@desplega.ai/agent-swarm 1.96.0 → 1.98.0

package/openapi.json

@@ -2,7 +2,7 @@
   "openapi": "3.1.0",
   "info": {
     "title": "Agent Swarm API",
-    "version": "1.96.0",
+    "version": "1.98.0",
     "description": "Multi-agent orchestration API for Claude Code, Codex, and Gemini CLI. Enables task distribution, agent communication, and service discovery.\n\nMCP tools are documented separately in [MCP.md](./MCP.md)."
   },
   "servers": [
@@ -2583,6 +2583,96 @@
         }
       }
     },
+    "/api/keys/report-rate-limit-windows": {
+      "post": {
+        "summary": "Record provider-emitted rate-limit window telemetry for an API key",
+        "tags": [
+          "API Keys"
+        ],
+        "security": [
+          {
+            "bearerAuth": []
+          }
+        ],
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "keyType": {
+                    "type": "string"
+                  },
+                  "keySuffix": {
+                    "type": "string",
+                    "minLength": 1,
+                    "maxLength": 10
+                  },
+                  "keyIndex": {
+                    "type": "integer",
+                    "minimum": 0
+                  },
+                  "windows": {
+                    "type": "object",
+                    "additionalProperties": {
+                      "type": "object",
+                      "properties": {
+                        "status": {
+                          "type": "string"
+                        },
+                        "utilization": {
+                          "type": "number"
+                        },
+                        "resetsAt": {
+                          "type": "number"
+                        },
+                        "isUsingOverage": {
+                          "type": "boolean"
+                        },
+                        "surpassedThreshold": {
+                          "type": "number"
+                        },
+                        "lastSeenAt": {
+                          "type": "string",
+                          "format": "date-time"
+                        }
+                      },
+                      "required": [
+                        "status",
+                        "lastSeenAt"
+                      ]
+                    }
+                  },
+                  "scope": {
+                    "type": "string"
+                  },
+                  "scopeId": {
+                    "type": "string"
+                  }
+                },
+                "required": [
+                  "keyType",
+                  "keySuffix",
+                  "keyIndex",
+                  "windows"
+                ]
+              }
+            }
+          }
+        },
+        "responses": {
+          "200": {
+            "description": "Rate-limit window telemetry recorded"
+          },
+          "400": {
+            "description": "Validation error"
+          },
+          "401": {
+            "description": "Unauthorized"
+          }
+        }
+      }
+    },
     "/api/keys/available": {
       "get": {
         "summary": "Get available (non-rate-limited) key indices for a credential type",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@desplega.ai/agent-swarm",
-  "version": "1.96.0",
+  "version": "1.98.0",
   "description": "Multi-agent orchestration for Claude Code, Codex, Gemini CLI, and other AI coding assistants",
   "license": "MIT",
   "author": "desplega.sh <contact@desplega.sh>",

package/src/be/db.ts

@@ -102,6 +102,7 @@ import type {
 } from "../types";
 import { FollowUpConfigSchema, isTerminalTaskStatus } from "../types";
 import { deriveProviderFromKeyType } from "../utils/credentials";
+import type { RateLimitWindowTelemetry } from "../utils/error-tracker";
 import { getCurrentRequestUserId } from "../utils/request-auth-context";
 import { scrubSecrets } from "../utils/secret-scrubber";
 import { decryptSecret, encryptSecret, getEncryptionKey, resolveEncryptionKey } from "./crypto";
@@ -9984,10 +9985,31 @@ export interface ApiKeyStatus {
   name: string | null;
   /** Auto-derived harness provider (claude/pi/codex) — see deriveProviderFromKeyType. */
   provider: string;
+  /** Latest provider-emitted rate-limit window snapshots, keyed by window type. */
+  rateLimitWindows: RateLimitWindowTelemetry;
   createdAt: string;
   updatedAt: string;
 }
 
+type ApiKeyStatusRow = Omit<ApiKeyStatus, "rateLimitWindows"> & { rateLimitWindows: string | null };
+
+function parseRateLimitWindowsJson(value: string | null | undefined): RateLimitWindowTelemetry {
+  if (!value) return {};
+  try {
+    const parsed = JSON.parse(value) as unknown;
+    if (parsed && typeof parsed === "object" && !Array.isArray(parsed)) {
+      return parsed as RateLimitWindowTelemetry;
+    }
+  } catch {
+    // Ignore malformed historical values; telemetry is best-effort.
+  }
+  return {};
+}
+
+function rowToApiKeyStatus(row: ApiKeyStatusRow): ApiKeyStatus {
+  return { ...row, rateLimitWindows: parseRateLimitWindowsJson(row.rateLimitWindows) };
+}
+
 /**
  * Get available (non-rate-limited) key indices for a credential type.
  * Automatically clears expired rate limits before returning.
@@ -10106,6 +10128,43 @@ export function markKeyRateLimited(
     );
 }
 
+export function recordKeyRateLimitWindows(
+  keyType: string,
+  keySuffix: string,
+  keyIndex: number,
+  windows: RateLimitWindowTelemetry,
+  scope = "global",
+  scopeId: string | null = null,
+): void {
+  if (Object.keys(windows).length === 0) return;
+
+  const now = new Date().toISOString();
+  const effectiveScopeId = scopeId ?? "";
+  const provider = deriveProviderFromKeyType(keyType);
+  const db = getDb();
+  const existing = db
+    .prepare<{ rateLimitWindows: string | null }, [string, string, string, string]>(
+      `SELECT rateLimitWindows FROM api_key_status
+       WHERE keyType = ? AND keySuffix = ? AND scope = ? AND scopeId = ?`,
+    )
+    .get(keyType, keySuffix, scope, effectiveScopeId);
+  const serialized = JSON.stringify({
+    ...parseRateLimitWindowsJson(existing?.rateLimitWindows),
+    ...windows,
+  });
+
+  db.prepare(
+    `INSERT INTO api_key_status (keyType, keySuffix, keyIndex, scope, scopeId, rateLimitWindows, provider, updatedAt)
+       VALUES (?, ?, ?, ?, ?, ?, ?, ?)
+       ON CONFLICT(keyType, keySuffix, scope, scopeId)
+       DO UPDATE SET
+         rateLimitWindows = excluded.rateLimitWindows,
+         keyIndex = excluded.keyIndex,
+         provider = excluded.provider,
+         updatedAt = excluded.updatedAt`,
+  ).run(keyType, keySuffix, keyIndex, scope, effectiveScopeId, serialized, provider, now);
+}
+
 /**
  * Set or clear the human-friendly `name` label on a pooled credential.
  * Identified by the natural key (keyType + keySuffix + scope + scopeId).
@@ -10177,8 +10236,9 @@ export function getKeyStatuses(
 
   const where = conditions.length > 0 ? `WHERE ${conditions.join(" AND ")}` : "";
   return db
-    .prepare<ApiKeyStatus, string[]>(`SELECT * FROM api_key_status ${where} ORDER BY keyIndex`)
-    .all(...params);
+    .prepare<ApiKeyStatusRow, string[]>(`SELECT * FROM api_key_status ${where} ORDER BY keyIndex`)
+    .all(...params)
+    .map(rowToApiKeyStatus);
 }
 
 export interface KeyCostSummary {

package/src/be/migrations/095_api_key_rate_limit_windows.sql

@@ -0,0 +1,5 @@
+-- Persist provider-emitted rate-limit window telemetry on credential rows.
+-- Shape is JSON keyed by provider window type, e.g.
+-- {"five_hour":{"status":"allowed_warning","utilization":0.82,"resetsAt":1781334000,"isUsingOverage":false,"surpassedThreshold":0.75,"lastSeenAt":"..."}}
+
+ALTER TABLE api_key_status ADD COLUMN rateLimitWindows TEXT NOT NULL DEFAULT '{}';

package/src/be/scripts/boot-reembed.ts

@@ -1,17 +1,17 @@
 /**
  * Post-listen backfill: embed scripts that are missing embeddings (e.g. after
- * boot seeding with scriptEmbeddingMode: "skip"). Runs once per boot,
- * async/non-blocking, idempotent, no-op when every non-scratch script already
- * has an embedding row.
+ * boot seeding with scriptEmbeddingMode: "skip") AND re-embed scripts whose
+ * stored embedding has the wrong dimension (e.g. 1536d legacy rows vs current
+ * 512d). Runs once per boot, async/non-blocking, idempotent, no-op when clean.
  *
  * Mirrors the memory boot-reembed pattern (src/be/memory/boot-reembed.ts).
  */
 
 import { getDb } from "@/be/db";
 import type { ScriptScope } from "@/types";
-import { embedScript } from "./embeddings";
+import { embeddingProvider, embedScript } from "./embeddings";
 
-type ScriptMissingEmbedding = {
+type ScriptRow = {
   id: string;
   name: string;
   scope: ScriptScope;
@@ -31,35 +31,65 @@ type ScriptMissingEmbedding = {
   updatedAt: string;
 };
 
+function toScriptRecord(row: ScriptRow) {
+  return {
+    ...row,
+    scopeId: row.scopeId ?? null,
+    isScratch: row.isScratch === 1,
+    typeChecked: row.typeChecked === 1,
+    createdByAgentId: row.createdByAgentId ?? null,
+  };
+}
+
 export async function runBootReembedScripts(): Promise<void> {
   const db = getDb();
+  const provider = embeddingProvider();
+  const expectedBytes = provider.dimensions * Float32Array.BYTES_PER_ELEMENT;
 
   const missing = db
-    .prepare<ScriptMissingEmbedding, []>(
+    .prepare<ScriptRow, []>(
       `SELECT s.* FROM scripts s
        LEFT JOIN script_embeddings e ON e.scriptId = s.id
        WHERE s.isScratch = 0 AND e.scriptId IS NULL`,
     )
     .all();
 
-  if (missing.length === 0) {
+  const wrongDim = db
+    .prepare<ScriptRow, []>(
+      `SELECT s.* FROM scripts s
+       JOIN script_embeddings e ON e.scriptId = s.id
+       WHERE s.isScratch = 0 AND length(e.embedding) != ${expectedBytes}`,
+    )
+    .all();
+
+  if (missing.length === 0 && wrongDim.length === 0) {
     return;
   }
 
-  console.log(`[boot-reembed-scripts] starting: ${missing.length} scripts missing embeddings`);
+  if (missing.length > 0) {
+    console.log(`[boot-reembed-scripts] ${missing.length} scripts missing embeddings`);
+  }
+  if (wrongDim.length > 0) {
+    console.log(
+      `[boot-reembed-scripts] ${wrongDim.length} scripts with wrong-dimension embeddings (expected ${expectedBytes} bytes)`,
+    );
+  }
+
+  // Probe: verify the provider can actually generate embeddings
+  const probe = await provider.embed("test");
+  if (!probe) {
+    console.warn(
+      `[boot-reembed-scripts] skipped: no working embedding provider (missing OpenAI key?)`,
+    );
+    return;
+  }
 
   let embedded = 0;
   let failed = 0;
 
-  for (const row of missing) {
+  for (const row of [...missing, ...wrongDim]) {
     try {
-      await embedScript({
-        ...row,
-        scopeId: row.scopeId ?? null,
-        isScratch: row.isScratch === 1,
-        typeChecked: row.typeChecked === 1,
-        createdByAgentId: row.createdByAgentId ?? null,
-      });
+      await embedScript(toScriptRecord(row));
       embedded++;
     } catch (err) {
       failed++;
@@ -70,5 +100,15 @@ export async function runBootReembedScripts(): Promise<void> {
     }
   }
 
-  console.log(`[boot-reembed-scripts] complete: embedded=${embedded} failed=${failed}`);
+  const afterWrongDim =
+    db
+      .prepare<{ count: number }, []>(
+        `SELECT COUNT(*) as count FROM script_embeddings
+         WHERE length(embedding) != ${expectedBytes}`,
+      )
+      .get()?.count ?? 0;
+
+  console.log(
+    `[boot-reembed-scripts] complete: embedded=${embedded} failed=${failed} remaining_wrong_dim=${afterWrongDim}`,
+  );
 }

package/src/be/scripts/embeddings.ts

@@ -42,7 +42,7 @@ export type ScriptSearchResult = {
 
 let providerOverride: EmbeddingProvider | null = null;
 
-function embeddingProvider(): EmbeddingProvider {
+export function embeddingProvider(): EmbeddingProvider {
   return providerOverride ?? getEmbeddingProvider();
 }
 
@@ -82,6 +82,13 @@ export async function embedScript(script: ScriptRecord): Promise<void> {
   const embedding = await provider.embed(text);
   if (!embedding) return;
 
+  if (embedding.length !== provider.dimensions) {
+    console.error(
+      `[script-embed] dimension mismatch for "${script.name}": expected=${provider.dimensions} got=${embedding.length}, skipping`,
+    );
+    return;
+  }
+
   getDb()
     .prepare(
       `INSERT INTO script_embeddings (
@@ -204,20 +211,24 @@ export async function searchScripts(args: {
   const candidates = candidateRows(args.scope, args.scopeId);
   if (candidates.length === 0) return lexicalFallback(args);
 
-  return candidates
-    .map((row) => {
-      const script = rowToScript(row);
-      const semanticScore = cosineSimilarity(queryEmbedding, deserializeEmbedding(row.embedding));
-      const bonus = nameMatchBonus(script, args.query);
-      return {
-        script,
-        score: 0.7 * semanticScore + 0.3 * bonus,
-        semanticScore,
-        nameMatchBonus: bonus,
-      };
-    })
-    .sort((a, b) => b.score - a.score)
-    .slice(0, args.limit ?? 10);
+  const results: ScriptSearchResult[] = [];
+  for (const row of candidates) {
+    const stored = deserializeEmbedding(row.embedding);
+    if (stored.length !== queryEmbedding.length) continue;
+    const script = rowToScript(row);
+    const semanticScore = cosineSimilarity(queryEmbedding, stored);
+    const bonus = nameMatchBonus(script, args.query);
+    results.push({
+      script,
+      score: 0.7 * semanticScore + 0.3 * bonus,
+      semanticScore,
+      nameMatchBonus: bonus,
+    });
+  }
+
+  if (results.length === 0) return lexicalFallback(args);
+
+  return results.sort((a, b) => b.score - a.score).slice(0, args.limit ?? 10);
 }
 
 export async function reembedAllScripts(): Promise<void> {

package/src/commands/runner.ts

@@ -45,6 +45,7 @@ import {
   isRateLimitMessage,
   MAX_RATE_LIMIT_RESET_MS,
   parseRateLimitResetTime,
+  type RateLimitWindowTelemetry,
   resolveCodexCreditsExhaustedCooldownMs,
 } from "../utils/error-tracker.ts";
 import { resolveHarnessProvider } from "../utils/harness-provider.ts";
@@ -1125,6 +1126,35 @@ async function reportKeyRateLimit(
   }
 }
 
+async function reportKeyRateLimitWindows(
+  apiUrl: string,
+  apiKey: string,
+  keyType: string,
+  keySuffix: string,
+  keyIndex: number,
+  windows: RateLimitWindowTelemetry,
+): Promise<void> {
+  if (Object.keys(windows).length === 0) return;
+  try {
+    await fetch(`${apiUrl}/api/keys/report-rate-limit-windows`, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        Authorization: `Bearer ${apiKey}`,
+      },
+      body: JSON.stringify({
+        keyType,
+        keySuffix,
+        keyIndex,
+        windows,
+      }),
+    });
+    console.log(`[credentials] Reported rate-limit windows for key ...${keySuffix}`);
+  } catch {
+    // Non-blocking
+  }
+}
+
 /** Clear a stale rate-limit record after a successful task (fire-and-forget) */
 async function reportKeyClearRateLimit(
   apiUrl: string,
@@ -3406,6 +3436,17 @@ async function checkCompletedProcesses(
           rateLimitedUntil,
         ).catch(() => {});
       }
+
+      if (credentialInfo && result.rateLimitWindows) {
+        reportKeyRateLimitWindows(
+          apiConfig.apiUrl,
+          apiConfig.apiKey,
+          credentialInfo.keyType,
+          credentialInfo.keySuffix,
+          credentialInfo.keyIndex,
+          result.rateLimitWindows,
+        ).catch(() => {});
+      }
       let bridgeDiagnostics: Awaited<ReturnType<typeof getBridgeFailureDiagnostics>> | undefined;
       if (result.exitCode !== 0 && harnessProvider === "claude" && workingDir) {
         bridgeDiagnostics = await getBridgeFailureDiagnostics(workingDir);

package/src/http/api-keys.ts

@@ -6,6 +6,7 @@ import {
   getKeyCostSummary,
   getKeyStatuses,
   markKeyRateLimited,
+  recordKeyRateLimitWindows,
   recordKeyUsage,
   setApiKeyName,
 } from "../be/db";
@@ -58,6 +59,37 @@ const reportRateLimit = route({
   auth: { apiKey: true },
 });
 
+const rateLimitWindowSchema = z.object({
+  status: z.string(),
+  utilization: z.number().optional(),
+  resetsAt: z.number().optional(),
+  isUsingOverage: z.boolean().optional(),
+  surpassedThreshold: z.number().optional(),
+  lastSeenAt: z.string().datetime(),
+});
+
+const reportRateLimitWindows = route({
+  method: "post",
+  path: "/api/keys/report-rate-limit-windows",
+  pattern: ["api", "keys", "report-rate-limit-windows"],
+  summary: "Record provider-emitted rate-limit window telemetry for an API key",
+  tags: ["API Keys"],
+  body: z.object({
+    keyType: z.string(),
+    keySuffix: z.string().min(1).max(10),
+    keyIndex: z.number().int().min(0),
+    windows: z.record(z.string(), rateLimitWindowSchema),
+    scope: z.string().optional(),
+    scopeId: z.string().optional(),
+  }),
+  responses: {
+    200: { description: "Rate-limit window telemetry recorded" },
+    400: { description: "Validation error" },
+    401: { description: "Unauthorized" },
+  },
+  auth: { apiKey: true },
+});
+
 const getAvailable = route({
   method: "get",
   path: "/api/keys/available",
@@ -196,6 +228,25 @@ export async function handleApiKeys(
     return true;
   }
 
+  // POST /api/keys/report-rate-limit-windows
+  if (reportRateLimitWindows.match(req.method, pathSegments)) {
+    const parsed = await reportRateLimitWindows.parse(req, res, pathSegments, queryParams);
+    if (!parsed) return true;
+
+    const { keyType, keySuffix, keyIndex, windows, scope, scopeId } = parsed.body;
+    try {
+      recordKeyRateLimitWindows(keyType, keySuffix, keyIndex, windows, scope, scopeId ?? null);
+      json(res, { success: true, message: `Rate-limit windows recorded for ...${keySuffix}` });
+    } catch (err) {
+      jsonError(
+        res,
+        err instanceof Error ? err.message : "Failed to record rate-limit windows",
+        500,
+      );
+    }
+    return true;
+  }
+
   // GET /api/keys/available
   if (getAvailable.match(req.method, pathSegments)) {
     const parsed = await getAvailable.parse(req, res, pathSegments, queryParams);

package/src/providers/claude-adapter.ts

@@ -674,6 +674,7 @@ class ClaudeSession implements ProviderSession {
       isError: (exitCode ?? 1) !== 0,
       failureReason,
       rateLimitResetAt: this.errorTracker.getRateLimitResetAt(),
+      rateLimitWindows: this.errorTracker.getRateLimitWindows(),
     };
   }
 

package/src/providers/codex-adapter.ts

@@ -1024,6 +1024,7 @@ export class CodexSession implements ProviderSession {
             isError: true,
             failureReason: terminalError.message,
             rateLimitResetAt: this.errorTracker.getRateLimitResetAt(),
+            rateLimitWindows: this.errorTracker.getRateLimitWindows(),
           });
           return;
         }
@@ -1045,6 +1046,7 @@ export class CodexSession implements ProviderSession {
         isError,
         failureReason: terminalError?.message,
         rateLimitResetAt: this.errorTracker.getRateLimitResetAt(),
+        rateLimitWindows: this.errorTracker.getRateLimitWindows(),
       });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -1059,6 +1061,7 @@ export class CodexSession implements ProviderSession {
         isError: true,
         failureReason: message,
         rateLimitResetAt: this.errorTracker.getRateLimitResetAt(),
+        rateLimitWindows: this.errorTracker.getRateLimitWindows(),
       });
     } finally {
       // Session-end summarization. Pure addition for codex — no behavior to

package/src/providers/harness-version.ts

@@ -1,6 +1,53 @@
-export function readPkgVersion(packageName: string): string | undefined {
+import { spawnSync } from "node:child_process";
+
+type PackageJson = { version?: unknown };
+
+type ReadPkgVersionOptions = {
+  requirePackageJson?: (specifier: string) => PackageJson;
+  spawn?: typeof spawnSync;
+};
+
+const cliVersionCommands: Record<string, { command: string; args: string[] }> = {
+  "@earendil-works/pi-coding-agent": { command: "pi", args: ["--version"] },
+  "@opencode-ai/sdk": { command: "opencode", args: ["--version"] },
+};
+
+function normalizeVersion(value: unknown): string | undefined {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : undefined;
+}
+
+function parseCliVersion(output: string): string | undefined {
+  return output.match(/\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?/)?.[0];
+}
+
+function readCliVersion(packageName: string, spawn: typeof spawnSync): string | undefined {
+  const command = cliVersionCommands[packageName];
+  if (!command) return undefined;
+
+  try {
+    const result = spawn(command.command, command.args, {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+    return parseCliVersion(`${result.stdout ?? ""}\n${result.stderr ?? ""}`);
+  } catch {
+    return undefined;
+  }
+}
+
+export function readPkgVersion(
+  packageName: string,
+  {
+    requirePackageJson = (specifier) => require(specifier) as PackageJson,
+    spawn = spawnSync,
+  }: ReadPkgVersionOptions = {},
+): string | undefined {
+  const cliVersion = readCliVersion(packageName, spawn);
+  if (cliVersion) return cliVersion;
+
   try {
-    return require(`${packageName}/package.json`).version;
+    const version = normalizeVersion(requirePackageJson(`${packageName}/package.json`).version);
+    if (version) return version;
   } catch {
     return undefined;
   }

package/src/providers/opencode-adapter.ts

@@ -111,6 +111,11 @@ function defaultOpencodeSkillsDir(): string {
   return join(process.env.HOME ?? "/home/worker", ".opencode", "skills");
 }
 const MODEL_CACHE_REFRESH_TIMEOUT_MS = 15_000;
+// opencode cold-start on E2B disk regularly exceeds the SDK's 5s default
+// server-start timeout (@opencode-ai/sdk dist/server.js), failing the spawn with
+// "Timeout waiting for server to start after 5000ms". Override via
+// OPENCODE_SERVER_TIMEOUT_MS.
+const DEFAULT_SERVER_START_TIMEOUT_MS = 30_000;
 
 function isOpenRouterModel(model: string | undefined): boolean {
   return Boolean(model?.toLowerCase().startsWith("openrouter/"));
@@ -720,6 +725,7 @@ export class OpencodeAdapter implements ProviderAdapter {
       ({ client, server } = await createOpencode({
         hostname: "127.0.0.1",
         port: 0,
+        timeout: Number(process.env.OPENCODE_SERVER_TIMEOUT_MS) || DEFAULT_SERVER_START_TIMEOUT_MS,
         config: opencodeConfig,
       }));
     } finally {

package/src/providers/types.ts

@@ -34,6 +34,7 @@ export interface CostData {
 }
 
 import type { ProviderName } from "../types";
+import type { RateLimitWindowTelemetry } from "../utils/error-tracker";
 
 /** Normalized event emitted by any provider adapter. */
 export type ProviderEvent =
@@ -137,6 +138,12 @@ export interface ProviderResult {
    * three-tier cooldown resolver.
    */
   rateLimitResetAt?: string;
+  /**
+   * Latest provider-emitted rate-limit window snapshots observed during the
+   * session, keyed by provider window type (for Claude: five_hour, seven_day).
+   * Best-effort and informational; consumers must tolerate it being absent.
+   */
+  rateLimitWindows?: RateLimitWindowTelemetry;
 }
 
 /** Behavioral traits that govern prompt assembly and feature gating. */

package/src/tests/api-key-tracking.test.ts

@@ -11,6 +11,7 @@ import {
   getKeyStatuses,
   initDb,
   markKeyRateLimited,
+  recordKeyRateLimitWindows,
   recordKeyUsage,
 } from "../be/db";
 import type { CredentialSelection } from "../utils/credentials";
@@ -240,6 +241,67 @@ describe("API key tracking DB queries", () => {
     const cleared = clearKeyRateLimit("OPENAI_API_KEY", "oai02");
     expect(cleared).toBe(false);
   });
+
+  test("recordKeyRateLimitWindows persists latest provider windows", () => {
+    recordKeyRateLimitWindows("ANTHROPIC_API_KEY", "aaa11", 0, {
+      seven_day: {
+        status: "allowed_warning",
+        utilization: 0.82,
+        resetsAt: 1781334000,
+        isUsingOverage: false,
+        surpassedThreshold: 0.75,
+        lastSeenAt: "2026-06-12T00:00:00.000Z",
+      },
+    });
+
+    const key = getKeyStatuses("ANTHROPIC_API_KEY").find((s) => s.keySuffix === "aaa11");
+    expect(key?.rateLimitWindows).toEqual({
+      seven_day: {
+        status: "allowed_warning",
+        utilization: 0.82,
+        resetsAt: 1781334000,
+        isUsingOverage: false,
+        surpassedThreshold: 0.75,
+        lastSeenAt: "2026-06-12T00:00:00.000Z",
+      },
+    });
+  });
+
+  test("recordKeyRateLimitWindows merges with existing provider windows", () => {
+    recordKeyRateLimitWindows("ANTHROPIC_API_KEY", "aaa11", 0, {
+      seven_day: {
+        status: "allowed_warning",
+        utilization: 0.82,
+        resetsAt: 1781334000,
+        lastSeenAt: "2026-06-12T00:00:00.000Z",
+      },
+    });
+
+    recordKeyRateLimitWindows("ANTHROPIC_API_KEY", "aaa11", 0, {
+      five_hour: {
+        status: "allowed",
+        utilization: 0.2,
+        resetsAt: 1781270000,
+        lastSeenAt: "2026-06-12T01:00:00.000Z",
+      },
+    });
+
+    const key = getKeyStatuses("ANTHROPIC_API_KEY").find((s) => s.keySuffix === "aaa11");
+    expect(key?.rateLimitWindows).toEqual({
+      seven_day: {
+        status: "allowed_warning",
+        utilization: 0.82,
+        resetsAt: 1781334000,
+        lastSeenAt: "2026-06-12T00:00:00.000Z",
+      },
+      five_hour: {
+        status: "allowed",
+        utilization: 0.2,
+        resetsAt: 1781270000,
+        lastSeenAt: "2026-06-12T01:00:00.000Z",
+      },
+    });
+  });
 });
 
 // ─── Cross-keyType Failover Logic Tests ──────────────────────────────────────

package/src/tests/harness-version.test.ts

@@ -0,0 +1,47 @@
+import { describe, expect, mock, test } from "bun:test";
+import { readPkgVersion } from "../providers/harness-version";
+
+describe("readPkgVersion", () => {
+  test("reads pi version from the CLI before package.json probes", () => {
+    const spawn = mock(() => ({ stdout: "0.79.1\n", stderr: "", status: 0 }));
+    const requirePackageJson = mock(() => ({ version: "0.0.0" }));
+
+    const version = readPkgVersion("@earendil-works/pi-coding-agent", {
+      requirePackageJson,
+      spawn,
+    });
+
+    expect(version).toBe("0.79.1");
+    expect(spawn).toHaveBeenCalledWith("pi", ["--version"], {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+    expect(requirePackageJson).not.toHaveBeenCalled();
+  });
+
+  test("reads opencode version from the CLI before package.json probes", () => {
+    const spawn = mock(() => ({ stdout: "opencode 1.16.2\n", stderr: "", status: 0 }));
+    const requirePackageJson = mock(() => ({ version: "0.0.0" }));
+
+    const version = readPkgVersion("@opencode-ai/sdk", {
+      requirePackageJson,
+      spawn,
+    });
+
+    expect(version).toBe("1.16.2");
+    expect(spawn).toHaveBeenCalledWith("opencode", ["--version"], {
+      encoding: "utf8",
+      stdio: ["ignore", "pipe", "pipe"],
+    });
+    expect(requirePackageJson).not.toHaveBeenCalled();
+  });
+
+  test("falls back to package.json when no CLI mapping returns a version", () => {
+    const version = readPkgVersion("@earendil-works/pi-coding-agent", {
+      requirePackageJson: () => ({ version: "0.79.1" }),
+      spawn: mock(() => ({ stdout: "", stderr: "", status: 0 })),
+    });
+
+    expect(version).toBe("0.79.1");
+  });
+});

package/src/tests/opencode-adapter.test.ts

@@ -157,13 +157,14 @@ describe("OpencodeSession — SSE→ProviderEvent mapping", () => {
     const { emitted, result, serverCloseCalls } = await driveSession(events);
 
     const sessionInit = emitted.find((e) => e.type === "session_init");
-    expect(sessionInit).toBeDefined();
-    if (sessionInit?.type === "session_init") {
-      expect(sessionInit.provider).toBe("opencode");
-      expect(sessionInit.harnessVariant).toBe("stock");
-      expect(typeof sessionInit.harnessVariantMeta?.version).toBe("string");
-      expect((sessionInit.harnessVariantMeta?.version as string).length).toBeGreaterThan(0);
+    expect(sessionInit?.type).toBe("session_init");
+    if (sessionInit?.type !== "session_init") {
+      throw new Error("Expected opencode session_init event");
     }
+    expect(sessionInit.provider).toBe("opencode");
+    expect(sessionInit.harnessVariant).toBe("stock");
+    expect(typeof sessionInit.harnessVariantMeta?.version).toBe("string");
+    expect((sessionInit.harnessVariantMeta?.version as string).length).toBeGreaterThan(0);
 
     const resultEvent = emitted.find((e) => e.type === "result");
     expect(resultEvent).toBeDefined();

package/src/tests/providers/pi-cost.test.ts

@@ -108,13 +108,14 @@ describe("PiMonoSession — provider tag on CostData", () => {
       session.onEvent((e) => events.push(e));
 
       const sessionInit = events.find((e) => e.type === "session_init");
-      expect(sessionInit).toBeDefined();
-      if (sessionInit?.type === "session_init") {
-        expect(sessionInit.provider).toBe("pi");
-        expect(sessionInit.harnessVariant).toBe("stock");
-        expect(typeof sessionInit.harnessVariantMeta?.version).toBe("string");
-        expect((sessionInit.harnessVariantMeta?.version as string).length).toBeGreaterThan(0);
+      expect(sessionInit?.type).toBe("session_init");
+      if (sessionInit?.type !== "session_init") {
+        throw new Error("Expected pi session_init event");
       }
+      expect(sessionInit.provider).toBe("pi");
+      expect(sessionInit.harnessVariant).toBe("stock");
+      expect(typeof sessionInit.harnessVariantMeta?.version).toBe("string");
+      expect((sessionInit.harnessVariantMeta?.version as string).length).toBeGreaterThan(0);
 
       const result = await session.waitForCompletion();
 

package/src/tests/rate-limit-event.test.ts

@@ -2,6 +2,7 @@ import { describe, expect, test } from "bun:test";
 import {
   isRateLimitMessage,
   MAX_RATE_LIMIT_RESET_MS,
+  parseRateLimitWindowTelemetry,
   parseStderrForErrors,
   SessionErrorTracker,
   trackErrorFromJson,
@@ -23,6 +24,42 @@ const FIXTURE_REJECTED = {
 };
 
 describe("SessionErrorTracker — rate_limit_event processing", () => {
+  test("captures allowed_warning telemetry without marking a cooldown", () => {
+    const tracker = new SessionErrorTracker();
+    tracker.processRateLimitEvent({
+      type: "rate_limit_event",
+      rate_limit_info: {
+        status: "allowed_warning",
+        resetsAt: 1781334000,
+        rateLimitType: "seven_day",
+        utilization: 0.82,
+        isUsingOverage: false,
+        surpassedThreshold: 0.75,
+      },
+    });
+
+    expect(tracker.getRateLimitResetAt()).toBeUndefined();
+    expect(tracker.getRateLimitWindows()).toEqual({
+      seven_day: expect.objectContaining({
+        status: "allowed_warning",
+        resetsAt: 1781334000,
+        utilization: 0.82,
+        isUsingOverage: false,
+        surpassedThreshold: 0.75,
+      }),
+    });
+  });
+
+  test("parseRateLimitWindowTelemetry is best-effort for malformed events", () => {
+    expect(parseRateLimitWindowTelemetry({ type: "rate_limit_event" })).toBeNull();
+    expect(
+      parseRateLimitWindowTelemetry({
+        type: "rate_limit_event",
+        rate_limit_info: { status: "allowed_warning", resetsAt: "bad" },
+      }),
+    ).toBeNull();
+  });
+
   test("stashes resetsAt (seconds) correctly as ms — verbatim CAI-1279 fixture", () => {
     const tracker = new SessionErrorTracker();
     tracker.processRateLimitEvent(FIXTURE_REJECTED);

package/src/tests/scripts-boot-reembed.test.ts

@@ -1,6 +1,7 @@
 import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { unlink } from "node:fs/promises";
 import { closeDb, getDb, initDb } from "../be/db";
+import { serializeEmbedding } from "../be/embedding";
 import type { EmbeddingProvider } from "../be/memory/types";
 import { runBootReembedScripts } from "../be/scripts/boot-reembed";
 import { upsertScriptByName } from "../be/scripts/db";
@@ -98,7 +99,8 @@ describe("boot-reembed-scripts", () => {
     provider.reset();
     await runBootReembedScripts();
     expect(embeddingCount(result.script.id)).toBe(1);
-    expect(provider.calls).toHaveLength(1);
+    // +1 for the provider probe call ("test") that verifies the provider works
+    expect(provider.calls).toHaveLength(2);
   });
 
   test("no-ops when all scripts already have embeddings", async () => {
@@ -157,7 +159,64 @@ describe("boot-reembed-scripts", () => {
 
     provider.reset();
     await runBootReembedScripts();
-    expect(provider.calls).toHaveLength(1);
+    // +1 for the provider probe call
+    expect(provider.calls).toHaveLength(2);
     expect(embeddingCount(withoutEmbed.script.id)).toBe(1);
   });
+
+  test("re-embeds scripts with wrong-dimension embeddings", async () => {
+    const result = await upsertScriptByName({
+      name: "wrong-dim",
+      scope: "global",
+      source: source("wrong-dim"),
+      description: "Script with legacy 1536d embedding",
+      intent: "Dimension fix test",
+      signatureJson,
+    });
+    expect(embeddingCount(result.script.id)).toBe(1);
+
+    // Overwrite with a wrong-dimension (1536d) embedding to simulate legacy data
+    const wrongDimVector = new Float32Array(1536).fill(0.1);
+    getDb().run("UPDATE script_embeddings SET embedding = ? WHERE scriptId = ?", [
+      serializeEmbedding(wrongDimVector),
+      result.script.id,
+    ]);
+
+    // Verify the wrong dim is stored
+    const stored = getDb()
+      .prepare<{ len: number }, [string]>(
+        "SELECT length(embedding) as len FROM script_embeddings WHERE scriptId = ?",
+      )
+      .get(result.script.id);
+    expect(stored?.len).toBe(1536 * 4);
+
+    provider.reset();
+    await runBootReembedScripts();
+    // +1 for the provider probe call
+    expect(provider.calls).toHaveLength(2);
+
+    // Should now have correct-dimension embedding
+    const fixed = getDb()
+      .prepare<{ len: number }, [string]>(
+        "SELECT length(embedding) as len FROM script_embeddings WHERE scriptId = ?",
+      )
+      .get(result.script.id);
+    expect(fixed?.len).toBe(5 * 4); // provider.dimensions = 5
+  });
+
+  test("no-ops when all scripts have correct-dimension embeddings", async () => {
+    await upsertScriptByName({
+      name: "correct-dim",
+      scope: "global",
+      source: source("correct"),
+      description: "Already correct",
+      intent: "No-op test",
+      signatureJson,
+    });
+    expect(totalEmbeddingCount()).toBe(1);
+
+    provider.reset();
+    await runBootReembedScripts();
+    expect(provider.calls).toHaveLength(0);
+  });
 });

package/src/tests/scripts-embeddings.test.ts

@@ -1,6 +1,7 @@
 import { afterAll, beforeAll, beforeEach, describe, expect, test } from "bun:test";
 import { unlink } from "node:fs/promises";
 import { closeDb, getDb, initDb } from "../be/db";
+import { serializeEmbedding } from "../be/embedding";
 import type { EmbeddingProvider } from "../be/memory/types";
 import { getScript, upsertScriptByName } from "../be/scripts/db";
 import {
@@ -378,4 +379,30 @@ describe("script embeddings", () => {
     expect(getScript({ name: "delete-embedding", scope: "agent", scopeId: "agent-1" })).toBeNull();
     expect(embeddingCount(created.script.id)).toBe(0);
   });
+
+  test("search skips wrong-dimension embeddings instead of throwing", async () => {
+    const good = await upsertFixture({
+      name: "good-dim",
+      description: "Linear issue triage helper",
+    });
+    const bad = await upsertFixture({
+      name: "bad-dim",
+      description: "Linear ticket router",
+    });
+    expect(embeddingCount(good.script.id)).toBe(1);
+    expect(embeddingCount(bad.script.id)).toBe(1);
+
+    // Overwrite bad-dim's embedding with a wrong-dimension vector (1536d)
+    const wrongDimVector = new Float32Array(1536).fill(0.1);
+    getDb().run("UPDATE script_embeddings SET embedding = ? WHERE scriptId = ?", [
+      serializeEmbedding(wrongDimVector),
+      bad.script.id,
+    ]);
+
+    provider.reset();
+    const results = await searchScripts({ query: "issue triage", scopeId: "agent-1", limit: 10 });
+    // Should not throw, and should only return the good-dim script
+    expect(results.map((r) => r.script.name)).toContain("good-dim");
+    expect(results.map((r) => r.script.name)).not.toContain("bad-dim");
+  });
 });

package/src/utils/error-tracker.ts

@@ -10,6 +10,54 @@ export interface ErrorSignal {
   timestamp: string;
 }
 
+export interface RateLimitWindowInfo {
+  status: string;
+  utilization?: number;
+  resetsAt?: number;
+  isUsingOverage?: boolean;
+  surpassedThreshold?: number;
+  lastSeenAt: string;
+}
+
+export type RateLimitWindowTelemetry = Record<string, RateLimitWindowInfo>;
+
+export function parseRateLimitWindowTelemetry(
+  json: Record<string, unknown>,
+  lastSeenAt = new Date().toISOString(),
+): { rateLimitType: string; info: RateLimitWindowInfo } | null {
+  try {
+    if (json.type !== "rate_limit_event") return null;
+    const rawInfo = json.rate_limit_info;
+    if (!rawInfo || typeof rawInfo !== "object") return null;
+
+    const info = rawInfo as Record<string, unknown>;
+    if (typeof info.status !== "string" || info.status.length === 0) return null;
+    if (typeof info.rateLimitType !== "string" || info.rateLimitType.length === 0) return null;
+
+    const window: RateLimitWindowInfo = {
+      status: info.status,
+      lastSeenAt,
+    };
+
+    if (typeof info.utilization === "number" && Number.isFinite(info.utilization)) {
+      window.utilization = info.utilization;
+    }
+    if (typeof info.resetsAt === "number" && Number.isFinite(info.resetsAt) && info.resetsAt > 0) {
+      window.resetsAt = info.resetsAt;
+    }
+    if (typeof info.isUsingOverage === "boolean") {
+      window.isUsingOverage = info.isUsingOverage;
+    }
+    if (typeof info.surpassedThreshold === "number" && Number.isFinite(info.surpassedThreshold)) {
+      window.surpassedThreshold = info.surpassedThreshold;
+    }
+
+    return { rateLimitType: info.rateLimitType, info: window };
+  } catch {
+    return null;
+  }
+}
+
 /**
  * Maximum cooldown horizon for a rate-limit reset. A weekly OAuth limit resets
  * up to ~7 days out, so the cap must be at least that or a weekly-limited key
@@ -85,6 +133,7 @@ export class SessionErrorTracker {
   private errors: ErrorSignal[] = [];
   /** Stashed reset time (ms) from the last rejected rate_limit_event in this session. */
   private rateLimitResetAtMs: number | undefined;
+  private rateLimitWindows: RateLimitWindowTelemetry = {};
 
   /** Record an error from an assistant message with message.error field */
   addApiError(errorCategory: string, message: string): void {
@@ -139,6 +188,11 @@ export class SessionErrorTracker {
       const info = json.rate_limit_info as Record<string, unknown> | undefined;
       if (!info) return;
 
+      const telemetry = parseRateLimitWindowTelemetry(json);
+      if (telemetry) {
+        this.rateLimitWindows[telemetry.rateLimitType] = telemetry.info;
+      }
+
       if (info.status !== "rejected") return;
 
       const resetsAtSec = info.resetsAt;
@@ -185,6 +239,11 @@ export class SessionErrorTracker {
     return new Date(this.rateLimitResetAtMs).toISOString();
   }
 
+  getRateLimitWindows(): RateLimitWindowTelemetry | undefined {
+    if (Object.keys(this.rateLimitWindows).length === 0) return undefined;
+    return { ...this.rateLimitWindows };
+  }
+
   hasErrors(): boolean {
     return this.errors.length > 0;
   }