this.config.role}] Session not found for task ${this.config.taskId.slice(0, 8)} — retrying without --resume\x1b[0m`,
+          `\x1b[33m[${this.config.role}] Session resume failed for task ${this.config.taskId.slice(0, 8)} — retrying without --resume\x1b[0m`,
         );
         const freshArgs = (this.config.additionalArgs || []).filter((arg, idx, arr) => {

package/src/providers/claude-managed-adapter.ts CHANGED Viewed

@@ -642,7 +642,7 @@ class ClaudeManagedSession implements ProviderSession {
       this.emit({
         type: "session_init",
         sessionId: this._sessionId,
-        provider: "claude" as const,
+        provider: "claude-managed",
         providerMeta: { managed: true },
       });

package/src/providers/codex-adapter.ts CHANGED Viewed

@@ -71,6 +71,7 @@ import {
   clampContextPercent,
   computeContextUsedUnified,
 } from "../utils/context-window";
+import { SessionErrorTracker } from "../utils/error-tracker";
 import { summarizeSession as runSummarize } from "../utils/internal-ai";
 import { scrubSecrets } from "../utils/secret-scrubber";
 import { type CodexAgentsMdHandle, writeCodexAgentsMd } from "./codex-agents-md";
@@ -413,6 +414,7 @@ class CodexSession implements ProviderSession {
   private lastUsage: Usage | null = null;
   private aborted = false;
   private settled = false;
+  private readonly errorTracker = new SessionErrorTracker();
   /**
    * Result captured by `settle` but held back from `resolveCompletion` until
    * `runSession`'s `finally` block has fully cleaned up (log writer flush,
@@ -951,9 +953,11 @@ class CodexSession implements ProviderSession {
           }
           if (event.type === "turn.failed" && !terminalError) {
             terminalError = this.formatTerminalError(event.error.message);
+            this.errorTracker.processCodexUsageLimitMessage(event.error.message);
           }
           if (event.type === "error" && !terminalError) {
             terminalError = this.formatTerminalError(event.message);
+            this.errorTracker.processCodexUsageLimitMessage(event.message);
           }
         }
       } catch (err) {
@@ -970,6 +974,30 @@ class CodexSession implements ProviderSession {
           });
           return;
         }
+        // The Codex CLI exits with code 1 after emitting a UsageLimitReached or
+        // other terminal error event. The SDK then throws "Codex Exec exited with
+        // code 1: Reading prompt from stdin" AFTER the event loop ends, which
+        // would overwrite the structured terminalError we already captured above.
+        // Preserve the structured error so the [usage-limit] prefix survives to
+        // the runner's rate-limit resolver.
+        if (terminalError) {
+          const cost = this.buildCostData(this.lastUsage, true);
+          this.emit({
+            type: "result",
+            cost,
+            isError: true,
+            errorCategory: terminalError.category ?? "turn_failed",
+          });
+          this.settle({
+            exitCode: 1,
+            sessionId: this._sessionId,
+            cost,
+            isError: true,
+            failureReason: terminalError.message,
+            rateLimitResetAt: this.errorTracker.getRateLimitResetAt(),
+          });
+          return;
+        }
         throw err;
       }
@@ -987,6 +1015,7 @@ class CodexSession implements ProviderSession {
         cost,
         isError,
         failureReason: terminalError?.message,
+        rateLimitResetAt: this.errorTracker.getRateLimitResetAt(),
       });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -1000,6 +1029,7 @@ class CodexSession implements ProviderSession {
         cost,
         isError: true,
         failureReason: message,
+        rateLimitResetAt: this.errorTracker.getRateLimitResetAt(),
       });
     } finally {
       // Session-end summarization. Pure addition for codex — no behavior to