agor-live 0.17.2 → 0.17.3

package/dist/core/config/index.cjs

@@ -421,6 +421,9 @@ function loadConfigSync() {
     );
   }
 }
+function isConfigCredentialKey(key) {
+  return CONFIG_CREDENTIAL_KEYS.has(key);
+}
 function getCredential(key) {
   try {
     const config = loadConfigSync();
@@ -516,7 +519,7 @@ async function getReposDirAsync() {
 async function getWorktreesDirAsync() {
   return import_node_path.default.join(await getDataHomeAsync(), "worktrees");
 }
-var import_node_fs2, import_promises, import_node_os, import_node_path, import_js_yaml2, PublicBaseUrlNotConfiguredError;
+var import_node_fs2, import_promises, import_node_os, import_node_path, import_js_yaml2, PublicBaseUrlNotConfiguredError, CONFIG_CREDENTIAL_KEYS;
 var init_config_manager = __esm({
   "src/config/config-manager.ts"() {
     "use strict";
@@ -534,6 +537,13 @@ var init_config_manager = __esm({
         this.name = "PublicBaseUrlNotConfiguredError";
       }
     };
+    CONFIG_CREDENTIAL_KEYS = /* @__PURE__ */ new Set([
+      "ANTHROPIC_API_KEY",
+      "ANTHROPIC_AUTH_TOKEN",
+      "ANTHROPIC_BASE_URL",
+      "OPENAI_API_KEY",
+      "GEMINI_API_KEY"
+    ]);
   }
 });
 
@@ -993,6 +1003,7 @@ var init_schema_postgres = __esm({
         completed_at: t.timestamp("completed_at"),
         status: (0, import_pg_core.text)("status", {
           enum: [
+            "queued",
             "created",
             "running",
             "stopping",
@@ -1004,6 +1015,8 @@ var init_schema_postgres = __esm({
             "stopped"
           ]
         }).notNull(),
+        // Queue position (lower drains first); only populated for status='queued'
+        queue_position: (0, import_pg_core.integer)("queue_position"),
         // User attribution
         created_by: (0, import_pg_core.varchar)("created_by", { length: 36 }).notNull().default("anonymous"),
         // MD5 of SDK session file at task completion (only populated when stateless_fs_mode is enabled)
@@ -1013,7 +1026,12 @@ var init_schema_postgres = __esm({
       (table) => ({
         sessionIdx: (0, import_pg_core.index)("tasks_session_idx").on(table.session_id),
         statusIdx: (0, import_pg_core.index)("tasks_status_idx").on(table.status),
-        createdIdx: (0, import_pg_core.index)("tasks_created_idx").on(table.created_at)
+        createdIdx: (0, import_pg_core.index)("tasks_created_idx").on(table.created_at),
+        queueIdx: (0, import_pg_core.index)("tasks_queue_idx").on(table.session_id, table.status, table.queue_position),
+        // Partial unique index — defense-in-depth for `tasks.createPending` race
+        // serialization. Only QUEUED rows are constrained; CREATED/RUNNING/done
+        // rows have NULL queue_position and are unaffected.
+        queuedPositionUnique: (0, import_pg_core.uniqueIndex)("tasks_queued_position_unique").on(table.session_id, table.queue_position).where(import_drizzle_orm2.sql`${table.status} = 'queued'`)
       })
     );
     serializedSessions = (0, import_pg_core.pgTable)(
@@ -1073,11 +1091,9 @@ var init_schema_postgres = __esm({
         // First 200 chars for list views
         // Parent tool use ID (for nested tool calls - e.g., Task tool spawning Read/Grep)
         parent_tool_use_id: (0, import_pg_core.text)("parent_tool_use_id"),
-        // Message queueing fields
-        status: (0, import_pg_core.text)("status", { enum: ["queued"] }),
-        // 'queued' or null (normal message)
-        queue_position: (0, import_pg_core.integer)("queue_position"),
-        // Position in queue (1, 2, 3, ...)
+        // NOTE: queueing moved off `messages` and onto `tasks.status='queued'` as
+        // of migration sqlite/0040 (postgres/0030). The legacy `status` and
+        // `queue_position` columns are gone — see `tasks.queue_position` instead.
         // Full data (JSON blob)
         data: t.json("data").$type().notNull()
       },
@@ -1085,8 +1101,7 @@ var init_schema_postgres = __esm({
         // Indexes for efficient lookups
         sessionIdx: (0, import_pg_core.index)("messages_session_id_idx").on(table.session_id),
         taskIdx: (0, import_pg_core.index)("messages_task_id_idx").on(table.task_id),
-        sessionIndexIdx: (0, import_pg_core.index)("messages_session_index_idx").on(table.session_id, table.index),
-        queueIdx: (0, import_pg_core.index)("messages_queue_idx").on(table.session_id, table.status, table.queue_position)
+        sessionIndexIdx: (0, import_pg_core.index)("messages_session_index_idx").on(table.session_id, table.index)
       })
     );
     boards = (0, import_pg_core.pgTable)(
@@ -1723,6 +1738,7 @@ var init_schema_sqlite = __esm({
         completed_at: t2.timestamp("completed_at"),
         status: (0, import_sqlite_core.text)("status", {
           enum: [
+            "queued",
             "created",
             "running",
             "stopping",
@@ -1734,6 +1750,8 @@ var init_schema_sqlite = __esm({
             "stopped"
           ]
         }).notNull(),
+        // Queue position (lower drains first); only populated for status='queued'
+        queue_position: (0, import_sqlite_core.integer)("queue_position"),
         // User attribution
         created_by: (0, import_sqlite_core.text)("created_by", { length: 36 }).notNull().default("anonymous"),
         // MD5 of SDK session file at task completion (only populated when stateless_fs_mode is enabled)
@@ -1743,7 +1761,12 @@ var init_schema_sqlite = __esm({
       (table) => ({
         sessionIdx: (0, import_sqlite_core.index)("tasks_session_idx").on(table.session_id),
         statusIdx: (0, import_sqlite_core.index)("tasks_status_idx").on(table.status),
-        createdIdx: (0, import_sqlite_core.index)("tasks_created_idx").on(table.created_at)
+        createdIdx: (0, import_sqlite_core.index)("tasks_created_idx").on(table.created_at),
+        queueIdx: (0, import_sqlite_core.index)("tasks_queue_idx").on(table.session_id, table.status, table.queue_position),
+        // Partial unique index — defense-in-depth for `tasks.createPending` race
+        // serialization. Only QUEUED rows are constrained; CREATED/RUNNING/done
+        // rows have NULL queue_position and are unaffected.
+        queuedPositionUnique: (0, import_sqlite_core.uniqueIndex)("tasks_queued_position_unique").on(table.session_id, table.queue_position).where(import_drizzle_orm3.sql`${table.status} = 'queued'`)
       })
     );
     serializedSessions2 = (0, import_sqlite_core.sqliteTable)(
@@ -1803,11 +1826,9 @@ var init_schema_sqlite = __esm({
         // First 200 chars for list views
         // Parent tool use ID (for nested tool calls - e.g., Task tool spawning Read/Grep)
         parent_tool_use_id: (0, import_sqlite_core.text)("parent_tool_use_id"),
-        // Message queueing fields
-        status: (0, import_sqlite_core.text)("status", { enum: ["queued"] }),
-        // 'queued' or null (normal message)
-        queue_position: (0, import_sqlite_core.integer)("queue_position"),
-        // Position in queue (1, 2, 3, ...)
+        // NOTE: queueing moved off `messages` and onto `tasks.status='queued'` as
+        // of migration sqlite/0040 (postgres/0030). The legacy `status` and
+        // `queue_position` columns are gone — see `tasks.queue_position` instead.
         // Full data (JSON blob)
         data: t2.json("data").$type().notNull()
       },
@@ -1815,8 +1836,7 @@ var init_schema_sqlite = __esm({
         // Indexes for efficient lookups
         sessionIdx: (0, import_sqlite_core.index)("messages_session_id_idx").on(table.session_id),
         taskIdx: (0, import_sqlite_core.index)("messages_task_id_idx").on(table.task_id),
-        sessionIndexIdx: (0, import_sqlite_core.index)("messages_session_index_idx").on(table.session_id, table.index),
-        queueIdx: (0, import_sqlite_core.index)("messages_queue_idx").on(table.session_id, table.status, table.queue_position)
+        sessionIndexIdx: (0, import_sqlite_core.index)("messages_session_index_idx").on(table.session_id, table.index)
       })
     );
     boards2 = (0, import_sqlite_core.sqliteTable)(
@@ -2486,6 +2506,7 @@ __export(config_exports, {
   getWorktreesDir: () => getWorktreesDir,
   getWorktreesDirAsync: () => getWorktreesDirAsync,
   initConfig: () => initConfig,
+  isConfigCredentialKey: () => isConfigCredentialKey,
   isEnvVarAllowed: () => isEnvVarAllowed,
   isUnixImpersonationEnabled: () => isUnixImpersonationEnabled,
   isValid: () => isValid,
@@ -3147,6 +3168,7 @@ var ALLOWED_ENV_VARS = /* @__PURE__ */ new Set([
   "ANTHROPIC_BASE_URL",
   "ANTHROPIC_AUTH_TOKEN",
   "OPENAI_API_KEY",
+  "OPENAI_BASE_URL",
   "GEMINI_API_KEY",
   "GOOGLE_API_KEY",
   // Vertex AI (Claude Code on GCP)
@@ -3187,7 +3209,7 @@ var AGOR_INTERNAL_ENV_VARS = /* @__PURE__ */ new Set([
 ]);
 async function resolveUserEnvironment(userId, db, options = {}) {
   const env = {};
-  const { sessionId } = options;
+  const { sessionId, tool } = options;
   try {
     const row = await select(db).from(users3).where((0, import_drizzle_orm5.eq)(users3.user_id, userId)).one();
     if (row) {
@@ -3221,16 +3243,22 @@ async function resolveUserEnvironment(userId, db, options = {}) {
           console.error(`Failed to decrypt env var ${key} for user ${userId}:`, err);
         }
       }
-      const encryptedApiKeys = data.api_keys;
-      if (encryptedApiKeys) {
-        for (const [key, encryptedValue] of Object.entries(encryptedApiKeys)) {
-          try {
-            const decryptedValue = decryptApiKey(encryptedValue);
-            if (decryptedValue && decryptedValue.trim() !== "") {
-              env[key] = decryptedValue;
+      if (tool) {
+        const toolFields = data.agentic_tools?.[tool];
+        if (toolFields) {
+          for (const [key, encryptedValue] of Object.entries(toolFields)) {
+            if (!encryptedValue) continue;
+            try {
+              const decryptedValue = decryptApiKey(encryptedValue);
+              if (decryptedValue && decryptedValue.trim() !== "") {
+                env[key] = decryptedValue;
+              }
+            } catch (err) {
+              console.error(
+                `Failed to decrypt agentic_tools.${tool}.${key} for user ${userId}:`,
+                err
+              );
             }
-          } catch (err) {
-            console.error(`Failed to decrypt API key ${key} for user ${userId}:`, err);
           }
         }
       }
@@ -3268,7 +3296,7 @@ function buildAllowlistedEnv() {
   }
   return env;
 }
-async function createUserProcessEnvironment(userId, db, additionalEnv, forImpersonation = false, gatewayEnv, sessionId) {
+async function createUserProcessEnvironment(userId, db, additionalEnv, forImpersonation = false, gatewayEnv, sessionId, tool) {
   const env = buildAllowlistedEnv();
   const USER_IDENTITY_VARS = ["HOME", "USER", "LOGNAME", "SHELL"];
   if (forImpersonation) {
@@ -3286,7 +3314,7 @@ async function createUserProcessEnvironment(userId, db, additionalEnv, forImpers
     }
   }
   if (userId && db) {
-    const userEnv = await resolveUserEnvironment(userId, db, { sessionId });
+    const userEnv = await resolveUserEnvironment(userId, db, { sessionId, tool });
     for (const [key, value] of Object.entries(userEnv)) {
       if (value && value.trim() !== "") {
         env[key] = value;
@@ -3607,6 +3635,7 @@ init_schema();
 
 // src/db/repositories/users.ts
 init_cjs_shims();
+init_types();
 var import_drizzle_orm24 = require("drizzle-orm");
 init_ids();
 init_database_wrapper();
@@ -3652,7 +3681,18 @@ async function resolveApiKey(keyName, context = {}) {
     const row = await select(context.db).from(users3).where((0, import_drizzle_orm27.eq)(users3.user_id, context.userId)).one();
     if (row) {
       const data = row.data;
-      const encryptedKey = data.api_keys?.[keyName];
+      let encryptedKey;
+      const tools = data.agentic_tools ?? {};
+      if (context.tool) {
+        encryptedKey = tools[context.tool]?.[keyName];
+      } else {
+        for (const fields of Object.values(tools)) {
+          if (fields?.[keyName]) {
+            encryptedKey = fields[keyName];
+            break;
+          }
+        }
+      }
       if (encryptedKey) {
         try {
           const decryptedKey = decryptApiKey(encryptedKey);
@@ -3677,12 +3717,13 @@ async function resolveApiKey(keyName, context = {}) {
   } else if (!context.db) {
     console.log(`   \u2192 Skipping user-level check (no database connection)`);
   }
-  console.log(`   \u2192 Checking app-level configuration (config.yaml)...`);
-  const globalKey = getCredential(keyName);
-  if (globalKey && globalKey.length > 0) {
-    console.log(`   \u2713 Found app-level API key for ${keyName} (from config.yaml)`);
-    return { apiKey: globalKey, source: "config", useNativeAuth: false };
-  } else {
+  if (isConfigCredentialKey(keyName)) {
+    console.log(`   \u2192 Checking app-level configuration (config.yaml)...`);
+    const globalKey = getCredential(keyName);
+    if (globalKey && globalKey.length > 0) {
+      console.log(`   \u2713 Found app-level API key for ${keyName} (from config.yaml)`);
+      return { apiKey: globalKey, source: "config", useNativeAuth: false };
+    }
     console.log(`   \u2717 No app-level API key for ${keyName}`);
   }
   console.log(`   \u2192 Checking OS-level environment variables...`);
@@ -3690,16 +3731,17 @@ async function resolveApiKey(keyName, context = {}) {
   if (envKey && envKey.length > 0) {
     console.log(`   \u2713 Found OS-level environment variable ${keyName}`);
     return { apiKey: envKey, source: "env", useNativeAuth: false };
-  } else {
-    console.log(`   \u2717 No OS-level environment variable ${keyName}`);
   }
+  console.log(`   \u2717 No OS-level environment variable ${keyName}`);
   console.log(`   \u2139\uFE0F  No API key found for ${keyName} - SDK will use native authentication`);
   return { apiKey: void 0, source: "none", useNativeAuth: true };
 }
 function resolveApiKeySync(keyName) {
-  const globalKey = getCredential(keyName);
-  if (globalKey && globalKey.length > 0) {
-    return { apiKey: globalKey, source: "config", useNativeAuth: false };
+  if (isConfigCredentialKey(keyName)) {
+    const globalKey = getCredential(keyName);
+    if (globalKey && globalKey.length > 0) {
+      return { apiKey: globalKey, source: "config", useNativeAuth: false };
+    }
   }
   const envKey = process.env[keyName];
   if (envKey && envKey.length > 0) {
@@ -4299,6 +4341,7 @@ var CredentialKey = /* @__PURE__ */ ((CredentialKey2) => {
   getWorktreesDir,
   getWorktreesDirAsync,
   initConfig,
+  isConfigCredentialKey,
   isEnvVarAllowed,
   isUnixImpersonationEnabled,
   isValid,

package/dist/core/config/index.d.cts

@@ -1,25 +1,25 @@
 import { b as RepoEnvironment, d as RepoEnvironmentConfigV1 } from '../repo-Ckl-vaAk.cjs';
-export { P as PublicBaseUrlNotConfiguredError, e as ensureCodexHome, a as expandHomePath, g as getAgorHome, b as getBaseUrl, c as getConfigPath, d as getConfigValue, f as getCredential, h as getDaemonUrl, i as getDaemonUser, j as getDataHome, k as getDataHomeAsync, l as getDefaultConfig, m as getReposDir, n as getReposDirAsync, o as getWorktreePath, p as getWorktreesDir, q as getWorktreesDirAsync, r as initConfig, s as isUnixImpersonationEnabled, t as isWorktreeRbacEnabled, u as loadConfig, v as loadConfigFromFile, w as loadConfigSync, x as requireDaemonUser, y as requirePublicBaseUrl, z as resolveCodexHome, A as saveConfig, B as setConfigValue, C as unsetConfigValue } from '../config-manager-TxxjFMRd.cjs';
+export { C as ConfigCredentialKey, P as PublicBaseUrlNotConfiguredError, e as ensureCodexHome, a as expandHomePath, g as getAgorHome, b as getBaseUrl, c as getConfigPath, d as getConfigValue, f as getCredential, h as getDaemonUrl, i as getDaemonUser, j as getDataHome, k as getDataHomeAsync, l as getDefaultConfig, m as getReposDir, n as getReposDirAsync, o as getWorktreePath, p as getWorktreesDir, q as getWorktreesDirAsync, r as initConfig, s as isConfigCredentialKey, t as isUnixImpersonationEnabled, u as isWorktreeRbacEnabled, v as loadConfig, w as loadConfigFromFile, x as loadConfigSync, y as requireDaemonUser, z as requirePublicBaseUrl, A as resolveCodexHome, B as saveConfig, D as setConfigValue, E as unsetConfigValue } from '../config-manager-B8TP9Kz0.cjs';
 export { AgorYmlSchema, DAEMON, DATABASE, ENVIRONMENT, GIT, MCP_TOKEN, PAGINATION, REPO_SLUG_PATTERN, RepoReference, RepoReferenceOption, SESSION, WEBSOCKET, YamlVariant, extractSlugFromUrl, formatRepoReference, getDefaultRepoReference, getGroupedRepoReferenceOptions, getRepoReferenceOptions, isValidGitUrl, isValidSlug, normalizeRepoUrl, parseAgorYmlString, parseRepoReference, resolveRepoReference, resolveVariant, resolveVariantOrThrow, validateAgorYmlSchema, validateExtends, validateRepoEnvironment } from './browser.cjs';
-import { j as Database } from '../client-B5PyIvNc.cjs';
+import { j as Database } from '../client-CemqXk0v.cjs';
 import { f as UserID, S as SessionID } from '../id-CoIbY_uc.cjs';
-import { c as GatewayEnvVar } from '../gateway-BnOlAelY.cjs';
-import { e as EnvVarScope } from '../user-DkNdeFoz.cjs';
+import { c as AgenticToolName } from '../agentic-tool-BulhIUGb.cjs';
+import { c as GatewayEnvVar } from '../gateway-BWq4j_Ll.cjs';
+import { n as EnvVarScope } from '../user-CpfkcV2C.cjs';
 import { z } from 'zod';
-import { b as AgorCorsMode, e as AgorCspDirectives, a as AgorConfig } from '../types-DNqfdt1z.cjs';
-export { A as AgorCodexSettings, c as AgorCorsSettings, d as AgorCredentials, f as AgorCspSettings, g as AgorDaemonSettings, h as AgorDatabaseSettings, i as AgorDefaults, j as AgorDisplaySettings, k as AgorExecutionSettings, l as AgorOnboardingSettings, m as AgorOpenCodeSettings, n as AgorPathSettings, o as AgorSecuritySettings, p as AgorUISettings, q as AgorWorktreesSettings, C as ConfigKey, r as CredentialKey, M as ManagedEnvsMinimumRole, U as UnixUserMode, s as UnknownJson } from '../types-DNqfdt1z.cjs';
+import { b as AgorCorsMode, e as AgorCspDirectives, a as AgorConfig } from '../types-D4Rl6ZKN.cjs';
+export { A as AgorCodexSettings, c as AgorCorsSettings, d as AgorCredentials, f as AgorCspSettings, g as AgorDaemonSettings, h as AgorDatabaseSettings, i as AgorDefaults, j as AgorDisplaySettings, k as AgorExecutionSettings, l as AgorOnboardingSettings, m as AgorOpenCodeSettings, n as AgorPathSettings, o as AgorSecuritySettings, p as AgorUISettings, q as AgorWorktreesSettings, C as ConfigKey, r as CredentialKey, M as ManagedEnvsMinimumRole, U as UnixUserMode, s as UnknownJson } from '../types-D4Rl6ZKN.cjs';
 import 'drizzle-orm/libsql';
 import 'drizzle-orm/postgres-js';
 import 'drizzle-orm';
-import '../message-DinITA7a.cjs';
-import '../agentic-tool-BulhIUGb.cjs';
+import '../message-CSWOsdcZ.cjs';
 import '../board-D7SnPqp-.cjs';
 import '../session-MNU4BQv4.cjs';
 import '../context-BpkCELpO.cjs';
-import '../task-wht1RJEL.cjs';
+import '../task-C2Hy7H6u.cjs';
 import 'drizzle-orm/pg-core';
 import 'drizzle-orm/sqlite-core';
-import '../config-services-YEZ4DwCD.cjs';
+import '../config-services-CXyQKEK5.cjs';
 
 /**
  * `.agor.yml` file I/O.
@@ -178,16 +178,34 @@ interface ResolveUserEnvOptions {
      * contexts without a session — e.g. worktree-level terminals).
      */
     sessionId?: SessionID;
+    /**
+     * If set, the user's per-tool credentials for THIS tool are merged into the
+     * resolved env (e.g. claude-code → ANTHROPIC_API_KEY, ANTHROPIC_BASE_URL).
+     * Other tools' credentials are NEVER merged regardless of value.
+     *
+     * If omitted, NO per-tool credentials are merged — safe default for
+     * worktree-level terminals and other contexts that don't run an SDK.
+     */
+    tool?: AgenticToolName;
 }
 /**
- * Resolve user environment variables (decrypted from database, no system env vars)
- * Includes both env_vars and api_keys from user data.
+ * Resolve user environment variables (decrypted from database, no system env vars).
+ *
+ * Includes:
+ *   - User-defined env vars from `data.env_vars` (scope-filtered)
+ *   - If `options.tool` is set, the matching tool's credentials from
+ *     `data.agentic_tools[tool]` (e.g. claude-code → ANTHROPIC_API_KEY +
+ *     ANTHROPIC_BASE_URL). Other tools' credentials are NEVER merged.
  *
- * Scope filtering (v0.5):
+ * Precedence (later wins): tool credentials > user env vars. This matches the
+ * UX intent: per-tool config screens are the explicit, "this is the credential
+ * I want for this SDK" surface; global env vars are the fallback. The caller
+ * (`createUserProcessEnvironment`) layers config.yaml/system env underneath.
+ *
+ * Scope filtering on env_vars (v0.5):
  *   - `scope: 'global'` → always included
  *   - `scope: 'session'` → only included if `options.sessionId` is provided
- *     AND the var name has an entry in `session_env_selections` for that
- *     session.
+ *     AND the var name has an entry in `session_env_selections` for that session.
  *   - Any other scope value (reserved for v1+) is skipped.
  *
  * Legacy entries (plain-string values on disk) are treated as global-scope.
@@ -257,7 +275,14 @@ gatewayEnv?: GatewayEnvVar[],
  * If provided, session-scope env vars selected for this session are
  * included in the user env. Session-scope vars are otherwise excluded.
  */
-sessionId?: SessionID): Promise<Record<string, string>>;
+sessionId?: SessionID, 
+/**
+ * If provided, the user's per-tool credentials for THIS tool are merged
+ * into the environment (e.g. claude-code → ANTHROPIC_*). Other tools'
+ * credentials are NEVER merged. Omit for non-SDK contexts (worktree
+ * terminals, generic background jobs).
+ */
+tool?: AgenticToolName): Promise<Record<string, string>>;
 
 /**
  * Validation constraints for environment variables
@@ -348,12 +373,29 @@ declare function normalizeStoredEnvVar(raw: RawStoredEnvVar): StoredEnvVar;
  */
 declare function normalizeStoredEnvMap(raw: Record<string, RawStoredEnvVar> | undefined): Record<string, StoredEnvVar>;
 
-type ApiKeyName = 'ANTHROPIC_API_KEY' | 'OPENAI_API_KEY' | 'GEMINI_API_KEY';
+/**
+ * The set of credential env-var names the resolver knows how to look up at the
+ * per-user (`agentic_tools[tool][keyName]`), config.yaml, and OS-env layers.
+ *
+ * Kept as an explicit union (rather than `string`) so callers can't accidentally
+ * ask the resolver for an unrelated env var like `PATH` or `AGOR_MASTER_SECRET`.
+ * Add new entries here when a tool's per-tool field config grows.
+ */
+type ApiKeyName = 'ANTHROPIC_API_KEY' | 'ANTHROPIC_AUTH_TOKEN' | 'CLAUDE_CODE_OAUTH_TOKEN' | 'OPENAI_API_KEY' | 'GEMINI_API_KEY' | 'COPILOT_GITHUB_TOKEN';
 interface KeyResolutionContext {
     /** User ID for per-user key lookup */
     userId?: UserID;
     /** Database instance for user lookup */
     db?: Database;
+    /**
+     * Restrict the per-user lookup to a specific tool's credential bucket
+     * (`data.agentic_tools[tool][keyName]`). When omitted, the resolver sweeps
+     * every tool bucket — kept for back-compat with non-SDK callers (e.g. CLI).
+     *
+     * SDK executors should ALWAYS pass this so a Codex spawn never resolves a
+     * key stored under `agentic_tools['claude-code']`, and vice versa.
+     */
+    tool?: AgenticToolName;
 }
 /**
  * Result of API key resolution

package/dist/core/config/index.d.ts

@@ -1,25 +1,25 @@
 import { b as RepoEnvironment, d as RepoEnvironmentConfigV1 } from '../repo-84E0A2gV.js';
-export { P as PublicBaseUrlNotConfiguredError, e as ensureCodexHome, a as expandHomePath, g as getAgorHome, b as getBaseUrl, c as getConfigPath, d as getConfigValue, f as getCredential, h as getDaemonUrl, i as getDaemonUser, j as getDataHome, k as getDataHomeAsync, l as getDefaultConfig, m as getReposDir, n as getReposDirAsync, o as getWorktreePath, p as getWorktreesDir, q as getWorktreesDirAsync, r as initConfig, s as isUnixImpersonationEnabled, t as isWorktreeRbacEnabled, u as loadConfig, v as loadConfigFromFile, w as loadConfigSync, x as requireDaemonUser, y as requirePublicBaseUrl, z as resolveCodexHome, A as saveConfig, B as setConfigValue, C as unsetConfigValue } from '../config-manager-DTrsj6G3.js';
+export { C as ConfigCredentialKey, P as PublicBaseUrlNotConfiguredError, e as ensureCodexHome, a as expandHomePath, g as getAgorHome, b as getBaseUrl, c as getConfigPath, d as getConfigValue, f as getCredential, h as getDaemonUrl, i as getDaemonUser, j as getDataHome, k as getDataHomeAsync, l as getDefaultConfig, m as getReposDir, n as getReposDirAsync, o as getWorktreePath, p as getWorktreesDir, q as getWorktreesDirAsync, r as initConfig, s as isConfigCredentialKey, t as isUnixImpersonationEnabled, u as isWorktreeRbacEnabled, v as loadConfig, w as loadConfigFromFile, x as loadConfigSync, y as requireDaemonUser, z as requirePublicBaseUrl, A as resolveCodexHome, B as saveConfig, D as setConfigValue, E as unsetConfigValue } from '../config-manager-CDEB0FY4.js';
 export { AgorYmlSchema, DAEMON, DATABASE, ENVIRONMENT, GIT, MCP_TOKEN, PAGINATION, REPO_SLUG_PATTERN, RepoReference, RepoReferenceOption, SESSION, WEBSOCKET, YamlVariant, extractSlugFromUrl, formatRepoReference, getDefaultRepoReference, getGroupedRepoReferenceOptions, getRepoReferenceOptions, isValidGitUrl, isValidSlug, normalizeRepoUrl, parseAgorYmlString, parseRepoReference, resolveRepoReference, resolveVariant, resolveVariantOrThrow, validateAgorYmlSchema, validateExtends, validateRepoEnvironment } from './browser.js';
-import { j as Database } from '../client-C1CsRi19.js';
+import { j as Database } from '../client-uYEOha6g.js';
 import { f as UserID, S as SessionID } from '../id-CoIbY_uc.js';
-import { c as GatewayEnvVar } from '../gateway-B_4X-v07.js';
-import { e as EnvVarScope } from '../user-BfVWBmXA.js';
+import { c as AgenticToolName } from '../agentic-tool-cYqsU5i5.js';
+import { c as GatewayEnvVar } from '../gateway-C3Jm_akw.js';
+import { n as EnvVarScope } from '../user-DP-XZMIM.js';
 import { z } from 'zod';
-import { b as AgorCorsMode, e as AgorCspDirectives, a as AgorConfig } from '../types-DqPMmTad.js';
-export { A as AgorCodexSettings, c as AgorCorsSettings, d as AgorCredentials, f as AgorCspSettings, g as AgorDaemonSettings, h as AgorDatabaseSettings, i as AgorDefaults, j as AgorDisplaySettings, k as AgorExecutionSettings, l as AgorOnboardingSettings, m as AgorOpenCodeSettings, n as AgorPathSettings, o as AgorSecuritySettings, p as AgorUISettings, q as AgorWorktreesSettings, C as ConfigKey, r as CredentialKey, M as ManagedEnvsMinimumRole, U as UnixUserMode, s as UnknownJson } from '../types-DqPMmTad.js';
+import { b as AgorCorsMode, e as AgorCspDirectives, a as AgorConfig } from '../types-n61iaXub.js';
+export { A as AgorCodexSettings, c as AgorCorsSettings, d as AgorCredentials, f as AgorCspSettings, g as AgorDaemonSettings, h as AgorDatabaseSettings, i as AgorDefaults, j as AgorDisplaySettings, k as AgorExecutionSettings, l as AgorOnboardingSettings, m as AgorOpenCodeSettings, n as AgorPathSettings, o as AgorSecuritySettings, p as AgorUISettings, q as AgorWorktreesSettings, C as ConfigKey, r as CredentialKey, M as ManagedEnvsMinimumRole, U as UnixUserMode, s as UnknownJson } from '../types-n61iaXub.js';
 import 'drizzle-orm/libsql';
 import 'drizzle-orm/postgres-js';
 import 'drizzle-orm';
-import '../message-CHUUP6OS.js';
-import '../agentic-tool-cYqsU5i5.js';
+import '../message-DZa8g0s0.js';
 import '../board-D3YJ0_ih.js';
 import '../session-CAfhv1qL.js';
 import '../context-BpkCELpO.js';
-import '../task-BLPFCORT.js';
+import '../task-BHV-YHg1.js';
 import 'drizzle-orm/pg-core';
 import 'drizzle-orm/sqlite-core';
-import '../config-services-DcO2GRgh.js';
+import '../config-services-DhM7_yWn.js';
 
 /**
  * `.agor.yml` file I/O.
@@ -178,16 +178,34 @@ interface ResolveUserEnvOptions {
      * contexts without a session — e.g. worktree-level terminals).
      */
     sessionId?: SessionID;
+    /**
+     * If set, the user's per-tool credentials for THIS tool are merged into the
+     * resolved env (e.g. claude-code → ANTHROPIC_API_KEY, ANTHROPIC_BASE_URL).
+     * Other tools' credentials are NEVER merged regardless of value.
+     *
+     * If omitted, NO per-tool credentials are merged — safe default for
+     * worktree-level terminals and other contexts that don't run an SDK.
+     */
+    tool?: AgenticToolName;
 }
 /**
- * Resolve user environment variables (decrypted from database, no system env vars)
- * Includes both env_vars and api_keys from user data.
+ * Resolve user environment variables (decrypted from database, no system env vars).
+ *
+ * Includes:
+ *   - User-defined env vars from `data.env_vars` (scope-filtered)
+ *   - If `options.tool` is set, the matching tool's credentials from
+ *     `data.agentic_tools[tool]` (e.g. claude-code → ANTHROPIC_API_KEY +
+ *     ANTHROPIC_BASE_URL). Other tools' credentials are NEVER merged.
  *
- * Scope filtering (v0.5):
+ * Precedence (later wins): tool credentials > user env vars. This matches the
+ * UX intent: per-tool config screens are the explicit, "this is the credential
+ * I want for this SDK" surface; global env vars are the fallback. The caller
+ * (`createUserProcessEnvironment`) layers config.yaml/system env underneath.
+ *
+ * Scope filtering on env_vars (v0.5):
  *   - `scope: 'global'` → always included
  *   - `scope: 'session'` → only included if `options.sessionId` is provided
- *     AND the var name has an entry in `session_env_selections` for that
- *     session.
+ *     AND the var name has an entry in `session_env_selections` for that session.
  *   - Any other scope value (reserved for v1+) is skipped.
  *
  * Legacy entries (plain-string values on disk) are treated as global-scope.
@@ -257,7 +275,14 @@ gatewayEnv?: GatewayEnvVar[],
  * If provided, session-scope env vars selected for this session are
  * included in the user env. Session-scope vars are otherwise excluded.
  */
-sessionId?: SessionID): Promise<Record<string, string>>;
+sessionId?: SessionID, 
+/**
+ * If provided, the user's per-tool credentials for THIS tool are merged
+ * into the environment (e.g. claude-code → ANTHROPIC_*). Other tools'
+ * credentials are NEVER merged. Omit for non-SDK contexts (worktree
+ * terminals, generic background jobs).
+ */
+tool?: AgenticToolName): Promise<Record<string, string>>;
 
 /**
  * Validation constraints for environment variables
@@ -348,12 +373,29 @@ declare function normalizeStoredEnvVar(raw: RawStoredEnvVar): StoredEnvVar;
  */
 declare function normalizeStoredEnvMap(raw: Record<string, RawStoredEnvVar> | undefined): Record<string, StoredEnvVar>;
 
-type ApiKeyName = 'ANTHROPIC_API_KEY' | 'OPENAI_API_KEY' | 'GEMINI_API_KEY';
+/**
+ * The set of credential env-var names the resolver knows how to look up at the
+ * per-user (`agentic_tools[tool][keyName]`), config.yaml, and OS-env layers.
+ *
+ * Kept as an explicit union (rather than `string`) so callers can't accidentally
+ * ask the resolver for an unrelated env var like `PATH` or `AGOR_MASTER_SECRET`.
+ * Add new entries here when a tool's per-tool field config grows.
+ */
+type ApiKeyName = 'ANTHROPIC_API_KEY' | 'ANTHROPIC_AUTH_TOKEN' | 'CLAUDE_CODE_OAUTH_TOKEN' | 'OPENAI_API_KEY' | 'GEMINI_API_KEY' | 'COPILOT_GITHUB_TOKEN';
 interface KeyResolutionContext {
     /** User ID for per-user key lookup */
     userId?: UserID;
     /** Database instance for user lookup */
     db?: Database;
+    /**
+     * Restrict the per-user lookup to a specific tool's credential bucket
+     * (`data.agentic_tools[tool][keyName]`). When omitted, the resolver sweeps
+     * every tool bucket — kept for back-compat with non-SDK callers (e.g. CLI).
+     *
+     * SDK executors should ALWAYS pass this so a Codex spawn never resolves a
+     * key stored under `agentic_tools['claude-code']`, and vice versa.
+     */
+    tool?: AgenticToolName;
 }
 /**
  * Result of API key resolution