@phren/agent 0.0.1 → 0.1.0

package/dist/multi/provider-manager.js

@@ -0,0 +1,151 @@
+/**
+ * Provider management: auth, model registry, live switching.
+ *
+ * /provider        — show configured providers + auth status
+ * /provider add    — interactive provider setup (enter key, auth login, etc.)
+ * /provider switch — change active provider mid-session
+ * /model add <id>  — add a custom model to the catalog
+ */
+import * as fs from "fs";
+import * as path from "path";
+import * as os from "os";
+import { hasCodexToken } from "../providers/codex-auth.js";
+const CONFIG_DIR = path.join(os.homedir(), ".phren-agent");
+const PROVIDERS_FILE = path.join(CONFIG_DIR, "providers.json");
+export function getProviderStatuses() {
+    return [
+        {
+            name: "openrouter",
+            configured: !!process.env.OPENROUTER_API_KEY,
+            authMethod: "api-key",
+            keyEnvVar: "OPENROUTER_API_KEY",
+            models: ["anthropic/claude-sonnet-4", "anthropic/claude-opus-4", "openai/gpt-4o", "openai/o4-mini", "google/gemini-2.5-pro", "deepseek/deepseek-r1"],
+        },
+        {
+            name: "anthropic",
+            configured: !!process.env.ANTHROPIC_API_KEY,
+            authMethod: "api-key",
+            keyEnvVar: "ANTHROPIC_API_KEY",
+            models: ["claude-sonnet-4-20250514", "claude-opus-4-20250514", "claude-haiku-4-5-20251001"],
+        },
+        {
+            name: "openai",
+            configured: !!process.env.OPENAI_API_KEY,
+            authMethod: "api-key",
+            keyEnvVar: "OPENAI_API_KEY",
+            models: ["gpt-4o", "o4-mini", "o3"],
+        },
+        {
+            name: "codex",
+            configured: hasCodexToken(),
+            authMethod: "oauth",
+            models: ["gpt-4o", "o4-mini", "o3"],
+        },
+        {
+            name: "ollama",
+            configured: (process.env.PHREN_OLLAMA_URL ?? "").toLowerCase() !== "off",
+            authMethod: "local",
+            models: ["qwen2.5-coder:14b", "llama3.2", "deepseek-r1:14b"],
+        },
+    ];
+}
+function loadConfig() {
+    try {
+        return JSON.parse(fs.readFileSync(PROVIDERS_FILE, "utf-8"));
+    }
+    catch {
+        return { customModels: [] };
+    }
+}
+function saveConfig(config) {
+    fs.mkdirSync(CONFIG_DIR, { recursive: true });
+    const tmp = `${PROVIDERS_FILE}.${process.pid}.tmp`;
+    fs.writeFileSync(tmp, JSON.stringify(config, null, 2) + "\n");
+    fs.renameSync(tmp, PROVIDERS_FILE);
+}
+export function addCustomModel(id, provider, opts) {
+    const config = loadConfig();
+    // Remove existing with same id
+    config.customModels = config.customModels.filter((m) => m.id !== id);
+    const entry = {
+        id,
+        provider,
+        label: opts?.label ?? id,
+        contextWindow: opts?.contextWindow ?? 128_000,
+        reasoning: opts?.reasoning ?? null,
+        reasoningRange: opts?.reasoningRange ?? [],
+        addedAt: new Date().toISOString(),
+    };
+    config.customModels.push(entry);
+    saveConfig(config);
+    return entry;
+}
+export function removeCustomModel(id) {
+    const config = loadConfig();
+    const before = config.customModels.length;
+    config.customModels = config.customModels.filter((m) => m.id !== id);
+    if (config.customModels.length === before)
+        return false;
+    saveConfig(config);
+    return true;
+}
+export function getCustomModels() {
+    return loadConfig().customModels;
+}
+/** Get all models for a provider (built-in + custom). */
+export async function getAllModelsForProvider(provider, currentModel) {
+    // Import dynamically to avoid circular dep
+    const { getAvailableModels } = await import("./model-picker.js");
+    const builtIn = getAvailableModels(provider, currentModel);
+    // Add custom models for this provider
+    const custom = getCustomModels().filter((m) => m.provider === provider);
+    for (const c of custom) {
+        if (!builtIn.some((b) => b.id === c.id)) {
+            builtIn.push({
+                id: c.id,
+                provider: provider,
+                label: c.label + " ★",
+                reasoning: c.reasoning,
+                reasoningRange: c.reasoningRange,
+                contextWindow: c.contextWindow,
+            });
+        }
+    }
+    return builtIn;
+}
+// ── Format helpers for CLI display ──────────────────────────────────────────
+const DIM = "\x1b[2m";
+const BOLD = "\x1b[1m";
+const GREEN = "\x1b[32m";
+const RED = "\x1b[31m";
+const CYAN = "\x1b[36m";
+const YELLOW = "\x1b[33m";
+const RESET = "\x1b[0m";
+export function formatProviderList() {
+    const statuses = getProviderStatuses();
+    const lines = [`\n  ${BOLD}Providers${RESET}\n`];
+    for (const p of statuses) {
+        const icon = p.configured ? `${GREEN}●${RESET}` : `${RED}○${RESET}`;
+        const auth = p.configured ? `${GREEN}configured${RESET}` : p.authMethod === "oauth"
+            ? `${DIM}run: phren agent auth login${RESET}`
+            : p.keyEnvVar
+                ? `${DIM}set ${p.keyEnvVar}${RESET}`
+                : `${DIM}local${RESET}`;
+        const modelCount = `${DIM}${p.models.length} models${RESET}`;
+        lines.push(`  ${icon} ${BOLD}${p.name}${RESET}  ${auth}  ${modelCount}`);
+    }
+    const custom = getCustomModels();
+    if (custom.length > 0) {
+        lines.push(`\n  ${DIM}Custom models: ${custom.map((m) => m.id).join(", ")}${RESET}`);
+    }
+    lines.push(`\n  ${DIM}/provider add${RESET} to configure  ${DIM}/model add <id>${RESET} to add model\n`);
+    return lines.join("\n");
+}
+export function formatModelAddHelp() {
+    return `${DIM}Usage: /model add <model-id> [provider=X] [context=128000] [reasoning=low|medium|high|max]
+
+Examples:
+  /model add meta-llama/llama-3.1-405b provider=openrouter context=128000
+  /model add claude-3-haiku-20240307 provider=anthropic
+  /model add codestral:latest provider=ollama reasoning=medium${RESET}`;
+}

package/dist/multi/syntax-highlight.js

@@ -0,0 +1,188 @@
+/**
+ * Regex-based syntax highlighter for terminal code blocks.
+ * Zero external dependencies — uses raw ANSI escape codes.
+ * Line-by-line, single-pass processing.
+ */
+const ESC = "\x1b[";
+const RESET = `${ESC}0m`;
+const BOLD = `${ESC}1m`;
+const DIM = `${ESC}2m`;
+const MAGENTA = `${ESC}35m`;
+const GREEN = `${ESC}32m`;
+const YELLOW = `${ESC}33m`;
+const CYAN = `${ESC}36m`;
+const GRAY = `${ESC}90m`;
+// ── Language detection ──────────────────────────────────────────────
+const EXT_MAP = {
+    ts: "typescript", tsx: "typescript", mts: "typescript", cts: "typescript",
+    js: "javascript", jsx: "javascript", mjs: "javascript", cjs: "javascript",
+    py: "python", pyw: "python",
+    sh: "bash", bash: "bash", zsh: "bash", fish: "bash",
+    json: "json", jsonc: "json", json5: "json",
+    css: "css", scss: "scss", sass: "scss", less: "css",
+    // pass-through aliases
+    typescript: "typescript", javascript: "javascript",
+    python: "python", shell: "bash",
+};
+export function detectLanguage(filename) {
+    const lower = filename.toLowerCase().replace(/^\./, "");
+    return EXT_MAP[lower] ?? "generic";
+}
+// Helper: replace matches while preserving non-matched segments
+function colorize(line, rules) {
+    // We process rules sequentially; each rule operates on uncolored segments only.
+    // Segments already colored are wrapped in \x1b and end with RESET.
+    let result = line;
+    for (const [re, color] of rules) {
+        result = result.replace(re, (match) => `${color}${match}${RESET}`);
+    }
+    return result;
+}
+// ── TypeScript / JavaScript ─────────────────────────────────────────
+const TS_KEYWORDS = /\b(const|let|var|function|return|if|else|for|while|do|switch|case|break|continue|new|typeof|instanceof|void|delete|throw|try|catch|finally|import|export|from|default|class|extends|implements|async|await|yield|type|interface|enum|namespace|declare|readonly|abstract|static|get|set|of|in|as|is)\b/g;
+const tsHighlight = (line) => {
+    // Single-line comment
+    const commentIdx = line.indexOf("//");
+    if (commentIdx !== -1 && !isInsideString(line, commentIdx)) {
+        const code = line.slice(0, commentIdx);
+        const comment = line.slice(commentIdx);
+        return highlightTSCode(code) + `${GRAY}${comment}${RESET}`;
+    }
+    // Block comment (whole line)
+    if (line.trimStart().startsWith("/*") || line.trimStart().startsWith("*")) {
+        return `${GRAY}${line}${RESET}`;
+    }
+    return highlightTSCode(line);
+};
+function highlightTSCode(line) {
+    return colorize(line, [
+        [/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|`(?:[^`\\]|\\.)*`/g, GREEN], // strings
+        [/\b\d+(\.\d+)?\b/g, YELLOW], // numbers
+        [TS_KEYWORDS, MAGENTA], // keywords
+        [/(?<=[:]\s*)\b[A-Z]\w*/g, CYAN], // types after :
+        [/(?<=\bas\s+)\b[A-Z]\w*/g, CYAN], // types after as
+    ]);
+}
+// ── Python ──────────────────────────────────────────────────────────
+const PY_KEYWORDS = /\b(def|class|if|elif|else|for|while|return|import|from|with|as|try|except|finally|raise|pass|break|continue|yield|lambda|and|or|not|in|is|None|True|False|global|nonlocal|assert|del|async|await)\b/g;
+const pyHighlight = (line) => {
+    // Comment
+    const hashIdx = line.indexOf("#");
+    if (hashIdx !== -1 && !isInsideString(line, hashIdx)) {
+        const code = line.slice(0, hashIdx);
+        const comment = line.slice(hashIdx);
+        return highlightPYCode(code) + `${GRAY}${comment}${RESET}`;
+    }
+    // Decorator
+    if (line.trimStart().startsWith("@")) {
+        return `${YELLOW}${line}${RESET}`;
+    }
+    return highlightPYCode(line);
+};
+function highlightPYCode(line) {
+    return colorize(line, [
+        [/""".*?"""|'''.*?'''|"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g, GREEN], // strings
+        [/\b\d+(\.\d+)?\b/g, YELLOW], // numbers
+        [PY_KEYWORDS, MAGENTA], // keywords
+    ]);
+}
+// ── Bash / Shell ────────────────────────────────────────────────────
+const BASH_KEYWORDS = /\b(if|then|else|elif|fi|for|do|done|while|until|case|esac|in|function|select|time|coproc|local|export|declare|unset|readonly|return|exit|source|eval)\b/g;
+const bashHighlight = (line) => {
+    // Comment
+    const hashIdx = line.indexOf("#");
+    if (hashIdx === 0 || (hashIdx > 0 && line[hashIdx - 1] === " " && !isInsideString(line, hashIdx))) {
+        const code = line.slice(0, hashIdx);
+        const comment = line.slice(hashIdx);
+        return highlightBashCode(code) + `${GRAY}${comment}${RESET}`;
+    }
+    return highlightBashCode(line);
+};
+function highlightBashCode(line) {
+    return colorize(line, [
+        [/"(?:[^"\\]|\\.)*"|'[^']*'/g, GREEN], // strings
+        [/\$\{?\w+\}?/g, CYAN], // variables
+        [/\b\d+\b/g, YELLOW], // numbers
+        [BASH_KEYWORDS, MAGENTA], // keywords
+        [/(?<=\|\s*)\w+/g, BOLD], // commands after pipe
+    ]);
+}
+// ── JSON ────────────────────────────────────────────────────────────
+const jsonHighlight = (line) => {
+    return colorize(line, [
+        [/"[^"]*"\s*(?=:)/g, CYAN], // keys
+        [/:\s*"[^"]*"/g, GREEN], // string values
+        [/\b\d+(\.\d+)?([eE][+-]?\d+)?\b/g, YELLOW], // numbers
+        [/\b(true|false|null)\b/g, MAGENTA], // literals
+    ]);
+};
+// ── CSS / SCSS ──────────────────────────────────────────────────────
+const cssHighlight = (line) => {
+    const trimmed = line.trimStart();
+    // Comment
+    if (trimmed.startsWith("/*") || trimmed.startsWith("*") || trimmed.startsWith("//")) {
+        return `${GRAY}${line}${RESET}`;
+    }
+    // Selector line (no colon, or starts with . # & @ or tag)
+    if (/^[.#&@a-zA-Z]/.test(trimmed) && !trimmed.includes(":")) {
+        return `${CYAN}${line}${RESET}`;
+    }
+    // Property: value
+    const propMatch = line.match(/^(\s*)([\w-]+)(\s*:\s*)(.+)/);
+    if (propMatch) {
+        return `${propMatch[1]}${MAGENTA}${propMatch[2]}${RESET}${propMatch[3]}${GREEN}${propMatch[4]}${RESET}`;
+    }
+    return line;
+};
+// ── Generic fallback ────────────────────────────────────────────────
+const genericHighlight = (line) => {
+    return colorize(line, [
+        [/"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'/g, GREEN], // strings
+        [/\/\/.*$|#.*$/g, GRAY], // comments
+        [/\b\d+(\.\d+)?\b/g, YELLOW], // numbers
+    ]);
+};
+// ── Dispatcher ──────────────────────────────────────────────────────
+const HIGHLIGHTERS = {
+    typescript: tsHighlight,
+    javascript: tsHighlight,
+    python: pyHighlight,
+    bash: bashHighlight,
+    json: jsonHighlight,
+    css: cssHighlight,
+    scss: cssHighlight,
+    generic: genericHighlight,
+};
+/**
+ * Highlight a code string for terminal output.
+ * Returns the input with ANSI color codes applied.
+ */
+export function highlightCode(code, language) {
+    const lang = EXT_MAP[language.toLowerCase()] ?? language.toLowerCase();
+    const hl = HIGHLIGHTERS[lang] ?? genericHighlight;
+    return code
+        .split("\n")
+        .map((line) => hl(line))
+        .join("\n");
+}
+// ── Utilities ───────────────────────────────────────────────────────
+/** Rough check: is position idx inside a string literal? */
+function isInsideString(line, idx) {
+    let inSingle = false;
+    let inDouble = false;
+    let inTemplate = false;
+    for (let i = 0; i < idx; i++) {
+        const ch = line[i];
+        if (ch === "\\" && (inSingle || inDouble || inTemplate)) {
+            i++; // skip escaped char
+            continue;
+        }
+        if (ch === "'" && !inDouble && !inTemplate)
+            inSingle = !inSingle;
+        else if (ch === '"' && !inSingle && !inTemplate)
+            inDouble = !inDouble;
+        else if (ch === "`" && !inSingle && !inDouble)
+            inTemplate = !inTemplate;
+    }
+    return inSingle || inDouble || inTemplate;
+}

package/dist/multi/tui-multi.js

@@ -83,15 +83,6 @@ function statusColor(status) {
         case "cancelled": return s.gray;
     }
 }
-function statusBg(status, selected) {
-    if (selected)
-        return s.invert;
-    switch (status) {
-        case "running": return s.bgGreen;
-        case "error": return s.bgRed;
-        default: return s.bgGray;
-    }
-}
 // ── Tool call formatting ─────────────────────────────────────────────────────
 function formatToolStart(toolName, input) {
     const preview = JSON.stringify(input).slice(0, 60);

package/dist/permissions/allowlist.js

@@ -44,7 +44,10 @@ export function isAllowed(toolName, input) {
 export function addAllow(toolName, input, scope) {
     if (scope === "once")
         return; // "once" approvals don't persist
-    const pattern = scope === "tool" ? "*" : extractPattern(toolName, input);
+    // For shell commands, never allow "*" — always scope to the binary name
+    const pattern = scope === "tool" && toolName !== "shell"
+        ? "*"
+        : extractPattern(toolName, input);
     // Avoid duplicates
     const exists = sessionAllowlist.some((e) => e.toolName === toolName && e.pattern === pattern);
     if (!exists) {

package/dist/permissions/prompt.js

@@ -9,6 +9,9 @@
  */
 import * as readline from "node:readline";
 import { addAllow } from "./allowlist.js";
+// ── Prompt serialization lock ───────────────────────────────────────────
+// Prevents concurrent askUser() calls from interleaving their prompts.
+let promptQueue = Promise.resolve();
 // ── ANSI colors ─────────────────────────────────────────────────────────
 const RESET = "\x1b[0m";
 const BOLD = "\x1b[1m";
@@ -94,31 +97,42 @@ function summarizeCall(toolName, input) {
  * Side effect: "a" and "s" responses add to the session allowlist.
  */
 export async function askUser(toolName, input, reason) {
-    const risk = classifyRisk(toolName);
-    const color = riskColor(risk);
-    const label = riskLabel(risk);
-    const summary = summarizeCall(toolName, input);
-    // Header
-    process.stderr.write(`\n${color}${BOLD}[${label}]${RESET} ${BOLD}${toolName}${RESET}\n`);
-    process.stderr.write(`${DIM}  ${reason}${RESET}\n`);
-    process.stderr.write(`${CYAN}  ${summary}${RESET}\n`);
-    // Show full input for shell commands or when details matter
-    if (toolName === "shell") {
-        const cmd = input.command || "";
-        if (cmd.length > 120) {
-            process.stderr.write(`${DIM}  Full command:${RESET}\n`);
-            process.stderr.write(`${DIM}  ${cmd}${RESET}\n`);
+    // Serialize: wait for any prior prompt to finish before showing ours
+    let resolve;
+    const gate = new Promise((r) => { resolve = r; });
+    const previous = promptQueue;
+    promptQueue = gate;
+    await previous;
+    try {
+        const risk = classifyRisk(toolName);
+        const color = riskColor(risk);
+        const label = riskLabel(risk);
+        const summary = summarizeCall(toolName, input);
+        // Header
+        process.stderr.write(`\n${color}${BOLD}[${label}]${RESET} ${BOLD}${toolName}${RESET}\n`);
+        process.stderr.write(`${DIM}  ${reason}${RESET}\n`);
+        process.stderr.write(`${CYAN}  ${summary}${RESET}\n`);
+        // Show full input for shell commands or when details matter
+        if (toolName === "shell") {
+            const cmd = input.command || "";
+            if (cmd.length > 120) {
+                process.stderr.write(`${DIM}  Full command:${RESET}\n`);
+                process.stderr.write(`${DIM}  ${cmd}${RESET}\n`);
+            }
         }
+        const result = await promptKey();
+        // Persist allowlist entries for session/tool scopes
+        if (result === "allow-session") {
+            addAllow(toolName, input, "session");
+        }
+        else if (result === "allow-tool") {
+            addAllow(toolName, input, "tool");
+        }
+        return result !== "deny";
     }
-    const result = await promptKey();
-    // Persist allowlist entries for session/tool scopes
-    if (result === "allow-session") {
-        addAllow(toolName, input, "session");
-    }
-    else if (result === "allow-tool") {
-        addAllow(toolName, input, "tool");
+    finally {
+        resolve();
     }
-    return result !== "deny";
 }
 /**
  * Read a single keypress from stdin.

package/dist/permissions/shell-safety.js

@@ -34,6 +34,8 @@ const KEY_PATTERNS = [
     "DATABASE_URL",
     "KUBECONFIG",
     "DOCKER_AUTH_CONFIG",
+    "PGPASSWORD",
+    "MYSQL_PWD",
 ];
 /** Suffix patterns that also match connection strings and auth configs. */
 const SECRET_SUFFIX_PATTERNS = ["_URI", "_DSN"];

package/dist/providers/anthropic.js

@@ -1,11 +1,13 @@
 export class AnthropicProvider {
     name = "anthropic";
     contextWindow = 200_000;
+    maxOutputTokens;
     apiKey;
     model;
-    constructor(apiKey, model) {
+    constructor(apiKey, model, maxOutputTokens) {
         this.apiKey = apiKey;
         this.model = model ?? "claude-sonnet-4-20250514";
+        this.maxOutputTokens = maxOutputTokens ?? 8192;
     }
     async chat(system, messages, tools) {
         const body = {
@@ -15,7 +17,7 @@ export class AnthropicProvider {
                 role: m.role,
                 content: m.content,
             })),
-            max_tokens: 8192,
+            max_tokens: this.maxOutputTokens,
         };
         if (tools.length > 0) {
             body.tools = tools.map((t) => ({
@@ -54,7 +56,7 @@ export class AnthropicProvider {
             model: this.model,
             system,
             messages: messages.map((m) => ({ role: m.role, content: m.content })),
-            max_tokens: 8192,
+            max_tokens: this.maxOutputTokens,
             stream: true,
         };
         if (tools.length > 0) {

package/dist/providers/codex-auth.js

@@ -15,7 +15,7 @@ const CALLBACK_PORT = 1455;
 const SCOPES = "openid profile email offline_access";
 function tokenPath() {
     const dir = path.join(os.homedir(), ".phren-agent");
-    fs.mkdirSync(dir, { recursive: true });
+    fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
     return path.join(dir, "codex-token.json");
 }
 function generatePKCE() {

package/dist/providers/codex.js

@@ -114,9 +114,11 @@ function parseResponsesOutput(data) {
 export class CodexProvider {
     name = "codex";
     contextWindow = 128_000;
+    maxOutputTokens;
     model;
-    constructor(model) {
-        this.model = model ?? "gpt-5.2-codex";
+    constructor(model, maxOutputTokens) {
+        this.model = model ?? "gpt-5.3-codex";
+        this.maxOutputTokens = maxOutputTokens ?? 8192;
     }
     async chat(system, messages, tools) {
         const { accessToken } = await getAccessToken();

package/dist/providers/ollama.js

@@ -33,16 +33,19 @@ function toOllamaMessages(system, messages) {
 export class OllamaProvider {
     name = "ollama";
     contextWindow = 32_000;
+    maxOutputTokens;
     baseUrl;
     model;
-    constructor(model, baseUrl) {
+    constructor(model, baseUrl, maxOutputTokens) {
         this.baseUrl = baseUrl ?? "http://localhost:11434";
         this.model = model ?? "qwen2.5-coder:14b";
+        this.maxOutputTokens = maxOutputTokens ?? 8192;
     }
     async chat(system, messages, tools) {
         const body = {
             model: this.model,
             messages: toOllamaMessages(system, messages),
+            options: { num_predict: this.maxOutputTokens },
             stream: false,
         };
         if (tools.length > 0)
@@ -81,6 +84,7 @@ export class OllamaProvider {
         const body = {
             model: this.model,
             messages: toOllamaMessages(system, messages),
+            options: { num_predict: this.maxOutputTokens },
             stream: true,
         };
         if (tools.length > 0)

package/dist/providers/openrouter.js

@@ -2,19 +2,21 @@ import { toOpenAiTools, toOpenAiMessages, parseOpenAiResponse, parseOpenAiStream
 export class OpenRouterProvider {
     name = "openrouter";
     contextWindow = 200_000;
+    maxOutputTokens;
     apiKey;
     model;
     baseUrl;
-    constructor(apiKey, model, baseUrl) {
+    constructor(apiKey, model, baseUrl, maxOutputTokens) {
         this.apiKey = apiKey;
         this.model = model ?? "anthropic/claude-sonnet-4-20250514";
         this.baseUrl = baseUrl ?? "https://openrouter.ai/api/v1";
+        this.maxOutputTokens = maxOutputTokens ?? 8192;
     }
     async chat(system, messages, tools) {
         const body = {
             model: this.model,
             messages: toOpenAiMessages(system, messages),
-            max_tokens: 8192,
+            max_tokens: this.maxOutputTokens,
         };
         if (tools.length > 0)
             body.tools = toOpenAiTools(tools);
@@ -38,7 +40,7 @@ export class OpenRouterProvider {
         const body = {
             model: this.model,
             messages: toOpenAiMessages(system, messages),
-            max_tokens: 8192,
+            max_tokens: this.maxOutputTokens,
             stream: true,
             stream_options: { include_usage: true },
         };
@@ -65,19 +67,21 @@ export class OpenRouterProvider {
 export class OpenAiProvider {
     name = "openai";
     contextWindow = 128_000;
+    maxOutputTokens;
     apiKey;
     model;
     baseUrl;
-    constructor(apiKey, model, baseUrl) {
+    constructor(apiKey, model, baseUrl, maxOutputTokens) {
         this.apiKey = apiKey;
         this.model = model ?? "gpt-4o";
         this.baseUrl = baseUrl ?? "https://api.openai.com/v1";
+        this.maxOutputTokens = maxOutputTokens ?? 8192;
     }
     async chat(system, messages, tools) {
         const body = {
             model: this.model,
             messages: toOpenAiMessages(system, messages),
-            max_tokens: 8192,
+            max_tokens: this.maxOutputTokens,
         };
         if (tools.length > 0)
             body.tools = toOpenAiTools(tools);
@@ -96,7 +100,7 @@ export class OpenAiProvider {
         const body = {
             model: this.model,
             messages: toOpenAiMessages(system, messages),
-            max_tokens: 8192,
+            max_tokens: this.maxOutputTokens,
             stream: true,
             stream_options: { include_usage: true },
         };

package/dist/providers/resolve.js

@@ -3,36 +3,45 @@ import { AnthropicProvider } from "./anthropic.js";
 import { OllamaProvider } from "./ollama.js";
 import { CodexProvider } from "./codex.js";
 import { hasCodexToken } from "./codex-auth.js";
-export function resolveProvider(overrideProvider, overrideModel) {
+import { lookupMaxOutputTokens } from "../cost.js";
+export function resolveProvider(overrideProvider, overrideModel, overrideMaxOutput) {
     const explicit = overrideProvider ?? process.env.PHREN_AGENT_PROVIDER;
+    // Resolve max output tokens: CLI override > model lookup > default 8192
+    const resolveLimit = (model) => overrideMaxOutput ?? lookupMaxOutputTokens(model);
     if (explicit === "openrouter" || (!explicit && process.env.OPENROUTER_API_KEY)) {
         const key = process.env.OPENROUTER_API_KEY;
         if (!key)
             throw new Error("OPENROUTER_API_KEY is required for OpenRouter provider.");
-        return new OpenRouterProvider(key, overrideModel);
+        const model = overrideModel ?? "anthropic/claude-sonnet-4-20250514";
+        return new OpenRouterProvider(key, overrideModel, undefined, resolveLimit(model));
     }
     if (explicit === "anthropic" || (!explicit && process.env.ANTHROPIC_API_KEY)) {
         const key = process.env.ANTHROPIC_API_KEY;
         if (!key)
             throw new Error("ANTHROPIC_API_KEY is required for Anthropic provider.");
-        return new AnthropicProvider(key, overrideModel);
+        const model = overrideModel ?? "claude-sonnet-4-20250514";
+        return new AnthropicProvider(key, overrideModel, resolveLimit(model));
     }
     if (explicit === "openai" || (!explicit && process.env.OPENAI_API_KEY)) {
         const key = process.env.OPENAI_API_KEY;
         if (!key)
             throw new Error("OPENAI_API_KEY is required for OpenAI provider.");
-        return new OpenAiProvider(key, overrideModel);
+        const model = overrideModel ?? "gpt-4o";
+        return new OpenAiProvider(key, overrideModel, undefined, resolveLimit(model));
     }
     // Codex: uses your ChatGPT subscription directly — no API key, no middleman
     if (explicit === "codex" || (!explicit && hasCodexToken())) {
-        return new CodexProvider(overrideModel);
+        const model = overrideModel ?? "gpt-5.2-codex";
+        return new CodexProvider(overrideModel, resolveLimit(model));
     }
     if (explicit === "ollama" || (!explicit && process.env.PHREN_OLLAMA_URL && process.env.PHREN_OLLAMA_URL !== "off")) {
-        return new OllamaProvider(overrideModel, process.env.PHREN_OLLAMA_URL);
+        const model = overrideModel ?? "qwen2.5-coder:14b";
+        return new OllamaProvider(overrideModel, process.env.PHREN_OLLAMA_URL, resolveLimit(model));
     }
     // Last resort: try Ollama at default URL
     if (!explicit) {
-        return new OllamaProvider(overrideModel);
+        const model = overrideModel ?? "qwen2.5-coder:14b";
+        return new OllamaProvider(overrideModel, undefined, resolveLimit(model));
     }
     throw new Error(`Unknown provider "${explicit}". Supported: openrouter, anthropic, openai, codex, ollama.\n` +
         "Set one of: OPENROUTER_API_KEY, ANTHROPIC_API_KEY, OPENAI_API_KEY, or run 'phren-agent auth login' for Codex.");