comisai 1.0.34 → 1.0.37

Files changed (448)
  1. package/node_modules/@comis/agent/dist/background/auto-background-middleware.d.ts +11 -1
  2. package/node_modules/@comis/agent/dist/background/auto-background-middleware.js +30 -4
  3. package/node_modules/@comis/agent/dist/background/background-task-manager.d.ts +22 -2
  4. package/node_modules/@comis/agent/dist/background/background-task-manager.js +88 -40
  5. package/node_modules/@comis/agent/dist/background/background-task-persistence.js +34 -4
  6. package/node_modules/@comis/agent/dist/background/background-task-types.d.ts +59 -3
  7. package/node_modules/@comis/agent/dist/background/background-task-types.js +1 -1
  8. package/node_modules/@comis/agent/dist/background/completion-dispatcher.d.ts +130 -0
  9. package/node_modules/@comis/agent/dist/background/completion-dispatcher.js +215 -0
  10. package/node_modules/@comis/agent/dist/background/completion-formatter.d.ts +39 -0
  11. package/node_modules/@comis/agent/dist/background/completion-formatter.js +77 -0
  12. package/node_modules/@comis/agent/dist/background/completion-runner.d.ts +62 -0
  13. package/node_modules/@comis/agent/dist/background/completion-runner.js +234 -0
  14. package/node_modules/@comis/agent/dist/background/index.d.ts +10 -1
  15. package/node_modules/@comis/agent/dist/background/index.js +4 -0
  16. package/node_modules/@comis/agent/dist/background/session-resolver.d.ts +85 -0
  17. package/node_modules/@comis/agent/dist/background/session-resolver.js +78 -0
  18. package/node_modules/@comis/agent/dist/bootstrap/sections/messaging-sections.js +1 -0
  19. package/node_modules/@comis/agent/dist/bootstrap/sections/tool-descriptions.js +3 -3
  20. package/node_modules/@comis/agent/dist/bootstrap/sections/tooling-sections.d.ts +30 -2
  21. package/node_modules/@comis/agent/dist/bootstrap/sections/tooling-sections.js +51 -2
  22. package/node_modules/@comis/agent/dist/bootstrap/system-prompt-assembler.d.ts +22 -0
  23. package/node_modules/@comis/agent/dist/bootstrap/system-prompt-assembler.js +2 -2
  24. package/node_modules/@comis/agent/dist/bridge/bridge-event-handlers.d.ts +1 -5
  25. package/node_modules/@comis/agent/dist/bridge/bridge-event-handlers.js +2 -14
  26. package/node_modules/@comis/agent/dist/bridge/bridge-metrics.d.ts +43 -2
  27. package/node_modules/@comis/agent/dist/bridge/bridge-metrics.js +17 -2
  28. package/node_modules/@comis/agent/dist/bridge/pi-event-bridge.d.ts +32 -23
  29. package/node_modules/@comis/agent/dist/bridge/pi-event-bridge.js +145 -62
  30. package/node_modules/@comis/agent/dist/bridge/thinking-block-hash-invariant.d.ts +6 -7
  31. package/node_modules/@comis/agent/dist/bridge/thinking-block-hash-invariant.js +24 -25
  32. package/node_modules/@comis/agent/dist/budget/cost-tracker.d.ts +1 -1
  33. package/node_modules/@comis/agent/dist/context-engine/constants.d.ts +5 -5
  34. package/node_modules/@comis/agent/dist/context-engine/constants.js +12 -12
  35. package/node_modules/@comis/agent/dist/context-engine/context-engine.js +13 -4
  36. package/node_modules/@comis/agent/dist/context-engine/dag-annotator.d.ts +1 -2
  37. package/node_modules/@comis/agent/dist/context-engine/dag-annotator.js +1 -2
  38. package/node_modules/@comis/agent/dist/context-engine/llm-compaction.js +20 -16
  39. package/node_modules/@comis/agent/dist/context-engine/rehydration.js +6 -6
  40. package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.d.ts +12 -12
  41. package/node_modules/@comis/agent/dist/context-engine/signature-replay-scrubber.js +36 -22
  42. package/node_modules/@comis/agent/dist/context-engine/signature-surrogate-guard.d.ts +10 -10
  43. package/node_modules/@comis/agent/dist/context-engine/signature-surrogate-guard.js +14 -14
  44. package/node_modules/@comis/agent/dist/context-engine/thinking-block-cleaner.d.ts +11 -13
  45. package/node_modules/@comis/agent/dist/context-engine/thinking-block-cleaner.js +14 -15
  46. package/node_modules/@comis/agent/dist/context-engine/types-core.d.ts +15 -0
  47. package/node_modules/@comis/agent/dist/executor/cache-break-detection.d.ts +6 -6
  48. package/node_modules/@comis/agent/dist/executor/cache-break-detection.js +8 -8
  49. package/node_modules/@comis/agent/dist/executor/capability-index-context.d.ts +72 -0
  50. package/node_modules/@comis/agent/dist/executor/capability-index-context.js +329 -0
  51. package/node_modules/@comis/agent/dist/executor/drain-helper.d.ts +122 -0
  52. package/node_modules/@comis/agent/dist/executor/drain-helper.js +173 -0
  53. package/node_modules/@comis/agent/dist/executor/error-classifier.js +2 -2
  54. package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.d.ts +16 -0
  55. package/node_modules/@comis/agent/dist/executor/executor-context-engine-setup.js +46 -5
  56. package/node_modules/@comis/agent/dist/executor/executor-post-execution.d.ts +78 -4
  57. package/node_modules/@comis/agent/dist/executor/executor-post-execution.js +150 -31
  58. package/node_modules/@comis/agent/dist/executor/executor-prompt-runner.d.ts +7 -0
  59. package/node_modules/@comis/agent/dist/executor/executor-prompt-runner.js +26 -5
  60. package/node_modules/@comis/agent/dist/executor/executor-response-filter.d.ts +7 -6
  61. package/node_modules/@comis/agent/dist/executor/executor-response-filter.js +9 -42
  62. package/node_modules/@comis/agent/dist/executor/executor-tool-assembly.d.ts +18 -1
  63. package/node_modules/@comis/agent/dist/executor/executor-tool-assembly.js +20 -18
  64. package/node_modules/@comis/agent/dist/executor/gemini-cache-injector.d.ts +2 -2
  65. package/node_modules/@comis/agent/dist/executor/gemini-cache-injector.js +4 -4
  66. package/node_modules/@comis/agent/dist/executor/jit-guide-injector.d.ts +11 -2
  67. package/node_modules/@comis/agent/dist/executor/jit-guide-injector.js +16 -2
  68. package/node_modules/@comis/agent/dist/executor/phase-filter.d.ts +2 -2
  69. package/node_modules/@comis/agent/dist/executor/phase-filter.js +5 -7
  70. package/node_modules/@comis/agent/dist/executor/pi-executor.d.ts +21 -2
  71. package/node_modules/@comis/agent/dist/executor/pi-executor.js +96 -18
  72. package/node_modules/@comis/agent/dist/executor/post-batch-continuation.js +7 -7
  73. package/node_modules/@comis/agent/dist/executor/prompt-assembly.d.ts +9 -1
  74. package/node_modules/@comis/agent/dist/executor/prompt-assembly.js +15 -1
  75. package/node_modules/@comis/agent/dist/executor/stream-wrappers/request-body-injector.d.ts +1 -1
  76. package/node_modules/@comis/agent/dist/executor/stream-wrappers/request-body-injector.js +1 -1
  77. package/node_modules/@comis/agent/dist/executor/tool-deferral.d.ts +18 -27
  78. package/node_modules/@comis/agent/dist/executor/tool-deferral.js +34 -43
  79. package/node_modules/@comis/agent/dist/index.d.ts +17 -0
  80. package/node_modules/@comis/agent/dist/index.js +32 -11
  81. package/node_modules/@comis/agent/dist/model/auth-provider.d.ts +25 -2
  82. package/node_modules/@comis/agent/dist/model/auth-provider.js +6 -0
  83. package/node_modules/@comis/agent/dist/model/compaction-model-resolver.d.ts +3 -3
  84. package/node_modules/@comis/agent/dist/model/compaction-model-resolver.js +3 -3
  85. package/node_modules/@comis/agent/dist/model/model-registry-adapter.js +1 -1
  86. package/node_modules/@comis/agent/dist/model/model-scanner.js +1 -1
  87. package/node_modules/@comis/agent/dist/model/oauth-credential-store-file.d.ts +37 -0
  88. package/node_modules/@comis/agent/dist/model/oauth-credential-store-file.js +279 -0
  89. package/node_modules/@comis/agent/dist/model/oauth-credential-store-selector.d.ts +49 -0
  90. package/node_modules/@comis/agent/dist/model/oauth-credential-store-selector.js +50 -0
  91. package/node_modules/@comis/agent/dist/model/oauth-device-code.d.ts +57 -0
  92. package/node_modules/@comis/agent/dist/model/oauth-device-code.js +302 -0
  93. package/node_modules/@comis/agent/dist/model/oauth-env.d.ts +33 -0
  94. package/node_modules/@comis/agent/dist/model/oauth-env.js +38 -0
  95. package/node_modules/@comis/agent/dist/model/oauth-errors.d.ts +41 -0
  96. package/node_modules/@comis/agent/dist/model/oauth-errors.js +88 -0
  97. package/node_modules/@comis/agent/dist/model/oauth-identity.d.ts +53 -0
  98. package/node_modules/@comis/agent/dist/model/oauth-identity.js +141 -0
  99. package/node_modules/@comis/agent/dist/model/oauth-login-runner.d.ts +99 -0
  100. package/node_modules/@comis/agent/dist/model/oauth-login-runner.js +374 -0
  101. package/node_modules/@comis/agent/dist/model/oauth-tls-preflight.d.ts +58 -0
  102. package/node_modules/@comis/agent/dist/model/oauth-tls-preflight.js +82 -0
  103. package/node_modules/@comis/agent/dist/model/oauth-token-manager.d.ts +86 -16
  104. package/node_modules/@comis/agent/dist/model/oauth-token-manager.js +961 -66
  105. package/node_modules/@comis/agent/dist/model/operation-model-defaults.d.ts +9 -4
  106. package/node_modules/@comis/agent/dist/model/operation-model-defaults.js +36 -9
  107. package/node_modules/@comis/agent/dist/model/resolve-provider-api-key.d.ts +48 -0
  108. package/node_modules/@comis/agent/dist/model/resolve-provider-api-key.js +66 -0
  109. package/node_modules/@comis/agent/dist/provider/capabilities.d.ts +5 -5
  110. package/node_modules/@comis/agent/dist/provider/capabilities.js +10 -23
  111. package/node_modules/@comis/agent/dist/safety/tool-output-safety.js +3 -3
  112. package/node_modules/@comis/agent/dist/safety/tool-retry-breaker.d.ts +11 -1
  113. package/node_modules/@comis/agent/dist/safety/tool-retry-breaker.js +19 -22
  114. package/node_modules/@comis/agent/dist/session/comis-session-manager.d.ts +17 -3
  115. package/node_modules/@comis/agent/dist/session/comis-session-manager.js +1 -1
  116. package/node_modules/@comis/agent/dist/spawn/narrative-caster.d.ts +10 -0
  117. package/node_modules/@comis/agent/dist/spawn/narrative-caster.js +5 -1
  118. package/node_modules/@comis/agent/dist/spawn/pi-mono-adapters.d.ts +1 -1
  119. package/node_modules/@comis/agent/dist/spawn/pi-mono-adapters.js +5 -5
  120. package/node_modules/@comis/agent/dist/workspace/data-env.d.ts +38 -0
  121. package/node_modules/@comis/agent/dist/workspace/data-env.js +56 -0
  122. package/node_modules/@comis/agent/dist/workspace/index.d.ts +1 -0
  123. package/node_modules/@comis/agent/dist/workspace/index.js +1 -0
  124. package/node_modules/@comis/agent/dist/workspace/templates.js +5 -1
  125. package/node_modules/@comis/agent/package.json +1 -1
  126. package/node_modules/@comis/channels/dist/email/email-adapter.js +6 -6
  127. package/node_modules/@comis/channels/dist/email/imap-lifecycle.js +7 -7
  128. package/node_modules/@comis/channels/dist/index.d.ts +1 -1
  129. package/node_modules/@comis/channels/dist/index.js +1 -1
  130. package/node_modules/@comis/channels/dist/shared/channel-manager.d.ts +9 -3
  131. package/node_modules/@comis/channels/dist/shared/deliver-to-channel.js +12 -10
  132. package/node_modules/@comis/channels/dist/shared/inbound-gate.d.ts +1 -1
  133. package/node_modules/@comis/channels/dist/shared/inbound-gate.js +22 -7
  134. package/node_modules/@comis/channels/dist/shared/inbound-pipeline.d.ts +10 -3
  135. package/node_modules/@comis/channels/dist/shared/inbound-route.d.ts +1 -1
  136. package/node_modules/@comis/channels/dist/shared/inbound-route.js +13 -2
  137. package/node_modules/@comis/channels/dist/shared/response-filter.d.ts +11 -24
  138. package/node_modules/@comis/channels/dist/shared/response-filter.js +25 -53
  139. package/node_modules/@comis/channels/dist/telegram/telegram-adapter.js +1 -1
  140. package/node_modules/@comis/channels/package.json +1 -1
  141. package/node_modules/@comis/cli/dist/cli.js +2 -0
  142. package/node_modules/@comis/cli/dist/commands/agent.d.ts +3 -3
  143. package/node_modules/@comis/cli/dist/commands/agent.js +46 -3
  144. package/node_modules/@comis/cli/dist/commands/auth.d.ts +37 -0
  145. package/node_modules/@comis/cli/dist/commands/auth.js +433 -0
  146. package/node_modules/@comis/cli/dist/commands/doctor.d.ts +4 -1
  147. package/node_modules/@comis/cli/dist/commands/doctor.js +20 -5
  148. package/node_modules/@comis/cli/dist/commands/providers.d.ts +1 -2
  149. package/node_modules/@comis/cli/dist/commands/providers.js +5 -6
  150. package/node_modules/@comis/cli/dist/doctor/checks/oauth-health.d.ts +39 -0
  151. package/node_modules/@comis/cli/dist/doctor/checks/oauth-health.js +399 -0
  152. package/node_modules/@comis/cli/dist/doctor/types.d.ts +19 -0
  153. package/node_modules/@comis/cli/dist/index.d.ts +1 -0
  154. package/node_modules/@comis/cli/dist/index.js +10 -4
  155. package/node_modules/@comis/cli/dist/output/relative-time.d.ts +23 -0
  156. package/node_modules/@comis/cli/dist/output/relative-time.js +36 -0
  157. package/node_modules/@comis/cli/dist/wizard/non-interactive.js +17 -8
  158. package/node_modules/@comis/cli/dist/wizard/steps/03-provider.js +2 -1
  159. package/node_modules/@comis/cli/dist/wizard/steps/04-credentials.js +223 -34
  160. package/node_modules/@comis/cli/dist/wizard/steps/10-write-config.js +14 -0
  161. package/node_modules/@comis/cli/dist/wizard/steps/11-daemon-start.js +3 -3
  162. package/node_modules/@comis/cli/dist/wizard/types.d.ts +7 -0
  163. package/node_modules/@comis/cli/package.json +1 -1
  164. package/node_modules/@comis/core/dist/bootstrap.d.ts +1 -1
  165. package/node_modules/@comis/core/dist/config/env-substitution.d.ts +66 -0
  166. package/node_modules/@comis/core/dist/config/env-substitution.js +115 -0
  167. package/node_modules/@comis/core/dist/config/field-metadata.js +2 -0
  168. package/node_modules/@comis/core/dist/config/immutable-keys.js +4 -1
  169. package/node_modules/@comis/core/dist/config/index.d.ts +7 -1
  170. package/node_modules/@comis/core/dist/config/index.js +4 -1
  171. package/node_modules/@comis/core/dist/config/loader.js +61 -0
  172. package/node_modules/@comis/core/dist/config/managed-sections.d.ts +3 -3
  173. package/node_modules/@comis/core/dist/config/managed-sections.js +10 -5
  174. package/node_modules/@comis/core/dist/config/schema-agent.d.ts +4 -792
  175. package/node_modules/@comis/core/dist/config/schema-agent.js +16 -1
  176. package/node_modules/@comis/core/dist/config/schema-approvals.d.ts +0 -14
  177. package/node_modules/@comis/core/dist/config/schema-auto-reply-engine.d.ts +0 -6
  178. package/node_modules/@comis/core/dist/config/schema-background-tasks.d.ts +1 -6
  179. package/node_modules/@comis/core/dist/config/schema-background-tasks.js +7 -0
  180. package/node_modules/@comis/core/dist/config/schema-browser.d.ts +0 -18
  181. package/node_modules/@comis/core/dist/config/schema-channel.d.ts +0 -158
  182. package/node_modules/@comis/core/dist/config/schema-coalescer.d.ts +0 -5
  183. package/node_modules/@comis/core/dist/config/schema-daemon.d.ts +0 -32
  184. package/node_modules/@comis/core/dist/config/schema-delivery.d.ts +1 -17
  185. package/node_modules/@comis/core/dist/config/schema-delivery.js +2 -0
  186. package/node_modules/@comis/core/dist/config/schema-documentation.d.ts +0 -12
  187. package/node_modules/@comis/core/dist/config/schema-embedding.d.ts +0 -20
  188. package/node_modules/@comis/core/dist/config/schema-envelope.d.ts +0 -15
  189. package/node_modules/@comis/core/dist/config/schema-gateway.d.ts +0 -37
  190. package/node_modules/@comis/core/dist/config/schema-gemini-cache.d.ts +0 -4
  191. package/node_modules/@comis/core/dist/config/schema-gemini-cache.js +0 -2
  192. package/node_modules/@comis/core/dist/config/schema-integrations.d.ts +0 -318
  193. package/node_modules/@comis/core/dist/config/schema-lifecycle-reactions.d.ts +0 -18
  194. package/node_modules/@comis/core/dist/config/schema-memory-review.d.ts +0 -7
  195. package/node_modules/@comis/core/dist/config/schema-memory.d.ts +0 -16
  196. package/node_modules/@comis/core/dist/config/schema-messages.d.ts +0 -8
  197. package/node_modules/@comis/core/dist/config/schema-models.d.ts +0 -15
  198. package/node_modules/@comis/core/dist/config/schema-notification.d.ts +0 -5
  199. package/node_modules/@comis/core/dist/config/schema-oauth.d.ts +18 -0
  200. package/node_modules/@comis/core/dist/config/schema-oauth.js +19 -0
  201. package/node_modules/@comis/core/dist/config/schema-observability.d.ts +0 -38
  202. package/node_modules/@comis/core/dist/config/schema-output-retention.d.ts +34 -0
  203. package/node_modules/@comis/core/dist/config/schema-output-retention.js +48 -0
  204. package/node_modules/@comis/core/dist/config/schema-plugins.d.ts +0 -8
  205. package/node_modules/@comis/core/dist/config/schema-providers.d.ts +0 -64
  206. package/node_modules/@comis/core/dist/config/schema-queue.d.ts +0 -58
  207. package/node_modules/@comis/core/dist/config/schema-response-prefix.d.ts +0 -2
  208. package/node_modules/@comis/core/dist/config/schema-retry.d.ts +0 -6
  209. package/node_modules/@comis/core/dist/config/schema-scheduler.d.ts +0 -39
  210. package/node_modules/@comis/core/dist/config/schema-secrets.d.ts +0 -3
  211. package/node_modules/@comis/core/dist/config/schema-security.d.ts +0 -18
  212. package/node_modules/@comis/core/dist/config/schema-send-policy.d.ts +0 -13
  213. package/node_modules/@comis/core/dist/config/schema-sender-trust-display.d.ts +0 -5
  214. package/node_modules/@comis/core/dist/config/schema-serializer.js +2 -0
  215. package/node_modules/@comis/core/dist/config/schema-skills.d.ts +0 -63
  216. package/node_modules/@comis/core/dist/config/schema-skills.js +3 -4
  217. package/node_modules/@comis/core/dist/config/schema-streaming.d.ts +0 -38
  218. package/node_modules/@comis/core/dist/config/schema-telegram-file-guard.d.ts +0 -3
  219. package/node_modules/@comis/core/dist/config/schema-tooling.d.ts +87 -0
  220. package/node_modules/@comis/core/dist/config/schema-tooling.js +152 -0
  221. package/node_modules/@comis/core/dist/config/schema-verbosity.d.ts +0 -12
  222. package/node_modules/@comis/core/dist/config/schema-webhooks.d.ts +0 -40
  223. package/node_modules/@comis/core/dist/config/schema.d.ts +50 -37
  224. package/node_modules/@comis/core/dist/config/schema.js +9 -0
  225. package/node_modules/@comis/core/dist/context/context.d.ts +0 -4
  226. package/node_modules/@comis/core/dist/domain/approval-request.d.ts +0 -17
  227. package/node_modules/@comis/core/dist/domain/background-task-origin.d.ts +29 -0
  228. package/node_modules/@comis/core/dist/domain/background-task-origin.js +39 -0
  229. package/node_modules/@comis/core/dist/domain/delivery-origin.d.ts +0 -5
  230. package/node_modules/@comis/core/dist/domain/execution-graph.d.ts +0 -48
  231. package/node_modules/@comis/core/dist/domain/memory-entry.d.ts +0 -3
  232. package/node_modules/@comis/core/dist/domain/model-compat.d.ts +0 -4
  233. package/node_modules/@comis/core/dist/domain/normalized-message.d.ts +0 -15
  234. package/node_modules/@comis/core/dist/domain/provider-capabilities.d.ts +0 -6
  235. package/node_modules/@comis/core/dist/domain/rich-message.d.ts +0 -14
  236. package/node_modules/@comis/core/dist/domain/subagent-context-config.d.ts +0 -22
  237. package/node_modules/@comis/core/dist/domain/subagent-context-types.d.ts +0 -8
  238. package/node_modules/@comis/core/dist/event-bus/events-agent.d.ts +31 -0
  239. package/node_modules/@comis/core/dist/event-bus/events-infra.d.ts +76 -2
  240. package/node_modules/@comis/core/dist/exports/config.d.ts +2 -2
  241. package/node_modules/@comis/core/dist/exports/config.js +3 -1
  242. package/node_modules/@comis/core/dist/exports/domain.d.ts +2 -0
  243. package/node_modules/@comis/core/dist/exports/domain.js +1 -0
  244. package/node_modules/@comis/core/dist/exports/hooks.d.ts +1 -1
  245. package/node_modules/@comis/core/dist/exports/ports.d.ts +2 -2
  246. package/node_modules/@comis/core/dist/exports/ports.js +1 -1
  247. package/node_modules/@comis/core/dist/ports/channel-plugin.d.ts +0 -13
  248. package/node_modules/@comis/core/dist/ports/delivery-queue.d.ts +23 -0
  249. package/node_modules/@comis/core/dist/ports/delivery-queue.js +2 -0
  250. package/node_modules/@comis/core/dist/ports/index.d.ts +4 -0
  251. package/node_modules/@comis/core/dist/ports/index.js +5 -0
  252. package/node_modules/@comis/core/dist/ports/no-op-tool-capability.d.ts +30 -0
  253. package/node_modules/@comis/core/dist/ports/no-op-tool-capability.js +47 -0
  254. package/node_modules/@comis/core/dist/ports/oauth-credential-store.d.ts +64 -0
  255. package/node_modules/@comis/core/dist/ports/oauth-credential-store.js +37 -0
  256. package/node_modules/@comis/core/dist/ports/tool-capability.d.ts +165 -0
  257. package/node_modules/@comis/core/dist/ports/tool-capability.js +15 -0
  258. package/node_modules/@comis/core/dist/security/audit.d.ts +0 -11
  259. package/node_modules/@comis/core/dist/tool-metadata.d.ts +41 -1
  260. package/node_modules/@comis/core/dist/tool-metadata.js +1 -1
  261. package/node_modules/@comis/core/package.json +1 -1
  262. package/node_modules/@comis/daemon/bundled-skills/skill-creator/scripts/validate-skill.py +1 -1
  263. package/node_modules/@comis/daemon/dist/daemon-types.d.ts +23 -3
  264. package/node_modules/@comis/daemon/dist/daemon.js +168 -30
  265. package/node_modules/@comis/daemon/dist/index.d.ts +2 -0
  266. package/node_modules/@comis/daemon/dist/index.js +5 -0
  267. package/node_modules/@comis/daemon/dist/observability/channel-health-logger.js +3 -3
  268. package/node_modules/@comis/daemon/dist/observability/delivery-queue-logger.js +1 -1
  269. package/node_modules/@comis/daemon/dist/rpc/agent-handlers.d.ts +22 -1
  270. package/node_modules/@comis/daemon/dist/rpc/agent-handlers.js +84 -21
  271. package/node_modules/@comis/daemon/dist/rpc/agent-inline-workspace.d.ts +1 -1
  272. package/node_modules/@comis/daemon/dist/rpc/agent-inline-workspace.js +3 -3
  273. package/node_modules/@comis/daemon/dist/rpc/builtin-provider-guard.js +2 -2
  274. package/node_modules/@comis/daemon/dist/rpc/config-handlers.d.ts +9 -1
  275. package/node_modules/@comis/daemon/dist/rpc/config-handlers.js +104 -23
  276. package/node_modules/@comis/daemon/dist/rpc/credential-resolver.d.ts +30 -1
  277. package/node_modules/@comis/daemon/dist/rpc/credential-resolver.js +74 -11
  278. package/node_modules/@comis/daemon/dist/rpc/mcp-handlers.d.ts +8 -0
  279. package/node_modules/@comis/daemon/dist/rpc/mcp-handlers.js +22 -8
  280. package/node_modules/@comis/daemon/dist/rpc/model-handlers.d.ts +1 -1
  281. package/node_modules/@comis/daemon/dist/rpc/model-handlers.js +2 -2
  282. package/node_modules/@comis/daemon/dist/rpc/provider-handlers.js +9 -12
  283. package/node_modules/@comis/daemon/dist/rpc/rpc-dispatch.d.ts +1 -0
  284. package/node_modules/@comis/daemon/dist/rpc/rpc-dispatch.js +27 -2
  285. package/node_modules/@comis/daemon/dist/setup-docker-restart-warn.js +0 -1
  286. package/node_modules/@comis/daemon/dist/sub-agent-runner.d.ts +18 -0
  287. package/node_modules/@comis/daemon/dist/sub-agent-runner.js +41 -9
  288. package/node_modules/@comis/daemon/dist/wiring/index.d.ts +4 -0
  289. package/node_modules/@comis/daemon/dist/wiring/index.js +2 -0
  290. package/node_modules/@comis/daemon/dist/wiring/oauth-preflight.d.ts +21 -0
  291. package/node_modules/@comis/daemon/dist/wiring/oauth-preflight.js +134 -0
  292. package/node_modules/@comis/daemon/dist/wiring/setup-agents.d.ts +81 -2
  293. package/node_modules/@comis/daemon/dist/wiring/setup-agents.js +164 -3
  294. package/node_modules/@comis/daemon/dist/wiring/setup-background-completion-runner.d.ts +58 -0
  295. package/node_modules/@comis/daemon/dist/wiring/setup-background-completion-runner.js +59 -0
  296. package/node_modules/@comis/daemon/dist/wiring/setup-background-tasks.d.ts +10 -3
  297. package/node_modules/@comis/daemon/dist/wiring/setup-background-tasks.js +13 -7
  298. package/node_modules/@comis/daemon/dist/wiring/setup-channels.d.ts +9 -2
  299. package/node_modules/@comis/daemon/dist/wiring/setup-channels.js +35 -10
  300. package/node_modules/@comis/daemon/dist/wiring/setup-cross-session.d.ts +20 -5
  301. package/node_modules/@comis/daemon/dist/wiring/setup-cross-session.js +21 -16
  302. package/node_modules/@comis/daemon/dist/wiring/setup-delivery.d.ts +14 -5
  303. package/node_modules/@comis/daemon/dist/wiring/setup-delivery.js +65 -20
  304. package/node_modules/@comis/daemon/dist/wiring/setup-gateway.d.ts +4 -6
  305. package/node_modules/@comis/daemon/dist/wiring/setup-gateway.js +3 -5
  306. package/node_modules/@comis/daemon/dist/wiring/setup-heartbeat.d.ts +20 -5
  307. package/node_modules/@comis/daemon/dist/wiring/setup-heartbeat.js +11 -2
  308. package/node_modules/@comis/daemon/dist/wiring/setup-output-retention.d.ts +89 -0
  309. package/node_modules/@comis/daemon/dist/wiring/setup-output-retention.js +212 -0
  310. package/node_modules/@comis/daemon/dist/wiring/setup-schedulers.js +4 -0
  311. package/node_modules/@comis/daemon/dist/wiring/setup-tools.d.ts +18 -4
  312. package/node_modules/@comis/daemon/dist/wiring/setup-tools.js +29 -10
  313. package/node_modules/@comis/daemon/dist/wiring/tool-capability-adapter.d.ts +75 -0
  314. package/node_modules/@comis/daemon/dist/wiring/tool-capability-adapter.js +253 -0
  315. package/node_modules/@comis/daemon/package.json +1 -1
  316. package/node_modules/@comis/gateway/dist/index.d.ts +2 -0
  317. package/node_modules/@comis/gateway/dist/index.js +2 -0
  318. package/node_modules/@comis/gateway/dist/oauth/oauth-callback-route.d.ts +66 -0
  319. package/node_modules/@comis/gateway/dist/oauth/oauth-callback-route.js +212 -0
  320. package/node_modules/@comis/gateway/dist/server/hono-server.d.ts +14 -0
  321. package/node_modules/@comis/gateway/dist/server/hono-server.js +10 -0
  322. package/node_modules/@comis/gateway/dist/webhook/webhook-endpoint.d.ts +0 -4
  323. package/node_modules/@comis/gateway/package.json +1 -1
  324. package/node_modules/@comis/infra/dist/logging/log-fields.d.ts +23 -0
  325. package/node_modules/@comis/infra/package.json +1 -1
  326. package/node_modules/@comis/memory/dist/compaction.d.ts +3 -5
  327. package/node_modules/@comis/memory/dist/compaction.js +2 -3
  328. package/node_modules/@comis/memory/dist/delivery-queue-adapter.d.ts +2 -2
  329. package/node_modules/@comis/memory/dist/delivery-queue-adapter.js +49 -1
  330. package/node_modules/@comis/memory/dist/index.d.ts +2 -0
  331. package/node_modules/@comis/memory/dist/index.js +3 -0
  332. package/node_modules/@comis/memory/dist/memory-api.d.ts +1 -1
  333. package/node_modules/@comis/memory/dist/memory-api.js +1 -1
  334. package/node_modules/@comis/memory/dist/oauth-profile-schema.d.ts +17 -0
  335. package/node_modules/@comis/memory/dist/oauth-profile-schema.js +33 -0
  336. package/node_modules/@comis/memory/dist/oauth-profile-store-encrypted.d.ts +27 -0
  337. package/node_modules/@comis/memory/dist/oauth-profile-store-encrypted.js +144 -0
  338. package/node_modules/@comis/memory/dist/session-store.d.ts +1 -1
  339. package/node_modules/@comis/memory/dist/session-store.js +1 -1
  340. package/node_modules/@comis/memory/dist/sqlite-secret-store.d.ts +29 -3
  341. package/node_modules/@comis/memory/dist/sqlite-secret-store.js +11 -3
  342. package/node_modules/@comis/memory/package.json +1 -1
  343. package/node_modules/@comis/scheduler/dist/cron/cron-types.d.ts +0 -42
  344. package/node_modules/@comis/scheduler/dist/execution/execution-lock.d.ts +13 -0
  345. package/node_modules/@comis/scheduler/dist/execution/execution-lock.js +1 -1
  346. package/node_modules/@comis/scheduler/dist/execution/index.d.ts +2 -0
  347. package/node_modules/@comis/scheduler/dist/execution/index.js +2 -0
  348. package/node_modules/@comis/scheduler/dist/heartbeat/agent-heartbeat-source.d.ts +29 -8
  349. package/node_modules/@comis/scheduler/dist/heartbeat/agent-heartbeat-source.js +20 -8
  350. package/node_modules/@comis/scheduler/dist/index.d.ts +2 -0
  351. package/node_modules/@comis/scheduler/dist/index.js +2 -0
  352. package/node_modules/@comis/scheduler/dist/system-events/system-event-types.d.ts +0 -3
  353. package/node_modules/@comis/scheduler/dist/tasks/task-types.d.ts +0 -17
  354. package/node_modules/@comis/scheduler/package.json +1 -1
  355. package/node_modules/@comis/shared/dist/index.d.ts +3 -0
  356. package/node_modules/@comis/shared/dist/index.js +4 -0
  357. package/node_modules/@comis/shared/dist/mcp-tool-name.d.ts +78 -0
  358. package/node_modules/@comis/shared/dist/mcp-tool-name.js +92 -0
  359. package/node_modules/@comis/shared/dist/silent-tokens.d.ts +38 -0
  360. package/node_modules/@comis/shared/dist/silent-tokens.js +51 -0
  361. package/node_modules/@comis/shared/dist/visible-delivery.d.ts +28 -0
  362. package/node_modules/@comis/shared/dist/visible-delivery.js +16 -0
  363. package/node_modules/@comis/shared/package.json +1 -1
  364. package/node_modules/@comis/skills/dist/bridge/mcp-tool-bridge.d.ts +2 -13
  365. package/node_modules/@comis/skills/dist/bridge/mcp-tool-bridge.js +3 -21
  366. package/node_modules/@comis/skills/dist/bridge/schema-validator.d.ts +38 -0
  367. package/node_modules/@comis/skills/dist/bridge/schema-validator.js +169 -0
  368. package/node_modules/@comis/skills/dist/bridge/tool-metadata-enforcement.js +12 -0
  369. package/node_modules/@comis/skills/dist/bridge/tool-metadata-registry.js +133 -3
  370. package/node_modules/@comis/skills/dist/builtin/exec-diagnostics.d.ts +32 -0
  371. package/node_modules/@comis/skills/dist/builtin/exec-diagnostics.js +127 -0
  372. package/node_modules/@comis/skills/dist/builtin/exec-security.js +38 -0
  373. package/node_modules/@comis/skills/dist/builtin/exec-tool.d.ts +55 -9
  374. package/node_modules/@comis/skills/dist/builtin/exec-tool.js +392 -19
  375. package/node_modules/@comis/skills/dist/builtin/file-tools/grep-tool.js +6 -6
  376. package/node_modules/@comis/skills/dist/builtin/install-detour.d.ts +67 -0
  377. package/node_modules/@comis/skills/dist/builtin/install-detour.js +342 -0
  378. package/node_modules/@comis/skills/dist/builtin/platform/admin-manage-factory.js +5 -5
  379. package/node_modules/@comis/skills/dist/builtin/platform/agents-manage-tool.d.ts +7 -6
  380. package/node_modules/@comis/skills/dist/builtin/platform/agents-manage-tool.js +40 -29
  381. package/node_modules/@comis/skills/dist/builtin/platform/background-tasks-tool.d.ts +4 -1
  382. package/node_modules/@comis/skills/dist/builtin/platform/background-tasks-tool.js +3 -3
  383. package/node_modules/@comis/skills/dist/builtin/platform/cron-tool.js +1 -1
  384. package/node_modules/@comis/skills/dist/builtin/platform/gateway-tool.js +6 -6
  385. package/node_modules/@comis/skills/dist/builtin/platform/mcp-manage-tool.d.ts +1 -1
  386. package/node_modules/@comis/skills/dist/builtin/platform/mcp-manage-tool.js +9 -9
  387. package/node_modules/@comis/skills/dist/builtin/platform/message-tool.js +18 -0
  388. package/node_modules/@comis/skills/dist/builtin/platform/messaging-factory.d.ts +18 -1
  389. package/node_modules/@comis/skills/dist/builtin/platform/messaging-factory.js +18 -2
  390. package/node_modules/@comis/skills/dist/builtin/platform/models-manage-tool.js +3 -3
  391. package/node_modules/@comis/skills/dist/builtin/process-registry.d.ts +14 -0
  392. package/node_modules/@comis/skills/dist/builtin/process-tool.d.ts +24 -4
  393. package/node_modules/@comis/skills/dist/builtin/process-tool.js +25 -7
  394. package/node_modules/@comis/skills/dist/builtin/sandbox/bwrap-provider.d.ts +11 -0
  395. package/node_modules/@comis/skills/dist/builtin/sandbox/bwrap-provider.js +123 -1
  396. package/node_modules/@comis/skills/dist/builtin/sandbox/detect-provider.js +40 -15
  397. package/node_modules/@comis/skills/dist/index.d.ts +4 -1
  398. package/node_modules/@comis/skills/dist/index.js +3 -1
  399. package/node_modules/@comis/skills/dist/manifest/capability-parser.d.ts +44 -0
  400. package/node_modules/@comis/skills/dist/manifest/capability-parser.js +68 -0
  401. package/node_modules/@comis/skills/dist/manifest/schema.d.ts +44 -37
  402. package/node_modules/@comis/skills/dist/manifest/schema.js +35 -0
  403. package/node_modules/@comis/skills/dist/media/ssrf-fetcher.d.ts +7 -0
  404. package/node_modules/@comis/skills/dist/media/ssrf-fetcher.js +9 -2
  405. package/node_modules/@comis/skills/dist/registry/discovery.d.ts +8 -0
  406. package/node_modules/@comis/skills/dist/registry/discovery.js +10 -3
  407. package/node_modules/@comis/skills/dist/registry/skill-registry.d.ts +45 -1
  408. package/node_modules/@comis/skills/dist/registry/skill-registry.js +70 -7
  409. package/node_modules/@comis/skills/package.json +1 -1
  410. package/node_modules/@comis/web/dist/assets/{agent-detail-71BSbSfD.js → agent-detail-q8t1NB7w.js} +1 -1
  411. package/node_modules/@comis/web/dist/assets/{agent-editor-CTSDZhwT.js → agent-editor-B46io5gv.js} +1 -1
  412. package/node_modules/@comis/web/dist/assets/{agent-list-BEhni2ea.js → agent-list-DQ6g2Rcx.js} +1 -1
  413. package/node_modules/@comis/web/dist/assets/{billing-view-DVP1IvVs.js → billing-view-IWPR8LgF.js} +1 -1
  414. package/node_modules/@comis/web/dist/assets/{channel-detail-N_YK74xC.js → channel-detail-DlNNZuuC.js} +1 -1
  415. package/node_modules/@comis/web/dist/assets/{channel-list-DRk6ZJaF.js → channel-list-DhGwxiMc.js} +1 -1
  416. package/node_modules/@comis/web/dist/assets/{chat-console-Dm-GtSf9.js → chat-console-Nv6fM3Rc.js} +1 -1
  417. package/node_modules/@comis/web/dist/assets/{config-editor-CIferYX6.js → config-editor-BYKuJF76.js} +1 -1
  418. package/node_modules/@comis/web/dist/assets/{context-dag-browser-CL84rXXM.js → context-dag-browser-ClNEtzYE.js} +1 -1
  419. package/node_modules/@comis/web/dist/assets/{context-engine-B1HOTEZv.js → context-engine-BZJ6HChd.js} +1 -1
  420. package/node_modules/@comis/web/dist/assets/{delivery-view-Y6JKYVFw.js → delivery-view-Cb7I3vGu.js} +1 -1
  421. package/node_modules/@comis/web/dist/assets/{diagnostics-view-DWV1UQjz.js → diagnostics-view-9u9Lyu5a.js} +1 -1
  422. package/node_modules/@comis/web/dist/assets/{ic-chat-message-DfSERzzg.js → ic-chat-message-BFt3cVpx.js} +1 -1
  423. package/node_modules/@comis/web/dist/assets/{ic-connection-dot-CXyhlJup.js → ic-connection-dot-y77LZ3Gu.js} +1 -1
  424. package/node_modules/@comis/web/dist/assets/{ic-tool-call-DNmwTjek.js → ic-tool-call-qt6w1NQl.js} +1 -1
  425. package/node_modules/@comis/web/dist/assets/{index-CBr0Tm9_.js → index-8Tg9oc-C.js} +2 -2
  426. package/node_modules/@comis/web/dist/assets/{mcp-management-BaH2-vox.js → mcp-management-69dtH_kY.js} +2 -2
  427. package/node_modules/@comis/web/dist/assets/{media-config-CZLshJoN.js → media-config-BdjLj5c1.js} +1 -1
  428. package/node_modules/@comis/web/dist/assets/{media-test-C9NUWgo_.js → media-test-DuPqrixi.js} +1 -1
  429. package/node_modules/@comis/web/dist/assets/{memory-inspector-D_fmTcRN.js → memory-inspector-B-Pepbq-.js} +1 -1
  430. package/node_modules/@comis/web/dist/assets/{message-center-BBFlNCZn.js → message-center-B7l0yNYY.js} +1 -1
  431. package/node_modules/@comis/web/dist/assets/{models-BytGLm99.js → models-JHFHuv5S.js} +1 -1
  432. package/node_modules/@comis/web/dist/assets/{observe-view-VXtHqaqq.js → observe-view-r8mqhy4O.js} +1 -1
  433. package/node_modules/@comis/web/dist/assets/{pipeline-builder-CfXczlfJ.js → pipeline-builder-XjkiZRcR.js} +1 -1
  434. package/node_modules/@comis/web/dist/assets/{pipeline-history-CPmXFnbe.js → pipeline-history-CZqJv_Hj.js} +1 -1
  435. package/node_modules/@comis/web/dist/assets/{pipeline-history-detail-DcueTMs9.js → pipeline-history-detail-BEFGMoDy.js} +1 -1
  436. package/node_modules/@comis/web/dist/assets/{pipeline-list-B-xG5WZh.js → pipeline-list-B6q5LvO1.js} +1 -1
  437. package/node_modules/@comis/web/dist/assets/{pipeline-monitor-pnIOYaSY.js → pipeline-monitor-BNomXjVL.js} +1 -1
  438. package/node_modules/@comis/web/dist/assets/{scheduler-BtUIFHhA.js → scheduler-BJEjcGKA.js} +1 -1
  439. package/node_modules/@comis/web/dist/assets/{security-C8mWRq2y.js → security-2G1jhBfV.js} +1 -1
  440. package/node_modules/@comis/web/dist/assets/{session-detail-DgdkO5ka.js → session-detail-DmVPzFBR.js} +1 -1
  441. package/node_modules/@comis/web/dist/assets/{session-list-DcylcfTn.js → session-list-CsqMQoHs.js} +1 -1
  442. package/node_modules/@comis/web/dist/assets/{setup-wizard-BP5yjsuL.js → setup-wizard-CAdM-gSP.js} +1 -1
  443. package/node_modules/@comis/web/dist/assets/{skills-DXt1bX8Z.js → skills-2ODqKaWr.js} +1 -1
  444. package/node_modules/@comis/web/dist/assets/{subagents-C7YbUHXY.js → subagents-BFlwfTbD.js} +1 -1
  445. package/node_modules/@comis/web/dist/assets/{workspace-manager-DP6pW4wa.js → workspace-manager--CbOx_dI.js} +1 -1
  446. package/node_modules/@comis/web/dist/index.html +1 -1
  447. package/node_modules/@comis/web/package.json +1 -1
  448. package/package.json +25 -24
@@ -5,8 +5,7 @@
5
5
  * Provides `comis providers list` for browsing available providers from
6
6
  * the live pi-ai catalog (with daemon RPC + local fallback). Status
7
7
  * column indicates whether a provider's API key is resolvable from the
8
- * env (mirrors credential-resolver.ts Source B semantics from
9
- * 260501-2pz).
8
+ * env (mirrors credential-resolver.ts Source B semantics).
10
9
  *
11
10
  * Mirrors `commands/models.ts` shape -- RPC-first, local catalog
12
11
  * fallback, `--format` flag, no `set` subcommand (provider switching
@@ -64,9 +63,9 @@ async function getModelCount(provider) {
64
63
  * - `configured` : pi-ai's `getEnvApiKey` resolves a non-empty key
65
64
  * - `missing key` : no env key found
66
65
  *
67
- * Mirrors `credential-resolver.ts` Source B semantics from 260501-2pz.
68
- * Status reflects only env-key presence; it does NOT include the key
69
- * value itself (T-260501-kqq-02 information-disclosure threat).
66
+ * Mirrors `credential-resolver.ts` Source B semantics. Status reflects
67
+ * only env-key presence; it does NOT include the key value itself
68
+ * (information-disclosure threat).
70
69
  */
71
70
  function getProviderStatus(provider) {
72
71
  if (KEYLESS_PROVIDERS.has(provider))
@@ -99,7 +98,7 @@ export function registerProvidersCommand(program) {
99
98
  }
100
99
  // Sequentially fetch model counts. With ~11-23 providers this
101
100
  // is acceptable (single-digit RPC roundtrips). N+1 batching is
102
- // a v1.5 enhancement (T-260501-kqq-03 DoS disposition: accept).
101
+ // a v1.5 enhancement (DoS disposition: accept).
103
102
  const rows = [];
104
103
  for (const id of ids) {
105
104
  const modelCount = await getModelCount(id);
@@ -0,0 +1,39 @@
1
+ /**
2
+ * OAuth health check for `comis doctor`.
3
+ *
4
+ * Per-profile diagnostics: JWT decode → expiry + numeric `secsUntilExpiry`;
5
+ * flag profiles expiring < 7 days as warn, expired as fail; surface
6
+ * schema-version mismatch from the file adapter's hard-fail verbatim
7
+ * (`port.list()` returns `err()` whose message already contains the version
8
+ * + remediation hint). Environmental sub-checks: ca-certificates bundle
9
+ * existence with distro-aware install hint, HTTPS_PROXY env-var heuristic
10
+ * (Node's built-in fetch ignores HTTPS_PROXY by default), TLS preflight
11
+ * against `auth.openai.com` (delegates to `runOAuthTlsPreflight`).
12
+ *
13
+ * Optional `--refresh-test` flag (default OFF): exercises a real OAuth
14
+ * refresh against the provider; rotates the refresh token at OpenAI's end
15
+ * as a side effect (--help warns the operator). Doctor does NOT persist
16
+ * the new credentials; the success suggestion warns the stored token is
17
+ * now stale.
18
+ *
19
+ * Storage mode handling: the CLI process cannot bootstrap the encrypted
20
+ * secrets store without `SECRETS_MASTER_KEY`, so when
21
+ * `appConfig.oauth.storage === "encrypted"` the per-profile sub-check
22
+ * returns a single skip finding pointing the operator at the daemon host.
23
+ *
24
+ * NEVER prints `profile.access` or `profile.refresh` in any DoctorFinding
25
+ * field. Identity labels go through `redactEmailForLog`. The token-leakage
26
+ * test in oauth-health.test.ts asserts no `TEST_LEAK_SENTINEL` substring
27
+ * leakage.
28
+ *
29
+ * @module
30
+ */
31
+ import type { DoctorCheck } from "../types.js";
32
+ /**
33
+ * Doctor check: OAuth subsystem health.
34
+ *
35
+ * Returns 4 baseline sub-checks (per-profile expiry × N + ca-certificates +
36
+ * HTTPS_PROXY + TLS preflight); +N when `context.refreshTest === true`.
37
+ * Never throws — every failure path returns a finding.
38
+ */
39
+ export declare const oauthHealthCheck: DoctorCheck;
@@ -0,0 +1,399 @@
1
+ // SPDX-License-Identifier: Apache-2.0
2
+ /**
3
+ * OAuth health check for `comis doctor`.
4
+ *
5
+ * Per-profile diagnostics: JWT decode → expiry + numeric `secsUntilExpiry`;
6
+ * flag profiles expiring < 7 days as warn, expired as fail; surface
7
+ * schema-version mismatch from the file adapter's hard-fail verbatim
8
+ * (`port.list()` returns `err()` whose message already contains the version
9
+ * + remediation hint). Environmental sub-checks: ca-certificates bundle
10
+ * existence with distro-aware install hint, HTTPS_PROXY env-var heuristic
11
+ * (Node's built-in fetch ignores HTTPS_PROXY by default), TLS preflight
12
+ * against `auth.openai.com` (delegates to `runOAuthTlsPreflight`).
13
+ *
14
+ * Optional `--refresh-test` flag (default OFF): exercises a real OAuth
15
+ * refresh against the provider; rotates the refresh token at OpenAI's end
16
+ * as a side effect (--help warns the operator). Doctor does NOT persist
17
+ * the new credentials; the success suggestion warns the stored token is
18
+ * now stale.
19
+ *
20
+ * Storage mode handling: the CLI process cannot bootstrap the encrypted
21
+ * secrets store without `SECRETS_MASTER_KEY`, so when
22
+ * `appConfig.oauth.storage === "encrypted"` the per-profile sub-check
23
+ * returns a single skip finding pointing the operator at the daemon host.
24
+ *
25
+ * NEVER prints `profile.access` or `profile.refresh` in any DoctorFinding
26
+ * field. Identity labels go through `redactEmailForLog`. The token-leakage
27
+ * test in oauth-health.test.ts asserts no `TEST_LEAK_SENTINEL` substring
28
+ * leakage.
29
+ *
30
+ * @module
31
+ */
32
+ import { stat, readFile } from "node:fs/promises";
33
+ import { selectOAuthCredentialStore, redactEmailForLog, runOAuthTlsPreflight, rewriteOAuthError, } from "@comis/agent";
34
+ import { formatRelativeExpiry } from "../../output/relative-time.js";
35
+ const CATEGORY = "oauth";
36
+ const NEAR_EXPIRY_THRESHOLD_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
37
+ const REFRESH_TEST_TIMEOUT_MS = 10_000;
38
+ const TLS_PREFLIGHT_TIMEOUT_MS = 5_000;
39
+ // Public OpenAI Codex client_id — same value pi-ai uses; using our own
40
+ // would fingerprint Comis traffic in OpenAI's logs.
41
+ const OPENAI_CODEX_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
42
+ const OPENAI_TOKEN_URL = "https://auth.openai.com/oauth/token";
43
+ const CA_BUNDLE_PATHS = [
44
+ "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu
45
+ "/etc/ssl/cert.pem", // Alpine, macOS, FreeBSD
46
+ "/etc/pki/tls/certs/ca-bundle.crt", // RHEL/CentOS/Fedora
47
+ "/etc/ssl/ca-bundle.pem", // openSUSE
48
+ ];
49
+ /**
50
+ * Doctor check: OAuth subsystem health.
51
+ *
52
+ * Returns 4 baseline sub-checks (per-profile expiry × N + ca-certificates +
53
+ * HTTPS_PROXY + TLS preflight); +N when `context.refreshTest === true`.
54
+ * Never throws — every failure path returns a finding.
55
+ */
56
+ export const oauthHealthCheck = {
57
+ id: "oauth-health",
58
+ name: "OAuth",
59
+ run: async (context) => {
60
+ const findings = [];
61
+ // Sub-check 1: schema integrity + per-profile expiry (uses port.list())
62
+ findings.push(...(await checkProfiles(context)));
63
+ // Sub-check 2: ca-certificates bundle on disk
64
+ findings.push(await checkCaBundle());
65
+ // Sub-check 3: HTTPS_PROXY env-var heuristic
66
+ findings.push(checkHttpsProxyHeuristic());
67
+ // Sub-check 4: TLS preflight against auth.openai.com
68
+ findings.push(await checkTlsPreflight());
69
+ return findings;
70
+ },
71
+ };
72
+ // ---------------------------------------------------------------------------
73
+ // Sub-check: per-profile expiry + schema-mismatch surfacing
74
+ // ---------------------------------------------------------------------------
75
+ async function checkProfiles(context) {
76
+ const findings = [];
77
+ const storage = (context.config?.oauth?.storage ?? "file");
78
+ if (storage === "encrypted") {
79
+ // CLI cannot bootstrap encrypted store without SECRETS_MASTER_KEY.
80
+ // Surface as skip + operator hint (doctor reads only the active store,
81
+ // does not cross-check inactive).
82
+ return [
83
+ {
84
+ category: CATEGORY,
85
+ check: "Profile store",
86
+ status: "skip",
87
+ message: "OAuth storage mode is 'encrypted' — doctor cannot read profiles from CLI",
88
+ suggestion: "Run doctor on the daemon host (with SECRETS_MASTER_KEY set), " +
89
+ "or set oauth.storage to 'file' to use the plaintext file backend.",
90
+ repairable: false,
91
+ },
92
+ ];
93
+ }
94
+ // Open the store using the same selector daemon + auth CLI use.
95
+ let store;
96
+ try {
97
+ store = selectOAuthCredentialStore({
98
+ storage: "file",
99
+ dataDir: context.dataDir,
100
+ });
101
+ }
102
+ catch (e) {
103
+ return [
104
+ {
105
+ category: CATEGORY,
106
+ check: "Profile store",
107
+ status: "fail",
108
+ message: `Failed to open OAuth store: ${e instanceof Error ? e.message : String(e)}`,
109
+ repairable: false,
110
+ },
111
+ ];
112
+ }
113
+ // port.list() returns err() with the version-mismatch hint baked into
114
+ // the error message — surface verbatim. NO migration logic.
115
+ const listResult = await store.list();
116
+ if (!listResult.ok) {
117
+ findings.push({
118
+ category: CATEGORY,
119
+ check: "Profile schema",
120
+ status: "fail",
121
+ message: listResult.error.message, // e.g. "version mismatch: ... Hint: delete X and re-run comis auth login"
122
+ repairable: false,
123
+ });
124
+ return findings; // can't iterate profiles after schema-mismatch
125
+ }
126
+ if (listResult.value.length === 0) {
127
+ findings.push({
128
+ category: CATEGORY,
129
+ check: "Profile inventory",
130
+ status: "skip",
131
+ message: "No OAuth profiles stored",
132
+ repairable: false,
133
+ });
134
+ return findings;
135
+ }
136
+ // Per-profile expiry + identity reporting; +refresh-test when opted in.
137
+ for (const profile of listResult.value) {
138
+ findings.push(profileExpiryFinding(profile));
139
+ if (context.refreshTest === true) {
140
+ findings.push(await refreshTestFinding(profile));
141
+ }
142
+ }
143
+ return findings;
144
+ }
145
+ /**
146
+ * Build a DoctorFinding for a single profile's expiry status.
147
+ *
148
+ * Status ladder:
149
+ * - msUntilExpiry <= 0 → fail (re-login required)
150
+ * - msUntilExpiry < 7d → warn (refresh proactively)
151
+ * - else → pass
152
+ *
153
+ * Always populates the literal numeric field `secsUntilExpiry`.
154
+ * Sign is preserved (negative for already-expired) so consumers can
155
+ * distinguish "expired 1h ago" from "expired 30d ago" without parsing
156
+ * the human-readable message.
157
+ */
158
+ function profileExpiryFinding(profile) {
159
+ const msUntilExpiry = profile.expires - Date.now();
160
+ const secsUntilExpiry = Math.floor(msUntilExpiry / 1000);
161
+ const identityLabel = redactEmailForLog(profile.email) ?? profile.profileId;
162
+ // CRITICAL: NEVER include profile.access or profile.refresh in any
163
+ // DoctorFinding field. Use only profileId, redacted email, and the
164
+ // expiry timestamp.
165
+ if (msUntilExpiry <= 0) {
166
+ return {
167
+ category: CATEGORY,
168
+ check: `Profile ${profile.profileId}`,
169
+ status: "fail",
170
+ message: `Profile ${profile.profileId} (${identityLabel}) expired ${formatRelativeExpiry(profile.expires)}`,
171
+ suggestion: `Re-authenticate: comis auth login --provider ${profile.provider}`,
172
+ repairable: false,
173
+ secsUntilExpiry,
174
+ };
175
+ }
176
+ if (msUntilExpiry < NEAR_EXPIRY_THRESHOLD_MS) {
177
+ return {
178
+ category: CATEGORY,
179
+ check: `Profile ${profile.profileId}`,
180
+ status: "warn",
181
+ message: `Profile ${profile.profileId} (${identityLabel}) expires in ${formatRelativeExpiry(profile.expires)}`,
182
+ suggestion: `Refresh proactively: comis auth login --provider ${profile.provider}`,
183
+ repairable: false,
184
+ secsUntilExpiry,
185
+ };
186
+ }
187
+ return {
188
+ category: CATEGORY,
189
+ check: `Profile ${profile.profileId}`,
190
+ status: "pass",
191
+ message: `Profile ${profile.profileId} (${identityLabel}) expires in ${formatRelativeExpiry(profile.expires)}`,
192
+ repairable: false,
193
+ secsUntilExpiry,
194
+ };
195
+ }
196
+ /**
197
+ * Run a real OAuth refresh against `auth.openai.com` per profile.
198
+ *
199
+ * Opt-in only (gated by `--refresh-test` flag); --help text in
200
+ * `commands/doctor.ts` warns operator. Doctor does NOT persist the new
201
+ * tokens — subsequent LLM calls will hit refresh_token_reused on the
202
+ * stored (now-stale) token.
203
+ *
204
+ * Duplicates ~30 LoC of refresh-POST machinery from
205
+ * `refreshOpenAICodexTokenLocal`. Per AGENTS.md §2.3 rule of three, two
206
+ * call-sites is below the extraction threshold — duplicate over premature
207
+ * abstraction.
208
+ *
209
+ * NEVER prints `profile.refresh` in any returned finding.
210
+ */
211
+ async function refreshTestFinding(profile) {
212
+ const identityLabel = redactEmailForLog(profile.email) ?? profile.profileId;
213
+ const body = new URLSearchParams({
214
+ grant_type: "refresh_token",
215
+ refresh_token: profile.refresh,
216
+ client_id: OPENAI_CODEX_CLIENT_ID,
217
+ });
218
+ try {
219
+ const response = await fetch(OPENAI_TOKEN_URL, {
220
+ method: "POST",
221
+ headers: { "Content-Type": "application/x-www-form-urlencoded" },
222
+ body,
223
+ signal: AbortSignal.timeout(REFRESH_TEST_TIMEOUT_MS),
224
+ });
225
+ if (!response.ok) {
226
+ const text = await response.text().catch(() => "");
227
+ let parsed = {};
228
+ try {
229
+ parsed = JSON.parse(text);
230
+ }
231
+ catch {
232
+ // Body wasn't JSON — fall back to status code.
233
+ }
234
+ const classifyMessage = parsed.error_description ?? parsed.error ?? `HTTP ${response.status}`;
235
+ const rewritten = rewriteOAuthError(new Error(classifyMessage));
236
+ return {
237
+ category: CATEGORY,
238
+ check: `Profile ${profile.profileId} refresh test`,
239
+ status: "fail",
240
+ message: `Refresh test for ${identityLabel} failed (${rewritten.errorKind}): ${rewritten.userMessage}`,
241
+ suggestion: rewritten.hint,
242
+ repairable: false,
243
+ };
244
+ }
245
+ // Success: token rotated at OpenAI's end. We are NOT persisting —
246
+ // surface the side effect explicitly.
247
+ return {
248
+ category: CATEGORY,
249
+ check: `Profile ${profile.profileId} refresh test`,
250
+ status: "pass",
251
+ message: `Refresh test for ${identityLabel} succeeded`,
252
+ suggestion: "WARNING: refresh token at OpenAI was rotated. The stored token " +
253
+ "is now stale; the next LLM call will trigger a real refresh.",
254
+ repairable: false,
255
+ };
256
+ }
257
+ catch (e) {
258
+ return {
259
+ category: CATEGORY,
260
+ check: `Profile ${profile.profileId} refresh test`,
261
+ status: "fail",
262
+ message: `Refresh test for ${identityLabel} threw: ${e instanceof Error ? e.message : String(e)}`,
263
+ suggestion: "Check network reachability to auth.openai.com and retry without " +
264
+ "--refresh-test for a pure-local check.",
265
+ repairable: false,
266
+ };
267
+ }
268
+ }
269
+ // ---------------------------------------------------------------------------
270
+ // Sub-check: ca-certificates bundle existence + distro-aware install hint
271
+ // ---------------------------------------------------------------------------
272
+ async function checkCaBundle() {
273
+ for (const p of CA_BUNDLE_PATHS) {
274
+ try {
275
+ await stat(p);
276
+ return {
277
+ category: CATEGORY,
278
+ check: "ca-certificates",
279
+ status: "pass",
280
+ message: `CA bundle present at ${p}`,
281
+ repairable: false,
282
+ };
283
+ }
284
+ catch {
285
+ // Try next path
286
+ }
287
+ }
288
+ const os = await readOsRelease();
289
+ return {
290
+ category: CATEGORY,
291
+ check: "ca-certificates",
292
+ status: "fail",
293
+ message: "No system CA bundle found at any standard location -- TLS verification will fail",
294
+ suggestion: caCertificatesInstallHint(os),
295
+ repairable: false,
296
+ };
297
+ }
298
+ async function readOsRelease(path = "/etc/os-release") {
299
+ try {
300
+ const text = await readFile(path, "utf-8");
301
+ const map = new Map();
302
+ for (const line of text.split("\n")) {
303
+ const m = line.match(/^([A-Z_]+)=(.*)$/);
304
+ if (m)
305
+ map.set(m[1], m[2].replace(/^"|"$/g, ""));
306
+ }
307
+ const id = map.get("ID") ?? "";
308
+ const idLike = (map.get("ID_LIKE") ?? "").split(/\s+/).filter(Boolean);
309
+ return { id, idLike };
310
+ }
311
+ catch {
312
+ return null;
313
+ }
314
+ }
315
+ function caCertificatesInstallHint(os) {
316
+ if (!os) {
317
+ return "Install ca-certificates via your distro's package manager and retry";
318
+ }
319
+ const idChain = [os.id, ...os.idLike];
320
+ if (idChain.includes("alpine")) {
321
+ return "apk add ca-certificates && update-ca-certificates";
322
+ }
323
+ if (idChain.includes("debian") || idChain.includes("ubuntu")) {
324
+ return "sudo apt-get install -y ca-certificates && sudo update-ca-certificates";
325
+ }
326
+ if (idChain.includes("fedora") ||
327
+ idChain.includes("rhel") ||
328
+ idChain.includes("centos")) {
329
+ return "sudo dnf install -y ca-certificates && sudo update-ca-trust";
330
+ }
331
+ if (idChain.includes("arch")) {
332
+ return "sudo pacman -S ca-certificates && sudo trust extract-compat";
333
+ }
334
+ if (idChain.includes("suse") || idChain.includes("opensuse")) {
335
+ return "sudo zypper install ca-certificates && sudo update-ca-certificates";
336
+ }
337
+ return "Install ca-certificates via your distro's package manager and retry";
338
+ }
339
+ // ---------------------------------------------------------------------------
340
+ // Sub-check: HTTPS_PROXY env-var heuristic
341
+ // ---------------------------------------------------------------------------
342
+ function checkHttpsProxyHeuristic() {
343
+ // eslint-disable-next-line no-restricted-syntax -- CLI bootstrap before SecretManager
344
+ const httpsProxy = process.env["HTTPS_PROXY"] ?? process.env["https_proxy"];
345
+ if (!httpsProxy) {
346
+ return {
347
+ category: CATEGORY,
348
+ check: "HTTPS_PROXY",
349
+ status: "pass",
350
+ message: "HTTPS_PROXY not set (no proxy expected)",
351
+ repairable: false,
352
+ };
353
+ }
354
+ return {
355
+ category: CATEGORY,
356
+ check: "HTTPS_PROXY",
357
+ status: "warn",
358
+ message: `HTTPS_PROXY is set (${httpsProxy}) but Node's built-in fetch ignores it by default`,
359
+ suggestion: "Either install undici and call setGlobalDispatcher(new EnvHttpProxyAgent()) at startup, " +
360
+ "or rely on a system-wide proxy. See docs/operations/proxy.md.",
361
+ repairable: false,
362
+ };
363
+ }
364
+ // ---------------------------------------------------------------------------
365
+ // Sub-check: TLS preflight
366
+ // ---------------------------------------------------------------------------
367
+ async function checkTlsPreflight() {
368
+ const result = await runOAuthTlsPreflight({
369
+ timeoutMs: TLS_PREFLIGHT_TIMEOUT_MS,
370
+ });
371
+ if (result.ok) {
372
+ return {
373
+ category: CATEGORY,
374
+ check: "TLS preflight",
375
+ status: "pass",
376
+ message: "TLS handshake to auth.openai.com succeeded",
377
+ repairable: false,
378
+ };
379
+ }
380
+ if (result.kind === "tls-cert") {
381
+ return {
382
+ category: CATEGORY,
383
+ check: "TLS preflight",
384
+ status: "fail",
385
+ message: `TLS certificate validation failed: ${result.code ?? "unknown"} (${result.message})`,
386
+ suggestion: caCertificatesInstallHint(await readOsRelease()),
387
+ repairable: false,
388
+ };
389
+ }
390
+ return {
391
+ category: CATEGORY,
392
+ check: "TLS preflight",
393
+ status: "warn",
394
+ message: `Network probe to auth.openai.com failed: ${result.message}`,
395
+ suggestion: "Verify DNS, firewall, and proxy settings. Doctor cannot distinguish " +
396
+ "transient failures from persistent network failures.",
397
+ repairable: false,
398
+ };
399
+ }
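Review bot: `checkHttpsProxyHeuristic` interpolates the raw `HTTPS_PROXY` value into the warn finding's `message`, and proxy URLs commonly carry `user:password@` userinfo, so doctor output (and any JSON consumer of the findings) would receive the proxy credentials. That contradicts the module's own rule of keeping secrets out of every DoctorFinding field, which the file currently applies only to `profile.access` and `profile.refresh`. Parse the value and render only scheme and host, with a fixed placeholder when it does not parse, as sketched below. Separately, the expired branch of `profileExpiryFinding` builds `expired ${formatRelativeExpiry(profile.expires)}`, and that helper returns the word `expired` for past timestamps, so the message reads "expired expired".

```javascript
// Render only scheme + host so userinfo (user:password@) never reaches a finding.
function describeProxyForFinding(raw) {
    try {
        const parsed = new URL(raw);
        return parsed.host ? `${parsed.protocol}//${parsed.host}` : "value redacted";
    }
    catch {
        return "value redacted";
    }
}
function checkHttpsProxyHeuristic() {
    // … unchanged: env lookup and the not-set pass finding …
    return {
        // … unchanged: category, check, status …
        message: `HTTPS_PROXY is set (${describeProxyForFinding(httpsProxy)}) but Node's built-in fetch ignores it by default`,
        // … unchanged: suggestion, repairable …
    };
}
```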
@@ -23,6 +23,17 @@ export interface DoctorFinding {
23
23
  readonly message: string;
24
24
  readonly suggestion?: string;
25
25
  readonly repairable: boolean;
26
+ /**
27
+ * Numeric seconds until profile expiry.
28
+ *
29
+ * Exposed as a structured numeric so JSON-format consumers (log
30
+ * aggregators, dashboards) can compare it against thresholds without
31
+ * parsing the human-readable `message` string. Only `oauth-health.ts`
32
+ * `profileExpiryFinding` populates this; all other doctor-check findings
33
+ * leave it undefined. Value is `Math.floor(msUntilExpiry / 1000)`
34
+ * (negative for already-expired profiles to preserve sign-of-direction).
35
+ */
36
+ readonly secsUntilExpiry?: number;
26
37
  }
27
38
  /**
28
39
  * A doctor check that can be executed against a diagnostic context.
@@ -47,6 +58,14 @@ export interface DoctorContext {
47
58
  readonly dataDir: string;
48
59
  readonly daemonPidFile: string;
49
60
  readonly gatewayUrl?: string;
61
+ /**
62
+ * Opt-in refresh-test toggle from the `--refresh-test` flag on
63
+ * `comis doctor`. When true, the OAuth health check performs a real
64
+ * refresh against the provider per profile -- a side effect that rotates
65
+ * the refresh token at OpenAI's end (default OFF; --help warns the
66
+ * operator).
67
+ */
68
+ readonly refreshTest?: boolean;
50
69
  }
51
70
  /**
52
71
  * Aggregated result of running all doctor checks.
@@ -21,3 +21,4 @@ export { registerResetCommand } from "./commands/reset.js";
21
21
  export { registerSignalSetupCommand } from "./commands/signal-setup.js";
22
22
  export { registerSecretsCommand } from "./commands/secrets.js";
23
23
  export { registerUninstallCommand } from "./commands/uninstall.js";
24
+ export { credentialsStep } from "./wizard/steps/04-credentials.js";
@@ -25,10 +25,16 @@ export { registerResetCommand } from "./commands/reset.js";
25
25
  export { registerSignalSetupCommand } from "./commands/signal-setup.js";
26
26
  export { registerSecretsCommand } from "./commands/secrets.js";
27
27
  export { registerUninstallCommand } from "./commands/uninstall.js";
28
+ // Wizard steps — exported for integration tests in
29
+ // test/integration/oauth-login.test.ts which dynamically imports
30
+ // `credentialsStep` to drive the wizard-state assertion end-to-end
31
+ // against the mock OAuth server.
32
+ export { credentialsStep } from "./wizard/steps/04-credentials.js";
28
33
  // ── Dead Export Audit ─────────────────────────────────────────────────
29
- // Total exports: 29 (28 value, 1 type)
30
- // Exports with external consumers: 1
34
+ // Total exports: 30 (29 value, 1 type)
35
+ // Exports with external consumers: 2
31
36
  // - withClient (test/integration/env-vars-unit.test.ts, test/integration/env-vars-daemon.test.ts)
37
+ // - credentialsStep (consumed by test/integration/oauth-login.test.ts)
32
38
  // Exports with zero external consumers: 28
33
39
  // All register* command exports and output utilities are consumed only by the CLI's
34
40
  // own main.ts binary (not importable as @comis/cli by other packages).
@@ -37,7 +43,7 @@ export { registerUninstallCommand } from "./commands/uninstall.js";
37
43
  // Types (1):
38
44
  // RpcClient
39
45
  //
40
- // Values (28):
46
+ // Values (29):
41
47
  // createRpcClient, withClient, success, error, warn, info, json,
42
48
  // renderTable, renderKeyValue, withSpinner, registerDaemonCommand,
43
49
  // registerConfigCommand, registerAgentCommand, registerChannelCommand,
@@ -45,4 +51,4 @@ export { registerUninstallCommand } from "./commands/uninstall.js";
45
51
  // registerInitCommand, registerConfigureCommand, registerStatusCommand,
46
52
  // registerHealthCommand, registerModelsCommand, registerPm2Command,
47
53
  // registerSessionsCommand, registerResetCommand, registerSignalSetupCommand,
48
- // registerSecretsCommand
54
+ // registerSecretsCommand, credentialsStep
@@ -0,0 +1,23 @@
1
+ /**
2
+ * Relative-time formatter for OAuth expiry rendering.
3
+ *
4
+ * Produces compact strings like "5m", "27d", or "expired" for UI tables.
5
+ * Used by `comis auth list` (expiresIn column) and `comis auth status`
6
+ * (per-provider nextExpiry field).
7
+ *
8
+ * Branches:
9
+ * - delta <= 0 → "expired"
10
+ * - delta < 1h → "<m>m" (e.g., "5m", "32m")
11
+ * - 1h <= delta < 1d → "<h>h"
12
+ * - delta >= 1d → "<d>d"
13
+ *
14
+ * @module
15
+ */
16
+ /**
17
+ * Format the time-until-expiry for an absolute epoch-ms expiry timestamp.
18
+ *
19
+ * @param expiresAtMs - Absolute epoch-ms when the credential expires
20
+ * @param now - Reference "now" (defaulted to Date.now() — overridable for tests)
21
+ * @returns "expired" | "<n>m" | "<n>h" | "<n>d"
22
+ */
23
+ export declare function formatRelativeExpiry(expiresAtMs: number, now?: number): string;
@@ -0,0 +1,36 @@
1
+ // SPDX-License-Identifier: Apache-2.0
2
+ /**
3
+ * Relative-time formatter for OAuth expiry rendering.
4
+ *
5
+ * Produces compact strings like "5m", "27d", or "expired" for UI tables.
6
+ * Used by `comis auth list` (expiresIn column) and `comis auth status`
7
+ * (per-provider nextExpiry field).
8
+ *
9
+ * Branches:
10
+ * - delta <= 0 → "expired"
11
+ * - delta < 1h → "<m>m" (e.g., "5m", "32m")
12
+ * - 1h <= delta < 1d → "<h>h"
13
+ * - delta >= 1d → "<d>d"
14
+ *
15
+ * @module
16
+ */
17
+ const MS_PER_MIN = 60_000;
18
+ const MS_PER_HOUR = 60 * MS_PER_MIN;
19
+ const MS_PER_DAY = 24 * MS_PER_HOUR;
20
+ /**
21
+ * Format the time-until-expiry for an absolute epoch-ms expiry timestamp.
22
+ *
23
+ * @param expiresAtMs - Absolute epoch-ms when the credential expires
24
+ * @param now - Reference "now" (defaulted to Date.now() — overridable for tests)
25
+ * @returns "expired" | "<n>m" | "<n>h" | "<n>d"
26
+ */
27
+ export function formatRelativeExpiry(expiresAtMs, now = Date.now()) {
28
+ const delta = expiresAtMs - now;
29
+ if (delta <= 0)
30
+ return "expired";
31
+ if (delta < MS_PER_HOUR)
32
+ return `${Math.floor(delta / MS_PER_MIN)}m`;
33
+ if (delta < MS_PER_DAY)
34
+ return `${Math.floor(delta / MS_PER_HOUR)}h`;
35
+ return `${Math.floor(delta / MS_PER_DAY)}d`;
36
+ }
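Review bot: `formatRelativeExpiry` has no guard for a non-finite `expiresAtMs`: with `NaN` or `undefined` every comparison on `delta` is false, so the function falls through to the last return and renders `NaNd` instead of signalling a problem. `profileExpiryFinding` in the OAuth health check uses the same comparison ladder on `profile.expires - Date.now()`, so a stored profile whose `expires` is missing or corrupt would presumably be reported as `pass`; whether the store validates that field is not visible here. A guard ahead of the ladder, for example `if (!Number.isFinite(delta)) return "expired";`, keeps the documented return set and fails closed, and the caller would need an equivalent check that returns a `fail` finding.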
@@ -56,12 +56,21 @@ export function validateNonInteractiveOptions(opts) {
56
56
  if (!opts.provider || opts.provider.trim().length === 0) {
57
57
  throw new NonInteractiveError("--provider is required in non-interactive mode", "provider");
58
58
  }
59
+ // openai-codex requires interactive OAuth login (browser callback,
60
+ // device-code prompt, or manual paste). Non-interactive mode has no
61
+ // way to drive the OAuth flow, so reject up front with a clear hint
62
+ // pointing at `comis auth login --method device-code`. Placed BEFORE
63
+ // the soft "unknown provider" warning so the literal error fires
64
+ // even though openai-codex IS in the pi-ai catalog.
65
+ if (opts.provider === "openai-codex") {
66
+ throw new NonInteractiveError("openai-codex requires interactive login; run `comis init` interactively or run `comis auth login --provider openai-codex --method device-code` separately.", "provider");
67
+ }
59
68
  // Soft validation: warn for unknown providers but do not throw.
60
- // Daemon-side guards (260501-2pz credential-resolver, 260501-gyy
61
- // builtin-provider-guard) catch genuinely-invalid providers downstream
62
- // when the agent attempts to use the config. This loosening enables
63
- // forward compat when a new pi-ai version adds a provider before
64
- // comis releases. The "custom" provider is always allowed (synthetic).
69
+ // Daemon-side guards (credential-resolver, builtin-provider-guard)
70
+ // catch genuinely-invalid providers downstream when the agent
71
+ // attempts to use the config. This loosening enables forward compat
72
+ // when a new pi-ai version adds a provider before comis releases.
73
+ // The "custom" provider is always allowed (synthetic).
65
74
  if (opts.provider !== "custom") {
66
75
  try {
67
76
  const catalog = createModelCatalog();
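Review bot: The new `opts.provider === "openai-codex"` guard compares the raw value, while the required-provider check just above it tests `opts.provider.trim()`. A value such as `"openai-codex "` therefore skips the hard reject and reaches the soft unknown-provider path, which by its comment only warns. Whether a later step normalises the provider string is not visible in this hunk, so a non-interactive run might proceed with a provider that cannot complete OAuth. Comparing the trimmed value, `if (opts.provider.trim() === "openai-codex") {`, keeps the two checks consistent. The body of validateNonInteractiveOptions starts before and continues after this hunk.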
@@ -160,9 +169,9 @@ export function buildNonInteractiveState(opts) {
160
169
  };
161
170
  // Model selection -- delegate to daemon when not specified.
162
171
  // The literal "default" is resolved at agent-execution time via the
163
- // pi-ai catalog (builtin-provider-guard.ts:45 baseUrl pattern). Pre-
164
- // 260501-kqq, this read a hardcoded provider->model map; that lookup
165
- // was removed -- the daemon decides at runtime.
172
+ // pi-ai catalog (builtin-provider-guard.ts:45 baseUrl pattern). The
173
+ // previous hardcoded provider->model map was removed -- the daemon
174
+ // decides at runtime.
166
175
  const model = opts.model ?? "default";
167
176
  // Channel configs
168
177
  const channels = [];
@@ -37,7 +37,8 @@ import { loadProvidersWithFallback } from "../../client/provider-list.js";
37
37
  */
38
38
  const PROVIDER_UI_HINTS = {
39
39
  anthropic: { label: "Anthropic (Claude)", hint: "Recommended for agents", category: "recommended" },
40
- openai: { label: "OpenAI (GPT)", hint: "GPT-4o, o1, o3 models", category: "recommended" },
40
+ openai: { label: "OpenAI (GPT)", hint: "GPT-4o, o1, o3 — API key (pay per token)", category: "recommended" },
41
+ "openai-codex": { label: "OpenAI Codex", hint: "ChatGPT/Codex subscription — OAuth login", category: "recommended" },
41
42
  google: { label: "Google (Gemini)", hint: "Gemini models", category: "other" },
42
43
  groq: { label: "Groq", hint: "Fast inference (Llama, Mixtral)", category: "other" },
43
44
  mistral: { label: "Mistral", hint: "Mistral models", category: "other" },