circuschief 0.7.0 → 0.8.0

package/packages/server/src/services/gitCommitAttribution.js

@@ -0,0 +1,120 @@
+import { exec } from 'child_process';
+import { promisify } from 'util';
+import path from 'path';
+import { chmod, mkdir, writeFile } from 'fs/promises';
+
+const execAsync = promisify(exec);
+const MANAGED_HOOKS_PATH = '.circuschief-hooks';
+const ATTRIBUTION_CONFIG_KEY = 'circuschief.commitAttribution';
+const ATTRIBUTION_ENV_KEY = 'CIRCUSCHIEF_COMMIT_ATTRIBUTION';
+
+async function git(directory, command) {
+  const { stdout } = await execAsync(`git ${command}`, { cwd: directory });
+  return stdout.trim();
+}
+
+async function gitConfigValue(directory, key) {
+  try {
+    return await git(directory, `config --get ${key}`);
+  } catch {
+    return null;
+  }
+}
+
+function shellQuote(value) {
+  return `'${String(value).replace(/'/g, `'\\''`)}'`;
+}
+
+function buildCommitMsgHook() {
+  return `#!/bin/sh
+set -eu
+
+msg_file="$1"
+trailer="\${${ATTRIBUTION_ENV_KEY}:-}"
+
+[ -n "$trailer" ] || exit 0
+[ -n "$(printf '%s' "$trailer" | tr -d '[:space:]')" ] || exit 0
+
+if printf '%s' "$trailer" | grep '[[:cntrl:]]' >/dev/null 2>&1; then
+  echo "${ATTRIBUTION_ENV_KEY} must be a canonical Co-authored-by: Name <email> trailer." >&2
+  exit 1
+fi
+
+if ! printf '%s\\n' "$trailer" | grep -E '^Co-authored-by: [^<>[:space:]][^<>]* <[^[:space:]<>@]+@[^[:space:]<>@]+\\.[^[:space:]<>@]+>$' >/dev/null 2>&1; then
+  echo "${ATTRIBUTION_ENV_KEY} must be a canonical Co-authored-by: Name <email> trailer." >&2
+  exit 1
+fi
+
+if grep -F -x -i -- "$trailer" "$msg_file" >/dev/null 2>&1; then
+  exit 0
+fi
+
+git interpret-trailers --trailer "$trailer" --in-place "$msg_file"
+`;
+}
+
+export async function clearWorktreeCommitAttribution(worktreePath) {
+  const currentAttribution = await gitConfigValue(worktreePath, ATTRIBUTION_CONFIG_KEY);
+  const currentHooksPath = await gitConfigValue(worktreePath, 'core.hooksPath');
+  if (!currentAttribution && currentHooksPath !== MANAGED_HOOKS_PATH) {
+    return false;
+  }
+
+  await git(worktreePath, 'config extensions.worktreeConfig true');
+
+  if (currentAttribution) {
+    try {
+      await git(worktreePath, `config --worktree --unset ${ATTRIBUTION_CONFIG_KEY}`);
+    } catch {
+      // Unset is idempotent for callers that are clearing a value that was never set.
+    }
+  }
+
+  if (currentHooksPath === MANAGED_HOOKS_PATH) {
+    try {
+      await git(worktreePath, 'config --worktree --unset core.hooksPath');
+    } catch {
+      // Unset is idempotent for callers that are clearing stale managed hook config.
+    }
+  }
+  return false;
+}
+
+/**
+ * Install/update managed commit attribution enforcement for a worktree.
+ *
+ * Runtime attribution is process-scoped: the hook reads
+ * CIRCUSCHIEF_COMMIT_ATTRIBUTION from the `git commit` process environment.
+ *
+ * @param {string} worktreePath - The worktree directory
+ * @returns {Promise<boolean>} True when a hook is installed or updated
+ */
+export async function ensureWorktreeCommitAttributionHook(worktreePath) {
+  await git(worktreePath, 'config extensions.worktreeConfig true');
+
+  const currentHooksPath = await gitConfigValue(worktreePath, 'core.hooksPath');
+  if (currentHooksPath && currentHooksPath !== MANAGED_HOOKS_PATH) {
+    throw new Error(
+      `Cannot install managed commit attribution hook: worktree already has core.hooksPath set to "${currentHooksPath}"`
+    );
+  }
+
+  try {
+    await git(worktreePath, `config --worktree --unset ${ATTRIBUTION_CONFIG_KEY}`);
+  } catch {
+    // Unset is idempotent for stale worktrees that never stored attribution.
+  }
+
+  await git(worktreePath, `config --worktree core.hooksPath ${shellQuote(MANAGED_HOOKS_PATH)}`);
+
+  const hooksDir = path.join(worktreePath, MANAGED_HOOKS_PATH);
+  const hookPath = path.join(hooksDir, 'commit-msg');
+  await mkdir(hooksDir, { recursive: true });
+  await writeFile(hookPath, buildCommitMsgHook(), 'utf8');
+  await chmod(hookPath, 0o755);
+  return true;
+}
+
+export async function configureWorktreeCommitAttribution(worktreePath, _commitAttribution) {
+  return ensureWorktreeCommitAttributionHook(worktreePath);
+}

package/packages/server/src/services/gitService.js

@@ -2,6 +2,11 @@ import { exec } from 'child_process';
 import { promisify } from 'util';
 import path from 'path';
 import { realpath } from 'fs/promises';
+export {
+  clearWorktreeCommitAttribution,
+  configureWorktreeCommitAttribution,
+  ensureWorktreeCommitAttributionHook,
+} from './gitCommitAttribution.js';
 
 const execAsync = promisify(exec);
 
@@ -76,6 +81,10 @@ async function git(directory, command, opts = {}) {
   return stdout.trim();
 }
 
+function shellQuote(value) {
+  return `'${String(value).replace(/'/g, `'\\''`)}'`;
+}
+
 /**
  * Detect the default branch using git commands (symbolic-ref, rev-parse).
  * @param {string} directory
@@ -515,8 +524,8 @@ export async function pinAuthorInWorktree(worktreePath, projectDir, { env } = {}
 
   // Pin the human's identity in the worktree config so they are always
   // the commit Author, regardless of what the session does later
-  await git(worktreePath, `config --worktree user.name "${author.name}"`);
-  await git(worktreePath, `config --worktree user.email "${author.email}"`);
+  await git(worktreePath, `config --worktree user.name ${shellQuote(author.name)}`);
+  await git(worktreePath, `config --worktree user.email ${shellQuote(author.email)}`);
 
   return true;
 }

package/packages/server/src/services/gitSessionSetup.js

@@ -9,9 +9,17 @@ import * as gitService from './gitService.js';
  * @param {string|null} options.gitBranch - Branch name
  * @param {string} options.sessionId - Session ID
  * @param {string|null} [options.worktreeBasePath] - Custom base path for worktrees (overrides default .worktrees)
+ * @param {string|null} [options.commitAttributionOverride] - Deprecated; attribution is process-scoped at agent launch
  * @returns {Promise<{workingDirectory: string, gitWorktree: string|null}>}
  */
-export async function setupGitForSession({ projectDir, gitMode, gitBranch, sessionId, worktreeBasePath }) {
+export async function setupGitForSession({
+  projectDir,
+  gitMode,
+  gitBranch,
+  sessionId,
+  worktreeBasePath,
+  commitAttributionOverride = null,
+}) {
   // No git operations if gitMode is not specified
   if (!gitMode || !gitBranch) {
     return {
@@ -35,6 +43,8 @@ export async function setupGitForSession({ projectDir, gitMode, gitBranch, sessi
     await gitService.createWorktreeForBranch(projectDir, gitBranch, worktreePath);
     // Pin the human developer's git identity so they are the commit Author
     await gitService.pinAuthorInWorktree(worktreePath, projectDir);
+    void commitAttributionOverride;
+    await gitService.ensureWorktreeCommitAttributionHook(worktreePath);
     return {
       workingDirectory: worktreePath,
       gitWorktree: worktreePath,

package/packages/server/src/services/kanbanTriggers.js

@@ -5,11 +5,11 @@ import {
   projects,
 } from '../database.js';
 import { broadcastToProject } from '../websocket.js';
-import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
+import { WS_MESSAGE_TYPES, DEFAULT_RESCHEDULE_DELAY_MINUTES } from '../../../shared/src/index.js';
 import { renderTemplatePrompt, getRootSession } from './templateTriggerService.js';
 import { setupGitForSession } from './gitSessionSetup.js';
 import { runSession } from './sessionManager.js';
-import { resolveAgentTypeFromModel } from './sessionProvider.js';
+import { resolveAgentTypeFromModel, resolveProviderMetadataFromModel } from './sessionProvider.js';
 
 // Maximum depth for recursive lane-entry template triggers
 export const MAX_LANE_TRIGGER_DEPTH = 5;
@@ -56,6 +56,8 @@ export async function determineWorkingDirectory(parentSession, project, gitOptio
       gitBranch: gitOptions.gitBranch || null,
       sessionId: gitOptions.sessionId,
       worktreeBasePath: project.worktreePath || null,
+      commitAttributionOverride:
+        resolveProviderMetadataFromModel(gitOptions.model)?.commitAttributionOverride ?? null,
     });
     return { workingDirectory: gitSetup.workingDirectory, gitWorktree: gitSetup.gitWorktree };
   }
@@ -190,6 +192,7 @@ export async function triggerOnEnterTemplate(sessionId, lane, options = {}) {
       gitMode: settings.gitMode,
       gitBranch: settings.gitBranch,
       sessionId: newSession.id,
+      model: settings.model,
     });
     if (gitWorktree) {
       sessions.update(newSession.id, { gitWorktree });
@@ -250,7 +253,7 @@ async function buildChildSessionFromPrompt(lane, session, depth) {
   if (lane.onEnterAutoRescheduleEnabled) {
     Object.assign(sessionUpdates, {
       autoRescheduleEnabled: true,
-      rescheduleDelayMinutes: lane.onEnterRescheduleDelayMinutes || 15,
+      rescheduleDelayMinutes: lane.onEnterRescheduleDelayMinutes || DEFAULT_RESCHEDULE_DELAY_MINUTES,
       rescheduleOnTokenLimit: lane.onEnterRescheduleOnTokenLimit ?? true,
       rescheduleOnServiceError: lane.onEnterRescheduleOnServiceError ?? true,
       maxRescheduleCount: lane.onEnterMaxRescheduleCount || null,

package/packages/server/src/services/nodeSpawnHelper.js

@@ -1,5 +1,10 @@
 import { spawn } from 'child_process';
 import path from 'path';
+import {
+  captureSpawnAttempt,
+  createCapturedSpawnProcess,
+  isE2ESpawnCaptureEnabled,
+} from './e2eSpawnCapture.js';
 
 /**
  * Get the directory containing the current Node.js executable.
@@ -42,6 +47,10 @@ export function createRobustEnv(baseEnv = process.env) {
 export function createClaudeCodeSpawner() {
   return (options) => {
     const { command, args, cwd, env, signal } = options;
+    if (isE2ESpawnCaptureEnabled()) {
+      captureSpawnAttempt('claude-code', options);
+      return createCapturedSpawnProcess('claude-code');
+    }
 
     // Replace 'node' with the absolute path to the current Node executable
     // This ensures we use the same Node that's running our app

package/packages/server/src/services/prUrlService.js

@@ -126,8 +126,8 @@ export async function extractPrUrlIfNeeded(sessionId) {
   const session = sessions.getById(sessionId);
   if (!session) return;
 
-  // Skip if session already has a PR URL
-  if (session.prUrl) return;
+  // Skip if session already has a PR URL or the user cleared automatic PR linking.
+  if (session.prUrl || session.prUrlAutoLinkDisabled) return;
 
   // Extract PR URL from messages
   const prUrl = extractPrUrlFromMessages(sessionId);
@@ -145,7 +145,7 @@ export async function extractPrUrlIfNeeded(sessionId) {
     if (session.parentSessionId) {
       const rootId = sessions.getRootSessionId(sessionId);
       const root = rootId && rootId !== sessionId ? sessions.getById(rootId) : null;
-      if (root && !root.prUrl) {
+      if (root && !root.prUrl && !root.prUrlAutoLinkDisabled) {
         sessions.update(root.id, { prUrl });
         console.log(`[PrUrlService] Propagated PR URL from session ${sessionId} to root ${root.id}: ${prUrl}`);
 

package/packages/server/src/services/queryParamBuilder.js

@@ -0,0 +1,90 @@
+import { createClaudeCodeSpawner } from './nodeSpawnHelper.js';
+import {
+  buildSystemPromptConfig,
+  getPermissionModeForSession,
+  getSandboxModeForSession,
+} from './sessionPrompts.js';
+
+/**
+ * Build query parameters for the Claude Code adapter.
+ * @returns {Object}
+ */
+function buildClaudeCodeQueryParams({
+  prompt, workingDirectory, controller, session, sessionId, systemPrompt,
+  model, sessionEnv, resumeSessionId = null,
+}) {
+  const isVCR = Boolean(process.env.VCR_MODE);
+  const effectiveModel = isVCR ? 'claude-haiku-4-5-20251001' : model;
+
+  return {
+    prompt,
+    options: {
+      cwd: workingDirectory,
+      abortController: controller,
+      includePartialMessages: true,
+      permissionMode: getPermissionModeForSession(session.mode),
+      // Match normal Claude Code CLI behavior: load user-level settings
+      // such as configured MCP servers, then project/local overrides.
+      settingSources: ['user', 'project', 'local'],
+      ...(resumeSessionId && { resume: resumeSessionId }),
+      env: sessionEnv,
+      spawnClaudeCodeProcess: createClaudeCodeSpawner(),
+      model: effectiveModel,
+      systemPrompt: buildSystemPromptConfig(sessionId, session.projectId, systemPrompt, session.mode),
+    },
+  };
+}
+
+/**
+ * Build query parameters for the Codex adapter.
+ *
+ * Codex in v1 is a simple Chat-Completions-shaped executor. It does not need
+ * or accept Claude-specific options such as permissionMode, settingSources,
+ * includePartialMessages, spawnClaudeCodeProcess, or resume.
+ *
+ * @returns {Object}
+ */
+function buildCodexQueryParams({
+  prompt, workingDirectory, controller, session, sessionId, systemPrompt, model, sessionEnv,
+}) {
+  const isVCR = Boolean(process.env.VCR_MODE);
+  const effectiveModel = isVCR ? 'gpt-4o-mini' : model;
+
+  return {
+    prompt,
+    options: {
+      cwd: workingDirectory,
+      abortController: controller,
+      env: sessionEnv,
+      model: effectiveModel,
+      effortLevel: session?.effortLevel ?? null,
+      systemPrompt: buildSystemPromptConfig(sessionId, session.projectId, systemPrompt, session.mode),
+      sandboxMode: getSandboxModeForSession(session?.mode),
+    },
+  };
+}
+
+/**
+ * Build query parameters for executing a session via the configured agent.
+ * Shared by runSession, continueSession, and continueSessionWithExistingMessage.
+ *
+ * @param {Object} options
+ * @param {string} options.prompt - The prompt text to send
+ * @param {string} options.workingDirectory - Session working directory
+ * @param {AbortController} options.controller - Abort controller for the session
+ * @param {Object} options.session - Session object from DB
+ * @param {string} options.sessionId - Session ID
+ * @param {string|null} options.systemPrompt - Custom system prompt from project settings
+ * @param {string|null} options.model - Model to use
+ * @param {Object} options.sessionEnv - Environment variables for the session
+ * @param {string|null} [options.resumeSessionId] - Session ID to resume (null for new session)
+ * @param {string} [options.agentType] - 'claude-code' (default) | 'codex'
+ * @returns {Object} Query parameters for agent.execute()
+ */
+export function buildQueryParams(options) {
+  const { agentType = 'claude-code' } = options || {};
+  if (agentType === 'codex') {
+    return buildCodexQueryParams(options);
+  }
+  return buildClaudeCodeQueryParams(options);
+}

package/packages/server/src/services/sessionDuplicator.js

@@ -3,7 +3,6 @@ import {
   conversations,
   messages,
   canvasItems,
-  sessionNotes,
   sessionSummaries,
   projects,
 } from '../db/index.js';
@@ -47,10 +46,7 @@ export async function duplicateSession(sourceSessionId, options = {}) {
     // 5. Duplicate canvas items
     canvasItems.duplicateForSession(sourceSessionId, newSession.id);
 
-    // 6. Duplicate session notes
-    sessionNotes.duplicateForSession(sourceSessionId, newSession.id);
-
-    // 7. Duplicate session summary (if exists)
+    // 6. Duplicate session summary (if exists)
     sessionSummaries.duplicateForSession(sourceSessionId, newSession.id);
 
     // Return the updated session

package/packages/server/src/services/sessionExecution.js

@@ -1,14 +1,13 @@
 import { sessions, messages, attachments, conversations } from '../database.js';
-import { createClaudeCodeSpawner } from './nodeSpawnHelper.js';
 import { createCodexSpawner } from './codexSpawnHelper.js';
-import { resolveProviderFromModel, buildSessionEnv } from './sessionProvider.js';
+import { resolveProviderFromModel, resolveProviderMetadataFromModel, buildSessionEnv } from './sessionProvider.js';
 import { agentGateway } from '../agents/AgentGateway.js';
 import { LoggingAgentWrapper } from '../agents/LoggingAgentWrapper.js';
 import { VCRAgentAdapter } from '../agents/vcr/VCRAgentAdapter.js';
+import { isE2ESpawnCaptureEnabled } from './e2eSpawnCapture.js';
+export { buildQueryParams } from './queryParamBuilder.js';
+import { buildQueryParams } from './queryParamBuilder.js';
 import {
-  buildSystemPromptConfig,
-  getPermissionModeForSession,
-  getSandboxModeForSession,
   buildPromptWithAttachments,
 } from './sessionPrompts.js';
 import {
@@ -23,6 +22,7 @@ import {
 import { shouldRescheduleOnError, _checkProactiveReschedule } from './sessionErrors.js';
 import { schedulerService } from './schedulerService.js';
 import { buildConversationContextForModelSwitch, buildConversationContextForContinuation } from './conversationContext.js';
+import { ensureWorktreeCommitAttributionHook } from './gitService.js';
 import { broadcastToSession } from '../websocket.js';
 import { WS_MESSAGE_TYPES } from '../../../shared/src/index.js';
 
@@ -40,6 +40,34 @@ function buildAgentConfig(agentType) {
   return {};
 }
 
+export function buildAgentEnv(sessionEnv, commitAttributionOverride) {
+  const env = { ...(sessionEnv || {}) };
+  if (commitAttributionOverride) {
+    env.CIRCUSCHIEF_COMMIT_ATTRIBUTION = commitAttributionOverride;
+  } else {
+    delete env.CIRCUSCHIEF_COMMIT_ATTRIBUTION;
+  }
+  return env;
+}
+
+async function resolveInitialSessionModelEnv(session, model) {
+  const effectiveModel = model || session.model;
+  const provider = resolveProviderFromModel(effectiveModel);
+  const providerMetadata = resolveProviderMetadataFromModel(effectiveModel);
+  const commitAttributionOverride = providerMetadata?.commitAttributionOverride ?? null;
+
+  if (session.gitWorktree && commitAttributionOverride) {
+    await ensureWorktreeCommitAttributionHook(session.gitWorktree);
+  }
+
+  const baseSessionEnv = buildSessionEnv(provider, session.thinkingEnabled, session.effortLevel);
+  return {
+    effectiveModel,
+    sessionEnv: buildAgentEnv(baseSessionEnv, commitAttributionOverride),
+    commitAttributionOverride,
+  };
+}
+
 /**
  * Create the agent for a session, using gateway + logging + VCR.
  *
@@ -56,7 +84,7 @@ export function createAgentForSession(agentType = 'claude-code', config = {}) {
   const baseAgent = agentGateway.createAgent(agentType, mergedConfig);
 
   // Wrap with VCR adapter if in VCR mode
-  const agent = process.env.VCR_MODE
+  const agent = process.env.VCR_MODE && !isE2ESpawnCaptureEnabled()
     ? new VCRAgentAdapter(baseAgent, { cassetteDir: 'tests/e2e/cassettes' })
     : baseAgent;
 
@@ -64,97 +92,6 @@ export function createAgentForSession(agentType = 'claude-code', config = {}) {
   return new LoggingAgentWrapper(agent);
 }
 
-/**
- * Build query parameters for the Claude Code adapter.
- * @returns {Object}
- */
-function buildClaudeCodeQueryParams({
-  prompt, workingDirectory, controller, session, sessionId, systemPrompt,
-  model, sessionEnv, resumeSessionId = null,
-}) {
-  const isVCR = Boolean(process.env.VCR_MODE);
-  const effectiveModel = isVCR ? 'claude-haiku-4-5-20251001' : model;
-
-  return {
-    prompt,
-    options: {
-      cwd: workingDirectory,
-      abortController: controller,
-      includePartialMessages: true,
-      permissionMode: getPermissionModeForSession(session.mode),
-      // Match normal Claude Code CLI behavior: load user-level settings
-      // such as configured MCP servers, then project/local overrides.
-      settingSources: ['user', 'project', 'local'],
-      ...(resumeSessionId && { resume: resumeSessionId }),
-      env: sessionEnv,
-      spawnClaudeCodeProcess: createClaudeCodeSpawner(),
-      model: effectiveModel,
-      systemPrompt: buildSystemPromptConfig(sessionId, session.projectId, systemPrompt, session.mode),
-    },
-  };
-}
-
-/**
- * Build query parameters for the Codex adapter.
- *
- * Codex in v1 is a simple Chat-Completions-shaped executor — it doesn't need
- * or accept Claude-specific options (permissionMode, settingSources,
- * includePartialMessages, spawnClaudeCodeProcess, resume).
- *
- * Codex does have its own sandboxing model, driven from {@code session.mode}
- * via {@link getSandboxModeForSession}. Codex CLI v0.124.0 also supports
- * resume via `codex resume` / `codex exec resume`, but Circus Chief v1
- * intentionally does NOT pass a resume token — wiring is deferred to a
- * later phase (see canvas plan §Phase 4.5).
- *
- * @returns {Object}
- */
-function buildCodexQueryParams({
-  prompt, workingDirectory, controller, session, sessionId, systemPrompt, model, sessionEnv,
-}) {
-  const isVCR = Boolean(process.env.VCR_MODE);
-  // In VCR mode, force the cheapest commonly-cassetted OpenAI model.
-  const effectiveModel = isVCR ? 'gpt-4o-mini' : model;
-
-  return {
-    prompt,
-    options: {
-      cwd: workingDirectory,
-      abortController: controller,
-      env: sessionEnv,
-      model: effectiveModel,
-      effortLevel: session?.effortLevel ?? null,
-      systemPrompt: buildSystemPromptConfig(sessionId, session.projectId, systemPrompt, session.mode),
-      sandboxMode: getSandboxModeForSession(session?.mode),
-    },
-  };
-}
-
-/**
- * Build query parameters for executing a session via the configured agent.
- * Shared by runSession, continueSession, and continueSessionWithExistingMessage.
- *
- * @param {Object} options
- * @param {string} options.prompt - The prompt text to send
- * @param {string} options.workingDirectory - Session working directory
- * @param {AbortController} options.controller - Abort controller for the session
- * @param {Object} options.session - Session object from DB
- * @param {string} options.sessionId - Session ID
- * @param {string|null} options.systemPrompt - Custom system prompt from project settings
- * @param {string|null} options.model - Model to use
- * @param {Object} options.sessionEnv - Environment variables for the session
- * @param {string|null} [options.resumeSessionId] - Session ID to resume (null for new session)
- * @param {string} [options.agentType] - 'claude-code' (default) | 'codex'
- * @returns {Object} Query parameters for agent.execute()
- */
-export function buildQueryParams(options) {
-  const { agentType = 'claude-code' } = options || {};
-  if (agentType === 'codex') {
-    return buildCodexQueryParams(options);
-  }
-  return buildClaudeCodeQueryParams(options);
-}
-
 /**
  * Execute the agent stream loop and handle post-turn completion, errors, and cleanup.
  * This is the shared core of runSession, continueSession, and continueSessionWithExistingMessage.
@@ -260,7 +197,12 @@ function buildContinueModelAndEnv(session, sessionId, model) {
 
   // Derive provider from the effective model ID (returns null for Anthropic/SDK defaults)
   const provider = resolveProviderFromModel(effectiveModel);
-  const sessionEnv = buildSessionEnv(provider, session.thinkingEnabled, session.effortLevel);
+  const providerMetadata = resolveProviderMetadataFromModel(effectiveModel);
+  const commitAttributionOverride = providerMetadata?.commitAttributionOverride ?? null;
+  const sessionEnv = buildAgentEnv(
+    buildSessionEnv(provider, session.thinkingEnabled, session.effortLevel),
+    commitAttributionOverride
+  );
 
   // Check if model changed from the session's last requested model
   // When model changes, we can't resume the previous session - thinking blocks and
@@ -275,7 +217,13 @@ function buildContinueModelAndEnv(session, sessionId, model) {
     updatedSession = sessions.getById(sessionId); // refresh
   }
 
-  return { effectiveModel, sessionEnv, modelChanged, session: updatedSession };
+  return {
+    effectiveModel,
+    sessionEnv,
+    commitAttributionOverride,
+    modelChanged,
+    session: updatedSession,
+  };
 }
 
 /**
@@ -286,7 +234,7 @@ function buildContinueModelAndEnv(session, sessionId, model) {
 async function buildContinueParams({
   sessionId, session, model, systemPrompt, effectiveModel, sessionEnv,
   modelChanged, activeConversation, promptWithAttachments,
-  workingDirectory, controller, agentType, agent,
+  workingDirectory, controller, agentType, agent, commitAttributionOverride,
 }) {
   // Only resume if we have a session ID AND model hasn't changed AND the
   // agent supports resume.
@@ -308,6 +256,7 @@ async function buildContinueParams({
     sessionEnv,
     resumeSessionId: canResume ? activeConversation.claudeSessionId : null,
     agentType,
+    commitAttributionOverride,
   });
 
   // Logging metadata for agent call tracking
@@ -394,11 +343,15 @@ export async function continueSessionCore(sessionId, content, workingDirectory,
   // Resolve model/provider and detect model changes
   const modelEnv = buildContinueModelAndEnv(session, sessionId, model);
   session = modelEnv.session;
+  if (session.gitWorktree && modelEnv.commitAttributionOverride) {
+    await ensureWorktreeCommitAttributionHook(session.gitWorktree);
+  }
 
   // Build query params and agent call meta
   const { queryParams, agentCallMeta } = await buildContinueParams({
     sessionId, session, model, systemPrompt,
     effectiveModel: modelEnv.effectiveModel, sessionEnv: modelEnv.sessionEnv,
+    commitAttributionOverride: modelEnv.commitAttributionOverride,
     modelChanged: modelEnv.modelChanged, activeConversation, promptWithAttachments,
     workingDirectory, controller, agentType, agent,
   });
@@ -459,14 +412,8 @@ export async function runSessionCore(sessionId, prompt, workingDirectory, config
   const agentType = session.agentType || 'claude-code';
   const agent = createAgentForSession(agentType);
 
-  // Resolve the effective model: fall back to session.model as defense-in-depth
-  // (draftSessionService already resolves the model upstream, but this ensures
-  // correctness if called directly).
-  const effectiveModel = model || session.model;
-
-  // Derive provider from the effective model ID (returns null for Anthropic/SDK defaults)
-  const provider = resolveProviderFromModel(effectiveModel);
-  const sessionEnv = buildSessionEnv(provider, session.thinkingEnabled, session.effortLevel);
+  const { effectiveModel, sessionEnv, commitAttributionOverride } =
+    await resolveInitialSessionModelEnv(session, model);
 
   const queryParams = buildQueryParams({
     prompt: promptWithAttachments,
@@ -478,6 +425,7 @@ export async function runSessionCore(sessionId, prompt, workingDirectory, config
     model: effectiveModel,
     sessionEnv,
     agentType,
+    commitAttributionOverride,
   });
 
   // Log query params for debugging third-party provider issues