agent-relay-server 0.16.0 → 0.18.0

package/src/db.ts

@@ -1,6 +1,8 @@
 import { Database } from "bun:sqlite";
 import { randomUUID } from "node:crypto";
+import { isRecord, stringValue } from "agent-relay-sdk";
 import { ORCHESTRATOR_PROTOCOL_VERSION, VERSION } from "./config.ts";
+import { parseJson } from "./utils";
 import {
   CONTRACT_REQUIREMENTS,
   contractCompatibility,
@@ -239,7 +241,8 @@ export function initDb(path: string = "agent-relay.db"): Database {
       payload TEXT NOT NULL DEFAULT '{}',
       meta TEXT NOT NULL DEFAULT '{}',
       read_by TEXT NOT NULL DEFAULT '[]',
-      created_at INTEGER NOT NULL
+      created_at INTEGER NOT NULL,
+      occurred_at INTEGER
     );
 
     CREATE INDEX IF NOT EXISTS idx_msg_to ON messages(to_target);
@@ -890,6 +893,11 @@ export function initDb(path: string = "agent-relay.db"): Database {
   if (!colNames.includes("resolved_to_agent")) {
     db.run("ALTER TABLE messages ADD COLUMN resolved_to_agent TEXT");
   }
+  // Event time (#196): when a Runner queues a message in its durable outbox during an
+  // outage, occurred_at preserves when it really happened vs. the later receive time.
+  if (!colNames.includes("occurred_at")) {
+    db.run("ALTER TABLE messages ADD COLUMN occurred_at INTEGER");
+  }
   db.query(
     "UPDATE messages SET claim_expires_at = coalesce(claimed_at, ?) + ? WHERE claimed_by IS NOT NULL AND claim_expires_at IS NULL",
   ).run(Date.now(), CLAIM_LEASE_MS);
@@ -1167,13 +1175,6 @@ export function getDb(): Database {
 export class ValidationError extends Error {}
 class ClaimError extends Error {}
 
-function parseJson<T>(raw: string, fallback: T): T {
-  try {
-    return JSON.parse(raw);
-  } catch {
-    return fallback;
-  }
-}
 
 function parseStringArray(raw: string): string[] {
   const parsed = parseJson<unknown>(raw, []);
@@ -1185,10 +1186,6 @@ function normalizeTags(tags: string[] | undefined): string[] {
   return [...new Set((tags ?? []).map((tag) => tag.trim()).filter(Boolean))];
 }
 
-function stringValue(value: unknown): string | undefined {
-  return typeof value === "string" && value.trim() ? value.trim() : undefined;
-}
-
 function inferAgentKind(input: Pick<RegisterAgentInput, "id" | "kind" | "tags" | "capabilities" | "meta">): AgentKind {
   if (input.kind) return input.kind;
   if (input.id === "user") return "user";
@@ -1308,6 +1305,7 @@ function rowToMessage(row: any): Message {
     reactions: parseJson(row.reactions_json ?? "[]", []),
     readBy: parseJson(row.read_by_agents ?? "[]", []),
     createdAt: row.created_at,
+    occurredAt: row.occurred_at ?? undefined,
   };
 }
 
@@ -2411,10 +2409,6 @@ function runtimeTokenJtisFromMeta(meta: Record<string, unknown>): string[] {
   return [...jtis];
 }
 
-function isRecord(value: unknown): value is Record<string, unknown> {
-  return Boolean(value) && typeof value === "object" && !Array.isArray(value);
-}
-
 // --- Tasks ---
 
 const TASK_SELECT = "SELECT * FROM tasks";
@@ -3680,6 +3674,16 @@ function findRecentDuplicateReply(input: SendMessageInput, threadId: number | nu
   return row ? rowToMessage(row) : null;
 }
 
+// Event time may be queued-then-backfilled, so it can legitimately be older than the
+// receive time — but it must be a sane epoch-ms value. Returns null (column stays NULL, so
+// readers fall back to created_at) for absent/invalid values or anything more than a minute
+// in the future (clock-skew guard). Only a real backfilled time is stored.
+function sanitizeOccurredAt(occurredAt: number | undefined, receivedAt: number): number | null {
+  if (typeof occurredAt !== "number" || !Number.isFinite(occurredAt)) return null;
+  if (occurredAt <= 0 || occurredAt > receivedAt + 60_000) return null;
+  return Math.floor(occurredAt);
+}
+
 export function sendMessageWithResult(input: SendMessageInput): { message: Message; created: boolean } {
   const now = Date.now();
   const payload = input.payload ?? {};
@@ -3710,12 +3714,12 @@ export function sendMessageWithResult(input: SendMessageInput): { message: Messa
     INSERT INTO messages (
       from_agent, to_target, kind, channel, subject, body, thread_id, reply_to, claimable,
       idempotency_key, delivery_status, queued_at, max_age_seconds, resolved_to_agent,
-      payload, meta, created_at
+      payload, meta, created_at, occurred_at
     )
     VALUES (
       $from, $to, $kind, $channel, $subject, $body, $threadId, $replyTo, $claimable,
       $idempotencyKey, $deliveryStatus, $queuedAt, $maxAgeSeconds, $resolvedToAgent,
-      $payload, $meta, $now
+      $payload, $meta, $now, $occurredAt
     )
   `);
   const setSelfThread = db.query("UPDATE messages SET thread_id = ? WHERE id = ?");
@@ -3756,6 +3760,8 @@ export function sendMessageWithResult(input: SendMessageInput): { message: Messa
       $payload: JSON.stringify(payload),
       $meta: JSON.stringify(input.meta ?? {}),
       $now: now,
+      // Sanitize: only accept a plausible epoch-ms event time, else fall back to receive time.
+      $occurredAt: sanitizeOccurredAt(input.occurredAt, now),
     });
     const newId = Number(result.lastInsertRowid);
     if (threadId === null) setSelfThread.run(newId, newId);
@@ -5222,6 +5228,18 @@ export function updateWorkspaceStatus(id: string, status: WorkspaceStatus, metad
   return getWorkspace(id);
 }
 
+// Repoint a workspace row at a recycled branch after a land-and-continue merge
+// (#206): the worktree switched to a fresh branch cut from the advanced base, so
+// the row must track the new branch (else the next merge command targets a branch
+// that no longer exists) and the new base sha. No-op if the row is gone.
+export function setWorkspaceBranch(id: string, branch: string, baseSha?: string): WorkspaceRecord | null {
+  const existing = getWorkspace(id);
+  if (!existing) return null;
+  db.query(`UPDATE workspaces SET branch = ?, base_sha = coalesce(?, base_sha), updated_at = ? WHERE id = ?`)
+    .run(branch, baseSha ?? null, Date.now(), id);
+  return getWorkspace(id);
+}
+
 // Workspace statuses that count as "live" for stewardship — an agent owning one
 // of these is a candidate steward; the repo is worth coordinating.
 const STEWARD_LIVE_STATUSES = "'active', 'ready', 'conflict', 'review_requested', 'merge_planned'";

package/src/index.ts

@@ -11,6 +11,7 @@ import { getCompactionWatch } from "./compaction-watch";
 import { getConfig, setConfig } from "./config-store";
 import { startConnectorStatusPoller } from "./connectors";
 import { resolve, sep } from "path";
+import { gzipSync, brotliCompressSync, constants as zlibConstants } from "node:zlib";
 import {
   VERSION,
 } from "./config";
@@ -264,8 +265,7 @@ export function createFetchHandler(
     }
     const file = Bun.file(resolved);
     if (await file.exists()) {
-      const headers = staticHeaders(requested);
-      return new Response(file, { headers });
+      return await serveStaticFile(req, resolved, requested, file);
     }
 
     return Response.json({ error: "not found" }, { status: 404 });
@@ -275,13 +275,108 @@ export function createFetchHandler(
   };
 }
 
+// In-memory compressed-variant cache, keyed by absolute path. Invalidated when
+// the file's mtime/size changes, so a rebuilt bundle is recompressed on next
+// request. The single-file dashboard bundle (~10 MB unminified) is served
+// uncompressed by Bun.serve otherwise; brotli/gzip cuts it ~6-7x on the wire,
+// which is the dominant cost over high-latency links. Further wins (minify,
+// code-split) tracked in #200 / #201.
+type CompressedVariant = { body: Uint8Array; encoding: "br" | "gzip" };
+const compressedCache = new Map<
+  string,
+  { mtimeMs: number; size: number; br?: Uint8Array; gzip?: Uint8Array }
+>();
+
+const COMPRESSIBLE = /\.(html|js|css|svg|json|webmanifest|map)$/;
+
+function isCompressible(pathname: string): boolean {
+  return pathname === "/" || pathname.endsWith("/") || COMPRESSIBLE.test(pathname);
+}
+
+function negotiateEncoding(req: Request): "br" | "gzip" | null {
+  const accept = req.headers.get("accept-encoding") ?? "";
+  if (/\bbr\b/.test(accept)) return "br";
+  if (/\bgzip\b/.test(accept)) return "gzip";
+  return null;
+}
+
+async function getCompressedVariant(
+  resolved: string,
+  mtimeMs: number,
+  size: number,
+  encoding: "br" | "gzip",
+  raw: () => Promise<Uint8Array>,
+): Promise<CompressedVariant> {
+  let entry = compressedCache.get(resolved);
+  if (!entry || entry.mtimeMs !== mtimeMs || entry.size !== size) {
+    entry = { mtimeMs, size };
+    compressedCache.set(resolved, entry);
+  }
+  const cached = entry[encoding];
+  if (cached) return { body: cached, encoding };
+  const data = await raw();
+  const body =
+    encoding === "br"
+      ? brotliCompressSync(data, {
+          params: {
+            // Quality 5 ~ near-gzip CPU, much better ratio; this runs once per
+            // file version then serves from cache, so cost is amortized away.
+            [zlibConstants.BROTLI_PARAM_QUALITY]: 5,
+            [zlibConstants.BROTLI_PARAM_SIZE_HINT]: data.byteLength,
+          },
+        })
+      : gzipSync(data, { level: 6 });
+  entry[encoding] = body;
+  return { body, encoding };
+}
+
+async function serveStaticFile(
+  req: Request,
+  resolved: string,
+  requested: string,
+  file: ReturnType<typeof Bun.file>,
+): Promise<Response> {
+  const stat = await file.stat();
+  const headers = staticHeaders(requested);
+  // Strong-ish validator from mtime + size; encoding-suffixed so a client never
+  // gets a 304 for a variant it didn't store.
+  const baseTag = `${stat.mtime.getTime().toString(36)}-${stat.size.toString(36)}`;
+
+  const encoding = isCompressible(requested) ? negotiateEncoding(req) : null;
+  const etag = `"${baseTag}${encoding ? `-${encoding}` : ""}"`;
+  headers.set("ETag", etag);
+  if (req.headers.get("if-none-match") === etag) {
+    return new Response(null, { status: 304, headers });
+  }
+
+  if (encoding) {
+    const { body } = await getCompressedVariant(
+      resolved,
+      stat.mtime.getTime(),
+      stat.size,
+      encoding,
+      () => file.bytes(),
+    );
+    headers.set("Content-Encoding", encoding);
+    headers.set("Vary", "Accept-Encoding");
+    headers.set("Content-Length", String(body.byteLength));
+    // Uint8Array is a valid BodyInit at runtime in Bun; the DOM lib types omit it.
+    return new Response(body as unknown as BodyInit, { headers });
+  }
+
+  return new Response(file, { headers });
+}
+
 function staticHeaders(pathname: string): Headers {
   const headers = new Headers();
   const contentType = staticContentType(pathname);
   if (contentType) headers.set("Content-Type", contentType);
-  if (pathname === "/sw.js") {
+  // The shell + PWA control files must always revalidate (ETag makes this a
+  // cheap 304 when unchanged). Hashing isn't available — viteSingleFile inlines
+  // everything into index.html — so no immutable long-cache assets exist.
+  if (pathname === "/sw.js" || pathname === "/manifest.webmanifest") {
     headers.set("Cache-Control", "no-cache");
-  } else if (pathname === "/manifest.webmanifest") {
+  } else if (pathname === "/" || pathname.endsWith("/") || pathname.endsWith(".html")) {
     headers.set("Cache-Control", "no-cache");
   }
   return headers;

package/src/lifecycle-manager.ts

@@ -1,5 +1,5 @@
-import { isAbsolute, relative, resolve } from "node:path";
 import { createCommand } from "./commands-db";
+import { isPathWithinBase } from "./utils";
 import { createActivityEvent, deleteWorkspace, getAgent, getDb, getOrchestrator, listOrchestrators, listWorkspaces, resolveQueuedPolicyMessages } from "./db";
 import {
   getManagedAgentState,
@@ -8,7 +8,9 @@ import {
   upsertManagedAgentState,
 } from "./config-store";
 import { emitRelayEvent } from "./events";
+import { emitCommandEvent } from "./command-events";
 import { buildManagedSpawnParams } from "./managed-policy";
+import { generateSpawnRequestId } from "./spawn-command";
 import type { Command, ManagedAgent, ManagedAgentState, ManagedSessionExitDiagnostics, SpawnPolicy } from "./types";
 
 const DEFAULT_TICK_MS = 10_000;
@@ -208,7 +210,7 @@ export class LifecycleManager {
       this.emitState(state);
       return null;
     }
-    const spawnRequestId = `sp_${crypto.randomUUID()}`;
+    const spawnRequestId = generateSpawnRequestId();
     const state = upsertManagedAgentState({
       policyName: policy.name,
       status: "starting",
@@ -230,7 +232,7 @@ export class LifecycleManager {
         reason,
       },
     });
-    this.emitCommand(command);
+    emitCommandEvent(command, "command.requested");
     return command;
   }
 
@@ -270,7 +272,7 @@ export class LifecycleManager {
         requestedAt: this.now(),
       },
     });
-    this.emitCommand(command);
+    emitCommandEvent(command, "command.requested");
     return command;
   }
 
@@ -278,7 +280,7 @@ export class LifecycleManager {
     const orch = getOrchestrator(policy.orchestratorId);
     if (!orch) return null;
     const state = getManagedAgentState(policy.name);
-    const restartRequestId = `sp_${crypto.randomUUID()}`;
+    const restartRequestId = generateSpawnRequestId();
     const restartSpawn = buildManagedSpawnParams(policy, restartRequestId, { createdBy: "lifecycle-manager", requestedAt: this.now() });
     const restarted = upsertManagedAgentState({
       policyName: policy.name,
@@ -314,7 +316,7 @@ export class LifecycleManager {
         requestedAt: this.now(),
       },
     });
-    this.emitCommand(command);
+    emitCommandEvent(command, "command.requested");
     return command;
   }
 
@@ -406,7 +408,7 @@ export class LifecycleManager {
         requestedAt: this.now(),
       },
     });
-    this.emitCommand(command);
+    emitCommandEvent(command, "command.requested");
     return command;
   }
 
@@ -564,15 +566,6 @@ export class LifecycleManager {
     });
   }
 
-  private emitCommand(command: Command): void {
-    emitRelayEvent({
-      type: "command.requested",
-      source: command.source,
-      subject: command.id,
-      data: { command },
-    });
-  }
-
   // When an agent disappears, its isolated worktrees would otherwise sit
   // `active` on disk forever. Dispatch a workspace.reconcile command to the
   // owning orchestrator, which probes the worktree and either removes it (no
@@ -593,7 +586,7 @@ export class LifecycleManager {
     const orchestrators = listOrchestrators();
     for (const ws of candidates) {
       const orch = orchestrators.find(
-        (candidate) => candidate.status === "online" && pathWithinBaseDir(ws.sourceCwd, candidate.baseDir),
+        (candidate) => candidate.status === "online" && isPathWithinBase(ws.sourceCwd, candidate.baseDir),
       );
       if (!orch) continue;
       const command = createCommand({
@@ -614,17 +607,11 @@ export class LifecycleManager {
           requestedAt: this.now(),
         },
       });
-      this.emitCommand(command);
+      emitCommandEvent(command, "command.requested");
     }
   }
 }
 
-function pathWithinBaseDir(path: string | undefined, baseDir: string | undefined): boolean {
-  if (!path || !baseDir) return false;
-  const rel = relative(resolve(baseDir), resolve(path));
-  return rel === "" || (!!rel && !rel.startsWith("..") && !isAbsolute(rel));
-}
-
 let singleton: LifecycleManager | null = null;
 
 export function getLifecycleManager(): LifecycleManager {

package/src/maintenance.ts

@@ -33,6 +33,8 @@ import {
 } from "./db";
 import type { WorkspaceMergePreview, WorkspaceRecord, WorkspaceStatus } from "./types";
 import { requestWorkspaceMerge } from "./workspace-merge";
+import { workspaceActiveClaim } from "./workspace-claim";
+import { RELAY_TOKEN_HEADER } from "agent-relay-sdk";
 import { getStewardConfig } from "./config-store";
 import { ensureRepoSteward } from "./steward";
 import { emitRelayEvent } from "./events";
@@ -392,7 +394,7 @@ const definitions: MaintenanceJobDefinition[] = [
   {
     id: "workspace-auto-merge",
     title: "Workspace auto-merge",
-    description: "Auto-merge clean fast-forward review_requested worktrees into base under the per-repo lease; conflicts and diverged bases are left for the steward.",
+    description: "Auto-merge any non-conflicting review_requested worktree into base under the per-repo lease (rebasing when the base moved on); only real or unknown conflicts are left for the steward.",
     intervalMs: WORKSPACE_AUTO_MERGE_INTERVAL_MS,
     runOnStart: false,
     timeoutMs: 60 * 1000,
@@ -421,7 +423,7 @@ async function fetchHostMergePreview(apiUrl: string, workspace: WorkspaceRecord)
   if (workspace.baseSha) query.set("baseSha", workspace.baseSha);
   const headers: Record<string, string> = {};
   const token = process.env.AGENT_RELAY_TOKEN;
-  if (token) headers["X-Agent-Relay-Token"] = token;
+  if (token) headers[RELAY_TOKEN_HEADER] = token;
   try {
     const res = await fetch(`${apiUrl}/api/workspace/merge-preview?${query.toString()}`, { headers, signal: AbortSignal.timeout(8_000) });
     if (!res.ok) return null;
@@ -535,7 +537,7 @@ function wakeRepoSteward(ws: WorkspaceRecord, reason: string): string | null {
       to: `policy:${policyName}`,
       kind: "system",
       subject: `Steward: ${ws.status} workspace needs attention`,
-      body: `Workspace \`${ws.branch ?? ws.id}\` in ${ws.repoRoot} is ${ws.status} and could not auto-land (${reason}). cd into ${ws.worktreePath}, rebase onto ${ws.baseRef ?? "base"}, resolve, run checks, then land it via POST /api/workspaces/${ws.id}/actions {"action":"merge","strategy":"rebase-ff"} — or escalate if you can't.`,
+      body: `Workspace \`${ws.branch ?? ws.id}\` (id ${ws.id}) in ${ws.repoRoot} is ${ws.status} and could not auto-land (${reason}). Claim it first so auto-merge yields: \`agent-relay workspace claim --id ${ws.id} --purpose steward\`. Inspect: \`agent-relay steward inspect ${ws.id}\`. Then cd into ${ws.worktreePath}, rebase onto ${ws.baseRef ?? "base"}, resolve, run checks, and land: \`agent-relay workspace land --id ${ws.id} --strategy rebase-ff\` — or \`agent-relay workspace release --id ${ws.id}\` and escalate if you can't.`,
       payload: { kind: "workspace.steward-task", workspaceId: ws.id, repoRoot: ws.repoRoot, worktreePath: ws.worktreePath, branch: ws.branch, baseRef: ws.baseRef, status: ws.status, reason },
     });
     emitNewMessage(msg);
@@ -655,14 +657,12 @@ async function scanWorkspaceConflicts(): Promise<Record<string, unknown>> {
   return { scanned: candidates.length, flagged, cleared, merged, notifiedStewards };
 }
 
-// Deterministic auto-land (Layer 0, issue #167). Walk the "ready to land" queue
-// (`review_requested` isolated worktrees) and, for any whose work is a strict
-// clean fast-forward (no conflict, base hasn't moved, real commits ahead), land
-// it via the shared merge helper — the same lease-serialized path the merge route
-// uses. Conflicts and diverged bases (`behind>0`, even if cleanly rebasable) are
-// deliberately left for the steward (a human or, later, the managed steward
-// agent): per the chosen "Clean FF immediate" gate, anything needing a rebase or
-// conflict reasoning is not auto-landed. No agent in the loop for the easy case.
+// Deterministic auto-land (Layer 0, issue #167 / #207). Walk the "ready to land"
+// queue (`review_requested` isolated worktrees) and land any whose merge is
+// predicted conflict-free, via the shared lease-serialized merge helper — even
+// when the base moved on (behind>0): mergeRebaseFf rebases onto the current base
+// before fast-forwarding. Only a predicted conflict or an unknown merge state is
+// left for the steward; clean parallel work lands with no agent in the loop.
 async function autoMergeCleanFastForwards(): Promise<Record<string, unknown>> {
   if (process.env.AGENT_RELAY_WORKSPACE_AUTO_MERGE === "0") return { skipped: "disabled" };
   const orchestrators = listOrchestrators().filter((orch) => orch.status === "online" && orch.apiUrl);
@@ -674,10 +674,13 @@ async function autoMergeCleanFastForwards(): Promise<Record<string, unknown>> {
   const stewardEnabled = getStewardConfig().enabled;
   const merged: string[] = [];
   const heldByLease: string[] = [];
+  const heldByClaim: string[] = [];
   const leftForSteward: string[] = [];
   const wokeStewards: string[] = [];
 
   for (const ws of candidates) {
+    // A claimed workspace is being validated by a steward — don't race it (#208).
+    if (workspaceActiveClaim(ws)) { heldByClaim.push(ws.id); continue; }
     const orch = orchestrators.find((candidate) => workspacePathWithinBase(ws.sourceCwd, candidate.baseDir));
     if (!orch?.apiUrl) continue;
     const preview = await fetchHostMergePreview(orch.apiUrl, ws);
@@ -686,14 +689,17 @@ async function autoMergeCleanFastForwards(): Promise<Record<string, unknown>> {
     if (p.error || p.missing) continue;
 
     const ahead = p.unmergedAhead ?? p.ahead ?? 0;
-    const cleanFF = p.cleanFastForward === true && p.conflict !== true && (p.behind ?? 0) === 0 && ahead > 0;
-    if (!cleanFF) {
-      // Base moved on (behind>0) or conflict — needs reasoning/rebase, which is the
-      // steward's job. Wake the managed steward when enabled (cooldown-guarded);
-      // otherwise leave it for conflict-scan's legacy ping / human review.
+    const behind = p.behind ?? 0;
+    // Land anything that won't conflict — including a base that moved on (behind>0)
+    // but rebases cleanly. The merge-tree prediction already accounts for the moved
+    // base, and mergeRebaseFf rebases then aborts-to-conflict on a real replay
+    // conflict, so a too-optimistic prediction degrades safely to review_requested.
+    // Only a predicted conflict (true) or unknown state (undefined) goes to the steward.
+    const canLand = p.conflict === false && ahead > 0;
+    if (!canLand) {
       leftForSteward.push(ws.id);
       if (stewardEnabled) {
-        const woke = wakeRepoSteward(ws, (p.behind ?? 0) > 0 ? "base moved on (behind>0)" : "conflict");
+        const woke = wakeRepoSteward(ws, p.conflict === true ? "conflict" : "merge state unknown");
         if (woke) wokeStewards.push(woke);
       }
       continue;
@@ -710,8 +716,8 @@ async function autoMergeCleanFastForwards(): Promise<Record<string, unknown>> {
     createActivityEvent({
       clientId: `workspace-auto-merge-${ws.id}-${Date.now()}`,
       kind: "state",
-      title: "Workspace auto-merging (clean fast-forward)",
-      body: `${ws.branch ?? ws.id} → ${p.baseRef ?? "base"} (${ahead} ahead, clean)`,
+      title: behind > 0 ? "Workspace auto-merging (rebase)" : "Workspace auto-merging (clean fast-forward)",
+      body: `${ws.branch ?? ws.id} → ${p.baseRef ?? "base"} (${ahead} ahead${behind > 0 ? `, ${behind} behind — rebasing` : ", clean"})`,
       meta: ws.branch ?? ws.id,
       icon: "ti-git-merge",
       view: "orchestrators",
@@ -719,7 +725,7 @@ async function autoMergeCleanFastForwards(): Promise<Record<string, unknown>> {
     });
   }
 
-  return { scanned: candidates.length, merged, heldByLease, leftForSteward, wokeStewards };
+  return { scanned: candidates.length, merged, heldByLease, heldByClaim, leftForSteward, wokeStewards };
 }
 
 // Send a system DM, swallowing failures (a stale/missing/misconfigured target

package/src/managed-policy.ts

@@ -1,6 +1,6 @@
-import { resolveProviderSelection } from "agent-relay-sdk/provider-catalog";
 import { getAgentProfile } from "./config-store";
 import { runnerRuntimeTokenEnv } from "./runtime-tokens";
+import { buildSpawnCommand, resolveSpawnModelParams } from "./spawn-command";
 import type { SpawnPolicy, WorkspaceMode } from "./types";
 
 export function managedPolicyProviderArgs(policy: SpawnPolicy): string[] {
@@ -20,23 +20,6 @@ export function effectiveManagedPolicyWorkspaceMode(policy: SpawnPolicy): Worksp
   return policy.binding?.type === "channel" ? "shared" : "inherit";
 }
 
-function resolvedModelParams(policy: SpawnPolicy): Record<string, string> {
-  if (!policy.model && !policy.effort) return {};
-  try {
-    const selection = resolveProviderSelection({ provider: policy.provider, model: policy.model, effort: policy.effort });
-    return {
-      ...(selection.modelAlias ? { model: selection.modelAlias } : {}),
-      ...(selection.providerModel ? { providerModel: selection.providerModel } : {}),
-      ...(selection.effort ? { effort: selection.effort } : {}),
-    };
-  } catch {
-    return {
-      ...(policy.model ? { model: policy.model } : {}),
-      ...(policy.effort ? { effort: policy.effort } : {}),
-    };
-  }
-}
-
 export interface ManagedSpawnContext {
   createdBy: string;
   requestedAt?: number;
@@ -46,22 +29,21 @@ export function buildManagedSpawnParams(policy: SpawnPolicy, requestId: string,
   const providerArgs = managedPolicyProviderArgs(policy);
   const prompt = managedPolicyLaunchPrompt(policy);
   const agentProfile = policy.profile ? getAgentProfile(policy.profile)?.value : undefined;
-  return {
-    action: "spawn",
+  return buildSpawnCommand({
     provider: policy.provider,
     cwd: policy.cwd,
     workspaceMode: effectiveManagedPolicyWorkspaceMode(policy),
-    ...(policy.rig ? { rig: policy.rig } : {}),
-    ...resolvedModelParams(policy),
-    ...(policy.profile ? { profile: policy.profile } : {}),
-    ...(agentProfile ? { agentProfile } : {}),
+    rig: policy.rig || undefined,
+    modelParams: resolveSpawnModelParams(policy.provider, policy.model, policy.effort, { onError: "passthrough", skipDefaultWhenEmpty: true }),
+    profile: policy.profile || undefined,
+    agentProfile,
     label: policy.label,
     tags: policy.tags,
     capabilities: policy.capabilities,
     approvalMode: policy.permissionMode,
     permissionMode: policy.permissionMode,
     providerArgs,
-    ...(prompt ? { prompt } : {}),
+    prompt: prompt || undefined,
     headless: true,
     policyName: policy.name,
     spawnRequestId: requestId,
@@ -76,5 +58,5 @@ export function buildManagedSpawnParams(policy: SpawnPolicy, requestId: string,
     }),
     requestedBy: ctx.createdBy,
     requestedAt: ctx.requestedAt ?? Date.now(),
-  };
+  });
 }