@sentry/junior 0.29.0 → 0.30.0

package/dist/app.js

@@ -392,6 +392,26 @@ function defaultConversationState() {
     }
   };
 }
+function coercePendingAuthState(value) {
+  if (!isRecord(value)) {
+    return void 0;
+  }
+  const kind = value.kind;
+  const provider = toOptionalString(value.provider);
+  const requesterId = toOptionalString(value.requesterId);
+  const sessionId = toOptionalString(value.sessionId);
+  const linkSentAtMs = toOptionalNumber(value.linkSentAtMs);
+  if (kind !== "mcp" && kind !== "plugin" || !provider || !requesterId || !sessionId || typeof linkSentAtMs !== "number") {
+    return void 0;
+  }
+  return {
+    kind,
+    provider,
+    requesterId,
+    sessionId,
+    linkSentAtMs
+  };
+}
 function coerceThreadConversationState(value) {
   if (!isRecord(value)) {
     return defaultConversationState();
@@ -442,7 +462,8 @@ function coerceThreadConversationState(value) {
   const rawProcessing = isRecord(rawConversation.processing) ? rawConversation.processing : {};
   const processing = {
     activeTurnId: toOptionalString(rawProcessing.activeTurnId),
-    lastCompletedAtMs: toOptionalNumber(rawProcessing.lastCompletedAtMs)
+    lastCompletedAtMs: toOptionalNumber(rawProcessing.lastCompletedAtMs),
+    pendingAuth: coercePendingAuthState(rawProcessing.pendingAuth)
   };
   const rawStats = isRecord(rawConversation.stats) ? rawConversation.stats : {};
   const stats = {
@@ -2001,11 +2022,13 @@ function buildThreadParticipants(messages) {
   return participants;
 }
 
-// src/chat/runtime/turn.ts
+// src/chat/state/turn-id.ts
 function buildDeterministicTurnId(messageId) {
   const sanitized = messageId.replace(/[^a-zA-Z0-9_-]/g, "_");
   return `turn_${sanitized}`;
 }
+
+// src/chat/runtime/turn.ts
 var RetryableTurnError = class extends Error {
   code = "retryable_turn";
   metadata;
@@ -2031,12 +2054,16 @@ function startActiveTurn(args) {
   args.updateConversationStats(args.conversation);
 }
 function markTurnCompleted(args) {
-  args.conversation.processing.activeTurnId = void 0;
+  if (!args.sessionId || args.conversation.processing.activeTurnId === args.sessionId) {
+    args.conversation.processing.activeTurnId = void 0;
+  }
   args.conversation.processing.lastCompletedAtMs = args.nowMs;
   args.updateConversationStats(args.conversation);
 }
 function markTurnFailed(args) {
-  args.conversation.processing.activeTurnId = void 0;
+  if (!args.sessionId || args.conversation.processing.activeTurnId === args.sessionId) {
+    args.conversation.processing.activeTurnId = void 0;
+  }
   args.conversation.processing.lastCompletedAtMs = args.nowMs;
   args.markConversationMessage(args.conversation, args.userMessageId, {
     replied: false,
@@ -8221,134 +8248,21 @@ function shouldEmitDevAgentTrace() {
   return process.env.NODE_ENV === "development";
 }
 
-// src/chat/credentials/unlink-provider.ts
-async function unlinkProvider(userId, provider, userTokenStore) {
-  await Promise.all([
-    userTokenStore.delete(userId, provider),
-    deleteMcpStoredOAuthCredentials(userId, provider),
-    deleteMcpServerSessionId(userId, provider),
-    deleteMcpAuthSessionsForUserProvider(userId, provider)
-  ]);
-}
-
-// src/chat/services/plugin-auth-orchestration.ts
-var PluginAuthorizationPauseError = class extends Error {
+// src/chat/services/auth-pause.ts
+var AuthorizationPauseError = class extends Error {
+  disposition;
+  kind;
   provider;
-  constructor(provider) {
-    super(`Plugin authorization started for ${provider}`);
-    this.name = "PluginAuthorizationPauseError";
+  constructor(kind, provider, disposition) {
+    super(
+      kind === "mcp" ? `MCP authorization started for ${provider}` : `Plugin authorization started for ${provider}`
+    );
+    this.name = kind === "mcp" ? "McpAuthorizationPauseError" : "PluginAuthorizationPauseError";
+    this.disposition = disposition;
+    this.kind = kind;
     this.provider = provider;
   }
 };
-function isCommandAuthFailure(details) {
-  if (!details || typeof details !== "object") {
-    return false;
-  }
-  const result = details;
-  if (typeof result.exit_code !== "number" || result.exit_code === 0) {
-    return false;
-  }
-  const text = `${typeof result.stdout === "string" ? result.stdout : ""}
-${typeof result.stderr === "string" ? result.stderr : ""}`.toLowerCase();
-  if (!text.trim()) {
-    return false;
-  }
-  return [
-    /\b401\b/,
-    /\bunauthorized\b/,
-    /\bbad credentials\b/,
-    /\binvalid token\b/,
-    /\btoken (?:expired|revoked)\b/,
-    /\bexpired token\b/,
-    /\bmissing scopes?\b/,
-    /\binsufficient scope\b/,
-    /\binvalid grant\b/,
-    /\breauthoriz/
-  ].some((pattern) => pattern.test(text));
-}
-function commandTargetsProvider(provider, command, details) {
-  const normalizedCommand = command.trim().toLowerCase();
-  if (!normalizedCommand) {
-    return false;
-  }
-  if (provider === "github" && /^(gh|git)\b/.test(normalizedCommand)) {
-    return true;
-  }
-  const plugin = getPluginDefinition(provider);
-  const candidates = /* @__PURE__ */ new Set([provider.toLowerCase()]);
-  const credentials = plugin?.manifest.credentials;
-  if (credentials) {
-    candidates.add(credentials.authTokenEnv.toLowerCase());
-    for (const domain of credentials.apiDomains) {
-      candidates.add(domain.toLowerCase());
-    }
-  }
-  const combinedText = `${normalizedCommand}
-${details.stdout?.toLowerCase() ?? ""}
-${details.stderr?.toLowerCase() ?? ""}`;
-  return [...candidates].some((candidate) => combinedText.includes(candidate));
-}
-function createPluginAuthOrchestration(deps, abortAgent) {
-  let pendingPause;
-  const startAuthorizationPause = async (provider, activeSkill, options) => {
-    if (pendingPause) {
-      throw pendingPause;
-    }
-    if (!deps.requesterId || !getPluginOAuthConfig(provider)) {
-      throw new Error(`Cannot start plugin authorization for ${provider}`);
-    }
-    const providerLabel = formatProviderLabel(provider);
-    const oauthResult = await startOAuthFlow(provider, {
-      requesterId: deps.requesterId,
-      channelId: deps.channelId,
-      threadTs: deps.threadTs,
-      userMessage: deps.userMessage,
-      channelConfiguration: deps.channelConfiguration,
-      activeSkillName: activeSkill?.name ?? void 0,
-      resumeConversationId: deps.conversationId,
-      resumeSessionId: deps.sessionId
-    });
-    if (!oauthResult.ok) {
-      throw new Error(oauthResult.error);
-    }
-    if (!oauthResult.delivery) {
-      throw new Error(
-        `I need to connect your ${providerLabel} account first, but I wasn't able to send you a private authorization link. Please send me a direct message and try again.`
-      );
-    }
-    if (options?.unlinkExistingProvider && deps.requesterId && deps.userTokenStore) {
-      await unlinkProvider(deps.requesterId, provider, deps.userTokenStore);
-    }
-    pendingPause = new PluginAuthorizationPauseError(provider);
-    abortAgent();
-    throw pendingPause;
-  };
-  const handleCredentialUnavailable = async (input) => {
-    if (pendingPause) {
-      throw pendingPause;
-    }
-    if (!deps.requesterId || !getPluginOAuthConfig(input.error.provider)) {
-      throw input.error;
-    }
-    return await startAuthorizationPause(
-      input.error.provider,
-      input.activeSkill
-    );
-  };
-  return {
-    handleCredentialUnavailable,
-    handleCommandFailure: async (input) => {
-      const provider = input.activeSkill?.pluginProvider;
-      if (!provider || !deps.requesterId || !deps.userTokenStore || !getPluginOAuthConfig(provider) || !isCommandAuthFailure(input.details) || !commandTargetsProvider(provider, input.command, input.details)) {
-        return;
-      }
-      await startAuthorizationPause(provider, input.activeSkill, {
-        unlinkExistingProvider: true
-      });
-    },
-    getPendingPause: () => pendingPause
-  };
-}
 
 // src/chat/runtime/report-progress.ts
 function buildReportedProgressStatus(input) {
@@ -8396,15 +8310,16 @@ function resolveCredentialInjection(toolName, command, capabilityRuntime, sandbo
     const headerDomains = (headerTransforms ?? []).map(
       (transform) => transform.domain
     );
+    const skillName = sandbox.getActiveSkill()?.name;
     logInfo(
       "credential_inject_start",
       {},
       {
-        "app.skill.name": sandbox.getActiveSkill()?.name,
+        "app.skill.name": skillName,
         "app.credential.delivery": "header_transform",
         "app.credential.header_domains": headerDomains
       },
-      "Injecting scoped credential headers for sandbox command"
+      `Injecting scoped credential headers for sandbox command (${skillName ?? "unknown skill"} \u2192 ${headerDomains.join(", ")})`
     );
   }
   return { headerTransforms, env };
@@ -8577,7 +8492,7 @@ function createAgentTools(tools, sandbox, spanContext, onStatus, sandboxExecutor
             }
             return normalized;
           } catch (error) {
-            if (error instanceof PluginAuthorizationPauseError) {
+            if (error instanceof AuthorizationPauseError) {
               throw error;
             }
             handleToolExecutionError(
@@ -8788,14 +8703,6 @@ function getTerminalAssistantMessages(messages) {
   }
   return messages.slice(lastToolResultIndex + 1).filter(isAssistantMessage);
 }
-function hasCompletedAssistantTurn(messages) {
-  const message = getTerminalAssistantMessages(messages).at(-1);
-  if (!message) {
-    return false;
-  }
-  const stopReason = message.stopReason;
-  return typeof stopReason === "string" && stopReason !== "error" && extractAssistantText(message).trim().length > 0;
-}
 function upsertActiveSkill(activeSkills, next) {
   const existing = activeSkills.find((skill) => skill.name === next.name);
   if (existing) {
@@ -9023,7 +8930,10 @@ function buildTurnResult(input) {
 // src/chat/services/turn-thinking-level.ts
 import { z } from "zod";
 var CLASSIFIER_CONFIDENCE_THRESHOLD = 0.75;
-var MAX_ROUTER_CONTEXT_CHARS = 1200;
+var MAX_ROUTER_CONTEXT_CHARS = 8e3;
+var ROUTER_CONTEXT_HEAD_CHARS = 3e3;
+var ROUTER_CONTEXT_TAIL_CHARS = 5e3;
+var TRUNCATION_MARKER = "\n\u2026[truncated]\u2026\n";
 var TURN_THINKING_LEVELS = ["none", "low", "medium", "high"];
 var turnExecutionProfileSchema = z.object({
   thinking_level: z.enum(TURN_THINKING_LEVELS),
@@ -9034,9 +8944,22 @@ var DEFAULT_THINKING_LEVEL = "low";
 function trimContextForRouter(text) {
   const trimmed = text?.trim();
   if (!trimmed) {
-    return void 0;
+    return null;
+  }
+  if (trimmed.length <= MAX_ROUTER_CONTEXT_CHARS) {
+    return {
+      text: trimmed,
+      truncated: false,
+      originalCharCount: trimmed.length
+    };
   }
-  return trimmed.length <= MAX_ROUTER_CONTEXT_CHARS ? trimmed : trimmed.slice(-MAX_ROUTER_CONTEXT_CHARS);
+  const head = trimmed.slice(0, ROUTER_CONTEXT_HEAD_CHARS).trimEnd();
+  const tail = trimmed.slice(-ROUTER_CONTEXT_TAIL_CHARS).trimStart();
+  return {
+    text: `${head}${TRUNCATION_MARKER}${tail}`,
+    truncated: true,
+    originalCharCount: trimmed.length
+  };
 }
 function buildClassifierSystemPrompt() {
   return [
@@ -9048,22 +8971,23 @@ function buildClassifierSystemPrompt() {
     "Use medium for investigations, ambiguous asks, multi-step analysis, or likely multi-tool work.",
     "Use high for code changes, debugging/root-cause analysis, research-heavy work, non-trivial drafting, or explicit requests to be thorough.",
     "",
+    "Classify based on the substance of the task, not the length of the current message. When the current instruction is a short affirmation (for example: 'go', 'do it', 'yes please', 'proceed') and the thread-background contains a pending task, classify the pending task \u2014 not the affirmation.",
+    "",
     "Return JSON only with thinking_level, confidence, and reason."
   ].join("\n");
 }
 function buildClassifierPrompt(args) {
   const sections = [];
-  const context = trimContextForRouter(args.conversationContext);
-  if (context) {
-    sections.push("<thread-background>", context, "</thread-background>", "");
+  if (args.conversationContext) {
+    sections.push(
+      "<thread-background>",
+      args.conversationContext.text,
+      "</thread-background>",
+      ""
+    );
   }
   sections.push(
-    "<turn-context>",
-    `- active_skills: ${args.activeSkillNames.join(", ") || "none"}`,
-    `- attachment_count: ${args.attachmentCount}`,
-    "</turn-context>",
-    "",
-    '<current-instruction priority="highest">',
+    "<current-instruction>",
     args.messageText.trim() || "[empty]",
     "</current-instruction>"
   );
@@ -9077,42 +9001,81 @@ function buildClassifierPrompt(args) {
   return sections.join("\n");
 }
 async function selectTurnThinkingLevel(args) {
-  const activeSkillNames = [...new Set(args.activeSkillNames ?? [])].sort();
+  const trimmedContext = trimContextForRouter(args.conversationContext);
+  const instructionLength = args.messageText.trim().length;
+  const turnBlockCount = (args.currentTurnBlocks ?? []).filter(
+    (block) => block.trim().length > 0
+  ).length;
+  const prompt = buildClassifierPrompt({
+    conversationContext: trimmedContext,
+    currentTurnBlocks: args.currentTurnBlocks,
+    messageText: args.messageText
+  });
+  const logContext = {
+    slackThreadId: args.context?.threadId,
+    slackChannelId: args.context?.channelId,
+    slackUserId: args.context?.requesterId,
+    runId: args.context?.runId,
+    modelId: args.fastModelId
+  };
+  return withSpan(
+    "chat.route_thinking",
+    "chat.route_thinking",
+    logContext,
+    async () => {
+      setSpanAttributes({
+        "app.ai.router.prompt_char_count": prompt.length,
+        "app.ai.router.instruction_char_count": instructionLength,
+        "app.ai.router.context_char_count": trimmedContext?.originalCharCount ?? 0,
+        "app.ai.router.context_trimmed": trimmedContext?.truncated ?? false,
+        "app.ai.router.turn_block_count": turnBlockCount
+      });
+      const selection = await classifyTurn({
+        completeObject: args.completeObject,
+        fastModelId: args.fastModelId,
+        metadata: {
+          modelId: args.fastModelId,
+          threadId: args.context?.threadId ?? "",
+          channelId: args.context?.channelId ?? "",
+          requesterId: args.context?.requesterId ?? "",
+          runId: args.context?.runId ?? ""
+        },
+        prompt
+      });
+      setSpanAttributes({
+        "app.ai.thinking_level": selection.thinkingLevel,
+        "app.ai.thinking_level_reason": selection.reason,
+        ...selection.confidence !== void 0 ? { "app.ai.thinking_level_confidence": selection.confidence } : {}
+      });
+      return selection;
+    }
+  );
+}
+async function classifyTurn(args) {
   try {
     const result = await args.completeObject({
       modelId: args.fastModelId,
       schema: turnExecutionProfileSchema,
       maxTokens: 120,
-      metadata: {
-        modelId: args.fastModelId,
-        threadId: args.context?.threadId ?? "",
-        channelId: args.context?.channelId ?? "",
-        requesterId: args.context?.requesterId ?? "",
-        runId: args.context?.runId ?? ""
-      },
-      prompt: buildClassifierPrompt({
-        activeSkillNames,
-        attachmentCount: args.attachmentCount ?? 0,
-        conversationContext: args.conversationContext,
-        currentTurnBlocks: args.currentTurnBlocks,
-        messageText: args.messageText
-      }),
+      metadata: args.metadata,
+      prompt: args.prompt,
       thinkingLevel: "low",
       system: buildClassifierSystemPrompt(),
       temperature: 0
     });
     const parsed = turnExecutionProfileSchema.parse(result.object);
+    const reason = parsed.reason.trim();
     if (parsed.confidence < CLASSIFIER_CONFIDENCE_THRESHOLD) {
       return {
         confidence: parsed.confidence,
         thinkingLevel: DEFAULT_THINKING_LEVEL,
-        reason: `low_confidence_default:${parsed.reason.trim()}`
+        reason: `low_confidence_default:${reason}`
       };
     }
     return {
       confidence: parsed.confidence,
       thinkingLevel: parsed.thinking_level,
-      reason: parsed.reason.trim()
+      reason
     };
   } catch {
     return {
@@ -9150,7 +9113,7 @@ function parseAgentTurnSessionCheckpoint(value) {
       return void 0;
     }
     const status = parsed.state;
-    if (status !== "running" && status !== "awaiting_resume" && status !== "completed" && status !== "failed") {
+    if (status !== "running" && status !== "awaiting_resume" && status !== "completed" && status !== "failed" && status !== "superseded") {
       return void 0;
     }
     const conversationId = parsed.conversationId;
@@ -9222,6 +9185,26 @@ async function upsertAgentTurnSessionCheckpoint(args) {
   );
   return checkpoint;
 }
+async function supersedeAgentTurnSessionCheckpoint(args) {
+  const existing = await getAgentTurnSessionCheckpoint(
+    args.conversationId,
+    args.sessionId
+  );
+  if (!existing || existing.state === "completed" || existing.state === "failed" || existing.state === "superseded") {
+    return void 0;
+  }
+  return await upsertAgentTurnSessionCheckpoint({
+    conversationId: existing.conversationId,
+    sessionId: existing.sessionId,
+    sliceId: existing.sliceId,
+    state: "superseded",
+    piMessages: existing.piMessages,
+    loadedSkillNames: existing.loadedSkillNames,
+    resumeReason: existing.resumeReason,
+    resumedFromSliceId: existing.resumedFromSliceId,
+    errorMessage: args.errorMessage ?? existing.errorMessage
+  });
+}
 
 // src/chat/services/turn-checkpoint.ts
 async function loadTurnCheckpoint(ctx) {
@@ -9336,13 +9319,67 @@ async function persistTimeoutCheckpoint(args) {
   }
 }
 
+// src/chat/services/pending-auth.ts
+var AUTH_LINK_REUSE_WINDOW_MS = 10 * 60 * 1e3;
+function canReusePendingAuthLink(args) {
+  const { pendingAuth } = args;
+  if (!pendingAuth) {
+    return false;
+  }
+  return pendingAuth.kind === args.kind && pendingAuth.provider === args.provider && pendingAuth.requesterId === args.requesterId && pendingAuth.linkSentAtMs + AUTH_LINK_REUSE_WINDOW_MS > (args.nowMs ?? Date.now());
+}
+function buildAuthPauseReplyText(args) {
+  const providerLabel = args.provider ? formatProviderLabel(args.provider) : "";
+  if (args.disposition === "link_already_sent") {
+    return providerLabel ? `I still need your ${providerLabel} access to continue. I already sent you a private link.` : "I still need additional access to continue. I already sent you a private link.";
+  }
+  return providerLabel ? `I need your ${providerLabel} access to continue. I sent you a private link.` : "I need additional access to continue. I sent you a private link.";
+}
+function getConversationPendingAuth(args) {
+  const pendingAuth = args.conversation.processing.pendingAuth;
+  if (!pendingAuth) {
+    return void 0;
+  }
+  if (pendingAuth.kind !== args.kind || pendingAuth.provider !== args.provider || pendingAuth.requesterId !== args.requesterId) {
+    return void 0;
+  }
+  return pendingAuth;
+}
+function clearPendingAuth(conversation, sessionId) {
+  if (!conversation.processing.pendingAuth) {
+    return;
+  }
+  if (sessionId && conversation.processing.pendingAuth.sessionId !== sessionId) {
+    return;
+  }
+  conversation.processing.pendingAuth = void 0;
+}
+async function applyPendingAuthUpdate(args) {
+  const previousPendingAuth = args.conversation.processing.pendingAuth;
+  args.conversation.processing.pendingAuth = args.nextPendingAuth;
+  if (previousPendingAuth && previousPendingAuth.sessionId !== args.nextPendingAuth.sessionId && args.conversationId) {
+    await supersedeAgentTurnSessionCheckpoint({
+      conversationId: args.conversationId,
+      sessionId: previousPendingAuth.sessionId,
+      errorMessage: "Superseded by a newer auth-blocked request in the same conversation."
+    });
+  }
+}
+function isPendingAuthLatestRequest(conversation, pendingAuth) {
+  for (let index = conversation.messages.length - 1; index >= 0; index -= 1) {
+    const message = conversation.messages[index];
+    if (message?.role !== "user") {
+      continue;
+    }
+    return buildDeterministicTurnId(message.id) === pendingAuth.sessionId;
+  }
+  return false;
+}
+
 // src/chat/services/mcp-auth-orchestration.ts
-var McpAuthorizationPauseError = class extends Error {
-  provider;
-  constructor(provider) {
-    super(`MCP authorization started for ${provider}`);
-    this.name = "McpAuthorizationPauseError";
-    this.provider = provider;
+var McpAuthorizationPauseError = class extends AuthorizationPauseError {
+  constructor(provider, disposition) {
+    super("mcp", provider, disposition);
   }
 };
 function createMcpAuthOrchestration(deps, abortAgent) {
@@ -9387,18 +9424,40 @@ function createMcpAuthOrchestration(deps, abortAgent) {
     if (!authSession?.authorizationUrl) {
       throw new Error(`Missing MCP authorization URL for plugin "${provider}"`);
     }
-    const delivery = await deliverPrivateMessage({
-      channelId: authSession.channelId,
-      threadTs: authSession.threadTs,
-      userId: authSession.userId,
-      text: `<${authSession.authorizationUrl}|Click here to link your ${formatProviderLabel(provider)} MCP access>. Once you've authorized, this thread will continue automatically.`
+    const reusingPendingLink = canReusePendingAuthLink({
+      pendingAuth: deps.currentPendingAuth,
+      kind: "mcp",
+      provider,
+      requesterId: deps.requesterId
     });
-    if (!delivery) {
-      throw new Error(
-        `Unable to deliver MCP authorization link for plugin "${provider}"`
-      );
+    if (!reusingPendingLink) {
+      const delivery = await deliverPrivateMessage({
+        channelId: authSession.channelId,
+        threadTs: authSession.threadTs,
+        userId: authSession.userId,
+        text: `<${authSession.authorizationUrl}|Click here to link your ${formatProviderLabel(provider)} MCP access>. Once you've authorized, this thread will continue automatically.`
+      });
+      if (!delivery) {
+        throw new Error(
+          `Unable to deliver MCP authorization link for plugin "${provider}"`
+        );
+      }
+    } else {
+      await deleteMcpAuthSession(authSessionId);
+    }
+    if (deps.sessionId && deps.requesterId) {
+      await deps.onPendingAuth?.({
+        kind: "mcp",
+        provider,
+        requesterId: deps.requesterId,
+        sessionId: deps.sessionId,
+        linkSentAtMs: reusingPendingLink ? deps.currentPendingAuth.linkSentAtMs : Date.now()
+      });
     }
-    pendingPause = new McpAuthorizationPauseError(provider);
+    pendingPause = new McpAuthorizationPauseError(
+      provider,
+      reusingPendingLink ? "link_already_sent" : "link_sent"
+    );
     abortAgent();
     return true;
   };
@@ -9409,6 +9468,152 @@ function createMcpAuthOrchestration(deps, abortAgent) {
   };
 }
 
+// src/chat/credentials/unlink-provider.ts
+async function unlinkProvider(userId, provider, userTokenStore) {
+  await Promise.all([
+    userTokenStore.delete(userId, provider),
+    deleteMcpStoredOAuthCredentials(userId, provider),
+    deleteMcpServerSessionId(userId, provider),
+    deleteMcpAuthSessionsForUserProvider(userId, provider)
+  ]);
+}
+
+// src/chat/services/plugin-auth-orchestration.ts
+var PluginAuthorizationPauseError = class extends AuthorizationPauseError {
+  constructor(provider, disposition) {
+    super("plugin", provider, disposition);
+  }
+};
+function isCommandAuthFailure(details) {
+  if (!details || typeof details !== "object") {
+    return false;
+  }
+  const result = details;
+  if (typeof result.exit_code !== "number" || result.exit_code === 0) {
+    return false;
+  }
+  const text = `${typeof result.stdout === "string" ? result.stdout : ""}
+${typeof result.stderr === "string" ? result.stderr : ""}`.toLowerCase();
+  if (!text.trim()) {
+    return false;
+  }
+  return [
+    /\b401\b/,
+    /\bunauthorized\b/,
+    /\bbad credentials\b/,
+    /\binvalid token\b/,
+    /\btoken (?:expired|revoked)\b/,
+    /\bexpired token\b/,
+    /\bmissing scopes?\b/,
+    /\binsufficient scope\b/,
+    /\binvalid grant\b/,
+    /\breauthoriz/
+  ].some((pattern) => pattern.test(text));
+}
+function commandTargetsProvider(provider, command, details) {
+  const normalizedCommand = command.trim().toLowerCase();
+  if (!normalizedCommand) {
+    return false;
+  }
+  if (provider === "github" && /^(gh|git)\b/.test(normalizedCommand)) {
+    return true;
+  }
+  const plugin = getPluginDefinition(provider);
+  const candidates = /* @__PURE__ */ new Set([provider.toLowerCase()]);
+  const credentials = plugin?.manifest.credentials;
+  if (credentials) {
+    candidates.add(credentials.authTokenEnv.toLowerCase());
+    for (const domain of credentials.apiDomains) {
+      candidates.add(domain.toLowerCase());
+    }
+  }
+  const combinedText = `${normalizedCommand}
+${details.stdout?.toLowerCase() ?? ""}
+${details.stderr?.toLowerCase() ?? ""}`;
+  return [...candidates].some((candidate) => combinedText.includes(candidate));
+}
+function createPluginAuthOrchestration(deps, abortAgent) {
+  let pendingPause;
+  const startAuthorizationPause = async (provider, activeSkill, options) => {
+    if (pendingPause) {
+      throw pendingPause;
+    }
+    if (!deps.requesterId || !getPluginOAuthConfig(provider)) {
+      throw new Error(`Cannot start plugin authorization for ${provider}`);
+    }
+    const providerLabel = formatProviderLabel(provider);
+    const reusingPendingLink = canReusePendingAuthLink({
+      pendingAuth: deps.currentPendingAuth,
+      kind: "plugin",
+      provider,
+      requesterId: deps.requesterId
+    });
+    if (!reusingPendingLink) {
+      const oauthResult = await startOAuthFlow(provider, {
+        requesterId: deps.requesterId,
+        channelId: deps.channelId,
+        threadTs: deps.threadTs,
+        userMessage: deps.userMessage,
+        channelConfiguration: deps.channelConfiguration,
+        activeSkillName: activeSkill?.name ?? void 0,
+        resumeConversationId: deps.conversationId,
+        resumeSessionId: deps.sessionId
+      });
+      if (!oauthResult.ok) {
+        throw new Error(oauthResult.error);
+      }
+      if (!oauthResult.delivery) {
+        throw new Error(
+          `I need to connect your ${providerLabel} account first, but I wasn't able to send you a private authorization link. Please send me a direct message and try again.`
+        );
+      }
+    }
+    if (options?.unlinkExistingProvider && deps.requesterId && deps.userTokenStore) {
+      await unlinkProvider(deps.requesterId, provider, deps.userTokenStore);
+    }
+    if (deps.sessionId) {
+      await deps.onPendingAuth?.({
+        kind: "plugin",
+        provider,
+        requesterId: deps.requesterId,
+        sessionId: deps.sessionId,
+        linkSentAtMs: reusingPendingLink ? deps.currentPendingAuth.linkSentAtMs : Date.now()
+      });
+    }
+    pendingPause = new PluginAuthorizationPauseError(
+      provider,
+      reusingPendingLink ? "link_already_sent" : "link_sent"
+    );
+    abortAgent();
+    throw pendingPause;
+  };
+  const handleCredentialUnavailable = async (input) => {
+    if (pendingPause) {
+      throw pendingPause;
+    }
+    if (!deps.requesterId || !getPluginOAuthConfig(input.error.provider)) {
+      throw input.error;
+    }
+    return await startAuthorizationPause(
+      input.error.provider,
+      input.activeSkill
+    );
+  };
+  return {
+    handleCredentialUnavailable,
+    handleCommandFailure: async (input) => {
+      const provider = input.activeSkill?.pluginProvider;
+      if (!provider || !deps.requesterId || !deps.userTokenStore || !getPluginOAuthConfig(provider) || !isCommandAuthFailure(input.details) || !commandTargetsProvider(provider, input.command, input.details)) {
+        return;
+      }
+      await startAuthorizationPause(provider, input.activeSkill, {
+        unlinkExistingProvider: true
+      });
+    },
+    getPendingPause: () => pendingPause
+  };
+}
+
 // src/chat/respond.ts
 var startupDiscoveryLogged = false;
 var MAX_ROUTER_ATTACHMENT_PREVIEW_CHARS = 2e3;
@@ -9525,6 +9730,7 @@ async function generateAssistantReply(messageText, context = {}) {
   let timeoutResumeSessionId;
   let timeoutResumeSliceId = 1;
   let timeoutResumeMessages = [];
+  let beforeMessageCount = 0;
   let lastKnownSandboxId = context.sandbox?.sandboxId;
   let lastKnownSandboxDependencyProfileHash = context.sandbox?.sandboxDependencyProfileHash;
   let loadedSkillNamesForResume = [];
@@ -9717,8 +9923,6 @@ async function generateAssistantReply(messageText, context = {}) {
       userTurnText
     });
     thinkingSelection = await selectTurnThinkingLevel({
-      activeSkillNames: activeSkills.map((skill) => skill.name),
-      attachmentCount: context.userAttachments?.length,
       completeObject,
       conversationContext: context.conversationContext,
       context: {
@@ -9754,9 +9958,11 @@ async function generateAssistantReply(messageText, context = {}) {
         threadTs: context.correlation?.threadTs,
         toolChannelId: context.toolChannelId,
         userMessage: userInput,
+        currentPendingAuth: context.pendingAuth,
         getConfiguration: () => configurationValues,
         getArtifactState: () => context.artifactState,
-        getMergedArtifactState: () => mergeArtifactsState(context.artifactState ?? {}, artifactStatePatch)
+        getMergedArtifactState: () => mergeArtifactsState(context.artifactState ?? {}, artifactStatePatch),
+        onPendingAuth: context.onAuthPending
       },
       () => agent?.abort()
     );
@@ -9769,6 +9975,8 @@ async function generateAssistantReply(messageText, context = {}) {
         threadTs: context.correlation?.threadTs,
         userMessage: userInput,
         channelConfiguration: context.channelConfiguration,
+        currentPendingAuth: context.pendingAuth,
+        onPendingAuth: context.onAuthPending,
         userTokenStore
       },
       () => agent?.abort()
@@ -9987,9 +10195,8 @@ async function generateAssistantReply(messageText, context = {}) {
         );
       });
     });
-    let beforeMessageCount = agent.state.messages.length;
     let newMessages = [];
-    let completedAssistantTurn = false;
+    beforeMessageCount = agent.state.messages.length;
     try {
       if (resumedFromCheckpoint) {
         agent.state.messages = existingCheckpoint.piMessages;
@@ -10056,11 +10263,6 @@ async function generateAssistantReply(messageText, context = {}) {
             }
           }
           newMessages = agent.state.messages.slice(beforeMessageCount);
-          completedAssistantTurn = hasCompletedAssistantTurn(newMessages);
-          if (getPendingAuthPause() && !completedAssistantTurn) {
-            timeoutResumeMessages = [...agent.state.messages];
-            throw getPendingAuthPause();
-          }
           const outputMessages = newMessages.filter(isAssistantMessage);
           const outputMessagesAttribute = serializeGenAiAttribute(outputMessages);
           const usageSummary = extractGenAiUsageSummary(
@@ -10076,6 +10278,10 @@ async function generateAssistantReply(messageText, context = {}) {
             ...usageSummary.inputTokens !== void 0 ? { "gen_ai.usage.input_tokens": usageSummary.inputTokens } : {},
             ...usageSummary.outputTokens !== void 0 ? { "gen_ai.usage.output_tokens": usageSummary.outputTokens } : {}
           });
+          if (getPendingAuthPause()) {
+            timeoutResumeMessages = [...agent.state.messages];
+            throw getPendingAuthPause();
+          }
         },
         {
           "gen_ai.provider.name": GEN_AI_PROVIDER_NAME,
@@ -10088,9 +10294,6 @@ async function generateAssistantReply(messageText, context = {}) {
     } finally {
       unsubscribe();
     }
-    if (getPendingAuthPause() && !completedAssistantTurn) {
-      throw getPendingAuthPause();
-    }
     if (checkpointState.canUseTurnSession && sessionConversationId && sessionId) {
       await persistCompletedCheckpoint({
         conversationId: sessionConversationId,
@@ -10148,7 +10351,15 @@ async function generateAssistantReply(messageText, context = {}) {
         );
       }
     }
-    if ((error instanceof McpAuthorizationPauseError || error instanceof PluginAuthorizationPauseError) && timeoutResumeConversationId && timeoutResumeSessionId) {
+    if (error instanceof AuthorizationPauseError && timeoutResumeConversationId && timeoutResumeSessionId) {
+      if (!turnUsage && timeoutResumeMessages.length > 0) {
+        const fallbackUsage = extractGenAiUsageSummary(
+          ...timeoutResumeMessages.slice(beforeMessageCount).filter(isAssistantMessage)
+        );
+        turnUsage = Object.values(fallbackUsage).some(
+          (value) => value !== void 0
+        ) ? fallbackUsage : void 0;
+      }
       const nextSliceId = await persistAuthPauseCheckpoint({
         conversationId: timeoutResumeConversationId,
         sessionId: timeoutResumeSessionId,
@@ -10166,9 +10377,15 @@ async function generateAssistantReply(messageText, context = {}) {
         }
       });
       throw new RetryableTurnError(
-        error instanceof PluginAuthorizationPauseError ? "plugin_auth_resume" : "mcp_auth_resume",
+        error.kind === "plugin" ? "plugin_auth_resume" : "mcp_auth_resume",
         `conversation=${timeoutResumeConversationId} session=${timeoutResumeSessionId} slice=${nextSliceId}`,
         {
+          authDisposition: error.disposition,
+          authDurationMs: Date.now() - replyStartedAtMs,
+          authKind: error.kind,
+          authProvider: error.provider,
+          authThinkingLevel: thinkingSelection?.thinkingLevel,
+          authUsage: turnUsage,
           conversationId: timeoutResumeConversationId,
           sessionId: timeoutResumeSessionId,
           sliceId: nextSliceId
@@ -11041,6 +11258,82 @@ async function resumeAuthorizedRequest(args) {
   });
 }
 
+// src/chat/runtime/auth-pause-reply.ts
+function buildAuthPauseSlackMessage(args) {
+  const footer = buildSlackReplyFooter({
+    conversationId: args.conversationId,
+    durationMs: args.durationMs,
+    thinkingLevel: args.thinkingLevel,
+    usage: args.usage
+  });
+  const blocks = buildSlackReplyBlocks(args.text, footer);
+  return blocks ? { text: args.text, blocks } : { text: args.text };
+}
+function completeAuthPauseTurn(args) {
+  markConversationMessage(
+    args.conversation,
+    getTurnUserMessageId(args.conversation, args.sessionId),
+    {
+      replied: true,
+      skippedReason: void 0
+    }
+  );
+  upsertConversationMessage(args.conversation, {
+    id: generateConversationId("assistant"),
+    role: "assistant",
+    text: normalizeConversationText(args.text) || "[empty response]",
+    createdAtMs: Date.now(),
+    author: {
+      userName: botConfig.userName,
+      isBot: true
+    },
+    meta: {
+      replied: true
+    }
+  });
+  markTurnCompleted({
+    conversation: args.conversation,
+    nowMs: Date.now(),
+    sessionId: args.sessionId,
+    updateConversationStats
+  });
+}
+async function persistAuthPauseReplyState(args) {
+  const currentState = await getPersistedThreadState(args.threadStateId);
+  const conversation = coerceThreadConversationState(currentState);
+  completeAuthPauseTurn({
+    conversation,
+    sessionId: args.sessionId,
+    text: args.text
+  });
+  await persistThreadStateById(args.threadStateId, { conversation });
+}
+async function deliverAuthPauseReply(args) {
+  const retryable = isRetryableTurnError(args.error) ? args.error : void 0;
+  const text = retryable ? buildAuthPauseReplyText({
+    disposition: retryable.metadata?.authDisposition,
+    provider: retryable.metadata?.authProvider
+  }) : buildAuthPauseReplyText({ provider: args.fallbackProvider });
+  const message = buildAuthPauseSlackMessage({
+    conversationId: args.conversationId,
+    durationMs: retryable?.metadata?.authDurationMs,
+    text,
+    thinkingLevel: retryable?.metadata?.authThinkingLevel,
+    usage: retryable?.metadata?.authUsage
+  });
+  await postSlackMessage({
+    channelId: args.channelId,
+    threadTs: args.threadTs,
+    text: message.text,
+    ...message.blocks ? { blocks: message.blocks } : {}
+  });
+  await persistAuthPauseReplyState({
+    sessionId: args.sessionId,
+    text,
+    threadStateId: args.threadStateId
+  });
+}
+
 // src/chat/services/timeout-resume.ts
 import { createHmac, timingSafeEqual } from "crypto";
 var TURN_TIMEOUT_RESUME_PATH = "/api/internal/turn-resume";
@@ -11213,6 +11506,7 @@ async function persistCompletedReplyState(channelId, threadTs, sessionId, reply)
   const artifacts = coerceThreadArtifactsState(currentState);
   const nextArtifacts = reply.artifactStatePatch ? mergeArtifactsState(artifacts, reply.artifactStatePatch) : void 0;
   const userMessageId = getTurnUserMessageId(conversation, sessionId);
+  clearPendingAuth(conversation, sessionId);
   markConversationMessage(conversation, userMessageId, {
     replied: true,
     skippedReason: void 0
@@ -11233,6 +11527,7 @@ async function persistCompletedReplyState(channelId, threadTs, sessionId, reply)
   markTurnCompleted({
     conversation,
     nowMs: Date.now(),
+    sessionId,
     updateConversationStats
   });
   await persistThreadStateById(threadId, {
@@ -11246,9 +11541,11 @@ async function persistFailedReplyState(channelId, threadTs, sessionId) {
   const threadId = `slack:${channelId}:${threadTs}`;
   const currentState = await getPersistedThreadState(threadId);
   const conversation = coerceThreadConversationState(currentState);
+  clearPendingAuth(conversation, sessionId);
   markTurnFailed({
     conversation,
     nowMs: Date.now(),
+    sessionId,
     userMessageId: getTurnUserMessageId(conversation, sessionId),
     markConversationMessage,
     updateConversationStats
@@ -11266,8 +11563,29 @@ async function resumeAuthorizedMcpTurn(args) {
   const currentState = await getPersistedThreadState(threadId);
   const conversation = coerceThreadConversationState(currentState);
   const artifacts = coerceThreadArtifactsState(currentState);
-  const userMessage = getTurnUserMessage(conversation, authSession.sessionId);
-  if (conversation.processing.activeTurnId !== authSession.sessionId) {
+  const pendingAuth = getConversationPendingAuth({
+    conversation,
+    kind: "mcp",
+    provider,
+    requesterId: authSession.userId
+  });
+  const resolvedSessionId = pendingAuth?.sessionId ?? authSession.sessionId;
+  const userMessage = getTurnUserMessage(conversation, resolvedSessionId);
+  if (pendingAuth) {
+    if (!isPendingAuthLatestRequest(conversation, pendingAuth)) {
+      clearPendingAuth(conversation, pendingAuth.sessionId);
+      await persistThreadStateById(threadId, { conversation });
+      await supersedeAgentTurnSessionCheckpoint({
+        conversationId: authSession.conversationId,
+        sessionId: pendingAuth.sessionId,
+        errorMessage: "Auth completed after a newer thread message superseded this blocked request."
+      });
+      return;
+    }
+  } else if (conversation.processing.activeTurnId !== authSession.sessionId) {
+    return;
+  }
+  if (!userMessage) {
     return;
   }
   const channelConfiguration = getChannelConfigurationServiceById(
@@ -11276,14 +11594,14 @@ async function resumeAuthorizedMcpTurn(args) {
   const conversationContext = await buildResumeConversationContext(
     authSession.channelId,
     authSession.threadTs,
-    authSession.sessionId
+    resolvedSessionId
   );
   await resumeAuthorizedRequest({
-    messageText: authSession.userMessage,
+    messageText: userMessage.text,
     channelId: authSession.channelId,
     threadTs: authSession.threadTs,
     lockKey: authSession.conversationId,
-    connectedText: `Your ${provider} MCP access is now connected. Continuing the original request...`,
+    connectedText: "",
     failureText: "MCP authorization completed, but resuming the request failed. Please retry the original command.",
     replyContext: {
       assistant: { userName: botConfig.userName },
@@ -11294,7 +11612,7 @@ async function resumeAuthorizedMcpTurn(args) {
       },
       correlation: {
         conversationId: authSession.conversationId,
-        turnId: authSession.sessionId,
+        turnId: resolvedSessionId,
         channelId: authSession.channelId,
         threadTs: authSession.threadTs,
         requesterId: authSession.userId
@@ -11303,9 +11621,18 @@ async function resumeAuthorizedMcpTurn(args) {
       conversationContext,
       artifactState: artifacts,
       configuration: authSession.configuration,
+      pendingAuth,
       channelConfiguration,
       sandbox: getPersistedSandboxState(currentState),
       threadParticipants: buildThreadParticipants(conversation.messages),
+      onAuthPending: async (nextPendingAuth) => {
+        await applyPendingAuthUpdate({
+          conversation,
+          conversationId: authSession.conversationId,
+          nextPendingAuth
+        });
+        await persistThreadStateById(threadId, { conversation });
+      },
       ...getTurnUserReplyAttachmentContext(userMessage)
     },
     onSuccess: async (reply) => {
@@ -11313,7 +11640,7 @@ async function resumeAuthorizedMcpTurn(args) {
         await persistCompletedReplyState(
           authSession.channelId,
           authSession.threadTs,
-          authSession.sessionId,
+          resolvedSessionId,
           reply
         );
       } catch (persistError) {
@@ -11338,7 +11665,7 @@ async function resumeAuthorizedMcpTurn(args) {
         await persistFailedReplyState(
           authSession.channelId,
           authSession.threadTs,
-          authSession.sessionId
+          resolvedSessionId
         );
       } catch (persistError) {
         logException(
@@ -11350,7 +11677,16 @@ async function resumeAuthorizedMcpTurn(args) {
         );
       }
     },
-    onAuthPause: async () => {
+    onAuthPause: async (error) => {
+      await deliverAuthPauseReply({
+        channelId: authSession.channelId,
+        conversationId: authSession.conversationId,
+        error,
+        fallbackProvider: provider,
+        sessionId: resolvedSessionId,
+        threadStateId: `slack:${authSession.channelId}:${authSession.threadTs}`,
+        threadTs: authSession.threadTs
+      });
       logWarn(
         "mcp_oauth_callback_resume_reparked_for_auth",
         {},
@@ -11385,7 +11721,7 @@ async function resumeAuthorizedMcpTurn(args) {
       }
       await scheduleTurnTimeoutResume({
         conversationId: authSession.conversationId,
-        sessionId: authSession.sessionId,
+        sessionId: resolvedSessionId,
         expectedCheckpointVersion: checkpointVersion
       });
     }
@@ -11610,6 +11946,7 @@ async function persistCompletedOAuthReplyState(args) {
   const artifacts = coerceThreadArtifactsState(currentState);
   const nextArtifacts = args.reply.artifactStatePatch ? mergeArtifactsState(artifacts, args.reply.artifactStatePatch) : void 0;
   const userMessage = getTurnUserMessage(conversation, args.sessionId);
+  clearPendingAuth(conversation, args.sessionId);
   markConversationMessage(conversation, userMessage?.id, {
     replied: true,
     skippedReason: void 0
@@ -11630,6 +11967,7 @@ async function persistCompletedOAuthReplyState(args) {
   markTurnCompleted({
     conversation,
     nowMs: Date.now(),
+    sessionId: args.sessionId,
     updateConversationStats
   });
   await persistThreadStateById(args.conversationId, {
@@ -11642,9 +11980,11 @@ async function persistCompletedOAuthReplyState(args) {
 async function persistFailedOAuthReplyState(args) {
   const currentState = await getPersistedThreadState(args.conversationId);
   const conversation = coerceThreadConversationState(currentState);
+  clearPendingAuth(conversation, args.sessionId);
   markTurnFailed({
     conversation,
     nowMs: Date.now(),
+    sessionId: args.sessionId,
     userMessageId: getTurnUserMessage(conversation, args.sessionId)?.id,
     markConversationMessage,
     updateConversationStats
@@ -11661,35 +12001,65 @@ async function resumeCheckpointedOAuthTurn(stored) {
     stored.resumeConversationId,
     stored.resumeSessionId
   );
-  if (!checkpoint || checkpoint.state !== "awaiting_resume" || checkpoint.resumeReason !== "auth") {
+  if (!checkpoint) {
     return false;
   }
+  if (checkpoint.state === "completed" || checkpoint.state === "failed" || checkpoint.state === "superseded") {
+    return true;
+  }
+  if (checkpoint.state !== "awaiting_resume" || checkpoint.resumeReason !== "auth") {
+    return true;
+  }
   const currentState = await getPersistedThreadState(
     stored.resumeConversationId
   );
   const conversation = coerceThreadConversationState(currentState);
   const artifacts = coerceThreadArtifactsState(currentState);
-  const userMessage = getTurnUserMessage(conversation, stored.resumeSessionId);
-  if (!userMessage?.author?.userId) {
-    return false;
+  const pendingAuth = getConversationPendingAuth({
+    conversation,
+    kind: "plugin",
+    provider: stored.provider,
+    requesterId: stored.userId
+  });
+  const resolvedSessionId = pendingAuth?.sessionId ?? stored.resumeSessionId;
+  const userMessage = resolvedSessionId ? getTurnUserMessage(conversation, resolvedSessionId) : void 0;
+  if (pendingAuth) {
+    if (!isPendingAuthLatestRequest(conversation, pendingAuth)) {
+      clearPendingAuth(conversation, pendingAuth.sessionId);
+      await persistThreadStateById(stored.resumeConversationId, {
+        conversation
+      });
+      await supersedeAgentTurnSessionCheckpoint({
+        conversationId: stored.resumeConversationId,
+        sessionId: pendingAuth.sessionId,
+        errorMessage: "Auth completed after a newer thread message superseded this blocked request."
+      });
+      return true;
+    }
+  } else {
+    if (!userMessage?.author?.userId) {
+      return false;
+    }
+    if (conversation.processing.activeTurnId !== stored.resumeSessionId) {
+      return true;
+    }
   }
-  if (conversation.processing.activeTurnId !== stored.resumeSessionId) {
-    return true;
+  if (!userMessage?.author?.userId || !resolvedSessionId) {
+    return false;
   }
   const conversationContext = await buildCheckpointConversationContext(
     stored.resumeConversationId,
-    stored.resumeSessionId
+    resolvedSessionId
   );
   const channelConfiguration = getChannelConfigurationServiceById(
     stored.channelId
   );
-  const providerLabel = formatProviderLabel(stored.provider);
   await resumeSlackTurn({
     messageText: stored.pendingMessage ?? userMessage.text,
     channelId: stored.channelId,
     threadTs: stored.threadTs,
     lockKey: stored.resumeConversationId,
-    initialText: `Your ${providerLabel} account is now connected. Processing your request...`,
+    initialText: "",
     failureText: "I connected your account but hit an error processing your request. Please try the command again.",
     replyContext: {
       assistant: { userName: botConfig.userName },
@@ -11705,10 +12075,21 @@ async function resumeCheckpointedOAuthTurn(stored) {
       },
       toolChannelId: artifacts.assistantContextChannelId ?? stored.channelId,
       artifactState: artifacts,
+      pendingAuth,
       conversationContext,
       channelConfiguration,
       sandbox: getPersistedSandboxState(currentState),
       threadParticipants: buildThreadParticipants(conversation.messages),
+      onAuthPending: async (nextPendingAuth) => {
+        await applyPendingAuthUpdate({
+          conversation,
+          conversationId: stored.resumeConversationId,
+          nextPendingAuth
+        });
+        await persistThreadStateById(stored.resumeConversationId, {
+          conversation
+        });
+      },
       ...getTurnUserReplyAttachmentContext(userMessage)
     },
     onSuccess: async (reply) => {
@@ -11720,11 +12101,11 @@ async function resumeCheckpointedOAuthTurn(stored) {
           "app.ai.outcome": reply.diagnostics.outcome,
           "app.ai.tool_calls": reply.diagnostics.toolCalls.length
         },
-        "Auto-resumed checkpointed turn after OAuth callback"
+        "OAuth callback auto-resumed checkpoint finished replying"
       );
       await persistCompletedOAuthReplyState({
         conversationId: stored.resumeConversationId,
-        sessionId: stored.resumeSessionId,
+        sessionId: resolvedSessionId,
         reply
       });
     },
@@ -11738,17 +12119,19 @@ async function resumeCheckpointedOAuthTurn(stored) {
       );
       await persistFailedOAuthReplyState({
         conversationId: stored.resumeConversationId,
-        sessionId: stored.resumeSessionId
+        sessionId: resolvedSessionId
       });
     },
     onAuthPause: async (error) => {
-      logException(
+      await deliverAuthPauseReply({
+        channelId: stored.channelId,
+        conversationId: stored.resumeConversationId,
         error,
-        "oauth_callback_resume_reparked_for_auth",
-        {},
-        { "app.credential.provider": stored.provider },
-        "Resumed OAuth turn requested another authorization flow"
-      );
+        fallbackProvider: stored.provider,
+        sessionId: resolvedSessionId,
+        threadStateId: stored.resumeConversationId,
+        threadTs: stored.threadTs
+      });
     },
     onTimeoutPause: async (error) => {
       if (!isRetryableTurnError(error, "turn_timeout_resume")) {
@@ -11768,7 +12151,7 @@ async function resumeCheckpointedOAuthTurn(stored) {
       }
       await scheduleTurnTimeoutResume({
         conversationId: stored.resumeConversationId,
-        sessionId: stored.resumeSessionId,
+        sessionId: resolvedSessionId,
         expectedCheckpointVersion: checkpointVersion
       });
     }
@@ -11777,7 +12160,6 @@ async function resumeCheckpointedOAuthTurn(stored) {
 }
 async function resumePendingOAuthMessage(stored) {
   if (!stored.pendingMessage || !stored.channelId || !stored.threadTs) return;
-  const providerLabel = formatProviderLabel(stored.provider);
   const conversationContext = await buildResumeConversationContext2(
     stored.channelId,
     stored.threadTs
@@ -11786,7 +12168,7 @@ async function resumePendingOAuthMessage(stored) {
     messageText: stored.pendingMessage,
     channelId: stored.channelId,
     threadTs: stored.threadTs,
-    connectedText: `Your ${providerLabel} account is now connected. Processing your request...`,
+    connectedText: "",
     failureText: `I connected your account but hit an error processing your request. Please try \`${stored.pendingMessage}\` again.`,
     replyContext: {
       requester: { userId: stored.userId },
@@ -11802,7 +12184,7 @@ async function resumePendingOAuthMessage(stored) {
           "app.ai.outcome": reply.diagnostics.outcome,
           "app.ai.tool_calls": reply.diagnostics.toolCalls.length
         },
-        "Auto-resumed pending message after OAuth callback"
+        "OAuth callback auto-resumed pending message finished replying"
       );
     },
     onFailure: async (error) => {
@@ -12051,6 +12433,7 @@ async function persistCompletedReplyState2(args) {
     conversation,
     args.checkpoint.sessionId
   );
+  clearPendingAuth(conversation, args.checkpoint.sessionId);
   markConversationMessage(conversation, userMessage?.id, {
     replied: true,
     skippedReason: void 0
@@ -12071,6 +12454,7 @@ async function persistCompletedReplyState2(args) {
   markTurnCompleted({
     conversation,
     nowMs: Date.now(),
+    sessionId: args.checkpoint.sessionId,
     updateConversationStats
   });
   await persistThreadStateById(args.checkpoint.conversationId, {
@@ -12083,9 +12467,11 @@ async function persistCompletedReplyState2(args) {
 async function persistFailedReplyState2(checkpoint) {
   const currentState = await getPersistedThreadState(checkpoint.conversationId);
   const conversation = coerceThreadConversationState(currentState);
+  clearPendingAuth(conversation, checkpoint.sessionId);
   markTurnFailed({
     conversation,
     nowMs: Date.now(),
+    sessionId: checkpoint.sessionId,
     userMessageId: getTurnUserMessage(conversation, checkpoint.sessionId)?.id,
     markConversationMessage,
     updateConversationStats
@@ -12149,10 +12535,21 @@ async function resumeTimedOutTurn(payload) {
       },
       toolChannelId: artifacts.assistantContextChannelId ?? thread.channelId,
       artifactState: artifacts,
+      pendingAuth: conversation.processing.pendingAuth,
       conversationContext,
       channelConfiguration,
       sandbox,
       threadParticipants: buildThreadParticipants(conversation.messages),
+      onAuthPending: async (nextPendingAuth) => {
+        await applyPendingAuthUpdate({
+          conversation,
+          conversationId: payload.conversationId,
+          nextPendingAuth
+        });
+        await persistThreadStateById(payload.conversationId, {
+          conversation
+        });
+      },
       ...getTurnUserReplyAttachmentContext(userMessage)
     },
     onSuccess: async (reply) => {
@@ -12184,7 +12581,15 @@ async function resumeTimedOutTurn(payload) {
       );
       await persistFailedReplyState2(checkpoint);
     },
-    onAuthPause: async () => {
+    onAuthPause: async (error) => {
+      await deliverAuthPauseReply({
+        channelId: thread.channelId,
+        conversationId: payload.conversationId,
+        error,
+        sessionId: payload.sessionId,
+        threadStateId: payload.conversationId,
+        threadTs: thread.threadTs
+      });
       logWarn(
         "timeout_resume_reparked_for_auth",
         {},
@@ -13923,6 +14328,7 @@ function createReplyToThread(deps) {
             },
             conversationContext: preparedState.routingContext ?? preparedState.conversationContext,
             artifactState: preparedState.artifacts,
+            pendingAuth: preparedState.conversation.processing.pendingAuth,
             configuration: preparedState.configuration,
             channelConfiguration: preparedState.channelConfiguration,
             inboundAttachmentCount: message.attachments.length,
@@ -13952,6 +14358,16 @@ function createReplyToThread(deps) {
             onArtifactStateUpdated: async (artifacts) => {
               await persistThreadState(thread, { artifacts });
             },
+            onAuthPending: async (pendingAuth) => {
+              await applyPendingAuthUpdate({
+                conversation: preparedState.conversation,
+                conversationId,
+                nextPendingAuth: pendingAuth
+              });
+              await persistThreadState(thread, {
+                conversation: preparedState.conversation
+              });
+            },
             threadParticipants,
             onStatus: (nextStatus) => status.update(nextStatus)
           });
@@ -14129,8 +14545,42 @@ function createReplyToThread(deps) {
           }
         } catch (error) {
           if (isRetryableTurnError(error, "mcp_auth_resume") || isRetryableTurnError(error, "plugin_auth_resume")) {
+            const authPauseText = buildAuthPauseReplyText({
+              disposition: error.metadata?.authDisposition,
+              provider: error.metadata?.authProvider
+            });
+            const authPauseFooter = buildSlackReplyFooter({
+              conversationId,
+              durationMs: error.metadata?.authDurationMs,
+              thinkingLevel: error.metadata?.authThinkingLevel,
+              usage: error.metadata?.authUsage
+            });
+            const useSlackFooterForAuthPause = Boolean(authPauseFooter) && Boolean(channelId && threadTs) && thread.adapter?.name === "slack";
+            if (useSlackFooterForAuthPause && channelId && threadTs) {
+              await beforeFirstResponsePost();
+              await postSlackApiReplyPosts({
+                channelId,
+                threadTs,
+                footer: authPauseFooter,
+                posts: [{ stage: "thread_reply", text: authPauseText }]
+              });
+            } else {
+              await postThreadReply(
+                buildSlackOutputMessage(authPauseText),
+                "thread_reply"
+              );
+            }
+            completeAuthPauseTurn({
+              conversation: preparedState.conversation,
+              sessionId: error.metadata?.sessionId ?? turnId,
+              text: authPauseText
+            });
+            await persistThreadState(thread, {
+              conversation: preparedState.conversation
+            });
+            persistedAtLeastOnce = true;
             shouldPersistFailureState = false;
-            throw error;
+            return;
           }
           if (isRetryableTurnError(error, "turn_timeout_resume")) {
             const conversationIdForResume = error.metadata?.conversationId;