@oh-my-pi/pi-coding-agent 15.5.6 → 15.5.8

package/dist/types/tools/plan-mode-guard.d.ts

@@ -2,12 +2,11 @@ import type { ToolSession } from ".";
 /**
  * Resolve a write/edit target to its absolute filesystem path.
  *
- * In plan mode, transparently redirects targets whose basename matches the
- * plan file's basename (e.g. a bare `PLAN.md` or `./PLAN.md`) to the canonical
- * plan file location at `state.planFilePath`. This lets `write` and `edit`
- * accept the unqualified plan filename and have the change land at the
- * session-scoped `local://PLAN.md` artifact instead of a stray cwd-relative
- * file the plan-mode guard would otherwise reject.
+ * In plan mode, transparently redirects `PLAN.md` aliases and targets whose
+ * basename matches the plan file's basename to the canonical plan file
+ * location at `state.planFilePath`. This lets `write` and `edit` accept the
+ * habitual plan filename after approval even when the active artifact has a
+ * titled path such as `local://APPROVED.md`.
  *
  * Outside plan mode (or when the basename does not match) this is a no-op.
  */

package/dist/types/tools/render-utils.d.ts

@@ -100,7 +100,9 @@ export interface DiffStats {
 }
 export declare function getDiffStats(diffText: string): DiffStats;
 export declare function formatDiffStats(added: number, removed: number, hunks: number, theme: Theme): string;
-export declare function truncateDiffByHunk(diffText: string, maxHunks: number, maxLines: number): {
+export declare function truncateDiffByHunk(diffText: string, maxHunks: number, maxLines: number, options?: {
+    fromTail?: boolean;
+}): {
     text: string;
     hiddenHunks: number;
     hiddenLines: number;

package/dist/types/tools/tts.d.ts

@@ -0,0 +1,18 @@
+import * as z from "zod/v4";
+import type { CustomTool } from "../extensibility/custom-tools/types";
+type TtsCodec = "mp3" | "wav";
+declare const ttsSchema: z.ZodObject<{
+    text: z.ZodString;
+    voice_id: z.ZodDefault<z.ZodString>;
+    language: z.ZodDefault<z.ZodString>;
+    output_path: z.ZodString;
+    sample_rate: z.ZodOptional<z.ZodNumber>;
+    bit_rate: z.ZodOptional<z.ZodNumber>;
+}, z.core.$strip>;
+interface TtsToolDetails {
+    bytes: number;
+    voiceId: string;
+    codec: TtsCodec;
+}
+export declare const ttsTool: CustomTool<typeof ttsSchema, TtsToolDetails>;
+export {};

package/dist/types/tools/write.d.ts

@@ -15,6 +15,8 @@ export type WriteToolInput = z.infer<typeof writeSchema>;
 export interface WriteToolDetails {
     diagnostics?: FileDiagnosticsResult;
     meta?: OutputMeta;
+    /** Set when the file was auto-chmod'd because content begins with a `#!` shebang. */
+    madeExecutable?: boolean;
 }
 type WriteParams = WriteToolInput;
 /**

package/dist/types/utils/file-mentions.d.ts

@@ -1,3 +1,4 @@
+import { type SnapshotStore } from "@oh-my-pi/hashline";
 import type { AgentMessage } from "@oh-my-pi/pi-agent-core";
 /** Extract all @filepath mentions from text */
 export declare function extractFileMentions(text: string): string[];
@@ -8,4 +9,5 @@ export declare function extractFileMentions(text: string): string[];
 export declare function generateFileMentionMessages(filePaths: string[], cwd: string, options?: {
     autoResizeImages?: boolean;
     useHashLines?: boolean;
+    snapshotStore?: SnapshotStore;
 }): Promise<AgentMessage[]>;

package/package.json

@@ -1,7 +1,7 @@
 {
 	"type": "module",
 	"name": "@oh-my-pi/pi-coding-agent",
-	"version": "15.5.6",
+	"version": "15.5.8",
 	"description": "Coding agent CLI with read, bash, edit, write tools and session management",
 	"homepage": "https://omp.sh",
 	"author": "Can Boluk",
@@ -47,13 +47,13 @@
 		"@agentclientprotocol/sdk": "0.21.0",
 		"@babel/parser": "^7.29.3",
 		"@mozilla/readability": "^0.6.0",
-		"@oh-my-pi/hashline": "15.5.6",
-		"@oh-my-pi/omp-stats": "15.5.6",
-		"@oh-my-pi/pi-agent-core": "15.5.6",
-		"@oh-my-pi/pi-ai": "15.5.6",
-		"@oh-my-pi/pi-natives": "15.5.6",
-		"@oh-my-pi/pi-tui": "15.5.6",
-		"@oh-my-pi/pi-utils": "15.5.6",
+		"@oh-my-pi/hashline": "15.5.8",
+		"@oh-my-pi/omp-stats": "15.5.8",
+		"@oh-my-pi/pi-agent-core": "15.5.8",
+		"@oh-my-pi/pi-ai": "15.5.8",
+		"@oh-my-pi/pi-natives": "15.5.8",
+		"@oh-my-pi/pi-tui": "15.5.8",
+		"@oh-my-pi/pi-utils": "15.5.8",
 		"@puppeteer/browsers": "^2.13.0",
 		"@types/turndown": "5.0.6",
 		"@xterm/headless": "^6.0.0",

package/src/cli/args.ts

@@ -247,6 +247,8 @@ export function getExtraHelpText(): string {
   OPENCODE_API_KEY           - OpenCode Zen/OpenCode Go models
   CURSOR_ACCESS_TOKEN        - Cursor AI models
   AI_GATEWAY_API_KEY         - Vercel AI Gateway
+  WAFER_PASS_API_KEY         - Wafer Pass (flat-rate subscription; GLM-5.1, Qwen3.5)
+  WAFER_SERVERLESS_API_KEY   - Wafer Serverless (pay-as-you-go)
 
   ${chalk.dim("# Cloud Providers")}
   AWS_PROFILE                - AWS Bedrock (or AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY)

package/src/cli/auth-broker-cli.ts

@@ -34,6 +34,7 @@ import {
 	startAuthBroker,
 } from "@oh-my-pi/pi-ai";
 import { $which, APP_NAME, getAgentDbPath, getConfigRootDir, isEnoent, logger, VERSION } from "@oh-my-pi/pi-utils";
+import { setTransports as setLoggerTransports } from "@oh-my-pi/pi-utils/logger";
 import { $ } from "bun";
 import chalk from "chalk";
 import { resolveAuthBrokerConfig } from "../session/auth-broker-config";
@@ -124,7 +125,7 @@ async function runServe(flags: AuthBrokerCommandArgs["flags"]): Promise<void> {
 	// The broker is a long-running headless service: route structured logs to
 	// stdout so a process supervisor (pm2, journald, k8s) captures them, and
 	// skip the rotating ~/.omp/logs/ file the TUI default would have used.
-	logger.setTransports({ console: true, file: false });
+	setLoggerTransports({ console: true, file: false });
 
 	const bind = flags.bind ?? DEFAULT_AUTH_BROKER_BIND;
 	const token = await ensureToken();

package/src/cli/auth-gateway-cli.ts

@@ -19,6 +19,10 @@ import {
 	type Api,
 	AuthBrokerClient,
 	AuthStorage,
+	type CompletionProbe,
+	type CompletionProbeInput,
+	type CredentialCompletionResult,
+	completeSimple,
 	DEFAULT_AUTH_GATEWAY_BIND,
 	type GeneratedProvider,
 	getBundledModels,
@@ -46,6 +50,14 @@ export interface AuthGatewayCommandArgs {
 		 * to wire token-paste plumbing into every local client.
 		 */
 		noAuth?: boolean;
+		/**
+		 * Strict mode for `check` — additionally exercise every credential
+		 * against its provider's chat-completion endpoint. The usage probe (run
+		 * unconditionally) can pass while the chat endpoint still 401s the same
+		 * bearer, so strict mode is the definitive "is this credential
+		 * actually usable" signal. Slower and consumes a tiny amount of quota.
+		 */
+		strict?: boolean;
 	};
 }
 
@@ -342,12 +354,185 @@ export async function runAuthGatewayCommand(cmd: AuthGatewayCommandArgs): Promis
 	}
 }
 
+/**
+ * Providers whose chat endpoint expects a JSON-serialized credential blob
+ * (`{ token, projectId, refreshToken, expiresAt, … }`) rather than the raw
+ * access token. Mirrors `getOAuthApiKey` in `packages/ai/src/utils/oauth`.
+ */
+const STRUCTURED_API_KEY_PROVIDERS: ReadonlySet<string> = new Set([
+	"github-copilot",
+	"google-gemini-cli",
+	"google-antigravity",
+]);
+
+/**
+ * Provider API types that strict-mode chat probes intentionally skip:
+ * - `bedrock-converse-stream` resolves credentials from the AWS env/profile, not the broker bearer.
+ * - `google-vertex` uses Application Default Credentials; the broker bearer is not the right key.
+ * - `cursor-agent` and `pi-native` (gateway forwarding) have transport quirks
+ *   that make a bearer-only "ping" a poor signal.
+ */
+const STRICT_PROBE_SKIPPED_APIS: ReadonlySet<Api> = new Set<Api>([
+	"bedrock-converse-stream",
+	"google-vertex",
+	"cursor-agent",
+]);
+
+/** Max chat models to try per credential before reporting failure. */
+const STRICT_PROBE_MAX_CANDIDATES = 4;
+
+/** Per-attempt deadline. Each candidate gets its own slice instead of sharing one budget. */
+const STRICT_PROBE_PER_ATTEMPT_TIMEOUT_MS = 15_000;
+
+/**
+ * Overall per-credential budget passed to {@link AuthStorage.checkCredentials}.
+ * Big enough to walk every candidate at the per-attempt cap with a small
+ * margin for refresh/network overhead.
+ */
+const STRICT_PROBE_OVERALL_TIMEOUT_MS = STRICT_PROBE_PER_ATTEMPT_TIMEOUT_MS * (STRICT_PROBE_MAX_CANDIDATES + 1);
+
+/** Match upstream errors that mean "this model is gone, try a different one" so we walk the catalog instead of declaring the credential bad. */
+const RETRYABLE_MODEL_ERROR_RE =
+	/not[_ -]found|invalid[_ -]model|model[_ -]is[_ -]not[_ -]valid|no longer supported|deprecated|404|decommissioned/i;
+
+/**
+ * Rank bundled models for a provider in probe order: cheapest first, then by
+ * id for determinism. Filters out non-bearer-auth APIs (Vertex/Bedrock),
+ * pi-native transport (would loop through the gateway), and placeholder /
+ * router entries with negative/missing cost.
+ */
+function pickProbeCandidates(provider: string): Model<Api>[] {
+	const bundled = getBundledModels(provider as GeneratedProvider);
+	if (bundled.length === 0) return [];
+	const candidates = bundled.filter(model => {
+		if (model.transport === "pi-native") return false;
+		if (STRICT_PROBE_SKIPPED_APIS.has(model.api)) return false;
+		if (!model.input.includes("text")) return false;
+		const totalCost = (model.cost?.input ?? 0) + (model.cost?.output ?? 0);
+		if (!Number.isFinite(totalCost) || totalCost < 0) return false;
+		if (model.maxTokens <= 0) return false;
+		return true;
+	});
+	candidates.sort((a, b) => a.cost.input + a.cost.output - (b.cost.input + b.cost.output) || a.id.localeCompare(b.id));
+	return candidates;
+}
+
+/**
+ * Compose the apiKey bytes a provider's chat endpoint expects, given a
+ * post-refresh probe credential. Mirrors `getOAuthApiKey` for the providers
+ * that require a structured blob; otherwise returns the raw access token /
+ * API key.
+ */
+function composeProbeApiKey(provider: string, credential: CompletionProbeInput["credential"]): string {
+	if (credential.type === "api_key") return credential.apiKey;
+	if (!STRUCTURED_API_KEY_PROVIDERS.has(provider)) return credential.accessToken;
+	return JSON.stringify({
+		token: credential.accessToken,
+		enterpriseUrl: credential.enterpriseUrl,
+		projectId: credential.projectId,
+		refreshToken: credential.refreshToken,
+		expiresAt: credential.expiresAt,
+		email: credential.email,
+		accountId: credential.accountId,
+	});
+}
+
+async function probeOneModel(
+	model: Model<Api>,
+	apiKey: string,
+	outerSignal: AbortSignal,
+): Promise<CredentialCompletionResult> {
+	const start = Date.now();
+	const attemptTimeoutSignal = AbortSignal.timeout(STRICT_PROBE_PER_ATTEMPT_TIMEOUT_MS);
+	const attemptSignal = AbortSignal.any([outerSignal, attemptTimeoutSignal]);
+	// `systemPrompt` is mandatory for some providers (Codex 400s "Instructions
+	// are required" without it). `disableReasoning` is intentionally NOT set:
+	// providers like Fireworks reject the "none" effort it maps to, and we'd
+	// rather burn 16 reasoning tokens than misdiagnose a healthy credential.
+	const response = await completeSimple(
+		model,
+		{
+			systemPrompt: ["Connectivity check. Reply with the single word 'pong'."],
+			messages: [{ role: "user", content: "ping", timestamp: start }],
+		},
+		{
+			apiKey,
+			maxTokens: 32,
+			signal: attemptSignal,
+		},
+	);
+	const latencyMs = Date.now() - start;
+	if (response.stopReason === "error" || response.stopReason === "aborted") {
+		return {
+			ok: false,
+			reason: response.errorMessage ?? `chat probe ended with stopReason=${response.stopReason}`,
+			modelId: model.id,
+			latencyMs,
+		};
+	}
+	return { ok: true, modelId: model.id, latencyMs };
+}
+
+/**
+ * Build the {@link CompletionProbe} consumed by
+ * {@link AuthStorage.checkCredentials} in `--strict` mode. Walks the cheapest
+ * candidates per provider, retrying on "model not found / invalid model"
+ * errors so a stale catalog entry doesn't masquerade as a bad credential.
+ * Stops as soon as one model returns a successful response (the credential
+ * authenticated against at least one model in the catalog).
+ */
+function createStrictCompletionProbe(): CompletionProbe {
+	return async (input: CompletionProbeInput): Promise<CredentialCompletionResult> => {
+		const candidates = pickProbeCandidates(input.provider).slice(0, STRICT_PROBE_MAX_CANDIDATES);
+		if (candidates.length === 0) {
+			return { ok: null, reason: `no bearer-compatible probe model bundled for provider ${input.provider}` };
+		}
+		const apiKey = composeProbeApiKey(input.provider, input.credential);
+		let lastFailure: CredentialCompletionResult | undefined;
+		for (const model of candidates) {
+			if (input.signal.aborted) {
+				return {
+					ok: false,
+					reason: "aborted",
+					modelId: model.id,
+				};
+			}
+			const result = await probeOneModel(model, apiKey, input.signal);
+			if (result.ok === true) return result;
+			lastFailure = result;
+			if (!RETRYABLE_MODEL_ERROR_RE.test(result.reason ?? "")) {
+				// Non-model error (401, 403, 5xx, network) — the credential is the
+				// issue, not the catalog. Stop walking.
+				return result;
+			}
+		}
+		return (
+			lastFailure ?? {
+				ok: false,
+				reason: `all ${candidates.length} probe models failed for provider ${input.provider}`,
+			}
+		);
+	};
+}
+
+function formatCompletionStatus(completion: CredentialCompletionResult | undefined): string {
+	if (!completion) return "";
+	if (completion.ok === true) return chalk.green(" [chat: ok]");
+	if (completion.ok === false) return chalk.red(" [chat: FAIL]");
+	return chalk.yellow(" [chat: skip]");
+}
+
 /**
  * `omp auth-gateway check` — probe each broker-supplied credential and print
  * per-credential auth health. Use this when the gateway is returning 401s and
  * you need to find which row in a multi-account pool is the bad one. The
  * aggregate `/v1/usage` endpoint silently drops failed credentials, so a
  * dedicated diagnostic is the only way to see which credentials failed.
+ *
+ * Strict mode (`--strict`) additionally exercises each credential against a
+ * cheap chat model from its provider's bundled catalog. This catches the case
+ * where the usage endpoint reports 200 but the chat endpoint 401s the same
+ * bearer (revoked OAuth scope, mislabeled provider row, etc).
  */
 async function runCheck(flags: AuthGatewayCommandArgs["flags"]): Promise<void> {
 	const brokerConfig = await resolveAuthBrokerConfig();
@@ -363,10 +548,16 @@ async function runCheck(flags: AuthGatewayCommandArgs["flags"]): Promise<void> {
 	const storage = new AuthStorage(store, { sourceLabel: `broker ${brokerConfig.url}` });
 	try {
 		await storage.reload();
-		const results = await storage.checkCredentials();
+		const results = await storage.checkCredentials(
+			flags.strict
+				? { completionProbe: createStrictCompletionProbe(), completionTimeoutMs: STRICT_PROBE_OVERALL_TIMEOUT_MS }
+				: undefined,
+		);
 
 		if (flags.json) {
-			process.stdout.write(`${JSON.stringify({ broker: brokerConfig.url, credentials: results }, null, 2)}\n`);
+			process.stdout.write(
+				`${JSON.stringify({ broker: brokerConfig.url, strict: flags.strict === true, credentials: results }, null, 2)}\n`,
+			);
 		} else {
 			const grouped = new Map<string, typeof results>();
 			for (const row of results) {
@@ -375,7 +566,7 @@ async function runCheck(flags: AuthGatewayCommandArgs["flags"]): Promise<void> {
 				grouped.set(row.provider, list);
 			}
 			const providers = [...grouped.keys()].sort();
-			process.stdout.write(`broker: ${brokerConfig.url}\n`);
+			process.stdout.write(`broker: ${brokerConfig.url}${flags.strict ? chalk.dim(" [strict]") : ""}\n`);
 			for (const provider of providers) {
 				const rows = grouped.get(provider) ?? [];
 				process.stdout.write(`\n${chalk.bold(provider)} (${rows.length})\n`);
@@ -389,19 +580,29 @@ async function runCheck(flags: AuthGatewayCommandArgs["flags"]): Promise<void> {
 					const identity =
 						row.email ?? row.accountId ?? (row.type === "api_key" ? "(api key)" : "(no identity on credential)");
 					const remote = row.remoteRefresh ? chalk.dim(" [remote-refresh]") : "";
-					const reason = row.reason ? chalk.dim(` — ${row.reason}`) : "";
+					const reasonParts: string[] = [];
+					if (row.reason) reasonParts.push(row.reason);
+					if (row.completion?.reason) reasonParts.push(`chat: ${row.completion.reason}`);
+					const reason = reasonParts.length > 0 ? chalk.dim(` — ${reasonParts.join("; ")}`) : "";
+					const chat = formatCompletionStatus(row.completion);
 					process.stdout.write(
-						`  ${status} id=${row.id.toString().padStart(3)} ${row.type.padEnd(7)} ${identity}${remote}${reason}\n`,
+						`  ${status}${chat} id=${row.id.toString().padStart(3)} ${row.type.padEnd(7)} ${identity}${remote}${reason}\n`,
 					);
 				}
 			}
 			const failed = results.filter(row => row.ok === false).length;
 			const unverifiable = results.filter(row => row.ok === null).length;
 			const passing = results.filter(row => row.ok === true).length;
-			process.stdout.write(
-				`\n${chalk.green(`${passing} ok`)}, ${chalk.red(`${failed} failed`)}, ${chalk.yellow(`${unverifiable} unverifiable`)}, ${results.length} total\n`,
-			);
-			if (failed > 0) process.exitCode = 1;
+			const chatFailed = flags.strict ? results.filter(row => row.completion?.ok === false).length : 0;
+			const summaryParts = [
+				chalk.green(`${passing} ok`),
+				chalk.red(`${failed} failed`),
+				chalk.yellow(`${unverifiable} unverifiable`),
+			];
+			if (flags.strict) summaryParts.push(chalk.red(`${chatFailed} chat-failed`));
+			summaryParts.push(`${results.length} total`);
+			process.stdout.write(`\n${summaryParts.join(", ")}\n`);
+			if (failed > 0 || chatFailed > 0) process.exitCode = 1;
 		}
 	} finally {
 		storage.close();

package/src/commands/auth-gateway.ts

@@ -22,13 +22,17 @@ export default class AuthGateway extends Command {
 	};
 
 	static flags = {
-		json: Flags.boolean({ description: "Output JSON (token/status)" }),
+		json: Flags.boolean({ description: "Output JSON (token/status/check)" }),
 		bind: Flags.string({ description: "Bind address for `serve` (host:port)", char: "b" }),
 		regenerate: Flags.boolean({ description: "Regenerate the gateway bearer token (token)" }),
 		"no-auth": Flags.boolean({
 			description:
 				"Disable inbound bearer-token auth (serve). Useful when bound to loopback — any caller is allowed.",
 		}),
+		strict: Flags.boolean({
+			description:
+				"For `check`: additionally probe each credential against its provider's chat-completion endpoint. Slower; consumes a tiny amount of quota per credential.",
+		}),
 	};
 
 	static examples = [
@@ -40,6 +44,7 @@ export default class AuthGateway extends Command {
 		"# Show local gateway + broker config status\n  omp auth-gateway status",
 		"# Probe each broker credential to see which one is producing 401s\n  omp auth-gateway check",
 		"# Same, machine-readable for scripts\n  omp auth-gateway check --json",
+		"# Strict check — also exercises each credential with a real chat-completion ping\n  omp auth-gateway check --strict",
 	];
 
 	async run(): Promise<void> {
@@ -55,6 +60,7 @@ export default class AuthGateway extends Command {
 				bind: flags.bind,
 				regenerate: flags.regenerate,
 				noAuth: flags["no-auth"],
+				strict: flags.strict,
 			},
 		};
 		await initTheme();

package/src/config/model-registry.ts

@@ -291,6 +291,12 @@ export function mergeDiscoveredModel<TApi extends Api>(
 	return model;
 }
 
+const AUTHORITATIVE_RUNTIME_CATALOG_PROVIDERS = new Set<string>(
+	PROVIDER_DESCRIPTORS.filter(descriptor => descriptor.dynamicModelsAuthoritative).map(
+		descriptor => descriptor.providerId,
+	),
+);
+
 function isAuthoritativeProjectCatalogModel(model: Model<Api>): boolean {
 	return (
 		model.provider === "google-vertex" &&
@@ -323,6 +329,11 @@ interface DiscoveryProviderConfig {
 	optional?: boolean;
 }
 
+interface BuiltInDiscoveryResult {
+	models: Model<Api>[];
+	authoritativeProviders: Set<string>;
+}
+
 export type ProviderDiscoveryStatus = "idle" | "ok" | "empty" | "cached" | "unavailable" | "unauthenticated";
 
 export interface ProviderDiscoveryState {
@@ -914,6 +925,11 @@ export class ModelRegistry {
 				cachedAuthoritativeProviders.add(provider);
 			}
 		}
+		for (const provider of cachedStandardResult.authoritativeFreshProviders) {
+			if (AUTHORITATIVE_RUNTIME_CATALOG_PROVIDERS.has(provider)) {
+				cachedAuthoritativeProviders.add(provider);
+			}
+		}
 		if (cachedAuthoritativeProviders.size > 0) {
 			builtInModels = dropProviderModels(builtInModels, cachedAuthoritativeProviders);
 		}
@@ -1253,12 +1269,12 @@ export class ModelRegistry {
 				: Promise.all(
 						selectedDiscoverableProviders.map(provider => this.#discoverProviderModels(provider, strategy)),
 					).then(results => results.flat());
-		const [configuredDiscovered, builtInDiscovered] = await Promise.all([
+		const [configuredDiscovered, builtInDiscovery] = await Promise.all([
 			configuredDiscoveriesPromise,
 			this.#discoverBuiltInProviderModels(strategy, providerFilter),
 		]);
-		const discovered = [...configuredDiscovered, ...builtInDiscovered];
-		if (discovered.length === 0) {
+		const discovered = [...configuredDiscovered, ...builtInDiscovery.models];
+		if (discovered.length === 0 && builtInDiscovery.authoritativeProviders.size === 0) {
 			return;
 		}
 		const discoveredModels = this.#applyHardcodedModelPolicies(
@@ -1271,6 +1287,9 @@ export class ModelRegistry {
 			),
 		);
 		const authoritativeProviders = providersWithAuthoritativeProjectCatalog(discoveredModels);
+		for (const provider of builtInDiscovery.authoritativeProviders) {
+			authoritativeProviders.add(provider);
+		}
 		const baseModels =
 			authoritativeProviders.size > 0 ? dropProviderModels(this.#models, authoritativeProviders) : this.#models;
 		const resolved = this.#mergeResolvedModels(baseModels, discoveredModels);
@@ -1385,7 +1404,7 @@ export class ModelRegistry {
 	async #discoverBuiltInProviderModels(
 		strategy: ModelRefreshStrategy,
 		providerFilter?: ReadonlySet<string>,
-	): Promise<Model<Api>[]> {
+	): Promise<BuiltInDiscoveryResult> {
 		// Skip providers already handled by configured discovery (e.g. user-configured ollama with discovery.type)
 		const configuredDiscoveryProviders = new Set(this.#discoverableProviders.map(p => p.provider));
 		const managerOptions = (await this.#collectBuiltInModelManagerOptions()).filter(opts => {
@@ -1395,12 +1414,20 @@ export class ModelRegistry {
 			return providerFilter ? providerFilter.has(opts.providerId) : true;
 		});
 		if (managerOptions.length === 0) {
-			return [];
+			return { models: [], authoritativeProviders: new Set() };
 		}
 		const discoveries = await Promise.all(
 			managerOptions.map(options => this.#discoverWithModelManager(options, strategy)),
 		);
-		return discoveries.flat();
+		const authoritativeProviders = new Set<string>();
+		const models: Model<Api>[] = [];
+		for (const discovery of discoveries) {
+			models.push(...discovery.models);
+			for (const provider of discovery.authoritativeProviders) {
+				authoritativeProviders.add(provider);
+			}
+		}
+		return { models, authoritativeProviders };
 	}
 
 	async #collectBuiltInModelManagerOptions(): Promise<ModelManagerOptions<Api>[]> {
@@ -1482,19 +1509,24 @@ export class ModelRegistry {
 	async #discoverWithModelManager(
 		options: ModelManagerOptions<Api>,
 		strategy: ModelRefreshStrategy,
-	): Promise<Model<Api>[]> {
+	): Promise<BuiltInDiscoveryResult> {
 		try {
 			const manager = createModelManager({ ...options, cacheDbPath: this.#cacheDbPath });
 			const result = await manager.refresh(strategy);
-			return result.models.map(model =>
+			const models = result.models.map(model =>
 				model.provider === options.providerId ? model : { ...model, provider: options.providerId },
 			);
+			const authoritativeProviders = new Set<string>();
+			if (options.dynamicModelsAuthoritative && !result.stale) {
+				authoritativeProviders.add(options.providerId);
+			}
+			return { models, authoritativeProviders };
 		} catch (error) {
 			logger.warn("model discovery failed for provider", {
 				provider: options.providerId,
 				error: error instanceof Error ? error.message : String(error),
 			});
-			return [];
+			return { models: [], authoritativeProviders: new Set() };
 		}
 	}