@poolzin/pool-bot 2026.3.22 → 2026.3.24

package/dist/commands/ollama-setup.js

@@ -0,0 +1,402 @@
+import { upsertAuthProfileWithLock } from "../agents/auth-profiles.js";
+import { OLLAMA_DEFAULT_BASE_URL, buildOllamaModelDefinition, enrichOllamaModelsWithContext, fetchOllamaModels, resolveOllamaApiBase, } from "../agents/ollama-models.js";
+import { WizardCancelledError } from "../wizard/prompts.js";
+import { isRemoteEnvironment } from "./oauth-env.js";
+import { applyAgentDefaultModelPrimary } from "./onboard-auth.config-shared.js";
+import { openUrl } from "./onboard-helpers.js";
+export { OLLAMA_DEFAULT_BASE_URL } from "../agents/ollama-models.js";
+export const OLLAMA_DEFAULT_MODEL = "glm-4.7-flash";
+const OLLAMA_SUGGESTED_MODELS_LOCAL = ["glm-4.7-flash"];
+const OLLAMA_SUGGESTED_MODELS_CLOUD = ["kimi-k2.5:cloud", "minimax-m2.5:cloud", "glm-5:cloud"];
+function normalizeOllamaModelName(value) {
+    const trimmed = value?.trim();
+    if (!trimmed) {
+        return undefined;
+    }
+    if (trimmed.toLowerCase().startsWith("ollama/")) {
+        const withoutPrefix = trimmed.slice("ollama/".length).trim();
+        return withoutPrefix || undefined;
+    }
+    return trimmed;
+}
+function isOllamaCloudModel(modelName) {
+    return Boolean(modelName?.trim().toLowerCase().endsWith(":cloud"));
+}
+function formatOllamaPullStatus(status) {
+    const trimmed = status.trim();
+    const partStatusMatch = trimmed.match(/^([a-z-]+)\s+(?:sha256:)?[a-f0-9]{8,}$/i);
+    if (partStatusMatch) {
+        return { text: `${partStatusMatch[1]} part`, hidePercent: false };
+    }
+    if (/^verifying\b.*\bdigest\b/i.test(trimmed)) {
+        return { text: "verifying digest", hidePercent: true };
+    }
+    return { text: trimmed, hidePercent: false };
+}
+/** Check if the user is signed in to Ollama cloud via /api/me. */
+async function checkOllamaCloudAuth(baseUrl) {
+    try {
+        const apiBase = resolveOllamaApiBase(baseUrl);
+        const response = await fetch(`${apiBase}/api/me`, {
+            method: "POST",
+            signal: AbortSignal.timeout(5000),
+        });
+        if (response.status === 401) {
+            // 401 body contains { error, signin_url }
+            const data = (await response.json());
+            return { signedIn: false, signinUrl: data.signin_url };
+        }
+        if (!response.ok) {
+            return { signedIn: false };
+        }
+        return { signedIn: true };
+    }
+    catch {
+        // /api/me not supported or unreachable — fail closed so cloud mode
+        // doesn't silently skip auth; the caller handles the fallback.
+        return { signedIn: false };
+    }
+}
+async function pullOllamaModelCore(params) {
+    const { onStatus } = params;
+    const baseUrl = resolveOllamaApiBase(params.baseUrl);
+    const modelName = normalizeOllamaModelName(params.modelName) ?? params.modelName.trim();
+    try {
+        const response = await fetch(`${baseUrl}/api/pull`, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({ name: modelName }),
+        });
+        if (!response.ok) {
+            return {
+                ok: false,
+                kind: "http",
+                message: `Failed to download ${modelName} (HTTP ${response.status})`,
+            };
+        }
+        if (!response.body) {
+            return {
+                ok: false,
+                kind: "no-body",
+                message: `Failed to download ${modelName} (no response body)`,
+            };
+        }
+        const reader = response.body.getReader();
+        const decoder = new TextDecoder();
+        let buffer = "";
+        const layers = new Map();
+        const parseLine = (line) => {
+            const trimmed = line.trim();
+            if (!trimmed) {
+                return { ok: true };
+            }
+            try {
+                const chunk = JSON.parse(trimmed);
+                if (chunk.error) {
+                    return {
+                        ok: false,
+                        kind: "chunk-error",
+                        message: `Download failed: ${chunk.error}`,
+                    };
+                }
+                if (!chunk.status) {
+                    return { ok: true };
+                }
+                if (chunk.total && chunk.completed !== undefined) {
+                    layers.set(chunk.status, { total: chunk.total, completed: chunk.completed });
+                    let totalSum = 0;
+                    let completedSum = 0;
+                    for (const layer of layers.values()) {
+                        totalSum += layer.total;
+                        completedSum += layer.completed;
+                    }
+                    const percent = totalSum > 0 ? Math.round((completedSum / totalSum) * 100) : null;
+                    onStatus?.(chunk.status, percent);
+                }
+                else {
+                    onStatus?.(chunk.status, null);
+                }
+            }
+            catch {
+                // Ignore malformed lines from streaming output.
+            }
+            return { ok: true };
+        };
+        for (;;) {
+            const { done, value } = await reader.read();
+            if (done) {
+                break;
+            }
+            buffer += decoder.decode(value, { stream: true });
+            const lines = buffer.split("\n");
+            buffer = lines.pop() ?? "";
+            for (const line of lines) {
+                const parsed = parseLine(line);
+                if (!parsed.ok) {
+                    return parsed;
+                }
+            }
+        }
+        const trailing = buffer.trim();
+        if (trailing) {
+            const parsed = parseLine(trailing);
+            if (!parsed.ok) {
+                return parsed;
+            }
+        }
+        return { ok: true };
+    }
+    catch (err) {
+        const reason = err instanceof Error ? err.message : String(err);
+        return {
+            ok: false,
+            kind: "network",
+            message: `Failed to download ${modelName}: ${reason}`,
+        };
+    }
+}
+/** Pull a model from Ollama, streaming progress updates. */
+async function pullOllamaModel(baseUrl, modelName, prompter) {
+    const spinner = prompter.progress(`Downloading ${modelName}...`);
+    const result = await pullOllamaModelCore({
+        baseUrl,
+        modelName,
+        onStatus: (status, percent) => {
+            const displayStatus = formatOllamaPullStatus(status);
+            if (displayStatus.hidePercent) {
+                spinner.update(`Downloading ${modelName} - ${displayStatus.text}`);
+            }
+            else {
+                spinner.update(`Downloading ${modelName} - ${displayStatus.text} - ${percent ?? 0}%`);
+            }
+        },
+    });
+    if (!result.ok) {
+        spinner.stop(result.message);
+        return false;
+    }
+    spinner.stop(`Downloaded ${modelName}`);
+    return true;
+}
+async function pullOllamaModelNonInteractive(baseUrl, modelName, runtime) {
+    runtime.log(`Downloading ${modelName}...`);
+    const result = await pullOllamaModelCore({ baseUrl, modelName });
+    if (!result.ok) {
+        runtime.error(result.message);
+        return false;
+    }
+    runtime.log(`Downloaded ${modelName}`);
+    return true;
+}
+function buildOllamaModelsConfig(modelNames, discoveredModelsByName) {
+    return modelNames.map((name) => buildOllamaModelDefinition(name, discoveredModelsByName?.get(name)?.contextWindow));
+}
+function applyOllamaProviderConfig(cfg, baseUrl, modelNames, discoveredModelsByName) {
+    return {
+        ...cfg,
+        models: {
+            ...cfg.models,
+            mode: cfg.models?.mode ?? "merge",
+            providers: {
+                ...cfg.models?.providers,
+                ollama: {
+                    baseUrl,
+                    api: "ollama",
+                    apiKey: "OLLAMA_API_KEY", // pragma: allowlist secret
+                    models: buildOllamaModelsConfig(modelNames, discoveredModelsByName),
+                },
+            },
+        },
+    };
+}
+async function storeOllamaCredential(agentDir) {
+    await upsertAuthProfileWithLock({
+        profileId: "ollama:default",
+        credential: { type: "api_key", provider: "ollama", key: "ollama-local" },
+        agentDir,
+    });
+}
+/**
+ * Interactive: prompt for base URL, discover models, configure provider.
+ * Model selection is handled by the standard model picker downstream.
+ */
+export async function promptAndConfigureOllama(params) {
+    const { prompter } = params;
+    // 1. Prompt base URL
+    const baseUrlRaw = await prompter.text({
+        message: "Ollama base URL",
+        initialValue: OLLAMA_DEFAULT_BASE_URL,
+        placeholder: OLLAMA_DEFAULT_BASE_URL,
+        validate: (value) => (value?.trim() ? undefined : "Required"),
+    });
+    const configuredBaseUrl = String(baseUrlRaw ?? "")
+        .trim()
+        .replace(/\/+$/, "");
+    const baseUrl = resolveOllamaApiBase(configuredBaseUrl);
+    // 2. Check reachability
+    const { reachable, models } = await fetchOllamaModels(baseUrl);
+    if (!reachable) {
+        await prompter.note([
+            `Ollama could not be reached at ${baseUrl}.`,
+            "Download it at https://ollama.com/download",
+            "",
+            "Start Ollama and re-run onboarding.",
+        ].join("\n"), "Ollama");
+        throw new WizardCancelledError("Ollama not reachable");
+    }
+    const enrichedModels = await enrichOllamaModelsWithContext(baseUrl, models.slice(0, 50));
+    const discoveredModelsByName = new Map(enrichedModels.map((model) => [model.name, model]));
+    const modelNames = models.map((m) => m.name);
+    // 3. Mode selection
+    const mode = (await prompter.select({
+        message: "Ollama mode",
+        options: [
+            { value: "remote", label: "Cloud + Local", hint: "Ollama cloud models + local models" },
+            { value: "local", label: "Local", hint: "Local models only" },
+        ],
+    }));
+    // 4. Cloud auth — check /api/me upfront for remote (cloud+local) mode
+    let cloudAuthVerified = false;
+    if (mode === "remote") {
+        const authResult = await checkOllamaCloudAuth(baseUrl);
+        if (!authResult.signedIn) {
+            if (authResult.signinUrl) {
+                if (!isRemoteEnvironment()) {
+                    await openUrl(authResult.signinUrl);
+                }
+                await prompter.note(["Sign in to Ollama Cloud:", authResult.signinUrl].join("\n"), "Ollama Cloud");
+                const confirmed = await prompter.confirm({
+                    message: "Have you signed in?",
+                });
+                if (!confirmed) {
+                    throw new WizardCancelledError("Ollama cloud sign-in cancelled");
+                }
+                // Re-check after user claims sign-in
+                const recheck = await checkOllamaCloudAuth(baseUrl);
+                if (!recheck.signedIn) {
+                    throw new WizardCancelledError("Ollama cloud sign-in required");
+                }
+                cloudAuthVerified = true;
+            }
+            else {
+                // No signin URL available (older server, unreachable /api/me, or custom gateway).
+                await prompter.note([
+                    "Could not verify Ollama Cloud authentication.",
+                    "Cloud models may not work until you sign in at https://ollama.com.",
+                ].join("\n"), "Ollama Cloud");
+                const continueAnyway = await prompter.confirm({
+                    message: "Continue without cloud auth?",
+                });
+                if (!continueAnyway) {
+                    throw new WizardCancelledError("Ollama cloud auth could not be verified");
+                }
+                // Cloud auth unverified — fall back to local defaults so the model
+                // picker doesn't steer toward cloud models that may fail.
+            }
+        }
+        else {
+            cloudAuthVerified = true;
+        }
+    }
+    // 5. Model ordering — suggested models first.
+    // Use cloud defaults only when auth was actually verified; otherwise fall
+    // back to local defaults so the user isn't steered toward cloud models
+    // that may fail at runtime.
+    const suggestedModels = mode === "local" || !cloudAuthVerified
+        ? OLLAMA_SUGGESTED_MODELS_LOCAL
+        : OLLAMA_SUGGESTED_MODELS_CLOUD;
+    const orderedModelNames = [
+        ...suggestedModels,
+        ...modelNames.filter((name) => !suggestedModels.includes(name)),
+    ];
+    const defaultModelId = suggestedModels[0] ?? OLLAMA_DEFAULT_MODEL;
+    const config = applyOllamaProviderConfig(params.cfg, baseUrl, orderedModelNames, discoveredModelsByName);
+    return { config, defaultModelId };
+}
+/** Non-interactive: auto-discover models and configure provider. */
+export async function configureOllamaNonInteractive(params) {
+    const { opts, runtime } = params;
+    const configuredBaseUrl = (opts.customBaseUrl?.trim() || OLLAMA_DEFAULT_BASE_URL).replace(/\/+$/, "");
+    const baseUrl = resolveOllamaApiBase(configuredBaseUrl);
+    const { reachable, models } = await fetchOllamaModels(baseUrl);
+    const explicitModel = normalizeOllamaModelName(opts.customModelId);
+    if (!reachable) {
+        runtime.error([
+            `Ollama could not be reached at ${baseUrl}.`,
+            "Download it at https://ollama.com/download",
+        ].join("\n"));
+        runtime.exit(1);
+        return params.nextConfig;
+    }
+    await storeOllamaCredential();
+    const enrichedModels = await enrichOllamaModelsWithContext(baseUrl, models.slice(0, 50));
+    const discoveredModelsByName = new Map(enrichedModels.map((model) => [model.name, model]));
+    const modelNames = models.map((m) => m.name);
+    // Apply local suggested model ordering.
+    const suggestedModels = OLLAMA_SUGGESTED_MODELS_LOCAL;
+    const orderedModelNames = [
+        ...suggestedModels,
+        ...modelNames.filter((name) => !suggestedModels.includes(name)),
+    ];
+    const requestedDefaultModelId = explicitModel ?? suggestedModels[0];
+    let pulledRequestedModel = false;
+    const availableModelNames = new Set(modelNames);
+    const requestedCloudModel = isOllamaCloudModel(requestedDefaultModelId);
+    if (requestedCloudModel) {
+        availableModelNames.add(requestedDefaultModelId);
+    }
+    // Pull if model not in discovered list and Ollama is reachable
+    if (!requestedCloudModel && !modelNames.includes(requestedDefaultModelId)) {
+        pulledRequestedModel = await pullOllamaModelNonInteractive(baseUrl, requestedDefaultModelId, runtime);
+        if (pulledRequestedModel) {
+            availableModelNames.add(requestedDefaultModelId);
+        }
+    }
+    let allModelNames = orderedModelNames;
+    let defaultModelId = requestedDefaultModelId;
+    if ((pulledRequestedModel || requestedCloudModel) &&
+        !allModelNames.includes(requestedDefaultModelId)) {
+        allModelNames = [...allModelNames, requestedDefaultModelId];
+    }
+    if (!availableModelNames.has(requestedDefaultModelId)) {
+        if (availableModelNames.size > 0) {
+            const firstAvailableModel = allModelNames.find((name) => availableModelNames.has(name)) ??
+                Array.from(availableModelNames)[0];
+            defaultModelId = firstAvailableModel;
+            runtime.log(`Ollama model ${requestedDefaultModelId} was not available; using ${defaultModelId} instead.`);
+        }
+        else {
+            runtime.error([
+                `No Ollama models are available at ${baseUrl}.`,
+                "Pull a model first, then re-run onboarding.",
+            ].join("\n"));
+            runtime.exit(1);
+            return params.nextConfig;
+        }
+    }
+    const config = applyOllamaProviderConfig(params.nextConfig, baseUrl, allModelNames, discoveredModelsByName);
+    const modelRef = `ollama/${defaultModelId}`;
+    runtime.log(`Default Ollama model: ${defaultModelId}`);
+    return applyAgentDefaultModelPrimary(config, modelRef);
+}
+/** Pull the configured default Ollama model if it isn't already available locally. */
+export async function ensureOllamaModelPulled(params) {
+    const modelCfg = params.config.agents?.defaults?.model;
+    const modelId = typeof modelCfg === "string" ? modelCfg : modelCfg?.primary;
+    if (!modelId?.startsWith("ollama/")) {
+        return;
+    }
+    const baseUrl = params.config.models?.providers?.ollama?.baseUrl ?? OLLAMA_DEFAULT_BASE_URL;
+    const modelName = modelId.slice("ollama/".length);
+    if (isOllamaCloudModel(modelName)) {
+        return;
+    }
+    const { models } = await fetchOllamaModels(baseUrl);
+    if (models.some((m) => m.name === modelName)) {
+        return;
+    }
+    const pulled = await pullOllamaModel(baseUrl, modelName, params.prompter);
+    if (!pulled) {
+        throw new WizardCancelledError("Failed to download selected Ollama model");
+    }
+}

package/dist/commands/security-owner-only.js

@@ -0,0 +1,86 @@
+/**
+ * Commands Security - Owner-Only Enforcement
+ *
+ * Security hardening for sensitive commands:
+ * - /config - Configuration management
+ * - /debug - Runtime debug information
+ *
+ * GHSA-commands-owner-only: Require sender ownership for owner-only commands
+ */
+/**
+ * List of owner-only commands
+ */
+export const OWNER_ONLY_COMMANDS = new Set([
+    "config",
+    "debug",
+    "config.set",
+    "config.get",
+    "config.reset",
+    "debug.gateway",
+    "debug.sessions",
+    "debug.memory",
+]);
+/**
+ * Check if a command requires owner-only access
+ */
+export function isOwnerOnlyCommand(command) {
+    const normalized = command.toLowerCase().trim();
+    return OWNER_ONLY_COMMANDS.has(normalized);
+}
+/**
+ * Validate sender ownership for owner-only commands
+ *
+ * Returns true if sender is authorized, false otherwise
+ */
+export function validateOwnerOnlyAccess(params) {
+    const { command, senderId, config } = params;
+    // Check if command requires owner-only access
+    if (!isOwnerOnlyCommand(command)) {
+        return true;
+    }
+    // Get owner ID from config (check multiple possible locations)
+    const ownerId = config.gateway?.ownerId ||
+        config?.ownerId ||
+        config.auth?.ownerId;
+    if (!ownerId) {
+        // No owner configured, allow access (legacy mode)
+        return true;
+    }
+    // Validate sender ownership
+    return senderId === ownerId;
+}
+/**
+ * Get owner-only command error message
+ */
+export function getOwnerOnlyErrorMessage(command) {
+    return `Command "${command}" requires owner access. Only the gateway owner can execute this command.`;
+}
+/**
+ * Analyze command security requirements
+ */
+export function analyzeCommandSecurity(params) {
+    const { command, senderId, config } = params;
+    const isOwnerOnly = isOwnerOnlyCommand(command);
+    const senderAuthorized = validateOwnerOnlyAccess({ command, senderId, config });
+    // Determine security level
+    let securityLevel;
+    if (isOwnerOnly) {
+        securityLevel = "owner";
+    }
+    else if (command.startsWith("admin.")) {
+        securityLevel = "admin";
+    }
+    else if (command.startsWith("user.")) {
+        securityLevel = "user";
+    }
+    else {
+        securityLevel = "public";
+    }
+    return {
+        command,
+        isOwnerOnly,
+        senderAuthorized,
+        requiresElevation: isOwnerOnly && !senderAuthorized,
+        securityLevel,
+    };
+}

package/dist/commands/self-hosted-provider-setup.js

@@ -0,0 +1,207 @@
+import { upsertAuthProfileWithLock } from "../agents/auth-profiles.js";
+import { applyAuthProfileConfig } from "./onboard-auth.js";
+export const SELF_HOSTED_DEFAULT_CONTEXT_WINDOW = 128000;
+export const SELF_HOSTED_DEFAULT_MAX_TOKENS = 8192;
+export const SELF_HOSTED_DEFAULT_COST = {
+    input: 0,
+    output: 0,
+    cacheRead: 0,
+    cacheWrite: 0,
+};
+export function applyProviderDefaultModel(cfg, modelRef) {
+    const existingModel = cfg.agents?.defaults?.model;
+    const fallbacks = existingModel && typeof existingModel === "object" && "fallbacks" in existingModel
+        ? existingModel.fallbacks
+        : undefined;
+    return {
+        ...cfg,
+        agents: {
+            ...cfg.agents,
+            defaults: {
+                ...cfg.agents?.defaults,
+                model: {
+                    ...(fallbacks ? { fallbacks } : undefined),
+                    primary: modelRef,
+                },
+            },
+        },
+    };
+}
+function buildOpenAICompatibleSelfHostedProviderConfig(params) {
+    const modelRef = `${params.providerId}/${params.modelId}`;
+    const profileId = `${params.providerId}:default`;
+    return {
+        config: {
+            ...params.cfg,
+            models: {
+                ...params.cfg.models,
+                mode: params.cfg.models?.mode ?? "merge",
+                providers: {
+                    ...params.cfg.models?.providers,
+                    [params.providerId]: {
+                        baseUrl: params.baseUrl,
+                        api: "openai-completions",
+                        apiKey: params.providerApiKey,
+                        models: [
+                            {
+                                id: params.modelId,
+                                name: params.modelId,
+                                reasoning: params.reasoning ?? false,
+                                input: params.input ?? ["text"],
+                                cost: SELF_HOSTED_DEFAULT_COST,
+                                contextWindow: params.contextWindow ?? SELF_HOSTED_DEFAULT_CONTEXT_WINDOW,
+                                maxTokens: params.maxTokens ?? SELF_HOSTED_DEFAULT_MAX_TOKENS,
+                            },
+                        ],
+                    },
+                },
+            },
+        },
+        modelId: params.modelId,
+        modelRef,
+        profileId,
+    };
+}
+function buildSelfHostedProviderAuthResult(result) {
+    return {
+        profiles: [
+            {
+                profileId: result.profileId,
+                credential: result.credential,
+            },
+        ],
+        configPatch: result.config,
+        defaultModel: result.modelRef,
+    };
+}
+export async function promptAndConfigureOpenAICompatibleSelfHostedProvider(params) {
+    const baseUrlRaw = await params.prompter.text({
+        message: `${params.providerLabel} base URL`,
+        initialValue: params.defaultBaseUrl,
+        placeholder: params.defaultBaseUrl,
+        validate: (value) => (value?.trim() ? undefined : "Required"),
+    });
+    const apiKeyRaw = await params.prompter.text({
+        message: `${params.providerLabel} API key`,
+        placeholder: "sk-... (or any non-empty string)",
+        validate: (value) => (value?.trim() ? undefined : "Required"),
+    });
+    const modelIdRaw = await params.prompter.text({
+        message: `${params.providerLabel} model`,
+        placeholder: params.modelPlaceholder,
+        validate: (value) => (value?.trim() ? undefined : "Required"),
+    });
+    const baseUrl = String(baseUrlRaw ?? "")
+        .trim()
+        .replace(/\/+$/, "");
+    const apiKey = String(apiKeyRaw ?? "").trim();
+    const modelId = String(modelIdRaw ?? "").trim();
+    const credential = {
+        type: "api_key",
+        provider: params.providerId,
+        key: apiKey,
+    };
+    const configured = buildOpenAICompatibleSelfHostedProviderConfig({
+        cfg: params.cfg,
+        providerId: params.providerId,
+        baseUrl,
+        providerApiKey: params.defaultApiKeyEnvVar,
+        modelId,
+        input: params.input,
+        reasoning: params.reasoning,
+        contextWindow: params.contextWindow,
+        maxTokens: params.maxTokens,
+    });
+    return {
+        config: configured.config,
+        credential,
+        modelId: configured.modelId,
+        modelRef: configured.modelRef,
+        profileId: configured.profileId,
+    };
+}
+export async function promptAndConfigureOpenAICompatibleSelfHostedProviderAuth(params) {
+    const result = await promptAndConfigureOpenAICompatibleSelfHostedProvider(params);
+    return buildSelfHostedProviderAuthResult(result);
+}
+export async function discoverOpenAICompatibleSelfHostedProvider(params) {
+    if (params.ctx.config.models?.providers?.[params.providerId]) {
+        return null;
+    }
+    const { apiKey, discoveryApiKey } = params.ctx.resolveProviderApiKey(params.providerId);
+    if (!apiKey) {
+        return null;
+    }
+    return {
+        provider: {
+            ...(await params.buildProvider({ apiKey: discoveryApiKey })),
+            apiKey,
+        },
+    };
+}
+function buildMissingNonInteractiveModelIdMessage(params) {
+    return [
+        `Missing --custom-model-id for --auth-choice ${params.authChoice}.`,
+        `Pass the ${params.providerLabel} model id to use, for example ${params.modelPlaceholder}.`,
+    ].join("\n");
+}
+function buildSelfHostedProviderCredential(params) {
+    return params.ctx.toApiKeyCredential({
+        provider: params.providerId,
+        resolved: params.resolved,
+    });
+}
+export async function configureOpenAICompatibleSelfHostedProviderNonInteractive(params) {
+    const baseUrl = (params.ctx.opts.customBaseUrl?.trim() || params.defaultBaseUrl).replace(/\/+$/, "");
+    const modelId = params.ctx.opts.customModelId?.trim();
+    if (!modelId) {
+        params.ctx.runtime.error(buildMissingNonInteractiveModelIdMessage({
+            authChoice: params.ctx.authChoice,
+            providerLabel: params.providerLabel,
+            modelPlaceholder: params.modelPlaceholder,
+        }));
+        params.ctx.runtime.exit(1);
+        return null;
+    }
+    const resolved = await params.ctx.resolveApiKey({
+        provider: params.providerId,
+        flagValue: params.ctx.opts.customApiKey,
+        flagName: "--custom-api-key",
+        envVar: params.defaultApiKeyEnvVar,
+        envVarName: params.defaultApiKeyEnvVar,
+    });
+    if (!resolved) {
+        return null;
+    }
+    const credential = buildSelfHostedProviderCredential({
+        ctx: params.ctx,
+        providerId: params.providerId,
+        resolved,
+    });
+    if (!credential) {
+        return null;
+    }
+    const configured = buildOpenAICompatibleSelfHostedProviderConfig({
+        cfg: params.ctx.config,
+        providerId: params.providerId,
+        baseUrl,
+        providerApiKey: params.defaultApiKeyEnvVar,
+        modelId,
+        input: params.input,
+        reasoning: params.reasoning,
+        contextWindow: params.contextWindow,
+        maxTokens: params.maxTokens,
+    });
+    await upsertAuthProfileWithLock({
+        profileId: configured.profileId,
+        credential,
+        agentDir: params.ctx.agentDir,
+    });
+    const withProfile = applyAuthProfileConfig(configured.config, {
+        profileId: configured.profileId,
+        provider: params.providerId,
+        mode: "api_key",
+    });
+    params.ctx.runtime.log(`Default ${params.providerLabel} model: ${modelId}`);
+    return applyProviderDefaultModel(withProfile, configured.modelRef);
+}