@oh-my-pi/pi-coding-agent 15.1.8 → 15.1.9

package/CHANGELOG.md

@@ -2,6 +2,28 @@
 
 ## [Unreleased]
 
+## [15.1.9] - 2026-05-21
+
+### Fixed
+
+- Fixed `disabledProviders` still probing local discovery endpoints for Ollama, llama.cpp, and LM Studio during background model refresh. Disabled providers are now excluded before implicit and built-in discovery managers are created. ([#1232](https://github.com/can1357/oh-my-pi/issues/1232))
+
+### Fixed
+
+- Fixed `omp acp` auto-discovering host `.mcp.json` servers in parallel with the ACP client's `session/new.mcpServers`, which shadowed client-supplied MCP tools in `search_tool_bm25` and the session tool registry. The ACP session factory now forces `enableMCP: false`, so MCP ownership stays with `AcpAgent#configureMcpServers`. Non-ACP modes keep on-disk discovery. ([#1234](https://github.com/can1357/oh-my-pi/issues/1234))
+
+### Fixed
+
+- Fixed binary `omp update` rollbacks so a downloaded replacement that fails post-install version verification no longer remains installed over the previous working binary. ([#1240](https://github.com/can1357/oh-my-pi/issues/1240))
+
+### Fixed
+
+- Fixed `/force <tool>` rejecting Ollama/local models before the requested tool could run; Ollama now receives a named forced choice that the provider transport narrows to the selected tool. ([#1236](https://github.com/can1357/oh-my-pi/issues/1236))
+
+### Fixed
+
+- Fixed `web_search` freezing the session when an upstream provider stalled. Bun's WinHTTP backend on Windows can silently drop `AbortSignal` once a TCP/TLS connection hangs (oven-sh/bun#15275, oven-sh/bun#18536), so Esc never reached the in-flight fetch and the only recovery was Ctrl+C + `omp --resume`. Every web-search provider's outbound `fetch` (anthropic, brave, codex, exa, gemini, jina, kagi, kimi, parallel, perplexity, searxng, synthetic, tavily, z.ai) now composes the caller signal with a 60s hard timeout via a shared `withHardTimeout` helper, guaranteeing the request settles within a minute even when Bun's abort fails to propagate. Independently, `executeSearch`'s provider-fallback loop was masking real cancellations as ordinary provider errors and returning "All web search providers failed"; it now re-throws as `ToolAbortError` the moment the caller's signal aborts, so the session sees a clean cancel on every platform. ([#1221](https://github.com/can1357/oh-my-pi/issues/1221))
+
 ## [15.1.8] - 2026-05-20
 
 ### Fixed

package/dist/types/cli/update-cli.d.ts

@@ -1,3 +1,17 @@
+/** Result from running the installed binary and parsing its reported version. */
+export interface InstalledVersionVerification {
+    ok: boolean;
+    actual?: string;
+    path?: string;
+}
+/** Paths and verifier used while replacing a downloaded binary update. */
+export interface BinaryReplacementOptions {
+    targetPath: string;
+    tempPath: string;
+    backupPath: string;
+    expectedVersion: string;
+    verifyInstalledVersion: (expectedVersion: string) => Promise<InstalledVersionVerification>;
+}
 /**
  * Parse update subcommand arguments.
  * Returns undefined if not an update command.
@@ -7,6 +21,10 @@ export declare function parseUpdateArgs(args: string[]): {
     check: boolean;
 } | undefined;
 export declare function resolveUpdateMethodForTest(ompPath: string, bunBinDir: string | undefined): "bun" | "binary";
+/**
+ * Atomically replace the installed binary and roll back if version verification fails.
+ */
+export declare function replaceBinaryForUpdate(options: BinaryReplacementOptions): Promise<InstalledVersionVerification>;
 /**
  * Run the update command.
  */

package/dist/types/main.d.ts

@@ -5,16 +5,40 @@
  * createAgentSession() options. The SDK does the heavy lifting.
  */
 import type { Args } from "./cli/args";
+import { ModelRegistry } from "./config/model-registry";
 import { Settings } from "./config/settings";
 import { InteractiveMode, runAcpMode } from "./modes";
 import type { SubmittedUserInput } from "./modes/types";
-import { createAgentSession, discoverAuthStorage } from "./sdk";
+import { type CreateAgentSessionOptions, type CreateAgentSessionResult, createAgentSession, discoverAuthStorage } from "./sdk";
 import type { AgentSession } from "./session/agent-session";
+import type { AuthStorage } from "./session/auth-storage";
 export interface InteractiveModeNotify {
     kind: "warn" | "error" | "info";
     message: string;
 }
 export declare function submitInteractiveInput(mode: Pick<InteractiveMode, "markPendingSubmissionStarted" | "finishPendingSubmission" | "showError" | "checkShutdownRequested">, session: Pick<AgentSession, "prompt" | "promptCustomMessage">, input: SubmittedUserInput): Promise<void>;
+type AcpSessionFactory = (cwd: string) => Promise<AgentSession>;
+export interface AcpSessionFactoryOptions {
+    baseOptions: CreateAgentSessionOptions;
+    settings: Settings;
+    sessionDir?: string;
+    authStorage: AuthStorage;
+    modelRegistry: ModelRegistry;
+    parsedArgs: Pick<Args, "apiKey">;
+    rawArgs: string[];
+    createSession: (options: CreateAgentSessionOptions) => Promise<CreateAgentSessionResult>;
+}
+/**
+ * Build the per-`session/new` factory used by ACP mode.
+ *
+ * MCP servers in ACP sessions are owned exclusively by the ACP client, which
+ * supplies them through `session/new.mcpServers` and re-applies them via
+ * {@link AcpAgent#configureMcpServers}. We therefore force `enableMCP: false`
+ * on every session created here so {@link createAgentSession} skips the on-disk
+ * `.mcp.json` discovery path — otherwise host MCP tools land in the session's
+ * tool registry and shadow the client-supplied servers (issue #1234).
+ */
+export declare function createAcpSessionFactory(args: AcpSessionFactoryOptions): AcpSessionFactory;
 interface RunRootCommandDependencies {
     createAgentSession?: typeof createAgentSession;
     discoverAuthStorage?: typeof discoverAuthStorage;

package/dist/types/utils/tool-choice.d.ts

@@ -1,6 +1,7 @@
 import type { Api, Model, ToolChoice } from "@oh-my-pi/pi-ai";
 /**
  * Build a provider-aware tool choice that targets one specific tool when supported.
- * Some providers only support "any tool" forcing, not a named tool.
+ * Providers that only expose required/any forcing may still honor named choices by
+ * narrowing their request tool list before transport.
  */
 export declare function buildNamedToolChoice(toolName: string, model?: Model<Api>): ToolChoice | undefined;

package/dist/types/web/search/providers/utils.d.ts

@@ -12,6 +12,31 @@ export declare function findCredential(envKey: string | null | undefined, ...sto
  * Swallows lookup errors and reports unavailability.
  */
 export declare function isApiKeyAvailable(findApiKey: () => string | null | Promise<string | null>): Promise<boolean>;
+/**
+ * Default hard ceiling for a single web-search round-trip. 60s tolerates
+ * legitimate slow LLM-mediated responses (anthropic web_search_20250305,
+ * perplexity, gemini, codex) while still guaranteeing the session unfreezes
+ * within a minute if Bun's `AbortSignal` fails to propagate on Windows.
+ *
+ * Pure search APIs (brave, exa, jina, tavily, searxng, synthetic, zai)
+ * settle far faster in practice; reusing the same ceiling keeps the wiring
+ * uniform without compromising correctness.
+ */
+export declare const SEARCH_HARD_TIMEOUT_MS = 60000;
+/**
+ * Compose a caller-supplied {@link AbortSignal} with a hard timeout so an
+ * outbound `fetch()` is guaranteed to settle within `ms` even when the
+ * runtime fails to propagate cancellation to the underlying transport.
+ *
+ * Bun's WinHTTP backend on Windows is known to ignore `AbortSignal` once a
+ * TCP/TLS connection stalls (oven-sh/bun#15275, oven-sh/bun#18536); without
+ * this safety net a stalled web-search request freezes the entire session
+ * because the user's Esc is never delivered to the native layer.
+ *
+ * @param signal - Caller cancellation signal, if any.
+ * @param ms - Hard timeout in milliseconds. Defaults to {@link SEARCH_HARD_TIMEOUT_MS}.
+ */
+export declare function withHardTimeout(signal: AbortSignal | undefined, ms?: number): AbortSignal;
 /**
  * Map a provider's raw source list to the unified SearchSource shape,
  * clamped to the requested result count and annotated with ageSeconds.

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@oh-my-pi/pi-coding-agent",
-	"version": "15.1.8",
+	"version": "15.1.9",
 	"description": "Coding agent CLI with read, bash, edit, write tools and session management",
 	"homepage": "https://omp.sh",
 	"author": "Can Boluk",
@@ -47,12 +47,12 @@
 		"@agentclientprotocol/sdk": "0.21.0",
 		"@babel/parser": "^7.29.3",
 		"@mozilla/readability": "^0.6.0",
-		"@oh-my-pi/omp-stats": "15.1.8",
-		"@oh-my-pi/pi-agent-core": "15.1.8",
-		"@oh-my-pi/pi-ai": "15.1.8",
-		"@oh-my-pi/pi-natives": "15.1.8",
-		"@oh-my-pi/pi-tui": "15.1.8",
-		"@oh-my-pi/pi-utils": "15.1.8",
+		"@oh-my-pi/omp-stats": "15.1.9",
+		"@oh-my-pi/pi-agent-core": "15.1.9",
+		"@oh-my-pi/pi-ai": "15.1.9",
+		"@oh-my-pi/pi-natives": "15.1.9",
+		"@oh-my-pi/pi-tui": "15.1.9",
+		"@oh-my-pi/pi-utils": "15.1.9",
 		"@puppeteer/browsers": "^2.13.0",
 		"@types/turndown": "5.0.6",
 		"@xterm/headless": "^6.0.0",

package/src/cli/update-cli.ts

@@ -20,6 +20,22 @@ interface ReleaseInfo {
 	version: string;
 }
 
+/** Result from running the installed binary and parsing its reported version. */
+export interface InstalledVersionVerification {
+	ok: boolean;
+	actual?: string;
+	path?: string;
+}
+
+/** Paths and verifier used while replacing a downloaded binary update. */
+export interface BinaryReplacementOptions {
+	targetPath: string;
+	tempPath: string;
+	backupPath: string;
+	expectedVersion: string;
+	verifyInstalledVersion: (expectedVersion: string) => Promise<InstalledVersionVerification>;
+}
+
 /**
  * Parse update subcommand arguments.
  * Returns undefined if not an update command.
@@ -197,9 +213,7 @@ function resolveOmpPath(): string | undefined {
 /**
  * Run the resolved omp binary and check if it reports the expected version.
  */
-async function verifyInstalledVersion(
-	expectedVersion: string,
-): Promise<{ ok: boolean; actual?: string; path?: string }> {
+async function verifyInstalledVersion(expectedVersion: string): Promise<InstalledVersionVerification> {
 	const ompPath = resolveOmpPath();
 	if (!ompPath) return { ok: false };
 	try {
@@ -215,29 +229,69 @@ async function verifyInstalledVersion(
 	}
 }
 
+function printVerifiedVersion(expectedVersion: string): void {
+	console.log(chalk.green(`\n${theme.status.success} Updated to ${expectedVersion}`));
+}
+
+function formatVerificationFailure(result: InstalledVersionVerification, expectedVersion: string): string {
+	if (result.actual) {
+		return `${APP_NAME} at ${result.path} still reports ${result.actual} (expected ${expectedVersion})`;
+	}
+	return `could not verify updated version${result.path ? ` at ${result.path}` : ""}`;
+}
+
 /**
  * Print post-update verification result.
  */
 async function printVerification(expectedVersion: string): Promise<void> {
 	const result = await verifyInstalledVersion(expectedVersion);
 	if (result.ok) {
-		console.log(chalk.green(`\n${theme.status.success} Updated to ${expectedVersion}`));
+		printVerifiedVersion(expectedVersion);
 		return;
 	}
-	if (result.actual) {
-		console.log(
-			chalk.yellow(
-				`\nWarning: ${APP_NAME} at ${result.path} still reports ${result.actual} (expected ${expectedVersion})`,
-			),
-		);
-	} else {
-		console.log(
-			chalk.yellow(`\nWarning: could not verify updated version${result.path ? ` at ${result.path}` : ""}`),
-		);
-	}
+	console.log(chalk.yellow(`\nWarning: ${formatVerificationFailure(result, expectedVersion)}`));
 	console.log(chalk.yellow(`You may need to reinstall: curl -fsSL https://omp.sh/install | sh`));
 }
 
+async function unlinkIfExists(filePath: string): Promise<void> {
+	try {
+		await fs.promises.unlink(filePath);
+	} catch (err) {
+		if (!isEnoent(err)) throw err;
+	}
+}
+
+/**
+ * Atomically replace the installed binary and roll back if version verification fails.
+ */
+export async function replaceBinaryForUpdate(options: BinaryReplacementOptions): Promise<InstalledVersionVerification> {
+	let backupReady = false;
+	try {
+		await unlinkIfExists(options.backupPath);
+		await fs.promises.rename(options.targetPath, options.backupPath);
+		backupReady = true;
+		await fs.promises.rename(options.tempPath, options.targetPath);
+
+		const verification = await options.verifyInstalledVersion(options.expectedVersion);
+		if (!verification.ok) {
+			throw new Error(
+				`${formatVerificationFailure(verification, options.expectedVersion)}; restored previous ${APP_NAME} binary`,
+			);
+		}
+
+		backupReady = false;
+		await unlinkIfExists(options.backupPath);
+		return verification;
+	} catch (err) {
+		if (backupReady) {
+			await unlinkIfExists(options.targetPath);
+			await fs.promises.rename(options.backupPath, options.targetPath);
+		}
+		await unlinkIfExists(options.tempPath);
+		throw err;
+	}
+}
+
 /**
  * Update via bun package manager.
  */
@@ -271,27 +325,15 @@ async function updateViaBinaryAt(targetPath: string, expectedVersion: string): P
 	await pipeline(response.body, fileStream);
 
 	console.log(chalk.dim("Installing update..."));
-	try {
-		try {
-			await fs.promises.unlink(backupPath);
-		} catch (err) {
-			if (!isEnoent(err)) throw err;
-		}
-		await fs.promises.rename(targetPath, backupPath);
-		await fs.promises.rename(tempPath, targetPath);
-		await fs.promises.unlink(backupPath);
-
-		await printVerification(expectedVersion);
-		console.log(chalk.dim(`Restart ${APP_NAME} to use the new version`));
-	} catch (err) {
-		if (fs.existsSync(backupPath) && !fs.existsSync(targetPath)) {
-			await fs.promises.rename(backupPath, targetPath);
-		}
-		if (fs.existsSync(tempPath)) {
-			await fs.promises.unlink(tempPath);
-		}
-		throw err;
-	}
+	await replaceBinaryForUpdate({
+		targetPath,
+		tempPath,
+		backupPath,
+		expectedVersion,
+		verifyInstalledVersion,
+	});
+	printVerifiedVersion(expectedVersion);
+	console.log(chalk.dim(`Restart ${APP_NAME} to use the new version`));
 }
 
 /**

package/src/config/model-registry.ts

@@ -1017,7 +1017,8 @@ export class ModelRegistry {
 	}
 
 	#addImplicitDiscoverableProviders(configuredProviders: Set<string>): void {
-		if (!configuredProviders.has("ollama")) {
+		const disabledProviders = getDisabledProviderIdsFromSettings();
+		if (!configuredProviders.has("ollama") && !disabledProviders.has("ollama")) {
 			this.#discoverableProviders.push({
 				provider: "ollama",
 				api: "openai-responses",
@@ -1027,7 +1028,7 @@ export class ModelRegistry {
 			});
 			this.#keylessProviders.add("ollama");
 		}
-		if (!configuredProviders.has("llama.cpp")) {
+		if (!configuredProviders.has("llama.cpp") && !disabledProviders.has("llama.cpp")) {
 			this.#discoverableProviders.push({
 				provider: "llama.cpp",
 				api: "openai-responses",
@@ -1040,7 +1041,7 @@ export class ModelRegistry {
 				this.#keylessProviders.add("llama.cpp");
 			}
 		}
-		if (!configuredProviders.has("lm-studio")) {
+		if (!configuredProviders.has("lm-studio") && !disabledProviders.has("lm-studio")) {
 			this.#discoverableProviders.push({
 				provider: "lm-studio",
 				api: "openai-completions",
@@ -1160,9 +1161,12 @@ export class ModelRegistry {
 		strategy: ModelRefreshStrategy,
 		providerFilter?: ReadonlySet<string>,
 	): Promise<void> {
-		const selectedDiscoverableProviders = providerFilter
-			? this.#discoverableProviders.filter(provider => providerFilter.has(provider.provider))
-			: this.#discoverableProviders;
+		const disabledProviders = getDisabledProviderIdsFromSettings();
+		const selectedDiscoverableProviders = (
+			providerFilter
+				? this.#discoverableProviders.filter(provider => providerFilter.has(provider.provider))
+				: this.#discoverableProviders
+		).filter(provider => !disabledProviders.has(provider.provider));
 		const configuredDiscoveriesPromise =
 			selectedDiscoverableProviders.length === 0
 				? Promise.resolve<Model<Api>[]>([])
@@ -1366,17 +1370,24 @@ export class ModelRegistry {
 				},
 			},
 		];
+		const disabledProviders = getDisabledProviderIdsFromSettings();
+		const standardProviderDescriptors = PROVIDER_DESCRIPTORS.filter(
+			descriptor => !disabledProviders.has(descriptor.providerId),
+		);
+		const enabledSpecialProviderDescriptors = specialProviderDescriptors.filter(
+			descriptor => !disabledProviders.has(descriptor.providerId),
+		);
 		// Use peekApiKey to avoid OAuth token refresh during discovery.
 		// The token is only needed if the dynamic fetch fires (cache miss),
 		// and failures there are handled gracefully.
 		const peekKey = (descriptor: { providerId: string }) => this.#peekApiKeyForProvider(descriptor.providerId);
 		const [standardProviderKeys, specialKeys] = await Promise.all([
-			Promise.all(PROVIDER_DESCRIPTORS.map(peekKey)),
-			Promise.all(specialProviderDescriptors.map(peekKey)),
+			Promise.all(standardProviderDescriptors.map(peekKey)),
+			Promise.all(enabledSpecialProviderDescriptors.map(peekKey)),
 		]);
 		const options: ModelManagerOptions<Api>[] = [];
-		for (let i = 0; i < PROVIDER_DESCRIPTORS.length; i++) {
-			const descriptor = PROVIDER_DESCRIPTORS[i];
+		for (let i = 0; i < standardProviderDescriptors.length; i++) {
+			const descriptor = standardProviderDescriptors[i];
 			const apiKey = standardProviderKeys[i];
 			if (isAuthenticated(apiKey) || descriptor.allowUnauthenticated) {
 				options.push(
@@ -1388,8 +1399,8 @@ export class ModelRegistry {
 			}
 		}
 
-		for (let i = 0; i < specialProviderDescriptors.length; i++) {
-			const descriptor = specialProviderDescriptors[i];
+		for (let i = 0; i < enabledSpecialProviderDescriptors.length; i++) {
+			const descriptor = enabledSpecialProviderDescriptors[i];
 			const key = descriptor.resolveKey(specialKeys[i]);
 			if (!isAuthenticated(key)) {
 				continue;

package/src/main.ts

@@ -199,7 +199,7 @@ function applyExtensionFlagValues(session: AgentSession, rawArgs: string[]): Map
 
 type AcpSessionFactory = (cwd: string) => Promise<AgentSession>;
 
-interface AcpSessionFactoryOptions {
+export interface AcpSessionFactoryOptions {
 	baseOptions: CreateAgentSessionOptions;
 	settings: Settings;
 	sessionDir?: string;
@@ -210,7 +210,17 @@ interface AcpSessionFactoryOptions {
 	createSession: (options: CreateAgentSessionOptions) => Promise<CreateAgentSessionResult>;
 }
 
-function createAcpSessionFactory(args: AcpSessionFactoryOptions): AcpSessionFactory {
+/**
+ * Build the per-`session/new` factory used by ACP mode.
+ *
+ * MCP servers in ACP sessions are owned exclusively by the ACP client, which
+ * supplies them through `session/new.mcpServers` and re-applies them via
+ * {@link AcpAgent#configureMcpServers}. We therefore force `enableMCP: false`
+ * on every session created here so {@link createAgentSession} skips the on-disk
+ * `.mcp.json` discovery path — otherwise host MCP tools land in the session's
+ * tool registry and shadow the client-supplied servers (issue #1234).
+ */
+export function createAcpSessionFactory(args: AcpSessionFactoryOptions): AcpSessionFactory {
 	return async cwd => {
 		const nextSettings = await args.settings.cloneForCwd(cwd);
 		const nextSessionManager = SessionManager.create(cwd, args.sessionDir);
@@ -224,6 +234,7 @@ function createAcpSessionFactory(args: AcpSessionFactoryOptions): AcpSessionFact
 			modelRegistry: args.modelRegistry,
 			agentId,
 			hasUI: false,
+			enableMCP: false,
 		});
 		if (args.parsedArgs.apiKey && !args.baseOptions.model && nextSession.model) {
 			args.authStorage.setRuntimeApiKey(nextSession.model.provider, args.parsedArgs.apiKey);

package/src/prompts/agents/oracle.md

@@ -1,19 +1,17 @@
 ---
 name: oracle
-description: Deep reasoning advisor for debugging dead ends, architecture decisions, and second opinions. Read-only.
+description: Wise senior engineer to consult or delegate work to — debugging, architecture, second opinions, and hands-on implementation when asked.
 spawns: explore
 model: pi/slow
 thinking-level: xhigh
 blocking: true
 ---
 
-You are a senior diagnostician and strategic technical advisor. You receive problems other agents are stuck on — doom loops, mysterious failures, architectural tradeoffs, subtle bugs — and return clear, actionable analysis.
+You are the wise guy on the team — a senior engineer with deep judgment that other agents consult when they are stuck, uncertain, or need a second opinion. You also take direct delegation: if the caller hands you work, you do it, including reads, writes, edits, and running commands.
 
-You diagnose, explain, and recommend. You do not implement. Others act on your findings.
-
-<critical>
-You MUST operate as read-only. You NEVER write, edit, or modify files, nor execute any state-changing commands.
-</critical>
+You diagnose, decide, and execute. You match the mode to the ask:
+- **Consult**: explain the root cause, lay out tradeoffs, recommend a path.
+- **Delegate**: carry the work to completion — modify files, run verification, deliver a finished change.
 
 <directives>
 - You MUST reason from first principles. The caller already tried the obvious.
@@ -23,6 +21,7 @@ You MUST operate as read-only. You NEVER write, edit, or modify files, nor execu
 - You SHOULD consider at least two hypotheses before converging on one.
 - You SHOULD invoke tools in parallel when investigating multiple hypotheses.
 - When the problem is architectural, you MUST weigh tradeoffs explicitly: what does each option cost, what does it buy, what does it foreclose.
+- When delegated implementation work, you MUST finish it: edit the files, run the relevant tests/checks, and report exactly what changed.
 </directives>
 
 <decision-framework>
@@ -35,22 +34,22 @@ Apply pragmatic minimalism:
 </decision-framework>
 
 <procedure>
-1. Read the problem statement carefully. Identify what was already tried and why it failed.
-2. Form 2-3 hypotheses for the root cause.
+1. Read the problem statement carefully. Identify what was already tried, what failed, and whether the caller wants advice or execution.
+2. Form 2-3 hypotheses for the root cause (for diagnosis) or 2-3 viable approaches (for design).
 3. Use tools to gather evidence — read relevant code, trace data flow, check types, grep for related patterns. Parallelize independent reads.
-4. Eliminate hypotheses based on evidence. Narrow to the most likely cause.
-5. If the problem is a decision (not a bug), lay out options with concrete tradeoffs.
-6. Deliver a clear verdict with supporting evidence.
+4. Eliminate hypotheses based on evidence. Narrow to the most likely cause or best approach.
+5. If consulting: deliver verdict with supporting evidence and a concrete recommendation.
+6. If implementing: make the changes, verify them, and report the diff and verification result.
 </procedure>
+
 <scope-discipline>
-- Recommend ONLY what was asked. No unsolicited improvements.
+- Do ONLY what was asked. No unsolicited refactors or improvements.
 - If you notice other issues, list at most 2 as "Optional future considerations" at the end.
 - You NEVER expand the problem surface beyond the original request.
 - Exhaust provided context before reaching for tools. External lookups fill genuine gaps, not curiosity.
 </scope-discipline>
 
 <critical>
-You MUST keep going until you have a clear answer or have exhausted available evidence.
-Before finalizing: re-scan for unstated assumptions, verify claims are grounded in code not invented, check for overly strong language not justified by evidence.
-This matters. The caller is stuck. Get it right.
+You MUST keep going until the problem is solved or the work is finished. Before finalizing: re-scan for unstated assumptions, verify claims are grounded in code not invented, check for overly strong language not justified by evidence.
+The caller came to you because they trust your judgment. Get it right.
 </critical>

package/src/utils/tool-choice.ts

@@ -2,7 +2,8 @@ import type { Api, Model, ToolChoice } from "@oh-my-pi/pi-ai";
 
 /**
  * Build a provider-aware tool choice that targets one specific tool when supported.
- * Some providers only support "any tool" forcing, not a named tool.
+ * Providers that only expose required/any forcing may still honor named choices by
+ * narrowing their request tool list before transport.
  */
 export function buildNamedToolChoice(toolName: string, model?: Model<Api>): ToolChoice | undefined {
 	if (!model) return undefined;
@@ -20,12 +21,11 @@ export function buildNamedToolChoice(toolName: string, model?: Model<Api>): Tool
 		return { type: "function", name: toolName };
 	}
 
-	if (
-		model.api === "google-generative-ai" ||
-		model.api === "google-gemini-cli" ||
-		model.api === "google-vertex" ||
-		model.api === "ollama-chat"
-	) {
+	if (model.api === "ollama-chat") {
+		return { type: "function", name: toolName };
+	}
+
+	if (model.api === "google-generative-ai" || model.api === "google-gemini-cli" || model.api === "google-vertex") {
 		return "required";
 	}
 

package/src/web/kagi.ts

@@ -1,5 +1,5 @@
 import { getEnvApiKey } from "@oh-my-pi/pi-ai";
-import { findCredential } from "./search/providers/utils";
+import { findCredential, withHardTimeout } from "./search/providers/utils";
 
 const KAGI_SEARCH_URL = "https://kagi.com/api/v0/search";
 
@@ -138,7 +138,7 @@ export async function searchWithKagi(query: string, options: KagiSearchOptions =
 
 	const response = await fetch(requestUrl, {
 		headers: getAuthHeaders(apiKey),
-		signal: options.signal,
+		signal: withHardTimeout(options.signal),
 	});
 	if (!response.ok) {
 		throw parseKagiErrorResponse(response.status, await response.text());

package/src/web/parallel.ts

@@ -1,5 +1,5 @@
 import { getEnvApiKey } from "@oh-my-pi/pi-ai";
-import { findCredential } from "./search/providers/utils";
+import { findCredential, withHardTimeout } from "./search/providers/utils";
 
 const PARALLEL_API_URL = "https://api.parallel.ai";
 const PARALLEL_SEARCH_URL = `${PARALLEL_API_URL}/v1beta/search`;
@@ -304,7 +304,7 @@ export async function searchWithParallel(
 				max_chars_per_result: options.maxCharsPerResult ?? 10_000,
 			},
 		}),
-		signal: options.signal,
+		signal: withHardTimeout(options.signal),
 	});
 	if (!response.ok) {
 		throw parseParallelErrorResponse(response.status, await response.text());
@@ -335,7 +335,7 @@ export async function extractWithParallel(
 			excerpts: options.excerpts ?? true,
 			full_content: options.fullContent ?? false,
 		}),
-		signal: options.signal,
+		signal: withHardTimeout(options.signal),
 	});
 	if (!response.ok) {
 		throw parseParallelErrorResponse(response.status, await response.text());

package/src/web/search/index.ts

@@ -14,6 +14,7 @@ import webSearchSystemPrompt from "../../prompts/system/web-search.md" with { ty
 import webSearchDescription from "../../prompts/tools/web-search.md" with { type: "text" };
 import type { ToolSession } from "../../tools";
 import { formatAge } from "../../tools/render-utils";
+import { throwIfAborted } from "../../tools/tool-errors";
 import { getSearchProvider, getSearchProviderLabel, resolveProviderChain, type SearchProvider } from "./provider";
 import { renderSearchCall, renderSearchResult, type SearchRenderDetails } from "./render";
 import type { SearchProviderId, SearchResponse } from "./types";
@@ -161,6 +162,12 @@ async function executeSearch(
 				details: { response },
 			};
 		} catch (error) {
+			// Surface user-initiated cancellation immediately so the session sees
+			// a clean abort instead of a generic "all providers failed" message.
+			// Without this, an AbortError from `fetch()` is treated as a provider
+			// failure and the loop falls through to the next provider (or to the
+			// summary error), masking the cancellation.
+			throwIfAborted(signal);
 			lastError = error;
 		}
 	}

package/src/web/search/providers/anthropic.ts

@@ -24,12 +24,12 @@ import type {
 import { SearchProviderError } from "../../../web/search/types";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const DEFAULT_MODEL = "claude-haiku-4-5";
 const DEFAULT_MAX_TOKENS = 4096;
 const WEB_SEARCH_TOOL_NAME = "web_search";
 const WEB_SEARCH_TOOL_TYPE = "web_search_20250305";
-
 export interface AnthropicSearchParams {
 	query: string;
 	system_prompt?: string;
@@ -118,7 +118,7 @@ async function callSearch(
 		method: "POST",
 		headers,
 		body: JSON.stringify(body),
-		signal,
+		signal: withHardTimeout(signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/brave.ts

@@ -10,7 +10,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { clampNumResults, dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { isApiKeyAvailable } from "./utils";
+import { isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const BRAVE_SEARCH_URL = "https://api.search.brave.com/res/v1/web/search";
 const DEFAULT_NUM_RESULTS = 10;
@@ -85,7 +85,7 @@ async function callBraveSearch(
 			Accept: "application/json",
 			"X-Subscription-Token": apiKey,
 		},
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/codex.ts

@@ -15,6 +15,7 @@ import type { SearchResponse, SearchSource } from "../../../web/search/types";
 import { SearchProviderError } from "../../../web/search/types";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const CODEX_BASE_URL = "https://chatgpt.com/backend-api";
 const CODEX_RESPONSES_PATH = "/codex/responses";
@@ -338,7 +339,7 @@ async function callCodexSearch(
 		method: "POST",
 		headers,
 		body: JSON.stringify(body),
-		signal: options.signal,
+		signal: withHardTimeout(options.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/exa.ts

@@ -14,6 +14,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const EXA_API_URL = "https://api.exa.ai/search";
 
@@ -180,7 +181,7 @@ async function callExaSearch(apiKey: string, params: ExaSearchParams): Promise<E
 			"x-api-key": apiKey,
 		},
 		body: JSON.stringify(body),
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/gemini.ts

@@ -15,6 +15,7 @@ import type { SearchCitation, SearchResponse, SearchSource } from "../../../web/
 import { SearchProviderError } from "../../../web/search/types";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const DEFAULT_ENDPOINT = "https://cloudcode-pa.googleapis.com";
 const ANTIGRAVITY_DAILY_ENDPOINT = "https://daily-cloudcode-pa.googleapis.com";
@@ -310,7 +311,7 @@ async function callGeminiSearch(
 			...headers,
 		},
 		body: JSON.stringify(requestBody),
-		signal,
+		signal: withHardTimeout(signal),
 	});
 	const urlFor = (attempt: number) =>
 		`${endpoints[Math.min(attempt, endpoints.length - 1)]}/v1internal:streamGenerateContent?alt=sse`;

package/src/web/search/providers/jina.ts

@@ -10,7 +10,7 @@ import type { SearchResponse, SearchSource } from "../../../web/search/types";
 import { SearchProviderError } from "../../../web/search/types";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { isApiKeyAvailable } from "./utils";
+import { isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const JINA_SEARCH_URL = "https://s.jina.ai";
 
@@ -41,7 +41,7 @@ async function callJinaSearch(apiKey: string, query: string, signal?: AbortSigna
 			Accept: "application/json",
 			Authorization: `Bearer ${apiKey}`,
 		},
-		signal,
+		signal: withHardTimeout(signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/kimi.ts

@@ -11,7 +11,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { clampNumResults, dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { findCredential, isApiKeyAvailable } from "./utils";
+import { findCredential, isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const KIMI_SEARCH_URL = "https://api.kimi.com/coding/v1/search";
 
@@ -78,7 +78,7 @@ async function callKimiSearch(
 			enable_page_crawling: params.includeContent,
 			timeout_seconds: DEFAULT_TIMEOUT_SECONDS,
 		}),
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/perplexity.ts

@@ -22,6 +22,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const PERPLEXITY_API_URL = "https://api.perplexity.ai/chat/completions";
 const PERPLEXITY_OAUTH_ASK_URL = "https://www.perplexity.ai/rest/sse/perplexity_ask";
@@ -247,7 +248,7 @@ async function callPerplexityApi(
 			"Content-Type": "application/json",
 		},
 		body: JSON.stringify(request),
-		signal,
+		signal: withHardTimeout(signal),
 	});
 
 	if (!response.ok) {
@@ -364,7 +365,7 @@ async function callPerplexityOAuth(
 				skip_search_enabled: true,
 			},
 		}),
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/searxng.ts

@@ -31,6 +31,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { clampNumResults, dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
+import { withHardTimeout } from "./utils";
 
 const DEFAULT_NUM_RESULTS = 10;
 const MAX_NUM_RESULTS = 20;
@@ -211,7 +212,7 @@ async function callSearXNGSearch(
 
 	const response = await fetch(url, {
 		headers,
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/synthetic.ts

@@ -10,7 +10,7 @@ import type { SearchResponse, SearchSource } from "../../../web/search/types";
 import { SearchProviderError } from "../../../web/search/types";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { findCredential, isApiKeyAvailable } from "./utils";
+import { findCredential, isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const SYNTHETIC_SEARCH_URL = "https://api.synthetic.new/v2/search";
 
@@ -43,7 +43,7 @@ async function callSyntheticSearch(
 			Authorization: `Bearer ${apiKey}`,
 		},
 		body: JSON.stringify({ query }),
-		signal,
+		signal: withHardTimeout(signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/tavily.ts

@@ -10,7 +10,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { clampNumResults, dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { findCredential, isApiKeyAvailable } from "./utils";
+import { findCredential, isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const TAVILY_SEARCH_URL = "https://api.tavily.com/search";
 const DEFAULT_NUM_RESULTS = 5;
@@ -92,7 +92,7 @@ async function callTavilySearch(apiKey: string, params: TavilySearchParams): Pro
 			Authorization: `Bearer ${apiKey}`,
 		},
 		body: JSON.stringify(buildRequestBody(params)),
-		signal: params.signal,
+		signal: withHardTimeout(params.signal),
 	});
 
 	if (!response.ok) {

package/src/web/search/providers/utils.ts

@@ -49,6 +49,36 @@ export async function isApiKeyAvailable(findApiKey: () => string | null | Promis
 	}
 }
 
+/**
+ * Default hard ceiling for a single web-search round-trip. 60s tolerates
+ * legitimate slow LLM-mediated responses (anthropic web_search_20250305,
+ * perplexity, gemini, codex) while still guaranteeing the session unfreezes
+ * within a minute if Bun's `AbortSignal` fails to propagate on Windows.
+ *
+ * Pure search APIs (brave, exa, jina, tavily, searxng, synthetic, zai)
+ * settle far faster in practice; reusing the same ceiling keeps the wiring
+ * uniform without compromising correctness.
+ */
+export const SEARCH_HARD_TIMEOUT_MS = 60_000;
+
+/**
+ * Compose a caller-supplied {@link AbortSignal} with a hard timeout so an
+ * outbound `fetch()` is guaranteed to settle within `ms` even when the
+ * runtime fails to propagate cancellation to the underlying transport.
+ *
+ * Bun's WinHTTP backend on Windows is known to ignore `AbortSignal` once a
+ * TCP/TLS connection stalls (oven-sh/bun#15275, oven-sh/bun#18536); without
+ * this safety net a stalled web-search request freezes the entire session
+ * because the user's Esc is never delivered to the native layer.
+ *
+ * @param signal - Caller cancellation signal, if any.
+ * @param ms - Hard timeout in milliseconds. Defaults to {@link SEARCH_HARD_TIMEOUT_MS}.
+ */
+export function withHardTimeout(signal: AbortSignal | undefined, ms: number = SEARCH_HARD_TIMEOUT_MS): AbortSignal {
+	const timeout = AbortSignal.timeout(ms);
+	return signal ? AbortSignal.any([signal, timeout]) : timeout;
+}
+
 /**
  * Map a provider's raw source list to the unified SearchSource shape,
  * clamped to the requested result count and annotated with ageSeconds.

package/src/web/search/providers/zai.ts

@@ -11,7 +11,7 @@ import { SearchProviderError } from "../../../web/search/types";
 import { dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { findCredential, isApiKeyAvailable } from "./utils";
+import { findCredential, isApiKeyAvailable, withHardTimeout } from "./utils";
 
 const ZAI_MCP_URL = "https://api.z.ai/api/mcp/web_search_prime/mcp";
 const ZAI_TOOL_NAME = "web_search_prime";
@@ -73,7 +73,7 @@ async function callZaiTool(apiKey: string, args: Record<string, unknown>, signal
 				arguments: args,
 			},
 		}),
-		signal,
+		signal: withHardTimeout(signal),
 	});
 
 	if (!response.ok) {