@openafw/openafw 0.5.2 → 0.6.0

package/dist/bin/afw.js

@@ -1,21 +1,21 @@
 #!/usr/bin/env node
-import { AFW_HOME, DAEMON_BASE_URL, DAEMON_PORT, EMPTY_SECRETS, PRICING_CATALOG_CACHE, PRICING_OVERRIDE, atomicWrite, fileExists, getSecret, paths, readSecrets, removeSecret, secretRefs, setSecret } from "../secrets-Bj-gyv53.js";
-import { activeProviderFor, mutateToolProviders, readToolProviders, searchBaidu, searchBrave, searchDuckDuckGo } from "../backends-Byh5VYtT.js";
+import { AFW_HOME, DAEMON_BASE_URL, DAEMON_PORT, EMPTY_SECRETS, PRICING_CATALOG_CACHE, PRICING_OVERRIDE, atomicWrite, fileExists, getSecret, paths, readSecrets, removeSecret, secretRefs, setSecret } from "../secrets-evRw4cV3.js";
+import { activeProviderFor, mutateToolProviders, readToolProviders, searchBaidu, searchBrave, searchDuckDuckGo } from "../backends-BmyOv3bJ.js";
 import { createRequire } from "module";
 import process$1 from "node:process";
-import { execFile, execFileSync, spawn } from "node:child_process";
-import { basename, dirname, extname, join } from "node:path";
-import { existsSync, readFileSync, realpathSync, statSync, unlinkSync, watch, writeFileSync } from "node:fs";
-import { copyFile, mkdir, open, readFile, readdir, rm, stat, unlink, writeFile } from "node:fs/promises";
+import { execFileSync, spawn } from "node:child_process";
+import { basename, delimiter, dirname, extname, isAbsolute, join, normalize, sep } from "node:path";
+import { existsSync, mkdirSync, openSync, readFileSync, realpathSync, statSync, unlinkSync, watch, writeFileSync } from "node:fs";
+import { access, copyFile, mkdir, open, readFile, readdir, rm, stat, unlink, writeFile } from "node:fs/promises";
 import { homedir } from "node:os";
 import { createHash, randomBytes, webcrypto } from "node:crypto";
 import * as jsonc from "jsonc-parser";
+import { createServer } from "node:http";
+import { Buffer as Buffer$1 } from "node:buffer";
 import { createInterface } from "node:readline/promises";
 import { versions } from "process";
-import { Buffer as Buffer$1 } from "node:buffer";
-import { promisify } from "node:util";
 import { fileURLToPath } from "node:url";
-import { createServer } from "http";
+import { createServer as createServer$1 } from "http";
 import { Http2ServerRequest, constants } from "http2";
 import { Readable } from "stream";
 import crypto from "crypto";
@@ -3248,9 +3248,30 @@ async function daemonHealthy(timeoutMs = 1500) {
 
 //#endregion
 //#region src/cli/launch/daemon-autostart.ts
-function sleep$1(ms) {
+function sleep$2(ms) {
 	return new Promise((resolve) => setTimeout(resolve, ms));
 }
+/** stdio for the detached daemon — append its stdout/stderr to the same log
+*  files the installed service uses (~/.afw/logs/daemon.{log,err}), so an
+*  on-demand daemon (the `afw codex` / `afw claude` autostart) is just as
+*  inspectable as a serviced one. The logger only writes to stdout/stderr, so
+*  without this the autostart daemon's output goes nowhere. Falls back to
+*  discarding output if the log dir can't be opened (read-only home, etc.) —
+*  losing logs must never block the launch. */
+function daemonStdio() {
+	try {
+		mkdirSync(paths.logs.dir, { recursive: true });
+		const out = openSync(paths.logs.daemon, "a");
+		const err = openSync(paths.logs.daemonErr, "a");
+		return [
+			"ignore",
+			out,
+			err
+		];
+	} catch {
+		return "ignore";
+	}
+}
 /** Start the daemon if it isn't already answering /health, and wait for it to
 *  come up. Re-execs this same CLI (`<node> [execArgv] <cli> daemon`) detached
 *  so it survives the launcher process. Throws if it never becomes healthy. */
@@ -3263,11 +3284,11 @@ async function ensureDaemonRunning(opts = {}) {
 		"daemon"
 	], {
 		detached: true,
-		stdio: "ignore"
+		stdio: daemonStdio()
 	});
 	child.unref();
 	for (let i = 0; i < 40; i++) {
-		await sleep$1(250);
+		await sleep$2(250);
 		if (await daemonHealthy()) return;
 	}
 	throw new Error("afw daemon did not come up — try `afw daemon` in another terminal");
@@ -3693,6 +3714,391 @@ function decideAutoCompactWindow(opts) {
 	};
 }
 
+//#endregion
+//#region src/core/model-registry.ts
+const MODEL_REGISTRY_VERSION = 3;
+/** OpenRouter Fusion caps its panel at 8 models; mirror that. */
+const MAX_FUSION_PANEL = 8;
+const EMPTY_REGISTRY = {
+	version: MODEL_REGISTRY_VERSION,
+	providers: [],
+	models: [],
+	combos: []
+};
+const MODEL_APIS$2 = [
+	"anthropic-messages",
+	"openai-chat",
+	"openai-responses"
+];
+const MODALITIES$2 = [
+	"text",
+	"audio",
+	"image",
+	"video",
+	"pdf"
+];
+const REASONING_EFFORTS = [
+	"minimal",
+	"low",
+	"medium",
+	"high",
+	"xhigh"
+];
+const GENERATION_PATH_MODES = ["versioned", "direct"];
+function findProvider(reg, id) {
+	return reg.providers.find((p) => p.id === id);
+}
+/** Look up a model by id, optionally scoped to a provider.
+*
+*  Same model id can exist under multiple providers (e.g. a Xiangxin
+*  model harvested under `hermes/...` and also added by hand under a
+*  custom `og-text` provider). When `providerId` is supplied we match
+*  the exact pair; otherwise we fall back to the first matching id so
+*  legacy callers (and pre-providerId routing-policy entries) still
+*  resolve to *something* instead of breaking. */
+function findModel(reg, id, providerId) {
+	if (providerId !== void 0) return reg.models.find((m) => m.id === id && m.providerId === providerId);
+	return reg.models.find((m) => m.id === id);
+}
+/** A model's effective wire format: its own override, else its provider's. */
+function resolveApi(reg, model) {
+	return model.api ?? findProvider(reg, model.providerId)?.api;
+}
+function findCombo(reg, id) {
+	return reg.combos.find((c) => c.id === id);
+}
+function isObj$9(v) {
+	return typeof v === "object" && v !== null && !Array.isArray(v);
+}
+function normalizeAuth(raw$1) {
+	if (!isObj$9(raw$1)) return void 0;
+	if (raw$1.kind === "passthrough") return { kind: "passthrough" };
+	if (raw$1.kind === "agent-oauth" && (raw$1.agent === "claude-code" || raw$1.agent === "codex")) return {
+		kind: "agent-oauth",
+		agent: raw$1.agent
+	};
+	if (raw$1.kind === "bearer" && typeof raw$1.valueRef === "string") return {
+		kind: "bearer",
+		valueRef: raw$1.valueRef
+	};
+	if (raw$1.kind === "api-key" && typeof raw$1.header === "string" && raw$1.header !== "" && typeof raw$1.valueRef === "string") return {
+		kind: "api-key",
+		header: raw$1.header,
+		valueRef: raw$1.valueRef
+	};
+	return void 0;
+}
+function normalizeProvider(raw$1) {
+	if (!isObj$9(raw$1)) return void 0;
+	const { id, label, baseUrl, api: api$1, origin, seededFrom, reasoningEffort, generationPath } = raw$1;
+	if (typeof id !== "string" || id === "") return void 0;
+	if (typeof baseUrl !== "string" || baseUrl === "") return void 0;
+	if (!MODEL_APIS$2.includes(api$1)) return void 0;
+	const auth = normalizeAuth(raw$1.auth);
+	if (!auth) return void 0;
+	return {
+		id,
+		label: typeof label === "string" ? label : id,
+		baseUrl,
+		api: api$1,
+		auth,
+		origin: origin === "manual" ? "manual" : "seeded",
+		...typeof seededFrom === "string" ? { seededFrom } : {},
+		...REASONING_EFFORTS.includes(reasoningEffort) ? { reasoningEffort } : {},
+		...GENERATION_PATH_MODES.includes(generationPath) ? { generationPath } : {}
+	};
+}
+function normalizeCost(raw$1) {
+	if (!isObj$9(raw$1)) return void 0;
+	const { input, output, cacheRead, cacheWrite } = raw$1;
+	if (typeof input !== "number" || typeof output !== "number") return void 0;
+	return {
+		input,
+		output,
+		...typeof cacheRead === "number" ? { cacheRead } : {},
+		...typeof cacheWrite === "number" ? { cacheWrite } : {}
+	};
+}
+function normalizeModel(raw$1) {
+	if (!isObj$9(raw$1)) return void 0;
+	const { id, providerId, label, api: api$1, origin, contextWindow, maxTokens, reasoningEffort } = raw$1;
+	if (typeof id !== "string" || id === "") return void 0;
+	if (typeof providerId !== "string" || providerId === "") return void 0;
+	const input = Array.isArray(raw$1.input) ? raw$1.input.filter((m) => MODALITIES$2.includes(m)) : [];
+	const cost = normalizeCost(raw$1.cost);
+	return {
+		id,
+		providerId,
+		label: typeof label === "string" ? label : id,
+		...MODEL_APIS$2.includes(api$1) ? { api: api$1 } : {},
+		input: input.length > 0 ? input : ["text"],
+		...typeof contextWindow === "number" ? { contextWindow } : {},
+		...typeof maxTokens === "number" ? { maxTokens } : {},
+		...REASONING_EFFORTS.includes(reasoningEffort) ? { reasoningEffort } : {},
+		...cost ? { cost } : {},
+		origin: origin === "manual" ? "manual" : "seeded"
+	};
+}
+function normalizeFusionEndpoint(raw$1) {
+	if (!isObj$9(raw$1)) return void 0;
+	if (typeof raw$1.modelId !== "string" || raw$1.modelId === "") return void 0;
+	return {
+		modelId: raw$1.modelId,
+		...typeof raw$1.providerId === "string" && raw$1.providerId !== "" ? { providerId: raw$1.providerId } : {}
+	};
+}
+function normalizeWebSearch(raw$1) {
+	if (!isObj$9(raw$1)) return void 0;
+	return typeof raw$1.providerId === "string" && raw$1.providerId !== "" ? { providerId: raw$1.providerId } : {};
+}
+/** A fusion panel member: the primary model, its per-member failover rules
+*  (`switchOn` — token/USD caps + error), and the `fallback` model they switch
+*  to. `normalizeMember` parses the {modelId, providerId, switchOn} part. */
+function normalizeFusionMember(raw$1) {
+	const base = normalizeMember(raw$1);
+	if (!base) return void 0;
+	const fallback = isObj$9(raw$1) ? normalizeFusionEndpoint(raw$1.fallback) : void 0;
+	return {
+		modelId: base.modelId,
+		...base.providerId ? { providerId: base.providerId } : {},
+		...base.switchOn ? { switchOn: base.switchOn } : {},
+		...fallback ? { fallback } : {}
+	};
+}
+/** Lift a legacy failover-combo's combo-level vision/web_search capabilities to
+*  the fusion's combo-level vision/web_search, so they survive the move from
+*  failover chains to fusion. */
+function legacyCaps(rawCaps) {
+	const caps = normalizeCapabilities(rawCaps);
+	const vision = caps?.vision?.via === "companion" ? {
+		modelId: caps.vision.modelId,
+		...caps.vision.providerId ? { providerId: caps.vision.providerId } : {}
+	} : void 0;
+	const webSearch = caps?.web_search?.via === "local" ? caps.web_search.providerId ? { providerId: caps.web_search.providerId } : {} : void 0;
+	return {
+		...vision ? { vision } : {},
+		...webSearch ? { webSearch } : {}
+	};
+}
+/** A fusion combination model. Accepts the current `panel` shape and migrates
+*  the legacy failover-combo shape (`members` + `capabilities`) forward: each
+*  member becomes a panel member, and the old combo-level vision/web_search
+*  capabilities become the combo-level `vision`/`webSearch`. Dropped when it has
+*  no id or no resolvable panel member. */
+function normalizeCombo(raw$1) {
+	if (!isObj$9(raw$1)) return void 0;
+	const { id, label } = raw$1;
+	if (typeof id !== "string" || id === "") return void 0;
+	let panel;
+	let migrated = {};
+	if (Array.isArray(raw$1.panel)) panel = raw$1.panel.map(normalizeFusionMember).filter((m) => m != null);
+	else if (Array.isArray(raw$1.members)) {
+		migrated = legacyCaps(raw$1.capabilities);
+		panel = raw$1.members.map(normalizeMember).filter((m) => m != null).map((m) => ({
+			modelId: m.modelId,
+			...m.providerId ? { providerId: m.providerId } : {},
+			...m.switchOn ? { switchOn: m.switchOn } : {}
+		}));
+	} else panel = [];
+	if (panel.length === 0) return void 0;
+	const vision = normalizeFusionEndpoint(raw$1.vision) ?? migrated.vision;
+	const webSearch = normalizeWebSearch(raw$1.webSearch) ?? migrated.webSearch;
+	const judge = normalizeFusionEndpoint(raw$1.judge);
+	const synthesizer = normalizeFusionEndpoint(raw$1.synthesizer);
+	const cheapModel = normalizeFusionEndpoint(raw$1.cheapModel);
+	return {
+		id,
+		label: typeof label === "string" && label !== "" ? label : id,
+		panel: panel.slice(0, MAX_FUSION_PANEL),
+		...vision ? { vision } : {},
+		...webSearch ? { webSearch } : {},
+		...judge ? { judge } : {},
+		...synthesizer ? { synthesizer } : {},
+		...cheapModel ? { cheapModel } : {},
+		origin: "manual"
+	};
+}
+/** Coerce parsed JSON into a valid registry — malformed entries are dropped,
+*  a hand-edited file with one bad entry never wipes the rest. v1 (no `combos`)
+*  and v2 (failover-style combos) are accepted and migrated forward by
+*  `normalizeCombo` — v2 combos' `members`/`capabilities` become a fusion
+*  `panel`. Throws only on an unsupported version, so a future format is never
+*  silently downgraded. */
+function normalizeModelRegistry(raw$1) {
+	if (!isObj$9(raw$1)) return { ...EMPTY_REGISTRY };
+	if (raw$1.version !== 1 && raw$1.version !== 2 && raw$1.version !== MODEL_REGISTRY_VERSION) throw new Error(`models.json version ${String(raw$1.version)} not supported (expected ${MODEL_REGISTRY_VERSION})`);
+	const providers = Array.isArray(raw$1.providers) ? raw$1.providers.map(normalizeProvider).filter((p) => p != null) : [];
+	const models = Array.isArray(raw$1.models) ? raw$1.models.map(normalizeModel).filter((m) => m != null) : [];
+	const combos = Array.isArray(raw$1.combos) ? raw$1.combos.map(normalizeCombo).filter((c) => c != null) : [];
+	return {
+		version: MODEL_REGISTRY_VERSION,
+		providers,
+		models,
+		combos
+	};
+}
+async function readModelRegistry() {
+	if (!await fileExists(paths.models)) return { ...EMPTY_REGISTRY };
+	return normalizeModelRegistry(JSON.parse(await readFile(paths.models, "utf8")));
+}
+async function writeModelRegistry(reg) {
+	await atomicWrite(paths.models, `${JSON.stringify(reg, null, 2)}\n`);
+}
+let writeChain$3 = Promise.resolve();
+function mutateModelRegistry(fn) {
+	const next = writeChain$3.then(async () => {
+		const reg = await readModelRegistry();
+		const updated = fn(reg);
+		if (updated) await writeModelRegistry(updated);
+		return updated ?? reg;
+	});
+	writeChain$3 = next.catch(() => {});
+	return next;
+}
+
+//#endregion
+//#region src/cli/launch/codex-protocol.ts
+/** Resolve codex's effective backend wire format. `modelOverride` is the
+*  per-launch `--model` (a routed instance pins one model); without it the
+*  type-level `codex/*` routing default decides. Best-effort: any read failure
+*  or an unresolved/mixed target falls back to Responses (codex's native). */
+async function resolveCodexWireProtocol(modelOverride) {
+	const api$1 = await resolveBackendApi(modelOverride).catch(() => void 0);
+	if (api$1 === "openai-chat") return {
+		wireApi: "chat",
+		decoder: "openai-chat"
+	};
+	return {
+		wireApi: "responses",
+		decoder: "openai-responses"
+	};
+}
+async function resolveBackendApi(modelOverride) {
+	const reg = await readModelRegistry();
+	if (modelOverride) {
+		const m = findModel(reg, modelOverride);
+		if (m) return resolveApi(reg, m);
+	}
+	const policy$1 = await readRoutingPolicy();
+	const target = policy$1.agents["codex/*"]?.target ?? policy$1.agents.codex?.target;
+	if (target?.kind === "chain") {
+		const first = target.members[0];
+		if (first) {
+			const m = findModel(reg, first.modelId, first.providerId);
+			if (m) return resolveApi(reg, m);
+		}
+	}
+	return "openai-responses";
+}
+
+//#endregion
+//#region src/cli/launch/resolve-bin.ts
+const EXECUTABLE_EXTENSIONS = [".exe", ".com"];
+const SHELL_EXTENSIONS = [".cmd", ".bat"];
+async function exists$1(path$1) {
+	try {
+		await access(path$1);
+		return true;
+	} catch {
+		return false;
+	}
+}
+function pathValue(env) {
+	return env.PATH ?? env.Path ?? env.path ?? "";
+}
+function pathExts(env) {
+	const raw$1 = env.PATHEXT ?? env.PathExt ?? ".COM;.EXE;.BAT;.CMD";
+	return raw$1.split(";").map((x) => x.trim().toLowerCase()).filter(Boolean);
+}
+function hasPathSeparator(command) {
+	return command.includes("/") || command.includes("\\");
+}
+/** Resolve a candidate path the way Windows' loader does — case-insensitively.
+*  Returns the real on-disk path (preserving its actual case) or undefined.
+*  An exact match is the fast path (correct on real Windows and on a
+*  case-insensitive host FS like macOS); the directory scan is the fallback
+*  that makes win32 resolution behave correctly even on a case-sensitive host
+*  FS (Linux CI), where `PATHEXT`'s case need not match the file's. */
+async function resolveCaseInsensitive(path$1) {
+	if (await exists$1(path$1)) return path$1;
+	const dir = dirname(path$1);
+	const target = basename(path$1).toLowerCase();
+	try {
+		const entries = await readdir(dir);
+		const match$1 = entries.find((e) => e.toLowerCase() === target);
+		return match$1 ? join(dir, match$1) : void 0;
+	} catch {
+		return void 0;
+	}
+}
+async function firstExisting(candidates) {
+	for (const candidate of candidates) {
+		const hit = await resolveCaseInsensitive(candidate);
+		if (hit) return hit;
+	}
+	return void 0;
+}
+function asResolved(command, shell, argsPrefix = []) {
+	return {
+		command,
+		argsPrefix,
+		shell
+	};
+}
+function windowsCandidates(command, env) {
+	const dirs = hasPathSeparator(command) || isAbsolute(command) ? [""] : pathValue(env).split(delimiter);
+	const exts = pathExts(env);
+	const hasExt = /\.[^\\/]+$/.test(command);
+	const suffixes = hasExt ? [""] : [...EXECUTABLE_EXTENSIONS.filter((ext) => exts.includes(ext)), ...SHELL_EXTENSIONS.filter((ext) => exts.includes(ext))];
+	const out = [];
+	for (const dir of dirs) {
+		if (!dir && !hasPathSeparator(command) && !isAbsolute(command)) continue;
+		for (const suffix of suffixes) out.push(dir ? join(dir, `${command}${suffix}`) : `${command}${suffix}`);
+	}
+	return out;
+}
+function resolveShimPath(raw$1, baseDir) {
+	const withBaseDir = raw$1.replace(/%~dp0/gi, baseDir).replace(/%dp0%/gi, baseDir);
+	const withNativeSeparators = withBaseDir.replace(/[\\/]+/g, sep);
+	return normalize(isAbsolute(withNativeSeparators) ? withNativeSeparators : join(baseDir, withNativeSeparators));
+}
+function quotedDp0Targets(text$1, baseDir) {
+	return [...text$1.matchAll(/"([^"]*%~?dp0[^"]*)"/gi)].map((match$1) => resolveShimPath(match$1[1], baseDir));
+}
+async function resolveNpmCmdShim(command) {
+	const lower = command.toLowerCase();
+	if (!SHELL_EXTENSIONS.some((ext) => lower.endsWith(ext))) return void 0;
+	let text$1;
+	try {
+		text$1 = await readFile(command, "utf8");
+	} catch {
+		return void 0;
+	}
+	const baseDir = dirname(command);
+	const targets = quotedDp0Targets(text$1, baseDir);
+	const nativeTarget = targets.find((target) => /\.(exe|com)$/i.test(target) && !/[\\/]node\.exe$/i.test(target));
+	if (nativeTarget && await exists$1(nativeTarget)) return asResolved(nativeTarget, false);
+	const scriptTarget = targets.find((target) => /\.(cjs|js|mjs)$/i.test(target));
+	if (scriptTarget && await exists$1(scriptTarget)) {
+		const localNode = join(baseDir, "node.exe");
+		const node = await exists$1(localNode) ? localNode : process$1.execPath;
+		return asResolved(node, false, [scriptTarget]);
+	}
+	return void 0;
+}
+async function resolveLaunchBin(command, opts = {}) {
+	const platform = opts.platform ?? process$1.platform;
+	if (platform !== "win32") return asResolved(command, false);
+	const env = opts.env ?? process$1.env;
+	const candidates = windowsCandidates(command, env);
+	const resolved = await firstExisting(candidates);
+	if (!resolved) return asResolved(command, false);
+	const lower = resolved.toLowerCase();
+	const shimTarget = await resolveNpmCmdShim(resolved);
+	if (shimTarget) return shimTarget;
+	return asResolved(resolved, SHELL_EXTENSIONS.some((ext) => lower.endsWith(ext)));
+}
+
 //#endregion
 //#region src/cli/rewrite/jsonc.ts
 /**
@@ -3771,10 +4177,10 @@ async function readAgentEnv(settingsPath) {
 const CLAUDE_CODE = {
 	agent: "claude-code",
 	bins: ["claude", "claude-code"],
-	async build(baseUrl, extraEnv) {
+	async build(baseUrl, opts) {
 		const env = await readAgentEnv(paths.agent.claudeCode.settings);
 		env.ANTHROPIC_BASE_URL = baseUrl;
-		for (const [k, v] of Object.entries(extraEnv ?? {})) if (env[k] === void 0 && process$1.env[k] === void 0) env[k] = v;
+		for (const [k, v] of Object.entries(opts?.extraEnv ?? {})) if (env[k] === void 0 && process$1.env[k] === void 0) env[k] = v;
 		return {
 			argvPrefix: ["--settings", JSON.stringify({ env })],
 			env: {}
@@ -3784,7 +4190,8 @@ const CLAUDE_CODE = {
 const CODEX = {
 	agent: "codex",
 	bins: ["codex"],
-	async build(baseUrl) {
+	async build(baseUrl, opts) {
+		const wireApi = opts?.wireApi ?? "responses";
 		const argvPrefix = [
 			"-c",
 			"model_provider=afw",
@@ -3793,7 +4200,7 @@ const CODEX = {
 			"-c",
 			"model_providers.afw.name=\"afw (OpenAI)\"",
 			"-c",
-			"model_providers.afw.wire_api=\"responses\"",
+			`model_providers.afw.wire_api="${wireApi}"`,
 			"-c",
 			"model_providers.afw.requires_openai_auth=true"
 		];
@@ -3820,7 +4227,7 @@ function wiringForBin(bin, override) {
 //#region src/cli/launch/instance.ts
 /** Slug a label into a URL/policy-safe instance id; fall back to the pid. */
 function instanceIdFrom(label) {
-	if (label && label.trim()) {
+	if (label?.trim()) {
 		const slug = label.trim().toLowerCase().replace(/[^a-z0-9-]+/g, "-").replace(/^-+|-+$/g, "");
 		if (slug) return slug;
 	}
@@ -3876,18 +4283,28 @@ async function launchInstance(opts) {
 		} : null;
 		if (target !== null) await setInstancePolicy(routeKey, target);
 		const extraEnv = wiring.agent === "claude-code" && !opts.monitor && opts.model ? await resolveAutoCompactEnv(wiring.agent, opts.model) : {};
-		const plan = await wiring.build(baseUrl, extraEnv);
+		const wireApi = wiring.agent === "codex" && !opts.monitor ? (await resolveCodexWireProtocol(opts.model)).wireApi : void 0;
+		const plan = await wiring.build(baseUrl, {
+			extraEnv,
+			...wireApi ? { wireApi } : {}
+		});
 		argvPrefix = plan.argvPrefix;
 		envOverride = plan.env;
 	}
 	const mode = opts.raw ? "raw (bypassing afw)" : opts.monitor ? "monitor-only" : opts.model ? `→ ${opts.model}` : "type default";
 	logger.print(`▶ ${wiring.agent}@${instanceId}  ${mode}`);
-	const child = spawn(opts.bin, [...argvPrefix, ...opts.args], {
+	const resolvedBin = await resolveLaunchBin(opts.bin);
+	const child = spawn(resolvedBin.command, [
+		...resolvedBin.argsPrefix,
+		...argvPrefix,
+		...opts.args
+	], {
 		stdio: "inherit",
 		env: {
 			...process$1.env,
 			...envOverride
-		}
+		},
+		shell: resolvedBin.shell
 	});
 	const cleanup = async () => {
 		if (opts.ephemeral && !opts.raw) try {
@@ -3905,6 +4322,553 @@ async function launchInstance(opts) {
 	});
 }
 
+//#endregion
+//#region src/core/provider-catalog.ts
+const PROVIDER_CATALOG = [
+	{
+		id: "openai",
+		label: "OpenAI",
+		baseUrl: "https://api.openai.com/v1",
+		api: "openai-responses",
+		apiKeyUrl: "https://platform.openai.com/api-keys",
+		oauthKey: "openai",
+		models: [
+			{
+				id: "gpt-5.5",
+				label: "GPT-5.5",
+				vision: true,
+				contextWindow: 1e6,
+				maxTokens: 128e3
+			},
+			{
+				id: "gpt-5.4",
+				label: "GPT-5.4",
+				vision: true,
+				contextWindow: 272e3,
+				maxTokens: 128e3
+			},
+			{
+				id: "gpt-5.4-mini",
+				label: "GPT-5.4 mini",
+				vision: true,
+				contextWindow: 4e5,
+				maxTokens: 128e3
+			},
+			{
+				id: "gpt-5.3-codex",
+				label: "GPT-5.3 Codex",
+				vision: true,
+				contextWindow: 4e5,
+				maxTokens: 128e3
+			},
+			{
+				id: "o3",
+				label: "o3",
+				vision: true,
+				contextWindow: 2e5,
+				maxTokens: 1e5
+			},
+			{
+				id: "o4-mini",
+				label: "o4-mini",
+				vision: true,
+				contextWindow: 2e5,
+				maxTokens: 1e5
+			}
+		]
+	},
+	{
+		id: "anthropic",
+		label: "Anthropic",
+		baseUrl: "https://api.anthropic.com",
+		api: "anthropic",
+		apiKeyUrl: "https://console.anthropic.com/settings/keys",
+		oauthKey: "anthropic",
+		models: [
+			{
+				id: "claude-opus-4-8",
+				label: "Claude Opus 4.8",
+				vision: true,
+				contextWindow: 1048576,
+				maxTokens: 128e3
+			},
+			{
+				id: "claude-opus-4-7",
+				label: "Claude Opus 4.7",
+				vision: true,
+				contextWindow: 2e5,
+				maxTokens: 64e3
+			},
+			{
+				id: "claude-sonnet-4-6",
+				label: "Claude Sonnet 4.6",
+				vision: true,
+				contextWindow: 2e5,
+				maxTokens: 64e3
+			}
+		]
+	},
+	{
+		id: "deepseek",
+		label: "DeepSeek",
+		baseUrl: "https://api.deepseek.com",
+		api: "openai-chat",
+		apiKeyUrl: "https://platform.deepseek.com/api_keys",
+		models: [
+			{
+				id: "deepseek-v4-pro",
+				label: "DeepSeek V4 Pro",
+				contextWindow: 1e6,
+				maxTokens: 384e3
+			},
+			{
+				id: "deepseek-v4-flash",
+				label: "DeepSeek V4 Flash",
+				contextWindow: 1e6,
+				maxTokens: 384e3
+			},
+			{
+				id: "deepseek-chat",
+				label: "DeepSeek Chat",
+				contextWindow: 131072,
+				maxTokens: 8192
+			},
+			{
+				id: "deepseek-reasoner",
+				label: "DeepSeek Reasoner",
+				contextWindow: 131072,
+				maxTokens: 65536
+			}
+		]
+	},
+	{
+		id: "zai",
+		label: "Z.AI (GLM)",
+		baseUrl: "https://api.z.ai/api/paas/v4",
+		api: "openai-chat",
+		apiKeyUrl: "https://z.ai/manage-apikey/apikey-list",
+		models: [
+			{
+				id: "glm-5.1",
+				label: "GLM-5.1",
+				contextWindow: 202800,
+				maxTokens: 131100
+			},
+			{
+				id: "glm-5",
+				label: "GLM-5",
+				contextWindow: 202800,
+				maxTokens: 131100
+			},
+			{
+				id: "glm-5v-turbo",
+				label: "GLM-5V Turbo",
+				vision: true,
+				contextWindow: 202800,
+				maxTokens: 131100
+			},
+			{
+				id: "glm-4.7",
+				label: "GLM-4.7",
+				contextWindow: 204800,
+				maxTokens: 131072
+			}
+		]
+	},
+	{
+		id: "moonshot",
+		label: "Moonshot (Kimi)",
+		baseUrl: "https://api.moonshot.ai/v1",
+		api: "openai-chat",
+		apiKeyUrl: "https://platform.moonshot.ai/console/api-keys",
+		models: [
+			{
+				id: "kimi-k2.6",
+				label: "Kimi K2.6",
+				vision: true,
+				contextWindow: 262144,
+				maxTokens: 262144
+			},
+			{
+				id: "kimi-k2.5",
+				label: "Kimi K2.5",
+				vision: true,
+				contextWindow: 262144,
+				maxTokens: 262144
+			},
+			{
+				id: "kimi-k2-thinking",
+				label: "Kimi K2 Thinking",
+				contextWindow: 262144,
+				maxTokens: 262144
+			}
+		]
+	},
+	{
+		id: "mistral",
+		label: "Mistral",
+		baseUrl: "https://api.mistral.ai/v1",
+		api: "openai-chat",
+		apiKeyUrl: "https://console.mistral.ai/api-keys",
+		models: [
+			{
+				id: "mistral-large-latest",
+				label: "Mistral Large",
+				vision: true,
+				contextWindow: 262144,
+				maxTokens: 16384
+			},
+			{
+				id: "mistral-medium-3-5",
+				label: "Mistral Medium 3.5",
+				vision: true,
+				contextWindow: 262144,
+				maxTokens: 8192
+			},
+			{
+				id: "codestral-latest",
+				label: "Codestral",
+				contextWindow: 256e3,
+				maxTokens: 4096
+			},
+			{
+				id: "devstral-medium-latest",
+				label: "Devstral 2",
+				contextWindow: 262144,
+				maxTokens: 32768
+			}
+		]
+	},
+	{
+		id: "groq",
+		label: "Groq",
+		baseUrl: "https://api.groq.com/openai/v1",
+		api: "openai-chat",
+		apiKeyUrl: "https://console.groq.com/keys",
+		models: [
+			{
+				id: "openai/gpt-oss-120b",
+				label: "GPT OSS 120B",
+				contextWindow: 131072,
+				maxTokens: 65536
+			},
+			{
+				id: "qwen/qwen3-32b",
+				label: "Qwen3 32B",
+				contextWindow: 131072,
+				maxTokens: 40960
+			},
+			{
+				id: "llama-3.3-70b-versatile",
+				label: "Llama 3.3 70B Versatile",
+				contextWindow: 131072,
+				maxTokens: 32768
+			}
+		]
+	},
+	{
+		id: "openrouter",
+		label: "OpenRouter",
+		baseUrl: "https://openrouter.ai/api/v1",
+		api: "openai-chat",
+		apiKeyUrl: "https://openrouter.ai/keys",
+		models: []
+	},
+	{
+		id: "together",
+		label: "Together AI",
+		baseUrl: "https://api.together.xyz/v1",
+		api: "openai-chat",
+		apiKeyUrl: "https://api.together.ai/settings/api-keys",
+		models: [
+			{
+				id: "deepseek-ai/DeepSeek-V4-Pro",
+				label: "DeepSeek V4 Pro",
+				contextWindow: 512e3,
+				maxTokens: 8192
+			},
+			{
+				id: "zai-org/GLM-5.1",
+				label: "GLM 5.1",
+				contextWindow: 202752,
+				maxTokens: 8192
+			},
+			{
+				id: "moonshotai/Kimi-K2.6",
+				label: "Kimi K2.6",
+				vision: true,
+				contextWindow: 262144,
+				maxTokens: 32768
+			}
+		]
+	},
+	{
+		id: "fireworks",
+		label: "Fireworks AI",
+		baseUrl: "https://api.fireworks.ai/inference/v1",
+		api: "openai-chat",
+		apiKeyUrl: "https://app.fireworks.ai/settings/users/api-keys",
+		models: [{
+			id: "accounts/fireworks/models/kimi-k2p6",
+			label: "Kimi K2.6",
+			vision: true,
+			contextWindow: 262144,
+			maxTokens: 262144
+		}]
+	},
+	{
+		id: "deepinfra",
+		label: "DeepInfra",
+		baseUrl: "https://api.deepinfra.com/v1/openai",
+		api: "openai-chat",
+		apiKeyUrl: "https://deepinfra.com/dash/api_keys",
+		models: [
+			{
+				id: "deepseek-ai/DeepSeek-V4-Flash",
+				label: "DeepSeek V4 Flash",
+				contextWindow: 1048576,
+				maxTokens: 1048576
+			},
+			{
+				id: "zai-org/GLM-5.1",
+				label: "GLM-5.1",
+				contextWindow: 202752,
+				maxTokens: 202752
+			},
+			{
+				id: "moonshotai/Kimi-K2.5",
+				label: "Kimi K2.5",
+				vision: true,
+				contextWindow: 262144,
+				maxTokens: 262144
+			}
+		]
+	},
+	{
+		id: "novita",
+		label: "Novita AI",
+		baseUrl: "https://api.novita.ai/openai/v1",
+		api: "openai-chat",
+		apiKeyUrl: "https://novita.ai/settings/key-management",
+		models: [{
+			id: "moonshotai/kimi-k2.5",
+			label: "Kimi K2.5",
+			vision: true,
+			contextWindow: 262144,
+			maxTokens: 65536
+		}, {
+			id: "zai-org/glm-5",
+			label: "GLM-5",
+			contextWindow: 202752,
+			maxTokens: 65536
+		}]
+	},
+	{
+		id: "cerebras",
+		label: "Cerebras",
+		baseUrl: "https://api.cerebras.ai/v1",
+		api: "openai-chat",
+		apiKeyUrl: "https://cloud.cerebras.ai/platform",
+		models: [
+			{
+				id: "zai-glm-4.7",
+				label: "Z.ai GLM 4.7",
+				contextWindow: 128e3,
+				maxTokens: 8192
+			},
+			{
+				id: "gpt-oss-120b",
+				label: "GPT OSS 120B",
+				contextWindow: 128e3,
+				maxTokens: 8192
+			},
+			{
+				id: "qwen-3-235b-a22b-instruct-2507",
+				label: "Qwen 3 235B Instruct",
+				contextWindow: 128e3,
+				maxTokens: 8192
+			}
+		]
+	},
+	{
+		id: "nvidia",
+		label: "NVIDIA",
+		baseUrl: "https://integrate.api.nvidia.com/v1",
+		api: "openai-chat",
+		apiKeyUrl: "https://build.nvidia.com",
+		models: [{
+			id: "nvidia/nemotron-3-super-120b-a12b",
+			label: "Nemotron 3 Super 120B",
+			contextWindow: 262144,
+			maxTokens: 8192
+		}, {
+			id: "z-ai/glm-5.1",
+			label: "GLM 5.1",
+			contextWindow: 202752,
+			maxTokens: 8192
+		}]
+	},
+	{
+		id: "xiaomi",
+		label: "Xiaomi MiMo",
+		baseUrl: "https://api.xiaomimimo.com/v1",
+		api: "openai-chat",
+		models: [{
+			id: "mimo-v2-pro",
+			label: "MiMo V2 Pro",
+			contextWindow: 1048576,
+			maxTokens: 32e3
+		}, {
+			id: "mimo-v2-omni",
+			label: "MiMo V2 Omni",
+			vision: true,
+			contextWindow: 262144,
+			maxTokens: 32e3
+		}]
+	},
+	{
+		id: "stepfun",
+		label: "StepFun",
+		baseUrl: "https://api.stepfun.ai/v1",
+		api: "openai-chat",
+		models: [{
+			id: "step-3.5-flash",
+			label: "Step 3.5 Flash",
+			contextWindow: 262144,
+			maxTokens: 65536
+		}]
+	},
+	{
+		id: "venice",
+		label: "Venice AI",
+		baseUrl: "https://api.venice.ai/api/v1",
+		api: "openai-chat",
+		apiKeyUrl: "https://venice.ai/settings/api",
+		models: [
+			{
+				id: "zai-org-glm-5",
+				label: "GLM 5",
+				contextWindow: 198e3,
+				maxTokens: 32e3
+			},
+			{
+				id: "qwen3-235b-a22b-thinking-2507",
+				label: "Qwen3 235B Thinking",
+				contextWindow: 128e3,
+				maxTokens: 16384
+			},
+			{
+				id: "llama-3.3-70b",
+				label: "Llama 3.3 70B",
+				contextWindow: 128e3,
+				maxTokens: 4096
+			}
+		]
+	}
+];
+
+//#endregion
+//#region src/daemon/orchestrator/oauth/jwt.ts
+/** Decode a JWT's payload claims without verifying the signature, or undefined
+*  when the token is malformed. The upstream still verifies for real. */
+function decodeJwtPayload(token) {
+	const parts = token.split(".");
+	const payload = parts[1];
+	if (parts.length < 2 || !payload) return void 0;
+	try {
+		const json = Buffer$1.from(payload, "base64url").toString("utf8");
+		const claims = JSON.parse(json);
+		return typeof claims === "object" && claims !== null ? claims : void 0;
+	} catch {
+		return void 0;
+	}
+}
+/** The `exp` claim (epoch seconds) of a JWT, or undefined when the token is
+*  malformed or carries no numeric `exp`. */
+function decodeJwtExp(token) {
+	const exp = decodeJwtPayload(token)?.exp;
+	return typeof exp === "number" ? exp : void 0;
+}
+
+//#endregion
+//#region src/cli/util/select.ts
+const ESC = "\x1B";
+/** Drive an interactive selection over `labels`. Returns the chosen 0-based
+*  indices (length 1 in single mode), or null when an interactive UI can't be
+*  shown. Ctrl-C exits the process (130), matching the rest of the CLI prompts. */
+async function interactiveSelect(question, labels, opts = {}) {
+	const stdin = process$1.stdin;
+	const stdout = process$1.stdout;
+	if (!stdin.isTTY || typeof stdin.setRawMode !== "function" || labels.length === 0) return null;
+	const multi = opts.multi === true;
+	let cursor = 0;
+	const selected = new Set(opts.preselected ?? []);
+	const hint = multi ? "↑/↓ move · space toggle · a all · enter confirm" : "↑/↓ move · enter select";
+	const draw = (first) => {
+		const lines = labels.map((label, i) => {
+			const pointer = i === cursor ? "❯" : " ";
+			const box = multi ? selected.has(i) ? "◉ " : "◯ " : "";
+			const text$1 = `${pointer} ${box}${label}`;
+			return i === cursor ? `${ESC}[36m${text$1}${ESC}[0m` : text$1;
+		});
+		if (!first) stdout.write(`${ESC}[${labels.length}A`);
+		stdout.write(`${ESC}[J`);
+		stdout.write(`${lines.join("\r\n")}\r\n`);
+	};
+	stdout.write(`${question}  ${ESC}[2m${hint}${ESC}[0m\r\n`);
+	stdout.write(`${ESC}[?25l`);
+	draw(true);
+	return new Promise((resolve) => {
+		const cleanup = () => {
+			stdin.setRawMode(false);
+			stdin.pause();
+			stdin.removeListener("data", onData);
+			stdout.write(`${ESC}[?25h`);
+		};
+		const finish = (result) => {
+			cleanup();
+			stdout.write("\r\n");
+			resolve(result);
+		};
+		const onData = (chunk) => {
+			if (chunk === "") {
+				cleanup();
+				stdout.write("\r\n");
+				process$1.exit(130);
+			}
+			if (chunk === "\r" || chunk === "\n") {
+				finish(multi ? [...selected].sort((a, b) => a - b) : [cursor]);
+				return;
+			}
+			if (chunk === `${ESC}[A` || chunk === "k") {
+				cursor = (cursor - 1 + labels.length) % labels.length;
+				draw(false);
+				return;
+			}
+			if (chunk === `${ESC}[B` || chunk === "j") {
+				cursor = (cursor + 1) % labels.length;
+				draw(false);
+				return;
+			}
+			if (multi && chunk === " ") {
+				if (selected.has(cursor)) selected.delete(cursor);
+				else selected.add(cursor);
+				draw(false);
+				return;
+			}
+			if (multi && (chunk === "a" || chunk === "A")) {
+				if (selected.size === labels.length) selected.clear();
+				else for (let i = 0; i < labels.length; i++) selected.add(i);
+				draw(false);
+			}
+		};
+		stdin.setRawMode(true);
+		stdin.resume();
+		stdin.setEncoding("utf8");
+		stdin.on("data", onData);
+	});
+}
+
 //#endregion
 //#region src/cli/util/prompt.ts
 /**
@@ -3951,6 +4915,8 @@ async function promptText(question, def = "") {
 async function promptChoice(question, choices) {
 	const first = choices[0];
 	if (!process$1.stdin.isTTY) return first;
+	const picked = await interactiveSelect(question, choices, { multi: false });
+	if (picked) return choices[picked[0]];
 	const rl = createInterface({
 		input: process$1.stdin,
 		output: process$1.stdout
@@ -3970,6 +4936,54 @@ async function promptChoice(question, choices) {
 	}
 }
 /**
+* Ask the user to pick zero or more of `choices`. Accepts a comma/space list of
+* 1-based indices and ranges (`1,3` / `1 3` / `2-5`), or the word `all`. Empty
+* input selects nothing. Non-interactive (no TTY) returns `[]` so scripted runs
+* never block. Returns the chosen values in `choices` order, de-duplicated.
+*/
+async function promptMultiChoice(question, choices) {
+	if (!process$1.stdin.isTTY || choices.length === 0) return [];
+	const picked = await interactiveSelect(question, choices, { multi: true });
+	if (picked) return choices.filter((_, i) => picked.includes(i));
+	const rl = createInterface({
+		input: process$1.stdin,
+		output: process$1.stdout
+	});
+	try {
+		for (;;) {
+			const list = choices.map((c, i) => `  ${i + 1}) ${c}`).join("\n");
+			const answer = (await rl.question(`${question}\n${list}\n(e.g. 1,3 or 2-4 or 'all'; blank for none) `)).trim();
+			if (answer === "") return [];
+			if (answer.toLowerCase() === "all") return [...choices];
+			const picked$1 = new Set();
+			let bad = false;
+			for (const tok of answer.split(/[\s,]+/).filter(Boolean)) {
+				const range = tok.match(/^(\d+)-(\d+)$/);
+				if (range) {
+					const lo = Number.parseInt(range[1], 10);
+					const hi = Number.parseInt(range[2], 10);
+					if (lo < 1 || hi > choices.length || lo > hi) {
+						bad = true;
+						break;
+					}
+					for (let i = lo; i <= hi; i++) picked$1.add(i - 1);
+					continue;
+				}
+				const n = Number.parseInt(tok, 10);
+				if (!Number.isInteger(n) || n < 1 || n > choices.length) {
+					bad = true;
+					break;
+				}
+				picked$1.add(n - 1);
+			}
+			if (bad) continue;
+			return choices.filter((_, i) => picked$1.has(i));
+		}
+	} finally {
+		rl.close();
+	}
+}
+/**
 * Read a secret from the terminal without echoing keystrokes. Falls back to a
 * plain line read when stdin is not a TTY, so a piped value still works.
 */
@@ -4013,13 +5027,286 @@ async function promptSecret(question) {
 	});
 }
 
+//#endregion
+//#region src/cli/oauth/browser.ts
+function openBrowser$1(url) {
+	const platform = process$1.platform;
+	const cmd = platform === "darwin" ? "open" : platform === "win32" ? "cmd" : "xdg-open";
+	const args = platform === "win32" ? [
+		"/c",
+		"start",
+		"",
+		url
+	] : [url];
+	try {
+		const child = spawn(cmd, args, {
+			stdio: "ignore",
+			detached: true
+		});
+		child.on("error", () => {});
+		child.unref();
+	} catch {}
+}
+
+//#endregion
+//#region src/cli/oauth/pkce.ts
+function base64url(buf) {
+	return buf.toString("base64url");
+}
+/** A fresh PKCE verifier + S256 challenge pair. */
+function generatePkce() {
+	const verifier = base64url(randomBytes(32));
+	const challenge = base64url(createHash("sha256").update(verifier).digest());
+	return {
+		verifier,
+		challenge
+	};
+}
+/** An opaque anti-CSRF `state` value for the authorize request. */
+function generateState() {
+	return base64url(randomBytes(16));
+}
+
+//#endregion
+//#region src/cli/oauth/login.ts
+async function writeJson(path$1, value) {
+	await mkdir(dirname(path$1), { recursive: true });
+	await atomicWrite(path$1, `${JSON.stringify(value, null, 2)}\n`, { mode: 384 });
+}
+/** The ChatGPT account id is carried as a custom claim in the access (or id)
+*  token JWT. The Codex backend rejects requests without it. */
+function chatgptAccountId(tok) {
+	for (const jwt of [tok.access_token, tok.id_token]) {
+		if (!jwt) continue;
+		const claims = decodeJwtPayload(jwt);
+		const direct = claims?.["https://api.openai.com/auth.chatgpt_account_id"];
+		if (typeof direct === "string" && direct) return direct;
+		const fallback = claims?.["https://api.openai.com/auth.chatgpt_account_user_id"];
+		if (typeof fallback === "string" && fallback) return fallback;
+	}
+	return void 0;
+}
+const OAUTH_PROVIDERS = {
+	anthropic: {
+		key: "anthropic",
+		label: "Anthropic (Claude Pro/Max subscription)",
+		clientId: "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
+		authorizeUrl: "https://claude.ai/oauth/authorize",
+		tokenUrl: "https://platform.claude.com/v1/oauth/token",
+		scope: "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload",
+		redirectHost: "127.0.0.1",
+		redirectPort: 53692,
+		redirectPath: "/callback",
+		tokenStyle: "json",
+		extraAuthorize: { code: "true" },
+		register: {
+			agent: "claude-code",
+			baseUrl: "https://api.anthropic.com",
+			api: "anthropic-messages"
+		},
+		async persist(tok) {
+			const expiresAt = Date.now() + (tok.expires_in ?? 3600) * 1e3;
+			await writeJson(paths.oauth.claudeCode, { claudeAiOauth: {
+				accessToken: tok.access_token,
+				refreshToken: tok.refresh_token,
+				expiresAt
+			} });
+		}
+	},
+	openai: {
+		key: "openai",
+		label: "OpenAI (ChatGPT/Codex subscription)",
+		clientId: "app_EMoamEEZ73f0CkXaXp7hrann",
+		authorizeUrl: "https://auth.openai.com/oauth/authorize",
+		tokenUrl: "https://auth.openai.com/oauth/token",
+		scope: "openid profile email offline_access",
+		redirectHost: "localhost",
+		redirectPort: 1455,
+		redirectPath: "/auth/callback",
+		tokenStyle: "form",
+		extraAuthorize: {
+			id_token_add_organizations: "true",
+			codex_cli_simplified_flow: "true",
+			originator: "afw"
+		},
+		register: {
+			agent: "codex",
+			baseUrl: "https://chatgpt.com/backend-api/codex",
+			api: "openai-responses"
+		},
+		async persist(tok) {
+			await writeJson(paths.oauth.codex, {
+				auth_mode: "chatgpt",
+				tokens: {
+					access_token: tok.access_token,
+					refresh_token: tok.refresh_token,
+					...tok.id_token ? { id_token: tok.id_token } : {},
+					...chatgptAccountId(tok) ? { account_id: chatgptAccountId(tok) } : {}
+				},
+				last_refresh: new Date().toISOString()
+			});
+		}
+	}
+};
+function redirectUri(def) {
+	return `http://${def.redirectHost}:${def.redirectPort}${def.redirectPath}`;
+}
+function authorizeUrl(def, challenge, state$1) {
+	const u = new URL(def.authorizeUrl);
+	const params = {
+		response_type: "code",
+		client_id: def.clientId,
+		redirect_uri: redirectUri(def),
+		scope: def.scope,
+		code_challenge: challenge,
+		code_challenge_method: "S256",
+		state: state$1,
+		...def.extraAuthorize
+	};
+	for (const [k, v] of Object.entries(params)) u.searchParams.set(k, v);
+	return u.toString();
+}
+/** Pull the authorization code out of whatever the user pasted: a bare code, a
+*  `code#state` pair, or the full redirected URL. Returns undefined when it
+*  can't find one or the state doesn't match. */
+function parsePastedCode(input, state$1) {
+	const text$1 = input.trim();
+	if (text$1 === "") return void 0;
+	if (text$1.includes("://")) {
+		try {
+			const u = new URL(text$1);
+			const code$1 = u.searchParams.get("code");
+			const got$1 = u.searchParams.get("state");
+			if (code$1 && (!got$1 || got$1 === state$1)) return code$1;
+		} catch {
+			return void 0;
+		}
+		return void 0;
+	}
+	const [code, got] = text$1.split("#");
+	if (code && (!got || got === state$1)) return code;
+	return void 0;
+}
+const OK_PAGE = "<!doctype html><meta charset=\"utf-8\"><title>afw</title><body style=\"font-family:system-ui;padding:3rem;text-align:center\"><h2>✓ afw is now connected</h2><p>You can close this tab and return to the terminal.</p>";
+const ERR_PAGE = "<!doctype html><meta charset=\"utf-8\"><title>afw</title><body style=\"font-family:system-ui;padding:3rem;text-align:center\"><h2>Login failed</h2><p>Return to the terminal and try again.</p>";
+/** Wait for the authorization code via either the localhost callback or a
+*  hand-pasted code — whichever arrives first. */
+function awaitAuthCode(def, state$1) {
+	return new Promise((resolve, reject) => {
+		let settled = false;
+		const server = createServer((req, res) => {
+			const url = new URL(req.url ?? "/", `http://${def.redirectHost}:${def.redirectPort}`);
+			if (url.pathname !== def.redirectPath) {
+				res.writeHead(404);
+				res.end();
+				return;
+			}
+			const code = url.searchParams.get("code");
+			const got = url.searchParams.get("state");
+			if (!code || got && got !== state$1) {
+				res.writeHead(400, { "content-type": "text/html" });
+				res.end(ERR_PAGE);
+				finish(void 0, new Error("OAuth callback carried no code or a mismatched state"));
+				return;
+			}
+			res.writeHead(200, { "content-type": "text/html" });
+			res.end(OK_PAGE);
+			finish(code);
+		});
+		const finish = (code, err) => {
+			if (settled) return;
+			settled = true;
+			server.close();
+			if (code) resolve(code);
+			else reject(err ?? new Error("OAuth login cancelled"));
+		};
+		server.on("error", (err) => finish(void 0, err));
+		server.listen(def.redirectPort, def.redirectHost);
+		promptText("  …or paste the authorization code / redirect URL here").then((answer) => {
+			if (settled) return;
+			const code = parsePastedCode(answer, state$1);
+			if (code) finish(code);
+		});
+	});
+}
+async function exchangeCode(def, code, verifier, state$1) {
+	const fields = {
+		grant_type: "authorization_code",
+		client_id: def.clientId,
+		code,
+		code_verifier: verifier,
+		redirect_uri: redirectUri(def),
+		state: state$1
+	};
+	const res = def.tokenStyle === "json" ? await fetch(def.tokenUrl, {
+		method: "POST",
+		headers: { "content-type": "application/json" },
+		body: JSON.stringify(fields)
+	}) : await fetch(def.tokenUrl, {
+		method: "POST",
+		headers: { "content-type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams(fields).toString()
+	});
+	if (!res.ok) {
+		const body = (await res.text().catch(() => "")).slice(0, 300);
+		throw new Error(`token exchange failed: HTTP ${res.status} ${body}`);
+	}
+	return await res.json();
+}
+/** Run an interactive OAuth login for `key`. Opens the browser, waits for the
+*  callback (or a pasted code), exchanges it, and writes the tokens to afw's
+*  own store. Returns the provider def on success (so the caller can register
+*  the provider), or null when not on a TTY / cancelled. */
+async function oauthLogin(key) {
+	if (!process$1.stdin.isTTY) return null;
+	const def = OAUTH_PROVIDERS[key];
+	const { verifier, challenge } = generatePkce();
+	const state$1 = generateState();
+	const url = authorizeUrl(def, challenge, state$1);
+	logger.print(`\nLogging in to ${def.label} via afw.`);
+	logger.print("Opening your browser to authorize. If it does not open, visit:\n");
+	logger.print(`  ${url}\n`);
+	openBrowser$1(url);
+	let code;
+	try {
+		code = await awaitAuthCode(def, state$1);
+	} catch (err) {
+		logger.print(`  ✗ login failed: ${err.message}`);
+		return null;
+	}
+	try {
+		const tokens = await exchangeCode(def, code, verifier, state$1);
+		if (!tokens.access_token || !tokens.refresh_token) throw new Error("token endpoint returned no access/refresh token");
+		await def.persist(tokens);
+	} catch (err) {
+		logger.print(`  ✗ ${err.message}`);
+		if (await confirmYesNo("  Try the login again?", false)) return oauthLogin(key);
+		return null;
+	}
+	logger.print(`  ✓ logged in — afw stored your ${def.label} token locally.`);
+	return def;
+}
+
 //#endregion
 //#region src/cli/commands/route.ts
-const MODEL_APIS$2 = [
+const MODEL_APIS$1 = [
 	"anthropic-messages",
 	"openai-chat",
 	"openai-responses"
 ];
+function normalizeReasoningEffortFlag(raw$1) {
+	if (raw$1 == null) return void 0;
+	const value = raw$1.trim().toLowerCase();
+	return REASONING_EFFORTS.includes(value) ? value : void 0;
+}
+function normalizeGenerationPathFlag(raw$1) {
+	if (raw$1 == null) return void 0;
+	const value = raw$1.trim().toLowerCase();
+	return GENERATION_PATH_MODES.includes(value) ? value : void 0;
+}
+function providerSecretRef(id) {
+	return `provider:${id}`;
+}
 async function apiFetch(method, path$1, body) {
 	let res;
 	try {
@@ -4141,13 +5428,12 @@ const setCmd$1 = new Command("set").description("Route an <agent>/<sourceModel>
 		kind: "composite",
 		comboId: opts.fusion
 	} : { kind: "passthrough" };
-	const res = await apiFetch("POST", "/api/routing/agent", {
+	await apiFetch("POST", "/api/routing/agent", {
 		routeKey,
 		target
 	});
 	const combos = target.kind === "composite" ? (await apiFetch("GET", "/api/routing/registry")).combos : void 0;
 	logger.print(`✓ ${routeKey} ${describeTarget$2(target, combos)}`);
-	if (res.seededRoute) logger.print(`  + created wire route ${res.seededRoute} (decoder openai-chat)`);
 }));
 const unsetCmd$1 = new Command("unset").description("Remove a per-source-model routing entry. The source model inherits the agent's <agent>/* default again. Use `route set <key> --passthrough` instead if you want to pin it to passthrough explicitly.").argument("<routeKey>", "route key, e.g. claude-code/claude-opus-4-7").action((routeKey) => run$3(async () => {
 	await apiFetch("DELETE", `/api/routing/agent?routeKey=${encodeURIComponent(routeKey)}`);
@@ -4194,18 +5480,26 @@ const fusionList = new Command("list").description("List configured Model Fusion
 	}
 }));
 const fusionCmd = new Command("fusion").description("List Model Fusion combos (build them on the dashboard).").addCommand(fusionList);
-const providerAdd = new Command("add").description("Register a model provider.").argument("<id>", "provider id").requiredOption("--base-url <url>", "provider base URL").requiredOption("--api <api>", `wire format: ${MODEL_APIS$2.join(" | ")}`).option("--auth <kind>", "passthrough | bearer | api-key", "passthrough").option("--header <name>", "header name for api-key auth, e.g. x-api-key").option("--label <text>", "display label").option("--key <value>", "API key (prompted without echo if omitted)").action((id, opts) => run$3(async () => {
-	if (!MODEL_APIS$2.includes(opts.api)) return fail(`--api must be one of ${MODEL_APIS$2.join(", ")}`);
+const providerAdd = new Command("add").description("Register a model provider.").argument("<id>", "provider id").requiredOption("--base-url <url>", "provider base URL").requiredOption("--api <api>", `wire format: ${MODEL_APIS$1.join(" | ")}`).option("--auth <kind>", "passthrough | bearer | api-key", "passthrough").option("--header <name>", "header name for api-key auth, e.g. x-api-key").option("--label <text>", "display label").option("--key <value>", "API key (prompted without echo if omitted)").option("--generation-path <mode>", `generation endpoint path mode: ${GENERATION_PATH_MODES.join(" | ")}`).option("--reasoning-effort <effort>", `provider default reasoning effort: ${REASONING_EFFORTS.join(" | ")}`).action((id, opts) => run$3(async () => {
+	if (!MODEL_APIS$1.includes(opts.api)) return fail(`--api must be one of ${MODEL_APIS$1.join(", ")}`);
 	if (![
 		"passthrough",
 		"bearer",
 		"api-key"
 	].includes(opts.auth)) return fail("--auth must be passthrough, bearer, or api-key");
 	if (opts.auth === "api-key" && !opts.header) return fail("--header is required for api-key auth");
+	const generationPath = normalizeGenerationPathFlag(opts.generationPath);
+	if (opts.generationPath != null && !generationPath) return fail(`--generation-path must be one of ${GENERATION_PATH_MODES.join(", ")}`);
+	const reasoningEffort = normalizeReasoningEffortFlag(opts.reasoningEffort);
+	if (opts.reasoningEffort != null && !reasoningEffort) return fail(`--reasoning-effort must be one of ${REASONING_EFFORTS.join(", ")}`);
 	let apiKey = opts.key;
 	if ((opts.auth === "bearer" || opts.auth === "api-key") && !apiKey) {
-		apiKey = await promptSecret(`API key for ${id}: `);
-		if (!apiKey) return fail("an API key is required for this auth kind");
+		const reg = await apiFetch("GET", "/api/routing/registry");
+		const hasExistingSecret = reg.secretRefs.includes(providerSecretRef(id));
+		if (!hasExistingSecret) {
+			apiKey = await promptSecret(`API key for ${id}: `);
+			if (!apiKey) return fail("an API key is required for this auth kind");
+		}
 	}
 	await apiFetch("POST", "/api/routing/provider", {
 		id,
@@ -4214,7 +5508,9 @@ const providerAdd = new Command("add").description("Register a model provider.")
 		authKind: opts.auth,
 		...opts.header ? { authHeader: opts.header } : {},
 		...opts.label ? { label: opts.label } : {},
-		...apiKey ? { apiKey } : {}
+		...apiKey ? { apiKey } : {},
+		...generationPath ? { generationPath } : {},
+		...reasoningEffort ? { reasoningEffort } : {}
 	});
 	logger.print(`✓ provider ${id} registered`);
 }));
@@ -4228,13 +5524,44 @@ const providerList = new Command("list").description("List registered providers.
 		logger.print("No providers.");
 		return;
 	}
-	for (const p of reg.providers) logger.print(`  ${p.id.padEnd(20)} ${p.api.padEnd(20)} ${p.auth.kind.padEnd(12)} ${p.origin.padEnd(8)} ${p.baseUrl}`);
+	for (const p of reg.providers) {
+		const path$1 = `path=${p.generationPath ?? "versioned"}`;
+		const effort = p.reasoningEffort ? ` effort=${p.reasoningEffort}` : "";
+		logger.print(`  ${p.id.padEnd(20)} ${p.api.padEnd(20)} ${path$1.padEnd(14)}${effort.padEnd(14)} ${p.auth.kind.padEnd(12)} ${p.origin.padEnd(8)} ${p.baseUrl}`);
+	}
 }));
 const providerCmd = new Command("provider").description("Manage model providers.").addCommand(providerAdd).addCommand(providerRm).addCommand(providerList);
 const modelRm = new Command("rm").description("Remove a model.").argument("<id>", "model id").action((id) => run$3(async () => {
 	await apiFetch("DELETE", `/api/routing/model?id=${encodeURIComponent(id)}`);
 	logger.print(`✓ model ${id} removed`);
 }));
+const modelSet = new Command("set").description("Update model routing metadata.").argument("<id>", "model id").option("--provider <id>", "disambiguate provider id").option("--reasoning-effort <effort>", `model reasoning effort: ${REASONING_EFFORTS.join(" | ")}`).option("--clear-reasoning-effort", "clear the model reasoning effort override").action((id, opts) => run$3(async () => {
+	const wantsEffort = opts.reasoningEffort != null;
+	const wantsClear = opts.clearReasoningEffort === true;
+	if (wantsEffort === wantsClear) return fail("pass exactly one of --reasoning-effort or --clear-reasoning-effort");
+	const effort = normalizeReasoningEffortFlag(opts.reasoningEffort);
+	if (wantsEffort && !effort) return fail(`--reasoning-effort must be one of ${REASONING_EFFORTS.join(", ")}`);
+	const reg = await apiFetch("GET", "/api/routing/registry");
+	const matches = reg.models.filter((m) => m.id === id && (!opts.provider || m.providerId === opts.provider));
+	if (matches.length === 0) {
+		const suffix = opts.provider ? ` under provider "${opts.provider}"` : "";
+		return fail(`unknown model "${id}"${suffix}`);
+	}
+	if (matches.length > 1) return fail(`model "${id}" exists under multiple providers: ${matches.map((m) => m.providerId).join(", ")}; pass --provider`);
+	const model = matches[0];
+	await apiFetch("POST", "/api/routing/model", {
+		id: model.id,
+		providerId: model.providerId,
+		label: model.label,
+		...model.api ? { api: model.api } : {},
+		input: model.input,
+		...typeof model.contextWindow === "number" ? { contextWindow: model.contextWindow } : {},
+		...typeof model.maxTokens === "number" ? { maxTokens: model.maxTokens } : {},
+		...model.cost ? { cost: model.cost } : {},
+		...effort ? { reasoningEffort: effort } : {}
+	});
+	logger.print(`✓ model ${model.providerId}/${model.id} reasoning effort → ${effort ?? "provider default"}`);
+}));
 const secretSet = new Command("set").description("Store a secret value under a ref (prompted, no echo).").argument("<ref>", "secret ref, e.g. provider:my-provider").action((ref) => run$3(async () => {
 	const value = await promptSecret(`Value for ${ref}: `);
 	if (!value) return fail("no value entered");
@@ -4409,11 +5736,106 @@ function providerIdFromUrl(baseUrl) {
 		return "custom";
 	}
 }
+const CUSTOM_PROVIDER_LABEL = "Custom — enter a base URL manually";
 /** Run the interactive provider wizard once. Returns the registered provider
 *  id and its model ids on success, or null when the user skipped it. Exported
-*  so the first-run onboarding flow can reuse the exact same prompts + probe. */
+*  so the first-run onboarding flow can reuse the exact same prompts + probe.
+*
+*  Starts from a curated catalog of well-known providers (base URL + wire
+*  format + known models pre-filled) so the common case is a couple of menu
+*  picks; "Custom" drops to the manual base-URL flow for anything not listed. */
 async function addOneProvider() {
-	let baseUrl = await promptText("Provider base URL (e.g. https://api.openai.com/v1)");
+	if (!process$1.stdin.isTTY) return addCustomProvider();
+	const labels = [...PROVIDER_CATALOG.map((p) => p.label), CUSTOM_PROVIDER_LABEL];
+	const choice = await promptChoice("Which model provider?", labels);
+	if (choice === CUSTOM_PROVIDER_LABEL) return addCustomProvider();
+	const preset = PROVIDER_CATALOG.find((p) => p.label === choice);
+	return preset ? addCatalogProvider(preset) : addCustomProvider();
+}
+/** Catalog path: provider host + wire format are known, so we only ask which
+*  models to enable (multi-select from the known list, plus any extra ids) and
+*  for the API key. */
+async function addCatalogProvider(preset) {
+	logger.print(`\n${preset.label} — ${preset.baseUrl}`);
+	const models = [];
+	if (preset.models.length > 0) {
+		const labels = preset.models.map((m) => `${m.label}  (${m.id})`);
+		const chosen = await promptMultiChoice("Select models to enable", labels);
+		for (const lbl of chosen) {
+			const m = preset.models[labels.indexOf(lbl)];
+			if (m) models.push({
+				id: m.id,
+				label: m.label,
+				vision: m.vision === true,
+				...m.contextWindow ? { contextWindow: m.contextWindow } : {},
+				...m.maxTokens ? { maxTokens: m.maxTokens } : {}
+			});
+		}
+	}
+	for (;;) {
+		const id = await promptText(models.length === 0 ? "Model id" : "Add another model id (blank to finish)");
+		if (!id) break;
+		models.push({
+			id,
+			vision: false
+		});
+	}
+	if (models.length === 0) {
+		logger.print("  (no models selected — skipping)");
+		return null;
+	}
+	if (preset.oauthKey) {
+		const apiKeyLabel = "API key";
+		const oauthLabel = "Log in with your subscription (OAuth — afw stores its own token)";
+		const method = await promptChoice(`How should afw authenticate to ${preset.label}?`, [oauthLabel, apiKeyLabel]);
+		if (method === oauthLabel) return registerOAuthProvider(preset, models);
+	}
+	const key = await promptSecret(`API key${preset.apiKeyUrl ? ` — get one at ${preset.apiKeyUrl}` : ""} (leave blank for none): `);
+	const providerId = await promptText("Provider id", preset.id);
+	return finalizeProvider({
+		baseUrl: preset.baseUrl,
+		api: preset.api,
+		key,
+		providerId,
+		label: preset.label,
+		models
+	});
+}
+/** OAuth path: run afw's own subscription login, then register the provider
+*  with `agent-oauth` auth (the token is resolved + refreshed from afw's own
+*  store at request time) plus the selected models. */
+async function registerOAuthProvider(preset, models) {
+	const def = await oauthLogin(preset.oauthKey);
+	if (!def) {
+		logger.print("  (login not completed — skipping this provider)");
+		return null;
+	}
+	const providerId = await promptText("Provider id", preset.id);
+	await daemonFetch("POST", "/api/routing/provider", {
+		id: providerId,
+		name: preset.label,
+		baseUrl: def.register.baseUrl,
+		api: def.register.api,
+		authKind: "agent-oauth",
+		agent: def.register.agent
+	});
+	for (const m of models) await daemonFetch("POST", "/api/routing/model", {
+		id: m.id,
+		providerId,
+		...m.label ? { label: m.label } : {},
+		input: m.vision ? ["text", "image"] : ["text"],
+		...m.contextWindow ? { contextWindow: m.contextWindow } : {},
+		...m.maxTokens ? { maxTokens: m.maxTokens } : {}
+	});
+	logger.print(`✓ provider ${providerId} + ${models.length} model(s) registered (OAuth subscription)`);
+	return {
+		providerId,
+		modelIds: models.map((m) => m.id)
+	};
+}
+/** Manual path: ask for everything (base URL, wire format, models, vision). */
+async function addCustomProvider() {
+	const baseUrl = await promptText("Provider base URL (e.g. https://api.openai.com/v1)");
 	if (!baseUrl) {
 		logger.print("  (no base URL — skipping)");
 		return null;
@@ -4424,24 +5846,41 @@ async function addOneProvider() {
 		"openai-responses",
 		"anthropic"
 	]);
-	let key = await promptSecret("API key (leave blank for none): ");
-	const modelIds = [];
+	const key = await promptSecret("API key (leave blank for none): ");
+	const ids = [];
 	for (;;) {
-		const id = await promptText(modelIds.length === 0 ? "Model id" : "Another model id (blank to finish)");
+		const id = await promptText(ids.length === 0 ? "Model id" : "Another model id (blank to finish)");
 		if (!id) break;
-		modelIds.push(id);
+		ids.push(id);
 		if (!process$1.stdin.isTTY) break;
 	}
-	if (modelIds.length === 0) {
+	if (ids.length === 0) {
 		logger.print("  (no models — skipping)");
 		return null;
 	}
 	const vision = await confirmYesNo("Do these models accept image input?", false);
 	const providerId = await promptText("Provider id", providerIdFromUrl(baseUrl));
+	return finalizeProvider({
+		baseUrl,
+		api: apiChoice,
+		key,
+		providerId,
+		models: ids.map((id) => ({
+			id,
+			vision
+		}))
+	});
+}
+/** Shared tail of both paths: validate with a live probe (best-effort retry
+*  loop), then register the provider + its models via the daemon. */
+async function finalizeProvider(p) {
+	let baseUrl = p.baseUrl;
+	let key = p.key;
+	const apiChoice = p.api;
 	let resolvedApi;
 	for (;;) {
 		logger.print(`  probing ${baseUrl} …`);
-		const { result, api: api$1 } = await probe(apiChoice, baseUrl, key, modelIds[0]);
+		const { result, api: api$1 } = await probe(apiChoice, baseUrl, key, p.models[0].id);
 		if (result.ok && (api$1 ?? (apiChoice !== "auto" ? apiChoice : void 0))) {
 			resolvedApi = api$1 ?? apiChoice;
 			logger.print(`  ✓ reachable (${resolvedApi}, HTTP ${result.status})`);
@@ -4465,28 +5904,32 @@ async function addOneProvider() {
 			break;
 		}
 		if (retry === "edit base URL") baseUrl = await promptText("Provider base URL", baseUrl) || baseUrl;
-		if (retry === "edit model id") modelIds[0] = await promptText("Model id", modelIds[0]) || modelIds[0];
+		if (retry === "edit model id") p.models[0].id = await promptText("Model id", p.models[0].id) || p.models[0].id;
 		if (retry === "edit API key") key = await promptSecret("API key (leave blank for none): ");
 	}
 	const modelApi = API_TO_MODEL_API[resolvedApi ?? "openai-chat"];
 	const authKind = key ? resolvedApi === "anthropic" ? "api-key" : "bearer" : "passthrough";
 	await daemonFetch("POST", "/api/routing/provider", {
-		id: providerId,
+		id: p.providerId,
+		...p.label ? { name: p.label } : {},
 		baseUrl,
 		api: modelApi,
 		authKind,
 		...authKind === "api-key" ? { authHeader: "x-api-key" } : {},
 		...key ? { apiKey: key } : {}
 	});
-	for (const id of modelIds) await daemonFetch("POST", "/api/routing/model", {
-		id,
-		providerId,
-		input: vision ? ["text", "image"] : ["text"]
+	for (const m of p.models) await daemonFetch("POST", "/api/routing/model", {
+		id: m.id,
+		providerId: p.providerId,
+		...m.label ? { label: m.label } : {},
+		input: m.vision ? ["text", "image"] : ["text"],
+		...m.contextWindow ? { contextWindow: m.contextWindow } : {},
+		...m.maxTokens ? { maxTokens: m.maxTokens } : {}
 	});
-	logger.print(`✓ provider ${providerId} + ${modelIds.length} model(s) registered`);
+	logger.print(`✓ provider ${p.providerId} + ${p.models.length} model(s) registered`);
 	return {
-		providerId,
-		modelIds
+		providerId: p.providerId,
+		modelIds: p.models.map((m) => m.id)
 	};
 }
 const addCmd$1 = new Command("add").description("Interactively add one or more model providers (validated with a live probe).").action(async () => {
@@ -4508,9 +5951,16 @@ const listCmd$2 = new Command("list").description("List registered providers and
 	try {
 		const reg = await daemonFetch("GET", "/api/routing/registry");
 		logger.print("Providers:");
-		for (const p of reg.providers) logger.print(`  ${p.id.padEnd(20)} ${p.api.padEnd(18)} ${p.baseUrl}`);
+		for (const p of reg.providers) {
+			const path$1 = `path=${p.generationPath ?? "versioned"}`;
+			const effort = p.reasoningEffort ? ` effort=${p.reasoningEffort}` : "";
+			logger.print(`  ${p.id.padEnd(20)} ${p.api.padEnd(18)} ${path$1}${effort}  ${p.baseUrl}`);
+		}
 		logger.print("Models:");
-		for (const m of reg.models) logger.print(`  ${m.id.padEnd(28)} ${m.providerId}${m.input.includes("image") ? "  (vision)" : ""}`);
+		for (const m of reg.models) {
+			const effort = m.reasoningEffort ? `  effort=${m.reasoningEffort}` : "";
+			logger.print(`  ${m.id.padEnd(28)} ${m.providerId}${m.input.includes("image") ? "  (vision)" : ""}${effort}`);
+		}
 		if (reg.combos && reg.combos.length > 0) {
 			logger.print("Fusion models:");
 			for (const c of reg.combos) {
@@ -4523,7 +5973,7 @@ const listCmd$2 = new Command("list").description("List registered providers and
 		process$1.exitCode = 1;
 	}
 });
-const modelCommand = new Command("model").description("Manage the providers, models, and API-key secrets afw can route to.").addCommand(addCmd$1).addCommand(listCmd$2).addCommand(modelRm).addCommand(providerCmd).addCommand(secretCmd);
+const modelCommand = new Command("model").description("Manage the providers, models, and API-key secrets afw can route to.").addCommand(addCmd$1).addCommand(listCmd$2).addCommand(modelRm).addCommand(modelSet).addCommand(providerCmd).addCommand(secretCmd);
 
 //#endregion
 //#region src/cli/launch/onboard.ts
@@ -8131,10 +9581,10 @@ var require_resolve_block_map = __commonJS({ "../../node_modules/yaml/dist/compo
 		let offset = bm.offset;
 		let commentEnd = null;
 		for (const collItem of bm.items) {
-			const { start, key, sep, value } = collItem;
+			const { start, key, sep: sep$1, value } = collItem;
 			const keyProps = resolveProps$3.resolveProps(start, {
 				indicator: "explicit-key-ind",
-				next: key ?? sep?.[0],
+				next: key ?? sep$1?.[0],
 				offset,
 				onError,
 				parentIndent: bm.indent,
@@ -8146,7 +9596,7 @@ var require_resolve_block_map = __commonJS({ "../../node_modules/yaml/dist/compo
 					if (key.type === "block-seq") onError(offset, "BLOCK_AS_IMPLICIT_KEY", "A block sequence may not be used as an implicit map key");
 					else if ("indent" in key && key.indent !== bm.indent) onError(offset, "BAD_INDENT", startColMsg);
 				}
-				if (!keyProps.anchor && !keyProps.tag && !sep) {
+				if (!keyProps.anchor && !keyProps.tag && !sep$1) {
 					commentEnd = keyProps.end;
 					if (keyProps.comment) if (map$6.comment) map$6.comment += "\n" + keyProps.comment;
 					else map$6.comment = keyProps.comment;
@@ -8160,7 +9610,7 @@ var require_resolve_block_map = __commonJS({ "../../node_modules/yaml/dist/compo
 			if (ctx.schema.compat) utilFlowIndentCheck$1.flowIndentCheck(bm.indent, key, onError);
 			ctx.atKey = false;
 			if (utilMapIncludes$1.mapIncludes(ctx, map$6.items, keyNode)) onError(keyStart, "DUPLICATE_KEY", "Map keys must be unique");
-			const valueProps = resolveProps$3.resolveProps(sep ?? [], {
+			const valueProps = resolveProps$3.resolveProps(sep$1 ?? [], {
 				indicator: "map-value-ind",
 				next: value,
 				offset: keyNode.range[2],
@@ -8174,7 +9624,7 @@ var require_resolve_block_map = __commonJS({ "../../node_modules/yaml/dist/compo
 					if (value?.type === "block-map" && !valueProps.hasNewline) onError(offset, "BLOCK_AS_IMPLICIT_KEY", "Nested mappings are not allowed in compact mappings");
 					if (ctx.options.strict && keyProps.start < valueProps.found.offset - 1024) onError(keyNode.range, "KEY_OVER_1024_CHARS", "The : indicator must be at most 1024 chars after the start of an implicit block mapping key");
 				}
-				const valueNode = value ? composeNode$2(ctx, value, valueProps, onError) : composeEmptyNode$1(ctx, offset, sep, null, valueProps, onError);
+				const valueNode = value ? composeNode$2(ctx, value, valueProps, onError) : composeEmptyNode$1(ctx, offset, sep$1, null, valueProps, onError);
 				if (ctx.schema.compat) utilFlowIndentCheck$1.flowIndentCheck(bm.indent, value, onError);
 				offset = valueNode.range[2];
 				const pair = new Pair$2.Pair(keyNode, valueNode);
@@ -8251,7 +9701,7 @@ var require_resolve_end = __commonJS({ "../../node_modules/yaml/dist/compose/res
 		let comment = "";
 		if (end) {
 			let hasSpace = false;
-			let sep = "";
+			let sep$1 = "";
 			for (const token of end) {
 				const { source, type } = token;
 				switch (type) {
@@ -8262,12 +9712,12 @@ var require_resolve_end = __commonJS({ "../../node_modules/yaml/dist/compose/res
 						if (reqSpace && !hasSpace) onError(token, "MISSING_CHAR", "Comments must be separated from other tokens by white space characters");
 						const cb = source.substring(1) || " ";
 						if (!comment) comment = cb;
-						else comment += sep + cb;
-						sep = "";
+						else comment += sep$1 + cb;
+						sep$1 = "";
 						break;
 					}
 					case "newline":
-						if (comment) sep += source;
+						if (comment) sep$1 += source;
 						hasSpace = true;
 						break;
 					default: onError(token, "UNEXPECTED_TOKEN", `Unexpected ${type} at node end`);
@@ -8308,18 +9758,18 @@ var require_resolve_flow_collection = __commonJS({ "../../node_modules/yaml/dist
 		let offset = fc.offset + fc.start.source.length;
 		for (let i = 0; i < fc.items.length; ++i) {
 			const collItem = fc.items[i];
-			const { start, key, sep, value } = collItem;
+			const { start, key, sep: sep$1, value } = collItem;
 			const props = resolveProps$1.resolveProps(start, {
 				flow: fcName,
 				indicator: "explicit-key-ind",
-				next: key ?? sep?.[0],
+				next: key ?? sep$1?.[0],
 				offset,
 				onError,
 				parentIndent: fc.indent,
 				startOnNewline: false
 			});
 			if (!props.found) {
-				if (!props.anchor && !props.tag && !sep && !value) {
+				if (!props.anchor && !props.tag && !sep$1 && !value) {
 					if (i === 0 && props.comma) onError(props.comma, "UNEXPECTED_TOKEN", `Unexpected , in ${fcName}`);
 					else if (i < fc.items.length - 1) onError(props.start, "UNEXPECTED_TOKEN", `Unexpected empty item in ${fcName}`);
 					if (props.comment) if (coll.comment) coll.comment += "\n" + props.comment;
@@ -8352,8 +9802,8 @@ var require_resolve_flow_collection = __commonJS({ "../../node_modules/yaml/dist
 					}
 				}
 			}
-			if (!isMap$1 && !sep && !props.found) {
-				const valueNode = value ? composeNode$2(ctx, value, props, onError) : composeEmptyNode$1(ctx, props.end, sep, null, props, onError);
+			if (!isMap$1 && !sep$1 && !props.found) {
+				const valueNode = value ? composeNode$2(ctx, value, props, onError) : composeEmptyNode$1(ctx, props.end, sep$1, null, props, onError);
 				coll.items.push(valueNode);
 				offset = valueNode.range[2];
 				if (isBlock(value)) onError(valueNode.range, "BLOCK_IN_FLOW", blockMsg);
@@ -8363,7 +9813,7 @@ var require_resolve_flow_collection = __commonJS({ "../../node_modules/yaml/dist
 				const keyNode = key ? composeNode$2(ctx, key, props, onError) : composeEmptyNode$1(ctx, keyStart, start, null, props, onError);
 				if (isBlock(key)) onError(keyNode.range, "BLOCK_IN_FLOW", blockMsg);
 				ctx.atKey = false;
-				const valueProps = resolveProps$1.resolveProps(sep ?? [], {
+				const valueProps = resolveProps$1.resolveProps(sep$1 ?? [], {
 					flow: fcName,
 					indicator: "map-value-ind",
 					next: value,
@@ -8374,7 +9824,7 @@ var require_resolve_flow_collection = __commonJS({ "../../node_modules/yaml/dist
 				});
 				if (valueProps.found) {
 					if (!isMap$1 && !props.found && ctx.options.strict) {
-						if (sep) for (const st of sep) {
+						if (sep$1) for (const st of sep$1) {
 							if (st === valueProps.found) break;
 							if (st.type === "newline") {
 								onError(st, "MULTILINE_IMPLICIT_KEY", "Implicit keys of flow sequence pairs need to be on a single line");
@@ -8385,7 +9835,7 @@ var require_resolve_flow_collection = __commonJS({ "../../node_modules/yaml/dist
 					}
 				} else if (value) if ("source" in value && value.source?.[0] === ":") onError(value, "MISSING_CHAR", `Missing space after : in ${fcName}`);
 				else onError(valueProps.start, "MISSING_CHAR", `Missing , or : between ${fcName} items`);
-				const valueNode = value ? composeNode$2(ctx, value, valueProps, onError) : valueProps.found ? composeEmptyNode$1(ctx, valueProps.end, sep, null, valueProps, onError) : null;
+				const valueNode = value ? composeNode$2(ctx, value, valueProps, onError) : valueProps.found ? composeEmptyNode$1(ctx, valueProps.end, sep$1, null, valueProps, onError) : null;
 				if (valueNode) {
 					if (isBlock(value)) onError(valueNode.range, "BLOCK_IN_FLOW", blockMsg);
 				} else if (valueProps.comment) if (keyNode.comment) keyNode.comment += "\n" + valueProps.comment;
@@ -8560,7 +10010,7 @@ var require_resolve_block_scalar = __commonJS({ "../../node_modules/yaml/dist/co
 		}
 		for (let i = lines.length - 1; i >= chompStart; --i) if (lines[i][0].length > trimIndent) chompStart = i + 1;
 		let value = "";
-		let sep = "";
+		let sep$1 = "";
 		let prevMoreIndented = false;
 		for (let i = 0; i < contentStart; ++i) value += lines[i][0].slice(trimIndent) + "\n";
 		for (let i = contentStart; i < chompStart; ++i) {
@@ -8576,19 +10026,19 @@ var require_resolve_block_scalar = __commonJS({ "../../node_modules/yaml/dist/co
 				indent = "";
 			}
 			if (type === Scalar$3.Scalar.BLOCK_LITERAL) {
-				value += sep + indent.slice(trimIndent) + content;
-				sep = "\n";
+				value += sep$1 + indent.slice(trimIndent) + content;
+				sep$1 = "\n";
 			} else if (indent.length > trimIndent || content[0] === "	") {
-				if (sep === " ") sep = "\n";
-				else if (!prevMoreIndented && sep === "\n") sep = "\n\n";
-				value += sep + indent.slice(trimIndent) + content;
-				sep = "\n";
+				if (sep$1 === " ") sep$1 = "\n";
+				else if (!prevMoreIndented && sep$1 === "\n") sep$1 = "\n\n";
+				value += sep$1 + indent.slice(trimIndent) + content;
+				sep$1 = "\n";
 				prevMoreIndented = true;
-			} else if (content === "") if (sep === "\n") value += "\n";
-			else sep = "\n";
+			} else if (content === "") if (sep$1 === "\n") value += "\n";
+			else sep$1 = "\n";
 			else {
-				value += sep + content;
-				sep = " ";
+				value += sep$1 + content;
+				sep$1 = " ";
 				prevMoreIndented = false;
 			}
 		}
@@ -8782,22 +10232,22 @@ var require_resolve_flow_scalar = __commonJS({ "../../node_modules/yaml/dist/com
 		let match$1 = first.exec(source);
 		if (!match$1) return source;
 		let res = match$1[1];
-		let sep = " ";
+		let sep$1 = " ";
 		let pos = first.lastIndex;
 		line.lastIndex = pos;
 		while (match$1 = line.exec(source)) {
-			if (match$1[1] === "") if (sep === "\n") res += sep;
-			else sep = "\n";
+			if (match$1[1] === "") if (sep$1 === "\n") res += sep$1;
+			else sep$1 = "\n";
 			else {
-				res += sep + match$1[1];
-				sep = " ";
+				res += sep$1 + match$1[1];
+				sep$1 = " ";
 			}
 			pos = line.lastIndex;
 		}
 		const last = /[ \t]*(.*)/sy;
 		last.lastIndex = pos;
 		match$1 = last.exec(source);
-		return res + sep + (match$1?.[1] ?? "");
+		return res + sep$1 + (match$1?.[1] ?? "");
 	}
 	function doubleQuotedValue(source, onError) {
 		let res = "";
@@ -9633,11 +11083,11 @@ var require_cst_stringify = __commonJS({ "../../node_modules/yaml/dist/parse/cst
 			}
 		}
 	}
-	function stringifyItem({ start, key, sep, value }) {
+	function stringifyItem({ start, key, sep: sep$1, value }) {
 		let res = "";
 		for (const st of start) res += st.source;
 		if (key) res += stringifyToken(key);
-		if (sep) for (const st of sep) res += st.source;
+		if (sep$1) for (const st of sep$1) res += st.source;
 		if (value) res += stringifyToken(value);
 		return res;
 	}
@@ -10772,12 +12222,12 @@ var require_parser = __commonJS({ "../../node_modules/yaml/dist/parse/parser.js"
 			if (this.type === "map-value-ind") {
 				const prev = getPrevProps(this.peek(2));
 				const start = getFirstKeyStartProps(prev);
-				let sep;
+				let sep$1;
 				if (scalar.end) {
-					sep = scalar.end;
-					sep.push(this.sourceToken);
+					sep$1 = scalar.end;
+					sep$1.push(this.sourceToken);
 					delete scalar.end;
-				} else sep = [this.sourceToken];
+				} else sep$1 = [this.sourceToken];
 				const map$6 = {
 					type: "block-map",
 					offset: scalar.offset,
@@ -10785,7 +12235,7 @@ var require_parser = __commonJS({ "../../node_modules/yaml/dist/parse/parser.js"
 					items: [{
 						start,
 						key: scalar,
-						sep
+						sep: sep$1
 					}]
 				};
 				this.onKeyLine = true;
@@ -10937,8 +12387,8 @@ var require_parser = __commonJS({ "../../node_modules/yaml/dist/parse/parser.js"
 						else if (isFlowToken(it.key) && !includesToken(it.sep, "newline")) {
 							const start$1 = getFirstKeyStartProps(it.start);
 							const key = it.key;
-							const sep = it.sep;
-							sep.push(this.sourceToken);
+							const sep$1 = it.sep;
+							sep$1.push(this.sourceToken);
 							delete it.key;
 							delete it.sep;
 							this.stack.push({
@@ -10948,7 +12398,7 @@ var require_parser = __commonJS({ "../../node_modules/yaml/dist/parse/parser.js"
 								items: [{
 									start: start$1,
 									key,
-									sep
+									sep: sep$1
 								}]
 							});
 						} else if (start.length > 0) it.sep = it.sep.concat(start, this.sourceToken);
@@ -11143,8 +12593,8 @@ var require_parser = __commonJS({ "../../node_modules/yaml/dist/parse/parser.js"
 					const prev = getPrevProps(parent);
 					const start = getFirstKeyStartProps(prev);
 					fixFlowSeqItems(fc);
-					const sep = fc.end.splice(1, fc.end.length);
-					sep.push(this.sourceToken);
+					const sep$1 = fc.end.splice(1, fc.end.length);
+					sep$1.push(this.sourceToken);
 					const map$6 = {
 						type: "block-map",
 						offset: fc.offset,
@@ -11152,7 +12602,7 @@ var require_parser = __commonJS({ "../../node_modules/yaml/dist/parse/parser.js"
 						items: [{
 							start,
 							key: fc,
-							sep
+							sep: sep$1
 						}]
 					};
 					this.onKeyLine = true;
@@ -11412,245 +12862,9 @@ var require_dist = __commonJS({ "../../node_modules/yaml/dist/index.js"(exports)
 } });
 var import_dist = __toESM(require_dist(), 1);
 
-//#endregion
-//#region src/daemon/orchestrator/oauth/lock.ts
-const STALE_MS = 3e4;
-const MAX_WAIT_MS = 5e3;
-const POLL_MS = 100;
-async function withFileLock(path$1, fn) {
-	const held = await acquire(path$1);
-	try {
-		return await fn();
-	} finally {
-		if (held) await unlink(path$1).catch(() => {});
-	}
-}
-async function acquire(path$1) {
-	const deadline = Date.now() + MAX_WAIT_MS;
-	for (;;) try {
-		const fh = await open(path$1, "wx");
-		await fh.close();
-		return true;
-	} catch (err) {
-		if (err.code !== "EEXIST") return false;
-		try {
-			const st = await stat(path$1);
-			if (Date.now() - st.mtimeMs > STALE_MS) {
-				await unlink(path$1).catch(() => {});
-				continue;
-			}
-		} catch {
-			continue;
-		}
-		if (Date.now() > deadline) return false;
-		await new Promise((r) => setTimeout(r, POLL_MS));
-	}
-}
-
-//#endregion
-//#region src/daemon/orchestrator/oauth/claude-code.ts
-const execFileP = promisify(execFile);
-const KEYCHAIN_SERVICE = "Claude Code-credentials";
-const CREDENTIALS_FILE = join(homedir(), ".claude", ".credentials.json");
-const TOKEN_URL$1 = "https://platform.claude.com/v1/oauth/token";
-const CLIENT_ID$1 = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
-const SCOPE = "user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
-const EXPIRY_BUFFER_MS$1 = 5 * 60 * 1e3;
-/** The ~/.claude/.credentials.json store (also the test seam). */
-function fileStore(path$1 = CREDENTIALS_FILE) {
-	return {
-		label: `file ${path$1}`,
-		async read() {
-			try {
-				return JSON.parse(await readFile(path$1, "utf8"));
-			} catch {
-				return void 0;
-			}
-		},
-		async write(creds) {
-			await atomicWrite(path$1, `${JSON.stringify(creds, null, 2)}\n`, { mode: 384 });
-		}
-	};
-}
-async function runSecurity(args) {
-	try {
-		const { stdout } = await execFileP("security", args);
-		return stdout;
-	} catch {
-		return void 0;
-	}
-}
-/** `security -w` returns the password verbatim when printable; for a blob it
-*  may hex-encode it. Claude Code stores JSON, so accept either form. */
-function decodeKeychainValue(raw$1) {
-	const v = raw$1.trim();
-	if (v === "") return void 0;
-	if (v.startsWith("{")) return v;
-	if (/^[0-9a-fA-F]+$/.test(v) && v.length % 2 === 0) try {
-		const decoded = Buffer$1.from(v, "hex").toString("utf8");
-		if (decoded.startsWith("{")) return decoded;
-	} catch {}
-	return v;
-}
-async function keychainAccount() {
-	try {
-		const { stdout, stderr } = await execFileP("security", [
-			"find-generic-password",
-			"-s",
-			KEYCHAIN_SERVICE,
-			"-g"
-		]);
-		const m = `${stderr}${stdout}`.match(/"acct"<blob>=(?:0x[0-9A-Fa-f]+\s+)?"([^"]*)"/);
-		return m?.[1];
-	} catch {
-		return void 0;
-	}
-}
-function keychainStore() {
-	let account = "";
-	return {
-		label: `keychain ${KEYCHAIN_SERVICE}`,
-		async read() {
-			const pw = await runSecurity([
-				"find-generic-password",
-				"-s",
-				KEYCHAIN_SERVICE,
-				"-w"
-			]);
-			if (pw === void 0) return void 0;
-			const json = decodeKeychainValue(pw);
-			if (!json) return void 0;
-			try {
-				const creds = JSON.parse(json);
-				account = await keychainAccount() ?? "";
-				return creds;
-			} catch {
-				return void 0;
-			}
-		},
-		async write(creds) {
-			if (account === "") {
-				logger.warn("oauth: claude-code keychain account unknown; skipped token write-back");
-				return;
-			}
-			try {
-				await execFileP("security", [
-					"add-generic-password",
-					"-U",
-					"-a",
-					account,
-					"-s",
-					KEYCHAIN_SERVICE,
-					"-w",
-					JSON.stringify(creds)
-				]);
-			} catch (err) {
-				logger.warn(`oauth: claude-code keychain write-back failed — ${err.message}`);
-			}
-		}
-	};
-}
-async function keychainHasItem() {
-	try {
-		await execFileP("security", [
-			"find-generic-password",
-			"-s",
-			KEYCHAIN_SERVICE
-		]);
-		return true;
-	} catch {
-		return false;
-	}
-}
-/** Pick the live credential store: Keychain on macOS, else the JSON file. */
-async function pickStore() {
-	if (process$1.platform === "darwin" && await keychainHasItem()) return keychainStore();
-	if (await fileExists(CREDENTIALS_FILE)) return fileStore();
-	return void 0;
-}
-/** Exchange a refresh token for a fresh access token. The rotated refresh
-*  token (when the provider returns one) is in the result and must be
-*  written back to the agent's store by the caller. */
-async function refreshClaudeToken(refreshToken) {
-	const res = await fetch(TOKEN_URL$1, {
-		method: "POST",
-		headers: { "content-type": "application/json" },
-		body: JSON.stringify({
-			grant_type: "refresh_token",
-			refresh_token: refreshToken,
-			client_id: CLIENT_ID$1,
-			scope: SCOPE
-		})
-	});
-	if (!res.ok) throw new Error(`claude-code OAuth refresh failed: HTTP ${res.status}`);
-	const j = await res.json();
-	if (!j.access_token) throw new Error("claude-code OAuth refresh: response carried no access_token");
-	return {
-		accessToken: j.access_token,
-		refreshToken: j.refresh_token ?? refreshToken,
-		expiresAt: Date.now() + (j.expires_in ?? 3600) * 1e3
-	};
-}
-/** Resolve a usable access token from `store`, refreshing + writing back the
-*  rotated token when the stored one is within the expiry buffer. No
-*  in-memory cache and no lock — the production entry point adds those; this
-*  is the unit-test seam. */
-async function resolveClaudeToken(store$1) {
-	const creds = await store$1.read();
-	const oauth = creds?.claudeAiOauth;
-	if (!creds || !oauth?.accessToken || !oauth.refreshToken) throw new Error(`claude-code OAuth credentials unavailable (${store$1.label})`);
-	const expiresAt = typeof oauth.expiresAt === "number" ? oauth.expiresAt : 0;
-	if (Date.now() < expiresAt - EXPIRY_BUFFER_MS$1) return {
-		token: oauth.accessToken,
-		expiresAt
-	};
-	const refreshed = await refreshClaudeToken(oauth.refreshToken);
-	const updated = {
-		...creds,
-		claudeAiOauth: {
-			...oauth,
-			accessToken: refreshed.accessToken,
-			refreshToken: refreshed.refreshToken,
-			expiresAt: refreshed.expiresAt
-		}
-	};
-	await store$1.write(updated);
-	return {
-		token: refreshed.accessToken,
-		expiresAt: refreshed.expiresAt
-	};
-}
-let cache$1;
-let inflight$1;
-/** True when Claude Code has subscription OAuth credentials on this machine
-*  — used at wire time to mark the route `agent-oauth`. */
-async function claudeCodeOAuthAvailable() {
-	const store$1 = await pickStore();
-	if (!store$1) return false;
-	const creds = await store$1.read();
-	return typeof creds?.claudeAiOauth?.refreshToken === "string";
-}
-/** The orchestrator entry point: a fresh access token, cached in memory and
-*  refreshed at most once across concurrent callers. */
-async function getClaudeCodeToken() {
-	if (cache$1 && Date.now() < cache$1.expiresAt - EXPIRY_BUFFER_MS$1) return { token: cache$1.token };
-	if (inflight$1) return inflight$1;
-	inflight$1 = (async () => {
-		const store$1 = await pickStore();
-		if (!store$1) throw new Error("claude-code OAuth credentials not found");
-		const lockPath = join(paths.home, "oauth-claude-code.lock");
-		const resolved = await withFileLock(lockPath, () => resolveClaudeToken(store$1));
-		cache$1 = resolved;
-		return resolved;
-	})().finally(() => {
-		inflight$1 = void 0;
-	});
-	return inflight$1;
-}
-
 //#endregion
 //#region src/cli/detect/credentials.ts
-function isObj$9(v) {
+function isObj$8(v) {
 	return typeof v === "object" && v !== null && !Array.isArray(v);
 }
 /** The auth header convention for a wire decoder: Anthropic carries the key
@@ -11702,7 +12916,7 @@ async function readJsonFile(path$1) {
 * literal credential. Returns undefined when nothing resolves.
 */
 function resolveSecretInput(raw$1, env) {
-	if (isObj$9(raw$1)) {
+	if (isObj$8(raw$1)) {
 		if (raw$1.source === "env" && typeof raw$1.id === "string") {
 			const v = env[raw$1.id];
 			return v && v.trim() !== "" ? v.trim() : void 0;
@@ -11759,21 +12973,13 @@ async function captureClaudeCodeCredentials(opts) {
 	}
 	const legacy = await readJsonFile(opts?.legacyPath ?? paths.agent.claudeCode.legacy);
 	const primary = typeof legacy?.primaryApiKey === "string" ? legacy.primaryApiKey.trim() : "";
-	if (primary !== "") {
-		out.set("anthropic", {
-			auth: {
-				kind: "api-key",
-				header: "x-api-key"
-			},
-			value: primary
-		});
-		return out;
-	}
-	const oauthProbe = opts?.oauthProbe ?? claudeCodeOAuthAvailable;
-	if (await oauthProbe()) out.set("anthropic", { auth: {
-		kind: "agent-oauth",
-		agent: "claude-code"
-	} });
+	if (primary !== "") out.set("anthropic", {
+		auth: {
+			kind: "api-key",
+			header: "x-api-key"
+		},
+		value: primary
+	});
 	return out;
 }
 /** Codex — the API-key-mode credential is a literal `OPENAI_API_KEY` in
@@ -11783,17 +12989,10 @@ async function captureCodexCredentials(opts) {
 	const out = new Map();
 	const auth = await readJsonFile(opts?.authPath ?? paths.agent.codex.auth);
 	const key = typeof auth?.OPENAI_API_KEY === "string" ? auth.OPENAI_API_KEY.trim() : "";
-	if (key !== "") {
-		out.set("openai", {
-			auth: { kind: "bearer" },
-			value: key
-		});
-		return out;
-	}
-	if (auth?.auth_mode === "chatgpt" && isObj$9(auth.tokens)) out.set("openai", { auth: {
-		kind: "agent-oauth",
-		agent: "codex"
-	} });
+	if (key !== "") out.set("openai", {
+		auth: { kind: "bearer" },
+		value: key
+	});
 	return out;
 }
 /** Hermes — `model.api_key` and `custom_providers[].api_key` in
@@ -11806,15 +13005,15 @@ async function captureHermesCredentials(endpoints, opts) {
 	} catch {
 		return out;
 	}
-	if (!isObj$9(doc)) return out;
+	if (!isObj$8(doc)) return out;
 	const env = await readDotEnv(opts?.envPath ?? paths.agent.hermes.env);
 	const customSeq = Array.isArray(doc.custom_providers) ? doc.custom_providers : [];
 	for (const ep of endpoints) {
 		let rawKey;
-		if (ep.configLocation === "/model/base_url") rawKey = isObj$9(doc.model) ? doc.model.api_key : void 0;
+		if (ep.configLocation === "/model/base_url") rawKey = isObj$8(doc.model) ? doc.model.api_key : void 0;
 		else if (ep.configLocation.startsWith("/custom_providers/")) {
-			const found = customSeq.find((p) => isObj$9(p) && p.name === ep.modelId);
-			rawKey = isObj$9(found) ? found.api_key : void 0;
+			const found = customSeq.find((p) => isObj$8(p) && p.name === ep.modelId);
+			rawKey = isObj$8(found) ? found.api_key : void 0;
 		}
 		const value = resolveSecretInput(rawKey, env);
 		if (value !== void 0) out.set(ep.modelId, {
@@ -11865,7 +13064,7 @@ async function captureOpenClawCredentials(endpoints, opts) {
 	const agentId = opts?.agentId ?? "main";
 	for (const ep of endpoints) {
 		const provider = providers[ep.modelId];
-		if (!isObj$9(provider)) continue;
+		if (!isObj$8(provider)) continue;
 		const profileKey = await readOpenClawAuthProfileKey(ep.modelId, agentId, configPath);
 		if (profileKey) {
 			out.set(ep.modelId, {
@@ -12028,9 +13227,9 @@ function setTomlTopLevelString(text$1, key, value) {
 		sectionAdded: false,
 		keyAdded: true
 	};
-	const sep = isHeaderLine(text$1.split("\n", 1)[0] ?? "") ? "\n\n" : "\n";
+	const sep$1 = isHeaderLine(text$1.split("\n", 1)[0] ?? "") ? "\n\n" : "\n";
 	return {
-		text: `${newLine}${sep}${text$1}`,
+		text: `${newLine}${sep$1}${text$1}`,
 		sectionAdded: false,
 		keyAdded: true
 	};
@@ -12472,27 +13671,6 @@ async function revertEntries(entries, agent, opts) {
 	return { skipped };
 }
 
-//#endregion
-//#region src/cli/wire/decoder-for.ts
-/**
-* Heuristic decoder selection based on upstream URL. Users can override per
-* route in `~/.afw/wire/routes.json`.
-*/
-function decoderFor$1(upstream) {
-	let host;
-	try {
-		host = new URL(upstream).hostname;
-	} catch {
-		return "passthrough";
-	}
-	if (host.endsWith("anthropic.com")) return "anthropic";
-	if (host.endsWith("openai.com")) return "openai-chat";
-	if (host === "openrouter.ai") return "openai-chat";
-	if (host.endsWith("googleapis.com")) return "gemini";
-	if (host.endsWith("amazonaws.com")) return "bedrock";
-	return "openai-chat";
-}
-
 //#endregion
 //#region src/cli/detect/mcp.ts
 /**
@@ -12636,10 +13814,10 @@ function safeRealpath(p) {
 * here as one function instead of being copy-pasted per detector.
 */
 async function injectAfwToolsMcp(agent, filePath) {
-	const exists$1 = await fileExists(filePath);
+	const exists$2 = await fileExists(filePath);
 	let originalText = "";
 	let parsed;
-	if (exists$1) {
+	if (exists$2) {
 		originalText = await readFile(filePath, "utf8");
 		parsed = parseJsonc(originalText);
 		const existing = parsed?.mcpServers?.[AFW_TOOLS_MCP_KEY];
@@ -12653,7 +13831,7 @@ async function injectAfwToolsMcp(agent, filePath) {
 	const ts = new Date().toISOString().replace(/[:.]/g, "-");
 	const backupDir = join(paths.backups.dir, ts, agent);
 	const backupPath = join(backupDir, basename(filePath));
-	if (exists$1) await backupCopy(filePath, backupPath);
+	if (exists$2) await backupCopy(filePath, backupPath);
 	else await atomicWrite(backupPath, "");
 	const originalSha = sha256OfString(originalText);
 	let text$1 = originalText === "" ? "{}\n" : originalText;
@@ -12691,6 +13869,9 @@ async function injectAfwToolsMcp(agent, filePath) {
 //#region src/cli/detect/claude-code.ts
 const AGENT$4 = "claude-code";
 const ANTHROPIC_DEFAULT$1 = "https://api.anthropic.com";
+function decoderForClaudeCodeBaseUrl(_upstream) {
+	return "anthropic";
+}
 const claudeCodeDetector = {
 	agent: AGENT$4,
 	mode: "launch-per-task",
@@ -12716,7 +13897,7 @@ const claudeCodeDetector = {
 				originalBaseUrl: currentBaseUrl,
 				afwBaseUrl: afwBaseUrl$1,
 				upstream,
-				decoder: decoderFor$1(upstream),
+				decoder: decoderForClaudeCodeBaseUrl(upstream),
 				configLocation: "/env/ANTHROPIC_BASE_URL",
 				filePath: settingsPath,
 				active: true
@@ -12976,7 +14157,7 @@ const claudeDesktopDetector = {
 		}];
 		const ccCred = (await captureClaudeCodeCredentials()).get("anthropic");
 		if (ccCred) endpoints[0].auth = ccCred.auth;
-		else caveats.push("no Anthropic credential found via claude-code — wire claude-code first (e.g. set ANTHROPIC_API_KEY in ~/.claude/settings.json env, or sign in to Claude.ai via `claude /login`). Until then, Claude Desktop requests will be rejected by Anthropic with 401.");
+		else caveats.push("no Anthropic API key found via claude-code — set ANTHROPIC_API_KEY in ~/.claude/settings.json env, or run `afw oauth login anthropic` to route through a Claude.ai subscription. Until then, Claude Desktop requests will be rejected by Anthropic with 401.");
 		return {
 			agent: AGENT$3,
 			mode: "manual",
@@ -13305,6 +14486,27 @@ function execCapture(cmd, args) {
 	});
 }
 
+//#endregion
+//#region src/cli/wire/decoder-for.ts
+/**
+* Heuristic decoder selection based on upstream URL. Users can override per
+* route in `~/.afw/wire/routes.json`.
+*/
+function decoderFor$1(upstream) {
+	let host;
+	try {
+		host = new URL(upstream).hostname;
+	} catch {
+		return "passthrough";
+	}
+	if (host.endsWith("anthropic.com")) return "anthropic";
+	if (host.endsWith("openai.com")) return "openai-chat";
+	if (host === "openrouter.ai") return "openai-chat";
+	if (host.endsWith("googleapis.com")) return "gemini";
+	if (host.endsWith("amazonaws.com")) return "bedrock";
+	return "openai-chat";
+}
+
 //#endregion
 //#region src/cli/wire/routes.ts
 async function readRoutes() {
@@ -13768,7 +14970,7 @@ function findWrapTarget(c) {
 		originalPrimary: pick.originalPrimary
 	};
 }
-const MODALITIES$2 = new Set([
+const MODALITIES$1 = new Set([
 	"text",
 	"audio",
 	"image",
@@ -13794,7 +14996,7 @@ function harvestOpenClawModels(raw$1) {
 		const rec = m;
 		const id = typeof rec.id === "string" ? rec.id.trim() : "";
 		if (!id) continue;
-		const input = Array.isArray(rec.input) ? rec.input.filter((x) => MODALITIES$2.has(x)) : [];
+		const input = Array.isArray(rec.input) ? rec.input.filter((x) => MODALITIES$1.has(x)) : [];
 		const cost = harvestCost(rec.cost);
 		out.push({
 			id,
@@ -14224,16 +15426,17 @@ const FALLBACK$1 = {
 		decoder: "openai-responses"
 	}
 };
-async function ensureWireRoute(agent) {
+async function ensureWireRoute(agent, opts) {
 	const det = detectorFor(agent);
 	const detection = det ? await det.detect() : null;
+	const codexDecoder = agent === "codex" ? (await resolveCodexWireProtocol(opts?.modelOverride)).decoder : void 0;
 	const routeUpdates = {};
 	if (detection) {
 		for (const ep of detection.endpoints) {
 			if (!ep.active) continue;
 			routeUpdates[routeKeyForModel(agent, ep.modelId)] = {
 				upstream: ep.upstream,
-				decoder: ep.decoder,
+				decoder: codexDecoder ?? ep.decoder,
 				...ep.sourceModelId ? { sourceModelId: ep.sourceModelId } : {},
 				...ep.harvest ? { harvest: ep.harvest } : {},
 				...ep.auth ? { auth: ep.auth } : {}
@@ -14249,7 +15452,7 @@ async function ensureWireRoute(agent) {
 		const fb = FALLBACK$1[agent];
 		if (fb) routeUpdates[routeKeyForModel(agent, "*")] = {
 			upstream: fb.upstream,
-			decoder: fb.decoder
+			decoder: codexDecoder ?? fb.decoder
 		};
 	}
 	if (Object.keys(routeUpdates).length > 0) await upsertRoutes(routeUpdates);
@@ -14395,7 +15598,7 @@ function buildLauncher(agent, bin) {
 			};
 			if (flagGiven) await writeLaunchConfig(cwd, agent, cfg);
 			await ensureDaemonRunning();
-			await ensureWireRoute(agent);
+			await ensureWireRoute(agent, { modelOverride: cfg.model });
 			const instanceLabel = cfg.as ?? dirLabel(cwd);
 			if (cfg.mode !== "raw") try {
 				const { key, created } = await ensureSessionKey(agent, instanceIdFrom(instanceLabel));
@@ -14982,8 +16185,8 @@ var createAdaptorServer = (options) => {
 		overrideGlobalObjects: options.overrideGlobalObjects,
 		autoCleanupIncoming: options.autoCleanupIncoming
 	});
-	const createServer$1 = options.createServer || createServer;
-	const server = createServer$1(options.serverOptions || {}, requestListener);
+	const createServer$2 = options.createServer || createServer$1;
+	const server = createServer$2(options.serverOptions || {}, requestListener);
 	return server;
 };
 var serve = (options, listeningListener) => {
@@ -22384,11 +23587,11 @@ function generateToken(taken = []) {
 	}
 	return randToken();
 }
-function isObj$8(v) {
+function isObj$7(v) {
 	return typeof v === "object" && v !== null && !Array.isArray(v);
 }
 function normalizeEntry(raw$1) {
-	if (!isObj$8(raw$1)) return void 0;
+	if (!isObj$7(raw$1)) return void 0;
 	const id = typeof raw$1.id === "string" ? raw$1.id.trim() : "";
 	const token = typeof raw$1.token === "string" ? raw$1.token.trim() : "";
 	if (!id || !token) return void 0;
@@ -22403,7 +23606,7 @@ function normalizeEntry(raw$1) {
 	};
 }
 function normalizeAccessKeys(raw$1) {
-	if (!isObj$8(raw$1)) return { ...EMPTY_ACCESS_KEYS };
+	if (!isObj$7(raw$1)) return { ...EMPTY_ACCESS_KEYS };
 	if (raw$1.version !== ACCESS_KEYS_VERSION) throw new Error(`keys.json version ${String(raw$1.version)} not supported (expected ${ACCESS_KEYS_VERSION})`);
 	const keys = [];
 	if (Array.isArray(raw$1.keys)) for (const entry of raw$1.keys) {
@@ -22422,16 +23625,16 @@ async function readAccessKeys() {
 async function writeAccessKeys(store$1) {
 	await atomicWrite(paths.keys, `${JSON.stringify(store$1, null, 2)}\n`, { mode: KEYS_MODE });
 }
-let writeChain$3 = Promise.resolve();
+let writeChain$2 = Promise.resolve();
 /** Serialized read-modify-write — see model-registry.ts mutateModelRegistry. */
 function mutateAccessKeys(fn) {
-	const next = writeChain$3.then(async () => {
+	const next = writeChain$2.then(async () => {
 		const store$1 = await readAccessKeys();
 		const updated = fn(store$1);
 		if (updated) await writeAccessKeys(updated);
 		return updated ?? store$1;
 	});
-	writeChain$3 = next.catch(() => {});
+	writeChain$2 = next.catch(() => {});
 	return next;
 }
 
@@ -22486,14 +23689,14 @@ const EMPTY_TIERS = {
 function tierRouting(config, tier) {
 	return config.tiers[tier];
 }
-function isObj$7(v) {
+function isObj$6(v) {
 	return typeof v === "object" && v !== null && !Array.isArray(v);
 }
 function normalizeTiers(raw$1) {
-	if (!isObj$7(raw$1)) return { ...EMPTY_TIERS };
+	if (!isObj$6(raw$1)) return { ...EMPTY_TIERS };
 	if (raw$1.version !== TIERS_VERSION) throw new Error(`tiers.json version ${String(raw$1.version)} not supported (expected ${TIERS_VERSION})`);
 	const tiers$1 = {};
-	if (isObj$7(raw$1.tiers)) for (const t of TIERS) {
+	if (isObj$6(raw$1.tiers)) for (const t of TIERS) {
 		const routing = normalizeRouting(raw$1.tiers[t]);
 		if (routing && routing.target.kind !== "passthrough") tiers$1[t] = routing;
 	}
@@ -22509,28 +23712,28 @@ async function readTiers() {
 async function writeTiers(config) {
 	await atomicWrite(paths.tiers, `${JSON.stringify(config, null, 2)}\n`);
 }
-let writeChain$2 = Promise.resolve();
+let writeChain$1 = Promise.resolve();
 /** Serialized read-modify-write — see model-registry.ts mutateModelRegistry. */
 function mutateTiers(fn) {
-	const next = writeChain$2.then(async () => {
+	const next = writeChain$1.then(async () => {
 		const config = await readTiers();
 		const updated = fn(config);
 		if (updated) await writeTiers(updated);
 		return updated ?? config;
 	});
-	writeChain$2 = next.catch(() => {});
+	writeChain$1 = next.catch(() => {});
 	return next;
 }
 
 //#endregion
 //#region src/daemon/api/keys.ts
-function isObj$6(v) {
+function isObj$5(v) {
 	return typeof v === "object" && v !== null && !Array.isArray(v);
 }
 async function jsonBody$3(c) {
 	try {
 		const body = await c.req.json();
-		return isObj$6(body) ? body : null;
+		return isObj$5(body) ? body : null;
 	} catch {
 		return null;
 	}
@@ -22705,7 +23908,7 @@ const DEFAULT_MASKING_CONFIG = {
 	fakes: {},
 	custom: []
 };
-function isObj$5(v) {
+function isObj$4(v) {
 	return typeof v === "object" && v !== null && !Array.isArray(v);
 }
 /** Compile a stored custom rule into a runnable one. Returns null on a bad
@@ -22730,11 +23933,11 @@ function compileCustomRule(c) {
 	}
 }
 function normalizeMaskingConfig(raw$1) {
-	if (!isObj$5(raw$1) || raw$1.version !== MASKING_VERSION) return structuredCloneDefault();
+	if (!isObj$4(raw$1) || raw$1.version !== MASKING_VERSION) return structuredCloneDefault();
 	const custom = [];
 	const customIds = new Set();
 	if (Array.isArray(raw$1.custom)) for (const c of raw$1.custom) {
-		if (!isObj$5(c)) continue;
+		if (!isObj$4(c)) continue;
 		const cfg = {
 			id: String(c.id ?? ""),
 			label: String(c.label ?? c.id ?? ""),
@@ -22750,13 +23953,13 @@ function normalizeMaskingConfig(raw$1) {
 	}
 	const knownIds = new Set([...BUILTIN_IDS, ...customIds]);
 	const providers = {};
-	if (isObj$5(raw$1.providers)) for (const [providerId, ids] of Object.entries(raw$1.providers)) {
+	if (isObj$4(raw$1.providers)) for (const [providerId, ids] of Object.entries(raw$1.providers)) {
 		if (!Array.isArray(ids)) continue;
 		const valid = [...new Set(ids.filter((x) => typeof x === "string" && knownIds.has(x)))];
 		if (valid.length > 0) providers[providerId] = valid;
 	}
 	const fakes = {};
-	if (isObj$5(raw$1.fakes)) {
+	if (isObj$4(raw$1.fakes)) {
 		for (const [id, fake] of Object.entries(raw$1.fakes)) if (knownIds.has(id) && typeof fake === "string" && fake.length > 0) fakes[id] = fake;
 	}
 	return {
@@ -22785,17 +23988,17 @@ async function readMaskingConfig() {
 async function writeMaskingConfig(cfg) {
 	await atomicWrite(paths.masking, `${JSON.stringify(cfg, null, 2)}\n`);
 }
-let writeChain$1 = Promise.resolve();
+let writeChain = Promise.resolve();
 /** Serialized read-modify-write so concurrent edits can't clobber each other
 *  (mirrors core/secrets.ts). */
 function mutateMaskingConfig(fn) {
-	const next = writeChain$1.then(async () => {
+	const next = writeChain.then(async () => {
 		const cfg = await readMaskingConfig();
 		const updated = normalizeMaskingConfig(fn(cfg));
 		await writeMaskingConfig(updated);
 		return updated;
 	});
-	writeChain$1 = next.catch(() => {});
+	writeChain = next.catch(() => {});
 	return next;
 }
 /** The full runnable rule set for a config: built-ins followed by compiled
@@ -22960,245 +24163,6 @@ function maskCredentials(text$1, rules) {
 	};
 }
 
-//#endregion
-//#region src/core/model-registry.ts
-const MODEL_REGISTRY_VERSION = 3;
-/** OpenRouter Fusion caps its panel at 8 models; mirror that. */
-const MAX_FUSION_PANEL = 8;
-const EMPTY_REGISTRY = {
-	version: MODEL_REGISTRY_VERSION,
-	providers: [],
-	models: [],
-	combos: []
-};
-const MODEL_APIS$1 = [
-	"anthropic-messages",
-	"openai-chat",
-	"openai-responses"
-];
-const MODALITIES$1 = [
-	"text",
-	"audio",
-	"image",
-	"video",
-	"pdf"
-];
-const REASONING_EFFORTS$1 = [
-	"minimal",
-	"low",
-	"medium",
-	"high",
-	"xhigh"
-];
-function findProvider(reg, id) {
-	return reg.providers.find((p) => p.id === id);
-}
-/** Look up a model by id, optionally scoped to a provider.
-*
-*  Same model id can exist under multiple providers (e.g. a Xiangxin
-*  model harvested under `hermes/...` and also added by hand under a
-*  custom `og-text` provider). When `providerId` is supplied we match
-*  the exact pair; otherwise we fall back to the first matching id so
-*  legacy callers (and pre-providerId routing-policy entries) still
-*  resolve to *something* instead of breaking. */
-function findModel(reg, id, providerId) {
-	if (providerId !== void 0) return reg.models.find((m) => m.id === id && m.providerId === providerId);
-	return reg.models.find((m) => m.id === id);
-}
-/** A model's effective wire format: its own override, else its provider's. */
-function resolveApi(reg, model) {
-	return model.api ?? findProvider(reg, model.providerId)?.api;
-}
-function findCombo(reg, id) {
-	return reg.combos.find((c) => c.id === id);
-}
-function isObj$4(v) {
-	return typeof v === "object" && v !== null && !Array.isArray(v);
-}
-function normalizeAuth(raw$1) {
-	if (!isObj$4(raw$1)) return void 0;
-	if (raw$1.kind === "passthrough") return { kind: "passthrough" };
-	if (raw$1.kind === "agent-oauth" && (raw$1.agent === "claude-code" || raw$1.agent === "codex")) return {
-		kind: "agent-oauth",
-		agent: raw$1.agent
-	};
-	if (raw$1.kind === "bearer" && typeof raw$1.valueRef === "string") return {
-		kind: "bearer",
-		valueRef: raw$1.valueRef
-	};
-	if (raw$1.kind === "api-key" && typeof raw$1.header === "string" && raw$1.header !== "" && typeof raw$1.valueRef === "string") return {
-		kind: "api-key",
-		header: raw$1.header,
-		valueRef: raw$1.valueRef
-	};
-	return void 0;
-}
-function normalizeProvider(raw$1) {
-	if (!isObj$4(raw$1)) return void 0;
-	const { id, label, baseUrl, api: api$1, origin, seededFrom, reasoningEffort } = raw$1;
-	if (typeof id !== "string" || id === "") return void 0;
-	if (typeof baseUrl !== "string" || baseUrl === "") return void 0;
-	if (!MODEL_APIS$1.includes(api$1)) return void 0;
-	const auth = normalizeAuth(raw$1.auth);
-	if (!auth) return void 0;
-	return {
-		id,
-		label: typeof label === "string" ? label : id,
-		baseUrl,
-		api: api$1,
-		auth,
-		origin: origin === "manual" ? "manual" : "seeded",
-		...typeof seededFrom === "string" ? { seededFrom } : {},
-		...REASONING_EFFORTS$1.includes(reasoningEffort) ? { reasoningEffort } : {}
-	};
-}
-function normalizeCost(raw$1) {
-	if (!isObj$4(raw$1)) return void 0;
-	const { input, output, cacheRead, cacheWrite } = raw$1;
-	if (typeof input !== "number" || typeof output !== "number") return void 0;
-	return {
-		input,
-		output,
-		...typeof cacheRead === "number" ? { cacheRead } : {},
-		...typeof cacheWrite === "number" ? { cacheWrite } : {}
-	};
-}
-function normalizeModel(raw$1) {
-	if (!isObj$4(raw$1)) return void 0;
-	const { id, providerId, label, api: api$1, origin, contextWindow, maxTokens } = raw$1;
-	if (typeof id !== "string" || id === "") return void 0;
-	if (typeof providerId !== "string" || providerId === "") return void 0;
-	const input = Array.isArray(raw$1.input) ? raw$1.input.filter((m) => MODALITIES$1.includes(m)) : [];
-	const cost = normalizeCost(raw$1.cost);
-	return {
-		id,
-		providerId,
-		label: typeof label === "string" ? label : id,
-		...MODEL_APIS$1.includes(api$1) ? { api: api$1 } : {},
-		input: input.length > 0 ? input : ["text"],
-		...typeof contextWindow === "number" ? { contextWindow } : {},
-		...typeof maxTokens === "number" ? { maxTokens } : {},
-		...cost ? { cost } : {},
-		origin: origin === "manual" ? "manual" : "seeded"
-	};
-}
-function normalizeFusionEndpoint(raw$1) {
-	if (!isObj$4(raw$1)) return void 0;
-	if (typeof raw$1.modelId !== "string" || raw$1.modelId === "") return void 0;
-	return {
-		modelId: raw$1.modelId,
-		...typeof raw$1.providerId === "string" && raw$1.providerId !== "" ? { providerId: raw$1.providerId } : {}
-	};
-}
-function normalizeWebSearch(raw$1) {
-	if (!isObj$4(raw$1)) return void 0;
-	return typeof raw$1.providerId === "string" && raw$1.providerId !== "" ? { providerId: raw$1.providerId } : {};
-}
-/** A fusion panel member: the primary model, its per-member failover rules
-*  (`switchOn` — token/USD caps + error), and the `fallback` model they switch
-*  to. `normalizeMember` parses the {modelId, providerId, switchOn} part. */
-function normalizeFusionMember(raw$1) {
-	const base = normalizeMember(raw$1);
-	if (!base) return void 0;
-	const fallback = isObj$4(raw$1) ? normalizeFusionEndpoint(raw$1.fallback) : void 0;
-	return {
-		modelId: base.modelId,
-		...base.providerId ? { providerId: base.providerId } : {},
-		...base.switchOn ? { switchOn: base.switchOn } : {},
-		...fallback ? { fallback } : {}
-	};
-}
-/** Lift a legacy failover-combo's combo-level vision/web_search capabilities to
-*  the fusion's combo-level vision/web_search, so they survive the move from
-*  failover chains to fusion. */
-function legacyCaps(rawCaps) {
-	const caps = normalizeCapabilities(rawCaps);
-	const vision = caps?.vision?.via === "companion" ? {
-		modelId: caps.vision.modelId,
-		...caps.vision.providerId ? { providerId: caps.vision.providerId } : {}
-	} : void 0;
-	const webSearch = caps?.web_search?.via === "local" ? caps.web_search.providerId ? { providerId: caps.web_search.providerId } : {} : void 0;
-	return {
-		...vision ? { vision } : {},
-		...webSearch ? { webSearch } : {}
-	};
-}
-/** A fusion combination model. Accepts the current `panel` shape and migrates
-*  the legacy failover-combo shape (`members` + `capabilities`) forward: each
-*  member becomes a panel member, and the old combo-level vision/web_search
-*  capabilities become the combo-level `vision`/`webSearch`. Dropped when it has
-*  no id or no resolvable panel member. */
-function normalizeCombo(raw$1) {
-	if (!isObj$4(raw$1)) return void 0;
-	const { id, label } = raw$1;
-	if (typeof id !== "string" || id === "") return void 0;
-	let panel;
-	let migrated = {};
-	if (Array.isArray(raw$1.panel)) panel = raw$1.panel.map(normalizeFusionMember).filter((m) => m != null);
-	else if (Array.isArray(raw$1.members)) {
-		migrated = legacyCaps(raw$1.capabilities);
-		panel = raw$1.members.map(normalizeMember).filter((m) => m != null).map((m) => ({
-			modelId: m.modelId,
-			...m.providerId ? { providerId: m.providerId } : {},
-			...m.switchOn ? { switchOn: m.switchOn } : {}
-		}));
-	} else panel = [];
-	if (panel.length === 0) return void 0;
-	const vision = normalizeFusionEndpoint(raw$1.vision) ?? migrated.vision;
-	const webSearch = normalizeWebSearch(raw$1.webSearch) ?? migrated.webSearch;
-	const judge = normalizeFusionEndpoint(raw$1.judge);
-	const synthesizer = normalizeFusionEndpoint(raw$1.synthesizer);
-	const cheapModel = normalizeFusionEndpoint(raw$1.cheapModel);
-	return {
-		id,
-		label: typeof label === "string" && label !== "" ? label : id,
-		panel: panel.slice(0, MAX_FUSION_PANEL),
-		...vision ? { vision } : {},
-		...webSearch ? { webSearch } : {},
-		...judge ? { judge } : {},
-		...synthesizer ? { synthesizer } : {},
-		...cheapModel ? { cheapModel } : {},
-		origin: "manual"
-	};
-}
-/** Coerce parsed JSON into a valid registry — malformed entries are dropped,
-*  a hand-edited file with one bad entry never wipes the rest. v1 (no `combos`)
-*  and v2 (failover-style combos) are accepted and migrated forward by
-*  `normalizeCombo` — v2 combos' `members`/`capabilities` become a fusion
-*  `panel`. Throws only on an unsupported version, so a future format is never
-*  silently downgraded. */
-function normalizeModelRegistry(raw$1) {
-	if (!isObj$4(raw$1)) return { ...EMPTY_REGISTRY };
-	if (raw$1.version !== 1 && raw$1.version !== 2 && raw$1.version !== MODEL_REGISTRY_VERSION) throw new Error(`models.json version ${String(raw$1.version)} not supported (expected ${MODEL_REGISTRY_VERSION})`);
-	const providers = Array.isArray(raw$1.providers) ? raw$1.providers.map(normalizeProvider).filter((p) => p != null) : [];
-	const models = Array.isArray(raw$1.models) ? raw$1.models.map(normalizeModel).filter((m) => m != null) : [];
-	const combos = Array.isArray(raw$1.combos) ? raw$1.combos.map(normalizeCombo).filter((c) => c != null) : [];
-	return {
-		version: MODEL_REGISTRY_VERSION,
-		providers,
-		models,
-		combos
-	};
-}
-async function readModelRegistry() {
-	if (!await fileExists(paths.models)) return { ...EMPTY_REGISTRY };
-	return normalizeModelRegistry(JSON.parse(await readFile(paths.models, "utf8")));
-}
-async function writeModelRegistry(reg) {
-	await atomicWrite(paths.models, `${JSON.stringify(reg, null, 2)}\n`);
-}
-let writeChain = Promise.resolve();
-function mutateModelRegistry(fn) {
-	const next = writeChain.then(async () => {
-		const reg = await readModelRegistry();
-		const updated = fn(reg);
-		if (updated) await writeModelRegistry(updated);
-		return updated ?? reg;
-	});
-	writeChain = next.catch(() => {});
-	return next;
-}
-
 //#endregion
 //#region src/daemon/routing/load.ts
 let registry = EMPTY_REGISTRY;
@@ -23556,13 +24520,6 @@ const MODALITIES = [
 	"video",
 	"pdf"
 ];
-const REASONING_EFFORTS = [
-	"minimal",
-	"low",
-	"medium",
-	"high",
-	"xhigh"
-];
 const ONE_DAY = 24 * 36e5;
 function isObj$3(v) {
 	return typeof v === "object" && v !== null && !Array.isArray(v);
@@ -23575,6 +24532,16 @@ async function jsonBody$2(c) {
 		return null;
 	}
 }
+function normalizeReasoningEffort(raw$1) {
+	if (typeof raw$1 !== "string") return void 0;
+	const value = raw$1.trim().toLowerCase();
+	return REASONING_EFFORTS.includes(value) ? value : void 0;
+}
+function normalizeGenerationPath(raw$1) {
+	if (typeof raw$1 !== "string") return void 0;
+	const value = raw$1.trim().toLowerCase();
+	return GENERATION_PATH_MODES.includes(value) ? value : void 0;
+}
 async function handleGetRegistry(c) {
 	const reg = await readModelRegistry();
 	const secrets$1 = await readSecrets();
@@ -23613,13 +24580,24 @@ async function handlePostProvider(c) {
 	if (!providedId && !name) return c.json({ error: "provider name required" }, 400);
 	if (!baseUrl) return c.json({ error: "baseUrl required" }, 400);
 	if (!MODEL_APIS.includes(api$1)) return c.json({ error: `api must be one of ${MODEL_APIS.join(", ")}` }, 400);
+	const reasoningEffort = normalizeReasoningEffort(body.reasoningEffort);
+	if (body.reasoningEffort != null && !reasoningEffort) return c.json({ error: `reasoningEffort must be one of ${REASONING_EFFORTS.join(", ")}` }, 400);
+	const generationPath = normalizeGenerationPath(body.generationPath);
+	if (body.generationPath != null && !generationPath) return c.json({ error: `generationPath must be one of ${GENERATION_PATH_MODES.join(", ")}` }, 400);
 	const reg0 = await readModelRegistry();
 	const id = providedId || generateProviderId(name, reg0.providers.map((p) => p.id));
 	const label = name || reg0.providers.find((p) => p.id === id)?.label || id;
 	const authKind = body.authKind;
 	let auth;
 	if (authKind === "passthrough") auth = { kind: "passthrough" };
-	else if (authKind === "bearer" || authKind === "api-key") {
+	else if (authKind === "agent-oauth") {
+		const agent = body.agent;
+		if (agent !== "claude-code" && agent !== "codex") return c.json({ error: "agent-oauth requires agent \"claude-code\" or \"codex\"" }, 400);
+		auth = {
+			kind: "agent-oauth",
+			agent
+		};
+	} else if (authKind === "bearer" || authKind === "api-key") {
 		const valueRef = `provider:${id}`;
 		if (typeof body.apiKey === "string" && body.apiKey !== "") await setSecret(valueRef, body.apiKey);
 		if (authKind === "bearer") auth = {
@@ -23635,8 +24613,7 @@ async function handlePostProvider(c) {
 				valueRef
 			};
 		}
-	} else return c.json({ error: "authKind must be passthrough, bearer, or api-key" }, 400);
-	const reasoningEffort = REASONING_EFFORTS.includes(body.reasoningEffort) ? body.reasoningEffort : void 0;
+	} else return c.json({ error: "authKind must be passthrough, agent-oauth, bearer, or api-key" }, 400);
 	const provider = {
 		id,
 		label,
@@ -23644,6 +24621,7 @@ async function handlePostProvider(c) {
 		api: api$1,
 		auth,
 		origin: "manual",
+		...generationPath ? { generationPath } : {},
 		...reasoningEffort ? { reasoningEffort } : {}
 	};
 	const reg = await mutateModelRegistry((r) => ({
@@ -23664,15 +24642,15 @@ async function handlePostProviderEffort(c) {
 	const id = typeof body.id === "string" ? body.id.trim() : "";
 	if (!id) return c.json({ error: "provider id required" }, 400);
 	const raw$1 = body.reasoningEffort;
-	if (raw$1 != null && !REASONING_EFFORTS.includes(raw$1)) return c.json({ error: `reasoningEffort must be one of ${REASONING_EFFORTS.join(", ")} or null` }, 400);
-	const effort = raw$1 == null ? void 0 : raw$1;
+	const effort = raw$1 == null ? void 0 : normalizeReasoningEffort(raw$1);
+	if (raw$1 != null && !effort) return c.json({ error: `reasoningEffort must be one of ${REASONING_EFFORTS.join(", ")} or null` }, 400);
 	const reg = await mutateModelRegistry((r) => ({
 		...r,
 		providers: r.providers.map((p) => {
 			if (p.id !== id) return p;
 			const next = { ...p };
 			if (effort) next.reasoningEffort = effort;
-			else delete next.reasoningEffort;
+			else next.reasoningEffort = void 0;
 			return next;
 		})
 	}));
@@ -23712,15 +24690,51 @@ function normalizeCostInput(raw$1) {
 		...typeof cacheWrite === "number" ? { cacheWrite } : {}
 	};
 }
+function rewriteFusionEndpoint(endpoint, fromModelId, toModelId, providerId) {
+	if (!endpoint) return void 0;
+	if (endpoint.modelId !== fromModelId || endpoint.providerId !== providerId) return endpoint;
+	return {
+		...endpoint,
+		modelId: toModelId
+	};
+}
+function rewriteFusionMember(member, fromModelId, toModelId, providerId) {
+	const primary = rewriteFusionEndpoint(member, fromModelId, toModelId, providerId);
+	const fallback = rewriteFusionEndpoint(member.fallback, fromModelId, toModelId, providerId);
+	if (primary === member && fallback === member.fallback) return member;
+	return {
+		...member,
+		modelId: primary?.modelId ?? member.modelId,
+		...primary?.providerId ? { providerId: primary.providerId } : {},
+		...fallback ? { fallback } : {}
+	};
+}
+function rewriteComboModelRefs(combo, fromModelId, toModelId, providerId) {
+	const panel = combo.panel.map((m) => rewriteFusionMember(m, fromModelId, toModelId, providerId));
+	const vision = rewriteFusionEndpoint(combo.vision, fromModelId, toModelId, providerId);
+	const judge = rewriteFusionEndpoint(combo.judge, fromModelId, toModelId, providerId);
+	const synthesizer = rewriteFusionEndpoint(combo.synthesizer, fromModelId, toModelId, providerId);
+	if (panel.every((m, i) => m === combo.panel[i]) && vision === combo.vision && judge === combo.judge && synthesizer === combo.synthesizer) return combo;
+	return {
+		...combo,
+		panel,
+		...vision ? { vision } : {},
+		...judge ? { judge } : {},
+		...synthesizer ? { synthesizer } : {}
+	};
+}
 async function handlePostModel(c) {
 	const body = await jsonBody$2(c);
 	if (!body) return c.json({ error: "malformed JSON body" }, 400);
 	const id = typeof body.id === "string" ? body.id.trim() : "";
+	const previousId = typeof body.previousId === "string" ? body.previousId.trim() : "";
 	const providerId = typeof body.providerId === "string" ? body.providerId.trim() : "";
 	if (!id) return c.json({ error: "model id required" }, 400);
 	if (!providerId) return c.json({ error: "providerId required" }, 400);
 	const reg0 = await readModelRegistry();
 	if (!findProvider(reg0, providerId)) return c.json({ error: `unknown provider "${providerId}"` }, 400);
+	const reasoningEffort = normalizeReasoningEffort(body.reasoningEffort);
+	if (body.reasoningEffort != null && !reasoningEffort) return c.json({ error: `reasoningEffort must be one of ${REASONING_EFFORTS.join(", ")}` }, 400);
 	const cost = normalizeCostInput(body.cost);
 	const model = {
 		id,
@@ -23731,11 +24745,19 @@ async function handlePostModel(c) {
 		...typeof body.contextWindow === "number" ? { contextWindow: body.contextWindow } : {},
 		...typeof body.maxTokens === "number" ? { maxTokens: body.maxTokens } : {},
 		...cost ? { cost } : {},
+		...reasoningEffort ? { reasoningEffort } : {},
 		origin: "manual"
 	};
+	const isRename = previousId !== "" && previousId !== id;
 	const reg = await mutateModelRegistry((r) => ({
 		...r,
-		models: [...r.models.filter((m) => !(m.id === id && m.providerId === providerId)), model]
+		models: [...r.models.filter((m) => {
+			if (m.providerId !== providerId) return true;
+			if (m.id === id) return false;
+			if (isRename && m.id === previousId) return false;
+			return true;
+		}), model],
+		combos: isRename ? r.combos.map((combo) => rewriteComboModelRefs(combo, previousId, id, providerId)) : r.combos
 	}));
 	return c.json({
 		ok: true,
@@ -24049,7 +25071,7 @@ async function handlePostSubagent(c) {
 	if (typeof body.providerId === "string") {
 		const pid = body.providerId.trim();
 		if (pid) next.providerId = pid;
-		else delete next.providerId;
+		else next.providerId = void 0;
 	}
 	if (typeof body.minMaxTokens === "number" && body.minMaxTokens >= 0) next.minMaxTokens = body.minMaxTokens;
 	await mutateRoutingPolicy((p) => ({
@@ -24232,7 +25254,7 @@ async function handleDeleteCapability(c) {
 		const capabilities = { ...prior.capabilities };
 		delete capabilities[capabilityId];
 		const next = { ...prior };
-		if (Object.keys(capabilities).length === 0) delete next.capabilities;
+		if (Object.keys(capabilities).length === 0) next.capabilities = void 0;
 		else next.capabilities = capabilities;
 		return {
 			...p,
@@ -36079,8 +37101,8 @@ async function handlePostActiveToolProvider(c) {
 		const active = { ...s.active };
 		if (providerId === "") delete active[kind];
 		else {
-			const exists$1 = s.providers.some((p) => p.id === providerId && p.kind === kind);
-			if (!exists$1) return void 0;
+			const exists$2 = s.providers.some((p) => p.id === providerId && p.kind === kind);
+			if (!exists$2) return void 0;
 			active[kind] = providerId;
 		}
 		return {
@@ -38336,6 +39358,24 @@ function collectOutputBlocks(output) {
 				});
 				break;
 			}
+			case "local_shell_call": {
+				blocks.push({
+					type: "tool_use",
+					id: it.call_id ?? it.id ?? "",
+					name: "local_shell",
+					input: it.action && typeof it.action === "object" ? it.action : {}
+				});
+				break;
+			}
+			case "custom_tool_call": {
+				blocks.push({
+					type: "tool_use",
+					id: it.call_id ?? it.id ?? "",
+					name: typeof it.name === "string" ? it.name : "",
+					input: typeof it.input === "string" ? it.input : it.input ?? {}
+				});
+				break;
+			}
 			case "function_call":
 			case "tool_call": {
 				const name = typeof it.name === "string" ? it.name : it.function?.name ?? "";
@@ -38538,7 +39578,31 @@ function inputToMessages(input) {
 			});
 			continue;
 		}
-		if (it.type === "function_call_output" || it.type === "tool_result") {
+		if (it.type === "local_shell_call") {
+			out.push({
+				role: "assistant",
+				content: [{
+					type: "tool_use",
+					id: it.call_id ?? it.id ?? "",
+					name: "local_shell",
+					input: it.action && typeof it.action === "object" ? it.action : {}
+				}]
+			});
+			continue;
+		}
+		if (it.type === "custom_tool_call") {
+			out.push({
+				role: "assistant",
+				content: [{
+					type: "tool_use",
+					id: it.call_id ?? it.id ?? "",
+					name: it.name ?? "",
+					input: tryParseArgs(it.input)
+				}]
+			});
+			continue;
+		}
+		if (it.type === "function_call_output" || it.type === "tool_result" || it.type === "custom_tool_call_output" || it.type === "local_shell_call_output") {
 			out.push({
 				role: "tool",
 				tool_call_id: it.call_id ?? it.id ?? "",
@@ -38824,7 +39888,7 @@ Use the tools provided by the harness to accomplish the user's task. Persist unt
 */
 function adaptForCodexBackend(body, reasoningEffort) {
 	body.store = false;
-	delete body.max_output_tokens;
+	body.max_output_tokens = void 0;
 	const effort = EFFORT_TO_CODEX[reasoningEffort ?? "medium"];
 	const existingReasoning = typeof body.reasoning === "object" && body.reasoning !== null ? body.reasoning : {};
 	body.reasoning = {
@@ -38853,6 +39917,21 @@ function adaptForCodexBackend(body, reasoningEffort) {
 	}, ...input];
 	body.instructions = CODEX_IDENTITY_INSTRUCTIONS;
 }
+/** Apply the public/OpenAI-compatible Responses reasoning knob without
+*  clobbering an explicit client-supplied `reasoning.effort`. Unlike the
+*  codex ChatGPT backend adapter, this does not clamp `xhigh`; third-party
+*  Responses-compatible gateways may support it even when OpenAI's public API
+*  does not. */
+function applyOpenAIResponsesReasoning(body, reasoningEffort) {
+	if (!reasoningEffort) return false;
+	const existing = typeof body.reasoning === "object" && body.reasoning !== null ? body.reasoning : {};
+	if ("effort" in existing) return false;
+	body.reasoning = {
+		...existing,
+		effort: reasoningEffort
+	};
+	return true;
+}
 /** Anthropic's Messages thinking-budget tiers mapped from our shared
 *  effort knob. Values mirror Claude Code's documented presets (low /
 *  medium / high / "Ultrathink"); `minimal` falls back to the smallest
@@ -39033,6 +40112,64 @@ function stringifyToolArgs(input) {
 		return "{}";
 	}
 }
+const LOCAL_SHELL_TOOL = "local_shell";
+/** Function-tool JSON schema mirroring `local_shell`'s exec action — an argv
+*  array plus the optional working-directory / timeout codex passes through. */
+const LOCAL_SHELL_SCHEMA = {
+	type: "object",
+	properties: {
+		command: {
+			type: "array",
+			items: { type: "string" },
+			description: "The command to run as an argv array, e.g. [\"bash\",\"-lc\",\"ls -la\"]."
+		},
+		workdir: {
+			type: "string",
+			description: "Working directory for the command."
+		},
+		timeout_ms: {
+			type: "number",
+			description: "Timeout in milliseconds."
+		}
+	},
+	required: ["command"]
+};
+/** A `local_shell_call` action → the function-call input we hand the chat
+*  backend. Keeps `command` plus whatever optional knobs were present. */
+function shellActionToInput(action) {
+	const a = asObject(action);
+	const input = {};
+	if (Array.isArray(a.command) || typeof a.command === "string") input.command = a.command;
+	const workdir = a.workdir ?? a.working_directory;
+	if (typeof workdir === "string") input.workdir = workdir;
+	if (typeof a.timeout_ms === "number") input.timeout_ms = a.timeout_ms;
+	return input;
+}
+/** The chat backend's function-call input → a `local_shell_call` exec action,
+*  the shape codex consumes. Tolerates a `command` given as a string. */
+function inputToShellAction(input) {
+	const i = typeof input === "string" ? safeJson(input) : asObject(input);
+	const command = Array.isArray(i.command) ? i.command : typeof i.command === "string" ? [
+		"bash",
+		"-lc",
+		i.command
+	] : [];
+	const action = {
+		type: "exec",
+		command
+	};
+	const workdir = i.workdir ?? i.working_directory;
+	if (typeof workdir === "string") action.working_directory = workdir;
+	if (typeof i.timeout_ms === "number") action.timeout_ms = i.timeout_ms;
+	return action;
+}
+function safeJson(raw$1) {
+	try {
+		return asObject(JSON.parse(raw$1));
+	} catch {
+		return {};
+	}
+}
 
 //#endregion
 //#region src/daemon/translate/from-anthropic.ts
@@ -39575,16 +40712,25 @@ function requestToIR(body) {
 		});
 	} else if (Array.isArray(b.input)) for (const raw$1 of b.input) {
 		const it = asObject(raw$1);
-		if (it.type === "function_call") messages.push({
+		if (it.type === "function_call" || it.type === "custom_tool_call") messages.push({
 			role: "assistant",
 			content: [{
 				type: "tool_use",
 				id: str(it.call_id) ?? str(it.id) ?? "",
 				name: str(it.name) ?? "",
-				input: parseToolArgs(it.arguments)
+				input: parseToolArgs(it.arguments ?? it.input)
+			}]
+		});
+		else if (it.type === "local_shell_call") messages.push({
+			role: "assistant",
+			content: [{
+				type: "tool_use",
+				id: str(it.call_id) ?? str(it.id) ?? "",
+				name: LOCAL_SHELL_TOOL,
+				input: shellActionToInput(it.action)
 			}]
 		});
-		else if (it.type === "function_call_output" || it.type === "tool_result") messages.push({
+		else if (it.type === "function_call_output" || it.type === "tool_result" || it.type === "custom_tool_call_output" || it.type === "local_shell_call_output") messages.push({
 			role: "user",
 			content: [{
 				type: "tool_result",
@@ -39669,6 +40815,14 @@ function toolsToIR(tools) {
 	const out = [];
 	for (const raw$1 of tools) {
 		const t = asObject(raw$1);
+		if (t.type === "local_shell") {
+			out.push({
+				name: LOCAL_SHELL_TOOL,
+				description: "Run a shell command on the user's machine and return its stdout/stderr. Provide the command as an argv array.",
+				inputSchema: LOCAL_SHELL_SCHEMA
+			});
+			continue;
+		}
 		const fn = asObject(t.function);
 		const name = str(t.name) ?? str(fn.name);
 		if (!name) continue;
@@ -39997,6 +41151,13 @@ function responseFromIR(ir) {
 			annotations: []
 		}]
 	});
+	else if (b.type === "tool_use" && b.name === LOCAL_SHELL_TOOL) output.push({
+		type: "local_shell_call",
+		id: `lsh_${nanoid()}`,
+		call_id: b.id || `call_${nanoid()}`,
+		status: "completed",
+		action: inputToShellAction(b.input)
+	});
 	else if (b.type === "tool_use") output.push({
 		type: "function_call",
 		id: `fc_${nanoid()}`,
@@ -40699,7 +41860,8 @@ var OpenAIResponsesWriter = class {
 					return itemAdded + partAdded;
 				}
 				if (ev.block.type === "tool_use") {
-					const itemId = `fc_${nanoid()}`;
+					const isShell = ev.block.name === LOCAL_SHELL_TOOL;
+					const itemId = `${isShell ? "lsh" : "fc"}_${nanoid()}`;
 					this.acc.set(ev.index, {
 						block: {
 							type: "tool_use",
@@ -40713,16 +41875,26 @@ var OpenAIResponsesWriter = class {
 						contentIndex: 0
 					});
 					this.order.push(ev.index);
+					const callId = ev.block.id || `call_${nanoid()}`;
 					return frame("response.output_item.added", {
 						type: "response.output_item.added",
 						sequence_number: this.seq++,
 						output_index: outputIndex,
-						item: {
+						item: isShell ? {
+							id: itemId,
+							type: "local_shell_call",
+							status: "in_progress",
+							call_id: callId,
+							action: {
+								type: "exec",
+								command: []
+							}
+						} : {
 							id: itemId,
 							type: "function_call",
 							status: "in_progress",
 							arguments: "",
-							call_id: ev.block.id || `call_${nanoid()}`,
+							call_id: callId,
 							name: ev.block.name
 						}
 					});
@@ -40762,6 +41934,7 @@ var OpenAIResponsesWriter = class {
 				const entry = this.acc.get(ev.index);
 				if (!entry) return "";
 				entry.toolJson += ev.json;
+				if (entry.block.type === "tool_use" && entry.block.name === LOCAL_SHELL_TOOL) return "";
 				return frame("response.function_call_arguments.delta", {
 					type: "response.function_call_arguments.delta",
 					sequence_number: this.seq++,
@@ -40816,6 +41989,19 @@ var OpenAIResponsesWriter = class {
 				}
 				if (entry.block.type === "tool_use") {
 					const argsStr = entry.toolJson || "";
+					const callId = entry.block.id || `call_${nanoid()}`;
+					if (entry.block.name === LOCAL_SHELL_TOOL) return frame("response.output_item.done", {
+						type: "response.output_item.done",
+						sequence_number: this.seq++,
+						output_index: entry.outputIndex,
+						item: {
+							id: entry.itemId,
+							type: "local_shell_call",
+							status: "completed",
+							call_id: callId,
+							action: inputToShellAction(parseToolArgs(argsStr))
+						}
+					});
 					const argsDone = frame("response.function_call_arguments.done", {
 						type: "response.function_call_arguments.done",
 						sequence_number: this.seq++,
@@ -40832,7 +42018,7 @@ var OpenAIResponsesWriter = class {
 							type: "function_call",
 							status: "completed",
 							arguments: argsStr,
-							call_id: entry.block.id || `call_${nanoid()}`,
+							call_id: callId,
 							name: entry.block.name
 						}
 					});
@@ -40857,6 +42043,13 @@ var OpenAIResponsesWriter = class {
 							annotations: []
 						}]
 					});
+					else if (entry.block.type === "tool_use" && entry.block.name === LOCAL_SHELL_TOOL) output.push({
+						id: entry.itemId,
+						type: "local_shell_call",
+						status: "completed",
+						call_id: entry.block.id || `call_${nanoid()}`,
+						action: inputToShellAction(parseToolArgs(entry.toolJson || ""))
+					});
 					else if (entry.block.type === "tool_use") output.push({
 						id: entry.itemId,
 						type: "function_call",
@@ -40990,21 +42183,138 @@ function translateRequest(from, to, body) {
 }
 
 //#endregion
-//#region src/daemon/orchestrator/oauth/jwt.ts
-/** The `exp` claim (epoch seconds) of a JWT, or undefined when the token is
-*  malformed or carries no numeric `exp`. */
-function decodeJwtExp(token) {
-	const parts = token.split(".");
-	const payload = parts[1];
-	if (parts.length < 2 || !payload) return void 0;
+//#region src/daemon/orchestrator/oauth/lock.ts
+const STALE_MS = 3e4;
+const MAX_WAIT_MS = 5e3;
+const POLL_MS = 100;
+async function withFileLock(path$1, fn) {
+	const held = await acquire(path$1);
 	try {
-		const json = Buffer$1.from(payload, "base64url").toString("utf8");
-		const claims = JSON.parse(json);
-		return typeof claims.exp === "number" ? claims.exp : void 0;
-	} catch {
-		return void 0;
+		return await fn();
+	} finally {
+		if (held) await unlink(path$1).catch(() => {});
 	}
 }
+async function acquire(path$1) {
+	const deadline = Date.now() + MAX_WAIT_MS;
+	for (;;) try {
+		const fh = await open(path$1, "wx");
+		await fh.close();
+		return true;
+	} catch (err) {
+		if (err.code !== "EEXIST") return false;
+		try {
+			const st = await stat(path$1);
+			if (Date.now() - st.mtimeMs > STALE_MS) {
+				await unlink(path$1).catch(() => {});
+				continue;
+			}
+		} catch {
+			continue;
+		}
+		if (Date.now() > deadline) return false;
+		await new Promise((r) => setTimeout(r, POLL_MS));
+	}
+}
+
+//#endregion
+//#region src/daemon/orchestrator/oauth/claude-code.ts
+const TOKEN_URL$1 = "https://platform.claude.com/v1/oauth/token";
+const CLIENT_ID$1 = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+const SCOPE = "user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
+const EXPIRY_BUFFER_MS$1 = 5 * 60 * 1e3;
+/** A JSON-file credential store (afw's own store path, and the test seam). */
+function fileStore(path$1) {
+	return {
+		label: `file ${path$1}`,
+		async read() {
+			try {
+				return JSON.parse(await readFile(path$1, "utf8"));
+			} catch {
+				return void 0;
+			}
+		},
+		async write(creds) {
+			await atomicWrite(path$1, `${JSON.stringify(creds, null, 2)}\n`, { mode: 384 });
+		}
+	};
+}
+/** afw's own token store. Returns undefined until the user has run
+*  `afw oauth login anthropic`. */
+async function pickStore() {
+	return await fileExists(paths.oauth.claudeCode) ? fileStore(paths.oauth.claudeCode) : void 0;
+}
+/** Exchange a refresh token for a fresh access token. The rotated refresh
+*  token (when the provider returns one) is in the result and must be
+*  written back to the agent's store by the caller. */
+async function refreshClaudeToken(refreshToken) {
+	const res = await fetch(TOKEN_URL$1, {
+		method: "POST",
+		headers: { "content-type": "application/json" },
+		body: JSON.stringify({
+			grant_type: "refresh_token",
+			refresh_token: refreshToken,
+			client_id: CLIENT_ID$1,
+			scope: SCOPE
+		})
+	});
+	if (!res.ok) throw new Error(`claude-code OAuth refresh failed: HTTP ${res.status}`);
+	const j = await res.json();
+	if (!j.access_token) throw new Error("claude-code OAuth refresh: response carried no access_token");
+	return {
+		accessToken: j.access_token,
+		refreshToken: j.refresh_token ?? refreshToken,
+		expiresAt: Date.now() + (j.expires_in ?? 3600) * 1e3
+	};
+}
+/** Resolve a usable access token from `store`, refreshing + writing back the
+*  rotated token when the stored one is within the expiry buffer. No
+*  in-memory cache and no lock — the production entry point adds those; this
+*  is the unit-test seam. */
+async function resolveClaudeToken(store$1) {
+	const creds = await store$1.read();
+	const oauth = creds?.claudeAiOauth;
+	if (!creds || !oauth?.accessToken || !oauth.refreshToken) throw new Error(`claude-code OAuth credentials unavailable (${store$1.label})`);
+	const expiresAt = typeof oauth.expiresAt === "number" ? oauth.expiresAt : 0;
+	if (Date.now() < expiresAt - EXPIRY_BUFFER_MS$1) return {
+		token: oauth.accessToken,
+		expiresAt
+	};
+	const refreshed = await refreshClaudeToken(oauth.refreshToken);
+	const updated = {
+		...creds,
+		claudeAiOauth: {
+			...oauth,
+			accessToken: refreshed.accessToken,
+			refreshToken: refreshed.refreshToken,
+			expiresAt: refreshed.expiresAt
+		}
+	};
+	await store$1.write(updated);
+	return {
+		token: refreshed.accessToken,
+		expiresAt: refreshed.expiresAt
+	};
+}
+let cache$1;
+let inflight$1;
+/** The orchestrator entry point: a fresh access token, cached in memory and
+*  refreshed at most once across concurrent callers. */
+async function getClaudeCodeToken() {
+	if (cache$1 && Date.now() < cache$1.expiresAt - EXPIRY_BUFFER_MS$1) return { token: cache$1.token };
+	if (inflight$1) return inflight$1;
+	inflight$1 = (async () => {
+		const store$1 = await pickStore();
+		if (!store$1) throw new Error("claude-code OAuth credentials not found");
+		const lockPath = join(paths.home, "oauth-claude-code.lock");
+		const resolved = await withFileLock(lockPath, () => resolveClaudeToken(store$1));
+		cache$1 = resolved;
+		return resolved;
+	})().finally(() => {
+		inflight$1 = void 0;
+	});
+	return inflight$1;
+}
 
 //#endregion
 //#region src/daemon/orchestrator/oauth/codex.ts
@@ -41106,7 +42416,7 @@ async function getCodexToken() {
 	if (inflight) return inflight;
 	inflight = (async () => {
 		const lockPath = join(paths.home, "oauth-codex.lock");
-		const resolved = await withFileLock(lockPath, () => resolveCodexToken(paths.agent.codex.auth));
+		const resolved = await withFileLock(lockPath, () => resolveCodexToken(paths.oauth.codex));
 		cache = resolved;
 		return resolved;
 	})().finally(() => {
@@ -41122,61 +42432,6 @@ function getAgentToken(agent) {
 	return agent === "codex" ? getCodexToken() : getClaudeCodeToken();
 }
 
-//#endregion
-//#region src/daemon/orchestrator/quota.ts
-/** Latest known quota usage per provider id — the binding (most-consumed)
-*  window, as a 0–100 percentage. Account-global, so it reflects all usage of
-*  the subscription, not just afw's routed calls. */
-const snapshots = new Map();
-/** Parse rate-limit headers into the highest used-percentage across every
-*  limit/remaining pair found. Handles both layouts seen in the wild:
-*    - Anthropic: `anthropic-ratelimit-<bucket>-{limit,remaining}`
-*    - OpenAI:    `x-ratelimit-{limit,remaining}-<bucket>`
-*  Returns undefined when no usable pair is present. */
-function usedPctFromHeaders(headers) {
-	const buckets = new Map();
-	const put = (bucket, field, raw$1) => {
-		const n = Number.parseFloat(raw$1);
-		if (!Number.isFinite(n)) return;
-		const b = buckets.get(bucket) ?? {};
-		b[field] = n;
-		buckets.set(bucket, b);
-	};
-	headers.forEach((value, key) => {
-		const k = key.toLowerCase();
-		let m = /^anthropic-ratelimit-(.+)-(limit|remaining)$/.exec(k);
-		if (m) {
-			put(`a:${m[1]}`, m[2], value);
-			return;
-		}
-		m = /^x-ratelimit-(limit|remaining)-(.+)$/.exec(k);
-		if (m) put(`o:${m[2]}`, m[1], value);
-	});
-	let maxUsed;
-	for (const { limit, remaining } of buckets.values()) {
-		if (limit === void 0 || remaining === void 0 || limit <= 0) continue;
-		const used = (limit - Math.max(0, remaining)) / limit * 100;
-		if (maxUsed === void 0 || used > maxUsed) maxUsed = used;
-	}
-	return maxUsed;
-}
-/** Record a routed upstream response's quota headers against its provider.
-*  No-op when the response carries no recognizable rate-limit headers. */
-function recordQuotaHeaders(providerId, headers) {
-	const usedPct = usedPctFromHeaders(headers);
-	if (usedPct === void 0) return;
-	snapshots.set(providerId, {
-		usedPct,
-		at: Date.now()
-	});
-}
-/** The latest known quota-used percentage for a provider, or undefined when
-*  none of its responses have carried rate-limit headers yet (so a `quota-pct`
-*  rule can't fire on missing data — we never switch blind). */
-function quotaUsedPct(providerId) {
-	return snapshots.get(providerId)?.usedPct;
-}
-
 //#endregion
 //#region src/daemon/orchestrator/exec.ts
 /** Does this path target the API's model-generation endpoint? Guards the
@@ -41196,12 +42451,16 @@ function isGenerationPath(api$1, path$1) {
 *  hits the right path because it constructs it itself; when an off-agent
 *  route (openclaw, hermes, …) sends through this provider via afw, we
 *  rebuild the URL here and must match codex's convention. */
-function generationUrl(baseUrl, api$1) {
+function generationUrl(baseUrl, api$1, opts = {}) {
 	const base = baseUrl.replace(/\/+$/, "");
 	const rest = api$1 === "anthropic-messages" ? "messages" : api$1 === "openai-chat" ? "chat/completions" : "responses";
+	if (opts.generationPath === "direct") return `${base}/${rest}`;
 	if (isCodexChatGptBackend(base)) return `${base}/${rest}`;
 	return base.endsWith("/v1") ? `${base}/${rest}` : `${base}/v1/${rest}`;
 }
+function effectiveReasoningEffort(member) {
+	return member.reasoningEffort ?? member.model.reasoningEffort ?? member.provider.reasoningEffort;
+}
 /** Rewrite the `model` field of a request body. All three wire formats carry
 *  the target model in a top-level `model` string, so one rewrite covers all.
 *  An unparseable body is forwarded unchanged. */
@@ -41267,16 +42526,20 @@ function withoutServerTools(body) {
 	});
 	if (kept.length === tools.length) return body;
 	const next = { ...body };
-	if (kept.length === 0) delete next.tools;
-	else next.tools = kept;
+	if (kept.length === 0) {
+		const { tools: _discardedTools,...rest } = next;
+		return rest;
+	}
+	next.tools = kept;
 	return next;
 }
 /** Apply an auth spec to forwarded request headers. Passthrough auth
 *  leaves the client's own headers intact; otherwise every auth header the
 *  client may have sent is dropped before the configured one is injected.
 *  `agent-oauth` providers inject a subscription token afw reads — and
-*  co-refreshes — from the owning agent's own credential store. `id` is
-*  used purely for log labelling (provider id or route key). */
+*  co-refreshes — from afw's OWN OAuth store (~/.afw/oauth/), populated by
+*  `afw oauth login`; afw never reads the agent's own credential store. `id`
+*  is used purely for log labelling (provider id or route key). */
 async function applyAuth(headers, auth, id) {
 	if (auth.kind === "passthrough") return;
 	if (auth.kind === "agent-oauth") {
@@ -41330,8 +42593,8 @@ function stripClientAuth(headers) {
 	headers.delete("x-api-key");
 	headers.delete("api-key");
 }
-const CODEX_CLIENT_UA = "codex_cli_rs/0.81.0 (afw; openafw.com)";
-const CLAUDE_CODE_CLIENT_UA = "claude-cli/2.0.0 (afw; openafw.com)";
+const CODEX_CLIENT_UA = "codex_cli_rs/0.81.0 (afw; openguardrails.com)";
+const CLAUDE_CODE_CLIENT_UA = "claude-cli/2.0.0 (afw; openguardrails.com)";
 function encodeJson(value) {
 	const bytes = new TextEncoder().encode(JSON.stringify(value));
 	const out = new ArrayBuffer(bytes.byteLength);
@@ -41405,6 +42668,20 @@ function clampOutputBudgetBytes(body, api$1, model) {
 	const obj = parsed;
 	return clampOutputBudget(obj, api$1, model) ? encodeJson(obj) : body;
 }
+/** Byte-level variant for the same-protocol fast path. Injects a configured
+*  OpenAI Responses reasoning effort without parsing the body elsewhere. */
+function applyOpenAIResponsesReasoningBytes(body, reasoningEffort) {
+	if (!reasoningEffort) return body;
+	let parsed;
+	try {
+		parsed = JSON.parse(new TextDecoder().decode(body));
+	} catch {
+		return body;
+	}
+	if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return body;
+	const obj = parsed;
+	return applyOpenAIResponsesReasoning(obj, reasoningEffort) ? encodeJson(obj) : body;
+}
 /** Recognized upstream context-overflow error signatures (lower-cased). Covers
 *  vLLM ("maximum context length is N tokens … reduce the length of the input"),
 *  OpenAI-compatible servers (`context_length_exceeded`), and Anthropic. */
@@ -41462,6 +42739,70 @@ function safeRetryBudget(text$1, model) {
 function isOverflowStatus(status) {
 	return status === 400 || status === 413 || status === 422;
 }
+const TRANSIENT_RETRY_DELAYS_MS = [250, 750];
+function isTransientUpstreamStatus(status) {
+	return status === 408 || status === 409 || status === 425 || status === 429 || status >= 500;
+}
+function retryDelayMs(attempt, res) {
+	const retryAfter = res?.headers.get("retry-after");
+	if (retryAfter) {
+		const seconds = Number.parseFloat(retryAfter);
+		if (Number.isFinite(seconds) && seconds >= 0) return Math.min(seconds * 1e3, 5e3);
+		const when = Date.parse(retryAfter);
+		if (Number.isFinite(when)) return Math.min(Math.max(when - Date.now(), 0), 5e3);
+	}
+	return TRANSIENT_RETRY_DELAYS_MS[attempt] ?? TRANSIENT_RETRY_DELAYS_MS.at(-1);
+}
+function sleep$1(ms) {
+	return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function fetchBufferedWithTransientRetries(build, label) {
+	let lastErr;
+	for (let attempt = 0; attempt <= TRANSIENT_RETRY_DELAYS_MS.length; attempt++) {
+		let built;
+		try {
+			built = await build();
+			const res = await fetch(built.request);
+			const text$1 = restoreText(await res.text(), built.restore);
+			if (!isTransientUpstreamStatus(res.status) || attempt === TRANSIENT_RETRY_DELAYS_MS.length) return {
+				res,
+				text: text$1
+			};
+			const delay = retryDelayMs(attempt, res);
+			logger.warn(`routing: transient HTTP ${res.status} from ${label}; retrying in ${delay}ms (${attempt + 1}/${TRANSIENT_RETRY_DELAYS_MS.length})`);
+			await sleep$1(delay);
+		} catch (err) {
+			lastErr = err;
+			if (attempt === TRANSIENT_RETRY_DELAYS_MS.length) throw err;
+			const delay = retryDelayMs(attempt);
+			logger.warn(`routing: transient upstream error from ${label}: ${err.message}; retrying in ${delay}ms (${attempt + 1}/${TRANSIENT_RETRY_DELAYS_MS.length})`);
+			await sleep$1(delay);
+		}
+	}
+	throw lastErr instanceof Error ? lastErr : new Error("upstream call failed");
+}
+async function fetchStreamWithTransientRetries(build, label) {
+	let lastErr;
+	for (let attempt = 0; attempt <= TRANSIENT_RETRY_DELAYS_MS.length; attempt++) try {
+		const built = await build();
+		const res = await fetch(built.request);
+		if (!isTransientUpstreamStatus(res.status) || attempt === TRANSIENT_RETRY_DELAYS_MS.length) return {
+			res,
+			restore: built.restore
+		};
+		await res.text().catch(() => "");
+		const delay = retryDelayMs(attempt, res);
+		logger.warn(`routing: transient HTTP ${res.status} from ${label} [stream]; retrying in ${delay}ms (${attempt + 1}/${TRANSIENT_RETRY_DELAYS_MS.length})`);
+		await sleep$1(delay);
+	} catch (err) {
+		lastErr = err;
+		if (attempt === TRANSIENT_RETRY_DELAYS_MS.length) throw err;
+		const delay = retryDelayMs(attempt);
+		logger.warn(`routing: transient upstream error from ${label} [stream]: ${err.message}; retrying in ${delay}ms (${attempt + 1}/${TRANSIENT_RETRY_DELAYS_MS.length})`);
+		await sleep$1(delay);
+	}
+	throw lastErr instanceof Error ? lastErr : new Error("upstream call failed");
+}
 /** Build the upstream HTTP request for a routed member: translate the client
 *  request into the member's wire format, force the model and the stream flag,
 *  apply provider auth, mask credentials for the member's provider, and target
@@ -41474,8 +42815,10 @@ async function buildUpstreamRequest(member, clientApi, clientRequest, ctx, upstr
 		model: member.model.id,
 		stream
 	};
-	if (member.api === "anthropic-messages" && member.provider.auth.kind === "agent-oauth" && member.provider.auth.agent === "claude-code") adaptForClaudeCodeOAuth(upstreamBody, member.provider.reasoningEffort);
-	if (member.api === "openai-responses" && isCodexChatGptBackend(member.provider.baseUrl)) adaptForCodexBackend(upstreamBody, member.provider.reasoningEffort);
+	const reasoningEffort = effectiveReasoningEffort(member);
+	if (member.api === "anthropic-messages" && member.provider.auth.kind === "agent-oauth" && member.provider.auth.agent === "claude-code") adaptForClaudeCodeOAuth(upstreamBody, reasoningEffort);
+	if (member.api === "openai-responses" && isCodexChatGptBackend(member.provider.baseUrl)) adaptForCodexBackend(upstreamBody, reasoningEffort);
+	else if (member.api === "openai-responses") applyOpenAIResponsesReasoning(upstreamBody, reasoningEffort);
 	clampOutputBudget(upstreamBody, member.api, member.model);
 	if (outputOverride != null) {
 		const fields = outputTokenFields(member.api);
@@ -41520,17 +42863,14 @@ function restoreStream(body, restore) {
 async function execAttempt(member, clientApi, clientRequest, ctx) {
 	const startedAtWall = Date.now();
 	const t0 = performance.now();
-	const upstreamUrl = generationUrl(member.provider.baseUrl, member.api);
+	const upstreamUrl = generationUrl(member.provider.baseUrl, member.api, { generationPath: member.provider.generationPath });
+	const label = `${member.provider.id}/${member.model.id}`;
 	try {
-		const { request, restore } = await buildUpstreamRequest(member, clientApi, clientRequest, ctx, upstreamUrl, false);
-		let res = await fetch(request);
-		let text$1 = restoreText(await res.text(), restore);
+		let { res, text: text$1 } = await fetchBufferedWithTransientRetries(() => buildUpstreamRequest(member, clientApi, clientRequest, ctx, upstreamUrl, false), label);
 		if (res.status >= 400 && isOverflowStatus(res.status)) {
 			const budget = safeRetryBudget(text$1, member.model);
 			if (budget != null) {
-				const retry = await buildUpstreamRequest(member, clientApi, clientRequest, ctx, upstreamUrl, false, budget);
-				const res2 = await fetch(retry.request);
-				const text2 = restoreText(await res2.text(), retry.restore);
+				const { res: res2, text: text2 } = await fetchBufferedWithTransientRetries(() => buildUpstreamRequest(member, clientApi, clientRequest, ctx, upstreamUrl, false, budget), `${label} overflow-retry`);
 				if (res2.status < 400) {
 					logger.info(`routing: ${member.model.id} retried with max output ${budget} after context overflow`);
 					res = res2;
@@ -41539,7 +42879,6 @@ async function execAttempt(member, clientApi, clientRequest, ctx) {
 			}
 		}
 		const durMs = performance.now() - t0;
-		recordQuotaHeaders(member.provider.id, res.headers);
 		if (res.status >= 400) return {
 			ok: false,
 			status: res.status,
@@ -41590,23 +42929,21 @@ async function execAttempt(member, clientApi, clientRequest, ctx) {
 async function execStream(member, clientApi, clientRequest, ctx) {
 	const startedAtWall = Date.now();
 	const t0 = performance.now();
-	const upstreamUrl = generationUrl(member.provider.baseUrl, member.api);
+	const upstreamUrl = generationUrl(member.provider.baseUrl, member.api, { generationPath: member.provider.generationPath });
+	const label = `${member.provider.id}/${member.model.id}`;
 	try {
-		const { request, restore } = await buildUpstreamRequest(member, clientApi, clientRequest, ctx, upstreamUrl, true);
-		const res = await fetch(request);
-		recordQuotaHeaders(member.provider.id, res.headers);
+		const { res, restore } = await fetchStreamWithTransientRetries(() => buildUpstreamRequest(member, clientApi, clientRequest, ctx, upstreamUrl, true), label);
 		if (res.status >= 400 && isOverflowStatus(res.status)) {
 			const text$1 = restoreText(await res.text(), restore);
 			const budget = safeRetryBudget(text$1, member.model);
 			if (budget != null) {
-				const retry = await buildUpstreamRequest(member, clientApi, clientRequest, ctx, upstreamUrl, true, budget);
-				const res2 = await fetch(retry.request);
+				const { res: res2, restore: restore2 } = await fetchStreamWithTransientRetries(() => buildUpstreamRequest(member, clientApi, clientRequest, ctx, upstreamUrl, true, budget), `${label} overflow-retry`);
 				if (res2.status < 400 && res2.body) {
 					logger.info(`routing: ${member.model.id} retried with max output ${budget} after context overflow [stream]`);
 					return {
 						ok: true,
 						status: res2.status,
-						body: restoreStream(res2.body, retry.restore),
+						body: restoreStream(res2.body, restore2),
 						durMs: performance.now() - t0,
 						startedAtWall,
 						upstreamUrl
@@ -42101,6 +43438,19 @@ function requestHasImageBlock(clientApi, clientRequest) {
 	return false;
 }
 
+//#endregion
+//#region src/daemon/orchestrator/quota.ts
+/** Latest known quota usage per provider id — the binding (most-consumed)
+*  window, as a 0–100 percentage. Account-global, so it reflects all usage of
+*  the subscription, not just afw's routed calls. */
+const snapshots = new Map();
+/** The latest known quota-used percentage for a provider, or undefined when
+*  none of its responses have carried rate-limit headers yet (so a `quota-pct`
+*  rule can't fire on missing data — we never switch blind). */
+function quotaUsedPct(providerId) {
+	return snapshots.get(providerId)?.usedPct;
+}
+
 //#endregion
 //#region src/daemon/orchestrator/resolve.ts
 /** A route's decoder → the wire API afw can translate, if any. */
@@ -42139,10 +43489,13 @@ function resolveModelRef(modelId, providerId) {
 	if (!provider) return void 0;
 	const api$1 = resolveApi(reg, model);
 	if (!api$1) return void 0;
+	const resolvedProvider = withResolvableAuth(provider);
+	const reasoningEffort = model.reasoningEffort ?? resolvedProvider.reasoningEffort;
 	return {
 		model,
-		provider: withResolvableAuth(provider),
-		api: api$1
+		provider: resolvedProvider,
+		api: api$1,
+		...reasoningEffort ? { reasoningEffort } : {}
 	};
 }
 /** Resolve a routeKey against the live routing policy. */
@@ -42193,6 +43546,7 @@ function resolveRouteFrom(routing, decoder, label = "route") {
 			model: only.model,
 			provider: only.provider,
 			api: only.api,
+			...only.reasoningEffort ? { reasoningEffort: only.reasoningEffort } : {},
 			capabilities,
 			configuredTarget: {
 				kind: "model",
@@ -42253,7 +43607,8 @@ function resolveFusion(routeKey, combo, clientApi) {
 	const firstRef = {
 		model: firstPrimary.model,
 		provider: firstPrimary.provider,
-		api: firstPrimary.api
+		api: firstPrimary.api,
+		...firstPrimary.reasoningEffort ? { reasoningEffort: firstPrimary.reasoningEffort } : {}
 	};
 	let synthesizer = firstRef;
 	if (combo.synthesizer) {
@@ -42646,6 +44001,12 @@ function synthOpenAIResponses(ir) {
 		id: `msg_${nanoid()}`,
 		text: b.text
 	});
+	else if (b.type === "tool_use" && b.name === LOCAL_SHELL_TOOL) items.push({
+		kind: "local_shell_call",
+		id: `lsh_${nanoid()}`,
+		callId: b.id || `call_${nanoid()}`,
+		action: inputToShellAction(b.input)
+	});
 	else if (b.type === "tool_use") items.push({
 		kind: "function_call",
 		id: `fc_${nanoid()}`,
@@ -42660,23 +44021,33 @@ function synthOpenAIResponses(ir) {
 	};
 	if (ir.usage.cacheRead != null) usage.input_tokens_details = { cached_tokens: ir.usage.cacheRead };
 	const incomplete = ir.stopReason === "max_tokens";
-	const finishedOutput = () => items.map((it) => it.kind === "message" ? {
-		id: it.id,
-		type: "message",
-		status: "completed",
-		role: "assistant",
-		content: [{
-			type: "output_text",
-			text: it.text,
-			annotations: []
-		}]
-	} : {
-		id: it.id,
-		type: "function_call",
-		status: "completed",
-		arguments: it.argsStr,
-		call_id: it.callId,
-		name: it.name
+	const finishedOutput = () => items.map((it) => {
+		if (it.kind === "message") return {
+			id: it.id,
+			type: "message",
+			status: "completed",
+			role: "assistant",
+			content: [{
+				type: "output_text",
+				text: it.text,
+				annotations: []
+			}]
+		};
+		if (it.kind === "local_shell_call") return {
+			id: it.id,
+			type: "local_shell_call",
+			status: "completed",
+			call_id: it.callId,
+			action: it.action
+		};
+		return {
+			id: it.id,
+			type: "function_call",
+			status: "completed",
+			arguments: it.argsStr,
+			call_id: it.callId,
+			name: it.name
+		};
 	});
 	const baseResponse = (status) => ({
 		id: responseId,
@@ -42793,6 +44164,37 @@ function synthOpenAIResponses(ir) {
 					}
 				})
 			});
+		} else if (it.kind === "local_shell_call") {
+			events.push({
+				event: "response.output_item.added",
+				data: JSON.stringify({
+					type: "response.output_item.added",
+					sequence_number: seq$6++,
+					output_index: outputIndex,
+					item: {
+						id: it.id,
+						type: "local_shell_call",
+						status: "in_progress",
+						call_id: it.callId,
+						action: it.action
+					}
+				})
+			});
+			events.push({
+				event: "response.output_item.done",
+				data: JSON.stringify({
+					type: "response.output_item.done",
+					sequence_number: seq$6++,
+					output_index: outputIndex,
+					item: {
+						id: it.id,
+						type: "local_shell_call",
+						status: "completed",
+						call_id: it.callId,
+						action: it.action
+					}
+				})
+			});
 		} else {
 			events.push({
 				event: "response.output_item.added",
@@ -42996,7 +44398,7 @@ async function runSearch(provider, query, count) {
 }
 async function readBackendSecret(ref) {
 	try {
-		const { readSecrets: readSecrets$1 } = await import("../secrets-9JqUBHyw.js");
+		const { readSecrets: readSecrets$1 } = await import("../secrets-DJCX60WS.js");
 		const secrets$1 = await readSecrets$1();
 		return getSecret(secrets$1, ref) ?? void 0;
 	} catch {
@@ -43257,6 +44659,38 @@ function parseJsonObject(body) {
 	} catch {}
 	return void 0;
 }
+const SAME_PROTOCOL_TRANSIENT_RETRY_DELAYS_MS = [250, 750];
+function sameProtocolRetryDelayMs(attempt, res) {
+	const retryAfter = res?.headers.get("retry-after");
+	if (retryAfter) {
+		const seconds = Number.parseFloat(retryAfter);
+		if (Number.isFinite(seconds) && seconds >= 0) return Math.min(seconds * 1e3, 5e3);
+		const when = Date.parse(retryAfter);
+		if (Number.isFinite(when)) return Math.min(Math.max(when - Date.now(), 0), 5e3);
+	}
+	return SAME_PROTOCOL_TRANSIENT_RETRY_DELAYS_MS[attempt] ?? SAME_PROTOCOL_TRANSIENT_RETRY_DELAYS_MS.at(-1);
+}
+function sameProtocolSleep(ms) {
+	return new Promise((resolve) => setTimeout(resolve, ms));
+}
+async function fetchSameProtocolWithTransientRetries(build, label) {
+	let lastErr;
+	for (let attempt = 0; attempt <= SAME_PROTOCOL_TRANSIENT_RETRY_DELAYS_MS.length; attempt++) try {
+		const res = await fetch(build());
+		if (!isTransientUpstreamStatus(res.status) || attempt === SAME_PROTOCOL_TRANSIENT_RETRY_DELAYS_MS.length) return res;
+		await res.text().catch(() => "");
+		const delay = sameProtocolRetryDelayMs(attempt, res);
+		logger.warn(`routing: transient HTTP ${res.status} from ${label} [same-protocol]; retrying in ${delay}ms (${attempt + 1}/${SAME_PROTOCOL_TRANSIENT_RETRY_DELAYS_MS.length})`);
+		await sameProtocolSleep(delay);
+	} catch (err) {
+		lastErr = err;
+		if (attempt === SAME_PROTOCOL_TRANSIENT_RETRY_DELAYS_MS.length) throw err;
+		const delay = sameProtocolRetryDelayMs(attempt);
+		logger.warn(`routing: transient upstream error from ${label} [same-protocol]: ${err.message}; retrying in ${delay}ms (${attempt + 1}/${SAME_PROTOCOL_TRANSIENT_RETRY_DELAYS_MS.length})`);
+		await sameProtocolSleep(delay);
+	}
+	throw lastErr instanceof Error ? lastErr : new Error("upstream call failed");
+}
 /** Buffer a single cross-protocol model swap: one upstream call, the response
 *  translated into the client's wire format, captured as one packet. When the
 *  route carries a vision capability and the request has images the model
@@ -43268,7 +44702,8 @@ async function runBuffered(ctx, resolved, req) {
 		model: resolved.model,
 		provider: resolved.provider,
 		api: resolved.api,
-		switchOn: []
+		switchOn: [],
+		...resolved.reasoningEffort ? { reasoningEffort: resolved.reasoningEffort } : {}
 	};
 	const execCtx = {
 		agent: ctx.agent,
@@ -43297,7 +44732,8 @@ async function runBuffered(ctx, resolved, req) {
 			model: visionCompanion.ref.model,
 			provider: visionCompanion.ref.provider,
 			api: visionCompanion.ref.api,
-			switchOn: []
+			switchOn: [],
+			...visionCompanion.ref.reasoningEffort ? { reasoningEffort: visionCompanion.ref.reasoningEffort } : {}
 		};
 		if (visionMemberToUse) {
 			const pre = await preDescribeImages(resolved.clientApi, req, visionMemberToUse, execCtx);
@@ -43396,14 +44832,15 @@ function visionCompanionShim(resolved) {
 		kind: "vision",
 		model: cap.ref.model,
 		provider: cap.ref.provider,
-		api: cap.ref.api
+		api: cap.ref.api,
+		...cap.ref.reasoningEffort ? { reasoningEffort: cap.ref.reasoningEffort } : {}
 	};
 }
 /** Render a single attempt as a client response, or an error JSON when it
 *  failed. A `stream:true` client gets a synthesized SSE body (the buffered
 *  path cannot true-stream — see synth-sse.ts). */
 function buildClientResponse(clientApi, winner, attempts, wantsStream) {
-	if (winner && winner.result.ok) {
+	if (winner?.result.ok) {
 		const { ir, json, status: status$1 } = winner.result;
 		if (wantsStream) return new Response(synthesizeSse(clientApi, ir), {
 			status: status$1,
@@ -43455,7 +44892,8 @@ async function runChain(ctx, resolved, req) {
 				model: visionToolModel.model,
 				provider: visionToolModel.provider,
 				api: visionToolModel.api,
-				switchOn: []
+				switchOn: [],
+				...visionToolModel.reasoningEffort ? { reasoningEffort: visionToolModel.reasoningEffort } : {}
 			};
 			const pre = await preDescribeImages(clientApi, req, visionMember, execCtx);
 			for (const a of pre.attempts) attempts.push({
@@ -43721,7 +45159,8 @@ async function runJudge(judge, clientApi, req, answers, execCtx) {
 		model: judge.model,
 		provider: judge.provider,
 		api: judge.api,
-		switchOn: []
+		switchOn: [],
+		...judge.reasoningEffort ? { reasoningEffort: judge.reasoningEffort } : {}
 	};
 	const userText = lastUserText(clientApi, req);
 	const judgeIR = {
@@ -43765,14 +45204,15 @@ async function runSynthesis(synth, clientApi, req, describedReq, answers, analys
 		model: synth.model,
 		provider: synth.provider,
 		api: synth.api,
-		switchOn: []
+		switchOn: [],
+		...synth.reasoningEffort ? { reasoningEffort: synth.reasoningEffort } : {}
 	};
 	const synthTextOnly = !(synth.model.input ?? []).includes("image");
 	const base = synthTextOnly && describedReq ? describedReq : req;
 	let body;
 	try {
 		const ir = parseRequestToIR(clientApi, base);
-		const deliberation = `${FUSION_SYNTH_GUIDANCE}\n\nPanel answers:\n${renderPanelAnswers(answers)}` + (analysis ? `\n\nJudge analysis:\n${analysis}` : "");
+		const deliberation = `${FUSION_SYNTH_GUIDANCE}\n\nPanel answers:\n${renderPanelAnswers(answers)}${analysis ? `\n\nJudge analysis:\n${analysis}` : ""}`;
 		const messages = mergeConsecutive([...ir.messages, {
 			role: "user",
 			content: [{
@@ -43845,7 +45285,8 @@ async function runFusion(ctx, resolved, req) {
 					model: resolved.vision.model,
 					provider: resolved.vision.provider,
 					api: resolved.vision.api,
-					switchOn: []
+					switchOn: [],
+					...resolved.vision.reasoningEffort ? { reasoningEffort: resolved.vision.reasoningEffort } : {}
 				};
 				const pre = await preDescribeImages(clientApi, req, visionMember, execCtx);
 				for (const a of pre.attempts) attempts.push(a);
@@ -43899,7 +45340,8 @@ async function runStreamingSwap(ctx, resolved, req) {
 		model: resolved.model,
 		provider: resolved.provider,
 		api: resolved.api,
-		switchOn: []
+		switchOn: [],
+		...resolved.reasoningEffort ? { reasoningEffort: resolved.reasoningEffort } : {}
 	};
 	beginRequest();
 	const attempt = await execStream(member, clientApi, req, {
@@ -43973,10 +45415,15 @@ async function runStreamingSwap(ctx, resolved, req) {
 }
 async function runSameProtocolSwap(ctx, resolved, reqBody) {
 	const { model, provider } = resolved;
-	const upstreamUrl = generationUrl(provider.baseUrl, resolved.api);
+	const upstreamUrl = generationUrl(provider.baseUrl, resolved.api, { generationPath: provider.generationPath });
 	let body = rewriteModel(reqBody, model.id);
 	if (!isAnthropicNative(provider)) body = stripAnthropicServerToolsFromBody(body);
 	body = clampOutputBudgetBytes(body, resolved.api, model);
+	if (resolved.api === "openai-responses") body = applyOpenAIResponsesReasoningBytes(body, effectiveReasoningEffort({
+		...resolved.reasoningEffort ? { reasoningEffort: resolved.reasoningEffort } : {},
+		model,
+		provider
+	}));
 	const masked = maskRequestBody(body, provider.id);
 	if (masked) body = masked.body;
 	const headers = filterRequestHeaders(ctx.reqHeaders, new URL(upstreamUrl).host);
@@ -43989,11 +45436,12 @@ async function runSameProtocolSwap(ctx, resolved, reqBody) {
 	beginRequest();
 	let upstreamRes;
 	try {
-		upstreamRes = await fetch(new Request(upstreamUrl, {
+		const label = `${provider.id}/${model.id}`;
+		upstreamRes = await fetchSameProtocolWithTransientRetries(() => new Request(upstreamUrl, {
 			method: "POST",
-			headers,
-			body
-		}));
+			headers: new Headers(headers),
+			body: body.slice(0)
+		}), label);
 	} catch (err) {
 		endRequest();
 		logger.error(`orchestrator: upstream fetch failed for ${ctx.routeKey} → ${model.id}: ${err.message}`);
@@ -44164,6 +45612,10 @@ function splitWireAgent(rawAgent) {
 		...instanceId ? { instanceId } : {}
 	};
 }
+function restPathForWireRequest(pathname, rawAgent) {
+	const prefix = `/wire/${rawAgent}`;
+	return pathname.slice(prefix.length) || "/";
+}
 async function handleWireRequest(c) {
 	const rawAgent = c.req.param("agent");
 	if (!rawAgent) return new Response(JSON.stringify({ error: "afw: malformed route" }), {
@@ -44174,8 +45626,7 @@ async function handleWireRequest(c) {
 	const req = c.req.raw;
 	{
 		const reqUrl$1 = new URL(c.req.url);
-		const prefix$1 = `/wire/${rawAgent}`;
-		const restPath$1 = reqUrl$1.pathname.slice(prefix$1.length) || "/";
+		const restPath$1 = restPathForWireRequest(reqUrl$1.pathname, rawAgent);
 		if (req.method === "GET" && isClaudeDesktopModelsRequest(agent, restPath$1)) {
 			const body = await synthesizeClaudeDesktopModels();
 			return new Response(JSON.stringify(body), {
@@ -44201,8 +45652,7 @@ async function handleWireRequest(c) {
 	const routeKey = route.sourceModelId ? `${agent}/${bodyModel}` : `${agent}/*`;
 	const policyKey = policyKeyFor(agent, bodyModel, instanceId);
 	const reqUrl = new URL(c.req.url);
-	const prefix = `/wire/${agent}`;
-	const restPath = reqUrl.pathname.slice(prefix.length) || "/";
+	const restPath = restPathForWireRequest(reqUrl.pathname, rawAgent);
 	const upstreamBase = route.upstream.replace(/\/$/, "");
 	const restWithSlash = restPath.startsWith("/") ? restPath : `/${restPath}`;
 	const upstreamUrl = new URL(upstreamBase + restWithSlash + reqUrl.search);
@@ -44631,6 +46081,35 @@ daemonCommand.command("restart").description("Restart the daemon — stop the ru
 	}
 });
 
+//#endregion
+//#region src/cli/commands/oauth.ts
+const PROVIDER_KEYS = Object.keys(OAUTH_PROVIDERS);
+const loginCmd = new Command("login").argument("[provider]", `provider to log in to (${PROVIDER_KEYS.join(", ")})`).description("Log in to a model provider via OAuth and store the token in afw.").action(async (provider) => {
+	try {
+		if (!process$1.stdin.isTTY) {
+			logger.print("oauth login needs an interactive terminal.");
+			process$1.exitCode = 1;
+			return;
+		}
+		const key = provider;
+		if (!key || !PROVIDER_KEYS.includes(key)) {
+			logger.print(`usage: afw oauth login <${PROVIDER_KEYS.join("|")}>`);
+			process$1.exitCode = 1;
+			return;
+		}
+		const def = await oauthLogin(key);
+		if (!def) {
+			process$1.exitCode = 1;
+			return;
+		}
+		logger.print(`\nDone. Register a route to it with \`afw model add\` (pick ${def.label}), or in the dashboard.`);
+	} catch (e) {
+		logger.print(`error: ${e.message}`);
+		process$1.exit(1);
+	}
+});
+const oauthCommand = new Command("oauth").description("Manage afw-owned OAuth subscription logins (Anthropic, OpenAI).").addCommand(loginCmd);
+
 //#endregion
 //#region src/cli/commands/tier.ts
 const SINGLE = "A single model";
@@ -44882,7 +46361,7 @@ const onboardCommand = new Command("onboard").description("Set up afw: register
 
 //#endregion
 //#region src/cli/commands/run.ts
-const runCommand = new Command("run").description("Launch one agent instance with its own wire identity — per-instance capture and routing, without touching the agent's shared config.\n  Examples:\n    afw run --as planner --model claude-opus-4-8 -- claude   # keep Opus\n    afw run --as worker --model claude-sonnet-4-6 -- claude  # downgrade\n    afw run --as audit --monitor -- claude                   # track, never reroute\n    afw run --as solo --raw -- claude                        # bypass afw").argument("<command...>", "the agent command to launch, e.g. `-- claude` (pass it after `--`)").option("--as <label>", "instance label — stable across relaunches; spend accrues to it").option("--model <id>", "route this instance to a single model").option("--monitor", "capture this instance but never reroute (passthrough)").option("--raw", "bypass afw entirely for this instance (no capture, no routing)").option("--agent <id>", "force the agent type instead of inferring it from the command").option("--ephemeral", "remove the instance routing policy when the process exits").action(async (command, opts) => {
+const runCommand = new Command("run").description("Launch one agent instance with its own wire identity — per-instance capture and routing, without touching the agent's shared config.\n  Examples:\n    afw run --as planner --model claude-opus-4-8 -- claude   # keep Opus\n    afw run --as worker --model claude-sonnet-4-6 -- claude  # downgrade\n    afw run --as audit --monitor -- claude                   # track, never reroute\n    afw run --as solo --raw -- claude                        # bypass afw").argument("<command...>", "the agent command to launch, e.g. `-- claude` (pass it after `--`)").option("--as <label>", "instance label — stable across relaunches; spend accrues to it").option("--model <id>", "route this instance to a single model").option("--monitor", "capture this instance but never reroute (passthrough)").option("--raw", "bypass afw entirely for this instance (no capture, no routing)").option("--agent <id>", "force the agent type instead of inferring it from the command").option("--ephemeral", "remove the instance routing policy when the process exits").allowUnknownOption().passThroughOptions().action(async (command, opts) => {
 	const fail$1 = (m) => {
 		logger.print(`error: ${m}`);
 		process$1.exit(1);
@@ -44900,7 +46379,7 @@ const runCommand = new Command("run").description("Launch one agent instance wit
 	try {
 		if (!opts.raw) {
 			await ensureDaemonRunning();
-			await ensureWireRoute(wiring.agent);
+			await ensureWireRoute(wiring.agent, { modelOverride: opts.model });
 		}
 		await launchInstance({
 			bin,
@@ -45214,6 +46693,7 @@ async function run() {
 	program$1.addCommand(runCommand);
 	program$1.addCommand(onboardCommand);
 	program$1.addCommand(modelCommand);
+	program$1.addCommand(oauthCommand);
 	program$1.addCommand(tierCommand);
 	program$1.addCommand(keyCommand);
 	program$1.addCommand(routeCommand);