@ouro.bot/cli 0.1.0-alpha.32 → 0.1.0-alpha.321

package/dist/heart/providers/anthropic-token.js

@@ -0,0 +1,163 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.needsRefresh = needsRefresh;
+exports.refreshAnthropicToken = refreshAnthropicToken;
+exports.persistTokenState = persistTokenState;
+exports.ensureFreshToken = ensureFreshToken;
+/* v8 ignore start -- OAuth token lifecycle: requires live API calls, tested via integration @preserve */
+const fs = __importStar(require("fs"));
+const runtime_1 = require("../../nerves/runtime");
+const identity_1 = require("../identity");
+const OAUTH_TOKEN_ENDPOINT = "https://console.anthropic.com/v1/oauth/token";
+const OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry
+/**
+ * Check if the Anthropic OAuth token needs refreshing.
+ * Returns true if no expiresAt is set (legacy token) or if within 5 min of expiry.
+ */
+function needsRefresh(expiresAt) {
+    if (!expiresAt)
+        return true; // legacy token with no expiry — always try refresh
+    return Date.now() > expiresAt - REFRESH_MARGIN_MS;
+}
+/**
+ * Refresh an Anthropic OAuth access token using the refresh token.
+ * Returns the new token state or null if refresh fails.
+ */
+async function refreshAnthropicToken(refreshToken, fetchImpl = fetch) {
+    try {
+        const response = await fetchImpl(OAUTH_TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                grant_type: "refresh_token",
+                refresh_token: refreshToken,
+                client_id: OAUTH_CLIENT_ID,
+            }),
+        });
+        if (!response.ok) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                component: "engine",
+                event: "engine.anthropic_token_refresh_failed",
+                message: `token refresh failed: ${response.status}`,
+                meta: { status: response.status },
+            });
+            return null;
+        }
+        const json = await response.json();
+        if (!json.access_token) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                component: "engine",
+                event: "engine.anthropic_token_refresh_failed",
+                message: "token refresh returned no access_token",
+                meta: {},
+            });
+            return null;
+        }
+        const state = {
+            accessToken: json.access_token,
+            refreshToken: json.refresh_token ?? refreshToken, // keep old if not returned
+            expiresAt: Date.now() + (json.expires_in ?? 28800) * 1000, // default 8h
+        };
+        (0, runtime_1.emitNervesEvent)({
+            component: "engine",
+            event: "engine.anthropic_token_refreshed",
+            message: "anthropic OAuth token refreshed",
+            meta: { expiresAt: new Date(state.expiresAt).toISOString() },
+        });
+        return state;
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "engine",
+            event: "engine.anthropic_token_refresh_error",
+            message: "token refresh threw",
+            meta: { error: error instanceof Error ? error.message : String(error) },
+        });
+        return null;
+    }
+}
+/**
+ * Persist refreshed token state back to secrets.json.
+ */
+function persistTokenState(agentName, state) {
+    try {
+        const secretsPath = (0, identity_1.getAgentSecretsPath)(agentName);
+        const raw = fs.readFileSync(secretsPath, "utf-8");
+        const secrets = JSON.parse(raw);
+        secrets.providers = secrets.providers ?? {};
+        secrets.providers.anthropic = secrets.providers.anthropic ?? {};
+        secrets.providers.anthropic.setupToken = state.accessToken;
+        secrets.providers.anthropic.refreshToken = state.refreshToken;
+        secrets.providers.anthropic.expiresAt = state.expiresAt;
+        fs.writeFileSync(secretsPath, JSON.stringify(secrets, null, 2) + "\n", "utf-8");
+        /* v8 ignore start -- defensive: persistence failure must not crash the provider @preserve */
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "engine",
+            event: "engine.anthropic_token_persist_error",
+            message: "failed to persist refreshed token",
+            meta: { error: error instanceof Error ? error.message : String(error) },
+        });
+    }
+    /* v8 ignore stop */
+}
+/**
+ * Ensure the Anthropic token is fresh. If expired, refresh and persist.
+ * Returns the current valid access token, or null if refresh failed and
+ * the existing token is expired.
+ */
+async function ensureFreshToken(currentToken, refreshToken, expiresAt, agentName, fetchImpl) {
+    if (!needsRefresh(expiresAt)) {
+        return currentToken; // still fresh
+    }
+    if (!refreshToken) {
+        // No refresh token — use the current token as-is (may be expired)
+        return currentToken;
+    }
+    const newState = await refreshAnthropicToken(refreshToken, fetchImpl);
+    if (!newState) {
+        return currentToken; // refresh failed — try the old token
+    }
+    persistTokenState(agentName, newState);
+    return newState.accessToken;
+}
+/* v8 ignore stop */

package/dist/heart/providers/anthropic.js

@@ -1,14 +1,51 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.toAnthropicMessages = toAnthropicMessages;
+exports.classifyAnthropicError = classifyAnthropicError;
 exports.createAnthropicProviderRuntime = createAnthropicProviderRuntime;
 const sdk_1 = __importDefault(require("@anthropic-ai/sdk"));
 const config_1 = require("../config");
 const identity_1 = require("../identity");
 const runtime_1 = require("../../nerves/runtime");
 const streaming_1 = require("../streaming");
+const model_capabilities_1 = require("../model-capabilities");
+const error_classification_1 = require("./error-classification");
 const ANTHROPIC_SETUP_TOKEN_PREFIX = "sk-ant-oat01-";
 const ANTHROPIC_SETUP_TOKEN_MIN_LENGTH = 80;
 const ANTHROPIC_OAUTH_BETA_HEADER = "claude-code-20250219,oauth-2025-04-20,fine-grained-tool-streaming-2025-05-14,interleaved-thinking-2025-05-14";
@@ -22,10 +59,10 @@ function getAnthropicSetupTokenInstructions() {
     const agentName = getAnthropicAgentNameForGuidance();
     return [
         "Fix:",
-        `  1. Run \`npm run auth:claude-setup-token -- --agent ${agentName}\``,
-        "     (or run `claude setup-token` and paste the token manually)",
+        `  1. Run \`ouro auth --agent ${agentName}\``,
         `  2. Open ${getAnthropicSecretsPathForGuidance()}`,
         "  3. Confirm providers.anthropic.setupToken is set",
+        "  4. After reauth, retry the failed ouro command or reconnect this session.",
     ].join("\n");
 }
 function getAnthropicReauthGuidance(reason) {
@@ -93,6 +130,18 @@ function toAnthropicMessages(messages) {
         if (msg.role === "assistant") {
             const assistant = msg;
             const blocks = [];
+            // Restore thinking blocks before text/tool_use blocks
+            const thinkingBlocks = assistant._thinking_blocks;
+            if (thinkingBlocks) {
+                for (const tb of thinkingBlocks) {
+                    if (tb.type === "thinking") {
+                        blocks.push({ type: "thinking", thinking: tb.thinking, signature: tb.signature });
+                    }
+                    else {
+                        blocks.push({ type: "redacted_thinking", data: tb.data });
+                    }
+                }
+            }
             const text = toAnthropicTextContent(assistant.content);
             if (text) {
                 blocks.push({ type: "text", text });
@@ -173,53 +222,64 @@ function mergeAnthropicToolArguments(current, partial) {
     }
     return current + partial;
 }
+function classifyAnthropicError(error) {
+    return (0, error_classification_1.classifyHttpError)(error, {
+        isAuthFailure: isAnthropicAuthFailure,
+        isServerError: (e) => e.status === 529,
+    });
+}
 function isAnthropicAuthFailure(error) {
-    if (!(error instanceof Error))
-        return false;
-    const status = error.status;
-    if (status === 401 || status === 403)
-        return true;
     const lower = error.message.toLowerCase();
     return (lower.includes("oauth authentication") ||
         lower.includes("authentication failed") ||
         lower.includes("unauthorized") ||
         lower.includes("invalid api key"));
 }
-function withAnthropicAuthGuidance(error) {
-    const base = error instanceof Error ? error.message : String(error);
-    if (isAnthropicAuthFailure(error)) {
-        return new Error(getAnthropicReauthGuidance(`Anthropic authentication failed (${base}).`));
-    }
-    return error instanceof Error ? error : new Error(String(error));
-}
 async function streamAnthropicMessages(client, model, request) {
     const { system, messages } = toAnthropicMessages(request.messages);
     const anthropicTools = toAnthropicTools(request.activeTools);
+    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);
+    const maxTokens = modelCaps.maxOutputTokens ?? 16384;
     const params = {
         model,
-        max_tokens: 4096,
+        max_tokens: maxTokens,
         messages,
         stream: true,
+        thinking: { type: "adaptive" },
+        output_config: { effort: request.reasoningEffort ?? "medium" },
     };
-    if (system)
-        params.system = system;
+    // The Anthropic API requires a Claude Code identification block in the system
+    // prompt when using OAuth setup tokens (sk-ant-oat01). Without it, Opus/Sonnet
+    // 4.6 requests are rejected with 400. This is the API's validation that the
+    // token is being used by a Claude Code client.
+    const claudeCodePreamble = { type: "text", text: "You are Claude Code, Anthropic's official CLI for Claude." };
+    if (system) {
+        params.system = [claudeCodePreamble, { type: "text", text: system }];
+    }
+    else {
+        params.system = [claudeCodePreamble];
+    }
     if (anthropicTools.length > 0)
         params.tools = anthropicTools;
     if (request.toolChoiceRequired && anthropicTools.length > 0) {
-        params.tool_choice = { type: "any" };
+        // Thinking (adaptive or enabled) only supports tool_choice "auto" or "none".
+        // "any" forces tool use which is incompatible with extended thinking.
+        params.tool_choice = params.thinking ? { type: "auto" } : /* v8 ignore next -- no-thinking path: thinking always set for 4.6 models @preserve */ { type: "any" };
     }
     let response;
     try {
         response = await client.messages.create(params, request.signal ? { signal: request.signal } : {});
     }
     catch (error) {
-        throw withAnthropicAuthGuidance(error);
+        throw error instanceof Error ? error : new Error(String(error));
     }
     let content = "";
     let streamStarted = false;
     let usage;
     const toolCalls = new Map();
-    const answerStreamer = new streaming_1.FinalAnswerStreamer(request.callbacks);
+    const thinkingBlocks = new Map();
+    const redactedBlocks = new Map();
+    const answerStreamer = new streaming_1.SettleStreamer(request.callbacks, request.eagerSettleStreaming);
     try {
         for await (const event of response) {
             if (request.signal?.aborted)
@@ -227,8 +287,14 @@ async function streamAnthropicMessages(client, model, request) {
             const eventType = String(event.type ?? "");
             if (eventType === "content_block_start") {
                 const block = event.content_block;
-                if (block?.type === "tool_use") {
-                    const index = Number(event.index);
+                const index = Number(event.index);
+                if (block?.type === "thinking") {
+                    thinkingBlocks.set(index, { type: "thinking", thinking: "", signature: "" });
+                }
+                else if (block?.type === "redacted_thinking") {
+                    redactedBlocks.set(index, { type: "redacted_thinking", data: String(block.data ?? "") });
+                }
+                else if (block?.type === "tool_use") {
                     const rawInput = block.input;
                     const input = rawInput && typeof rawInput === "object"
                         ? JSON.stringify(rawInput)
@@ -239,9 +305,9 @@ async function streamAnthropicMessages(client, model, request) {
                         name,
                         arguments: input,
                     });
-                    // Activate eager streaming for sole final_answer tool call
-                    /* v8 ignore next -- final_answer streaming activation, tested via FinalAnswerStreamer unit tests @preserve */
-                    if (name === "final_answer" && toolCalls.size === 1) {
+                    // Activate eager streaming for sole settle tool call
+                    /* v8 ignore next -- settle streaming activation, tested via SettleStreamer unit tests @preserve */
+                    if (name === "settle" && toolCalls.size === 1) {
                         answerStreamer.activate();
                     }
                 }
@@ -265,7 +331,19 @@ async function streamAnthropicMessages(client, model, request) {
                         request.callbacks.onModelStreamStart();
                         streamStarted = true;
                     }
-                    request.callbacks.onReasoningChunk(String(delta?.thinking ?? ""));
+                    const thinkingText = String(delta?.thinking ?? "");
+                    request.callbacks.onReasoningChunk(thinkingText);
+                    const thinkingIndex = Number(event.index);
+                    const thinkingBlock = thinkingBlocks.get(thinkingIndex);
+                    if (thinkingBlock)
+                        thinkingBlock.thinking += thinkingText;
+                    continue;
+                }
+                if (deltaType === "signature_delta") {
+                    const sigIndex = Number(event.index);
+                    const sigBlock = thinkingBlocks.get(sigIndex);
+                    if (sigBlock)
+                        sigBlock.signature += String(delta?.signature ?? "");
                     continue;
                 }
                 if (deltaType === "input_json_delta") {
@@ -274,8 +352,8 @@ async function streamAnthropicMessages(client, model, request) {
                     if (existing) {
                         const partialJson = String(delta?.partial_json ?? "");
                         existing.arguments = mergeAnthropicToolArguments(existing.arguments, partialJson);
-                        /* v8 ignore next -- final_answer delta streaming, tested via FinalAnswerStreamer unit tests @preserve */
-                        if (existing.name === "final_answer" && toolCalls.size === 1) {
+                        /* v8 ignore next -- settle delta streaming, tested via SettleStreamer unit tests @preserve */
+                        if (existing.name === "settle" && toolCalls.size === 1) {
                             answerStreamer.processDelta(partialJson);
                         }
                     }
@@ -299,17 +377,25 @@ async function streamAnthropicMessages(client, model, request) {
         }
     }
     catch (error) {
-        throw withAnthropicAuthGuidance(error);
+        throw error instanceof Error ? error : /* v8 ignore next -- defensive: stream errors are always Error @preserve */ new Error(String(error));
     }
+    // Collect all thinking blocks (regular + redacted) sorted by index to preserve ordering
+    const allThinkingIndices = [...thinkingBlocks.keys(), ...redactedBlocks.keys()].sort((a, b) => a - b);
+    const outputItems = allThinkingIndices.map((idx) => {
+        const tb = thinkingBlocks.get(idx);
+        if (tb)
+            return tb;
+        return redactedBlocks.get(idx);
+    });
     return {
         content,
         toolCalls: [...toolCalls.values()],
-        outputItems: [],
+        outputItems,
         usage,
-        finalAnswerStreamed: answerStreamer.streamed,
+        settleStreamed: answerStreamer.streamed,
     };
 }
-function createAnthropicProviderRuntime() {
+function createAnthropicProviderRuntime(model) {
     (0, runtime_1.emitNervesEvent)({
         component: "engine",
         event: "engine.provider_init",
@@ -317,30 +403,67 @@ function createAnthropicProviderRuntime() {
         meta: { provider: "anthropic" },
     });
     const anthropicConfig = (0, config_1.getAnthropicConfig)();
-    if (!(anthropicConfig.model && anthropicConfig.setupToken)) {
-        throw new Error(getAnthropicReauthGuidance("provider 'anthropic' is selected in agent.json but providers.anthropic.model/setupToken is incomplete in secrets.json."));
+    if (!anthropicConfig.setupToken) {
+        throw new Error(getAnthropicReauthGuidance("provider 'anthropic' is selected in agent.json but providers.anthropic.setupToken is missing in secrets.json."));
     }
+    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);
+    const capabilities = new Set();
+    if (modelCaps.reasoningEffort)
+        capabilities.add("reasoning-effort");
     const credential = resolveAnthropicSetupTokenCredential();
-    const client = new sdk_1.default({
-        authToken: credential.token,
-        timeout: 30000,
-        maxRetries: 0,
-        defaultHeaders: {
-            "anthropic-beta": ANTHROPIC_OAUTH_BETA_HEADER,
-        },
-    });
+    const refreshToken = anthropicConfig.refreshToken;
+    const expiresAt = anthropicConfig.expiresAt;
+    function createClient(token) {
+        return new sdk_1.default({
+            authToken: token,
+            maxRetries: 0,
+            defaultHeaders: {
+                "anthropic-beta": ANTHROPIC_OAUTH_BETA_HEADER,
+                "anthropic-dangerous-direct-browser-access": "true",
+                "user-agent": "claude-cli/2.1.2 (external, cli)",
+                "x-app": "cli",
+            },
+        });
+    }
+    let currentToken = credential.token;
+    let client = createClient(currentToken);
+    /* v8 ignore start -- token refresh: dynamic import + ensureFreshToken, tested via integration @preserve */
+    async function ensureClient() {
+        try {
+            const { ensureFreshToken } = await Promise.resolve().then(() => __importStar(require("./anthropic-token")));
+            const { getAgentName } = await Promise.resolve().then(() => __importStar(require("../identity")));
+            const freshToken = await ensureFreshToken(currentToken, refreshToken, expiresAt, getAgentName());
+            if (freshToken !== currentToken) {
+                currentToken = freshToken;
+                client = createClient(freshToken);
+            }
+        }
+        catch {
+            // refresh failed — use existing client
+        }
+        return client;
+    }
+    /* v8 ignore stop */
     return {
         id: "anthropic",
-        model: anthropicConfig.model,
-        client,
+        model,
+        /* v8 ignore next -- getter: returns mutable client ref @preserve */
+        get client() { return client; },
+        capabilities,
+        supportedReasoningEfforts: modelCaps.reasoningEffort,
         resetTurnState(_messages) {
             // Anthropic request payload is derived from canonical messages each turn.
         },
         appendToolOutput(_callId, _output) {
             // Anthropic uses canonical messages for tool_result tracking.
         },
-        streamTurn(request) {
-            return streamAnthropicMessages(client, anthropicConfig.model, request);
+        async streamTurn(request) {
+            const freshClient = await ensureClient();
+            return streamAnthropicMessages(freshClient, model, request);
+        },
+        /* v8 ignore next 3 -- delegation: classification logic tested via classifyAnthropicError @preserve */
+        classifyError(error) {
+            return classifyAnthropicError(error);
         },
     };
 }

package/dist/heart/providers/azure.js

@@ -1,35 +1,118 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.classifyAzureError = classifyAzureError;
+exports.createAzureTokenProvider = createAzureTokenProvider;
 exports.createAzureProviderRuntime = createAzureProviderRuntime;
 const openai_1 = require("openai");
 const config_1 = require("../config");
 const runtime_1 = require("../../nerves/runtime");
 const streaming_1 = require("../streaming");
-function createAzureProviderRuntime() {
+const model_capabilities_1 = require("../model-capabilities");
+const error_classification_1 = require("./error-classification");
+const COGNITIVE_SERVICES_SCOPE = "https://cognitiveservices.azure.com/.default";
+function classifyAzureError(error) {
+    return (0, error_classification_1.classifyHttpError)(error);
+}
+// @azure/identity is imported dynamically (below) rather than at the top level
+// because it's a heavy package (~30+ transitive deps) and we only need it when
+// using the managed-identity auth path. API-key users and other providers
+// shouldn't pay the cold-start cost.
+function createAzureTokenProvider(managedIdentityClientId) {
+    let credential = null;
+    return async () => {
+        try {
+            if (!credential) {
+                const { DefaultAzureCredential } = await Promise.resolve().then(() => __importStar(require("@azure/identity")));
+                const credentialOptions = managedIdentityClientId
+                    ? { managedIdentityClientId }
+                    : undefined;
+                credential = new DefaultAzureCredential(credentialOptions);
+            }
+            const tokenResponse = await credential.getToken(COGNITIVE_SERVICES_SCOPE);
+            return tokenResponse.token;
+        }
+        catch (err) {
+            const detail = err instanceof Error ? err.message : String(err);
+            throw new Error(`Azure OpenAI authentication failed: ${detail}\n` +
+                "To fix this, either:\n" +
+                "  1. Set providers.azure.apiKey in secrets.json, or\n" +
+                "  2. Run 'az login' to authenticate with your Azure account (for local dev), or\n" +
+                "  3. Attach a managed identity to your App Service and set providers.azure.managedIdentityClientId in secrets.json (for deployed environments)");
+        }
+    };
+}
+function createAzureProviderRuntime(model) {
+    const azureConfig = (0, config_1.getAzureConfig)();
+    const useApiKey = !!azureConfig.apiKey;
+    const authMethod = useApiKey ? "key" : "managed-identity";
     (0, runtime_1.emitNervesEvent)({
         component: "engine",
         event: "engine.provider_init",
         message: "azure provider init",
-        meta: { provider: "azure" },
+        meta: { provider: "azure", authMethod },
     });
-    const azureConfig = (0, config_1.getAzureConfig)();
-    if (!(azureConfig.apiKey && azureConfig.endpoint && azureConfig.deployment && azureConfig.modelName)) {
+    if (!(azureConfig.endpoint && azureConfig.deployment)) {
         throw new Error("provider 'azure' is selected in agent.json but providers.azure is incomplete in secrets.json.");
     }
-    const client = new openai_1.AzureOpenAI({
-        apiKey: azureConfig.apiKey,
+    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);
+    const capabilities = new Set();
+    if (modelCaps.reasoningEffort)
+        capabilities.add("reasoning-effort");
+    const clientOptions = {
         endpoint: azureConfig.endpoint.replace(/\/openai.*$/, ""),
         deployment: azureConfig.deployment,
         apiVersion: azureConfig.apiVersion,
-        timeout: 30000,
         maxRetries: 0,
-    });
+    };
+    if (useApiKey) {
+        clientOptions.apiKey = azureConfig.apiKey;
+    }
+    else {
+        const managedIdentityClientId = azureConfig.managedIdentityClientId || undefined;
+        clientOptions.azureADTokenProvider = createAzureTokenProvider(managedIdentityClientId);
+    }
+    const client = new openai_1.AzureOpenAI(clientOptions);
     let nativeInput = null;
     let nativeInstructions = "";
     return {
         id: "azure",
-        model: azureConfig.modelName,
+        model,
         client,
+        capabilities,
+        supportedReasoningEfforts: modelCaps.reasoningEffort,
         resetTurnState(messages) {
             const { instructions, input } = (0, streaming_1.toResponsesInput)(messages);
             nativeInput = input;
@@ -48,7 +131,7 @@ function createAzureProviderRuntime() {
                 input: nativeInput,
                 instructions: nativeInstructions,
                 tools: (0, streaming_1.toResponsesTools)(request.activeTools),
-                reasoning: { effort: "medium", summary: "detailed" },
+                reasoning: { effort: request.reasoningEffort ?? "medium", summary: "detailed" },
                 stream: true,
                 store: false,
                 include: ["reasoning.encrypted_content"],
@@ -57,10 +140,14 @@ function createAzureProviderRuntime() {
                 params.metadata = { trace_id: request.traceId };
             if (request.toolChoiceRequired)
                 params.tool_choice = "required";
-            const result = await (0, streaming_1.streamResponsesApi)(this.client, params, request.callbacks, request.signal);
+            const result = await (0, streaming_1.streamResponsesApi)(this.client, params, request.callbacks, request.signal, request.eagerSettleStreaming);
             for (const item of result.outputItems)
                 nativeInput.push(item);
             return result;
         },
+        /* v8 ignore next 3 -- delegation: classification logic tested via classifyAzureError @preserve */
+        classifyError(error) {
+            return classifyAzureError(error);
+        },
     };
 }