@desplega.ai/agent-swarm 1.93.0 → 1.95.0

package/src/be/scripts/boot-reembed.ts

@@ -0,0 +1,74 @@
+/**
+ * Post-listen backfill: embed scripts that are missing embeddings (e.g. after
+ * boot seeding with scriptEmbeddingMode: "skip"). Runs once per boot,
+ * async/non-blocking, idempotent, no-op when every non-scratch script already
+ * has an embedding row.
+ *
+ * Mirrors the memory boot-reembed pattern (src/be/memory/boot-reembed.ts).
+ */
+
+import { getDb } from "@/be/db";
+import type { ScriptScope } from "@/types";
+import { embedScript } from "./embeddings";
+
+type ScriptMissingEmbedding = {
+  id: string;
+  name: string;
+  scope: ScriptScope;
+  scopeId: string | null;
+  source: string;
+  description: string;
+  intent: string;
+  signatureJson: string;
+  argsJsonSchema: string | null;
+  contentHash: string;
+  version: number;
+  isScratch: number;
+  typeChecked: number;
+  fsMode: "none" | "workspace-rw";
+  createdByAgentId: string | null;
+  createdAt: string;
+  updatedAt: string;
+};
+
+export async function runBootReembedScripts(): Promise<void> {
+  const db = getDb();
+
+  const missing = db
+    .prepare<ScriptMissingEmbedding, []>(
+      `SELECT s.* FROM scripts s
+       LEFT JOIN script_embeddings e ON e.scriptId = s.id
+       WHERE s.isScratch = 0 AND e.scriptId IS NULL`,
+    )
+    .all();
+
+  if (missing.length === 0) {
+    return;
+  }
+
+  console.log(`[boot-reembed-scripts] starting: ${missing.length} scripts missing embeddings`);
+
+  let embedded = 0;
+  let failed = 0;
+
+  for (const row of missing) {
+    try {
+      await embedScript({
+        ...row,
+        scopeId: row.scopeId ?? null,
+        isScratch: row.isScratch === 1,
+        typeChecked: row.typeChecked === 1,
+        createdByAgentId: row.createdByAgentId ?? null,
+      });
+      embedded++;
+    } catch (err) {
+      failed++;
+      console.error(
+        `[boot-reembed-scripts] failed to embed "${row.name}":`,
+        (err as Error).message,
+      );
+    }
+  }
+
+  console.log(`[boot-reembed-scripts] complete: embedded=${embedded} failed=${failed}`);
+}

package/src/be/scripts/db.ts

@@ -26,6 +26,7 @@ type ScriptWriteArgs = ScriptIdentity & {
   fsMode?: ScriptFsMode;
   agentId?: string | null;
   changeReason?: string | null;
+  embeddingMode?: "sync" | "skip";
 };
 
 export type UpsertScriptResult = {
@@ -178,10 +179,11 @@ export function insertScript(args: ScriptWriteArgs): ScriptRecord {
  * immediately consistent for authored/promoted scripts.
  */
 export async function upsertScriptByName(args: ScriptWriteArgs): Promise<UpsertScriptResult> {
+  const shouldEmbed = args.embeddingMode !== "skip";
   const existing = getScript(args);
   if (!existing) {
     const script = insertScript(args);
-    if (!script.isScratch) {
+    if (!script.isScratch && shouldEmbed) {
       await embedScript(script);
     }
     return {
@@ -235,7 +237,7 @@ export async function upsertScriptByName(args: ScriptWriteArgs): Promise<UpsertS
 
       if (!row) throw new Error("Failed to update script metadata");
       const script = rowToScript(row);
-      if (!script.isScratch && (trackedMetadataChanged || promotedFromScratch)) {
+      if (!script.isScratch && shouldEmbed && (trackedMetadataChanged || promotedFromScratch)) {
         await embedScript(script);
       }
       return {
@@ -318,7 +320,7 @@ export async function upsertScriptByName(args: ScriptWriteArgs): Promise<UpsertS
   });
 
   const script = txn();
-  if (!script.isScratch) {
+  if (!script.isScratch && shouldEmbed) {
     await embedScript(script);
   }
 
@@ -347,6 +349,11 @@ export function getScript(args: ScriptIdentity): ScriptRecord | null {
   return row ? rowToScript(row) : null;
 }
 
+export function getScriptById(id: string): ScriptRecord | null {
+  const row = getDb().prepare<ScriptRow, [string]>("SELECT * FROM scripts WHERE id = ?").get(id);
+  return row ? rowToScript(row) : null;
+}
+
 export function getScriptVersion(args: {
   scriptId: string;
   version?: number;
@@ -408,6 +415,15 @@ export function listScripts(args?: {
     .map(rowToScript);
 }
 
+export function listScriptVersions(scriptId: string): ScriptVersionRecord[] {
+  return getDb()
+    .prepare<ScriptVersionRow, [string]>(
+      "SELECT * FROM script_versions WHERE scriptId = ? ORDER BY version DESC",
+    )
+    .all(scriptId)
+    .map(rowToScriptVersion);
+}
+
 export function deleteScript(args: ScriptIdentity): boolean {
   const existing = getScript(args);
   if (!existing) return false;

package/src/be/seed/index.ts

@@ -6,4 +6,4 @@
 export { runAllSeeders, SEEDERS } from "./registry";
 export { runSeeder, runSeeders } from "./runner";
 export { getSeedState, recordSeedState } from "./state-db";
-export type { SeedAction, Seeder, SeederResult, SeedItem } from "./types";
+export type { SeedAction, Seeder, SeederResult, SeederRunOptions, SeedItem } from "./types";

package/src/be/seed/registry.ts

@@ -9,11 +9,11 @@
 import { scriptsSeeder } from "../seed-scripts";
 import { skillsSeeder } from "../seed-skills";
 import { runSeeders } from "./runner";
-import type { Seeder, SeederResult } from "./types";
+import type { Seeder, SeederResult, SeederRunOptions } from "./types";
 
 export const SEEDERS: Seeder[] = [scriptsSeeder, skillsSeeder];
 
 /** Apply every registered seeder. Called at API boot and by the seed CLI. */
-export function runAllSeeders(opts?: { quiet?: boolean }): Promise<SeederResult[]> {
+export function runAllSeeders(opts?: SeederRunOptions): Promise<SeederResult[]> {
   return runSeeders(SEEDERS, opts);
 }

package/src/be/seed/runner.ts

@@ -5,7 +5,7 @@
  */
 
 import { getSeedState, recordSeedState } from "./state-db";
-import type { Seeder, SeederResult } from "./types";
+import type { Seeder, SeederResult, SeederRunOptions } from "./types";
 
 /**
  * Apply one seeder. Idempotent and version-aware:
@@ -14,7 +14,7 @@ import type { Seeder, SeederResult } from "./types";
  *   - upstream pristine, src same  -> no-op
  *   - upstream user-modified       -> preserve (never overwrite)
  */
-export async function runSeeder(seeder: Seeder, opts?: { quiet?: boolean }): Promise<SeederResult> {
+export async function runSeeder(seeder: Seeder, opts?: SeederRunOptions): Promise<SeederResult> {
   const result: SeederResult = {
     kind: seeder.kind,
     created: 0,
@@ -31,7 +31,7 @@ export async function runSeeder(seeder: Seeder, opts?: { quiet?: boolean }): Pro
 
       // Absent upstream -> create.
       if (upstream === null) {
-        await seeder.apply(item, "create");
+        await seeder.apply(item, "create", opts);
         recordSeedState(seeder.kind, item.key, item.contentHash);
         result.created += 1;
         continue;
@@ -60,7 +60,7 @@ export async function runSeeder(seeder: Seeder, opts?: { quiet?: boolean }): Pro
       }
 
       // Pristine upstream + changed source -> update to the new source version.
-      await seeder.apply(item, "update");
+      await seeder.apply(item, "update", opts);
       recordSeedState(seeder.kind, item.key, item.contentHash);
       result.updated += 1;
     } catch (err) {
@@ -88,7 +88,7 @@ export async function runSeeder(seeder: Seeder, opts?: { quiet?: boolean }): Pro
 /** Apply a list of seeders in order. */
 export async function runSeeders(
   seeders: Seeder[],
-  opts?: { quiet?: boolean },
+  opts?: SeederRunOptions,
 ): Promise<SeederResult[]> {
   const results: SeederResult[] = [];
   for (const seeder of seeders) {

package/src/be/seed/types.ts

@@ -35,6 +35,11 @@ export interface SeedItem {
   readonly contentHash: string;
 }
 
+export type SeederRunOptions = {
+  quiet?: boolean;
+  scriptEmbeddingMode?: "sync" | "skip";
+};
+
 export interface Seeder<TItem extends SeedItem = SeedItem> {
   /** Kind discriminator — namespaces this seeder's rows in `seed_state`. */
   readonly kind: string;
@@ -46,7 +51,7 @@ export interface Seeder<TItem extends SeedItem = SeedItem> {
    */
   upstreamHash(item: TItem): string | null | Promise<string | null>;
   /** Create or update the upstream entity so it matches the source definition. */
-  apply(item: TItem, action: "create" | "update"): void | Promise<void>;
+  apply(item: TItem, action: "create" | "update", opts?: SeederRunOptions): void | Promise<void>;
 }
 
 export type SeederResult = {

package/src/be/seed-pricing.ts

@@ -68,6 +68,7 @@ const MANUAL_PRICING_OVERRIDES: Array<{
  */
 const ANTHROPIC_SHORTNAME_TO_MODELSDEV: Record<string, string> = {
   fable: "claude-fable-5",
+  mythos: "claude-mythos-5",
   opus: "claude-opus-4-8",
   sonnet: "claude-sonnet-4-6",
   haiku: "claude-haiku-4-5",

package/src/be/seed-scripts/index.ts

@@ -21,7 +21,7 @@ import { computeContentHash } from "../db";
 import { getScript, upsertScriptByName } from "../scripts/db";
 import { extractArgsJsonSchema } from "../scripts/extract-schema";
 import { typecheckScript } from "../scripts/typecheck";
-import type { Seeder, SeedItem } from "../seed/types";
+import type { Seeder, SeederRunOptions, SeedItem } from "../seed/types";
 import bootTriageSrc from "./catalog/boot-triage.inline.ts" with { type: "text" };
 // @ts-expect-error Bun text imports synthesize a default string for this helper.
 import catalogReportSrc from "./catalog/catalog-report.inline.ts" with { type: "text" };
@@ -234,7 +234,7 @@ export const scriptsSeeder: Seeder<ScriptSeedItem> = {
     return existing ? existing.contentHash : null;
   },
 
-  async apply(item): Promise<void> {
+  async apply(item, _action, opts?: SeederRunOptions): Promise<void> {
     const { script } = item;
 
     const imports = validateScriptImports(script.source);
@@ -260,6 +260,7 @@ export const scriptsSeeder: Seeder<ScriptSeedItem> = {
       isScratch: false,
       typeChecked: true,
       changeReason: "Seeded from the built-in scripts catalog (src/be/seed-scripts)",
+      embeddingMode: opts?.scriptEmbeddingMode ?? "sync",
     });
   },
 };

package/src/be/skill-sync.ts

@@ -1,9 +1,8 @@
 /**
  * Filesystem sync for skills.
  *
- * Writes installed skills to ~/.claude/skills/<name>/SKILL.md,
- * ~/.pi/agent/skills/<name>/SKILL.md, and ~/.codex/skills/<name>/SKILL.md
- * so Claude Code, Pi, and Codex discover them natively.
+ * Writes installed skills to every local harness skill tree so Claude Code,
+ * Pi, Codex, OpenCode, and AGENTS.md-compatible adapters can discover them.
  *
  * This runs on the API side — workers call it via POST /api/skills/sync-filesystem.
  * The actual FS write logic lives in the worker-safe src/utils/skill-fs-writer.ts
@@ -13,6 +12,7 @@
 import { homedir } from "node:os";
 import {
   type SkillFsEntry,
+  type SkillHarnessTarget,
   type SkillSyncResult,
   writeSkillsToFilesystem,
 } from "../utils/skill-fs-writer";
@@ -32,7 +32,7 @@ export type { SkillSyncResult };
  */
 export function syncSkillsToFilesystem(
   agentId: string,
-  harnessType: "claude" | "pi" | "codex" | "all" = "all",
+  harnessType: SkillHarnessTarget = "all",
   homeOverride?: string,
 ): SkillSyncResult {
   const skills = getAgentSkills(agentId);

package/src/be/swarm-config-guard.ts

@@ -58,6 +58,14 @@ const VALIDATED_KEYS: Record<string, (value: unknown) => string | null> = {
     if (["true", "false", "1", "0"].includes(normalized)) return null;
     return "Invalid SWARM_USE_CLAUDE_BRIDGE value (must be one of: true, false, 1, 0)";
   },
+  // AWS credential mode for the Bedrock path on the pi harness.
+  //   sdk    — AWS SDK default credential chain (env, ~/.aws/*, SSO, IMDS, …)
+  //   bearer — explicit bearer token via AWS_BEARER_TOKEN_BEDROCK (future/Mantle)
+  // When absent the worker infers the mode from MODEL_OVERRIDE (sdk semantics).
+  BEDROCK_AUTH_MODE: (value) => {
+    if (value === "sdk" || value === "bearer") return null;
+    return "Invalid BEDROCK_AUTH_MODE value (must be one of: sdk, bearer)";
+  },
 };
 
 export function validateConfigValue(key: string, value: unknown): string | null {

package/src/commands/provider-credentials.ts

@@ -302,14 +302,20 @@ export async function validateProviderCredentials(provider: string): Promise<Liv
       }
       case "pi":
       case "opencode": {
-        // pi-mono with MODEL_OVERRIDE=amazon-bedrock/* delegates credential
-        // resolution to the AWS SDK default chain (env, ~/.aws/*, SSO, IMDS,
-        // assume-role, …). pi-ai exposes no Bedrock-specific check we could
-        // call here, and the SDK chain may issue slow IMDS network calls on
-        // non-EC2 hosts — so the live test is a presence check, mirroring the
-        // codex-OAuth pattern above. Real validation happens at the first
-        // Bedrock inference call.
-        if (provider === "pi" && env.MODEL_OVERRIDE?.toLowerCase().startsWith("amazon-bedrock/")) {
+        // For the pi Bedrock path, the real credential check is the
+        // `ListFoundationModels` probe that `checkProviderCredentials` (the
+        // `pi` dynamic-import arm) already ran.  That probe result is already
+        // in `buildCredStatusReport` — the live-test is a pass-through / no-op
+        // so we never issue a second AWS SDK call here (which would drag the
+        // SDK into the wrong binary or make slow IMDS calls on non-EC2 hosts).
+        // Bedrock mode: explicit BEDROCK_AUTH_MODE=sdk OR
+        //               absent BEDROCK_AUTH_MODE + amazon-bedrock/ MODEL_OVERRIDE prefix.
+        if (
+          provider === "pi" &&
+          (env.BEDROCK_AUTH_MODE?.toLowerCase() === "sdk" ||
+            (env.BEDROCK_AUTH_MODE === undefined &&
+              env.MODEL_OVERRIDE?.toLowerCase().startsWith("amazon-bedrock/")))
+        ) {
           return presenceCheckOk();
         }
         // Both pi-mono and opencode resolve credentials in the same order:

package/src/commands/runner.ts

@@ -2,6 +2,7 @@ import { existsSync, statSync } from "node:fs";
 import { mkdir, readFile, stat, writeFile } from "node:fs/promises";
 import { ensure, initialize } from "@desplega.ai/business-use";
 import type { TemplateResponse } from "../../templates/schema.ts";
+import { resolveTaskModelSelection } from "../model-tiers.ts";
 import {
   type Attributes,
   initOtel,
@@ -350,6 +351,7 @@ async function fetchResolvedEnv(
   apiKey: string,
   agentId: string,
   baseEnv: Record<string, string | undefined> = process.env,
+  taskModel?: string,
 ): Promise<ResolvedEnvResult> {
   const env: Record<string, string | undefined> = { ...baseEnv };
 
@@ -382,6 +384,12 @@ async function fetchResolvedEnv(
 
   const resolvedProvider = resolveHarnessProvider(env, baseEnv);
 
+  // Effective model: per-task model takes priority over the agent-level
+  // MODEL_OVERRIDE from swarm_config. Passed to resolveCredentialPools so
+  // the harness × model matrix can exclude incompatible credential vars
+  // (e.g. OPENAI_API_KEY when an OpenRouter model is selected on opencode).
+  const effectiveModel = taskModel || (env.MODEL_OVERRIDE as string | undefined) || "";
+
   const credentialSelections = await resolveCredentialPools(env, {
     apiUrl,
     apiKey,
@@ -393,6 +401,7 @@ async function fetchResolvedEnv(
     // Use the resolved provider (swarm_config > env) so an operator can flip
     // the worker's harness from the dashboard without restarting the container.
     provider: resolvedProvider,
+    model: effectiveModel,
   });
 
   return { env, credentialSelections, resolvedProvider };
@@ -427,6 +436,7 @@ const RELOADABLE_ENV_KEYS: ReadonlySet<string> = new Set([
   "MODEL_OVERRIDE",
   "AGENT_FS_SHARED_ORG_ID",
   "SWARM_USE_CLAUDE_BRIDGE",
+  "BEDROCK_AUTH_MODE",
 ]);
 
 /**
@@ -867,6 +877,7 @@ export async function ensureTaskFinished(
    * from the resolved swarm_config value. Falls back to env when omitted.
    */
   provider?: ProviderName,
+  failureDiagnostics?: string,
 ): Promise<void> {
   const headers: Record<string, string> = {
     "X-Agent-ID": config.agentId,
@@ -883,6 +894,9 @@ export async function ensureTaskFinished(
 
   if (status === "failed") {
     body.failureReason = failureReason || `Claude process exited with code ${exitCode}`;
+    if (failureDiagnostics) {
+      body.failureReason = `${body.failureReason}\n\n${failureDiagnostics}`;
+    }
   } else if (providerOutput) {
     const validation = await validateProviderOutputIfNeeded(config, taskId, providerOutput);
     if (validation.ok) {
@@ -1653,6 +1667,32 @@ async function findBridgeFailureArtifact(cwd: string): Promise<string | undefine
   }
 }
 
+async function readBridgeFailureTail(
+  artifactPath: string,
+  maxLines = 40,
+  maxChars = 4000,
+): Promise<string | undefined> {
+  try {
+    const text = await Bun.file(artifactPath).text();
+    const tail = text.split(/\r?\n/).slice(-maxLines).join("\n").trim();
+    if (!tail) return undefined;
+    return tail.length > maxChars ? tail.slice(-maxChars) : tail;
+  } catch {
+    return undefined;
+  }
+}
+
+export async function getBridgeFailureDiagnostics(
+  cwd: string,
+): Promise<{ artifactPath: string; paneTail?: string } | undefined> {
+  const artifactPath = await findBridgeFailureArtifact(cwd);
+  if (!artifactPath) return undefined;
+  return {
+    artifactPath,
+    paneTail: await readBridgeFailureTail(artifactPath),
+  };
+}
+
 async function updateHarnessVariantMeta(
   apiUrl: string,
   apiKey: string,
@@ -2519,6 +2559,7 @@ async function spawnProviderProcess(
     iteration: number;
     taskId?: string;
     model?: string;
+    modelTier?: string;
     resumeSessionId?: string;
     harnessProvider: ProviderName;
     cwd?: string;
@@ -2532,11 +2573,15 @@ async function spawnProviderProcess(
   // Correlation ID for logs/display — always defined
   const effectiveTaskId = realTaskId || crypto.randomUUID();
 
-  // Resolve env first so we can use MODEL_OVERRIDE from config
+  // Resolve env first so we can use MODEL_OVERRIDE from config.
+  // Pass opts.model (per-task model) so the credential picker can apply
+  // the harness × model matrix (e.g. exclude OPENAI_API_KEY for OpenRouter models).
   const { env: freshEnv, credentialSelections } = await fetchResolvedEnv(
     opts.apiUrl,
     opts.apiKey,
     opts.agentId,
+    process.env,
+    opts.model,
   );
 
   // Report which key was selected for this task (fire-and-forget)
@@ -2553,7 +2598,14 @@ async function spawnProviderProcess(
   }
 
   const configModel = (freshEnv.MODEL_OVERRIDE as string | undefined) || "";
-  const model = opts.model || configModel || "";
+  const taskModelSelection = resolveTaskModelSelection({
+    model: opts.model,
+    modelTier: opts.modelTier,
+    harnessProvider: opts.harnessProvider,
+    env: freshEnv,
+  });
+  const taskModel = taskModelSelection.model || "";
+  const model = taskModel || configModel || "";
 
   // Resolve Codex OAuth pool slot BEFORE building ProviderSessionConfig so we
   // can pass codexSlot through and the adapter writes token refreshes back to
@@ -2644,7 +2696,7 @@ async function spawnProviderProcess(
   );
   const initialModelReport = buildLatestModelReport({
     model,
-    taskModel: opts.model,
+    taskModel,
     configModel,
     taskId: realTaskId,
     harnessProvider: opts.harnessProvider,
@@ -2766,6 +2818,17 @@ async function spawnProviderProcess(
             );
           }
 
+          // Structured session-start log for observability (covers all providers)
+          {
+            const variant = event.harnessVariant ?? "unknown";
+            const version =
+              (event.harnessVariantMeta as Record<string, unknown> | undefined)?.version ??
+              "unknown";
+            console.log(
+              `[${opts.role}] [harness] provider=${event.provider ?? opts.harnessProvider} variant=${variant} version=${version} model=${model || "default"}`,
+            );
+          }
+
           // Buffer session start event
           bufferEvent({
             category: "session",
@@ -3342,6 +3405,20 @@ async function checkCompletedProcesses(
           rateLimitedUntil,
         ).catch(() => {});
       }
+      let bridgeDiagnostics: Awaited<ReturnType<typeof getBridgeFailureDiagnostics>> | undefined;
+      if (result.exitCode !== 0 && harnessProvider === "claude" && workingDir) {
+        bridgeDiagnostics = await getBridgeFailureDiagnostics(workingDir);
+        if (bridgeDiagnostics?.artifactPath && result.sessionId) {
+          console.log(`[${role}] Bridge failure artifact found: ${bridgeDiagnostics.artifactPath}`);
+          updateHarnessVariantMeta(apiConfig.apiUrl, apiConfig.apiKey, taskId, result.sessionId, {
+            failureArtifact: bridgeDiagnostics.artifactPath,
+          }).catch((err) => console.warn(`[runner] Failed to update harness variant meta: ${err}`));
+        }
+      }
+      const bridgeFailureDiagnostics =
+        bridgeDiagnostics?.paneTail != null
+          ? `Claude bridge final tmux pane tail (${bridgeDiagnostics.artifactPath}):\n${bridgeDiagnostics.paneTail}`
+          : undefined;
       await ensureTaskFinished(
         apiConfig,
         role,
@@ -3350,6 +3427,7 @@ async function checkCompletedProcesses(
         failureReason,
         result.output,
         harnessProvider,
+        bridgeFailureDiagnostics,
       );
 
       if (result.exitCode === 0 && credentialInfo) {
@@ -3361,16 +3439,6 @@ async function checkCompletedProcesses(
         ).catch(() => {});
       }
 
-      if (result.exitCode !== 0 && harnessProvider === "claude" && workingDir && result.sessionId) {
-        const artifactPath = await findBridgeFailureArtifact(workingDir);
-        if (artifactPath) {
-          console.log(`[${role}] Bridge failure artifact found: ${artifactPath}`);
-          updateHarnessVariantMeta(apiConfig.apiUrl, apiConfig.apiKey, taskId, result.sessionId, {
-            failureArtifact: artifactPath,
-          }).catch((err) => console.warn(`[runner] Failed to update harness variant meta: ${err}`));
-        }
-      }
-
       ensure({
         id: "worker_process_finished",
         flow: "task",
@@ -4391,6 +4459,7 @@ export async function runAgent(config: RunnerConfig, opts: RunnerOptions) {
               iteration,
               taskId: task.id,
               model: (task as { model?: string }).model,
+              modelTier: (task as { modelTier?: string }).modelTier,
               harnessProvider: state.harnessProvider,
               cwd: resumeCwd,
               vcsRepo: task.vcsRepo,
@@ -4710,6 +4779,7 @@ export async function runAgent(config: RunnerConfig, opts: RunnerOptions) {
 
         // Extract model from task data for per-task model selection
         const taskModel = (trigger.task as { model?: string } | undefined)?.model;
+        const taskModelTier = (trigger.task as { modelTier?: string } | undefined)?.modelTier;
 
         // Detect Slack context for conditional prompt sections
         const taskSlackChannelId = (trigger.task as { slackChannelId?: string } | undefined)
@@ -4852,6 +4922,7 @@ export async function runAgent(config: RunnerConfig, opts: RunnerOptions) {
               iteration,
               taskId: trigger.taskId,
               model: taskModel,
+              modelTier: taskModelTier,
               harnessProvider: state.harnessProvider,
               cwd: effectiveCwd,
               vcsRepo: taskVcsRepo,

package/src/http/index.ts

@@ -458,10 +458,12 @@ try {
 // Seed the built-in entity catalog (scripts today; more kinds later) so
 // `script-search` & co. return useful hits from a fresh DB. Idempotent and
 // version-aware: a pristine entity updates when its source changes, a
-// user-modified one is preserved. See src/be/seed for the framework.
+// user-modified one is preserved. Script embeddings are deferred to a
+// post-listen backfill so boot doesn't block on embedding provider calls.
+// See src/be/seed for the framework.
 try {
   const { runAllSeeders } = await import("../be/seed");
-  await runAllSeeders();
+  await runAllSeeders({ scriptEmbeddingMode: "skip" });
 } catch (err) {
   console.error("[startup] Failed to seed built-in entities:", err);
 }
@@ -565,6 +567,15 @@ httpServer
       .catch((err) => {
         console.error("[boot-reembed] startup backfill failed (non-fatal):", err);
       });
+
+    // Background backfill: embed any scripts that were seeded without embeddings
+    // (scriptEmbeddingMode: "skip" during boot). Non-blocking, idempotent, no-op
+    // when every non-scratch script already has an embedding.
+    import("../be/scripts/boot-reembed")
+      .then(({ runBootReembedScripts }) => runBootReembedScripts())
+      .catch((err) => {
+        console.error("[boot-reembed-scripts] startup backfill failed (non-fatal):", err);
+      });
   })
   .on("error", (err) => {
     console.error("HTTP Server Error:", err);

package/src/http/mcp-oauth.ts

@@ -362,6 +362,19 @@ async function prepareAuthorizeFlow(
 
   const scopes = q.scopes ? splitScopes(q.scopes) : client.scopes;
 
+  let extraParams: Record<string, string> | undefined;
+  if (server.extraAuthorizeParams) {
+    try {
+      const parsed = JSON.parse(server.extraAuthorizeParams);
+      if (parsed && typeof parsed === "object") {
+        extraParams = Object.fromEntries(Object.entries(parsed).map(([k, v]) => [k, String(v)]));
+      }
+    } catch {
+      // Malformed config must never break the authorize flow — log + ignore.
+      console.warn(`[mcp-oauth] Ignoring malformed extraAuthorizeParams for server ${mcpServerId}`);
+    }
+  }
+
   const built = await buildAuthorizeUrl({
     authorizeUrl: client.authorizeUrl,
     tokenUrl: client.tokenUrl,
@@ -369,6 +382,7 @@ async function prepareAuthorizeFlow(
     redirectUri: callbackRedirectUri(),
     scopes,
     resource: client.resourceUrl,
+    extraParams,
   });
 
   insertMcpOAuthPending({