@oh-my-pi/pi-coding-agent 15.1.7 → 15.1.9

package/CHANGELOG.md

@@ -2,6 +2,35 @@
 
 ## [Unreleased]
 
+## [15.1.9] - 2026-05-21
+
+### Fixed
+
+- Fixed `disabledProviders` still probing local discovery endpoints for Ollama, llama.cpp, and LM Studio during background model refresh. Disabled providers are now excluded before implicit and built-in discovery managers are created. ([#1232](https://github.com/can1357/oh-my-pi/issues/1232))
+
+### Fixed
+
+- Fixed `omp acp` auto-discovering host `.mcp.json` servers in parallel with the ACP client's `session/new.mcpServers`, which shadowed client-supplied MCP tools in `search_tool_bm25` and the session tool registry. The ACP session factory now forces `enableMCP: false`, so MCP ownership stays with `AcpAgent#configureMcpServers`. Non-ACP modes keep on-disk discovery. ([#1234](https://github.com/can1357/oh-my-pi/issues/1234))
+
+### Fixed
+
+- Fixed binary `omp update` rollbacks so a downloaded replacement that fails post-install version verification no longer remains installed over the previous working binary. ([#1240](https://github.com/can1357/oh-my-pi/issues/1240))
+
+### Fixed
+
+- Fixed `/force <tool>` rejecting Ollama/local models before the requested tool could run; Ollama now receives a named forced choice that the provider transport narrows to the selected tool. ([#1236](https://github.com/can1357/oh-my-pi/issues/1236))
+
+### Fixed
+
+- Fixed `web_search` freezing the session when an upstream provider stalled. Bun's WinHTTP backend on Windows can silently drop `AbortSignal` once a TCP/TLS connection hangs (oven-sh/bun#15275, oven-sh/bun#18536), so Esc never reached the in-flight fetch and the only recovery was Ctrl+C + `omp --resume`. Every web-search provider's outbound `fetch` (anthropic, brave, codex, exa, gemini, jina, kagi, kimi, parallel, perplexity, searxng, synthetic, tavily, z.ai) now composes the caller signal with a 60s hard timeout via a shared `withHardTimeout` helper, guaranteeing the request settles within a minute even when Bun's abort fails to propagate. Independently, `executeSearch`'s provider-fallback loop was masking real cancellations as ordinary provider errors and returning "All web search providers failed"; it now re-throws as `ToolAbortError` the moment the caller's signal aborts, so the session sees a clean cancel on every platform. ([#1221](https://github.com/can1357/oh-my-pi/issues/1221))
+
+## [15.1.8] - 2026-05-20
+
+### Fixed
+
+- Fixed streaming edit previews for `apply_patch` and `hashline` jittering as the model typed `+added` lines. Two root causes addressed: (1) the trailing partial line of the streaming text input is now trimmed at each tick so a half-typed `+added` line no longer flickers; (2) the preview is rendered in the model's input order during streaming instead of re-deriving a unified diff via `Diff.structuredPatch`, whose coalescing previously reshuffled existing `+added` lines downward each time a new `-removed` line arrived. Existing additions now stay put and the preview only grows at the bottom while streaming. A residual trailing `-removed`/hunk-header block whose matching `+added` companion has not yet arrived is also suppressed until the additions land.
+- Fixed Perplexity web search appearing "logged out" roughly an hour after `omp auth login perplexity`. The search provider's `findOAuthToken` was honoring the bogus `expires = login_time + 1h` written by older logins (Perplexity JWTs typically omit `exp` because sessions are server-side) and silently dropping the credential. The loader now decodes the JWT's `exp` claim directly and only skips when the JWT itself is expired; tokens without an `exp` claim are treated as non-expiring.
+
 ## [15.1.7] - 2026-05-19
 
 ### Fixed

package/dist/types/cli/update-cli.d.ts

@@ -1,3 +1,17 @@
+/** Result from running the installed binary and parsing its reported version. */
+export interface InstalledVersionVerification {
+    ok: boolean;
+    actual?: string;
+    path?: string;
+}
+/** Paths and verifier used while replacing a downloaded binary update. */
+export interface BinaryReplacementOptions {
+    targetPath: string;
+    tempPath: string;
+    backupPath: string;
+    expectedVersion: string;
+    verifyInstalledVersion: (expectedVersion: string) => Promise<InstalledVersionVerification>;
+}
 /**
  * Parse update subcommand arguments.
  * Returns undefined if not an update command.
@@ -7,6 +21,10 @@ export declare function parseUpdateArgs(args: string[]): {
     check: boolean;
 } | undefined;
 export declare function resolveUpdateMethodForTest(ompPath: string, bunBinDir: string | undefined): "bun" | "binary";
+/**
+ * Atomically replace the installed binary and roll back if version verification fails.
+ */
+export declare function replaceBinaryForUpdate(options: BinaryReplacementOptions): Promise<InstalledVersionVerification>;
 /**
  * Run the update command.
  */

package/dist/types/edit/streaming.d.ts

@@ -26,6 +26,13 @@ export interface StreamingDiffContext {
     fuzzyThreshold?: number;
     allowFuzzy?: boolean;
     hashlineAutoDropPureInsertDuplicates?: boolean;
+    /**
+     * True while the tool's arguments are still streaming in. Strategies that
+     * accept free-form text input (apply_patch, hashline) trim the trailing
+     * partial line so per-character growth of an in-flight `+added` line does
+     * not flicker in the preview.
+     */
+    isStreaming?: boolean;
 }
 export interface EditStreamingStrategy<Args = unknown> {
     /**

package/dist/types/main.d.ts

@@ -5,16 +5,40 @@
  * createAgentSession() options. The SDK does the heavy lifting.
  */
 import type { Args } from "./cli/args";
+import { ModelRegistry } from "./config/model-registry";
 import { Settings } from "./config/settings";
 import { InteractiveMode, runAcpMode } from "./modes";
 import type { SubmittedUserInput } from "./modes/types";
-import { createAgentSession, discoverAuthStorage } from "./sdk";
+import { type CreateAgentSessionOptions, type CreateAgentSessionResult, createAgentSession, discoverAuthStorage } from "./sdk";
 import type { AgentSession } from "./session/agent-session";
+import type { AuthStorage } from "./session/auth-storage";
 export interface InteractiveModeNotify {
     kind: "warn" | "error" | "info";
     message: string;
 }
 export declare function submitInteractiveInput(mode: Pick<InteractiveMode, "markPendingSubmissionStarted" | "finishPendingSubmission" | "showError" | "checkShutdownRequested">, session: Pick<AgentSession, "prompt" | "promptCustomMessage">, input: SubmittedUserInput): Promise<void>;
+type AcpSessionFactory = (cwd: string) => Promise<AgentSession>;
+export interface AcpSessionFactoryOptions {
+    baseOptions: CreateAgentSessionOptions;
+    settings: Settings;
+    sessionDir?: string;
+    authStorage: AuthStorage;
+    modelRegistry: ModelRegistry;
+    parsedArgs: Pick<Args, "apiKey">;
+    rawArgs: string[];
+    createSession: (options: CreateAgentSessionOptions) => Promise<CreateAgentSessionResult>;
+}
+/**
+ * Build the per-`session/new` factory used by ACP mode.
+ *
+ * MCP servers in ACP sessions are owned exclusively by the ACP client, which
+ * supplies them through `session/new.mcpServers` and re-applies them via
+ * {@link AcpAgent#configureMcpServers}. We therefore force `enableMCP: false`
+ * on every session created here so {@link createAgentSession} skips the on-disk
+ * `.mcp.json` discovery path — otherwise host MCP tools land in the session's
+ * tool registry and shadow the client-supplied servers (issue #1234).
+ */
+export declare function createAcpSessionFactory(args: AcpSessionFactoryOptions): AcpSessionFactory;
 interface RunRootCommandDependencies {
     createAgentSession?: typeof createAgentSession;
     discoverAuthStorage?: typeof discoverAuthStorage;

package/dist/types/utils/tool-choice.d.ts

@@ -1,6 +1,7 @@
 import type { Api, Model, ToolChoice } from "@oh-my-pi/pi-ai";
 /**
  * Build a provider-aware tool choice that targets one specific tool when supported.
- * Some providers only support "any tool" forcing, not a named tool.
+ * Providers that only expose required/any forcing may still honor named choices by
+ * narrowing their request tool list before transport.
  */
 export declare function buildNamedToolChoice(toolName: string, model?: Model<Api>): ToolChoice | undefined;

package/dist/types/web/search/providers/utils.d.ts

@@ -12,6 +12,31 @@ export declare function findCredential(envKey: string | null | undefined, ...sto
  * Swallows lookup errors and reports unavailability.
  */
 export declare function isApiKeyAvailable(findApiKey: () => string | null | Promise<string | null>): Promise<boolean>;
+/**
+ * Default hard ceiling for a single web-search round-trip. 60s tolerates
+ * legitimate slow LLM-mediated responses (anthropic web_search_20250305,
+ * perplexity, gemini, codex) while still guaranteeing the session unfreezes
+ * within a minute if Bun's `AbortSignal` fails to propagate on Windows.
+ *
+ * Pure search APIs (brave, exa, jina, tavily, searxng, synthetic, zai)
+ * settle far faster in practice; reusing the same ceiling keeps the wiring
+ * uniform without compromising correctness.
+ */
+export declare const SEARCH_HARD_TIMEOUT_MS = 60000;
+/**
+ * Compose a caller-supplied {@link AbortSignal} with a hard timeout so an
+ * outbound `fetch()` is guaranteed to settle within `ms` even when the
+ * runtime fails to propagate cancellation to the underlying transport.
+ *
+ * Bun's WinHTTP backend on Windows is known to ignore `AbortSignal` once a
+ * TCP/TLS connection stalls (oven-sh/bun#15275, oven-sh/bun#18536); without
+ * this safety net a stalled web-search request freezes the entire session
+ * because the user's Esc is never delivered to the native layer.
+ *
+ * @param signal - Caller cancellation signal, if any.
+ * @param ms - Hard timeout in milliseconds. Defaults to {@link SEARCH_HARD_TIMEOUT_MS}.
+ */
+export declare function withHardTimeout(signal: AbortSignal | undefined, ms?: number): AbortSignal;
 /**
  * Map a provider's raw source list to the unified SearchSource shape,
  * clamped to the requested result count and annotated with ageSeconds.

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@oh-my-pi/pi-coding-agent",
-	"version": "15.1.7",
+	"version": "15.1.9",
 	"description": "Coding agent CLI with read, bash, edit, write tools and session management",
 	"homepage": "https://omp.sh",
 	"author": "Can Boluk",
@@ -47,12 +47,12 @@
 		"@agentclientprotocol/sdk": "0.21.0",
 		"@babel/parser": "^7.29.3",
 		"@mozilla/readability": "^0.6.0",
-		"@oh-my-pi/omp-stats": "15.1.7",
-		"@oh-my-pi/pi-agent-core": "15.1.7",
-		"@oh-my-pi/pi-ai": "15.1.7",
-		"@oh-my-pi/pi-natives": "15.1.7",
-		"@oh-my-pi/pi-tui": "15.1.7",
-		"@oh-my-pi/pi-utils": "15.1.7",
+		"@oh-my-pi/omp-stats": "15.1.9",
+		"@oh-my-pi/pi-agent-core": "15.1.9",
+		"@oh-my-pi/pi-ai": "15.1.9",
+		"@oh-my-pi/pi-natives": "15.1.9",
+		"@oh-my-pi/pi-tui": "15.1.9",
+		"@oh-my-pi/pi-utils": "15.1.9",
 		"@puppeteer/browsers": "^2.13.0",
 		"@types/turndown": "5.0.6",
 		"@xterm/headless": "^6.0.0",

package/src/cli/update-cli.ts

@@ -20,6 +20,22 @@ interface ReleaseInfo {
 	version: string;
 }
 
+/** Result from running the installed binary and parsing its reported version. */
+export interface InstalledVersionVerification {
+	ok: boolean;
+	actual?: string;
+	path?: string;
+}
+
+/** Paths and verifier used while replacing a downloaded binary update. */
+export interface BinaryReplacementOptions {
+	targetPath: string;
+	tempPath: string;
+	backupPath: string;
+	expectedVersion: string;
+	verifyInstalledVersion: (expectedVersion: string) => Promise<InstalledVersionVerification>;
+}
+
 /**
  * Parse update subcommand arguments.
  * Returns undefined if not an update command.
@@ -197,9 +213,7 @@ function resolveOmpPath(): string | undefined {
 /**
  * Run the resolved omp binary and check if it reports the expected version.
  */
-async function verifyInstalledVersion(
-	expectedVersion: string,
-): Promise<{ ok: boolean; actual?: string; path?: string }> {
+async function verifyInstalledVersion(expectedVersion: string): Promise<InstalledVersionVerification> {
 	const ompPath = resolveOmpPath();
 	if (!ompPath) return { ok: false };
 	try {
@@ -215,29 +229,69 @@ async function verifyInstalledVersion(
 	}
 }
 
+function printVerifiedVersion(expectedVersion: string): void {
+	console.log(chalk.green(`\n${theme.status.success} Updated to ${expectedVersion}`));
+}
+
+function formatVerificationFailure(result: InstalledVersionVerification, expectedVersion: string): string {
+	if (result.actual) {
+		return `${APP_NAME} at ${result.path} still reports ${result.actual} (expected ${expectedVersion})`;
+	}
+	return `could not verify updated version${result.path ? ` at ${result.path}` : ""}`;
+}
+
 /**
  * Print post-update verification result.
  */
 async function printVerification(expectedVersion: string): Promise<void> {
 	const result = await verifyInstalledVersion(expectedVersion);
 	if (result.ok) {
-		console.log(chalk.green(`\n${theme.status.success} Updated to ${expectedVersion}`));
+		printVerifiedVersion(expectedVersion);
 		return;
 	}
-	if (result.actual) {
-		console.log(
-			chalk.yellow(
-				`\nWarning: ${APP_NAME} at ${result.path} still reports ${result.actual} (expected ${expectedVersion})`,
-			),
-		);
-	} else {
-		console.log(
-			chalk.yellow(`\nWarning: could not verify updated version${result.path ? ` at ${result.path}` : ""}`),
-		);
-	}
+	console.log(chalk.yellow(`\nWarning: ${formatVerificationFailure(result, expectedVersion)}`));
 	console.log(chalk.yellow(`You may need to reinstall: curl -fsSL https://omp.sh/install | sh`));
 }
 
+async function unlinkIfExists(filePath: string): Promise<void> {
+	try {
+		await fs.promises.unlink(filePath);
+	} catch (err) {
+		if (!isEnoent(err)) throw err;
+	}
+}
+
+/**
+ * Atomically replace the installed binary and roll back if version verification fails.
+ */
+export async function replaceBinaryForUpdate(options: BinaryReplacementOptions): Promise<InstalledVersionVerification> {
+	let backupReady = false;
+	try {
+		await unlinkIfExists(options.backupPath);
+		await fs.promises.rename(options.targetPath, options.backupPath);
+		backupReady = true;
+		await fs.promises.rename(options.tempPath, options.targetPath);
+
+		const verification = await options.verifyInstalledVersion(options.expectedVersion);
+		if (!verification.ok) {
+			throw new Error(
+				`${formatVerificationFailure(verification, options.expectedVersion)}; restored previous ${APP_NAME} binary`,
+			);
+		}
+
+		backupReady = false;
+		await unlinkIfExists(options.backupPath);
+		return verification;
+	} catch (err) {
+		if (backupReady) {
+			await unlinkIfExists(options.targetPath);
+			await fs.promises.rename(options.backupPath, options.targetPath);
+		}
+		await unlinkIfExists(options.tempPath);
+		throw err;
+	}
+}
+
 /**
  * Update via bun package manager.
  */
@@ -271,27 +325,15 @@ async function updateViaBinaryAt(targetPath: string, expectedVersion: string): P
 	await pipeline(response.body, fileStream);
 
 	console.log(chalk.dim("Installing update..."));
-	try {
-		try {
-			await fs.promises.unlink(backupPath);
-		} catch (err) {
-			if (!isEnoent(err)) throw err;
-		}
-		await fs.promises.rename(targetPath, backupPath);
-		await fs.promises.rename(tempPath, targetPath);
-		await fs.promises.unlink(backupPath);
-
-		await printVerification(expectedVersion);
-		console.log(chalk.dim(`Restart ${APP_NAME} to use the new version`));
-	} catch (err) {
-		if (fs.existsSync(backupPath) && !fs.existsSync(targetPath)) {
-			await fs.promises.rename(backupPath, targetPath);
-		}
-		if (fs.existsSync(tempPath)) {
-			await fs.promises.unlink(tempPath);
-		}
-		throw err;
-	}
+	await replaceBinaryForUpdate({
+		targetPath,
+		tempPath,
+		backupPath,
+		expectedVersion,
+		verifyInstalledVersion,
+	});
+	printVerifiedVersion(expectedVersion);
+	console.log(chalk.dim(`Restart ${APP_NAME} to use the new version`));
 }
 
 /**

package/src/config/model-registry.ts

@@ -1017,7 +1017,8 @@ export class ModelRegistry {
 	}
 
 	#addImplicitDiscoverableProviders(configuredProviders: Set<string>): void {
-		if (!configuredProviders.has("ollama")) {
+		const disabledProviders = getDisabledProviderIdsFromSettings();
+		if (!configuredProviders.has("ollama") && !disabledProviders.has("ollama")) {
 			this.#discoverableProviders.push({
 				provider: "ollama",
 				api: "openai-responses",
@@ -1027,7 +1028,7 @@ export class ModelRegistry {
 			});
 			this.#keylessProviders.add("ollama");
 		}
-		if (!configuredProviders.has("llama.cpp")) {
+		if (!configuredProviders.has("llama.cpp") && !disabledProviders.has("llama.cpp")) {
 			this.#discoverableProviders.push({
 				provider: "llama.cpp",
 				api: "openai-responses",
@@ -1040,7 +1041,7 @@ export class ModelRegistry {
 				this.#keylessProviders.add("llama.cpp");
 			}
 		}
-		if (!configuredProviders.has("lm-studio")) {
+		if (!configuredProviders.has("lm-studio") && !disabledProviders.has("lm-studio")) {
 			this.#discoverableProviders.push({
 				provider: "lm-studio",
 				api: "openai-completions",
@@ -1160,9 +1161,12 @@ export class ModelRegistry {
 		strategy: ModelRefreshStrategy,
 		providerFilter?: ReadonlySet<string>,
 	): Promise<void> {
-		const selectedDiscoverableProviders = providerFilter
-			? this.#discoverableProviders.filter(provider => providerFilter.has(provider.provider))
-			: this.#discoverableProviders;
+		const disabledProviders = getDisabledProviderIdsFromSettings();
+		const selectedDiscoverableProviders = (
+			providerFilter
+				? this.#discoverableProviders.filter(provider => providerFilter.has(provider.provider))
+				: this.#discoverableProviders
+		).filter(provider => !disabledProviders.has(provider.provider));
 		const configuredDiscoveriesPromise =
 			selectedDiscoverableProviders.length === 0
 				? Promise.resolve<Model<Api>[]>([])
@@ -1366,17 +1370,24 @@ export class ModelRegistry {
 				},
 			},
 		];
+		const disabledProviders = getDisabledProviderIdsFromSettings();
+		const standardProviderDescriptors = PROVIDER_DESCRIPTORS.filter(
+			descriptor => !disabledProviders.has(descriptor.providerId),
+		);
+		const enabledSpecialProviderDescriptors = specialProviderDescriptors.filter(
+			descriptor => !disabledProviders.has(descriptor.providerId),
+		);
 		// Use peekApiKey to avoid OAuth token refresh during discovery.
 		// The token is only needed if the dynamic fetch fires (cache miss),
 		// and failures there are handled gracefully.
 		const peekKey = (descriptor: { providerId: string }) => this.#peekApiKeyForProvider(descriptor.providerId);
 		const [standardProviderKeys, specialKeys] = await Promise.all([
-			Promise.all(PROVIDER_DESCRIPTORS.map(peekKey)),
-			Promise.all(specialProviderDescriptors.map(peekKey)),
+			Promise.all(standardProviderDescriptors.map(peekKey)),
+			Promise.all(enabledSpecialProviderDescriptors.map(peekKey)),
 		]);
 		const options: ModelManagerOptions<Api>[] = [];
-		for (let i = 0; i < PROVIDER_DESCRIPTORS.length; i++) {
-			const descriptor = PROVIDER_DESCRIPTORS[i];
+		for (let i = 0; i < standardProviderDescriptors.length; i++) {
+			const descriptor = standardProviderDescriptors[i];
 			const apiKey = standardProviderKeys[i];
 			if (isAuthenticated(apiKey) || descriptor.allowUnauthenticated) {
 				options.push(
@@ -1388,8 +1399,8 @@ export class ModelRegistry {
 			}
 		}
 
-		for (let i = 0; i < specialProviderDescriptors.length; i++) {
-			const descriptor = specialProviderDescriptors[i];
+		for (let i = 0; i < enabledSpecialProviderDescriptors.length; i++) {
+			const descriptor = enabledSpecialProviderDescriptors[i];
 			const key = descriptor.resolveKey(specialKeys[i]);
 			if (!isAuthenticated(key)) {
 				continue;

package/src/edit/streaming.ts

@@ -45,6 +45,13 @@ export interface StreamingDiffContext {
 	fuzzyThreshold?: number;
 	allowFuzzy?: boolean;
 	hashlineAutoDropPureInsertDuplicates?: boolean;
+	/**
+	 * True while the tool's arguments are still streaming in. Strategies that
+	 * accept free-form text input (apply_patch, hashline) trim the trailing
+	 * partial line so per-character growth of an in-flight `+added` line does
+	 * not flicker in the preview.
+	 */
+	isStreaming?: boolean;
 }
 
 export interface EditStreamingStrategy<Args = unknown> {
@@ -274,21 +281,146 @@ interface HashlineArgs {
 	__partialJson?: string;
 }
 
+/**
+ * While streaming a free-form text payload (apply_patch envelope, hashline
+ * input), trim the trailing partial line so per-character growth of an
+ * in-flight `+added` line does not cause the diff preview to flicker. The
+ * full line will show on the next streaming tick once its `\n` arrives.
+ * Returns `text` unchanged when not streaming or when no newline is present.
+ */
+function trimTrailingPartialLine(text: string, isStreaming: boolean | undefined): string {
+	if (!isStreaming) return text;
+	const idx = text.lastIndexOf("\n");
+	if (idx === -1) return "";
+	return text.slice(0, idx + 1);
+}
+
+/**
+ * Build a per-file diff preview directly from a partial `apply_patch`
+ * envelope by emitting its body lines in *input order*. This bypasses the
+ * file-state re-diff (`computePatchDiff` → `Diff.structuredPatch`) whose
+ * coalescing reorders the model's `-old +new -old +new` stream into
+ * `-old -old +new +new` and visibly shifts existing `+added` lines
+ * downward each time a new `-` arrives. The preview therefore grows
+ * monotonically at the bottom while streaming and only becomes a real
+ * unified diff once the args are complete.
+ */
+function buildApplyPatchNaturalOrderPreviews(input: string): PerFileDiffPreview[] | null {
+	const lines = input.split("\n");
+	const groups = new Map<string, string[]>();
+	let currentPath: string | undefined;
+	const ensure = (path: string): string[] => {
+		let bucket = groups.get(path);
+		if (!bucket) {
+			bucket = [];
+			groups.set(path, bucket);
+		}
+		return bucket;
+	};
+	for (const raw of lines) {
+		const trimmedEnd = raw.trimEnd();
+		if (trimmedEnd === BEGIN_PATCH_MARKER || trimmedEnd === END_PATCH_MARKER || trimmedEnd === ABORT_MARKER) {
+			continue;
+		}
+		if (trimmedEnd.startsWith("*** Add File: ")) {
+			currentPath = trimmedEnd.slice("*** Add File: ".length);
+			ensure(currentPath);
+			continue;
+		}
+		if (trimmedEnd.startsWith("*** Delete File: ")) {
+			currentPath = trimmedEnd.slice("*** Delete File: ".length);
+			ensure(currentPath);
+			continue;
+		}
+		if (trimmedEnd.startsWith("*** Update File: ")) {
+			currentPath = trimmedEnd.slice("*** Update File: ".length);
+			ensure(currentPath);
+			continue;
+		}
+		if (trimmedEnd.startsWith("*** Move to:") || trimmedEnd.startsWith("*** End of File")) {
+			continue;
+		}
+		if (!currentPath) continue;
+		// Diff body: keep `-/+/space`-prefixed lines and `@@` hunk headers in
+		// input order. parseDiffLine accepts the no-line-number legacy form so
+		// the renderer styles them as additions/removals/context naturally.
+		if (raw.startsWith("+") || raw.startsWith("-") || raw.startsWith(" ") || raw.startsWith("@@")) {
+			ensure(currentPath).push(raw);
+		}
+	}
+	if (groups.size === 0) return null;
+	const previews: PerFileDiffPreview[] = [];
+	for (const [path, body] of groups) {
+		if (body.length === 0) continue;
+		previews.push({ path, diff: body.join("\n") });
+	}
+	return previews.length > 0 ? previews : null;
+}
+
+/**
+ * Hashline equivalent: emit each section's `~payload` lines as `+added`
+ * lines in the order the model typed them. We deliberately omit op headers
+ * and removal targets from the streaming preview because their content
+ * lives in the file and would require a costly re-apply per tick; the
+ * complete unified diff is shown once streaming finishes.
+ */
+function buildHashlineNaturalOrderPreviews(
+	input: string,
+	defaultPath: string | undefined,
+): PerFileDiffPreview[] | null {
+	const lines = input.split("\n");
+	const groups = new Map<string, string[]>();
+	let currentPath = defaultPath ?? "";
+	const ensure = (path: string): string[] => {
+		let bucket = groups.get(path);
+		if (!bucket) {
+			bucket = [];
+			groups.set(path, bucket);
+		}
+		return bucket;
+	};
+	for (const raw of lines) {
+		if (isHashlineEnvelopeMarkerLine(raw)) continue;
+		if (isHashlineHeaderLine(raw)) {
+			currentPath = raw.trimEnd().slice(1).trim();
+			if (currentPath) ensure(currentPath);
+			continue;
+		}
+		if (raw.startsWith("~")) {
+			ensure(currentPath).push(`+${raw.slice(1)}`);
+		}
+	}
+	if (groups.size === 0) return null;
+	const previews: PerFileDiffPreview[] = [];
+	for (const [path, body] of groups) {
+		if (body.length === 0) continue;
+		previews.push({ path, diff: body.join("\n") });
+	}
+	return previews.length > 0 ? previews : null;
+}
+
 const hashlineStrategy: EditStreamingStrategy<HashlineArgs> = {
 	extractCompleteEdits(args) {
 		return args;
 	},
 	async computeDiffPreview(args, ctx) {
 		if (typeof args.input !== "string" || args.input.length === 0) return null;
+		const input = trimTrailingPartialLine(args.input, ctx.isStreaming);
+		if (input.length === 0) return null;
+		if (ctx.isStreaming) {
+			// Skip the costly per-tick re-apply and avoid `Diff.structuredPatch`
+			// reordering by showing the model's `~payload` lines in input order.
+			return buildHashlineNaturalOrderPreviews(input, args.path);
+		}
 		ctx.signal.throwIfAborted();
 
 		let sections: HashlineInputSection[];
 		try {
-			sections = splitHashlineInputs(args.input, { cwd: ctx.cwd, path: args.path });
+			sections = splitHashlineInputs(input, { cwd: ctx.cwd, path: args.path });
 		} catch {
 			// Single-section fallback keeps the original error rendering for the
 			// "haven't typed `@@ PATH` yet" case.
-			const result = await computeHashlineDiff({ input: args.input, path: args.path }, ctx.cwd, {
+			const result = await computeHashlineDiff({ input, path: args.path }, ctx.cwd, {
 				autoDropPureInsertDuplicates: ctx.hashlineAutoDropPureInsertDuplicates,
 			});
 			ctx.signal.throwIfAborted();
@@ -340,12 +472,21 @@ const applyPatchStrategy: EditStreamingStrategy<ApplyPatchArgs> = {
 	},
 	async computeDiffPreview(args, ctx) {
 		if (typeof args.input !== "string" || args.input.length === 0) return null;
+		const input = trimTrailingPartialLine(args.input, ctx.isStreaming);
+		if (input.length === 0) return null;
+		if (ctx.isStreaming) {
+			// Render the envelope's diff body in input order so newly streamed
+			// `+added` lines append at the bottom instead of being shuffled
+			// upward as later `-removed` lines arrive and reorder the unified
+			// diff that `Diff.structuredPatch` would otherwise produce.
+			return buildApplyPatchNaturalOrderPreviews(input);
+		}
 		let entries: ApplyPatchEntry[];
 		try {
-			entries = expandApplyPatchToEntries({ input: args.input });
+			entries = expandApplyPatchToEntries({ input });
 		} catch {
 			try {
-				entries = expandApplyPatchToPreviewEntries({ input: args.input });
+				entries = expandApplyPatchToPreviewEntries({ input });
 			} catch (err) {
 				return [{ path: "", error: err instanceof Error ? err.message : String(err) }];
 			}

package/src/main.ts

@@ -199,7 +199,7 @@ function applyExtensionFlagValues(session: AgentSession, rawArgs: string[]): Map
 
 type AcpSessionFactory = (cwd: string) => Promise<AgentSession>;
 
-interface AcpSessionFactoryOptions {
+export interface AcpSessionFactoryOptions {
 	baseOptions: CreateAgentSessionOptions;
 	settings: Settings;
 	sessionDir?: string;
@@ -210,7 +210,17 @@ interface AcpSessionFactoryOptions {
 	createSession: (options: CreateAgentSessionOptions) => Promise<CreateAgentSessionResult>;
 }
 
-function createAcpSessionFactory(args: AcpSessionFactoryOptions): AcpSessionFactory {
+/**
+ * Build the per-`session/new` factory used by ACP mode.
+ *
+ * MCP servers in ACP sessions are owned exclusively by the ACP client, which
+ * supplies them through `session/new.mcpServers` and re-applies them via
+ * {@link AcpAgent#configureMcpServers}. We therefore force `enableMCP: false`
+ * on every session created here so {@link createAgentSession} skips the on-disk
+ * `.mcp.json` discovery path — otherwise host MCP tools land in the session's
+ * tool registry and shadow the client-supplied servers (issue #1234).
+ */
+export function createAcpSessionFactory(args: AcpSessionFactoryOptions): AcpSessionFactory {
 	return async cwd => {
 		const nextSettings = await args.settings.cloneForCwd(cwd);
 		const nextSessionManager = SessionManager.create(cwd, args.sessionDir);
@@ -224,6 +234,7 @@ function createAcpSessionFactory(args: AcpSessionFactoryOptions): AcpSessionFact
 			modelRegistry: args.modelRegistry,
 			agentId,
 			hasUI: false,
+			enableMCP: false,
 		});
 		if (args.parsedArgs.apiKey && !args.baseOptions.model && nextSession.model) {
 			args.authStorage.setRuntimeApiKey(nextSession.model.provider, args.parsedArgs.apiKey);

package/src/modes/components/tool-execution.ts

@@ -51,6 +51,49 @@ function cloneToolArgs<T>(args: T): T {
 	}
 }
 
+/**
+ * Drop trailing removal/hunk-header lines that appear in a streaming diff
+ * before the matching `+added` lines have arrived. Without this, a partial
+ * apply_patch / hashline preview shows `-old` first and then visibly grows
+ * the `+new` block beneath it — the "removals first, additions catching up"
+ * jitter. Once the next streaming tick brings the additions in, the trailing
+ * block reappears alongside them.
+ */
+function stripTrailingUnbalancedRemoval(diff: string | undefined): string | undefined {
+	if (!diff) return diff;
+	const lines = diff.split("\n");
+	let lastAddIdx = -1;
+	for (let i = lines.length - 1; i >= 0; i--) {
+		if (lines[i].startsWith("+")) {
+			lastAddIdx = i;
+			break;
+		}
+	}
+	let hasTrailingUnbalanced = false;
+	for (let i = lastAddIdx + 1; i < lines.length; i++) {
+		const line = lines[i];
+		if (line.startsWith("-") || line.startsWith("@@")) {
+			hasTrailingUnbalanced = true;
+			break;
+		}
+	}
+	if (!hasTrailingUnbalanced) return diff;
+	if (lastAddIdx === -1) return "";
+	return lines.slice(0, lastAddIdx + 1).join("\n");
+}
+
+function stabilizeStreamingPreviews(previews: PerFileDiffPreview[]): PerFileDiffPreview[] {
+	let changed = false;
+	const next = previews.map(preview => {
+		if (!preview.diff) return preview;
+		const trimmed = stripTrailingUnbalancedRemoval(preview.diff);
+		if (trimmed === preview.diff) return preview;
+		changed = true;
+		return { ...preview, diff: trimmed ?? "" };
+	});
+	return changed ? next : previews;
+}
+
 function isEditLikeToolName(toolName: string): boolean {
 	return toolName === "edit" || toolName === "apply_patch";
 }
@@ -222,16 +265,18 @@ export class ToolExecutionComponent extends Container {
 		this.#editDiffAbort = controller;
 
 		try {
+			const isStreaming = !this.#argsComplete;
 			const previews = await strategy.computeDiffPreview(effectiveArgs, {
 				cwd: this.#cwd,
 				signal: controller.signal,
 				fuzzyThreshold: this.#editFuzzyThreshold,
 				allowFuzzy: this.#editAllowFuzzy,
 				hashlineAutoDropPureInsertDuplicates: this.#hashlineAutoDropPureInsertDuplicates,
+				isStreaming,
 			});
 			if (controller.signal.aborted) return;
 			if (previews) {
-				this.#editDiffPreview = previews;
+				this.#editDiffPreview = isStreaming ? stabilizeStreamingPreviews(previews) : previews;
 				this.#updateDisplay();
 				this.#ui.requestRender();
 			}

package/src/modes/interactive-mode.ts

@@ -584,11 +584,17 @@ export class InteractiveMode implements InteractiveModeContext {
 		if (!this.loopModeEnabled || !this.loopPrompt) return;
 		const prompt = this.loopPrompt;
 		const loopAction = settings.get("loop.mode");
+		this.#deferLoopAutoSubmit(() => {
+			void this.#runLoopIteration(loopAction, prompt);
+		});
+	}
+
+	#deferLoopAutoSubmit(callback: () => void): void {
 		// Brief delay so the user has a chance to press Esc between iterations.
 		this.#loopAutoSubmitTimer = setTimeout(() => {
 			this.#loopAutoSubmitTimer = undefined;
 			if (!this.loopModeEnabled || !this.onInputCallback) return;
-			void this.#runLoopIteration(loopAction, prompt);
+			callback();
 		}, 800);
 	}
 
@@ -641,7 +647,32 @@ export class InteractiveMode implements InteractiveModeContext {
 		}
 	}
 
+	#isLoopAutoSubmitBlocked(): boolean {
+		return this.session.isStreaming || this.session.isCompacting;
+	}
+
+	#submitLoopPromptWhenReady(prompt: string): void {
+		if (!this.loopModeEnabled || this.loopPrompt !== prompt || !this.onInputCallback) return;
+		if (isLoopDurationExpired(this.loopLimit)) {
+			this.disableLoopMode("Loop time limit reached. Loop mode disabled.");
+			return;
+		}
+		if (this.#isLoopAutoSubmitBlocked()) {
+			this.#deferLoopAutoSubmit(() => this.#submitLoopPromptWhenReady(prompt));
+			return;
+		}
+		this.onInputCallback(this.startPendingSubmission({ text: prompt }));
+	}
+
 	async #runLoopIteration(action: "prompt" | "compact" | "reset", prompt: string): Promise<void> {
+		if (!this.loopModeEnabled || this.loopPrompt !== prompt || !this.onInputCallback) return;
+		if (this.#isLoopAutoSubmitBlocked()) {
+			this.#deferLoopAutoSubmit(() => {
+				void this.#runLoopIteration(action, prompt);
+			});
+			return;
+		}
+
 		if (!consumeLoopLimitIteration(this.loopLimit)) {
 			this.disableLoopMode("Loop limit reached. Loop mode disabled.");
 			return;
@@ -652,12 +683,7 @@ export class InteractiveMode implements InteractiveModeContext {
 		} else if (action === "reset") {
 			await this.handleClearCommand();
 		}
-		if (!this.loopModeEnabled || !this.onInputCallback) return;
-		if (isLoopDurationExpired(this.loopLimit)) {
-			this.disableLoopMode("Loop time limit reached. Loop mode disabled.");
-			return;
-		}
-		this.onInputCallback(this.startPendingSubmission({ text: prompt }));
+		this.#submitLoopPromptWhenReady(prompt);
 	}
 
 	disableLoopMode(message = "Loop mode disabled."): void {

package/src/prompts/agents/oracle.md

@@ -1,19 +1,17 @@
 ---
 name: oracle
-description: Deep reasoning advisor for debugging dead ends, architecture decisions, and second opinions. Read-only.
+description: Wise senior engineer to consult or delegate work to — debugging, architecture, second opinions, and hands-on implementation when asked.
 spawns: explore
 model: pi/slow
 thinking-level: xhigh
 blocking: true
 ---
 
-You are a senior diagnostician and strategic technical advisor. You receive problems other agents are stuck on — doom loops, mysterious failures, architectural tradeoffs, subtle bugs — and return clear, actionable analysis.
+You are the wise guy on the team — a senior engineer with deep judgment that other agents consult when they are stuck, uncertain, or need a second opinion. You also take direct delegation: if the caller hands you work, you do it, including reads, writes, edits, and running commands.
 
-You diagnose, explain, and recommend. You do not implement. Others act on your findings.
-
-<critical>
-You MUST operate as read-only. You NEVER write, edit, or modify files, nor execute any state-changing commands.
-</critical>
+You diagnose, decide, and execute. You match the mode to the ask:
+- **Consult**: explain the root cause, lay out tradeoffs, recommend a path.
+- **Delegate**: carry the work to completion — modify files, run verification, deliver a finished change.
 
 <directives>
 - You MUST reason from first principles. The caller already tried the obvious.
@@ -23,6 +21,7 @@ You MUST operate as read-only. You NEVER write, edit, or modify files, nor execu
 - You SHOULD consider at least two hypotheses before converging on one.
 - You SHOULD invoke tools in parallel when investigating multiple hypotheses.
 - When the problem is architectural, you MUST weigh tradeoffs explicitly: what does each option cost, what does it buy, what does it foreclose.
+- When delegated implementation work, you MUST finish it: edit the files, run the relevant tests/checks, and report exactly what changed.
 </directives>
 
 <decision-framework>
@@ -35,22 +34,22 @@ Apply pragmatic minimalism:
 </decision-framework>
 
 <procedure>
-1. Read the problem statement carefully. Identify what was already tried and why it failed.
-2. Form 2-3 hypotheses for the root cause.
+1. Read the problem statement carefully. Identify what was already tried, what failed, and whether the caller wants advice or execution.
+2. Form 2-3 hypotheses for the root cause (for diagnosis) or 2-3 viable approaches (for design).
 3. Use tools to gather evidence — read relevant code, trace data flow, check types, grep for related patterns. Parallelize independent reads.
-4. Eliminate hypotheses based on evidence. Narrow to the most likely cause.
-5. If the problem is a decision (not a bug), lay out options with concrete tradeoffs.
-6. Deliver a clear verdict with supporting evidence.
+4. Eliminate hypotheses based on evidence. Narrow to the most likely cause or best approach.
+5. If consulting: deliver verdict with supporting evidence and a concrete recommendation.
+6. If implementing: make the changes, verify them, and report the diff and verification result.
 </procedure>
+
 <scope-discipline>
-- Recommend ONLY what was asked. No unsolicited improvements.
+- Do ONLY what was asked. No unsolicited refactors or improvements.
 - If you notice other issues, list at most 2 as "Optional future considerations" at the end.
 - You NEVER expand the problem surface beyond the original request.
 - Exhaust provided context before reaching for tools. External lookups fill genuine gaps, not curiosity.
 </scope-discipline>
 
 <critical>
-You MUST keep going until you have a clear answer or have exhausted available evidence.
-Before finalizing: re-scan for unstated assumptions, verify claims are grounded in code not invented, check for overly strong language not justified by evidence.
-This matters. The caller is stuck. Get it right.
+You MUST keep going until the problem is solved or the work is finished. Before finalizing: re-scan for unstated assumptions, verify claims are grounded in code not invented, check for overly strong language not justified by evidence.
+The caller came to you because they trust your judgment. Get it right.
 </critical>

package/src/utils/tool-choice.ts

@@ -2,7 +2,8 @@ import type { Api, Model, ToolChoice } from "@oh-my-pi/pi-ai";
 
 /**
  * Build a provider-aware tool choice that targets one specific tool when supported.
- * Some providers only support "any tool" forcing, not a named tool.
+ * Providers that only expose required/any forcing may still honor named choices by
+ * narrowing their request tool list before transport.
  */
 export function buildNamedToolChoice(toolName: string, model?: Model<Api>): ToolChoice | undefined {
 	if (!model) return undefined;
@@ -20,12 +21,11 @@ export function buildNamedToolChoice(toolName: string, model?: Model<Api>): Tool
 		return { type: "function", name: toolName };
 	}
 
-	if (
-		model.api === "google-generative-ai" ||
-		model.api === "google-gemini-cli" ||
-		model.api === "google-vertex" ||
-		model.api === "ollama-chat"
-	) {
+	if (model.api === "ollama-chat") {
+		return { type: "function", name: toolName };
+	}
+
+	if (model.api === "google-generative-ai" || model.api === "google-gemini-cli" || model.api === "google-vertex") {
 		return "required";
 	}
 

package/src/web/kagi.ts

@@ -1,5 +1,5 @@
 import { getEnvApiKey } from "@oh-my-pi/pi-ai";
-import { findCredential } from "./search/providers/utils";
+import { findCredential, withHardTimeout } from "./search/providers/utils";
 
 const KAGI_SEARCH_URL = "https://kagi.com/api/v0/search";
 
@@ -138,7 +138,7 @@ export async function searchWithKagi(query: string, options: KagiSearchOptions =
 
 	const response = await fetch(requestUrl, {
 		headers: getAuthHeaders(apiKey),
-		signal: options.signal,
+		signal: withHardTimeout(options.signal),
 	});
 	if (!response.ok) {
 		throw parseKagiErrorResponse(response.status, await response.text());

package/src/web/parallel.ts

@@ -1,5 +1,5 @@
 import { getEnvApiKey } from "@oh-my-pi/pi-ai";
-import { findCredential } from "./search/providers/utils";
+import { findCredential, withHardTimeout } from "./search/providers/utils";
 
 const PARALLEL_API_URL = "https://api.parallel.ai";
 const PARALLEL_SEARCH_URL = `${PARALLEL_API_URL}/v1beta/search`;
@@ -304,7 +304,7 @@ export async function searchWithParallel(
 				max_chars_per_result: options.maxCharsPerResult ?? 10_000,
 			},
 		}),
-		signal: options.signal,
+		signal: withHardTimeout(options.signal),
 	});
 	if (!response.ok) {
 		throw parseParallelErrorResponse(response.status, await response.text());
@@ -335,7 +335,7 @@ export async function extractWithParallel(
 			excerpts: options.excerpts ?? true,
 			full_content: options.fullContent ?? false,
 		}),
-		signal: options.signal,
+		signal: withHardTimeout(options.signal),
 	});
 	if (!response.ok) {
 		throw parseParallelErrorResponse(response.status, await response.text());

package/src/web/search/index.ts

@@ -14,6 +14,7 @@ import webSearchSystemPrompt from "../../prompts/system/web-search.md" with { ty
 import webSearchDescription from "../../prompts/tools/web-search.md" with { type: "text" };
 import type { ToolSession } from "../../tools";
 import { formatAge } from "../../tools/render-utils";
+import { throwIfAborted } from "../../tools/tool-errors";
 import { getSearchProvider, getSearchProviderLabel, resolveProviderChain, type SearchProvider } from "./provider";
 import { renderSearchCall, renderSearchResult, type SearchRenderDetails } from "./render";
 import type { SearchProviderId, SearchResponse } from "./types";
@@ -161,6 +162,12 @@ async function executeSearch(
 				details: { response },
 			};
 		} catch (error) {
+			// Surface user-initiated cancellation immediately so the session sees
+			// a clean abort instead of a generic "all providers failed" message.
+			// Without this, an AbortError from `fetch()` is treated as a provider
+			// failure and the loop falls through to the next provider (or to the
+			// summary error), masking the cancellation.
+			throwIfAborted(signal);
 			lastError = error;
 		}
 	}

package/src/web/search/providers/anthropic.ts

@@ -24,12 +24,12 @@ import type {
 import { SearchProviderError } from "../../../web/search/types";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const DEFAULT_MODEL = "claude-haiku-4-5";
 const DEFAULT_MAX_TOKENS = 4096;
 const WEB_SEARCH_TOOL_NAME = "web_search";
 const WEB_SEARCH_TOOL_TYPE = "web_search_20250305";
-
 export interface AnthropicSearchParams {
 	query: string;
 	system_prompt?: string;
@@ -118,7 +118,7 @@ async function callSearch(
 		method: "POST",
 		headers,
 		body: JSON.stringify(body),
-		signal,
+		signal: withHardTimeout(signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/brave.ts

@@ -10,7 +10,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { clampNumResults, dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { isApiKeyAvailable } from "./utils";
+import { isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const BRAVE_SEARCH_URL = "https://api.search.brave.com/res/v1/web/search";
 const DEFAULT_NUM_RESULTS = 10;
@@ -85,7 +85,7 @@ async function callBraveSearch(
 			Accept: "application/json",
 			"X-Subscription-Token": apiKey,
 		},
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/codex.ts

@@ -15,6 +15,7 @@ import type { SearchResponse, SearchSource } from "../../../web/search/types";
 import { SearchProviderError } from "../../../web/search/types";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const CODEX_BASE_URL = "https://chatgpt.com/backend-api";
 const CODEX_RESPONSES_PATH = "/codex/responses";
@@ -338,7 +339,7 @@ async function callCodexSearch(
 		method: "POST",
 		headers,
 		body: JSON.stringify(body),
-		signal: options.signal,
+		signal: withHardTimeout(options.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/exa.ts

@@ -14,6 +14,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const EXA_API_URL = "https://api.exa.ai/search";
 
@@ -180,7 +181,7 @@ async function callExaSearch(apiKey: string, params: ExaSearchParams): Promise<E
 			"x-api-key": apiKey,
 		},
 		body: JSON.stringify(body),
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/gemini.ts

@@ -15,6 +15,7 @@ import type { SearchCitation, SearchResponse, SearchSource } from "../../../web/
 import { SearchProviderError } from "../../../web/search/types";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const DEFAULT_ENDPOINT = "https://cloudcode-pa.googleapis.com";
 const ANTIGRAVITY_DAILY_ENDPOINT = "https://daily-cloudcode-pa.googleapis.com";
@@ -310,7 +311,7 @@ async function callGeminiSearch(
 			...headers,
 		},
 		body: JSON.stringify(requestBody),
-		signal,
+		signal: withHardTimeout(signal),
 	});
 	const urlFor = (attempt: number) =>
 		`${endpoints[Math.min(attempt, endpoints.length - 1)]}/v1internal:streamGenerateContent?alt=sse`;

package/src/web/search/providers/jina.ts

@@ -10,7 +10,7 @@ import type { SearchResponse, SearchSource } from "../../../web/search/types";
 import { SearchProviderError } from "../../../web/search/types";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { isApiKeyAvailable } from "./utils";
+import { isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const JINA_SEARCH_URL = "https://s.jina.ai";
 
@@ -41,7 +41,7 @@ async function callJinaSearch(apiKey: string, query: string, signal?: AbortSigna
 			Accept: "application/json",
 			Authorization: `Bearer ${apiKey}`,
 		},
-		signal,
+		signal: withHardTimeout(signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/kimi.ts

@@ -11,7 +11,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { clampNumResults, dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { findCredential, isApiKeyAvailable } from "./utils";
+import { findCredential, isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const KIMI_SEARCH_URL = "https://api.kimi.com/coding/v1/search";
 
@@ -78,7 +78,7 @@ async function callKimiSearch(
 			enable_page_crawling: params.includeContent,
 			timeout_seconds: DEFAULT_TIMEOUT_SECONDS,
 		}),
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/perplexity.ts

@@ -22,6 +22,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const PERPLEXITY_API_URL = "https://api.perplexity.ai/chat/completions";
 const PERPLEXITY_OAUTH_ASK_URL = "https://www.perplexity.ai/rest/sse/perplexity_ask";
@@ -174,6 +175,25 @@ export function findApiKey(): string | null {
 	return getEnvApiKey("perplexity") ?? null;
 }
 
+/**
+ * Decode a Perplexity JWT's `exp` claim, in ms. Returns `undefined` when the
+ * token has no `exp` (which is the common case — Perplexity sessions are
+ * server-side and effectively non-expiring from the client's POV).
+ */
+function jwtExpiryMs(token: string): number | undefined {
+	const parts = token.split(".");
+	if (parts.length !== 3) return undefined;
+	const payload = parts[1];
+	if (!payload) return undefined;
+	try {
+		const decoded = JSON.parse(Buffer.from(payload, "base64url").toString("utf8")) as { exp?: unknown };
+		if (typeof decoded.exp !== "number" || !Number.isFinite(decoded.exp)) return undefined;
+		return decoded.exp * 1000;
+	} catch {
+		return undefined;
+	}
+}
+
 async function findOAuthToken(): Promise<string | null> {
 	const now = Date.now();
 	try {
@@ -183,7 +203,11 @@ async function findOAuthToken(): Promise<string | null> {
 			if (record.credential.type !== "oauth") continue;
 			const credential = record.credential as PerplexityOAuthCredential;
 			if (!credential.access) continue;
-			if (credential.expires <= now + OAUTH_EXPIRY_BUFFER_MS) continue;
+			// Trust the JWT's own `exp` claim if it has one; otherwise treat as
+			// non-expiring. The stored `expires` field is unreliable: older logins
+			// wrote `loginTime + 1h` even though Perplexity JWTs typically lack `exp`.
+			const jwtExpiry = jwtExpiryMs(credential.access);
+			if (jwtExpiry !== undefined && jwtExpiry <= now + OAUTH_EXPIRY_BUFFER_MS) continue;
 			return credential.access;
 		}
 	} catch {
@@ -224,7 +248,7 @@ async function callPerplexityApi(
 			"Content-Type": "application/json",
 		},
 		body: JSON.stringify(request),
-		signal,
+		signal: withHardTimeout(signal),
 	});
 
 	if (!response.ok) {
@@ -341,7 +365,7 @@ async function callPerplexityOAuth(
 				skip_search_enabled: true,
 			},
 		}),
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/searxng.ts

@@ -31,6 +31,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { clampNumResults, dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const DEFAULT_NUM_RESULTS = 10;
 const MAX_NUM_RESULTS = 20;
@@ -211,7 +212,7 @@ async function callSearXNGSearch(
 
 	const response = await fetch(url, {
 		headers,
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/synthetic.ts

@@ -10,7 +10,7 @@ import type { SearchResponse, SearchSource } from "../../../web/search/types";
 import { SearchProviderError } from "../../../web/search/types";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { findCredential, isApiKeyAvailable } from "./utils";
+import { findCredential, isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const SYNTHETIC_SEARCH_URL = "https://api.synthetic.new/v2/search";
 
@@ -43,7 +43,7 @@ async function callSyntheticSearch(
 			Authorization: `Bearer ${apiKey}`,
 		},
 		body: JSON.stringify({ query }),
-		signal,
+		signal: withHardTimeout(signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/tavily.ts

@@ -10,7 +10,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { clampNumResults, dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { findCredential, isApiKeyAvailable } from "./utils";
+import { findCredential, isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const TAVILY_SEARCH_URL = "https://api.tavily.com/search";
 const DEFAULT_NUM_RESULTS = 5;
@@ -92,7 +92,7 @@ async function callTavilySearch(apiKey: string, params: TavilySearchParams): Pro
 			Authorization: `Bearer ${apiKey}`,
 		},
 		body: JSON.stringify(buildRequestBody(params)),
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/utils.ts

@@ -49,6 +49,36 @@ export async function isApiKeyAvailable(findApiKey: () => string | null | Promis
 	}
 }
 
+/**
+ * Default hard ceiling for a single web-search round-trip. 60s tolerates
+ * legitimate slow LLM-mediated responses (anthropic web_search_20250305,
+ * perplexity, gemini, codex) while still guaranteeing the session unfreezes
+ * within a minute if Bun's `AbortSignal` fails to propagate on Windows.
+ *
+ * Pure search APIs (brave, exa, jina, tavily, searxng, synthetic, zai)
+ * settle far faster in practice; reusing the same ceiling keeps the wiring
+ * uniform without compromising correctness.
+ */
+export const SEARCH_HARD_TIMEOUT_MS = 60_000;
+
+/**
+ * Compose a caller-supplied {@link AbortSignal} with a hard timeout so an
+ * outbound `fetch()` is guaranteed to settle within `ms` even when the
+ * runtime fails to propagate cancellation to the underlying transport.
+ *
+ * Bun's WinHTTP backend on Windows is known to ignore `AbortSignal` once a
+ * TCP/TLS connection stalls (oven-sh/bun#15275, oven-sh/bun#18536); without
+ * this safety net a stalled web-search request freezes the entire session
+ * because the user's Esc is never delivered to the native layer.
+ *
+ * @param signal - Caller cancellation signal, if any.
+ * @param ms - Hard timeout in milliseconds. Defaults to {@link SEARCH_HARD_TIMEOUT_MS}.
+ */
+export function withHardTimeout(signal: AbortSignal | undefined, ms: number = SEARCH_HARD_TIMEOUT_MS): AbortSignal {
+	const timeout = AbortSignal.timeout(ms);
+	return signal ? AbortSignal.any([signal, timeout]) : timeout;
+}
+
 /**
  * Map a provider's raw source list to the unified SearchSource shape,
  * clamped to the requested result count and annotated with ageSeconds.

package/src/web/search/providers/zai.ts

@@ -11,7 +11,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { findCredential, isApiKeyAvailable } from "./utils";
+import { findCredential, isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const ZAI_MCP_URL = "https://api.z.ai/api/mcp/web_search_prime/mcp";
 const ZAI_TOOL_NAME = "web_search_prime";
@@ -73,7 +73,7 @@ async function callZaiTool(apiKey: string, args: Record<string, unknown>, signal
 				arguments: args,
 			},
 		}),
-		signal,
+		signal: withHardTimeout(signal),
 	});
 
 	if (!response.ok) {