@link-assistant/hive-mind 1.69.13 → 1.69.15

package/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @link-assistant/hive-mind
 
+## 1.69.15
+
+### Patch Changes
+
+- fbda6de: Fix `--auto-fork` failing on private repositories with read-only access when forking is allowed. `handleAutoForkOption` now probes the `allow_forking` repository attribute before bailing out: when it is `true`, fork mode is enabled (the same behaviour already used for public repos without write access); when it is explicitly `false`, the fatal exit explains that direct branch mode needs push/write access, fork mode is disabled, and the maintainer must either grant Write access or enable private forking; when it cannot be determined, we fall through with a verbose warning so `gh repo fork` can produce a precise downstream error. Resolves #1795.
+
+## 1.69.14
+
+### Patch Changes
+
+- 32af9e1: Show subscription end date in `/limits` for Claude and Codex when the underlying providers expose it. Claude trials display the trial end date from the OAuth profile; Codex displays the renewal date decoded from the ChatGPT JWT (`chatgpt_subscription_active_until`). Lines are only rendered when real data is available.
+
 ## 1.69.13
 
 ### Patch Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@link-assistant/hive-mind",
-  "version": "1.69.13",
+  "version": "1.69.15",
   "description": "AI-powered issue solver and hive mind for collaborative problem solving",
   "main": "src/hive.mjs",
   "type": "module",

package/src/limits-i18n.lib.mjs

@@ -74,6 +74,11 @@ const ENGLISH_LIMITS = {
   seven_day_sonnet_only: '7d Sonnet only',
   session: 'session',
   start: 'Start',
+  subscription_ends: 'Subscription ends {{time}}',
+  subscription_ends_in: 'Subscription ends in {{duration}} ({{time}})',
+  subscription_status: 'Subscription: {{status}}',
+  trial_ends: 'Trial ends {{time}}',
+  trial_ends_in: 'Trial ends in {{duration}} ({{time}})',
   unavailable: 'unavailable',
   unlimited: 'unlimited',
   used: 'used',
@@ -110,6 +115,20 @@ export function formatLimitResetsAt(resetTime, options = {}) {
   return lt('resets_at', { time: resetTime }, options);
 }
 
+export function formatSubscriptionEnds(duration, resetTime, options = {}) {
+  if (duration) return lt('subscription_ends_in', { duration, time: resetTime }, options);
+  return lt('subscription_ends', { time: resetTime }, options);
+}
+
+export function formatTrialEnds(duration, resetTime, options = {}) {
+  if (duration) return lt('trial_ends_in', { duration, time: resetTime }, options);
+  return lt('trial_ends', { time: resetTime }, options);
+}
+
+export function formatSubscriptionStatus(status, options = {}) {
+  return lt('subscription_status', { status }, options);
+}
+
 export function formatLocalizedResetTime(isoDate, includeTimezone = true, options = {}) {
   if (typeof includeTimezone === 'object') return formatLocalizedResetTime(isoDate, true, includeTimezone);
   const locale = resolveLimitLocale(options);

package/src/limits-subscription.lib.mjs

@@ -0,0 +1,206 @@
+/**
+ * Subscription metadata helpers for the /limits command.
+ *
+ * Surfaces the subscription end / trial end / status fields the underlying
+ * providers expose:
+ *   - Claude: GET https://api.anthropic.com/api/oauth/profile
+ *   - Codex:  decoded id_token from ~/.codex/auth.json
+ *
+ * See `docs/case-studies/issue-1793/`.
+ */
+
+import { CACHE_TTL, DEFAULT_CODEX_AUTH_PATH, DEFAULT_CREDENTIALS_PATH, decodeJwtPayload, getLimitCache, readCodexAuth, readCredentials } from './limits.lib.mjs';
+import { formatLocalizedRelativeTime, formatLocalizedResetTime, formatSubscriptionEnds, formatSubscriptionStatus, formatTrialEnds, resolveLimitLocale } from './limits-i18n.lib.mjs';
+
+const PROFILE_API_ENDPOINT = 'https://api.anthropic.com/api/oauth/profile';
+
+/**
+ * Render the localized "Subscription ends …" / "Trial ends …" / "Subscription: …"
+ * line for a tool. Returns '' when no displayable data is present.
+ */
+export function formatSubscriptionLines(subscription, options = {}) {
+  if (!subscription) return '';
+  const locale = resolveLimitLocale(options);
+  const buildLine = (iso, formatter) => {
+    const resetTime = formatLocalizedResetTime(iso, true, { locale });
+    return resetTime ? formatter(formatLocalizedRelativeTime(iso, { locale }), resetTime, { locale }) : null;
+  };
+  let line = null;
+  if (subscription.endsAt) line = buildLine(subscription.endsAt, formatSubscriptionEnds);
+  else if (subscription.trialEndsAt) line = buildLine(subscription.trialEndsAt, formatTrialEnds);
+  else if (subscription.status) line = formatSubscriptionStatus(subscription.status, { locale });
+  return line ? `${line}\n` : '';
+}
+
+/**
+ * Get Claude subscription metadata.
+ *
+ * Reads `~/.claude/.credentials.json` and queries Anthropic's
+ * `/api/oauth/profile` endpoint to surface what is currently published:
+ *   - subscription_status ("active" / "inactive")
+ *   - subscription_created_at (ISO timestamp)
+ *   - claude_code_trial_ends_at (ISO timestamp; trials only)
+ *   - subscriptionType from local creds (informational plan label)
+ *
+ * Anthropic does NOT currently expose a `subscription_ends_at` field for
+ * paid plans, so we never fabricate one. The renderer only emits a line
+ * when a value is available.
+ *
+ * @param {Object} opts
+ * @param {boolean} opts.verbose - Verbose logging
+ * @param {string} opts.credentialsPath - Override Claude credentials path
+ * @returns {Object} `{ success, subscription? , error? }`
+ */
+export async function getClaudeSubscriptionInfo({ verbose = false, credentialsPath = DEFAULT_CREDENTIALS_PATH } = {}) {
+  try {
+    const credentials = await readCredentials(credentialsPath, verbose);
+    if (!credentials) {
+      return {
+        success: false,
+        error: 'Could not read Claude credentials. Make sure Claude is properly installed and authenticated.',
+      };
+    }
+
+    const accessToken = credentials?.claudeAiOauth?.accessToken;
+    const planType = credentials?.claudeAiOauth?.subscriptionType || null;
+
+    if (!accessToken) {
+      return {
+        success: false,
+        error: 'No access token found in Claude credentials.',
+      };
+    }
+
+    const requestHeaders = {
+      Accept: 'application/json',
+      'Content-Type': 'application/json',
+      'User-Agent': 'claude-code/2.0.55',
+      Authorization: `Bearer ${accessToken}`,
+      'anthropic-beta': 'oauth-2025-04-20',
+    };
+
+    if (verbose) {
+      console.log(`[VERBOSE] /limits subscription: GET ${PROFILE_API_ENDPOINT}`);
+    }
+
+    const response = await fetch(PROFILE_API_ENDPOINT, { method: 'GET', headers: requestHeaders });
+    if (!response.ok) {
+      if (verbose) {
+        console.error(`[VERBOSE] /limits subscription HTTP ${response.status} ${response.statusText}`);
+      }
+      return {
+        success: false,
+        error: `Failed to fetch Claude profile: ${response.status} ${response.statusText}`,
+      };
+    }
+
+    const data = await response.json();
+    if (verbose) {
+      console.log('[VERBOSE] /limits subscription body:', JSON.stringify(data, null, 2));
+    }
+
+    const organization = data?.organization || {};
+    return {
+      success: true,
+      subscription: {
+        planType,
+        status: organization.subscription_status || null,
+        createdAt: organization.subscription_created_at || null,
+        trialEndsAt: organization.claude_code_trial_ends_at || null,
+        endsAt: organization.subscription_ends_at || null,
+      },
+    };
+  } catch (error) {
+    if (verbose) console.error('[VERBOSE] /limits subscription error:', error);
+    return { success: false, error: `Failed to get Claude subscription info: ${error.message}` };
+  }
+}
+
+/**
+ * Get Codex subscription metadata.
+ *
+ * Decodes the OIDC `id_token` persisted in `~/.codex/auth.json`. The token's
+ * `https://api.openai.com/auth` claim carries the active ChatGPT subscription
+ * window — including `chatgpt_subscription_active_until`, which is exactly
+ * the renewal/end date the issue asks for. No HTTP call is needed.
+ *
+ * @param {Object} opts
+ * @param {boolean} opts.verbose
+ * @param {string} opts.authPath
+ * @returns {Object} `{ success, subscription? , error? }`
+ */
+export async function getCodexSubscriptionInfo({ verbose = false, authPath = DEFAULT_CODEX_AUTH_PATH } = {}) {
+  try {
+    const auth = await readCodexAuth(authPath, verbose);
+    if (!auth) {
+      return {
+        success: false,
+        error: 'Could not read Codex authentication.',
+      };
+    }
+
+    if (auth.auth_mode && auth.auth_mode !== 'chatgpt') {
+      return {
+        success: false,
+        error: 'Codex subscription info is only available for ChatGPT-authenticated Codex.',
+      };
+    }
+
+    const idToken = auth?.tokens?.id_token || null;
+    const accessToken = auth?.tokens?.access_token || null;
+    const payload = decodeJwtPayload(idToken) || decodeJwtPayload(accessToken);
+    const claims = payload?.['https://api.openai.com/auth'] || null;
+
+    if (!claims) {
+      return {
+        success: false,
+        error: 'Could not decode Codex subscription claims from id_token.',
+      };
+    }
+
+    return {
+      success: true,
+      subscription: {
+        planType: claims.chatgpt_plan_type || null,
+        activeStart: claims.chatgpt_subscription_active_start || null,
+        endsAt: claims.chatgpt_subscription_active_until || null,
+        lastChecked: claims.chatgpt_subscription_last_checked || null,
+      },
+    };
+  } catch (error) {
+    if (verbose) console.error('[VERBOSE] /limits Codex subscription error:', error);
+    return { success: false, error: `Failed to get Codex subscription info: ${error.message}` };
+  }
+}
+
+/**
+ * Cached Claude subscription metadata. Uses the same 20-minute
+ * TTL as `/limits` so we don't add traffic to the Anthropic OAuth API.
+ */
+export async function getCachedClaudeSubscription(verbose = false) {
+  const cache = getLimitCache();
+  const cached = cache.get('claude-subscription', CACHE_TTL.USAGE_API);
+  if (cached) {
+    if (verbose) console.log('[VERBOSE] /limits-cache: Using cached Claude subscription');
+    return cached;
+  }
+  const result = await getClaudeSubscriptionInfo({ verbose });
+  if (result.success) cache.set('claude-subscription', result, CACHE_TTL.USAGE_API);
+  return result;
+}
+
+/**
+ * Cached Codex subscription metadata. The JWT decode is local, but we still
+ * cache for parity with the rest of the /limits pipeline.
+ */
+export async function getCachedCodexSubscription(verbose = false) {
+  const cache = getLimitCache();
+  const cached = cache.get('codex-subscription', CACHE_TTL.USAGE_API);
+  if (cached) {
+    if (verbose) console.log('[VERBOSE] /limits-cache: Using cached Codex subscription');
+    return cached;
+  }
+  const result = await getCodexSubscriptionInfo({ verbose });
+  if (result.success) cache.set('codex-subscription', result, CACHE_TTL.USAGE_API);
+  return result;
+}

package/src/limits.lib.mjs

@@ -14,6 +14,8 @@ import utc from 'dayjs/plugin/utc.js';
 
 import { wrapDollarWithGhRetry as _wrapDollarWithGhRetry, execGhWithRetry } from './github-rate-limit.lib.mjs'; // rate-limit marker (#1726): gh API calls flow through $ wrapped by caller. execGhWithRetry adds transient-network retry (#1756).
 import { formatLimitResetsAt, formatLimitResetsIn, formatLocalizedCurrentTime, formatLocalizedRelativeTime, formatLocalizedResetTime, localizeCompactDuration, lt, resolveLimitLocale } from './limits-i18n.lib.mjs';
+import { formatSubscriptionLines, getCachedClaudeSubscription, getCachedCodexSubscription, getClaudeSubscriptionInfo, getCodexSubscriptionInfo } from './limits-subscription.lib.mjs';
+export { getCachedClaudeSubscription, getCachedCodexSubscription, getClaudeSubscriptionInfo, getCodexSubscriptionInfo };
 // Initialize dayjs plugins
 dayjs.extend(utc);
 
@@ -31,8 +33,8 @@ const execAsync = promisify(exec);
 /**
  * Default path to Claude credentials file
  */
-const DEFAULT_CREDENTIALS_PATH = join(homedir(), '.claude', '.credentials.json');
-const DEFAULT_CODEX_AUTH_PATH = join(homedir(), '.codex', 'auth.json');
+export const DEFAULT_CREDENTIALS_PATH = join(homedir(), '.claude', '.credentials.json');
+export const DEFAULT_CODEX_AUTH_PATH = join(homedir(), '.codex', 'auth.json');
 const DEFAULT_CODEX_CONFIG_PATH = join(homedir(), '.codex', 'config.toml');
 
 /**
@@ -41,7 +43,7 @@ const DEFAULT_CODEX_CONFIG_PATH = join(homedir(), '.codex', 'config.toml');
 const USAGE_API_ENDPOINT = 'https://api.anthropic.com/api/oauth/usage';
 const CODEX_USAGE_API_DEFAULT_BASE_URL = 'https://chatgpt.com/backend-api';
 
-function decodeJwtPayload(token) {
+export function decodeJwtPayload(token) {
   if (!token || typeof token !== 'string') return null;
 
   try {
@@ -73,7 +75,7 @@ function mapCodexWindow(window) {
   };
 }
 
-async function readCodexAuth(authPath = DEFAULT_CODEX_AUTH_PATH, verbose = false) {
+export async function readCodexAuth(authPath = DEFAULT_CODEX_AUTH_PATH, verbose = false) {
   try {
     const content = await readFile(authPath, 'utf-8');
     const auth = JSON.parse(content);
@@ -121,7 +123,7 @@ async function getCodexUsageBaseUrl(configPath = DEFAULT_CODEX_CONFIG_PATH, verb
  * @param {boolean} verbose - Whether to log verbose output
  * @returns {Object|null} Credentials object or null if not found
  */
-async function readCredentials(credentialsPath = DEFAULT_CREDENTIALS_PATH, verbose = false) {
+export async function readCredentials(credentialsPath = DEFAULT_CREDENTIALS_PATH, verbose = false) {
   try {
     const content = await readFile(credentialsPath, 'utf-8');
     const credentials = JSON.parse(content);
@@ -1000,6 +1002,7 @@ export function formatUsageMessage(usage, diskSpace = null, githubRateLimit = nu
     extraSections = [];
   }
   const locale = resolveLimitLocale(options);
+  const subscription = options?.subscription || null;
   const sections = [];
 
   sections.push(`${lt('current_time', {}, { locale })}: ${formatCurrentTime({ locale })}\n`);
@@ -1157,6 +1160,9 @@ export function formatUsageMessage(usage, diskSpace = null, githubRateLimit = nu
       sonnetSection += `${lt('na', {}, { locale })}\n`;
     }
     sections.push(sonnetSection);
+
+    const subscriptionLines = formatSubscriptionLines(subscription, { locale });
+    if (subscriptionLines) sections.push(subscriptionLines);
   }
 
   // Append any caller-provided extra sections (e.g. queue status) inside the code block
@@ -1187,6 +1193,7 @@ export function formatCodexLimitsSection(codexLimits, codexError = null, options
   const additionalRateLimits = codexLimits?.additionalRateLimits || [];
   const credits = codexLimits?.credits || null;
   const planType = codexLimits?.planType || null;
+  const subscription = options?.subscription || null;
 
   let section = `${lt('codex_limits', {}, { locale })}\n`;
   if (planType) {
@@ -1249,6 +1256,9 @@ export function formatCodexLimitsSection(codexLimits, codexError = null, options
     section += `\n${lt('codex_credits', {}, { locale })}\n${creditSummary}\n`;
   }
 
+  const subscriptionLines = formatSubscriptionLines(subscription, { locale });
+  if (subscriptionLines) section += subscriptionLines;
+
   return section;
 }
 
@@ -1435,14 +1445,16 @@ export async function getCachedDiskInfo(verbose = false) {
 }
 
 export async function getAllCachedLimits(verbose = false) {
-  const [claude, codex, github, memory, cpu, disk] = await Promise.all([getCachedClaudeLimits(verbose), getCachedCodexLimits(verbose), getCachedGitHubLimits(verbose), getCachedMemoryInfo(verbose), getCachedCpuInfo(verbose), getCachedDiskInfo(verbose)]);
-  return { claude, codex, github, memory, cpu, disk };
+  const [claude, codex, github, memory, cpu, disk, claudeSubscription, codexSubscription] = await Promise.all([getCachedClaudeLimits(verbose), getCachedCodexLimits(verbose), getCachedGitHubLimits(verbose), getCachedMemoryInfo(verbose), getCachedCpuInfo(verbose), getCachedDiskInfo(verbose), getCachedClaudeSubscription(verbose), getCachedCodexSubscription(verbose)]);
+  return { claude, codex, github, memory, cpu, disk, claudeSubscription, codexSubscription };
 }
 
 export default {
   // Raw functions (no caching)
   getClaudeUsageLimits,
   getCodexUsageLimits,
+  getClaudeSubscriptionInfo,
+  getCodexSubscriptionInfo,
   getCpuLoadInfo,
   getMemoryInfo,
   getDiskSpaceInfo,
@@ -1461,6 +1473,8 @@ export default {
   // Cached functions
   getCachedClaudeLimits,
   getCachedCodexLimits,
+  getCachedClaudeSubscription,
+  getCachedCodexSubscription,
   getCachedGitHubLimits,
   getCachedMemoryInfo,
   getCachedCpuInfo,

package/src/locales/en.lino

@@ -135,6 +135,11 @@ en
   limits.seven_day_sonnet_only "7d Sonnet only"
   limits.session "session"
   limits.start "Start"
+  limits.subscription_ends "Subscription ends {{time}}"
+  limits.subscription_ends_in "Subscription ends in {{duration}} ({{time}})"
+  limits.subscription_status "Subscription: {{status}}"
+  limits.trial_ends "Trial ends {{time}}"
+  limits.trial_ends_in "Trial ends in {{duration}} ({{time}})"
   limits.unavailable "unavailable"
   limits.unlimited "unlimited"
   limits.used "used"

package/src/locales/hi.lino

@@ -135,6 +135,11 @@ hi
   limits.seven_day_sonnet_only "7 दिन केवल Sonnet"
   limits.session "सत्र"
   limits.start "शुरुआत"
+  limits.subscription_ends "सदस्यता समाप्त होगी {{time}}"
+  limits.subscription_ends_in "सदस्यता {{duration}} में समाप्त होगी ({{time}})"
+  limits.subscription_status "सदस्यता: {{status}}"
+  limits.trial_ends "ट्रायल समाप्त होगा {{time}}"
+  limits.trial_ends_in "ट्रायल {{duration}} में समाप्त होगा ({{time}})"
   limits.unavailable "अनुपलब्ध"
   limits.unlimited "असीमित"
   limits.used "उपयोग"

package/src/locales/ru.lino

@@ -135,6 +135,11 @@ ru
   limits.seven_day_sonnet_only "7 дней, только Sonnet"
   limits.session "сеанс"
   limits.start "Начало"
+  limits.subscription_ends "Подписка заканчивается {{time}}"
+  limits.subscription_ends_in "Подписка заканчивается через {{duration}} ({{time}})"
+  limits.subscription_status "Подписка: {{status}}"
+  limits.trial_ends "Пробный период заканчивается {{time}}"
+  limits.trial_ends_in "Пробный период заканчивается через {{duration}} ({{time}})"
   limits.unavailable "недоступно"
   limits.unlimited "без ограничений"
   limits.used "использовано"

package/src/locales/zh.lino

@@ -135,6 +135,11 @@ zh
   limits.seven_day_sonnet_only "7 天仅 Sonnet"
   limits.session "会话"
   limits.start "开始"
+  limits.subscription_ends "订阅结束于 {{time}}"
+  limits.subscription_ends_in "订阅将在 {{duration}} 后结束 ({{time}})"
+  limits.subscription_status "订阅: {{status}}"
+  limits.trial_ends "试用结束于 {{time}}"
+  limits.trial_ends_in "试用将在 {{duration}} 后结束 ({{time}})"
   limits.unavailable "不可用"
   limits.unlimited "无限"
   limits.used "已用"

package/src/solve.fork-detection.lib.mjs

@@ -24,9 +24,41 @@ const { log, ghCmdRetry } = lib;
 const githubLib = await import('./github.lib.mjs');
 
 /**
- * Handle the --auto-fork option: when the user lacks write access to a public
- * repository, automatically enable fork mode; when the repository is private,
- * fail with an actionable error.
+ * Probe whether the repository allows forking via the GitHub API
+ * (`allow_forking` is true for repos that can be forked by users with read
+ * access — including private repositories). Returns `null` when the
+ * attribute could not be determined so callers can decide a safe default.
+ *
+ * Kept here (instead of github.lib.mjs) because it's only used by the
+ * auto-fork branch and the existing `detectRepositoryVisibility` already
+ * makes a separate API call; this avoids reshuffling shared helpers.
+ *
+ * Issue #1795: a private repository with read-only access can still be
+ * forked when `allow_forking` is true, so failing early was overly
+ * conservative.
+ */
+async function detectAllowForking(owner, repo) {
+  const result = await ghCmdRetry(() => $`gh api repos/${owner}/${repo} --jq .allow_forking`, { label: `allow_forking ${owner}/${repo}` });
+  if (result.code !== 0) return null;
+  const raw = result.stdout.toString().trim();
+  if (raw === 'true') return true;
+  if (raw === 'false') return false;
+  return null;
+}
+
+function describeRepoPermissionLevel(permissions) {
+  if (permissions.admin === true) return 'Admin';
+  if (permissions.maintain === true) return 'Maintain';
+  if (permissions.push === true) return 'Write';
+  if (permissions.triage === true) return 'Triage';
+  if (permissions.pull === true) return 'Read';
+  return 'No confirmed repository access';
+}
+
+/**
+ * Handle the --auto-fork option: when the user lacks write access, attempt
+ * to enable fork mode (including for private repositories where
+ * `allow_forking` is true). Only fail when forking is also unavailable.
  *
  * Mutates argv.fork in place when fork mode is enabled.
  *
@@ -51,19 +83,52 @@ export async function handleAutoForkOption({ owner, repo, argv, safeExit }) {
       const { isPublic } = await detectRepositoryVisibility(owner, repo);
 
       if (!isPublic) {
-        await log('');
-        await log("❌ --auto-fork failed: Repository is private and you don't have write access", { level: 'error' });
-        await log('');
-        await log('   🔍 What happened:', { level: 'error' });
-        await log(`      Repository ${owner}/${repo} is private`, { level: 'error' });
-        await log("      You don't have write access to this repository", { level: 'error' });
-        await log('      --auto-fork cannot create a fork of a private repository you cannot access', { level: 'error' });
-        await log('');
-        await log('   💡 Solution:', { level: 'error' });
-        await log('      • Request collaborator access from the repository owner', { level: 'error' });
-        await log(`        https://github.com/${owner}/${repo}/settings/access`, { level: 'error' });
-        await log('');
-        await safeExit(1, 'Auto-fork failed - private repository without access');
+        // Issue #1795: read access to a private repo is enough to fork it
+        // when the upstream allows forking. Probe `allow_forking` before
+        // bailing out so users with limited (read-only) access can still
+        // proceed via their own fork.
+        const allowForking = await detectAllowForking(owner, repo);
+        if (allowForking === false) {
+          const permissionLevel = describeRepoPermissionLevel(permissions);
+
+          await log('');
+          await log("❌ --auto-fork failed: Repository is private, you don't have write access, and forking is disabled", { level: 'error' });
+          await log('');
+          await log('   🔍 What happened:', { level: 'error' });
+          await log(`      Repository ${owner}/${repo} is private`, { level: 'error' });
+          await log(`      Your detected GitHub repository access level is ${permissionLevel}`, { level: 'error' });
+          await log(`      API permissions: ${JSON.stringify(permissions)}`, { level: 'error' });
+          await log('      Direct branch mode requires push/write access, but permissions.push is false', { level: 'error' });
+          await log("      Fork mode is also unavailable because the repository owner disabled private forking ('allow_forking' is false)", {
+            level: 'error',
+          });
+          await log('');
+          await log('   💡 Solution:', { level: 'error' });
+          await log('      • To let Hive Mind work directly in this repository:', { level: 'error' });
+          await log(`        Ask an owner/admin to open https://github.com/${owner}/${repo}/settings/access`, { level: 'error' });
+          await log('        Then add this GitHub account or its team with the Write role (Maintain/Admin also works)', { level: 'error' });
+          await log('      • To let Hive Mind work through a fork instead:', { level: 'error' });
+          await log(`        Ask an owner/admin to open https://github.com/${owner}/${repo}/settings`, { level: 'error' });
+          await log('        Then enable Settings -> General -> Features -> Allow forking', { level: 'error' });
+          await log('        For organization-owned private repositories, the organization must also allow private repository forks', {
+            level: 'error',
+          });
+          await log('');
+          await safeExit(1, 'Auto-fork failed - private repository without access and forking is disabled');
+          return;
+        }
+
+        if (allowForking === true) {
+          await log('✅ Auto-fork: Read-only access to private repository, enabling fork mode (allow_forking=true)');
+        } else {
+          await log("✅ Auto-fork: Read-only access to private repository, attempting fork mode (allow_forking couldn't be confirmed)");
+          await log("   ⚠️  Could not determine 'allow_forking' for the private repository; letting gh repo fork report the exact result", {
+            verbose: true,
+            level: 'warning',
+          });
+        }
+
+        argv.fork = true;
         return;
       }
 

package/src/telegram-bot.mjs

@@ -566,8 +566,10 @@ bot.command('limits', async ctx => {
   const codexError = limits.codex.success ? null : limits.codex.error;
   const solveQueue = getSolveQueue({ verbose: VERBOSE });
   const queueStatus = await solveQueue.formatStatus({ locale: userLocale });
-  const codexSection = formatCodexLimitsSection(limits.codex.success ? limits.codex : null, codexError, { locale: userLocale });
-  const message = t('telegram.usage_limits_title', {}, { locale: userLocale }) + '\n\n' + formatUsageMessage(limits.claude.success ? limits.claude.usage : null, limits.disk.success ? limits.disk.diskSpace : null, limits.github.success ? limits.github.githubRateLimit : null, limits.cpu.success ? limits.cpu.cpuLoad : null, limits.memory.success ? limits.memory.memory : null, claudeError, [codexSection, queueStatus], { locale: userLocale });
+  const claudeSubscription = limits.claudeSubscription?.success ? limits.claudeSubscription.subscription : null;
+  const codexSubscription = limits.codexSubscription?.success ? limits.codexSubscription.subscription : null;
+  const codexSection = formatCodexLimitsSection(limits.codex.success ? limits.codex : null, codexError, { locale: userLocale, subscription: codexSubscription });
+  const message = t('telegram.usage_limits_title', {}, { locale: userLocale }) + '\n\n' + formatUsageMessage(limits.claude.success ? limits.claude.usage : null, limits.disk.success ? limits.disk.diskSpace : null, limits.github.success ? limits.github.githubRateLimit : null, limits.cpu.success ? limits.cpu.cpuLoad : null, limits.memory.success ? limits.memory.memory : null, claudeError, [codexSection, queueStatus], { locale: userLocale, subscription: claudeSubscription });
   await safeEditMessageText(ctx.telegram, fetchingMessage.chat.id, fetchingMessage.message_id, undefined, message, { parse_mode: 'Markdown', fallbackLocale: userLocale, verbose: VERBOSE });
 });
 bot.command('version', async ctx => {