@scira/cli 0.1.5 → 0.1.7

package/dist/config/env-store.js

@@ -1,10 +1,12 @@
 import process from "node:process";
 import { readFileSync } from "node:fs";
-import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { mkdir } from "node:fs/promises";
 import { homedir } from "node:os";
 import { join } from "node:path";
 export const MANAGED_ENV_KEYS = [
     "AI_GATEWAY_API_KEY",
+    "ANTHROPIC_API_KEY",
+    "OPENAI_API_KEY",
     "XAI_API_KEY",
     "CLOUDFLARE_ACCOUNT_ID",
     "CLOUDFLARE_API_TOKEN",
@@ -79,7 +81,7 @@ export async function setEnvKey(name, value) {
     await mkdir(join(homedir(), ".scira"), { recursive: true });
     let content = "";
     try {
-        content = await readFile(path, "utf8");
+        content = await Bun.file(path).text();
     }
     catch {
         content = "";
@@ -95,6 +97,6 @@ export async function setEnvKey(name, value) {
             lines.pop();
         lines.push(entry);
     }
-    await writeFile(path, `${lines.join("\n")}\n`);
+    await Bun.write(path, `${lines.join("\n")}\n`);
     process.env[name] = value;
 }

package/dist/config/load-config.js

@@ -1,4 +1,4 @@
-import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { mkdir } from "node:fs/promises";
 import { homedir } from "node:os";
 import { dirname, join } from "node:path";
 import { SciraConfigSchema } from "../types/index.js";
@@ -25,34 +25,29 @@ export async function loadConfig(projectRoot = process.cwd()) {
 }
 export async function saveGlobalConfig(config) {
     await mkdir(dirname(globalConfigPath), { recursive: true });
-    await writeFile(globalConfigPath, `${JSON.stringify(config, null, 2)}\n`);
+    await Bun.write(globalConfigPath, `${JSON.stringify(config, null, 2)}\n`);
 }
 export async function saveGlobalMcpConfig(config) {
     const globalConfig = await readConfigFile(globalConfigPath);
     const next = { ...globalConfig, mcp: config };
     await mkdir(dirname(globalConfigPath), { recursive: true });
-    await writeFile(globalConfigPath, `${JSON.stringify(next, null, 2)}\n`);
+    await Bun.write(globalConfigPath, `${JSON.stringify(next, null, 2)}\n`);
 }
 export async function saveProjectConfig(config, projectRoot = process.cwd()) {
     const projectConfigPath = join(projectRoot, ".scira", "config.json");
     await mkdir(dirname(projectConfigPath), { recursive: true });
-    await writeFile(projectConfigPath, `${JSON.stringify(config, null, 2)}\n`);
+    await Bun.write(projectConfigPath, `${JSON.stringify(config, null, 2)}\n`);
 }
 export async function saveProjectMcpConfig(config, projectRoot = process.cwd()) {
     const projectConfigPath = join(projectRoot, ".scira", "config.json");
     const projectConfig = await readConfigFile(projectConfigPath);
     const next = { ...projectConfig, mcp: config };
     await mkdir(dirname(projectConfigPath), { recursive: true });
-    await writeFile(projectConfigPath, `${JSON.stringify(next, null, 2)}\n`);
+    await Bun.write(projectConfigPath, `${JSON.stringify(next, null, 2)}\n`);
 }
 async function readConfigFile(path) {
-    try {
-        return JSON.parse(await readFile(path, "utf8"));
-    }
-    catch (error) {
-        if (error.code === "ENOENT") {
-            return {};
-        }
-        throw error;
-    }
+    const file = Bun.file(path);
+    if (!(await file.exists()))
+        return {};
+    return (await file.json());
 }

package/dist/providers/harness/local-sandbox.js

@@ -0,0 +1,143 @@
+import { promises as fs } from "node:fs";
+import net from "node:net";
+import path from "node:path";
+/** Ask the OS for a free TCP port by binding to :0, then release it for the bridge to claim. */
+function reserveFreePort() {
+    return new Promise((resolve, reject) => {
+        const srv = net.createServer();
+        srv.once("error", reject);
+        srv.listen(0, "127.0.0.1", () => {
+            const address = srv.address();
+            const port = typeof address === "object" && address ? address.port : 0;
+            srv.close(() => (port ? resolve(port) : reject(new Error("Could not reserve a free port"))));
+        });
+    });
+}
+function spawnProcess(command, opts, rootDir, baseEnv, stripEnv) {
+    const env = { ...process.env, ...baseEnv, ...opts.env };
+    for (const name of stripEnv)
+        delete env[name];
+    // Bun.spawn takes an argv array, not a shell string — wrap in the platform shell.
+    const argv = process.platform === "win32" ? ["cmd", "/c", command] : ["sh", "-c", command];
+    const proc = Bun.spawn(argv, {
+        cwd: opts.workingDirectory ?? rootDir,
+        env,
+        stdout: "pipe",
+        stderr: "pipe",
+        ...(opts.abortSignal ? { signal: opts.abortSignal } : {}),
+    });
+    return {
+        pid: proc.pid,
+        // Bun.spawn pipes are already web ReadableStreams — no node:stream bridging.
+        stdout: proc.stdout,
+        stderr: proc.stderr,
+        wait: () => proc.exited.then((exitCode) => ({ exitCode })),
+        kill: async () => {
+            proc.kill();
+        },
+    };
+}
+function createLocalSession(rootDir, baseEnv, stripEnv) {
+    const resolve = (p) => (path.isAbsolute(p) ? p : path.join(rootDir, p));
+    return {
+        description: `Local machine sandbox. Root directory: ${rootDir}. Commands run as the ` +
+            `current OS user with full local filesystem and network access.`,
+        readFile: async ({ path: p }) => {
+            const file = Bun.file(resolve(p));
+            return (await file.exists()) ? file.stream() : null;
+        },
+        readBinaryFile: async ({ path: p }) => {
+            try {
+                return new Uint8Array(await fs.readFile(resolve(p)));
+            }
+            catch (e) {
+                if (e.code === "ENOENT")
+                    return null;
+                throw e;
+            }
+        },
+        readTextFile: async ({ path: p, encoding = "utf-8", startLine, endLine }) => {
+            let text;
+            try {
+                text = await fs.readFile(resolve(p), { encoding: encoding });
+            }
+            catch (e) {
+                if (e.code === "ENOENT")
+                    return null;
+                throw e;
+            }
+            if (startLine === undefined && endLine === undefined)
+                return text;
+            const lines = text.split("\n");
+            return lines.slice((startLine ?? 1) - 1, endLine ?? lines.length).join("\n");
+        },
+        writeFile: async ({ path: p, content }) => {
+            await fs.mkdir(path.dirname(resolve(p)), { recursive: true });
+            const chunks = [];
+            for await (const chunk of content) {
+                chunks.push(Buffer.from(chunk));
+            }
+            await fs.writeFile(resolve(p), Buffer.concat(chunks));
+        },
+        writeBinaryFile: async ({ path: p, content }) => {
+            await fs.mkdir(path.dirname(resolve(p)), { recursive: true });
+            await fs.writeFile(resolve(p), content);
+        },
+        writeTextFile: async ({ path: p, content, encoding = "utf-8" }) => {
+            await fs.mkdir(path.dirname(resolve(p)), { recursive: true });
+            await fs.writeFile(resolve(p), content, { encoding: encoding });
+        },
+        spawn: async (options) => spawnProcess(options.command, options, rootDir, baseEnv, stripEnv),
+        run: async (options) => {
+            const proc = spawnProcess(options.command, options, rootDir, baseEnv, stripEnv);
+            const [stdout, stderr, { exitCode }] = await Promise.all([
+                new Response(proc.stdout).text(),
+                new Response(proc.stderr).text(),
+                proc.wait(),
+            ]);
+            return { exitCode, stdout, stderr };
+        },
+    };
+}
+/**
+ * A {@link HarnessV1SandboxProvider} that runs everything on the local machine.
+ * Pair it with `claudeCode`/`codex` from the harness adapters.
+ */
+export function createLocalSandbox(options = {}) {
+    const rootDir = path.resolve(options.rootDir ?? process.cwd());
+    const baseEnv = options.env ?? {};
+    const stripEnv = options.stripEnv ?? [];
+    // A local "sandbox" has no durable remote resource — the bridge process is
+    // the only state, and it dies with this process. So create and resume are the
+    // same operation: a fresh bridge bound to the same rootDir. Cross-process
+    // continuity comes from the adapter's resume state (the CLI's native session
+    // id) replaying conversation history from ~/.claude / ~/.codex, plus the files
+    // persisting on disk.
+    const buildSession = async () => {
+        await fs.mkdir(rootDir, { recursive: true });
+        const session = createLocalSession(rootDir, baseEnv, stripEnv);
+        // The bridge binds to a sandbox-declared TCP port. On a local sandbox we
+        // reserve a free loopback port and advertise it; the bridge listens there
+        // and we reach it over 127.0.0.1.
+        const bridgePort = await reserveFreePort();
+        return {
+            ...session,
+            id: `local-${path.basename(rootDir)}`,
+            defaultWorkingDirectory: rootDir,
+            ports: [bridgePort],
+            getPortUrl: async ({ port, protocol = "http" }) => {
+                const scheme = protocol === "ws" ? "ws" : protocol;
+                return `${scheme}://127.0.0.1:${port}`;
+            },
+            stop: async () => { },
+            destroy: async () => { },
+            restricted: () => session,
+        };
+    };
+    return {
+        specificationVersion: "harness-sandbox-v1",
+        providerId: "local-fs",
+        createSession: buildSession,
+        resumeSession: buildSession,
+    };
+}

package/dist/providers/llm/gateway.js

@@ -1,5 +1,5 @@
 import { generateText, gateway } from "ai";
-import { getLanguageModel, requireLlmKeys, defaultModelFor } from "./registry.js";
+import { getLanguageModel, requireLlmKeys, defaultModelFor, isHarnessProvider } from "./registry.js";
 async function fetchModelsRaw() {
     const headers = {};
     if (process.env.AI_GATEWAY_API_KEY) {
@@ -55,8 +55,11 @@ export async function chooseConfiguredModel(config) {
     return config.model || defaultModelFor(config.llmProvider);
 }
 export async function generateWithGateway(config, prompt, system) {
+    // Harness providers aren't language models; use the AI Gateway directly for
+    // these utility generations (e.g. run titles) when a gateway key is present.
+    const model = isHarnessProvider(config.llmProvider) ? gateway(DEFAULT_MODEL) : getLanguageModel(config);
     const result = await generateText({
-        model: getLanguageModel(config),
+        model,
         system,
         prompt
     });

package/dist/providers/llm/models.js

@@ -24,6 +24,17 @@ const STATIC_MODELS = {
         { id: "Qwen/Qwen2.5-72B-Instruct", name: "Qwen 2.5 72B Instruct" },
         { id: "mistralai/Mistral-7B-Instruct-v0.3", name: "Mistral 7B Instruct v0.3" },
         { id: "deepseek-ai/DeepSeek-V3", name: "DeepSeek V3" }
+    ],
+    "claude-code": [
+        { id: "claude-sonnet-4-6", name: "Claude Sonnet 4.6" },
+        { id: "claude-opus-4-8", name: "Claude Opus 4.8" },
+        { id: "claude-haiku-4-5", name: "Claude Haiku 4.5" }
+    ],
+    codex: [
+        { id: "gpt-5.5", name: "GPT-5.5" },
+        { id: "gpt-5.4", name: "GPT-5.4" },
+        { id: "gpt-5.4-mini", name: "GPT-5.4-Mini" },
+        { id: "gpt-5.3-codex-spark", name: "GPT-5.3-Codex-Spark" }
     ]
 };
 async function listXaiModels() {
@@ -31,15 +42,16 @@ async function listXaiModels() {
     if (!key)
         return STATIC_MODELS.xai;
     try {
-        // OpenAI-compatible models endpoint
-        const response = await fetch("https://api.x.ai/v1/models", {
+        // The language-models endpoint returns only text/chat models (it excludes
+        // the image/video/embedding models that /v1/models lists).
+        const response = await fetch("https://api.x.ai/v1/language-models", {
             headers: { Authorization: `Bearer ${key}` },
             signal: AbortSignal.timeout(15000)
         });
         if (!response.ok)
-            throw new Error(`xAI models endpoint returned ${response.status}`);
+            throw new Error(`xAI language-models endpoint returned ${response.status}`);
         const payload = await response.json();
-        const models = (payload.data ?? []).map((m) => ({ id: m.id }));
+        const models = (payload.models ?? payload.data ?? []).map((m) => ({ id: m.id }));
         return models.length > 0 ? models : STATIC_MODELS.xai;
     }
     catch {
@@ -92,6 +104,8 @@ export async function listModels(config) {
         case "xai": return listXaiModels();
         case "workers-ai": return listWorkersAiModels();
         case "huggingface": return listHuggingFaceModelsWrapper();
+        case "claude-code": return STATIC_MODELS["claude-code"];
+        case "codex": return STATIC_MODELS.codex;
         default: return (await listToolUseModels()).map((m) => ({ id: m.id, name: m.name }));
     }
 }

package/dist/providers/llm/readiness.js

@@ -25,17 +25,21 @@ export function requireSearchProvider(provider) {
 }
 const LLM_ENV_CHECKS = [
     { name: AI_GATEWAY_ENV, provider: "gateway", purpose: "Vercel AI Gateway LLM access" },
+    { name: "ANTHROPIC_API_KEY", provider: "claude-code", purpose: "Claude Code (local harness) access" },
+    { name: "OPENAI_API_KEY", provider: "codex", purpose: "Codex (local harness) access" },
     { name: "XAI_API_KEY", provider: "xai", purpose: "xAI (Grok) LLM access" },
     { name: "CLOUDFLARE_ACCOUNT_ID", provider: "workers-ai", purpose: "Cloudflare Workers AI account" },
     { name: "CLOUDFLARE_API_TOKEN", provider: "workers-ai", purpose: "Cloudflare Workers AI LLM access" },
     { name: "HF_API_KEY", provider: "huggingface", purpose: "HuggingFace Inference API access" }
 ];
 export function detectEnv(provider, llmProvider = "gateway") {
+    // Local harness providers authenticate via the CLI login, so their API key is optional.
+    const harnessActive = llmProvider === "claude-code" || llmProvider === "codex";
     const checks = LLM_ENV_CHECKS.map((c) => ({
         name: c.name,
         present: hasEnv(c.name),
         purpose: c.purpose,
-        required: c.provider === llmProvider
+        required: c.provider === llmProvider && !harnessActive
     }));
     for (const key of Object.keys(PROVIDER_ENV)) {
         const name = PROVIDER_ENV[key];

package/dist/providers/llm/registry.js

@@ -3,31 +3,49 @@ import { createXai } from "@ai-sdk/xai";
 import { createWorkersAI } from "workers-ai-provider";
 import { createOpenAICompatible } from "@ai-sdk/openai-compatible";
 import { hasEnv } from "./readiness.js";
-export const LLM_PROVIDERS = ["gateway", "xai", "workers-ai", "huggingface"];
+/** Providers that run a local agent harness (their own tool loop + CLI) rather than a bare language model. */
+export const HARNESS_PROVIDERS = ["claude-code", "codex"];
+export function isHarnessProvider(provider) {
+    return HARNESS_PROVIDERS.includes(provider);
+}
+export const LLM_PROVIDERS = ["gateway", "xai", "workers-ai", "huggingface", "claude-code", "codex"];
 /** Human-readable names for the provider picker and status messages. */
 export const LLM_PROVIDER_LABELS = {
     gateway: "Vercel AI Gateway",
     xai: "xAI",
     "workers-ai": "Cloudflare Workers AI",
-    huggingface: "HuggingFace"
+    huggingface: "HuggingFace",
+    "claude-code": "Claude Code (local)",
+    codex: "Codex (local)"
 };
 /** Env vars each LLM provider needs before it can generate. */
 export const LLM_PROVIDER_ENV = {
     gateway: ["AI_GATEWAY_API_KEY"],
     xai: ["XAI_API_KEY"],
     "workers-ai": ["CLOUDFLARE_ACCOUNT_ID", "CLOUDFLARE_API_TOKEN"],
-    huggingface: ["HF_API_KEY"]
+    huggingface: ["HF_API_KEY"],
+    // Harness providers accept their native key OR the AI Gateway key (OR-checked
+    // in requireLlmKeys, not the default AND-of-all logic).
+    "claude-code": ["ANTHROPIC_API_KEY"],
+    codex: ["OPENAI_API_KEY"]
 };
 export function defaultModelFor(provider) {
     switch (provider) {
         case "xai": return "grok-build-0.1";
         case "workers-ai": return "@cf/moonshotai/kimi-k2.6";
         case "huggingface": return "meta-llama/Llama-3.3-70B-Instruct";
+        case "claude-code": return "claude-sonnet-4-6";
+        case "codex": return "gpt-5.5";
         default: return "deepseek/deepseek-v4-flash";
     }
 }
 /** Throw a setup-oriented error when the active LLM provider's env keys are missing. */
 export function requireLlmKeys(config) {
+    if (isHarnessProvider(config.llmProvider)) {
+        // No key required: the local harness uses the user's CLI login
+        // (claude login / codex login). An explicit API key is optional.
+        return;
+    }
     const missing = LLM_PROVIDER_ENV[config.llmProvider].filter((name) => !hasEnv(name));
     if (missing.length > 0) {
         throw new Error(`${missing.join(" and ")} ${missing.length === 1 ? "is" : "are"} required for the "${config.llmProvider}" LLM provider. Set ${missing.length === 1 ? "it" : "them"} with /key or in your environment.`);
@@ -36,6 +54,9 @@ export function requireLlmKeys(config) {
 /** Build the AI SDK language model for the configured provider + model id. */
 export function getLanguageModel(config) {
     requireLlmKeys(config);
+    if (isHarnessProvider(config.llmProvider)) {
+        throw new Error(`The "${config.llmProvider}" provider runs as a local agent harness, not a language model — drive it through the harness agent path, not getLanguageModel().`);
+    }
     switch (config.llmProvider) {
         case "xai":
             return createXai({ apiKey: process.env.XAI_API_KEY })(config.model);

package/dist/storage/jsonl.js

@@ -1,4 +1,4 @@
-import { mkdir, readFile, writeFile } from "node:fs/promises";
+import { mkdir, writeFile } from "node:fs/promises";
 import { dirname } from "node:path";
 export async function appendJsonl(path, value) {
     await mkdir(dirname(path), { recursive: true });
@@ -6,7 +6,7 @@ export async function appendJsonl(path, value) {
 }
 export async function readJsonl(path) {
     try {
-        const text = await readFile(path, "utf8");
+        const text = await Bun.file(path).text();
         const results = [];
         for (const line of text.split("\n")) {
             if (!line.trim())

package/dist/storage/run-store.js

@@ -1,7 +1,8 @@
-import { mkdir, readFile, readdir, rm, stat, writeFile } from "node:fs/promises";
+import { mkdir, readdir, rm, stat } from "node:fs/promises";
 import { join, resolve } from "node:path";
 import { createRunId } from "../utils/ids.js";
 import { appendJsonl, readJsonl } from "./jsonl.js";
+import { isHarnessProvider } from "../providers/llm/registry.js";
 export function getRunPaths(runPath) {
     return {
         root: runPath,
@@ -26,26 +27,32 @@ export async function createRun(goal, config, projectRoot = process.cwd()) {
     const paths = getRunPaths(runPath);
     await mkdir(paths.artifacts, { recursive: true });
     await mkdir(paths.snapshots, { recursive: true });
-    await writeFile(paths.goal, `# Goal\n\n${goal}\n`);
-    await writeFile(paths.plan, "# Research Plan\n\nPending plan generation.\n");
-    await writeFile(paths.research, researchInstructions());
-    await writeFile(paths.scope, `${JSON.stringify({ goal, maxSources: config.maxSources, citationPolicy: config.citationPolicy }, null, 2)}\n`);
-    await writeFile(paths.progress, progressText("created", "Generate and approve research plan."));
-    await writeFile(paths.sources, "");
-    await writeFile(paths.claims, "");
-    await writeFile(paths.notes, "# Notes\n\n");
-    await writeFile(paths.report, "# Report\n\nDraft not generated yet.\n");
-    await writeFile(paths.handoff, handoffText(goal, "created"));
+    await Bun.write(paths.goal, `# Goal\n\n${goal}\n`);
+    await Bun.write(paths.research, researchInstructions());
+    await Bun.write(paths.scope, `${JSON.stringify({ goal, maxSources: config.maxSources, citationPolicy: config.citationPolicy }, null, 2)}\n`);
+    await Bun.write(paths.progress, progressText("created", "Generate and approve research plan."));
+    await Bun.write(paths.handoff, handoffText(goal, "created"));
+    // The local-harness providers (claude-code / codex) run their own CLI, whose
+    // Write tool refuses to overwrite a file it hasn't Read first. Pre-seeding the
+    // agent-written artifacts would block it, so leave those for the agent to
+    // create fresh. summarizeRun tolerates the missing files.
+    if (!isHarnessProvider(config.llmProvider)) {
+        await Bun.write(paths.plan, "# Research Plan\n\nPending plan generation.\n");
+        await Bun.write(paths.sources, "");
+        await Bun.write(paths.claims, "");
+        await Bun.write(paths.notes, "# Notes\n\n");
+        await Bun.write(paths.report, "# Report\n\nDraft not generated yet.\n");
+    }
     await logEvent(paths.root, "run.created", { goal });
     return summarizeRun(paths.root);
 }
 export async function summarizeRun(runPath) {
     const paths = getRunPaths(runPath);
-    const goal = (await readFile(paths.goal, "utf8").catch(() => "")).replace(/^# Goal\s*/u, "").trim();
-    const title = (await readFile(join(runPath, "title.md"), "utf8").catch(() => "")).trim() || undefined;
+    const goal = (await Bun.file(paths.goal).text().catch(() => "")).replace(/^# Goal\s*/u, "").trim();
+    const title = (await Bun.file(join(runPath, "title.md")).text().catch(() => "")).trim() || undefined;
     const sources = await readJsonl(paths.sources);
     const claims = await readJsonl(paths.claims);
-    const report = await readFile(paths.report, "utf8").catch(() => "");
+    const report = await Bun.file(paths.report).text().catch(() => "");
     // last activity = newest mtime among the files that change as a run progresses
     const mtimes = await Promise.all([join(runPath, "convo.json"), paths.report, runPath].map((p) => stat(p).then((s) => s.mtimeMs).catch(() => 0)));
     const updatedAt = Math.max(0, ...mtimes);
@@ -63,7 +70,7 @@ export async function summarizeRun(runPath) {
     };
 }
 export async function setRunTitle(runPath, title) {
-    await writeFile(join(runPath, "title.md"), title.trim());
+    await Bun.write(join(runPath, "title.md"), title.trim());
 }
 export async function deleteRun(runPath) {
     await rm(runPath, { recursive: true, force: true });

package/dist/tools/agent-tools.js

@@ -1,6 +1,6 @@
 import { exec, execFile } from "node:child_process";
 import { promisify } from "node:util";
-import { readFile, writeFile, mkdir, readdir } from "node:fs/promises";
+import { mkdir, readdir } from "node:fs/promises";
 import { dirname, join, relative } from "node:path";
 import { tool } from "ai";
 import { z } from "zod";
@@ -226,7 +226,7 @@ export function createResearchTools(runPath, config, onApprovalRequired, workspa
                 if (needsApproval) {
                     let description;
                     if (harnessName === "report.md" && resolved.scope === "run") {
-                        const existing = await readFile(resolved.abs, "utf8").catch(() => "");
+                        const existing = await Bun.file(resolved.abs).text().catch(() => "");
                         const parts = diffLines(existing, content);
                         const added = parts.filter((p) => p.added).reduce((n, p) => n + (p.count ?? 0), 0);
                         const removed = parts.filter((p) => p.removed).reduce((n, p) => n + (p.count ?? 0), 0);
@@ -248,7 +248,7 @@ export function createResearchTools(runPath, config, onApprovalRequired, workspa
                         return `Write to ${resolved.displayPath} rejected by user.`;
                 }
                 await mkdir(dirname(resolved.abs), { recursive: true });
-                await writeFile(resolved.abs, content);
+                await Bun.write(resolved.abs, content);
                 const eventType = harnessName === "report.md" ? "report.updated" : harnessName === "plan.md" ? "plan.updated" : "file.written";
                 await logEvent(runPath, eventType, { path: resolved.displayPath, scope: resolved.scope, chars: content.length });
                 const where = resolved.scope === "workspace" ? "workspace" : "run";
@@ -268,7 +268,7 @@ export function createResearchTools(runPath, config, onApprovalRequired, workspa
                 const blocked = planModeBlocksEdit(getPlanMode, resolved.scope, harnessName);
                 if (blocked)
                     return blocked;
-                const current = await readFile(resolved.abs, "utf8");
+                const current = await Bun.file(resolved.abs).text();
                 const occurrences = current.split(oldString).length - 1;
                 if (occurrences === 0) {
                     return `No match for the given oldString in ${resolved.displayPath}. No changes made.`;
@@ -287,7 +287,7 @@ export function createResearchTools(runPath, config, onApprovalRequired, workspa
                         return `Edit to ${resolved.displayPath} rejected by user.`;
                     }
                 }
-                await writeFile(resolved.abs, current.replace(oldString, newString));
+                await Bun.write(resolved.abs, current.replace(oldString, newString));
                 await logEvent(runPath, "file.edited", { path: resolved.displayPath, scope: resolved.scope });
                 return `Edited ${resolved.displayPath}`;
             }
@@ -327,7 +327,7 @@ export function createResearchTools(runPath, config, onApprovalRequired, workspa
                 }
                 claims[idx] = { ...claims[idx], status, reason };
                 await mkdir(dirname(claimsPath), { recursive: true });
-                await writeFile(claimsPath, claims.map((c) => JSON.stringify(c)).join("\n") + "\n");
+                await Bun.write(claimsPath, claims.map((c) => JSON.stringify(c)).join("\n") + "\n");
                 await logEvent(runPath, "claim.verified", { id, status });
                 return `Claim ${id} → ${status}`;
             }
@@ -339,7 +339,7 @@ export function createResearchTools(runPath, config, onApprovalRequired, workspa
             }),
             execute: async ({ path }) => {
                 const resolved = resolveToolPath(runPath, workspacePath, path);
-                return truncate(await readFile(resolved.abs, "utf8"));
+                return truncate(await Bun.file(resolved.abs).text());
             }
         }),
         webSearch: tool({

package/dist/tools/background-tasks.js

@@ -1,6 +1,5 @@
-import { randomUUID } from "node:crypto";
 import { spawn } from "node:child_process";
-import { readFile, writeFile, mkdir } from "node:fs/promises";
+import { mkdir } from "node:fs/promises";
 import { dirname, join } from "node:path";
 const MAX_OUTPUT_LINES = 500;
 const MAX_TAIL_CHARS = 4000;
@@ -48,7 +47,7 @@ export class BackgroundTaskManager {
     runtime = new Map();
     records = [];
     loaded = false;
-    sessionToken = randomUUID();
+    sessionToken = crypto.randomUUID();
     constructor(persistPath, defaultCwd) {
         this.persistPath = persistPath;
         this.defaultCwd = defaultCwd;
@@ -58,7 +57,7 @@ export class BackgroundTaskManager {
             return;
         this.loaded = true;
         try {
-            const raw = await readFile(this.persistPath, "utf8");
+            const raw = await Bun.file(this.persistPath).text();
             const parsed = JSON.parse(raw);
             if (Array.isArray(parsed)) {
                 this.records = parsed.filter(isValidRecord);
@@ -94,7 +93,7 @@ export class BackgroundTaskManager {
     }
     async persist() {
         await mkdir(dirname(this.persistPath), { recursive: true });
-        await writeFile(this.persistPath, JSON.stringify(this.records, null, 2) + "\n");
+        await Bun.write(this.persistPath, JSON.stringify(this.records, null, 2) + "\n");
     }
     syncRecord(task) {
         const idx = this.records.findIndex((r) => r.id === task.record.id);

package/dist/tools/mcp-oauth.js

@@ -1,15 +1,12 @@
-import { createHash, randomBytes } from "node:crypto";
-import { createServer } from "node:http";
-import { exec } from "node:child_process";
 import { saveGlobalMcpConfig } from "../config/load-config.js";
 function toBase64Url(buf) {
-    return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+    return Buffer.from(buf).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
 }
 function createVerifier() {
-    return toBase64Url(randomBytes(48));
+    return toBase64Url(crypto.getRandomValues(new Uint8Array(48)));
 }
 function createChallenge(verifier) {
-    return toBase64Url(createHash("sha256").update(verifier).digest());
+    return toBase64Url(new Bun.CryptoHasher("sha256").update(verifier).digest());
 }
 async function fetchJson(url) {
     try {
@@ -128,31 +125,38 @@ function patchClientId(mcp, name, clientId, clientSecret) {
     };
 }
 function openBrowser(url) {
-    const cmd = process.platform === "darwin" ? `open "${url}"` :
-        process.platform === "win32" ? `start "" "${url}"` :
-            `xdg-open "${url}"`;
-    exec(cmd, () => { });
+    const argv = process.platform === "darwin" ? ["open", url] :
+        process.platform === "win32" ? ["cmd", "/c", "start", "", url] :
+            ["xdg-open", url];
+    Bun.spawn(argv, { stdout: "ignore", stderr: "ignore" });
 }
 function waitForCallback(port, timeoutMs = 120_000) {
     return new Promise((resolve, reject) => {
-        const server = createServer((req, res) => {
-            const u = new URL(req.url ?? "/", `http://localhost:${port}`);
-            const code = u.searchParams.get("code");
-            const state = u.searchParams.get("state");
-            res.writeHead(200, { "Content-Type": "text/html" });
-            res.end("<html><body><h2>OAuth connected — you can close this tab.</h2></body></html>");
-            server.close();
-            if (code && state)
-                resolve({ code, state });
-            else
-                reject(new Error("OAuth callback missing code or state"));
+        const server = Bun.serve({
+            port,
+            hostname: "127.0.0.1",
+            fetch(req) {
+                const u = new URL(req.url);
+                const code = u.searchParams.get("code");
+                const state = u.searchParams.get("state");
+                queueMicrotask(() => {
+                    clearTimeout(timer);
+                    // Graceful stop: let the response flush to the browser before closing.
+                    void server.stop();
+                    if (code && state)
+                        resolve({ code, state });
+                    else
+                        reject(new Error("OAuth callback missing code or state"));
+                });
+                return new Response("<html><body><h2>OAuth connected — you can close this tab.</h2></body></html>", {
+                    headers: { "Content-Type": "text/html" },
+                });
+            },
         });
-        server.listen(port, "127.0.0.1");
         const timer = setTimeout(() => {
-            server.close();
+            void server.stop(true);
             reject(new Error("OAuth flow timed out (2 min). Run `scira mcp oauth <name>` to retry."));
         }, timeoutMs);
-        server.once("close", () => clearTimeout(timer));
     });
 }
 async function exchangeCode(opts) {
@@ -235,7 +239,7 @@ export async function runOAuthFlow(srv, config) {
     }
     const verifier = createVerifier();
     const challenge = createChallenge(verifier);
-    const state = toBase64Url(randomBytes(16));
+    const state = toBase64Url(crypto.getRandomValues(new Uint8Array(16)));
     const scope = srv.oauthScopes ?? endpoints.suggestedScope ?? undefined;
     const params = new URLSearchParams({
         response_type: "code",