@wrongstack/cli 0.265.1 → 0.267.0

package/dist/index.js

@@ -1,21 +1,21 @@
 #!/usr/bin/env node
+import { color, writeErr, loadPlugins, renderProgress, SpecStore, TaskGraphStore, analyzeCriticalPath, getTemplate, listTemplates, templateToMarkdown, SpecParser, renderSpecAnalysis, AISpecBuilder, expectDefined, DefaultTaskStore, TaskTracker, renderTaskGraph, withFileLock, DefaultSecretScrubber, projectHash, wstackGlobalRoot, resolveProjectDir, GlobalMailbox, TOKENS, ToolRegistry, resolveSessionLoggingConfig, createSessionEventBridge, HookRegistry, HookRunner, normalizeTokenSavingTier, SlashCommandRegistry, attachDepWatcherBridge, SessionMemoryConsolidator, BrainDecisionQueue, ObservableBrainArbiter, HumanEscalatingBrainArbiter, createTieredBrainArbiter, DefaultBrainArbiter, BrainMonitor, mailboxSessionTag, createDelegateTool, FLEET_ROSTER, createMcpControlTool, startTechStackConsumer, startPackageOutdatedWatcher, recordFileAction, createAutonomyBrain, DefaultPluginAPI, SpecVersioning, DEFAULT_CONTEXT_WINDOW_MODE_ID, recentTextTurns, enhanceUserPrompt, projectSlug, DefaultSystemPromptBuilder, mutateTasks, loadTasks, resolveContextWindowPolicy, repairToolUseAdjacency, mutatePlan, setPlanItemStatus, getPlanTemplate, loadPlan, emptyPlan, addPlanItem, savePlan, resolveProviderModelList, DefaultLogger, DefaultModelsRegistry, isStdinTTY, atomicWrite, DefaultPathResolver, EventBus, runProviderWithRetry, ReplayLogStore, ReplayProviderRunner, mergeCustomModelDefs, makeAutonomyPromptContributor, createContextManagerTool, makeMailboxTool, makeMailSendTool, makeMailInboxTool, InMemoryMetricsSink, wireMetricsToEvents, DefaultHealthRegistry, startMetricsServer, DEFAULT_SESSION_PRUNE_DAYS, RecoveryLock, DefaultAttachmentStore, Context, QueueStore, loadTodosCheckpoint, attachTodosCheckpoint, loadDirectorState, createDefaultPipelines, resolveAuditLevel, AutoCompactionMiddleware, estimateRequestTokensCalibrated, Agent, FleetManager, makeDirectorSessionFactory, Director, makeFleetEmitTool, makeFleetStatusTool, resolveModelMatrix, DEFAULT_SUBAGENT_BASELINE, AutoApprovePermissionPolicy, WIDE_SUBAGENT_CAPABILITIES, PhaseStore, AutoPhasePlanner, PhaseGraphBuilder, WorktreeManager, PhaseOrchestrator, makeLLMClassifier, writeOut, ParallelEternalEngine, EternalAutonomyEngine, allServers as allServers$1, CHIMERA_REVIEW_PROMPT, AutonomousCoordinator, noOpVault, decryptConfigSecrets as decryptConfigSecrets$1, encryptConfigSecrets as encryptConfigSecrets$1, setQueuedMessagesSnapshot, DefaultSessionRewinder, bootConfig as bootConfig$1, setOutputLineGuard, setRawMode, DefaultSessionReader, resolveWstackPaths, ToolAuditLog, DefaultSessionStore as DefaultSessionStore$1, ProviderRegistry, StreamHangError, ProviderError, makeAgentSubagentRunner, NULL_FLEET_BUS, buildChildEnv, formatContextWindowModeList, getContextWindowMode, AGENT_CATALOG, dispatchAgent, formatTodosList, formatTaskList, formatTaskProgress, formatPlan, SessionRecovery, loadGoal, goalFilePath, summarizeUsage, saveGoal, formatGoal, emptyGoal, buildGoalPreamble, pendingBtwCount, setBtwNote, MATRIX_PHASE_KEYS, matrixKeyKind, phaseForRole, onResize, ERROR_CODES, FsError, ConfigError, InputBuilder, truncate, estimateMessageTokens, AGENTS_BY_PHASE, validateAgainstSchema, resolveMailboxIdentity, isSecretField as isSecretField$1 } from '@wrongstack/core';
 import * as fsp5 from 'fs/promises';
+import { decryptConfigSecrets, encryptConfigSecrets, DefaultSecretVault, isSecretField } from '@wrongstack/core/security';
 import * as path4 from 'path';
 import { join } from 'path';
-import { color, writeErr, loadPlugins, renderProgress, SpecStore, TaskGraphStore, analyzeCriticalPath, getTemplate, listTemplates, templateToMarkdown, SpecParser, renderSpecAnalysis, AISpecBuilder, expectDefined, DefaultTaskStore, TaskTracker, renderTaskGraph, withFileLock, DefaultSecretScrubber, projectHash, wstackGlobalRoot, resolveProjectDir, GlobalMailbox, TOKENS, ToolRegistry, resolveSessionLoggingConfig, createSessionEventBridge, HookRegistry, HookRunner, normalizeTokenSavingTier, SlashCommandRegistry, attachDepWatcherBridge, SessionMemoryConsolidator, BrainDecisionQueue, ObservableBrainArbiter, HumanEscalatingBrainArbiter, createTieredBrainArbiter, DefaultBrainArbiter, BrainMonitor, mailboxSessionTag, createDelegateTool, FLEET_ROSTER, createMcpControlTool, startTechStackConsumer, startPackageOutdatedWatcher, recordFileAction, createAutonomyBrain, DefaultPluginAPI, SpecVersioning, DEFAULT_CONTEXT_WINDOW_MODE_ID, recentTextTurns, enhanceUserPrompt, projectSlug, DefaultSystemPromptBuilder, mutateTasks, loadTasks, resolveContextWindowPolicy, repairToolUseAdjacency, mutatePlan, setPlanItemStatus, getPlanTemplate, loadPlan, emptyPlan, addPlanItem, savePlan, DefaultLogger, DefaultModelsRegistry, isStdinTTY, DefaultPathResolver, EventBus, runProviderWithRetry, ReplayLogStore, ReplayProviderRunner, mergeCustomModelDefs, makeAutonomyPromptContributor, createContextManagerTool, makeMailboxTool, makeMailSendTool, makeMailInboxTool, InMemoryMetricsSink, wireMetricsToEvents, DefaultHealthRegistry, startMetricsServer, DEFAULT_SESSION_PRUNE_DAYS, RecoveryLock, DefaultAttachmentStore, Context, QueueStore, loadTodosCheckpoint, attachTodosCheckpoint, loadDirectorState, createDefaultPipelines, resolveAuditLevel, AutoCompactionMiddleware, estimateRequestTokensCalibrated, Agent, FleetManager, makeDirectorSessionFactory, Director, makeFleetEmitTool, makeFleetStatusTool, resolveModelMatrix, DEFAULT_SUBAGENT_BASELINE, AutoApprovePermissionPolicy, PhaseStore, AutoPhasePlanner, PhaseGraphBuilder, WorktreeManager, PhaseOrchestrator, makeLLMClassifier, writeOut, ParallelEternalEngine, EternalAutonomyEngine, allServers as allServers$1, CHIMERA_REVIEW_PROMPT, AutonomousCoordinator, noOpVault, decryptConfigSecrets, encryptConfigSecrets, atomicWrite, setQueuedMessagesSnapshot, DefaultSessionRewinder, bootConfig as bootConfig$1, setOutputLineGuard, setRawMode, DefaultSessionReader, resolveWstackPaths, ToolAuditLog, DefaultSessionStore as DefaultSessionStore$1, ProviderRegistry, StreamHangError, ProviderError, makeAgentSubagentRunner, NULL_FLEET_BUS, buildChildEnv, formatContextWindowModeList, getContextWindowMode, AGENT_CATALOG, dispatchAgent, formatTodosList, formatTaskList, formatTaskProgress, formatPlan, SessionRecovery, loadGoal, goalFilePath, summarizeUsage, saveGoal, formatGoal, emptyGoal, buildGoalPreamble, pendingBtwCount, setBtwNote, MATRIX_PHASE_KEYS, matrixKeyKind, phaseForRole, onResize, ERROR_CODES, FsError, ConfigError, InputBuilder, truncate, estimateMessageTokens, AGENTS_BY_PHASE, validateAgainstSchema, resolveMailboxIdentity, isSecretField as isSecretField$1 } from '@wrongstack/core';
-import { decryptConfigSecrets as decryptConfigSecrets$1, encryptConfigSecrets as encryptConfigSecrets$1, DefaultSecretVault, isSecretField } from '@wrongstack/core/security';
 import * as crypto3 from 'crypto';
 import { createHash, randomBytes, randomUUID } from 'crypto';
 import { createRequire } from 'module';
 import * as os from 'os';
 import os__default from 'os';
-import { findFreePort, AutoPhaseWebSocketHandler, generateAuthToken, verifyClient, handleGitInfo, handleShellOpen, handleSkillsExport, handleSkillsEdit, handleSkillsCreate, handleSkillsUpdate, handleSkillsUninstall, handleSkillsInstall, handleSkillsContent, handleMemoryForget, handleMemoryRemember, handleMemoryList, handleFilesWrite, handleFilesRead, handleFilesTree, handleFilesList, createEternalSubscription, createHttpServer, registerInstance, openBrowser, unregisterInstance, estimateTokens as estimateTokens$1, stringifyContent, messagePreview, messageTokens, createCustomModeStore } from '@wrongstack/webui/server';
-import { makeProviderFromConfig, capabilitiesFor, buildProviderFactoriesFromRegistry } from '@wrongstack/providers';
+import { findFreePort, AutoPhaseWebSocketHandler, generateAuthToken, verifyClient, handleGitInfo, handleShellOpen, handleGitDiff, handleGitChanges, handleSkillsExport, handleSkillsEdit, handleSkillsCreate, handleSkillsUpdate, handleSkillsUninstall, handleSkillsInstall, handleSkillsContent, handleMcpRestart, handleMcpDisable, handleMcpEnable, handleMcpDiscover, handleMcpSleep, handleMcpWake, handleMcpUpdate, handleMcpRemove, handleMcpAdd, handleMcpList, handleMemoryForget, handleMemoryRemember, handleMemoryList, handleFilesWrite, handleFilesRead, handleFilesTree, handleFilesList, createEternalSubscription, createHttpServer, registerInstance, openBrowser as openBrowser$1, unregisterInstance, estimateTokens as estimateTokens$1, stringifyContent, messagePreview, messageTokens, createCustomModeStore } from '@wrongstack/webui/server';
+import { setOAuthTokenPersister, makeProviderFromConfig, capabilitiesFor, buildProviderFactoriesFromRegistry, refreshCopilotToken, copilotBaseUrlFromToken } from '@wrongstack/providers';
 import { toErrorMessage } from '@wrongstack/core/utils';
 import { getProcessRegistry, builtinToolsPack, rememberTool, forgetTool, searchMemoryTool, relatedMemoryTool, runStartupIndex, isIndexableFile, enqueueReindex, cancelPendingReindexes, shutdownCodebaseIndexHost, TIER2_TOOLS, TIER3_TOOLS, TIER1_TOOLS, resetIndexCircuitBreaker } from '@wrongstack/tools';
 import { DefaultSessionStore } from '@wrongstack/core/storage';
 import { probeLocalLlm } from '@wrongstack/runtime/probe';
-import * as fs2 from 'fs';
+import * as fs3 from 'fs';
 import { watch, writeFileSync, existsSync, readFileSync } from 'fs';
 import { SkillInstaller } from '@wrongstack/core/skills';
 import { WebSocketServer, WebSocket } from 'ws';
@@ -28,6 +28,7 @@ import { ACP_AGENT_COMMANDS, makeACPSubagentRunner, runEnsemble, renderEnsembleT
 import { parseNextSteps } from '@wrongstack/tui';
 import { WrongStackACPServer } from '@wrongstack/acp/agent';
 import { SubagentBudget } from '@wrongstack/core/coordination';
+import { createServer } from 'http';
 import { loadBenchConfig, reportHeaderLine, readSummary, renderMarkdownReport, createPolyglotSuite, createSwebenchSuite, runBenchmark, writeJsonArtifacts, collectCellPredictions, writePredictionsJsonl, gradePolyglot, gradeSwebench } from '@wrongstack/bench';
 import { allServers } from '@wrongstack/core/infrastructure';
 import { ToolExecutor } from '@wrongstack/core/execution';
@@ -53,6 +54,108 @@ var __export = (target, all) => {
   for (var name in all)
     __defProp(target, name, { get: all[name], enumerable: true });
 };
+function normalizeKeys(cfg) {
+  if (Array.isArray(cfg.apiKeys) && cfg.apiKeys.length > 0) {
+    return cfg.apiKeys.map((k) => ({ ...k }));
+  }
+  if (typeof cfg.apiKey === "string" && cfg.apiKey.length > 0) {
+    return [{ label: "default", apiKey: cfg.apiKey, createdAt: "" }];
+  }
+  return [];
+}
+function writeKeysBack(cfg, keys) {
+  if (keys.length === 0) {
+    delete cfg.apiKeys;
+    delete cfg.apiKey;
+    delete cfg.activeKey;
+    return;
+  }
+  cfg.apiKeys = keys;
+  const active = keys.find((k) => k.label === cfg.activeKey) ?? expectDefined(keys[0]);
+  delete cfg.apiKey;
+  if (!cfg.activeKey || !keys.some((k) => k.label === cfg.activeKey)) {
+    cfg.activeKey = active.label;
+  }
+}
+function resolveActiveApiKey(cfg) {
+  if (Array.isArray(cfg.apiKeys) && cfg.apiKeys.length > 0) {
+    const active = cfg.activeKey ? cfg.apiKeys.find((k) => k.label === cfg.activeKey) : void 0;
+    return (active ?? cfg.apiKeys[0])?.apiKey;
+  }
+  return cfg.apiKey && cfg.apiKey.length > 0 ? cfg.apiKey : void 0;
+}
+function activeLabel(cfg, keys) {
+  if (cfg.activeKey && keys.some((k) => k.label === cfg.activeKey)) return cfg.activeKey;
+  return keys[0]?.label;
+}
+function maskedKey(key) {
+  if (!key) return color.dim("\u2014");
+  if (key.length <= 8) return color.dim("\u2022".repeat(key.length));
+  const head = key.slice(0, 4);
+  const tail = key.slice(-4);
+  return `${color.dim(head + "\u2026")}${tail}`;
+}
+function nowIso() {
+  return (/* @__PURE__ */ new Date()).toISOString();
+}
+async function loadConfigProviders(configPath2, vault, opts) {
+  const warn = opts?.warn;
+  let raw;
+  try {
+    raw = await fsp5.readFile(configPath2, "utf8");
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      warn?.(`Could not read ${configPath2}: ${err.message}. Treating as empty.`);
+    }
+    return {};
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    warn?.(`Config at ${configPath2} is not valid JSON: ${err.message}`);
+    return {};
+  }
+  const decrypted = decryptConfigSecrets(parsed, vault);
+  return decrypted.providers ?? {};
+}
+async function mutateConfigProviders(configPath2, vault, mutator) {
+  let raw;
+  let fileExists2 = true;
+  try {
+    raw = await fsp5.readFile(configPath2, "utf8");
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      throw new Error(`Refusing to mutate ${configPath2}: ${err.message}`, {
+        cause: err
+      });
+    }
+    fileExists2 = false;
+    raw = "{}";
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch (err) {
+    if (fileExists2) {
+      throw new Error(
+        `Refusing to overwrite corrupt config at ${configPath2} (${err.message}). Fix or move the file aside before retrying.`,
+        { cause: err }
+      );
+    }
+    parsed = {};
+  }
+  const decrypted = decryptConfigSecrets(parsed, vault);
+  const providers = decrypted.providers ?? {};
+  mutator(providers);
+  decrypted.providers = providers;
+  const encrypted = encryptConfigSecrets(decrypted, vault);
+  await atomicWrite(configPath2, JSON.stringify(encrypted, null, 2), { mode: 384 });
+}
+var init_provider_config_utils = __esm({
+  "src/provider-config-utils.ts"() {
+  }
+});
 function parseSubcommand(args) {
   const parts = args.trim().split(/\s+/);
   return { cmd: (parts[0] ?? "").toLowerCase(), rest: parts.slice(1) };
@@ -524,108 +627,6 @@ var init_helpers = __esm({
     ENTRY_BASENAMES = /* @__PURE__ */ new Set(["main", "index", "app", "cli", "server", "__main__"]);
   }
 });
-function normalizeKeys(cfg) {
-  if (Array.isArray(cfg.apiKeys) && cfg.apiKeys.length > 0) {
-    return cfg.apiKeys.map((k) => ({ ...k }));
-  }
-  if (typeof cfg.apiKey === "string" && cfg.apiKey.length > 0) {
-    return [{ label: "default", apiKey: cfg.apiKey, createdAt: "" }];
-  }
-  return [];
-}
-function writeKeysBack(cfg, keys) {
-  if (keys.length === 0) {
-    delete cfg.apiKeys;
-    delete cfg.apiKey;
-    delete cfg.activeKey;
-    return;
-  }
-  cfg.apiKeys = keys;
-  const active = keys.find((k) => k.label === cfg.activeKey) ?? expectDefined(keys[0]);
-  delete cfg.apiKey;
-  if (!cfg.activeKey || !keys.some((k) => k.label === cfg.activeKey)) {
-    cfg.activeKey = active.label;
-  }
-}
-function resolveActiveApiKey(cfg) {
-  if (Array.isArray(cfg.apiKeys) && cfg.apiKeys.length > 0) {
-    const active = cfg.activeKey ? cfg.apiKeys.find((k) => k.label === cfg.activeKey) : void 0;
-    return (active ?? cfg.apiKeys[0])?.apiKey;
-  }
-  return cfg.apiKey && cfg.apiKey.length > 0 ? cfg.apiKey : void 0;
-}
-function activeLabel(cfg, keys) {
-  if (cfg.activeKey && keys.some((k) => k.label === cfg.activeKey)) return cfg.activeKey;
-  return keys[0]?.label;
-}
-function maskedKey(key) {
-  if (!key) return color.dim("\u2014");
-  if (key.length <= 8) return color.dim("\u2022".repeat(key.length));
-  const head = key.slice(0, 4);
-  const tail = key.slice(-4);
-  return `${color.dim(head + "\u2026")}${tail}`;
-}
-function nowIso() {
-  return (/* @__PURE__ */ new Date()).toISOString();
-}
-async function loadConfigProviders(configPath2, vault, opts) {
-  const warn = opts?.warn;
-  let raw;
-  try {
-    raw = await fsp5.readFile(configPath2, "utf8");
-  } catch (err) {
-    if (err.code !== "ENOENT") {
-      warn?.(`Could not read ${configPath2}: ${err.message}. Treating as empty.`);
-    }
-    return {};
-  }
-  let parsed;
-  try {
-    parsed = JSON.parse(raw);
-  } catch (err) {
-    warn?.(`Config at ${configPath2} is not valid JSON: ${err.message}`);
-    return {};
-  }
-  const decrypted = decryptConfigSecrets$1(parsed, vault);
-  return decrypted.providers ?? {};
-}
-async function mutateConfigProviders(configPath2, vault, mutator) {
-  let raw;
-  let fileExists2 = true;
-  try {
-    raw = await fsp5.readFile(configPath2, "utf8");
-  } catch (err) {
-    if (err.code !== "ENOENT") {
-      throw new Error(`Refusing to mutate ${configPath2}: ${err.message}`, {
-        cause: err
-      });
-    }
-    fileExists2 = false;
-    raw = "{}";
-  }
-  let parsed;
-  try {
-    parsed = JSON.parse(raw);
-  } catch (err) {
-    if (fileExists2) {
-      throw new Error(
-        `Refusing to overwrite corrupt config at ${configPath2} (${err.message}). Fix or move the file aside before retrying.`,
-        { cause: err }
-      );
-    }
-    parsed = {};
-  }
-  const decrypted = decryptConfigSecrets$1(parsed, vault);
-  const providers = decrypted.providers ?? {};
-  mutator(providers);
-  decrypted.providers = providers;
-  const encrypted = encryptConfigSecrets$1(decrypted, vault);
-  await atomicWrite(configPath2, JSON.stringify(encrypted, null, 2), { mode: 384 });
-}
-var init_provider_config_utils = __esm({
-  "src/provider-config-utils.ts"() {
-  }
-});
 function createApi(ownerName, base) {
   return new DefaultPluginAPI({ ownerName, ...base });
 }
@@ -654,26 +655,26 @@ function fmtDuration(ms) {
   const remMin = m - h * 60;
   return `${h}h${remMin}m`;
 }
-function fmtTaskResultLine(r, color74) {
+function fmtTaskResultLine(r, color77) {
   const stats = `${r.iterations}it ${r.toolCalls}tc ${fmtDuration(r.durationMs)}`;
   const errMsg = typeof r.error === "string" ? r.error : r.error?.message;
   const errKind = typeof r.error === "object" ? r.error?.kind : void 0;
   const errTail = errMsg ? ` \u2014 ${errMsg.replace(/\s+/g, " ").slice(0, 80)}${errMsg.length > 80 ? "\u2026" : ""}` : "";
-  const errKindChip = errKind ? color74.dim(` [${errKind}]`) : "";
-  const errSnip = errMsg || errKind ? `${errKindChip}${color74.dim(errTail)}` : "";
+  const errKindChip = errKind ? color77.dim(` [${errKind}]`) : "";
+  const errSnip = errMsg || errKind ? `${errKindChip}${color77.dim(errTail)}` : "";
   switch (r.status) {
     case "success":
-      return { mark: color74.green("\u2713"), stats, tail: "" };
+      return { mark: color77.green("\u2713"), stats, tail: "" };
     case "timeout":
       return {
-        mark: color74.yellow("\u23F1"),
-        stats: `${color74.yellow("timeout")} ${stats}`,
+        mark: color77.yellow("\u23F1"),
+        stats: `${color77.yellow("timeout")} ${stats}`,
         tail: errSnip
       };
     case "stopped":
-      return { mark: color74.dim("\u2298"), stats: `${color74.dim("stopped")} ${stats}`, tail: errSnip };
+      return { mark: color77.dim("\u2298"), stats: `${color77.dim("stopped")} ${stats}`, tail: errSnip };
     case "failed":
-      return { mark: color74.red("\u2717"), stats: `${color74.red("failed")} ${stats}`, tail: errSnip };
+      return { mark: color77.red("\u2717"), stats: `${color77.red("failed")} ${stats}`, tail: errSnip };
   }
 }
 var init_utils = __esm({
@@ -3028,6 +3029,23 @@ var init_update_check = __esm({
     CACHE_TTL_MS = 24 * 60 * 60 * 1e3;
   }
 });
+
+// src/webui-server/cost-helpers.ts
+function getCostRates(model) {
+  const cost = model?.cost;
+  return {
+    input: cost?.input ?? 0,
+    output: cost?.output ?? 0,
+    cacheRead: cost?.cache_read ?? 0
+  };
+}
+function computeUsageCost(usage, rates) {
+  return (usage.input * rates.input + usage.output * rates.output + (usage.cacheRead ?? 0) * rates.cacheRead) / 1e6;
+}
+var init_cost_helpers = __esm({
+  "src/webui-server/cost-helpers.ts"() {
+  }
+});
 function registerWebuiInstance(p, deps = {}) {
   const register = deps.registerFn ?? registerInstance;
   void register(
@@ -3047,7 +3065,7 @@ function registerWebuiInstance(p, deps = {}) {
 }
 function announceWebuiReady(p) {
   const log = p.log ?? ((m) => console.log(m));
-  const launch = p.openBrowserFn ?? openBrowser;
+  const launch = p.openBrowserFn ?? openBrowser$1;
   const openUrl = p.wsToken ? `http://${p.host}:${p.httpPort}?token=${encodeURIComponent(p.wsToken)}` : `http://${p.host}:${p.httpPort}`;
   p.server.on("listening", () => {
     log(
@@ -3100,6 +3118,40 @@ var init_lifecycle = __esm({
   "src/webui-server/lifecycle.ts"() {
   }
 });
+
+// src/webui-server/logger-shim.ts
+var structuredLine, consoleLogger;
+var init_logger_shim = __esm({
+  "src/webui-server/logger-shim.ts"() {
+    structuredLine = (level, message) => JSON.stringify({
+      level,
+      event: "webui.autophase",
+      message,
+      timestamp: (/* @__PURE__ */ new Date()).toISOString()
+    });
+    consoleLogger = {
+      level: "debug",
+      error(msg, _ctx) {
+        console.error(structuredLine("error", msg));
+      },
+      warn(msg, _ctx) {
+        console.warn(structuredLine("warn", msg));
+      },
+      info(msg, _ctx) {
+        console.log(structuredLine("info", msg));
+      },
+      debug(msg, _ctx) {
+        console.debug(structuredLine("debug", msg));
+      },
+      trace(msg, _ctx) {
+        console.debug(structuredLine("trace", msg));
+      },
+      child(_bindings) {
+        return this;
+      }
+    };
+  }
+});
 function getVault(globalConfigPath) {
   const keyFile = path4.join(path4.dirname(globalConfigPath ?? ""), ".key");
   return new DefaultSecretVault({ keyFile });
@@ -3618,23 +3670,6 @@ var init_context = __esm({
     init_context_breakdown();
   }
 });
-
-// src/webui-server/cost-helpers.ts
-function getCostRates(model) {
-  const cost = model?.cost;
-  return {
-    input: cost?.input ?? 0,
-    output: cost?.output ?? 0,
-    cacheRead: cost?.cache_read ?? 0
-  };
-}
-function computeUsageCost(usage, rates) {
-  return (usage.input * rates.input + usage.output * rates.output + (usage.cacheRead ?? 0) * rates.cacheRead) / 1e6;
-}
-var init_cost_helpers = __esm({
-  "src/webui-server/cost-helpers.ts"() {
-  }
-});
 async function handleSkillsList(ctx, ws) {
   if (!ctx.skillLoader) {
     ctx.send(ws, { type: "skills.list", payload: { skills: [], enabled: false } });
@@ -4046,29 +4081,15 @@ async function handleProviderModels(ctx, ws, providerId) {
     return;
   }
   try {
-    const provider = await ctx.modelsRegistry.getProvider(providerId);
-    if (!provider) {
-      sendResult7(ctx, ws, false, `Provider "${providerId}" not found in catalog`);
-      return;
-    }
+    const saved = await ctx.providerStore.load();
+    const cfg = saved[providerId];
+    const catalogId = cfg?.type && cfg.type !== providerId ? cfg.type : providerId;
+    const provider = await ctx.modelsRegistry.getProvider(catalogId);
     ctx.send(ws, {
       type: "provider.models",
       payload: {
         provider: providerId,
-        models: provider.models.map((m) => ({
-          id: m.id,
-          name: m.name,
-          releaseDate: m.release_date,
-          contextWindow: m.limit?.context,
-          inputCost: m.cost?.input,
-          outputCost: m.cost?.output,
-          capabilities: [
-            ...m.tool_call ? ["tools"] : [],
-            ...m.reasoning ? ["reasoning"] : [],
-            ...m.modalities?.input?.includes("image") ? ["vision"] : [],
-            ...m.open_weights ? ["open_weights"] : []
-          ]
-        }))
+        models: resolveProviderModelList(cfg?.models, provider)
       }
     });
   } catch (err) {
@@ -4665,40 +4686,6 @@ var init_ws_handlers = __esm({
   }
 });
 
-// src/webui-server/logger-shim.ts
-var structuredLine, consoleLogger;
-var init_logger_shim = __esm({
-  "src/webui-server/logger-shim.ts"() {
-    structuredLine = (level, message) => JSON.stringify({
-      level,
-      event: "webui.autophase",
-      message,
-      timestamp: (/* @__PURE__ */ new Date()).toISOString()
-    });
-    consoleLogger = {
-      level: "debug",
-      error(msg, _ctx) {
-        console.error(structuredLine("error", msg));
-      },
-      warn(msg, _ctx) {
-        console.warn(structuredLine("warn", msg));
-      },
-      info(msg, _ctx) {
-        console.log(structuredLine("info", msg));
-      },
-      debug(msg, _ctx) {
-        console.debug(structuredLine("debug", msg));
-      },
-      trace(msg, _ctx) {
-        console.debug(structuredLine("trace", msg));
-      },
-      child(_bindings) {
-        return this;
-      }
-    };
-  }
-});
-
 // src/webui-server.ts
 var webui_server_exports = {};
 __export(webui_server_exports, {
@@ -4835,7 +4822,7 @@ async function runWebUI(opts) {
       const vault = new DefaultSecretVault({
         keyFile: path4.join(path4.dirname(configPath2), ".key")
       });
-      const decrypted = decryptConfigSecrets$1(parsed, vault);
+      const decrypted = decryptConfigSecrets(parsed, vault);
       const autonomyCfg = decrypted.autonomy ?? {};
       let autonomyTouched = false;
       const setAutonomy = (key, val) => {
@@ -4910,13 +4897,16 @@ async function runWebUI(opts) {
       if (tgTouched) {
         const ext = decrypted.extensions ?? {};
         const tg = ext["telegram"] ?? {};
-        if (typeof payload["tgSessionEnd"] === "boolean") tg["notifyOnSessionEnd"] = payload["tgSessionEnd"];
-        if (typeof payload["tgDelegate"] === "boolean") tg["notifyOnDelegate"] = payload["tgDelegate"];
-        if (typeof payload["tgLongToolMs"] === "number") tg["longToolThresholdMs"] = payload["tgLongToolMs"];
+        if (typeof payload["tgSessionEnd"] === "boolean")
+          tg["notifyOnSessionEnd"] = payload["tgSessionEnd"];
+        if (typeof payload["tgDelegate"] === "boolean")
+          tg["notifyOnDelegate"] = payload["tgDelegate"];
+        if (typeof payload["tgLongToolMs"] === "number")
+          tg["longToolThresholdMs"] = payload["tgLongToolMs"];
         ext["telegram"] = tg;
         decrypted.extensions = ext;
       }
-      const encrypted = encryptConfigSecrets$1(decrypted, vault);
+      const encrypted = encryptConfigSecrets(decrypted, vault);
       await atomicWrite(configPath2, JSON.stringify(encrypted, null, 2), { mode: 384 });
     };
     const next = prefWriteLock.then(write);
@@ -5615,7 +5605,13 @@ async function runWebUI(opts) {
       case "key.add":
       case "key.update": {
         const m = msg;
-        await handleKeyUpsert(wsHandlerCtx, ws, m.payload.providerId, m.payload.label, m.payload.apiKey);
+        await handleKeyUpsert(
+          wsHandlerCtx,
+          ws,
+          m.payload.providerId,
+          m.payload.label,
+          m.payload.apiKey
+        );
         break;
       }
       case "key.delete": {
@@ -5819,52 +5815,39 @@ async function runWebUI(opts) {
         }
         return handleMemoryForget(ws, msg, opts.memoryStore);
       }
-      // ── MCP operations — MCP servers are read directly from config file ──
-      case "mcp.list": {
-        const servers = [];
-        if (opts.globalConfigPath) {
-          try {
-            const raw = await fsp5.readFile(opts.globalConfigPath, "utf8");
-            const cfg = JSON.parse(raw);
-            const mcpServers = cfg.mcpServers;
-            if (mcpServers) {
-              for (const [name, serverCfg] of Object.entries(mcpServers)) {
-                servers.push({
-                  name,
-                  transport: serverCfg.transport ?? "stdio",
-                  status: "stopped",
-                  enabled: serverCfg.enabled ?? true,
-                  // Conditional spreads keep these absent (not explicitly
-                  // `undefined`) to satisfy exactOptionalPropertyTypes.
-                  ...serverCfg.description !== void 0 && { description: serverCfg.description },
-                  ...serverCfg.allowedTools !== void 0 && { tools: serverCfg.allowedTools }
-                });
-              }
-            }
-          } catch {
-          }
-        }
-        send(ws, { type: "mcp.list", payload: { servers } });
+      // ── MCP operations — delegated to the shared handlers in
+      // @wrongstack/webui/server, which run against the same on-disk config
+      // and the live MCPRegistry the agent loop + `/mcp` use. ──
+      case "mcp.list":
+        await handleMcpList(ws, msg, opts.globalConfigPath ?? "", opts.mcpRegistry);
         break;
-      }
       case "mcp.add":
+        await handleMcpAdd(ws, msg, opts.globalConfigPath ?? "", opts.mcpRegistry);
+        break;
       case "mcp.remove":
+        await handleMcpRemove(ws, msg, opts.globalConfigPath ?? "", opts.mcpRegistry);
+        break;
       case "mcp.update":
+        await handleMcpUpdate(ws, msg, opts.globalConfigPath ?? "", opts.mcpRegistry);
+        break;
       case "mcp.wake":
+        await handleMcpWake(ws, msg, opts.globalConfigPath ?? "", opts.mcpRegistry);
+        break;
       case "mcp.sleep":
+        await handleMcpSleep(ws, msg, opts.globalConfigPath ?? "", opts.mcpRegistry);
+        break;
       case "mcp.discover":
+        await handleMcpDiscover(ws, msg, opts.globalConfigPath ?? "", opts.mcpRegistry);
+        break;
       case "mcp.enable":
+        await handleMcpEnable(ws, msg, opts.globalConfigPath ?? "", opts.mcpRegistry);
+        break;
       case "mcp.disable":
-      case "mcp.restart": {
-        send(ws, {
-          type: "mcp.operation_result",
-          payload: {
-            success: false,
-            message: 'MCP management operations require the standalone WebUI server. Please run "wrongstack webui" instead of "wrongstack --webui".'
-          }
-        });
+        await handleMcpDisable(ws, msg, opts.globalConfigPath ?? "", opts.mcpRegistry);
+        break;
+      case "mcp.restart":
+        await handleMcpRestart(ws, msg, opts.globalConfigPath ?? "", opts.mcpRegistry);
         break;
-      }
       case "skills.list": {
         await handleSkillsList(introspectionCtx, ws);
         break;
@@ -6050,6 +6033,17 @@ async function runWebUI(opts) {
         );
         break;
       }
+      case "git.changes": {
+        const projectRoot = opts.projectRoot ?? opts.agent.ctx.projectRoot ?? "";
+        await handleGitChanges(ws, projectRoot);
+        break;
+      }
+      case "git.diff": {
+        const projectRoot = opts.projectRoot ?? opts.agent.ctx.projectRoot ?? "";
+        const filePath = msg.payload?.path ?? "";
+        await handleGitDiff(ws, projectRoot, filePath);
+        break;
+      }
       case "shell.open": {
         const result = await handleShellOpen(
           msg.payload,
@@ -6059,7 +6053,11 @@ async function runWebUI(opts) {
         break;
       }
       case "model.refine": {
-        await handleModelRefine(agentConfigCtx, ws, msg.payload.text);
+        await handleModelRefine(
+          agentConfigCtx,
+          ws,
+          msg.payload.text
+        );
         break;
       }
       case "webui.shutdown":
@@ -6246,14 +6244,17 @@ async function runWebUI(opts) {
 }
 var init_webui_server = __esm({
   "src/webui-server.ts"() {
+    init_cost_helpers();
     init_lifecycle();
+    init_logger_shim();
     init_provider_config();
     init_static_serve();
     init_ws_handlers();
-    init_logger_shim();
-    init_cost_helpers();
   }
 });
+
+// src/cli-main.ts
+init_provider_config_utils();
 var WORKTREE_PHASE_CONCURRENCY = 4;
 var MAX_CMD_OUTPUT = 2e5;
 function gitText(args, cwd) {
@@ -7157,12 +7158,12 @@ function pickGroupIndex(opts) {
     try {
       let current = 0;
       try {
-        const parsed = Number.parseInt(fs2.readFileSync(opts.cursorFile, "utf8").trim(), 10);
+        const parsed = Number.parseInt(fs3.readFileSync(opts.cursorFile, "utf8").trim(), 10);
         if (Number.isFinite(parsed)) current = wrap(parsed);
       } catch {
       }
-      fs2.mkdirSync(path4.dirname(opts.cursorFile), { recursive: true });
-      fs2.writeFileSync(opts.cursorFile, String(wrap(current + 1)));
+      fs3.mkdirSync(path4.dirname(opts.cursorFile), { recursive: true });
+      fs3.writeFileSync(opts.cursorFile, String(wrap(current + 1)));
       return current;
     } catch {
     }
@@ -7649,7 +7650,19 @@ ${color.bold(theme.primary("WrongStack") + color.dim(" \u2014 Provider & Model S
     families.set(p.family, list);
   }
   const ordered = [];
-  const familyOrder = ["anthropic", "openai", "google", "openai-compatible"];
+  const preferredOrder = [
+    "anthropic",
+    "anthropic-oauth",
+    "openai",
+    "openai-codex",
+    "github-copilot",
+    "google",
+    "openai-compatible"
+  ];
+  const familyOrder = [
+    ...preferredOrder.filter((f) => families.has(f)),
+    ...[...families.keys()].filter((f) => !preferredOrder.includes(f))
+  ];
   let idx = 1;
   let defaultIdx;
   renderer.write("\n");
@@ -9742,7 +9755,7 @@ async function persistAutonomySetting(deps, mutator) {
     }
     parsed = {};
   }
-  const decrypted = decryptConfigSecrets(parsed, deps.vault);
+  const decrypted = decryptConfigSecrets$1(parsed, deps.vault);
   const autonomy = decrypted.autonomy ?? {};
   mutator(
     autonomy
@@ -9754,7 +9767,7 @@ async function persistAutonomySetting(deps, mutator) {
     await ensureProjectDir(actualTarget);
   }
   const toWrite = actualTarget === deps.globalConfigPath ? decrypted : filterSafeForProject(decrypted);
-  const encrypted = encryptConfigSecrets(toWrite, deps.vault);
+  const encrypted = encryptConfigSecrets$1(toWrite, deps.vault);
   await atomicWrite(actualTarget, JSON.stringify(encrypted, null, 2), { mode: 384 });
   deps.configStore.update({
     autonomy: decrypted.autonomy
@@ -9793,7 +9806,7 @@ async function persistConfigSetting(deps, mutator) {
     }
     parsed = {};
   }
-  const decrypted = decryptConfigSecrets(parsed, deps.vault);
+  const decrypted = decryptConfigSecrets$1(parsed, deps.vault);
   mutator(decrypted);
   const newScope = decrypted.configScope;
   const actualTarget = newScope === "project" && deps.inProjectConfigPath ? deps.inProjectConfigPath : newScope === "global" ? deps.globalConfigPath : targetPath;
@@ -9801,7 +9814,7 @@ async function persistConfigSetting(deps, mutator) {
     await ensureProjectDir(actualTarget);
   }
   const toWrite = actualTarget === deps.globalConfigPath ? decrypted : filterSafeForProject(decrypted);
-  const encrypted = encryptConfigSecrets(toWrite, deps.vault);
+  const encrypted = encryptConfigSecrets$1(toWrite, deps.vault);
   await atomicWrite(actualTarget, JSON.stringify(encrypted, null, 2), { mode: 384 });
   deps.configStore.update(decrypted);
 }
@@ -9828,13 +9841,13 @@ async function persistTelegramConfig(deps, mutator) {
     }
     parsed = {};
   }
-  const decrypted = decryptConfigSecrets(parsed, deps.vault);
+  const decrypted = decryptConfigSecrets$1(parsed, deps.vault);
   const extensions = decrypted.extensions ?? {};
   const telegram = extensions.telegram ?? {};
   mutator(telegram);
   extensions.telegram = telegram;
   decrypted.extensions = extensions;
-  const encrypted = encryptConfigSecrets(decrypted, deps.vault);
+  const encrypted = encryptConfigSecrets$1(decrypted, deps.vault);
   await atomicWrite(deps.globalConfigPath, JSON.stringify(encrypted, null, 2), { mode: 384 });
   deps.configStore.update({
     extensions
@@ -10300,9 +10313,9 @@ async function patchGlobalConfig(globalConfigPath, mutate) {
       throw new Error(`Config at ${globalConfigPath} is not valid JSON: ${err.message}`);
     parsed = {};
   }
-  const decrypted = decryptConfigSecrets(parsed, noOpVault);
+  const decrypted = decryptConfigSecrets$1(parsed, noOpVault);
   mutate(decrypted);
-  const encrypted = encryptConfigSecrets(decrypted, noOpVault);
+  const encrypted = encryptConfigSecrets$1(decrypted, noOpVault);
   await atomicWrite(globalConfigPath, JSON.stringify(encrypted, null, 2), { mode: 384 });
   return decrypted;
 }
@@ -11765,6 +11778,67 @@ function handleFleetHelp(opts) {
   return { message: msg };
 }
 
+// src/slash-commands/f-keys.ts
+var F_PANELS = {
+  "1": { action: "projectPickerOpen", label: "project switcher" },
+  "2": { action: "toggleMonitor", label: "fleet orchestration monitor" },
+  "3": { action: "toggleAgentsMonitor", label: "agents live monitor" },
+  "4": { action: "toggleWorktreeMonitor", label: "worktree monitor" },
+  "5": { action: "togglePlanPanel", label: "autonomy settings" },
+  "6": { action: "toggleTodosMonitor", label: "todos monitor overlay" },
+  "7": { action: "toggleQueuePanel", label: "queue panel" },
+  "8": { action: "toggleProcessList", label: "process list overlay" },
+  "9": { action: "toggleGoalPanel", label: "goal panel" },
+  "10": { action: "toggleSessionsPanel", label: "live sessions panel" },
+  "11": { action: "toggleCoordinatorMonitor", label: "coordinator monitor" },
+  "12": { action: "statuslineOpen", label: "status line picker" }
+};
+function buildFKeysCommand(opts) {
+  return {
+    name: "f",
+    description: "Open F-key panels (F1\u2013F12). Type /f for numbered options.",
+    hidden: false,
+    async run(args) {
+      const n = args.trim();
+      if (!n) {
+        const lines = ["F-key panels:"];
+        for (const [num, { label }] of Object.entries(F_PANELS)) {
+          lines.push(`  /f ${num} \u2014 ${label}`);
+        }
+        lines.push("", "Or use /f1 \u2026 /f12 directly (hidden from the picker).");
+        return { message: lines.join("\n") };
+      }
+      const entry = F_PANELS[n];
+      if (!entry) {
+        return { message: `Unknown F-key: ${n}. Use /f to list available panels (1\u201312).` };
+      }
+      if (opts.onPanelOpen.current) {
+        const ok = opts.onPanelOpen.current(entry.action);
+        if (ok) return {};
+      }
+      return { message: `Opening ${entry.label}\u2026 (REPL/headless mode \u2014 panel may not be available)` };
+    }
+  };
+}
+function buildFKeyAliasCommands(opts) {
+  return Object.entries(F_PANELS).map(([num, { action, label }]) => {
+    const cmd = {
+      name: `f${num}`,
+      description: `Open ${label} (same as F${num})`,
+      hidden: true,
+      // not shown in the main slash picker
+      async run() {
+        if (opts.onPanelOpen.current) {
+          const ok = opts.onPanelOpen.current(action);
+          if (ok) return {};
+        }
+        return { message: `Opening ${label}\u2026` };
+      }
+    };
+    return cmd;
+  });
+}
+
 // src/slash-commands/goal-refiner.ts
 async function refineGoal(rawGoal, provider, model) {
   const prompt = buildRefinementPrompt(rawGoal);
@@ -13604,9 +13678,9 @@ async function patchGlobalConfig2(globalConfigPath, mutate) {
     }
     parsed = {};
   }
-  const decrypted = decryptConfigSecrets(parsed, noOpVault);
+  const decrypted = decryptConfigSecrets$1(parsed, noOpVault);
   mutate(decrypted);
-  const encrypted = encryptConfigSecrets(decrypted, noOpVault);
+  const encrypted = encryptConfigSecrets$1(decrypted, noOpVault);
   await atomicWrite(globalConfigPath, JSON.stringify(encrypted, null, 2), { mode: 384 });
   return decrypted;
 }
@@ -14541,9 +14615,9 @@ async function patchGlobalConfig3(globalConfigPath, mutate) {
       throw new Error(`Config at ${globalConfigPath} is not valid JSON: ${err.message}`);
     parsed = {};
   }
-  const decrypted = decryptConfigSecrets(parsed, noOpVault);
+  const decrypted = decryptConfigSecrets$1(parsed, noOpVault);
   mutate(decrypted);
-  const encrypted = encryptConfigSecrets(decrypted, noOpVault);
+  const encrypted = encryptConfigSecrets$1(decrypted, noOpVault);
   await atomicWrite(globalConfigPath, JSON.stringify(encrypted, null, 2), { mode: 384 });
   return decrypted;
 }
@@ -15708,6 +15782,12 @@ function buildSettingsCommand(opts) {
     "  /settings semver-part patch|minor|major|auto   Default part for /semver and the semver_bump tool",
     "  /settings breaker on|off   Enable/disable the process circuit breaker (gates bash/exec)",
     "  /settings breaker-timeout <seconds>   Auto kill/reset delay when the breaker trips (0 = manual)",
+    "  /settings context-mode balanced|frugal|deep|archival   Context window policy",
+    "  /settings context-strategy hybrid|intelligent|selective   Compactor strategy",
+    "  /settings context-auto-compact on|off   Auto-compact context when thresholds crossed",
+    "  /settings token-saving off|minimal|light|medium|aggressive   Token-saving mode",
+    "  /settings max-concurrent <n>   Max concurrent subagents (0 = unlimited)",
+    "  /settings title-animation on|off   Terminal title animation",
     "  /settings defaults            Show built-in default values",
     "",
     "Settings are persisted to ~/.wrongstack/config.json."
@@ -15727,6 +15807,13 @@ function buildSettingsCommand(opts) {
     const cb = opts.configStore.get().circuitBreaker;
     const breakerEnabled = cb?.enabled === true;
     const breakerTimeout = cb?.autoKillResetMs ?? 6e4;
+    const context = opts.configStore.get().context;
+    const contextMode = context?.mode ?? "balanced";
+    const contextStrategy = context?.strategy ?? "hybrid";
+    const contextAutoCompact = context?.autoCompact !== false;
+    const features = opts.configStore.get().features;
+    const tokenSavingTier = features?.tokenSavingMode ?? "off";
+    const maxConcurrent = opts.configStore.get().maxConcurrent ?? 0;
     return [
       `${color.bold("WrongStack")} ${color.dim("\u2014 Settings")}`,
       "",
@@ -15741,6 +15828,11 @@ function buildSettingsCommand(opts) {
       `  refine-language:     ${color.cyan(enhanceLanguage)}   ${color.dim("change: /settings refine-language original|english")}`,
       `  semver default part: ${color.cyan(semverPart)}   ${color.dim("change: /settings semver-part patch|minor|major|auto")}`,
       `  circuit breaker:     ${breakerEnabled ? color.cyan("on") : color.dim("off")} (kill/reset ${breakerTimeout > 0 ? formatDelay(breakerTimeout) : color.dim("manual")})   ${color.dim("change: /settings breaker on|off")}`,
+      `  context mode:        ${color.cyan(contextMode)}   ${color.dim("change: /settings context-mode balanced|frugal|deep|archival")}`,
+      `  context strategy:    ${color.cyan(contextStrategy)}   ${color.dim("change: /settings context-strategy hybrid|intelligent|selective")}`,
+      `  context auto-compact: ${contextAutoCompact ? color.cyan("on") : color.dim("off")}   ${color.dim("change: /settings context-auto-compact on|off")}`,
+      `  token-saving:       ${color.cyan(tokenSavingTier)}   ${color.dim("change: /settings token-saving off|minimal|light|medium|aggressive")}`,
+      `  max-concurrent:     ${color.cyan(maxConcurrent === 0 ? "unlimited" : String(maxConcurrent))}   ${color.dim("change: /settings max-concurrent <n>")}`,
       "",
       color.dim("  Persisted to ~/.wrongstack/config.json \xB7 /settings help for more")
     ].join("\n");
@@ -15748,7 +15840,7 @@ function buildSettingsCommand(opts) {
   return {
     name: "settings",
     category: "Config",
-    description: "View or change settings (auto-proceed delay, default autonomy mode, launch hints).",
+    description: "View or change settings (auto-proceed, autonomy, context, features, token-saving).",
     help,
     async run(args) {
       const { cmd, rest } = parseSubcommand(args);
@@ -15970,8 +16062,101 @@ function buildSettingsCommand(opts) {
             message: `${color.green("\u2713")} breaker kill/reset timeout \u2192 ${ms > 0 ? formatDelay(ms) : color.dim("manual")}   ${color.dim(ms > 0 ? "statusline shows a countdown when the breaker trips" : "breaker trips require /kill reset")}`
           };
         }
+        if (sub === "context-mode") {
+          const raw = (rest[0] ?? "").toLowerCase();
+          const modes = ["balanced", "frugal", "deep", "archival"];
+          if (!modes.includes(raw)) {
+            return { message: `${color.amber("Usage:")} /settings context-mode balanced|frugal|deep|archival` };
+          }
+          await persistConfigSetting(persistDeps, (cfg) => {
+            const ctx = cfg.context ?? {};
+            ctx.mode = raw;
+            cfg.context = ctx;
+          });
+          return {
+            message: `${color.green("\u2713")} context mode \u2192 ${color.cyan(raw)}   ${color.dim("context window policy")}`
+          };
+        }
+        if (sub === "context-strategy") {
+          const raw = (rest[0] ?? "").toLowerCase();
+          const strategies = ["hybrid", "intelligent", "selective"];
+          if (!strategies.includes(raw)) {
+            return { message: `${color.amber("Usage:")} /settings context-strategy hybrid|intelligent|selective` };
+          }
+          await persistConfigSetting(persistDeps, (cfg) => {
+            const ctx = cfg.context ?? {};
+            ctx.strategy = raw;
+            cfg.context = ctx;
+          });
+          return {
+            message: `${color.green("\u2713")} context strategy \u2192 ${color.cyan(raw)}   ${color.dim("compactor strategy")}`
+          };
+        }
+        if (sub === "context-auto-compact") {
+          const raw = (rest[0] ?? "").toLowerCase();
+          if (!["on", "off"].includes(raw)) {
+            return { message: `${color.amber("Usage:")} /settings context-auto-compact on|off` };
+          }
+          const on = raw === "on";
+          await persistConfigSetting(persistDeps, (cfg) => {
+            const ctx = cfg.context ?? {};
+            ctx.autoCompact = on;
+            cfg.context = ctx;
+          });
+          return {
+            message: `${color.green("\u2713")} context auto-compact \u2192 ${on ? color.cyan("on") : color.dim("off")}   ${color.dim("auto-compact context when thresholds crossed")}`
+          };
+        }
+        if (sub === "token-saving") {
+          const raw = (rest[0] ?? "").toLowerCase();
+          const tiers = ["off", "minimal", "light", "medium", "aggressive"];
+          if (!tiers.includes(raw)) {
+            return { message: `${color.amber("Usage:")} /settings token-saving off|minimal|light|medium|aggressive` };
+          }
+          await persistConfigSetting(persistDeps, (cfg) => {
+            const feat = cfg.features ?? {};
+            feat.tokenSavingMode = raw;
+            cfg.features = feat;
+          });
+          return {
+            message: `${color.green("\u2713")} token-saving \u2192 ${color.cyan(raw)}   ${color.dim("token-saving mode")}`
+          };
+        }
+        if (sub === "max-concurrent") {
+          const raw = rest[0];
+          if (raw === void 0) {
+            return {
+              message: `${color.amber("Usage:")} /settings max-concurrent <n>   ${color.dim("(0 = unlimited)")}`
+            };
+          }
+          const n = Number.parseInt(raw, 10);
+          if (Number.isNaN(n) || n < 0) {
+            return {
+              message: `${color.red("Invalid number")}: "${raw}". Enter a non-negative integer (0 = unlimited)`
+            };
+          }
+          await persistConfigSetting(persistDeps, (cfg) => {
+            cfg.maxConcurrent = n;
+          });
+          return {
+            message: `${color.green("\u2713")} max-concurrent \u2192 ${color.cyan(n === 0 ? "unlimited" : String(n))}   ${color.dim("max concurrent subagents")}`
+          };
+        }
+        if (sub === "title-animation") {
+          const raw = (rest[0] ?? "").toLowerCase();
+          if (!["on", "off"].includes(raw)) {
+            return { message: `${color.amber("Usage:")} /settings title-animation on|off` };
+          }
+          const on = raw === "on";
+          await persistConfigSetting(persistDeps, (cfg) => {
+            cfg.titleAnimation = on;
+          });
+          return {
+            message: `${color.green("\u2713")} title animation \u2192 ${on ? color.cyan("on") : color.dim("off")}   ${color.dim("terminal title animation")}`
+          };
+        }
         return {
-          message: `${color.red("Unknown setting")} "${sub}". ${unknownSubcommand(sub, ["delay", "mode", "hints", "debug-stream", "config-scope", "fs-access", "refine", "refine-delay", "refine-language", "semver-part", "breaker", "breaker-timeout", "defaults"], "settings")}`
+          message: `${color.red("Unknown setting")} "${sub}". ${unknownSubcommand(sub, ["delay", "mode", "hints", "debug-stream", "config-scope", "fs-access", "refine", "refine-delay", "refine-language", "semver-part", "breaker", "breaker-timeout", "context-mode", "context-strategy", "context-auto-compact", "token-saving", "max-concurrent", "title-animation", "defaults"], "settings")}`
         };
       } catch (err) {
         return {
@@ -16609,8 +16794,10 @@ function buildTechStackTask(opts) {
     "1. **Read** each package.json and extract ALL dependencies (dependencies +",
     "   devDependencies + peerDependencies). Include the workspace root.",
     "",
-    "2. **For every dependency**, look up its latest version from the npm registry:",
-    '   - `fetch("https://registry.npmjs.org/<package>/latest")`',
+    "2. **For every dependency**, look up its latest version from the npm registry",
+    "   using the `fetch` tool (NOT shell `curl`/`wget`, and NOT a Node script \u2014",
+    "   you run under a director and only the `fetch` tool is permitted for network):",
+    '   - Call the `fetch` tool with `url: "https://registry.npmjs.org/<package>/latest"`',
     "   - Extract the `version` field from the JSON response",
     "   - Also check `description`, `license`, and `time` fields for age/dead checks",
     "",
@@ -16625,7 +16812,7 @@ function buildTechStackTask(opts) {
     "   - Flag dead packages (no release >2 years + critical issues)",
     "   - Prefer Node.js built-ins over third-party packages",
     "",
-    `5. **Write the report** to \`${outputPath}\` in the project root:`,
+    `5. **Write the report** to \`${outputPath}\` in the project root using the \`write\` tool:`,
     "   - Markdown format: grouped by category, with version tables and warnings",
     "   - JSON format: structured array with name, current, latest, status, notes",
     "",
@@ -16658,11 +16845,15 @@ function buildTechStackTask(opts) {
     "",
     "### Guardrails",
     "",
-    "- Use `fetch()` with `AbortSignal.timeout(10000)` on every npm registry call.",
-    "- Skip packages that return 404 (private/internal packages).",
+    "- Network access is ONLY via the `fetch` tool. The `bash`, `exec`, and other",
+    "  shell tools are denied for this subagent \u2014 do NOT try `curl`, `wget`, or a",
+    "  Node/`fetch()` script as a fallback; they will be blocked. If a `fetch`",
+    "  call fails, retry the `fetch` tool, do not switch transports.",
+    "- File writes are ONLY via the `write` tool (it is permitted for this run).",
+    "- Skip packages whose `fetch` returns HTTP 404 (private/internal packages).",
     "- Deduplicate: same package in multiple package.json files = one row.",
     "- Do NOT modify any files except writing the report.",
-    "- Run in 2-3 iterations max. Parallel fetch where possible.",
+    "- Run in 2-3 iterations max. Issue several `fetch` calls per turn where possible.",
     "- **IMPORTANT**: Output the chat summary FIRST, then write the file. I need to see results."
   ].join("\n");
 }
@@ -16717,6 +16908,15 @@ function buildTechStackCommand(opts) {
         opts.renderer.writeWarning(msg);
         return { message: msg };
       }
+      const hasFetchTool = opts.toolRegistry.list().some((t) => t.name === "fetch");
+      if (!hasFetchTool) {
+        opts.renderer.writeWarning(
+          "The `fetch` tool is not registered in this session \u2014 a token-saving tier (minimal/light) omits it. The techstack subagent cannot query the npm registry without it. Raise the tier to `medium` or higher (/settings \u2192 token saving) and re-run /techstack."
+        );
+        return {
+          message: "techstack aborted: `fetch` tool unavailable in the current token-saving tier."
+        };
+      }
       const header = isInit ? "Tech Stack Init Audit" : "Tech Stack Audit";
       const label = `${color.cyan("\u{1F50D}")} ${color.bold(header)} ${color.dim(`(${packageFiles.length} package files)`)}`;
       opts.renderer.write(label);
@@ -16728,7 +16928,11 @@ function buildTechStackCommand(opts) {
       );
       try {
         const name = isInit ? "techstack-init" : "techstack-audit";
-        const summary = await opts.onSpawnAndWait(task, { name });
+        const summary = await opts.onSpawnAndWait(task, {
+          name,
+          tools: ["read", "glob", "grep", "tree", "fetch", "write"],
+          allowedCapabilities: ["fs.read", "net.outbound", "fs.write"]
+        });
         return { message: summary };
       } catch (err) {
         const msg = `Tech stack scan failed: ${toErrorMessage(err)}`;
@@ -17346,6 +17550,8 @@ function buildBuiltinSlashCommands(opts) {
     buildAgentsCommand(opts),
     buildDirectorCommand(opts),
     buildFleetCommand(opts),
+    buildFKeysCommand(opts),
+    ...buildFKeyAliasCommands(opts),
     buildEnhanceCommand(opts),
     buildEnsembleCommand(),
     buildMemoryCommand(opts),
@@ -17387,6 +17593,8 @@ function buildBuiltinSlashCommands(opts) {
       }),
       getConfig: opts.statuslineConfig?.get ?? (async () => ({})),
       setConfig: opts.statuslineConfig?.set ?? (async () => {
+      }),
+      saveStatuslineHiddenItems: opts.saveStatuslineHiddenItems ?? (async () => {
       })
     })
   ];
@@ -17486,9 +17694,9 @@ async function runProjectCheck(opts) {
     }
     if (answer2 === "y" || answer2 === "yes") {
       try {
-        const { spawn: spawn6 } = await import('child_process');
+        const { spawn: spawn9 } = await import('child_process');
         await new Promise((resolve11, reject) => {
-          const child = spawn6("git", ["init"], {
+          const child = spawn9("git", ["init"], {
             cwd,
             signal: AbortSignal.timeout(1e4),
             windowsHide: true
@@ -18560,6 +18768,10 @@ ${color.bold("WrongStack")} ${color.dim("\u2014 API key manager")}
 `);
   renderer.write(`    ${color.bold("c")}  Add a custom provider
 `);
+  renderer.write(
+    `    ${color.bold("s")}  Sign in with a subscription ${color.dim("(ChatGPT / Claude / Copilot)")}
+`
+  );
   if (ids.length > 0) {
     renderer.write(
       `    ${color.dim("1-")}${color.dim(String(ids.length))}  ${color.bold("Manage a provider")}
@@ -18798,123 +19010,961 @@ async function addKeyForCatalogProvider(deps, chosen) {
       return false;
     }
   }
-  return addKeyForProvider(alias, deps, {
-    type: chosen.id,
-    family,
-    baseUrl,
-    envVars: chosen.envVars
-  });
+  return addKeyForProvider(alias, deps, {
+    type: chosen.id,
+    family,
+    baseUrl,
+    envVars: chosen.envVars
+  });
+}
+async function addCustomProvider(deps) {
+  deps.renderer.write(
+    `
+${color.bold("Custom provider")} ${color.dim("\u2014 for local models or proxies not in the catalog.")}
+`
+  );
+  const type = (await deps.reader.readLine(
+    `  ${color.amber("?")} Provider id ${color.dim('(e.g. "local-llama", "my-proxy", q to quit)')}: `
+  )).trim();
+  if (!type || type === "q") return false;
+  const existing = (await loadProviders(deps))[type];
+  if (existing) {
+    deps.renderer.writeWarning(`"${type}" already exists. Pick it from the main menu to edit.`);
+    return false;
+  }
+  const familyRaw = (await deps.reader.readLine(
+    `  ${color.amber("?")} Wire family ${color.dim("(anthropic | openai | openai-compatible | google)")} ${color.dim("(q to quit)")}: `
+  )).trim();
+  if (familyRaw === "q") return false;
+  const family = validateFamily(familyRaw);
+  if (!family) {
+    deps.renderer.writeError(`Invalid family: "${familyRaw}"`);
+    return false;
+  }
+  const baseUrl = (await deps.reader.readLine(
+    `  ${color.amber("?")} Base URL ${color.dim("(e.g. http://localhost:11434/v1, optional)")}: `
+  )).trim();
+  const modelsRaw = (await deps.reader.readLine(
+    `  ${color.amber("?")} Model ids ${color.dim("(comma-separated, optional)")}: `
+  )).trim();
+  const models = modelsRaw ? modelsRaw.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
+  const envVarsRaw = (await deps.reader.readLine(
+    `  ${color.amber("?")} Env var names ${color.dim("(comma-separated, optional)")}: `
+  )).trim();
+  const envVars = envVarsRaw ? envVarsRaw.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
+  return addKeyForProvider(type, deps, {
+    type,
+    family,
+    ...baseUrl ? { baseUrl } : {},
+    ...models ? { models } : {},
+    ...envVars ? { envVars } : {}
+  });
+}
+async function addManualEntry(deps) {
+  const pid = (await deps.reader.readLine(`  ${color.amber("?")} Provider id ${color.dim("[q to quit]")}: `)).trim();
+  if (!pid || pid === "q") return false;
+  const famRaw = (await deps.reader.readLine(
+    `  ${color.amber("?")} Family ${color.dim("(anthropic/openai/openai-compatible/google)")}: `
+  )).trim();
+  const family = validateFamily(famRaw);
+  if (!family) {
+    deps.renderer.writeError(`Invalid family: "${famRaw}"`);
+    return false;
+  }
+  const baseUrl = (await deps.reader.readLine(`  ${color.amber("?")} Base URL ${color.dim("(optional)")}: `)).trim();
+  return addKeyForProvider(pid, deps, {
+    type: pid,
+    family,
+    ...baseUrl ? { baseUrl } : {}
+  });
+}
+async function addKeyForProvider(providerId, deps, template) {
+  const providers = await loadProviders(deps);
+  const existing = providers[providerId];
+  const existingKeys = existing ? normalizeKeys(existing) : [];
+  const usedLabels = new Set(existingKeys.map((k) => k.label));
+  const label = await promptForLabel(deps, usedLabels);
+  if (!label) return false;
+  const apiKey = await readKeyInput(deps, `API key for ${providerId}/${label}`);
+  if (!apiKey) return false;
+  await mutateConfigProviders(deps.globalConfigPath, deps.vault, (all) => {
+    const existingProv = all[providerId] ?? {
+      type: providerId,
+      ...template
+    };
+    if (!existingProv.type) existingProv.type = providerId;
+    if (!existingProv.family && template.family) {
+      existingProv.family = template.family;
+    }
+    if (!existingProv.baseUrl && template.baseUrl) {
+      existingProv.baseUrl = template.baseUrl;
+    }
+    if (!existingProv.envVars && template.envVars) {
+      existingProv.envVars = template.envVars;
+    }
+    const list = normalizeKeys(existingProv);
+    list.push({ label, apiKey, createdAt: nowIso() });
+    writeKeysBack(existingProv, list);
+    if (!existingProv.activeKey) existingProv.activeKey = label;
+    all[providerId] = existingProv;
+  });
+  deps.renderer.write(
+    `  ${color.green("\u2713")} Saved ${color.bold(providerId)}/${color.bold(label)}.
+`
+  );
+  deps.renderer.write(color.dim(`  Launch: wstack --provider ${providerId} "<task>"
+`));
+  return true;
+}
+async function promptForLabel(deps, usedLabels) {
+  const defaultLabel = suggestLabel(usedLabels);
+  const labelRaw = (await deps.reader.readLine(
+    `  ${color.amber("?")} Label for this key ${color.dim(`[${defaultLabel}]`)}: `
+  )).trim();
+  const label = labelRaw || defaultLabel;
+  if (usedLabels.has(label)) {
+    deps.renderer.writeError(`Label "${label}" is already used. Use update (u) instead.`);
+    return null;
+  }
+  return label;
+}
+
+// src/auth-menu/anthropic-oauth.ts
+init_provider_config_utils();
+var CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+var AUTHORIZE_URL = "https://claude.ai/oauth/authorize";
+var TOKEN_URL = "https://platform.claude.com/v1/oauth/token";
+var REDIRECT_PORT = 53692;
+var REDIRECT_HOST = "127.0.0.1";
+var REDIRECT_PATH = "/callback";
+var REDIRECT_URI = `http://localhost:${REDIRECT_PORT}${REDIRECT_PATH}`;
+var SCOPES = "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
+var CLAUDE_PROVIDER_ID = "anthropic-oauth";
+var CLAUDE_BASE_URL = "https://api.anthropic.com";
+function base64url(buf) {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generatePkce() {
+  const verifier = base64url(randomBytes(32));
+  const challenge = base64url(createHash("sha256").update(verifier).digest());
+  return { verifier, challenge };
+}
+function buildAuthorizeUrl(challenge, verifier) {
+  const params = new URLSearchParams({
+    code: "true",
+    client_id: CLIENT_ID,
+    response_type: "code",
+    redirect_uri: REDIRECT_URI,
+    scope: SCOPES,
+    code_challenge: challenge,
+    code_challenge_method: "S256",
+    state: verifier
+  });
+  return `${AUTHORIZE_URL}?${params.toString()}`;
+}
+function parseAuthorizationInput(input) {
+  const value = input.trim();
+  if (!value) return {};
+  try {
+    const url = new URL(value);
+    return {
+      code: url.searchParams.get("code") ?? void 0,
+      state: url.searchParams.get("state") ?? void 0
+    };
+  } catch {
+  }
+  if (value.includes("#")) {
+    const [code, state] = value.split("#", 2);
+    return { code, state };
+  }
+  if (value.includes("code=")) {
+    const params = new URLSearchParams(value);
+    return {
+      code: params.get("code") ?? void 0,
+      state: params.get("state") ?? void 0
+    };
+  }
+  return { code: value };
+}
+async function readTokens(res, op) {
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`Claude token ${op} failed (${res.status}): ${text || res.statusText}`);
+  }
+  const json = await res.json();
+  if (!json?.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
+    throw new Error(`Claude token ${op} response missing fields`);
+  }
+  return {
+    access: json.access_token,
+    refresh: json.refresh_token,
+    expires: Date.now() + json.expires_in * 1e3
+  };
+}
+async function exchangeAuthorizationCode(code, state, verifier, signal) {
+  const res = await fetch(TOKEN_URL, {
+    method: "POST",
+    headers: { "content-type": "application/json", accept: "application/json" },
+    body: JSON.stringify({
+      grant_type: "authorization_code",
+      client_id: CLIENT_ID,
+      code,
+      state,
+      redirect_uri: REDIRECT_URI,
+      code_verifier: verifier
+    }),
+    signal: signal ? AbortSignal.any([signal, AbortSignal.timeout(3e4)]) : AbortSignal.timeout(3e4)
+  });
+  return readTokens(res, "exchange");
+}
+async function fetchClaudeModels(accessToken, signal) {
+  try {
+    const res = await fetch(`${CLAUDE_BASE_URL}/v1/models?limit=100`, {
+      headers: {
+        accept: "application/json",
+        authorization: `Bearer ${accessToken}`,
+        "anthropic-version": "2023-06-01",
+        "anthropic-beta": "claude-code-20250219,oauth-2025-04-20"
+      },
+      signal: AbortSignal.any([signal, AbortSignal.timeout(8e3)])
+    });
+    if (!res.ok) return [];
+    const json = await res.json();
+    const ids = (json?.data ?? []).map((m) => m.id).filter((id) => typeof id === "string" && id.startsWith("claude-"));
+    return ids;
+  } catch {
+    return [];
+  }
+}
+function callbackHtml(ok, message) {
+  const heading = ok ? "Authentication successful" : "Authentication failed";
+  return `<!doctype html><html lang="en"><head><meta charset="utf-8"/><title>${heading}</title><style>body{margin:0;min-height:100vh;display:flex;align-items:center;justify-content:center;background:#09090b;color:#fafafa;font-family:ui-sans-serif,system-ui,sans-serif;text-align:center}h1{font-size:26px;margin:0 0 8px}p{color:#a1a1aa}</style></head><body><main><h1>${heading}</h1><p>${message}</p></main></body></html>`;
+}
+function startLoopbackServer(expectedState) {
+  let resolveCode = () => {
+  };
+  const codePromise = new Promise((resolve11) => {
+    let settled = false;
+    resolveCode = (v) => {
+      if (settled) return;
+      settled = true;
+      resolve11(v);
+    };
+  });
+  const server = createServer((req2, res) => {
+    let url;
+    try {
+      url = new URL(req2.url ?? "", `http://${REDIRECT_HOST}`);
+    } catch {
+      res.statusCode = 400;
+      res.end();
+      return;
+    }
+    if (url.pathname !== REDIRECT_PATH) {
+      res.statusCode = 404;
+      res.setHeader("content-type", "text/html; charset=utf-8");
+      res.end(callbackHtml(false, "Callback route not found."));
+      return;
+    }
+    res.setHeader("content-type", "text/html; charset=utf-8");
+    const err = url.searchParams.get("error");
+    if (err) {
+      res.statusCode = 400;
+      res.end(callbackHtml(false, `Authorization error: ${err}`));
+      resolveCode(null);
+      return;
+    }
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    if (!code || !state) {
+      res.statusCode = 400;
+      res.end(callbackHtml(false, "Missing code or state."));
+      return;
+    }
+    if (state !== expectedState) {
+      res.statusCode = 400;
+      res.end(callbackHtml(false, "State mismatch \u2014 please restart the login."));
+      resolveCode(null);
+      return;
+    }
+    res.statusCode = 200;
+    res.end(callbackHtml(true, "You can close this window and return to the terminal."));
+    resolveCode({ code, state });
+  });
+  return new Promise((resolve11) => {
+    server.on("error", () => {
+      resolveCode(null);
+      resolve11({
+        bound: false,
+        waitForCode: () => Promise.resolve(null),
+        close: () => {
+          try {
+            server.close();
+          } catch {
+          }
+        }
+      });
+    });
+    server.listen(REDIRECT_PORT, REDIRECT_HOST, () => {
+      resolve11({
+        bound: true,
+        waitForCode: () => codePromise,
+        close: () => {
+          resolveCode(null);
+          try {
+            server.close();
+          } catch {
+          }
+        }
+      });
+    });
+  });
+}
+function openBrowser(url) {
+  try {
+    const platform3 = process.platform;
+    const { command, args } = platform3 === "win32" ? { command: "cmd", args: ["/c", "start", "", url] } : platform3 === "darwin" ? { command: "open", args: [url] } : { command: "xdg-open", args: [url] };
+    const child = spawn(command, args, { stdio: "ignore", windowsHide: true });
+    child.on("error", () => {
+    });
+    child.unref();
+  } catch {
+  }
+}
+async function runClaudeOAuthLogin(deps, opts = {}) {
+  const providerId = opts.providerId ?? CLAUDE_PROVIDER_ID;
+  const { verifier, challenge } = generatePkce();
+  const state = verifier;
+  const authorizeUrl = buildAuthorizeUrl(challenge, verifier);
+  const ac = new AbortController();
+  const onSig = () => ac.abort();
+  process.on("SIGINT", onSig);
+  const server = await startLoopbackServer(state);
+  deps.renderer.write(
+    color.bold(`
+  Sign in with Claude \u2014 ${color.cyan(providerId)}
+`) + color.dim("  Uses your Claude Pro/Max subscription (not an API key).\n") + color.amber("  \u26A0 Using a subscription outside the official Claude Code client is against\n") + color.amber("    Anthropic\u2019s Terms \u2014 your account could be rate-limited or banned.\n") + color.dim("    Sanctioned programmatic use = an API key: ") + color.bold("wstack auth anthropic") + color.dim("\n\n") + color.bold(`  ${"\u2500".repeat(56)}
+`) + color.bold("  Open this URL in your browser to sign in:\n") + color.cyan(`  ${authorizeUrl}
+`) + color.bold(`  ${"\u2500".repeat(56)}
+
+`)
+  );
+  if (server.bound) {
+    openBrowser(authorizeUrl);
+    deps.renderer.write(
+      color.dim("  A browser window should open. Waiting for you to finish signing in...\n") + color.dim("  (Listening on http://localhost:53692 \u2014 press Ctrl+C to cancel.)\n")
+    );
+  } else {
+    deps.renderer.write(
+      color.amber("  \u26A0 Could not start the local callback listener (port 53692 in use).\n") + color.dim("  After signing in, paste the full redirect URL (or the code) below.\n")
+    );
+  }
+  let code;
+  try {
+    if (server.bound) {
+      const got = await server.waitForCode();
+      if (got) code = got.code;
+    }
+    if (!code) {
+      const input = (await deps.reader.readLine(
+        `
+  ${color.amber("?")} Paste the redirect URL or code ${color.dim("(or q to cancel)")}: `
+      )).trim();
+      if (input.toLowerCase() === "q" || input === "") {
+        deps.renderer.write(color.dim("  Cancelled.\n"));
+        return 1;
+      }
+      const parsed = parseAuthorizationInput(input);
+      if (parsed.state && parsed.state !== state) {
+        deps.renderer.writeError("  State mismatch \u2014 please restart the login flow.");
+        return 1;
+      }
+      code = parsed.code;
+    }
+    if (!code) {
+      deps.renderer.writeError("  No authorization code received.");
+      return 1;
+    }
+    deps.renderer.write(color.dim("\n  Exchanging authorization code for tokens...\n"));
+    const tokens = await exchangeAuthorizationCode(code, state, verifier, ac.signal);
+    const models = await fetchClaudeModels(tokens.access, ac.signal);
+    const saved = await saveClaudeTokens(deps, providerId, tokens, models);
+    if (!saved) return 1;
+    deps.renderer.write(color.green("\n  \u2713 Signed in with Claude!\n"));
+    const modelHint = models.find((m) => m.includes("sonnet")) ?? models[0] ?? "claude-sonnet-4-6";
+    deps.renderer.writeInfo(
+      `  Saved as provider ${color.bold(providerId)}${models.length ? ` (${models.length} models)` : ""}.
+  Use: ${color.bold(`wstack --provider ${providerId} --model ${modelHint}`)} "<task>"
+` + color.dim("  Tokens refresh automatically before they expire.\n")
+    );
+    return 0;
+  } catch (err) {
+    const msg = err instanceof DOMException && err.name === "AbortError" ? "Login cancelled." : err.message;
+    deps.renderer.writeError(`  Login failed: ${msg}`);
+    return 1;
+  } finally {
+    server.close();
+    process.off("SIGINT", onSig);
+  }
+}
+async function saveClaudeTokens(deps, providerId, tokens, models) {
+  const entry = {
+    label: "oauth-default",
+    apiKey: tokens.access,
+    createdAt: nowIso(),
+    authMethod: "oauth",
+    expiresAt: new Date(tokens.expires).toISOString(),
+    refreshToken: tokens.refresh,
+    tokenType: "bearer",
+    scope: SCOPES
+  };
+  try {
+    await mutateConfigProviders(deps.globalConfigPath, deps.vault, (all) => {
+      const existing = all[providerId];
+      const p = existing ? { ...existing } : { type: providerId };
+      p.family = "anthropic-oauth";
+      if (!p.baseUrl) p.baseUrl = CLAUDE_BASE_URL;
+      if (models.length > 0) p.models = models;
+      else if (!p.models || p.models.length === 0)
+        p.models = ["claude-sonnet-4-6", "claude-opus-4-8"];
+      const keys = normalizeKeys(p).filter((k) => k.label !== entry.label);
+      keys.push(entry);
+      writeKeysBack(p, keys);
+      p.activeKey = entry.label;
+      all[providerId] = p;
+    });
+    return true;
+  } catch (err) {
+    deps.renderer.writeError(`  Failed to save tokens: ${err.message}`);
+    return false;
+  }
+}
+
+// src/auth-menu/github-copilot-oauth.ts
+init_provider_config_utils();
+var CLIENT_ID2 = "Iv1.b507a08c87ecfe98";
+var DEVICE_CODE_URL = "https://github.com/login/device/code";
+var ACCESS_TOKEN_URL = "https://github.com/login/oauth/access_token";
+var COPILOT_HEADERS = {
+  "User-Agent": "GitHubCopilotChat/0.35.0",
+  "Editor-Version": "vscode/1.107.0",
+  "Editor-Plugin-Version": "copilot-chat/0.35.0",
+  "Copilot-Integration-Id": "vscode-chat"
+};
+var COPILOT_API_VERSION = "2026-06-01";
+var COPILOT_PROVIDER_ID = "github-copilot";
+function openBrowser2(url) {
+  try {
+    const platform3 = process.platform;
+    const { command, args } = platform3 === "win32" ? { command: "cmd", args: ["/c", "start", "", url] } : platform3 === "darwin" ? { command: "open", args: [url] } : { command: "xdg-open", args: [url] };
+    const child = spawn(command, args, { stdio: "ignore", windowsHide: true });
+    child.on("error", () => {
+    });
+    child.unref();
+  } catch {
+  }
+}
+function sleep(ms, signal) {
+  return new Promise((resolve11, reject) => {
+    if (signal.aborted) return reject(new DOMException("Aborted", "AbortError"));
+    const t = setTimeout(resolve11, ms);
+    signal.addEventListener(
+      "abort",
+      () => {
+        clearTimeout(t);
+        reject(new DOMException("Aborted", "AbortError"));
+      },
+      { once: true }
+    );
+  });
+}
+async function startDeviceFlow(signal) {
+  const res = await fetch(DEVICE_CODE_URL, {
+    method: "POST",
+    headers: {
+      accept: "application/json",
+      "content-type": "application/x-www-form-urlencoded",
+      "user-agent": COPILOT_HEADERS["User-Agent"]
+    },
+    body: new URLSearchParams({ client_id: CLIENT_ID2, scope: "read:user" }).toString(),
+    signal: signal ? AbortSignal.any([signal, AbortSignal.timeout(15e3)]) : AbortSignal.timeout(15e3)
+  });
+  if (!res.ok) throw new Error(`GitHub device-code request failed (${res.status})`);
+  const json = await res.json();
+  if (!json?.device_code || !json.user_code || !json.verification_uri || typeof json.expires_in !== "number") {
+    throw new Error("Invalid device-code response");
+  }
+  return {
+    device_code: json.device_code,
+    user_code: json.user_code,
+    verification_uri: json.verification_uri,
+    interval: json.interval ?? 5,
+    expires_in: json.expires_in
+  };
+}
+async function pollForGitHubToken(device, signal) {
+  let intervalMs = device.interval * 1e3;
+  const expiresAt = Date.now() + device.expires_in * 1e3;
+  while (Date.now() < expiresAt) {
+    await sleep(intervalMs, signal);
+    const res = await fetch(ACCESS_TOKEN_URL, {
+      method: "POST",
+      headers: {
+        accept: "application/json",
+        "content-type": "application/x-www-form-urlencoded",
+        "user-agent": COPILOT_HEADERS["User-Agent"]
+      },
+      body: new URLSearchParams({
+        client_id: CLIENT_ID2,
+        device_code: device.device_code,
+        grant_type: "urn:ietf:params:oauth:grant-type:device_code"
+      }).toString(),
+      signal: AbortSignal.any([signal, AbortSignal.timeout(15e3)])
+    });
+    const json = await res.json().catch(() => ({}));
+    if (json.access_token) return json.access_token;
+    if (json.error === "authorization_pending") continue;
+    if (json.error === "slow_down") {
+      intervalMs += 5e3;
+      continue;
+    }
+    throw new Error(`Device flow failed: ${json.error ?? "unknown error"}`);
+  }
+  throw new Error("Device code expired \u2014 please restart the login.");
+}
+function isUsableCopilotChatModel(item) {
+  if (typeof item.id !== "string" || item.id.length === 0) return false;
+  const cap = item.capabilities;
+  if (cap?.type !== "chat") return false;
+  if (cap.supports?.tool_calls !== true) return false;
+  const eps = item.supported_endpoints;
+  if (Array.isArray(eps) && !eps.includes("/chat/completions")) return false;
+  if (item.policy?.state === "disabled") return false;
+  if (item.vendor === "Experimental") return false;
+  return true;
+}
+async function fetchCopilotModels(copilotToken, signal) {
+  try {
+    const base = copilotBaseUrlFromToken(copilotToken);
+    const res = await fetch(`${base}/models`, {
+      headers: {
+        accept: "application/json",
+        authorization: `Bearer ${copilotToken}`,
+        "X-GitHub-Api-Version": COPILOT_API_VERSION,
+        ...COPILOT_HEADERS
+      },
+      signal: AbortSignal.any([signal, AbortSignal.timeout(8e3)])
+    });
+    if (!res.ok) return [];
+    const json = await res.json();
+    const data = json?.data;
+    if (!Array.isArray(data)) return [];
+    const usable = data.filter(isUsableCopilotChatModel);
+    usable.sort((a, b) => copilotModelRank(a) - copilotModelRank(b));
+    return usable.map((m) => m.id);
+  } catch {
+    return [];
+  }
+}
+function copilotModelRank(item) {
+  if (item.is_chat_default === true) return 0;
+  if (item.is_chat_fallback === true) return 1;
+  return 2;
+}
+async function runCopilotOAuthLogin(deps, opts = {}) {
+  const providerId = opts.providerId ?? COPILOT_PROVIDER_ID;
+  const ac = new AbortController();
+  const onSig = () => ac.abort();
+  process.on("SIGINT", onSig);
+  try {
+    deps.renderer.write(
+      color.bold(`
+  Sign in with GitHub Copilot \u2014 ${color.cyan(providerId)}
+`) + color.dim("  Uses your GitHub Copilot subscription (not an API key).\n") + color.amber("  \u26A0 Using Copilot outside its official editor integrations may violate\n") + color.amber("    GitHub\u2019s Terms \u2014 your account could be rate-limited or banned.\n\n")
+    );
+    const device = await startDeviceFlow(ac.signal);
+    deps.renderer.write(
+      color.bold(`  ${"\u2500".repeat(56)}
+`) + color.bold("  Open this URL and enter the code:\n") + color.cyan(`  ${device.verification_uri}
+`) + color.bold("  Code: ") + color.green(color.bold(device.user_code)) + "\n" + color.bold(`  ${"\u2500".repeat(56)}
+
+`)
+    );
+    openBrowser2(device.verification_uri);
+    deps.renderer.write(color.dim("  Waiting for you to authorize in the browser...\n"));
+    const githubToken = await pollForGitHubToken(device, ac.signal);
+    deps.renderer.write(color.dim("  Authorized. Fetching your Copilot token...\n"));
+    const copilot = await refreshCopilotToken(githubToken, ac.signal);
+    const models = await fetchCopilotModels(copilot.token, ac.signal);
+    const saved = await saveCopilotTokens(
+      deps,
+      providerId,
+      copilot.token,
+      githubToken,
+      copilot.expires,
+      models
+    );
+    if (!saved) return 1;
+    deps.renderer.write(color.green("\n  \u2713 Signed in with GitHub Copilot!\n"));
+    const modelHint = models[0] ?? "gpt-4o";
+    deps.renderer.writeInfo(
+      `  Saved as provider ${color.bold(providerId)}${models.length ? ` (${models.length} models)` : ""}.
+  Use: ${color.bold(`wstack --provider ${providerId} --model ${modelHint}`)} "<task>"
+` + color.dim("  The Copilot token refreshes automatically.\n")
+    );
+    return 0;
+  } catch (err) {
+    const msg = err instanceof DOMException && err.name === "AbortError" ? "Login cancelled." : err.message;
+    deps.renderer.writeError(`  Login failed: ${msg}`);
+    return 1;
+  } finally {
+    process.off("SIGINT", onSig);
+  }
 }
-async function addCustomProvider(deps) {
-  deps.renderer.write(
-    `
-${color.bold("Custom provider")} ${color.dim("\u2014 for local models or proxies not in the catalog.")}
-`
-  );
-  const type = (await deps.reader.readLine(
-    `  ${color.amber("?")} Provider id ${color.dim('(e.g. "local-llama", "my-proxy", q to quit)')}: `
-  )).trim();
-  if (!type || type === "q") return false;
-  const existing = (await loadProviders(deps))[type];
-  if (existing) {
-    deps.renderer.writeWarning(`"${type}" already exists. Pick it from the main menu to edit.`);
+async function saveCopilotTokens(deps, providerId, copilotToken, githubToken, expires, models) {
+  const entry = {
+    label: "oauth-default",
+    apiKey: copilotToken,
+    createdAt: nowIso(),
+    authMethod: "oauth",
+    expiresAt: new Date(expires).toISOString(),
+    refreshToken: githubToken,
+    tokenType: "bearer"
+  };
+  try {
+    await mutateConfigProviders(deps.globalConfigPath, deps.vault, (all) => {
+      const existing = all[providerId];
+      const p = existing ? { ...existing } : { type: providerId };
+      p.family = "github-copilot";
+      if (!p.baseUrl) p.baseUrl = copilotBaseUrlFromToken(copilotToken);
+      if (models.length > 0) p.models = models;
+      else if (!p.models || p.models.length === 0) p.models = ["gpt-4o"];
+      const keys = normalizeKeys(p).filter((k) => k.label !== entry.label);
+      keys.push(entry);
+      writeKeysBack(p, keys);
+      p.activeKey = entry.label;
+      all[providerId] = p;
+    });
+    return true;
+  } catch (err) {
+    deps.renderer.writeError(`  Failed to save tokens: ${err.message}`);
     return false;
   }
-  const familyRaw = (await deps.reader.readLine(
-    `  ${color.amber("?")} Wire family ${color.dim("(anthropic | openai | openai-compatible | google)")} ${color.dim("(q to quit)")}: `
-  )).trim();
-  if (familyRaw === "q") return false;
-  const family = validateFamily(familyRaw);
-  if (!family) {
-    deps.renderer.writeError(`Invalid family: "${familyRaw}"`);
-    return false;
+}
+
+// src/auth-menu/openai-codex-oauth.ts
+init_provider_config_utils();
+var CLIENT_ID3 = "app_EMoamEEZ73f0CkXaXp7hrann";
+var AUTH_BASE_URL = "https://auth.openai.com";
+var AUTHORIZE_URL2 = `${AUTH_BASE_URL}/oauth/authorize`;
+var TOKEN_URL2 = `${AUTH_BASE_URL}/oauth/token`;
+var REDIRECT_PORT2 = 1455;
+var REDIRECT_HOST2 = "127.0.0.1";
+var REDIRECT_PATH2 = "/auth/callback";
+var REDIRECT_URI2 = `http://localhost:${REDIRECT_PORT2}${REDIRECT_PATH2}`;
+var SCOPE = "openid profile email offline_access";
+var JWT_CLAIM_PATH = "https://api.openai.com/auth";
+var ORIGINATOR = "wrongstack";
+var CODEX_PROVIDER_ID = "openai-codex";
+var CODEX_BASE_URL = "https://chatgpt.com/backend-api";
+function base64url2(buf) {
+  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
+}
+function generatePkce2() {
+  const verifier = base64url2(randomBytes(32));
+  const challenge = base64url2(createHash("sha256").update(verifier).digest());
+  return { verifier, challenge };
+}
+function createState() {
+  return randomBytes(16).toString("hex");
+}
+function buildAuthorizeUrl2(challenge, state) {
+  const url = new URL(AUTHORIZE_URL2);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("client_id", CLIENT_ID3);
+  url.searchParams.set("redirect_uri", REDIRECT_URI2);
+  url.searchParams.set("scope", SCOPE);
+  url.searchParams.set("code_challenge", challenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("state", state);
+  url.searchParams.set("id_token_add_organizations", "true");
+  url.searchParams.set("codex_cli_simplified_flow", "true");
+  url.searchParams.set("originator", ORIGINATOR);
+  return url.toString();
+}
+function decodeJwtPayload(token) {
+  try {
+    const parts = token.split(".");
+    if (parts.length !== 3) return null;
+    const json = Buffer.from(parts[1], "base64url").toString("utf8");
+    return JSON.parse(json);
+  } catch {
+    return null;
   }
-  const baseUrl = (await deps.reader.readLine(
-    `  ${color.amber("?")} Base URL ${color.dim("(e.g. http://localhost:11434/v1, optional)")}: `
-  )).trim();
-  const modelsRaw = (await deps.reader.readLine(
-    `  ${color.amber("?")} Model ids ${color.dim("(comma-separated, optional)")}: `
-  )).trim();
-  const models = modelsRaw ? modelsRaw.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
-  const envVarsRaw = (await deps.reader.readLine(
-    `  ${color.amber("?")} Env var names ${color.dim("(comma-separated, optional)")}: `
-  )).trim();
-  const envVars = envVarsRaw ? envVarsRaw.split(",").map((s) => s.trim()).filter(Boolean) : void 0;
-  return addKeyForProvider(type, deps, {
-    type,
-    family,
-    ...baseUrl ? { baseUrl } : {},
-    ...models ? { models } : {},
-    ...envVars ? { envVars } : {}
-  });
 }
-async function addManualEntry(deps) {
-  const pid = (await deps.reader.readLine(`  ${color.amber("?")} Provider id ${color.dim("[q to quit]")}: `)).trim();
-  if (!pid || pid === "q") return false;
-  const famRaw = (await deps.reader.readLine(
-    `  ${color.amber("?")} Family ${color.dim("(anthropic/openai/openai-compatible/google)")}: `
-  )).trim();
-  const family = validateFamily(famRaw);
-  if (!family) {
-    deps.renderer.writeError(`Invalid family: "${famRaw}"`);
-    return false;
+function extractAccountId(token) {
+  const payload = decodeJwtPayload(token);
+  const auth = payload?.[JWT_CLAIM_PATH];
+  const id = auth?.chatgpt_account_id;
+  return typeof id === "string" && id.length > 0 ? id : null;
+}
+async function readTokens2(res, op) {
+  if (!res.ok) {
+    const text = await res.text().catch(() => "");
+    throw new Error(`Codex token ${op} failed (${res.status}): ${text || res.statusText}`);
   }
-  const baseUrl = (await deps.reader.readLine(`  ${color.amber("?")} Base URL ${color.dim("(optional)")}: `)).trim();
-  return addKeyForProvider(pid, deps, {
-    type: pid,
-    family,
-    ...baseUrl ? { baseUrl } : {}
+  const json = await res.json();
+  if (!json?.access_token || !json.refresh_token || typeof json.expires_in !== "number") {
+    throw new Error(`Codex token ${op} response missing fields`);
+  }
+  return {
+    access: json.access_token,
+    refresh: json.refresh_token,
+    expires: Date.now() + json.expires_in * 1e3
+  };
+}
+async function exchangeAuthorizationCode2(code, verifier, signal) {
+  const res = await fetch(TOKEN_URL2, {
+    method: "POST",
+    headers: { "content-type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      client_id: CLIENT_ID3,
+      code,
+      code_verifier: verifier,
+      redirect_uri: REDIRECT_URI2
+    }).toString(),
+    signal: signal ? AbortSignal.any([signal, AbortSignal.timeout(3e4)]) : AbortSignal.timeout(3e4)
   });
+  return readTokens2(res, "exchange");
 }
-async function addKeyForProvider(providerId, deps, template) {
-  const providers = await loadProviders(deps);
-  const existing = providers[providerId];
-  const existingKeys = existing ? normalizeKeys(existing) : [];
-  const usedLabels = new Set(existingKeys.map((k) => k.label));
-  const label = await promptForLabel(deps, usedLabels);
-  if (!label) return false;
-  const apiKey = await readKeyInput(deps, `API key for ${providerId}/${label}`);
-  if (!apiKey) return false;
-  await mutateConfigProviders(deps.globalConfigPath, deps.vault, (all) => {
-    const existingProv = all[providerId] ?? {
-      type: providerId,
-      ...template
+function callbackHtml2(ok, message) {
+  const heading = ok ? "Authentication successful" : "Authentication failed";
+  return `<!doctype html><html lang="en"><head><meta charset="utf-8"/><title>${heading}</title><style>body{margin:0;min-height:100vh;display:flex;align-items:center;justify-content:center;background:#09090b;color:#fafafa;font-family:ui-sans-serif,system-ui,sans-serif;text-align:center}h1{font-size:26px;margin:0 0 8px}p{color:#a1a1aa}</style></head><body><main><h1>${heading}</h1><p>${message}</p></main></body></html>`;
+}
+function startLoopbackServer2(state) {
+  let resolveCode = () => {
+  };
+  const codePromise = new Promise((resolve11) => {
+    let settled = false;
+    resolveCode = (v) => {
+      if (settled) return;
+      settled = true;
+      resolve11(v);
     };
-    if (!existingProv.type) existingProv.type = providerId;
-    if (!existingProv.family && template.family) {
-      existingProv.family = template.family;
+  });
+  const server = createServer((req2, res) => {
+    let url;
+    try {
+      url = new URL(req2.url ?? "", `http://${REDIRECT_HOST2}`);
+    } catch {
+      res.statusCode = 400;
+      res.end();
+      return;
     }
-    if (!existingProv.baseUrl && template.baseUrl) {
-      existingProv.baseUrl = template.baseUrl;
+    if (url.pathname !== REDIRECT_PATH2) {
+      res.statusCode = 404;
+      res.setHeader("content-type", "text/html; charset=utf-8");
+      res.end(callbackHtml2(false, "Callback route not found."));
+      return;
     }
-    if (!existingProv.envVars && template.envVars) {
-      existingProv.envVars = template.envVars;
+    res.setHeader("content-type", "text/html; charset=utf-8");
+    const err = url.searchParams.get("error");
+    if (err) {
+      res.statusCode = 400;
+      res.end(callbackHtml2(false, `Authorization error: ${err}`));
+      resolveCode(null);
+      return;
     }
-    const list = normalizeKeys(existingProv);
-    list.push({ label, apiKey, createdAt: nowIso() });
-    writeKeysBack(existingProv, list);
-    if (!existingProv.activeKey) existingProv.activeKey = label;
-    all[providerId] = existingProv;
+    if (url.searchParams.get("state") !== state) {
+      res.statusCode = 400;
+      res.end(callbackHtml2(false, "State mismatch \u2014 please restart the login."));
+      resolveCode(null);
+      return;
+    }
+    const code = url.searchParams.get("code");
+    if (!code) {
+      res.statusCode = 400;
+      res.end(callbackHtml2(false, "Missing authorization code."));
+      return;
+    }
+    res.statusCode = 200;
+    res.end(callbackHtml2(true, "You can close this window and return to the terminal."));
+    resolveCode(code);
+  });
+  return new Promise((resolve11) => {
+    server.on("error", () => {
+      resolveCode(null);
+      resolve11({
+        bound: false,
+        waitForCode: () => Promise.resolve(null),
+        close: () => {
+          try {
+            server.close();
+          } catch {
+          }
+        }
+      });
+    });
+    server.listen(REDIRECT_PORT2, REDIRECT_HOST2, () => {
+      resolve11({
+        bound: true,
+        waitForCode: () => codePromise,
+        close: () => {
+          resolveCode(null);
+          try {
+            server.close();
+          } catch {
+          }
+        }
+      });
+    });
   });
+}
+function openBrowser3(url) {
+  try {
+    const platform3 = process.platform;
+    const { command, args } = platform3 === "win32" ? { command: "cmd", args: ["/c", "start", "", url] } : platform3 === "darwin" ? { command: "open", args: [url] } : { command: "xdg-open", args: [url] };
+    const child = spawn(command, args, { stdio: "ignore", windowsHide: true });
+    child.on("error", () => {
+    });
+    child.unref();
+  } catch {
+  }
+}
+function parseAuthorizationInput2(input) {
+  const value = input.trim();
+  if (!value) return {};
+  try {
+    const url = new URL(value);
+    return {
+      code: url.searchParams.get("code") ?? void 0,
+      state: url.searchParams.get("state") ?? void 0
+    };
+  } catch {
+  }
+  if (value.includes("code=")) {
+    const params = new URLSearchParams(value);
+    return {
+      code: params.get("code") ?? void 0,
+      state: params.get("state") ?? void 0
+    };
+  }
+  return { code: value };
+}
+async function runCodexOAuthLogin(deps, opts = {}) {
+  const providerId = opts.providerId ?? CODEX_PROVIDER_ID;
+  const pkce = generatePkce2();
+  const state = createState();
+  const authorizeUrl = buildAuthorizeUrl2(pkce.challenge, state);
+  const ac = new AbortController();
+  const onSig = () => ac.abort();
+  process.on("SIGINT", onSig);
+  const server = await startLoopbackServer2(state);
   deps.renderer.write(
-    `  ${color.green("\u2713")} Saved ${color.bold(providerId)}/${color.bold(label)}.
-`
+    color.bold(`
+  Sign in with ChatGPT \u2014 ${color.cyan(providerId)}
+`) + color.dim("  Uses your ChatGPT Plus/Pro/Team subscription (not an API key).\n") + color.amber("  \u26A0 Using a subscription outside the official Codex client may violate\n") + color.amber("    OpenAI\u2019s Terms \u2014 your account could be rate-limited or banned.\n") + color.dim("    Sanctioned programmatic use = an API key: ") + color.bold("wstack auth openai") + color.dim("\n\n") + color.bold(`  ${"\u2500".repeat(56)}
+`) + color.bold("  Open this URL in your browser to sign in:\n") + color.cyan(`  ${authorizeUrl}
+`) + color.bold(`  ${"\u2500".repeat(56)}
+
+`)
   );
-  deps.renderer.write(color.dim(`  Launch: wstack --provider ${providerId} "<task>"
-`));
-  return true;
+  if (server.bound) {
+    openBrowser3(authorizeUrl);
+    deps.renderer.write(
+      color.dim("  A browser window should open. Waiting for you to finish signing in...\n") + color.dim("  (Listening on http://localhost:1455 \u2014 press Ctrl+C to cancel.)\n")
+    );
+  } else {
+    deps.renderer.write(
+      color.amber("  \u26A0 Could not start the local callback listener (port 1455 in use).\n") + color.dim("  After signing in, copy the full redirect URL from your browser\n") + color.dim("  (it starts with http://localhost:1455/auth/callback) and paste it below.\n")
+    );
+  }
+  let code;
+  try {
+    if (server.bound) {
+      const got = await server.waitForCode();
+      if (got) code = got;
+    }
+    if (!code) {
+      const input = (await deps.reader.readLine(
+        `
+  ${color.amber("?")} Paste the redirect URL or code ${color.dim("(or q to cancel)")}: `
+      )).trim();
+      if (input.toLowerCase() === "q" || input === "") {
+        deps.renderer.write(color.dim("  Cancelled.\n"));
+        return 1;
+      }
+      const parsed = parseAuthorizationInput2(input);
+      if (parsed.state && parsed.state !== state) {
+        deps.renderer.writeError("  State mismatch \u2014 please restart the login flow.");
+        return 1;
+      }
+      code = parsed.code;
+    }
+    if (!code) {
+      deps.renderer.writeError("  No authorization code received.");
+      return 1;
+    }
+    deps.renderer.write(color.dim("\n  Exchanging authorization code for tokens...\n"));
+    const tokens = await exchangeAuthorizationCode2(code, pkce.verifier, ac.signal);
+    const accountId = extractAccountId(tokens.access);
+    if (!accountId) {
+      deps.renderer.writeError(
+        "  Signed in, but the token has no ChatGPT account id.\n  This account may not have Codex/ChatGPT subscription access."
+      );
+      return 1;
+    }
+    const saved = await saveCodexTokens(deps, providerId, tokens, accountId);
+    if (!saved) return 1;
+    deps.renderer.write(color.green("\n  \u2713 Signed in with ChatGPT!\n"));
+    deps.renderer.writeInfo(
+      `  Saved as provider ${color.bold(providerId)}.
+  Use: ${color.bold(`wstack --provider ${providerId} --model gpt-5.5`)} "<task>"
+` + color.dim("  Tokens refresh automatically before they expire.\n")
+    );
+    return 0;
+  } catch (err) {
+    const msg = err instanceof DOMException && err.name === "AbortError" ? "Login cancelled." : err.message;
+    deps.renderer.writeError(`  Login failed: ${msg}`);
+    return 1;
+  } finally {
+    server.close();
+    process.off("SIGINT", onSig);
+  }
 }
-async function promptForLabel(deps, usedLabels) {
-  const defaultLabel = suggestLabel(usedLabels);
-  const labelRaw = (await deps.reader.readLine(
-    `  ${color.amber("?")} Label for this key ${color.dim(`[${defaultLabel}]`)}: `
-  )).trim();
-  const label = labelRaw || defaultLabel;
-  if (usedLabels.has(label)) {
-    deps.renderer.writeError(`Label "${label}" is already used. Use update (u) instead.`);
-    return null;
+async function saveCodexTokens(deps, providerId, tokens, accountId) {
+  const entry = {
+    label: "oauth-default",
+    apiKey: tokens.access,
+    createdAt: nowIso(),
+    authMethod: "oauth",
+    expiresAt: new Date(tokens.expires).toISOString(),
+    refreshToken: tokens.refresh,
+    tokenType: "bearer",
+    scope: SCOPE,
+    accountId
+  };
+  try {
+    await mutateConfigProviders(deps.globalConfigPath, deps.vault, (all) => {
+      const existing = all[providerId];
+      const p = existing ? { ...existing } : { type: providerId };
+      p.family = "openai-codex";
+      if (!p.baseUrl) p.baseUrl = CODEX_BASE_URL;
+      if (!p.models || p.models.length === 0) {
+        p.models = ["gpt-5.5", "gpt-5.4", "gpt-5.4-mini", "gpt-5.3-codex-spark"];
+      }
+      const keys = normalizeKeys(p).filter((k) => k.label !== entry.label);
+      keys.push(entry);
+      writeKeysBack(p, keys);
+      p.activeKey = entry.label;
+      all[providerId] = p;
+    });
+    return true;
+  } catch (err) {
+    deps.renderer.writeError(`  Failed to save tokens: ${err.message}`);
+    return false;
   }
-  return label;
 }
 
 // src/auth-menu/provider-menu.ts
@@ -19092,6 +20142,24 @@ function validKeyIndex(arg, max, deps, verb) {
 }
 
 // src/auth-menu/top-menu.ts
+async function runSignInMenu(deps) {
+  deps.renderer.write(
+    `
+  ${color.bold("Sign in with a subscription:")}
+` + color.amber("  \u26A0 Subscription tokens used outside official clients may violate provider\n") + color.amber("    Terms \u2014 your account could be rate-limited or banned. An API key is the\n") + color.dim("    sanctioned path for programmatic use.\n") + `    ${color.bold("1")}  ChatGPT Plus/Pro  ${color.dim("(\u2192 openai-codex)")}
+    ${color.bold("2")}  Claude Pro/Max    ${color.dim("(\u2192 anthropic-oauth)")}
+    ${color.bold("3")}  GitHub Copilot    ${color.dim("(\u2192 github-copilot)")}
+`
+  );
+  const pick = (await deps.reader.readLine(`  ${color.amber("?")} Pick ${color.dim("(or b to go back)")}: `)).trim().toLowerCase();
+  if (pick === "1" || pick === "chatgpt" || pick === "openai" || pick === "codex") {
+    await runCodexOAuthLogin(deps);
+  } else if (pick === "2" || pick === "claude" || pick === "anthropic") {
+    await runClaudeOAuthLogin(deps);
+  } else if (pick === "3" || pick === "copilot" || pick === "github") {
+    await runCopilotOAuthLogin(deps);
+  }
+}
 async function runTopMenu(deps) {
   for (; ; ) {
     const providers = await loadProviders(deps);
@@ -19111,6 +20179,10 @@ ${color.amber("?")} Pick: `)).trim().toLowerCase();
       await addCustomProvider(deps);
       continue;
     }
+    if (choice === "s" || choice === "signin" || choice === "login") {
+      await runSignInMenu(deps);
+      continue;
+    }
     const idx = Number.parseInt(choice, 10);
     if (!Number.isNaN(idx) && idx >= 1 && idx <= ids.length) {
       const pid = ids[idx - 1];
@@ -19189,6 +20261,26 @@ var authCmd = async (args, deps) => {
     }
     return runAuthRemove(menuDeps, pid);
   }
+  if (first === "login") {
+    const pid = (flags.positional[1] ?? "").toLowerCase();
+    const codexAliases = /* @__PURE__ */ new Set(["", "openai", "codex", "chatgpt", "codex-cli", CODEX_PROVIDER_ID]);
+    const claudeAliases = /* @__PURE__ */ new Set(["claude", "anthropic", "claude-pro", "claude-max", "anthropic-oauth"]);
+    const copilotAliases = /* @__PURE__ */ new Set(["copilot", "github", "github-copilot", "gh"]);
+    if (claudeAliases.has(pid)) {
+      return runClaudeOAuthLogin(menuDeps);
+    }
+    if (copilotAliases.has(pid)) {
+      return runCopilotOAuthLogin(menuDeps);
+    }
+    if (codexAliases.has(pid)) {
+      return runCodexOAuthLogin(menuDeps);
+    }
+    deps.renderer.writeError("OAuth login is only supported for ChatGPT, Claude, and GitHub Copilot.");
+    deps.renderer.write(
+      color.dim("  Sign in with ChatGPT: ") + color.bold("wstack auth login chatgpt") + "\n" + color.dim("  Sign in with Claude:  ") + color.bold("wstack auth login claude") + "\n" + color.dim("  Sign in with Copilot: ") + color.bold("wstack auth login copilot") + "\n" + color.dim("  For an API key instead: ") + color.bold(`wstack auth ${pid}`) + "\n"
+    );
+    return 1;
+  }
   return runAuthDirect(menuDeps, {
     providerId: first,
     label: flags.label,
@@ -21165,8 +22257,11 @@ var providersCmd = async (args, deps) => {
     const all = await deps.modelsRegistry.listProviders();
     const byFamily = {
       anthropic: [],
+      "anthropic-oauth": [],
       openai: [],
       "openai-compatible": [],
+      "openai-codex": [],
+      "github-copilot": [],
       google: [],
       unsupported: []
     };
@@ -21370,11 +22465,11 @@ async function mutateModelsConfig(deps, mutator) {
     }
     parsed = {};
   }
-  const decrypted = decryptConfigSecrets(parsed, vault);
+  const decrypted = decryptConfigSecrets$1(parsed, vault);
   const models = decrypted.models ?? {};
   mutator(models);
   decrypted.models = models;
-  const encrypted = encryptConfigSecrets(decrypted, vault);
+  const encrypted = encryptConfigSecrets$1(decrypted, vault);
   await atomicWrite(configPath2, JSON.stringify(encrypted, null, 2), { mode: 384 });
 }
 function parseSizeFlag(raw) {
@@ -22578,9 +23673,9 @@ async function checkGitInCwd(opts) {
     const answer = (await reader.readLine(`  ${color.amber("?")} Initialize one here? ${color.dim("[y/N]")} `)).trim().toLowerCase();
     if (answer === "y" || answer === "yes") {
       try {
-        const { spawn: spawn6 } = await import('child_process');
+        const { spawn: spawn9 } = await import('child_process');
         await new Promise((resolve11, reject) => {
-          const child = spawn6("git", ["init"], {
+          const child = spawn9("git", ["init"], {
             cwd,
             signal: AbortSignal.timeout(1e4),
             windowsHide: true
@@ -22886,6 +23981,7 @@ function bindSystemPromptBuilder(deps) {
       modeId: deps.modeId,
       modePrompt: deps.modePrompt,
       modelCapabilities: deps.modelCapabilities,
+      tokenSavingMode: deps.tokenSavingMode,
       planPath: () => deps.sessionRef.current ? deps.pathJoiner.join(
         deps.paths.projectSessions,
         `${deps.sessionRef.current.id}.plan.json`
@@ -22905,12 +24001,32 @@ function bindSystemPromptBuilder(deps) {
     })
   );
 }
+var SIBLING_CATALOG = {
+  "anthropic-oauth": "anthropic",
+  "openai-codex": "openai",
+  "github-copilot": "openai"
+};
 async function resolveRuntimeMaxContext(input) {
   const explicitContext = positiveNumber(input.config.context?.effectiveMaxContext);
   if (explicitContext) return explicitContext;
   const providerConfig = input.runtimeProviderConfig ?? input.config.providers?.[input.providerId];
   const providerOverride = positiveNumber(readConfiguredMaxContext(providerConfig));
   if (providerOverride) return providerOverride;
+  const sibling = providerConfig?.family ? SIBLING_CATALOG[providerConfig.family] : void 0;
+  if (sibling && input.modelsRegistry) {
+    const mergedModels = mergeCustomModelDefs(providerConfig?.customModels, input.config.models);
+    const caps = await capabilitiesFor(
+      input.modelsRegistry,
+      sibling,
+      input.modelId,
+      mergedModels
+    ).catch(() => void 0);
+    const siblingMax = positiveNumber(caps?.maxContext);
+    if (siblingMax) return siblingMax;
+    const directModel = await input.modelsRegistry.getModel(sibling, input.modelId).catch(() => void 0);
+    const directMax = positiveNumber(directModel?.capabilities.maxContext);
+    if (directMax) return directMax;
+  }
   const catalogId = providerConfig?.type && providerConfig.type !== input.providerId ? providerConfig.type : input.providerId;
   if (input.modelsRegistry) {
     const topLevelBaseUrlApplies = input.providerId === input.config.provider;
@@ -24178,7 +25294,9 @@ async function execute(deps) {
     enhanceController,
     statuslineHiddenItems,
     setStatuslineHiddenItems,
+    saveStatuslineHiddenItems,
     agentsMonitorController,
+    onPanelOpen,
     getYolo,
     getAutonomy,
     onAutonomy,
@@ -24629,6 +25747,11 @@ Reply with ONLY the JSON object.`
               allowOutsideProjectRoot: cfg.features?.allowOutsideProjectRoot ?? true,
               contextAutoCompact: cfg.context?.autoCompact !== false,
               contextStrategy: cfg.context?.strategy ?? "hybrid",
+              contextMode: (() => {
+                const m = cfg.context?.["mode"];
+                return m === "frugal" || m === "deep" || m === "archival" ? m : "balanced";
+              })(),
+              maxConcurrent: cfg.maxConcurrent ?? 0,
               logLevel: cfg.log?.level ?? "info",
               auditLevel: cfg.session?.auditLevel ?? "standard",
               indexOnStart: cfg.indexing?.onSessionStart !== false,
@@ -24685,7 +25808,7 @@ Reply with ONLY the JSON object.`
                   );
                 }
                 const parsed = JSON.parse(raw);
-                const decrypted = decryptConfigSecrets(parsed, noOpVault);
+                const decrypted = decryptConfigSecrets$1(parsed, noOpVault);
                 if (s.nextPrediction !== void 0) {
                   decrypted.nextPrediction = s.nextPrediction;
                 }
@@ -24755,7 +25878,7 @@ Reply with ONLY the JSON object.`
                   decrypted.autonomy = autonomy;
                 }
                 const toWrite = targetPath === wpaths.globalConfig ? decrypted : filterSafeForProject(decrypted);
-                const encrypted = encryptConfigSecrets(toWrite, noOpVault);
+                const encrypted = encryptConfigSecrets$1(toWrite, noOpVault);
                 if (targetPath !== wpaths.globalConfig) {
                   await fsp5.mkdir(path4.dirname(targetPath), { recursive: true });
                 }
@@ -24855,6 +25978,7 @@ Reply with ONLY the JSON object.`
           enhanceController,
           statuslineHiddenItems,
           setStatuslineHiddenItems,
+          saveStatuslineHiddenItems,
           agentsMonitorController,
           getLiveSessions: async () => {
             const { SessionRegistry } = await import('@wrongstack/core');
@@ -25180,12 +26304,13 @@ ${parts.join("\n")}
           // `wrongstack quick` sets flags.quick — open the F3 agents monitor by default.
           initialAgentsMonitorOpen: !!flags.quick,
           tokenSavingMode: normalizeTokenSavingTier(config.features.tokenSavingMode) !== "off",
-          toolCount: agent.tools.list().length
+          toolCount: agent.tools.list().length,
+          onPanelOpen
         });
         if (code === PROJECT_SWITCH_EXIT_CODE && pendingProjectSwitch) {
           const { root, name, resumeSessionId } = pendingProjectSwitch;
           process.stdout.write("\x1B[2J\x1B[H");
-          const { spawn: spawn6 } = await import('child_process');
+          const { spawn: spawn9 } = await import('child_process');
           const { createRequire: createRequire8 } = await import('module');
           let cliPath;
           try {
@@ -25204,7 +26329,7 @@ ${parts.join("\n")}
           const nodeExe = process.execPath;
           const spawnArgs = [cliPath, "--no-interactive"];
           if (resumeSessionId) spawnArgs.push("--resume", resumeSessionId);
-          spawn6(nodeExe, spawnArgs, {
+          spawn9(nodeExe, spawnArgs, {
             cwd: root,
             stdio: "ignore",
             detached: true
@@ -25239,6 +26364,7 @@ ${parts.join("\n")}
         open: !!flags.open,
         modelsRegistry,
         globalConfigPath: wpaths.globalConfig,
+        mcpRegistry,
         subscribeEternalIteration,
         sessionStore,
         sessionsDir: wpaths.projectSessions,
@@ -25748,8 +26874,9 @@ var MultiAgentHost = class _MultiAgentHost {
       const baseRegistry = this.subagentToolRegistry(tools);
       if (injectedFleetEmit) baseRegistry.register(injectedFleetEmit);
       if (injectedFleetStatus) baseRegistry.register(injectedFleetStatus);
+      const subAllowedCaps = this.resolveSubagentCapabilities(subCfg);
       const toolExecutor = new ToolExecutor(baseRegistry, {
-        permissionPolicy: new AutoApprovePermissionPolicy(),
+        permissionPolicy: new AutoApprovePermissionPolicy(subAllowedCaps),
         secretScrubber: this.deps.secretScrubber,
         renderer: this.deps.renderer,
         events,
@@ -25767,9 +26894,9 @@ var MultiAgentHost = class _MultiAgentHost {
         context: ctx,
         // Subagents cannot answer interactive permission prompts — they
         // run under a director, not the user. Auto-approve everything
-        // (except tool-level hard denies); the user already authorized
-        // the work when they invoked the leader.
-        permissionPolicy: new AutoApprovePermissionPolicy(),
+        // whose capability is in the (possibly widened) allowlist; the
+        // user already authorized the work when they invoked the leader.
+        permissionPolicy: new AutoApprovePermissionPolicy(subAllowedCaps),
         toolExecutor
       });
       agent.extensions.register(
@@ -25915,6 +27042,36 @@ var MultiAgentHost = class _MultiAgentHost {
     const allowSet = new Set(allow);
     return all.filter((t) => allowSet.has(t.name));
   }
+  /**
+   * Resolve the capability allowlist for a subagent's auto-approve policy.
+   *
+   * Precedence:
+   *   1. Explicit `subCfg.allowedCapabilities` — the spawn site knows best
+   *      (e.g. `/techstack` grants exactly `fs.write` on top of the safe set).
+   *   2. A scoped `subCfg.tools` slice — the granted tool slice IS the intended
+   *      capability grant. The leader/roster deliberately chose these tools, so
+   *      allow exactly the capabilities they declare (plus the read-only safe
+   *      floor). Without this, a role given the `write`/`build` tool presets
+   *      could *see* those tools but the policy would deny execution (`fs.write`
+   *      and `shell.*` are not in the read-only default), silently crippling
+   *      every code-writing / build role in the catalog.
+   *   3. No tool restriction (full registry) → the WIDE working set
+   *      (`WIDE_SUBAGENT_CAPABILITIES`: read, write, net, shell, install). The
+   *      user authorized full developer work when they invoked the leader, so a
+   *      delegated agent runs the same toolchain end-to-end. The genuinely
+   *      blast-radius-escaping capabilities (fs.write.outside-project, mcp.proxy,
+   *      subagent.spawn, config.mutate) stay off and need an explicit (1) grant.
+   */
+  resolveSubagentCapabilities(subCfg) {
+    if (subCfg.allowedCapabilities) return subCfg.allowedCapabilities;
+    const allow = subCfg.tools;
+    if (!allow || allow.length === 0) return WIDE_SUBAGENT_CAPABILITIES;
+    const caps = new Set(WIDE_SUBAGENT_CAPABILITIES);
+    for (const tool of this.filterTools([...allow])) {
+      for (const c of tool.capabilities ?? []) caps.add(c);
+    }
+    return [...caps];
+  }
   subagentToolRegistry(allow) {
     if (!allow || allow.length === 0) return this.deps.toolRegistry;
     const sub = new ToolRegistry();
@@ -25937,7 +27094,8 @@ var MultiAgentHost = class _MultiAgentHost {
       role: "general",
       provider: opts?.provider,
       model: opts?.model,
-      tools: opts?.tools
+      tools: opts?.tools,
+      allowedCapabilities: opts?.allowedCapabilities
     };
     const { subagentId, taskId } = await this._spawnAndAssign(subagentConfig, description);
     this.fleetManager?.addPendingTask(taskId, subagentId, description);
@@ -26563,7 +27721,7 @@ async function setupCodebaseIndexing(deps) {
   let watcher;
   if (idx.watchExternal) {
     try {
-      watcher = fs2.watch(projectRoot, { recursive: true }, (_event, filename) => {
+      watcher = fs3.watch(projectRoot, { recursive: true }, (_event, filename) => {
         if (!filename) return;
         const rel = filename.toString();
         if (isIgnored(rel)) return;
@@ -26971,7 +28129,17 @@ async function setupProvider(params) {
     resolvedProvider = await modelsRegistry.getProvider(savedProviderCfg.type).catch(() => void 0);
   }
   if (!resolvedProvider) {
-    if (!savedProviderCfg?.family) {
+    if (savedProviderCfg?.family) {
+      resolvedProvider = {
+        id: config.provider,
+        name: config.provider,
+        family: savedProviderCfg.family,
+        apiBase: savedProviderCfg.baseUrl,
+        envVars: savedProviderCfg.envVars ?? [],
+        models: (savedProviderCfg.models ?? []).map((m) => ({ id: m, name: m })),
+        npm: void 0
+      };
+    } else {
       logger.warn(
         `Provider "${config.provider}" not found in models.dev. Continuing with raw config.`
       );
@@ -27053,11 +28221,13 @@ async function resolveModeAndCapabilities(deps) {
     ).catch(() => void 0),
     deps.modelsRegistry.getModel(deps.config.provider, deps.config.model).catch(() => void 0)
   ]);
-  const modelCapabilities = resolvedCaps ? {
-    maxContextTokens: resolvedCaps.maxContext,
-    supportsTools: resolvedCaps.tools,
-    supportsVision: resolvedCaps.vision,
-    supportsReasoning: resolvedModel?.capabilities.reasoning ?? false
+  const instanceCaps = provider.capabilities;
+  const useInstanceCaps = !resolvedModel && !!instanceCaps;
+  const modelCapabilities = resolvedCaps || useInstanceCaps ? {
+    maxContextTokens: (useInstanceCaps ? instanceCaps?.maxContext : resolvedCaps?.maxContext) || instanceCaps?.maxContext || 0,
+    supportsTools: useInstanceCaps ? !!instanceCaps?.tools : resolvedCaps?.tools ?? false,
+    supportsVision: useInstanceCaps ? !!instanceCaps?.vision : resolvedCaps?.vision ?? false,
+    supportsReasoning: resolvedModel?.capabilities.reasoning ?? instanceCaps?.reasoning ?? false
   } : void 0;
   return {
     kind: "ok",
@@ -27105,6 +28275,21 @@ async function main(argv) {
   } = ctx;
   const { updateInfo: refreshedUpdateInfo } = await runPreflight(config, updateInfo);
   updateInfo = refreshedUpdateInfo;
+  setOAuthTokenPersister((providerId, creds) => {
+    void mutateConfigProviders(wpaths.globalConfig, vault, (all) => {
+      const p = all[providerId];
+      if (!p) return;
+      const keys = normalizeKeys(p);
+      const active = p.activeKey ? keys.find((k) => k.label === p.activeKey) : keys[0];
+      if (!active) return;
+      active.apiKey = creds.accessToken;
+      active.refreshToken = creds.refreshToken;
+      active.expiresAt = new Date(creds.expiresAt).toISOString();
+      if (creds.accountId) active.accountId = creds.accountId;
+      writeKeysBack(p, keys);
+    }).catch(() => {
+    });
+  });
   const { events, container } = wireContainer({
     config,
     wpaths,
@@ -27168,6 +28353,7 @@ async function main(argv) {
     modePrompt,
     modelCapabilities,
     skillsEnabled: config.features.skills,
+    tokenSavingMode: config.features.tokenSavingMode,
     paths: {
       projectGoal: wpaths.projectGoal,
       projectSessions: wpaths.projectSessions
@@ -27594,7 +28780,10 @@ async function main(argv) {
     toolRegistry,
     events,
     log: logger,
-    lazyMode: normalizeTokenSavingTier(config.features.tokenSavingMode) !== "off"
+    lazyMode: normalizeTokenSavingTier(config.features.tokenSavingMode) !== "off",
+    // Lazy-connect (per-server `lazy`) needs a manifest cache to register tools
+    // cold; idle auto-sleep uses the default timeout.
+    cacheDir: wpaths.cacheDir
   });
   if (config.features.mcp) {
     for (const cfg of Object.values(config.mcpServers ?? {})) {
@@ -27996,12 +29185,24 @@ async function main(argv) {
   const setStatuslineHiddenItems = (items) => {
     currentHiddenItems = items;
   };
+  const ALL_STATUSLINE_KEYS = ["todos", "plan", "tasks", "fleet", "git", "elapsed", "context", "cost", "working_dir"];
+  const saveStatuslineHiddenItems = async (items) => {
+    currentHiddenItems = items;
+    const cfg = { ...DEFAULTS };
+    for (const k of ALL_STATUSLINE_KEYS) {
+      cfg[k] = !items.includes(k);
+    }
+    await saveStatuslineConfig(cfg);
+  };
   const agentsMonitorController = {
     visible: false,
     setVisible(visible) {
       this.visible = visible;
     }
   };
+  const onPanelOpen = {
+    current: null
+  };
   const autoPhaseHost = createAutoPhaseHost({
     multiAgentHost,
     getConfig: () => config,
@@ -28045,7 +29246,9 @@ async function main(argv) {
     statuslineConfig: statuslineConfigDeps,
     statuslineHiddenItems: [...currentHiddenItems],
     setStatuslineHiddenItems,
+    saveStatuslineHiddenItems,
     agentsMonitorController,
+    onPanelOpen,
     configStore,
     reader,
     brain,
@@ -28805,6 +30008,7 @@ Restart WrongStack to load or unload plugin code in this session.`;
     enhanceController,
     statuslineHiddenItems,
     setStatuslineHiddenItems,
+    saveStatuslineHiddenItems,
     getYolo: () => {
       const policy = container.resolve(TOKENS.PermissionPolicy);
       return policy.getYolo?.() ?? config.yolo ?? false;