npm - @nghyane/arcane - Versions diffs - 0.1.0 - Mend

@nghyane/arcane 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (738) hide show

package/CHANGELOG.md +3 -0
package/README.md +12 -0
package/examples/README.md +21 -0
package/examples/custom-tools/README.md +109 -0
package/examples/custom-tools/hello/index.ts +20 -0
package/examples/custom-tools/todo/index.ts +206 -0
package/examples/extensions/README.md +143 -0
package/examples/extensions/api-demo.ts +89 -0
package/examples/extensions/chalk-logger.ts +25 -0
package/examples/extensions/hello.ts +32 -0
package/examples/extensions/pirate.ts +43 -0
package/examples/extensions/plan-mode.ts +550 -0
package/examples/extensions/reload-runtime.ts +37 -0
package/examples/extensions/todo.ts +296 -0
package/examples/extensions/tools.ts +144 -0
package/examples/extensions/with-deps/index.ts +35 -0
package/examples/extensions/with-deps/package-lock.json +31 -0
package/examples/extensions/with-deps/package.json +16 -0
package/examples/hooks/README.md +56 -0
package/examples/hooks/auto-commit-on-exit.ts +48 -0
package/examples/hooks/confirm-destructive.ts +58 -0
package/examples/hooks/custom-compaction.ts +116 -0
package/examples/hooks/dirty-repo-guard.ts +51 -0
package/examples/hooks/file-trigger.ts +40 -0
package/examples/hooks/git-checkpoint.ts +52 -0
package/examples/hooks/handoff.ts +150 -0
package/examples/hooks/permission-gate.ts +33 -0
package/examples/hooks/protected-paths.ts +29 -0
package/examples/hooks/qna.ts +119 -0
package/examples/hooks/status-line.ts +39 -0
package/examples/sdk/01-minimal.ts +21 -0
package/examples/sdk/02-custom-model.ts +49 -0
package/examples/sdk/03-custom-prompt.ts +43 -0
package/examples/sdk/04-skills.ts +43 -0
package/examples/sdk/06-extensions.ts +80 -0
package/examples/sdk/06-hooks.ts +61 -0
package/examples/sdk/07-context-files.ts +35 -0
package/examples/sdk/08-prompt-templates.ts +36 -0
package/examples/sdk/08-slash-commands.ts +41 -0
package/examples/sdk/09-api-keys-and-oauth.ts +54 -0
package/examples/sdk/11-sessions.ts +47 -0
package/examples/sdk/README.md +150 -0
package/package.json +464 -0
package/scripts/format-prompts.ts +184 -0
package/scripts/generate-docs-index.ts +40 -0
package/scripts/generate-template.ts +32 -0
package/src/bun-imports.d.ts +22 -0
package/src/capability/context-file.ts +39 -0
package/src/capability/extension-module.ts +33 -0
package/src/capability/extension.ts +47 -0
package/src/capability/fs.ts +89 -0
package/src/capability/hook.ts +39 -0
package/src/capability/index.ts +432 -0
package/src/capability/instruction.ts +36 -0
package/src/capability/mcp.ts +60 -0
package/src/capability/prompt.ts +34 -0
package/src/capability/rule.ts +223 -0
package/src/capability/settings.ts +34 -0
package/src/capability/skill.ts +48 -0
package/src/capability/slash-command.ts +39 -0
package/src/capability/ssh.ts +41 -0
package/src/capability/system-prompt.ts +34 -0
package/src/capability/tool.ts +37 -0
package/src/capability/types.ts +156 -0
package/src/cli/args.ts +259 -0
package/src/cli/config-cli.ts +357 -0
package/src/cli/file-processor.ts +124 -0
package/src/cli/grep-cli.ts +152 -0
package/src/cli/jupyter-cli.ts +106 -0
package/src/cli/list-models.ts +103 -0
package/src/cli/plugin-cli.ts +661 -0
package/src/cli/session-picker.ts +42 -0
package/src/cli/setup-cli.ts +376 -0
package/src/cli/shell-cli.ts +174 -0
package/src/cli/ssh-cli.ts +179 -0
package/src/cli/stats-cli.ts +197 -0
package/src/cli/update-cli.ts +286 -0
package/src/cli/web-search-cli.ts +143 -0
package/src/cli.ts +65 -0
package/src/commands/commit.ts +36 -0
package/src/commands/config.ts +51 -0
package/src/commands/grep.ts +41 -0
package/src/commands/jupyter.ts +32 -0
package/src/commands/launch.ts +139 -0
package/src/commands/plugin.ts +70 -0
package/src/commands/setup.ts +42 -0
package/src/commands/shell.ts +29 -0
package/src/commands/ssh.ts +60 -0
package/src/commands/stats.ts +29 -0
package/src/commands/update.ts +21 -0
package/src/commands/web-search.ts +42 -0
package/src/commit/agentic/agent.ts +311 -0
package/src/commit/agentic/fallback.ts +96 -0
package/src/commit/agentic/index.ts +359 -0
package/src/commit/agentic/prompts/analyze-file.md +22 -0
package/src/commit/agentic/prompts/session-user.md +25 -0
package/src/commit/agentic/prompts/split-confirm.md +1 -0
package/src/commit/agentic/prompts/system.md +38 -0
package/src/commit/agentic/state.ts +69 -0
package/src/commit/agentic/tools/analyze-file.ts +118 -0
package/src/commit/agentic/tools/git-file-diff.ts +194 -0
package/src/commit/agentic/tools/git-hunk.ts +50 -0
package/src/commit/agentic/tools/git-overview.ts +84 -0
package/src/commit/agentic/tools/index.ts +56 -0
package/src/commit/agentic/tools/propose-changelog.ts +128 -0
package/src/commit/agentic/tools/propose-commit.ts +154 -0
package/src/commit/agentic/tools/recent-commits.ts +81 -0
package/src/commit/agentic/tools/split-commit.ts +280 -0
package/src/commit/agentic/topo-sort.ts +44 -0
package/src/commit/agentic/trivial.ts +51 -0
package/src/commit/agentic/validation.ts +200 -0
package/src/commit/analysis/conventional.ts +165 -0
package/src/commit/analysis/index.ts +4 -0
package/src/commit/analysis/scope.ts +242 -0
package/src/commit/analysis/summary.ts +112 -0
package/src/commit/analysis/validation.ts +66 -0
package/src/commit/changelog/detect.ts +37 -0
package/src/commit/changelog/generate.ts +110 -0
package/src/commit/changelog/index.ts +234 -0
package/src/commit/changelog/parse.ts +44 -0
package/src/commit/cli.ts +93 -0
package/src/commit/git/diff.ts +148 -0
package/src/commit/git/errors.ts +9 -0
package/src/commit/git/index.ts +211 -0
package/src/commit/git/operations.ts +54 -0
package/src/commit/index.ts +5 -0
package/src/commit/map-reduce/index.ts +64 -0
package/src/commit/map-reduce/map-phase.ts +178 -0
package/src/commit/map-reduce/reduce-phase.ts +145 -0
package/src/commit/map-reduce/utils.ts +9 -0
package/src/commit/message.ts +11 -0
package/src/commit/model-selection.ts +69 -0
package/src/commit/pipeline.ts +243 -0
package/src/commit/prompts/analysis-system.md +148 -0
package/src/commit/prompts/analysis-user.md +38 -0
package/src/commit/prompts/changelog-system.md +50 -0
package/src/commit/prompts/changelog-user.md +18 -0
package/src/commit/prompts/file-observer-system.md +24 -0
package/src/commit/prompts/file-observer-user.md +8 -0
package/src/commit/prompts/reduce-system.md +50 -0
package/src/commit/prompts/reduce-user.md +17 -0
package/src/commit/prompts/summary-retry.md +3 -0
package/src/commit/prompts/summary-system.md +38 -0
package/src/commit/prompts/summary-user.md +13 -0
package/src/commit/prompts/types-description.md +2 -0
package/src/commit/types.ts +109 -0
package/src/commit/utils/exclusions.ts +42 -0
package/src/config/file-lock.ts +121 -0
package/src/config/keybindings.ts +280 -0
package/src/config/model-registry.ts +1140 -0
package/src/config/model-resolver.ts +812 -0
package/src/config/prompt-templates.ts +526 -0
package/src/config/resolve-config-value.ts +92 -0
package/src/config/settings-schema.ts +1236 -0
package/src/config/settings.ts +706 -0
package/src/config.ts +414 -0
package/src/cursor.ts +239 -0
package/src/debug/index.ts +431 -0
package/src/debug/log-formatting.ts +60 -0
package/src/debug/log-viewer.ts +903 -0
package/src/debug/profiler.ts +158 -0
package/src/debug/report-bundle.ts +366 -0
package/src/debug/system-info.ts +112 -0
package/src/discovery/agents-md.ts +68 -0
package/src/discovery/agents.ts +199 -0
package/src/discovery/builtin.ts +815 -0
package/src/discovery/claude-plugins.ts +205 -0
package/src/discovery/claude.ts +506 -0
package/src/discovery/cline.ts +83 -0
package/src/discovery/codex.ts +532 -0
package/src/discovery/cursor.ts +218 -0
package/src/discovery/gemini.ts +395 -0
package/src/discovery/github.ts +117 -0
package/src/discovery/helpers.ts +698 -0
package/src/discovery/index.ts +89 -0
package/src/discovery/mcp-json.ts +156 -0
package/src/discovery/opencode.ts +394 -0
package/src/discovery/ssh.ts +160 -0
package/src/discovery/vscode.ts +103 -0
package/src/discovery/windsurf.ts +145 -0
package/src/exa/company.ts +57 -0
package/src/exa/index.ts +62 -0
package/src/exa/linkedin.ts +57 -0
package/src/exa/mcp-client.ts +289 -0
package/src/exa/render.ts +244 -0
package/src/exa/researcher.ts +89 -0
package/src/exa/search.ts +330 -0
package/src/exa/types.ts +166 -0
package/src/exa/websets.ts +247 -0
package/src/exec/bash-executor.ts +184 -0
package/src/exec/exec.ts +53 -0
package/src/export/custom-share.ts +65 -0
package/src/export/html/index.ts +162 -0
package/src/export/html/template.css +889 -0
package/src/export/html/template.generated.ts +2 -0
package/src/export/html/template.html +45 -0
package/src/export/html/template.js +1329 -0
package/src/export/html/template.macro.ts +24 -0
package/src/export/html/vendor/highlight.min.js +1213 -0
package/src/export/html/vendor/marked.min.js +6 -0
package/src/export/ttsr.ts +434 -0
package/src/extensibility/custom-commands/bundled/review/index.ts +433 -0
package/src/extensibility/custom-commands/index.ts +15 -0
package/src/extensibility/custom-commands/loader.ts +231 -0
package/src/extensibility/custom-commands/types.ts +111 -0
package/src/extensibility/custom-tools/index.ts +22 -0
package/src/extensibility/custom-tools/loader.ts +235 -0
package/src/extensibility/custom-tools/types.ts +226 -0
package/src/extensibility/custom-tools/wrapper.ts +45 -0
package/src/extensibility/extensions/index.ts +136 -0
package/src/extensibility/extensions/loader.ts +520 -0
package/src/extensibility/extensions/runner.ts +774 -0
package/src/extensibility/extensions/types.ts +1293 -0
package/src/extensibility/extensions/wrapper.ts +188 -0
package/src/extensibility/hooks/index.ts +16 -0
package/src/extensibility/hooks/loader.ts +273 -0
package/src/extensibility/hooks/runner.ts +441 -0
package/src/extensibility/hooks/tool-wrapper.ts +106 -0
package/src/extensibility/hooks/types.ts +817 -0
package/src/extensibility/plugins/doctor.ts +65 -0
package/src/extensibility/plugins/git-url.ts +281 -0
package/src/extensibility/plugins/index.ts +33 -0
package/src/extensibility/plugins/installer.ts +192 -0
package/src/extensibility/plugins/loader.ts +338 -0
package/src/extensibility/plugins/manager.ts +716 -0
package/src/extensibility/plugins/parser.ts +105 -0
package/src/extensibility/plugins/types.ts +190 -0
package/src/extensibility/skills.ts +385 -0
package/src/extensibility/slash-commands.ts +287 -0
package/src/extensibility/tool-proxy.ts +25 -0
package/src/index.ts +275 -0
package/src/internal-urls/agent-protocol.ts +136 -0
package/src/internal-urls/artifact-protocol.ts +97 -0
package/src/internal-urls/docs-index.generated.ts +54 -0
package/src/internal-urls/docs-protocol.ts +84 -0
package/src/internal-urls/index.ts +31 -0
package/src/internal-urls/json-query.ts +126 -0
package/src/internal-urls/memory-protocol.ts +133 -0
package/src/internal-urls/router.ts +70 -0
package/src/internal-urls/rule-protocol.ts +55 -0
package/src/internal-urls/skill-protocol.ts +111 -0
package/src/internal-urls/types.ts +52 -0
package/src/ipy/executor.ts +556 -0
package/src/ipy/gateway-coordinator.ts +426 -0
package/src/ipy/kernel.ts +892 -0
package/src/ipy/modules.ts +109 -0
package/src/ipy/prelude.py +831 -0
package/src/ipy/prelude.ts +3 -0
package/src/ipy/runtime.ts +222 -0
package/src/lsp/client.ts +867 -0
package/src/lsp/clients/biome-client.ts +202 -0
package/src/lsp/clients/index.ts +50 -0
package/src/lsp/clients/lsp-linter-client.ts +93 -0
package/src/lsp/clients/swiftlint-client.ts +120 -0
package/src/lsp/config.ts +397 -0
package/src/lsp/defaults.json +464 -0
package/src/lsp/edits.ts +109 -0
package/src/lsp/index.ts +1268 -0
package/src/lsp/lspmux.ts +250 -0
package/src/lsp/render.ts +689 -0
package/src/lsp/types.ts +414 -0
package/src/lsp/utils.ts +549 -0
package/src/main.ts +773 -0
package/src/mcp/client.ts +239 -0
package/src/mcp/config-writer.ts +215 -0
package/src/mcp/config.ts +363 -0
package/src/mcp/index.ts +55 -0
package/src/mcp/json-rpc.ts +84 -0
package/src/mcp/loader.ts +124 -0
package/src/mcp/manager.ts +490 -0
package/src/mcp/oauth-discovery.ts +274 -0
package/src/mcp/oauth-flow.ts +229 -0
package/src/mcp/render.ts +123 -0
package/src/mcp/tool-bridge.ts +372 -0
package/src/mcp/tool-cache.ts +121 -0
package/src/mcp/transports/http.ts +332 -0
package/src/mcp/transports/index.ts +6 -0
package/src/mcp/transports/stdio.ts +281 -0
package/src/mcp/types.ts +248 -0
package/src/memories/index.ts +1099 -0
package/src/memories/storage.ts +563 -0
package/src/modes/components/agent-dashboard.ts +1130 -0
package/src/modes/components/assistant-message.ts +144 -0
package/src/modes/components/bash-execution.ts +218 -0
package/src/modes/components/bordered-loader.ts +41 -0
package/src/modes/components/branch-summary-message.ts +45 -0
package/src/modes/components/codemode-group.ts +369 -0
package/src/modes/components/compaction-summary-message.ts +51 -0
package/src/modes/components/countdown-timer.ts +46 -0
package/src/modes/components/custom-editor.ts +181 -0
package/src/modes/components/custom-message.ts +91 -0
package/src/modes/components/diff.ts +186 -0
package/src/modes/components/dynamic-border.ts +25 -0
package/src/modes/components/extensions/extension-dashboard.ts +325 -0
package/src/modes/components/extensions/extension-list.ts +484 -0
package/src/modes/components/extensions/index.ts +9 -0
package/src/modes/components/extensions/inspector-panel.ts +321 -0
package/src/modes/components/extensions/state-manager.ts +586 -0
package/src/modes/components/extensions/types.ts +191 -0
package/src/modes/components/footer.ts +315 -0
package/src/modes/components/history-search.ts +157 -0
package/src/modes/components/hook-editor.ts +101 -0
package/src/modes/components/hook-input.ts +72 -0
package/src/modes/components/hook-message.ts +100 -0
package/src/modes/components/hook-selector.ts +155 -0
package/src/modes/components/index.ts +41 -0
package/src/modes/components/keybinding-hints.ts +65 -0
package/src/modes/components/login-dialog.ts +164 -0
package/src/modes/components/mcp-add-wizard.ts +1295 -0
package/src/modes/components/model-selector.ts +625 -0
package/src/modes/components/oauth-selector.ts +210 -0
package/src/modes/components/plugin-settings.ts +477 -0
package/src/modes/components/python-execution.ts +196 -0
package/src/modes/components/queue-mode-selector.ts +56 -0
package/src/modes/components/read-tool-group.ts +119 -0
package/src/modes/components/session-selector.ts +242 -0
package/src/modes/components/settings-defs.ts +340 -0
package/src/modes/components/settings-selector.ts +529 -0
package/src/modes/components/show-images-selector.ts +45 -0
package/src/modes/components/skill-message.ts +90 -0
package/src/modes/components/status-line/index.ts +4 -0
package/src/modes/components/status-line/presets.ts +94 -0
package/src/modes/components/status-line/segments.ts +352 -0
package/src/modes/components/status-line/separators.ts +55 -0
package/src/modes/components/status-line/types.ts +75 -0
package/src/modes/components/status-line-segment-editor.ts +354 -0
package/src/modes/components/status-line.ts +421 -0
package/src/modes/components/theme-selector.ts +63 -0
package/src/modes/components/thinking-selector.ts +64 -0
package/src/modes/components/todo-display.ts +115 -0
package/src/modes/components/todo-reminder.ts +40 -0
package/src/modes/components/tool-execution.ts +703 -0
package/src/modes/components/tree-selector.ts +904 -0
package/src/modes/components/ttsr-notification.ts +80 -0
package/src/modes/components/user-message-selector.ts +146 -0
package/src/modes/components/user-message.ts +22 -0
package/src/modes/components/visual-truncate.ts +63 -0
package/src/modes/components/welcome.ts +247 -0
package/src/modes/controllers/command-controller.ts +1120 -0
package/src/modes/controllers/event-controller.ts +479 -0
package/src/modes/controllers/extension-ui-controller.ts +778 -0
package/src/modes/controllers/input-controller.ts +671 -0
package/src/modes/controllers/mcp-command-controller.ts +1315 -0
package/src/modes/controllers/selector-controller.ts +712 -0
package/src/modes/controllers/ssh-command-controller.ts +452 -0
package/src/modes/index.ts +15 -0
package/src/modes/interactive-mode.ts +1027 -0
package/src/modes/print-mode.ts +191 -0
package/src/modes/rpc/rpc-client.ts +583 -0
package/src/modes/rpc/rpc-mode.ts +700 -0
package/src/modes/rpc/rpc-types.ts +236 -0
package/src/modes/theme/dark.json +95 -0
package/src/modes/theme/defaults/alabaster.json +93 -0
package/src/modes/theme/defaults/amethyst.json +96 -0
package/src/modes/theme/defaults/anthracite.json +93 -0
package/src/modes/theme/defaults/basalt.json +91 -0
package/src/modes/theme/defaults/birch.json +95 -0
package/src/modes/theme/defaults/dark-abyss.json +91 -0
package/src/modes/theme/defaults/dark-arctic.json +104 -0
package/src/modes/theme/defaults/dark-aurora.json +95 -0
package/src/modes/theme/defaults/dark-catppuccin.json +107 -0
package/src/modes/theme/defaults/dark-cavern.json +91 -0
package/src/modes/theme/defaults/dark-copper.json +95 -0
package/src/modes/theme/defaults/dark-cosmos.json +90 -0
package/src/modes/theme/defaults/dark-cyberpunk.json +102 -0
package/src/modes/theme/defaults/dark-dracula.json +98 -0
package/src/modes/theme/defaults/dark-eclipse.json +91 -0
package/src/modes/theme/defaults/dark-ember.json +95 -0
package/src/modes/theme/defaults/dark-equinox.json +90 -0
package/src/modes/theme/defaults/dark-forest.json +96 -0
package/src/modes/theme/defaults/dark-github.json +105 -0
package/src/modes/theme/defaults/dark-gruvbox.json +112 -0
package/src/modes/theme/defaults/dark-lavender.json +95 -0
package/src/modes/theme/defaults/dark-lunar.json +89 -0
package/src/modes/theme/defaults/dark-midnight.json +95 -0
package/src/modes/theme/defaults/dark-monochrome.json +94 -0
package/src/modes/theme/defaults/dark-monokai.json +98 -0
package/src/modes/theme/defaults/dark-nebula.json +90 -0
package/src/modes/theme/defaults/dark-nord.json +97 -0
package/src/modes/theme/defaults/dark-ocean.json +101 -0
package/src/modes/theme/defaults/dark-one.json +100 -0
package/src/modes/theme/defaults/dark-rainforest.json +91 -0
package/src/modes/theme/defaults/dark-reef.json +91 -0
package/src/modes/theme/defaults/dark-retro.json +92 -0
package/src/modes/theme/defaults/dark-rose-pine.json +96 -0
package/src/modes/theme/defaults/dark-sakura.json +95 -0
package/src/modes/theme/defaults/dark-slate.json +95 -0
package/src/modes/theme/defaults/dark-solarized.json +97 -0
package/src/modes/theme/defaults/dark-solstice.json +90 -0
package/src/modes/theme/defaults/dark-starfall.json +91 -0
package/src/modes/theme/defaults/dark-sunset.json +99 -0
package/src/modes/theme/defaults/dark-swamp.json +90 -0
package/src/modes/theme/defaults/dark-synthwave.json +103 -0
package/src/modes/theme/defaults/dark-taiga.json +91 -0
package/src/modes/theme/defaults/dark-terminal.json +95 -0
package/src/modes/theme/defaults/dark-tokyo-night.json +101 -0
package/src/modes/theme/defaults/dark-tundra.json +91 -0
package/src/modes/theme/defaults/dark-twilight.json +91 -0
package/src/modes/theme/defaults/dark-volcanic.json +91 -0
package/src/modes/theme/defaults/graphite.json +92 -0
package/src/modes/theme/defaults/index.ts +195 -0
package/src/modes/theme/defaults/light-arctic.json +107 -0
package/src/modes/theme/defaults/light-aurora-day.json +91 -0
package/src/modes/theme/defaults/light-canyon.json +91 -0
package/src/modes/theme/defaults/light-catppuccin.json +106 -0
package/src/modes/theme/defaults/light-cirrus.json +90 -0
package/src/modes/theme/defaults/light-coral.json +95 -0
package/src/modes/theme/defaults/light-cyberpunk.json +96 -0
package/src/modes/theme/defaults/light-dawn.json +90 -0
package/src/modes/theme/defaults/light-dunes.json +91 -0
package/src/modes/theme/defaults/light-eucalyptus.json +95 -0
package/src/modes/theme/defaults/light-forest.json +100 -0
package/src/modes/theme/defaults/light-frost.json +95 -0
package/src/modes/theme/defaults/light-github.json +115 -0
package/src/modes/theme/defaults/light-glacier.json +91 -0
package/src/modes/theme/defaults/light-gruvbox.json +108 -0
package/src/modes/theme/defaults/light-haze.json +90 -0
package/src/modes/theme/defaults/light-honeycomb.json +95 -0
package/src/modes/theme/defaults/light-lagoon.json +91 -0
package/src/modes/theme/defaults/light-lavender.json +95 -0
package/src/modes/theme/defaults/light-meadow.json +91 -0
package/src/modes/theme/defaults/light-mint.json +95 -0
package/src/modes/theme/defaults/light-monochrome.json +101 -0
package/src/modes/theme/defaults/light-ocean.json +99 -0
package/src/modes/theme/defaults/light-one.json +99 -0
package/src/modes/theme/defaults/light-opal.json +91 -0
package/src/modes/theme/defaults/light-orchard.json +91 -0
package/src/modes/theme/defaults/light-paper.json +95 -0
package/src/modes/theme/defaults/light-prism.json +90 -0
package/src/modes/theme/defaults/light-retro.json +98 -0
package/src/modes/theme/defaults/light-sand.json +95 -0
package/src/modes/theme/defaults/light-savanna.json +91 -0
package/src/modes/theme/defaults/light-solarized.json +102 -0
package/src/modes/theme/defaults/light-soleil.json +90 -0
package/src/modes/theme/defaults/light-sunset.json +99 -0
package/src/modes/theme/defaults/light-synthwave.json +98 -0
package/src/modes/theme/defaults/light-tokyo-night.json +111 -0
package/src/modes/theme/defaults/light-wetland.json +91 -0
package/src/modes/theme/defaults/light-zenith.json +89 -0
package/src/modes/theme/defaults/limestone.json +94 -0
package/src/modes/theme/defaults/mahogany.json +97 -0
package/src/modes/theme/defaults/marble.json +93 -0
package/src/modes/theme/defaults/obsidian.json +91 -0
package/src/modes/theme/defaults/onyx.json +91 -0
package/src/modes/theme/defaults/pearl.json +93 -0
package/src/modes/theme/defaults/porcelain.json +91 -0
package/src/modes/theme/defaults/quartz.json +96 -0
package/src/modes/theme/defaults/sandstone.json +95 -0
package/src/modes/theme/defaults/titanium.json +90 -0
package/src/modes/theme/light.json +93 -0
package/src/modes/theme/mermaid-cache.ts +111 -0
package/src/modes/theme/theme-schema.json +429 -0
package/src/modes/theme/theme.ts +2333 -0
package/src/modes/types.ts +216 -0
package/src/modes/utils/ui-helpers.ts +529 -0
package/src/patch/applicator.ts +1482 -0
package/src/patch/diff.ts +425 -0
package/src/patch/fuzzy.ts +784 -0
package/src/patch/hashline.ts +972 -0
package/src/patch/index.ts +964 -0
package/src/patch/normalize.ts +397 -0
package/src/patch/normative.ts +72 -0
package/src/patch/parser.ts +532 -0
package/src/patch/shared.ts +400 -0
package/src/patch/types.ts +292 -0
package/src/priority.json +35 -0
package/src/prompts/agents/explore.md +48 -0
package/src/prompts/agents/frontmatter.md +9 -0
package/src/prompts/agents/init.md +36 -0
package/src/prompts/agents/librarian.md +53 -0
package/src/prompts/agents/oracle.md +51 -0
package/src/prompts/agents/reviewer.md +70 -0
package/src/prompts/agents/task.md +14 -0
package/src/prompts/compaction/branch-summary-context.md +5 -0
package/src/prompts/compaction/branch-summary-preamble.md +2 -0
package/src/prompts/compaction/branch-summary.md +30 -0
package/src/prompts/compaction/compaction-short-summary.md +9 -0
package/src/prompts/compaction/compaction-summary-context.md +5 -0
package/src/prompts/compaction/compaction-summary.md +38 -0
package/src/prompts/compaction/compaction-turn-prefix.md +17 -0
package/src/prompts/compaction/compaction-update-summary.md +45 -0
package/src/prompts/memories/consolidation.md +30 -0
package/src/prompts/memories/read_path.md +11 -0
package/src/prompts/memories/stage_one_input.md +6 -0
package/src/prompts/memories/stage_one_system.md +21 -0
package/src/prompts/review-request.md +64 -0
package/src/prompts/system/agent-creation-architect.md +65 -0
package/src/prompts/system/agent-creation-user.md +6 -0
package/src/prompts/system/custom-system-prompt.md +68 -0
package/src/prompts/system/file-operations.md +10 -0
package/src/prompts/system/subagent-submit-reminder.md +11 -0
package/src/prompts/system/subagent-system-prompt.md +31 -0
package/src/prompts/system/subagent-user-prompt.md +8 -0
package/src/prompts/system/summarization-system.md +3 -0
package/src/prompts/system/system-prompt.md +300 -0
package/src/prompts/system/title-system.md +2 -0
package/src/prompts/system/ttsr-interrupt.md +7 -0
package/src/prompts/system/web-search.md +28 -0
package/src/prompts/tools/ask.md +44 -0
package/src/prompts/tools/bash.md +24 -0
package/src/prompts/tools/browser.md +33 -0
package/src/prompts/tools/calculator.md +12 -0
package/src/prompts/tools/explore.md +29 -0
package/src/prompts/tools/fetch.md +16 -0
package/src/prompts/tools/find.md +18 -0
package/src/prompts/tools/gemini-image.md +23 -0
package/src/prompts/tools/grep.md +28 -0
package/src/prompts/tools/hashline.md +232 -0
package/src/prompts/tools/librarian.md +24 -0
package/src/prompts/tools/lsp.md +28 -0
package/src/prompts/tools/oracle.md +26 -0
package/src/prompts/tools/patch.md +74 -0
package/src/prompts/tools/python.md +66 -0
package/src/prompts/tools/read.md +36 -0
package/src/prompts/tools/replace.md +38 -0
package/src/prompts/tools/reviewer.md +41 -0
package/src/prompts/tools/ssh.md +51 -0
package/src/prompts/tools/task-summary.md +28 -0
package/src/prompts/tools/task.md +275 -0
package/src/prompts/tools/todo-write.md +65 -0
package/src/prompts/tools/undo-edit.md +7 -0
package/src/prompts/tools/web-search.md +19 -0
package/src/prompts/tools/write.md +18 -0
package/src/sdk.ts +1287 -0
package/src/secrets/index.ts +116 -0
package/src/secrets/obfuscator.ts +269 -0
package/src/secrets/regex.ts +21 -0
package/src/session/agent-session.ts +4669 -0
package/src/session/agent-storage.ts +621 -0
package/src/session/artifacts.ts +132 -0
package/src/session/auth-storage.ts +1433 -0
package/src/session/blob-store.ts +103 -0
package/src/session/compaction/branch-summarization.ts +315 -0
package/src/session/compaction/compaction.ts +864 -0
package/src/session/compaction/index.ts +7 -0
package/src/session/compaction/pruning.ts +91 -0
package/src/session/compaction/utils.ts +171 -0
package/src/session/history-storage.ts +170 -0
package/src/session/messages.ts +317 -0
package/src/session/session-manager.ts +2276 -0
package/src/session/session-storage.ts +342 -0
package/src/session/streaming-output.ts +565 -0
package/src/slash-commands/builtin-registry.ts +439 -0
package/src/ssh/config-writer.ts +183 -0
package/src/ssh/connection-manager.ts +444 -0
package/src/ssh/ssh-executor.ts +127 -0
package/src/ssh/sshfs-mount.ts +135 -0
package/src/stt/downloader.ts +71 -0
package/src/stt/index.ts +3 -0
package/src/stt/recorder.ts +351 -0
package/src/stt/setup.ts +52 -0
package/src/stt/stt-controller.ts +160 -0
package/src/stt/transcribe.py +70 -0
package/src/stt/transcriber.ts +91 -0
package/src/system-prompt.ts +685 -0
package/src/task/agents.ts +155 -0
package/src/task/batch.ts +102 -0
package/src/task/commands.ts +134 -0
package/src/task/discovery.ts +126 -0
package/src/task/executor.ts +908 -0
package/src/task/index.ts +223 -0
package/src/task/output-manager.ts +107 -0
package/src/task/parallel.ts +84 -0
package/src/task/render.ts +326 -0
package/src/task/subprocess-tool-registry.ts +88 -0
package/src/task/template.ts +32 -0
package/src/task/types.ts +144 -0
package/src/tools/ask.ts +523 -0
package/src/tools/bash-interactive.ts +419 -0
package/src/tools/bash-interceptor.ts +105 -0
package/src/tools/bash-normalize.ts +107 -0
package/src/tools/bash-skill-urls.ts +177 -0
package/src/tools/bash.ts +347 -0
package/src/tools/browser.ts +1374 -0
package/src/tools/calculator.ts +537 -0
package/src/tools/context.ts +39 -0
package/src/tools/explore.ts +23 -0
package/src/tools/fetch.ts +1091 -0
package/src/tools/find.ts +540 -0
package/src/tools/fs-cache-invalidation.ts +28 -0
package/src/tools/gemini-image.ts +907 -0
package/src/tools/grep.ts +489 -0
package/src/tools/index.ts +337 -0
package/src/tools/json-tree.ts +231 -0
package/src/tools/jtd-to-json-schema.ts +247 -0
package/src/tools/jtd-to-typescript.ts +198 -0
package/src/tools/librarian.ts +33 -0
package/src/tools/list-limit.ts +40 -0
package/src/tools/notebook.ts +287 -0
package/src/tools/oracle.ts +40 -0
package/src/tools/output-meta.ts +459 -0
package/src/tools/output-utils.ts +63 -0
package/src/tools/path-utils.ts +116 -0
package/src/tools/puppeteer/00_stealth_tampering.txt +63 -0
package/src/tools/puppeteer/01_stealth_activity.txt +20 -0
package/src/tools/puppeteer/02_stealth_hairline.txt +11 -0
package/src/tools/puppeteer/03_stealth_botd.txt +384 -0
package/src/tools/puppeteer/04_stealth_iframe.txt +81 -0
package/src/tools/puppeteer/05_stealth_webgl.txt +75 -0
package/src/tools/puppeteer/06_stealth_screen.txt +72 -0
package/src/tools/puppeteer/07_stealth_fonts.txt +97 -0
package/src/tools/puppeteer/08_stealth_audio.txt +51 -0
package/src/tools/puppeteer/09_stealth_locale.txt +46 -0
package/src/tools/puppeteer/10_stealth_plugins.txt +206 -0
package/src/tools/puppeteer/11_stealth_hardware.txt +8 -0
package/src/tools/puppeteer/12_stealth_codecs.txt +40 -0
package/src/tools/puppeteer/13_stealth_worker.txt +74 -0
package/src/tools/python.ts +1118 -0
package/src/tools/read.ts +1193 -0
package/src/tools/render-utils.ts +680 -0
package/src/tools/renderers.ts +60 -0
package/src/tools/reviewer-tool.ts +41 -0
package/src/tools/ssh.ts +326 -0
package/src/tools/subagent-tool.ts +169 -0
package/src/tools/submit-result.ts +152 -0
package/src/tools/todo-write.ts +255 -0
package/src/tools/tool-errors.ts +92 -0
package/src/tools/tool-result.ts +86 -0
package/src/tools/undo-edit.ts +145 -0
package/src/tools/undo-history.ts +22 -0
package/src/tools/write.ts +274 -0
package/src/tui/code-cell.ts +108 -0
package/src/tui/file-list.ts +47 -0
package/src/tui/index.ts +11 -0
package/src/tui/output-block.ts +144 -0
package/src/tui/status-line.ts +39 -0
package/src/tui/tree-list.ts +53 -0
package/src/tui/types.ts +16 -0
package/src/tui/utils.ts +116 -0
package/src/utils/changelog.ts +98 -0
package/src/utils/event-bus.ts +33 -0
package/src/utils/external-editor.ts +59 -0
package/src/utils/file-display-mode.ts +36 -0
package/src/utils/file-mentions.ts +384 -0
package/src/utils/frontmatter.ts +101 -0
package/src/utils/fuzzy.ts +108 -0
package/src/utils/ignore-files.ts +119 -0
package/src/utils/image-convert.ts +27 -0
package/src/utils/image-resize.ts +236 -0
package/src/utils/mime.ts +30 -0
package/src/utils/open.ts +20 -0
package/src/utils/shell-snapshot.ts +199 -0
package/src/utils/timings.ts +26 -0
package/src/utils/title-generator.ts +167 -0
package/src/utils/tools-manager.ts +362 -0
package/src/web/scrapers/artifacthub.ts +215 -0
package/src/web/scrapers/arxiv.ts +88 -0
package/src/web/scrapers/aur.ts +175 -0
package/src/web/scrapers/biorxiv.ts +141 -0
package/src/web/scrapers/bluesky.ts +284 -0
package/src/web/scrapers/brew.ts +177 -0
package/src/web/scrapers/cheatsh.ts +78 -0
package/src/web/scrapers/chocolatey.ts +158 -0
package/src/web/scrapers/choosealicense.ts +110 -0
package/src/web/scrapers/cisa-kev.ts +100 -0
package/src/web/scrapers/clojars.ts +180 -0
package/src/web/scrapers/coingecko.ts +184 -0
package/src/web/scrapers/crates-io.ts +128 -0
package/src/web/scrapers/crossref.ts +149 -0
package/src/web/scrapers/devto.ts +177 -0
package/src/web/scrapers/discogs.ts +307 -0
package/src/web/scrapers/discourse.ts +221 -0
package/src/web/scrapers/dockerhub.ts +160 -0
package/src/web/scrapers/fdroid.ts +158 -0
package/src/web/scrapers/firefox-addons.ts +214 -0
package/src/web/scrapers/flathub.ts +239 -0
package/src/web/scrapers/github-gist.ts +68 -0
package/src/web/scrapers/github.ts +490 -0
package/src/web/scrapers/gitlab.ts +456 -0
package/src/web/scrapers/go-pkg.ts +275 -0
package/src/web/scrapers/hackage.ts +94 -0
package/src/web/scrapers/hackernews.ts +208 -0
package/src/web/scrapers/hex.ts +121 -0
package/src/web/scrapers/huggingface.ts +385 -0
package/src/web/scrapers/iacr.ts +86 -0
package/src/web/scrapers/index.ts +249 -0
package/src/web/scrapers/jetbrains-marketplace.ts +169 -0
package/src/web/scrapers/lemmy.ts +220 -0
package/src/web/scrapers/lobsters.ts +186 -0
package/src/web/scrapers/mastodon.ts +310 -0
package/src/web/scrapers/maven.ts +152 -0
package/src/web/scrapers/mdn.ts +172 -0
package/src/web/scrapers/metacpan.ts +253 -0
package/src/web/scrapers/musicbrainz.ts +272 -0
package/src/web/scrapers/npm.ts +114 -0
package/src/web/scrapers/nuget.ts +205 -0
package/src/web/scrapers/nvd.ts +243 -0
package/src/web/scrapers/ollama.ts +265 -0
package/src/web/scrapers/open-vsx.ts +119 -0
package/src/web/scrapers/opencorporates.ts +275 -0
package/src/web/scrapers/openlibrary.ts +319 -0
package/src/web/scrapers/orcid.ts +298 -0
package/src/web/scrapers/osv.ts +192 -0
package/src/web/scrapers/packagist.ts +174 -0
package/src/web/scrapers/pub-dev.ts +185 -0
package/src/web/scrapers/pubmed.ts +177 -0
package/src/web/scrapers/pypi.ts +129 -0
package/src/web/scrapers/rawg.ts +124 -0
package/src/web/scrapers/readthedocs.ts +125 -0
package/src/web/scrapers/reddit.ts +104 -0
package/src/web/scrapers/repology.ts +262 -0
package/src/web/scrapers/rfc.ts +209 -0
package/src/web/scrapers/rubygems.ts +117 -0
package/src/web/scrapers/searchcode.ts +217 -0
package/src/web/scrapers/sec-edgar.ts +274 -0
package/src/web/scrapers/semantic-scholar.ts +190 -0
package/src/web/scrapers/snapcraft.ts +200 -0
package/src/web/scrapers/sourcegraph.ts +373 -0
package/src/web/scrapers/spdx.ts +121 -0
package/src/web/scrapers/spotify.ts +217 -0
package/src/web/scrapers/stackoverflow.ts +124 -0
package/src/web/scrapers/terraform.ts +304 -0
package/src/web/scrapers/tldr.ts +51 -0
package/src/web/scrapers/twitter.ts +97 -0
package/src/web/scrapers/types.ts +200 -0
package/src/web/scrapers/utils.ts +142 -0
package/src/web/scrapers/vimeo.ts +152 -0
package/src/web/scrapers/vscode-marketplace.ts +195 -0
package/src/web/scrapers/w3c.ts +163 -0
package/src/web/scrapers/wikidata.ts +357 -0
package/src/web/scrapers/wikipedia.ts +95 -0
package/src/web/scrapers/youtube.ts +312 -0
package/src/web/search/auth.ts +178 -0
package/src/web/search/index.ts +598 -0
package/src/web/search/provider.ts +77 -0
package/src/web/search/providers/anthropic.ts +284 -0
package/src/web/search/providers/base.ts +22 -0
package/src/web/search/providers/brave.ts +165 -0
package/src/web/search/providers/codex.ts +377 -0
package/src/web/search/providers/exa.ts +158 -0
package/src/web/search/providers/gemini.ts +437 -0
package/src/web/search/providers/jina.ts +99 -0
package/src/web/search/providers/kimi.ts +196 -0
package/src/web/search/providers/perplexity.ts +546 -0
package/src/web/search/providers/synthetic.ts +136 -0
package/src/web/search/providers/zai.ts +352 -0
package/src/web/search/render.ts +299 -0
package/src/web/search/types.ts +437 -0

package/src/session/auth-storage.ts ADDED Viewed

@@ -0,0 +1,1433 @@
+/**
+ * Credential storage for API keys and OAuth tokens.
+ * Handles loading, saving, and refreshing credentials from agent.db.
+ */
+import {
+	antigravityUsageProvider,
+	claudeUsageProvider,
+	getEnvApiKey,
+	getOAuthApiKey,
+	getOAuthProvider,
+	githubCopilotUsageProvider,
+	googleGeminiCliUsageProvider,
+	kimiUsageProvider,
+	loginAnthropic,
+	loginAntigravity,
+	loginCerebras,
+	loginCloudflareAiGateway,
+	loginCursor,
+	loginGeminiCli,
+	loginGitHubCopilot,
+	loginHuggingface,
+	loginKimi,
+	loginLiteLLM,
+	loginMiniMaxCode,
+	loginMiniMaxCodeCn,
+	loginMoonshot,
+	loginNanoGPT,
+	loginNvidia,
+	loginOllama,
+	loginOpenAICodex,
+	loginOpenCode,
+	loginPerplexity,
+	loginQianfan,
+	loginQwenPortal,
+	loginSynthetic,
+	loginTogether,
+	loginVenice,
+	loginVllm,
+	loginXiaomi,
+	loginZai,
+	type OAuthController,
+	type OAuthCredentials,
+	type OAuthProvider,
+	type OAuthProviderId,
+	openaiCodexUsageProvider,
+	type Provider,
+	type UsageCache,
+	type UsageCacheEntry,
+	type UsageCredential,
+	type UsageLimit,
+	type UsageLogger,
+	type UsageProvider,
+	type UsageReport,
+	zaiUsageProvider,
+} from "@nghyane/arcane-ai";
+import { logger } from "@nghyane/arcane-utils";
+import { resolveConfigValue } from "../config/resolve-config-value";
+import { AgentStorage } from "./agent-storage";
+export type ApiKeyCredential = {
+	type: "api_key";
+	key: string;
+};
+export type OAuthCredential = {
+	type: "oauth";
+} & OAuthCredentials;
+export type AuthCredential = ApiKeyCredential | OAuthCredential;
+export type AuthCredentialEntry = AuthCredential | AuthCredential[];
+export type AuthStorageData = Record<string, AuthCredentialEntry>;
+/**
+ * Serialized representation of AuthStorage for passing to subagent workers.
+ * Contains only the essential credential data, not runtime state.
+ */
+export interface SerializedAuthStorage {
+	credentials: Record<
+		string,
+		Array<{
+			id: number;
+			type: "api_key" | "oauth";
+			data: Record<string, unknown>;
+		}>
+	>;
+	runtimeOverrides?: Record<string, string>;
+	dbPath?: string;
+}
+/**
+ * In-memory representation pairing DB row ID with credential.
+ * The ID is required for update/delete operations against agent.db.
+ */
+type StoredCredential = { id: number; credential: AuthCredential };
+export type AuthStorageOptions = {
+	usageProviderResolver?: (provider: Provider) => UsageProvider | undefined;
+	usageCache?: UsageCache;
+	usageFetch?: typeof fetch;
+	usageNow?: () => number;
+	usageLogger?: UsageLogger;
+};
+const DEFAULT_USAGE_PROVIDERS: UsageProvider[] = [
+	openaiCodexUsageProvider,
+	kimiUsageProvider,
+	antigravityUsageProvider,
+	googleGeminiCliUsageProvider,
+	claudeUsageProvider,
+	zaiUsageProvider,
+	githubCopilotUsageProvider,
+];
+const DEFAULT_USAGE_PROVIDER_MAP = new Map<Provider, UsageProvider>(
+	DEFAULT_USAGE_PROVIDERS.map(provider => [provider.id, provider]),
+);
+const USAGE_CACHE_PREFIX = "usage_cache:";
+function resolveDefaultUsageProvider(provider: Provider): UsageProvider | undefined {
+	return DEFAULT_USAGE_PROVIDER_MAP.get(provider);
+}
+function parseUsageCacheEntry(raw: string): UsageCacheEntry | undefined {
+	try {
+		const parsed = JSON.parse(raw) as { value?: UsageReport | null; expiresAt?: unknown };
+		const expiresAt = typeof parsed.expiresAt === "number" ? parsed.expiresAt : undefined;
+		if (!expiresAt || !Number.isFinite(expiresAt)) return undefined;
+		return { value: parsed.value ?? null, expiresAt };
+	} catch {
+		return undefined;
+	}
+}
+class AuthStorageUsageCache implements UsageCache {
+	constructor(private storage: AgentStorage) {}
+	get(key: string): UsageCacheEntry | undefined {
+		const raw = this.storage.getCache(`${USAGE_CACHE_PREFIX}${key}`);
+		if (!raw) return undefined;
+		const entry = parseUsageCacheEntry(raw);
+		if (!entry) return undefined;
+		if (entry.expiresAt <= Date.now()) return undefined;
+		return entry;
+	}
+	set(key: string, entry: UsageCacheEntry): void {
+		const payload = JSON.stringify({ value: entry.value ?? null, expiresAt: entry.expiresAt });
+		this.storage.setCache(`${USAGE_CACHE_PREFIX}${key}`, payload, Math.floor(entry.expiresAt / 1000));
+	}
+	cleanup(): void {
+		this.storage.cleanExpiredCache();
+	}
+}
+/**
+ * Credential storage backed by agent.db.
+ * Reads from SQLite (agent.db).
+ */
+export class AuthStorage {
+	static readonly #defaultBackoffMs = 60_000; // Default backoff when no reset time available
+	/** Provider -> credentials cache, populated from agent.db on reload(). */
+	#data: Map<string, StoredCredential[]> = new Map();
+	#runtimeOverrides: Map<string, string> = new Map();
+	/** Tracks next credential index per provider:type key for round-robin distribution (non-session use). */
+	#providerRoundRobinIndex: Map<string, number> = new Map();
+	/** Tracks the last used credential per provider for a session (used for rate-limit switching). */
+	#sessionLastCredential: Map<string, Map<string, { type: AuthCredential["type"]; index: number }>> = new Map();
+	/** Maps provider:type -> credentialIndex -> blockedUntilMs for temporary backoff. */
+	#credentialBackoff: Map<string, Map<number, number>> = new Map();
+	#usageProviderResolver?: (provider: Provider) => UsageProvider | undefined;
+	#usageCache?: UsageCache;
+	#usageFetch: typeof fetch;
+	#usageNow: () => number;
+	#usageLogger?: UsageLogger;
+	#fallbackResolver?: (provider: string) => string | undefined;
+	private constructor(
+		private storage: AgentStorage,
+		options: AuthStorageOptions = {},
+	) {
+		this.#usageProviderResolver = options.usageProviderResolver ?? resolveDefaultUsageProvider;
+		this.#usageCache = options.usageCache ?? new AuthStorageUsageCache(this.storage);
+		this.#usageFetch = options.usageFetch ?? fetch;
+		this.#usageNow = options.usageNow ?? Date.now;
+		this.#usageLogger =
+			options.usageLogger ??
+			({
+				debug: (message, meta) => logger.debug(message, meta),
+				warn: (message, meta) => logger.warn(message, meta),
+			} satisfies UsageLogger);
+	}
+	/**
+	 * Create an AuthStorage instance.
+	 * @param dbPath - Path to agent.db
+	 */
+	static async create(dbPath: string, options: AuthStorageOptions = {}): Promise<AuthStorage> {
+		const storage = await AgentStorage.open(dbPath);
+		return new AuthStorage(storage, options);
+	}
+	/**
+	 * Set a runtime API key override (not persisted to disk).
+	 * Used for CLI --api-key flag.
+	 */
+	setRuntimeApiKey(provider: string, apiKey: string): void {
+		this.#runtimeOverrides.set(provider, apiKey);
+	}
+	/**
+	 * Remove a runtime API key override.
+	 */
+	removeRuntimeApiKey(provider: string): void {
+		this.#runtimeOverrides.delete(provider);
+	}
+	/**
+	 * Set a fallback resolver for API keys not found in agent.db or env vars.
+	 * Used for custom provider keys from models.json.
+	 */
+	setFallbackResolver(resolver: (provider: string) => string | undefined): void {
+		this.#fallbackResolver = resolver;
+	}
+	/**
+	 * Reload credentials from agent.db.
+	 * Reloads credentials from the database.
+	 */
+	async reload(): Promise<void> {
+		const records = this.storage.listAuthCredentials();
+		const grouped = new Map<string, StoredCredential[]>();
+		for (const record of records) {
+			const list = grouped.get(record.provider) ?? [];
+			list.push({ id: record.id, credential: record.credential });
+			grouped.set(record.provider, list);
+		}
+		const dedupedGrouped = new Map<string, StoredCredential[]>();
+		for (const [provider, entries] of grouped.entries()) {
+			const deduped = this.#pruneDuplicateStoredCredentials(provider, entries);
+			if (deduped.length > 0) {
+				dedupedGrouped.set(provider, deduped);
+			}
+		}
+		this.#data = dedupedGrouped;
+	}
+	/**
+	 * Gets cached credentials for a provider.
+	 * @param provider - Provider name (e.g., "anthropic", "openai")
+	 * @returns Array of stored credentials, empty if none exist
+	 */
+	#getStoredCredentials(provider: string): StoredCredential[] {
+		return this.#data.get(provider) ?? [];
+	}
+	/**
+	 * Updates in-memory credential cache for a provider.
+	 * Removes the provider entry entirely if credentials array is empty.
+	 * @param provider - Provider name (e.g., "anthropic", "openai")
+	 * @param credentials - Array of stored credentials to cache
+	 */
+	#setStoredCredentials(provider: string, credentials: StoredCredential[]): void {
+		if (credentials.length === 0) {
+			this.#data.delete(provider);
+		} else {
+			this.#data.set(provider, credentials);
+		}
+	}
+	#getOAuthIdentifiers(credential: OAuthCredential): string[] {
+		const identifiers: string[] = [];
+		const accountId = credential.accountId?.trim();
+		if (accountId) identifiers.push(`account:${accountId}`);
+		const email = credential.email?.trim().toLowerCase();
+		if (email) identifiers.push(`email:${email}`);
+		if (identifiers.length > 0) return identifiers;
+		const tokenIdentifiers = this.#getOAuthIdentifiersFromToken(credential.access) ?? [];
+		for (const identifier of tokenIdentifiers) {
+			identifiers.push(identifier);
+		}
+		if (identifiers.length > 0) return identifiers;
+		const refreshIdentifiers = this.#getOAuthIdentifiersFromToken(credential.refresh) ?? [];
+		for (const identifier of refreshIdentifiers) {
+			identifiers.push(identifier);
+		}
+		return identifiers;
+	}
+	#getOAuthIdentifiersFromToken(token: string | undefined): string[] | undefined {
+		if (!token) return undefined;
+		const parts = token.split(".");
+		if (parts.length !== 3) return undefined;
+		const payloadRaw = parts[1];
+		const decoder = new TextDecoder("utf-8");
+		try {
+			const payload = JSON.parse(
+				decoder.decode(Uint8Array.fromBase64(payloadRaw, { alphabet: "base64url" })),
+			) as Record<string, unknown>;
+			if (!payload || typeof payload !== "object") return undefined;
+			const identifiers: string[] = [];
+			const email = typeof payload.email === "string" ? payload.email.trim().toLowerCase() : undefined;
+			if (email) identifiers.push(`email:${email}`);
+			const accountId =
+				typeof payload.account_id === "string"
+					? payload.account_id
+					: typeof payload.accountId === "string"
+						? payload.accountId
+						: typeof payload.user_id === "string"
+							? payload.user_id
+							: typeof payload.sub === "string"
+								? payload.sub
+								: undefined;
+			const trimmedAccountId = accountId?.trim();
+			if (trimmedAccountId) identifiers.push(`account:${trimmedAccountId}`);
+			return identifiers.length > 0 ? identifiers : undefined;
+		} catch {
+			return undefined;
+		}
+	}
+	#dedupeOAuthCredentials(credentials: AuthCredential[]): AuthCredential[] {
+		const seen = new Set<string>();
+		const deduped: AuthCredential[] = [];
+		for (let index = credentials.length - 1; index >= 0; index -= 1) {
+			const credential = credentials[index];
+			if (credential.type !== "oauth") {
+				deduped.push(credential);
+				continue;
+			}
+			const identifiers = this.#getOAuthIdentifiers(credential);
+			if (identifiers.length === 0) {
+				deduped.push(credential);
+				continue;
+			}
+			if (identifiers.some(identifier => seen.has(identifier))) {
+				continue;
+			}
+			for (const identifier of identifiers) {
+				seen.add(identifier);
+			}
+			deduped.push(credential);
+		}
+		return deduped.reverse();
+	}
+	#pruneDuplicateStoredCredentials(provider: string, entries: StoredCredential[]): StoredCredential[] {
+		const seen = new Set<string>();
+		const kept: StoredCredential[] = [];
+		const removed: StoredCredential[] = [];
+		for (let index = entries.length - 1; index >= 0; index -= 1) {
+			const entry = entries[index];
+			const credential = entry.credential;
+			if (credential.type !== "oauth") {
+				kept.push(entry);
+				continue;
+			}
+			const identifiers = this.#getOAuthIdentifiers(credential);
+			if (identifiers.length === 0) {
+				kept.push(entry);
+				continue;
+			}
+			if (identifiers.some(identifier => seen.has(identifier))) {
+				removed.push(entry);
+				continue;
+			}
+			for (const identifier of identifiers) {
+				seen.add(identifier);
+			}
+			kept.push(entry);
+		}
+		if (removed.length > 0) {
+			for (const entry of removed) {
+				this.storage.deleteAuthCredential(entry.id);
+			}
+			this.#resetProviderAssignments(provider);
+		}
+		return kept.reverse();
+	}
+	/** Returns all credentials for a provider as an array */
+	#getCredentialsForProvider(provider: string): AuthCredential[] {
+		return this.#getStoredCredentials(provider).map(entry => entry.credential);
+	}
+	/** Composite key for round-robin tracking: "anthropic:oauth" or "openai:api_key" */
+	#getProviderTypeKey(provider: string, type: AuthCredential["type"]): string {
+		return `${provider}:${type}`;
+	}
+	/**
+	 * Returns next index in round-robin sequence for load distribution.
+	 * Increments stored counter and wraps at total.
+	 */
+	#getNextRoundRobinIndex(providerKey: string, total: number): number {
+		if (total <= 1) return 0;
+		const current = this.#providerRoundRobinIndex.get(providerKey) ?? -1;
+		const next = (current + 1) % total;
+		this.#providerRoundRobinIndex.set(providerKey, next);
+		return next;
+	}
+	/**
+	 * FNV-1a hash for deterministic session-to-credential mapping.
+	 * Ensures the same session always starts with the same credential.
+	 */
+	#getHashedIndex(sessionId: string, total: number): number {
+		if (total <= 1) return 0;
+		let hash = 2166136261; // FNV offset basis
+		for (let i = 0; i < sessionId.length; i++) {
+			hash ^= sessionId.charCodeAt(i);
+			hash = Math.imul(hash, 16777619); // FNV prime
+		}
+		return (hash >>> 0) % total;
+	}
+	/**
+	 * Returns credential indices in priority order for selection.
+	 * With sessionId: starts from hashed index (consistent per session).
+	 * Without sessionId: starts from round-robin index (load balancing).
+	 * Order wraps around so all credentials are tried if earlier ones are blocked.
+	 */
+	#getCredentialOrder(providerKey: string, sessionId: string | undefined, total: number): number[] {
+		if (total <= 1) return [0];
+		const start = sessionId
+			? this.#getHashedIndex(sessionId, total)
+			: this.#getNextRoundRobinIndex(providerKey, total);
+		const order: number[] = [];
+		for (let i = 0; i < total; i++) {
+			order.push((start + i) % total);
+		}
+		return order;
+	}
+	/** Checks if a credential is temporarily blocked due to usage limits. */
+	#isCredentialBlocked(providerKey: string, credentialIndex: number): boolean {
+		const backoffMap = this.#credentialBackoff.get(providerKey);
+		if (!backoffMap) return false;
+		const blockedUntil = backoffMap.get(credentialIndex);
+		if (!blockedUntil) return false;
+		if (blockedUntil <= Date.now()) {
+			backoffMap.delete(credentialIndex);
+			if (backoffMap.size === 0) {
+				this.#credentialBackoff.delete(providerKey);
+			}
+			return false;
+		}
+		return true;
+	}
+	/** Marks a credential as blocked until the specified time. */
+	#markCredentialBlocked(providerKey: string, credentialIndex: number, blockedUntilMs: number): void {
+		const backoffMap = this.#credentialBackoff.get(providerKey) ?? new Map<number, number>();
+		const existing = backoffMap.get(credentialIndex) ?? 0;
+		backoffMap.set(credentialIndex, Math.max(existing, blockedUntilMs));
+		this.#credentialBackoff.set(providerKey, backoffMap);
+	}
+	/** Records which credential was used for a session (for rate-limit switching). */
+	#recordSessionCredential(
+		provider: string,
+		sessionId: string | undefined,
+		type: AuthCredential["type"],
+		index: number,
+	): void {
+		if (!sessionId) return;
+		const sessionMap = this.#sessionLastCredential.get(provider) ?? new Map();
+		sessionMap.set(sessionId, { type, index });
+		this.#sessionLastCredential.set(provider, sessionMap);
+	}
+	/** Retrieves the last credential used by a session. */
+	#getSessionCredential(
+		provider: string,
+		sessionId: string | undefined,
+	): { type: AuthCredential["type"]; index: number } | undefined {
+		if (!sessionId) return undefined;
+		return this.#sessionLastCredential.get(provider)?.get(sessionId);
+	}
+	/**
+	 * Selects a credential of the specified type for a provider.
+	 * Returns both the credential and its index in the original array (for updates/removal).
+	 * Uses deterministic hashing for session stickiness and skips blocked credentials when possible.
+	 */
+	#selectCredentialByType<T extends AuthCredential["type"]>(
+		provider: string,
+		type: T,
+		sessionId?: string,
+	): { credential: Extract<AuthCredential, { type: T }>; index: number } | undefined {
+		const credentials = this.#getCredentialsForProvider(provider)
+			.map((credential, index) => ({ credential, index }))
+			.filter(
+				(entry): entry is { credential: Extract<AuthCredential, { type: T }>; index: number } =>
+					entry.credential.type === type,
+			);
+		if (credentials.length === 0) return undefined;
+		if (credentials.length === 1) return credentials[0];
+		const providerKey = this.#getProviderTypeKey(provider, type);
+		const order = this.#getCredentialOrder(providerKey, sessionId, credentials.length);
+		const fallback = credentials[order[0]];
+		for (const idx of order) {
+			const candidate = credentials[idx];
+			if (!this.#isCredentialBlocked(providerKey, candidate.index)) {
+				return candidate;
+			}
+		}
+		return fallback;
+	}
+	/**
+	 * Clears round-robin and session assignment state for a provider.
+	 * Called when credentials are added/removed to prevent stale index references.
+	 */
+	#resetProviderAssignments(provider: string): void {
+		for (const key of this.#providerRoundRobinIndex.keys()) {
+			if (key.startsWith(`${provider}:`)) {
+				this.#providerRoundRobinIndex.delete(key);
+			}
+		}
+		this.#sessionLastCredential.delete(provider);
+		for (const key of this.#credentialBackoff.keys()) {
+			if (key.startsWith(`${provider}:`)) {
+				this.#credentialBackoff.delete(key);
+			}
+		}
+	}
+	/** Updates credential at index in-place (used for OAuth token refresh) */
+	#replaceCredentialAt(provider: string, index: number, credential: AuthCredential): void {
+		const entries = this.#getStoredCredentials(provider);
+		if (index < 0 || index >= entries.length) return;
+		const target = entries[index];
+		this.storage.updateAuthCredential(target.id, credential);
+		const updated = [...entries];
+		updated[index] = { id: target.id, credential };
+		this.#setStoredCredentials(provider, updated);
+	}
+	/**
+	 * Disables credential at index (used when OAuth refresh fails).
+	 * The credential remains in the database but is excluded from active queries.
+	 * Cleans up provider entry if last credential disabled.
+	 */
+	#removeCredentialAt(provider: string, index: number): void {
+		const entries = this.#getStoredCredentials(provider);
+		if (index < 0 || index >= entries.length) return;
+		this.storage.disableAuthCredential(entries[index].id);
+		const updated = entries.filter((_value, idx) => idx !== index);
+		this.#setStoredCredentials(provider, updated);
+		this.#resetProviderAssignments(provider);
+	}
+	/**
+	 * Get credential for a provider (first entry if multiple).
+	 */
+	get(provider: string): AuthCredential | undefined {
+		return this.#getCredentialsForProvider(provider)[0];
+	}
+	/**
+	 * Set credential for a provider.
+	 */
+	async set(provider: string, credential: AuthCredentialEntry): Promise<void> {
+		const normalized = Array.isArray(credential) ? credential : [credential];
+		const deduped = this.#dedupeOAuthCredentials(normalized);
+		const stored = this.storage.replaceAuthCredentialsForProvider(provider, deduped);
+		this.#setStoredCredentials(
+			provider,
+			stored.map(record => ({ id: record.id, credential: record.credential })),
+		);
+		this.#resetProviderAssignments(provider);
+	}
+	/**
+	 * Remove credential for a provider.
+	 */
+	async remove(provider: string): Promise<void> {
+		this.storage.deleteAuthCredentialsForProvider(provider);
+		this.#data.delete(provider);
+		this.#resetProviderAssignments(provider);
+	}
+	/**
+	 * List all providers with credentials.
+	 */
+	list(): string[] {
+		return [...this.#data.keys()];
+	}
+	/**
+	 * Check if credentials exist for a provider in agent.db.
+	 */
+	has(provider: string): boolean {
+		return this.#getCredentialsForProvider(provider).length > 0;
+	}
+	/**
+	 * Check if any form of auth is configured for a provider.
+	 * Unlike getApiKey(), this doesn't refresh OAuth tokens.
+	 */
+	hasAuth(provider: string): boolean {
+		if (this.#runtimeOverrides.has(provider)) return true;
+		if (this.#getCredentialsForProvider(provider).length > 0) return true;
+		if (getEnvApiKey(provider)) return true;
+		if (this.#fallbackResolver?.(provider)) return true;
+		return false;
+	}
+	/**
+	 * Check if OAuth credentials are configured for a provider.
+	 */
+	hasOAuth(provider: string): boolean {
+		return this.#getCredentialsForProvider(provider).some(credential => credential.type === "oauth");
+	}
+	/**
+	 * Get OAuth credentials for a provider.
+	 */
+	getOAuthCredential(provider: string): OAuthCredential | undefined {
+		return this.#getCredentialsForProvider(provider).find(
+			(credential): credential is OAuthCredential => credential.type === "oauth",
+		);
+	}
+	/**
+	 * Get all credentials.
+	 */
+	getAll(): AuthStorageData {
+		const result: AuthStorageData = {};
+		for (const [provider, entries] of this.#data.entries()) {
+			const credentials = entries.map(entry => entry.credential);
+			if (credentials.length === 1) {
+				result[provider] = credentials[0];
+			} else if (credentials.length > 1) {
+				result[provider] = credentials;
+			}
+		}
+		return result;
+	}
+	/**
+	 * Login to an OAuth provider.
+	 */
+	async login(
+		provider: OAuthProviderId,
+		ctrl: OAuthController & {
+			/** onAuth is required by auth-storage but optional in OAuthController */
+			onAuth: (info: { url: string; instructions?: string }) => void;
+			/** onPrompt is required for some providers (github-copilot, openai-codex) */
+			onPrompt: (prompt: { message: string; placeholder?: string }) => Promise<string>;
+		},
+	): Promise<void> {
+		let credentials: OAuthCredentials;
+		const saveApiKeyCredential = async (apiKey: string): Promise<void> => {
+			const newCredential: ApiKeyCredential = { type: "api_key", key: apiKey };
+			const existing = this.#getCredentialsForProvider(provider);
+			if (existing.length === 0) {
+				await this.set(provider, newCredential);
+				return;
+			}
+			await this.set(provider, [...existing, newCredential]);
+		};
+		switch (provider) {
+			case "anthropic":
+				credentials = await loginAnthropic({
+					...ctrl,
+					onManualCodeInput: async () =>
+						ctrl.onPrompt({ message: "Paste the authorization code (or full redirect URL):" }),
+				});
+				break;
+			case "github-copilot":
+				credentials = await loginGitHubCopilot({
+					onAuth: (url, instructions) => ctrl.onAuth({ url, instructions }),
+					onPrompt: ctrl.onPrompt,
+					onProgress: ctrl.onProgress,
+					signal: ctrl.signal,
+				});
+				break;
+			case "google-gemini-cli":
+				credentials = await loginGeminiCli(ctrl);
+				break;
+			case "google-antigravity":
+				credentials = await loginAntigravity(ctrl);
+				break;
+			case "openai-codex":
+				credentials = await loginOpenAICodex(ctrl);
+				break;
+			case "kimi-code":
+				credentials = await loginKimi(ctrl);
+				break;
+			case "cursor":
+				credentials = await loginCursor(
+					url => ctrl.onAuth({ url }),
+					ctrl.onProgress ? () => ctrl.onProgress?.("Waiting for browser authentication...") : undefined,
+				);
+				break;
+			case "perplexity":
+				credentials = await loginPerplexity(ctrl);
+				break;
+			case "huggingface": {
+				const apiKey = await loginHuggingface(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "opencode": {
+				const apiKey = await loginOpenCode(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "ollama": {
+				const apiKey = await loginOllama(ctrl);
+				if (!apiKey) {
+					return;
+				}
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "cerebras": {
+				const apiKey = await loginCerebras(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "zai": {
+				const apiKey = await loginZai(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "qianfan": {
+				const apiKey = await loginQianfan(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "minimax-code": {
+				const apiKey = await loginMiniMaxCode(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "minimax-code-cn": {
+				const apiKey = await loginMiniMaxCodeCn(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "synthetic": {
+				const apiKey = await loginSynthetic(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "venice": {
+				const apiKey = await loginVenice(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "litellm": {
+				const apiKey = await loginLiteLLM(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "moonshot": {
+				const apiKey = await loginMoonshot(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "nanogpt": {
+				const apiKey = await loginNanoGPT(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "together": {
+				const apiKey = await loginTogether(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "cloudflare-ai-gateway": {
+				const apiKey = await loginCloudflareAiGateway(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "vllm": {
+				const apiKey = await loginVllm(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "qwen-portal": {
+				const apiKey = await loginQwenPortal(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "nvidia": {
+				const apiKey = await loginNvidia(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			case "xiaomi": {
+				const apiKey = await loginXiaomi(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
+			default: {
+				const customProvider = getOAuthProvider(provider);
+				if (!customProvider) {
+					throw new Error(`Unknown OAuth provider: ${provider}`);
+				}
+				const customLoginResult = await customProvider.login({
+					onAuth: info => ctrl.onAuth(info),
+					onProgress: ctrl.onProgress,
+					onPrompt: ctrl.onPrompt,
+					onManualCodeInput: async () =>
+						ctrl.onPrompt({ message: "Paste the authorization code (or full redirect URL):" }),
+					signal: ctrl.signal,
+				});
+				if (typeof customLoginResult === "string") {
+					await saveApiKeyCredential(customLoginResult);
+					return;
+				}
+				credentials = customLoginResult;
+				break;
+			}
+		}
+		const newCredential: OAuthCredential = { type: "oauth", ...credentials };
+		const existing = this.#getCredentialsForProvider(provider);
+		if (existing.length === 0) {
+			await this.set(provider, newCredential);
+			return;
+		}
+		await this.set(provider, [...existing, newCredential]);
+	}
+	/**
+	 * Logout from a provider.
+	 */
+	async logout(provider: string): Promise<void> {
+		await this.remove(provider);
+	}
+	// ─────────────────────────────────────────────────────────────────────────────
+	// Usage API Integration
+	// Queries provider usage endpoints to detect rate limits before they occur.
+	// ─────────────────────────────────────────────────────────────────────────────
+	#buildUsageCredential(credential: OAuthCredential): UsageCredential {
+		return {
+			type: "oauth",
+			accessToken: credential.access,
+			refreshToken: credential.refresh,
+			expiresAt: credential.expires,
+			accountId: credential.accountId,
+			projectId: credential.projectId,
+			email: credential.email,
+			enterpriseUrl: credential.enterpriseUrl,
+		};
+	}
+	#getUsageReportMetadataValue(report: UsageReport, key: string): string | undefined {
+		const metadata = report.metadata;
+		if (!metadata || typeof metadata !== "object") return undefined;
+		const value = metadata[key];
+		return typeof value === "string" ? value.trim() : undefined;
+	}
+	#getUsageReportScopeAccountId(report: UsageReport): string | undefined {
+		const ids = new Set<string>();
+		for (const limit of report.limits) {
+			const accountId = limit.scope.accountId?.trim();
+			if (accountId) ids.add(accountId);
+		}
+		if (ids.size === 1) return [...ids][0];
+		return undefined;
+	}
+	#getUsageReportIdentifiers(report: UsageReport): string[] {
+		const identifiers: string[] = [];
+		const email = this.#getUsageReportMetadataValue(report, "email");
+		if (email) identifiers.push(`email:${email.toLowerCase()}`);
+		const accountId = this.#getUsageReportMetadataValue(report, "accountId");
+		if (accountId) identifiers.push(`account:${accountId}`);
+		const account = this.#getUsageReportMetadataValue(report, "account");
+		if (account) identifiers.push(`account:${account}`);
+		const user = this.#getUsageReportMetadataValue(report, "user");
+		if (user) identifiers.push(`account:${user}`);
+		const username = this.#getUsageReportMetadataValue(report, "username");
+		if (username) identifiers.push(`account:${username}`);
+		const scopeAccountId = this.#getUsageReportScopeAccountId(report);
+		if (scopeAccountId) identifiers.push(`account:${scopeAccountId}`);
+		return identifiers.map(identifier => `${report.provider}:${identifier.toLowerCase()}`);
+	}
+	#mergeUsageReportGroup(reports: UsageReport[]): UsageReport {
+		if (reports.length === 1) return reports[0];
+		const sorted = [...reports].sort((a, b) => {
+			const limitDiff = b.limits.length - a.limits.length;
+			if (limitDiff !== 0) return limitDiff;
+			return (b.fetchedAt ?? 0) - (a.fetchedAt ?? 0);
+		});
+		const base = sorted[0];
+		const mergedLimits = [...base.limits];
+		const limitIds = new Set(mergedLimits.map(limit => limit.id));
+		const mergedMetadata: Record<string, unknown> = { ...(base.metadata ?? {}) };
+		let fetchedAt = base.fetchedAt;
+		for (const report of sorted.slice(1)) {
+			fetchedAt = Math.max(fetchedAt, report.fetchedAt);
+			for (const limit of report.limits) {
+				if (!limitIds.has(limit.id)) {
+					limitIds.add(limit.id);
+					mergedLimits.push(limit);
+				}
+			}
+			if (report.metadata) {
+				for (const [key, value] of Object.entries(report.metadata)) {
+					if (mergedMetadata[key] === undefined) {
+						mergedMetadata[key] = value;
+					}
+				}
+			}
+		}
+		return {
+			...base,
+			fetchedAt,
+			limits: mergedLimits,
+			metadata: Object.keys(mergedMetadata).length > 0 ? mergedMetadata : undefined,
+		};
+	}
+	#dedupeUsageReports(reports: UsageReport[]): UsageReport[] {
+		const groups: UsageReport[][] = [];
+		const idToGroup = new Map<string, number>();
+		for (const report of reports) {
+			const identifiers = this.#getUsageReportIdentifiers(report);
+			let groupIndex: number | undefined;
+			for (const identifier of identifiers) {
+				const existing = idToGroup.get(identifier);
+				if (existing !== undefined) {
+					groupIndex = existing;
+					break;
+				}
+			}
+			if (groupIndex === undefined) {
+				groupIndex = groups.length;
+				groups.push([]);
+			}
+			groups[groupIndex].push(report);
+			for (const identifier of identifiers) {
+				idToGroup.set(identifier, groupIndex);
+			}
+		}
+		const deduped = groups.map(group => this.#mergeUsageReportGroup(group));
+		if (deduped.length !== reports.length) {
+			this.#usageLogger?.debug("Usage reports deduped", {
+				before: reports.length,
+				after: deduped.length,
+			});
+		}
+		return deduped;
+	}
+	#isUsageLimitExhausted(limit: UsageLimit): boolean {
+		if (limit.status === "exhausted") return true;
+		const amount = limit.amount;
+		if (amount.usedFraction !== undefined && amount.usedFraction >= 1) return true;
+		if (amount.remainingFraction !== undefined && amount.remainingFraction <= 0) return true;
+		if (amount.used !== undefined && amount.limit !== undefined && amount.used >= amount.limit) return true;
+		if (amount.remaining !== undefined && amount.remaining <= 0) return true;
+		if (amount.unit === "percent" && amount.used !== undefined && amount.used >= 100) return true;
+		return false;
+	}
+	/** Returns true if usage indicates rate limit has been reached. */
+	#isUsageLimitReached(report: UsageReport): boolean {
+		return report.limits.some(limit => this.#isUsageLimitExhausted(limit));
+	}
+	/** Extracts the earliest reset timestamp from exhausted windows (in ms). */
+	#getUsageResetAtMs(report: UsageReport, nowMs: number): number | undefined {
+		const candidates: number[] = [];
+		for (const limit of report.limits) {
+			if (!this.#isUsageLimitExhausted(limit)) continue;
+			const window = limit.window;
+			if (window?.resetsAt && window.resetsAt > nowMs) {
+				candidates.push(window.resetsAt);
+			}
+			if (window?.resetInMs && window.resetInMs > 0) {
+				const resetAt = nowMs + window.resetInMs;
+				if (resetAt > nowMs) candidates.push(resetAt);
+			}
+		}
+		if (candidates.length === 0) return undefined;
+		return Math.min(...candidates);
+	}
+	async #getUsageReport(
+		provider: Provider,
+		credential: OAuthCredential,
+		options?: { baseUrl?: string },
+	): Promise<UsageReport | null> {
+		const resolver = this.#usageProviderResolver;
+		const cache = this.#usageCache;
+		if (!resolver || !cache) return null;
+		const providerImpl = resolver(provider);
+		if (!providerImpl) return null;
+		const params = {
+			provider,
+			credential: this.#buildUsageCredential(credential),
+			baseUrl: options?.baseUrl,
+		};
+		if (providerImpl.supports && !providerImpl.supports(params)) return null;
+		try {
+			return await providerImpl.fetchUsage(params, {
+				cache,
+				fetch: this.#usageFetch,
+				now: this.#usageNow,
+				logger: this.#usageLogger,
+			});
+		} catch (error) {
+			logger.debug("AuthStorage usage fetch failed", {
+				provider,
+				error: String(error),
+			});
+			return null;
+		}
+	}
+	async fetchUsageReports(options?: {
+		baseUrlResolver?: (provider: Provider) => string | undefined;
+	}): Promise<UsageReport[] | null> {
+		const resolver = this.#usageProviderResolver;
+		const cache = this.#usageCache;
+		if (!resolver || !cache) return null;
+		const tasks: Array<Promise<UsageReport | null>> = [];
+		const providers = new Set<string>([
+			...this.#data.keys(),
+			...DEFAULT_USAGE_PROVIDERS.map(provider => provider.id),
+		]);
+		this.#usageLogger?.debug("Usage fetch requested", {
+			providers: Array.from(providers).sort(),
+		});
+		for (const provider of providers) {
+			const providerImpl = resolver(provider as Provider);
+			if (!providerImpl) continue;
+			const baseUrl = options?.baseUrlResolver?.(provider as Provider);
+			let entries = this.#getStoredCredentials(provider);
+			if (entries.length > 0) {
+				const dedupedEntries = this.#pruneDuplicateStoredCredentials(provider, entries);
+				if (dedupedEntries.length !== entries.length) {
+					this.#setStoredCredentials(provider, dedupedEntries);
+				}
+				entries = dedupedEntries;
+			}
+			if (entries.length === 0) {
+				const runtimeKey = this.#runtimeOverrides.get(provider);
+				const envKey = getEnvApiKey(provider);
+				const apiKey = runtimeKey ?? envKey;
+				if (!apiKey) {
+					continue;
+				}
+				const params = {
+					provider: provider as Provider,
+					credential: { type: "api_key", apiKey } satisfies UsageCredential,
+					baseUrl,
+				};
+				if (providerImpl.supports && !providerImpl.supports(params)) {
+					continue;
+				}
+				this.#usageLogger?.debug("Usage fetch queued", {
+					provider,
+					credentialType: "api_key",
+					baseUrl,
+				});
+				tasks.push(
+					providerImpl
+						.fetchUsage(params, {
+							cache,
+							fetch: this.#usageFetch,
+							now: this.#usageNow,
+							logger: this.#usageLogger,
+						})
+						.catch(error => {
+							logger.debug("AuthStorage usage fetch failed", {
+								provider,
+								error: String(error),
+							});
+							return null;
+						}),
+				);
+				continue;
+			}
+			for (const entry of entries) {
+				const credential = entry.credential;
+				const usageCredential: UsageCredential =
+					credential.type === "api_key"
+						? { type: "api_key", apiKey: credential.key }
+						: this.#buildUsageCredential(credential);
+				const params = {
+					provider: provider as Provider,
+					credential: usageCredential,
+					baseUrl,
+				};
+				if (providerImpl.supports && !providerImpl.supports(params)) {
+					continue;
+				}
+				this.#usageLogger?.debug("Usage fetch queued", {
+					provider,
+					credentialType: usageCredential.type,
+					baseUrl,
+					accountId: usageCredential.accountId,
+					email: usageCredential.email,
+				});
+				tasks.push(
+					providerImpl
+						.fetchUsage(params, {
+							cache,
+							fetch: this.#usageFetch,
+							now: this.#usageNow,
+							logger: this.#usageLogger,
+						})
+						.catch(error => {
+							logger.debug("AuthStorage usage fetch failed", {
+								provider,
+								error: String(error),
+							});
+							return null;
+						}),
+				);
+			}
+		}
+		if (tasks.length === 0) return [];
+		const results = await Promise.all(tasks);
+		const reports = results.filter((report): report is UsageReport => report !== null);
+		const deduped = this.#dedupeUsageReports(reports);
+		this.#usageLogger?.debug("Usage fetch resolved", {
+			reports: deduped.map(report => {
+				const accountLabel =
+					this.#getUsageReportMetadataValue(report, "email") ??
+					this.#getUsageReportMetadataValue(report, "accountId") ??
+					this.#getUsageReportMetadataValue(report, "account") ??
+					this.#getUsageReportMetadataValue(report, "user") ??
+					this.#getUsageReportMetadataValue(report, "username") ??
+					this.#getUsageReportScopeAccountId(report);
+				return {
+					provider: report.provider,
+					limits: report.limits.length,
+					account: accountLabel,
+				};
+			}),
+		});
+		return deduped;
+	}
+	/**
+	 * Marks the current session's credential as temporarily blocked due to usage limits.
+	 * Uses usage reports to determine accurate reset time when available.
+	 * Returns true if a credential was blocked, enabling automatic fallback to the next credential.
+	 */
+	async markUsageLimitReached(
+		provider: string,
+		sessionId: string | undefined,
+		options?: { retryAfterMs?: number; baseUrl?: string },
+	): Promise<boolean> {
+		const sessionCredential = this.#getSessionCredential(provider, sessionId);
+		if (!sessionCredential) return false;
+		const providerKey = this.#getProviderTypeKey(provider, sessionCredential.type);
+		const now = this.#usageNow();
+		let blockedUntil = now + (options?.retryAfterMs ?? AuthStorage.#defaultBackoffMs);
+		if (provider === "openai-codex" && sessionCredential.type === "oauth") {
+			const credential = this.#getCredentialsForProvider(provider)[sessionCredential.index];
+			if (credential?.type === "oauth") {
+				const report = await this.#getUsageReport(provider, credential, options);
+				if (report && this.#isUsageLimitReached(report)) {
+					const resetAtMs = this.#getUsageResetAtMs(report, this.#usageNow());
+					if (resetAtMs && resetAtMs > blockedUntil) {
+						blockedUntil = resetAtMs;
+					}
+				}
+			}
+		}
+		this.#markCredentialBlocked(providerKey, sessionCredential.index, blockedUntil);
+		const remainingCredentials = this.#getCredentialsForProvider(provider)
+			.map((credential, index) => ({ credential, index }))
+			.filter(
+				(entry): entry is { credential: AuthCredential; index: number } =>
+					entry.credential.type === sessionCredential.type && entry.index !== sessionCredential.index,
+			);
+		return remainingCredentials.some(candidate => !this.#isCredentialBlocked(providerKey, candidate.index));
+	}
+	/**
+	 * Resolves an OAuth API key, trying credentials in priority order.
+	 * Skips blocked credentials and checks usage limits for providers with usage data.
+	 * Falls back to earliest-unblocking credential if all are blocked.
+	 */
+	async #resolveOAuthApiKey(
+		provider: string,
+		sessionId?: string,
+		options?: { baseUrl?: string },
+	): Promise<string | undefined> {
+		const credentials = this.#getCredentialsForProvider(provider)
+			.map((credential, index) => ({ credential, index }))
+			.filter((entry): entry is { credential: OAuthCredential; index: number } => entry.credential.type === "oauth");
+		if (credentials.length === 0) return undefined;
+		const providerKey = this.#getProviderTypeKey(provider, "oauth");
+		const order = this.#getCredentialOrder(providerKey, sessionId, credentials.length);
+		const fallback = credentials[order[0]];
+		const checkUsage = provider === "openai-codex" && credentials.length > 1;
+		for (const idx of order) {
+			const selection = credentials[idx];
+			const apiKey = await this.#tryOAuthCredential(
+				provider,
+				selection,
+				providerKey,
+				sessionId,
+				options,
+				checkUsage,
+				false,
+			);
+			if (apiKey) return apiKey;
+		}
+		if (fallback && this.#isCredentialBlocked(providerKey, fallback.index)) {
+			return this.#tryOAuthCredential(provider, fallback, providerKey, sessionId, options, checkUsage, true);
+		}
+		return undefined;
+	}
+	/** Attempts to use a single OAuth credential, checking usage and refreshing token. */
+	async #tryOAuthCredential(
+		provider: string,
+		selection: { credential: OAuthCredential; index: number },
+		providerKey: string,
+		sessionId: string | undefined,
+		options: { baseUrl?: string } | undefined,
+		checkUsage: boolean,
+		allowBlocked: boolean,
+	): Promise<string | undefined> {
+		if (!allowBlocked && this.#isCredentialBlocked(providerKey, selection.index)) {
+			return undefined;
+		}
+		let usage: UsageReport | null = null;
+		let usageChecked = false;
+		if (checkUsage && !allowBlocked) {
+			usage = await this.#getUsageReport(provider, selection.credential, options);
+			usageChecked = true;
+			if (usage && this.#isUsageLimitReached(usage)) {
+				const resetAtMs = this.#getUsageResetAtMs(usage, this.#usageNow());
+				this.#markCredentialBlocked(
+					providerKey,
+					selection.index,
+					resetAtMs ?? this.#usageNow() + AuthStorage.#defaultBackoffMs,
+				);
+				return undefined;
+			}
+		}
+		try {
+			let result: { newCredentials: OAuthCredentials; apiKey: string } | null;
+			const customProvider = getOAuthProvider(provider);
+			if (customProvider) {
+				let refreshedCredentials: OAuthCredentials = selection.credential;
+				if (Date.now() >= refreshedCredentials.expires) {
+					if (!customProvider.refreshToken) {
+						throw new Error(`OAuth provider "${provider}" does not support token refresh`);
+					}
+					refreshedCredentials = await customProvider.refreshToken(refreshedCredentials);
+				}
+				const apiKey = customProvider.getApiKey
+					? customProvider.getApiKey(refreshedCredentials)
+					: refreshedCredentials.access;
+				result = { newCredentials: refreshedCredentials, apiKey };
+			} else {
+				const oauthCreds: Record<string, OAuthCredentials> = {
+					[provider]: selection.credential,
+				};
+				result = await getOAuthApiKey(provider as OAuthProvider, oauthCreds);
+			}
+			if (!result) return undefined;
+			const updated: OAuthCredential = {
+				type: "oauth",
+				access: result.newCredentials.access,
+				refresh: result.newCredentials.refresh,
+				expires: result.newCredentials.expires,
+				accountId: result.newCredentials.accountId ?? selection.credential.accountId,
+				email: result.newCredentials.email ?? selection.credential.email,
+				projectId: result.newCredentials.projectId ?? selection.credential.projectId,
+				enterpriseUrl: result.newCredentials.enterpriseUrl ?? selection.credential.enterpriseUrl,
+			};
+			this.#replaceCredentialAt(provider, selection.index, updated);
+			if (checkUsage && !allowBlocked) {
+				const sameAccount = selection.credential.accountId === updated.accountId;
+				if (!usageChecked || !sameAccount) {
+					usage = await this.#getUsageReport(provider, updated, options);
+				}
+				if (usage && this.#isUsageLimitReached(usage)) {
+					const resetAtMs = this.#getUsageResetAtMs(usage, this.#usageNow());
+					this.#markCredentialBlocked(
+						providerKey,
+						selection.index,
+						resetAtMs ?? this.#usageNow() + AuthStorage.#defaultBackoffMs,
+					);
+					return undefined;
+				}
+			}
+			this.#recordSessionCredential(provider, sessionId, "oauth", selection.index);
+			return result.apiKey;
+		} catch (error) {
+			const errorMsg = String(error);
+			// Only remove credentials for definitive auth failures
+			// Keep credentials for transient errors (network, 5xx) and block temporarily
+			const isDefinitiveFailure =
+				/invalid_grant|invalid_token|revoked|unauthorized|expired.*refresh|refresh.*expired/i.test(errorMsg) ||
+				(/\b(401|403)\b/.test(errorMsg) && !/timeout|network|fetch failed|ECONNREFUSED/i.test(errorMsg));
+			logger.warn("OAuth token refresh failed", {
+				provider,
+				index: selection.index,
+				error: errorMsg,
+				isDefinitiveFailure,
+			});
+			if (isDefinitiveFailure) {
+				// Permanently remove invalid credentials
+				this.#removeCredentialAt(provider, selection.index);
+				if (this.#getCredentialsForProvider(provider).some(credential => credential.type === "oauth")) {
+					return this.getApiKey(provider, sessionId, options);
+				}
+			} else {
+				// Block temporarily for transient failures (5 minutes)
+				this.#markCredentialBlocked(providerKey, selection.index, this.#usageNow() + 5 * 60 * 1000);
+			}
+		}
+		return undefined;
+	}
+	/**
+	 * Peek at API key for a provider without refreshing OAuth tokens.
+	 * Used for model discovery where we only need to know if credentials exist
+	 * and get a best-effort token. The actual refresh happens lazily when the
+	 * provider is used for an API call.
+	 */
+	async peekApiKey(provider: string): Promise<string | undefined> {
+		const runtimeKey = this.#runtimeOverrides.get(provider);
+		if (runtimeKey) {
+			return runtimeKey;
+		}
+		const apiKeySelection = this.#selectCredentialByType(provider, "api_key");
+		if (apiKeySelection) {
+			return resolveConfigValue(apiKeySelection.credential.key);
+		}
+		// Return current OAuth access token only if it is not already expired.
+		const oauthSelection = this.#selectCredentialByType(provider, "oauth");
+		if (oauthSelection) {
+			const expiresAt = oauthSelection.credential.expires;
+			if (Number.isFinite(expiresAt) && expiresAt > Date.now()) {
+				return oauthSelection.credential.access;
+			}
+		}
+		const envKey = getEnvApiKey(provider);
+		if (envKey) return envKey;
+		return this.#fallbackResolver?.(provider) ?? undefined;
+	}
+	/**
+	 * Get API key for a provider.
+	 * Priority:
+	 * 1. Runtime override (CLI --api-key)
+	 * 2. API key from agent.db
+	 * 3. OAuth token from agent.db (auto-refreshed)
+	 * 4. Environment variable
+	 * 5. Fallback resolver (models.json custom providers)
+	 */
+	async getApiKey(provider: string, sessionId?: string, options?: { baseUrl?: string }): Promise<string | undefined> {
+		// Runtime override takes highest priority
+		const runtimeKey = this.#runtimeOverrides.get(provider);
+		if (runtimeKey) {
+			return runtimeKey;
+		}
+		const apiKeySelection = this.#selectCredentialByType(provider, "api_key", sessionId);
+		if (apiKeySelection) {
+			this.#recordSessionCredential(provider, sessionId, "api_key", apiKeySelection.index);
+			return resolveConfigValue(apiKeySelection.credential.key);
+		}
+		const oauthKey = await this.#resolveOAuthApiKey(provider, sessionId, options);
+		if (oauthKey) {
+			return oauthKey;
+		}
+		// Fall back to environment variable
+		const envKey = getEnvApiKey(provider);
+		if (envKey) return envKey;
+		// Fall back to custom resolver (e.g., models.json custom providers)
+		return this.#fallbackResolver?.(provider) ?? undefined;
+	}
+}