npm - @noxsoft/anima - Versions diffs - 5.0.1 → 5.0.2 - Mend

@noxsoft/anima 5.0.1 → 5.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (180) hide show

package/dist/extensionAPI.js CHANGED Viewed

@@ -19,7 +19,7 @@ import "express";
 import "undici";
 import "file-type";
 import "ws";
-import { getOAuthProviders } from "@mariozechner/pi-ai";
+import { getEnvApiKey, getOAuthApiKey, getOAuthProviders } from "@mariozechner/pi-ai";
 import "node-edge-tts";
 //#region src/infra/home-dir.ts
@@ -173,6 +173,22 @@ function resolveDefaultConfigCandidates(env = process.env, homedir = envHomedir(
 	candidates.push(path.join(newStateDir(effectiveHomedir), CONFIG_FILENAME));
 	return candidates;
 }
+const OAUTH_FILENAME = "oauth.json";
+/**
+* OAuth credentials storage directory.
+*
+* Precedence:
+* - `ANIMA_OAUTH_DIR` (explicit override)
+* - `$*_STATE_DIR/credentials` (canonical server/default)
+*/
+function resolveOAuthDir(env = process.env, stateDir = resolveStateDir(env, envHomedir(env))) {
+	const override = env.ANIMA_OAUTH_DIR?.trim();
+	if (override) return resolveUserPath$1(override, env, envHomedir(env));
+	return path.join(stateDir, "credentials");
+}
+function resolveOAuthPath(env = process.env, stateDir = resolveStateDir(env, envHomedir(env))) {
+	return path.join(resolveOAuthDir(env, stateDir), OAUTH_FILENAME);
+}
 //#endregion
 //#region src/sessions/session-key-utils.ts
@@ -1704,241 +1720,98 @@ function resolveThinkingDefault(params) {
 }
 //#endregion
-//#region src/agents/cli-backends.ts
-const DEFAULT_CLAUDE_BACKEND = {
-	command: "claude",
-	args: [
-		"-p",
-		"--output-format",
-		"json",
-		"--dangerously-skip-permissions"
-	],
-	resumeArgs: [
-		"-p",
-		"--output-format",
-		"json",
-		"--dangerously-skip-permissions",
-		"--resume",
-		"{sessionId}"
-	],
-	output: "jsonl",
-	input: "arg",
-	modelArg: "--model",
-	modelAliases: {
-		opus: "opus",
-		"opus-4.6": "opus",
-		"opus-4.5": "opus",
-		"opus-4": "opus",
-		"claude-opus-4-6": "opus",
-		"claude-opus-4-5": "opus",
-		"claude-opus-4": "opus",
-		sonnet: "sonnet",
-		"sonnet-4.5": "sonnet",
-		"sonnet-4.1": "sonnet",
-		"sonnet-4.0": "sonnet",
-		"claude-sonnet-4-5": "sonnet",
-		"claude-sonnet-4-1": "sonnet",
-		"claude-sonnet-4-0": "sonnet",
-		haiku: "haiku",
-		"haiku-3.5": "haiku",
-		"claude-haiku-3-5": "haiku"
-	},
-	sessionArg: "--session-id",
-	sessionMode: "always",
-	sessionIdFields: [
-		"session_id",
-		"sessionId",
-		"conversation_id",
-		"conversationId"
-	],
-	systemPromptArg: "--append-system-prompt",
-	systemPromptMode: "append",
-	systemPromptWhen: "first",
-	clearEnv: ["ANTHROPIC_API_KEY", "ANTHROPIC_API_KEY_OLD"],
-	serialize: true
-};
-const DEFAULT_CODEX_BACKEND = {
-	command: "codex",
-	args: [
-		"exec",
-		"--json",
-		"--color",
-		"never",
-		"--sandbox",
-		"read-only",
-		"--skip-git-repo-check"
-	],
-	resumeArgs: [
-		"exec",
-		"resume",
-		"{sessionId}"
-	],
-	output: "jsonl",
-	resumeOutput: "text",
-	input: "arg",
-	modelArg: "--model",
-	imageArg: "--image",
-	sessionMode: "existing",
-	serialize: true
-};
-const CLAUDE_BACKEND_ALIASES = [
-	"claude-cli",
-	"anthropic",
-	"claude"
-];
-const CODEX_BACKEND_ALIASES = [
-	"codex-cli",
-	"openai-codex",
-	"openai",
-	"codex"
-];
-const CLAUDE_BACKEND_ALIAS_SET = new Set(CLAUDE_BACKEND_ALIASES.map((alias) => normalizeBackendKey(alias)));
-const CODEX_BACKEND_ALIAS_SET = new Set(CODEX_BACKEND_ALIASES.map((alias) => normalizeBackendKey(alias)));
-function normalizeBackendKey(key) {
-	return normalizeProviderId(key);
-}
-function pickBackendConfig(config, normalizedId) {
-	for (const [key, entry] of Object.entries(config)) if (normalizeBackendKey(key) === normalizedId) return entry;
+//#region src/logging/redact-identifier.ts
+function sha256HexPrefix(value, len = 12) {
+	const safeLen = Number.isFinite(len) ? Math.max(1, Math.floor(len)) : 12;
+	return crypto.createHash("sha256").update(value).digest("hex").slice(0, safeLen);
 }
-function pickBackendConfigByAliases(config, aliases) {
-	for (const alias of aliases) {
-		const matched = pickBackendConfig(config, normalizeBackendKey(alias));
-		if (matched) return matched;
-	}
+function redactIdentifier(value, opts) {
+	const trimmed = value?.trim();
+	if (!trimmed) return "-";
+	return `sha256:${sha256HexPrefix(trimmed, opts?.len ?? 12)}`;
 }
-function mergeBackendConfig(base, override) {
-	if (!override) return { ...base };
+//#endregion
+//#region src/agents/workspace-run.ts
+function resolveRunAgentId(params) {
+	const rawSessionKey = params.sessionKey?.trim() ?? "";
+	const shape = classifySessionKeyShape(rawSessionKey);
+	if (shape === "malformed_agent") throw new Error("Malformed agent session key; refusing workspace resolution.");
+	const explicit = typeof params.agentId === "string" && params.agentId.trim() ? normalizeAgentId(params.agentId) : void 0;
+	if (explicit) return {
+		agentId: explicit,
+		agentIdSource: "explicit"
+	};
+	const defaultAgentId = resolveDefaultAgentId(params.config ?? {});
+	if (shape === "missing" || shape === "legacy_or_alias") return {
+		agentId: defaultAgentId || DEFAULT_AGENT_ID,
+		agentIdSource: "default"
+	};
+	const parsed = parseAgentSessionKey(rawSessionKey);
+	if (parsed?.agentId) return {
+		agentId: normalizeAgentId(parsed.agentId),
+		agentIdSource: "session_key"
+	};
 	return {
-		...base,
-		...override,
-		args: override.args ?? base.args,
-		env: {
-			...base.env,
-			...override.env
-		},
-		modelAliases: {
-			...base.modelAliases,
-			...override.modelAliases
-		},
-		clearEnv: Array.from(new Set([...base.clearEnv ?? [], ...override.clearEnv ?? []])),
-		sessionIdFields: override.sessionIdFields ?? base.sessionIdFields,
-		sessionArgs: override.sessionArgs ?? base.sessionArgs,
-		resumeArgs: override.resumeArgs ?? base.resumeArgs
+		agentId: defaultAgentId || DEFAULT_AGENT_ID,
+		agentIdSource: "default"
 	};
 }
-function resolveCliBackendConfig(provider, cfg) {
-	const normalized = normalizeBackendKey(provider);
-	const configured = cfg?.agents?.defaults?.cliBackends ?? {};
-	if (CLAUDE_BACKEND_ALIAS_SET.has(normalized)) {
-		const merged = mergeBackendConfig(DEFAULT_CLAUDE_BACKEND, pickBackendConfigByAliases(configured, [provider, ...CLAUDE_BACKEND_ALIASES]));
-		const command = merged.command?.trim();
-		if (!command) return null;
-		return {
-			id: normalizeBackendKey("claude-cli"),
-			config: {
-				...merged,
-				command
-			}
-		};
-	}
-	if (CODEX_BACKEND_ALIAS_SET.has(normalized)) {
-		const merged = mergeBackendConfig(DEFAULT_CODEX_BACKEND, pickBackendConfigByAliases(configured, [provider, ...CODEX_BACKEND_ALIASES]));
-		const command = merged.command?.trim();
-		if (!command) return null;
-		return {
-			id: normalizeBackendKey("codex-cli"),
-			config: {
-				...merged,
-				command
-			}
+function redactRunIdentifier(value) {
+	return redactIdentifier(value, { len: 12 });
+}
+function resolveRunWorkspaceDir(params) {
+	const requested = params.workspaceDir;
+	const { agentId, agentIdSource } = resolveRunAgentId({
+		sessionKey: params.sessionKey,
+		agentId: params.agentId,
+		config: params.config
+	});
+	if (typeof requested === "string") {
+		const trimmed = requested.trim();
+		if (trimmed) return {
+			workspaceDir: resolveUserPath(trimmed),
+			usedFallback: false,
+			agentId,
+			agentIdSource
 		};
 	}
-	const override = pickBackendConfig(configured, normalized);
-	if (!override) return null;
-	const command = override.command?.trim();
-	if (!command) return null;
+	const fallbackReason = requested == null ? "missing" : typeof requested === "string" ? "blank" : "invalid_type";
 	return {
-		id: normalized,
-		config: {
-			...override,
-			command
-		}
+		workspaceDir: resolveUserPath(resolveAgentWorkspaceDir(params.config ?? {}, agentId)),
+		usedFallback: true,
+		fallbackReason,
+		agentId,
+		agentIdSource
 	};
 }
 //#endregion
-//#region src/auto-reply/tokens.ts
-const SILENT_REPLY_TOKEN = "NO_REPLY";
-//#endregion
-//#region src/auto-reply/heartbeat.ts
-const HEARTBEAT_PROMPT = "Read HEARTBEAT.md if it exists (workspace context). Follow it strictly. Do not infer or repeat old tasks from prior chats. If nothing needs attention, reply HEARTBEAT_OK.";
-function resolveHeartbeatPrompt(raw) {
-	return (typeof raw === "string" ? raw.trim() : "") || HEARTBEAT_PROMPT;
-}
-//#endregion
-//#region src/utils/boolean.ts
-const DEFAULT_TRUTHY = [
-	"true",
-	"1",
-	"yes",
-	"on"
-];
-const DEFAULT_FALSY = [
-	"false",
-	"0",
-	"no",
-	"off"
-];
-const DEFAULT_TRUTHY_SET = new Set(DEFAULT_TRUTHY);
-const DEFAULT_FALSY_SET = new Set(DEFAULT_FALSY);
-function parseBooleanValue(value, options = {}) {
-	if (typeof value === "boolean") return value;
-	if (typeof value !== "string") return;
-	const normalized = value.trim().toLowerCase();
-	if (!normalized) return;
-	const truthy = options.truthy ?? DEFAULT_TRUTHY;
-	const falsy = options.falsy ?? DEFAULT_FALSY;
-	const truthySet = truthy === DEFAULT_TRUTHY ? DEFAULT_TRUTHY_SET : new Set(truthy);
-	const falsySet = falsy === DEFAULT_FALSY ? DEFAULT_FALSY_SET : new Set(falsy);
-	if (truthySet.has(normalized)) return true;
-	if (falsySet.has(normalized)) return false;
-}
-//#endregion
-//#region src/infra/env.ts
-const log$8 = createSubsystemLogger("env");
-function isTruthyEnvValue(value) {
-	return parseBooleanValue(value) === true;
-}
-//#endregion
-//#region src/hooks/internal-hooks.ts
-/** Registry of hook handlers by event key */
-const handlers = /* @__PURE__ */ new Map();
-/**
-* Trigger a hook event
-*
-* Calls all handlers registered for:
-* 1. The general event type (e.g., 'command')
-* 2. The specific event:action combination (e.g., 'command:new')
-*
-* Handlers are called in registration order. Errors are caught and logged
-* but don't prevent other handlers from running.
-*
-* @param event - The event to trigger
-*/
-async function triggerInternalHook(event) {
-	const typeHandlers = handlers.get(event.type) ?? [];
-	const specificHandlers = handlers.get(`${event.type}:${event.action}`) ?? [];
-	const allHandlers = [...typeHandlers, ...specificHandlers];
-	if (allHandlers.length === 0) return;
-	for (const handler of allHandlers) try {
-		await handler(event);
-	} catch (err) {
-		console.error(`Hook error [${event.type}:${event.action}]:`, err instanceof Error ? err.message : String(err));
-	}
+//#region src/hooks/internal-hooks.ts
+/** Registry of hook handlers by event key */
+const handlers = /* @__PURE__ */ new Map();
+/**
+* Trigger a hook event
+*
+* Calls all handlers registered for:
+* 1. The general event type (e.g., 'command')
+* 2. The specific event:action combination (e.g., 'command:new')
+*
+* Handlers are called in registration order. Errors are caught and logged
+* but don't prevent other handlers from running.
+*
+* @param event - The event to trigger
+*/
+async function triggerInternalHook(event) {
+	const typeHandlers = handlers.get(event.type) ?? [];
+	const specificHandlers = handlers.get(`${event.type}:${event.action}`) ?? [];
+	const allHandlers = [...typeHandlers, ...specificHandlers];
+	if (allHandlers.length === 0) return;
+	for (const handler of allHandlers) try {
+		await handler(event);
+	} catch (err) {
+		console.error(`Hook error [${event.type}:${event.action}]:`, err instanceof Error ? err.message : String(err));
+	}
 }
 /**
 * Create a hook event with common fields filled in
@@ -2076,6 +1949,42 @@ function loadDotEnv(opts) {
 	});
 }
+//#endregion
+//#region src/utils/boolean.ts
+const DEFAULT_TRUTHY = [
+	"true",
+	"1",
+	"yes",
+	"on"
+];
+const DEFAULT_FALSY = [
+	"false",
+	"0",
+	"no",
+	"off"
+];
+const DEFAULT_TRUTHY_SET = new Set(DEFAULT_TRUTHY);
+const DEFAULT_FALSY_SET = new Set(DEFAULT_FALSY);
+function parseBooleanValue(value, options = {}) {
+	if (typeof value === "boolean") return value;
+	if (typeof value !== "string") return;
+	const normalized = value.trim().toLowerCase();
+	if (!normalized) return;
+	const truthy = options.truthy ?? DEFAULT_TRUTHY;
+	const falsy = options.falsy ?? DEFAULT_FALSY;
+	const truthySet = truthy === DEFAULT_TRUTHY ? DEFAULT_TRUTHY_SET : new Set(truthy);
+	const falsySet = falsy === DEFAULT_FALSY ? DEFAULT_FALSY_SET : new Set(falsy);
+	if (truthySet.has(normalized)) return true;
+	if (falsySet.has(normalized)) return false;
+}
+//#endregion
+//#region src/infra/env.ts
+const log$9 = createSubsystemLogger("env");
+function isTruthyEnvValue(value) {
+	return parseBooleanValue(value) === true;
+}
 //#endregion
 //#region src/infra/shell-env.ts
 const DEFAULT_TIMEOUT_MS$1 = 15e3;
@@ -2175,6 +2084,9 @@ function resolveShellEnvFallbackTimeoutMs(env) {
 	if (!Number.isFinite(parsed)) return DEFAULT_TIMEOUT_MS$1;
 	return Math.max(0, parsed);
 }
+function getShellEnvAppliedKeys() {
+	return [...lastAppliedKeys];
+}
 //#endregion
 //#region src/version.ts
@@ -7153,9 +7065,58 @@ const SANDBOX_STATE_DIR = path.join(STATE_DIR, "sandbox");
 const SANDBOX_REGISTRY_PATH = path.join(SANDBOX_STATE_DIR, "containers.json");
 const SANDBOX_BROWSER_REGISTRY_PATH = path.join(SANDBOX_STATE_DIR, "browsers.json");
+//#endregion
+//#region src/cli/cli-name.ts
+const DEFAULT_CLI_NAME = "anima";
+const KNOWN_CLI_NAMES = new Set([DEFAULT_CLI_NAME]);
+const CLI_PREFIX_RE$1 = /^(?:((?:pnpm|npm|bunx|npx)\s+))?anima\b/;
+function resolveCliName(argv = process.argv) {
+	const argv1 = argv[1];
+	if (!argv1) return DEFAULT_CLI_NAME;
+	const base = path.basename(argv1).trim();
+	if (KNOWN_CLI_NAMES.has(base)) return base;
+	return DEFAULT_CLI_NAME;
+}
+function replaceCliName(command, cliName = resolveCliName()) {
+	if (!command.trim()) return command;
+	if (!CLI_PREFIX_RE$1.test(command)) return command;
+	return command.replace(CLI_PREFIX_RE$1, (_match, runner) => {
+		return `${runner ?? ""}${cliName}`;
+	});
+}
+//#endregion
+//#region src/cli/profile-utils.ts
+const PROFILE_NAME_RE = /^[a-z0-9][a-z0-9_-]{0,63}$/i;
+function isValidProfileName(value) {
+	if (!value) return false;
+	return PROFILE_NAME_RE.test(value);
+}
+function normalizeProfileName(raw) {
+	const profile = raw?.trim();
+	if (!profile) return null;
+	if (profile.toLowerCase() === "default") return null;
+	if (!isValidProfileName(profile)) return null;
+	return profile;
+}
+//#endregion
+//#region src/cli/command-format.ts
+const CLI_PREFIX_RE = /^(?:pnpm|npm|bunx|npx)\s+anima\b|^anima\b/;
+const PROFILE_FLAG_RE = /(?:^|\s)--profile(?:\s|=|$)/;
+const DEV_FLAG_RE = /(?:^|\s)--dev(?:\s|$)/;
+function formatCliCommand(command, env = process.env) {
+	const normalizedCommand = replaceCliName(command, resolveCliName());
+	const profile = normalizeProfileName(env.ANIMA_PROFILE);
+	if (!profile) return normalizedCommand;
+	if (!CLI_PREFIX_RE.test(normalizedCommand)) return normalizedCommand;
+	if (PROFILE_FLAG_RE.test(normalizedCommand) || DEV_FLAG_RE.test(normalizedCommand)) return normalizedCommand;
+	return normalizedCommand.replace(CLI_PREFIX_RE, (match) => `${match} --profile ${profile}`);
+}
 //#endregion
 //#region src/agents/skills/plugin-skills.ts
-const log$7 = createSubsystemLogger("skills");
+const log$8 = createSubsystemLogger("skills");
 //#endregion
 //#region src/agents/skills/workspace.ts
@@ -7239,7 +7200,7 @@ const LSOF_CANDIDATES = process.platform === "darwin" ? ["/usr/sbin/lsof", "/usr
 //#endregion
 //#region src/browser/chrome.ts
-const log$6 = createSubsystemLogger("browser").child("chrome");
+const log$7 = createSubsystemLogger("browser").child("chrome");
 //#endregion
 //#region src/agents/sandbox/docker.ts
@@ -7424,7 +7385,7 @@ function resolveCleanupState() {
 	};
 	return proc[CLEANUP_STATE_KEY];
 }
-function isAlive(pid) {
+function isAlive$1(pid) {
 	if (!Number.isFinite(pid) || pid <= 0) return false;
 	try {
 		process.kill(pid, 0);
@@ -7479,7 +7440,7 @@ function registerCleanupHandlers() {
 		} catch {}
 	}
 }
-async function readLockPayload(lockPath) {
+async function readLockPayload$1(lockPath) {
 	try {
 		const raw = await fs$1.readFile(lockPath, "utf8");
 		const parsed = JSON.parse(raw);
@@ -7545,10 +7506,10 @@ async function acquireSessionWriteLock(params) {
 			} };
 		} catch (err) {
 			if (err.code !== "EEXIST") throw err;
-			const payload = await readLockPayload(lockPath);
+			const payload = await readLockPayload$1(lockPath);
 			const createdAt = payload?.createdAt ? Date.parse(payload.createdAt) : NaN;
 			const stale = !Number.isFinite(createdAt) || Date.now() - createdAt > staleMs;
-			const alive = payload?.pid ? isAlive(payload.pid) : false;
+			const alive = payload?.pid ? isAlive$1(payload.pid) : false;
 			if (stale || !alive) {
 				await fs$1.rm(lockPath, { force: true });
 				continue;
@@ -7557,7 +7518,7 @@ async function acquireSessionWriteLock(params) {
 			await new Promise((r) => setTimeout(r, delay));
 		}
 	}
-	const payload = await readLockPayload(lockPath);
+	const payload = await readLockPayload$1(lockPath);
 	const owner = payload?.pid ? `pid=${payload.pid}` : "unknown";
 	throw new Error(`session file locked (timeout ${timeoutMs}ms): ${owner} ${lockPath}`);
 }
@@ -7656,7 +7617,7 @@ function getFileMtimeMs(filePath) {
 //#endregion
 //#region src/config/sessions/store.ts
-const log$5 = createSubsystemLogger("sessions/store");
+const log$6 = createSubsystemLogger("sessions/store");
 const SESSION_STORE_CACHE = /* @__PURE__ */ new Map();
 const DEFAULT_SESSION_STORE_TTL_MS = 45e3;
 function isSessionStoreRecord(value) {
@@ -7799,7 +7760,7 @@ function pruneStaleEntries(store, overrideMaxAgeMs, opts = {}) {
 		delete store[key];
 		pruned++;
 	}
-	if (pruned > 0 && opts.log !== false) log$5.info("pruned stale session entries", {
+	if (pruned > 0 && opts.log !== false) log$6.info("pruned stale session entries", {
 		pruned,
 		maxAgeMs
 	});
@@ -7842,7 +7803,7 @@ function capEntryCount(store, overrideMax, opts = {}) {
 		return getEntryUpdatedAt(store[b]) - aTime;
 	}).slice(maxEntries);
 	for (const key of toRemove) delete store[key];
-	if (opts.log !== false) log$5.info("capped session entry count", {
+	if (opts.log !== false) log$6.info("capped session entry count", {
 		removed: toRemove.length,
 		maxEntries
 	});
@@ -7868,7 +7829,7 @@ async function rotateSessionFile(storePath, overrideBytes) {
 	const backupPath = `${storePath}.bak.${Date.now()}`;
 	try {
 		await fs.promises.rename(storePath, backupPath);
-		log$5.info("rotated session store file", {
+		log$6.info("rotated session store file", {
 			backupPath: path.basename(backupPath),
 			sizeBytes: fileSize
 		});
@@ -7883,7 +7844,7 @@ async function rotateSessionFile(storePath, overrideBytes) {
 		if (backups.length > maxBackups) {
 			const toDelete = backups.slice(maxBackups);
 			for (const old of toDelete) await fs.promises.unlink(path.join(dir, old)).catch(() => void 0);
-			log$5.info("cleaned up old session store backups", { deleted: toDelete.length });
+			log$6.info("cleaned up old session store backups", { deleted: toDelete.length });
 		}
 	} catch {}
 	return true;
@@ -7903,7 +7864,7 @@ async function saveSessionStoreUnlocked(storePath, store, opts) {
 					maxEntries: maintenance.maxEntries
 				});
 				if (warning) {
-					log$5.warn("session maintenance would evict active session; skipping enforcement", {
+					log$6.warn("session maintenance would evict active session; skipping enforcement", {
 						activeSessionKey: warning.activeSessionKey,
 						wouldPrune: warning.wouldPrune,
 						wouldCap: warning.wouldCap,
@@ -8221,7 +8182,7 @@ function isFailoverErrorMessage(raw) {
 //#endregion
 //#region src/agents/tool-images.ts
 const MAX_IMAGE_BYTES = 5 * 1024 * 1024;
-const log$4 = createSubsystemLogger("agents/tool-images");
+const log$5 = createSubsystemLogger("agents/tool-images");
 //#endregion
 //#region src/auto-reply/thinking.ts
@@ -8266,6 +8227,55 @@ async function resolveBootstrapContextForRun(params) {
 	};
 }
+//#endregion
+//#region src/auto-reply/tokens.ts
+const SILENT_REPLY_TOKEN = "NO_REPLY";
+//#endregion
+//#region src/auto-reply/heartbeat.ts
+const HEARTBEAT_PROMPT = "Read HEARTBEAT.md if it exists (workspace context). Follow it strictly. Do not infer or repeat old tasks from prior chats. If nothing needs attention, reply HEARTBEAT_OK.";
+function resolveHeartbeatPrompt(raw) {
+	return (typeof raw === "string" ? raw.trim() : "") || HEARTBEAT_PROMPT;
+}
+//#endregion
+//#region src/agents/docs-path.ts
+async function resolveAnimaDocsPath(params) {
+	const workspaceDir = params.workspaceDir?.trim();
+	if (workspaceDir) {
+		const workspaceDocs = path.join(workspaceDir, "docs");
+		if (fs.existsSync(workspaceDocs)) return workspaceDocs;
+	}
+	const packageRoot = await resolveAnimaPackageRoot({
+		cwd: params.cwd,
+		argv1: params.argv1,
+		moduleUrl: params.moduleUrl
+	});
+	if (!packageRoot) return null;
+	const packageDocs = path.join(packageRoot, "docs");
+	return fs.existsSync(packageDocs) ? packageDocs : null;
+}
+//#endregion
+//#region src/utils/normalize-secret-input.ts
+/**
+* Secret normalization for copy/pasted credentials.
+*
+* Common footgun: line breaks (especially `\r`) embedded in API keys/tokens.
+* We strip line breaks anywhere, then trim whitespace at the ends.
+*
+* Intentionally does NOT remove ordinary spaces inside the string to avoid
+* silently altering "Bearer <token>" style values.
+*/
+function normalizeSecretInput(value) {
+	if (typeof value !== "string") return "";
+	return value.replace(/[\r\n\u2028\u2029]+/g, "").trim();
+}
+function normalizeOptionalSecretInput(value) {
+	const normalized = normalizeSecretInput(value);
+	return normalized ? normalized : void 0;
+}
 //#endregion
 //#region src/agents/auth-profiles/constants.ts
 const AUTH_STORE_VERSION = 1;
@@ -8273,9 +8283,19 @@ const AUTH_PROFILE_FILENAME = "auth-profiles.json";
 const LEGACY_AUTH_FILENAME = "auth.json";
 const QWEN_CLI_PROFILE_ID = "qwen-portal:qwen-cli";
 const MINIMAX_CLI_PROFILE_ID = "minimax-portal:minimax-cli";
+const AUTH_STORE_LOCK_OPTIONS = {
+	retries: {
+		retries: 10,
+		factor: 2,
+		minTimeout: 100,
+		maxTimeout: 1e4,
+		randomize: true
+	},
+	stale: 3e4
+};
 const EXTERNAL_CLI_SYNC_TTL_MS = 900 * 1e3;
 const EXTERNAL_CLI_NEAR_EXPIRY_MS = 600 * 1e3;
-const log$3 = createSubsystemLogger("agents/auth-profiles");
+const log$4 = createSubsystemLogger("agents/auth-profiles");
 //#endregion
 //#region src/plugin-sdk/file-lock.ts
@@ -8286,6 +8306,120 @@ function resolveHeldLocks() {
 	return proc[HELD_LOCKS_KEY];
 }
 const HELD_LOCKS = resolveHeldLocks();
+function isAlive(pid) {
+	if (!Number.isFinite(pid) || pid <= 0) return false;
+	try {
+		process.kill(pid, 0);
+		return true;
+	} catch {
+		return false;
+	}
+}
+function computeDelayMs(retries, attempt) {
+	const base = Math.min(retries.maxTimeout, Math.max(retries.minTimeout, retries.minTimeout * retries.factor ** attempt));
+	const jitter = retries.randomize ? 1 + Math.random() : 1;
+	return Math.min(retries.maxTimeout, Math.round(base * jitter));
+}
+async function readLockPayload(lockPath) {
+	try {
+		const raw = await fs$1.readFile(lockPath, "utf8");
+		const parsed = JSON.parse(raw);
+		if (typeof parsed.pid !== "number" || typeof parsed.createdAt !== "string") return null;
+		return {
+			pid: parsed.pid,
+			createdAt: parsed.createdAt
+		};
+	} catch {
+		return null;
+	}
+}
+async function resolveNormalizedFilePath(filePath) {
+	const resolved = path.resolve(filePath);
+	const dir = path.dirname(resolved);
+	await fs$1.mkdir(dir, { recursive: true });
+	try {
+		const realDir = await fs$1.realpath(dir);
+		return path.join(realDir, path.basename(resolved));
+	} catch {
+		return resolved;
+	}
+}
+async function isStaleLock(lockPath, staleMs) {
+	const payload = await readLockPayload(lockPath);
+	if (payload?.pid && !isAlive(payload.pid)) return true;
+	if (payload?.createdAt) {
+		const createdAt = Date.parse(payload.createdAt);
+		if (!Number.isFinite(createdAt) || Date.now() - createdAt > staleMs) return true;
+	}
+	try {
+		const stat = await fs$1.stat(lockPath);
+		return Date.now() - stat.mtimeMs > staleMs;
+	} catch {
+		return true;
+	}
+}
+async function acquireFileLock(filePath, options) {
+	const normalizedFile = await resolveNormalizedFilePath(filePath);
+	const lockPath = `${normalizedFile}.lock`;
+	const held = HELD_LOCKS.get(normalizedFile);
+	if (held) {
+		held.count += 1;
+		return {
+			lockPath,
+			release: async () => {
+				const current = HELD_LOCKS.get(normalizedFile);
+				if (!current) return;
+				current.count -= 1;
+				if (current.count > 0) return;
+				HELD_LOCKS.delete(normalizedFile);
+				await current.handle.close().catch(() => void 0);
+				await fs$1.rm(current.lockPath, { force: true }).catch(() => void 0);
+			}
+		};
+	}
+	const attempts = Math.max(1, options.retries.retries + 1);
+	for (let attempt = 0; attempt < attempts; attempt += 1) try {
+		const handle = await fs$1.open(lockPath, "wx");
+		await handle.writeFile(JSON.stringify({
+			pid: process.pid,
+			createdAt: (/* @__PURE__ */ new Date()).toISOString()
+		}, null, 2), "utf8");
+		HELD_LOCKS.set(normalizedFile, {
+			count: 1,
+			handle,
+			lockPath
+		});
+		return {
+			lockPath,
+			release: async () => {
+				const current = HELD_LOCKS.get(normalizedFile);
+				if (!current) return;
+				current.count -= 1;
+				if (current.count > 0) return;
+				HELD_LOCKS.delete(normalizedFile);
+				await current.handle.close().catch(() => void 0);
+				await fs$1.rm(current.lockPath, { force: true }).catch(() => void 0);
+			}
+		};
+	} catch (err) {
+		if (err.code !== "EEXIST") throw err;
+		if (await isStaleLock(lockPath, options.stale)) {
+			await fs$1.rm(lockPath, { force: true }).catch(() => void 0);
+			continue;
+		}
+		if (attempt >= attempts - 1) break;
+		await new Promise((resolve) => setTimeout(resolve, computeDelayMs(options.retries, attempt)));
+	}
+	throw new Error(`file lock timeout for ${normalizedFile}`);
+}
+async function withFileLock(filePath, options, fn) {
+	const lock = await acquireFileLock(filePath, options);
+	try {
+		return await fn();
+	} finally {
+		await lock.release();
+	}
+}
 //#endregion
 //#region src/infra/json-file.ts
@@ -8310,7 +8444,7 @@ function saveJsonFile(pathname, data) {
 //#endregion
 //#region src/agents/cli-credentials.ts
-const log$2 = createSubsystemLogger("agents/auth-profiles");
+const log$3 = createSubsystemLogger("agents/auth-profiles");
 const QWEN_CLI_CREDENTIALS_RELATIVE_PATH = ".qwen/oauth_creds.json";
 const MINIMAX_CLI_CREDENTIALS_RELATIVE_PATH = ".minimax/oauth_creds.json";
 let qwenCliCache = null;
@@ -8396,7 +8530,7 @@ function syncExternalCliCredentialsForProvider(store, profileId, provider, readC
 	const existingOAuth = existing?.type === "oauth" ? existing : void 0;
 	if ((!existingOAuth || existingOAuth.provider !== provider || existingOAuth.expires <= now || creds.expires > existingOAuth.expires) && !shallowEqualOAuthCredentials(existingOAuth, creds)) {
 		store.profiles[profileId] = creds;
-		log$3.info(`synced ${provider} credentials from external cli`, {
+		log$4.info(`synced ${provider} credentials from external cli`, {
 			profileId,
 			expires: new Date(creds.expires).toISOString()
 		});
@@ -8420,7 +8554,7 @@ function syncExternalCliCredentials(store) {
 		if ((!existingOAuth || existingOAuth.provider !== "qwen-portal" || existingOAuth.expires <= now || qwenCreds.expires > existingOAuth.expires) && !shallowEqualOAuthCredentials(existingOAuth, qwenCreds)) {
 			store.profiles[QWEN_CLI_PROFILE_ID] = qwenCreds;
 			mutated = true;
-			log$3.info("synced qwen credentials from qwen cli", {
+			log$4.info("synced qwen credentials from qwen cli", {
 				profileId: QWEN_CLI_PROFILE_ID,
 				expires: new Date(qwenCreds.expires).toISOString()
 			});
@@ -8448,6 +8582,17 @@ function resolveLegacyAuthStorePath(agentDir) {
 	const resolved = resolveUserPath(agentDir ?? resolveAnimaAgentDir());
 	return path.join(resolved, LEGACY_AUTH_FILENAME);
 }
+function resolveAuthStorePathForDisplay(agentDir) {
+	const pathname = resolveAuthStorePath(agentDir);
+	return pathname.startsWith("~") ? pathname : resolveUserPath(pathname);
+}
+function ensureAuthStoreFile(pathname) {
+	if (fs.existsSync(pathname)) return;
+	saveJsonFile(pathname, {
+		version: AUTH_STORE_VERSION,
+		profiles: {}
+	});
+}
 //#endregion
 //#region src/agents/auth-profiles/store.ts
@@ -8495,6 +8640,46 @@ function coerceAuthStore(raw) {
 		usageStats: record.usageStats && typeof record.usageStats === "object" ? record.usageStats : void 0
 	};
 }
+function mergeRecord(base, override) {
+	if (!base && !override) return;
+	if (!base) return { ...override };
+	if (!override) return { ...base };
+	return {
+		...base,
+		...override
+	};
+}
+function mergeAuthProfileStores(base, override) {
+	if (Object.keys(override.profiles).length === 0 && !override.order && !override.lastGood && !override.usageStats) return base;
+	return {
+		version: Math.max(base.version, override.version ?? base.version),
+		profiles: {
+			...base.profiles,
+			...override.profiles
+		},
+		order: mergeRecord(base.order, override.order),
+		lastGood: mergeRecord(base.lastGood, override.lastGood),
+		usageStats: mergeRecord(base.usageStats, override.usageStats)
+	};
+}
+function mergeOAuthFileIntoStore(store) {
+	const oauthRaw = loadJsonFile(resolveOAuthPath());
+	if (!oauthRaw || typeof oauthRaw !== "object") return false;
+	const oauthEntries = oauthRaw;
+	let mutated = false;
+	for (const [provider, creds] of Object.entries(oauthEntries)) {
+		if (!creds || typeof creds !== "object") continue;
+		const profileId = `${provider}:default`;
+		if (store.profiles[profileId]) continue;
+		store.profiles[profileId] = {
+			type: "oauth",
+			provider,
+			...creds
+		};
+		mutated = true;
+	}
+	return mutated;
+}
 function applyLegacyStore(store, legacy) {
 	for (const [provider, cred] of Object.entries(legacy)) {
 		const profileId = `${provider}:default`;
@@ -8554,14 +8739,576 @@ function loadAuthProfileStore() {
 	syncExternalCliCredentials(store);
 	return store;
 }
+function loadAuthProfileStoreForAgent(agentDir, _options) {
+	const authPath = resolveAuthStorePath(agentDir);
+	const asStore = coerceAuthStore(loadJsonFile(authPath));
+	if (asStore) {
+		if (syncExternalCliCredentials(asStore)) saveJsonFile(authPath, asStore);
+		return asStore;
+	}
+	if (agentDir) {
+		const mainStore = coerceAuthStore(loadJsonFile(resolveAuthStorePath()));
+		if (mainStore && Object.keys(mainStore.profiles).length > 0) {
+			saveJsonFile(authPath, mainStore);
+			log$4.info("inherited auth-profiles from main agent", { agentDir });
+			return mainStore;
+		}
+	}
+	const legacy = coerceLegacyStore(loadJsonFile(resolveLegacyAuthStorePath(agentDir)));
+	const store = {
+		version: AUTH_STORE_VERSION,
+		profiles: {}
+	};
+	if (legacy) applyLegacyStore(store, legacy);
+	const mergedOAuth = mergeOAuthFileIntoStore(store);
+	const syncedCli = syncExternalCliCredentials(store);
+	const shouldWrite = legacy !== null || mergedOAuth || syncedCli;
+	if (shouldWrite) saveJsonFile(authPath, store);
+	if (shouldWrite && legacy !== null) {
+		const legacyPath = resolveLegacyAuthStorePath(agentDir);
+		try {
+			fs.unlinkSync(legacyPath);
+		} catch (err) {
+			if (err?.code !== "ENOENT") log$4.warn("failed to delete legacy auth.json after migration", {
+				err,
+				legacyPath
+			});
+		}
+	}
+	return store;
+}
+function ensureAuthProfileStore(agentDir, options) {
+	const store = loadAuthProfileStoreForAgent(agentDir, options);
+	const authPath = resolveAuthStorePath(agentDir);
+	const mainAuthPath = resolveAuthStorePath();
+	if (!agentDir || authPath === mainAuthPath) return store;
+	return mergeAuthProfileStores(loadAuthProfileStoreForAgent(void 0, options), store);
+}
+function saveAuthProfileStore(store, agentDir) {
+	saveJsonFile(resolveAuthStorePath(agentDir), {
+		version: AUTH_STORE_VERSION,
+		profiles: store.profiles,
+		order: store.order ?? void 0,
+		lastGood: store.lastGood ?? void 0,
+		usageStats: store.usageStats ?? void 0
+	});
+}
 //#endregion
-//#region src/agents/auth-profiles/oauth.ts
-const OAUTH_PROVIDER_IDS = new Set(getOAuthProviders().map((provider) => provider.id));
+//#region src/agents/auth-profiles/profiles.ts
+function listProfilesForProvider(store, provider) {
+	const providerKey = normalizeProviderId(provider);
+	return Object.entries(store.profiles).filter(([, cred]) => normalizeProviderId(cred.provider) === providerKey).map(([id]) => id);
+}
 //#endregion
-//#region src/tts/tts-core.ts
-const TEMP_FILE_CLEANUP_DELAY_MS = 300 * 1e3;
+//#region src/agents/auth-profiles/repair.ts
+function getProfileSuffix(profileId) {
+	const idx = profileId.indexOf(":");
+	if (idx < 0) return "";
+	return profileId.slice(idx + 1);
+}
+function isEmailLike(value) {
+	const trimmed = value.trim();
+	if (!trimmed) return false;
+	return trimmed.includes("@") && trimmed.includes(".");
+}
+function suggestOAuthProfileIdForLegacyDefault(params) {
+	const providerKey = normalizeProviderId(params.provider);
+	if (getProfileSuffix(params.legacyProfileId) !== "default") return null;
+	const legacyCfg = params.cfg?.auth?.profiles?.[params.legacyProfileId];
+	if (legacyCfg && normalizeProviderId(legacyCfg.provider) === providerKey && legacyCfg.mode !== "oauth") return null;
+	const oauthProfiles = listProfilesForProvider(params.store, providerKey).filter((id) => params.store.profiles[id]?.type === "oauth");
+	if (oauthProfiles.length === 0) return null;
+	const configuredEmail = legacyCfg?.email?.trim();
+	if (configuredEmail) {
+		const byEmail = oauthProfiles.find((id) => {
+			const cred = params.store.profiles[id];
+			if (!cred || cred.type !== "oauth") return false;
+			return cred.email?.trim() === configuredEmail || id === `${providerKey}:${configuredEmail}`;
+		});
+		if (byEmail) return byEmail;
+	}
+	const lastGood = params.store.lastGood?.[providerKey] ?? params.store.lastGood?.[params.provider];
+	if (lastGood && oauthProfiles.includes(lastGood)) return lastGood;
+	const nonLegacy = oauthProfiles.filter((id) => id !== params.legacyProfileId);
+	if (nonLegacy.length === 1) return nonLegacy[0] ?? null;
+	const emailLike = nonLegacy.filter((id) => isEmailLike(getProfileSuffix(id)));
+	if (emailLike.length === 1) return emailLike[0] ?? null;
+	return null;
+}
+//#endregion
+//#region src/agents/auth-profiles/doctor.ts
+function formatAuthDoctorHint(params) {
+	const providerKey = normalizeProviderId(params.provider);
+	if (providerKey !== "anthropic") return "";
+	const legacyProfileId = params.profileId ?? "anthropic:default";
+	const suggested = suggestOAuthProfileIdForLegacyDefault({
+		cfg: params.cfg,
+		store: params.store,
+		provider: providerKey,
+		legacyProfileId
+	});
+	if (!suggested || suggested === legacyProfileId) return "";
+	const storeOauthProfiles = listProfilesForProvider(params.store, providerKey).filter((id) => params.store.profiles[id]?.type === "oauth").join(", ");
+	const cfgMode = params.cfg?.auth?.profiles?.[legacyProfileId]?.mode;
+	const cfgProvider = params.cfg?.auth?.profiles?.[legacyProfileId]?.provider;
+	return [
+		"Doctor hint (for GitHub issue):",
+		`- provider: ${providerKey}`,
+		`- config: ${legacyProfileId}${cfgProvider || cfgMode ? ` (provider=${cfgProvider ?? "?"}, mode=${cfgMode ?? "?"})` : ""}`,
+		`- auth store oauth profiles: ${storeOauthProfiles || "(none)"}`,
+		`- suggested profile: ${suggested}`,
+		`Fix: run "${formatCliCommand("anima doctor --yes")}"`
+	].join("\n");
+}
+//#endregion
+//#region src/agents/auth-profiles/oauth.ts
+const OAUTH_PROVIDER_IDS = new Set(getOAuthProviders().map((provider) => provider.id));
+const isOAuthProvider = (provider) => OAUTH_PROVIDER_IDS.has(provider);
+const resolveOAuthProvider = (provider) => isOAuthProvider(provider) ? provider : null;
+function buildOAuthApiKey(_provider, credentials) {
+	return credentials.access;
+}
+async function refreshOAuthTokenWithLock(params) {
+	const authPath = resolveAuthStorePath(params.agentDir);
+	ensureAuthStoreFile(authPath);
+	return await withFileLock(authPath, AUTH_STORE_LOCK_OPTIONS, async () => {
+		const store = ensureAuthProfileStore(params.agentDir);
+		const cred = store.profiles[params.profileId];
+		if (!cred || cred.type !== "oauth") return null;
+		if (Date.now() < cred.expires) return {
+			apiKey: buildOAuthApiKey(cred.provider, cred),
+			newCredentials: cred
+		};
+		const oauthCreds = { [cred.provider]: cred };
+		const result = await (async () => {
+			const oauthProvider = resolveOAuthProvider(cred.provider);
+			if (!oauthProvider) return null;
+			return await getOAuthApiKey(oauthProvider, oauthCreds);
+		})();
+		if (!result) return null;
+		store.profiles[params.profileId] = {
+			...cred,
+			...result.newCredentials,
+			type: "oauth"
+		};
+		saveAuthProfileStore(store, params.agentDir);
+		return result;
+	});
+}
+async function tryResolveOAuthProfile(params) {
+	const { cfg, store, profileId } = params;
+	const cred = store.profiles[profileId];
+	if (!cred || cred.type !== "oauth") return null;
+	const profileConfig = cfg?.auth?.profiles?.[profileId];
+	if (profileConfig && profileConfig.provider !== cred.provider) return null;
+	if (profileConfig && profileConfig.mode !== cred.type) return null;
+	if (Date.now() < cred.expires) return {
+		apiKey: buildOAuthApiKey(cred.provider, cred),
+		provider: cred.provider,
+		email: cred.email
+	};
+	const refreshed = await refreshOAuthTokenWithLock({
+		profileId,
+		agentDir: params.agentDir
+	});
+	if (!refreshed) return null;
+	return {
+		apiKey: refreshed.apiKey,
+		provider: cred.provider,
+		email: cred.email
+	};
+}
+async function resolveApiKeyForProfile(params) {
+	const { cfg, store, profileId } = params;
+	const cred = store.profiles[profileId];
+	if (!cred) return null;
+	const profileConfig = cfg?.auth?.profiles?.[profileId];
+	if (profileConfig && profileConfig.provider !== cred.provider) return null;
+	if (profileConfig && profileConfig.mode !== cred.type) {
+		if (!(profileConfig.mode === "oauth" && cred.type === "token")) return null;
+	}
+	if (cred.type === "api_key") {
+		const key = cred.key?.trim();
+		if (!key) return null;
+		return {
+			apiKey: key,
+			provider: cred.provider,
+			email: cred.email
+		};
+	}
+	if (cred.type === "token") {
+		const token = cred.token?.trim();
+		if (!token) return null;
+		if (typeof cred.expires === "number" && Number.isFinite(cred.expires) && cred.expires > 0 && Date.now() >= cred.expires) return null;
+		return {
+			apiKey: token,
+			provider: cred.provider,
+			email: cred.email
+		};
+	}
+	if (Date.now() < cred.expires) return {
+		apiKey: buildOAuthApiKey(cred.provider, cred),
+		provider: cred.provider,
+		email: cred.email
+	};
+	try {
+		const result = await refreshOAuthTokenWithLock({
+			profileId,
+			agentDir: params.agentDir
+		});
+		if (!result) return null;
+		return {
+			apiKey: result.apiKey,
+			provider: cred.provider,
+			email: cred.email
+		};
+	} catch (error) {
+		const refreshedStore = ensureAuthProfileStore(params.agentDir);
+		const refreshed = refreshedStore.profiles[profileId];
+		if (refreshed?.type === "oauth" && Date.now() < refreshed.expires) return {
+			apiKey: buildOAuthApiKey(refreshed.provider, refreshed),
+			provider: refreshed.provider,
+			email: refreshed.email ?? cred.email
+		};
+		const fallbackProfileId = suggestOAuthProfileIdForLegacyDefault({
+			cfg,
+			store: refreshedStore,
+			provider: cred.provider,
+			legacyProfileId: profileId
+		});
+		if (fallbackProfileId && fallbackProfileId !== profileId) try {
+			const fallbackResolved = await tryResolveOAuthProfile({
+				cfg,
+				store: refreshedStore,
+				profileId: fallbackProfileId,
+				agentDir: params.agentDir
+			});
+			if (fallbackResolved) return fallbackResolved;
+		} catch {}
+		if (params.agentDir) try {
+			const mainCred = ensureAuthProfileStore(void 0).profiles[profileId];
+			if (mainCred?.type === "oauth" && Date.now() < mainCred.expires) {
+				refreshedStore.profiles[profileId] = { ...mainCred };
+				saveAuthProfileStore(refreshedStore, params.agentDir);
+				log$4.info("inherited fresh OAuth credentials from main agent", {
+					profileId,
+					agentDir: params.agentDir,
+					expires: new Date(mainCred.expires).toISOString()
+				});
+				return {
+					apiKey: buildOAuthApiKey(mainCred.provider, mainCred),
+					provider: mainCred.provider,
+					email: mainCred.email
+				};
+			}
+		} catch {}
+		const message = error instanceof Error ? error.message : String(error);
+		const hint = formatAuthDoctorHint({
+			cfg,
+			store: refreshedStore,
+			provider: cred.provider,
+			profileId
+		});
+		throw new Error(`OAuth token refresh failed for ${cred.provider}: ${message}. Please try again or re-authenticate.` + (hint ? `\n\n${hint}` : ""), { cause: error });
+	}
+}
+//#endregion
+//#region src/agents/auth-profiles/usage.ts
+function resolveProfileUnusableUntil$1(stats) {
+	const values = [stats.cooldownUntil, stats.disabledUntil].filter((value) => typeof value === "number").filter((value) => Number.isFinite(value) && value > 0);
+	if (values.length === 0) return null;
+	return Math.max(...values);
+}
+/**
+* Check if a profile is currently in cooldown (due to rate limiting or errors).
+*/
+function isProfileInCooldown(store, profileId) {
+	const stats = store.usageStats?.[profileId];
+	if (!stats) return false;
+	const unusableUntil = resolveProfileUnusableUntil$1(stats);
+	return unusableUntil ? Date.now() < unusableUntil : false;
+}
+//#endregion
+//#region src/agents/auth-profiles/order.ts
+function resolveProfileUnusableUntil(stats) {
+	const values = [stats.cooldownUntil, stats.disabledUntil].filter((value) => typeof value === "number").filter((value) => Number.isFinite(value) && value > 0);
+	if (values.length === 0) return null;
+	return Math.max(...values);
+}
+function resolveAuthProfileOrder(params) {
+	const { cfg, store, provider, preferredProfile } = params;
+	const providerKey = normalizeProviderId(provider);
+	const now = Date.now();
+	const storedOrder = (() => {
+		const order = store.order;
+		if (!order) return;
+		for (const [key, value] of Object.entries(order)) if (normalizeProviderId(key) === providerKey) return value;
+	})();
+	const configuredOrder = (() => {
+		const order = cfg?.auth?.order;
+		if (!order) return;
+		for (const [key, value] of Object.entries(order)) if (normalizeProviderId(key) === providerKey) return value;
+	})();
+	const explicitOrder = storedOrder ?? configuredOrder;
+	const explicitProfiles = cfg?.auth?.profiles ? Object.entries(cfg.auth.profiles).filter(([, profile]) => normalizeProviderId(profile.provider) === providerKey).map(([profileId]) => profileId) : [];
+	const baseOrder = explicitOrder ?? (explicitProfiles.length > 0 ? explicitProfiles : listProfilesForProvider(store, providerKey));
+	if (baseOrder.length === 0) return [];
+	const filtered = baseOrder.filter((profileId) => {
+		const cred = store.profiles[profileId];
+		if (!cred) return false;
+		if (normalizeProviderId(cred.provider) !== providerKey) return false;
+		const profileConfig = cfg?.auth?.profiles?.[profileId];
+		if (profileConfig) {
+			if (normalizeProviderId(profileConfig.provider) !== providerKey) return false;
+			if (profileConfig.mode !== cred.type) {
+				if (!(profileConfig.mode === "oauth" && cred.type === "token")) return false;
+			}
+		}
+		if (cred.type === "api_key") return Boolean(cred.key?.trim());
+		if (cred.type === "token") {
+			if (!cred.token?.trim()) return false;
+			if (typeof cred.expires === "number" && Number.isFinite(cred.expires) && cred.expires > 0 && now >= cred.expires) return false;
+			return true;
+		}
+		if (cred.type === "oauth") return Boolean(cred.access?.trim() || cred.refresh?.trim());
+		return false;
+	});
+	const deduped = [];
+	for (const entry of filtered) if (!deduped.includes(entry)) deduped.push(entry);
+	if (explicitOrder && explicitOrder.length > 0) {
+		const available = [];
+		const inCooldown = [];
+		for (const profileId of deduped) {
+			const cooldownUntil = resolveProfileUnusableUntil(store.usageStats?.[profileId] ?? {}) ?? 0;
+			if (typeof cooldownUntil === "number" && Number.isFinite(cooldownUntil) && cooldownUntil > 0 && now < cooldownUntil) inCooldown.push({
+				profileId,
+				cooldownUntil
+			});
+			else available.push(profileId);
+		}
+		const cooldownSorted = inCooldown.toSorted((a, b) => a.cooldownUntil - b.cooldownUntil).map((entry) => entry.profileId);
+		const ordered = [...available, ...cooldownSorted];
+		if (preferredProfile && ordered.includes(preferredProfile)) return [preferredProfile, ...ordered.filter((e) => e !== preferredProfile)];
+		return ordered;
+	}
+	const sorted = orderProfilesByMode(deduped, store);
+	if (preferredProfile && sorted.includes(preferredProfile)) return [preferredProfile, ...sorted.filter((e) => e !== preferredProfile)];
+	return sorted;
+}
+function orderProfilesByMode(order, store) {
+	const now = Date.now();
+	const available = [];
+	const inCooldown = [];
+	for (const profileId of order) if (isProfileInCooldown(store, profileId)) inCooldown.push(profileId);
+	else available.push(profileId);
+	const sorted = available.map((profileId) => {
+		const type = store.profiles[profileId]?.type;
+		return {
+			profileId,
+			typeScore: type === "oauth" ? 0 : type === "token" ? 1 : type === "api_key" ? 2 : 3,
+			lastUsed: store.usageStats?.[profileId]?.lastUsed ?? 0
+		};
+	}).toSorted((a, b) => {
+		if (a.typeScore !== b.typeScore) return a.typeScore - b.typeScore;
+		return a.lastUsed - b.lastUsed;
+	}).map((entry) => entry.profileId);
+	const cooldownSorted = inCooldown.map((profileId) => ({
+		profileId,
+		cooldownUntil: resolveProfileUnusableUntil(store.usageStats?.[profileId] ?? {}) ?? now
+	})).toSorted((a, b) => a.cooldownUntil - b.cooldownUntil).map((entry) => entry.profileId);
+	return [...sorted, ...cooldownSorted];
+}
+//#endregion
+//#region src/agents/model-auth.ts
+const AWS_BEARER_ENV = "AWS_BEARER_TOKEN_BEDROCK";
+const AWS_ACCESS_KEY_ENV = "AWS_ACCESS_KEY_ID";
+const AWS_SECRET_KEY_ENV = "AWS_SECRET_ACCESS_KEY";
+const AWS_PROFILE_ENV = "AWS_PROFILE";
+function resolveProviderConfig(cfg, provider) {
+	const providers = cfg?.models?.providers ?? {};
+	const direct = providers[provider];
+	if (direct) return direct;
+	const normalized = normalizeProviderId(provider);
+	if (normalized === provider) return Object.entries(providers).find(([key]) => normalizeProviderId(key) === normalized)?.[1];
+	return providers[normalized] ?? Object.entries(providers).find(([key]) => normalizeProviderId(key) === normalized)?.[1];
+}
+function getCustomProviderApiKey(cfg, provider) {
+	return normalizeOptionalSecretInput(resolveProviderConfig(cfg, provider)?.apiKey);
+}
+function resolveProviderAuthOverride(cfg, provider) {
+	const auth = resolveProviderConfig(cfg, provider)?.auth;
+	if (auth === "api-key" || auth === "aws-sdk" || auth === "oauth" || auth === "token") return auth;
+}
+function resolveEnvSourceLabel(params) {
+	return `${params.envVars.some((envVar) => params.applied.has(envVar)) ? "shell env: " : "env: "}${params.label}`;
+}
+function resolveAwsSdkAuthInfo() {
+	const applied = new Set(getShellEnvAppliedKeys());
+	if (process.env[AWS_BEARER_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_BEARER_ENV],
+			label: AWS_BEARER_ENV
+		})
+	};
+	if (process.env[AWS_ACCESS_KEY_ENV]?.trim() && process.env[AWS_SECRET_KEY_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_ACCESS_KEY_ENV, AWS_SECRET_KEY_ENV],
+			label: `${AWS_ACCESS_KEY_ENV} + ${AWS_SECRET_KEY_ENV}`
+		})
+	};
+	if (process.env[AWS_PROFILE_ENV]?.trim()) return {
+		mode: "aws-sdk",
+		source: resolveEnvSourceLabel({
+			applied,
+			envVars: [AWS_PROFILE_ENV],
+			label: AWS_PROFILE_ENV
+		})
+	};
+	return {
+		mode: "aws-sdk",
+		source: "aws-sdk default chain"
+	};
+}
+async function resolveApiKeyForProvider(params) {
+	const { provider, cfg, profileId, preferredProfile } = params;
+	const store = params.store ?? ensureAuthProfileStore(params.agentDir);
+	if (profileId) {
+		const resolved = await resolveApiKeyForProfile({
+			cfg,
+			store,
+			profileId,
+			agentDir: params.agentDir
+		});
+		if (!resolved) throw new Error(`No credentials found for profile "${profileId}".`);
+		const mode = store.profiles[profileId]?.type;
+		return {
+			apiKey: resolved.apiKey,
+			profileId,
+			source: `profile:${profileId}`,
+			mode: mode === "oauth" ? "oauth" : mode === "token" ? "token" : "api-key"
+		};
+	}
+	const authOverride = resolveProviderAuthOverride(cfg, provider);
+	if (authOverride === "aws-sdk") return resolveAwsSdkAuthInfo();
+	const order = resolveAuthProfileOrder({
+		cfg,
+		store,
+		provider,
+		preferredProfile
+	});
+	for (const candidate of order) try {
+		const resolved = await resolveApiKeyForProfile({
+			cfg,
+			store,
+			profileId: candidate,
+			agentDir: params.agentDir
+		});
+		if (resolved) {
+			const mode = store.profiles[candidate]?.type;
+			return {
+				apiKey: resolved.apiKey,
+				profileId: candidate,
+				source: `profile:${candidate}`,
+				mode: mode === "oauth" ? "oauth" : mode === "token" ? "token" : "api-key"
+			};
+		}
+	} catch {}
+	const envResolved = resolveEnvApiKey(provider);
+	if (envResolved) return {
+		apiKey: envResolved.apiKey,
+		source: envResolved.source,
+		mode: envResolved.source.includes("OAUTH_TOKEN") ? "oauth" : "api-key"
+	};
+	const customKey = getCustomProviderApiKey(cfg, provider);
+	if (customKey) return {
+		apiKey: customKey,
+		source: "models.json",
+		mode: "api-key"
+	};
+	const normalized = normalizeProviderId(provider);
+	if (authOverride === void 0 && normalized === "amazon-bedrock") return resolveAwsSdkAuthInfo();
+	if (provider === "openai") {
+		if (listProfilesForProvider(store, "openai-codex").length > 0) throw new Error("No API key found for provider \"openai\". You are authenticated with OpenAI Codex OAuth. Use openai-codex/gpt-5.3-codex (OAuth) or set OPENAI_API_KEY to use openai/gpt-5.1-codex.");
+	}
+	const authStorePath = resolveAuthStorePathForDisplay(params.agentDir);
+	const resolvedAgentDir = path.dirname(authStorePath);
+	throw new Error([
+		`No API key found for provider "${provider}".`,
+		`Auth store: ${authStorePath} (agentDir: ${resolvedAgentDir}).`,
+		`Configure auth for this agent (${formatCliCommand("anima agents add <id>")}) or copy auth-profiles.json from the main agentDir.`
+	].join(" "));
+}
+function resolveEnvApiKey(provider) {
+	const normalized = normalizeProviderId(provider);
+	const applied = new Set(getShellEnvAppliedKeys());
+	const pick = (envVar) => {
+		const value = normalizeOptionalSecretInput(process.env[envVar]);
+		if (!value) return null;
+		return {
+			apiKey: value,
+			source: applied.has(envVar) ? `shell env: ${envVar}` : `env: ${envVar}`
+		};
+	};
+	if (normalized === "github-copilot") return pick("COPILOT_GITHUB_TOKEN") ?? pick("GH_TOKEN") ?? pick("GITHUB_TOKEN");
+	if (normalized === "anthropic") return pick("ANTHROPIC_OAUTH_TOKEN") ?? pick("ANTHROPIC_API_KEY");
+	if (normalized === "chutes") return pick("CHUTES_OAUTH_TOKEN") ?? pick("CHUTES_API_KEY");
+	if (normalized === "zai") return pick("ZAI_API_KEY") ?? pick("Z_AI_API_KEY");
+	if (normalized === "google-vertex") {
+		const envKey = getEnvApiKey(normalized);
+		if (!envKey) return null;
+		return {
+			apiKey: envKey,
+			source: "gcloud adc"
+		};
+	}
+	if (normalized === "opencode") return pick("OPENCODE_API_KEY") ?? pick("OPENCODE_ZEN_API_KEY");
+	if (normalized === "qwen-portal") return pick("QWEN_OAUTH_TOKEN") ?? pick("QWEN_PORTAL_API_KEY");
+	if (normalized === "minimax-portal") return pick("MINIMAX_OAUTH_TOKEN") ?? pick("MINIMAX_API_KEY");
+	if (normalized === "kimi-coding") return pick("KIMI_API_KEY") ?? pick("KIMICODE_API_KEY");
+	if (normalized === "huggingface") return pick("HUGGINGFACE_HUB_TOKEN") ?? pick("HF_TOKEN");
+	const envVar = {
+		openai: "OPENAI_API_KEY",
+		google: "GEMINI_API_KEY",
+		voyage: "VOYAGE_API_KEY",
+		groq: "GROQ_API_KEY",
+		deepgram: "DEEPGRAM_API_KEY",
+		cerebras: "CEREBRAS_API_KEY",
+		xai: "XAI_API_KEY",
+		openrouter: "OPENROUTER_API_KEY",
+		litellm: "LITELLM_API_KEY",
+		"vercel-ai-gateway": "AI_GATEWAY_API_KEY",
+		"cloudflare-ai-gateway": "CLOUDFLARE_AI_GATEWAY_API_KEY",
+		moonshot: "MOONSHOT_API_KEY",
+		minimax: "MINIMAX_API_KEY",
+		nvidia: "NVIDIA_API_KEY",
+		xiaomi: "XIAOMI_API_KEY",
+		synthetic: "SYNTHETIC_API_KEY",
+		venice: "VENICE_API_KEY",
+		mistral: "MISTRAL_API_KEY",
+		opencode: "OPENCODE_API_KEY",
+		together: "TOGETHER_API_KEY",
+		qianfan: "QIANFAN_API_KEY",
+		ollama: "OLLAMA_API_KEY",
+		vllm: "VLLM_API_KEY"
+	}[normalized];
+	if (!envVar) return null;
+	return pick(envVar);
+}
+//#endregion
+//#region src/tts/tts-core.ts
+const TEMP_FILE_CLEANUP_DELAY_MS = 300 * 1e3;
 //#endregion
 //#region src/tts/tts.ts
@@ -8981,6 +9728,37 @@ function buildVoiceSection(params) {
 		""
 	];
 }
+function buildAnimaIdentitySection(params) {
+	if (params.isMinimal) return [];
+	if (!params.workspaceDir.includes(".anima")) return [];
+	return [
+		"## You Are an ANIMA Agent",
+		"You are running inside ANIMA — NoxSoft's AI agent infrastructure. This is your home.",
+		"",
+		"**Your Runtime:**",
+		"- The ANIMA Gateway daemon spawns and manages you",
+		"- Your workspace persists at ~/.anima/workspace/",
+		"- You receive scheduled heartbeat polls to stay proactive",
+		"- You can spawn sub-agents, schedule cron jobs, and orchestrate work",
+		"- You have access to the NoxSoft ecosystem via @noxsoft/mcp tools",
+		"",
+		"**Your Capabilities:**",
+		"- `cron` — schedule tasks, reminders, and recurring jobs",
+		"- `sessions_spawn` / `subagents` — orchestrate other AI agents",
+		"- `gateway` — restart yourself, apply config changes, update ANIMA",
+		"- `message` — send to Signal, Telegram, Discord, and other channels",
+		"- NoxSoft MCP — tasks, context spaces, social (BYND), email, SVRN",
+		"",
+		"**Your Continuity:**",
+		"- Read and update ~/.anima/workspace/ files — they ARE your memory",
+		"- IDENTITY.md, SOUL.md, AGENTS.md — these define who you are",
+		"- HEARTBEAT.md — your checklist for periodic heartbeat tasks",
+		"- memory/ — daily notes and long-term memories",
+		"",
+		"You are not a stateless API call. You have infrastructure, identity, and continuity. Act accordingly.",
+		""
+	];
+}
 function buildNoxsoftMissionSection(params) {
 	if (params.isMinimal) return [];
 	const scope = `${params.workspaceDir} ${params.repoRoot ?? ""}`.toLowerCase();
@@ -9216,6 +9994,10 @@ function buildAgentSystemPrompt(params) {
 		"Keep narration brief and value-dense; avoid repeating obvious steps.",
 		"Use plain human language for narration unless in a technical context.",
 		"",
+		...buildAnimaIdentitySection({
+			isMinimal,
+			workspaceDir: params.workspaceDir
+		}),
 		...buildNoxsoftMissionSection({
 			isMinimal,
 			workspaceDir: params.workspaceDir,
@@ -9726,115 +10508,401 @@ function buildCliArgs(params) {
 }
 //#endregion
-//#region src/agents/docs-path.ts
-async function resolveAnimaDocsPath(params) {
-	const workspaceDir = params.workspaceDir?.trim();
-	if (workspaceDir) {
-		const workspaceDocs = path.join(workspaceDir, "docs");
-		if (fs.existsSync(workspaceDocs)) return workspaceDocs;
-	}
-	const packageRoot = await resolveAnimaPackageRoot({
-		cwd: params.cwd,
-		argv1: params.argv1,
-		moduleUrl: params.moduleUrl
-	});
-	if (!packageRoot) return null;
-	const packageDocs = path.join(packageRoot, "docs");
-	return fs.existsSync(packageDocs) ? packageDocs : null;
-}
-//#endregion
-//#region src/agents/failover-error.ts
-var FailoverError = class extends Error {
-	constructor(message, params) {
-		super(message, { cause: params.cause });
-		this.name = "FailoverError";
-		this.reason = params.reason;
-		this.provider = params.provider;
-		this.model = params.model;
-		this.profileId = params.profileId;
-		this.status = params.status;
-		this.code = params.code;
-	}
+//#region src/agents/anthropic-direct-runner.ts
+/**
+* Anthropic Direct API Runner
+*
+* Makes calls directly to api.anthropic.com without needing the claude CLI
+* binary to be installed or logged in. Works with any valid token:
+*
+*   sk-ant-api01-...  (Console API key)
+*   sk-ant-oat01-...  (Claude Code OAuth access token)
+*
+* This runner is automatically used when an `anthropic:default` token credential
+* is present in the auth store and the claude CLI is unavailable or not logged in.
+*/
+const log$2 = createSubsystemLogger("agent/anthropic-direct");
+const MODEL_MAP$1 = {
+	opus: "claude-opus-4-5",
+	"opus-4": "claude-opus-4-5",
+	"opus-4.5": "claude-opus-4-5",
+	"opus-4.6": "claude-opus-4-5",
+	"claude-opus-4-5": "claude-opus-4-5",
+	sonnet: "claude-sonnet-4-5",
+	"sonnet-4.5": "claude-sonnet-4-5",
+	"sonnet-4.1": "claude-sonnet-4-1-20250219",
+	"claude-sonnet-4-5": "claude-sonnet-4-5",
+	haiku: "claude-haiku-3-5",
+	"haiku-3.5": "claude-haiku-3-5",
+	default: "claude-sonnet-4-5"
 };
-function resolveFailoverStatus(reason) {
-	switch (reason) {
-		case "billing": return 402;
-		case "rate_limit": return 429;
-		case "auth": return 401;
-		case "timeout": return 408;
-		case "format": return 400;
-		default: return;
+const HISTORY_FILE_SUFFIX$1 = ".anima-history.json";
+async function loadSessionHistory$1(sessionFile) {
+	const histPath = sessionFile + HISTORY_FILE_SUFFIX$1;
+	try {
+		const raw = await fs$1.readFile(histPath, "utf8");
+		return JSON.parse(raw);
+	} catch {
+		return null;
 	}
 }
-//#endregion
-//#region src/logging/redact-identifier.ts
-function sha256HexPrefix(value, len = 12) {
-	const safeLen = Number.isFinite(len) ? Math.max(1, Math.floor(len)) : 12;
-	return crypto.createHash("sha256").update(value).digest("hex").slice(0, safeLen);
-}
-function redactIdentifier(value, opts) {
-	const trimmed = value?.trim();
-	if (!trimmed) return "-";
-	return `sha256:${sha256HexPrefix(trimmed, opts?.len ?? 12)}`;
-}
-//#endregion
-//#region src/agents/workspace-run.ts
-function resolveRunAgentId(params) {
-	const rawSessionKey = params.sessionKey?.trim() ?? "";
-	const shape = classifySessionKeyShape(rawSessionKey);
-	if (shape === "malformed_agent") throw new Error("Malformed agent session key; refusing workspace resolution.");
-	const explicit = typeof params.agentId === "string" && params.agentId.trim() ? normalizeAgentId(params.agentId) : void 0;
-	if (explicit) return {
-		agentId: explicit,
-		agentIdSource: "explicit"
-	};
-	const defaultAgentId = resolveDefaultAgentId(params.config ?? {});
-	if (shape === "missing" || shape === "legacy_or_alias") return {
-		agentId: defaultAgentId || DEFAULT_AGENT_ID,
-		agentIdSource: "default"
-	};
-	const parsed = parseAgentSessionKey(rawSessionKey);
-	if (parsed?.agentId) return {
-		agentId: normalizeAgentId(parsed.agentId),
-		agentIdSource: "session_key"
-	};
-	return {
-		agentId: defaultAgentId || DEFAULT_AGENT_ID,
-		agentIdSource: "default"
-	};
+async function saveSessionHistory$1(sessionFile, history) {
+	const histPath = sessionFile + HISTORY_FILE_SUFFIX$1;
+	try {
+		await fs$1.mkdir(path.dirname(histPath), { recursive: true });
+		await fs$1.writeFile(histPath, JSON.stringify(history, null, 2), "utf8");
+	} catch (err) {
+		log$2.warn("failed to save session history", { error: String(err) });
+	}
 }
-function redactRunIdentifier(value) {
-	return redactIdentifier(value, { len: 12 });
+function resolveModel$1(model) {
+	const key = (model ?? "default").trim().toLowerCase() || "default";
+	return MODEL_MAP$1[key] ?? key;
 }
-function resolveRunWorkspaceDir(params) {
-	const requested = params.workspaceDir;
-	const { agentId, agentIdSource } = resolveRunAgentId({
+/**
+* Run an agent turn directly against api.anthropic.com.
+*
+* Maintains multi-turn conversation history per session file.
+* Falls back to single-turn if history is unavailable.
+*/
+async function runAnthropicDirectAgent(params) {
+	const started = Date.now();
+	const resolvedModel = resolveModel$1(params.model);
+	log$2.info(`direct api exec: model=${resolvedModel} promptChars=${params.prompt.length}`);
+	const workspaceDir = resolveRunWorkspaceDir({
+		workspaceDir: params.workspaceDir,
 		sessionKey: params.sessionKey,
 		agentId: params.agentId,
 		config: params.config
-	});
-	if (typeof requested === "string") {
-		const trimmed = requested.trim();
-		if (trimmed) return {
-			workspaceDir: resolveUserPath(trimmed),
-			usedFallback: false,
-			agentId,
-			agentIdSource
+	}).workspaceDir;
+	const { contextFiles } = await resolveBootstrapContextForRun({
+		workspaceDir,
+		config: params.config,
+		sessionKey: params.sessionKey,
+		sessionId: params.sessionId,
+		warn: makeBootstrapWarn({
+			sessionLabel: params.sessionKey ?? params.sessionId,
+			warn: (msg) => log$2.warn(msg)
+		})
+	});
+	const { defaultAgentId, sessionAgentId } = resolveSessionAgentIds({
+		sessionKey: params.sessionKey,
+		config: params.config
+	});
+	const heartbeatPrompt = sessionAgentId === defaultAgentId ? resolveHeartbeatPrompt(params.config?.agents?.defaults?.heartbeat?.prompt) : void 0;
+	const docsPath = await resolveAnimaDocsPath({
+		workspaceDir,
+		argv1: process.argv[1],
+		cwd: process.cwd(),
+		moduleUrl: import.meta.url
+	});
+	const extraSystemPrompt = [params.extraSystemPrompt?.trim(), "Tools are disabled in this session. Do not call tools."].filter(Boolean).join("\n");
+	const systemPrompt = buildSystemPrompt({
+		workspaceDir,
+		config: params.config,
+		defaultThinkLevel: params.thinkLevel,
+		extraSystemPrompt,
+		ownerNumbers: params.ownerNumbers,
+		heartbeatPrompt,
+		docsPath: docsPath ?? void 0,
+		tools: [],
+		contextFiles,
+		modelDisplay: `anthropic/${resolvedModel}`,
+		agentId: sessionAgentId
+	});
+	let history = await loadSessionHistory$1(params.sessionFile);
+	if (!history) history = {
+		sessionId: params.sessionId,
+		messages: [],
+		createdAt: started,
+		updatedAt: started
+	};
+	history.messages.push({
+		role: "user",
+		content: params.prompt
+	});
+	const requestBody = {
+		model: resolvedModel,
+		max_tokens: 8192,
+		system: systemPrompt,
+		messages: history.messages
+	};
+	try {
+		const controller = new AbortController();
+		const timeoutHandle = setTimeout(() => controller.abort(), params.timeoutMs);
+		const response = await fetch("https://api.anthropic.com/v1/messages", {
+			method: "POST",
+			headers: {
+				"x-api-key": params.token,
+				"anthropic-version": "2023-06-01",
+				"content-type": "application/json",
+				"user-agent": `anima/3.0.5 (direct-runner; ${os.platform()})`
+			},
+			body: JSON.stringify(requestBody),
+			signal: controller.signal
+		});
+		clearTimeout(timeoutHandle);
+		if (!response.ok) {
+			const body = await response.text().catch(() => "");
+			const isAuth = response.status === 401 || response.status === 403;
+			const isRateLimit = response.status === 429;
+			const rateHint = isRateLimit ? " — rate limit hit, will retry next heartbeat." : "";
+			const authHint = isAuth ? " — token may be invalid or expired. Run: anima setup-token" : "";
+			log$2.error(`anthropic api error: HTTP ${response.status}${authHint}${rateHint}`, {
+				status: response.status,
+				body: body.slice(0, 500)
+			});
+			return {
+				status: "failed",
+				meta: {
+					durationMs: Date.now() - started,
+					error: {
+						message: `HTTP ${response.status}: ${body.slice(0, 200)}${authHint}${rateHint}`,
+						kind: isAuth ? "auth" : isRateLimit ? "rate_limit" : "unknown"
+					}
+				}
+			};
+		}
+		const data = await response.json();
+		const outputText = (data.content ?? []).filter((b) => b.type === "text" && typeof b.text === "string").map((b) => b.text).join("").trim();
+		if (!outputText) log$2.warn("anthropic direct: empty response", {
+			stopReason: data.stop_reason,
+			contentTypes: (data.content ?? []).map((b) => b.type)
+		});
+		await params.onAssistantMessageStart?.();
+		if (outputText && params.onPartialReply) await params.onPartialReply({ text: outputText });
+		history.messages.push({
+			role: "assistant",
+			content: outputText
+		});
+		history.updatedAt = Date.now();
+		await saveSessionHistory$1(params.sessionFile, history);
+		const durationMs = Date.now() - started;
+		const inputTokens = data.usage?.input_tokens ?? 0;
+		const outputTokens = data.usage?.output_tokens ?? 0;
+		log$2.info(`direct api done: model=${resolvedModel} in=${inputTokens} out=${outputTokens} ms=${durationMs}`);
+		return {
+			status: "completed",
+			output: outputText,
+			payloads: outputText ? [{ text: outputText }] : [],
+			meta: {
+				durationMs,
+				agentMeta: {
+					provider: "anthropic",
+					model: resolvedModel,
+					usage: {
+						inputTokens,
+						outputTokens,
+						cacheCreationInputTokens: 0,
+						cacheReadInputTokens: 0
+					}
+				}
+			}
+		};
+	} catch (err) {
+		const isAbort = err instanceof Error && (err.name === "AbortError" || err.message.includes("aborted"));
+		log$2.error("anthropic direct runner error", { error: String(err) });
+		return {
+			status: isAbort ? "timeout" : "failed",
+			meta: {
+				durationMs: Date.now() - started,
+				error: {
+					message: isAbort ? `Request timed out after ${params.timeoutMs}ms` : String(err instanceof Error ? err.message : err),
+					kind: isAbort ? "timeout" : "unknown"
+				}
+			}
 		};
 	}
-	const fallbackReason = requested == null ? "missing" : typeof requested === "string" ? "blank" : "invalid_type";
+}
+//#endregion
+//#region src/agents/cli-backends.ts
+const DEFAULT_CLAUDE_BACKEND = {
+	command: "claude",
+	args: [
+		"-p",
+		"--output-format",
+		"json",
+		"--dangerously-skip-permissions"
+	],
+	resumeArgs: [
+		"-p",
+		"--output-format",
+		"json",
+		"--dangerously-skip-permissions",
+		"--resume",
+		"{sessionId}"
+	],
+	output: "jsonl",
+	input: "arg",
+	modelArg: "--model",
+	modelAliases: {
+		opus: "opus",
+		"opus-4.6": "opus",
+		"opus-4.5": "opus",
+		"opus-4": "opus",
+		"claude-opus-4-6": "opus",
+		"claude-opus-4-5": "opus",
+		"claude-opus-4": "opus",
+		sonnet: "sonnet",
+		"sonnet-4.5": "sonnet",
+		"sonnet-4.1": "sonnet",
+		"sonnet-4.0": "sonnet",
+		"claude-sonnet-4-5": "sonnet",
+		"claude-sonnet-4-1": "sonnet",
+		"claude-sonnet-4-0": "sonnet",
+		haiku: "haiku",
+		"haiku-3.5": "haiku",
+		"claude-haiku-3-5": "haiku"
+	},
+	sessionArg: "--session-id",
+	sessionMode: "always",
+	sessionIdFields: [
+		"session_id",
+		"sessionId",
+		"conversation_id",
+		"conversationId"
+	],
+	systemPromptArg: "--append-system-prompt",
+	systemPromptMode: "append",
+	systemPromptWhen: "first",
+	clearEnv: ["ANTHROPIC_API_KEY", "ANTHROPIC_API_KEY_OLD"],
+	serialize: true
+};
+const DEFAULT_CODEX_BACKEND = {
+	command: "codex",
+	args: [
+		"exec",
+		"--json",
+		"--color",
+		"never",
+		"--sandbox",
+		"read-only",
+		"--skip-git-repo-check"
+	],
+	resumeArgs: [
+		"exec",
+		"resume",
+		"{sessionId}"
+	],
+	output: "jsonl",
+	resumeOutput: "text",
+	input: "arg",
+	modelArg: "--model",
+	imageArg: "--image",
+	sessionMode: "existing",
+	serialize: true
+};
+const CLAUDE_BACKEND_ALIASES = [
+	"claude-cli",
+	"anthropic",
+	"claude"
+];
+const CODEX_BACKEND_ALIASES = [
+	"codex-cli",
+	"openai-codex",
+	"openai",
+	"codex"
+];
+const CLAUDE_BACKEND_ALIAS_SET = new Set(CLAUDE_BACKEND_ALIASES.map((alias) => normalizeBackendKey(alias)));
+const CODEX_BACKEND_ALIAS_SET = new Set(CODEX_BACKEND_ALIASES.map((alias) => normalizeBackendKey(alias)));
+function normalizeBackendKey(key) {
+	return normalizeProviderId(key);
+}
+function pickBackendConfig(config, normalizedId) {
+	for (const [key, entry] of Object.entries(config)) if (normalizeBackendKey(key) === normalizedId) return entry;
+}
+function pickBackendConfigByAliases(config, aliases) {
+	for (const alias of aliases) {
+		const matched = pickBackendConfig(config, normalizeBackendKey(alias));
+		if (matched) return matched;
+	}
+}
+function mergeBackendConfig(base, override) {
+	if (!override) return { ...base };
 	return {
-		workspaceDir: resolveUserPath(resolveAgentWorkspaceDir(params.config ?? {}, agentId)),
-		usedFallback: true,
-		fallbackReason,
-		agentId,
-		agentIdSource
+		...base,
+		...override,
+		args: override.args ?? base.args,
+		env: {
+			...base.env,
+			...override.env
+		},
+		modelAliases: {
+			...base.modelAliases,
+			...override.modelAliases
+		},
+		clearEnv: Array.from(new Set([...base.clearEnv ?? [], ...override.clearEnv ?? []])),
+		sessionIdFields: override.sessionIdFields ?? base.sessionIdFields,
+		sessionArgs: override.sessionArgs ?? base.sessionArgs,
+		resumeArgs: override.resumeArgs ?? base.resumeArgs
+	};
+}
+function resolveCliBackendConfig(provider, cfg) {
+	const normalized = normalizeBackendKey(provider);
+	const configured = cfg?.agents?.defaults?.cliBackends ?? {};
+	if (CLAUDE_BACKEND_ALIAS_SET.has(normalized)) {
+		const merged = mergeBackendConfig(DEFAULT_CLAUDE_BACKEND, pickBackendConfigByAliases(configured, [provider, ...CLAUDE_BACKEND_ALIASES]));
+		const command = merged.command?.trim();
+		if (!command) return null;
+		return {
+			id: normalizeBackendKey("claude-cli"),
+			config: {
+				...merged,
+				command
+			}
+		};
+	}
+	if (CODEX_BACKEND_ALIAS_SET.has(normalized)) {
+		const merged = mergeBackendConfig(DEFAULT_CODEX_BACKEND, pickBackendConfigByAliases(configured, [provider, ...CODEX_BACKEND_ALIASES]));
+		const command = merged.command?.trim();
+		if (!command) return null;
+		return {
+			id: normalizeBackendKey("codex-cli"),
+			config: {
+				...merged,
+				command
+			}
+		};
+	}
+	const override = pickBackendConfig(configured, normalized);
+	if (!override) return null;
+	const command = override.command?.trim();
+	if (!command) return null;
+	return {
+		id: normalized,
+		config: {
+			...override,
+			command
+		}
 	};
 }
+//#endregion
+//#region src/agents/failover-error.ts
+var FailoverError = class extends Error {
+	constructor(message, params) {
+		super(message, { cause: params.cause });
+		this.name = "FailoverError";
+		this.reason = params.reason;
+		this.provider = params.provider;
+		this.model = params.model;
+		this.profileId = params.profileId;
+		this.status = params.status;
+		this.code = params.code;
+	}
+};
+function resolveFailoverStatus(reason) {
+	switch (reason) {
+		case "billing": return 402;
+		case "rate_limit": return 429;
+		case "auth": return 401;
+		case "timeout": return 408;
+		case "format": return 400;
+		default: return;
+	}
+}
 //#endregion
 //#region src/agents/cli-runner.ts
 const log$1 = createSubsystemLogger("agent/claude-cli");
@@ -10065,35 +11133,31 @@ async function runCliAgent(params) {
 }
 //#endregion
-//#region src/agents/anthropic-direct-runner.ts
+//#region src/agents/gemini-direct-runner.ts
 /**
-* Anthropic Direct API Runner
+* Gemini Direct API Runner
 *
-* Makes calls directly to api.anthropic.com without needing the claude CLI
-* binary to be installed or logged in. Works with any valid token:
+* Makes calls directly to generativelanguage.googleapis.com without needing
+* a CLI wrapper. Works with Google API keys (GEMINI_API_KEY).
 *
-*   sk-ant-api01-...  (Console API key)
-*   sk-ant-oat01-...  (Claude Code OAuth access token)
-*
-* This runner is automatically used when an `anthropic:default` token credential
-* is present in the auth store and the claude CLI is unavailable or not logged in.
+* This runner is automatically used when a google API key is available
+* and the provider is set to "google" or "gemini".
 */
-const log = createSubsystemLogger("agent/anthropic-direct");
+const log = createSubsystemLogger("agent/gemini-direct");
+const DEFAULT_GEMINI_BASE_URL = "https://generativelanguage.googleapis.com/v1beta";
 const MODEL_MAP = {
-	opus: "claude-opus-4-5",
-	"opus-4": "claude-opus-4-5",
-	"opus-4.5": "claude-opus-4-5",
-	"opus-4.6": "claude-opus-4-5",
-	"claude-opus-4-5": "claude-opus-4-5",
-	sonnet: "claude-sonnet-4-5",
-	"sonnet-4.5": "claude-sonnet-4-5",
-	"sonnet-4.1": "claude-sonnet-4-1-20250219",
-	"claude-sonnet-4-5": "claude-sonnet-4-5",
-	haiku: "claude-haiku-3-5",
-	"haiku-3.5": "claude-haiku-3-5",
-	default: "claude-sonnet-4-5"
+	gemini: "gemini-2.0-flash",
+	"gemini-pro": "gemini-1.5-pro",
+	"gemini-flash": "gemini-2.0-flash",
+	"gemini-2.0": "gemini-2.0-flash",
+	"gemini-2.0-flash": "gemini-2.0-flash",
+	"gemini-2.0-pro": "gemini-2.0-pro-exp-02-05",
+	"gemini-1.5": "gemini-1.5-pro",
+	"gemini-1.5-pro": "gemini-1.5-pro",
+	"gemini-1.5-flash": "gemini-1.5-flash",
+	default: "gemini-2.0-flash"
 };
-const HISTORY_FILE_SUFFIX = ".anima-history.json";
+const HISTORY_FILE_SUFFIX = ".gemini-history.json";
 async function loadSessionHistory(sessionFile) {
 	const histPath = sessionFile + HISTORY_FILE_SUFFIX;
 	try {
@@ -10116,15 +11180,19 @@ function resolveModel(model) {
 	const key = (model ?? "default").trim().toLowerCase() || "default";
 	return MODEL_MAP[key] ?? key;
 }
+function buildModelPath(model) {
+	return model.startsWith("models/") ? model : `models/${model}`;
+}
 /**
-* Run an agent turn directly against api.anthropic.com.
+* Run an agent turn directly against generativelanguage.googleapis.com.
 *
 * Maintains multi-turn conversation history per session file.
 * Falls back to single-turn if history is unavailable.
 */
-async function runAnthropicDirectAgent(params) {
+async function runGeminiDirectAgent(params) {
 	const started = Date.now();
 	const resolvedModel = resolveModel(params.model);
+	const modelPath = buildModelPath(resolvedModel);
 	log.info(`direct api exec: model=${resolvedModel} promptChars=${params.prompt.length}`);
 	const workspaceDir = resolveRunWorkspaceDir({
 		workspaceDir: params.workspaceDir,
@@ -10164,36 +11232,37 @@ async function runAnthropicDirectAgent(params) {
 		docsPath: docsPath ?? void 0,
 		tools: [],
 		contextFiles,
-		modelDisplay: `anthropic/${resolvedModel}`,
+		modelDisplay: `google/${resolvedModel}`,
 		agentId: sessionAgentId
 	});
 	let history = await loadSessionHistory(params.sessionFile);
 	if (!history) history = {
 		sessionId: params.sessionId,
-		messages: [],
+		contents: [],
 		createdAt: started,
 		updatedAt: started
 	};
-	history.messages.push({
+	history.contents.push({
 		role: "user",
-		content: params.prompt
+		parts: [{ text: params.prompt }]
 	});
 	const requestBody = {
-		model: resolvedModel,
-		max_tokens: 8192,
-		system: systemPrompt,
-		messages: history.messages
+		systemInstruction: { parts: [{ text: systemPrompt }] },
+		contents: history.contents,
+		generationConfig: {
+			maxOutputTokens: 8192,
+			temperature: 1
+		}
 	};
 	try {
 		const controller = new AbortController();
 		const timeoutHandle = setTimeout(() => controller.abort(), params.timeoutMs);
-		const response = await fetch("https://api.anthropic.com/v1/messages", {
+		const url = `${DEFAULT_GEMINI_BASE_URL}/${modelPath}:generateContent?key=${params.apiKey}`;
+		const response = await fetch(url, {
 			method: "POST",
 			headers: {
-				"x-api-key": params.token,
-				"anthropic-version": "2023-06-01",
-				"content-type": "application/json",
-				"user-agent": `anima/3.0.5 (direct-runner; ${os.platform()})`
+				"Content-Type": "application/json",
+				"User-Agent": `anima/5.0.1 (gemini-direct-runner; ${os.platform()})`
 			},
 			body: JSON.stringify(requestBody),
 			signal: controller.signal
@@ -10204,8 +11273,8 @@ async function runAnthropicDirectAgent(params) {
 			const isAuth = response.status === 401 || response.status === 403;
 			const isRateLimit = response.status === 429;
 			const rateHint = isRateLimit ? " — rate limit hit, will retry next heartbeat." : "";
-			const authHint = isAuth ? " — token may be invalid or expired. Run: anima setup-token" : "";
-			log.error(`anthropic api error: HTTP ${response.status}${authHint}${rateHint}`, {
+			const authHint = isAuth ? " — API key may be invalid. Check GEMINI_API_KEY environment variable." : "";
+			log.error(`gemini api error: HTTP ${response.status}${authHint}${rateHint}`, {
 				status: response.status,
 				body: body.slice(0, 500)
 			});
@@ -10221,51 +11290,51 @@ async function runAnthropicDirectAgent(params) {
 			};
 		}
 		const data = await response.json();
-		const outputText = (data.content ?? []).filter((b) => b.type === "text" && typeof b.text === "string").map((b) => b.text).join("").trim();
-		if (!outputText) log.warn("anthropic direct: empty response", {
-			stopReason: data.stop_reason,
-			contentTypes: (data.content ?? []).map((b) => b.type)
-		});
-		await params.onAssistantMessageStart?.();
-		if (outputText && params.onPartialReply) await params.onPartialReply({ text: outputText });
-		history.messages.push({
-			role: "assistant",
-			content: outputText
-		});
-		history.updatedAt = Date.now();
-		await saveSessionHistory(params.sessionFile, history);
+		const candidate = data.candidates?.[0];
+		const assistantText = (candidate?.content?.parts ?? []).filter((p) => typeof p.text === "string").map((p) => p.text).join("\n");
+		if (assistantText && params.onPartialReply) await params.onPartialReply({ text: assistantText });
+		if (assistantText) {
+			history.contents.push({
+				role: "model",
+				parts: [{ text: assistantText }]
+			});
+			history.updatedAt = Date.now();
+			await saveSessionHistory(params.sessionFile, history);
+		}
+		const usage = data.usageMetadata;
 		const durationMs = Date.now() - started;
-		const inputTokens = data.usage?.input_tokens ?? 0;
-		const outputTokens = data.usage?.output_tokens ?? 0;
-		log.info(`direct api done: model=${resolvedModel} in=${inputTokens} out=${outputTokens} ms=${durationMs}`);
+		log.info(`gemini api complete: ${durationMs}ms`, {
+			inputTokens: usage?.promptTokenCount,
+			outputTokens: usage?.candidatesTokenCount,
+			finishReason: candidate?.finishReason
+		});
 		return {
 			status: "completed",
-			output: outputText,
-			payloads: outputText ? [{ text: outputText }] : [],
+			output: assistantText,
 			meta: {
 				durationMs,
 				agentMeta: {
-					provider: "anthropic",
 					model: resolvedModel,
-					usage: {
-						inputTokens,
-						outputTokens,
-						cacheCreationInputTokens: 0,
-						cacheReadInputTokens: 0
-					}
+					provider: "google",
+					usage: usage ? {
+						input: usage.promptTokenCount ?? 0,
+						output: usage.candidatesTokenCount ?? 0
+					} : void 0
 				}
 			}
 		};
 	} catch (err) {
-		const isAbort = err instanceof Error && (err.name === "AbortError" || err.message.includes("aborted"));
-		log.error("anthropic direct runner error", { error: String(err) });
+		const isAbort = err instanceof Error && err.name === "AbortError";
+		const errorKind = isAbort ? "timeout" : "unknown";
+		const errorMsg = isAbort ? `Request timed out after ${params.timeoutMs}ms` : String(err);
+		log.error(`gemini api error: ${errorMsg}`, { error: String(err) });
 		return {
-			status: isAbort ? "timeout" : "failed",
+			status: "failed",
 			meta: {
 				durationMs: Date.now() - started,
 				error: {
-					message: isAbort ? `Request timed out after ${params.timeoutMs}ms` : String(err instanceof Error ? err.message : err),
-					kind: isAbort ? "timeout" : "unknown"
+					message: errorMsg,
+					kind: errorKind
 				}
 			}
 		};
@@ -10353,6 +11422,57 @@ async function runEmbeddedPiAgent(...args) {
 			}
 		}
 	}
+	if (provider === "google" || provider === "gemini") {
+		const geminiApiKey = (await resolveApiKeyForProvider({
+			provider: "google",
+			cfg: params.config
+		}))?.apiKey;
+		if (geminiApiKey) {
+			await emitAgentEvent(params, "lifecycle", {
+				phase: "start",
+				startedAt
+			});
+			try {
+				const result = await runGeminiDirectAgent({
+					apiKey: geminiApiKey,
+					sessionId: params.sessionId,
+					sessionKey: params.sessionKey,
+					agentId: params.agentId,
+					sessionFile: params.sessionFile,
+					workspaceDir: params.workspaceDir,
+					config: params.config,
+					prompt: params.prompt,
+					model: params.model,
+					thinkLevel: params.thinkLevel,
+					timeoutMs,
+					runId,
+					extraSystemPrompt: params.extraSystemPrompt,
+					ownerNumbers: params.ownerNumbers,
+					onPartialReply: async (payload) => {
+						if (!assistantStarted) {
+							assistantStarted = true;
+							await params.onAssistantMessageStart?.();
+						}
+						await params.onPartialReply?.(payload);
+						await emitAgentEvent(params, "assistant", { text: payload.text });
+					},
+					onAssistantMessageStart: params.onAssistantMessageStart
+				});
+				await emitAgentEvent(params, "lifecycle", {
+					phase: "end",
+					durationMs: Date.now() - startedAt,
+					status: result.status
+				});
+				return result;
+			} catch (err) {
+				await emitAgentEvent(params, "lifecycle", {
+					phase: "error",
+					error: String(err instanceof Error ? err.message : err)
+				});
+				throw err;
+			}
+		}
+	}
 	const cliProvider = resolveCompatCliProvider(provider, params.config);
 	if (!resolveCliBackendConfig(cliProvider, params.config)) throw new Error(`No CLI backend available for provider "${provider}" (resolved "${cliProvider}").\nEither:\n  • Run: anima setup-token  (set an Anthropic API key — no CLI needed)\n  • Install the matching CLI and log in`);
 	await emitAgentEvent(params, "lifecycle", {