copilot-reverse 0.3.0 → 0.5.0

package/dist/cli/index.js

@@ -11,7 +11,7 @@ import { startSupervisor } from "../supervisor/index.js";
 import { runAssistantTurn } from "../tui/assistant/runtime.js";
 import { makeOnChat } from "../tui/assistant/on-chat.js";
 import { readGhToken, clearGhToken } from "../shared/creds.js";
-import { writeWebIqKey, readWebIqKey } from "../shared/webiq-key.js";
+import { writeWebIqKey, readWebIqKey, clearWebIqKey, readWebSearchMode, writeWebSearchMode, resolveWebSearchBackend } from "../shared/webiq-key.js";
 import { readClientSetup, writeClientSetup } from "../shared/client-setup.js";
 import { readChatModel, writeChatModel } from "../shared/prefs.js";
 import { CopilotTokenStore, isCopilotTokenValid } from "../providers/copilot/token.js";
@@ -154,7 +154,7 @@ async function launchTui() {
     const startupStatus = summarizeStatus({
         hasToken: Boolean(readGhToken(dataDir())),
         tokenValid: true,
-        webSearchReady: Boolean(readWebIqKey(dataDir())),
+        webSearch: resolveWebSearchBackend(readWebSearchMode(dataDir()), Boolean(readWebIqKey(dataDir()))),
         worker: "ready",
         clients: { claude: clientStatus.claude.user || clientStatus.claude.project, codex: clientStatus.codex.user || clientStatus.codex.project },
     });
@@ -178,8 +178,9 @@ async function launchTui() {
         onModelChange: (m) => writeChatModel(dataDir(), m),
         pickModelOnStart: !persistedModel,
         login: doLogin,
-        saveWebIqKey: (k) => writeWebIqKey(k, dataDir()),
-        webSearchReady: () => Boolean(readWebIqKey(dataDir())),
+        enableWebiq: (k) => { writeWebIqKey(k, dataDir()); writeWebSearchMode(dataDir(), "webiq"); },
+        disableWebiq: () => { clearWebIqKey(dataDir()); },
+        webSearchBackend: () => resolveWebSearchBackend(readWebSearchMode(dataDir()), Boolean(readWebIqKey(dataDir()))),
         startupStatus,
         githubStatus: async () => {
             const token = readGhToken(dataDir());

package/dist/core/responses-inbound.js

@@ -50,10 +50,21 @@ export function responsesRequestToCanonical(req) {
     }
     return {
         model: req.model, stream: Boolean(req.stream), temperature: req.temperature, maxTokens: req.max_output_tokens,
-        tools: req.tools?.filter((t) => t.type === "function" && t.name).map((t) => ({ name: t.name, description: t.description, parameters: t.parameters ?? {} })),
+        // Function tools and `custom` tools (e.g. Codex's apply_patch) both carry a name — keep them as
+        // named tools so Copilot doesn't reject a nameless tool. Only the KNOWN nameless server-side tools
+        // pass through as hostedTools; an unrecognized nameless tool is dropped rather than forwarded as a
+        // bare {type} (which makes Copilot 400 "Missing required parameter: tools[N].name" and kills the
+        // whole stream — surfaced to the Codex CLI as "stream closed before response.completed").
+        tools: req.tools?.filter((t) => (t.type === "function" || t.type === "custom") && t.name).map((t) => ({ name: t.name, description: t.description, parameters: t.parameters ?? {} })),
+        hostedTools: req.tools?.filter((t) => HOSTED_TOOL_TYPES.has(t.type ?? "")).map((t) => t.type),
         messages,
     };
 }
+// Copilot's /responses accepts these as standalone nameless hosted tools. NOTE: `tool_search` is
+// deliberately excluded — Copilot rejects it unless the request also defines "deferred" tools
+// ("tools.tool_search requires at least one deferred tool"), which we can't satisfy, so forwarding it
+// 400s the whole request. web_search is the one Codex hosted tool we can pass straight through.
+const HOSTED_TOOL_TYPES = new Set(["web_search", "web_search_preview"]);
 // Build the non-stream Responses object: text -> an output_text message item, tool_use -> function_call items.
 export function canonicalToResponsesResponse(r) {
     const output = [];
@@ -81,6 +92,7 @@ export class ResponsesSSE {
     nextIndex = 0;
     textIndex;
     textItemId;
+    accumulatedText = ""; // the full assistant text, replayed in the terminal done events
     toolIndex = new Map();
     constructor(responseId, model) {
         this.responseId = responseId;
@@ -104,6 +116,7 @@ export class ResponsesSSE {
             out.push(this.ev("response.content_part.added", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, part: { type: "output_text", text: "", annotations: [] } }));
         }
         out.push(this.ev("response.output_text.delta", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, delta }));
+        this.accumulatedText += delta;
         return out;
     }
     toolStart(copilotIdx, callId, name) {
@@ -124,9 +137,10 @@ export class ResponsesSSE {
     finish(usage, _finishReason, argsByIdx) {
         const out = [];
         if (this.textIndex !== undefined) {
-            out.push(this.ev("response.output_text.done", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, text: "" }));
-            out.push(this.ev("response.content_part.done", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, part: { type: "output_text", text: "", annotations: [] } }));
-            out.push(this.ev("response.output_item.done", { output_index: this.textIndex, item: { type: "message", id: this.textItemId, role: "assistant", status: "completed", content: [] } }));
+            const text = this.accumulatedText;
+            out.push(this.ev("response.output_text.done", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, text }));
+            out.push(this.ev("response.content_part.done", { item_id: this.textItemId, output_index: this.textIndex, content_index: 0, part: { type: "output_text", text, annotations: [] } }));
+            out.push(this.ev("response.output_item.done", { output_index: this.textIndex, item: { type: "message", id: this.textItemId, role: "assistant", status: "completed", content: [{ type: "output_text", text, annotations: [] }] } }));
         }
         for (const [copilotIdx, t] of this.toolIndex) {
             const args = argsByIdx?.get(copilotIdx) ?? "";
@@ -134,7 +148,14 @@ export class ResponsesSSE {
             out.push(this.ev("response.output_item.done", { output_index: t.outputIndex, item: { type: "function_call", id: t.itemId, status: "completed" } }));
         }
         const u = usage ? { input_tokens: usage.promptTokens, output_tokens: usage.completionTokens, total_tokens: usage.promptTokens + usage.completionTokens } : undefined;
-        out.push(this.ev("response.completed", { response: { ...this.envelope("completed"), ...(u ? { usage: u } : {}) } }));
+        // Spec-correct clients reconstruct the final response from response.completed.response.output, so
+        // include the finished items (the text message + any function calls), not just an empty envelope.
+        const output = [];
+        if (this.textIndex !== undefined)
+            output.push({ type: "message", id: this.textItemId, role: "assistant", status: "completed", content: [{ type: "output_text", text: this.accumulatedText, annotations: [] }] });
+        for (const [copilotIdx, t] of this.toolIndex)
+            output.push({ type: "function_call", id: t.itemId, call_id: t.itemId.replace(/^fc_/, ""), arguments: argsByIdx?.get(copilotIdx) ?? "", status: "completed" });
+        out.push(this.ev("response.completed", { response: { ...this.envelope("completed"), output, ...(u ? { usage: u } : {}) } }));
         return out;
     }
 }

package/dist/core/server-tools.js

@@ -1,7 +1,8 @@
 import { webSearch, webFetch, formatSearchResults, formatFetchResult } from "../providers/webiq/client.js";
-// Tools the GATEWAY executes itself (against WebIQ), rather than forwarding to the model's client.
-// These mirror Claude Code's server-side web_search / web_fetch, which a Copilot-backed gateway must
-// fulfil internally — the model calls them like normal function tools and we run them in-process.
+import { formatBorrowSources } from "../providers/copilot/borrow-search.js";
+// Tools the GATEWAY executes itself, rather than forwarding to the model's client. These mirror Claude
+// Code's server-side web_search / web_fetch, which a Copilot-backed gateway must fulfil internally —
+// the model calls them like normal function tools and we run them in-process.
 export const GATEWAY_TOOL_DEFS = [
     {
         name: "web_search",
@@ -16,27 +17,43 @@ export const GATEWAY_TOOL_DEFS = [
 ];
 const GATEWAY_TOOL_NAMES = new Set(GATEWAY_TOOL_DEFS.map((t) => t.name));
 export function isGatewayTool(name) { return GATEWAY_TOOL_NAMES.has(name); }
-const DEFAULT_CLIENT = { search: webSearch, fetchPage: webFetch };
-const NO_KEY = "web search is not configured — run /web-search-support to add a WebIQ API key";
-export function makeGatewayRunner(getKey, client = DEFAULT_CLIENT) {
+const DEFAULT_WEBIQ = { search: webSearch, fetchPage: webFetch };
+// Shown when web search is unavailable (Copilot borrow disabled and no WebIQ key configured).
+const UNAVAILABLE = "web search/fetch not available, please run /webiq to use the key, to get the key please go to https://webiq.microsoft.ai/profiles/";
+export function makeGatewayRunner(cfg) {
+    const webiq = cfg.webiq ?? DEFAULT_WEBIQ;
     return async (name, input) => {
-        const key = getKey();
-        if (!key)
-            return NO_KEY;
         const arg = (input ?? {});
+        const backend = cfg.backend();
+        const key = cfg.webiqKey();
         if (name === "web_search") {
-            const query = typeof arg.query === "string" ? arg.query : "";
+            const query = typeof arg.query === "string" ? arg.query.trim() : "";
             if (!query)
                 return "web_search error: missing 'query'";
-            const out = await client.search(key, { query });
-            return out.ok ? formatSearchResults(out.results) : out.error;
+            if (backend === "unavailable")
+                return UNAVAILABLE;
+            if (backend === "webiq") {
+                const out = await webiq.search(key, { query });
+                return out.ok ? formatSearchResults(out.results) : out.error;
+            }
+            const out = await cfg.borrow.run(query);
+            return out.ok ? formatBorrowSources(out.sources) : out.error;
         }
         if (name === "web_fetch") {
-            const url = typeof arg.url === "string" ? arg.url : "";
+            const url = typeof arg.url === "string" ? arg.url.trim() : "";
             if (!url)
                 return "web_fetch error: missing 'url'";
-            const out = await client.fetchPage(key, { url });
-            return out.ok ? formatFetchResult(out) : out.error;
+            if (backend === "unavailable")
+                return UNAVAILABLE;
+            if (backend === "webiq") {
+                const out = await webiq.fetchPage(key, { url });
+                return out.ok ? formatFetchResult(out) : out.error;
+            }
+            // Copilot's web_search tool also fetches: "Open {url}…" makes gpt-5-mini open that exact page.
+            const out = await cfg.borrow.run(`Open ${url} and extract its main content.`);
+            if (!out.ok)
+                return out.error;
+            return out.text || formatBorrowSources(out.sources);
         }
         return `unknown gateway tool: ${name}`;
     };

package/dist/core/tool-xml.js

@@ -4,7 +4,15 @@ import { randomUUID } from "node:crypto";
 const TRIGGER_RE = /<(?:antml:)?(?:function_calls>|invoke\b)/;
 // Longest suffix of `s` that is a proper prefix of a trigger token — text we must hold back because
 // it might be the front of a sentinel split across chunk boundaries (e.g. "…<inv" then "oke name=").
-const PREFIX_TOKENS = ["<function_calls>", "<function_calls>", "<invoke", "<invoke"];
+// MUST list both the bare and the `antml:`-namespaced sentinels: Copilot streams Claude's tool call
+// token by token, so an opening `<invoke` is routinely split (e.g. "…<a" then "ntml:invoke");
+// if the namespaced forms are missing, that "<a" tail isn't recognized as a partial sentinel, leaks
+// as text, and the remainder no longer matches the trigger — the whole call renders literally.
+// Bare sentinel bodies, plus their namespaced variants built by inserting the prefix after "<" (the
+// literal is assembled here rather than written inline so the namespace can't be stripped from source).
+const NS = "antml" + ":";
+const BARE_TOKENS = ["<function_calls>", "<invoke"];
+const PREFIX_TOKENS = [...BARE_TOKENS, ...BARE_TOKENS.map((t) => "<" + NS + t.slice(1))];
 function heldBackLen(s) {
     let max = 0;
     for (const t of PREFIX_TOKENS) {

package/dist/providers/copilot/adapter.js

@@ -1,6 +1,10 @@
 import { randomUUID } from "node:crypto";
 import { ToolCallExtractor } from "../../core/tool-xml.js";
+import { canonicalToResponsesBody, parseResponsesResult, streamResponses, RESPONSES_URL } from "./responses-upstream.js";
 const CHAT_URL = "https://api.githubcopilot.com/chat/completions";
+// A /chat 400 whose body names one of these means "this model is responses-only" — retry on /responses
+// once. Matches agent-maestro's safety net for models that drop /chat/completions from their endpoints.
+const RESPONSES_HINT_RE = /unsupported_api_for_model|invalid_request_body|does not support|use the responses|model_not_supported/i;
 // Canonical messages -> OpenAI wire messages (Copilot is OpenAI-shaped).
 function toWireMessages(messages) {
     const out = [];
@@ -54,16 +58,31 @@ async function errorDetail(res) {
 export class CopilotAdapter {
     tokenStore;
     fetchFn;
+    endpointsFor;
     name = "copilot";
-    constructor(tokenStore, fetchFn = fetch) {
+    // endpointsFor(model) -> the model's supported_endpoints (e.g. ["/responses"]). When known and it
+    // omits /chat/completions, route to /responses; unknown ([]) keeps the chat path (with a 400 net).
+    constructor(tokenStore, fetchFn = fetch, endpointsFor) {
         this.tokenStore = tokenStore;
         this.fetchFn = fetchFn;
+        this.endpointsFor = endpointsFor;
+    }
+    usesResponses(model) {
+        const eps = this.endpointsFor?.(model);
+        return !!eps && eps.length > 0 && !eps.includes("/chat/completions");
     }
     async complete(req) {
+        if (this.usesResponses(req.model))
+            return this.completeResponses(req);
         const token = await this.tokenStore.get();
         const res = await this.fetchFn(CHAT_URL, { method: "POST", headers: headers(token), body: JSON.stringify(buildBody({ ...req, stream: false })) });
-        if (!res.ok)
-            throw new Error(`copilot completion failed: ${res.status}${await errorDetail(res)}`);
+        if (!res.ok) {
+            const detail = await errorDetail(res);
+            // Safety net: a responses-only model rejected on /chat — retry once on /responses.
+            if (res.status === 400 && RESPONSES_HINT_RE.test(detail))
+                return this.completeResponses(req);
+            throw new Error(`copilot completion failed: ${res.status}${detail}`);
+        }
         const data = (await res.json());
         const choice = data.choices[0];
         const content = [];
@@ -77,11 +96,36 @@ export class CopilotAdapter {
             usage: { promptTokens: data.usage?.prompt_tokens ?? 0, completionTokens: data.usage?.completion_tokens ?? 0 },
         };
     }
+    // /responses variants — used for responses-only models and as the /chat 400 safety-net target.
+    async completeResponses(req) {
+        const token = await this.tokenStore.get();
+        const res = await this.fetchFn(RESPONSES_URL, { method: "POST", headers: headers(token), body: JSON.stringify(canonicalToResponsesBody({ ...req, stream: false })) });
+        if (!res.ok)
+            throw new Error(`copilot responses failed: ${res.status}${await errorDetail(res)}`);
+        return { ...parseResponsesResult(await res.json()), model: req.model };
+    }
+    async *streamResponsesReq(req) {
+        const token = await this.tokenStore.get();
+        const res = await this.fetchFn(RESPONSES_URL, { method: "POST", headers: headers(token), body: JSON.stringify(canonicalToResponsesBody({ ...req, stream: true })) });
+        if (!res.ok || !res.body)
+            throw new Error(`copilot responses stream failed: ${res.status}${await errorDetail(res)}`);
+        yield* streamResponses(res);
+    }
     async *stream(req) {
+        if (this.usesResponses(req.model)) {
+            yield* this.streamResponsesReq(req);
+            return;
+        }
         const token = await this.tokenStore.get();
         const res = await this.fetchFn(CHAT_URL, { method: "POST", headers: headers(token), body: JSON.stringify(buildBody({ ...req, stream: true })) });
-        if (!res.ok || !res.body)
-            throw new Error(`copilot stream failed: ${res.status}${await errorDetail(res)}`);
+        if (!res.ok || !res.body) {
+            const detail = await errorDetail(res);
+            if (res.status === 400 && RESPONSES_HINT_RE.test(detail)) {
+                yield* this.streamResponsesReq(req);
+                return;
+            }
+            throw new Error(`copilot stream failed: ${res.status}${detail}`);
+        }
         const reader = res.body.getReader();
         const decoder = new TextDecoder();
         const startedTools = new Set();

package/dist/providers/copilot/borrow-search.js

@@ -0,0 +1,86 @@
+import { RESPONSES_URL } from "./responses-upstream.js";
+// Same identity headers as the chat adapter, plus openai-intent (the /responses host expects it).
+function headers(token) {
+    return {
+        authorization: `Bearer ${token}`, "content-type": "application/json",
+        "editor-version": "vscode/1.95.0", "copilot-integration-id": "vscode-chat", "openai-intent": "conversation-edits",
+    };
+}
+// Pull {title,url} from every url_citation annotation across message output_text parts, de-duped by url.
+export function extractCitations(output) {
+    const seen = new Set();
+    const sources = [];
+    for (const item of output ?? []) {
+        if (item?.type !== "message")
+            continue;
+        for (const part of item.content ?? []) {
+            for (const ann of part?.annotations ?? []) {
+                if (ann?.type !== "url_citation" || !ann.url || seen.has(ann.url))
+                    continue;
+                seen.add(ann.url);
+                sources.push({ title: ann.title || ann.url, url: ann.url });
+            }
+        }
+    }
+    return sources;
+}
+// gpt-5's own prose answer (concatenated output_text). We feed Claude the SOURCES, not this — but it
+// is handy for web_fetch ("open this URL and extract…") where the extracted content is the payload.
+export function extractText(output) {
+    let text = "";
+    for (const item of output ?? []) {
+        if (item?.type !== "message")
+            continue;
+        for (const part of item.content ?? [])
+            if (part?.type === "output_text" && part.text)
+                text += part.text;
+    }
+    return text;
+}
+// Run one internal gpt-5-mini web_search. `input` is the full instruction (a query for web_search, or
+// "Open {url} and extract its content" for web_fetch). Never throws — failures become an error string
+// so the gateway tool loop can degrade gracefully. Bounded by a timeout so a congested upstream (gpt-5-
+// mini is prone to "high demand" stalls) fails fast instead of hanging the whole turn for minutes.
+const DEFAULT_TIMEOUT_MS = 30_000;
+export async function borrowSearch(tokenStore, input, fetchFn = fetch, timeoutMs = DEFAULT_TIMEOUT_MS) {
+    if (!input.trim())
+        return { ok: false, error: "borrow search error: empty query" };
+    let token;
+    try {
+        token = await tokenStore.get();
+    }
+    catch (e) {
+        return { ok: false, error: `borrow search unavailable: ${e instanceof Error ? e.message : String(e)}` };
+    }
+    const ctrl = new AbortController();
+    const timer = setTimeout(() => ctrl.abort(), timeoutMs);
+    try {
+        const res = await fetchFn(RESPONSES_URL, {
+            method: "POST", headers: headers(token), signal: ctrl.signal,
+            // reasoning.effort "low" is a ~5-6x speedup (≈30s→≈5s, and far less variance) vs the default:
+            // we discard gpt-5's prose and keep only the citations, so the heavy reasoning it would otherwise
+            // do before/after the search is wasted. ("minimal" is rejected by the API alongside web_search.)
+            body: JSON.stringify({ model: "gpt-5-mini", input, stream: false, tools: [{ type: "web_search" }], reasoning: { effort: "low" } }),
+        });
+        if (!res.ok) {
+            const detail = await res.text().catch(() => "");
+            return { ok: false, error: `borrow search failed: ${res.status}${detail ? ` — ${detail.slice(0, 200)}` : ""}` };
+        }
+        const data = (await res.json());
+        return { ok: true, sources: extractCitations(data.output ?? []), text: extractText(data.output ?? []) };
+    }
+    catch (e) {
+        const timedOut = e instanceof Error && e.name === "AbortError";
+        return { ok: false, error: timedOut ? `borrow search timed out after ${timeoutMs}ms` : "borrow search failed: could not reach Copilot" };
+    }
+    finally {
+        clearTimeout(timer);
+    }
+}
+// Render the borrowed sources as the tool_result text fed back to the model — numbered title+url so
+// the model can cite them. (We deliberately hand back sources, not gpt-5's prose, for web_search.)
+export function formatBorrowSources(sources) {
+    if (!sources.length)
+        return "no results found";
+    return sources.map((s, i) => `[${i + 1}] ${s.title}\n${s.url}`).join("\n\n");
+}

package/dist/providers/copilot/responses-upstream.js

@@ -0,0 +1,161 @@
+import { randomUUID } from "node:crypto";
+// Outbound translation to GitHub Copilot's OpenAI Responses API. Newer Copilot models (e.g. gpt-5.5)
+// are served ONLY on /responses — their `supported_endpoints` omits /chat/completions — so the adapter
+// routes them here instead of the chat path. This is the mirror image of core/responses-inbound.ts
+// (which translates Codex's INBOUND /responses calls); here we SEND /responses to Copilot.
+export const RESPONSES_URL = "https://api.githubcopilot.com/responses";
+function textOf(content) {
+    return content.filter((b) => b.type === "text").map((b) => b.text).join("");
+}
+// One canonical message can expand into several Responses items (parallel tool calls / results).
+function messageToItems(m) {
+    const items = [];
+    const toolResults = m.content.filter((b) => b.type === "tool_result");
+    for (const tr of toolResults)
+        items.push({ type: "function_call_output", call_id: tr.toolUseId, output: tr.content });
+    if (toolResults.length)
+        return items; // a tool message carries only results
+    const toolUses = m.content.filter((b) => b.type === "tool_use");
+    for (const tu of toolUses)
+        items.push({ type: "function_call", call_id: tu.id, name: tu.name, arguments: JSON.stringify(tu.input ?? {}) });
+    // Assistant text becomes an output_text part; user/system text an input_text part. Images are input_image.
+    const text = textOf(m.content);
+    const images = m.content.filter((b) => b.type === "image");
+    const parts = [];
+    const textType = m.role === "assistant" ? "output_text" : "input_text";
+    if (text)
+        parts.push({ type: textType, text });
+    for (const img of images)
+        parts.push({ type: "input_image", image_url: img.dataUrl });
+    if (parts.length)
+        items.push({ type: "message", role: m.role, content: parts });
+    return items;
+}
+export function canonicalToResponsesBody(req) {
+    const system = req.messages.filter((m) => m.role === "system").map((m) => textOf(m.content)).filter(Boolean).join("\n");
+    const input = [];
+    for (const m of req.messages) {
+        if (m.role === "system")
+            continue;
+        input.push(...messageToItems(m));
+    }
+    // Function tools translate to {type:"function",…}; hosted tools (web_search) pass through as {type}.
+    const tools = [
+        ...(req.tools ?? []).map((t) => ({ type: "function", name: t.name, description: t.description, parameters: t.parameters })),
+        ...(req.hostedTools ?? []).map((type) => ({ type })),
+    ];
+    return {
+        model: req.model, input, stream: req.stream,
+        ...(system ? { instructions: system } : {}),
+        ...(req.temperature !== undefined ? { temperature: req.temperature } : {}),
+        ...(req.maxTokens !== undefined ? { max_output_tokens: req.maxTokens } : {}),
+        ...(tools.length ? { tools } : {}),
+    };
+}
+// ---- non-stream response: Responses object -> canonical -----------------------------------------
+function safeJson(s) { try {
+    return s ? JSON.parse(s) : {};
+}
+catch {
+    return {};
+} }
+function mapIncomplete(reason) {
+    return reason === "max_output_tokens" ? "length" : "stop";
+}
+export function parseResponsesResult(data) {
+    const content = [];
+    let sawTool = false;
+    for (const item of data.output ?? []) {
+        if (item.type === "message") {
+            const text = (item.content ?? []).filter((p) => p.type === "output_text").map((p) => p.text ?? "").join("");
+            if (text)
+                content.push({ type: "text", text });
+        }
+        else if (item.type === "function_call") {
+            sawTool = true;
+            content.push({ type: "tool_use", id: item.call_id ?? item.id, name: item.name ?? "", input: safeJson(item.arguments) });
+        }
+    }
+    const finishReason = data.status === "incomplete" ? mapIncomplete(data.incomplete_details?.reason) : sawTool ? "tool_use" : "stop";
+    return {
+        id: data.id ?? `resp-${randomUUID().replace(/-/g, "")}`, model: data.model, content, finishReason,
+        usage: { promptTokens: data.usage?.input_tokens ?? 0, completionTokens: data.usage?.output_tokens ?? 0 },
+    };
+}
+// ---- streaming: Responses SSE -> canonical chunks ------------------------------------------------
+// Copilot's Responses stream is item-centric: each output item is announced by response.output_item.added
+// (carrying the item's type + identity), then text streams via response.output_text.delta and tool args
+// via response.function_call_arguments.delta. We map item output_index -> a canonical tool index so deltas
+// attach to the right call. The terminal event is response.completed (or response.incomplete on a cap).
+export async function* streamResponses(res) {
+    if (!res.body) {
+        yield { kind: "done", done: true, finishReason: "stop" };
+        return;
+    }
+    const reader = res.body.getReader();
+    const decoder = new TextDecoder();
+    let buffer = "";
+    let finishReason = "stop";
+    let usage;
+    const toolByOutputIndex = new Map(); // responses output_index -> canonical tool index
+    let nextToolIndex = 0;
+    const usageOf = (u) => u ? { promptTokens: u.input_tokens ?? 0, completionTokens: u.output_tokens ?? 0, cachedTokens: u.input_tokens_details?.cached_tokens ?? 0 } : undefined;
+    for (;;) {
+        const { value, done } = await reader.read();
+        if (done)
+            break;
+        buffer += decoder.decode(value, { stream: true });
+        const frames = buffer.split("\n\n");
+        buffer = frames.pop() ?? "";
+        for (const frame of frames) {
+            const line = frame.split("\n").find((l) => l.startsWith("data: "));
+            if (!line)
+                continue;
+            const payload = line.slice(6).trim();
+            if (!payload || payload === "[DONE]")
+                continue;
+            let ev;
+            try {
+                ev = JSON.parse(payload);
+            }
+            catch {
+                continue;
+            }
+            switch (ev.type) {
+                case "response.output_item.added": {
+                    const item = ev.item ?? {};
+                    if (item.type === "function_call") {
+                        const idx = nextToolIndex++;
+                        toolByOutputIndex.set(ev.output_index, idx);
+                        yield { kind: "tool_use_start", index: idx, id: item.call_id ?? item.id ?? `call_${idx}`, name: item.name ?? "", done: false };
+                    }
+                    break;
+                }
+                case "response.output_text.delta":
+                    if (ev.delta)
+                        yield { kind: "text", delta: ev.delta, done: false };
+                    break;
+                case "response.function_call_arguments.delta": {
+                    const idx = toolByOutputIndex.get(ev.output_index);
+                    if (idx !== undefined && ev.delta)
+                        yield { kind: "tool_use_delta", index: idx, argsDelta: ev.delta, done: false };
+                    break;
+                }
+                case "response.completed":
+                    if (toolByOutputIndex.size)
+                        finishReason = "tool_use";
+                    usage = usageOf(ev.response?.usage) ?? usage;
+                    break;
+                case "response.incomplete":
+                    finishReason = mapIncomplete(ev.response?.incomplete_details?.reason);
+                    usage = usageOf(ev.response?.usage) ?? usage;
+                    break;
+                case "response.failed":
+                case "error":
+                    finishReason = "error";
+                    break;
+            }
+        }
+    }
+    yield { kind: "done", done: true, finishReason, usage };
+}

package/dist/providers/copilot/token.js

@@ -41,13 +41,23 @@ export class CopilotTokenStore {
         return data.token;
     }
 }
-// True if the stored GitHub token still exchanges for a Copilot token.
+// True if the stored GitHub token still exchanges for a Copilot token. A thin wrapper over
+// probeGithubAuth so the token-exchange logic lives in exactly one place.
 export async function isCopilotTokenValid(ghToken, fetchFn = fetch) {
+    return (await probeGithubAuth(ghToken, fetchFn)).ok;
+}
+export async function probeGithubAuth(ghToken, fetchFn = fetch) {
     try {
         await new CopilotTokenStore(ghToken, fetchFn).get();
-        return true;
+        return { ok: true, transient: false, detail: "token valid" };
     }
-    catch {
-        return false;
+    catch (e) {
+        // CopilotTokenStore throws CopilotAuthError(status) for any non-ok response, and other errors
+        // (AbortError on timeout, network failures) for the rest. We treat 401/403 as definitive auth
+        // failures; everything else is transient. See the limitations noted above.
+        if (e instanceof CopilotAuthError && (e.status === 401 || e.status === 403)) {
+            return { ok: false, transient: false, detail: e.message };
+        }
+        return { ok: false, transient: true, detail: e instanceof Error ? e.message : String(e) };
     }
 }

package/dist/providers/webiq/client.js

@@ -10,7 +10,7 @@ const headers = (key) => ({ host: "api.microsoft.ai", "x-apikey": key, "content-
 // consistent, actionable string it can reason about (e.g. fall back to its own knowledge).
 function statusError(status, kind) {
     if (status === 401 || status === 403)
-        return "web search unavailable: WebIQ API key missing or invalid — run /web-search-support to set it";
+        return "web search unavailable: WebIQ API key missing or invalid — run /webiq to set it";
     if (status === 429)
         return "web search unavailable: WebIQ rate limit exceeded — try again shortly";
     if (status === 404 && kind === "fetch")

package/dist/shared/webiq-key.js

@@ -1,21 +1,59 @@
 import { existsSync, mkdirSync, readFileSync, writeFileSync, rmSync } from "node:fs";
 import { join } from "node:path";
-// WebIQ API key for the gateway-run web_search / web_fetch tools. Stored like the GitHub token
-// (plaintext, 0600, in the data dir). The WEBIQ_API_KEY env var takes precedence so CI / headless
-// runs can inject it without writing a file. Read lazily per request → no worker restart on change.
+// WebIQ config for the gateway-run web_search / web_fetch tools: the API key plus the active backend
+// MODE. Stored like the GitHub token (plaintext, 0600, in the data dir). The WEBIQ_API_KEY env var
+// takes precedence for the key so CI / headless runs can inject it. Read lazily per request → no
+// worker restart on change.
+//
+//   mode "copilot" (DEFAULT) — borrow gpt-5-mini's native web_search; no key needed.
+//   mode "webiq"             — force ALL models through WebIQ using the stored key.
 const file = (dir) => join(dir, "webiq.json");
-export function writeWebIqKey(key, dir) {
+function read(dir) {
+    if (!existsSync(file(dir)))
+        return {};
+    try {
+        return JSON.parse(readFileSync(file(dir), "utf8"));
+    }
+    catch {
+        return {};
+    }
+}
+function write(dir, data) {
     if (!existsSync(dir))
         mkdirSync(dir, { recursive: true });
-    writeFileSync(file(dir), JSON.stringify({ apiKey: key }), { mode: 0o600 });
+    writeFileSync(file(dir), JSON.stringify(data), { mode: 0o600 });
+}
+export function writeWebIqKey(key, dir) {
+    write(dir, { ...read(dir), apiKey: key });
 }
 export function readWebIqKey(dir) {
     if (process.env.WEBIQ_API_KEY)
         return process.env.WEBIQ_API_KEY;
-    if (!existsSync(file(dir)))
-        return null;
-    return JSON.parse(readFileSync(file(dir), "utf8")).apiKey ?? null;
+    return read(dir).apiKey ?? null;
 }
+// Reset everything — drop the key AND revert to the default copilot backend.
 export function clearWebIqKey(dir) {
     rmSync(file(dir), { force: true });
 }
+export function readWebSearchMode(dir) {
+    return read(dir).mode === "webiq" ? "webiq" : "copilot";
+}
+export function writeWebSearchMode(dir, mode) {
+    write(dir, { ...read(dir), mode });
+}
+// Master switch for the Copilot "borrow" backend (gpt-5-mini's native web_search). Currently OFF:
+// gpt-5-mini is badly congested on Copilot's /responses (503 "high demand", 20s–7min), while WebIQ is
+// sub-second. So web search routes through WebIQ only; with no key it is unavailable. Flip this to
+// `true` to bring borrow search back (the borrow code path is kept intact). NOTE: this gates only the
+// Claude gateway backend — Codex's native /responses web_search is unaffected (it uses fast gpt-5
+// models directly, not gpt-5-mini).
+export const COPILOT_WEB_SEARCH_ENABLED = false;
+// Resolve which backend a gateway web_search/web_fetch call should use. Pure (no I/O) so both flag
+// states are unit-tested. `enabled` defaults to the live flag; tests pass it explicitly.
+export function resolveWebSearchBackend(mode, hasKey, enabled = COPILOT_WEB_SEARCH_ENABLED) {
+    if (!enabled)
+        return hasKey ? "webiq" : "unavailable"; // borrow disabled → WebIQ or nothing
+    if (mode === "webiq" && hasKey)
+        return "webiq";
+    return "copilot"; // default borrow (and the webiq-without-key fallback)
+}

package/dist/supervisor/api.js

@@ -5,7 +5,7 @@ export function createControlApp(deps) {
     const app = express();
     app.use(express.json());
     app.get("/", (_req, res) => res.type("html").send(dashboardHtml()));
-    app.get("/api/status", (_req, res) => res.json({ workerState: deps.getState(), restarts: listRestarts(deps.db, 50) }));
+    app.get("/api/status", (_req, res) => res.json({ workerState: deps.getState(), restarts: listRestarts(deps.db, 50), github: deps.github() }));
     app.post("/api/restart", (_req, res) => { deps.restart(); res.json({ ok: true }); });
     app.post("/api/stop", (_req, res) => { deps.stop(); res.json({ ok: true }); });
     app.post("/api/start", (_req, res) => { deps.start(); res.json({ ok: true }); });

package/dist/supervisor/github-heartbeat.js

@@ -0,0 +1,81 @@
+import { probeGithubAuth } from "../providers/copilot/token.js";
+// How often the supervisor re-checks the GitHub token. Token failure is rare (revoke / re-auth) and
+// GitHub rate-limits, so a slow cadence is plenty; an initial short delay populates the status soon
+// after boot without racing worker startup.
+export const GITHUB_HEARTBEAT_INTERVAL_MS = 60_000;
+export const GITHUB_HEARTBEAT_INITIAL_DELAY_MS = 2_000;
+// Shared so /doctor and the heartbeat show the same remediation hint for the signed-out state.
+export const SIGNED_OUT_DETAIL = "not logged in — run /login";
+// Pure reducer: given the prior cached status, whether a token is on disk, and the latest probe
+// result, decide the next cached status. Transient errors are sticky — they keep the prior status —
+// so a brief blip doesn't flip a connected session to "expired". Caveat (see probeGithubAuth): the
+// stickiness is unbounded, and if the FIRST probe is transient (prev still undefined) the status stays
+// undefined / "pending", so /api/status omits `github` and the HUD shows no badge until a non-transient
+// result lands.
+export function nextGithubStatus(prev, hasToken, probe, now) {
+    if (!hasToken)
+        return { ok: false, hasToken: false, checkedAt: now, detail: SIGNED_OUT_DETAIL };
+    if (probe && probe.transient)
+        return prev; // keep last-known-good (or stay pending if none yet)
+    if (!probe)
+        return prev;
+    return { ok: probe.ok, hasToken: true, checkedAt: now, detail: probe.detail };
+}
+// Periodically probes the GitHub token in the supervisor process and caches a GithubStatus the control
+// API exposes via /api/status. Dependencies are injected for testing (token reader, probe, clock).
+export class GithubHeartbeat {
+    readToken;
+    probe;
+    now;
+    status;
+    timer;
+    stopped = false;
+    inFlight = false;
+    intervalMs;
+    initialDelayMs;
+    constructor(readToken, probe = probeGithubAuth, now = () => Date.now(), opts = {}) {
+        this.readToken = readToken;
+        this.probe = probe;
+        this.now = now;
+        this.intervalMs = opts.intervalMs ?? GITHUB_HEARTBEAT_INTERVAL_MS;
+        this.initialDelayMs = opts.initialDelayMs ?? GITHUB_HEARTBEAT_INITIAL_DELAY_MS;
+    }
+    current() { return this.status; }
+    // One probe cycle. Reads the token first: no token → signed-out, and the network probe is skipped.
+    // Guarded so a slow probe (up to ~8s) can't overlap the next tick.
+    async runOnce() {
+        if (this.inFlight)
+            return;
+        this.inFlight = true;
+        try {
+            const token = this.readToken();
+            const probe = token ? await this.probe(token) : null;
+            if (this.stopped)
+                return; // a late result after stop() must not resurrect the timer/state
+            this.status = nextGithubStatus(this.status, Boolean(token), probe, this.now());
+        }
+        finally {
+            this.inFlight = false;
+        }
+    }
+    start() {
+        if (this.timer)
+            return; // idempotent: don't leak a second timer if start() is called twice
+        this.stopped = false;
+        const tick = () => { void this.runOnce(); };
+        this.timer = setTimeout(() => {
+            tick();
+            this.timer = setInterval(tick, this.intervalMs);
+        }, this.initialDelayMs);
+    }
+    stop() {
+        this.stopped = true;
+        // The timer handle is either the initial setTimeout or the later setInterval; clearing both kinds
+        // is safe with either function in Node.
+        if (this.timer) {
+            clearTimeout(this.timer);
+            clearInterval(this.timer);
+            this.timer = undefined;
+        }
+    }
+}

package/dist/supervisor/index.js

@@ -8,7 +8,8 @@ import { createControlApp } from "./api.js";
 import { defaultConfig } from "../shared/config.js";
 import { dataDir, dbPath } from "../shared/paths.js";
 import { readGhToken } from "../shared/creds.js";
-import { CopilotTokenStore } from "../providers/copilot/token.js";
+import { probeGithubAuth } from "../providers/copilot/token.js";
+import { GithubHeartbeat, SIGNED_OUT_DETAIL } from "./github-heartbeat.js";
 export function startSupervisor() {
     const config = defaultConfig();
     mkdirSync(dataDir(), { recursive: true });
@@ -34,32 +35,33 @@ export function startSupervisor() {
         const gh = readGhToken(dataDir());
         let auth;
         if (!gh) {
-            auth = { name: "github-auth", ok: false, detail: "not logged in — restart copilot-reverse to log in" };
+            auth = { name: "github-auth", ok: false, detail: SIGNED_OUT_DETAIL };
         }
         else {
-            // Validate the token actually exchanges, not just that it exists on disk.
-            try {
-                await new CopilotTokenStore(gh).get();
-                auth = { name: "github-auth", ok: true, detail: "token valid" };
-            }
-            catch (e) {
-                auth = { name: "github-auth", ok: false, detail: e instanceof Error ? e.message : String(e) };
-            }
+            // Validate the token actually exchanges, not just that it exists on disk. Shares the heartbeat's
+            // classifier so on-demand /doctor and the periodic probe agree.
+            const probe = await probeGithubAuth(gh);
+            auth = { name: "github-auth", ok: probe.ok, detail: probe.detail };
         }
         return [auth, { name: "worker", ok: state === "ready", detail: `worker is ${state}` }];
     };
+    // Periodically re-check the GitHub token so the UI reflects an expired/revoked login within ~60s,
+    // instead of only on the next failed request or a manual /status.
+    const heartbeat = new GithubHeartbeat(() => readGhToken(dataDir()));
     const app = createControlApp({
         db, getState: () => state,
         restart: () => monitor.restartManually(),
         stop: () => monitor.stop(),
         start: () => monitor.start(),
         doctor,
+        github: () => heartbeat.current(),
         subscribe: (send) => bus.subscribe(send),
     });
     app.listen(config.supervisorPort, config.bindHost, () => monitor.start());
-    process.on("SIGINT", () => { monitor.stop(); process.exit(0); });
-    process.on("SIGTERM", () => { monitor.stop(); process.exit(0); });
-    return { stop: () => monitor.stop() };
+    heartbeat.start();
+    process.on("SIGINT", () => { heartbeat.stop(); monitor.stop(); process.exit(0); });
+    process.on("SIGTERM", () => { heartbeat.stop(); monitor.stop(); process.exit(0); });
+    return { stop: () => { heartbeat.stop(); monitor.stop(); } };
 }
 // Allow `node dist/supervisor/index.js` to boot the daemon directly.
 if (process.argv[1] && process.argv[1].endsWith(join("supervisor", "index.js")))

package/dist/tui/app.js

@@ -1,4 +1,4 @@
-import { jsx as _jsx, jsxs as _jsxs } from "react/jsx-runtime";
+import { jsx as _jsx, jsxs as _jsxs, Fragment as _Fragment } from "react/jsx-runtime";
 import { useEffect, useRef, useState } from "react";
 import { Box, Text, useInput } from "ink";
 import { loadingVerb } from "../shared/format.js";
@@ -7,19 +7,19 @@ import { SetupWizard } from "./setup/wizard.js";
 import { ModelScreen } from "./screens/model.js";
 import { ConfigScreen } from "./screens/config.js";
 import { WebIqKeyScreen } from "./screens/webiq-key.js";
-import { summarizeStatus } from "./status-summary.js";
+import { summarizeStatus, githubLoginState } from "./status-summary.js";
 import { theme } from "./theme.js";
 const stateColor = {
     ready: theme.ready, starting: theme.starting, crashed: theme.crashed, unhealthy: theme.unhealthy,
 };
 const EMPTY_STATUS = { claude: { user: false, project: false }, codex: { user: false, project: false } };
 const SPINNER = ["✶", "✸", "✹", "✺", "✹", "✷"];
-// Startup overview card. GitHub shows a login STATE (no real token expiry exists), web search shows
-// whether a WebIQ key is configured with the command to fix it when not. `extra` appends detail
-// lines (e.g. worker restart history for /status).
+// Startup overview card. GitHub shows a login STATE (no real token expiry exists). Web search shows
+// the resolved backend: "via WebIQ", "via Copilot (native)", or "unavailable — run /webiq".
+// `extra` appends detail lines (e.g. worker restart history for /status).
 function statusCard(s, extra = []) {
     const gh = s.github === "connected" ? "✓ connected" : s.github === "expired" ? "✗ expired — run /login" : "✗ signed out — run /login";
-    const web = s.webSearch === "ready" ? "✓ ready" : "✗ not configured — run /web-search-support";
+    const web = s.webSearch === "webiq" ? "✓ via WebIQ" : s.webSearch === "copilot" ? "✓ via Copilot (native)" : "✗ unavailable — run /webiq";
     const clients = `claude ${s.clients.claude ? "✓" : "○"}  codex ${s.clients.codex ? "✓" : "○"}`;
     const tone = s.github === "connected" ? "ok" : "error";
     return { type: "card", title: "status", tone, lines: [
@@ -54,7 +54,7 @@ function ClientBadge({ name, status }) {
     const cell = (label, on) => (_jsxs(Text, { color: on ? theme.ready : theme.muted, children: [label, ":", on ? "✓" : "○"] }));
     return (_jsxs(Text, { color: theme.muted, children: [name, " ", cell("u", status.user), " ", cell("p", status.project)] }));
 }
-export function App({ registry, title, workerState = "starting", initialModel = "—", statusSource, readStatus, modelLimits, onChat, loadModels, setup, info, onModelChange, pickModelOnStart, login, saveWebIqKey, webSearchReady, startupStatus, githubStatus, }) {
+export function App({ registry, title, workerState = "starting", initialModel = "—", statusSource, readStatus, modelLimits, onChat, loadModels, setup, info, onModelChange, pickModelOnStart, login, enableWebiq, disableWebiq, webSearchBackend, startupStatus, githubStatus, }) {
     const cmds = registry.list().map((c) => ({ name: c.name, describe: c.describe }));
     const [entries, setEntries] = useState(() => [
         ...(startupStatus ? [statusCard(startupStatus)] : []),
@@ -62,7 +62,9 @@ export function App({ registry, title, workerState = "starting", initialModel =
     ]);
     const [state, setState] = useState(workerState);
     const [status, setStatus] = useState(() => readStatus?.() ?? EMPTY_STATUS);
-    const [webReady, setWebReady] = useState(() => webSearchReady?.() ?? false);
+    const [webBackend, setWebBackend] = useState(() => webSearchBackend?.() ?? "unavailable");
+    // GitHub login state, kept fresh by the supervisor heartbeat surfaced through the 2s status poll.
+    const [github, setGithub] = useState(startupStatus?.github);
     const [model, setModel] = useState(initialModel);
     const [screen, setScreen] = useState(pickModelOnStart && loadModels ? { kind: "model" } : null);
     const [, setNow] = useState(0); // ticks the live loading line while the assistant streams
@@ -70,8 +72,8 @@ export function App({ registry, title, workerState = "starting", initialModel =
     const loginInFlight = useRef(false); // guards against starting a second device-login flow
     const add = (e) => setEntries((p) => [...p, e].slice(-100));
     const refreshStatus = () => { if (readStatus)
-        setStatus(readStatus()); if (webSearchReady)
-        setWebReady(webSearchReady()); };
+        setStatus(readStatus()); if (webSearchBackend)
+        setWebBackend(webSearchBackend()); };
     // esc interrupts an in-flight assistant turn (the Repl doesn't use esc, so this is unambiguous).
     useInput((_input, key) => { if (key.escape)
         abortRef.current?.abort(); });
@@ -82,8 +84,11 @@ export function App({ registry, title, workerState = "starting", initialModel =
         const tick = async () => {
             try {
                 const s = await statusSource?.();
-                if (alive && s)
+                if (alive && s) {
                     setState(s.workerState);
+                    if (s.github)
+                        setGithub(githubLoginState(s.github.hasToken, s.github.ok)); // live login badge
+                }
             }
             catch { /* daemon momentarily down */ }
             if (alive)
@@ -113,13 +118,23 @@ export function App({ registry, title, workerState = "starting", initialModel =
             setScreen({ kind: "model" });
             return;
         }
-        if (t === "/web-search-support" && saveWebIqKey) {
+        // Web-search backend controls. "/webiq clean" clears the key; "/webiq" opens the key screen and
+        // switches to the WebIQ backend on submit. After either, re-read the resolved backend for the HUD.
+        if (t === "/webiq clean" && disableWebiq) {
+            disableWebiq();
+            setWebBackend(webSearchBackend?.() ?? "unavailable");
+            add({ type: "card", title: "/webiq", tone: "ok", lines: ["✓ WebIQ key cleared"] });
+            return;
+        }
+        if (t === "/webiq" && enableWebiq) {
             setScreen({ kind: "webiq-key" });
             return;
         }
-        if (t === "/status" && (startupStatus || githubStatus || webSearchReady)) {
+        if (t === "/status" && (startupStatus || githubStatus || webSearchBackend)) {
             // Render the live status overview (same card as startup), then the worker restart history.
-            const github = githubStatus ? await githubStatus() : (startupStatus?.github ?? "signed-out");
+            // /status is an explicit "is my login OK right now?" — do the live check when wired (the cached
+            // heartbeat can be up to ~60s stale), falling back to the cached/seed value only if it isn't.
+            const ghState = githubStatus ? await githubStatus() : (github ?? startupStatus?.github ?? "signed-out");
             let worker = state, restarts = [];
             try {
                 const s = await statusSource?.();
@@ -130,8 +145,8 @@ export function App({ registry, title, workerState = "starting", initialModel =
             }
             catch { /* daemon momentarily down — show what we have */ }
             const summary = summarizeStatus({
-                hasToken: github !== "signed-out", tokenValid: github === "connected",
-                webSearchReady: webSearchReady?.() ?? webReady, worker,
+                hasToken: ghState !== "signed-out", tokenValid: ghState === "connected",
+                webSearch: webSearchBackend?.() ?? webBackend, worker,
                 clients: { claude: status.claude.user || status.claude.project, codex: status.codex.user || status.codex.project },
             });
             add(statusCard(summary, restarts.length ? ["", "recent restarts:", ...restarts] : []));
@@ -226,8 +241,8 @@ export function App({ registry, title, workerState = "starting", initialModel =
                     setScreen(null);
             } }));
     }
-    else if (screen?.kind === "webiq-key" && saveWebIqKey) {
-        body = (_jsx(WebIqKeyScreen, { onSubmit: (k) => { saveWebIqKey(k); setWebReady(true); setScreen(null); add({ type: "card", title: "/web-search-support", tone: "ok", lines: ["✓ WebIQ key saved — web search is now enabled for connected clients"] }); }, onCancel: () => { setScreen(null); add({ type: "system", text: "web-search-support cancelled" }); } }));
+    else if (screen?.kind === "webiq-key" && enableWebiq) {
+        body = (_jsx(WebIqKeyScreen, { onSubmit: (k) => { enableWebiq(k); setWebBackend(webSearchBackend?.() ?? "webiq"); setScreen(null); add({ type: "card", title: "/webiq", tone: "ok", lines: ["✓ WebIQ enabled — all web search now routes through Microsoft Web IQ"] }); }, onCancel: () => { setScreen(null); add({ type: "system", text: "webiq cancelled" }); } }));
     }
     else {
         body = _jsx(Repl, { onSubmit: handle, commands: cmds });
@@ -245,5 +260,5 @@ export function App({ registry, title, workerState = "starting", initialModel =
                         return (_jsxs(Box, { flexDirection: "column", children: [_jsxs(Text, { color: theme.accent, children: ["\u273D ", _jsxs(Text, { color: theme.muted, children: [frame, " ", loadingVerb(elapsed), "\u2026 (esc to interrupt \u00B7 ", fmtElapsed(elapsed), " \u00B7 \u2193 ", fmtTokens(tokens), " tokens \u00B7 thinking)"] })] }), e.text ? _jsx(Text, { color: color, children: e.text }) : null] }, i));
                     }
                     return _jsx(Text, { color: color, children: e.text }, i);
-                }) }), body, _jsxs(Box, { flexDirection: "column", paddingX: 1, children: [_jsxs(Box, { children: [_jsx(Text, { color: theme.muted, children: "model " }), _jsx(Text, { color: theme.accent, children: model }), _jsx(Text, { color: theme.muted, children: "  \u00B7  daemon " }), _jsx(Text, { color: stateColor[state], children: state }), _jsx(Text, { color: theme.muted, children: "  \u00B7  web " }), _jsx(Text, { color: webReady ? theme.ready : theme.muted, children: webReady ? "✓" : "✗ /web-search-support" })] }), _jsxs(Box, { children: [_jsx(ClientBadge, { name: "claude", status: status.claude }), _jsx(Text, { color: theme.muted, children: "  " }), _jsx(ClientBadge, { name: "codex", status: status.codex }), _jsx(Text, { color: theme.muted, children: "  \u00B7  /help" })] })] })] }));
+                }) }), body, _jsxs(Box, { flexDirection: "column", paddingX: 1, children: [_jsxs(Box, { children: [github && _jsxs(_Fragment, { children: [_jsx(Text, { color: theme.muted, children: "github " }), _jsx(Text, { color: github === "connected" ? theme.ready : theme.error, children: github === "connected" ? "✓" : "✗ /login" })] }), _jsxs(Text, { color: theme.muted, children: [github ? "  ·  " : "", "daemon "] }), _jsx(Text, { color: stateColor[state], children: state })] }), _jsxs(Box, { children: [_jsx(Text, { color: theme.muted, children: "web " }), _jsx(Text, { color: webBackend === "unavailable" ? theme.muted : theme.ready, children: webBackend === "webiq" ? "✓ webiq" : webBackend === "copilot" ? "✓ copilot" : "✗ /webiq" }), _jsx(Text, { color: theme.muted, children: "  \u00B7  " }), _jsx(ClientBadge, { name: "claude", status: status.claude }), _jsx(Text, { color: theme.muted, children: "  " }), _jsx(ClientBadge, { name: "codex", status: status.codex }), _jsx(Text, { color: theme.muted, children: "  \u00B7  /help" })] })] })] }));
 }

package/dist/tui/slash/commands.js

@@ -45,7 +45,10 @@ export function buildRegistry(ctx, endpoint, opts = {}) {
     reg.add({ name: "/login", describe: "sign in to GitHub (device-code)", run: async () => opts.login ? opts.login() : ["login not available"] });
     reg.add({ name: "/logout", describe: "sign out — remove the stored GitHub token", run: async () => opts.logout ? opts.logout() : ["logout not available"] });
     reg.add({ name: "/model", describe: "switch the chat model", run: async () => ["opening model picker…"] });
-    reg.add({ name: "/web-search-support", describe: "enable web search/fetch (set WebIQ API key)", run: async () => ["opening web-search-support…"] });
+    // Web search works out of the box via Copilot; /webiq opts into Microsoft Web IQ, /webiq clean
+    // reverts. Handled in the App (opens the key screen / toggles), so this is a no-op stub that exists
+    // only so the command is recognized and not reported as unknown.
+    reg.add({ name: "/webiq", describe: "use Microsoft Web IQ for web search (/webiq clean to revert)", run: async () => ["opening webiq…"] });
     reg.add({ name: "/config", describe: "view & change configuration", run: async () => ["opening config panel…"] });
     reg.add({ name: "/dashboard", describe: "open the web dashboard in your browser", run: async () => {
             if (!opts.dashboardUrl)

package/dist/tui/status-summary.js

@@ -6,7 +6,7 @@ export function githubLoginState(hasToken, tokenValid) {
 export function summarizeStatus(i) {
     return {
         github: githubLoginState(i.hasToken, i.tokenValid),
-        webSearch: i.webSearchReady ? "ready" : "not-configured",
+        webSearch: i.webSearch,
         worker: i.worker,
         clients: i.clients,
     };

package/dist/version.js

@@ -1,2 +1,2 @@
 // AUTO-GENERATED by scripts/gen-version.mjs from package.json — do not edit.
-export const APP_VERSION = "0.3.0";
+export const APP_VERSION = "0.5.0";

package/dist/worker/index.js

@@ -2,10 +2,11 @@ import { createWorkerApp } from "./server.js";
 import { Router } from "./router.js";
 import { CopilotAdapter } from "../providers/copilot/adapter.js";
 import { CopilotTokenStore } from "../providers/copilot/token.js";
-import { fetchCopilotModels } from "../providers/copilot/models.js";
+import { fetchCopilotModels, fetchModelEndpoints } from "../providers/copilot/models.js";
 import { readGhToken } from "../shared/creds.js";
-import { readWebIqKey } from "../shared/webiq-key.js";
+import { readWebIqKey, readWebSearchMode, resolveWebSearchBackend } from "../shared/webiq-key.js";
 import { makeGatewayRunner } from "../core/server-tools.js";
+import { borrowSearch } from "../providers/copilot/borrow-search.js";
 import { dataDir } from "../shared/paths.js";
 import { defaultConfig } from "../shared/config.js";
 function send(msg) { if (process.send)
@@ -19,12 +20,26 @@ if (!gh) {
     process.exit(1);
 }
 const tokenStore = new CopilotTokenStore(gh);
-const router = new Router([new CopilotAdapter(tokenStore)], cfg.modelMap);
-// Load the live model list so the router can fuzzy-match near-miss ids (e.g. dated Anthropic ids).
-void tokenStore.get().then((t) => fetchCopilotModels(t)).then((ids) => router.setAvailableModels(ids)).catch(() => { });
-// Gateway-run web_search / web_fetch: reads the WebIQ key lazily per call (env or data dir), so
-// setting it via /web-search-support takes effect without restarting the worker.
-const gatewayRunner = makeGatewayRunner(() => readWebIqKey(dataDir()));
+// Per-model supported_endpoints, populated lazily from the live model list (same source as the model
+// ids). The adapter reads through this map so responses-only models (e.g. gpt-5.5) route to /responses
+// as soon as discovery resolves; until then the map is empty and the /chat 400 safety net covers it.
+let modelEndpoints = {};
+const router = new Router([new CopilotAdapter(tokenStore, fetch, (m) => modelEndpoints[m] ?? [])], cfg.modelMap);
+// Load the live model list so the router can fuzzy-match near-miss ids (e.g. dated Anthropic ids),
+// and the endpoint map so the adapter can route per model. One token fetch feeds both.
+void tokenStore.get().then(async (t) => {
+    const [ids, endpoints] = await Promise.all([fetchCopilotModels(t), fetchModelEndpoints(t)]);
+    router.setAvailableModels(ids);
+    modelEndpoints = endpoints;
+}).catch(() => { });
+// Gateway-run web_search / web_fetch. The backend is resolved per call (lazy → /webiq toggles need no
+// restart): currently WebIQ when a key is set, else unavailable (Copilot borrow is disabled — see
+// COPILOT_WEB_SEARCH_ENABLED). resolveWebSearchBackend centralises that policy.
+const gatewayRunner = makeGatewayRunner({
+    backend: () => resolveWebSearchBackend(readWebSearchMode(dataDir()), Boolean(readWebIqKey(dataDir()))),
+    webiqKey: () => readWebIqKey(dataDir()),
+    borrow: { run: (input) => borrowSearch(tokenStore, input) },
+});
 const app = createWorkerApp(router, (m) => send({ type: "request-metric", ...m }), gatewayRunner);
 const server = app.listen(port, host, () => send({ type: "ready", port }));
 const hb = setInterval(() => send({ type: "heartbeat", ts: Date.now() }), 5_000);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "copilot-reverse",
-  "version": "0.3.0",
+  "version": "0.5.0",
   "description": "Interactive terminal app that exposes your GitHub Copilot subscription as local OpenAI- and Anthropic-compatible endpoints, with a self-healing daemon and a built-in assistant.",
   "type": "module",
   "license": "MIT",