@sentry/junior 0.28.0 → 0.30.0

package/dist/app.js

@@ -6,11 +6,17 @@ import {
   parseSkillInvocation
 } from "./chunk-ICIRAL6Y.js";
 import {
+  GEN_AI_PROVIDER_NAME,
+  MISSING_GATEWAY_CREDENTIALS_ERROR,
   SANDBOX_DATA_ROOT,
   SANDBOX_SKILLS_ROOT,
   SANDBOX_WORKSPACE_ROOT,
   botConfig,
   buildNonInteractiveShellScript,
+  completeObject,
+  completeText,
+  getGatewayApiKey,
+  getPiGatewayApiKeyOverride,
   getRuntimeDependencyProfileHash,
   getRuntimeMetadata,
   getSlackBotToken,
@@ -20,19 +26,18 @@ import {
   getStateAdapter,
   getVercelSandboxCredentials,
   isSnapshotMissingError,
+  resolveGatewayModel,
   resolveRuntimeDependencySnapshot,
   runNonInteractiveCommand,
   sandboxSkillDir,
-  sandboxSkillFile,
-  toOptionalTrimmed
-} from "./chunk-375D5V4U.js";
+  sandboxSkillFile
+} from "./chunk-LEYD42MR.js";
 import {
   CredentialUnavailableError,
   buildOAuthTokenRequest,
   createChatSdkLogger,
   createPluginBroker,
   createRequestContext,
-  extractGenAiUsageAttributes,
   extractGenAiUsageSummary,
   getActiveTraceId,
   getPluginDefinition,
@@ -387,6 +392,26 @@ function defaultConversationState() {
     }
   };
 }
+function coercePendingAuthState(value) {
+  if (!isRecord(value)) {
+    return void 0;
+  }
+  const kind = value.kind;
+  const provider = toOptionalString(value.provider);
+  const requesterId = toOptionalString(value.requesterId);
+  const sessionId = toOptionalString(value.sessionId);
+  const linkSentAtMs = toOptionalNumber(value.linkSentAtMs);
+  if (kind !== "mcp" && kind !== "plugin" || !provider || !requesterId || !sessionId || typeof linkSentAtMs !== "number") {
+    return void 0;
+  }
+  return {
+    kind,
+    provider,
+    requesterId,
+    sessionId,
+    linkSentAtMs
+  };
+}
 function coerceThreadConversationState(value) {
   if (!isRecord(value)) {
     return defaultConversationState();
@@ -437,7 +462,8 @@ function coerceThreadConversationState(value) {
   const rawProcessing = isRecord(rawConversation.processing) ? rawConversation.processing : {};
   const processing = {
     activeTurnId: toOptionalString(rawProcessing.activeTurnId),
-    lastCompletedAtMs: toOptionalNumber(rawProcessing.lastCompletedAtMs)
+    lastCompletedAtMs: toOptionalNumber(rawProcessing.lastCompletedAtMs),
+    pendingAuth: coercePendingAuthState(rawProcessing.pendingAuth)
   };
   const rawStats = isRecord(rawConversation.stats) ? rawConversation.stats : {};
   const stats = {
@@ -1996,11 +2022,13 @@ function buildThreadParticipants(messages) {
   return participants;
 }
 
-// src/chat/runtime/turn.ts
+// src/chat/state/turn-id.ts
 function buildDeterministicTurnId(messageId) {
   const sanitized = messageId.replace(/[^a-zA-Z0-9_-]/g, "_");
   return `turn_${sanitized}`;
 }
+
+// src/chat/runtime/turn.ts
 var RetryableTurnError = class extends Error {
   code = "retryable_turn";
   metadata;
@@ -2026,12 +2054,16 @@ function startActiveTurn(args) {
   args.updateConversationStats(args.conversation);
 }
 function markTurnCompleted(args) {
-  args.conversation.processing.activeTurnId = void 0;
+  if (!args.sessionId || args.conversation.processing.activeTurnId === args.sessionId) {
+    args.conversation.processing.activeTurnId = void 0;
+  }
   args.conversation.processing.lastCompletedAtMs = args.nowMs;
   args.updateConversationStats(args.conversation);
 }
 function markTurnFailed(args) {
-  args.conversation.processing.activeTurnId = void 0;
+  if (!args.sessionId || args.conversation.processing.activeTurnId === args.sessionId) {
+    args.conversation.processing.activeTurnId = void 0;
+  }
   args.conversation.processing.lastCompletedAtMs = args.nowMs;
   args.markConversationMessage(args.conversation, args.userMessageId, {
     replied: false,
@@ -2066,232 +2098,6 @@ function getTurnUserReplyAttachmentContext(message) {
   };
 }
 
-// src/chat/pi/client.ts
-import {
-  completeSimple,
-  getEnvApiKey,
-  getModels,
-  registerApiProvider
-} from "@mariozechner/pi-ai";
-import {
-  streamAnthropic,
-  streamSimpleAnthropic
-} from "@mariozechner/pi-ai/anthropic";
-registerApiProvider({
-  api: "anthropic-messages",
-  stream: streamAnthropic,
-  streamSimple: streamSimpleAnthropic
-});
-var GATEWAY_PROVIDER = "vercel-ai-gateway";
-var GEN_AI_PROVIDER_NAME = GATEWAY_PROVIDER;
-var GEN_AI_OPERATION_CHAT = "chat";
-var MISSING_GATEWAY_CREDENTIALS_ERROR = "Missing AI gateway credentials (AI_GATEWAY_API_KEY or VERCEL_OIDC_TOKEN)";
-function getGatewayApiKey() {
-  return toOptionalTrimmed(getEnvApiKey("vercel-ai-gateway")) ?? toOptionalTrimmed(process.env.VERCEL_OIDC_TOKEN);
-}
-function getPiGatewayApiKeyOverride() {
-  return toOptionalTrimmed(process.env.VERCEL_OIDC_TOKEN);
-}
-function extractText(message) {
-  return (message.content ?? []).filter((part) => part.type === "text" && typeof part.text === "string").map((part) => part.text ?? "").join("").trim();
-}
-function parseJsonCandidate(text) {
-  const trimmed = text.trim();
-  if (!trimmed) return void 0;
-  try {
-    return JSON.parse(trimmed);
-  } catch {
-    const fencedBlocks = [
-      ...trimmed.matchAll(/```(?:json)?\s*([\s\S]*?)\s*```/gi)
-    ];
-    for (const block of fencedBlocks) {
-      try {
-        return JSON.parse(block[1]);
-      } catch {
-      }
-    }
-    const openBraceIndex = trimmed.indexOf("{");
-    if (openBraceIndex >= 0) {
-      let depth = 0;
-      let inString = false;
-      let escaped = false;
-      for (let index = openBraceIndex; index < trimmed.length; index += 1) {
-        const char = trimmed[index];
-        if (inString) {
-          if (escaped) {
-            escaped = false;
-            continue;
-          }
-          if (char === "\\") {
-            escaped = true;
-            continue;
-          }
-          if (char === '"') {
-            inString = false;
-          }
-          continue;
-        }
-        if (char === '"') {
-          inString = true;
-          continue;
-        }
-        if (char === "{") {
-          depth += 1;
-          continue;
-        }
-        if (char === "}") {
-          depth -= 1;
-          if (depth === 0) {
-            const slice = trimmed.slice(openBraceIndex, index + 1);
-            try {
-              return JSON.parse(slice);
-            } catch {
-              break;
-            }
-          }
-        }
-      }
-    }
-    return void 0;
-  }
-}
-function resolveGatewayModel(modelId) {
-  const models = getModels(GATEWAY_PROVIDER);
-  const matched = models.find((model) => model.id === modelId);
-  if (!matched) {
-    throw new Error(`Unknown AI Gateway model id: ${modelId}`);
-  }
-  return matched;
-}
-async function completeText(params) {
-  const model = resolveGatewayModel(params.modelId);
-  const apiKey = getPiGatewayApiKeyOverride();
-  const requestMessagesAttribute = serializeGenAiAttribute(params.messages);
-  const systemInstructionsAttribute = params.system ? serializeGenAiAttribute([{ type: "text", content: params.system }]) : void 0;
-  const startAttributes = {
-    "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
-    "gen_ai.operation.name": GEN_AI_OPERATION_CHAT,
-    "gen_ai.request.model": params.modelId,
-    ...systemInstructionsAttribute ? { "gen_ai.system_instructions": systemInstructionsAttribute } : {},
-    ...requestMessagesAttribute ? { "gen_ai.input.messages": requestMessagesAttribute } : {},
-    "app.ai.auth_mode": apiKey ? "oidc" : "api_key",
-    ...params.thinkingLevel ? { "app.ai.reasoning_effort": params.thinkingLevel } : {}
-  };
-  setSpanAttributes(startAttributes);
-  const message = await completeSimple(
-    model,
-    {
-      systemPrompt: params.system,
-      messages: params.messages
-    },
-    {
-      ...apiKey ? { apiKey } : {},
-      temperature: params.temperature,
-      maxTokens: params.maxTokens,
-      reasoning: params.thinkingLevel,
-      signal: params.signal,
-      metadata: params.metadata
-    }
-  );
-  const outputText = extractText(message);
-  const outputMessagesAttribute = serializeGenAiAttribute([
-    {
-      role: "assistant",
-      content: outputText ? [{ type: "text", text: outputText }] : []
-    }
-  ]);
-  const usageAttributes = extractGenAiUsageAttributes(message);
-  const endAttributes = {
-    "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
-    "gen_ai.operation.name": GEN_AI_OPERATION_CHAT,
-    "gen_ai.request.model": params.modelId,
-    ...outputMessagesAttribute ? { "gen_ai.output.messages": outputMessagesAttribute } : {},
-    ...usageAttributes,
-    ...message.stopReason ? { "gen_ai.response.finish_reasons": [message.stopReason] } : {},
-    ...params.thinkingLevel ? { "app.ai.reasoning_effort": params.thinkingLevel } : {}
-  };
-  setSpanAttributes(endAttributes);
-  if (message.stopReason === "error") {
-    const providerMessage = message.errorMessage?.trim() || "Unknown provider error";
-    logWarn(
-      "ai_completion_provider_error",
-      {},
-      {
-        "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
-        "gen_ai.operation.name": GEN_AI_OPERATION_CHAT,
-        "gen_ai.request.model": params.modelId,
-        "error.message": providerMessage
-      },
-      "AI completion returned provider error"
-    );
-    throw new Error(`AI provider error: ${providerMessage}`);
-  }
-  return {
-    message,
-    text: outputText
-  };
-}
-async function completeObject(params) {
-  const startedAt = Date.now();
-  let text = "";
-  try {
-    ({ text } = await completeText({
-      modelId: params.modelId,
-      system: params.system,
-      thinkingLevel: params.thinkingLevel,
-      temperature: params.temperature,
-      maxTokens: params.maxTokens,
-      signal: params.signal,
-      metadata: params.metadata,
-      messages: [
-        {
-          role: "user",
-          content: params.prompt,
-          timestamp: Date.now()
-        }
-      ]
-    }));
-  } catch (error) {
-    logException(
-      error,
-      "ai_completion_failed",
-      {},
-      {
-        "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
-        "gen_ai.operation.name": GEN_AI_OPERATION_CHAT,
-        "gen_ai.request.model": params.modelId,
-        "app.ai.duration_ms": Date.now() - startedAt
-      },
-      "AI object completion failed"
-    );
-    throw error;
-  }
-  const candidate = parseJsonCandidate(text);
-  const parsed = params.schema.safeParse(candidate);
-  if (!parsed.success) {
-    const preview = text.length > 400 ? `${text.slice(0, 400)}...` : text;
-    logWarn(
-      "ai_completion_schema_parse_failed",
-      {},
-      {
-        "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
-        "gen_ai.operation.name": GEN_AI_OPERATION_CHAT,
-        "gen_ai.request.model": params.modelId,
-        "app.ai.duration_ms": Date.now() - startedAt,
-        "app.ai.response_preview": preview
-      },
-      "AI object completion schema parse failed"
-    );
-    throw new Error(
-      `Model did not return valid JSON for schema: ${parsed.error.message}. Raw response: ${preview}`
-    );
-  }
-  return {
-    object: parsed.data,
-    text
-  };
-}
-
 // src/chat/slack/message.ts
 function getSlackMessageTs(message) {
   if (message.id.endsWith(":message_changed_mention") && message.raw && typeof message.raw === "object") {
@@ -5071,11 +4877,11 @@ function createReadFileTool() {
 import { Type as Type6 } from "@sinclair/typebox";
 function createReportProgressTool() {
   return tool({
-    description: "Update the user-visible assistant loading message with a short progress phase. For every non-trivial turn, call this early with the initial major work phase, then call it again only when the major phase meaningfully changes. Use concrete labels like Searching docs, Reviewing results, or Running checks. Skip trivial direct answers, generic filler, and minor substeps.",
+    description: "Update the user-visible assistant loading message with a short progress phase. For every non-trivial turn, call this early with the initial major work phase, then call it again only when the major phase meaningfully changes. Messages must be written in sentence case with a present-participle verb (e.g. 'Searching docs', 'Reviewing results', 'Running checks'). Skip trivial direct answers, generic filler, and minor substeps.",
     inputSchema: Type6.Object({
       message: Type6.String({
         minLength: 1,
-        description: "Short user-facing progress message. The UI truncates it if needed."
+        description: "Short user-facing progress message."
       })
     })
   });
@@ -8442,134 +8248,21 @@ function shouldEmitDevAgentTrace() {
   return process.env.NODE_ENV === "development";
 }
 
-// src/chat/credentials/unlink-provider.ts
-async function unlinkProvider(userId, provider, userTokenStore) {
-  await Promise.all([
-    userTokenStore.delete(userId, provider),
-    deleteMcpStoredOAuthCredentials(userId, provider),
-    deleteMcpServerSessionId(userId, provider),
-    deleteMcpAuthSessionsForUserProvider(userId, provider)
-  ]);
-}
-
-// src/chat/services/plugin-auth-orchestration.ts
-var PluginAuthorizationPauseError = class extends Error {
+// src/chat/services/auth-pause.ts
+var AuthorizationPauseError = class extends Error {
+  disposition;
+  kind;
   provider;
-  constructor(provider) {
-    super(`Plugin authorization started for ${provider}`);
-    this.name = "PluginAuthorizationPauseError";
+  constructor(kind, provider, disposition) {
+    super(
+      kind === "mcp" ? `MCP authorization started for ${provider}` : `Plugin authorization started for ${provider}`
+    );
+    this.name = kind === "mcp" ? "McpAuthorizationPauseError" : "PluginAuthorizationPauseError";
+    this.disposition = disposition;
+    this.kind = kind;
     this.provider = provider;
   }
 };
-function isCommandAuthFailure(details) {
-  if (!details || typeof details !== "object") {
-    return false;
-  }
-  const result = details;
-  if (typeof result.exit_code !== "number" || result.exit_code === 0) {
-    return false;
-  }
-  const text = `${typeof result.stdout === "string" ? result.stdout : ""}
-${typeof result.stderr === "string" ? result.stderr : ""}`.toLowerCase();
-  if (!text.trim()) {
-    return false;
-  }
-  return [
-    /\b401\b/,
-    /\bunauthorized\b/,
-    /\bbad credentials\b/,
-    /\binvalid token\b/,
-    /\btoken (?:expired|revoked)\b/,
-    /\bexpired token\b/,
-    /\bmissing scopes?\b/,
-    /\binsufficient scope\b/,
-    /\binvalid grant\b/,
-    /\breauthoriz/
-  ].some((pattern) => pattern.test(text));
-}
-function commandTargetsProvider(provider, command, details) {
-  const normalizedCommand = command.trim().toLowerCase();
-  if (!normalizedCommand) {
-    return false;
-  }
-  if (provider === "github" && /^(gh|git)\b/.test(normalizedCommand)) {
-    return true;
-  }
-  const plugin = getPluginDefinition(provider);
-  const candidates = /* @__PURE__ */ new Set([provider.toLowerCase()]);
-  const credentials = plugin?.manifest.credentials;
-  if (credentials) {
-    candidates.add(credentials.authTokenEnv.toLowerCase());
-    for (const domain of credentials.apiDomains) {
-      candidates.add(domain.toLowerCase());
-    }
-  }
-  const combinedText = `${normalizedCommand}
-${details.stdout?.toLowerCase() ?? ""}
-${details.stderr?.toLowerCase() ?? ""}`;
-  return [...candidates].some((candidate) => combinedText.includes(candidate));
-}
-function createPluginAuthOrchestration(deps, abortAgent) {
-  let pendingPause;
-  const startAuthorizationPause = async (provider, activeSkill, options) => {
-    if (pendingPause) {
-      throw pendingPause;
-    }
-    if (!deps.requesterId || !getPluginOAuthConfig(provider)) {
-      throw new Error(`Cannot start plugin authorization for ${provider}`);
-    }
-    const providerLabel = formatProviderLabel(provider);
-    const oauthResult = await startOAuthFlow(provider, {
-      requesterId: deps.requesterId,
-      channelId: deps.channelId,
-      threadTs: deps.threadTs,
-      userMessage: deps.userMessage,
-      channelConfiguration: deps.channelConfiguration,
-      activeSkillName: activeSkill?.name ?? void 0,
-      resumeConversationId: deps.conversationId,
-      resumeSessionId: deps.sessionId
-    });
-    if (!oauthResult.ok) {
-      throw new Error(oauthResult.error);
-    }
-    if (!oauthResult.delivery) {
-      throw new Error(
-        `I need to connect your ${providerLabel} account first, but I wasn't able to send you a private authorization link. Please send me a direct message and try again.`
-      );
-    }
-    if (options?.unlinkExistingProvider && deps.requesterId && deps.userTokenStore) {
-      await unlinkProvider(deps.requesterId, provider, deps.userTokenStore);
-    }
-    pendingPause = new PluginAuthorizationPauseError(provider);
-    abortAgent();
-    throw pendingPause;
-  };
-  const handleCredentialUnavailable = async (input) => {
-    if (pendingPause) {
-      throw pendingPause;
-    }
-    if (!deps.requesterId || !getPluginOAuthConfig(input.error.provider)) {
-      throw input.error;
-    }
-    return await startAuthorizationPause(
-      input.error.provider,
-      input.activeSkill
-    );
-  };
-  return {
-    handleCredentialUnavailable,
-    handleCommandFailure: async (input) => {
-      const provider = input.activeSkill?.pluginProvider;
-      if (!provider || !deps.requesterId || !deps.userTokenStore || !getPluginOAuthConfig(provider) || !isCommandAuthFailure(input.details) || !commandTargetsProvider(provider, input.command, input.details)) {
-        return;
-      }
-      await startAuthorizationPause(provider, input.activeSkill, {
-        unlinkExistingProvider: true
-      });
-    },
-    getPendingPause: () => pendingPause
-  };
-}
 
 // src/chat/runtime/report-progress.ts
 function buildReportedProgressStatus(input) {
@@ -8617,15 +8310,16 @@ function resolveCredentialInjection(toolName, command, capabilityRuntime, sandbo
     const headerDomains = (headerTransforms ?? []).map(
       (transform) => transform.domain
     );
+    const skillName = sandbox.getActiveSkill()?.name;
     logInfo(
       "credential_inject_start",
       {},
       {
-        "app.skill.name": sandbox.getActiveSkill()?.name,
+        "app.skill.name": skillName,
         "app.credential.delivery": "header_transform",
         "app.credential.header_domains": headerDomains
       },
-      "Injecting scoped credential headers for sandbox command"
+      `Injecting scoped credential headers for sandbox command (${skillName ?? "unknown skill"} \u2192 ${headerDomains.join(", ")})`
     );
   }
   return { headerTransforms, env };
@@ -8798,7 +8492,7 @@ function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor
             }
             return normalized;
           } catch (error) {
-            if (error instanceof PluginAuthorizationPauseError) {
+            if (error instanceof AuthorizationPauseError) {
               throw error;
             }
             handleToolExecutionError(
@@ -8846,7 +8540,7 @@ function isExecutionEscapeResponse(text) {
   if (!trimmed) return false;
   return isExecutionDeferralResponse(trimmed) || isToolAccessDisclaimerResponse(trimmed);
 }
-function parseJsonCandidate2(text) {
+function parseJsonCandidate(text) {
   const trimmed = text.trim();
   if (!trimmed) return void 0;
   try {
@@ -8874,7 +8568,7 @@ function isToolPayloadShape(payload) {
   return false;
 }
 function isRawToolPayloadResponse(text) {
-  const parsed = parseJsonCandidate2(text);
+  const parsed = parseJsonCandidate(text);
   if (Array.isArray(parsed)) {
     return parsed.some((entry) => isToolPayloadShape(entry));
   }
@@ -9009,14 +8703,6 @@ function getTerminalAssistantMessages(messages) {
   }
   return messages.slice(lastToolResultIndex + 1).filter(isAssistantMessage);
 }
-function hasCompletedAssistantTurn(messages) {
-  const message = getTerminalAssistantMessages(messages).at(-1);
-  if (!message) {
-    return false;
-  }
-  const stopReason = message.stopReason;
-  return typeof stopReason === "string" && stopReason !== "error" && extractAssistantText(message).trim().length > 0;
-}
 function upsertActiveSkill(activeSkills, next) {
   const existing = activeSkills.find((skill) => skill.name === next.name);
   if (existing) {
@@ -9244,7 +8930,10 @@ function buildTurnResult(input) {
 // src/chat/services/turn-thinking-level.ts
 import { z } from "zod";
 var CLASSIFIER_CONFIDENCE_THRESHOLD = 0.75;
-var MAX_ROUTER_CONTEXT_CHARS = 1200;
+var MAX_ROUTER_CONTEXT_CHARS = 8e3;
+var ROUTER_CONTEXT_HEAD_CHARS = 3e3;
+var ROUTER_CONTEXT_TAIL_CHARS = 5e3;
+var TRUNCATION_MARKER = "\n\u2026[truncated]\u2026\n";
 var TURN_THINKING_LEVELS = ["none", "low", "medium", "high"];
 var turnExecutionProfileSchema = z.object({
   thinking_level: z.enum(TURN_THINKING_LEVELS),
@@ -9255,9 +8944,22 @@ var DEFAULT_THINKING_LEVEL = "low";
 function trimContextForRouter(text) {
   const trimmed = text?.trim();
   if (!trimmed) {
-    return void 0;
+    return null;
+  }
+  if (trimmed.length <= MAX_ROUTER_CONTEXT_CHARS) {
+    return {
+      text: trimmed,
+      truncated: false,
+      originalCharCount: trimmed.length
+    };
   }
-  return trimmed.length <= MAX_ROUTER_CONTEXT_CHARS ? trimmed : trimmed.slice(-MAX_ROUTER_CONTEXT_CHARS);
+  const head = trimmed.slice(0, ROUTER_CONTEXT_HEAD_CHARS).trimEnd();
+  const tail = trimmed.slice(-ROUTER_CONTEXT_TAIL_CHARS).trimStart();
+  return {
+    text: `${head}${TRUNCATION_MARKER}${tail}`,
+    truncated: true,
+    originalCharCount: trimmed.length
+  };
 }
 function buildClassifierSystemPrompt() {
   return [
@@ -9269,22 +8971,23 @@ function buildClassifierSystemPrompt() {
     "Use medium for investigations, ambiguous asks, multi-step analysis, or likely multi-tool work.",
     "Use high for code changes, debugging/root-cause analysis, research-heavy work, non-trivial drafting, or explicit requests to be thorough.",
     "",
+    "Classify based on the substance of the task, not the length of the current message. When the current instruction is a short affirmation (for example: 'go', 'do it', 'yes please', 'proceed') and the thread-background contains a pending task, classify the pending task \u2014 not the affirmation.",
+    "",
     "Return JSON only with thinking_level, confidence, and reason."
   ].join("\n");
 }
 function buildClassifierPrompt(args) {
   const sections = [];
-  const context = trimContextForRouter(args.conversationContext);
-  if (context) {
-    sections.push("<thread-background>", context, "</thread-background>", "");
+  if (args.conversationContext) {
+    sections.push(
+      "<thread-background>",
+      args.conversationContext.text,
+      "</thread-background>",
+      ""
+    );
   }
   sections.push(
-    "<turn-context>",
-    `- active_skills: ${args.activeSkillNames.join(", ") || "none"}`,
-    `- attachment_count: ${args.attachmentCount}`,
-    "</turn-context>",
-    "",
-    '<current-instruction priority="highest">',
+    "<current-instruction>",
     args.messageText.trim() || "[empty]",
     "</current-instruction>"
   );
@@ -9298,42 +9001,81 @@ function buildClassifierPrompt(args) {
   return sections.join("\n");
 }
 async function selectTurnThinkingLevel(args) {
-  const activeSkillNames = [...new Set(args.activeSkillNames ?? [])].sort();
+  const trimmedContext = trimContextForRouter(args.conversationContext);
+  const instructionLength = args.messageText.trim().length;
+  const turnBlockCount = (args.currentTurnBlocks ?? []).filter(
+    (block) => block.trim().length > 0
+  ).length;
+  const prompt = buildClassifierPrompt({
+    conversationContext: trimmedContext,
+    currentTurnBlocks: args.currentTurnBlocks,
+    messageText: args.messageText
+  });
+  const logContext = {
+    slackThreadId: args.context?.threadId,
+    slackChannelId: args.context?.channelId,
+    slackUserId: args.context?.requesterId,
+    runId: args.context?.runId,
+    modelId: args.fastModelId
+  };
+  return withSpan(
+    "chat.route_thinking",
+    "chat.route_thinking",
+    logContext,
+    async () => {
+      setSpanAttributes({
+        "app.ai.router.prompt_char_count": prompt.length,
+        "app.ai.router.instruction_char_count": instructionLength,
+        "app.ai.router.context_char_count": trimmedContext?.originalCharCount ?? 0,
+        "app.ai.router.context_trimmed": trimmedContext?.truncated ?? false,
+        "app.ai.router.turn_block_count": turnBlockCount
+      });
+      const selection = await classifyTurn({
+        completeObject: args.completeObject,
+        fastModelId: args.fastModelId,
+        metadata: {
+          modelId: args.fastModelId,
+          threadId: args.context?.threadId ?? "",
+          channelId: args.context?.channelId ?? "",
+          requesterId: args.context?.requesterId ?? "",
+          runId: args.context?.runId ?? ""
+        },
+        prompt
+      });
+      setSpanAttributes({
+        "app.ai.thinking_level": selection.thinkingLevel,
+        "app.ai.thinking_level_reason": selection.reason,
+        ...selection.confidence !== void 0 ? { "app.ai.thinking_level_confidence": selection.confidence } : {}
+      });
+      return selection;
+    }
+  );
+}
+async function classifyTurn(args) {
   try {
     const result = await args.completeObject({
       modelId: args.fastModelId,
       schema: turnExecutionProfileSchema,
       maxTokens: 120,
-      metadata: {
-        modelId: args.fastModelId,
-        threadId: args.context?.threadId ?? "",
-        channelId: args.context?.channelId ?? "",
-        requesterId: args.context?.requesterId ?? "",
-        runId: args.context?.runId ?? ""
-      },
-      prompt: buildClassifierPrompt({
-        activeSkillNames,
-        attachmentCount: args.attachmentCount ?? 0,
-        conversationContext: args.conversationContext,
-        currentTurnBlocks: args.currentTurnBlocks,
-        messageText: args.messageText
-      }),
+      metadata: args.metadata,
+      prompt: args.prompt,
       thinkingLevel: "low",
       system: buildClassifierSystemPrompt(),
       temperature: 0
     });
     const parsed = turnExecutionProfileSchema.parse(result.object);
+    const reason = parsed.reason.trim();
     if (parsed.confidence < CLASSIFIER_CONFIDENCE_THRESHOLD) {
       return {
         confidence: parsed.confidence,
         thinkingLevel: DEFAULT_THINKING_LEVEL,
-        reason: `low_confidence_default:${parsed.reason.trim()}`
+        reason: `low_confidence_default:${reason}`
       };
     }
     return {
       confidence: parsed.confidence,
       thinkingLevel: parsed.thinking_level,
-      reason: parsed.reason.trim()
+      reason
     };
   } catch {
     return {
@@ -9371,7 +9113,7 @@ function parseAgentTurnSessionCheckpoint(value) {
       return void 0;
     }
     const status = parsed.state;
-    if (status !== "running" && status !== "awaiting_resume" && status !== "completed" && status !== "failed") {
+    if (status !== "running" && status !== "awaiting_resume" && status !== "completed" && status !== "failed" && status !== "superseded") {
       return void 0;
     }
     const conversationId = parsed.conversationId;
@@ -9443,6 +9185,26 @@ async function upsertAgentTurnSessionCheckpoint(args) {
   );
   return checkpoint;
 }
+async function supersedeAgentTurnSessionCheckpoint(args) {
+  const existing = await getAgentTurnSessionCheckpoint(
+    args.conversationId,
+    args.sessionId
+  );
+  if (!existing || existing.state === "completed" || existing.state === "failed" || existing.state === "superseded") {
+    return void 0;
+  }
+  return await upsertAgentTurnSessionCheckpoint({
+    conversationId: existing.conversationId,
+    sessionId: existing.sessionId,
+    sliceId: existing.sliceId,
+    state: "superseded",
+    piMessages: existing.piMessages,
+    loadedSkillNames: existing.loadedSkillNames,
+    resumeReason: existing.resumeReason,
+    resumedFromSliceId: existing.resumedFromSliceId,
+    errorMessage: args.errorMessage ?? existing.errorMessage
+  });
+}
 
 // src/chat/services/turn-checkpoint.ts
 async function loadTurnCheckpoint(ctx) {
@@ -9557,17 +9319,71 @@ async function persistTimeoutCheckpoint(args) {
   }
 }
 
-// src/chat/services/mcp-auth-orchestration.ts
-var McpAuthorizationPauseError = class extends Error {
-  provider;
-  constructor(provider) {
-    super(`MCP authorization started for ${provider}`);
-    this.name = "McpAuthorizationPauseError";
-    this.provider = provider;
+// src/chat/services/pending-auth.ts
+var AUTH_LINK_REUSE_WINDOW_MS = 10 * 60 * 1e3;
+function canReusePendingAuthLink(args) {
+  const { pendingAuth } = args;
+  if (!pendingAuth) {
+    return false;
   }
-};
-function createMcpAuthOrchestration(deps, abortAgent) {
-  let pendingPause;
+  return pendingAuth.kind === args.kind && pendingAuth.provider === args.provider && pendingAuth.requesterId === args.requesterId && pendingAuth.linkSentAtMs + AUTH_LINK_REUSE_WINDOW_MS > (args.nowMs ?? Date.now());
+}
+function buildAuthPauseReplyText(args) {
+  const providerLabel = args.provider ? formatProviderLabel(args.provider) : "";
+  if (args.disposition === "link_already_sent") {
+    return providerLabel ? `I still need your ${providerLabel} access to continue. I already sent you a private link.` : "I still need additional access to continue. I already sent you a private link.";
+  }
+  return providerLabel ? `I need your ${providerLabel} access to continue. I sent you a private link.` : "I need additional access to continue. I sent you a private link.";
+}
+function getConversationPendingAuth(args) {
+  const pendingAuth = args.conversation.processing.pendingAuth;
+  if (!pendingAuth) {
+    return void 0;
+  }
+  if (pendingAuth.kind !== args.kind || pendingAuth.provider !== args.provider || pendingAuth.requesterId !== args.requesterId) {
+    return void 0;
+  }
+  return pendingAuth;
+}
+function clearPendingAuth(conversation, sessionId) {
+  if (!conversation.processing.pendingAuth) {
+    return;
+  }
+  if (sessionId && conversation.processing.pendingAuth.sessionId !== sessionId) {
+    return;
+  }
+  conversation.processing.pendingAuth = void 0;
+}
+async function applyPendingAuthUpdate(args) {
+  const previousPendingAuth = args.conversation.processing.pendingAuth;
+  args.conversation.processing.pendingAuth = args.nextPendingAuth;
+  if (previousPendingAuth && previousPendingAuth.sessionId !== args.nextPendingAuth.sessionId && args.conversationId) {
+    await supersedeAgentTurnSessionCheckpoint({
+      conversationId: args.conversationId,
+      sessionId: previousPendingAuth.sessionId,
+      errorMessage: "Superseded by a newer auth-blocked request in the same conversation."
+    });
+  }
+}
+function isPendingAuthLatestRequest(conversation, pendingAuth) {
+  for (let index = conversation.messages.length - 1; index >= 0; index -= 1) {
+    const message = conversation.messages[index];
+    if (message?.role !== "user") {
+      continue;
+    }
+    return buildDeterministicTurnId(message.id) === pendingAuth.sessionId;
+  }
+  return false;
+}
+
+// src/chat/services/mcp-auth-orchestration.ts
+var McpAuthorizationPauseError = class extends AuthorizationPauseError {
+  constructor(provider, disposition) {
+    super("mcp", provider, disposition);
+  }
+};
+function createMcpAuthOrchestration(deps, abortAgent) {
+  let pendingPause;
   const authSessionIdsByProvider = /* @__PURE__ */ new Map();
   const authProviderFactory = async (plugin) => {
     if (!deps.conversationId || !deps.sessionId || !deps.requesterId) {
@@ -9608,18 +9424,40 @@ function createMcpAuthOrchestration(deps, abortAgent) {
     if (!authSession?.authorizationUrl) {
       throw new Error(`Missing MCP authorization URL for plugin "${provider}"`);
     }
-    const delivery = await deliverPrivateMessage({
-      channelId: authSession.channelId,
-      threadTs: authSession.threadTs,
-      userId: authSession.userId,
-      text: `<${authSession.authorizationUrl}|Click here to link your ${formatProviderLabel(provider)} MCP access>. Once you've authorized, this thread will continue automatically.`
+    const reusingPendingLink = canReusePendingAuthLink({
+      pendingAuth: deps.currentPendingAuth,
+      kind: "mcp",
+      provider,
+      requesterId: deps.requesterId
     });
-    if (!delivery) {
-      throw new Error(
-        `Unable to deliver MCP authorization link for plugin "${provider}"`
-      );
+    if (!reusingPendingLink) {
+      const delivery = await deliverPrivateMessage({
+        channelId: authSession.channelId,
+        threadTs: authSession.threadTs,
+        userId: authSession.userId,
+        text: `<${authSession.authorizationUrl}|Click here to link your ${formatProviderLabel(provider)} MCP access>. Once you've authorized, this thread will continue automatically.`
+      });
+      if (!delivery) {
+        throw new Error(
+          `Unable to deliver MCP authorization link for plugin "${provider}"`
+        );
+      }
+    } else {
+      await deleteMcpAuthSession(authSessionId);
     }
-    pendingPause = new McpAuthorizationPauseError(provider);
+    if (deps.sessionId && deps.requesterId) {
+      await deps.onPendingAuth?.({
+        kind: "mcp",
+        provider,
+        requesterId: deps.requesterId,
+        sessionId: deps.sessionId,
+        linkSentAtMs: reusingPendingLink ? deps.currentPendingAuth.linkSentAtMs : Date.now()
+      });
+    }
+    pendingPause = new McpAuthorizationPauseError(
+      provider,
+      reusingPendingLink ? "link_already_sent" : "link_sent"
+    );
     abortAgent();
     return true;
   };
@@ -9630,6 +9468,152 @@ function createMcpAuthOrchestration(deps, abortAgent) {
   };
 }
 
+// src/chat/credentials/unlink-provider.ts
+async function unlinkProvider(userId, provider, userTokenStore) {
+  await Promise.all([
+    userTokenStore.delete(userId, provider),
+    deleteMcpStoredOAuthCredentials(userId, provider),
+    deleteMcpServerSessionId(userId, provider),
+    deleteMcpAuthSessionsForUserProvider(userId, provider)
+  ]);
+}
+
+// src/chat/services/plugin-auth-orchestration.ts
+var PluginAuthorizationPauseError = class extends AuthorizationPauseError {
+  constructor(provider, disposition) {
+    super("plugin", provider, disposition);
+  }
+};
+function isCommandAuthFailure(details) {
+  if (!details || typeof details !== "object") {
+    return false;
+  }
+  const result = details;
+  if (typeof result.exit_code !== "number" || result.exit_code === 0) {
+    return false;
+  }
+  const text = `${typeof result.stdout === "string" ? result.stdout : ""}
+${typeof result.stderr === "string" ? result.stderr : ""}`.toLowerCase();
+  if (!text.trim()) {
+    return false;
+  }
+  return [
+    /\b401\b/,
+    /\bunauthorized\b/,
+    /\bbad credentials\b/,
+    /\binvalid token\b/,
+    /\btoken (?:expired|revoked)\b/,
+    /\bexpired token\b/,
+    /\bmissing scopes?\b/,
+    /\binsufficient scope\b/,
+    /\binvalid grant\b/,
+    /\breauthoriz/
+  ].some((pattern) => pattern.test(text));
+}
+function commandTargetsProvider(provider, command, details) {
+  const normalizedCommand = command.trim().toLowerCase();
+  if (!normalizedCommand) {
+    return false;
+  }
+  if (provider === "github" && /^(gh|git)\b/.test(normalizedCommand)) {
+    return true;
+  }
+  const plugin = getPluginDefinition(provider);
+  const candidates = /* @__PURE__ */ new Set([provider.toLowerCase()]);
+  const credentials = plugin?.manifest.credentials;
+  if (credentials) {
+    candidates.add(credentials.authTokenEnv.toLowerCase());
+    for (const domain of credentials.apiDomains) {
+      candidates.add(domain.toLowerCase());
+    }
+  }
+  const combinedText = `${normalizedCommand}
+${details.stdout?.toLowerCase() ?? ""}
+${details.stderr?.toLowerCase() ?? ""}`;
+  return [...candidates].some((candidate) => combinedText.includes(candidate));
+}
+function createPluginAuthOrchestration(deps, abortAgent) {
+  let pendingPause;
+  const startAuthorizationPause = async (provider, activeSkill, options) => {
+    if (pendingPause) {
+      throw pendingPause;
+    }
+    if (!deps.requesterId || !getPluginOAuthConfig(provider)) {
+      throw new Error(`Cannot start plugin authorization for ${provider}`);
+    }
+    const providerLabel = formatProviderLabel(provider);
+    const reusingPendingLink = canReusePendingAuthLink({
+      pendingAuth: deps.currentPendingAuth,
+      kind: "plugin",
+      provider,
+      requesterId: deps.requesterId
+    });
+    if (!reusingPendingLink) {
+      const oauthResult = await startOAuthFlow(provider, {
+        requesterId: deps.requesterId,
+        channelId: deps.channelId,
+        threadTs: deps.threadTs,
+        userMessage: deps.userMessage,
+        channelConfiguration: deps.channelConfiguration,
+        activeSkillName: activeSkill?.name ?? void 0,
+        resumeConversationId: deps.conversationId,
+        resumeSessionId: deps.sessionId
+      });
+      if (!oauthResult.ok) {
+        throw new Error(oauthResult.error);
+      }
+      if (!oauthResult.delivery) {
+        throw new Error(
+          `I need to connect your ${providerLabel} account first, but I wasn't able to send you a private authorization link. Please send me a direct message and try again.`
+        );
+      }
+    }
+    if (options?.unlinkExistingProvider && deps.requesterId && deps.userTokenStore) {
+      await unlinkProvider(deps.requesterId, provider, deps.userTokenStore);
+    }
+    if (deps.sessionId) {
+      await deps.onPendingAuth?.({
+        kind: "plugin",
+        provider,
+        requesterId: deps.requesterId,
+        sessionId: deps.sessionId,
+        linkSentAtMs: reusingPendingLink ? deps.currentPendingAuth.linkSentAtMs : Date.now()
+      });
+    }
+    pendingPause = new PluginAuthorizationPauseError(
+      provider,
+      reusingPendingLink ? "link_already_sent" : "link_sent"
+    );
+    abortAgent();
+    throw pendingPause;
+  };
+  const handleCredentialUnavailable = async (input) => {
+    if (pendingPause) {
+      throw pendingPause;
+    }
+    if (!deps.requesterId || !getPluginOAuthConfig(input.error.provider)) {
+      throw input.error;
+    }
+    return await startAuthorizationPause(
+      input.error.provider,
+      input.activeSkill
+    );
+  };
+  return {
+    handleCredentialUnavailable,
+    handleCommandFailure: async (input) => {
+      const provider = input.activeSkill?.pluginProvider;
+      if (!provider || !deps.requesterId || !deps.userTokenStore || !getPluginOAuthConfig(provider) || !isCommandAuthFailure(input.details) || !commandTargetsProvider(provider, input.command, input.details)) {
+        return;
+      }
+      await startAuthorizationPause(provider, input.activeSkill, {
+        unlinkExistingProvider: true
+      });
+    },
+    getPendingPause: () => pendingPause
+  };
+}
+
 // src/chat/respond.ts
 var startupDiscoveryLogged = false;
 var MAX_ROUTER_ATTACHMENT_PREVIEW_CHARS = 2e3;
@@ -9746,6 +9730,7 @@ async function generateAssistantReply(messageText, context = {}) {
   let timeoutResumeSessionId;
   let timeoutResumeSliceId = 1;
   let timeoutResumeMessages = [];
+  let beforeMessageCount = 0;
   let lastKnownSandboxId = context.sandbox?.sandboxId;
   let lastKnownSandboxDependencyProfileHash = context.sandbox?.sandboxDependencyProfileHash;
   let loadedSkillNamesForResume = [];
@@ -9938,8 +9923,6 @@ async function generateAssistantReply(messageText, context = {}) {
       userTurnText
     });
     thinkingSelection = await selectTurnThinkingLevel({
-      activeSkillNames: activeSkills.map((skill) => skill.name),
-      attachmentCount: context.userAttachments?.length,
       completeObject,
       conversationContext: context.conversationContext,
       context: {
@@ -9975,9 +9958,11 @@ async function generateAssistantReply(messageText, context = {}) {
         threadTs: context.correlation?.threadTs,
         toolChannelId: context.toolChannelId,
         userMessage: userInput,
+        currentPendingAuth: context.pendingAuth,
         getConfiguration: () => configurationValues,
         getArtifactState: () => context.artifactState,
-        getMergedArtifactState: () => mergeArtifactsState(context.artifactState ?? {}, artifactStatePatch)
+        getMergedArtifactState: () => mergeArtifactsState(context.artifactState ?? {}, artifactStatePatch),
+        onPendingAuth: context.onAuthPending
       },
       () => agent?.abort()
     );
@@ -9990,6 +9975,8 @@ async function generateAssistantReply(messageText, context = {}) {
         threadTs: context.correlation?.threadTs,
         userMessage: userInput,
         channelConfiguration: context.channelConfiguration,
+        currentPendingAuth: context.pendingAuth,
+        onPendingAuth: context.onAuthPending,
         userTokenStore
       },
       () => agent?.abort()
@@ -10208,12 +10195,11 @@ async function generateAssistantReply(messageText, context = {}) {
         );
       });
     });
-    let beforeMessageCount = agent.state.messages.length;
     let newMessages = [];
-    let completedAssistantTurn = false;
+    beforeMessageCount = agent.state.messages.length;
     try {
       if (resumedFromCheckpoint) {
-        agent.replaceMessages(existingCheckpoint.piMessages);
+        agent.state.messages = existingCheckpoint.piMessages;
       }
       beforeMessageCount = agent.state.messages.length;
       await withSpan(
@@ -10277,11 +10263,6 @@ async function generateAssistantReply(messageText, context = {}) {
             }
           }
           newMessages = agent.state.messages.slice(beforeMessageCount);
-          completedAssistantTurn = hasCompletedAssistantTurn(newMessages);
-          if (getPendingAuthPause() && !completedAssistantTurn) {
-            timeoutResumeMessages = [...agent.state.messages];
-            throw getPendingAuthPause();
-          }
           const outputMessages = newMessages.filter(isAssistantMessage);
           const outputMessagesAttribute = serializeGenAiAttribute(outputMessages);
           const usageSummary = extractGenAiUsageSummary(
@@ -10297,6 +10278,10 @@ async function generateAssistantReply(messageText, context = {}) {
             ...usageSummary.inputTokens !== void 0 ? { "gen_ai.usage.input_tokens": usageSummary.inputTokens } : {},
             ...usageSummary.outputTokens !== void 0 ? { "gen_ai.usage.output_tokens": usageSummary.outputTokens } : {}
           });
+          if (getPendingAuthPause()) {
+            timeoutResumeMessages = [...agent.state.messages];
+            throw getPendingAuthPause();
+          }
         },
         {
           "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
@@ -10309,9 +10294,6 @@ async function generateAssistantReply(messageText, context = {}) {
     } finally {
       unsubscribe();
     }
-    if (getPendingAuthPause() && !completedAssistantTurn) {
-      throw getPendingAuthPause();
-    }
     if (checkpointState.canUseTurnSession && sessionConversationId && sessionId) {
       await persistCompletedCheckpoint({
         conversationId: sessionConversationId,
@@ -10369,7 +10351,15 @@ async function generateAssistantReply(messageText, context = {}) {
         );
       }
     }
-    if ((error instanceof McpAuthorizationPauseError || error instanceof PluginAuthorizationPauseError) && timeoutResumeConversationId && timeoutResumeSessionId) {
+    if (error instanceof AuthorizationPauseError && timeoutResumeConversationId && timeoutResumeSessionId) {
+      if (!turnUsage && timeoutResumeMessages.length > 0) {
+        const fallbackUsage = extractGenAiUsageSummary(
+          ...timeoutResumeMessages.slice(beforeMessageCount).filter(isAssistantMessage)
+        );
+        turnUsage = Object.values(fallbackUsage).some(
+          (value) => value !== void 0
+        ) ? fallbackUsage : void 0;
+      }
       const nextSliceId = await persistAuthPauseCheckpoint({
         conversationId: timeoutResumeConversationId,
         sessionId: timeoutResumeSessionId,
@@ -10387,9 +10377,15 @@ async function generateAssistantReply(messageText, context = {}) {
         }
       });
       throw new RetryableTurnError(
-        error instanceof PluginAuthorizationPauseError ? "plugin_auth_resume" : "mcp_auth_resume",
+        error.kind === "plugin" ? "plugin_auth_resume" : "mcp_auth_resume",
         `conversation=${timeoutResumeConversationId} session=${timeoutResumeSessionId} slice=${nextSliceId}`,
         {
+          authDisposition: error.disposition,
+          authDurationMs: Date.now() - replyStartedAtMs,
+          authKind: error.kind,
+          authProvider: error.provider,
+          authThinkingLevel: thinkingSelection?.thinkingLevel,
+          authUsage: turnUsage,
           conversationId: timeoutResumeConversationId,
           sessionId: timeoutResumeSessionId,
           sliceId: nextSliceId
@@ -10862,11 +10858,10 @@ function buildSlackReplyFooter(args) {
       value: formatSlackDuration(durationMs)
     });
   }
-  const traceId = args.traceId?.trim();
-  if (traceId) {
+  if (args.thinkingLevel) {
     items.push({
-      label: "Trace",
-      value: traceId
+      label: "Thinking",
+      value: args.thinkingLevel
     });
   }
   return items.length > 0 ? { items } : void 0;
@@ -11189,7 +11184,7 @@ async function resumeSlackTurn(args) {
     const footer = buildSlackReplyFooter({
       conversationId: args.replyContext?.correlation?.conversationId ?? lockKey,
       durationMs: reply.diagnostics.durationMs,
-      traceId: getActiveTraceId(),
+      thinkingLevel: reply.diagnostics.thinkingLevel,
       usage: reply.diagnostics.usage
     });
     await postSlackApiReplyPosts({
@@ -11263,6 +11258,82 @@ async function resumeAuthorizedRequest(args) {
   });
 }
 
+// src/chat/runtime/auth-pause-reply.ts
+function buildAuthPauseSlackMessage(args) {
+  const footer = buildSlackReplyFooter({
+    conversationId: args.conversationId,
+    durationMs: args.durationMs,
+    thinkingLevel: args.thinkingLevel,
+    usage: args.usage
+  });
+  const blocks = buildSlackReplyBlocks(args.text, footer);
+  return blocks ? { text: args.text, blocks } : { text: args.text };
+}
+function completeAuthPauseTurn(args) {
+  markConversationMessage(
+    args.conversation,
+    getTurnUserMessageId(args.conversation, args.sessionId),
+    {
+      replied: true,
+      skippedReason: void 0
+    }
+  );
+  upsertConversationMessage(args.conversation, {
+    id: generateConversationId("assistant"),
+    role: "assistant",
+    text: normalizeConversationText(args.text) || "[empty response]",
+    createdAtMs: Date.now(),
+    author: {
+      userName: botConfig.userName,
+      isBot: true
+    },
+    meta: {
+      replied: true
+    }
+  });
+  markTurnCompleted({
+    conversation: args.conversation,
+    nowMs: Date.now(),
+    sessionId: args.sessionId,
+    updateConversationStats
+  });
+}
+async function persistAuthPauseReplyState(args) {
+  const currentState = await getPersistedThreadState(args.threadStateId);
+  const conversation = coerceThreadConversationState(currentState);
+  completeAuthPauseTurn({
+    conversation,
+    sessionId: args.sessionId,
+    text: args.text
+  });
+  await persistThreadStateById(args.threadStateId, { conversation });
+}
+async function deliverAuthPauseReply(args) {
+  const retryable = isRetryableTurnError(args.error) ? args.error : void 0;
+  const text = retryable ? buildAuthPauseReplyText({
+    disposition: retryable.metadata?.authDisposition,
+    provider: retryable.metadata?.authProvider
+  }) : buildAuthPauseReplyText({ provider: args.fallbackProvider });
+  const message = buildAuthPauseSlackMessage({
+    conversationId: args.conversationId,
+    durationMs: retryable?.metadata?.authDurationMs,
+    text,
+    thinkingLevel: retryable?.metadata?.authThinkingLevel,
+    usage: retryable?.metadata?.authUsage
+  });
+  await postSlackMessage({
+    channelId: args.channelId,
+    threadTs: args.threadTs,
+    text: message.text,
+    ...message.blocks ? { blocks: message.blocks } : {}
+  });
+  await persistAuthPauseReplyState({
+    sessionId: args.sessionId,
+    text,
+    threadStateId: args.threadStateId
+  });
+}
+
 // src/chat/services/timeout-resume.ts
 import { createHmac, timingSafeEqual } from "crypto";
 var TURN_TIMEOUT_RESUME_PATH = "/api/internal/turn-resume";
@@ -11435,6 +11506,7 @@ async function persistCompletedReplyState(channelId, threadTs, sessionId, reply)
   const artifacts = coerceThreadArtifactsState(currentState);
   const nextArtifacts = reply.artifactStatePatch ? mergeArtifactsState(artifacts, reply.artifactStatePatch) : void 0;
   const userMessageId = getTurnUserMessageId(conversation, sessionId);
+  clearPendingAuth(conversation, sessionId);
   markConversationMessage(conversation, userMessageId, {
     replied: true,
     skippedReason: void 0
@@ -11455,6 +11527,7 @@ async function persistCompletedReplyState(channelId, threadTs, sessionId, reply)
   markTurnCompleted({
     conversation,
     nowMs: Date.now(),
+    sessionId,
     updateConversationStats
   });
   await persistThreadStateById(threadId, {
@@ -11468,9 +11541,11 @@ async function persistFailedReplyState(channelId, threadTs, sessionId) {
   const threadId = `slack:${channelId}:${threadTs}`;
   const currentState = await getPersistedThreadState(threadId);
   const conversation = coerceThreadConversationState(currentState);
+  clearPendingAuth(conversation, sessionId);
   markTurnFailed({
     conversation,
     nowMs: Date.now(),
+    sessionId,
     userMessageId: getTurnUserMessageId(conversation, sessionId),
     markConversationMessage,
     updateConversationStats
@@ -11488,8 +11563,29 @@ async function resumeAuthorizedMcpTurn(args) {
   const currentState = await getPersistedThreadState(threadId);
   const conversation = coerceThreadConversationState(currentState);
   const artifacts = coerceThreadArtifactsState(currentState);
-  const userMessage = getTurnUserMessage(conversation, authSession.sessionId);
-  if (conversation.processing.activeTurnId !== authSession.sessionId) {
+  const pendingAuth = getConversationPendingAuth({
+    conversation,
+    kind: "mcp",
+    provider,
+    requesterId: authSession.userId
+  });
+  const resolvedSessionId = pendingAuth?.sessionId ?? authSession.sessionId;
+  const userMessage = getTurnUserMessage(conversation, resolvedSessionId);
+  if (pendingAuth) {
+    if (!isPendingAuthLatestRequest(conversation, pendingAuth)) {
+      clearPendingAuth(conversation, pendingAuth.sessionId);
+      await persistThreadStateById(threadId, { conversation });
+      await supersedeAgentTurnSessionCheckpoint({
+        conversationId: authSession.conversationId,
+        sessionId: pendingAuth.sessionId,
+        errorMessage: "Auth completed after a newer thread message superseded this blocked request."
+      });
+      return;
+    }
+  } else if (conversation.processing.activeTurnId !== authSession.sessionId) {
+    return;
+  }
+  if (!userMessage) {
     return;
   }
   const channelConfiguration = getChannelConfigurationServiceById(
@@ -11498,14 +11594,14 @@ async function resumeAuthorizedMcpTurn(args) {
   const conversationContext = await buildResumeConversationContext(
     authSession.channelId,
     authSession.threadTs,
-    authSession.sessionId
+    resolvedSessionId
   );
   await resumeAuthorizedRequest({
-    messageText: authSession.userMessage,
+    messageText: userMessage.text,
     channelId: authSession.channelId,
     threadTs: authSession.threadTs,
     lockKey: authSession.conversationId,
-    connectedText: `Your ${provider} MCP access is now connected. Continuing the original request...`,
+    connectedText: "",
     failureText: "MCP authorization completed, but resuming the request failed. Please retry the original command.",
     replyContext: {
       assistant: { userName: botConfig.userName },
@@ -11516,7 +11612,7 @@ async function resumeAuthorizedMcpTurn(args) {
       },
       correlation: {
         conversationId: authSession.conversationId,
-        turnId: authSession.sessionId,
+        turnId: resolvedSessionId,
         channelId: authSession.channelId,
         threadTs: authSession.threadTs,
         requesterId: authSession.userId
@@ -11525,9 +11621,18 @@ async function resumeAuthorizedMcpTurn(args) {
       conversationContext,
       artifactState: artifacts,
       configuration: authSession.configuration,
+      pendingAuth,
       channelConfiguration,
       sandbox: getPersistedSandboxState(currentState),
       threadParticipants: buildThreadParticipants(conversation.messages),
+      onAuthPending: async (nextPendingAuth) => {
+        await applyPendingAuthUpdate({
+          conversation,
+          conversationId: authSession.conversationId,
+          nextPendingAuth
+        });
+        await persistThreadStateById(threadId, { conversation });
+      },
       ...getTurnUserReplyAttachmentContext(userMessage)
     },
     onSuccess: async (reply) => {
@@ -11535,7 +11640,7 @@ async function resumeAuthorizedMcpTurn(args) {
         await persistCompletedReplyState(
           authSession.channelId,
           authSession.threadTs,
-          authSession.sessionId,
+          resolvedSessionId,
           reply
         );
       } catch (persistError) {
@@ -11560,7 +11665,7 @@ async function resumeAuthorizedMcpTurn(args) {
         await persistFailedReplyState(
           authSession.channelId,
           authSession.threadTs,
-          authSession.sessionId
+          resolvedSessionId
         );
       } catch (persistError) {
         logException(
@@ -11572,7 +11677,16 @@ async function resumeAuthorizedMcpTurn(args) {
         );
       }
     },
-    onAuthPause: async () => {
+    onAuthPause: async (error) => {
+      await deliverAuthPauseReply({
+        channelId: authSession.channelId,
+        conversationId: authSession.conversationId,
+        error,
+        fallbackProvider: provider,
+        sessionId: resolvedSessionId,
+        threadStateId: `slack:${authSession.channelId}:${authSession.threadTs}`,
+        threadTs: authSession.threadTs
+      });
       logWarn(
         "mcp_oauth_callback_resume_reparked_for_auth",
         {},
@@ -11607,7 +11721,7 @@ async function resumeAuthorizedMcpTurn(args) {
       }
       await scheduleTurnTimeoutResume({
         conversationId: authSession.conversationId,
-        sessionId: authSession.sessionId,
+        sessionId: resolvedSessionId,
         expectedCheckpointVersion: checkpointVersion
       });
     }
@@ -11832,6 +11946,7 @@ async function persistCompletedOAuthReplyState(args) {
   const artifacts = coerceThreadArtifactsState(currentState);
   const nextArtifacts = args.reply.artifactStatePatch ? mergeArtifactsState(artifacts, args.reply.artifactStatePatch) : void 0;
   const userMessage = getTurnUserMessage(conversation, args.sessionId);
+  clearPendingAuth(conversation, args.sessionId);
   markConversationMessage(conversation, userMessage?.id, {
     replied: true,
     skippedReason: void 0
@@ -11852,6 +11967,7 @@ async function persistCompletedOAuthReplyState(args) {
   markTurnCompleted({
     conversation,
     nowMs: Date.now(),
+    sessionId: args.sessionId,
     updateConversationStats
   });
   await persistThreadStateById(args.conversationId, {
@@ -11864,9 +11980,11 @@ async function persistCompletedOAuthReplyState(args) {
 async function persistFailedOAuthReplyState(args) {
   const currentState = await getPersistedThreadState(args.conversationId);
   const conversation = coerceThreadConversationState(currentState);
+  clearPendingAuth(conversation, args.sessionId);
   markTurnFailed({
     conversation,
     nowMs: Date.now(),
+    sessionId: args.sessionId,
     userMessageId: getTurnUserMessage(conversation, args.sessionId)?.id,
     markConversationMessage,
     updateConversationStats
@@ -11883,35 +12001,65 @@ async function resumeCheckpointedOAuthTurn(stored) {
     stored.resumeConversationId,
     stored.resumeSessionId
   );
-  if (!checkpoint || checkpoint.state !== "awaiting_resume" || checkpoint.resumeReason !== "auth") {
+  if (!checkpoint) {
     return false;
   }
+  if (checkpoint.state === "completed" || checkpoint.state === "failed" || checkpoint.state === "superseded") {
+    return true;
+  }
+  if (checkpoint.state !== "awaiting_resume" || checkpoint.resumeReason !== "auth") {
+    return true;
+  }
   const currentState = await getPersistedThreadState(
     stored.resumeConversationId
   );
   const conversation = coerceThreadConversationState(currentState);
   const artifacts = coerceThreadArtifactsState(currentState);
-  const userMessage = getTurnUserMessage(conversation, stored.resumeSessionId);
-  if (!userMessage?.author?.userId) {
-    return false;
+  const pendingAuth = getConversationPendingAuth({
+    conversation,
+    kind: "plugin",
+    provider: stored.provider,
+    requesterId: stored.userId
+  });
+  const resolvedSessionId = pendingAuth?.sessionId ?? stored.resumeSessionId;
+  const userMessage = resolvedSessionId ? getTurnUserMessage(conversation, resolvedSessionId) : void 0;
+  if (pendingAuth) {
+    if (!isPendingAuthLatestRequest(conversation, pendingAuth)) {
+      clearPendingAuth(conversation, pendingAuth.sessionId);
+      await persistThreadStateById(stored.resumeConversationId, {
+        conversation
+      });
+      await supersedeAgentTurnSessionCheckpoint({
+        conversationId: stored.resumeConversationId,
+        sessionId: pendingAuth.sessionId,
+        errorMessage: "Auth completed after a newer thread message superseded this blocked request."
+      });
+      return true;
+    }
+  } else {
+    if (!userMessage?.author?.userId) {
+      return false;
+    }
+    if (conversation.processing.activeTurnId !== stored.resumeSessionId) {
+      return true;
+    }
   }
-  if (conversation.processing.activeTurnId !== stored.resumeSessionId) {
-    return true;
+  if (!userMessage?.author?.userId || !resolvedSessionId) {
+    return false;
   }
   const conversationContext = await buildCheckpointConversationContext(
     stored.resumeConversationId,
-    stored.resumeSessionId
+    resolvedSessionId
   );
   const channelConfiguration = getChannelConfigurationServiceById(
     stored.channelId
   );
-  const providerLabel = formatProviderLabel(stored.provider);
   await resumeSlackTurn({
     messageText: stored.pendingMessage ?? userMessage.text,
     channelId: stored.channelId,
     threadTs: stored.threadTs,
     lockKey: stored.resumeConversationId,
-    initialText: `Your ${providerLabel} account is now connected. Processing your request...`,
+    initialText: "",
     failureText: "I connected your account but hit an error processing your request. Please try the command again.",
     replyContext: {
       assistant: { userName: botConfig.userName },
@@ -11927,10 +12075,21 @@ async function resumeCheckpointedOAuthTurn(stored) {
       },
       toolChannelId: artifacts.assistantContextChannelId ?? stored.channelId,
       artifactState: artifacts,
+      pendingAuth,
       conversationContext,
       channelConfiguration,
       sandbox: getPersistedSandboxState(currentState),
       threadParticipants: buildThreadParticipants(conversation.messages),
+      onAuthPending: async (nextPendingAuth) => {
+        await applyPendingAuthUpdate({
+          conversation,
+          conversationId: stored.resumeConversationId,
+          nextPendingAuth
+        });
+        await persistThreadStateById(stored.resumeConversationId, {
+          conversation
+        });
+      },
       ...getTurnUserReplyAttachmentContext(userMessage)
     },
     onSuccess: async (reply) => {
@@ -11942,11 +12101,11 @@ async function resumeCheckpointedOAuthTurn(stored) {
           "app.ai.outcome": reply.diagnostics.outcome,
           "app.ai.tool_calls": reply.diagnostics.toolCalls.length
         },
-        "Auto-resumed checkpointed turn after OAuth callback"
+        "OAuth callback auto-resumed checkpoint finished replying"
       );
       await persistCompletedOAuthReplyState({
         conversationId: stored.resumeConversationId,
-        sessionId: stored.resumeSessionId,
+        sessionId: resolvedSessionId,
         reply
       });
     },
@@ -11960,17 +12119,19 @@ async function resumeCheckpointedOAuthTurn(stored) {
       );
       await persistFailedOAuthReplyState({
         conversationId: stored.resumeConversationId,
-        sessionId: stored.resumeSessionId
+        sessionId: resolvedSessionId
       });
     },
     onAuthPause: async (error) => {
-      logException(
+      await deliverAuthPauseReply({
+        channelId: stored.channelId,
+        conversationId: stored.resumeConversationId,
         error,
-        "oauth_callback_resume_reparked_for_auth",
-        {},
-        { "app.credential.provider": stored.provider },
-        "Resumed OAuth turn requested another authorization flow"
-      );
+        fallbackProvider: stored.provider,
+        sessionId: resolvedSessionId,
+        threadStateId: stored.resumeConversationId,
+        threadTs: stored.threadTs
+      });
     },
     onTimeoutPause: async (error) => {
       if (!isRetryableTurnError(error, "turn_timeout_resume")) {
@@ -11990,7 +12151,7 @@ async function resumeCheckpointedOAuthTurn(stored) {
       }
       await scheduleTurnTimeoutResume({
         conversationId: stored.resumeConversationId,
-        sessionId: stored.resumeSessionId,
+        sessionId: resolvedSessionId,
         expectedCheckpointVersion: checkpointVersion
       });
     }
@@ -11999,7 +12160,6 @@ async function resumeCheckpointedOAuthTurn(stored) {
 }
 async function resumePendingOAuthMessage(stored) {
   if (!stored.pendingMessage || !stored.channelId || !stored.threadTs) return;
-  const providerLabel = formatProviderLabel(stored.provider);
   const conversationContext = await buildResumeConversationContext2(
     stored.channelId,
     stored.threadTs
@@ -12008,7 +12168,7 @@ async function resumePendingOAuthMessage(stored) {
     messageText: stored.pendingMessage,
     channelId: stored.channelId,
     threadTs: stored.threadTs,
-    connectedText: `Your ${providerLabel} account is now connected. Processing your request...`,
+    connectedText: "",
     failureText: `I connected your account but hit an error processing your request. Please try \`${stored.pendingMessage}\` again.`,
     replyContext: {
       requester: { userId: stored.userId },
@@ -12024,7 +12184,7 @@ async function resumePendingOAuthMessage(stored) {
           "app.ai.outcome": reply.diagnostics.outcome,
           "app.ai.tool_calls": reply.diagnostics.toolCalls.length
         },
-        "Auto-resumed pending message after OAuth callback"
+        "OAuth callback auto-resumed pending message finished replying"
       );
     },
     onFailure: async (error) => {
@@ -12273,6 +12433,7 @@ async function persistCompletedReplyState2(args) {
     conversation,
     args.checkpoint.sessionId
   );
+  clearPendingAuth(conversation, args.checkpoint.sessionId);
   markConversationMessage(conversation, userMessage?.id, {
     replied: true,
     skippedReason: void 0
@@ -12293,6 +12454,7 @@ async function persistCompletedReplyState2(args) {
   markTurnCompleted({
     conversation,
     nowMs: Date.now(),
+    sessionId: args.checkpoint.sessionId,
     updateConversationStats
   });
   await persistThreadStateById(args.checkpoint.conversationId, {
@@ -12305,9 +12467,11 @@ async function persistCompletedReplyState2(args) {
 async function persistFailedReplyState2(checkpoint) {
   const currentState = await getPersistedThreadState(checkpoint.conversationId);
   const conversation = coerceThreadConversationState(currentState);
+  clearPendingAuth(conversation, checkpoint.sessionId);
   markTurnFailed({
     conversation,
     nowMs: Date.now(),
+    sessionId: checkpoint.sessionId,
     userMessageId: getTurnUserMessage(conversation, checkpoint.sessionId)?.id,
     markConversationMessage,
     updateConversationStats
@@ -12371,10 +12535,21 @@ async function resumeTimedOutTurn(payload) {
       },
       toolChannelId: artifacts.assistantContextChannelId ?? thread.channelId,
       artifactState: artifacts,
+      pendingAuth: conversation.processing.pendingAuth,
       conversationContext,
       channelConfiguration,
       sandbox,
       threadParticipants: buildThreadParticipants(conversation.messages),
+      onAuthPending: async (nextPendingAuth) => {
+        await applyPendingAuthUpdate({
+          conversation,
+          conversationId: payload.conversationId,
+          nextPendingAuth
+        });
+        await persistThreadStateById(payload.conversationId, {
+          conversation
+        });
+      },
       ...getTurnUserReplyAttachmentContext(userMessage)
     },
     onSuccess: async (reply) => {
@@ -12406,7 +12581,15 @@ async function resumeTimedOutTurn(payload) {
       );
       await persistFailedReplyState2(checkpoint);
     },
-    onAuthPause: async () => {
+    onAuthPause: async (error) => {
+      await deliverAuthPauseReply({
+        channelId: thread.channelId,
+        conversationId: payload.conversationId,
+        error,
+        sessionId: payload.sessionId,
+        threadStateId: payload.conversationId,
+        threadTs: thread.threadTs
+      });
       logWarn(
         "timeout_resume_reparked_for_auth",
         {},
@@ -14145,6 +14328,7 @@ function createReplyToThread(deps) {
             },
             conversationContext: preparedState.routingContext ?? preparedState.conversationContext,
             artifactState: preparedState.artifacts,
+            pendingAuth: preparedState.conversation.processing.pendingAuth,
             configuration: preparedState.configuration,
             channelConfiguration: preparedState.channelConfiguration,
             inboundAttachmentCount: message.attachments.length,
@@ -14174,6 +14358,16 @@ function createReplyToThread(deps) {
             onArtifactStateUpdated: async (artifacts) => {
               await persistThreadState(thread, { artifacts });
             },
+            onAuthPending: async (pendingAuth) => {
+              await applyPendingAuthUpdate({
+                conversation: preparedState.conversation,
+                conversationId,
+                nextPendingAuth: pendingAuth
+              });
+              await persistThreadState(thread, {
+                conversation: preparedState.conversation
+              });
+            },
             threadParticipants,
             onStatus: (nextStatus) => status.update(nextStatus)
           });
@@ -14258,7 +14452,7 @@ function createReplyToThread(deps) {
           const replyFooter = buildSlackReplyFooter({
             conversationId,
             durationMs: reply.diagnostics.durationMs,
-            traceId: getActiveTraceId(),
+            thinkingLevel: reply.diagnostics.thinkingLevel,
             usage: reply.diagnostics.usage
           });
           const shouldUseSlackFooter = Boolean(replyFooter) && Boolean(channelId && threadTs) && thread.adapter?.name === "slack";
@@ -14351,8 +14545,42 @@ function createReplyToThread(deps) {
           }
         } catch (error) {
           if (isRetryableTurnError(error, "mcp_auth_resume") || isRetryableTurnError(error, "plugin_auth_resume")) {
+            const authPauseText = buildAuthPauseReplyText({
+              disposition: error.metadata?.authDisposition,
+              provider: error.metadata?.authProvider
+            });
+            const authPauseFooter = buildSlackReplyFooter({
+              conversationId,
+              durationMs: error.metadata?.authDurationMs,
+              thinkingLevel: error.metadata?.authThinkingLevel,
+              usage: error.metadata?.authUsage
+            });
+            const useSlackFooterForAuthPause = Boolean(authPauseFooter) && Boolean(channelId && threadTs) && thread.adapter?.name === "slack";
+            if (useSlackFooterForAuthPause && channelId && threadTs) {
+              await beforeFirstResponsePost();
+              await postSlackApiReplyPosts({
+                channelId,
+                threadTs,
+                footer: authPauseFooter,
+                posts: [{ stage: "thread_reply", text: authPauseText }]
+              });
+            } else {
+              await postThreadReply(
+                buildSlackOutputMessage(authPauseText),
+                "thread_reply"
+              );
+            }
+            completeAuthPauseTurn({
+              conversation: preparedState.conversation,
+              sessionId: error.metadata?.sessionId ?? turnId,
+              text: authPauseText
+            });
+            await persistThreadState(thread, {
+              conversation: preparedState.conversation
+            });
+            persistedAtLeastOnce = true;
             shouldPersistFailureState = false;
-            throw error;
+            return;
           }
           if (isRetryableTurnError(error, "turn_timeout_resume")) {
             const conversationIdForResume = error.metadata?.conversationId;