@poolzin/pool-bot 2026.2.25 → 2026.2.26

package/dist/agents/bash-tools.exec-host-gateway.js

@@ -1,5 +1,5 @@
 import crypto from "node:crypto";
-import { addAllowlistEntry, buildSafeBinsShellCommand, buildSafeShellCommand, evaluateShellAllowlist, maxAsk, minSecurity, recordAllowlistUse, requiresExecApproval, resolveExecApprovals, } from "../infra/exec-approvals.js";
+import { addAllowlistEntry, buildSafeBinsShellCommand, buildSafeShellCommand, evaluateShellAllowlist, maxAsk, minSecurity, recordAllowlistUse, requiresExecApproval, resolveAllowAlwaysPatterns, resolveExecApprovals, } from "../infra/exec-approvals.js";
 import { markBackgrounded, tail } from "./bash-process-registry.js";
 import { requestExecApprovalDecision } from "./bash-tools.exec-approval-request.js";
 import { DEFAULT_APPROVAL_TIMEOUT_MS, DEFAULT_NOTIFY_TAIL_CHARS, createApprovalSlug, emitExecSystemEvent, normalizeNotifyOutput, runExecProcess, } from "./bash-tools.exec-runtime.js";
@@ -26,12 +26,17 @@ export async function processGatewayAllowlist(params) {
     const allowlistMatches = allowlistEval.allowlistMatches;
     const analysisOk = allowlistEval.analysisOk;
     const allowlistSatisfied = hostSecurity === "allowlist" && analysisOk ? allowlistEval.allowlistSatisfied : false;
+    const hasHeredocSegment = allowlistEval.segments.some((segment) => segment.argv.some((token) => token.startsWith("<<")));
+    const requiresHeredocApproval = hostSecurity === "allowlist" && analysisOk && allowlistSatisfied && hasHeredocSegment;
     const requiresAsk = requiresExecApproval({
         ask: hostAsk,
         security: hostSecurity,
         analysisOk,
         allowlistSatisfied,
-    });
+    }) || requiresHeredocApproval;
+    if (requiresHeredocApproval) {
+        params.warnings.push("Warning: heredoc execution requires explicit approval in allowlist mode.");
+    }
     if (requiresAsk) {
         const approvalId = crypto.randomUUID();
         const approvalSlug = createApprovalSlug(approvalId);
@@ -90,8 +95,13 @@ export async function processGatewayAllowlist(params) {
             else if (decision === "allow-always") {
                 approvedByAsk = true;
                 if (hostSecurity === "allowlist") {
-                    for (const segment of allowlistEval.segments) {
-                        const pattern = segment.resolution?.resolvedPath ?? "";
+                    const patterns = resolveAllowAlwaysPatterns({
+                        segments: allowlistEval.segments,
+                        cwd: params.workdir,
+                        env: params.env,
+                        platform: process.platform,
+                    });
+                    for (const pattern of patterns) {
                         if (pattern) {
                             addAllowlistEntry(approvals.file, params.agentId, pattern);
                         }

package/dist/agents/bash-tools.exec-runtime.js

@@ -1,6 +1,7 @@
 import path from "node:path";
 import { Type } from "@sinclair/typebox";
 import { requestHeartbeatNow } from "../infra/heartbeat-wake.js";
+import { isDangerousHostEnvVarName } from "../infra/host-env-security.js";
 import { mergePathPrepend } from "../infra/path-prepend.js";
 import { enqueueSystemEvent } from "../infra/system-events.js";
 export { applyPathPrepend, normalizePathPrepend } from "../infra/path-prepend.js";
@@ -10,37 +11,13 @@ import { addSession, appendOutput, createSessionSlug, markExited, tail, } from "
 import { buildDockerExecArgs, chunkString, clampWithDefault, readEnvInt, } from "./bash-tools.shared.js";
 import { buildCursorPositionResponse, stripDsrRequests } from "./pty-dsr.js";
 import { getShellConfig, sanitizeBinaryOutput } from "./shell-utils.js";
-// Security: Blocklist of environment variables that could alter execution flow
-// or inject code when running on non-sandboxed hosts (Gateway/Node).
-const DANGEROUS_HOST_ENV_VARS = new Set([
-    "LD_PRELOAD",
-    "LD_LIBRARY_PATH",
-    "LD_AUDIT",
-    "DYLD_INSERT_LIBRARIES",
-    "DYLD_LIBRARY_PATH",
-    "NODE_OPTIONS",
-    "NODE_PATH",
-    "PYTHONPATH",
-    "PYTHONHOME",
-    "RUBYLIB",
-    "PERL5LIB",
-    "BASH_ENV",
-    "ENV",
-    "GCONV_PATH",
-    "IFS",
-    "SSLKEYLOGFILE",
-]);
-const DANGEROUS_HOST_ENV_PREFIXES = ["DYLD_", "LD_"];
 // Centralized sanitization helper.
 // Throws an error if dangerous variables or PATH modifications are detected on the host.
 export function validateHostEnv(env) {
     for (const key of Object.keys(env)) {
         const upperKey = key.toUpperCase();
         // 1. Block known dangerous variables (Fail Closed)
-        if (DANGEROUS_HOST_ENV_PREFIXES.some((prefix) => upperKey.startsWith(prefix))) {
-            throw new Error(`Security Violation: Environment variable '${key}' is forbidden during host execution.`);
-        }
-        if (DANGEROUS_HOST_ENV_VARS.has(upperKey)) {
+        if (isDangerousHostEnvVarName(upperKey)) {
             throw new Error(`Security Violation: Environment variable '${key}' is forbidden during host execution.`);
         }
         // 2. Strictly block PATH modification on host

package/dist/agents/bedrock-discovery.js

@@ -1,4 +1,6 @@
 import { BedrockClient, ListFoundationModelsCommand, } from "@aws-sdk/client-bedrock";
+import { createSubsystemLogger } from "../logging/subsystem.js";
+const log = createSubsystemLogger("bedrock-discovery");
 const DEFAULT_REFRESH_INTERVAL_SECONDS = 3600;
 const DEFAULT_CONTEXT_WINDOW = 32000;
 const DEFAULT_MAX_TOKENS = 4096;
@@ -150,7 +152,7 @@ export async function discoverBedrockModels(params) {
         }
         if (!hasLoggedBedrockError) {
             hasLoggedBedrockError = true;
-            console.warn(`[bedrock-discovery] Failed to list models: ${String(error)}`);
+            log.warn(`Failed to list models: ${String(error)}`);
         }
         return [];
     }

package/dist/agents/byteplus-models.js

@@ -0,0 +1,97 @@
+export const BYTEPLUS_BASE_URL = "https://ark.ap-southeast.bytepluses.com/api/v3";
+export const BYTEPLUS_CODING_BASE_URL = "https://ark.ap-southeast.bytepluses.com/api/coding/v3";
+export const BYTEPLUS_DEFAULT_MODEL_ID = "seed-1-8-251228";
+export const BYTEPLUS_CODING_DEFAULT_MODEL_ID = "ark-code-latest";
+export const BYTEPLUS_DEFAULT_MODEL_REF = `byteplus/${BYTEPLUS_DEFAULT_MODEL_ID}`;
+// BytePlus pricing (approximate, adjust based on actual pricing)
+export const BYTEPLUS_DEFAULT_COST = {
+    input: 0.0001, // $0.0001 per 1K tokens
+    output: 0.0002, // $0.0002 per 1K tokens
+    cacheRead: 0,
+    cacheWrite: 0,
+};
+/**
+ * Complete catalog of BytePlus ARK models.
+ *
+ * BytePlus ARK provides access to various models
+ * through the ARK API. Authentication requires a BYTEPLUS_API_KEY.
+ */
+export const BYTEPLUS_MODEL_CATALOG = [
+    {
+        id: "seed-1-8-251228",
+        name: "Seed 1.8",
+        reasoning: false,
+        input: ["text", "image"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "kimi-k2-5-260127",
+        name: "Kimi K2.5",
+        reasoning: false,
+        input: ["text", "image"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "glm-4-7-251222",
+        name: "GLM 4.7",
+        reasoning: false,
+        input: ["text", "image"],
+        contextWindow: 200000,
+        maxTokens: 4096,
+    },
+];
+export function buildBytePlusModelDefinition(entry) {
+    return {
+        id: entry.id,
+        name: entry.name,
+        reasoning: entry.reasoning,
+        input: [...entry.input],
+        cost: BYTEPLUS_DEFAULT_COST,
+        contextWindow: entry.contextWindow,
+        maxTokens: entry.maxTokens,
+    };
+}
+export const BYTEPLUS_CODING_MODEL_CATALOG = [
+    {
+        id: "ark-code-latest",
+        name: "Ark Coding Plan",
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "doubao-seed-code",
+        name: "Doubao Seed Code",
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "glm-4.7",
+        name: "GLM 4.7 Coding",
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 200000,
+        maxTokens: 4096,
+    },
+    {
+        id: "kimi-k2-thinking",
+        name: "Kimi K2 Thinking",
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "kimi-k2.5",
+        name: "Kimi K2.5 Coding",
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+];

package/dist/agents/chutes-oauth.js

@@ -126,6 +126,7 @@ export async function refreshChutesTokens(params) {
     return {
         ...params.credential,
         access,
+        // RFC 6749 section 6: new refresh token is optional; if present, replace old.
         refresh: newRefresh || refreshToken,
         expires: coerceExpiresAt(expiresIn, now),
         clientId,

package/dist/agents/cli-runner/helpers.js

@@ -52,6 +52,10 @@ export function buildSystemPrompt(params) {
         defaultThinkLevel: params.defaultThinkLevel,
         extraSystemPrompt: params.extraSystemPrompt,
         ownerNumbers: params.ownerNumbers,
+        ownerDisplay: params.config?.commands?.ownerDisplay,
+        ownerDisplaySecret: params.config?.commands?.ownerDisplaySecret ??
+            params.config?.gateway?.auth?.token ??
+            params.config?.gateway?.remote?.token,
         reasoningTagHint: false,
         heartbeatPrompt: params.heartbeatPrompt,
         docsPath: params.docsPath,

package/dist/agents/compaction.js

@@ -1,6 +1,9 @@
 import { estimateTokens, generateSummary } from "@mariozechner/pi-coding-agent";
+import { retryAsync } from "../infra/retry.js";
+import { createSubsystemLogger } from "../logging/subsystem.js";
 import { DEFAULT_CONTEXT_TOKENS } from "./defaults.js";
-import { repairToolUseResultPairing } from "./session-transcript-repair.js";
+import { repairToolUseResultPairing, stripToolResultDetails } from "./session-transcript-repair.js";
+const log = createSubsystemLogger("compaction");
 export const BASE_CHUNK_RATIO = 0.4;
 export const MIN_CHUNK_RATIO = 0.15;
 export const SAFETY_MARGIN = 1.2; // 20% buffer for estimateTokens() inaccuracy
@@ -9,19 +12,24 @@ const DEFAULT_PARTS = 2;
 const MERGE_SUMMARIES_INSTRUCTIONS = "Merge these partial summaries into a single cohesive summary. Preserve decisions," +
     " TODOs, open questions, and any constraints.";
 export function estimateMessagesTokens(messages) {
-    return messages.reduce((sum, message) => sum + estimateTokens(message), 0);
+    // SECURITY: toolResult.details can contain untrusted/verbose payloads; never include in LLM-facing compaction.
+    const safe = stripToolResultDetails(messages);
+    return safe.reduce((sum, message) => sum + estimateTokens(message), 0);
 }
 function normalizeParts(parts, messageCount) {
-    if (!Number.isFinite(parts) || parts <= 1)
+    if (!Number.isFinite(parts) || parts <= 1) {
         return 1;
+    }
     return Math.min(Math.max(1, Math.floor(parts)), Math.max(1, messageCount));
 }
 export function splitMessagesByTokenShare(messages, parts = DEFAULT_PARTS) {
-    if (messages.length === 0)
+    if (messages.length === 0) {
         return [];
+    }
     const normalizedParts = normalizeParts(parts, messages.length);
-    if (normalizedParts <= 1)
+    if (normalizedParts <= 1) {
         return [messages];
+    }
     const totalTokens = estimateMessagesTokens(messages);
     const targetTokens = totalTokens / normalizedParts;
     const chunks = [];
@@ -44,22 +52,30 @@ export function splitMessagesByTokenShare(messages, parts = DEFAULT_PARTS) {
     }
     return chunks;
 }
+// Overhead reserved for summarization prompt, system prompt, previous summary,
+// and serialization wrappers (<conversation> tags, instructions, etc.).
+// generateSummary uses reasoning: "high" which also consumes context budget.
+export const SUMMARIZATION_OVERHEAD_TOKENS = 4096;
 export function chunkMessagesByMaxTokens(messages, maxTokens) {
-    if (messages.length === 0)
+    if (messages.length === 0) {
         return [];
+    }
+    // Apply safety margin to compensate for estimateTokens() underestimation
+    // (chars/4 heuristic misses multi-byte chars, special tokens, code tokens, etc.)
+    const effectiveMax = Math.max(1, Math.floor(maxTokens / SAFETY_MARGIN));
     const chunks = [];
     let currentChunk = [];
     let currentTokens = 0;
     for (const message of messages) {
         const messageTokens = estimateTokens(message);
-        if (currentChunk.length > 0 && currentTokens + messageTokens > maxTokens) {
+        if (currentChunk.length > 0 && currentTokens + messageTokens > effectiveMax) {
             chunks.push(currentChunk);
             currentChunk = [];
             currentTokens = 0;
         }
         currentChunk.push(message);
         currentTokens += messageTokens;
-        if (messageTokens > maxTokens) {
+        if (messageTokens > effectiveMax) {
             // Split oversized messages to avoid unbounded chunk growth.
             chunks.push(currentChunk);
             currentChunk = [];
@@ -76,8 +92,9 @@ export function chunkMessagesByMaxTokens(messages, maxTokens) {
  * When messages are large, we use smaller chunks to avoid exceeding model limits.
  */
 export function computeAdaptiveChunkRatio(messages, contextWindow) {
-    if (messages.length === 0)
+    if (messages.length === 0) {
         return BASE_CHUNK_RATIO;
+    }
     const totalTokens = estimateMessagesTokens(messages);
     const avgTokens = totalTokens / messages.length;
     // Apply safety margin to account for estimation inaccuracy
@@ -102,10 +119,19 @@ async function summarizeChunks(params) {
     if (params.messages.length === 0) {
         return params.previousSummary ?? DEFAULT_SUMMARY_FALLBACK;
     }
-    const chunks = chunkMessagesByMaxTokens(params.messages, params.maxChunkTokens);
+    // SECURITY: never feed toolResult.details into summarization prompts.
+    const safeMessages = stripToolResultDetails(params.messages);
+    const chunks = chunkMessagesByMaxTokens(safeMessages, params.maxChunkTokens);
     let summary = params.previousSummary;
     for (const chunk of chunks) {
-        summary = await generateSummary(chunk, params.model, params.reserveTokens, params.apiKey, params.signal, params.customInstructions, summary);
+        summary = await retryAsync(() => generateSummary(chunk, params.model, params.reserveTokens, params.apiKey, params.signal, params.customInstructions, summary), {
+            attempts: 3,
+            minDelayMs: 500,
+            maxDelayMs: 5000,
+            jitter: 0.2,
+            label: "compaction/generateSummary",
+            shouldRetry: (err) => !(err instanceof Error && err.name === "AbortError"),
+        });
     }
     return summary ?? DEFAULT_SUMMARY_FALLBACK;
 }
@@ -123,7 +149,7 @@ export async function summarizeWithFallback(params) {
         return await summarizeChunks(params);
     }
     catch (fullError) {
-        console.warn(`Full summarization failed, trying partial: ${fullError instanceof Error ? fullError.message : String(fullError)}`);
+        log.warn(`Full summarization failed, trying partial: ${fullError instanceof Error ? fullError.message : String(fullError)}`);
     }
     // Fallback 1: Summarize only small messages, note oversized ones
     const smallMessages = [];
@@ -148,7 +174,7 @@ export async function summarizeWithFallback(params) {
             return partialSummary + notes;
         }
         catch (partialError) {
-            console.warn(`Partial summarization also failed: ${partialError instanceof Error ? partialError.message : String(partialError)}`);
+            log.warn(`Partial summarization also failed: ${partialError instanceof Error ? partialError.message : String(partialError)}`);
         }
     }
     // Final fallback: Just note what was there
@@ -206,8 +232,9 @@ export function pruneHistoryForContextShare(params) {
     const parts = normalizeParts(params.parts ?? DEFAULT_PARTS, keptMessages.length);
     while (keptMessages.length > 0 && estimateMessagesTokens(keptMessages) > budgetTokens) {
         const chunks = splitMessagesByTokenShare(keptMessages, parts);
-        if (chunks.length <= 1)
+        if (chunks.length <= 1) {
             break;
+        }
         const [dropped, ...rest] = chunks;
         const flatRest = rest.flat();
         // After dropping a chunk, repair tool_use/tool_result pairing to handle

package/dist/agents/doubao-models.js

@@ -0,0 +1,121 @@
+export const DOUBAO_BASE_URL = "https://ark.cn-beijing.volces.com/api/v3";
+export const DOUBAO_CODING_BASE_URL = "https://ark.cn-beijing.volces.com/api/coding/v3";
+export const DOUBAO_DEFAULT_MODEL_ID = "doubao-seed-1-8-251228";
+export const DOUBAO_CODING_DEFAULT_MODEL_ID = "ark-code-latest";
+export const DOUBAO_DEFAULT_MODEL_REF = `volcengine/${DOUBAO_DEFAULT_MODEL_ID}`;
+// Volcano Engine Doubao pricing (approximate, adjust based on actual pricing)
+export const DOUBAO_DEFAULT_COST = {
+    input: 0.0001, // ¥0.0001 per 1K tokens
+    output: 0.0002, // ¥0.0002 per 1K tokens
+    cacheRead: 0,
+    cacheWrite: 0,
+};
+/**
+ * Complete catalog of Volcano Engine models.
+ *
+ * Volcano Engine provides access to models
+ * through the API. Authentication requires a Volcano Engine API Key.
+ */
+export const DOUBAO_MODEL_CATALOG = [
+    {
+        id: "doubao-seed-code-preview-251028",
+        name: "doubao-seed-code-preview-251028",
+        reasoning: false,
+        input: ["text", "image"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "doubao-seed-1-8-251228",
+        name: "Doubao Seed 1.8",
+        reasoning: false,
+        input: ["text", "image"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "kimi-k2-5-260127",
+        name: "Kimi K2.5",
+        reasoning: false,
+        input: ["text", "image"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "glm-4-7-251222",
+        name: "GLM 4.7",
+        reasoning: false,
+        input: ["text", "image"],
+        contextWindow: 200000,
+        maxTokens: 4096,
+    },
+    {
+        id: "deepseek-v3-2-251201",
+        name: "DeepSeek V3.2",
+        reasoning: false,
+        input: ["text", "image"],
+        contextWindow: 128000,
+        maxTokens: 4096,
+    },
+];
+export function buildDoubaoModelDefinition(entry) {
+    return {
+        id: entry.id,
+        name: entry.name,
+        reasoning: entry.reasoning,
+        input: [...entry.input],
+        cost: DOUBAO_DEFAULT_COST,
+        contextWindow: entry.contextWindow,
+        maxTokens: entry.maxTokens,
+    };
+}
+export const DOUBAO_CODING_MODEL_CATALOG = [
+    {
+        id: "ark-code-latest",
+        name: "Ark Coding Plan",
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "doubao-seed-code",
+        name: "Doubao Seed Code",
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "glm-4.7",
+        name: "GLM 4.7 Coding",
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 200000,
+        maxTokens: 4096,
+    },
+    {
+        id: "kimi-k2-thinking",
+        name: "Kimi K2 Thinking",
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "kimi-k2.5",
+        name: "Kimi K2.5 Coding",
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+    {
+        id: "doubao-seed-code-preview-251028",
+        name: "Doubao Seed Code Preview",
+        reasoning: false,
+        input: ["text"],
+        contextWindow: 256000,
+        maxTokens: 4096,
+    },
+];

package/dist/agents/failover-error.js

@@ -34,6 +34,8 @@ export function resolveFailoverStatus(reason) {
             return 408;
         case "format":
             return 400;
+        case "model_not_found":
+            return 404;
         default:
             return undefined;
     }

package/dist/agents/huggingface-models.js

@@ -1,3 +1,5 @@
+import { createSubsystemLogger } from "../logging/subsystem.js";
+const log = createSubsystemLogger("huggingface-models");
 /** Hugging Face Inference Providers (router) — OpenAI-compatible chat completions. */
 export const HUGGINGFACE_BASE_URL = "https://router.huggingface.co/v1";
 /** Router policy suffixes: router picks backend by cost or speed; no specific provider selection. */
@@ -114,13 +116,13 @@ export async function discoverHuggingfaceModels(apiKey) {
             },
         });
         if (!response.ok) {
-            console.warn(`[huggingface-models] GET /v1/models failed: HTTP ${response.status}, using static catalog`);
+            log.warn(`GET /v1/models failed: HTTP ${response.status}, using static catalog`);
             return HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
         }
         const body = (await response.json());
         const data = body?.data;
         if (!Array.isArray(data) || data.length === 0) {
-            console.warn("[huggingface-models] No models in response, using static catalog");
+            log.warn("No models in response, using static catalog");
             return HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
         }
         const catalogById = new Map(HUGGINGFACE_MODEL_CATALOG.map((m) => [m.id, m]));
@@ -160,7 +162,7 @@ export async function discoverHuggingfaceModels(apiKey) {
             : HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
     }
     catch (error) {
-        console.warn(`[huggingface-models] Discovery failed: ${String(error)}, using static catalog`);
+        log.warn(`Discovery failed: ${String(error)}, using static catalog`);
         return HUGGINGFACE_MODEL_CATALOG.map(buildHuggingfaceModelDefinition);
     }
 }

package/dist/agents/live-model-filter.js

@@ -64,6 +64,11 @@ export function isModernModelRef(ref) {
     if (provider === "opencode" && id === "alpha-glm-4.7") {
         return false;
     }
+    // Opencode MiniMax variants have been intermittently unstable in live runs;
+    // prefer the rest of the modern catalog for deterministic smoke coverage.
+    if (provider === "opencode" && matchesPrefix(id, MINIMAX_PREFIXES)) {
+        return false;
+    }
     if (provider === "openrouter" || provider === "opencode") {
         return matchesAny(id, [
             ...ANTHROPIC_PREFIXES,

package/dist/agents/minimax-vlm.js

@@ -1,3 +1,5 @@
+import { isRecord } from "../utils.js";
+import { normalizeSecretInput } from "../utils/normalize-secret-input.js";
 function coerceApiHost(params) {
     const env = params.env ?? process.env;
     const raw = params.apiHost?.trim() ||
@@ -17,23 +19,23 @@ function coerceApiHost(params) {
         return "https://api.minimax.io";
     }
 }
-function isRecord(value) {
-    return Boolean(value && typeof value === "object" && !Array.isArray(value));
-}
 function pickString(rec, key) {
     const v = rec[key];
     return typeof v === "string" ? v : "";
 }
 export async function minimaxUnderstandImage(params) {
-    const apiKey = params.apiKey.trim();
-    if (!apiKey)
+    const apiKey = normalizeSecretInput(params.apiKey);
+    if (!apiKey) {
         throw new Error("MiniMax VLM: apiKey required");
+    }
     const prompt = params.prompt.trim();
-    if (!prompt)
+    if (!prompt) {
         throw new Error("MiniMax VLM: prompt required");
+    }
     const imageDataUrl = params.imageDataUrl.trim();
-    if (!imageDataUrl)
+    if (!imageDataUrl) {
         throw new Error("MiniMax VLM: imageDataUrl required");
+    }
     if (!/^data:image\/(png|jpeg|webp);base64,/i.test(imageDataUrl)) {
         throw new Error("MiniMax VLM: imageDataUrl must be a base64 data:image/(png|jpeg|webp) URL");
     }
@@ -47,7 +49,7 @@ export async function minimaxUnderstandImage(params) {
         headers: {
             Authorization: `Bearer ${apiKey}`,
             "Content-Type": "application/json",
-            "MM-API-Source": "Poolbot",
+            "MM-API-Source": "Pool Bot",
         },
         body: JSON.stringify({
             prompt,

package/dist/agents/model-auth.js

@@ -211,6 +211,12 @@ export function resolveEnvApiKey(provider) {
     if (normalized === "qwen-portal") {
         return pick("QWEN_OAUTH_TOKEN") ?? pick("QWEN_PORTAL_API_KEY");
     }
+    if (normalized === "volcengine" || normalized === "volcengine-plan") {
+        return pick("VOLCANO_ENGINE_API_KEY");
+    }
+    if (normalized === "byteplus" || normalized === "byteplus-plan") {
+        return pick("BYTEPLUS_API_KEY");
+    }
     if (normalized === "minimax-portal") {
         return pick("MINIMAX_OAUTH_TOKEN") ?? pick("MINIMAX_API_KEY");
     }

package/dist/agents/model-catalog.js

@@ -1,6 +1,8 @@
 import { loadConfig } from "../config/config.js";
+import { createSubsystemLogger } from "../logging/subsystem.js";
 import { resolvePoolbotAgentDir } from "./agent-paths.js";
 import { ensurePoolbotModelsJson } from "./models-config.js";
+const log = createSubsystemLogger("model-catalog");
 let modelCatalogPromise = null;
 let hasLoggedModelCatalogError = false;
 const defaultImportPiSdk = () => import("./pi-model-discovery.js");
@@ -97,7 +99,7 @@ export async function loadModelCatalog(params) {
         catch (error) {
             if (!hasLoggedModelCatalogError) {
                 hasLoggedModelCatalogError = true;
-                console.warn(`[model-catalog] Failed to load model catalog: ${String(error)}`);
+                log.warn(`Failed to load model catalog: ${String(error)}`);
             }
             // Don't poison the cache on transient dependency/filesystem issues.
             modelCatalogPromise = null;

package/dist/agents/model-selection.js

@@ -1,6 +1,8 @@
+import { createSubsystemLogger } from "../logging/subsystem.js";
 import { resolveAgentConfig, resolveAgentModelPrimary } from "./agent-scope.js";
 import { DEFAULT_MODEL, DEFAULT_PROVIDER } from "./defaults.js";
 import { normalizeGoogleModelId } from "./models-config.providers.js";
+const log = createSubsystemLogger("model-selection");
 const ANTHROPIC_MODEL_ALIASES = {
     "opus-4.6": "claude-opus-4-6",
     "opus-4.5": "claude-opus-4-5",
@@ -28,6 +30,10 @@ export function normalizeProviderId(provider) {
     if (normalized === "kimi-code") {
         return "kimi-coding";
     }
+    // Backward compatibility for older provider naming.
+    if (normalized === "bytedance" || normalized === "doubao") {
+        return "volcengine";
+    }
     return normalized;
 }
 export function findNormalizedProviderValue(entries, provider) {
@@ -208,7 +214,7 @@ export function resolveConfiguredModelRef(params) {
                 return aliasMatch.ref;
             }
             // Default to anthropic if no provider is specified, but warn as this is deprecated.
-            console.warn(`[poolbot] Model "${trimmed}" specified without provider. Falling back to "anthropic/${trimmed}". Please use "anthropic/${trimmed}" in your config.`);
+            log.warn(`Model "${trimmed}" specified without provider. Falling back to "anthropic/${trimmed}". Please use "anthropic/${trimmed}" in your config.`);
             return { provider: "anthropic", model: trimmed };
         }
         const resolved = resolveModelRefFromString({