@oh-my-pi/pi-coding-agent 15.3.2 → 15.4.1

package/src/web/search/provider.ts

@@ -8,6 +8,7 @@
 // The `label`/`id` metadata is kept inline so callers needing a display name
 // (error formatting, UI listings) do not force a load.
 
+import type { AuthStorage } from "@oh-my-pi/pi-ai";
 import type { SearchProvider } from "./providers/base";
 import type { SearchProviderId } from "./types";
 
@@ -64,7 +65,7 @@ const PROVIDER_META: Record<SearchProviderId, ProviderMeta> = {
 	},
 	codex: {
 		id: "codex",
-		label: "Codex",
+		label: "OpenAI",
 		load: async () => new (await import("./providers/codex")).CodexProvider(),
 	},
 	tavily: {
@@ -148,13 +149,14 @@ export function setPreferredSearchProvider(provider: SearchProviderId | "auto"):
  * is walked, so unconfigured providers never pay the load cost.
  */
 export async function resolveProviderChain(
+	authStorage: AuthStorage,
 	preferredProvider: SearchProviderId | "auto" = preferredProvId,
 ): Promise<SearchProvider[]> {
 	const providers: SearchProvider[] = [];
 
 	if (preferredProvider !== "auto") {
 		const provider = await getSearchProvider(preferredProvider);
-		if (await provider.isAvailable()) {
+		if (await provider.isAvailable(authStorage)) {
 			providers.push(provider);
 		}
 	}
@@ -162,7 +164,7 @@ export async function resolveProviderChain(
 	for (const id of SEARCH_PROVIDER_ORDER) {
 		if (id === preferredProvider) continue;
 		const provider = await getSearchProvider(id);
-		if (await provider.isAvailable()) {
+		if (await provider.isAvailable(authStorage)) {
 			providers.push(provider);
 		}
 	}

package/src/web/search/providers/anthropic.ts

@@ -7,10 +7,11 @@
 import {
 	type AnthropicAuthConfig,
 	type AnthropicSystemBlock,
+	type AuthStorage,
+	buildAnthropicAuthConfig,
 	buildAnthropicSearchHeaders,
 	buildAnthropicSystemBlocks,
 	buildAnthropicUrl,
-	findAnthropicAuth,
 	stripClaudeToolPrefix,
 } from "@oh-my-pi/pi-ai";
 import { $env } from "@oh-my-pi/pi-utils";
@@ -34,9 +35,7 @@ export interface AnthropicSearchParams {
 	query: string;
 	system_prompt?: string;
 	num_results?: number;
-	/** Maximum output tokens. Defaults to 4096. */
 	max_tokens?: number;
-	/** Sampling temperature (0–1). Lower = more focused/factual. */
 	temperature?: number;
 	signal?: AbortSignal;
 }
@@ -242,30 +241,47 @@ function parseResponse(response: AnthropicApiResponse): SearchResponse {
  * @returns Search response with synthesized answer, sources, and citations
  * @throws {Error} If no Anthropic credentials are configured
  */
-export async function searchAnthropic(params: AnthropicSearchParams): Promise<SearchResponse> {
-	const auth = await findAnthropicAuth();
+export async function searchAnthropic(
+	params: SearchParams | AnthropicSearchParams,
+	_legacyStorage?: unknown,
+): Promise<SearchResponse> {
+	const searchApiKey = $env.ANTHROPIC_SEARCH_API_KEY;
+	const searchBaseUrl = $env.ANTHROPIC_SEARCH_BASE_URL;
+	let auth: AnthropicAuthConfig | undefined;
+
+	if (searchApiKey) {
+		auth = buildAnthropicAuthConfig(searchApiKey, searchBaseUrl);
+	} else if ("authStorage" in params) {
+		const apiKey = await params.authStorage.getApiKey("anthropic", params.sessionId, {
+			signal: params.signal,
+		});
+		if (apiKey) auth = buildAnthropicAuthConfig(apiKey);
+	}
+
 	if (!auth) {
 		throw new Error(
-			"No Anthropic credentials found. Set ANTHROPIC_API_KEY or configure OAuth in ~/.omp/agent/agent.db",
+			"No Anthropic credentials found. Set ANTHROPIC_SEARCH_API_KEY or ANTHROPIC_API_KEY, or configure Anthropic OAuth.",
 		);
 	}
 
 	const model = getModel();
+	const systemPrompt = "authStorage" in params ? params.systemPrompt : params.system_prompt;
+	const maxTokens = "authStorage" in params ? params.maxOutputTokens : params.max_tokens;
 	const response = await callSearch(
 		auth,
 		model,
 		params.query,
-		params.system_prompt,
-		params.max_tokens,
+		systemPrompt,
+		maxTokens,
 		params.temperature,
 		params.signal,
 	);
 
 	const result = parseResponse(response);
 
-	// Apply num_results limit if specified
-	if (params.num_results && result.sources.length > params.num_results) {
-		result.sources = result.sources.slice(0, params.num_results);
+	const numResults = "authStorage" in params ? (params.numSearchResults ?? params.limit) : params.num_results;
+	if (numResults && result.sources.length > numResults) {
+		result.sources = result.sources.slice(0, numResults);
 	}
 
 	return result;
@@ -276,18 +292,11 @@ export class AnthropicProvider extends SearchProvider {
 	readonly id = "anthropic";
 	readonly label = "Anthropic";
 
-	isAvailable() {
-		return findAnthropicAuth().then(Boolean);
+	isAvailable(authStorage: AuthStorage): Promise<boolean> | boolean {
+		return Boolean($env.ANTHROPIC_SEARCH_API_KEY) || authStorage.hasAuth("anthropic");
 	}
 
 	search(params: SearchParams): Promise<SearchResponse> {
-		return searchAnthropic({
-			query: params.query,
-			system_prompt: params.systemPrompt,
-			num_results: params.numSearchResults ?? params.limit,
-			max_tokens: params.maxOutputTokens,
-			temperature: params.temperature,
-			signal: params.signal,
-		});
+		return searchAnthropic(params);
 	}
 }

package/src/web/search/providers/base.ts

@@ -1,6 +1,16 @@
+import type { AuthStorage } from "@oh-my-pi/pi-ai";
 import type { SearchProviderId, SearchResponse } from "../types";
 
-/** Shared web search parameters passed to providers. */
+/**
+ * Shared web search parameters passed to providers.
+ *
+ * `authStorage` is the **only** credential source providers may consult.
+ * Opening a sibling SQLite handle or calling provider-direct refresh helpers
+ * (e.g. `refreshOpenAICodexToken`, `refreshGoogleCloudToken`) is prohibited:
+ * it races the broker's per-credential refresh and POSTs the broker sentinel
+ * (`REMOTE_REFRESH_SENTINEL`) to the upstream token endpoint, which classifies
+ * as `invalid_grant` and disables the row.
+ */
 export interface SearchParams {
 	query: string;
 	limit?: number;
@@ -26,6 +36,20 @@ export interface SearchParams {
 	googleSearch?: Record<string, unknown>;
 	codeExecution?: Record<string, unknown>;
 	urlContext?: Record<string, unknown>;
+	/**
+	 * The single source of truth for credentials. Providers MUST consult this
+	 * handle exclusively (`getApiKey` for bearer-style auth, `getOAuthAccess`
+	 * when identity metadata is required). Do not open `AgentStorage` or any
+	 * `AuthCredentialStore` directly — that bypasses the broker pipeline and
+	 * the per-credential single-flight refresh.
+	 */
+	authStorage: AuthStorage;
+	/**
+	 * Optional session id used as the round-robin / sticky key when selecting
+	 * among multiple credentials for the same provider. Pass through from the
+	 * caller's agent session when available; otherwise omit.
+	 */
+	sessionId?: string;
 }
 
 /** Base class for web search providers. */
@@ -33,6 +57,15 @@ export abstract class SearchProvider {
 	abstract readonly id: SearchProviderId;
 	abstract readonly label: string;
 
-	abstract isAvailable(): Promise<boolean> | boolean;
+	/**
+	 * Indicates whether this provider has the credentials/config it needs to
+	 * service a request right now. Implementations consult the passed
+	 * {@link AuthStorage} — never a sibling store.
+	 */
+	abstract isAvailable(authStorage: AuthStorage): Promise<boolean> | boolean;
+
+	/**
+	 * Execute a search. Credentials MUST be resolved through `params.authStorage`.
+	 */
 	abstract search(params: SearchParams): Promise<SearchResponse>;
 }

package/src/web/search/providers/brave.ts

@@ -4,13 +4,13 @@
  * Calls Brave's web search REST API and maps results into the unified
  * SearchResponse shape used by the web search tool.
  */
-import { getEnvApiKey } from "@oh-my-pi/pi-ai";
+import { type AuthStorage, getEnvApiKey } from "@oh-my-pi/pi-ai";
 import type { SearchResponse, SearchSource } from "../../../web/search/types";
 import { SearchProviderError } from "../../../web/search/types";
 import { clampNumResults, dateToAgeSeconds } from "../utils";
 import type { SearchParams } from "./base";
 import { SearchProvider } from "./base";
-import { classifyProviderHttpError, isApiKeyAvailable, withHardTimeout } from "./utils";
+import { classifyProviderHttpError, withHardTimeout } from "./utils";
 
 const BRAVE_SEARCH_URL = "https://api.search.brave.com/res/v1/web/search";
 const DEFAULT_NUM_RESULTS = 10;
@@ -134,8 +134,8 @@ export class BraveProvider extends SearchProvider {
 	readonly id = "brave";
 	readonly label = "Brave";
 
-	isAvailable() {
-		return isApiKeyAvailable(findApiKey);
+	isAvailable(_authStorage: AuthStorage): boolean {
+		return !!findApiKey();
 	}
 
 	search(params: SearchParams): Promise<SearchResponse> {

package/src/web/search/providers/codex.ts

@@ -2,15 +2,15 @@
  * OpenAI Codex Web Search Provider
  *
  * Uses Codex's built-in web_search tool via the Responses API.
- * Requires OAuth credentials stored in agent.db for provider "openai-codex".
- * Returns synthesized answers with web search sources.
+ * Auth is resolved through `AuthStorage.getOAuthAccess("openai-codex")` so the
+ * broker is the sole refresh authority — this module never opens a sibling
+ * SQLite store, never POSTs the broker sentinel to an OpenAI token endpoint.
  */
 import * as os from "node:os";
-import { getBundledModels } from "@oh-my-pi/pi-ai";
+import { type AuthStorage, getBundledModels } from "@oh-my-pi/pi-ai";
 import { decodeJwt } from "@oh-my-pi/pi-ai/utils/oauth/openai-codex";
-import { $env, getAgentDbPath, readSseJson } from "@oh-my-pi/pi-utils";
+import { $env, readSseJson } from "@oh-my-pi/pi-utils";
 import packageJson from "../../../../package.json" with { type: "json" };
-import { AgentStorage } from "../../../session/agent-storage";
 import type { SearchResponse, SearchSource } from "../../../web/search/types";
 import { SearchProviderError } from "../../../web/search/types";
 import type { SearchParams } from "./base";
@@ -19,29 +19,48 @@ import { classifyProviderHttpError, withHardTimeout } from "./utils";
 
 const CODEX_BASE_URL = "https://chatgpt.com/backend-api";
 const CODEX_RESPONSES_PATH = "/codex/responses";
-const FALLBACK_MODEL = "gpt-5-codex-mini";
+const FALLBACK_MODEL = "gpt-5.4";
 const DEFAULT_MODEL_PREFERENCES = [
-	"gpt-5-codex-mini",
 	"gpt-5.4",
+	"gpt-5-codex",
+	"gpt-5",
 	"gpt-5.3-codex",
 	"gpt-5.2-codex",
 	"gpt-5.1-codex",
-	"gpt-5-codex",
+	"gpt-5-codex-mini",
 ];
 const JWT_CLAIM_PATH = "https://api.openai.com/auth";
 const DEFAULT_INSTRUCTIONS =
 	"You are a helpful assistant with web search capabilities. Search the web to answer the user's question accurately and cite your sources.";
 
-function getModel(): string {
+function getConfiguredModel(): string | undefined {
 	const configuredModel = $env.PI_CODEX_WEB_SEARCH_MODEL?.trim();
-	if (configuredModel) return configuredModel;
+	return configuredModel ? configuredModel : undefined;
+}
 
+function getDefaultModelCandidates(): string[] {
 	const bundledModels = getBundledModels("openai-codex");
 	const bundledIds = new Set(bundledModels.map(model => model.id));
-	const preferred = DEFAULT_MODEL_PREFERENCES.find(modelId => bundledIds.has(modelId));
-	if (preferred) return preferred;
+	const candidates = DEFAULT_MODEL_PREFERENCES.filter(modelId => bundledIds.has(modelId));
+
+	if (candidates.length > 0) {
+		return candidates;
+	}
+
 	const nonMini = bundledModels.find(model => !model.id.includes("mini") && !model.id.includes("spark"));
-	return nonMini?.id ?? bundledModels[0]?.id ?? FALLBACK_MODEL;
+	if (nonMini) {
+		return [nonMini.id];
+	}
+
+	return bundledModels[0]?.id ? [bundledModels[0].id] : [FALLBACK_MODEL];
+}
+
+function shouldRetryWithNextDefaultModel(error: unknown): boolean {
+	if (!(error instanceof SearchProviderError)) return false;
+	if (error.provider !== "codex" || error.status !== 400) return false;
+	return /model is not supported|requested model is not supported|not supported when using codex with a chatgpt account/i.test(
+		error.message,
+	);
 }
 
 export interface CodexSearchParams {
@@ -53,15 +72,6 @@ export interface CodexSearchParams {
 	search_context_size?: "low" | "medium" | "high";
 }
 
-/** OAuth credential stored in agent.db */
-interface CodexOAuthCredential {
-	type: "oauth";
-	access: string;
-	refresh?: string;
-	expires: number;
-	accountId?: string;
-}
-
 /** Codex API response structure */
 interface CodexResponseItem {
 	type: string;
@@ -231,7 +241,7 @@ function extractTextSources(text: string): SearchSource[] {
  * @param accessToken - JWT access token
  * @returns Account ID string, or null if not found
  */
-function getAccountId(accessToken: string): string | null {
+function getAccountIdFromJwt(accessToken: string): string | null {
 	const payload = decodeJwt(accessToken);
 	const auth = payload?.[JWT_CLAIM_PATH] as { chatgpt_account_id?: string } | undefined;
 	const accountId = auth?.chatgpt_account_id;
@@ -239,43 +249,25 @@ function getAccountId(accessToken: string): string | null {
 }
 
 /**
- * Finds valid Codex OAuth credentials from agent.db.
- * Checks agent credentials and returns the first non-expired credential.
- * @returns OAuth credential with access token and account ID, or null if none found
+ * Resolve a Codex bearer + accountId through {@link AuthStorage} — the single
+ * refresh authority. Returns `null` when no OAuth credential is configured,
+ * when the credential cannot be refreshed (broker error, revoked token, etc.),
+ * or when the access token carries no `chatgpt_account_id` claim.
  */
-async function findCodexAuth(): Promise<{ accessToken: string; accountId: string } | null> {
-	const expiryBuffer = 5 * 60 * 1000; // 5 minutes
-	const now = Date.now();
-
-	try {
-		const storage = await AgentStorage.open(getAgentDbPath());
-		const records = storage.listAuthCredentials("openai-codex");
-
-		for (const record of records) {
-			const credential = record.credential;
-			if (credential.type !== "oauth") continue;
-
-			const oauthCred = credential as CodexOAuthCredential;
-			if (!oauthCred.access) continue;
-			if (oauthCred.expires <= now + expiryBuffer) continue;
-
-			const accountId = oauthCred.accountId ?? getAccountId(oauthCred.access);
-			if (!accountId) continue;
-
-			return { accessToken: oauthCred.access, accountId };
-		}
-	} catch {
-		return null;
-	}
-
-	return null;
+async function findCodexAuth(
+	authStorage: AuthStorage,
+	sessionId: string | undefined,
+	signal: AbortSignal | undefined,
+): Promise<{ accessToken: string; accountId: string } | null> {
+	const access = await authStorage.getOAuthAccess("openai-codex", sessionId, { signal });
+	if (!access) return null;
+	const accountId = access.accountId ?? getAccountIdFromJwt(access.accessToken);
+	if (!accountId) return null;
+	return { accessToken: access.accessToken, accountId };
 }
 
 /**
  * Builds HTTP headers for Codex API requests.
- * @param accessToken - OAuth access token
- * @param accountId - ChatGPT account ID
- * @returns Headers object for fetch requests
  */
 function buildCodexHeaders(accessToken: string, accountId: string): Record<string, string> {
 	return {
@@ -291,17 +283,19 @@ function buildCodexHeaders(accessToken: string, accountId: string): Record<strin
 
 /**
  * Calls the Codex Responses API with web search tool enabled.
- * Streams the response and collects all events.
- * @param auth - Authentication info (access token and account ID)
- * @param query - Search query from the user
- * @param options - Search options including system prompt and context size
- * @returns Parsed response with answer, sources, and usage
- * @throws {SearchProviderError} If the API request fails
+ * The caller provides the exact model id to send; retry / fallback policy
+ * lives one layer up in `searchCodex()` so we can distinguish explicit user
+ * overrides from the default ChatGPT-account model-selection path.
  */
 async function callCodexSearch(
 	auth: { accessToken: string; accountId: string },
 	query: string,
-	options: { signal?: AbortSignal; systemPrompt?: string; searchContextSize?: "low" | "medium" | "high" },
+	options: {
+		signal?: AbortSignal;
+		systemPrompt?: string;
+		searchContextSize?: "low" | "medium" | "high";
+		modelId: string;
+	},
 ): Promise<{
 	answer: string;
 	sources: SearchSource[];
@@ -312,7 +306,7 @@ async function callCodexSearch(
 	const url = `${CODEX_BASE_URL}${CODEX_RESPONSES_PATH}`;
 	const headers = buildCodexHeaders(auth.accessToken, auth.accountId);
 
-	const requestedModel = getModel();
+	const requestedModel = options.modelId;
 
 	const body: Record<string, unknown> = {
 		model: requestedModel,
@@ -457,29 +451,67 @@ async function callCodexSearch(
 
 /**
  * Executes a web search using OpenAI Codex's built-in web search tool.
- * Requires OAuth credentials stored in agent.db for provider "openai-codex".
- * @param params - Search parameters including query and optional settings
- * @returns Search response with synthesized answer, sources, and usage
- * @throws {Error} If no Codex OAuth credentials are configured
+ *
+ * Default-model behavior:
+ * - If `PI_CODEX_WEB_SEARCH_MODEL` is set, use it exactly once and surface any
+ *   upstream error verbatim.
+ * - Otherwise prefer ChatGPT-account-safe bundled defaults (GPT-5.4, GPT-5
+ *   Codex, GPT-5, …) and retry the next candidate only when Codex returns the
+ *   known 400 "model is not supported" family. This avoids selecting
+ *   `gpt-5-codex-mini` first on ChatGPT accounts, which OpenAI rejects.
  */
-export async function searchCodex(params: CodexSearchParams): Promise<SearchResponse> {
-	const auth = await findCodexAuth();
+export async function searchCodex(params: SearchParams): Promise<SearchResponse> {
+	const auth = await findCodexAuth(params.authStorage, params.sessionId, params.signal);
 	if (!auth) {
 		throw new Error(
 			"No Codex OAuth credentials found. Login with 'omp /login openai-codex' to enable Codex web search.",
 		);
 	}
 
-	const result = await callCodexSearch(auth, params.query, {
-		systemPrompt: params.system_prompt,
-		searchContextSize: params.search_context_size ?? "high",
-	});
+	const configuredModel = getConfiguredModel();
+	const modelCandidates = configuredModel ? [configuredModel] : getDefaultModelCandidates();
+
+	let result:
+		| {
+				answer: string;
+				sources: SearchSource[];
+				model: string;
+				requestId: string;
+				usage?: { inputTokens: number; outputTokens: number; totalTokens: number };
+		  }
+		| undefined;
+	let lastError: unknown;
+
+	for (let index = 0; index < modelCandidates.length; index += 1) {
+		const modelId = modelCandidates[index];
+		if (!modelId) continue;
+
+		try {
+			result = await callCodexSearch(auth, params.query, {
+				signal: params.signal,
+				systemPrompt: params.systemPrompt,
+				searchContextSize: "high",
+				modelId,
+			});
+			break;
+		} catch (error) {
+			lastError = error;
+			const isLastCandidate = index === modelCandidates.length - 1;
+			if (configuredModel || isLastCandidate || !shouldRetryWithNextDefaultModel(error)) {
+				throw error;
+			}
+		}
+	}
+
+	if (!result) {
+		throw lastError ?? new Error("Codex search failed without returning a result");
+	}
 
 	let sources = result.sources;
 
-	// Apply num_results limit if specified
-	if (params.num_results && sources.length > params.num_results) {
-		sources = sources.slice(0, params.num_results);
+	const numResults = params.numSearchResults ?? params.limit;
+	if (numResults && sources.length > numResults) {
+		sources = sources.slice(0, numResults);
 	}
 
 	return {
@@ -500,28 +532,25 @@ export async function searchCodex(params: CodexSearchParams): Promise<SearchResp
 
 /**
  * Checks if Codex web search is available.
- * @returns True if valid OAuth credentials exist for openai-codex
  */
-export async function hasCodexSearch(): Promise<boolean> {
-	const auth = await findCodexAuth();
-	return auth !== null;
+export async function hasCodexSearch(authStorage: AuthStorage): Promise<boolean> {
+	// `isAvailable` runs before every request — keep the probe cheap.
+	// `hasOAuth(...)` is a synchronous in-memory check that returns true as soon
+	// as a Codex OAuth credential is loaded, without driving the refresh
+	// pipeline. The actual refresh happens lazily in `searchCodex`.
+	return authStorage.hasOAuth("openai-codex");
 }
 
 /** Search provider for OpenAI Codex web search. */
 export class CodexProvider extends SearchProvider {
 	readonly id = "codex";
-	readonly label = "Codex";
+	readonly label = "OpenAI";
 
-	isAvailable(): Promise<boolean> {
-		return Promise.resolve(hasCodexSearch());
+	isAvailable(authStorage: AuthStorage): Promise<boolean> | boolean {
+		return hasCodexSearch(authStorage);
 	}
 
 	search(params: SearchParams): Promise<SearchResponse> {
-		return searchCodex({
-			signal: params.signal,
-			query: params.query,
-			system_prompt: params.systemPrompt,
-			num_results: params.numSearchResults ?? params.limit,
-		});
+		return searchCodex(params);
 	}
 }

package/src/web/search/providers/exa.ts

@@ -6,9 +6,10 @@
  * Requests per-result summaries via `contents.summary` and synthesizes
  * them into a combined `answer` string on the SearchResponse.
  */
-import { getEnvApiKey } from "@oh-my-pi/pi-ai";
+import { type AuthStorage, getEnvApiKey } from "@oh-my-pi/pi-ai";
 import { settings } from "../../../config/settings";
 import { callExaTool, findApiKey, isSearchResponse } from "../../../exa/mcp-client";
+
 import type { SearchResponse, SearchSource } from "../../../web/search/types";
 import { SearchProviderError } from "../../../web/search/types";
 import { dateToAgeSeconds } from "../utils";
@@ -249,7 +250,7 @@ export class ExaProvider extends SearchProvider {
 	readonly id = "exa";
 	readonly label = "Exa";
 
-	isAvailable(): boolean {
+	isAvailable(_authStorage: AuthStorage): boolean {
 		try {
 			if (settings.get("exa.enabled") === false || settings.get("exa.enableSearch") === false) {
 				return false;