@desplega.ai/agent-swarm 1.92.2 → 1.93.0

package/src/providers/claude-adapter.ts

@@ -470,6 +470,8 @@ class ClaudeSession implements ProviderSession {
     private sessionMcpConfig: string | null = null,
     private claudeBinaryArgv: readonly string[] = ["claude"],
     systemPromptFile: string | null = null,
+    private harnessVariant?: string,
+    private harnessVariantMeta?: Record<string, unknown>,
   ) {
     this.taskFilePid = taskFilePid;
     this.contextWindowSize = getContextWindowSize(model);
@@ -682,7 +684,13 @@ class ClaudeSession implements ProviderSession {
       // Session ID from init message
       if (json.type === "system" && json.subtype === "init" && json.session_id) {
         this._sessionId = json.session_id;
-        this.emit({ type: "session_init", sessionId: json.session_id, provider: "claude" });
+        this.emit({
+          type: "session_init",
+          sessionId: json.session_id,
+          provider: "claude",
+          ...(this.harnessVariant ? { harnessVariant: this.harnessVariant } : {}),
+          ...(this.harnessVariantMeta ? { harnessVariantMeta: this.harnessVariantMeta } : {}),
+        });
         if (json.model) {
           // Phase 4: the CLI's `init.model` reflects the actual model after any
           // backoff/fallback. Update `this.model` so subsequent CostData rows
@@ -970,6 +978,28 @@ export class ClaudeAdapter implements ProviderAdapter {
       }
     }
 
+    const harnessVariant = useClaudeBridge ? "bridge" : "stock";
+    let harnessVariantMeta: Record<string, unknown> | undefined;
+    if (useClaudeBridge) {
+      try {
+        const bin = effectiveClaudeBinaryArgv[0] ?? "claude-bridge";
+        const result = await Bun.$`${bin} --version`.quiet();
+        const trimmed = result.text().trim();
+        if (trimmed) harnessVariantMeta = { version: trimmed };
+      } catch {
+        // bridge version is best-effort
+      }
+    } else {
+      try {
+        const bin = effectiveClaudeBinaryArgv[0] ?? "claude";
+        const result = await Bun.$`${bin} --version`.quiet();
+        const trimmed = result.text().trim();
+        if (trimmed) harnessVariantMeta = { version: trimmed };
+      } catch {
+        // stock version is best-effort
+      }
+    }
+
     return new ClaudeSession(
       config,
       model,
@@ -978,6 +1008,8 @@ export class ClaudeAdapter implements ProviderAdapter {
       sessionMcpConfig,
       effectiveClaudeBinaryArgv,
       systemPromptFile,
+      harnessVariant,
+      harnessVariantMeta,
     );
   }
 

package/src/providers/claude-managed-adapter.ts

@@ -69,6 +69,7 @@ import { scrubSecrets } from "../utils/secret-scrubber";
 import { computeClaudeManagedCostUsd } from "./claude-managed-models";
 import { getRuntimeFeePerHour } from "./claude-managed-pricing";
 import { createClaudeManagedSwarmEventHandler } from "./claude-managed-swarm-events";
+import { readPkgVersion } from "./harness-version";
 import type {
   CostData,
   CredStatus,
@@ -639,11 +640,13 @@ class ClaudeManagedSession implements ProviderSession {
       // 3. Emit `session_init` once the session is wired up. Listeners
       //    attached via `onEvent` will see this either immediately (if they
       //    attached pre-emit) or via the queue flush.
+      const sdkVersion = readPkgVersion("@anthropic-ai/sdk");
       this.emit({
         type: "session_init",
         sessionId: this._sessionId,
         provider: "claude-managed",
         providerMeta: { managed: true },
+        ...(sdkVersion ? { harnessVariantMeta: { version: sdkVersion } } : {}),
       });
 
       // 4. Drain the SSE stream.

package/src/providers/claude-managed-models.ts

@@ -25,6 +25,7 @@
 
 /** Models supported by the managed-agents surface for the swarm worker. */
 export const CLAUDE_MANAGED_MODELS = [
+  "claude-fable-5",
   "claude-sonnet-4-6",
   "claude-opus-4-8",
   "claude-opus-4-7",
@@ -57,6 +58,12 @@ export interface ClaudeManagedModelPricing {
  * - claude-haiku-4-5:  $1 / $5 / $0.10 / $1.25
  */
 export const CLAUDE_MANAGED_MODEL_PRICING: Record<ClaudeManagedModel, ClaudeManagedModelPricing> = {
+  "claude-fable-5": {
+    inputPerMillion: 10.0,
+    outputPerMillion: 50.0,
+    cacheReadPerMillion: 1.0,
+    cacheWritePerMillion: 12.5,
+  },
   "claude-sonnet-4-6": {
     inputPerMillion: 3.0,
     outputPerMillion: 15.0,

package/src/providers/codex-adapter.ts

@@ -83,6 +83,7 @@ import { getValidCodexOAuth } from "./codex-oauth/storage.js";
 import { resolveCodexPrompt } from "./codex-skill-resolver";
 import { createCodexSwarmEventHandler } from "./codex-swarm-events";
 import { CTX_MODE_NUDGE_EVERY } from "./ctx-mode-env";
+import { readPkgVersion } from "./harness-version";
 import { buildOtelTraceparentEnv } from "./otel-env";
 import type {
   CostData,
@@ -694,7 +695,13 @@ export class CodexSession implements ProviderSession {
     switch (event.type) {
       case "thread.started": {
         this._sessionId = event.thread_id;
-        this.emit({ type: "session_init", sessionId: event.thread_id, provider: "codex" });
+        const codexVersion = readPkgVersion("@openai/codex-sdk");
+        this.emit({
+          type: "session_init",
+          sessionId: event.thread_id,
+          provider: "codex",
+          ...(codexVersion ? { harnessVariantMeta: { version: codexVersion } } : {}),
+        });
         break;
       }
       case "turn.started": {

package/src/providers/codex-models.ts

@@ -36,6 +36,7 @@ export const CODEX_DEFAULT_MODEL: CodexModel = "gpt-5.4";
  * a task authored for Claude works unchanged when pointed at a Codex worker.
  */
 const CLAUDE_SHORTNAMES: Record<string, CodexModel> = {
+  fable: "gpt-5.5",
   opus: "gpt-5.4",
   sonnet: "gpt-5.4",
   haiku: "gpt-5.4-mini",

package/src/providers/codex-oauth/auth-json.ts

@@ -48,6 +48,7 @@ export function authJsonToCredentialSelection(auth: CodexAuthJson, slot = 0, tot
     total,
     keySuffix: suffixSource.slice(-5),
     keyType: "CODEX_OAUTH",
+    isRateLimitFallback: false,
   };
 }
 

package/src/providers/harness-version.ts

@@ -0,0 +1,7 @@
+export function readPkgVersion(packageName: string): string | undefined {
+  try {
+    return require(`${packageName}/package.json`).version;
+  } catch {
+    return undefined;
+  }
+}

package/src/providers/opencode-adapter.ts

@@ -21,6 +21,7 @@ import { validateOpencodeCredentials } from "../utils/credentials";
 import { fetchInstalledMcpServers } from "../utils/mcp-server-fetcher";
 import { scrubSecrets } from "../utils/secret-scrubber";
 import { CTX_MODE_NUDGE_EVERY } from "./ctx-mode-env";
+import { readPkgVersion } from "./harness-version";
 import type {
   CostData,
   CredCheckOptions,
@@ -210,7 +211,7 @@ export class OpencodeSession implements ProviderSession {
   // The runner attaches its listener after `await adapter.createSession(...)`
   // resolves, but events queued via Promise.resolve().then(...) inside
   // createSession fire on the next microtask — *before* that listener call —
-  // so the runner would miss session_init and never PUT /claude-session,
+  // so the runner would miss session_init and never PUT /session,
   // leaving agent_tasks.provider/.model NULL. Buffer + flush on first attach.
   private pendingEvents: ProviderEvent[] = [];
   private completionResolve!: (result: ProviderResult) => void;
@@ -280,8 +281,13 @@ export class OpencodeSession implements ProviderSession {
 
   /** Emit the synthetic session_init event. Called by the adapter immediately
    * after construction; buffers if no listener is attached yet. */
-  emitSessionInit(provider: "opencode"): void {
-    this.emit({ type: "session_init", sessionId: this._sessionId, provider });
+  emitSessionInit(provider: "opencode", harnessVariantMeta?: Record<string, unknown>): void {
+    this.emit({
+      type: "session_init",
+      sessionId: this._sessionId,
+      provider,
+      ...(harnessVariantMeta ? { harnessVariantMeta } : {}),
+    });
   }
 
   onEvent(listener: (event: ProviderEvent) => void): void {
@@ -767,7 +773,8 @@ export class OpencodeAdapter implements ProviderAdapter {
 
     // Emit session_init synchronously; the session buffers events until the
     // runner's `onEvent(listener)` call attaches a listener.
-    session.emitSessionInit("opencode");
+    const opcVersion = readPkgVersion("@opencode-ai/sdk");
+    session.emitSessionInit("opencode", opcVersion ? { version: opcVersion } : undefined);
 
     // Subscribe to SSE events and drive the session
     client.event

package/src/providers/pi-mono-adapter.ts

@@ -26,6 +26,7 @@ import {
 } from "@earendil-works/pi-coding-agent";
 import { type TSchema, Type } from "typebox";
 import { scrubSecrets } from "../utils/secret-scrubber";
+import { readPkgVersion } from "./harness-version";
 import { createSwarmHooksExtension } from "./pi-mono-extension";
 import { McpHttpClient } from "./pi-mono-mcp-client";
 import type {
@@ -173,6 +174,7 @@ function mcpToolsToDefinitions(
  * (`anthropic/claude-{opus,sonnet,haiku}-*`).
  */
 const ANTHROPIC_SHORTNAME_OPENROUTER_MIRROR: Record<string, string> = {
+  fable: "anthropic/claude-fable-5",
   opus: "anthropic/claude-opus-4",
   sonnet: "anthropic/claude-sonnet-4",
   haiku: "anthropic/claude-haiku-4.5",
@@ -233,7 +235,8 @@ export function resolveModel(
   if (!modelStr) return undefined;
 
   const lower = modelStr.toLowerCase();
-  const isAnthropicShortname = lower === "opus" || lower === "sonnet" || lower === "haiku";
+  const isAnthropicShortname =
+    lower === "opus" || lower === "sonnet" || lower === "haiku" || lower === "fable";
 
   // Reroute anthropic shortnames through OpenRouter when no anthropic cred
   // is available. The OpenRouter mirror IDs (`anthropic/claude-sonnet-4`,
@@ -251,6 +254,7 @@ export function resolveModel(
 
   // Map common shortnames to provider/model pairs (native anthropic path).
   const shortnames: Record<string, [string, string]> = {
+    fable: ["anthropic", "claude-fable-5"],
     opus: ["anthropic", "claude-opus-4-20250514"],
     sonnet: ["anthropic", "claude-sonnet-4-20250514"],
     haiku: ["anthropic", "claude-haiku-4-5-20251001"],
@@ -367,7 +371,13 @@ export class PiMonoSession implements ProviderSession {
     this.sessionStartedAt = Date.now();
 
     // Emit session_init immediately
-    this.emit({ type: "session_init", sessionId: this._sessionId, provider: "pi" });
+    const piVersion = readPkgVersion("@earendil-works/pi-coding-agent");
+    this.emit({
+      type: "session_init",
+      sessionId: this._sessionId,
+      provider: "pi",
+      ...(piVersion ? { harnessVariantMeta: { version: piVersion } } : {}),
+    });
 
     // Subscribe to agent events and normalize
     this.agentSession.subscribe((event) => this.handleAgentEvent(event));

package/src/providers/types.ts

@@ -42,6 +42,8 @@ export type ProviderEvent =
       sessionId: string;
       provider?: ProviderName;
       providerMeta?: Record<string, unknown>;
+      harnessVariant?: string;
+      harnessVariantMeta?: Record<string, unknown>;
     }
   | { type: "message"; role: "assistant" | "user"; content: string }
   | { type: "tool_start"; toolCallId: string; toolName: string; args: unknown }

package/src/scripts-runtime/egress-secrets.ts

@@ -0,0 +1,83 @@
+import type { EgressSecretEntry } from "./executors/types";
+
+/**
+ * Hardcoded allowlist mapping env-var names to the hosts where egress
+ * substitution is permitted. Adding a new entry here is a security-boundary
+ * decision — it lets scripts authenticate to that host without the caller
+ * passing the secret explicitly.
+ */
+const EGRESS_ALLOWLIST: Record<string, string[]> = {
+  GITHUB_TOKEN: ["api.github.com"],
+};
+
+export function buildEgressSecrets(): EgressSecretEntry[] {
+  const entries: EgressSecretEntry[] = [];
+  for (const [envKey, hosts] of Object.entries(EGRESS_ALLOWLIST)) {
+    const value = process.env[envKey];
+    if (!value) continue;
+    entries.push({
+      placeholder: `[REDACTED:${envKey}]`,
+      hosts,
+      value,
+    });
+  }
+  return entries;
+}
+
+export function patchFetchWithEgressSubstitution(secrets: EgressSecretEntry[]): void {
+  if (secrets.length === 0) return;
+
+  const byPlaceholder = new Map<string, EgressSecretEntry>();
+  for (const entry of secrets) {
+    byPlaceholder.set(entry.placeholder, entry);
+  }
+
+  const originalFetch = globalThis.fetch;
+
+  globalThis.fetch = function patchedFetch(
+    input: string | URL | Request,
+    init?: RequestInit,
+  ): Promise<Response> {
+    let hostname: string;
+    try {
+      const url = input instanceof Request ? input.url : input instanceof URL ? input.href : input;
+      hostname = new URL(url).hostname;
+    } catch {
+      return originalFetch(input, init);
+    }
+
+    const headers = new Headers(input instanceof Request ? input.headers : init?.headers);
+
+    let modified = false;
+    const newHeaders = new Headers();
+
+    for (const [key, rawValue] of headers.entries()) {
+      let value = rawValue;
+      for (const [placeholder, entry] of byPlaceholder) {
+        if (value.includes(placeholder) && entry.hosts.includes(hostname)) {
+          value = value.split(placeholder).join(entry.value);
+          modified = true;
+        }
+      }
+      newHeaders.set(key, value);
+    }
+
+    if (!modified) return originalFetch(input, init);
+
+    const mergedInit: RequestInit = {
+      ...(input instanceof Request
+        ? {
+            method: input.method,
+            body: input.body,
+            redirect: input.redirect,
+            signal: input.signal,
+          }
+        : {}),
+      ...init,
+      headers: newHeaders,
+    };
+
+    const url = input instanceof Request ? input.url : input;
+    return originalFetch(url, mergedInit);
+  } as typeof fetch;
+}

package/src/scripts-runtime/eval-harness.ts

@@ -1,4 +1,5 @@
 import { buildCtx } from "./ctx";
+import { patchFetchWithEgressSubstitution } from "./egress-secrets";
 import type { SwarmConfigPayload } from "./executors/types";
 import { SwarmConfig } from "./swarm-config";
 
@@ -84,6 +85,9 @@ try {
   }
 
   const payload = JSON.parse(stdin) as SwarmConfigPayload;
+  if (payload.egressSecrets?.length) {
+    patchFetchWithEgressSubstitution(payload.egressSecrets);
+  }
   const swarmConfig = new SwarmConfig(payload);
   const rawArgs = JSON.parse(await Bun.file(requiredEnv("SWARM_SCRIPT_ARGS_FILE")).text());
   // Accept both shapes: callers may pass an already-serialized JSON string.

package/src/scripts-runtime/executors/types.ts

@@ -1,5 +1,11 @@
 export type ScriptFsMode = "none" | "workspace-rw";
 
+export type EgressSecretEntry = {
+  placeholder: string;
+  hosts: string[];
+  value: string;
+};
+
 export type SwarmConfigPayload = {
   system: {
     apiKey: { value: string; isSecret: true };
@@ -7,6 +13,7 @@ export type SwarmConfigPayload = {
     mcpBaseUrl: { value: string; isSecret: false };
   };
   user: Record<string, { value: string; isSecret: boolean }>;
+  egressSecrets?: EgressSecretEntry[];
 };
 
 export type ScriptResourcePolicy = {

package/src/scripts-runtime/loader.ts

@@ -1,5 +1,6 @@
 import { getApiKey } from "../utils/api-key";
 import { scrubObject, scrubSecrets } from "../utils/secret-scrubber";
+import { buildEgressSecrets } from "./egress-secrets";
 import { getScriptExecutor } from "./executors/registry";
 import {
   DEFAULT_SCRIPT_RESOURCES,
@@ -44,6 +45,7 @@ function buildConfigPayload(input: RunScriptInput): SwarmConfigPayload {
       },
     },
     user: input.userConfig ?? {},
+    egressSecrets: buildEgressSecrets(),
   };
 }
 

package/src/server-user.ts

@@ -28,9 +28,9 @@ const userSendTaskInputSchema = z.object({
   tags: z.array(z.string()).optional().describe("Tags for filtering (e.g., ['urgent'])."),
   priority: z.number().int().min(0).max(100).optional().describe("Priority 0-100 (default: 50)."),
   model: z
-    .enum(["haiku", "sonnet", "opus"])
+    .enum(["haiku", "sonnet", "opus", "fable"])
     .optional()
-    .describe("Model to use for this task ('haiku', 'sonnet', or 'opus')."),
+    .describe("Model to use for this task ('haiku', 'sonnet', 'opus', or 'fable')."),
 });
 
 export function createUserServer(user: User): McpServer {

package/src/slack/channel-join.ts

@@ -0,0 +1,41 @@
+import type { WebClient } from "@slack/web-api";
+
+// @slack/web-api platform errors set message to "An API error occurred: <code>"
+// and store the raw Slack API code at error.data.error.
+function slackCode(error: unknown): string | undefined {
+  if (!(error instanceof Error)) return undefined;
+  const d = (error as { data?: { error?: unknown } }).data;
+  return typeof d?.error === "string" ? d.error : undefined;
+}
+
+/**
+ * Wraps a Slack API call with automatic channel join for public channels.
+ *
+ * On not_in_channel: calls conversations.join and retries the original call once.
+ * On private channel (method_not_supported_for_channel_type): throws a descriptive
+ * error telling the caller the bot must be /invite-d — it cannot self-join private channels.
+ */
+export async function withAutoJoin<T>(
+  client: WebClient,
+  channelId: string,
+  fn: () => Promise<T>,
+): Promise<T> {
+  try {
+    return await fn();
+  } catch (error) {
+    if (slackCode(error) !== "not_in_channel") throw error;
+
+    try {
+      await client.conversations.join({ channel: channelId });
+    } catch (joinError) {
+      if (slackCode(joinError) === "method_not_supported_for_channel_type") {
+        throw new Error(
+          `Cannot access private channel ${channelId} — invite the bot with /invite @<bot-name> first.`,
+        );
+      }
+      throw joinError;
+    }
+
+    return await fn();
+  }
+}

package/src/tests/additive-buffer.test.ts

@@ -15,7 +15,6 @@ describe("createAdditiveBuffer", () => {
       /positive number/,
     );
     expect(() => createAdditiveBuffer({ timeoutMs: -1, onFlush: () => {} })).toThrow();
-    // biome-ignore lint/suspicious/noExplicitAny: type-guard test
     expect(() => createAdditiveBuffer({ timeoutMs: NaN as any, onFlush: () => {} })).toThrow();
   });
 

package/src/tests/api-key-tracking.test.ts

@@ -5,6 +5,7 @@
 import { afterAll, beforeAll, describe, expect, test } from "bun:test";
 import { unlink } from "node:fs/promises";
 import {
+  clearKeyRateLimit,
   closeDb,
   getAvailableKeyIndices,
   getKeyStatuses,
@@ -12,6 +13,7 @@ import {
   markKeyRateLimited,
   recordKeyUsage,
 } from "../be/db";
+import type { CredentialSelection } from "../utils/credentials";
 import { resolveCredentialPools, selectCredential } from "../utils/credentials";
 
 // ─── Credential Selection Unit Tests ────────────────────────────────────────
@@ -53,6 +55,7 @@ describe("selectCredential", () => {
     const value = "key-aaa11,key-bbb22";
     const result = selectCredential(value, []);
     expect(["key-aaa11", "key-bbb22"]).toContain(result.selected);
+    expect(result.isRateLimitFallback).toBe(true);
   });
 
   test("filters out-of-range availableIndices", () => {
@@ -60,6 +63,23 @@ describe("selectCredential", () => {
     const result = selectCredential(value, [99]); // Out of range
     // Falls back to random
     expect(["key-aaa11", "key-bbb22"]).toContain(result.selected);
+    expect(result.isRateLimitFallback).toBe(true);
+  });
+
+  test("isRateLimitFallback is false when indices are available", () => {
+    const result = selectCredential("key-aaa11,key-bbb22", [0, 1]);
+    expect(result.isRateLimitFallback).toBe(false);
+  });
+
+  test("isRateLimitFallback is false when no availability info", () => {
+    const result = selectCredential("key-aaa11,key-bbb22");
+    expect(result.isRateLimitFallback).toBe(false);
+  });
+
+  test("single key with empty availableIndices sets isRateLimitFallback", () => {
+    const result = selectCredential("single-key", []);
+    expect(result.isRateLimitFallback).toBe(true);
+    expect(result.selected).toBe("single-key");
   });
 
   test("keySuffix is last 5 chars of selected key", () => {
@@ -198,4 +218,97 @@ describe("API key tracking DB queries", () => {
     const key1b = statuses2.find((s) => s.keySuffix === "bbb22");
     expect(key1b!.rateLimitCount).toBe(2);
   });
+
+  test("clearKeyRateLimit clears a rate-limited key", () => {
+    const until = new Date(Date.now() + 300_000).toISOString();
+    recordKeyUsage("OPENAI_API_KEY", "oai01", 0, null);
+    markKeyRateLimited("OPENAI_API_KEY", "oai01", 0, until);
+
+    let statuses = getKeyStatuses("OPENAI_API_KEY");
+    expect(statuses.find((s) => s.keySuffix === "oai01")!.status).toBe("rate_limited");
+
+    const cleared = clearKeyRateLimit("OPENAI_API_KEY", "oai01");
+    expect(cleared).toBe(true);
+
+    statuses = getKeyStatuses("OPENAI_API_KEY");
+    expect(statuses.find((s) => s.keySuffix === "oai01")!.status).toBe("available");
+    expect(statuses.find((s) => s.keySuffix === "oai01")!.rateLimitedUntil).toBeNull();
+  });
+
+  test("clearKeyRateLimit returns false for already-available key", () => {
+    recordKeyUsage("OPENAI_API_KEY", "oai02", 1, null);
+    const cleared = clearKeyRateLimit("OPENAI_API_KEY", "oai02");
+    expect(cleared).toBe(false);
+  });
+});
+
+// ─── Cross-keyType Failover Logic Tests ──────────────────────────────────────
+
+describe("cross-keyType failover", () => {
+  test("prefers non-rate-limited credential when both keyTypes available", () => {
+    const rateLimited: CredentialSelection = {
+      selected: "sk-xxx",
+      index: 0,
+      total: 1,
+      keySuffix: "k-xxx",
+      keyType: "OPENAI_API_KEY",
+      isRateLimitFallback: true,
+    };
+    const healthy: CredentialSelection = {
+      selected: "oauth-yyy",
+      index: 0,
+      total: 2,
+      keySuffix: "h-yyy",
+      keyType: "CODEX_OAUTH",
+      isRateLimitFallback: false,
+    };
+
+    // Simulate the runner's primary selection logic
+    let primarySelection: CredentialSelection | undefined;
+    if (rateLimited && healthy) {
+      if (rateLimited.isRateLimitFallback && !healthy.isRateLimitFallback) {
+        primarySelection = healthy;
+      } else {
+        primarySelection = rateLimited;
+      }
+    } else {
+      primarySelection = rateLimited ?? healthy;
+    }
+
+    expect(primarySelection).toBe(healthy);
+    expect(primarySelection!.keyType).toBe("CODEX_OAUTH");
+  });
+
+  test("uses first credential when neither is rate-limited", () => {
+    const first: CredentialSelection = {
+      selected: "sk-aaa",
+      index: 0,
+      total: 1,
+      keySuffix: "k-aaa",
+      keyType: "OPENAI_API_KEY",
+      isRateLimitFallback: false,
+    };
+    const second: CredentialSelection = {
+      selected: "oauth-bbb",
+      index: 0,
+      total: 1,
+      keySuffix: "h-bbb",
+      keyType: "CODEX_OAUTH",
+      isRateLimitFallback: false,
+    };
+
+    let primarySelection: CredentialSelection | undefined;
+    if (first && second) {
+      if (first.isRateLimitFallback && !second.isRateLimitFallback) {
+        primarySelection = second;
+      } else {
+        primarySelection = first;
+      }
+    } else {
+      primarySelection = first ?? second;
+    }
+
+    expect(primarySelection).toBe(first);
+    expect(primarySelection!.keyType).toBe("OPENAI_API_KEY");
+  });
 });

package/src/tests/approval-requests.test.ts

@@ -577,11 +577,8 @@ describe("Approval Requests", () => {
       });
 
       expect(result.status).toBe("success");
-      // biome-ignore lint/suspicious/noExplicitAny: test assertion on untyped executor result
       expect((result as any).async).toBe(true);
-      // biome-ignore lint/suspicious/noExplicitAny: test assertion on untyped executor result
       expect((result as any).waitFor).toBe("approval.resolved");
-      // biome-ignore lint/suspicious/noExplicitAny: test assertion on untyped executor result
       expect((result as any).correlationId).toBeTruthy();
 
       // Verify the request was created in DB
@@ -616,9 +613,7 @@ describe("Approval Requests", () => {
       });
 
       expect(result.status).toBe("success");
-      // biome-ignore lint/suspicious/noExplicitAny: test assertion on untyped executor result
       expect((result as any).async).toBe(true);
-      // biome-ignore lint/suspicious/noExplicitAny: test assertion on untyped executor result
       expect((result as any).correlationId).toBe(existingId);
     });
 
@@ -650,7 +645,6 @@ describe("Approval Requests", () => {
       });
 
       expect(result.status).toBe("success");
-      // biome-ignore lint/suspicious/noExplicitAny: test assertion on untyped executor result
       expect((result as any).async).toBeUndefined();
       expect(result.output).toBeDefined();
       expect(result.output!.requestId).toBe(existingId);

package/src/tests/claude-managed-setup.test.ts

@@ -59,7 +59,6 @@ describe("runClaudeManagedSetupFlow — happy path", () => {
     const log = mock((_msg: string) => undefined);
 
     const result = await runClaudeManagedSetupFlow(baseConfig, {
-      // biome-ignore lint/suspicious/noExplicitAny: fake client subset for mock
       client: client as any,
       fetchConfig,
       upsert,
@@ -132,7 +131,6 @@ describe("runClaudeManagedSetupFlow — happy path", () => {
     await runClaudeManagedSetupFlow(
       { ...baseConfig, mcpBaseUrl: "https://swarm.example.com/" },
       {
-        // biome-ignore lint/suspicious/noExplicitAny: fake client subset for mock
         client: client as any,
         fetchConfig: mock(async () => null),
         upsert: mock(async () => undefined),
@@ -175,7 +173,6 @@ describe("runClaudeManagedSetupFlow — idempotent re-run", () => {
     const uploadOne = mock(async () => null);
 
     const result = await runClaudeManagedSetupFlow(baseConfig, {
-      // biome-ignore lint/suspicious/noExplicitAny: fake client subset for mock
       client: client as any,
       fetchConfig,
       upsert,
@@ -208,7 +205,6 @@ describe("runClaudeManagedSetupFlow — idempotent re-run", () => {
     await runClaudeManagedSetupFlow(
       { ...baseConfig, force: true },
       {
-        // biome-ignore lint/suspicious/noExplicitAny: fake client subset for mock
         client: client as any,
         fetchConfig,
         upsert,