create-quiver 0.12.0 → 0.13.0

package/src/create-quiver/lib/ai/github.js

@@ -4,6 +4,8 @@ const path = require('node:path');
 const { spawnSync } = require('node:child_process');
 
 const { currentBranch, hasRemote, isCleanWorktree } = require('../git');
+const { parseJsonWithComments } = require('../json');
+const { formatActionableError } = require('../actionable-error');
 
 const DEFAULT_GH_COMMAND = 'gh';
 const DEFAULT_REMOTE = 'origin';
@@ -61,6 +63,60 @@ function formatGhInstallGuidance() {
   ].join('\n');
 }
 
+function quotePosixArg(arg) {
+  const value = String(arg);
+  return /^[A-Za-z0-9_./:=@-]+$/.test(value) ? value : `'${value.replace(/'/g, "'\\''")}'`;
+}
+
+function quotePowerShellArg(arg) {
+  const value = String(arg);
+  return /^[A-Za-z0-9_./:=@-]+$/.test(value) ? value : `'${value.replace(/'/g, "''")}'`;
+}
+
+function hasShellSensitivePath(...values) {
+  return values.some((value) => /\s/.test(String(value || '')));
+}
+
+function formatShellPathGuidance(optionName, examplePath) {
+  const fallbackPath = examplePath || '~/ssh/github work';
+  const windowsFallback = examplePath || '$HOME\\ssh\\github work';
+  return [
+    'Path guidance:',
+    `- macOS/Linux: ${optionName} ${quotePosixArg(fallbackPath)}`,
+    `- Windows PowerShell: ${optionName} ${quotePowerShellArg(windowsFallback)}`,
+    `- Git Bash/WSL: ${optionName} ${quotePosixArg(fallbackPath)}`,
+    '- Quote paths with spaces; do not remove spaces from real file names.',
+  ].join('\n');
+}
+
+function formatCommandForShell(command, args, quoter) {
+  return `${command} ${args.map(quoter).join(' ')}`;
+}
+
+function classifyGhAuthFailure(output) {
+  const text = String(output || '').toLowerCase();
+  const issues = [];
+
+  if (/not logged|not authenticated|authentication required|no account/.test(text)) {
+    issues.push('no GitHub account is authenticated for this host');
+  }
+  if (/scope|permission|forbidden|403|oauth/.test(text)) {
+    issues.push('the active token may be missing repo/org scopes');
+  }
+  if (/account|user|login|host/.test(text) && !issues.some((issue) => issue.includes('account'))) {
+    issues.push('the active GitHub account or host may not match this repository');
+  }
+  if (/ssh|identity|alias|public key|permission denied/.test(text)) {
+    issues.push('the SSH alias or identity may not match the authenticated GitHub account');
+  }
+
+  if (issues.length === 0) {
+    issues.push('GitHub CLI authentication is not usable for this repository yet');
+  }
+
+  return `Likely issue: ${issues.join('; ')}.`;
+}
+
 function createError(code, message, details = {}) {
   return new GitHubPreflightError(code, message, details);
 }
@@ -148,7 +204,15 @@ function ensureGhAuthenticated(options = {}) {
     const details = [stderr, stdout].filter(Boolean).join('\n');
     throw createError(
       'GH_NOT_AUTHENTICATED',
-      `${formatError('gh auth status failed. Run gh auth login and then re-run the preflight.')}${details ? `\n${details}` : ''}`,
+      `${formatActionableError({
+        failure: 'gh auth status failed. GitHub CLI is not authenticated or the active account/scopes are not usable.',
+        impact: 'Quiver cannot verify the GitHub account, repository permissions, or PR readiness.',
+        fix: [
+          classifyGhAuthFailure(details),
+          'Run `gh auth login`, confirm the expected GitHub account and host, verify repo/org scopes, and if you use --ssh-host-alias run `ssh -T <alias>` to confirm the SSH identity.',
+        ].join(' '),
+        nextCommand: 'gh auth status',
+      })}${details ? `\nDetails:\n${details}` : ''}`,
       {
         command,
         authArgs,
@@ -238,7 +302,12 @@ function ensureIdentityFile(repoRoot, identityFile) {
   if (!fs.existsSync(resolved)) {
     throw createError(
       'MISSING_IDENTITY_FILE',
-      formatError(`missing SSH identity file at ${resolved}. Check the path you passed as identityFile.`),
+      formatActionableError({
+        failure: `missing SSH identity file at ${resolved}.`,
+        impact: 'Quiver cannot verify the SSH identity that should be used for GitHub PR commands.',
+        fix: `Check the path passed with --identity-file and quote it for your shell when it contains spaces.\n${formatShellPathGuidance('--identity-file', normalized)}`,
+        nextCommand: 'npx create-quiver ai doctor --dry-run --ssh-host-alias <alias> --identity-file <path>',
+      }),
       {
         identityFile: normalized,
         resolvedIdentityFile: resolved,
@@ -249,6 +318,82 @@ function ensureIdentityFile(repoRoot, identityFile) {
   return resolved;
 }
 
+function ensureSshHostAlias(sshHostAlias) {
+  const value = String(sshHostAlias || '').trim();
+  if (!value) {
+    throw createError(
+      'MISSING_SSH_HOST_ALIAS',
+      formatActionableError({
+        failure: 'missing SSH host alias. Pass --ssh-host-alias <alias> before opening the PR.',
+        impact: 'Quiver cannot verify which GitHub SSH identity should be used for this PR flow.',
+        fix: 'macOS/Linux/Git Bash/WSL: add a Host entry in ~/.ssh/config, for example `Host github-work`. Windows PowerShell: add the Host entry in $HOME\\.ssh\\config.',
+        nextCommand: 'ssh -T <alias>',
+      }),
+    );
+  }
+  return value;
+}
+
+function prBodySpecDir(repoRoot, prBodyPath) {
+  const relative = path.relative(repoRoot, prBodyPath).split(path.sep).join('/');
+  const parts = relative.split('/');
+  if (parts[0] !== 'specs' || parts.length !== 3 || parts[2] !== 'pr.md') {
+    return '';
+  }
+  return path.join(repoRoot, parts[0], parts[1]);
+}
+
+function listOpenSlicesForSpec(specDir) {
+  const slicesDir = path.join(specDir, 'slices');
+  if (!fs.existsSync(slicesDir)) {
+    return [];
+  }
+
+  return fs.readdirSync(slicesDir, { withFileTypes: true })
+    .filter((entry) => entry.isDirectory())
+    .map((entry) => {
+      const slicePath = path.join(slicesDir, entry.name, 'slice.json');
+      if (!fs.existsSync(slicePath)) {
+        return null;
+      }
+      const json = parseJsonWithComments(fs.readFileSync(slicePath, 'utf8'));
+      const status = String(json.status || 'draft').trim() || 'draft';
+      return {
+        id: json.slice_id || entry.name,
+        status,
+      };
+    })
+    .filter(Boolean)
+    .filter((slice) => slice.status !== 'completed')
+    .sort((left, right) => left.id.localeCompare(right.id));
+}
+
+function ensureNoOpenSlicesForPrBody(repoRoot, prBodyPath) {
+  const specDir = prBodySpecDir(repoRoot, prBodyPath);
+  if (!specDir) {
+    return [];
+  }
+
+  const openSlices = listOpenSlicesForSpec(specDir);
+  if (openSlices.length > 0) {
+    throw createError(
+      'OPEN_SLICES',
+      formatActionableError({
+        failure: `cannot create PR while spec slices are still open: ${openSlices.map((slice) => `${slice.id} (${slice.status})`).join(', ')}.`,
+        impact: 'The PR would not represent a closed spec and could miss required slice commits or evidence.',
+        fix: 'Finish, validate, and close every slice in the spec before creating the PR.',
+        nextCommand: 'npx create-quiver ai execute-plan --dry-run --commit',
+      }),
+      {
+        openSlices,
+        specDir,
+      },
+    );
+  }
+
+  return openSlices;
+}
+
 function findPrBodyCandidates(repoRoot) {
   const candidates = [];
   const rootPr = path.join(repoRoot, 'pr.md');
@@ -352,6 +497,7 @@ function buildPrCreateArgs(plan) {
 
 function buildPrCreatePlan(repoRoot, preflightReport, options = {}) {
   const prBody = readPrBody(repoRoot, options.prBodyPath || options.input);
+  ensureNoOpenSlicesForPrBody(repoRoot, prBody.path);
   const baseBranch = String(options.baseBranch || 'main').trim() || 'main';
   const title = String(options.title || '').trim() || extractPrTitle(prBody.body, preflightReport.branchName);
   const plan = {
@@ -420,6 +566,7 @@ function preflightGitHubPr(repoRoot, options = {}) {
   const guidePath = ensureGitFlowGuide(repoRoot, options.gitFlowGuidePath);
   const remote = ensureRemote(repoRoot, options.remote || DEFAULT_REMOTE);
   const branchName = ensureWorktreeReady(repoRoot, options);
+  const sshHostAlias = ensureSshHostAlias(options.sshHostAlias);
   const identityFile = ensureIdentityFile(repoRoot, options.identityFile);
 
   return buildPreflightReport(repoRoot, options, {
@@ -428,6 +575,7 @@ function preflightGitHubPr(repoRoot, options = {}) {
     guidePath,
     remote,
     branchName,
+    sshHostAlias,
     identityFile,
   });
 }
@@ -450,6 +598,10 @@ function formatPreflightReport(report, options = {}) {
     lines.push(`Identity file: ${report.identityFile}`);
   }
 
+  if (hasShellSensitivePath(report.repoRoot, report.guidePath, report.identityFile)) {
+    lines.push(formatShellPathGuidance('--identity-file', report.identityFile || '<path with spaces>'));
+  }
+
   lines.push('Checks: gh, gh auth status, git remote, worktree branch, GitFlow guide, SSH identity file');
 
   if (dryRun) {
@@ -487,6 +639,12 @@ function formatPrCreateReport({ preflight, plan, result }, options = {}) {
     lines.push(`Identity file: ${preflight.identityFile}`);
   }
 
+  if (hasShellSensitivePath(preflight.repoRoot, preflight.identityFile, plan.prBodyPath, ...plan.args)) {
+    lines.push('Shell-safe command examples:');
+    lines.push(`- macOS/Linux/Git Bash/WSL: ${formatCommandForShell(plan.ghCommand, plan.args, quotePosixArg)}`);
+    lines.push(`- Windows PowerShell: ${formatCommandForShell(plan.ghCommand, plan.args, quotePowerShellArg)}`);
+  }
+
   if (dryRun) {
     lines.push('No PR will be created in dry-run mode.');
   } else if (!create) {
@@ -511,7 +669,9 @@ module.exports = {
   ensureGhInstalled,
   ensureGitFlowGuide,
   ensureIdentityFile,
+  ensureNoOpenSlicesForPrBody,
   ensureRemote,
+  ensureSshHostAlias,
   ensureWorktreeReady,
   findPrBodyCandidates,
   formatGhInstallGuidance,

package/src/create-quiver/lib/ai/onboarding-template.js

@@ -114,6 +114,119 @@ function markPendingConfirmation(value) {
   return `Pending confirmation: ${text}`;
 }
 
+function readJsonIfExists(filePath) {
+  if (!fs.existsSync(filePath)) {
+    return null;
+  }
+
+  try {
+    return JSON.parse(fs.readFileSync(filePath, 'utf8'));
+  } catch {
+    return null;
+  }
+}
+
+function detectPackageManager(projectRoot) {
+  if (hasPath(projectRoot, 'bun.lockb') || hasPath(projectRoot, 'bun.lock')) return 'bun';
+  if (hasPath(projectRoot, 'pnpm-lock.yaml')) return 'pnpm';
+  if (hasPath(projectRoot, 'yarn.lock')) return 'yarn';
+  return 'npm';
+}
+
+function detectSourceDirectories(projectRoot) {
+  const names = ['src', 'app', 'apps', 'packages', 'lib', 'server', 'client', 'web'];
+  return names.filter((name) => {
+    try {
+      return fs.statSync(path.join(projectRoot, name)).isDirectory();
+    } catch {
+      return false;
+    }
+  });
+}
+
+function collectRootNames(projectRoot) {
+  try {
+    return fs.readdirSync(projectRoot, { withFileTypes: true })
+      .filter((entry) => !entry.name.startsWith('.') && entry.name !== 'node_modules')
+      .map((entry) => `${entry.name}${entry.isDirectory() ? '/' : ''}`)
+      .slice(0, 20);
+  } catch {
+    return [];
+  }
+}
+
+function detectStackSummary(packageJson, projectRoot) {
+  const dependencies = {
+    ...(packageJson?.dependencies || {}),
+    ...(packageJson?.devDependencies || {}),
+  };
+  const signals = [];
+
+  if (dependencies.next || hasPath(projectRoot, 'next.config.js') || hasPath(projectRoot, 'next.config.mjs')) signals.push('Next.js');
+  if (dependencies.vite || hasPath(projectRoot, 'vite.config.js') || hasPath(projectRoot, 'vite.config.ts')) signals.push('Vite');
+  if (dependencies.react) signals.push('React');
+  if (dependencies.vue) signals.push('Vue');
+  if (dependencies.angular || dependencies['@angular/core'] || hasPath(projectRoot, 'angular.json')) signals.push('Angular');
+  if (dependencies.svelte || hasPath(projectRoot, 'svelte.config.js')) signals.push('Svelte');
+  if (dependencies.express) signals.push('Express');
+  if (hasPath(projectRoot, 'pyproject.toml') || hasPath(projectRoot, 'requirements.txt')) signals.push('Python');
+  if (hasPath(projectRoot, 'go.mod')) signals.push('Go');
+
+  return signals.length > 0 ? signals.join(', ') : 'Pending confirmation: no primary stack could be inferred from root signals.';
+}
+
+function collectProjectFacts(projectRoot) {
+  const packageJson = readJsonIfExists(path.join(projectRoot, 'package.json'));
+  const scripts = packageJson?.scripts && typeof packageJson.scripts === 'object' ? packageJson.scripts : {};
+  const packageManager = packageJson?.packageManager
+    ? String(packageJson.packageManager).split('@')[0]
+    : detectPackageManager(projectRoot);
+
+  return {
+    packageJsonPresent: Boolean(packageJson),
+    packageManager,
+    stackSummary: detectStackSummary(packageJson, projectRoot),
+    scripts,
+    rootNames: collectRootNames(projectRoot),
+    sourceDirectories: detectSourceDirectories(projectRoot),
+    commands: {
+      install: packageManager === 'pnpm' ? 'pnpm install' : packageManager === 'yarn' ? 'yarn install' : packageManager === 'bun' ? 'bun install' : 'npm install',
+      dev: scripts.dev || scripts.start || 'Pending confirmation: no dev/start script detected.',
+      build: scripts.build || 'Pending confirmation: no build script detected.',
+      test: scripts.test || 'Pending confirmation: no test script detected.',
+      lint: scripts.lint || 'Pending confirmation: no lint script detected.',
+    },
+  };
+}
+
+function readProjectMapField(projectRoot, label) {
+  const filePath = path.join(projectRoot, 'docs', 'PROJECT_MAP.md');
+  if (!fs.existsSync(filePath)) {
+    return '';
+  }
+
+  const text = fs.readFileSync(filePath, 'utf8');
+  const escaped = label.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+  const match = text.match(new RegExp(`^- ${escaped}:\\s*(.+)$`, 'mi'));
+  return match ? match[1].trim() : '';
+}
+
+function collectContextContradictions(projectRoot, plan, facts) {
+  const contradictions = [];
+  const mappedName = readProjectMapField(projectRoot, 'Name');
+  const mappedPackageManager = readProjectMapField(projectRoot, 'Package manager');
+
+  if (mappedName && mappedName !== plan.projectName) {
+    contradictions.push(`docs/PROJECT_MAP.md reports project name '${mappedName}', but package/root identity resolves to '${plan.projectName}'.`);
+  }
+
+  if (mappedPackageManager && mappedPackageManager !== facts.packageManager) {
+    contradictions.push(`docs/PROJECT_MAP.md reports package manager '${mappedPackageManager}', but current root signals resolve to '${facts.packageManager}'.`);
+  }
+
+  return contradictions.map(markPendingConfirmation);
+}
+
 function formatDocStatusLines(items) {
   if (!Array.isArray(items) || items.length === 0) {
     return ['- none'];
@@ -182,6 +295,7 @@ function collectOnboardingContextPlan(projectRoot) {
 function collectContextPreparationPlan(projectRoot) {
   const onboardingPlan = collectOnboardingContextPlan(projectRoot);
   const identity = resolveProjectIdentity(projectRoot);
+  const facts = collectProjectFacts(projectRoot);
   const filesConsidered = CONTEXT_PREP_SOURCE_DOCS.map(([relativePath, reason]) => ({
     path: relativePath,
     reason,
@@ -202,8 +316,7 @@ function collectContextPreparationPlan(projectRoot) {
       ? 'Pending confirmation: docs/INDEX.md is missing, so navigation should stay conservative and index-first.'
       : null,
   ]);
-
-  return {
+  const plan = {
     ...onboardingPlan,
     ...identity,
     approvedDocPaths: getPreparedContextDocPaths(),
@@ -211,6 +324,12 @@ function collectContextPreparationPlan(projectRoot) {
     omittedPaths: onboardingPlan.omittedByDefault.slice(),
     assumptions,
     risks,
+    facts,
+  };
+
+  return {
+    ...plan,
+    contradictions: collectContextContradictions(projectRoot, plan, facts),
   };
 }
 
@@ -230,6 +349,9 @@ function buildContextPreparationNotes(plan) {
     '### Risks',
     ...formatSimpleBullets(plan.risks, 'none'),
     '',
+    '### Contradictions',
+    ...formatSimpleBullets(plan.contradictions, 'none'),
+    '',
     '### Omitted Paths',
     ...formatSimpleBullets(plan.omittedPaths, 'none'),
   ];
@@ -247,6 +369,76 @@ function readTemplate(relativePath) {
   return fs.readFileSync(path.join(PACKAGE_ROOT, relativePath), 'utf8');
 }
 
+function renderProjectMapDraft(plan) {
+  const facts = plan.facts;
+  const lines = [
+    '# Project Map',
+    '',
+    'This file was prepared by `npx create-quiver ai prepare-context`.',
+    'Run `npx create-quiver analyze` to refresh it with a deeper repository scan.',
+    '',
+    '## Project',
+    `- Name: ${plan.projectName}`,
+    `- Slug: ${plan.projectSlug}`,
+    `- Package manager: ${facts.packageManager}`,
+    `- package.json present: ${facts.packageJsonPresent ? 'yes' : 'no'}`,
+    `- Stack summary: ${facts.stackSummary}`,
+    '',
+    '## Commands',
+    `- Install: ${facts.commands.install}`,
+    `- Dev: ${facts.commands.dev}`,
+    `- Build: ${facts.commands.build}`,
+    `- Test: ${facts.commands.test}`,
+    `- Lint: ${facts.commands.lint}`,
+    '',
+    '## Structure',
+    `- Source directories: ${facts.sourceDirectories.length > 0 ? facts.sourceDirectories.join(', ') : 'Pending confirmation: no common source directory detected.'}`,
+    `- Root entries: ${facts.rootNames.length > 0 ? facts.rootNames.join(', ') : 'Pending confirmation: root entries could not be listed.'}`,
+    '',
+    '## Assumptions',
+    ...formatSimpleBullets(plan.assumptions, 'none'),
+    '',
+    '## Risks',
+    ...formatSimpleBullets(plan.risks, 'none'),
+    '',
+    '## Contradictions',
+    ...formatSimpleBullets(plan.contradictions, 'none'),
+  ];
+
+  return `${lines.join('\n')}\n`;
+}
+
+function renderArchitectureDraft(plan) {
+  const facts = plan.facts;
+  const lines = [
+    `# ${plan.projectName} Architecture`,
+    '',
+    'This document captures only what Quiver can infer safely from repository structure and docs.',
+    '',
+    '## Current Understanding',
+    `- Stack: ${facts.stackSummary}`,
+    `- Source directories: ${facts.sourceDirectories.length > 0 ? facts.sourceDirectories.join(', ') : 'Pending confirmation: no common source directory detected.'}`,
+    `- Package manager: ${facts.packageManager}`,
+    '',
+    '## Boundaries',
+    '- TODO: confirm application boundaries with the team.',
+    '- Pending confirmation: no architecture decision should be treated as approved unless it appears in `docs/DECISIONS.md` or an approved spec.',
+    '',
+    '## Commands That Shape Architecture',
+    `- Build: ${facts.commands.build}`,
+    `- Test: ${facts.commands.test}`,
+    `- Lint: ${facts.commands.lint}`,
+    '',
+    '## Risks',
+    ...formatSimpleBullets(plan.risks, 'none'),
+    '',
+    '## Contradictions',
+    ...formatSimpleBullets(plan.contradictions, 'none'),
+  ];
+
+  return `${lines.join('\n')}\n`;
+}
+
 function buildContextPreparationDrafts(projectRoot) {
   const plan = collectContextPreparationPlan(projectRoot);
   const currentDate = new Date().toISOString().slice(0, 10);
@@ -257,6 +449,11 @@ function buildContextPreparationDrafts(projectRoot) {
     estado: 'En preparación',
     fase: 'Fase 0',
     progress: 0,
+    packageManager: plan.facts.packageManager,
+    stackSummary: plan.facts.stackSummary,
+    primaryInstall: plan.facts.commands.install,
+    primaryDev: plan.facts.commands.dev,
+    primaryTest: plan.facts.commands.test,
   };
   const notes = buildContextPreparationNotes(plan);
   const decisionSection = [
@@ -266,6 +463,14 @@ function buildContextPreparationDrafts(projectRoot) {
     `| ${currentDate} | ai prepare-context must remain docs-only | Keeps context prep from touching product code. | Broader write targets | Draft generation stays safe and reviewable |`,
   ].join('\n');
   const docs = [
+    {
+      path: 'docs/INDEX.md',
+      content: appendNotes(renderTemplate(readTemplate('docs/INDEX.md.template'), replacements), notes),
+    },
+    {
+      path: 'docs/PROJECT_MAP.md',
+      content: appendNotes(renderProjectMapDraft(plan), notes),
+    },
     {
       path: 'docs/AI_CONTEXT.md',
       content: appendNotes(renderTemplate(readTemplate('docs/AI_CONTEXT.md.template'), replacements), notes),
@@ -278,6 +483,14 @@ function buildContextPreparationDrafts(projectRoot) {
       path: 'docs/CONTEXTO.md',
       content: appendNotes(renderTemplate(readTemplate('docs/CONTEXTO.md.template'), replacements), notes),
     },
+    {
+      path: 'docs/WORKFLOW.md',
+      content: appendNotes(renderTemplate(readTemplate('docs/WORKFLOW.md.template'), replacements), notes),
+    },
+    {
+      path: 'docs/ARCHITECTURE.md',
+      content: appendNotes(renderArchitectureDraft(plan), notes),
+    },
     {
       path: 'docs/STATUS.md',
       content: appendNotes(renderTemplate(readTemplate('docs/STATUS.md.template'), replacements), notes),

package/src/create-quiver/lib/ai/plan-review.js

@@ -192,6 +192,8 @@ function savePlanReview(projectRoot, options = {}) {
     source_kind: options.inputKind || null,
     source_version: options.inputVersion || null,
     path: toRelativePosix(projectRoot, reviewPath),
+    raw_artifact_path: options.rawArtifactPath || null,
+    output_source: options.outputSource || null,
     reviewed_at: now,
   };
   fs.writeFileSync(planReviewMetaPath(projectRoot), `${JSON.stringify(meta, null, 2)}\n`);
@@ -208,8 +210,11 @@ function assertPlanReviewed(projectRoot) {
   if (review.status !== 'reviewed') {
     const nextCommand = review.status === 'unapproved'
       ? 'npx create-quiver ai approve --phase technical-plan --version <n>'
-      : 'npx create-quiver ai review-plan';
-    throw new Error(formatError(`ai plan phase 'spec' requires a reviewed and approved technical-plan input; current review status: ${review.status}. Run \`${nextCommand}\`.`));
+      : 'npx create-quiver ai review-plan --dry-run';
+    const followUp = review.status === 'unapproved'
+      ? ''
+      : ' Preview the review first, then run `npx create-quiver ai review-plan` to persist it.';
+    throw new Error(formatError(`ai plan phase 'spec' requires a reviewed and approved technical-plan input; current review status: ${review.status}. Run \`${nextCommand}\`.${followUp}`));
   }
   return review;
 }

package/src/create-quiver/lib/ai/providers.js

@@ -2,6 +2,7 @@ const fs = require('node:fs');
 const { spawn } = require('node:child_process');
 
 const { finalizePromptTransport, preparePromptTransport, describePromptTransport } = require('./prompt-transport');
+const { redactSecrets } = require('../evidence');
 
 const SUPPORTED_PROVIDERS = ['codex', 'claude', 'gemini'];
 
@@ -107,7 +108,7 @@ function serializeError(error, provider, invocation) {
 
   return {
     code: error.code || 'PROVIDER_ERROR',
-    message: error.message || String(error),
+    message: redactSecrets(error.message || String(error)),
     provider,
     command: invocation.command,
     args: invocation.args.slice(),
@@ -178,8 +179,8 @@ function runSpawn(command, args, options = {}) {
         ok: payload.exitCode === 0,
         exitCode: payload.exitCode,
         signal: payload.signal || null,
-        stdout,
-        stderr,
+        stdout: redactSecrets(stdout),
+        stderr: redactSecrets(stderr),
         error: payload.error ? serializeError(payload.error, options.provider, options.invocation) : null,
       });
     };