@docyrus/docyrus 0.0.25 → 0.0.27

package/server-loader.js

@@ -692,7 +692,7 @@ var init_dist = __esm({
 // src/server/server-loader.ts
 var import_node_fs = require("node:fs");
 var import_node_url = require("node:url");
-var import_node_path3 = require("node:path");
+var import_node_path4 = require("node:path");
 var import_picocolors = __toESM(require_picocolors());
 
 // src/agent/envStore.ts
@@ -795,8 +795,9 @@ var AgentEnvStore = class {
 
 // src/server/agentServer.ts
 var import_node_child_process = require("node:child_process");
-var import_promises2 = require("node:fs/promises");
-var import_node_path2 = require("node:path");
+var import_node_crypto2 = require("node:crypto");
+var import_promises3 = require("node:fs/promises");
+var import_node_path3 = require("node:path");
 
 // ../../node_modules/.pnpm/hono@4.12.8/node_modules/hono/dist/compose.js
 var compose = (middleware, onError, onNotFound) => {
@@ -2936,10 +2937,212 @@ var cors = (options) => {
   };
 };
 
+// resources/pi-agent/shared/askUserProtocol.ts
+var ASK_USER_TAG = "ask_user";
+var ASK_USER_OPEN = `<${ASK_USER_TAG}>`;
+var ASK_USER_CLOSE = `</${ASK_USER_TAG}>`;
+var ASK_USER_RESPONSE_TAG = "ask_user_response";
+var ASK_USER_RESPONSE_OPEN = `<${ASK_USER_RESPONSE_TAG}>`;
+var ASK_USER_RESPONSE_CLOSE = `</${ASK_USER_RESPONSE_TAG}>`;
+function hashString(value) {
+  let hash = 0;
+  for (let index = 0; index < value.length; index += 1) {
+    hash = (hash << 5) - hash + value.charCodeAt(index);
+    hash |= 0;
+  }
+  return Math.abs(hash).toString(36);
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null && !Array.isArray(value);
+}
+function isNonEmptyString(value) {
+  return typeof value === "string" && value.trim().length > 0;
+}
+function normalizeTrimmedString(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
+}
+function normalizeQuestionType(value) {
+  return value === "text" || value === "textarea" || value === "boolean" || value === "singleSelect" || value === "multiSelect" ? value : void 0;
+}
+function normalizeDefaultValue(value) {
+  if (typeof value === "string" || typeof value === "boolean") {
+    return value;
+  }
+  if (Array.isArray(value) && value.every((item) => typeof item === "string")) {
+    return [...value];
+  }
+  return void 0;
+}
+function normalizeOptions(value) {
+  if (!Array.isArray(value)) {
+    return void 0;
+  }
+  const options = [];
+  for (const item of value) {
+    if (!isRecord(item) || !isNonEmptyString(item.label) || !isNonEmptyString(item.value)) {
+      return void 0;
+    }
+    options.push({
+      label: item.label.trim(),
+      value: item.value.trim()
+    });
+  }
+  return options;
+}
+function normalizeAskUserQuestion(value) {
+  if (!isRecord(value)) {
+    return void 0;
+  }
+  const id = normalizeTrimmedString(value.id);
+  const label = normalizeTrimmedString(value.label);
+  const type = normalizeQuestionType(value.type);
+  if (!id || !label || !type) {
+    return void 0;
+  }
+  const question = {
+    id,
+    label,
+    type
+  };
+  const description = normalizeTrimmedString(value.description);
+  if (description) {
+    question.description = description;
+  }
+  if (typeof value.required === "boolean") {
+    question.required = value.required;
+  }
+  const options = normalizeOptions(value.options);
+  if (type === "singleSelect" || type === "multiSelect") {
+    if (!options || options.length === 0) {
+      return void 0;
+    }
+    question.options = options;
+  }
+  const placeholder = normalizeTrimmedString(value.placeholder);
+  if (placeholder) {
+    question.placeholder = placeholder;
+  }
+  const defaultValue = normalizeDefaultValue(value.defaultValue);
+  if (defaultValue !== void 0) {
+    question.defaultValue = defaultValue;
+  }
+  return question;
+}
+function normalizeAskUserRequest(value) {
+  if (!isRecord(value)) {
+    return void 0;
+  }
+  const title = normalizeTrimmedString(value.title);
+  const message = normalizeTrimmedString(value.message);
+  if (!title || !message || !Array.isArray(value.questions) || value.questions.length === 0) {
+    return void 0;
+  }
+  const questions = [];
+  for (const question of value.questions) {
+    const normalized = normalizeAskUserQuestion(question);
+    if (!normalized) {
+      return void 0;
+    }
+    questions.push(normalized);
+  }
+  return {
+    title,
+    message,
+    questions
+  };
+}
+function normalizeAskUserResponse(value) {
+  if (!isRecord(value)) {
+    return void 0;
+  }
+  const action = value.action;
+  if (action !== "submit" && action !== "cancel" && action !== "decline") {
+    return void 0;
+  }
+  const answersRecord = isRecord(value.answers) ? value.answers : {};
+  const answers = {};
+  for (const [key, answerValue] of Object.entries(answersRecord)) {
+    const normalized = normalizeDefaultValue(answerValue);
+    if (normalized !== void 0) {
+      answers[key] = normalized;
+    }
+  }
+  return {
+    action,
+    answers
+  };
+}
+function createAskUserToolCallId(request) {
+  return `ask_user_${hashString(JSON.stringify(request))}`;
+}
+function parseAskUserRequestFromText(text) {
+  const trimmed = text.trim();
+  if (!trimmed.startsWith(ASK_USER_OPEN) || !trimmed.endsWith(ASK_USER_CLOSE)) {
+    return void 0;
+  }
+  const body = trimmed.slice(ASK_USER_OPEN.length, trimmed.length - ASK_USER_CLOSE.length).trim();
+  if (!body) {
+    return void 0;
+  }
+  try {
+    return normalizeAskUserRequest(JSON.parse(body));
+  } catch {
+    return void 0;
+  }
+}
+function formatAskUserResponsePrompt(response) {
+  return [
+    "The user submitted structured clarification answers.",
+    "",
+    `${ASK_USER_RESPONSE_OPEN}`,
+    JSON.stringify(response, null, 2),
+    `${ASK_USER_RESPONSE_CLOSE}`,
+    "",
+    "Continue the planning workflow using these answers."
+  ].join("\n");
+}
+function parseAskUserResponseFromToolOutput(output) {
+  return normalizeAskUserResponse(output);
+}
+
 // src/server/eventBridge.ts
 function createEventBridge(params) {
-  const { messageId, onChunk, onDone, onError } = params;
+  const { messageId, onChunk, onDone, onError, onAskUser } = params;
   const activeToolCalls = /* @__PURE__ */ new Map();
+  let activeTextBuffer = null;
+  function flushBufferedTextToStream(close) {
+    if (!activeTextBuffer) {
+      return;
+    }
+    onChunk({ type: "text-start", id: messageId });
+    if (activeTextBuffer.text.length > 0) {
+      onChunk({ type: "text-delta", id: messageId, delta: activeTextBuffer.text });
+    }
+    if (close) {
+      onChunk({ type: "text-end", id: messageId });
+      activeTextBuffer = null;
+      return;
+    }
+    activeTextBuffer = { text: "", mode: "plain" };
+  }
+  function maybeEmitAskUser(text) {
+    const request = parseAskUserRequestFromText(text);
+    if (!request) {
+      return false;
+    }
+    const toolCallId = createAskUserToolCallId(request);
+    onAskUser?.({ toolCallId, request });
+    onChunk({ type: "tool-input-start", toolCallId, toolName: "ask_user", dynamic: true, title: request.title });
+    onChunk({
+      type: "tool-input-available",
+      toolCallId,
+      toolName: "ask_user",
+      input: request,
+      dynamic: true,
+      title: request.title
+    });
+    return true;
+  }
   function handleEvent(event) {
     switch (event.type) {
       case "message_update": {
@@ -2963,15 +3166,42 @@ function createEventBridge(params) {
     }
     switch (assistantEvent.type) {
       case "text_start": {
-        onChunk({ type: "text-start", id: messageId });
+        activeTextBuffer = { text: "", mode: "pending" };
         break;
       }
       case "text_delta": {
-        onChunk({ type: "text-delta", id: messageId, delta: assistantEvent.delta ?? "" });
+        if (!activeTextBuffer) {
+          onChunk({ type: "text-start", id: messageId });
+          onChunk({ type: "text-delta", id: messageId, delta: assistantEvent.delta ?? "" });
+          activeTextBuffer = { text: "", mode: "plain" };
+          break;
+        }
+        if (activeTextBuffer.mode === "plain") {
+          onChunk({ type: "text-delta", id: messageId, delta: assistantEvent.delta ?? "" });
+          break;
+        }
+        activeTextBuffer.text += assistantEvent.delta ?? "";
+        if ("<ask_user>".startsWith(activeTextBuffer.text) || activeTextBuffer.text.startsWith("<ask_user>")) {
+          break;
+        }
+        flushBufferedTextToStream(false);
         break;
       }
       case "text_end": {
-        onChunk({ type: "text-end", id: messageId });
+        if (!activeTextBuffer) {
+          onChunk({ type: "text-end", id: messageId });
+          break;
+        }
+        if (activeTextBuffer.mode === "plain") {
+          onChunk({ type: "text-end", id: messageId });
+          activeTextBuffer = null;
+          break;
+        }
+        if (!maybeEmitAskUser(activeTextBuffer.text)) {
+          flushBufferedTextToStream(true);
+        } else {
+          activeTextBuffer = null;
+        }
         break;
       }
       case "thinking_start": {
@@ -3050,6 +3280,854 @@ function createEventBridge(params) {
   return { handleEvent };
 }
 
+// src/agent/modelsConfig.ts
+var import_promises2 = require("node:fs/promises");
+var import_node_path2 = require("node:path");
+function createDefaultState2() {
+  return {
+    providers: {}
+  };
+}
+async function readModelsConfig(filePath) {
+  try {
+    const raw2 = await (0, import_promises2.readFile)(filePath, "utf8");
+    const parsed = JSON.parse(raw2);
+    if (!parsed || typeof parsed !== "object" || typeof parsed.providers !== "object" || parsed.providers === null) {
+      return createDefaultState2();
+    }
+    return {
+      providers: { ...parsed.providers }
+    };
+  } catch (error) {
+    if (typeof error === "object" && error !== null && "code" in error && error.code === "ENOENT") {
+      return createDefaultState2();
+    }
+    return createDefaultState2();
+  }
+}
+async function writeModelsConfig(filePath, state) {
+  const directory = (0, import_node_path2.dirname)(filePath);
+  await (0, import_promises2.mkdir)(directory, {
+    recursive: true,
+    mode: 448
+  });
+  await (0, import_promises2.writeFile)(filePath, `${JSON.stringify(state, null, 2)}
+`, {
+    encoding: "utf8",
+    mode: 384
+  });
+  await (0, import_promises2.chmod)(filePath, 384);
+}
+async function upsertModelsProvider(filePath, providerId, providerConfig) {
+  const state = await readModelsConfig(filePath);
+  await writeModelsConfig(filePath, {
+    providers: {
+      ...state.providers,
+      [providerId]: providerConfig
+    }
+  });
+}
+async function removeModelsProvider(filePath, providerId) {
+  const state = await readModelsConfig(filePath);
+  const nextProviders = { ...state.providers };
+  delete nextProviders[providerId];
+  await writeModelsConfig(filePath, {
+    providers: nextProviders
+  });
+}
+function createCustomOpenAiProviderConfig(params) {
+  return {
+    baseUrl: params.baseUrl,
+    apiKey: "env:CUSTOM_OPENAI_API_KEY",
+    api: "openai-completions",
+    models: [
+      {
+        id: params.modelId,
+        name: params.modelId,
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 128e3,
+        maxTokens: 16384,
+        cost: {
+          input: 0,
+          output: 0,
+          cacheRead: 0,
+          cacheWrite: 0
+        }
+      }
+    ]
+  };
+}
+function createAzureProviderConfig(params) {
+  const providerConfig = {
+    baseUrl: params.baseUrl,
+    apiKey: "env:AZURE_OPENAI_API_KEY"
+  };
+  if (params.useCustomModel) {
+    providerConfig.api = "azure-openai-responses";
+    providerConfig.models = [
+      {
+        id: params.modelId,
+        name: params.modelId,
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 128e3,
+        maxTokens: 16384,
+        cost: {
+          input: 0,
+          output: 0,
+          cacheRead: 0,
+          cacheWrite: 0
+        }
+      }
+    ];
+  }
+  return providerConfig;
+}
+
+// src/agent/authFlows.ts
+function trimOrUndefined(value) {
+  const trimmed = value?.trim();
+  return trimmed && trimmed.length > 0 ? trimmed : void 0;
+}
+async function saveGenericApiKey(params) {
+  params.authStorage.set(params.providerId, {
+    type: "api_key",
+    key: params.apiKey.trim()
+  });
+}
+async function saveCustomOpenAiConfig(params) {
+  params.authStorage.set("custom-openai", {
+    type: "api_key",
+    key: params.apiKey.trim()
+  });
+  await params.envStore.removeMany([
+    "CUSTOM_OPENAI_API_KEY"
+  ]);
+  await params.envStore.setMany({
+    CUSTOM_OPENAI_API_KEY: params.apiKey.trim()
+  });
+  await upsertModelsProvider(params.modelsJsonPath, "custom-openai", createCustomOpenAiProviderConfig({
+    baseUrl: params.baseUrl.trim(),
+    modelId: params.modelId.trim()
+  }));
+  params.settingsManager.setDefaultModelAndProvider("custom-openai", params.modelId.trim());
+}
+async function saveAzureConfig(params) {
+  const modelId = params.modelId.trim();
+  const useCustomModel = params.useCustomModel ?? false;
+  params.authStorage.set("azure-openai-responses", {
+    type: "api_key",
+    key: params.apiKey.trim()
+  });
+  await params.envStore.removeMany([
+    "AZURE_OPENAI_API_KEY",
+    "AZURE_OPENAI_API_VERSION",
+    "AZURE_OPENAI_DEPLOYMENT_NAME_MAP"
+  ]);
+  const envValues = {
+    AZURE_OPENAI_API_KEY: params.apiKey.trim()
+  };
+  const trimmedApiVersion = trimOrUndefined(params.apiVersion);
+  if (trimmedApiVersion) {
+    envValues.AZURE_OPENAI_API_VERSION = trimmedApiVersion;
+  }
+  const trimmedDeploymentName = trimOrUndefined(params.deploymentName);
+  if (trimmedDeploymentName && trimmedDeploymentName !== modelId) {
+    envValues.AZURE_OPENAI_DEPLOYMENT_NAME_MAP = JSON.stringify({
+      [modelId]: trimmedDeploymentName
+    });
+  }
+  await params.envStore.setMany(envValues);
+  await upsertModelsProvider(params.modelsJsonPath, "azure-openai-responses", createAzureProviderConfig({
+    baseUrl: params.baseUrl.trim(),
+    modelId,
+    useCustomModel
+  }));
+  params.settingsManager.setDefaultModelAndProvider("azure-openai-responses", modelId);
+}
+async function saveBedrockConfig(params) {
+  params.authStorage.set("amazon-bedrock", {
+    type: "api_key",
+    key: "aws-configured"
+  });
+  await params.envStore.removeMany([
+    "AWS_PROFILE",
+    "AWS_ACCESS_KEY_ID",
+    "AWS_SECRET_ACCESS_KEY",
+    "AWS_SESSION_TOKEN",
+    "AWS_REGION",
+    "AWS_DEFAULT_REGION",
+    "AWS_BEARER_TOKEN_BEDROCK"
+  ]);
+  const envValues = {
+    AWS_REGION: params.region.trim(),
+    AWS_DEFAULT_REGION: params.region.trim()
+  };
+  const profile = trimOrUndefined(params.profile);
+  if (profile) {
+    envValues.AWS_PROFILE = profile;
+  }
+  const accessKeyId = trimOrUndefined(params.accessKeyId);
+  const secretAccessKey = trimOrUndefined(params.secretAccessKey);
+  if (accessKeyId && secretAccessKey) {
+    envValues.AWS_ACCESS_KEY_ID = accessKeyId;
+    envValues.AWS_SECRET_ACCESS_KEY = secretAccessKey;
+  }
+  const sessionToken = trimOrUndefined(params.sessionToken);
+  if (sessionToken) {
+    envValues.AWS_SESSION_TOKEN = sessionToken;
+  }
+  await params.envStore.setMany(envValues);
+  params.settingsManager.setDefaultModelAndProvider("amazon-bedrock", params.modelId.trim());
+}
+async function clearProviderConfig(params) {
+  params.authStorage.remove(params.providerId);
+  if (params.providerId === "custom-openai") {
+    await params.envStore.removeMany([
+      "CUSTOM_OPENAI_API_KEY"
+    ]);
+    await removeModelsProvider(params.modelsJsonPath, "custom-openai");
+  }
+  if (params.providerId === "azure-openai-responses") {
+    await params.envStore.removeMany([
+      "AZURE_OPENAI_API_KEY",
+      "AZURE_OPENAI_API_VERSION",
+      "AZURE_OPENAI_DEPLOYMENT_NAME_MAP"
+    ]);
+    await removeModelsProvider(params.modelsJsonPath, "azure-openai-responses");
+  }
+  if (params.providerId === "amazon-bedrock") {
+    await params.envStore.removeMany([
+      "AWS_PROFILE",
+      "AWS_ACCESS_KEY_ID",
+      "AWS_SECRET_ACCESS_KEY",
+      "AWS_SESSION_TOKEN",
+      "AWS_REGION",
+      "AWS_DEFAULT_REGION",
+      "AWS_BEARER_TOKEN_BEDROCK"
+    ]);
+  }
+}
+
+// src/agent/providerCatalog.ts
+var OAUTH_ONLY_PROVIDER_IDS = /* @__PURE__ */ new Set([
+  "github-copilot",
+  "openai-codex",
+  "google-gemini-cli",
+  "google-antigravity"
+]);
+var PROVIDER_LABELS = {
+  anthropic: "Anthropic (Claude)",
+  openai: "OpenAI",
+  google: "Google (Gemini)",
+  "google-vertex": "Google Vertex AI",
+  "azure-openai-responses": "Azure OpenAI",
+  "amazon-bedrock": "Amazon Bedrock",
+  xai: "xAI (Grok)",
+  groq: "Groq",
+  cerebras: "Cerebras",
+  openrouter: "OpenRouter",
+  "vercel-ai-gateway": "Vercel AI Gateway",
+  zai: "ZAI",
+  mistral: "Mistral",
+  minimax: "MiniMax",
+  "minimax-cn": "MiniMax CN",
+  huggingface: "Hugging Face",
+  opencode: "OpenCode",
+  "opencode-go": "OpenCode Go",
+  "kimi-coding": "Kimi Coding",
+  "custom-openai": "Custom OpenAI-Compatible",
+  "google-gemini-cli": "Google Gemini CLI",
+  "google-antigravity": "Google Antigravity",
+  "openai-codex": "OpenAI Codex",
+  "github-copilot": "GitHub Copilot"
+};
+var PROVIDER_HINTS = {
+  anthropic: "recommended",
+  "custom-openai": "custom base URL + API key",
+  "azure-openai-responses": "API key + base URL/resource + deployment",
+  "amazon-bedrock": "AWS profile or access key pair",
+  "openai-codex": "browser auth",
+  "github-copilot": "browser auth",
+  "google-gemini-cli": "browser auth",
+  "google-antigravity": "browser auth"
+};
+function humanizeProviderId(providerId) {
+  return providerId.split("-").map((part) => {
+    if (!part) {
+      return part;
+    }
+    if (part.length <= 3) {
+      return part.toUpperCase();
+    }
+    return part[0].toUpperCase() + part.slice(1);
+  }).join(" ");
+}
+function toLabel(providerId) {
+  return PROVIDER_LABELS[providerId] || humanizeProviderId(providerId);
+}
+function toHint(providerId) {
+  return PROVIDER_HINTS[providerId];
+}
+function compareProviderOptions(a, b) {
+  return a.label.localeCompare(b.label);
+}
+function getBrowserAuthProviderOptions(oauthProviders) {
+  return oauthProviders.map((provider) => ({
+    id: provider.id,
+    label: provider.name || toLabel(provider.id),
+    hint: toHint(provider.id),
+    flow: "oauth"
+  })).sort(compareProviderOptions);
+}
+function getApiKeyProviderOptions(providerIds) {
+  const baseProviders = providerIds.filter((providerId) => !OAUTH_ONLY_PROVIDER_IDS.has(providerId)).map((providerId) => {
+    let flow = "generic-api-key";
+    if (providerId === "azure-openai-responses") {
+      flow = "azure-openai-responses";
+    } else if (providerId === "amazon-bedrock") {
+      flow = "amazon-bedrock";
+    }
+    return {
+      id: providerId,
+      label: toLabel(providerId),
+      hint: toHint(providerId),
+      flow
+    };
+  });
+  baseProviders.push({
+    id: "custom-openai",
+    label: toLabel("custom-openai"),
+    hint: toHint("custom-openai"),
+    flow: "custom-openai"
+  });
+  const deduped = /* @__PURE__ */ new Map();
+  for (const provider of baseProviders) {
+    deduped.set(provider.id, provider);
+  }
+  return Array.from(deduped.values()).sort(compareProviderOptions);
+}
+function getProviderLabel(providerId) {
+  return toLabel(providerId);
+}
+function getProviderHint(providerId) {
+  return toHint(providerId);
+}
+
+// src/agent/authInteractivity.ts
+function buildFieldUiHint(field) {
+  return {
+    component: field.component,
+    ...field.component === "password" ? { secret: true } : {},
+    ...field.placeholder ? { placeholder: field.placeholder } : {},
+    ...field.options ? { options: field.options } : {},
+    ...field.dependsOn ? { dependsOn: field.dependsOn } : {}
+  };
+}
+function buildProperty(field) {
+  return {
+    type: "string",
+    title: field.title,
+    ...field.description ? { description: field.description } : {},
+    ...field.options ? { enum: field.options.map((option) => option.value) } : {},
+    ...field.defaultValue ? { default: field.defaultValue } : {}
+  };
+}
+function toSelectOptions(values) {
+  return values.map((value) => ({ label: value, value }));
+}
+function getProviderFormFields(params) {
+  const provider = params.provider;
+  switch (provider.flow) {
+    case "custom-openai":
+      return [
+        {
+          name: "baseUrl",
+          title: "Custom OpenAI base URL",
+          required: true,
+          component: "text",
+          placeholder: "https://my-proxy.example.com/v1"
+        },
+        {
+          name: "apiKey",
+          title: `${provider.label} API key`,
+          required: true,
+          component: "password"
+        },
+        {
+          name: "modelId",
+          title: "Model ID",
+          required: true,
+          component: "text",
+          placeholder: "gpt-4o"
+        }
+      ];
+    case "azure-openai-responses":
+      return [
+        {
+          name: "apiKey",
+          title: "Azure OpenAI API key",
+          required: true,
+          component: "password"
+        },
+        {
+          name: "configMode",
+          title: "Azure OpenAI configuration",
+          required: true,
+          defaultValue: "base-url",
+          component: "select",
+          options: [
+            { label: "Use a base URL", value: "base-url" },
+            { label: "Use an Azure resource name", value: "resource-name" }
+          ]
+        },
+        {
+          name: "baseUrl",
+          title: "Azure OpenAI base URL",
+          required: true,
+          component: "text",
+          placeholder: "https://my-resource.openai.azure.com/openai/v1",
+          dependsOn: { field: "configMode", equals: "base-url" }
+        },
+        {
+          name: "resourceName",
+          title: "Azure resource name",
+          required: true,
+          component: "text",
+          placeholder: "my-resource",
+          dependsOn: { field: "configMode", equals: "resource-name" }
+        },
+        {
+          name: "modelId",
+          title: "Model ID",
+          required: true,
+          component: params.modelIdsByProvider[provider.id]?.length ? "select" : "text",
+          options: params.modelIdsByProvider[provider.id]?.length ? toSelectOptions(params.modelIdsByProvider[provider.id]) : void 0,
+          defaultValue: params.modelIdsByProvider[provider.id]?.[0] || "gpt-4.1"
+        },
+        {
+          name: "deploymentName",
+          title: "Deployment name",
+          component: "text",
+          placeholder: "gpt-4.1"
+        },
+        {
+          name: "apiVersion",
+          title: "API version",
+          component: "text",
+          defaultValue: "2025-03-01-preview",
+          placeholder: "2025-03-01-preview"
+        }
+      ];
+    case "amazon-bedrock":
+      return [
+        {
+          name: "authMode",
+          title: "Amazon Bedrock authentication",
+          required: true,
+          defaultValue: "profile",
+          component: "select",
+          options: [
+            { label: "Use an AWS profile", value: "profile" },
+            { label: "Paste AWS access keys", value: "access-keys" }
+          ]
+        },
+        {
+          name: "profile",
+          title: "AWS profile name",
+          required: true,
+          defaultValue: "default",
+          component: "text",
+          placeholder: "default",
+          dependsOn: { field: "authMode", equals: "profile" }
+        },
+        {
+          name: "accessKeyId",
+          title: "AWS access key ID",
+          required: true,
+          component: "text",
+          dependsOn: { field: "authMode", equals: "access-keys" }
+        },
+        {
+          name: "secretAccessKey",
+          title: "AWS secret access key",
+          required: true,
+          component: "password",
+          dependsOn: { field: "authMode", equals: "access-keys" }
+        },
+        {
+          name: "sessionToken",
+          title: "AWS session token",
+          component: "password",
+          dependsOn: { field: "authMode", equals: "access-keys" }
+        },
+        {
+          name: "region",
+          title: "AWS region",
+          required: true,
+          defaultValue: "us-east-1",
+          component: "text",
+          placeholder: "us-east-1"
+        },
+        {
+          name: "modelId",
+          title: "Bedrock model ID",
+          required: true,
+          component: params.modelIdsByProvider[provider.id]?.length ? "select" : "text",
+          options: params.modelIdsByProvider[provider.id]?.length ? toSelectOptions(params.modelIdsByProvider[provider.id]) : void 0,
+          defaultValue: params.modelIdsByProvider[provider.id]?.[0] || "anthropic.claude-3-7-sonnet-20250219-v1:0"
+        }
+      ];
+    default:
+      return [
+        {
+          name: "apiKey",
+          title: `${provider.label} API key`,
+          required: true,
+          component: "password"
+        }
+      ];
+  }
+}
+function buildProviderFormContract(params) {
+  if (params.provider.flow === "oauth") {
+    return null;
+  }
+  const fields = getProviderFormFields(params);
+  const properties = Object.fromEntries(fields.map((field) => [field.name, buildProperty(field)]));
+  const required = fields.filter((field) => field.required).map((field) => field.name);
+  const fieldHints = Object.fromEntries(fields.map((field) => [field.name, buildFieldUiHint(field)]));
+  return {
+    inputSchema: {
+      type: "object",
+      properties,
+      required
+    },
+    uiHints: {
+      submitLabel: "Save credentials",
+      order: fields.map((field) => field.name),
+      fields: fieldHints
+    }
+  };
+}
+function getOAuthDescriptor(params, provider) {
+  return {
+    id: provider.id,
+    label: provider.name || getProviderLabel(provider.id),
+    hint: getProviderHint(provider.id),
+    flow: "oauth",
+    authMode: "oauth",
+    configured: params.authStorage.hasAuth(provider.id),
+    canLogin: true,
+    canLogout: params.authStorage.hasAuth(provider.id),
+    inputSchema: null,
+    uiHints: null,
+    oauth: { usesCallbackServer: provider.usesCallbackServer }
+  };
+}
+function getApiKeyDescriptor(params, provider) {
+  const contract = buildProviderFormContract({
+    provider,
+    modelIdsByProvider: params.modelIdsByProvider
+  });
+  return {
+    id: provider.id,
+    label: provider.label,
+    hint: provider.hint,
+    flow: provider.flow,
+    authMode: "api-key",
+    configured: params.authStorage.hasAuth(provider.id),
+    canLogin: true,
+    canLogout: params.authStorage.hasAuth(provider.id),
+    inputSchema: contract?.inputSchema ?? null,
+    uiHints: contract?.uiHints ?? null,
+    oauth: null
+  };
+}
+function buildProviderCatalog(params) {
+  const oauthProviders = getBrowserAuthProviderOptions(params.browserProviders).map(
+    (provider) => getOAuthDescriptor(
+      params,
+      params.browserProviders.find((item) => item.id === provider.id) ?? { id: provider.id, name: provider.label }
+    )
+  );
+  const apiKeyProviders = getApiKeyProviderOptions(params.apiKeyProviderIds).map((provider) => getApiKeyDescriptor(params, provider));
+  return [...oauthProviders, ...apiKeyProviders].sort((left, right) => left.label.localeCompare(right.label));
+}
+function listProviderOptions(params) {
+  return [
+    ...getBrowserAuthProviderOptions(params.browserProviders),
+    ...getApiKeyProviderOptions(params.apiKeyProviderIds)
+  ].sort((left, right) => left.label.localeCompare(right.label));
+}
+function findProviderOption(params) {
+  return listProviderOptions({
+    browserProviders: params.browserProviders,
+    apiKeyProviderIds: params.apiKeyProviderIds
+  }).find((provider) => provider.id === params.providerId);
+}
+function trimOrUndefined2(value) {
+  return typeof value === "string" && value.trim().length > 0 ? value.trim() : void 0;
+}
+function validateProviderLoginInput(params) {
+  const fields = getProviderFormFields({
+    provider: params.provider,
+    modelIdsByProvider: params.modelIdsByProvider
+  });
+  const values = {};
+  for (const field of fields) {
+    if (field.dependsOn) {
+      const dependsOnValue = values[field.dependsOn.field] ?? trimOrUndefined2(params.value[field.dependsOn.field]);
+      if (dependsOnValue !== field.dependsOn.equals) {
+        continue;
+      }
+    }
+    const rawValue = params.value[field.name];
+    const normalized = trimOrUndefined2(rawValue);
+    if (field.required && !normalized) {
+      return { ok: false, error: `Missing required field: ${field.name}` };
+    }
+    if (normalized) {
+      values[field.name] = normalized;
+    } else if (field.defaultValue) {
+      values[field.name] = field.defaultValue;
+    }
+  }
+  return { ok: true, value: values };
+}
+async function applyProviderLogin(params) {
+  const provider = params.provider;
+  switch (provider.flow) {
+    case "custom-openai": {
+      await saveCustomOpenAiConfig({
+        ...params,
+        apiKey: params.input.apiKey,
+        baseUrl: params.input.baseUrl,
+        modelId: params.input.modelId
+      });
+      return { providerId: provider.id, preferredModelId: params.input.modelId };
+    }
+    case "azure-openai-responses": {
+      const baseUrl = params.input.baseUrl ?? (params.input.resourceName ? `https://${params.input.resourceName}.openai.azure.com/openai/v1` : void 0);
+      if (!baseUrl) {
+        throw new Error("Azure login requires either baseUrl or resourceName.");
+      }
+      const builtInModelIds = new Set(params.modelIdsByProvider[provider.id] ?? []);
+      await saveAzureConfig({
+        ...params,
+        apiKey: params.input.apiKey,
+        baseUrl,
+        modelId: params.input.modelId,
+        deploymentName: params.input.deploymentName,
+        apiVersion: params.input.apiVersion,
+        useCustomModel: !builtInModelIds.has(params.input.modelId)
+      });
+      return { providerId: provider.id, preferredModelId: params.input.modelId };
+    }
+    case "amazon-bedrock": {
+      const authMode = params.input.authMode ?? "profile";
+      await saveBedrockConfig({
+        ...params,
+        region: params.input.region,
+        modelId: params.input.modelId,
+        profile: authMode === "profile" ? params.input.profile : void 0,
+        accessKeyId: authMode === "access-keys" ? params.input.accessKeyId : void 0,
+        secretAccessKey: authMode === "access-keys" ? params.input.secretAccessKey : void 0,
+        sessionToken: authMode === "access-keys" ? params.input.sessionToken : void 0
+      });
+      return { providerId: provider.id, preferredModelId: params.input.modelId };
+    }
+    default: {
+      await saveGenericApiKey({
+        ...params,
+        providerId: provider.id,
+        apiKey: params.input.apiKey
+      });
+      return { providerId: provider.id };
+    }
+  }
+}
+async function refreshSessionAfterCredentialChange(params) {
+  params.modelRegistry.refresh();
+  const availableModels = params.modelRegistry.getAvailable();
+  const preferredModel = params.preferredProviderId && params.preferredModelId ? availableModels.find((model) => model.provider === params.preferredProviderId && model.id === params.preferredModelId) : params.preferredProviderId ? availableModels.find((model) => model.provider === params.preferredProviderId) : void 0;
+  const currentModel = params.session.model;
+  const currentModelStillAvailable = currentModel ? availableModels.some((model) => model.provider === currentModel.provider && model.id === currentModel.id) : false;
+  if (currentModel && !currentModelStillAvailable) {
+    if (preferredModel) {
+      await params.session.setModel(preferredModel);
+      return;
+    }
+    if (availableModels[0]) {
+      await params.session.setModel(availableModels[0]);
+    }
+    return;
+  }
+  if (!currentModel && preferredModel) {
+    await params.session.setModel(preferredModel);
+    return;
+  }
+  if (!currentModel && availableModels[0]) {
+    await params.session.setModel(availableModels[0]);
+  }
+}
+function serializeModels(params) {
+  return params.models.map((model) => ({
+    provider: model.provider,
+    providerLabel: getProviderLabel(model.provider),
+    id: model.id,
+    name: typeof model.name === "string" && model.name.length > 0 ? model.name : model.id,
+    reasoning: model.reasoning === true,
+    contextWindow: typeof model.contextWindow === "number" ? model.contextWindow : null,
+    maxTokens: typeof model.maxTokens === "number" ? model.maxTokens : null,
+    configured: params.authStorage.hasAuth(model.provider)
+  }));
+}
+
+// src/server/oauthFlowManager.ts
+var import_node_crypto = require("node:crypto");
+function normalizeError(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+function buildPromptStep(params) {
+  return {
+    type: params.type,
+    stepToken: params.state.stepToken,
+    providerId: params.state.providerId,
+    message: params.prompt.message,
+    inputSchema: {
+      type: "object",
+      properties: {
+        value: {
+          type: "string",
+          title: params.type === "manual-code" ? "Verification Code" : "Value",
+          ...params.prompt.placeholder ? { default: params.prompt.placeholder } : {}
+        }
+      },
+      required: params.prompt.allowEmpty ? [] : ["value"]
+    },
+    uiHints: {
+      submitLabel: "Continue",
+      order: ["value"],
+      fields: {
+        value: {
+          component: "text",
+          ...params.prompt.placeholder ? { placeholder: params.prompt.placeholder } : {}
+        }
+      }
+    }
+  };
+}
+function buildAuthStep(params) {
+  return {
+    type: "open-url",
+    stepToken: params.state.stepToken,
+    providerId: params.state.providerId,
+    url: params.authInfo.url,
+    instructions: params.authInfo.instructions,
+    usesCallbackServer: params.state.usesCallbackServer,
+    pending: true
+  };
+}
+var OAuthFlowManager = class {
+  flows = /* @__PURE__ */ new Map();
+  emitStep(state, step) {
+    state.currentStep = step;
+    if (state.waitingForStep) {
+      const waiting = state.waitingForStep;
+      state.waitingForStep = void 0;
+      waiting.resolve(step);
+      return;
+    }
+    state.queuedSteps.push(step);
+  }
+  nextStep(state) {
+    const queued = state.queuedSteps.shift();
+    if (queued) {
+      return Promise.resolve(queued);
+    }
+    if (state.currentStep) {
+      return Promise.resolve(state.currentStep);
+    }
+    return new Promise((resolve2) => {
+      state.waitingForStep = { resolve: resolve2 };
+    });
+  }
+  async start(params) {
+    const state = {
+      stepToken: (0, import_node_crypto.randomUUID)(),
+      providerId: params.providerId,
+      usesCallbackServer: params.usesCallbackServer,
+      pendingInput: void 0,
+      currentStep: void 0,
+      queuedSteps: [],
+      completed: false
+    };
+    this.flows.set(state.stepToken, state);
+    void params.authStorage.login(params.providerId, {
+      onAuth: (info) => {
+        this.emitStep(state, buildAuthStep({ state, authInfo: info }));
+      },
+      onPrompt: async (prompt) => {
+        const step = buildPromptStep({ state, type: "prompt", prompt });
+        this.emitStep(state, step);
+        return await new Promise((resolve2) => {
+          state.pendingInput = { type: "prompt", resolve: resolve2 };
+        });
+      },
+      onManualCodeInput: async () => {
+        const step = buildPromptStep({
+          state,
+          type: "manual-code",
+          prompt: {
+            message: "Enter the verification code from the provider."
+          }
+        });
+        this.emitStep(state, step);
+        return await new Promise((resolve2) => {
+          state.pendingInput = { type: "manual-code", resolve: resolve2 };
+        });
+      },
+      onProgress: (_message) => {
+      }
+    }).then(() => {
+      state.completed = true;
+      this.emitStep(state, {
+        type: "complete",
+        stepToken: state.stepToken,
+        providerId: state.providerId
+      });
+    }).catch((error) => {
+      state.completed = true;
+      this.emitStep(state, {
+        type: "error",
+        stepToken: state.stepToken,
+        providerId: state.providerId,
+        error: normalizeError(error)
+      });
+    });
+    return await this.nextStep(state);
+  }
+  async continue(params) {
+    const state = this.flows.get(params.stepToken);
+    if (!state) {
+      throw new Error(`Unknown OAuth step token: ${params.stepToken}`);
+    }
+    if (state.pendingInput) {
+      const nextValue = params.value?.trim();
+      state.pendingInput.resolve(nextValue ?? "");
+      state.pendingInput = void 0;
+      state.currentStep = void 0;
+    }
+    const step = await this.nextStep(state);
+    if (step.type === "complete" || step.type === "error") {
+      this.flows.delete(state.stepToken);
+    }
+    return step;
+  }
+};
+
 // src/server/agentServer.ts
 function generateMessageId() {
   return `msg_${Date.now()}_${Math.random().toString(36).slice(2, 10)}`;
@@ -3069,6 +4147,40 @@ function extractLastUserText(messages) {
   }
   return void 0;
 }
+function extractAskUserToolResponse(messages) {
+  for (let messageIndex = messages.length - 1; messageIndex >= 0; messageIndex -= 1) {
+    const message = messages[messageIndex];
+    if (message.role !== "assistant") {
+      continue;
+    }
+    for (let partIndex = message.parts.length - 1; partIndex >= 0; partIndex -= 1) {
+      const part = message.parts[partIndex];
+      if (part.type === "dynamic-tool" && part.toolName === "ask_user" && part.state === "output-available" && typeof part.toolCallId === "string") {
+        const response = parseAskUserResponseFromToolOutput(part.output);
+        if (response) {
+          return {
+            toolCallId: part.toolCallId,
+            response
+          };
+        }
+      }
+    }
+  }
+  return void 0;
+}
+function normalizeSlashCommands(commands) {
+  const seen = /* @__PURE__ */ new Set();
+  return commands.filter((command) => typeof command.name === "string" && command.name.trim().length > 0).sort((left, right) => left.name.localeCompare(right.name)).filter((command) => {
+    if (seen.has(command.name)) {
+      return false;
+    }
+    seen.add(command.name);
+    return true;
+  }).map((command) => ({
+    name: command.name,
+    description: command.description?.trim() || null
+  }));
+}
 async function waitForIdle(session, timeoutMs = 3e4) {
   if (!session.isStreaming) {
     return;
@@ -3145,6 +4257,17 @@ function convertSessionEntriesToUIMessages(entries) {
       const parts = [];
       for (const block of content) {
         if (block.type === "text" && typeof block.text === "string") {
+          const askUserRequest = parseAskUserRequestFromText(block.text);
+          if (askUserRequest) {
+            parts.push({
+              type: "dynamic-tool",
+              toolCallId: createAskUserToolCallId(askUserRequest),
+              toolName: "ask_user",
+              state: "input-available",
+              input: askUserRequest
+            });
+            continue;
+          }
           parts.push({ type: "text", text: block.text });
         } else if (block.type === "thinking" && typeof block.thinking === "string") {
           parts.push({ type: "reasoning", text: block.thinking, state: "complete" });
@@ -3189,8 +4312,8 @@ var FS_IGNORE = /* @__PURE__ */ new Set([
   ".svelte-kit"
 ]);
 function resolveSafePath(cwd, requestPath) {
-  const resolved = (0, import_node_path2.resolve)(cwd, requestPath);
-  const normalizedCwd = cwd.endsWith(import_node_path2.sep) ? cwd : cwd + import_node_path2.sep;
+  const resolved = (0, import_node_path3.resolve)(cwd, requestPath);
+  const normalizedCwd = cwd.endsWith(import_node_path3.sep) ? cwd : cwd + import_node_path3.sep;
   if (resolved !== cwd && !resolved.startsWith(normalizedCwd)) {
     throw new Error("Path escapes working directory");
   }
@@ -3207,7 +4330,7 @@ async function buildTree(params) {
   }
   let entries;
   try {
-    entries = await (0, import_promises2.readdir)(dir, { withFileTypes: true });
+    entries = await (0, import_promises3.readdir)(dir, { withFileTypes: true });
   } catch {
     return [];
   }
@@ -3227,8 +4350,8 @@ async function buildTree(params) {
     if (ignore.has(entry.name)) {
       continue;
     }
-    const fullPath = (0, import_node_path2.join)(dir, entry.name);
-    const relativePath = (0, import_node_path2.relative)(cwd, fullPath);
+    const fullPath = (0, import_node_path3.join)(dir, entry.name);
+    const relativePath = (0, import_node_path3.relative)(cwd, fullPath);
     if (entry.isDirectory()) {
       const children = await buildTree({
         dir: fullPath,
@@ -3254,7 +4377,7 @@ async function walkFiles(params) {
   }
   let entries;
   try {
-    entries = await (0, import_promises2.readdir)(dir, { withFileTypes: true });
+    entries = await (0, import_promises3.readdir)(dir, { withFileTypes: true });
   } catch {
     return;
   }
@@ -3265,8 +4388,8 @@ async function walkFiles(params) {
     if (ignore.has(entry.name)) {
       continue;
     }
-    const fullPath = (0, import_node_path2.join)(dir, entry.name);
-    const relativePath = (0, import_node_path2.relative)(cwd, fullPath);
+    const fullPath = (0, import_node_path3.join)(dir, entry.name);
+    const relativePath = (0, import_node_path3.relative)(cwd, fullPath);
     if (entry.isDirectory()) {
       await walkFiles({ dir: fullPath, cwd, pattern, ignore, maxResults, results });
     } else if (entry.isFile() && pattern.test(relativePath)) {
@@ -3275,10 +4398,40 @@ async function walkFiles(params) {
   }
 }
 async function createAgentServer(params) {
-  const { port, sessionManager, modelRegistry, context, onCreateSession, onResumeSession } = params;
+  const { port, sessionManager, modelRegistry, authRuntime, context, onCreateSession, onResumeSession, authToken } = params;
   let activeSession = params.session;
+  const pendingAskUserRequests = /* @__PURE__ */ new Map();
+  const oauthFlowManager = new OAuthFlowManager();
   const app = new Hono2();
+  function getModelIdsByProvider() {
+    const values = {};
+    for (const model of modelRegistry.getAll()) {
+      if (!values[model.provider]) {
+        values[model.provider] = [];
+      }
+      values[model.provider].push(model.id);
+    }
+    for (const providerId of Object.keys(values)) {
+      values[providerId] = [...new Set(values[providerId])].sort((left, right) => left.localeCompare(right));
+    }
+    return values;
+  }
+  function getProviderCatalog() {
+    return buildProviderCatalog({
+      authStorage: authRuntime.authStorage,
+      browserProviders: authRuntime.authStorage.getOAuthProviders(),
+      apiKeyProviderIds: [...new Set(modelRegistry.getAll().map((model) => model.provider))].sort((left, right) => left.localeCompare(right)),
+      modelIdsByProvider: getModelIdsByProvider()
+    });
+  }
   app.use("/*", cors({ origin: "*" }));
+  app.use("/*", async (c, next) => {
+    const unauthorizedResponse = authorizeServerRequest(c.req.raw, authToken);
+    if (unauthorizedResponse) {
+      return unauthorizedResponse;
+    }
+    await next();
+  });
   app.get("/api/health", (c) => {
     return c.json({ ok: true });
   });
@@ -3291,9 +4444,23 @@ async function createAgentServer(params) {
   app.post("/api/chat", async (c) => {
     const body = await c.req.json();
     const messages = body.messages ?? [];
-    const userMessage = extractLastUserText(messages);
+    if (body.sessionId) {
+      try {
+        activeSession = await onResumeSession(body.sessionId);
+      } catch (error) {
+        const msg = error instanceof Error ? error.message : String(error);
+        return c.json({ error: `Failed to resume session: ${msg}` }, 400);
+      }
+    }
+    const sessionId = body.sessionId?.trim() || activeSession.id?.trim() || "active";
+    const askUserResponse = extractAskUserToolResponse(messages);
+    const pendingAskUser = pendingAskUserRequests.get(sessionId);
+    const userMessage = askUserResponse ? pendingAskUser && pendingAskUser.toolCallId === askUserResponse.toolCallId ? formatAskUserResponsePrompt(askUserResponse.response) : void 0 : extractLastUserText(messages);
     if (!userMessage) {
-      return c.json({ error: "No user message found" }, 400);
+      return c.json({ error: askUserResponse ? "No matching pending ask_user request found" : "No user message found" }, 400);
+    }
+    if (askUserResponse) {
+      pendingAskUserRequests.delete(sessionId);
     }
     if (activeSession.isStreaming) {
       await activeSession.abort();
@@ -3313,6 +4480,9 @@ async function createAgentServer(params) {
         const bridge = createEventBridge({
           messageId,
           onChunk: writeChunk,
+          onAskUser: ({ toolCallId, request }) => {
+            pendingAskUserRequests.set(sessionId, { toolCallId, request });
+          },
           onDone: () => {
             writeChunk({ type: "finish-step" });
             writeChunk({ type: "finish" });
@@ -3331,7 +4501,14 @@ async function createAgentServer(params) {
             unsubscribe();
           }
         });
-        activeSession.prompt(userMessage).catch((error) => {
+        activeSession.prompt(userMessage).then(() => {
+          if (!activeSession.isStreaming) {
+            unsubscribe();
+            writeChunk({ type: "finish-step" });
+            writeChunk({ type: "finish" });
+            controller.close();
+          }
+        }).catch((error) => {
           const errorMessage = error instanceof Error ? error.message : String(error);
           writeChunk({ type: "error", errorText: errorMessage });
           writeChunk({ type: "finish-step" });
@@ -3433,8 +4610,161 @@ async function createAgentServer(params) {
   app.get("/api/models", (c) => {
     return c.json({
       current: activeSession.model ? { provider: activeSession.model.provider, id: activeSession.model.id } : null,
-      available: modelRegistry.getAvailable()
+      thinkingLevel: activeSession.thinkingLevel,
+      availableThinkingLevels: activeSession.getAvailableThinkingLevels(),
+      available: serializeModels({
+        models: modelRegistry.getAvailable(),
+        authStorage: authRuntime.authStorage
+      })
+    });
+  });
+  app.get("/api/slash-commands", (c) => {
+    return c.json({
+      commands: normalizeSlashCommands(activeSession.listCommands())
+    });
+  });
+  app.get("/api/auth/providers", (c) => {
+    return c.json({
+      providers: getProviderCatalog()
+    });
+  });
+  app.post("/api/auth/providers/:providerId/login", async (c) => {
+    const providerId = c.req.param("providerId");
+    const provider = findProviderOption({
+      providerId,
+      browserProviders: authRuntime.authStorage.getOAuthProviders(),
+      apiKeyProviderIds: [...new Set(modelRegistry.getAll().map((model) => model.provider))]
+    });
+    if (!provider) {
+      return c.json({ error: `Unknown provider: ${providerId}` }, 404);
+    }
+    if (provider.flow === "oauth") {
+      const step = await oauthFlowManager.start({
+        authStorage: authRuntime.authStorage,
+        providerId,
+        usesCallbackServer: authRuntime.authStorage.getOAuthProviders().find((item) => item.id === providerId)?.usesCallbackServer
+      });
+      return c.json({ step });
+    }
+    const body = await c.req.json();
+    const validated = validateProviderLoginInput({
+      provider,
+      modelIdsByProvider: getModelIdsByProvider(),
+      value: body
     });
+    if (!validated.ok) {
+      return c.json({ error: validated.error }, 400);
+    }
+    try {
+      const result = await applyProviderLogin({
+        ...authRuntime,
+        provider,
+        input: validated.value,
+        modelIdsByProvider: getModelIdsByProvider()
+      });
+      await refreshSessionAfterCredentialChange({
+        session: activeSession,
+        modelRegistry,
+        preferredProviderId: result.providerId,
+        preferredModelId: result.preferredModelId
+      });
+      return c.json({
+        ok: true,
+        providerId,
+        current: activeSession.model ? { provider: activeSession.model.provider, id: activeSession.model.id } : null,
+        thinkingLevel: activeSession.thinkingLevel
+      });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return c.json({ error: message }, 400);
+    }
+  });
+  app.post("/api/auth/providers/:providerId/oauth/continue", async (c) => {
+    const providerId = c.req.param("providerId");
+    const body = await c.req.json();
+    if (!body.stepToken) {
+      return c.json({ error: "Missing required field: stepToken" }, 400);
+    }
+    try {
+      const value = typeof body.values?.value === "string" ? body.values.value : void 0;
+      const step = await oauthFlowManager.continue({
+        stepToken: body.stepToken,
+        value
+      });
+      if (step.type === "complete") {
+        modelRegistry.refresh();
+        await refreshSessionAfterCredentialChange({
+          session: activeSession,
+          modelRegistry,
+          preferredProviderId: providerId
+        });
+      }
+      return c.json({ step });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return c.json({ error: message }, 400);
+    }
+  });
+  app.post("/api/auth/providers/:providerId/logout", async (c) => {
+    const providerId = c.req.param("providerId");
+    const provider = findProviderOption({
+      providerId,
+      browserProviders: authRuntime.authStorage.getOAuthProviders(),
+      apiKeyProviderIds: [...new Set(modelRegistry.getAll().map((model) => model.provider))]
+    });
+    if (!provider) {
+      return c.json({ error: `Unknown provider: ${providerId}` }, 404);
+    }
+    try {
+      if (provider.flow === "oauth") {
+        authRuntime.authStorage.logout(providerId);
+      } else {
+        await clearProviderConfig({
+          ...authRuntime,
+          providerId
+        });
+      }
+      modelRegistry.refresh();
+      await refreshSessionAfterCredentialChange({
+        session: activeSession,
+        modelRegistry
+      });
+      return c.json({
+        ok: true,
+        providerId,
+        current: activeSession.model ? { provider: activeSession.model.provider, id: activeSession.model.id } : null,
+        thinkingLevel: activeSession.thinkingLevel
+      });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return c.json({ error: message }, 400);
+    }
+  });
+  app.post("/api/models/select", async (c) => {
+    const body = await c.req.json();
+    const provider = body.provider?.trim();
+    const modelId = body.modelId?.trim();
+    if (!provider || !modelId) {
+      return c.json({ error: "Missing required fields: provider, modelId" }, 400);
+    }
+    const model = modelRegistry.find(provider, modelId);
+    if (!model) {
+      return c.json({ error: `Model not found: ${provider}/${modelId}` }, 404);
+    }
+    try {
+      await activeSession.setModel(model);
+      if (body.thinkingLevel) {
+        activeSession.setThinkingLevel(body.thinkingLevel);
+      }
+      return c.json({
+        current: activeSession.model ? { provider: activeSession.model.provider, id: activeSession.model.id } : null,
+        thinkingLevel: activeSession.thinkingLevel,
+        availableThinkingLevels: activeSession.getAvailableThinkingLevels()
+      });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return c.json({ error: message }, 400);
+    }
   });
   app.post("/api/sessions/:sessionId/resume", async (c) => {
     const sessionId = c.req.param("sessionId");
@@ -3500,11 +4830,11 @@ async function createAgentServer(params) {
     }
     try {
       const resolved = resolveSafePath(context.cwd, filePath);
-      const fileStat = await (0, import_promises2.stat)(resolved);
+      const fileStat = await (0, import_promises3.stat)(resolved);
       if (!fileStat.isFile()) {
         return c.json({ error: "Path is not a file" }, 400);
       }
-      const content = await (0, import_promises2.readFile)(resolved, "utf-8");
+      const content = await (0, import_promises3.readFile)(resolved, "utf-8");
       return c.json({
         path: filePath,
         content,
@@ -3524,9 +4854,9 @@ async function createAgentServer(params) {
     }
     try {
       const resolved = resolveSafePath(context.cwd, body.path);
-      await (0, import_promises2.mkdir)((0, import_node_path2.join)(resolved, ".."), { recursive: true });
-      await (0, import_promises2.writeFile)(resolved, body.content, "utf-8");
-      const fileStat = await (0, import_promises2.stat)(resolved);
+      await (0, import_promises3.mkdir)((0, import_node_path3.join)(resolved, ".."), { recursive: true });
+      await (0, import_promises3.writeFile)(resolved, body.content, "utf-8");
+      const fileStat = await (0, import_promises3.stat)(resolved);
       return c.json({ ok: true, path: body.path, size: fileStat.size });
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
@@ -3540,7 +4870,7 @@ async function createAgentServer(params) {
     }
     try {
       const resolved = resolveSafePath(context.cwd, body.path);
-      await (0, import_promises2.mkdir)(resolved, { recursive: true });
+      await (0, import_promises3.mkdir)(resolved, { recursive: true });
       return c.json({ ok: true, path: body.path });
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
@@ -3555,8 +4885,8 @@ async function createAgentServer(params) {
     try {
       const resolvedFrom = resolveSafePath(context.cwd, body.from);
       const resolvedTo = resolveSafePath(context.cwd, body.to);
-      await (0, import_promises2.mkdir)((0, import_node_path2.join)(resolvedTo, ".."), { recursive: true });
-      await (0, import_promises2.rename)(resolvedFrom, resolvedTo);
+      await (0, import_promises3.mkdir)((0, import_node_path3.join)(resolvedTo, ".."), { recursive: true });
+      await (0, import_promises3.rename)(resolvedFrom, resolvedTo);
       return c.json({ ok: true, from: body.from, to: body.to });
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
@@ -3574,8 +4904,8 @@ async function createAgentServer(params) {
       if (resolved === context.cwd) {
         return c.json({ error: "Cannot delete working directory" }, 400);
       }
-      const fileStat = await (0, import_promises2.stat)(resolved);
-      await (0, import_promises2.rm)(resolved, { recursive: fileStat.isDirectory() });
+      const fileStat = await (0, import_promises3.stat)(resolved);
+      await (0, import_promises3.rm)(resolved, { recursive: fileStat.isDirectory() });
       return c.json({ ok: true, path: filePath });
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
@@ -3584,7 +4914,7 @@ async function createAgentServer(params) {
     }
   });
   const CLI_EXEC = process.env.DOCYRUS_CLI_EXECUTABLE || process.execPath;
-  const CLI_ENTRY = process.env.DOCYRUS_CLI_ENTRY || (0, import_node_path2.resolve)(process.argv[1] ? (0, import_node_path2.join)(process.argv[1], "..") : __dirname, "main.js");
+  const CLI_ENTRY = process.env.DOCYRUS_CLI_ENTRY || (0, import_node_path3.resolve)(process.argv[1] ? (0, import_node_path3.join)(process.argv[1], "..") : __dirname, "main.js");
   const CLI_SCOPE = process.env.DOCYRUS_CLI_SCOPE;
   const CLI_TIMEOUT_MS = 3e4;
   function runCliCommand(args) {
@@ -3634,7 +4964,7 @@ async function createAgentServer(params) {
   }
   async function detectDevPort(cwd) {
     try {
-      const pkg = JSON.parse(await (0, import_promises2.readFile)((0, import_node_path2.join)(cwd, "package.json"), "utf-8"));
+      const pkg = JSON.parse(await (0, import_promises3.readFile)((0, import_node_path3.join)(cwd, "package.json"), "utf-8"));
       const devScript = pkg.scripts?.dev;
       if (devScript) {
         const portFlag = devScript.match(/--port\s+(\d+)/);
@@ -3650,7 +4980,7 @@ async function createAgentServer(params) {
     }
     for (const name of ["vite.config.ts", "vite.config.mts", "vite.config.js"]) {
       try {
-        const content = await (0, import_promises2.readFile)((0, import_node_path2.join)(cwd, name), "utf-8");
+        const content = await (0, import_promises3.readFile)((0, import_node_path3.join)(cwd, name), "utf-8");
         const portMatch = content.match(/port\s*:\s*(\d+)/);
         if (portMatch) {
           return Number(portMatch[1]);
@@ -3660,19 +4990,19 @@ async function createAgentServer(params) {
     }
     for (const name of ["next.config.ts", "next.config.mts", "next.config.js", "next.config.mjs"]) {
       try {
-        await (0, import_promises2.stat)((0, import_node_path2.join)(cwd, name));
+        await (0, import_promises3.stat)((0, import_node_path3.join)(cwd, name));
         return 3e3;
       } catch {
       }
     }
     try {
-      await (0, import_promises2.stat)((0, import_node_path2.join)(cwd, "angular.json"));
+      await (0, import_promises3.stat)((0, import_node_path3.join)(cwd, "angular.json"));
       return 4200;
     } catch {
     }
     for (const name of ["nuxt.config.ts", "nuxt.config.js"]) {
       try {
-        await (0, import_promises2.stat)((0, import_node_path2.join)(cwd, name));
+        await (0, import_promises3.stat)((0, import_node_path3.join)(cwd, name));
         return 3e3;
       } catch {
       }
@@ -3702,14 +5032,14 @@ async function createAgentServer(params) {
     } catch {
     }
     try {
-      const pkg = JSON.parse(await (0, import_promises2.readFile)((0, import_node_path2.join)(cwd, "package.json"), "utf-8"));
+      const pkg = JSON.parse(await (0, import_promises3.readFile)((0, import_node_path3.join)(cwd, "package.json"), "utf-8"));
       packageName = pkg.name ?? null;
       packageVersion = pkg.version ?? null;
     } catch {
     }
     cachedProjectInfo = {
       path: cwd,
-      folder: (0, import_node_path2.basename)(cwd),
+      folder: (0, import_node_path3.basename)(cwd),
       repo,
       packageName,
       packageVersion
@@ -3824,6 +5154,140 @@ async function createAgentServer(params) {
     devUrl = null;
     return c.json({ status: "stopped", url: stoppedUrl, pid });
   });
+  function gitExec(args, gitCwd) {
+    return new Promise((res, rej) => {
+      (0, import_node_child_process.execFile)("git", args, { cwd: gitCwd, maxBuffer: 50 * 1024 * 1024 }, (err, stdout) => {
+        if (err) {
+          return rej(err);
+        }
+        res(stdout);
+      });
+    });
+  }
+  app.get("/api/git/diff", async (c) => {
+    const filterPath = c.req.query("path");
+    const cwd = context.cwd;
+    try {
+      let branch;
+      let hasHead = true;
+      try {
+        branch = (await gitExec(["rev-parse", "--abbrev-ref", "HEAD"], cwd)).trim() || void 0;
+      } catch {
+        hasHead = false;
+      }
+      const diffRef = hasHead ? ["diff", "HEAD"] : ["diff", "--cached"];
+      const [nameStatusRaw, untrackedRaw, numstatRaw] = await Promise.all([
+        gitExec([...diffRef, "--name-status"], cwd).catch(() => ""),
+        gitExec(["ls-files", "--others", "--exclude-standard"], cwd).catch(() => ""),
+        gitExec([...diffRef, "--numstat"], cwd).catch(() => "")
+      ]);
+      const entries = [];
+      for (const line of nameStatusRaw.split("\n").filter(Boolean)) {
+        const parts = line.split("	");
+        const code = parts[0];
+        if (code.startsWith("R")) {
+          entries.push({ path: parts[2], status: "renamed", oldPath: parts[1] });
+        } else if (code.startsWith("C")) {
+          entries.push({ path: parts[2], status: "copied", oldPath: parts[1] });
+        } else if (code.startsWith("M")) {
+          entries.push({ path: parts[1], status: "modified" });
+        } else if (code.startsWith("A")) {
+          entries.push({ path: parts[1], status: "added" });
+        } else if (code.startsWith("D")) {
+          entries.push({ path: parts[1], status: "deleted" });
+        }
+      }
+      for (const filePath of untrackedRaw.split("\n").filter(Boolean)) {
+        entries.push({ path: filePath, status: "untracked" });
+      }
+      const numstatMap = /* @__PURE__ */ new Map();
+      for (const line of numstatRaw.split("\n").filter(Boolean)) {
+        const match2 = line.match(/^(-|\d+)\t(-|\d+)\t(.+)$/);
+        if (!match2) {
+          continue;
+        }
+        const isBinary = match2[1] === "-" && match2[2] === "-";
+        const additions = isBinary ? 0 : Number(match2[1]);
+        const deletions = isBinary ? 0 : Number(match2[2]);
+        let filePath = match2[3];
+        const arrowIdx = filePath.indexOf(" => ");
+        if (arrowIdx !== -1) {
+          const braceStart = filePath.indexOf("{");
+          if (braceStart !== -1 && braceStart < arrowIdx) {
+            const braceEnd = filePath.indexOf("}", arrowIdx);
+            if (braceEnd !== -1) {
+              const prefix = filePath.slice(0, braceStart);
+              const suffix = filePath.slice(braceEnd + 1);
+              const newPart = filePath.slice(braceStart + 1, braceEnd).split(" => ")[1];
+              filePath = prefix + newPart + suffix;
+            }
+          } else {
+            filePath = filePath.slice(arrowIdx + 4);
+          }
+        }
+        numstatMap.set(filePath, { additions, deletions, isBinary });
+      }
+      const filtered = filterPath ? entries.filter((e) => e.path === filterPath) : entries;
+      const MAX_CONTENT_SIZE = 1e6;
+      const fileResults = await Promise.all(filtered.map(async (entry) => {
+        const stats = numstatMap.get(entry.path);
+        if (stats?.isBinary) {
+          return null;
+        }
+        let oldContent = "";
+        let newContent = "";
+        let truncated = false;
+        if (hasHead && (entry.status === "modified" || entry.status === "deleted" || entry.status === "renamed" || entry.status === "copied")) {
+          const showPath = entry.oldPath ?? entry.path;
+          try {
+            oldContent = await gitExec(["show", `HEAD:${showPath}`], cwd);
+            if (oldContent.length > MAX_CONTENT_SIZE) {
+              oldContent = oldContent.slice(0, MAX_CONTENT_SIZE);
+              truncated = true;
+            }
+          } catch {
+          }
+        }
+        if (entry.status !== "deleted") {
+          try {
+            const resolved = (0, import_node_path3.resolve)(cwd, entry.path);
+            const buf = await (0, import_promises3.readFile)(resolved);
+            if (buf.subarray(0, 8192).includes(0)) {
+              return null;
+            }
+            newContent = buf.toString("utf-8");
+            if (newContent.length > MAX_CONTENT_SIZE) {
+              newContent = newContent.slice(0, MAX_CONTENT_SIZE);
+              truncated = true;
+            }
+          } catch {
+          }
+        }
+        const additions = stats?.additions ?? (entry.status === "untracked" ? newContent.split("\n").length : 0);
+        const deletions = stats?.deletions ?? 0;
+        const file = {
+          path: entry.path,
+          status: entry.status,
+          oldContent,
+          newContent,
+          additions,
+          deletions
+        };
+        if (entry.oldPath) {
+          file.oldPath = entry.oldPath;
+        }
+        if (truncated) {
+          file.truncated = true;
+        }
+        return file;
+      }));
+      const files = fileResults.filter((f) => f !== null);
+      return c.json({ files, ...branch ? { branch } : {} });
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      return c.json({ error: message }, 500);
+    }
+  });
   const BOOLEAN_CLI_FLAGS = /* @__PURE__ */ new Set(["json", "verbose", "global", "noAuth", "expand", "i"]);
   function buildCliArgs(pathSegments, query, body) {
     const args = [...pathSegments, "--json"];
@@ -3940,6 +5404,18 @@ async function createAgentServer(params) {
     process.stderr.write(`  GET  /api/context                       \u2014 server context
 `);
     process.stderr.write(`  GET  /api/models                        \u2014 available models
+`);
+    process.stderr.write(`  GET  /api/auth/providers                \u2014 auth provider catalog
+`);
+    process.stderr.write(`  POST /api/auth/providers/:id/login      \u2014 provider login/start login flow
+`);
+    process.stderr.write(`  POST /api/auth/providers/:id/oauth/continue \u2014 continue OAuth flow
+`);
+    process.stderr.write(`  POST /api/auth/providers/:id/logout     \u2014 provider logout
+`);
+    process.stderr.write(`  POST /api/models/select                 \u2014 select model and optional thinking level
+`);
+    process.stderr.write(`  GET  /api/slash-commands                \u2014 slash command list
 `);
     process.stderr.write(`  GET  /api/fs/tree                       \u2014 directory tree
 `);
@@ -3960,6 +5436,8 @@ async function createAgentServer(params) {
     process.stderr.write(`  POST /api/env/serve                     \u2014 start dev server (pnpm dev)
 `);
     process.stderr.write(`  POST /api/env/stop                      \u2014 stop dev server
+`);
+    process.stderr.write(`  GET  /api/git/diff                      \u2014 uncommitted file diffs
 `);
     process.stderr.write(`  *    /api/cli/**                        \u2014 proxy any docyrus CLI command
 
@@ -3992,6 +5470,61 @@ async function createAgentServer(params) {
     }
   }
 }
+function extractBearerToken(authorizationHeader) {
+  if (!authorizationHeader) {
+    return null;
+  }
+  const trimmed = authorizationHeader.trim();
+  const firstSpaceIndex = trimmed.indexOf(" ");
+  if (firstSpaceIndex <= 0) {
+    return null;
+  }
+  const scheme = trimmed.slice(0, firstSpaceIndex);
+  const token = trimmed.slice(firstSpaceIndex + 1).trim();
+  if (scheme.toLowerCase() !== "bearer" || token.length === 0) {
+    return null;
+  }
+  return token;
+}
+function hashToken(token) {
+  return (0, import_node_crypto2.createHash)("sha256").update(token).digest();
+}
+function isBearerTokenAuthorized(actualToken, expectedToken) {
+  if (!expectedToken) {
+    return true;
+  }
+  if (!actualToken) {
+    return false;
+  }
+  const actualHash = hashToken(actualToken);
+  const expectedHash = hashToken(expectedToken);
+  return (0, import_node_crypto2.timingSafeEqual)(actualHash, expectedHash);
+}
+function createUnauthorizedResponse() {
+  return new Response(JSON.stringify({ error: "Unauthorized" }), {
+    status: 401,
+    headers: {
+      "Content-Type": "application/json",
+      "WWW-Authenticate": "Bearer"
+    }
+  });
+}
+function authorizeServerRequest(request, expectedToken) {
+  if (!expectedToken || request.method === "OPTIONS") {
+    return null;
+  }
+  const authorizationHeader = request.headers.get("Authorization");
+  const token = extractBearerToken(authorizationHeader);
+  if (!isBearerTokenAuthorized(token, expectedToken)) {
+    return createUnauthorizedResponse();
+  }
+  return null;
+}
+
+// src/server/loaderRequest.ts
+function parseServerLoaderRequest(payload) {
+  return JSON.parse(payload);
+}
 
 // src/server/server-loader.ts
 function readRequiredEnv(name) {
@@ -4002,19 +5535,19 @@ function readRequiredEnv(name) {
   return value;
 }
 function readLoaderRequest() {
-  return JSON.parse(readRequiredEnv("DOCYRUS_PI_REQUEST"));
+  return parseServerLoaderRequest(readRequiredEnv("DOCYRUS_PI_REQUEST"));
 }
 async function loadPiExports() {
   const piPackageDir = readRequiredEnv("PI_PACKAGE_DIR");
-  const moduleUrl = (0, import_node_url.pathToFileURL)((0, import_node_path3.join)(piPackageDir, "dist", "index.js")).href;
+  const moduleUrl = (0, import_node_url.pathToFileURL)((0, import_node_path4.join)(piPackageDir, "dist", "index.js")).href;
   return await import(moduleUrl);
 }
 function resolvePackagedPiResourceRoot() {
   const candidates = [
-    (0, import_node_path3.resolve)(process.cwd(), "apps/api-cli/resources/pi-agent"),
-    (0, import_node_path3.resolve)(__dirname, "../resources/pi-agent"),
-    (0, import_node_path3.resolve)(__dirname, "resources/pi-agent"),
-    (0, import_node_path3.resolve)(process.cwd(), "dist/apps/api-cli/resources/pi-agent")
+    (0, import_node_path4.resolve)(process.cwd(), "apps/api-cli/resources/pi-agent"),
+    (0, import_node_path4.resolve)(__dirname, "../resources/pi-agent"),
+    (0, import_node_path4.resolve)(__dirname, "resources/pi-agent"),
+    (0, import_node_path4.resolve)(process.cwd(), "dist/apps/api-cli/resources/pi-agent")
   ];
   const resolved = candidates.find((candidate) => (0, import_node_fs.existsSync)(candidate));
   if (!resolved) {
@@ -4023,13 +5556,13 @@ function resolvePackagedPiResourceRoot() {
   return resolved;
 }
 function resolvePackagedExtensionPaths(resourceRoot) {
-  const extensionsRoot = (0, import_node_path3.join)(resourceRoot, "extensions");
+  const extensionsRoot = (0, import_node_path4.join)(resourceRoot, "extensions");
   if (!(0, import_node_fs.existsSync)(extensionsRoot)) {
     return [];
   }
   return (0, import_node_fs.readdirSync)(extensionsRoot, {
     withFileTypes: true
-  }).filter((entry) => entry.isDirectory() || entry.isFile() && (entry.name.endsWith(".ts") || entry.name.endsWith(".js"))).map((entry) => (0, import_node_path3.join)(extensionsRoot, entry.name)).sort((left, right) => left.localeCompare(right));
+  }).filter((entry) => entry.isDirectory() || entry.isFile() && (entry.name.endsWith(".ts") || entry.name.endsWith(".js"))).map((entry) => (0, import_node_path4.join)(extensionsRoot, entry.name)).sort((left, right) => left.localeCompare(right));
 }
 function setProcessArgValue(flag, value) {
   const existingIndex = process.argv.indexOf(flag);
@@ -4096,6 +5629,45 @@ function renderStartupSplash(version) {
 `
   );
 }
+function createServerSessionAdapter(params) {
+  return {
+    id: params.session.id,
+    get isStreaming() {
+      return params.session.isStreaming;
+    },
+    get model() {
+      return params.session.model;
+    },
+    get thinkingLevel() {
+      return params.session.thinkingLevel;
+    },
+    subscribe(listener) {
+      return params.session.subscribe(listener);
+    },
+    prompt(text) {
+      return params.session.prompt(text);
+    },
+    abort() {
+      return params.session.abort();
+    },
+    setModel(model) {
+      return params.session.setModel(model);
+    },
+    setThinkingLevel(level) {
+      return params.session.setThinkingLevel(level);
+    },
+    getAvailableThinkingLevels() {
+      return params.session.getAvailableThinkingLevels();
+    },
+    supportsThinking() {
+      return params.session.supportsThinking();
+    },
+    listCommands() {
+      const getCommands = params.extensionsResult.runtime.getCommands;
+      return typeof getCommands === "function" ? getCommands() : [];
+    }
+  };
+}
 async function main() {
   const request = readLoaderRequest();
   const pi = await loadPiExports();
@@ -4104,16 +5676,16 @@ async function main() {
   const version = process.env.DOCYRUS_PI_VERSION || "dev";
   const resourceRoot = resolvePackagedPiResourceRoot();
   const packagedExtensionPaths = resolvePackagedExtensionPaths(resourceRoot);
-  const mcpConfigPath = (0, import_node_path3.join)(agentDir, "mcp.json");
+  const mcpConfigPath = (0, import_node_path4.join)(agentDir, "mcp.json");
   const hasPackagedMcpAdapter = packagedExtensionPaths.some((extensionPath) => extensionPath.includes("pi-mcp-adapter"));
-  const envStore = new AgentEnvStore((0, import_node_path3.join)(agentDir, "env.json"));
+  const envStore = new AgentEnvStore((0, import_node_path4.join)(agentDir, "env.json"));
   await envStore.hydrateProcessEnv(process.env);
   if (hasPackagedMcpAdapter) {
     setProcessArgValue("--mcp-config", mcpConfigPath);
   }
-  const authStorage = pi.AuthStorage.create((0, import_node_path3.join)(agentDir, "auth.json"));
+  const authStorage = pi.AuthStorage.create((0, import_node_path4.join)(agentDir, "auth.json"));
   const settingsManager = pi.SettingsManager.create(cwd, agentDir);
-  const modelsJsonPath = (0, import_node_path3.join)(agentDir, "models.json");
+  const modelsJsonPath = (0, import_node_path4.join)(agentDir, "models.json");
   const modelRegistry = new pi.ModelRegistry(authStorage, modelsJsonPath);
   const quietStartup = !request.verbose;
   if (quietStartup) {
@@ -4140,7 +5712,7 @@ async function main() {
     agentDir,
     settingsManager,
     additionalExtensionPaths: packagedExtensionPaths,
-    systemPrompt: (0, import_node_path3.join)(
+    systemPrompt: (0, import_node_path4.join)(
       resourceRoot,
       "prompts",
       request.profile === "agent" ? "agent-system.md" : "coder-system.md"
@@ -4173,14 +5745,19 @@ Or create ${modelsJsonPath}`
     );
   }
   await createAgentServer({
-    session,
+    session: createServerSessionAdapter({ session, extensionsResult }),
+    authToken: request.auth,
     port: request.port,
     sessionManager: {
       list: () => pi.SessionManager.list(cwd, request.sessionDir),
       open: (path) => pi.SessionManager.open(path, request.sessionDir)
     },
-    modelRegistry: {
-      getAvailable: () => modelRegistry.getAvailable()
+    modelRegistry,
+    authRuntime: {
+      authStorage,
+      envStore,
+      settingsManager,
+      modelsJsonPath
     },
     context: {
       cwd,
@@ -4191,7 +5768,7 @@ Or create ${modelsJsonPath}`
       thinkingLevel: request.thinking ?? null
     },
     onCreateSession: async () => {
-      const { session: freshSession } = await pi.createAgentSession({
+      const { session: freshSession, extensionsResult: freshExtensionsResult } = await pi.createAgentSession({
         cwd,
         agentDir,
         authStorage,
@@ -4203,7 +5780,10 @@ Or create ${modelsJsonPath}`
         model: requestedModel,
         thinkingLevel: request.thinking
       });
-      return freshSession;
+      return createServerSessionAdapter({
+        session: freshSession,
+        extensionsResult: freshExtensionsResult
+      });
     },
     onResumeSession: async (sessionId) => {
       const sessions = await pi.SessionManager.list(cwd, request.sessionDir);
@@ -4212,20 +5792,26 @@ Or create ${modelsJsonPath}`
         throw new Error(`Session not found: ${sessionId}`);
       }
       const resumeCwd = match2.cwd || cwd;
-      const { session: resumedSession } = await pi.createAgentSession({
+      const resumedSessionManager = pi.SessionManager.open(
+        match2.path,
+        request.sessionDir
+      );
+      const { session: resumedSession, extensionsResult: resumedExtensionsResult } = await pi.createAgentSession({
         cwd: resumeCwd,
         agentDir,
         authStorage,
         modelRegistry,
         resourceLoader,
         settingsManager,
-        sessionManager,
+        sessionManager: resumedSessionManager,
         tools: buildTools(request.profile, resumeCwd, pi),
         model: requestedModel,
-        thinkingLevel: request.thinking,
-        resumeSessionId: sessionId
+        thinkingLevel: request.thinking
+      });
+      return createServerSessionAdapter({
+        session: resumedSession,
+        extensionsResult: resumedExtensionsResult
       });
-      return resumedSession;
     }
   });
 }