@poolzin/pool-bot 2026.2.25 → 2026.2.26

package/dist/commands/onboard-auth.credentials.js

@@ -1,19 +1,93 @@
+import fs from "node:fs";
+import path from "node:path";
 import { resolvePoolbotAgentDir } from "../agents/agent-paths.js";
 import { upsertAuthProfile } from "../agents/auth-profiles.js";
+import { resolveStateDir } from "../config/paths.js";
 export { CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF } from "../agents/cloudflare-ai-gateway.js";
-export { XAI_DEFAULT_MODEL_REF, NVIDIA_DEFAULT_MODEL_REF } from "./onboard-auth.models.js";
+export { XAI_DEFAULT_MODEL_REF } from "./onboard-auth.models.js";
 const resolveAuthAgentDir = (agentDir) => agentDir ?? resolvePoolbotAgentDir();
-export async function writeOAuthCredentials(provider, creds, agentDir) {
+/** Resolve real path, returning null if the target doesn't exist. */
+function safeRealpathSync(dir) {
+    try {
+        return fs.realpathSync(path.resolve(dir));
+    }
+    catch {
+        return null;
+    }
+}
+function resolveSiblingAgentDirs(primaryAgentDir) {
+    const normalized = path.resolve(primaryAgentDir);
+    // Derive agentsRoot from primaryAgentDir when it matches the standard
+    // layout (.../agents/<name>/agent). Falls back to global state dir.
+    const parentOfAgent = path.dirname(normalized);
+    const candidateAgentsRoot = path.dirname(parentOfAgent);
+    const looksLikeStandardLayout = path.basename(normalized) === "agent" && path.basename(candidateAgentsRoot) === "agents";
+    const agentsRoot = looksLikeStandardLayout
+        ? candidateAgentsRoot
+        : path.join(resolveStateDir(), "agents");
+    const entries = (() => {
+        try {
+            return fs.readdirSync(agentsRoot, { withFileTypes: true });
+        }
+        catch {
+            return [];
+        }
+    })();
+    // Include both directories and symlinks-to-directories.
+    const discovered = entries
+        .filter((entry) => entry.isDirectory() || entry.isSymbolicLink())
+        .map((entry) => path.join(agentsRoot, entry.name, "agent"));
+    // Deduplicate via realpath to handle symlinks and path normalization.
+    const seen = new Set();
+    const result = [];
+    for (const dir of [normalized, ...discovered]) {
+        const real = safeRealpathSync(dir);
+        if (real && !seen.has(real)) {
+            seen.add(real);
+            result.push(real);
+        }
+    }
+    return result;
+}
+export async function writeOAuthCredentials(provider, creds, agentDir, options) {
     const email = typeof creds.email === "string" && creds.email.trim() ? creds.email.trim() : "default";
+    const profileId = `${provider}:${email}`;
+    const resolvedAgentDir = path.resolve(resolveAuthAgentDir(agentDir));
+    const targetAgentDirs = options?.syncSiblingAgents
+        ? resolveSiblingAgentDirs(resolvedAgentDir)
+        : [resolvedAgentDir];
+    const credential = {
+        type: "oauth",
+        provider,
+        ...creds,
+    };
+    // Primary write must succeed — let it throw on failure.
     upsertAuthProfile({
-        profileId: `${provider}:${email}`,
-        credential: {
-            type: "oauth",
-            provider,
-            ...creds,
-        },
-        agentDir: resolveAuthAgentDir(agentDir),
+        profileId,
+        credential,
+        agentDir: resolvedAgentDir,
     });
+    // Sibling sync is best-effort — log and ignore individual failures.
+    if (options?.syncSiblingAgents) {
+        const primaryReal = safeRealpathSync(resolvedAgentDir);
+        for (const targetAgentDir of targetAgentDirs) {
+            const targetReal = safeRealpathSync(targetAgentDir);
+            if (targetReal && primaryReal && targetReal === primaryReal) {
+                continue;
+            }
+            try {
+                upsertAuthProfile({
+                    profileId,
+                    credential,
+                    agentDir: targetAgentDir,
+                });
+            }
+            catch {
+                // Best-effort: sibling sync failure must not block primary onboarding.
+            }
+        }
+    }
+    return profileId;
 }
 export async function setAnthropicApiKey(key, agentDir) {
     // Write to resolved agent dir so gateway finds credentials on startup.
@@ -39,13 +113,14 @@ export async function setGeminiApiKey(key, agentDir) {
         agentDir: resolveAuthAgentDir(agentDir),
     });
 }
-export async function setMinimaxApiKey(key, agentDir) {
+export async function setMinimaxApiKey(key, agentDir, profileId = "minimax:default") {
+    const provider = profileId.split(":")[0] ?? "minimax";
     // Write to resolved agent dir so gateway finds credentials on startup.
     upsertAuthProfile({
-        profileId: "minimax:default",
+        profileId,
         credential: {
             type: "api_key",
-            provider: "minimax",
+            provider,
             key,
         },
         agentDir: resolveAuthAgentDir(agentDir),
@@ -237,7 +312,9 @@ export function setXaiApiKey(key, agentDir) {
         agentDir: resolveAuthAgentDir(agentDir),
     });
 }
-export function setNvidiaApiKey(key, agentDir) {
+// PB-specific: nvidia support
+export const NVIDIA_DEFAULT_MODEL_REF = "nvidia/llama-3.3-nemotron-super-49b-v1";
+export async function setNvidiaApiKey(key, agentDir) {
     upsertAuthProfile({
         profileId: "nvidia:default",
         credential: {

package/dist/commands/onboard-auth.js

@@ -1,7 +1,7 @@
 export { SYNTHETIC_DEFAULT_MODEL_ID, SYNTHETIC_DEFAULT_MODEL_REF, } from "../agents/synthetic-models.js";
 export { VENICE_DEFAULT_MODEL_ID, VENICE_DEFAULT_MODEL_REF } from "../agents/venice-models.js";
 export { applyAuthProfileConfig, applyCloudflareAiGatewayConfig, applyCloudflareAiGatewayProviderConfig, applyHuggingfaceConfig, applyHuggingfaceProviderConfig, applyQianfanConfig, applyQianfanProviderConfig, applyKimiCodeConfig, applyKimiCodeProviderConfig, applyLitellmConfig, applyLitellmProviderConfig, LITELLM_BASE_URL, LITELLM_DEFAULT_MODEL_ID, applyMoonshotConfig, applyMoonshotConfigCn, applyMoonshotProviderConfig, applyMoonshotProviderConfigCn, applyOpenrouterConfig, applyOpenrouterProviderConfig, applySyntheticConfig, applySyntheticProviderConfig, applyTogetherConfig, applyTogetherProviderConfig, applyVeniceConfig, applyVeniceProviderConfig, applyVercelAiGatewayConfig, applyVercelAiGatewayProviderConfig, applyNvidiaConfig, applyNvidiaProviderConfig, applyXaiConfig, applyXaiProviderConfig, applyXiaomiConfig, applyXiaomiProviderConfig, applyZaiConfig, applyZaiProviderConfig, } from "./onboard-auth.config-core.js";
-export { applyMinimaxApiConfig, applyMinimaxApiProviderConfig, applyMinimaxConfig, applyMinimaxHostedConfig, applyMinimaxHostedProviderConfig, applyMinimaxProviderConfig, } from "./onboard-auth.config-minimax.js";
+export { applyMinimaxApiConfig, applyMinimaxApiConfigCn, applyMinimaxApiProviderConfig, applyMinimaxApiProviderConfigCn, applyMinimaxConfig, applyMinimaxHostedConfig, applyMinimaxHostedProviderConfig, applyMinimaxProviderConfig, } from "./onboard-auth.config-minimax.js";
 export { applyOpencodeZenConfig, applyOpencodeZenProviderConfig, } from "./onboard-auth.config-opencode.js";
 export { CLOUDFLARE_AI_GATEWAY_DEFAULT_MODEL_REF, HUGGINGFACE_DEFAULT_MODEL_REF, LITELLM_DEFAULT_MODEL_REF, OPENROUTER_DEFAULT_MODEL_REF, setAnthropicApiKey, setCloudflareAiGatewayConfig, setQianfanApiKey, setGeminiApiKey, setHuggingfaceApiKey, setKimiCodingApiKey, setLitellmApiKey, setMinimaxApiKey, setMoonshotApiKey, setOpencodeZenApiKey, setOpenrouterApiKey, setSyntheticApiKey, setTogetherApiKey, setVeniceApiKey, setVercelAiGatewayApiKey, setXiaomiApiKey, setZaiApiKey, setNvidiaApiKey, setXaiApiKey, writeOAuthCredentials, VERCEL_AI_GATEWAY_DEFAULT_MODEL_REF, NVIDIA_DEFAULT_MODEL_REF, XIAOMI_DEFAULT_MODEL_REF, ZAI_DEFAULT_MODEL_REF, TOGETHER_DEFAULT_MODEL_REF, XAI_DEFAULT_MODEL_REF, } from "./onboard-auth.credentials.js";
 export { buildMinimaxApiModelDefinition, buildMinimaxModelDefinition, buildMoonshotModelDefinition, buildZaiModelDefinition, DEFAULT_MINIMAX_BASE_URL, MOONSHOT_CN_BASE_URL, QIANFAN_BASE_URL, QIANFAN_DEFAULT_MODEL_ID, QIANFAN_DEFAULT_MODEL_REF, KIMI_CODING_MODEL_ID, KIMI_CODING_MODEL_REF, MINIMAX_API_BASE_URL, MINIMAX_HOSTED_MODEL_ID, MINIMAX_HOSTED_MODEL_REF, MOONSHOT_BASE_URL, MOONSHOT_DEFAULT_MODEL_ID, MOONSHOT_DEFAULT_MODEL_REF, buildNvidiaModelDefinition, NVIDIA_BASE_URL, NVIDIA_DEFAULT_MODEL_ID, resolveZaiBaseUrl, ZAI_CODING_CN_BASE_URL, ZAI_DEFAULT_MODEL_ID, ZAI_CODING_GLOBAL_BASE_URL, ZAI_CN_BASE_URL, ZAI_GLOBAL_BASE_URL, } from "./onboard-auth.models.js";

package/dist/commands/onboard-auth.models.js

@@ -1,6 +1,7 @@
 import { QIANFAN_BASE_URL, QIANFAN_DEFAULT_MODEL_ID } from "../agents/models-config.providers.js";
 export const DEFAULT_MINIMAX_BASE_URL = "https://api.minimax.io/v1";
 export const MINIMAX_API_BASE_URL = "https://api.minimax.io/anthropic";
+export const MINIMAX_CN_API_BASE_URL = "https://api.minimaxi.com/anthropic";
 export const MINIMAX_HOSTED_MODEL_ID = "MiniMax-M2.1";
 export const MINIMAX_HOSTED_MODEL_REF = `minimax/${MINIMAX_HOSTED_MODEL_ID}`;
 export const DEFAULT_MINIMAX_CONTEXT_WINDOW = 200000;
@@ -34,12 +35,12 @@ export function resolveZaiBaseUrl(endpoint) {
             return ZAI_GLOBAL_BASE_URL;
     }
 }
-// Pricing: MiniMax doesn't publish public rates. Override in models.json for accurate costs.
+// Pricing per 1M tokens (USD) \u2014 https://platform.minimaxi.com/document/Price
 export const MINIMAX_API_COST = {
-    input: 15,
-    output: 60,
-    cacheRead: 2,
-    cacheWrite: 10,
+    input: 0.3,
+    output: 1.2,
+    cacheRead: 0.03,
+    cacheWrite: 0.12,
 };
 export const MINIMAX_HOSTED_COST = {
     input: 0,

package/dist/commands/onboard-hooks.js

@@ -4,7 +4,7 @@ import { formatCliCommand } from "../cli/command-format.js";
 export async function setupInternalHooks(cfg, runtime, prompter) {
     await prompter.note([
         "Hooks let you automate actions when agent commands are issued.",
-        "Example: Save session context to memory when you issue /new.",
+        "Example: Save session context to memory when you issue /new or /reset.",
         "",
         "Learn more: https://docs.molt.bot/hooks",
     ].join("\n"), "Hooks");

package/dist/commands/onboard-non-interactive/api-keys.js

@@ -10,31 +10,36 @@ async function resolveApiKeyFromProfiles(params) {
     });
     for (const profileId of order) {
         const cred = store.profiles[profileId];
-        if (cred?.type !== "api_key")
+        if (cred?.type !== "api_key") {
             continue;
+        }
         const resolved = await resolveApiKeyForProfile({
             cfg: params.cfg,
             store,
             profileId,
             agentDir: params.agentDir,
         });
-        if (resolved?.apiKey)
+        if (resolved?.apiKey) {
             return resolved.apiKey;
+        }
     }
     return null;
 }
 export async function resolveNonInteractiveApiKey(params) {
     const flagKey = normalizeOptionalSecretInput(params.flagValue);
-    if (flagKey)
+    if (flagKey) {
         return { key: flagKey, source: "flag" };
+    }
     const envResolved = resolveEnvApiKey(params.provider);
-    if (envResolved?.apiKey)
+    if (envResolved?.apiKey) {
         return { key: envResolved.apiKey, source: "env" };
+    }
     const explicitEnvVar = params.envVarName?.trim();
     if (explicitEnvVar) {
         const explicitEnvKey = normalizeOptionalSecretInput(process.env[explicitEnvVar]);
-        if (explicitEnvKey)
+        if (explicitEnvKey) {
             return { key: explicitEnvKey, source: "env" };
+        }
     }
     if (params.allowProfile ?? true) {
         const profileKey = await resolveApiKeyFromProfiles({
@@ -42,11 +47,13 @@ export async function resolveNonInteractiveApiKey(params) {
             cfg: params.cfg,
             agentDir: params.agentDir,
         });
-        if (profileKey)
+        if (profileKey) {
             return { key: profileKey, source: "profile" };
+        }
     }
-    if (params.required === false)
+    if (params.required === false) {
         return null;
+    }
     const profileHint = params.allowProfile === false ? "" : `, or existing ${params.provider} API-key profile`;
     params.runtime.error(`Missing ${params.flagName} (or ${params.envVar} in env${profileHint}).`);
     params.runtime.exit(1);

package/dist/commands/onboard-non-interactive/local/auth-choice.js

@@ -6,7 +6,8 @@ import { shortenHomePath } from "../../../utils.js";
 import { normalizeSecretInput } from "../../../utils/normalize-secret-input.js";
 import { buildTokenProfileId, validateAnthropicSetupToken } from "../../auth-token.js";
 import { applyGoogleGeminiModelDefault } from "../../google-gemini-model-default.js";
-import { applyAuthProfileConfig, applyCloudflareAiGatewayConfig, applyHuggingfaceConfig, applyKimiCodeConfig, applyLitellmConfig, applyMinimaxApiConfig, applyMinimaxConfig, applyMoonshotConfig, applyMoonshotConfigCn, applyNvidiaConfig, applyOpencodeZenConfig, applyOpenrouterConfig, applyQianfanConfig, applySyntheticConfig, applyTogetherConfig, applyVeniceConfig, applyVercelAiGatewayConfig, applyXaiConfig, applyXiaomiConfig, applyZaiConfig, setAnthropicApiKey, setCloudflareAiGatewayConfig, setGeminiApiKey, setHuggingfaceApiKey, setKimiCodingApiKey, setLitellmApiKey, setMinimaxApiKey, setMoonshotApiKey, setNvidiaApiKey, setOpencodeZenApiKey, setOpenrouterApiKey, setQianfanApiKey, setSyntheticApiKey, setTogetherApiKey, setVeniceApiKey, setVercelAiGatewayApiKey, setXaiApiKey, setXiaomiApiKey, setZaiApiKey, } from "../../onboard-auth.js";
+import { applyPrimaryModel } from "../../model-picker.js";
+import { applyAuthProfileConfig, applyCloudflareAiGatewayConfig, applyQianfanConfig, applyKimiCodeConfig, applyMinimaxApiConfig, applyMinimaxApiConfigCn, applyMinimaxConfig, applyMoonshotConfig, applyMoonshotConfigCn, applyOpencodeZenConfig, applyOpenrouterConfig, applySyntheticConfig, applyVeniceConfig, applyTogetherConfig, applyHuggingfaceConfig, applyVercelAiGatewayConfig, applyLitellmConfig, applyXaiConfig, applyXiaomiConfig, applyZaiConfig, setAnthropicApiKey, setCloudflareAiGatewayConfig, setQianfanApiKey, setGeminiApiKey, setKimiCodingApiKey, setLitellmApiKey, setMinimaxApiKey, setMoonshotApiKey, setOpencodeZenApiKey, setOpenrouterApiKey, setSyntheticApiKey, setXaiApiKey, setVeniceApiKey, setTogetherApiKey, setHuggingfaceApiKey, setVercelAiGatewayApiKey, setXiaomiApiKey, setZaiApiKey, } from "../../onboard-auth.js";
 import { applyCustomApiConfig, CustomApiError, parseNonInteractiveCustomApiFlags, resolveCustomProviderId, } from "../../onboard-custom.js";
 import { applyOpenAIConfig } from "../../openai-model-default.js";
 import { detectZaiEndpoint } from "../../zai-endpoint-detect.js";
@@ -232,6 +233,50 @@ export async function applyNonInteractiveAuthChoice(params) {
         });
         return applyXaiConfig(nextConfig);
     }
+    if (authChoice === "volcengine-api-key") {
+        const resolved = await resolveNonInteractiveApiKey({
+            provider: "volcengine",
+            cfg: baseConfig,
+            flagValue: opts.volcengineApiKey,
+            flagName: "--volcengine-api-key",
+            envVar: "VOLCANO_ENGINE_API_KEY",
+            runtime,
+        });
+        if (!resolved) {
+            return null;
+        }
+        if (resolved.source !== "profile") {
+            const result = upsertSharedEnvVar({
+                key: "VOLCANO_ENGINE_API_KEY",
+                value: resolved.key,
+            });
+            process.env.VOLCANO_ENGINE_API_KEY = resolved.key;
+            runtime.log(`Saved VOLCANO_ENGINE_API_KEY to ${shortenHomePath(result.path)}`);
+        }
+        return applyPrimaryModel(nextConfig, "volcengine-plan/ark-code-latest");
+    }
+    if (authChoice === "byteplus-api-key") {
+        const resolved = await resolveNonInteractiveApiKey({
+            provider: "byteplus",
+            cfg: baseConfig,
+            flagValue: opts.byteplusApiKey,
+            flagName: "--byteplus-api-key",
+            envVar: "BYTEPLUS_API_KEY",
+            runtime,
+        });
+        if (!resolved) {
+            return null;
+        }
+        if (resolved.source !== "profile") {
+            const result = upsertSharedEnvVar({
+                key: "BYTEPLUS_API_KEY",
+                value: resolved.key,
+            });
+            process.env.BYTEPLUS_API_KEY = resolved.key;
+            runtime.log(`Saved BYTEPLUS_API_KEY to ${shortenHomePath(result.path)}`);
+        }
+        return applyPrimaryModel(nextConfig, "byteplus-plan/ark-code-latest");
+    }
     if (authChoice === "qianfan-api-key") {
         const resolved = await resolveNonInteractiveApiKey({
             provider: "qianfan",
@@ -374,7 +419,7 @@ export async function applyNonInteractiveAuthChoice(params) {
             gatewayId,
         });
     }
-    if (authChoice === "moonshot-api-key") {
+    const applyMoonshotApiKeyChoice = async (applyConfig) => {
         const resolved = await resolveNonInteractiveApiKey({
             provider: "moonshot",
             cfg: baseConfig,
@@ -394,29 +439,13 @@ export async function applyNonInteractiveAuthChoice(params) {
             provider: "moonshot",
             mode: "api_key",
         });
-        return applyMoonshotConfig(nextConfig);
+        return applyConfig(nextConfig);
+    };
+    if (authChoice === "moonshot-api-key") {
+        return await applyMoonshotApiKeyChoice(applyMoonshotConfig);
     }
     if (authChoice === "moonshot-api-key-cn") {
-        const resolved = await resolveNonInteractiveApiKey({
-            provider: "moonshot",
-            cfg: baseConfig,
-            flagValue: opts.moonshotApiKey,
-            flagName: "--moonshot-api-key",
-            envVar: "MOONSHOT_API_KEY",
-            runtime,
-        });
-        if (!resolved) {
-            return null;
-        }
-        if (resolved.source !== "profile") {
-            await setMoonshotApiKey(resolved.key);
-        }
-        nextConfig = applyAuthProfileConfig(nextConfig, {
-            profileId: "moonshot:default",
-            provider: "moonshot",
-            mode: "api_key",
-        });
-        return applyMoonshotConfigCn(nextConfig);
+        return await applyMoonshotApiKeyChoice(applyMoonshotConfigCn);
     }
     if (authChoice === "kimi-code-api-key") {
         const resolved = await resolveNonInteractiveApiKey({
@@ -486,9 +515,13 @@ export async function applyNonInteractiveAuthChoice(params) {
     }
     if (authChoice === "minimax-cloud" ||
         authChoice === "minimax-api" ||
+        authChoice === "minimax-api-key-cn" ||
         authChoice === "minimax-api-lightning") {
+        const isCn = authChoice === "minimax-api-key-cn";
+        const providerId = isCn ? "minimax-cn" : "minimax";
+        const profileId = `${providerId}:default`;
         const resolved = await resolveNonInteractiveApiKey({
-            provider: "minimax",
+            provider: providerId,
             cfg: baseConfig,
             flagValue: opts.minimaxApiKey,
             flagName: "--minimax-api-key",
@@ -499,15 +532,17 @@ export async function applyNonInteractiveAuthChoice(params) {
             return null;
         }
         if (resolved.source !== "profile") {
-            await setMinimaxApiKey(resolved.key);
+            await setMinimaxApiKey(resolved.key, undefined, profileId);
         }
         nextConfig = applyAuthProfileConfig(nextConfig, {
-            profileId: "minimax:default",
-            provider: "minimax",
+            profileId,
+            provider: providerId,
             mode: "api_key",
         });
-        const modelId = authChoice === "minimax-api-lightning" ? "MiniMax-M2.1-lightning" : "MiniMax-M2.1";
-        return applyMinimaxApiConfig(nextConfig, modelId);
+        const modelId = authChoice === "minimax-api-lightning" ? "MiniMax-M2.5-Lightning" : "MiniMax-M2.5";
+        return isCn
+            ? applyMinimaxApiConfigCn(nextConfig, modelId)
+            : applyMinimaxApiConfig(nextConfig, modelId);
     }
     if (authChoice === "minimax") {
         return applyMinimaxConfig(nextConfig);
@@ -578,26 +613,6 @@ export async function applyNonInteractiveAuthChoice(params) {
         });
         return applyHuggingfaceConfig(nextConfig);
     }
-    if (authChoice === "nvidia-api-key") {
-        const resolved = await resolveNonInteractiveApiKey({
-            provider: "nvidia",
-            cfg: baseConfig,
-            flagValue: opts.nvidiaApiKey,
-            flagName: "--nvidia-api-key",
-            envVar: "NVIDIA_API_KEY",
-            runtime,
-        });
-        if (!resolved)
-            return null;
-        if (resolved.source !== "profile")
-            setNvidiaApiKey(resolved.key);
-        nextConfig = applyAuthProfileConfig(nextConfig, {
-            profileId: "nvidia:default",
-            provider: "nvidia",
-            mode: "api_key",
-        });
-        return applyNvidiaConfig(nextConfig);
-    }
     if (authChoice === "custom-api-key") {
         try {
             const customAuth = parseNonInteractiveCustomApiFlags({

package/dist/commands/onboard-provider-auth-flags.js

@@ -133,4 +133,18 @@ export const ONBOARD_PROVIDER_AUTH_FLAGS = [
         cliOption: "--qianfan-api-key <key>",
         description: "QIANFAN API key",
     },
+    {
+        optionKey: "volcengineApiKey",
+        authChoice: "volcengine-api-key",
+        cliFlag: "--volcengine-api-key",
+        cliOption: "--volcengine-api-key <key>",
+        description: "Volcano Engine API key",
+    },
+    {
+        optionKey: "byteplusApiKey",
+        authChoice: "byteplus-api-key",
+        cliFlag: "--byteplus-api-key",
+        cliOption: "--byteplus-api-key <key>",
+        description: "BytePlus API key",
+    },
 ];

package/dist/commands/onboard-remote.js

@@ -1,20 +1,24 @@
 import { discoverGatewayBeacons } from "../infra/bonjour-discovery.js";
+import { resolveWideAreaDiscoveryDomain } from "../infra/widearea-dns.js";
 import { detectBinary } from "./onboard-helpers.js";
 const DEFAULT_GATEWAY_URL = "ws://127.0.0.1:18789";
 function pickHost(beacon) {
-    return beacon.tailnetDns || beacon.lanHost || beacon.host;
+    // Security: TXT is unauthenticated. Prefer the resolved service endpoint host.
+    return beacon.host || beacon.tailnetDns || beacon.lanHost;
 }
 function buildLabel(beacon) {
     const host = pickHost(beacon);
-    const port = beacon.gatewayPort ?? beacon.port ?? 18789;
+    // Security: Prefer the resolved service endpoint port.
+    const port = beacon.port ?? beacon.gatewayPort ?? 18789;
     const title = beacon.displayName ?? beacon.instanceName;
     const hint = host ? `${host}:${port}` : "host unknown";
     return `${title} (${hint})`;
 }
 function ensureWsUrl(value) {
     const trimmed = value.trim();
-    if (!trimmed)
+    if (!trimmed) {
         return DEFAULT_GATEWAY_URL;
+    }
     return trimmed;
 }
 export async function promptRemoteGatewayConfig(cfg, prompter) {
@@ -34,8 +38,11 @@ export async function promptRemoteGatewayConfig(cfg, prompter) {
         ].join("\n"), "Discovery");
     }
     if (wantsDiscover) {
+        const wideAreaDomain = resolveWideAreaDiscoveryDomain({
+            configDomain: cfg.discovery?.wideArea?.domain,
+        });
         const spin = prompter.progress("Searching for gateways…");
-        const beacons = await discoverGatewayBeacons({ timeoutMs: 2000 });
+        const beacons = await discoverGatewayBeacons({ timeoutMs: 2000, wideAreaDomain });
         spin.stop(beacons.length > 0 ? `Found ${beacons.length} gateway(s)` : "No gateways found");
         if (beacons.length > 0) {
             const selection = await prompter.select({
@@ -56,7 +63,7 @@ export async function promptRemoteGatewayConfig(cfg, prompter) {
     }
     if (selectedBeacon) {
         const host = pickHost(selectedBeacon);
-        const port = selectedBeacon.gatewayPort ?? 18789;
+        const port = selectedBeacon.port ?? selectedBeacon.gatewayPort ?? 18789;
         if (host) {
             const mode = await prompter.select({
                 message: "Connection method",
@@ -89,13 +96,13 @@ export async function promptRemoteGatewayConfig(cfg, prompter) {
             : "URL must start with ws:// or wss://",
     });
     const url = ensureWsUrl(String(urlInput));
-    const authChoice = (await prompter.select({
+    const authChoice = await prompter.select({
         message: "Gateway auth",
         options: [
             { value: "token", label: "Token (recommended)" },
             { value: "off", label: "No auth" },
         ],
-    }));
+    });
     let token = cfg.gateway?.remote?.token ?? "";
     if (authChoice === "token") {
         token = String(await prompter.text({

package/dist/commands/onboard.js

@@ -1,31 +1,28 @@
+import { formatCliCommand } from "../cli/command-format.js";
 import { readConfigFileSnapshot } from "../config/config.js";
 import { assertSupportedRuntime } from "../infra/runtime-guard.js";
 import { defaultRuntime } from "../runtime.js";
 import { resolveUserPath } from "../utils.js";
+import { isDeprecatedAuthChoice, normalizeLegacyOnboardAuthChoice } from "./auth-choice-legacy.js";
 import { DEFAULT_WORKSPACE, handleReset } from "./onboard-helpers.js";
 import { runInteractiveOnboarding } from "./onboard-interactive.js";
 import { runNonInteractiveOnboarding } from "./onboard-non-interactive.js";
-import { formatCliCommand } from "../cli/command-format.js";
 export async function onboardCommand(opts, runtime = defaultRuntime) {
     assertSupportedRuntime(runtime);
-    const authChoice = opts.authChoice === "oauth" ? "setup-token" : opts.authChoice;
-    const normalizedAuthChoice = authChoice === "claude-cli"
-        ? "setup-token"
-        : authChoice === "codex-cli"
-            ? "openai-codex"
-            : authChoice;
-    if (opts.nonInteractive && (authChoice === "claude-cli" || authChoice === "codex-cli")) {
+    const originalAuthChoice = opts.authChoice;
+    const normalizedAuthChoice = normalizeLegacyOnboardAuthChoice(originalAuthChoice);
+    if (opts.nonInteractive && isDeprecatedAuthChoice(originalAuthChoice)) {
         runtime.error([
-            `Auth choice "${authChoice}" is deprecated.`,
+            `Auth choice "${String(originalAuthChoice)}" is deprecated.`,
             'Use "--auth-choice token" (Anthropic setup-token) or "--auth-choice openai-codex".',
         ].join("\n"));
         runtime.exit(1);
         return;
     }
-    if (authChoice === "claude-cli") {
+    if (originalAuthChoice === "claude-cli") {
         runtime.log('Auth choice "claude-cli" is deprecated; using setup-token flow instead.');
     }
-    if (authChoice === "codex-cli") {
+    if (originalAuthChoice === "codex-cli") {
         runtime.log('Auth choice "codex-cli" is deprecated; using OpenAI Codex OAuth instead.');
     }
     const flow = opts.flow === "manual" ? "advanced" : opts.flow;
@@ -49,8 +46,9 @@ export async function onboardCommand(opts, runtime = defaultRuntime) {
     }
     if (process.platform === "win32") {
         runtime.log([
-            "Windows detected.",
-            "WSL2 is strongly recommended; native Windows is untested and more problematic.",
+            "Windows detected — Pool Bot runs great on WSL2!",
+            "Native Windows might be trickier.",
+            "Quick setup: wsl --install (one command, one reboot)",
             "Guide: https://docs.molt.bot/windows",
         ].join("\n"));
     }

package/dist/commands/sandbox-display.js

@@ -2,7 +2,8 @@
  * Display utilities for sandbox CLI
  */
 import { formatCliCommand } from "../cli/command-format.js";
-import { formatAge, formatImageMatch, formatSimpleStatus, formatStatus, } from "./sandbox-formatters.js";
+import { formatDurationCompact } from "../infra/format-time/format-duration.js";
+import { formatImageMatch, formatSimpleStatus, formatStatus } from "./sandbox-formatters.js";
 function displayItems(items, config, runtime) {
     if (items.length === 0) {
         runtime.log(config.emptyMessage);
@@ -21,8 +22,8 @@ export function displayContainers(containers, runtime) {
             rt.log(`  ${container.containerName}`);
             rt.log(`    Status:  ${formatStatus(container.running)}`);
             rt.log(`    Image:   ${container.image} ${formatImageMatch(container.imageMatch)}`);
-            rt.log(`    Age:     ${formatAge(Date.now() - container.createdAtMs)}`);
-            rt.log(`    Idle:    ${formatAge(Date.now() - container.lastUsedAtMs)}`);
+            rt.log(`    Age:     ${formatDurationCompact(Date.now() - container.createdAtMs, { spaced: true }) ?? "0s"}`);
+            rt.log(`    Idle:    ${formatDurationCompact(Date.now() - container.lastUsedAtMs, { spaced: true }) ?? "0s"}`);
             rt.log(`    Session: ${container.sessionKey}`);
             rt.log("");
         },
@@ -40,8 +41,8 @@ export function displayBrowsers(browsers, runtime) {
             if (browser.noVncPort) {
                 rt.log(`    noVNC:   ${browser.noVncPort}`);
             }
-            rt.log(`    Age:     ${formatAge(Date.now() - browser.createdAtMs)}`);
-            rt.log(`    Idle:    ${formatAge(Date.now() - browser.lastUsedAtMs)}`);
+            rt.log(`    Age:     ${formatDurationCompact(Date.now() - browser.createdAtMs, { spaced: true }) ?? "0s"}`);
+            rt.log(`    Idle:    ${formatDurationCompact(Date.now() - browser.lastUsedAtMs, { spaced: true }) ?? "0s"}`);
             rt.log(`    Session: ${browser.sessionKey}`);
             rt.log("");
         },

package/dist/commands/status-all/diagnosis.js

@@ -1,7 +1,7 @@
 import { resolveGatewayLogPaths } from "../../daemon/launchd.js";
 import { formatPortDiagnostics } from "../../infra/ports.js";
 import { summarizeRestartSentinel, } from "../../infra/restart-sentinel.js";
-import { formatAge, redactSecrets } from "./format.js";
+import { formatTimeAgo, redactSecrets } from "./format.js";
 import { readFileTailLines, summarizeLogTail } from "./gateway.js";
 export async function appendStatusAllDiagnosis(params) {
     const { lines, muted, ok, warn, fail } = params;
@@ -11,7 +11,7 @@ export async function appendStatusAllDiagnosis(params) {
         lines.push(`${icon} ${colored}`);
     };
     lines.push("");
-    lines.push(`${muted("Gateway connection details:")}`);
+    lines.push(muted("Gateway connection details:"));
     for (const line of redactSecrets(params.connectionDetailsForReport)
         .split("\n")
         .map((l) => l.trimEnd())) {
@@ -40,7 +40,7 @@ export async function appendStatusAllDiagnosis(params) {
     }
     if (params.sentinel?.payload) {
         emitCheck("Restart sentinel present", "warn");
-        lines.push(`  ${muted(`${summarizeRestartSentinel(params.sentinel.payload)} · ${formatAge(Date.now() - params.sentinel.payload.ts)}`)}`);
+        lines.push(`  ${muted(`${summarizeRestartSentinel(params.sentinel.payload)} · ${formatTimeAgo(Date.now() - params.sentinel.payload.ts)}`)}`);
     }
     else {
         emitCheck("Restart sentinel: none", "ok");
@@ -49,7 +49,7 @@ export async function appendStatusAllDiagnosis(params) {
     const isTrivialLastErr = lastErrClean.length < 8 || lastErrClean === "}" || lastErrClean === "{";
     if (lastErrClean && !isTrivialLastErr) {
         lines.push("");
-        lines.push(`${muted("Gateway last log line:")}`);
+        lines.push(muted("Gateway last log line:"));
         lines.push(`  ${muted(redactSecrets(lastErrClean))}`);
     }
     if (params.portUsage) {
@@ -101,7 +101,7 @@ export async function appendStatusAllDiagnosis(params) {
         ]);
         if (stderrTail.length > 0 || stdoutTail.length > 0) {
             lines.push("");
-            lines.push(`${muted(`Gateway logs (tail, summarized): ${logPaths.logDir}`)}`);
+            lines.push(muted(`Gateway logs (tail, summarized): ${logPaths.logDir}`));
             lines.push(`  ${muted(`# stderr: ${logPaths.stderrPath}`)}`);
             for (const line of summarizeLogTail(stderrTail, { maxLines: 22 }).map(redactSecrets)) {
                 lines.push(`  ${muted(line)}`);
@@ -127,16 +127,20 @@ export async function appendStatusAllDiagnosis(params) {
         emitCheck(`Channel issues skipped (gateway ${params.gatewayReachable ? "query failed" : "unreachable"})`, "warn");
     }
     const healthErr = (() => {
-        if (!params.health || typeof params.health !== "object")
+        if (!params.health || typeof params.health !== "object") {
             return "";
+        }
         const record = params.health;
-        if (!("error" in record))
+        if (!("error" in record)) {
             return "";
+        }
         const value = record.error;
-        if (!value)
+        if (!value) {
             return "";
-        if (typeof value === "string")
+        }
+        if (typeof value === "string") {
             return value;
+        }
         try {
             return JSON.stringify(value, null, 2);
         }
@@ -146,7 +150,7 @@ export async function appendStatusAllDiagnosis(params) {
     })();
     if (healthErr) {
         lines.push("");
-        lines.push(`${muted("Gateway health:")}`);
+        lines.push(muted("Gateway health:"));
         lines.push(`  ${muted(redactSecrets(healthErr))}`);
     }
     lines.push("");