comisai 1.0.34 → 1.0.36

Files changed (284) hide show
  1. package/node_modules/@comis/agent/dist/background/auto-background-middleware.d.ts +11 -1
  2. package/node_modules/@comis/agent/dist/background/auto-background-middleware.js +21 -4
  3. package/node_modules/@comis/agent/dist/background/background-task-manager.d.ts +2 -2
  4. package/node_modules/@comis/agent/dist/background/background-task-manager.js +61 -20
  5. package/node_modules/@comis/agent/dist/background/background-task-persistence.js +10 -3
  6. package/node_modules/@comis/agent/dist/background/background-task-types.d.ts +10 -3
  7. package/node_modules/@comis/agent/dist/background/background-task-types.js +1 -1
  8. package/node_modules/@comis/agent/dist/background/completion-formatter.d.ts +39 -0
  9. package/node_modules/@comis/agent/dist/background/completion-formatter.js +77 -0
  10. package/node_modules/@comis/agent/dist/background/completion-runner.d.ts +53 -0
  11. package/node_modules/@comis/agent/dist/background/completion-runner.js +151 -0
  12. package/node_modules/@comis/agent/dist/background/index.d.ts +4 -0
  13. package/node_modules/@comis/agent/dist/background/index.js +2 -0
  14. package/node_modules/@comis/agent/dist/bridge/bridge-metrics.d.ts +17 -2
  15. package/node_modules/@comis/agent/dist/bridge/bridge-metrics.js +14 -2
  16. package/node_modules/@comis/agent/dist/bridge/pi-event-bridge.d.ts +23 -23
  17. package/node_modules/@comis/agent/dist/bridge/pi-event-bridge.js +72 -60
  18. package/node_modules/@comis/agent/dist/bridge/thinking-block-hash-invariant.d.ts +6 -7
  19. package/node_modules/@comis/agent/dist/bridge/thinking-block-hash-invariant.js +24 -25
  20. package/node_modules/@comis/agent/dist/budget/cost-tracker.d.ts +1 -1
  21. package/node_modules/@comis/agent/dist/context-engine/constants.d.ts +5 -5
  22. package/node_modules/@comis/agent/dist/context-engine/constants.js +12 -12
  23. package/node_modules/@comis/agent/dist/context-engine/context-engine.js +13 -4
  24. package/node_modules/@comis/agent/dist/context-engine/dag-annotator.d.ts +1 -2
  25. package/node_modules/@comis/agent/dist/context-engine/dag-annotator.js +1 -2
  26. package/node_modules/@comis/agent/dist/context-engine/llm-compaction.js +20 -16
  27. package/node_modules/@comis/agent/dist/context-engine/rehydration.js +6 -6
  28. package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.d.ts +12 -12
  29. package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.js +36 -22
  30. package/node_modules/@comis/agent/dist/context-engine/types-core.d.ts +15 -0
  31. package/node_modules/@comis/agent/dist/executor/cache-break-detection.d.ts +6 -6
  32. package/node_modules/@comis/agent/dist/executor/cache-break-detection.js +8 -8
  33. package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.d.ts +16 -0
  34. package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.js +46 -5
  35. package/node_modules/@comis/agent/dist/executor/executor-post-execution.d.ts +30 -0
  36. package/node_modules/@comis/agent/dist/executor/executor-post-execution.js +17 -1
  37. package/node_modules/@comis/agent/dist/executor/executor-prompt-runner.js +1 -1
  38. package/node_modules/@comis/agent/dist/executor/executor-response-filter.d.ts +7 -6
  39. package/node_modules/@comis/agent/dist/executor/executor-response-filter.js +9 -42
  40. package/node_modules/@comis/agent/dist/executor/executor-tool-assembly.js +2 -3
  41. package/node_modules/@comis/agent/dist/executor/gemini-cache-injector.d.ts +2 -2
  42. package/node_modules/@comis/agent/dist/executor/gemini-cache-injector.js +4 -4
  43. package/node_modules/@comis/agent/dist/executor/phase-filter.d.ts +2 -2
  44. package/node_modules/@comis/agent/dist/executor/phase-filter.js +5 -7
  45. package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +13 -0
  46. package/node_modules/@comis/agent/dist/executor/pi-executor.js +71 -6
  47. package/node_modules/@comis/agent/dist/executor/post-batch-continuation.js +7 -7
  48. package/node_modules/@comis/agent/dist/executor/stream-wrappers/request-body-injector.d.ts +1 -1
  49. package/node_modules/@comis/agent/dist/executor/stream-wrappers/request-body-injector.js +1 -1
  50. package/node_modules/@comis/agent/dist/executor/tool-deferral.d.ts +2 -2
  51. package/node_modules/@comis/agent/dist/executor/tool-deferral.js +7 -7
  52. package/node_modules/@comis/agent/dist/index.d.ts +17 -0
  53. package/node_modules/@comis/agent/dist/index.js +32 -11
  54. package/node_modules/@comis/agent/dist/model/auth-provider.d.ts +25 -2
  55. package/node_modules/@comis/agent/dist/model/auth-provider.js +6 -0
  56. package/node_modules/@comis/agent/dist/model/compaction-model-resolver.d.ts +3 -3
  57. package/node_modules/@comis/agent/dist/model/compaction-model-resolver.js +3 -3
  58. package/node_modules/@comis/agent/dist/model/oauth-credential-store-file.d.ts +37 -0
  59. package/node_modules/@comis/agent/dist/model/oauth-credential-store-file.js +279 -0
  60. package/node_modules/@comis/agent/dist/model/oauth-credential-store-selector.d.ts +49 -0
  61. package/node_modules/@comis/agent/dist/model/oauth-credential-store-selector.js +50 -0
  62. package/node_modules/@comis/agent/dist/model/oauth-device-code.d.ts +57 -0
  63. package/node_modules/@comis/agent/dist/model/oauth-device-code.js +302 -0
  64. package/node_modules/@comis/agent/dist/model/oauth-env.d.ts +33 -0
  65. package/node_modules/@comis/agent/dist/model/oauth-env.js +38 -0
  66. package/node_modules/@comis/agent/dist/model/oauth-errors.d.ts +41 -0
  67. package/node_modules/@comis/agent/dist/model/oauth-errors.js +88 -0
  68. package/node_modules/@comis/agent/dist/model/oauth-identity.d.ts +53 -0
  69. package/node_modules/@comis/agent/dist/model/oauth-identity.js +141 -0
  70. package/node_modules/@comis/agent/dist/model/oauth-login-runner.d.ts +99 -0
  71. package/node_modules/@comis/agent/dist/model/oauth-login-runner.js +374 -0
  72. package/node_modules/@comis/agent/dist/model/oauth-tls-preflight.d.ts +58 -0
  73. package/node_modules/@comis/agent/dist/model/oauth-tls-preflight.js +82 -0
  74. package/node_modules/@comis/agent/dist/model/oauth-token-manager.d.ts +86 -16
  75. package/node_modules/@comis/agent/dist/model/oauth-token-manager.js +961 -66
  76. package/node_modules/@comis/agent/dist/model/operation-model-defaults.d.ts +9 -4
  77. package/node_modules/@comis/agent/dist/model/operation-model-defaults.js +36 -9
  78. package/node_modules/@comis/agent/dist/model/resolve-provider-api-key.d.ts +48 -0
  79. package/node_modules/@comis/agent/dist/model/resolve-provider-api-key.js +66 -0
  80. package/node_modules/@comis/agent/dist/provider/capabilities.d.ts +5 -5
  81. package/node_modules/@comis/agent/dist/provider/capabilities.js +10 -23
  82. package/node_modules/@comis/agent/dist/safety/tool-output-safety.js +3 -3
  83. package/node_modules/@comis/agent/dist/session/comis-session-manager.d.ts +1 -1
  84. package/node_modules/@comis/agent/dist/session/comis-session-manager.js +1 -1
  85. package/node_modules/@comis/agent/dist/spawn/narrative-caster.d.ts +10 -0
  86. package/node_modules/@comis/agent/dist/spawn/narrative-caster.js +5 -1
  87. package/node_modules/@comis/agent/package.json +1 -1
  88. package/node_modules/@comis/channels/dist/email/email-adapter.js +6 -6
  89. package/node_modules/@comis/channels/dist/email/imap-lifecycle.js +7 -7
  90. package/node_modules/@comis/channels/dist/shared/deliver-to-channel.js +12 -10
  91. package/node_modules/@comis/channels/dist/telegram/telegram-adapter.js +1 -1
  92. package/node_modules/@comis/channels/package.json +1 -1
  93. package/node_modules/@comis/cli/dist/cli.js +2 -0
  94. package/node_modules/@comis/cli/dist/commands/agent.d.ts +3 -3
  95. package/node_modules/@comis/cli/dist/commands/agent.js +46 -3
  96. package/node_modules/@comis/cli/dist/commands/auth.d.ts +37 -0
  97. package/node_modules/@comis/cli/dist/commands/auth.js +433 -0
  98. package/node_modules/@comis/cli/dist/commands/doctor.d.ts +4 -1
  99. package/node_modules/@comis/cli/dist/commands/doctor.js +20 -5
  100. package/node_modules/@comis/cli/dist/doctor/checks/oauth-health.d.ts +39 -0
  101. package/node_modules/@comis/cli/dist/doctor/checks/oauth-health.js +399 -0
  102. package/node_modules/@comis/cli/dist/doctor/types.d.ts +19 -0
  103. package/node_modules/@comis/cli/dist/index.d.ts +1 -0
  104. package/node_modules/@comis/cli/dist/index.js +10 -4
  105. package/node_modules/@comis/cli/dist/output/relative-time.d.ts +23 -0
  106. package/node_modules/@comis/cli/dist/output/relative-time.js +36 -0
  107. package/node_modules/@comis/cli/dist/wizard/non-interactive.js +17 -8
  108. package/node_modules/@comis/cli/dist/wizard/steps/03-provider.js +2 -1
  109. package/node_modules/@comis/cli/dist/wizard/steps/04-credentials.js +223 -34
  110. package/node_modules/@comis/cli/dist/wizard/steps/10-write-config.js +14 -0
  111. package/node_modules/@comis/cli/dist/wizard/steps/11-daemon-start.js +3 -3
  112. package/node_modules/@comis/cli/dist/wizard/types.d.ts +7 -0
  113. package/node_modules/@comis/cli/package.json +1 -1
  114. package/node_modules/@comis/core/dist/bootstrap.d.ts +1 -1
  115. package/node_modules/@comis/core/dist/config/env-substitution.d.ts +66 -0
  116. package/node_modules/@comis/core/dist/config/env-substitution.js +115 -0
  117. package/node_modules/@comis/core/dist/config/index.d.ts +3 -1
  118. package/node_modules/@comis/core/dist/config/index.js +2 -1
  119. package/node_modules/@comis/core/dist/config/loader.js +61 -0
  120. package/node_modules/@comis/core/dist/config/managed-sections.d.ts +3 -3
  121. package/node_modules/@comis/core/dist/config/managed-sections.js +10 -5
  122. package/node_modules/@comis/core/dist/config/schema-agent.d.ts +4 -0
  123. package/node_modules/@comis/core/dist/config/schema-agent.js +16 -1
  124. package/node_modules/@comis/core/dist/config/schema-background-tasks.d.ts +7 -0
  125. package/node_modules/@comis/core/dist/config/schema-background-tasks.js +7 -0
  126. package/node_modules/@comis/core/dist/config/schema-delivery.d.ts +2 -0
  127. package/node_modules/@comis/core/dist/config/schema-delivery.js +2 -0
  128. package/node_modules/@comis/core/dist/config/schema-gemini-cache.d.ts +0 -2
  129. package/node_modules/@comis/core/dist/config/schema-gemini-cache.js +0 -2
  130. package/node_modules/@comis/core/dist/config/schema-oauth.d.ts +23 -0
  131. package/node_modules/@comis/core/dist/config/schema-oauth.js +19 -0
  132. package/node_modules/@comis/core/dist/config/schema-skills.d.ts +6 -8
  133. package/node_modules/@comis/core/dist/config/schema-skills.js +3 -4
  134. package/node_modules/@comis/core/dist/config/schema.d.ts +10 -0
  135. package/node_modules/@comis/core/dist/config/schema.js +3 -0
  136. package/node_modules/@comis/core/dist/domain/background-task-origin.d.ts +39 -0
  137. package/node_modules/@comis/core/dist/domain/background-task-origin.js +39 -0
  138. package/node_modules/@comis/core/dist/event-bus/events-infra.d.ts +71 -2
  139. package/node_modules/@comis/core/dist/exports/config.d.ts +2 -2
  140. package/node_modules/@comis/core/dist/exports/config.js +1 -1
  141. package/node_modules/@comis/core/dist/exports/domain.d.ts +2 -0
  142. package/node_modules/@comis/core/dist/exports/domain.js +1 -0
  143. package/node_modules/@comis/core/dist/exports/ports.d.ts +2 -2
  144. package/node_modules/@comis/core/dist/exports/ports.js +1 -1
  145. package/node_modules/@comis/core/dist/ports/delivery-queue.d.ts +23 -0
  146. package/node_modules/@comis/core/dist/ports/delivery-queue.js +2 -0
  147. package/node_modules/@comis/core/dist/ports/index.d.ts +2 -0
  148. package/node_modules/@comis/core/dist/ports/index.js +1 -0
  149. package/node_modules/@comis/core/dist/ports/oauth-credential-store.d.ts +64 -0
  150. package/node_modules/@comis/core/dist/ports/oauth-credential-store.js +37 -0
  151. package/node_modules/@comis/core/dist/tool-metadata.d.ts +20 -0
  152. package/node_modules/@comis/core/package.json +1 -1
  153. package/node_modules/@comis/daemon/dist/daemon-types.d.ts +23 -3
  154. package/node_modules/@comis/daemon/dist/daemon.js +82 -19
  155. package/node_modules/@comis/daemon/dist/index.d.ts +2 -0
  156. package/node_modules/@comis/daemon/dist/index.js +5 -0
  157. package/node_modules/@comis/daemon/dist/observability/channel-health-logger.js +3 -3
  158. package/node_modules/@comis/daemon/dist/observability/delivery-queue-logger.js +1 -1
  159. package/node_modules/@comis/daemon/dist/rpc/agent-handlers.d.ts +22 -1
  160. package/node_modules/@comis/daemon/dist/rpc/agent-handlers.js +84 -21
  161. package/node_modules/@comis/daemon/dist/rpc/agent-inline-workspace.js +2 -2
  162. package/node_modules/@comis/daemon/dist/rpc/config-handlers.d.ts +9 -1
  163. package/node_modules/@comis/daemon/dist/rpc/config-handlers.js +104 -23
  164. package/node_modules/@comis/daemon/dist/rpc/credential-resolver.d.ts +30 -1
  165. package/node_modules/@comis/daemon/dist/rpc/credential-resolver.js +74 -11
  166. package/node_modules/@comis/daemon/dist/rpc/mcp-handlers.d.ts +8 -0
  167. package/node_modules/@comis/daemon/dist/rpc/mcp-handlers.js +22 -8
  168. package/node_modules/@comis/daemon/dist/rpc/provider-handlers.js +9 -12
  169. package/node_modules/@comis/daemon/dist/rpc/rpc-dispatch.d.ts +1 -0
  170. package/node_modules/@comis/daemon/dist/rpc/rpc-dispatch.js +27 -2
  171. package/node_modules/@comis/daemon/dist/setup-docker-restart-warn.js +0 -1
  172. package/node_modules/@comis/daemon/dist/wiring/index.d.ts +2 -0
  173. package/node_modules/@comis/daemon/dist/wiring/index.js +1 -0
  174. package/node_modules/@comis/daemon/dist/wiring/oauth-preflight.d.ts +21 -0
  175. package/node_modules/@comis/daemon/dist/wiring/oauth-preflight.js +134 -0
  176. package/node_modules/@comis/daemon/dist/wiring/setup-agents.d.ts +46 -1
  177. package/node_modules/@comis/daemon/dist/wiring/setup-agents.js +127 -3
  178. package/node_modules/@comis/daemon/dist/wiring/setup-background-completion-runner.d.ts +39 -0
  179. package/node_modules/@comis/daemon/dist/wiring/setup-background-completion-runner.js +32 -0
  180. package/node_modules/@comis/daemon/dist/wiring/setup-background-tasks.d.ts +10 -3
  181. package/node_modules/@comis/daemon/dist/wiring/setup-background-tasks.js +11 -5
  182. package/node_modules/@comis/daemon/dist/wiring/setup-channels.js +20 -1
  183. package/node_modules/@comis/daemon/dist/wiring/setup-cross-session.js +1 -1
  184. package/node_modules/@comis/daemon/dist/wiring/setup-delivery.d.ts +14 -5
  185. package/node_modules/@comis/daemon/dist/wiring/setup-delivery.js +52 -19
  186. package/node_modules/@comis/daemon/dist/wiring/setup-schedulers.js +4 -0
  187. package/node_modules/@comis/daemon/package.json +1 -1
  188. package/node_modules/@comis/gateway/dist/index.d.ts +2 -0
  189. package/node_modules/@comis/gateway/dist/index.js +2 -0
  190. package/node_modules/@comis/gateway/dist/oauth/oauth-callback-route.d.ts +66 -0
  191. package/node_modules/@comis/gateway/dist/oauth/oauth-callback-route.js +212 -0
  192. package/node_modules/@comis/gateway/dist/server/hono-server.d.ts +14 -0
  193. package/node_modules/@comis/gateway/dist/server/hono-server.js +10 -0
  194. package/node_modules/@comis/gateway/package.json +1 -1
  195. package/node_modules/@comis/infra/dist/logging/log-fields.d.ts +23 -0
  196. package/node_modules/@comis/infra/package.json +1 -1
  197. package/node_modules/@comis/memory/dist/compaction.d.ts +3 -5
  198. package/node_modules/@comis/memory/dist/compaction.js +2 -3
  199. package/node_modules/@comis/memory/dist/delivery-queue-adapter.d.ts +2 -2
  200. package/node_modules/@comis/memory/dist/delivery-queue-adapter.js +49 -1
  201. package/node_modules/@comis/memory/dist/index.d.ts +2 -0
  202. package/node_modules/@comis/memory/dist/index.js +3 -0
  203. package/node_modules/@comis/memory/dist/memory-api.d.ts +1 -1
  204. package/node_modules/@comis/memory/dist/memory-api.js +1 -1
  205. package/node_modules/@comis/memory/dist/oauth-profile-schema.d.ts +17 -0
  206. package/node_modules/@comis/memory/dist/oauth-profile-schema.js +33 -0
  207. package/node_modules/@comis/memory/dist/oauth-profile-store-encrypted.d.ts +27 -0
  208. package/node_modules/@comis/memory/dist/oauth-profile-store-encrypted.js +144 -0
  209. package/node_modules/@comis/memory/dist/session-store.d.ts +1 -1
  210. package/node_modules/@comis/memory/dist/session-store.js +1 -1
  211. package/node_modules/@comis/memory/dist/sqlite-secret-store.d.ts +29 -3
  212. package/node_modules/@comis/memory/dist/sqlite-secret-store.js +11 -3
  213. package/node_modules/@comis/memory/package.json +1 -1
  214. package/node_modules/@comis/scheduler/dist/execution/execution-lock.d.ts +13 -0
  215. package/node_modules/@comis/scheduler/dist/execution/execution-lock.js +1 -1
  216. package/node_modules/@comis/scheduler/dist/execution/index.d.ts +2 -0
  217. package/node_modules/@comis/scheduler/dist/execution/index.js +2 -0
  218. package/node_modules/@comis/scheduler/dist/heartbeat/agent-heartbeat-source.js +1 -1
  219. package/node_modules/@comis/scheduler/dist/index.d.ts +2 -0
  220. package/node_modules/@comis/scheduler/dist/index.js +2 -0
  221. package/node_modules/@comis/scheduler/package.json +1 -1
  222. package/node_modules/@comis/shared/package.json +1 -1
  223. package/node_modules/@comis/skills/dist/bridge/schema-validator.d.ts +38 -0
  224. package/node_modules/@comis/skills/dist/bridge/schema-validator.js +169 -0
  225. package/node_modules/@comis/skills/dist/bridge/tool-metadata-enforcement.js +12 -0
  226. package/node_modules/@comis/skills/dist/bridge/tool-metadata-registry.js +130 -0
  227. package/node_modules/@comis/skills/dist/builtin/exec-diagnostics.d.ts +32 -0
  228. package/node_modules/@comis/skills/dist/builtin/exec-diagnostics.js +127 -0
  229. package/node_modules/@comis/skills/dist/builtin/exec-security.js +38 -0
  230. package/node_modules/@comis/skills/dist/builtin/exec-tool.js +9 -0
  231. package/node_modules/@comis/skills/dist/builtin/file-tools/grep-tool.js +6 -6
  232. package/node_modules/@comis/skills/dist/builtin/platform/agents-manage-tool.d.ts +5 -4
  233. package/node_modules/@comis/skills/dist/builtin/platform/agents-manage-tool.js +38 -27
  234. package/node_modules/@comis/skills/dist/builtin/platform/background-tasks-tool.d.ts +4 -1
  235. package/node_modules/@comis/skills/dist/builtin/platform/background-tasks-tool.js +3 -3
  236. package/node_modules/@comis/skills/dist/builtin/platform/cron-tool.js +1 -1
  237. package/node_modules/@comis/skills/dist/builtin/platform/gateway-tool.js +6 -6
  238. package/node_modules/@comis/skills/dist/builtin/platform/mcp-manage-tool.d.ts +1 -1
  239. package/node_modules/@comis/skills/dist/builtin/platform/mcp-manage-tool.js +9 -9
  240. package/node_modules/@comis/skills/dist/builtin/sandbox/bwrap-provider.d.ts +11 -0
  241. package/node_modules/@comis/skills/dist/builtin/sandbox/bwrap-provider.js +114 -1
  242. package/node_modules/@comis/skills/dist/builtin/sandbox/detect-provider.js +40 -15
  243. package/node_modules/@comis/skills/dist/media/ssrf-fetcher.d.ts +7 -0
  244. package/node_modules/@comis/skills/dist/media/ssrf-fetcher.js +9 -2
  245. package/node_modules/@comis/skills/package.json +1 -1
  246. package/node_modules/@comis/web/dist/assets/{agent-detail-71BSbSfD.js → agent-detail-q8t1NB7w.js} +1 -1
  247. package/node_modules/@comis/web/dist/assets/{agent-editor-CTSDZhwT.js → agent-editor-B46io5gv.js} +1 -1
  248. package/node_modules/@comis/web/dist/assets/{agent-list-BEhni2ea.js → agent-list-DQ6g2Rcx.js} +1 -1
  249. package/node_modules/@comis/web/dist/assets/{billing-view-DVP1IvVs.js → billing-view-IWPR8LgF.js} +1 -1
  250. package/node_modules/@comis/web/dist/assets/{channel-detail-N_YK74xC.js → channel-detail-DlNNZuuC.js} +1 -1
  251. package/node_modules/@comis/web/dist/assets/{channel-list-DRk6ZJaF.js → channel-list-DhGwxiMc.js} +1 -1
  252. package/node_modules/@comis/web/dist/assets/{chat-console-Dm-GtSf9.js → chat-console-Nv6fM3Rc.js} +1 -1
  253. package/node_modules/@comis/web/dist/assets/{config-editor-CIferYX6.js → config-editor-BYKuJF76.js} +1 -1
  254. package/node_modules/@comis/web/dist/assets/{context-dag-browser-CL84rXXM.js → context-dag-browser-ClNEtzYE.js} +1 -1
  255. package/node_modules/@comis/web/dist/assets/{context-engine-B1HOTEZv.js → context-engine-BZJ6HChd.js} +1 -1
  256. package/node_modules/@comis/web/dist/assets/{delivery-view-Y6JKYVFw.js → delivery-view-Cb7I3vGu.js} +1 -1
  257. package/node_modules/@comis/web/dist/assets/{diagnostics-view-DWV1UQjz.js → diagnostics-view-9u9Lyu5a.js} +1 -1
  258. package/node_modules/@comis/web/dist/assets/{ic-chat-message-DfSERzzg.js → ic-chat-message-BFt3cVpx.js} +1 -1
  259. package/node_modules/@comis/web/dist/assets/{ic-connection-dot-CXyhlJup.js → ic-connection-dot-y77LZ3Gu.js} +1 -1
  260. package/node_modules/@comis/web/dist/assets/{ic-tool-call-DNmwTjek.js → ic-tool-call-qt6w1NQl.js} +1 -1
  261. package/node_modules/@comis/web/dist/assets/{index-CBr0Tm9_.js → index-8Tg9oc-C.js} +2 -2
  262. package/node_modules/@comis/web/dist/assets/{mcp-management-BaH2-vox.js → mcp-management-69dtH_kY.js} +2 -2
  263. package/node_modules/@comis/web/dist/assets/{media-config-CZLshJoN.js → media-config-BdjLj5c1.js} +1 -1
  264. package/node_modules/@comis/web/dist/assets/{media-test-C9NUWgo_.js → media-test-DuPqrixi.js} +1 -1
  265. package/node_modules/@comis/web/dist/assets/{memory-inspector-D_fmTcRN.js → memory-inspector-B-Pepbq-.js} +1 -1
  266. package/node_modules/@comis/web/dist/assets/{message-center-BBFlNCZn.js → message-center-B7l0yNYY.js} +1 -1
  267. package/node_modules/@comis/web/dist/assets/{models-BytGLm99.js → models-JHFHuv5S.js} +1 -1
  268. package/node_modules/@comis/web/dist/assets/{observe-view-VXtHqaqq.js → observe-view-r8mqhy4O.js} +1 -1
  269. package/node_modules/@comis/web/dist/assets/{pipeline-builder-CfXczlfJ.js → pipeline-builder-XjkiZRcR.js} +1 -1
  270. package/node_modules/@comis/web/dist/assets/{pipeline-history-CPmXFnbe.js → pipeline-history-CZqJv_Hj.js} +1 -1
  271. package/node_modules/@comis/web/dist/assets/{pipeline-history-detail-DcueTMs9.js → pipeline-history-detail-BEFGMoDy.js} +1 -1
  272. package/node_modules/@comis/web/dist/assets/{pipeline-list-B-xG5WZh.js → pipeline-list-B6q5LvO1.js} +1 -1
  273. package/node_modules/@comis/web/dist/assets/{pipeline-monitor-pnIOYaSY.js → pipeline-monitor-BNomXjVL.js} +1 -1
  274. package/node_modules/@comis/web/dist/assets/{scheduler-BtUIFHhA.js → scheduler-BJEjcGKA.js} +1 -1
  275. package/node_modules/@comis/web/dist/assets/{security-C8mWRq2y.js → security-2G1jhBfV.js} +1 -1
  276. package/node_modules/@comis/web/dist/assets/{session-detail-DgdkO5ka.js → session-detail-DmVPzFBR.js} +1 -1
  277. package/node_modules/@comis/web/dist/assets/{session-list-DcylcfTn.js → session-list-CsqMQoHs.js} +1 -1
  278. package/node_modules/@comis/web/dist/assets/{setup-wizard-BP5yjsuL.js → setup-wizard-CAdM-gSP.js} +1 -1
  279. package/node_modules/@comis/web/dist/assets/{skills-DXt1bX8Z.js → skills-2ODqKaWr.js} +1 -1
  280. package/node_modules/@comis/web/dist/assets/{subagents-C7YbUHXY.js → subagents-BFlwfTbD.js} +1 -1
  281. package/node_modules/@comis/web/dist/assets/{workspace-manager-DP6pW4wa.js → workspace-manager--CbOx_dI.js} +1 -1
  282. package/node_modules/@comis/web/dist/index.html +1 -1
  283. package/node_modules/@comis/web/package.json +1 -1
  284. package/package.json +17 -16
@@ -27,6 +27,7 @@ tryGetContext, ContextEngineConfigSchema, } from "@comis/core";
27
27
  import { suppressError } from "@comis/shared";
28
28
  import { createToolRetryBreaker } from "../safety/tool-retry-breaker.js";
29
29
  import { createMessageSendLimiter } from "../safety/message-send-limiter.js";
30
+ import { resolveProviderApiKey } from "../model/resolve-provider-api-key.js";
30
31
  import { repairOrphanedMessages, scrubPoisonedThinkingBlocks } from "../session/orphaned-message-repair.js";
31
32
  import { scrubRedactedToolCalls } from "../session/scrub-redacted-tool-calls.js";
32
33
  import { createPiEventBridge } from "../bridge/pi-event-bridge.js";
@@ -51,7 +52,7 @@ import { validateInput } from "./executor-input-guard.js";
51
52
  import { scanWithOutputGuard } from "./executor-response-filter.js";
52
53
  import { normalizeModelCompat } from "../provider/model-compat.js";
53
54
  import { normalizeModelId } from "../provider/model-id-normalize.js";
54
- import { isAnthropicFamily, isGoogleFamily } from "../provider/capabilities.js";
55
+ import { isAnthropicFamily, isGoogleFamily, resolveProviderCapabilities } from "../provider/capabilities.js";
55
56
  import { detectOnboardingState } from "../workspace/onboarding-detector.js";
56
57
  import { PromptTimeoutError } from "./prompt-timeout.js";
57
58
  import { classifyError, classifyPromptTimeout } from "./error-classifier.js";
@@ -197,6 +198,27 @@ export function createPiExecutor(config, deps) {
197
198
  async execute(msg, sessionKey, tools, onDelta, agentId, _directives, _prevTimestamp, overrides) {
198
199
  // a. Record execution start time
199
200
  const executionStartMs = Date.now();
201
+ // a-bis. Pre-resolve OAuth token before any pi-coding-agent
202
+ // dispatch. The setRuntimeApiKey side-effect inside resolveProviderApiKey
203
+ // carries the token into pi-coding-agent's outbound LLM request via the
204
+ // runtime-override priority path. For OAuth-eligible
205
+ // providers (openai-codex, anthropic, github-copilot via pi-ai's
206
+ // built-in registry) the resolver chain (agent-config -> lastGood ->
207
+ // first available) runs and refreshes the token if expired. For
208
+ // non-OAuth providers the helper falls through to authStorage.getApiKey.
209
+ //
210
+ // Throw-propagation: on OAuthError the helper throws
211
+ // an Error containing the OAuthError.message. Outer async callers
212
+ // (gateway routes via Hono, channel handlers via try/catch) lift the
213
+ // throw into a user-facing error response. OAuthError
214
+ // is fatal — no env-var fallback, no retry, no silent rotation.
215
+ // CLAUDE.md "no empty catch" honored because we don't add a catch
216
+ // here at all; the resolver itself logs via the oauth-resolver module.
217
+ await resolveProviderApiKey(config.provider, {
218
+ authStorage: deps.authStorage,
219
+ oauthManager: deps.oauthManager,
220
+ agentConfig: config,
221
+ });
200
222
  // b. Initialize result
201
223
  const result = {
202
224
  response: "",
@@ -775,7 +797,7 @@ export function createPiExecutor(config, deps) {
775
797
  session.abortCompaction();
776
798
  suppressError(session.abort(), "session abort on compaction cancel");
777
799
  },
778
- // 260501-dkl: cancel the SDK's internal auto-retry loop when the
800
+ // Cancel the SDK's internal auto-retry loop when the
779
801
  // bridge classifies the auto_retry_start error as `rate_limited`.
780
802
  // Rate-limit windows (per-minute) outlast the SDK's retry budget
781
803
  // (~30s), so retrying within the window cannot succeed.
@@ -820,7 +842,7 @@ export function createPiExecutor(config, deps) {
820
842
  sepConfig: sepEnabled ? { maxSteps: config.sep?.maxSteps ?? 15, minSteps: config.sep?.minSteps ?? 3 } : undefined,
821
843
  sepMessageText: sepEnabled ? (msg.text ?? "") : undefined,
822
844
  sepExecutionStartMs: sepEnabled ? executionStartMs : undefined,
823
- // Cache break detection Phase 2 callback.
845
+ // Cache break detection post-call callback.
824
846
  // Enrich with elapsed time for tiered server-side attribution.
825
847
  checkCacheBreak: (input) => cacheBreakDetector.checkResponseForCacheBreak({
826
848
  ...input,
@@ -841,7 +863,7 @@ export function createPiExecutor(config, deps) {
841
863
  timestamp: Date.now(),
842
864
  };
843
865
  },
844
- // 260428-hoy: pre-LLM-call hook -- runs once per `turn_start`,
866
+ // Pre-LLM-call hook -- runs once per `turn_start`,
845
867
  // BEFORE pi-ai serializes the next request. Asserts the
846
868
  // cross-turn hash invariant (logs ERROR per mutated block, with
847
869
  // module:"agent.bridge.hash-invariant"), then heals any mutated
@@ -893,7 +915,7 @@ export function createPiExecutor(config, deps) {
893
915
  }
894
916
  return live;
895
917
  },
896
- // 260428-iag wire-edge diagnostic: resolves the per-session JSONL
918
+ // Wire-edge diagnostic: resolves the per-session JSONL
897
919
  // path on demand. The bridge invokes this only after detecting the
898
920
  // signed-replay rejection signature on a 400 — never on the happy
899
921
  // path. Path comes from the same sessionAdapter that already
@@ -996,12 +1018,46 @@ export function createPiExecutor(config, deps) {
996
1018
  // Applied AFTER sideEffects so the background placeholder is returned instead of
997
1019
  // waiting for sideEffects processing. When the tool completes in background,
998
1020
  // the sideEffects are still processed by the original wrapped execute.
1021
+ // Capture origin at wrap-time via explicit threading.
1022
+ // The closure reads runPrompt-scope variables synchronously each invocation
1023
+ // so the captured origin reflects the originating session, not the
1024
+ // background-continuation context (which lacks these locals).
999
1025
  if (deps.backgroundTaskManager && config.backgroundTasks?.enabled !== false) {
1000
1026
  const bgConfig = BackgroundTasksConfigSchema.parse(config.backgroundTasks ?? {});
1027
+ const resolvedAgentId = agentId ?? "default";
1028
+ const originResolver = () => {
1029
+ // Defensive: if any required field is unexpectedly missing, fall through
1030
+ // to foreground execution (no background promotion). Promotion requires
1031
+ // a complete origin.
1032
+ if (!formattedKey || formattedKey.length === 0)
1033
+ return undefined;
1034
+ if (!msg.channelType || msg.channelType.length === 0)
1035
+ return undefined;
1036
+ if (!msg.channelId || msg.channelId.length === 0)
1037
+ return undefined;
1038
+ // Read incoming hop count off msg.metadata so the runner can enforce
1039
+ // the recursion bound. Top-level user messages have no
1040
+ // metadata.backgroundHopCount -> default to 0.
1041
+ // Cast metadata defensively because NormalizedMessageSchema.metadata
1042
+ // is z.record(z.string(), z.unknown()).
1043
+ const meta = msg.metadata;
1044
+ const rawHopCount = meta?.backgroundHopCount;
1045
+ const incomingHopCount = typeof rawHopCount === "number" && Number.isFinite(rawHopCount) && rawHopCount >= 0
1046
+ ? Math.floor(rawHopCount)
1047
+ : 0;
1048
+ return {
1049
+ agentId: resolvedAgentId,
1050
+ sessionKey: formattedKey,
1051
+ channelType: msg.channelType,
1052
+ channelId: msg.channelId,
1053
+ traceId: executionId ?? null,
1054
+ backgroundHopCount: incomingHopCount,
1055
+ };
1056
+ };
1001
1057
  for (const tool of mergedCustomTools) {
1002
1058
  const wrapped = wrapToolForAutoBackground(
1003
1059
  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- SDK interop boundary
1004
- tool, deps.backgroundTaskManager, bgConfig, deps.backgroundNotifyFn ?? (async () => { }), agentId ?? "default");
1060
+ tool, deps.backgroundTaskManager, bgConfig, deps.backgroundNotifyFn ?? (async () => { }), originResolver);
1005
1061
  tool.execute = wrapped.execute;
1006
1062
  }
1007
1063
  }
@@ -1095,6 +1151,15 @@ export function createPiExecutor(config, deps) {
1095
1151
  getTruncationSummary, getTurnBudgetSummary,
1096
1152
  executionPlanRef, sepEnabled, isOnboarding,
1097
1153
  geminiCacheHit, geminiCachedTokens, modelTier,
1154
+ // Provider attribution tag for the bookend log.
1155
+ // resolvedModel?.provider is the post-resolution / post-override
1156
+ // provider; falling back to config.provider records operator
1157
+ // INTENT on the silent-fallback misconfig path (resolvedModel
1158
+ // undefined). resolveProviderCapabilities is computed once here
1159
+ // to keep executor-post-execution.ts free of capability-cascade
1160
+ // imports.
1161
+ provider: resolvedModel?.provider ?? config.provider,
1162
+ providerFamily: resolveProviderCapabilities(resolvedModel?.provider ?? config.provider).providerFamily,
1098
1163
  deferralResult, mergedCustomTools, deliveredGuides,
1099
1164
  deps: {
1100
1165
  eventBus: deps.eventBus,
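Review bot: The `provider` field added here holds either the resolved provider or, when `resolvedModel` is undefined, the configured one, and nothing passed alongside it tells the two apart. A reader auditing which provider actually served a run therefore cannot separate the silent-fallback misconfiguration path from a normal run. Consider passing an explicit marker next to it, for example `providerResolved: resolvedModel !== undefined,`. The expression `resolvedModel?.provider ?? config.provider` is also written twice; hoisting it into one `const` above the call would keep `provider` and `providerFamily` from drifting apart. The enclosing call in createPiExecutor starts and ends outside this hunk.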
@@ -15,7 +15,7 @@ import { fromPromise, ok, err } from "@comis/shared";
15
15
  // ---------------------------------------------------------------------------
16
16
  // Implementation
17
17
  // ---------------------------------------------------------------------------
18
- const MODULE = "agent.executor.post-batch-continuation";
18
+ const SUBMODULE = "executor.post-batch-continuation";
19
19
  /* eslint-disable @typescript-eslint/no-explicit-any */
20
20
  function isToolCallBlock(block) {
21
21
  return block?.type === "toolCall" || block?.type === "tool_use";
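Review bot: The renamed constant drops the `agent.` prefix, and the later hunks of this file (the `logger.info` calls in runPostBatchContinuation) emit it under the key `submodule` instead of `module`. Any saved log query, alert or dashboard that filters on `module: "agent.executor.post-batch-continuation"` will stop matching after this release. Whether the logger handed in through `deps` already binds a `module` value is not visible on this page. If it does, a comment above the constant would record the contract, e.g. `// logged as "submodule"; the parent logger is expected to supply "module"`, and the change deserves a line in the release notes for operators who alert on these decision logs.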
@@ -84,7 +84,7 @@ export async function runPostBatchContinuation(deps) {
84
84
  const { session, messages, config, logger, agentId, getVisibleAssistantText } = deps;
85
85
  // Step 1: disable check.
86
86
  if (!config.enabled || config.maxRetries === 0) {
87
- logger.info({ module: MODULE, agentId, decision: "skip", reason: "disabled" }, "Post-batch continuation skipped");
87
+ logger.info({ submodule: SUBMODULE, agentId, decision: "skip", reason: "disabled" }, "Post-batch continuation skipped");
88
88
  return ok({
89
89
  recovered: false,
90
90
  attempts: 0,
@@ -97,7 +97,7 @@ export async function runPostBatchContinuation(deps) {
97
97
  /* eslint-disable @typescript-eslint/no-explicit-any */
98
98
  const msgs = messages;
99
99
  if (!Array.isArray(msgs) || msgs.length === 0) {
100
- logger.info({ module: MODULE, agentId, decision: "skip", reason: "non_empty_final" }, "Post-batch continuation skipped");
100
+ logger.info({ submodule: SUBMODULE, agentId, decision: "skip", reason: "non_empty_final" }, "Post-batch continuation skipped");
101
101
  return ok({
102
102
  recovered: false,
103
103
  attempts: 0,
@@ -113,7 +113,7 @@ export async function runPostBatchContinuation(deps) {
113
113
  !hasThinkingBlock(last.content) &&
114
114
  !hasToolCallBlock(last.content);
115
115
  if (!lastIsEmpty) {
116
- logger.info({ module: MODULE, agentId, decision: "skip", reason: "non_empty_final" }, "Post-batch continuation skipped");
116
+ logger.info({ submodule: SUBMODULE, agentId, decision: "skip", reason: "non_empty_final" }, "Post-batch continuation skipped");
117
117
  return ok({
118
118
  recovered: false,
119
119
  attempts: 0,
@@ -141,7 +141,7 @@ export async function runPostBatchContinuation(deps) {
141
141
  /* eslint-enable @typescript-eslint/no-explicit-any */
142
142
  const priorToolNames = [...priorToolNamesSet];
143
143
  if (priorToolCallCount === 0) {
144
- logger.info({ module: MODULE, agentId, decision: "skip", reason: "no_tool_calls" }, "Post-batch continuation skipped");
144
+ logger.info({ submodule: SUBMODULE, agentId, decision: "skip", reason: "no_tool_calls" }, "Post-batch continuation skipped");
145
145
  return ok({
146
146
  recovered: false,
147
147
  attempts: 0,
@@ -152,7 +152,7 @@ export async function runPostBatchContinuation(deps) {
152
152
  }
153
153
  // Step 4: decision-log fire.
154
154
  logger.info({
155
- module: MODULE,
155
+ submodule: SUBMODULE,
156
156
  agentId,
157
157
  decision: "fire",
158
158
  reason: "empty_after_tool_batch",
@@ -170,7 +170,7 @@ export async function runPostBatchContinuation(deps) {
170
170
  const text = getVisibleAssistantText(session);
171
171
  const outcomeForLog = text && text.length > 0 ? "recovered" : "still_empty";
172
172
  logger.info({
173
- module: MODULE,
173
+ submodule: SUBMODULE,
174
174
  agentId,
175
175
  attempt,
176
176
  maxAttempts: config.maxRetries,
@@ -40,7 +40,7 @@ export interface RequestBodyInjectorConfig {
40
40
  * but system prompt + tools are still worth caching. */
41
41
  getMinTokensOverride?: () => number | undefined;
42
42
  /** Callback invoked with the API-ready payload after cache breakpoint
43
- * placement. Used by cache break detector Phase 1 to extract prompt state for
43
+ * placement. Used by the cache break detector to extract prompt state for
44
44
  * change detection. Receives the mutated params, the model, and (for Anthropic) the HTTP headers. */
45
45
  onPayloadForCacheDetection?: (params: Record<string, unknown>, model: {
46
46
  id: string;
@@ -1484,7 +1484,7 @@ export function createRequestBodyInjector(config, logger) {
1484
1484
  mergedHeaders["anthropic-beta"] = allBetas.join(", ");
1485
1485
  }
1486
1486
  }
1487
- // Feed payload to cache break detector Phase 1 (after breakpoint placement)
1487
+ // Feed payload to cache break detector (after breakpoint placement)
1488
1488
  if (config.onPayloadForCacheDetection) {
1489
1489
  config.onPayloadForCacheDetection(result, model, mergedHeaders);
1490
1490
  }
@@ -107,7 +107,7 @@ export declare function resolveToolCallingTemperature(modelTier: ModelTier): num
107
107
  * When this returns true, request-body-injector strips client-side
108
108
  * `discover_tools` from the API payload and appends `tool_search_tool_regex`
109
109
  * instead -- so any model-facing teaching string about `discover_tools`
110
- * contradicts the actual tool list and must be suppressed (260428-oyc).
110
+ * contradicts the actual tool list and must be suppressed.
111
111
  *
112
112
  * Lowercase-normalize so provider-prefixed model ids
113
113
  * (`anthropic/claude-sonnet-4`, `bedrock/anthropic.claude-opus-4`) resolve
@@ -149,7 +149,7 @@ export declare function resolveToolDescription(tool: ToolDefinition): string;
149
149
  * teaching string therefore points at direct invocation + tool-search by
150
150
  * regex, never at `discover_tools`. Without this conditional, the model
151
151
  * reads its own preamble ("call discover_tools") against a tool list that
152
- * doesn't contain that tool and gives up (260428-oyc production repro).
152
+ * doesn't contain that tool and gives up (production repro).
153
153
  *
154
154
  * @param entries - Deferred tool entries (remaining after discovery re-inclusion)
155
155
  * @param options - Optional flags. `useToolSearch=true` switches the third
@@ -102,7 +102,7 @@ export function resolveToolCallingTemperature(modelTier) {
102
102
  * When this returns true, request-body-injector strips client-side
103
103
  * `discover_tools` from the API payload and appends `tool_search_tool_regex`
104
104
  * instead -- so any model-facing teaching string about `discover_tools`
105
- * contradicts the actual tool list and must be suppressed (260428-oyc).
105
+ * contradicts the actual tool list and must be suppressed.
106
106
  *
107
107
  * Lowercase-normalize so provider-prefixed model ids
108
108
  * (`anthropic/claude-sonnet-4`, `bedrock/anthropic.claude-opus-4`) resolve
@@ -183,7 +183,7 @@ export function resolveToolDescription(tool) {
183
183
  * teaching string therefore points at direct invocation + tool-search by
184
184
  * regex, never at `discover_tools`. Without this conditional, the model
185
185
  * reads its own preamble ("call discover_tools") against a tool list that
186
- * doesn't contain that tool and gives up (260428-oyc production repro).
186
+ * doesn't contain that tool and gives up (production repro).
187
187
  *
188
188
  * @param entries - Deferred tool entries (remaining after discovery re-inclusion)
189
189
  * @param options - Optional flags. `useToolSearch=true` switches the third
@@ -257,7 +257,7 @@ export function applyToolDeferral(tools, _contextWindow, deferralContext, logger
257
257
  for (const t of tools) {
258
258
  originalToolMap.set(t.name, t);
259
259
  }
260
- // Phase 1: Rule-based deferral
260
+ // Rule-based deferral
261
261
  for (const rule of DEFERRAL_RULES) {
262
262
  if (!rule.activeWhen(deferralContext)) {
263
263
  for (const toolName of rule.tools) {
@@ -267,7 +267,7 @@ export function applyToolDeferral(tools, _contextWindow, deferralContext, logger
267
267
  }
268
268
  }
269
269
  }
270
- // Phase 2: MCP tools deferred by default (only for providers with mid-turn injection)
270
+ // MCP tools deferred by default (only for providers with mid-turn injection)
271
271
  // Providers without mid-turn injection (OpenAI, xAI, etc.) get MCP tools from the start,
272
272
  // because sub-agents only call execute() once and there is no "next execution" for
273
273
  // discovered tools to appear in.
@@ -282,7 +282,7 @@ export function applyToolDeferral(tools, _contextWindow, deferralContext, logger
282
282
  }
283
283
  }
284
284
  }
285
- // Phase 3: Small model aggressive deferral
285
+ // Small model aggressive deferral
286
286
  if (deferralContext.modelTier === "small") {
287
287
  for (const t of tools) {
288
288
  if (!deferredSet.has(t.name) && !CORE_TOOLS.has(t.name) && !deferralContext.recentlyUsedToolNames.has(t.name)) {
@@ -290,7 +290,7 @@ export function applyToolDeferral(tools, _contextWindow, deferralContext, logger
290
290
  }
291
291
  }
292
292
  }
293
- // Phase 4: Merge lifecycle-demoted tools into deferral set for unified discover_tools
293
+ // Merge lifecycle-demoted tools into deferral set for unified discover_tools
294
294
  // Clear discovery state for lifecycle-demoted tools (prevents appearing
295
295
  // in both discoveredTools and deferredEntries simultaneously)
296
296
  if (deferralContext.lifecycleDemotedNames) {
@@ -301,7 +301,7 @@ export function applyToolDeferral(tools, _contextWindow, deferralContext, logger
301
301
  }
302
302
  }
303
303
  }
304
- // Phase 5: Operator overrides (neverDefer / alwaysDefer from DeferredToolsConfigSchema)
304
+ // Operator overrides (neverDefer / alwaysDefer from DeferredToolsConfigSchema)
305
305
  if (deferralContext.neverDefer) {
306
306
  for (const name of deferralContext.neverDefer) {
307
307
  deferredSet.delete(name);
@@ -50,6 +50,23 @@ export { createModelScanner } from "./model/model-scanner.js";
50
50
  export type { ScanResult, ModelScanner, ModelScannerDeps } from "./model/model-scanner.js";
51
51
  export { createOAuthTokenManager } from "./model/oauth-token-manager.js";
52
52
  export type { OAuthTokenManager, OAuthTokenManagerDeps, OAuthError } from "./model/oauth-token-manager.js";
53
+ export { resolveProviderApiKey } from "./model/resolve-provider-api-key.js";
54
+ export type { ResolveProviderApiKeyDeps } from "./model/resolve-provider-api-key.js";
55
+ export { decodeCodexJwtPayload, resolveCodexAuthIdentity, resolveCodexStableSubject, resolveCodexAccessTokenExpiry, redactEmailForLog } from "./model/oauth-identity.js";
56
+ export { createOAuthCredentialStoreFile } from "./model/oauth-credential-store-file.js";
57
+ export type { OAuthCredentialStoreFileConfig } from "./model/oauth-credential-store-file.js";
58
+ export { selectOAuthCredentialStore } from "./model/oauth-credential-store-selector.js";
59
+ export type { SelectOAuthCredentialStoreInput, OAuthStorageMode, } from "./model/oauth-credential-store-selector.js";
60
+ export { isRemoteEnvironment } from "./model/oauth-env.js";
61
+ export type { IsRemoteEnvironmentInput } from "./model/oauth-env.js";
62
+ export { loginOpenAICodexOAuth } from "./model/oauth-login-runner.js";
63
+ export type { LoginError, LoginRunnerSuccess, LoginRunnerParams, RunnerPrompter, } from "./model/oauth-login-runner.js";
64
+ export { loginOpenAICodexDeviceCode } from "./model/oauth-device-code.js";
65
+ export type { DeviceCodeVerificationPrompt, LoginOpenAICodexDeviceCodeOptions, } from "./model/oauth-device-code.js";
66
+ export { runOAuthTlsPreflight } from "./model/oauth-tls-preflight.js";
67
+ export type { TlsPreflightResult, TlsPreflightFailureKind, RunOAuthTlsPreflightOptions, } from "./model/oauth-tls-preflight.js";
68
+ export { rewriteOAuthError } from "./model/oauth-errors.js";
69
+ export type { OAuthErrorCode, RewrittenOAuthError, } from "./model/oauth-errors.js";
53
70
  export { createAuthUsageTracker } from "./model/auth-usage-tracker.js";
54
71
  export type { AuthUsageTracker, ProfileStats, ProfileUsageInput } from "./model/auth-usage-tracker.js";
55
72
  export { createLastKnownModelTracker } from "./model/last-known-model.js";
@@ -26,7 +26,7 @@ export { createAuthProvider } from "./model/auth-provider.js";
26
26
  export { createAuthProfileManager } from "./model/auth-profile.js";
27
27
  // Auth rotation adapter (key rotation with cooldown)
28
28
  export { createAuthRotationAdapter } from "./model/auth-rotation-adapter.js";
29
- // Image-aware model routing (existing + image fallback chain from 62-05)
29
+ // Image-aware model routing (existing + image fallback chain)
30
30
  export { resolveModelForMessage, isVisionCapable, createImageFallbackChain } from "./model/image-router.js";
31
31
  // Model allowlist
32
32
  export { createModelAllowlist } from "./model/model-allowlist.js";
@@ -40,9 +40,30 @@ export { createModelCatalog, resolveModelPricing, ZERO_COST } from "./model/mode
40
40
  export { getCacheProviderInfo } from "./executor/cache-usage-helpers.js";
41
41
  // Model scanner
42
42
  export { createModelScanner } from "./model/model-scanner.js";
43
- // OAuth token manager (from 62-03)
43
+ // OAuth token manager
44
44
  export { createOAuthTokenManager } from "./model/oauth-token-manager.js";
45
- // Auth usage tracker (from 62-05)
45
+ // Per-LLM-call OAuth dispatch helper — shared helper used by PiExecutor.execute()
46
+ // pre-hook and the two compaction getApiKey callbacks. Re-exported so the
47
+ // integration test can drive the same resolver hook the executor uses.
48
+ export { resolveProviderApiKey } from "./model/resolve-provider-api-key.js";
49
+ // OAuth identity — pure-function JWT decoder + identity resolver + redaction helper
50
+ export { decodeCodexJwtPayload, resolveCodexAuthIdentity, resolveCodexStableSubject, resolveCodexAccessTokenExpiry, redactEmailForLog } from "./model/oauth-identity.js";
51
+ // OAuth credential store — file adapter (plaintext file-backed adapter with atomic write + per-profile lock + schema versioning)
52
+ export { createOAuthCredentialStoreFile } from "./model/oauth-credential-store-file.js";
53
+ // OAuth credential store selector — lives here so the CLI process can
54
+ // instantiate the same adapter the daemon uses
55
+ export { selectOAuthCredentialStore } from "./model/oauth-credential-store-selector.js";
56
+ // OAuth env detection — pure function for VPS/headless heuristic
57
+ export { isRemoteEnvironment } from "./model/oauth-env.js";
58
+ // OAuth login runner — interactive login orchestrator
59
+ export { loginOpenAICodexOAuth } from "./model/oauth-login-runner.js";
60
+ // Device-code OAuth flow
61
+ export { loginOpenAICodexDeviceCode } from "./model/oauth-device-code.js";
62
+ // OAuth TLS preflight
63
+ export { runOAuthTlsPreflight } from "./model/oauth-tls-preflight.js";
64
+ // OAuth error catalogue
65
+ export { rewriteOAuthError } from "./model/oauth-errors.js";
66
+ // Auth usage tracker
46
67
  export { createAuthUsageTracker } from "./model/auth-usage-tracker.js";
47
68
  // Last-known-working model tracker (auth-failure fallback)
48
69
  export { createLastKnownModelTracker } from "./model/last-known-model.js";
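Review bot: `decodeCodexJwtPayload` becomes part of the package's public surface in this hunk, and the comment above it describes it only as a "pure-function JWT decoder", which does not say whether the token signature is checked. If it only decodes the payload, as the name suggests (the implementation is not on this page), callers outside the OAuth flow could mistake its claims for verified ones. A comment would settle it, e.g. `// decodeCodexJwtPayload does not verify the token signature; treat the returned claims as untrusted input`. The same export is added to the typings in the index.d.ts hunk, where a TSDoc line with the same statement would reach consumers.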
@@ -107,15 +128,15 @@ export { withPromptTimeout, withResettablePromptTimeout, PromptTimeoutError } fr
107
128
  // Error classification (user-safe error messages)
108
129
  export { classifyError, classifyPromptTimeout } from "./executor/error-classifier.js";
109
130
  export { composeStreamWrappers, createConfigResolver, createRequestBodyInjector, createCacheTraceWriter, createApiPayloadTraceWriter, createToolResultSizeBouncer, clearSessionRenderedToolCache } from "./executor/stream-wrappers/index.js";
110
- // Active run registry (-- tracks running sessions for mid-stream steering)
131
+ // Active run registry (tracks running sessions for mid-stream steering)
111
132
  export { createActiveRunRegistry } from "./executor/active-run-registry.js";
112
133
  // Cache break detection
113
134
  export { clearCacheBreakDetectorSession, extractGeminiPromptState } from "./executor/cache-break-detection.js";
114
- // Cache break diff writer ()
135
+ // Cache break diff writer
115
136
  export { createCacheBreakDiffWriter } from "./executor/cache-break-diff-writer.js";
116
137
  // Gemini cache injector
117
138
  export { createGeminiCacheInjector } from "./executor/gemini-cache-injector.js";
118
- // Gemini cache manager ()
139
+ // Gemini cache manager
119
140
  export { createGeminiCacheManager, computeCacheContentHash } from "./executor/gemini-cache-manager.js";
120
141
  // Gemini cache lifecycle
121
142
  export { wireGeminiCacheCleanup } from "./executor/gemini-cache-lifecycle.js";
@@ -166,24 +187,24 @@ export { createResultCondenser } from "./spawn/index.js";
166
187
  export { createNarrativeCaster } from "./spawn/index.js";
167
188
  export { createLifecycleHooks, deriveSubagentContextEngineConfig } from "./spawn/index.js";
168
189
  export { createEphemeralComisSessionManager } from "./spawn/index.js";
169
- // Context engine (, )
190
+ // Context engine
170
191
  export { createContextEngine } from "./context-engine/index.js";
171
192
  export { createThinkingBlockCleaner } from "./context-engine/index.js";
172
193
  export { computeTokenBudget } from "./context-engine/index.js";
173
- // DAG reconciliation, compaction, integrity, and assembler (Phases 411-414)
194
+ // DAG reconciliation, compaction, integrity, and assembler
174
195
  export { reconcileJsonlToDag, installDagIngestionHook, createDagContextEngine, runLeafPass, runCondensedPass, resolveFreshTailBoundary, shouldCompact, markAncestorsDirty, recomputeDescendantCounts, runDagCompaction, checkIntegrity, CHARS_PER_TOKEN_RATIO, } from "./context-engine/index.js";
175
196
  // Provider capabilities
176
197
  export { DEFAULTS as PROVIDER_CAPABILITY_DEFAULTS, resolveProviderCapabilities, normalizeProviderId, isAnthropicFamily, isOpenAiFamily, shouldDropThinkingBlocks, resolveToolCallIdMode, validateProviderOverrides, } from "./provider/capabilities.js";
177
198
  // Model compatibility auto-detection (xAI compat flags)
178
199
  export { normalizeModelCompat } from "./provider/model-compat.js";
179
- // Model ID normalization ()
200
+ // Model ID normalization
180
201
  export { normalizeModelId } from "./provider/model-id-normalize.js";
181
202
  // Response sanitization pipeline
182
203
  export { sanitizeAssistantResponse, setSanitizeLogger, extractFinalTagContent } from "./provider/response/sanitize-pipeline.js";
183
- // Response filter utilities ( -- used by ThinkingTagFilter)
204
+ // Response filter utilities (used by ThinkingTagFilter)
184
205
  export { stripReasoningTagsFromText } from "./response-filter/reasoning-tags.js";
185
206
  export { findCodeRegions, isInsideCode } from "./response-filter/code-regions.js";
186
- // Thinking tag filter ( -- moved from @comis/channels)
207
+ // Thinking tag filter (moved from @comis/channels)
187
208
  export { createThinkingTagFilter } from "./response-filter/thinking-tag-filter.js";
188
209
  // Operation model resolver
189
210
  export { resolveOperationModel, resolveProviderFamily } from "./model/operation-model-resolver.js";
@@ -12,7 +12,8 @@
12
12
  */
13
13
  import type { AuthStorage } from "@mariozechner/pi-coding-agent";
14
14
  import type { SecretManager } from "@comis/core";
15
- import type { TypedEventBus } from "@comis/core";
15
+ import type { TypedEventBus, OAuthCredentialStorePort } from "@comis/core";
16
+ import type { ComisLogger } from "@comis/infra";
16
17
  import { type AuthProfileManager, type AuthProfile, type OrderingStrategy } from "./auth-profile.js";
17
18
  import { type AuthRotationAdapter } from "./auth-rotation-adapter.js";
18
19
  import { type AuthUsageTracker } from "./auth-usage-tracker.js";
@@ -35,10 +36,32 @@ export interface AuthProviderConfig {
35
36
  cooldownCapMs?: number;
36
37
  /** OAuth configuration. When provided, creates an OAuthTokenManager. */
37
38
  oauth?: {
38
- /** EventBus for emitting auth:token_rotated events. */
39
+ /** EventBus for emitting auth events (token_rotated, profile_bootstrapped, refresh_failed). */
39
40
  eventBus: TypedEventBus;
41
+ /** Credential store for persistent refresh — REQUIRED. */
42
+ credentialStore: OAuthCredentialStorePort;
43
+ /** Logger for OAuth log events — REQUIRED. */
44
+ logger: ComisLogger;
45
+ /** Data directory for lock-file path resolution — REQUIRED. */
46
+ dataDir: string;
40
47
  /** Prefix for SecretManager key names (default: "OAUTH_"). */
41
48
  keyPrefix?: string;
49
+ /**
50
+ * Absolute path to auth-profiles.json for the chokidar watcher. When set,
51
+ * OAuthTokenManager registers a file watcher that invalidates its in-memory
52
+ * cache on external rewrites (CLI auth login). Pass `undefined` for
53
+ * encrypted-store mode (documented limitation).
54
+ */
55
+ watchPath?: string;
56
+ /**
57
+ * Getter for the agent's oauthProfiles map. Called fresh on every
58
+ * OAuthTokenManager.getApiKey() invocation. Optional — falls back to a
59
+ * no-agent-level-preference contract when absent. The closure implementation
60
+ * should dereference the daemon's stable
61
+ * `container.config.agents[agentId]?.oauthProfiles` so the value is observed
62
+ * across `agents.update` reference-replacements without a daemon restart.
63
+ */
64
+ getAgentOauthProfiles?: () => Record<string, string> | undefined;
42
65
  };
43
66
  }
44
67
  /** Unified auth provider exposing all composed auth modules. */
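Review bot: The `watchPath` doc tells callers to pass `undefined` in encrypted-store mode and calls that a "documented limitation" without saying what the limitation is or where it is documented. Reading the sentence before it, the in-memory cache would then presumably not be invalidated when a CLI auth login rewrites the stored credentials, so a running daemon could keep using the previous credential. The comment should state that consequence and the expected recovery step. Separately, `credentialStore`, `logger` and `dataDir` are new required members of an exported interface, which is a compile-time break for existing TypeScript callers of `AuthProviderConfig.oauth` and is worth calling out in the release notes.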
@@ -69,7 +69,13 @@ export function createAuthProvider(config) {
69
69
  const oauthDeps = {
70
70
  secretManager,
71
71
  eventBus: oauth.eventBus,
72
+ credentialStore: oauth.credentialStore,
73
+ logger: oauth.logger,
74
+ dataDir: oauth.dataDir,
72
75
  keyPrefix: oauth.keyPrefix,
76
+ watchPath: oauth.watchPath,
77
+ // Thread the agent oauthProfiles getter through.
78
+ getAgentOauthProfiles: oauth.getAgentOauthProfiles,
73
79
  };
74
80
  oauthManager = createOAuthTokenManager(oauthDeps);
75
81
  }
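Review bot: `oauth.credentialStore`, `oauth.logger` and `oauth.dataDir` are copied into `oauthDeps` without any check, although the typings mark all three as required. A plain-JavaScript caller, or one still built against the previous shape of the `oauth` option, passes `undefined` for them, and whether `createOAuthTokenManager` rejects that is not visible in this hunk. A guard before the object literal would make the failure happen at construction with a clear message: `if (!oauth.credentialStore || !oauth.logger || !oauth.dataDir) throw new Error("oauth.credentialStore, oauth.logger and oauth.dataDir are required");`. createAuthProvider starts and ends outside this hunk.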
@@ -10,9 +10,9 @@
10
10
  * still routed to Claude Haiku, defeating the cost-tiering intent and
11
11
  * causing cross-provider auth confusion (no Anthropic API key configured).
12
12
  *
13
- * Phase 2C-2 changes the schema default to "" and resolves at runtime:
14
- * pick the fast-tier model from `resolveOperationDefaults(primaryProvider)`,
15
- * with `getModels(primaryProvider)[0]` as the catalog-fallback.
13
+ * The schema default is "" and the value is resolved at runtime: pick the
14
+ * fast-tier model from `resolveOperationDefaults(primaryProvider)`, with
15
+ * `getModels(primaryProvider)[0]` as the catalog-fallback.
16
16
  *
17
17
  * Note: explicit `compactionModel` values from existing YAML configs win
18
18
  * unchanged (length > 0 short-circuits the resolver). No backward-compat
@@ -11,9 +11,9 @@
11
11
  * still routed to Claude Haiku, defeating the cost-tiering intent and
12
12
  * causing cross-provider auth confusion (no Anthropic API key configured).
13
13
  *
14
- * Phase 2C-2 changes the schema default to "" and resolves at runtime:
15
- * pick the fast-tier model from `resolveOperationDefaults(primaryProvider)`,
16
- * with `getModels(primaryProvider)[0]` as the catalog-fallback.
14
+ * The schema default is "" and the value is resolved at runtime: pick the
15
+ * fast-tier model from `resolveOperationDefaults(primaryProvider)`, with
16
+ * `getModels(primaryProvider)[0]` as the catalog-fallback.
17
17
  *
18
18
  * Note: explicit `compactionModel` values from existing YAML configs win
19
19
  * unchanged (length > 0 short-circuits the resolver). No backward-compat
@@ -0,0 +1,37 @@
1
+ /**
2
+ * Plaintext file-backed OAuthCredentialStorePort adapter.
3
+ *
4
+ * Default storage backend for OAuth credentials (derives from existing
5
+ * dataDir, no separate config key). Stores all profiles in a single JSON
6
+ * file at ${dataDir}/auth-profiles.json with mode 0o600.
7
+ *
8
+ * Atomic write sequence (full POSIX crash safety on ext4):
9
+ * write tmp 0o600 → fsync(tmpFd) → close(tmpFd) → rename(tmp, canonical)
10
+ * → fsync(parentDirFd) → close(parentDirFd)
11
+ *
12
+ * cron-store.ts does NOT fsync the parent directory; this adapter MUST
13
+ * because OAuth credentials are security-critical (a lost rename due to
14
+ * power-loss-after-data-write would silently log the user out).
15
+ *
16
+ * Per-profile-ID locking via withExecutionLock: different providers and
17
+ * different identities for the same provider can refresh in parallel.
18
+ *
19
+ * Schema versioning: single integer version at top level. Hard-fail on
20
+ * mismatch — pre-1.0 software, no migration plumbing.
21
+ *
22
+ * @module
23
+ */
24
+ import { type OAuthCredentialStorePort } from "@comis/core";
25
+ export interface OAuthCredentialStoreFileConfig {
26
+ /** Comis data directory (e.g. ~/.comis). The adapter writes to ${dataDir}/auth-profiles.json. */
27
+ dataDir: string;
28
+ }
29
+ /**
30
+ * Create a plaintext file-backed OAuthCredentialStorePort adapter.
31
+ *
32
+ * Atomic, lock-protected, version-validated. Lifecycle:
33
+ * - On factory call: ensures dataDir exists (mkdir 0o700 recursive); cleans up stale .tmp files.
34
+ * - On every set/delete: per-profile-ID file lock → load → mutate → atomic-write.
35
+ * - On every get/has/list: load (no lock — readers see snapshot per POSIX rename atomicity).
36
+ */
37
+ export declare function createOAuthCredentialStoreFile(config: OAuthCredentialStoreFileConfig): OAuthCredentialStorePort;
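Review bot: The header specifies the modes used when the adapter creates things (file 0o600, `mkdir 0o700 recursive`) but says nothing about a `dataDir` or `auth-profiles.json` that already exists with broader permissions. A recursive mkdir does not change the mode of an existing directory, and a directory writable by another account would let that account replace the credentials file regardless of the file's own mode. The implementation is not on this page, so this may already be handled. The doc comment on `createOAuthCredentialStoreFile` should say whether owner and mode are checked on load, and note that these POSIX modes are not enforced on Windows.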