@oh-my-pi/pi-ai 15.4.2 → 15.5.0

package/CHANGELOG.md

@@ -2,6 +2,27 @@
 
 ## [Unreleased]
 
+## [15.5.0] - 2026-05-26
+### Added
+
+- Added `zhipu-coding-plan` provider for Zhipu (智谱) BigModel's domestic coding-plan SKU at `https://open.bigmodel.cn/api/coding/paas/v4`, with dynamic model discovery (`ZHIPU_API_KEY`), zai-format thinking, `reasoning_content` field, and OAuth login flow ([#1340](https://github.com/can1357/oh-my-pi/issues/1340)).
+
+### Removed
+
+- Removed the `pi-ai` CLI binary (`packages/ai/src/cli.ts`) and its `bin` entry. Use the in-process equivalent in the omp coding-agent CLI: `omp auth-broker login [provider]`, `omp auth-broker logout [provider]`, and `omp auth-broker list`. The library API (`AuthStorage.login()`, `getOAuthProviders()`, etc.) is unchanged.
+
+### Fixed
+
+- Fixed delayed `toolResult` emissions so real tool results are emitted in the correct assistant `toolCall` window after handoff/compaction, preventing out-of-order or orphaned tool results
+- Fixed delayed `toolResult` handling for aborted calls so a late real result is emitted instead of a synthetic `aborted` result for the same `toolCallId`
+- Fixed usage polling to disable credentials when OAuth refresh fails definitively (for example `invalid_grant`) and clear cached last-good usage data so stale reports no longer remain visible
+
+## [15.4.3] - 2026-05-26
+
+### Fixed
+
+- Fixed Google Vertex model discovery to use the project-scoped OpenAI-compatible model list so Vertex Model Garden models such as GLM and Claude are available through ADC auth ([#1412](https://github.com/can1357/oh-my-pi/issues/1412)).
+
 ## [15.4.2] - 2026-05-26
 
 ### Fixed

package/README.md

@@ -1057,13 +1057,14 @@ Official docs: [Application Default Credentials](https://cloud.google.com/docs/a
 
 ### CLI Login
 
-The quickest way to authenticate:
+Authenticate via the [`omp`](https://omp.sh) coding-agent CLI, which drives this library's OAuth/API-key flows in-process and persists into `agent.db`:
 
 ```bash
-bunx @oh-my-pi/pi-ai login              # interactive provider selection
-bunx @oh-my-pi/pi-ai login anthropic    # login to specific provider
-bunx @oh-my-pi/pi-ai login vllm         # store vLLM API key (or placeholder for local no-auth)
-bunx @oh-my-pi/pi-ai list               # list available providers
+omp auth-broker login              # interactive provider selection
+omp auth-broker login anthropic    # login to a specific provider
+omp auth-broker login vllm         # store vLLM API key (or placeholder for local no-auth)
+omp auth-broker list               # list supported providers
+omp auth-broker logout             # interactive — pick a stored credential to remove
 ```
 
 Credentials are saved to `agent.db` in the agent directory. `/login qianfan` opens the Qianfan console and stores the pasted API key.

package/dist/types/auth-broker/refresher.d.ts

@@ -1,4 +1,4 @@
-import type { AuthStorage } from "../auth-storage";
+import { type AuthStorage } from "../auth-storage";
 export interface AuthBrokerRefresherOptions {
     storage: AuthStorage;
     /** Refresh credentials expiring within this window. Default 5 min. */

package/dist/types/auth-storage.d.ts

@@ -281,6 +281,7 @@ export type AuthStorageOptions = {
      */
     fetchUsageReports?: (signal?: AbortSignal) => Promise<UsageReport[] | null>;
 };
+export declare function isDefinitiveOAuthFailure(errorMsg: string): boolean;
 type AuthApiKeyOptions = {
     baseUrl?: string;
     modelId?: string;

package/dist/types/provider-models/google.d.ts

@@ -1,9 +1,14 @@
 import type { ModelManagerOptions } from "../model-manager";
+import type { FetchImpl } from "../types";
 export interface GoogleModelManagerConfig {
     apiKey?: string;
 }
 export interface GoogleVertexModelManagerConfig {
     apiKey?: string;
+    project?: string;
+    location?: string;
+    signal?: AbortSignal;
+    fetch?: FetchImpl;
 }
 export interface GoogleAntigravityModelManagerConfig {
     oauthToken?: string;
@@ -14,6 +19,6 @@ export interface GoogleGeminiCliModelManagerConfig {
     endpoint?: string;
 }
 export declare function googleModelManagerOptions(config?: GoogleModelManagerConfig): ModelManagerOptions<"google-generative-ai">;
-export declare function googleVertexModelManagerOptions(_config?: GoogleVertexModelManagerConfig): ModelManagerOptions<"google-vertex">;
+export declare function googleVertexModelManagerOptions(config?: GoogleVertexModelManagerConfig): ModelManagerOptions;
 export declare function googleAntigravityModelManagerOptions(config?: GoogleAntigravityModelManagerConfig): ModelManagerOptions<"google-gemini-cli">;
 export declare function googleGeminiCliModelManagerOptions(config?: GoogleGeminiCliModelManagerConfig): ModelManagerOptions<"google-gemini-cli">;

package/dist/types/provider-models/openai-compat.d.ts

@@ -58,6 +58,11 @@ export interface DeepSeekModelManagerConfig {
     baseUrl?: string;
 }
 export declare function deepseekModelManagerOptions(config?: DeepSeekModelManagerConfig): ModelManagerOptions<"openai-completions">;
+export interface ZhipuCodingPlanModelManagerConfig {
+    apiKey?: string;
+    baseUrl?: string;
+}
+export declare function zhipuCodingPlanModelManagerOptions(config?: ZhipuCodingPlanModelManagerConfig): ModelManagerOptions<"openai-completions">;
 export interface FireworksModelManagerConfig {
     apiKey?: string;
     baseUrl?: string;

package/dist/types/types.d.ts

@@ -48,7 +48,7 @@ export interface ThinkingConfig {
     /** Provider-specific transport used to encode the selected effort. */
     mode: ThinkingControlMode;
 }
-export type KnownProvider = "alibaba-coding-plan" | "amazon-bedrock" | "anthropic" | "google" | "google-gemini-cli" | "google-antigravity" | "google-vertex" | "openai" | "openai-codex" | "kimi-code" | "minimax-code" | "minimax-code-cn" | "github-copilot" | "fireworks" | "firepass" | "gitlab-duo" | "cursor" | "deepseek" | "xai" | "groq" | "cerebras" | "openrouter" | "kilo" | "vercel-ai-gateway" | "zai" | "mistral" | "minimax" | "opencode-go" | "opencode-zen" | "synthetic" | "cloudflare-ai-gateway" | "huggingface" | "litellm" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "qianfan" | "qwen-portal" | "together" | "venice" | "vllm" | "xiaomi" | "zenmux" | "lm-studio";
+export type KnownProvider = "alibaba-coding-plan" | "amazon-bedrock" | "anthropic" | "google" | "google-gemini-cli" | "google-antigravity" | "google-vertex" | "openai" | "openai-codex" | "kimi-code" | "minimax-code" | "minimax-code-cn" | "github-copilot" | "fireworks" | "firepass" | "gitlab-duo" | "cursor" | "deepseek" | "xai" | "groq" | "cerebras" | "openrouter" | "kilo" | "vercel-ai-gateway" | "zai" | "zhipu-coding-plan" | "mistral" | "minimax" | "opencode-go" | "opencode-zen" | "synthetic" | "cloudflare-ai-gateway" | "huggingface" | "litellm" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "qianfan" | "qwen-portal" | "together" | "venice" | "vllm" | "xiaomi" | "zenmux" | "lm-studio";
 export type Provider = KnownProvider | string;
 import type { Effort } from "./model-thinking";
 /** Token budgets for each thinking level (token-based providers only) */

package/dist/types/utils/discovery/index.d.ts

@@ -2,3 +2,4 @@ export * from "./antigravity";
 export * from "./codex";
 export * from "./gemini";
 export * from "./openai-compatible";
+export * from "./vertex";

package/dist/types/utils/discovery/vertex.d.ts

@@ -0,0 +1,25 @@
+import type { FetchImpl, Model } from "../../types";
+/** Configuration for Vertex AI OpenAI-compatible model discovery. */
+export interface VertexDiscoveryOptions {
+    /** Google Cloud project ID hosting the Vertex AI endpoint. */
+    project: string;
+    /** Vertex AI location, for example `global` or `us-central1`. */
+    location: string;
+    /** Optional requested page size for model listing. */
+    pageSize?: number;
+    /** Maximum number of pages to request before stopping pagination. */
+    maxPages?: number;
+    /** Optional abort signal for HTTP requests. */
+    signal?: AbortSignal;
+    /** Optional fetch implementation override for tests. */
+    fetch?: FetchImpl;
+}
+/**
+ * Fetches models exposed by Vertex AI's OpenAI-compatible endpoint.
+ *
+ * Returns `null` on auth, transport, or protocol failures so callers can fall
+ * back to cache/static models without surfacing discovery noise at startup.
+ */
+export declare function fetchVertexOpenAIModels(options: VertexDiscoveryOptions): Promise<Model<"openai-completions">[] | null>;
+/** Returns the stable Vertex AI OpenAI-compatible endpoint base URL. */
+export declare function buildVertexOpenAIBaseUrl(project: string, location: string): string;

package/dist/types/utils/oauth/types.d.ts

@@ -7,7 +7,7 @@ export type OAuthCredentials = {
     email?: string;
     accountId?: string;
 };
-export type OAuthProvider = "alibaba-coding-plan" | "anthropic" | "cerebras" | "cloudflare-ai-gateway" | "cursor" | "deepseek" | "fireworks" | "firepass" | "github-copilot" | "google-gemini-cli" | "google-antigravity" | "gitlab-duo" | "huggingface" | "kimi-code" | "kilo" | "kagi" | "litellm" | "lm-studio" | "minimax-code" | "minimax-code-cn" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "openai-codex" | "openai-codex-device" | "opencode-go" | "opencode-zen" | "parallel" | "perplexity" | "qianfan" | "qwen-portal" | "synthetic" | "tavily" | "together" | "venice" | "vercel-ai-gateway" | "vllm" | "xiaomi" | "zenmux" | "zai";
+export type OAuthProvider = "alibaba-coding-plan" | "anthropic" | "cerebras" | "cloudflare-ai-gateway" | "cursor" | "deepseek" | "fireworks" | "firepass" | "github-copilot" | "google-gemini-cli" | "google-antigravity" | "gitlab-duo" | "huggingface" | "kimi-code" | "kilo" | "kagi" | "litellm" | "lm-studio" | "minimax-code" | "minimax-code-cn" | "moonshot" | "nvidia" | "nanogpt" | "ollama" | "ollama-cloud" | "openai-codex" | "openai-codex-device" | "opencode-go" | "opencode-zen" | "parallel" | "perplexity" | "qianfan" | "qwen-portal" | "synthetic" | "tavily" | "together" | "venice" | "vercel-ai-gateway" | "vllm" | "xiaomi" | "zenmux" | "zai" | "zhipu-coding-plan";
 export type OAuthProviderId = OAuthProvider | (string & {});
 export type OAuthPrompt = {
     message: string;

package/dist/types/utils/oauth/zhipu.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Zhipu Coding Plan login flow.
+ *
+ * Zhipu BigModel (智谱) provides an OpenAI-compatible API.
+ * API docs: https://docs.bigmodel.cn/cn/guide/develop/openai/introduction
+ *
+ * Simple API key flow:
+ * 1. User gets their API key from https://open.bigmodel.cn
+ * 2. User pastes the API key into the CLI
+ */
+import type { OAuthController } from "./types";
+/**
+ * Login to Zhipu Coding Plan.
+ *
+ * Opens browser to API keys page, prompts user to paste their API key.
+ * Returns the API key directly (not OAuthCredentials - this isn't OAuth).
+ */
+export declare function loginZhipuCodingPlan(options: OAuthController): Promise<string>;

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@oh-my-pi/pi-ai",
-	"version": "15.4.2",
+	"version": "15.5.0",
 	"description": "Unified LLM API with automatic model discovery and provider configuration",
 	"homepage": "https://omp.sh",
 	"author": "Can Boluk",
@@ -28,9 +28,6 @@
 	],
 	"main": "./src/index.ts",
 	"types": "./dist/types/index.d.ts",
-	"bin": {
-		"pi-ai": "./src/cli.ts"
-	},
 	"scripts": {
 		"check": "biome check . && bun run check:types",
 		"check:types": "tsgo -p tsconfig.json --noEmit",
@@ -43,7 +40,7 @@
 	"dependencies": {
 		"@anthropic-ai/sdk": "^0.94.0",
 		"@bufbuild/protobuf": "^2.12.0",
-		"@oh-my-pi/pi-utils": "15.4.2",
+		"@oh-my-pi/pi-utils": "15.5.0",
 		"openai": "^6.36.0",
 		"partial-json": "^0.1.7",
 		"zod": "4.4.3"

package/src/auth-broker/refresher.ts

@@ -10,7 +10,7 @@
  * snapshot pull surfaces a clean delete on the client.
  */
 import { logger } from "@oh-my-pi/pi-utils";
-import type { AuthStorage } from "../auth-storage";
+import { type AuthStorage, isDefinitiveOAuthFailure } from "../auth-storage";
 import { DEFAULT_REFRESH_INTERVAL_MS, DEFAULT_REFRESH_SKEW_MS } from "./types";
 
 export interface AuthBrokerRefresherOptions {
@@ -23,16 +23,6 @@ export interface AuthBrokerRefresherOptions {
 	now?: () => number;
 }
 
-const INVALID_GRANT_REGEX = /invalid_grant|invalid_token|revoked|unauthorized|expired.*refresh|refresh.*expired/i;
-const TRANSIENT_REGEX = /timeout|network|fetch failed|ECONNREFUSED/i;
-const HTTP_401_403_REGEX = /\b(401|403)\b/;
-
-function isDefinitiveFailure(errorMsg: string): boolean {
-	if (INVALID_GRANT_REGEX.test(errorMsg)) return true;
-	if (HTTP_401_403_REGEX.test(errorMsg) && !TRANSIENT_REGEX.test(errorMsg)) return true;
-	return false;
-}
-
 export interface AuthBrokerRefresherSchedule {
 	enabled: boolean;
 	intervalMs: number;
@@ -113,7 +103,7 @@ export class AuthBrokerRefresher {
 			await this.#storage.refreshCredentialById(id);
 		} catch (error) {
 			const errorMsg = String(error);
-			if (isDefinitiveFailure(errorMsg)) {
+			if (isDefinitiveOAuthFailure(errorMsg)) {
 				logger.warn("auth-broker refresh failed definitively; disabling credential", {
 					id,
 					error: errorMsg,

package/src/auth-storage.ts

@@ -414,6 +414,29 @@ const OAUTH_REFRESH_SKEW_MS = 60_000;
  */
 const MAX_PENDING_DISABLED_EVENTS = 32;
 
+/**
+ * Classify an OAuth refresh error as a definitive credential failure (the
+ * refresh token is dead — re-login required) versus a transient blip
+ * (network/5xx — retry next sweep).
+ *
+ * Anchored at module scope so all three refresh sites — in-stream
+ * {@link AuthStorage.getApiKey}, the usage probe in
+ * {@link AuthStorage.fetchUsageReports}, and the auth-broker background
+ * refresher — disable rows on the same criteria. A drifting classifier
+ * between sites would let stale last-good usage reports surface indefinitely
+ * while streaming requests correctly tear the row down.
+ */
+const OAUTH_DEFINITIVE_FAILURE_REGEX =
+	/invalid_grant|invalid_token|revoked|unauthorized|expired.*refresh|refresh.*expired/i;
+const OAUTH_TRANSIENT_FAILURE_REGEX = /timeout|network|fetch failed|ECONNREFUSED/i;
+const OAUTH_HTTP_AUTH_REGEX = /\b(401|403)\b/;
+
+export function isDefinitiveOAuthFailure(errorMsg: string): boolean {
+	if (OAUTH_DEFINITIVE_FAILURE_REGEX.test(errorMsg)) return true;
+	if (OAUTH_HTTP_AUTH_REGEX.test(errorMsg) && !OAUTH_TRANSIENT_FAILURE_REGEX.test(errorMsg)) return true;
+	return false;
+}
+
 type UsageCacheEntry<T> = {
 	value: T;
 	expiresAt: number;
@@ -1497,6 +1520,12 @@ export class AuthStorage {
 				await saveApiKeyCredential(apiKey);
 				return;
 			}
+			case "zhipu-coding-plan": {
+				const { loginZhipuCodingPlan } = await import("./utils/oauth/zhipu");
+				const apiKey = await loginZhipuCodingPlan(ctrl);
+				await saveApiKeyCredential(apiKey);
+				return;
+			}
 			case "qianfan": {
 				const { loginQianfan } = await import("./utils/oauth/qianfan");
 				const apiKey = await loginQianfan(ctrl);
@@ -1832,9 +1861,50 @@ export class AuthStorage {
 						credential: refreshedCredential,
 					};
 				} catch (error) {
+					const errorMsg = String(error);
+					// Definitive failure (invalid_grant / 401 not from a network blip) means
+					// the refresh token itself is dead — probing with the original credential
+					// will 401, the catch below will return null, and #fetchUsageCached's
+					// last-good fallback will surface yesterday's report indefinitely
+					// (including its already-elapsed `resetsAt`). CAS-disable the row and
+					// clear the cache so the credential drops out of the report instead of
+					// freezing in place until the user notices and re-logs in.
+					if (isDefinitiveOAuthFailure(errorMsg)) {
+						const credentialId = this.#findStoredCredentialIdForUsageCredential(
+							request.provider,
+							request.credential,
+						);
+						if (credentialId !== undefined) {
+							const entries = this.#getStoredCredentials(request.provider);
+							const index = entries.findIndex(entry => entry.id === credentialId);
+							if (index !== -1) {
+								const disabled = this.#tryDisableCredentialAtIfMatches(
+									request.provider,
+									index,
+									refreshableCredential,
+									`oauth refresh failed during usage probe: ${errorMsg}`,
+								);
+								if (disabled) {
+									this.#usageLogger?.warn(
+										"Usage credential refresh failed definitively; credential disabled",
+										{ provider: request.provider, credentialId, error: errorMsg },
+									);
+									// Neutralize last-good for this cache key: write a null
+									// entry with an immediately-elapsed expiry so a future
+									// getStale lookup (e.g. on re-login under the same
+									// account identity) can't replay the stale report.
+									this.#usageCache.set(this.#buildUsageReportCacheKey(request), {
+										value: null,
+										expiresAt: 0,
+									});
+									return null;
+								}
+							}
+						}
+					}
 					this.#usageLogger?.debug("Usage credential refresh failed, using original credential", {
 						provider: request.provider,
-						error: String(error),
+						error: errorMsg,
 					});
 				}
 			}
@@ -2877,9 +2947,7 @@ export class AuthStorage {
 			const errorMsg = String(error);
 			// Only remove credentials for definitive auth failures
 			// Keep credentials for transient errors (network, 5xx) and block temporarily
-			const isDefinitiveFailure =
-				/invalid_grant|invalid_token|revoked|unauthorized|expired.*refresh|refresh.*expired/i.test(errorMsg) ||
-				(/\b(401|403)\b/.test(errorMsg) && !/timeout|network|fetch failed|ECONNREFUSED/i.test(errorMsg));
+			const isDefinitiveFailure = isDefinitiveOAuthFailure(errorMsg);
 
 			logger.warn("OAuth token refresh failed", {
 				provider,