@skaile/workspaces 0.11.1 → 0.12.0

package/CHANGELOG.md

@@ -1,5 +1,42 @@
 # Changelog
 
+## 0.12.0
+
+### Minor Changes
+
+- [#21](https://github.com/skaile-ai/workspaces/pull/21) [`e06401f`](https://github.com/skaile-ai/workspaces/commit/e06401f771ac58b484ccbf7e465d3048e7e7a70d) Thanks [@peteralbert](https://github.com/peteralbert)! - Dependency upgrades.
+
+  - **Optional peer ranges raised** (consumers using these drivers should move to the new ranges): `@anthropic-ai/claude-agent-sdk` `^0.2.89` → `^0.3.150`, `@openai/codex-sdk` `^0.118.0` → `^0.133.0`. No driver code changes were required — the used API surface is unchanged.
+  - **Runtime dependencies bumped:** `commander` 13 → 14, `@clack/prompts` 0.9 → 1.4, `ulid` 2 → 3, `@octokit/rest` → 22.0.1, `semver` → 7.8.1, `ws` → 8.21.0. No source changes needed.
+
+  `marked` is intentionally held at 15.x — it is capped by `marked-terminal`'s peer range (`>=1 <16`) until an upstream release lifts it.
+
+### Patch Changes
+
+- [#20](https://github.com/skaile-ai/workspaces/pull/20) [`843b611`](https://github.com/skaile-ai/workspaces/commit/843b6113075e6ecfd041d66ff161357f5eca1fb6) Thanks [@peteralbert](https://github.com/peteralbert)! - Remove the unused `glob` direct dependency. It was declared in `dependencies` but never imported anywhere in the source, and it resolved to the now-deprecated `glob@11.1.0`, which printed a deprecation warning on `npm i -g @skaile/workspaces`. Dropping it removes the warning and shrinks the install footprint.
+
+## 0.11.2
+
+### Patch Changes
+
+- 4d91d69: fix(bridge): self-heal expired Claude OAuth credentials that surface as "Not logged in"
+
+  The claude-sdk driver's credential self-heal (`onAuthError`) failed to fire in two
+  cases, leaving sessions stuck on a misleading `Not logged in · Please run /login`
+  error after the OAuth access token expired:
+
+  - **Classification**: the bare `Not logged in · Please run /login` string the
+    Claude Code CLI emits (no JSON body) fell through to `category: "unknown"`, so it
+    was never promoted to `AuthError` and the self-heal never triggered. It is now
+    classified as `auth`.
+  - **Retry budget**: a stale-resume retry ("No conversation found with session ID")
+    consumed the single shared retry slot, so a subsequent auth failure on the
+    fresh-session retry could not reach the self-heal branch. Each recovery path
+    (stale-resume, poisoned-transcript, auth) now owns an independent one-shot budget.
+
+  Together these let the runner re-mint the credential and continue the turn instead
+  of dead-ending. Surfaced by a prod cloud session (2026-05-21).
+
 ## 0.11.1
 
 ### Patch Changes
@@ -125,6 +162,7 @@ authenticate. API Error: 401` even on every successful self-heal.
   `scrubPoisonedTranscript()` to repair the on-disk SDK JSONL transcript, then
   retries the resume once, keeping the same session so conversation context is
   preserved. Four poison classes are repaired in a single pass:
+
   - **Image `media_type` mismatch** — corrected by sniffing the base64 magic
     bytes (Claude Code `Read`-tool bug, anthropics/claude-code#55338 / #30124).
   - **Missing image `media_type`** — filled in from the sniffed bytes (#33179).

package/dist/base-assets/connectors/flow/run-flow.js

@@ -1,4 +1,4 @@
-export { resumeFlow, runFlow } from '../../../chunk-XYEFV7XN.js';
+export { resumeFlow, runFlow } from '../../../chunk-DDVKNST3.js';
 import '../../../chunk-GCJXPUHG.js';
 import '../../../chunk-IPUYL6TD.js';
 import '../../../chunk-EAJKY27M.js';

package/dist/bridge/drivers/claude-sdk.js

@@ -1,7 +1,7 @@
-import { classifyClaudeSdkError, AuthError } from '../../chunk-EWP5HZBV.js';
+import { AuthError, classifyClaudeSdkError } from '../../chunk-DQWREFRQ.js';
 import { fetchProviderModels } from '../../chunk-KOVLSBXK.js';
 import { dispatchCapability } from '../../chunk-RRVQAE5D.js';
-import { registerDriver, DRIVER_CATALOG, AgentDriver, getBridgeLogger } from '../../chunk-YOFKTALB.js';
+import { registerDriver, DRIVER_CATALOG, AgentDriver, getBridgeLogger } from '../../chunk-4ACWI5YT.js';
 import '../../chunk-24UIWON4.js';
 import '../../chunk-NSBPE2FW.js';
 import { spawnSync } from 'child_process';
@@ -215,6 +215,9 @@ if (typeof globalThis.require === "undefined") {
   } catch {
   }
 }
+function freshRetryBudget() {
+  return { staleResume: false, poison: false, auth: false };
+}
 var ClaudeSdkDriver = class extends AgentDriver {
   driverInfo = {
     id: "claude-sdk",
@@ -238,16 +241,15 @@ var ClaudeSdkDriver = class extends AgentDriver {
   /** Guards against duplicate agent_end emissions per turn. */
   turnCompleted = false;
   /**
-   * Mirror of the `_retryCount` argument of the in-flight {@link prompt} call.
-   * Read by {@link failTurn} to decide whether to defer the `agent-event:
-   * error` emission for a self-healable auth error. `0` means "first
-   * attempt"; `prompt()` increments to `1` before recursing on its
-   * `onAuthError` self-heal branch.
+   * Mirror of the in-flight {@link prompt} call's auth retry budget: `false`
+   * while the `onAuthError` self-heal is still available, `true` once it has
+   * been spent. Read by {@link failTurn} to decide whether to defer the
+   * `agent-event: error` emission for a self-healable auth error.
    *
    * Set unconditionally at the top of every {@link prompt} invocation; never
    * reset elsewhere — the next call's set is the only legitimate transition.
    */
-  currentRetryCount = 0;
+  authSelfHealUsed = false;
   /** Tracks whether a session has been started (for continue: true). */
   hasSession = false;
   /** Session ID from the SDK — used for streamInput messages. */
@@ -323,11 +325,12 @@ var ClaudeSdkDriver = class extends AgentDriver {
    * "No conversation found with session ID …" — a recoverable stale-resume error that
    * occurs after a container crash that prevented the SDK from flushing its session file.
    */
-  async prompt(message, _retryCount = 0) {
-    this.currentRetryCount = _retryCount;
+  async prompt(message, _budget = freshRetryBudget()) {
+    this.authSelfHealUsed = _budget.auth;
     if (!this.sdk) await this.start();
     let retrying = false;
-    if (_retryCount === 0) this._lastTokens = null;
+    const isFirstAttempt = !_budget.staleResume && !_budget.poison && !_budget.auth;
+    if (isFirstAttempt) this._lastTokens = null;
     this.running = true;
     this.prevText = "";
     this.turnCompleted = false;
@@ -352,7 +355,7 @@ var ClaudeSdkDriver = class extends AgentDriver {
       await turnPromise;
     } catch (err) {
       const errMsg = err instanceof Error ? err.message : String(err);
-      const isStaleResume = _retryCount === 0 && /No conversation found with session ID/i.test(errMsg);
+      const isStaleResume = !_budget.staleResume && /No conversation found with session ID/i.test(errMsg);
       if (isStaleResume) {
         const staleId = this.config.resumeSessionId || this.sessionId || "unknown";
         this.log.warn("stale Claude Code session, retrying with a fresh session", { staleId });
@@ -374,9 +377,9 @@ var ClaudeSdkDriver = class extends AgentDriver {
         this.turnReject = null;
         this.running = false;
         retrying = true;
-        return this.prompt(message, _retryCount + 1);
+        return this.prompt(message, { ..._budget, staleResume: true });
       }
-      const isPoisonedHistory = _retryCount === 0 && /invalid_request_error/i.test(errMsg) && /media[_ ]?type|could not process image|image exceeds|cache_control/i.test(errMsg);
+      const isPoisonedHistory = !_budget.poison && /invalid_request_error/i.test(errMsg) && /media[_ ]?type|could not process image|image exceeds|cache_control/i.test(errMsg);
       const poisonSessionId = this.config.resumeSessionId || this.sessionId;
       if (isPoisonedHistory && poisonSessionId) {
         const scrub = scrubPoisonedTranscript({
@@ -416,14 +419,14 @@ var ClaudeSdkDriver = class extends AgentDriver {
           this.turnReject = null;
           this.running = false;
           retrying = true;
-          return this.prompt(message, _retryCount + 1);
+          return this.prompt(message, { ..._budget, poison: true });
         }
         this.log.warn("poisoned-transcript error but scrub found nothing to repair", {
           sessionId: poisonSessionId,
           filePath: scrub.filePath
         });
       }
-      const isAuthError = err instanceof AuthError && _retryCount === 0;
+      const isAuthError = err instanceof AuthError && !_budget.auth;
       if (isAuthError && this.config.onAuthError) {
         this.log.info("auth error caught; invoking onAuthError refresh callback");
         let refreshed = false;
@@ -449,7 +452,7 @@ var ClaudeSdkDriver = class extends AgentDriver {
           this.turnReject = null;
           this.running = false;
           retrying = true;
-          return this.prompt(message, _retryCount + 1);
+          return this.prompt(message, { ..._budget, auth: true });
         }
         try {
           this.emit("agent-event", {
@@ -785,16 +788,16 @@ var ClaudeSdkDriver = class extends AgentDriver {
    * caller transitions even if the listener chain misbehaves; the emit is
    * wrapped in try/catch so a listener failure cannot leak out.
    *
-   * Self-heal deferral: when the failure is an {@link AuthError} on the
-   * first attempt (`currentRetryCount === 0`) AND the caller wired an
-   * `onAuthError` callback, the downstream `agent-event: error` emission
-   * is deferred. The rejected turn promise still travels to {@link prompt}'s
-   * catch block where the self-heal runs; if the retry succeeds the user
-   * never sees a 401, if the retry fails the second `failTurn` call (now
-   * with `currentRetryCount === 1`) emits the error normally. This stops
-   * the historical "401 flashes in the UI even though self-heal worked"
-   * misbehaviour where the bridge emitted the error event before the
-   * retry decision was known.
+   * Self-heal deferral: when the failure is an {@link AuthError} and the auth
+   * self-heal budget is still available (`!authSelfHealUsed`) AND the caller
+   * wired an `onAuthError` callback, the downstream `agent-event: error`
+   * emission is deferred. The rejected turn promise still travels to
+   * {@link prompt}'s catch block where the self-heal runs; if the retry
+   * succeeds the user never sees a 401, if the retry fails the second
+   * `failTurn` call (now with `authSelfHealUsed === true`) emits the error
+   * normally. This stops the historical "401 flashes in the UI even though
+   * self-heal worked" misbehaviour where the bridge emitted the error event
+   * before the retry decision was known.
    *
    * Spec: `_devlog/specs/2026-05-07-unified-credential-mediation.md`
    * § "Runner-side handling on 401" (the AI 401 mediation path that
@@ -807,7 +810,7 @@ var ClaudeSdkDriver = class extends AgentDriver {
       this.turnReject = null;
     }
     this.turnCompleted = true;
-    const willSelfHeal = err instanceof AuthError && this.currentRetryCount === 0 && this.config.onAuthError != null;
+    const willSelfHeal = err instanceof AuthError && !this.authSelfHealUsed && this.config.onAuthError != null;
     if (willSelfHeal) {
       this.log.info("deferring auth-error event; self-heal will attempt refresh");
       return;