demian-cli 1.0.7 → 1.0.8

package/dist/index.mjs

@@ -92,7 +92,7 @@ var claudeCodeAgent = {
   name: "claudecode",
   description: "Claude Code external coding agent for focused delegated workspace tasks.",
   mode: "subagent",
-  provider: { profile: "claudecode-subagent", permissionProfile: "build" },
+  provider: { profile: "claudecode", permissionProfile: "build" },
   tools: [],
   systemPrompt: [
     "You are demian claudecode, a Claude Code external runtime working as a sub agent for Demian.",
@@ -137,7 +137,7 @@ var claudeCodeExplorerAgent = {
   name: "claudecode-explorer",
   description: "Claude Code external read-only explorer for cowork repository inspection.",
   mode: "subagent",
-  provider: { profile: "claudecode-subagent", permissionProfile: "explore" },
+  provider: { profile: "claudecode", permissionProfile: "explore" },
   tools: [],
   systemPrompt: [
     "You are demian claudecode-explorer, a Claude Code external runtime working as a read-only cowork sub agent for Demian.",
@@ -172,7 +172,7 @@ var claudeCodeBuilderAgent = {
   name: "claudecode-builder",
   description: "Claude Code-backed builder for bounded cowork implementation tasks.",
   mode: "subagent",
-  provider: { profile: "claudecode-subagent", permissionProfile: "build" },
+  provider: { profile: "claudecode", permissionProfile: "build" },
   tools: [],
   systemPrompt: [
     "You are demian claudecode-builder, a Claude Code external runtime working as a writer cowork sub agent for Demian.",
@@ -477,7 +477,7 @@ import { readFile as readFile6 } from "node:fs/promises";
 import crypto4 from "node:crypto";
 import fs7 from "node:fs";
 import os7 from "node:os";
-import path12 from "node:path";
+import path13 from "node:path";
 
 // src/providers/retry.ts
 var RETRY_STATUS = /* @__PURE__ */ new Set([408, 409, 425, 429, 500, 502, 503, 504]);
@@ -870,12 +870,14 @@ var dynamicImport = new Function("specifier", "return import(specifier)");
 var AnthropicProvider = class {
   id = "anthropic";
   #apiKey;
+  #baseURL;
   #defaultModel;
   #defaultMaxTokens;
   #client;
   #onRetry;
   constructor(config) {
     this.#apiKey = config.apiKey;
+    this.#baseURL = config.baseURL;
     this.#defaultModel = config.defaultModel;
     this.#defaultMaxTokens = config.defaultMaxTokens ?? 4096;
     this.#client = config.client;
@@ -920,7 +922,7 @@ var AnthropicProvider = class {
     if (this.#client) return this.#client;
     if (!this.#apiKey) throw new Error("AnthropicProvider requires apiKey");
     const Anthropic = await loadAnthropicConstructor();
-    this.#client = new Anthropic({ apiKey: this.#apiKey });
+    this.#client = new Anthropic({ apiKey: this.#apiKey, baseURL: this.#baseURL });
     return this.#client;
   }
 };
@@ -1153,19 +1155,56 @@ import { execFile } from "node:child_process";
 import { promisify } from "node:util";
 import fs2 from "node:fs";
 import { chmod, mkdir as mkdir2, readFile as readFile2, rename, writeFile as writeFile2 } from "node:fs/promises";
-import path2 from "node:path";
+import path3 from "node:path";
 
 // src/providers/codex-state.ts
 import crypto from "node:crypto";
 import fs from "node:fs";
 import { mkdir, readFile, writeFile } from "node:fs/promises";
+import os2 from "node:os";
+import path2 from "node:path";
+
+// src/path-expansion.ts
 import os from "node:os";
 import path from "node:path";
+function expandPathReferences(value) {
+  let expanded = expandTilde(value);
+  expanded = expanded.replace(/\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)/g, (match, braced, bare) => envPathValue(braced ?? bare) ?? match);
+  expanded = expanded.replace(/%([A-Za-z_][A-Za-z0-9_]*)%/g, (match, name) => envPathValue(name) ?? match);
+  return expanded;
+}
+function resolveExpandedPath(value) {
+  return path.resolve(expandPathReferences(value));
+}
+function expandTilde(value) {
+  if (value === "~") return os.homedir();
+  if (value.startsWith("~/") || value.startsWith("~\\")) return path.join(os.homedir(), value.slice(2));
+  return value;
+}
+function envPathValue(name) {
+  if (!name) return void 0;
+  const value = processEnvValue(name);
+  if (value !== void 0) return value;
+  const upper = name.toUpperCase();
+  if (upper === "HOME" || upper === "USERPROFILE") return os.homedir();
+  if (process.platform === "win32" && upper === "HOMEDRIVE") return path.win32.parse(os.homedir()).root.replace(/[\\/]$/, "");
+  if (process.platform === "win32" && upper === "HOMEPATH") return os.homedir().replace(/^[A-Za-z]:/, "");
+  return void 0;
+}
+function processEnvValue(name) {
+  if (process.env[name] !== void 0) return process.env[name];
+  if (process.platform !== "win32") return void 0;
+  const upper = name.toUpperCase();
+  const key = Object.keys(process.env).find((item) => item.toUpperCase() === upper);
+  return key ? process.env[key] : void 0;
+}
+
+// src/providers/codex-state.ts
 function resolveCodexHome(configured) {
-  return path.resolve(expandCodexPath(configured ?? process.env.CODEX_HOME ?? path.join(os.homedir(), ".codex")));
+  return resolveExpandedPath(configured ?? process.env.CODEX_HOME ?? path2.join(os2.homedir(), ".codex"));
 }
 async function loadOrCreateInstallationId(codexHome) {
-  const filePath = path.join(codexHome, "installation_id");
+  const filePath = path2.join(codexHome, "installation_id");
   try {
     const existing = (await readFile(filePath, "utf8")).trim();
     if (isUuid(existing)) return existing;
@@ -1187,15 +1226,6 @@ function isNodeError(error, code) {
 function fileExists(filePath) {
   return fs.existsSync(filePath);
 }
-function expandCodexPath(value) {
-  let expanded = value;
-  if (expanded === "~") return os.homedir();
-  if (expanded.startsWith("~/")) expanded = path.join(os.homedir(), expanded.slice(2));
-  return expanded.replace(/\$\{([A-Z_][A-Z0-9_]*)\}|\$([A-Z_][A-Z0-9_]*)/gi, (match, braced, bare) => {
-    const name = braced ?? bare;
-    return name && process.env[name] !== void 0 ? process.env[name] : match;
-  });
-}
 
 // src/providers/codex-auth.ts
 var execFileAsync = promisify(execFile);
@@ -1418,10 +1448,10 @@ var CodexAuthStore = class {
   }
 };
 function authFilePath(codexHome) {
-  return path2.join(codexHome, "auth.json");
+  return path3.join(codexHome, "auth.json");
 }
 function codexKeyringAccount(codexHome) {
-  const resolved = path2.resolve(codexHome);
+  const resolved = path3.resolve(codexHome);
   const canonical = fs2.existsSync(resolved) ? fs2.realpathSync.native(resolved) : resolved;
   const hash = crypto2.createHash("sha256").update(canonical).digest("hex").slice(0, 16);
   return `cli|${hash}`;
@@ -1856,8 +1886,8 @@ import { randomUUID } from "node:crypto";
 import { execFile as execFile2 } from "node:child_process";
 import fs3 from "node:fs";
 import { chmod as chmod2, mkdir as mkdir3, readFile as readFile3, rename as rename2, writeFile as writeFile3 } from "node:fs/promises";
-import os2 from "node:os";
-import path3 from "node:path";
+import os3 from "node:os";
+import path4 from "node:path";
 import { promisify as promisify2 } from "node:util";
 var execFileAsync2 = promisify2(execFile2);
 var CLAUDE_CODE_KEYRING_SERVICE = "Claude Code-credentials";
@@ -1890,7 +1920,7 @@ function getSharedClaudeCodeAuthStore(options = {}) {
     proactiveRefreshMinutes: options.proactiveRefreshMinutes ?? 30,
     refreshCache: options.refreshCache ?? "claude-store",
     refreshTokenURL: options.refreshTokenURL ?? DEFAULT_CLAUDE_CODE_REFRESH_TOKEN_URL,
-    keychainAccount: options.keychainAccount ?? os2.userInfo().username
+    keychainAccount: options.keychainAccount ?? os3.userInfo().username
   });
   const existing = sharedAuthStores2.get(key);
   if (existing) return existing;
@@ -1919,7 +1949,7 @@ var ClaudeCodeAuthStore = class {
     this.#proactiveRefreshMinutes = options.proactiveRefreshMinutes ?? 30;
     this.#refreshCache = options.refreshCache ?? "claude-store";
     this.#refreshTokenURL = options.refreshTokenURL ?? DEFAULT_CLAUDE_CODE_REFRESH_TOKEN_URL;
-    this.#keychainAccount = options.keychainAccount ?? os2.userInfo().username;
+    this.#keychainAccount = options.keychainAccount ?? os3.userInfo().username;
     this.#fetch = options.fetch ?? fetch;
     this.#keyring = options.keyring ?? new MacOSSecurityKeyring2();
   }
@@ -2120,10 +2150,10 @@ var ClaudeCodeAuthStore = class {
   }
 };
 function resolveClaudeConfigDir(configured) {
-  return path3.resolve(expandClaudePath(configured ?? process.env.CLAUDE_CONFIG_DIR ?? path3.join(os2.homedir(), ".claude")));
+  return resolveExpandedPath(configured ?? process.env.CLAUDE_CONFIG_DIR ?? path4.join(os3.homedir(), ".claude"));
 }
 function claudeCodeAuthFilePath(claudeConfigDir) {
-  return path3.join(claudeConfigDir, ".credentials.json");
+  return path4.join(claudeConfigDir, ".credentials.json");
 }
 function oauthPayload(auth) {
   const raw = auth.claudeAiOauth;
@@ -2182,15 +2212,6 @@ async function writeClaudeCodeAuthFileAtomic(claudeConfigDir, auth) {
   await chmod2(tempPath, 384);
   await rename2(tempPath, filePath);
 }
-function expandClaudePath(value) {
-  let expanded = value;
-  if (expanded === "~") return os2.homedir();
-  if (expanded.startsWith("~/")) expanded = path3.join(os2.homedir(), expanded.slice(2));
-  return expanded.replace(/\$\{([A-Z_][A-Z0-9_]*)\}|\$([A-Z_][A-Z0-9_]*)/gi, (match, braced, bare) => {
-    const name = braced ?? bare;
-    return name && process.env[name] !== void 0 ? process.env[name] : match;
-  });
-}
 var MacOSSecurityKeyring2 = class {
   async load(service, account) {
     if (process.platform !== "darwin") return void 0;
@@ -2427,6 +2448,111 @@ function parseClaudeCodeErrorBody(body) {
   }
 }
 
+// src/providers/ollama.ts
+var OllamaProvider = class {
+  id = "ollama";
+  #baseURL;
+  #apiKey;
+  #defaultModel;
+  #fetch;
+  #onRetry;
+  constructor(config) {
+    this.#baseURL = config.baseURL.replace(/\/+$/, "");
+    this.#apiKey = config.apiKey;
+    this.#defaultModel = config.defaultModel;
+    this.#fetch = config.fetch ?? fetch;
+    this.#onRetry = config.onRetry;
+  }
+  async chat(req) {
+    return chatWithRetry(() => this.#rawChat(req), {
+      signal: req.signal,
+      onRetry: this.#onRetry
+    });
+  }
+  async #rawChat(req) {
+    const response = await this.#fetch(`${this.#baseURL}/chat`, {
+      method: "POST",
+      headers: {
+        "content-type": "application/json",
+        ...this.#authHeaders()
+      },
+      body: JSON.stringify({
+        model: req.model || this.#defaultModel,
+        messages: req.messages.map(toOllamaMessage),
+        ...req.tools.length > 0 ? { tools: req.tools.map(toOpenAITool) } : {},
+        stream: false,
+        ...req.temperature !== void 0 ? { options: { temperature: req.temperature } } : {}
+      }),
+      signal: req.signal
+    });
+    const text = await response.text();
+    if (!response.ok) throw new ProviderHttpError(response.status, text, parseRetryAfter(response.headers.get("retry-after")));
+    return normalizeOllamaResponse(text ? JSON.parse(text) : {});
+  }
+  #authHeaders() {
+    return this.#apiKey ? { authorization: `Bearer ${this.#apiKey}` } : {};
+  }
+};
+function toOllamaMessage(message) {
+  if (message.role === "tool") {
+    return {
+      role: "tool",
+      content: message.content,
+      tool_name: message.name
+    };
+  }
+  const out = {
+    role: message.role,
+    content: typeof message.content === "string" ? message.content : JSON.stringify(message.content ?? "")
+  };
+  if (message.role === "assistant" && message.toolCalls?.length) {
+    out.tool_calls = message.toolCalls.map((call) => ({
+      function: {
+        name: call.name,
+        arguments: call.input ?? {}
+      }
+    }));
+  }
+  return out;
+}
+function normalizeOllamaResponse(raw) {
+  const data = raw;
+  const toolCalls = [];
+  for (const call of data.message?.tool_calls ?? []) {
+    const name = call.function?.name;
+    if (!name) continue;
+    toolCalls.push({
+      id: call.id ?? `call_${toolCalls.length + 1}`,
+      name,
+      input: normalizeToolArguments(call.function?.arguments)
+    });
+  }
+  const message = {
+    role: "assistant",
+    content: data.message?.content ?? null,
+    ...toolCalls.length ? { toolCalls } : {}
+  };
+  return {
+    message,
+    toolCalls,
+    stopReason: toolCalls.length ? "tool_use" : data.done_reason === "length" ? "max_tokens" : "end_turn",
+    usage: data.prompt_eval_count !== void 0 || data.eval_count !== void 0 ? {
+      inputTokens: data.prompt_eval_count,
+      outputTokens: data.eval_count,
+      totalTokens: (data.prompt_eval_count ?? 0) + (data.eval_count ?? 0)
+    } : void 0,
+    raw
+  };
+}
+function normalizeToolArguments(value) {
+  if (typeof value !== "string") return value ?? {};
+  try {
+    return JSON.parse(value);
+  } catch {
+    return {};
+  }
+}
+
 // src/external-runtime/claudecode-cli.ts
 import { spawn as spawn3 } from "node:child_process";
 import readline from "node:readline";
@@ -2434,7 +2560,7 @@ import readline from "node:readline";
 // src/external-runtime/claudecode-attachments.ts
 import crypto3 from "node:crypto";
 import fs4 from "node:fs";
-import path4 from "node:path";
+import path5 from "node:path";
 async function resolveClaudeCodeAttachmentPrompt(runtimeLabel, config, req) {
   const attachments = req.attachments ?? [];
   if (attachments.length === 0) return req.prompt;
@@ -2476,7 +2602,7 @@ function unsupportedAttachmentError(runtimeLabel, count, detail) {
 }
 function formatAttachmentReference(value, cwd) {
   if (isUrl(value)) return imageMimeFromPath(value) ? `[image: ${value} (${imageMimeFromPath(value)}, remote)]` : `[attachment: ${value}]`;
-  const target = path4.isAbsolute(value) ? value : path4.resolve(cwd, value);
+  const target = path5.isAbsolute(value) ? value : path5.resolve(cwd, value);
   try {
     const stats = fs4.statSync(target);
     if (!stats.isFile()) return `[attachment: ${value} (${stats.size} bytes)]`;
@@ -2493,7 +2619,7 @@ function isUrl(value) {
 }
 function imageMimeFromPath(value) {
   const pathname = isUrl(value) ? new URL(value).pathname : value;
-  const ext = path4.extname(pathname).toLowerCase();
+  const ext = path5.extname(pathname).toLowerCase();
   if (ext === ".png") return "image/png";
   if (ext === ".jpg" || ext === ".jpeg") return "image/jpeg";
   if (ext === ".gif") return "image/gif";
@@ -2525,15 +2651,14 @@ function hasAnthropicApiKeyEnv(env = process.env) {
 
 // src/external-runtime/claudecode-paths.ts
 import fs5 from "node:fs";
-import os3 from "node:os";
-import path5 from "node:path";
+import path6 from "node:path";
 function resolveClaudeCodeCliPath(configured) {
   if (configured) return expandHome(configured);
   if (process.env.CLAUDE_CODE_CLI) return expandHome(process.env.CLAUDE_CODE_CLI);
   const candidates = ["~/.local/bin/claude", "claude"];
   for (const candidate of candidates) {
     const expanded = expandHome(candidate);
-    if (path5.isAbsolute(expanded)) {
+    if (path6.isAbsolute(expanded)) {
       if (isExecutableFile(expanded)) return expanded;
       continue;
     }
@@ -2542,9 +2667,7 @@ function resolveClaudeCodeCliPath(configured) {
   return void 0;
 }
 function expandHome(value) {
-  if (value === "~") return os3.homedir();
-  if (value.startsWith("~/")) return path5.join(os3.homedir(), value.slice(2));
-  return value;
+  return expandPathReferences(value);
 }
 function isExecutableFile(filePath) {
   try {
@@ -2810,14 +2933,14 @@ function numberValue2(value) {
 // src/external-runtime/session-lock.ts
 import { mkdir as mkdir4, open, readFile as readFile4, unlink } from "node:fs/promises";
 import os4 from "node:os";
-import path6 from "node:path";
+import path7 from "node:path";
 var DEFAULT_STALE_MS = 30 * 60 * 1e3;
 async function acquireClaudeCodeSessionLock(sessionId, options = {}) {
-  const dir = options.dir ?? path6.join(os4.homedir(), ".demian", "claude-sessions");
+  const dir = options.dir ?? path7.join(os4.homedir(), ".demian", "claude-sessions");
   const staleMs = options.staleMs ?? DEFAULT_STALE_MS;
   const now2 = options.now ?? (() => Date.now());
   await mkdir4(dir, { recursive: true });
-  const lockPath = path6.join(dir, `${encodeURIComponent(sessionId)}.lock`);
+  const lockPath = path7.join(dir, `${encodeURIComponent(sessionId)}.lock`);
   for (let attempt = 0; attempt < 2; attempt++) {
     try {
       const handle = await open(lockPath, "wx");
@@ -2881,14 +3004,14 @@ function isAlreadyExists(error) {
 // src/external-runtime/usage-ledger.ts
 import { mkdir as mkdir5, readFile as readFile5, rename as rename3, writeFile as writeFile4 } from "node:fs/promises";
 import os5 from "node:os";
-import path7 from "node:path";
+import path8 from "node:path";
 var processLedger = /* @__PURE__ */ new Map();
 var ClaudeCodeUsageLedger = class {
   #scope;
   #filePath;
   constructor(options = {}) {
     this.#scope = options.scope ?? "process";
-    this.#filePath = options.filePath ?? path7.join(os5.homedir(), ".demian", "usage-ledger.json");
+    this.#filePath = options.filePath ?? path8.join(os5.homedir(), ".demian", "usage-ledger.json");
   }
   async spentUsd(key, now2 = /* @__PURE__ */ new Date()) {
     if (this.#scope === "process") return processLedger.get(processKey(key)) ?? 0;
@@ -2919,7 +3042,7 @@ var ClaudeCodeUsageLedger = class {
     return { version: 1, buckets: {} };
   }
   async #write(file) {
-    await mkdir5(path7.dirname(this.#filePath), { recursive: true });
+    await mkdir5(path8.dirname(this.#filePath), { recursive: true });
     const temp = `${this.#filePath}.${process.pid}.tmp`;
     await writeFile4(temp, `${JSON.stringify(file, null, 2)}
 `, "utf8");
@@ -22580,10 +22703,10 @@ function now() {
 }
 
 // src/permissions/engine.ts
-import path10 from "node:path";
+import path11 from "node:path";
 
 // src/permissions/grants.ts
-import path8 from "node:path";
+import path9 from "node:path";
 
 // src/util.ts
 function stableStringify(value) {
@@ -22638,8 +22761,8 @@ function grantKeyFor(tool, input2, cwd) {
   }
   if (tool === "write_file" || tool === "edit_file") {
     const filePath = typeof object2.path === "string" ? object2.path : "";
-    const parent = filePath ? path8.dirname(path8.resolve(cwd, filePath)) : cwd;
-    return `${tool}:${path8.relative(cwd, parent) || "."}`;
+    const parent = filePath ? path9.dirname(path9.resolve(cwd, filePath)) : cwd;
+    return `${tool}:${path9.relative(cwd, parent) || "."}`;
   }
   return `${tool}:${stableStringify(input2)}`;
 }
@@ -22666,30 +22789,30 @@ function firstCommandTokens(command, count) {
 }
 
 // src/workspace/paths.ts
-import path9 from "node:path";
+import path10 from "node:path";
 function normalizePathForMatch(value) {
-  return value.split(path9.sep).join("/");
+  return value.split(path10.sep).join("/");
 }
 function isInsidePath(root, candidate) {
-  const relative = path9.relative(path9.resolve(root), path9.resolve(candidate));
-  return relative === "" || !relative.startsWith("..") && !path9.isAbsolute(relative);
+  const relative = path10.relative(path10.resolve(root), path10.resolve(candidate));
+  return relative === "" || !relative.startsWith("..") && !path10.isAbsolute(relative);
 }
 function resolveInsideCwd(cwd, inputPath) {
   if (typeof inputPath !== "string" || inputPath.length === 0) {
     throw new Error("path must be a non-empty string");
   }
-  const resolved = path9.resolve(cwd, inputPath);
+  const resolved = path10.resolve(cwd, inputPath);
   if (!isInsidePath(cwd, resolved)) {
     throw new Error(`Path is outside the workspace: ${inputPath}`);
   }
   return resolved;
 }
 function relativeToCwd(cwd, absolutePath) {
-  const relative = path9.relative(cwd, absolutePath);
+  const relative = path10.relative(cwd, absolutePath);
   return normalizePathForMatch(relative || ".");
 }
 function isEnvFile(filePath) {
-  const base = path9.basename(filePath);
+  const base = path10.basename(filePath);
   if (base === ".env.example") return false;
   return base === ".env" || base.startsWith(".env.");
 }
@@ -22796,7 +22919,7 @@ var PermissionEngine = class {
   #hardDeny(tool, input2, grantKey) {
     const paths = inputPaths(tool, input2);
     for (const item of paths) {
-      const resolved = path10.resolve(this.#cwd, item);
+      const resolved = path11.resolve(this.#cwd, item);
       if (!isInsidePath(this.#cwd, resolved)) {
         return {
           decision: "deny",
@@ -22850,7 +22973,7 @@ function matchesRule(rule, tool, input2, cwd) {
   if (rule.match.pathGlob) {
     const paths = inputPaths(tool, input2);
     if (paths.length === 0) return false;
-    if (!paths.some((item) => matchesPathRule(rule.match?.pathGlob, relativeToCwd(cwd, path10.resolve(cwd, item))))) {
+    if (!paths.some((item) => matchesPathRule(rule.match?.pathGlob, relativeToCwd(cwd, path11.resolve(cwd, item))))) {
       return false;
     }
   }
@@ -22897,7 +23020,7 @@ function rulePriority(rule, ref) {
 }
 function matchesPathRule(pattern, relativePath) {
   if (!pattern) return true;
-  if (path10.basename(relativePath) === ".env.example" && pattern.includes(".env.*")) return false;
+  if (path11.basename(relativePath) === ".env.example" && pattern.includes(".env.*")) return false;
   return matchGlob(pattern, relativePath);
 }
 function mostSpecificRule(rules, input2, cwd, ref) {
@@ -22975,13 +23098,13 @@ function permissionLabel(req) {
   if ((req.tool === "write_file" || req.tool === "edit_file" || req.tool === "read_file") && typeof inputObject.path === "string") {
     return `${req.tool}: ${inputObject.path}`;
   }
-  const path27 = typeof inputObject.path === "string" ? inputObject.path : typeof inputObject.file_path === "string" ? inputObject.file_path : void 0;
-  if (path27) return `${tool}: ${path27}`;
+  const path29 = typeof inputObject.path === "string" ? inputObject.path : typeof inputObject.file_path === "string" ? inputObject.file_path : void 0;
+  if (path29) return `${tool}: ${path29}`;
   return tool;
 }
 
 // src/workspace/write-scope.ts
-import path11 from "node:path";
+import path12 from "node:path";
 var WRITE_TOOLS = /* @__PURE__ */ new Set(["write_file", "edit_file", "Write", "Edit", "MultiEdit", "NotebookEdit"]);
 var WORKSPACE_SCOPE = "**";
 function normalizeWriteScope(cwd, scope) {
@@ -23003,7 +23126,7 @@ function enforceToolWriteScope(input2) {
   if (paths.length === 0) return { ok: true, paths: [] };
   const checked = [];
   for (const target of paths) {
-    const resolved = path11.resolve(input2.cwd, target);
+    const resolved = path12.resolve(input2.cwd, target);
     const relative = relativeToCwd(input2.cwd, resolved);
     checked.push(relative);
     const allowed = isPathAllowedByWriteScope(input2.cwd, target, input2.writeScope);
@@ -23027,7 +23150,7 @@ function outOfScopeDiffFiles(cwd, summary, writeScope) {
   return out;
 }
 function isPathAllowedByWriteScope(cwd, inputPath, writeScope) {
-  const resolved = path11.resolve(cwd, inputPath);
+  const resolved = path12.resolve(cwd, inputPath);
   if (!isInsidePath(cwd, resolved)) {
     return { ok: false, error: "path is outside the workspace", paths: [inputPath] };
   }
@@ -23046,9 +23169,9 @@ function normalizeScopePattern(cwd, raw) {
   if (!value) return { ok: false, error: "writeScope entries must be non-empty." };
   if (value.includes("\0")) return { ok: false, error: "writeScope entries must not contain NUL bytes." };
   const hasGlob2 = /[*?[\]{}]/.test(value);
-  if (path11.isAbsolute(value)) {
+  if (path12.isAbsolute(value)) {
     if (hasGlob2) return { ok: false, error: `writeScope absolute globs are not supported: ${raw}` };
-    const resolved = path11.resolve(value);
+    const resolved = path12.resolve(value);
     if (!isInsidePath(cwd, resolved)) return { ok: false, error: `writeScope path is outside the workspace: ${raw}` };
     value = relativeToCwd(cwd, resolved);
   }
@@ -23425,6 +23548,7 @@ function claudeCodePreviewEnabled(config = {}, env = process.env) {
 }
 
 // src/config.ts
+var BUILTIN_PROVIDER_ORDER = ["openai", "anthropic", "gemini", "groq", "azure", "lmstudio", "ollama-local", "ollama-cloud", "llamacpp", "vllm", "codex", "claudecode"];
 var CLAUDE_CODE_SONNET_MODEL = "claude-sonnet-4-6";
 var CLAUDE_CODE_OPUS_MODEL = "claude-opus-4-7";
 var CLAUDE_CODE_MODELS = [CLAUDE_CODE_SONNET_MODEL, CLAUDE_CODE_OPUS_MODEL];
@@ -23462,7 +23586,7 @@ var defaultConfig = {
     maxConcurrentExpensive: 1,
     maxConcurrentWriters: 1,
     maxConcurrentPerProvider: {
-      "claudecode-subagent": 1
+      claudecode: 1
     },
     tokenBudget: null,
     defaultMergeStrategy: "synthesize",
@@ -23584,73 +23708,102 @@ var defaultConfig = {
   providers: {
     openai: {
       type: "openai-compatible",
-      model: "openai-model-name",
       baseURL: "https://api.openai.com/v1",
-      apiKeyEnv: "OPENAI_API_KEY"
+      apiKeyEnv: "OPENAI_API_KEY",
+      catalog: {
+        type: "openai-models",
+        endpoint: "https://api.openai.com/v1/models"
+      }
+    },
+    anthropic: {
+      type: "anthropic",
+      baseURL: "https://api.anthropic.com/v1",
+      apiKeyEnv: "ANTHROPIC_API_KEY",
+      catalog: {
+        type: "anthropic-models",
+        endpoint: "https://api.anthropic.com/v1/models"
+      }
     },
     gemini: {
       type: "openai-compatible",
-      model: "gemini-model-name",
       baseURL: "https://generativelanguage.googleapis.com/v1beta/openai/",
-      apiKeyEnv: "GOOGLE_API_KEY"
+      apiKeyEnv: "GEMINI_API_KEY",
+      apiKeyEnvAliases: ["GOOGLE_API_KEY"],
+      catalog: {
+        type: "gemini-openai-models",
+        endpoint: "https://generativelanguage.googleapis.com/v1beta/openai/models"
+      }
     },
-    ollama: {
+    groq: {
       type: "openai-compatible",
-      model: "local-coder-model",
-      baseURL: "http://localhost:11434/v1",
-      apiKey: "ollama",
-      quirks: { omitTemperature: true }
+      baseURL: "https://api.groq.com/openai/v1",
+      apiKeyEnv: "GROQ_API_KEY",
+      catalog: {
+        type: "groq-models",
+        endpoint: "https://api.groq.com/openai/v1/models"
+      }
+    },
+    azure: {
+      type: "openai-compatible",
+      auth: { type: "api-key", header: "api-key" },
+      modelProfiles: [
+        {
+          name: "azure-example",
+          displayName: "Azure example",
+          model: "azure-deployment-name",
+          baseURL: "https://example.openai.azure.com/openai/v1",
+          apiKeyEnv: "AZURE_OPENAI_API_KEY"
+        }
+      ]
     },
     lmstudio: {
       type: "openai-compatible",
-      model: "local-coder-model",
       baseURL: "http://localhost:1234/v1",
-      apiKey: "lm-studio"
+      apiKey: "lm-studio",
+      catalog: {
+        type: "openai-compatible-models",
+        endpoint: "http://localhost:1234/v1/models"
+      }
     },
-    vllm: {
+    "ollama-local": {
       type: "openai-compatible",
-      model: "local-coder-model",
-      baseURL: "http://localhost:8000/v1",
-      apiKey: "vllm"
+      baseURL: "http://localhost:11434/v1",
+      apiKey: "ollama",
+      quirks: { omitTemperature: true },
+      catalog: {
+        type: "openai-compatible-models",
+        endpoint: "http://localhost:11434/v1/models"
+      }
+    },
+    "ollama-cloud": {
+      type: "ollama",
+      baseURL: "https://ollama.com/api",
+      apiKeyEnv: "OLLAMA_API_KEY",
+      catalog: {
+        type: "ollama-tags",
+        endpoint: "https://ollama.com/api/tags"
+      }
     },
     llamacpp: {
       type: "openai-compatible",
-      model: "local-coder-model",
       baseURL: "http://localhost:8080/v1",
-      apiKey: "llama.cpp"
-    },
-    openrouter: {
-      type: "openai-compatible",
-      model: "provider/model-name",
-      baseURL: "https://openrouter.ai/api/v1",
-      apiKeyEnv: "OPENROUTER_API_KEY"
-    },
-    together: {
-      type: "openai-compatible",
-      model: "provider/model-name",
-      baseURL: "https://api.together.xyz/v1",
-      apiKeyEnv: "TOGETHER_API_KEY"
-    },
-    groq: {
-      type: "openai-compatible",
-      model: "provider/model-name",
-      baseURL: "https://api.groq.com/openai/v1",
-      apiKeyEnv: "GROQ_API_KEY"
+      apiKey: "llama.cpp",
+      catalog: {
+        type: "openai-compatible-models",
+        endpoint: "http://localhost:8080/v1/models"
+      }
     },
-    azure: {
+    vllm: {
       type: "openai-compatible",
-      model: "azure-deployment-name",
-      baseURL: "https://example.openai.azure.com/openai/v1",
-      apiKeyEnv: "AZURE_OPENAI_API_KEY"
-    },
-    anthropic: {
-      type: "anthropic",
-      model: "anthropic-model-name",
-      apiKeyEnv: "ANTHROPIC_API_KEY"
+      baseURL: "http://localhost:8000/v1",
+      apiKey: "vllm",
+      catalog: {
+        type: "openai-compatible-models",
+        endpoint: "http://localhost:8000/v1/models"
+      }
     },
     codex: {
       type: "codex",
-      model: "gpt-5.1-codex",
       baseURL: "https://chatgpt.com/backend-api/codex",
       authStore: "auto",
       allowApiKeyFallback: false,
@@ -23662,6 +23815,9 @@ var defaultConfig = {
           effort: "medium",
           summary: "auto"
         }
+      },
+      catalog: {
+        type: "codex-oauth-models"
       }
     },
     claudecode: {
@@ -23680,67 +23836,37 @@ var defaultConfig = {
       useBareMode: false,
       usageLedgerScope: "process",
       sessionLock: true,
-      abortPolicy: "record-only"
-    },
-    "claudecode-plan": {
-      type: "claudecode",
-      runtime: "agent-sdk",
-      model: CLAUDE_CODE_SONNET_MODEL,
-      models: [...CLAUDE_CODE_MODELS],
-      permissionProfile: "plan",
-      cliPath: "~/.local/bin/claude",
-      cwdMode: "session",
-      historyPolicy: "passthrough-resume",
-      onInvalidResume: "fresh",
-      attachmentFallback: "block",
-      allowSubagents: false,
-      sanitizeApiKeyEnv: true,
-      authPreflight: true,
-      useBareMode: false,
-      usageLedgerScope: "process",
-      sessionLock: true,
-      abortPolicy: "record-only",
-      hidden: true
-    },
-    "claudecode-subagent": {
-      type: "claudecode",
-      runtime: "agent-sdk",
-      model: CLAUDE_CODE_SONNET_MODEL,
-      models: [...CLAUDE_CODE_MODELS],
-      permissionProfile: "build",
-      cliPath: "~/.local/bin/claude",
-      cwdMode: "session",
-      historyPolicy: "passthrough-resume",
-      onInvalidResume: "fresh",
-      attachmentFallback: "block",
-      allowSubagents: false,
-      sanitizeApiKeyEnv: true,
-      authPreflight: true,
-      useBareMode: false,
-      usageLedgerScope: "process",
-      sessionLock: true,
       abortPolicy: "record-only",
-      hidden: true
+      catalog: {
+        type: "claudecode-supported-models"
+      }
     }
   }
 };
 async function loadConfig(options) {
   const configs = [];
-  const userConfigDir = path12.join(os7.homedir(), ".demian");
-  const projectConfigDir = path12.join(options.cwd, ".demian");
-  const configPaths = [
-    path12.join(userConfigDir, "config.json"),
-    path12.join(userConfigDir, "config.jsond"),
-    path12.join(projectConfigDir, "config.json"),
-    path12.join(projectConfigDir, "config.jsond"),
-    options.configPath
-  ].filter(Boolean);
+  const userConfigDir = path13.join(os7.homedir(), ".demian");
+  const configPaths = [path13.join(userConfigDir, "config.json"), path13.join(userConfigDir, "config.jsond"), options.configPath].filter(Boolean);
   for (const filePath of configPaths) {
     if (!fs7.existsSync(filePath)) continue;
-    configs.push(parseConfigText(await readFile6(filePath, "utf8"), filePath));
+    const parsed = parseConfigText(await readFile6(filePath, "utf8"), filePath);
+    warnIfV1Config(parsed, filePath);
+    configs.push(parsed);
   }
   return configs.reduce((acc, item) => mergeConfig(acc, item), structuredClone(defaultConfig));
 }
+function warnIfV1Config(parsed, filePath) {
+  if (parsed.version === 2) return;
+  const providers = parsed.providers ?? {};
+  const hasLegacyShape = Object.values(providers).some((provider) => {
+    const candidate = provider;
+    return (typeof candidate.model === "string" || Array.isArray(candidate.models)) && !Array.isArray(candidate.modelProfiles);
+  });
+  if (!hasLegacyShape && parsed.version === void 0 && Object.keys(providers).length === 0) return;
+  if (!hasLegacyShape) return;
+  process.stderr.write(`[demian] warning: ${filePath} uses the v1 schema (provider.model/models). v2 expects modelProfiles. Run \`demian config init\` to scaffold a v2 template.
+`);
+}
 function parseConfigText(text, filePath) {
   try {
     return JSON.parse(filePath.endsWith(".jsond") ? stripJsonD(text) : text);
@@ -23947,7 +24073,168 @@ function mergeConfig(base, overlay) {
   };
 }
 function normalizeProviderAlias(providerName) {
-  return providerName === "claudecode-plan" ? "claudecode" : providerName;
+  if (providerName === "claudecode-plan" || providerName === "claudecode-subagent") return "claudecode";
+  if (providerName === "ollama") return "ollama-local";
+  return providerName;
+}
+function sortProviderNames(names) {
+  const order = new Map(BUILTIN_PROVIDER_ORDER.map((name, index) => [name, index]));
+  return [...names].sort((left, right) => {
+    const leftIndex = order.get(left);
+    const rightIndex = order.get(right);
+    if (leftIndex !== void 0 && rightIndex !== void 0) return leftIndex - rightIndex;
+    if (leftIndex !== void 0) return -1;
+    if (rightIndex !== void 0) return 1;
+    return left.localeCompare(right);
+  });
+}
+function providerModelProfiles(providerName, providerConfig) {
+  const explicit = Array.isArray(providerConfig.modelProfiles) ? providerConfig.modelProfiles.filter((profile) => typeof profile?.model === "string" && profile.model.trim()).map((profile) => ({
+    ...profile,
+    name: profile.name?.trim() || profile.displayName?.trim() || profile.model.trim(),
+    displayName: profile.displayName?.trim() || profile.name?.trim() || profile.model.trim(),
+    model: profile.model.trim()
+  })) : [];
+  const seenNames = /* @__PURE__ */ new Set();
+  const seenDisplayNames = /* @__PURE__ */ new Set();
+  const seenModels = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const profile of explicit) {
+    if (seenNames.has(profile.name)) {
+      process.stderr.write(`[demian] warning: provider ${providerName} has duplicate modelProfile name "${profile.name}". Later entry ignored.
+`);
+      continue;
+    }
+    if (profile.displayName && seenDisplayNames.has(profile.displayName)) {
+      process.stderr.write(`[demian] warning: provider ${providerName} has duplicate modelProfile displayName "${profile.displayName}". Later entry ignored.
+`);
+      continue;
+    }
+    seenNames.add(profile.name);
+    if (profile.displayName) seenDisplayNames.add(profile.displayName);
+    seenModels.add(profile.model);
+    out.push(profile);
+  }
+  const legacy = [...typeof providerConfig.model === "string" && providerConfig.model.trim() ? [providerConfig.model.trim()] : [], ...(providerConfig.models ?? []).filter((model) => typeof model === "string" && model.trim())];
+  for (const model of legacy) {
+    const trimmed = model.trim();
+    if (!trimmed || seenModels.has(trimmed)) continue;
+    seenModels.add(trimmed);
+    const name = trimmed;
+    if (!seenNames.has(name)) seenNames.add(name);
+    out.push({ name, displayName: name, model: trimmed });
+  }
+  const fallback = fallbackModelForProvider(providerName, providerConfig);
+  if (out.length === 0 && fallback) out.push({ name: fallback, displayName: fallback, model: fallback });
+  return out;
+}
+function providerModelOptions(providerName, providerConfig) {
+  return providerModelProfiles(providerName, providerConfig).filter((profile) => !profile.hidden).map((profile) => profile.displayName ?? profile.name ?? profile.model);
+}
+function defaultModelForProvider(providerName, providerConfig) {
+  return providerModelProfiles(providerName, providerConfig)[0]?.model ?? "";
+}
+function resolveConfiguredApiKey(providerConfig) {
+  if (providerConfig.apiKey) return { value: providerConfig.apiKey };
+  for (const envName of [providerConfig.apiKeyEnv, ...providerConfig.apiKeyEnvAliases ?? []]) {
+    if (!envName) continue;
+    const value = process.env[envName];
+    if (value) return { value, envName };
+  }
+  return { envName: providerConfig.apiKeyEnv ?? providerConfig.apiKeyEnvAliases?.[0] };
+}
+function resolveProviderRuntimeConfig(config, selection) {
+  const providerName = normalizeProviderAlias(selection.providerName);
+  const providerConfig = resolveProviderConfig(config, providerName);
+  const profiles = providerModelProfiles(providerName, providerConfig);
+  let profile;
+  if (selection.modelProfileName) profile = profiles.find((item) => item.name === selection.modelProfileName);
+  if (!profile && selection.model) profile = profiles.find((item) => item.displayName === selection.model);
+  if (!profile && selection.model) profile = profiles.find((item) => item.model === selection.model);
+  if (!profile) profile = profiles[0];
+  if (!profile) {
+    const model = selection.model ?? defaultModelForProvider(providerName, providerConfig);
+    if (!model) throw new Error(`Provider ${providerName} has no model. Run \`demian config models ${providerName} --refresh\` or add a model profile.`);
+    return { providerName, providerConfig, model };
+  }
+  const merged = mergeModelProfile(providerConfig, profile);
+  return {
+    providerName,
+    providerConfig: merged,
+    model: profile.model,
+    modelProfileName: profile.name
+  };
+}
+function resolveInternalAgentBackend(config, options = {}) {
+  const tried = [];
+  const candidates = uniqueProviderCandidates([options.preferredProvider, config.defaultProvider, ...Object.keys(config.providers)]);
+  let lastError;
+  for (const candidate of candidates) {
+    tried.push(candidate);
+    const provider = config.providers[normalizeProviderAlias(candidate)];
+    if (!provider || provider.hidden) continue;
+    try {
+      const runtime = resolveProviderRuntimeConfig(config, {
+        providerName: candidate,
+        modelProfileName: candidate === options.preferredProvider ? options.modelProfileName : void 0,
+        model: candidate === options.preferredProvider ? options.model : void 0
+      });
+      const source = candidate === options.preferredProvider ? "preferred" : candidate === config.defaultProvider ? "default" : "first-available";
+      return {
+        providerName: runtime.providerName,
+        providerConfig: runtime.providerConfig,
+        model: runtime.model,
+        modelProfileName: runtime.modelProfileName,
+        source,
+        fallbackReason: source !== "preferred" && options.preferredProvider ? `preferred provider ${options.preferredProvider} unavailable` : void 0
+      };
+    } catch (error) {
+      lastError = error instanceof Error ? error : new Error(String(error));
+    }
+  }
+  throw new Error(`No usable provider for internal agent. Tried: ${tried.join(", ") || "(none)"}. Last error: ${lastError?.message ?? "no providers configured"}.`);
+}
+function uniqueProviderCandidates(values) {
+  const seen = /* @__PURE__ */ new Set();
+  const out = [];
+  for (const value of values) {
+    if (!value) continue;
+    const normalized = normalizeProviderAlias(value);
+    if (seen.has(normalized)) continue;
+    seen.add(normalized);
+    out.push(normalized);
+  }
+  return out;
+}
+function mergeModelProfile(providerConfig, profile) {
+  const merged = {
+    ...providerConfig,
+    ...definedOnly({
+      baseURL: profile.baseURL,
+      apiKey: profile.apiKey,
+      apiKeyEnv: profile.apiKeyEnv,
+      apiKeyEnvAliases: profile.apiKeyEnvAliases,
+      auth: profile.auth,
+      headers: profile.headers,
+      quirks: profile.quirks,
+      maxTokens: profile.maxTokens
+    }),
+    model: profile.model
+  };
+  return merged;
+}
+function definedOnly(input2) {
+  return Object.fromEntries(Object.entries(input2).filter(([, value]) => value !== void 0));
+}
+function fallbackModelForProvider(providerName, providerConfig) {
+  if (typeof providerConfig.model === "string" && providerConfig.model.trim()) return providerConfig.model.trim();
+  if (providerName === "openai") return "gpt-5.5";
+  if (providerName === "anthropic") return CLAUDE_CODE_SONNET_MODEL;
+  if (providerName === "codex" || providerConfig.type === "codex") return "gpt-5.5";
+  if (providerName === "claudecode") return CLAUDE_CODE_SONNET_MODEL;
+  if (providerName === "gemini") return "gemini-2.5-pro";
+  if (providerName === "groq") return "openai/gpt-oss-120b";
+  return void 0;
 }
 function migrateProviderConfig(provider, baseProvider) {
   if (isLegacyClaudeCodeShape(provider)) {
@@ -24029,12 +24316,14 @@ function resolveAgentMode(config, flagMode) {
   return "single-agent";
 }
 function resolveProviderConfig(config, providerName) {
-  const provider = config.providers[providerName];
+  const normalized = normalizeProviderAlias(providerName);
+  const provider = config.providers[normalized];
   if (!provider) throw new Error(`Unknown provider: ${providerName}`);
   return provider;
 }
 function resolveProvider(providerConfig, options = {}) {
   const model = options.model ?? providerConfig.model;
+  if (!model) throw new Error("Provider has no selected model. Choose a model or add a model profile.");
   if (providerConfig.type === "claudecode") {
     throw new Error("claudecode is an external agent runtime. Use resolveExecutionBackend().");
   }
@@ -24081,20 +24370,36 @@ function resolveProvider(providerConfig, options = {}) {
     };
   }
   if (providerConfig.type === "anthropic") {
-    const apiKey2 = providerConfig.apiKey ?? (providerConfig.apiKeyEnv ? process.env[providerConfig.apiKeyEnv] : void 0);
+    const apiKey2 = resolveConfiguredApiKey(providerConfig).value;
     if (!apiKey2) {
       throw new Error(`Missing API key for provider. Set ${providerConfig.apiKeyEnv ?? "apiKey"} or configure apiKey.`);
     }
     return {
       provider: new AnthropicProvider({
         apiKey: apiKey2,
+        baseURL: providerConfig.baseURL,
         defaultModel: model,
         onRetry: options.onRetry
       }),
       model
     };
   }
-  const apiKey = providerConfig.apiKey ?? (providerConfig.apiKeyEnv ? process.env[providerConfig.apiKeyEnv] : void 0);
+  if (providerConfig.type === "ollama") {
+    const apiKey2 = resolveConfiguredApiKey(providerConfig).value;
+    if (!apiKey2) {
+      throw new Error(`Missing API key for provider. Set ${providerConfig.apiKeyEnv ?? "apiKey"} or configure apiKey.`);
+    }
+    return {
+      provider: new OllamaProvider({
+        baseURL: providerConfig.baseURL,
+        apiKey: apiKey2,
+        defaultModel: model,
+        onRetry: options.onRetry
+      }),
+      model
+    };
+  }
+  const apiKey = resolveConfiguredApiKey(providerConfig).value;
   if (!apiKey) {
     throw new Error(`Missing API key for provider. Set ${providerConfig.apiKeyEnv ?? "apiKey"} or configure apiKey.`);
   }
@@ -24113,6 +24418,7 @@ function resolveProvider(providerConfig, options = {}) {
 }
 function resolveExecutionBackend(providerConfig, options = {}) {
   const model = options.model ?? providerConfig.model;
+  if (!model) throw new Error("Provider has no selected model. Choose a model or add a model profile.");
   if (providerConfig.type === "claudecode") {
     const runtimeConfig = options.config || providerConfig.permissionProfile ? resolveClaudeCodeRuntimeConfig(providerConfig, options.config ?? defaultConfig, options.agent) : providerConfig;
     return {
@@ -24321,7 +24627,7 @@ function safeJson(value) {
 }
 
 // src/hooks/dispatcher.ts
-import path14 from "node:path";
+import path15 from "node:path";
 
 // src/hooks/command.ts
 import { spawn as spawn4 } from "node:child_process";
@@ -24414,7 +24720,7 @@ var blockDangerousBashHook = {
 };
 
 // src/hooks/builtin/protect-env-files.ts
-import path13 from "node:path";
+import path14 from "node:path";
 var protectEnvFilesHook = {
   name: "protect-env-files",
   event: "PreToolUse",
@@ -24422,7 +24728,7 @@ var protectEnvFilesHook = {
   run(ctx) {
     if (ctx.toolName !== "write_file" && ctx.toolName !== "edit_file") return { decision: "allow" };
     const input2 = ctx.toolInput && typeof ctx.toolInput === "object" ? ctx.toolInput : {};
-    const filePath = typeof input2.path === "string" ? path13.resolve(ctx.cwd, input2.path) : "";
+    const filePath = typeof input2.path === "string" ? path14.resolve(ctx.cwd, input2.path) : "";
     if (filePath && isEnvFile(filePath)) {
       return {
         decision: "block",
@@ -24537,14 +24843,426 @@ function matchesHook(match, ctx) {
     const input2 = ctx.toolInput && typeof ctx.toolInput === "object" ? ctx.toolInput : {};
     const filePath = typeof input2.path === "string" ? input2.path : typeof input2.workdir === "string" ? input2.workdir : void 0;
     if (!filePath) return false;
-    if (!matchGlob(match.pathGlob, relativeToCwd(ctx.cwd, path14.resolve(ctx.cwd, filePath)))) return false;
+    if (!matchGlob(match.pathGlob, relativeToCwd(ctx.cwd, path15.resolve(ctx.cwd, filePath)))) return false;
   }
   return true;
 }
 
+// src/models/catalog.ts
+import crypto5 from "node:crypto";
+import { mkdir as mkdir6, readFile as readFile7, rename as rename4, writeFile as writeFile5 } from "node:fs/promises";
+import os9 from "node:os";
+import path16 from "node:path";
+var DEFAULT_CACHE_TTL_MS = 5 * 60 * 1e3;
+var PING_TIMEOUT_MS = 1500;
+var DEFAULT_CODEX_CLIENT_VERSION = "0.0.0";
+var dynamicImport2 = new Function("specifier", "return import(specifier)");
+var inflight = /* @__PURE__ */ new Map();
+var pingCache = /* @__PURE__ */ new Map();
+var PING_CACHE_TTL_MS = 30 * 1e3;
+var packageVersionPromise;
+async function listProviderModelCatalog(providerName, providerConfig, options = {}) {
+  const key = `${catalogCacheKey(providerName, providerConfig)}:${options.refresh ? "refresh" : "default"}`;
+  const existing = inflight.get(key);
+  if (existing) return existing;
+  const promise = doListProviderModelCatalog(providerName, providerConfig, options).finally(() => inflight.delete(key));
+  inflight.set(key, promise);
+  return promise;
+}
+async function doListProviderModelCatalog(providerName, providerConfig, options) {
+  const staticModels = staticModelEntries(providerName, providerConfig);
+  const catalog = providerConfig.catalog;
+  if (!catalog || catalog.type === "static") {
+    return { status: staticModels.length ? "ready" : "unavailable", providerName, models: staticModels, source: "config" };
+  }
+  const missingAuthEnv = missingCatalogAuth(providerConfig);
+  if (missingAuthEnv) {
+    return {
+      status: "missing-auth",
+      providerName,
+      models: staticModels,
+      source: staticModels.length ? "config" : "fallback",
+      message: `missing-auth:${missingAuthEnv}`
+    };
+  }
+  const cacheKey = catalogCacheKey(providerName, providerConfig);
+  const ttlMs = catalog.refreshTtlMs ?? DEFAULT_CACHE_TTL_MS;
+  const cached = await readCatalogCache(cacheKey, ttlMs, options.refresh !== true);
+  if (cached && !options.refresh) return { ...cached, models: mergeCatalogWithStatic(staticModels, cached.models) };
+  if (catalog.endpoint) {
+    const reachable = await pingEndpoint(catalog.endpoint, options.fetch);
+    if (!reachable) {
+      const stale = await readCatalogCache(cacheKey, Number.POSITIVE_INFINITY, true);
+      if (stale) return { ...stale, models: mergeCatalogWithStatic(staticModels, stale.models), message: `endpoint ${catalog.endpoint} unreachable; using cached models` };
+      if (staticModels.length) return { status: "ready", providerName, models: staticModels, source: "config", message: `endpoint ${catalog.endpoint} unreachable; using configured profiles` };
+      return { status: "unavailable", providerName, models: [], source: "fallback", message: `endpoint ${catalog.endpoint} unreachable` };
+    }
+  }
+  try {
+    const remote = await fetchCatalog(providerName, providerConfig, options);
+    const merged = mergeCatalogWithStatic(staticModels, remote.models);
+    const result = { ...remote, models: merged };
+    if (result.status === "ready") await writeCatalogCache(cacheKey, result);
+    return result;
+  } catch (error) {
+    const authMissing = isMissingAuthError(error);
+    const stale = await readCatalogCache(cacheKey, Number.POSITIVE_INFINITY, true);
+    if (stale) return { ...stale, status: authMissing ? "missing-auth" : stale.status, models: mergeCatalogWithStatic(staticModels, stale.models), message: errorMessage2(error) };
+    if (staticModels.length) return { status: authMissing ? "missing-auth" : "ready", providerName, models: staticModels, source: "config", message: errorMessage2(error) };
+    return { status: authMissing ? "missing-auth" : "unavailable", providerName, models: [], source: "fallback", message: errorMessage2(error) };
+  }
+}
+async function pingEndpoint(endpoint, fetcher) {
+  const now2 = Date.now();
+  const cached = pingCache.get(endpoint);
+  if (cached && cached.expiresAt > now2) return cached.ok;
+  const ok2 = await tryPing(endpoint, fetcher);
+  pingCache.set(endpoint, { ok: ok2, expiresAt: now2 + PING_CACHE_TTL_MS });
+  return ok2;
+}
+async function tryPing(endpoint, fetcher) {
+  const fn = fetcher ?? fetch;
+  try {
+    const response = await fn(endpoint, { method: "HEAD", signal: AbortSignal.timeout(PING_TIMEOUT_MS) });
+    if (response.status < 500) return true;
+  } catch {
+  }
+  try {
+    const response = await fn(endpoint, { method: "GET", signal: AbortSignal.timeout(PING_TIMEOUT_MS), headers: { range: "bytes=0-0" } });
+    return response.status < 500;
+  } catch {
+    return false;
+  }
+}
+function invalidateCatalogPingCache(endpoint) {
+  if (endpoint) pingCache.delete(endpoint);
+  else pingCache.clear();
+}
+async function fetchCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type === "codex" || providerConfig.catalog?.type === "codex-oauth-models") return fetchCodexCatalog(providerName, providerConfig, options);
+  if (providerConfig.type === "claudecode" || providerConfig.catalog?.type === "claudecode-supported-models") return fetchClaudeCodeCatalog(providerName, providerConfig, options);
+  if (providerConfig.catalog?.type === "anthropic-models") return fetchAnthropicCatalog(providerName, providerConfig, options);
+  if (providerConfig.catalog?.type === "ollama-tags") return fetchOllamaTagsCatalog(providerName, providerConfig, options);
+  return fetchOpenAIStyleCatalog(providerName, providerConfig, options);
+}
+async function fetchOpenAIStyleCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type !== "openai-compatible") throw new Error(`Provider ${providerName} is not OpenAI-compatible.`);
+  const apiKey = resolveConfiguredApiKey(providerConfig);
+  if (!apiKey.value) throw missingAuth(providerConfig.apiKeyEnv ?? "apiKey");
+  const endpoint = providerConfig.catalog?.endpoint ?? `${providerConfig.baseURL.replace(/\/+$/, "")}/models`;
+  const response = await fetchJson(endpoint, {
+    fetcher: options.fetch,
+    timeoutMs: options.timeoutMs,
+    headers: {
+      ...authHeadersForOpenAICompatible(providerConfig, apiKey.value),
+      ...providerConfig.headers ?? {}
+    }
+  });
+  return {
+    status: "ready",
+    providerName,
+    models: normalizeOpenAIModels(response).map((entry) => ({ ...entry, source: "api" })),
+    source: "api"
+  };
+}
+async function fetchAnthropicCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type !== "anthropic") throw new Error(`Provider ${providerName} is not Anthropic.`);
+  const apiKey = resolveConfiguredApiKey(providerConfig);
+  if (!apiKey.value) throw missingAuth(providerConfig.apiKeyEnv ?? "apiKey");
+  const base = providerConfig.baseURL ?? "https://api.anthropic.com/v1";
+  const endpoint = providerConfig.catalog?.endpoint ?? `${base.replace(/\/+$/, "")}/models`;
+  const models = [];
+  let afterId;
+  for (; ; ) {
+    const url = new URL(endpoint);
+    if (afterId) url.searchParams.set("after_id", afterId);
+    url.searchParams.set("limit", "100");
+    const response = await fetchJson(url.toString(), {
+      fetcher: options.fetch,
+      timeoutMs: options.timeoutMs,
+      headers: {
+        "x-api-key": apiKey.value,
+        "anthropic-version": "2023-06-01"
+      }
+    });
+    const page = normalizeAnthropicModels(response);
+    models.push(...page);
+    if (!response.has_more || !response.last_id) break;
+    afterId = response.last_id;
+  }
+  return { status: "ready", providerName, models, source: "api" };
+}
+async function fetchOllamaTagsCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type !== "ollama") throw new Error(`Provider ${providerName} is not Ollama native.`);
+  const apiKey = resolveConfiguredApiKey(providerConfig);
+  if (!apiKey.value) throw missingAuth(providerConfig.apiKeyEnv ?? "apiKey");
+  const endpoint = providerConfig.catalog?.endpoint ?? `${providerConfig.baseURL.replace(/\/+$/, "")}/tags`;
+  const response = await fetchJson(endpoint, {
+    fetcher: options.fetch,
+    timeoutMs: options.timeoutMs,
+    headers: { authorization: `Bearer ${apiKey.value}` }
+  });
+  return {
+    status: "ready",
+    providerName,
+    models: normalizeOllamaTags(response).map((entry) => ({ ...entry, source: "api" })),
+    source: "api"
+  };
+}
+async function fetchCodexCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type !== "codex") throw new Error(`Provider ${providerName} is not Codex.`);
+  const fetcher = options.fetch ?? fetch;
+  const baseURL = (providerConfig.baseURL ?? "https://chatgpt.com/backend-api/codex").replace(/\/+$/, "");
+  const installationId = await loadOrCreateInstallationId(resolveCodexHome(providerConfig.codexHome));
+  const auth = getSharedCodexAuthStore({
+    codexHome: providerConfig.codexHome,
+    authStore: providerConfig.authStore,
+    allowApiKeyFallback: providerConfig.allowApiKeyFallback,
+    proactiveRefreshMinutes: providerConfig.refresh?.proactiveRefreshMinutes,
+    refreshCache: providerConfig.refresh?.cache,
+    fetch: fetcher
+  });
+  const headers = await auth.requestHeaders(installationId);
+  const url = new URL(`${baseURL}/models`);
+  url.searchParams.set("client_version", await codexClientVersion(options.clientVersion));
+  const response = await fetchJson(url.toString(), {
+    fetcher,
+    timeoutMs: options.timeoutMs,
+    headers
+  });
+  return {
+    status: "ready",
+    providerName,
+    models: normalizeCodexModels(response).map((entry) => ({ ...entry, source: "oauth" })),
+    source: "oauth"
+  };
+}
+async function fetchClaudeCodeCatalog(providerName, providerConfig, options) {
+  if (providerConfig.type !== "claudecode") throw new Error(`Provider ${providerName} is not Claude Code.`);
+  const fallback = staticModelEntries(providerName, providerConfig);
+  try {
+    const module = await dynamicImport2("@anthropic-ai/claude-agent-sdk");
+    if (!module.query) throw new Error("Claude Agent SDK query export is unavailable.");
+    const query = module.query({
+      prompt: "",
+      options: {
+        model: defaultModelForProvider(providerName, providerConfig),
+        maxTurns: 0,
+        pathToClaudeCodeExecutable: resolveClaudeCodeCliPath(providerConfig.cliPath),
+        env: sanitizedClaudeCodeEnv(providerConfig.env, providerConfig.sanitizeApiKeyEnv ?? true)
+      }
+    });
+    try {
+      if (typeof query.supportedModels !== "function") throw new Error("Claude Agent SDK supportedModels is unavailable.");
+      const models = await withTimeout(query.supportedModels(), options.timeoutMs ?? 5e3);
+      return {
+        status: "ready",
+        providerName,
+        models: models.map((model, index) => ({
+          name: model.displayName || model.value,
+          displayName: model.displayName || model.value,
+          model: model.value,
+          description: model.description,
+          isDefault: index === 0,
+          source: "oauth"
+        })),
+        source: "oauth"
+      };
+    } finally {
+      query.close?.();
+    }
+  } catch (error) {
+    if (fallback.length) return { status: "ready", providerName, models: fallback, source: "fallback", message: errorMessage2(error) };
+    throw error;
+  }
+}
+function staticModelEntries(providerName, providerConfig) {
+  return providerModelProfiles(providerName, providerConfig).filter((profile) => !profile.hidden).map((profile, index) => ({
+    name: profile.displayName ?? profile.name,
+    displayName: profile.displayName ?? profile.name,
+    model: profile.model,
+    description: profile.description,
+    isDefault: index === 0,
+    source: "config"
+  }));
+}
+function mergeCatalogWithStatic(staticModels, remoteModels) {
+  const byModel = /* @__PURE__ */ new Map();
+  for (const model of remoteModels) byModel.set(model.model, model);
+  for (const model of staticModels) byModel.set(model.model, { ...byModel.get(model.model), ...model, source: model.source });
+  return [...byModel.values()];
+}
+function normalizeOpenAIModels(raw) {
+  const items = Array.isArray(raw.data) ? raw.data : Array.isArray(raw.models) ? raw.models : [];
+  return items.map((item) => {
+    const object2 = item;
+    const id = stringValue4(object2.id) ?? stringValue4(object2.name) ?? stringValue4(object2.model);
+    if (!id) return void 0;
+    return {
+      name: id,
+      displayName: stringValue4(object2.display_name) ?? stringValue4(object2.displayName) ?? id,
+      model: id,
+      description: stringValue4(object2.description)
+    };
+  }).filter(Boolean);
+}
+function normalizeAnthropicModels(raw) {
+  return (raw.data ?? []).map((item) => {
+    const object2 = item;
+    const id = stringValue4(object2.id);
+    if (!id) return void 0;
+    return {
+      name: stringValue4(object2.display_name) ?? id,
+      displayName: stringValue4(object2.display_name) ?? id,
+      model: id,
+      description: stringValue4(object2.description),
+      source: "api"
+    };
+  }).filter(Boolean);
+}
+function normalizeOllamaTags(raw) {
+  const items = Array.isArray(raw.models) ? raw.models : [];
+  return items.map((item) => {
+    const object2 = item;
+    const id = stringValue4(object2.name) ?? stringValue4(object2.model);
+    if (!id) return void 0;
+    return { name: id, displayName: id, model: id };
+  }).filter(Boolean);
+}
+function normalizeCodexModels(raw) {
+  const items = Array.isArray(raw.models) ? raw.models : [];
+  return items.map((item, index) => {
+    const object2 = item;
+    const id = stringValue4(object2.slug) ?? stringValue4(object2.id) ?? stringValue4(object2.model);
+    if (!id) return void 0;
+    return {
+      name: stringValue4(object2.display_name) ?? id,
+      displayName: stringValue4(object2.display_name) ?? id,
+      model: id,
+      description: stringValue4(object2.description),
+      isDefault: index === 0
+    };
+  }).filter(Boolean);
+}
+function authHeadersForOpenAICompatible(providerConfig, apiKey) {
+  const auth = inferOpenAICompatibleAuth(providerConfig.baseURL, providerConfig.auth);
+  const type = auth.type ?? "bearer";
+  const header = auth.header ?? (type === "api-key" ? "api-key" : "authorization");
+  return { [header]: type === "bearer" ? `Bearer ${apiKey}` : apiKey };
+}
+async function fetchJson(url, options) {
+  const response = await (options.fetcher ?? fetch)(url, {
+    method: "GET",
+    headers: {
+      accept: "application/json",
+      ...options.headers ?? {}
+    },
+    signal: AbortSignal.timeout(options.timeoutMs ?? 5e3)
+  });
+  const text = await response.text();
+  if (!response.ok) throw new Error(`HTTP ${response.status}: ${text}`);
+  return text ? JSON.parse(text) : {};
+}
+function cachePath(cacheKey) {
+  return path16.join(os9.homedir(), ".demian", "cache", "models", `${safeCacheName(cacheKey)}.json`);
+}
+async function readCatalogCache(cacheKey, ttlMs, allow) {
+  if (!allow) return void 0;
+  try {
+    const raw = JSON.parse(await readFile7(cachePath(cacheKey), "utf8"));
+    if (!raw.result) return void 0;
+    if (ttlMs !== Number.POSITIVE_INFINITY && Date.now() - (raw.savedAt ?? 0) > ttlMs) return void 0;
+    return { ...raw.result, source: "cache", models: raw.result.models.map((model) => ({ ...model, source: "cache" })) };
+  } catch {
+    return void 0;
+  }
+}
+async function writeCatalogCache(cacheKey, result) {
+  const filePath = cachePath(cacheKey);
+  await mkdir6(path16.dirname(filePath), { recursive: true, mode: 448 });
+  const temp = `${filePath}.${process.pid}.${Date.now()}.tmp`;
+  await writeFile5(temp, JSON.stringify({ savedAt: Date.now(), result }, null, 2), { mode: 384 });
+  await rename4(temp, filePath);
+}
+function safeCacheName(providerName) {
+  return providerName.replace(/[^a-zA-Z0-9_.-]+/g, "_");
+}
+function catalogCacheKey(providerName, providerConfig) {
+  const identity = {
+    providerName,
+    type: providerConfig.type,
+    catalogType: providerConfig.catalog?.type,
+    endpoint: providerConfig.catalog?.endpoint,
+    baseURL: "baseURL" in providerConfig ? providerConfig.baseURL : void 0,
+    apiKeyEnv: "apiKeyEnv" in providerConfig ? providerConfig.apiKeyEnv : void 0,
+    apiKeyEnvAliases: "apiKeyEnvAliases" in providerConfig ? providerConfig.apiKeyEnvAliases : void 0,
+    auth: "auth" in providerConfig ? providerConfig.auth : void 0
+  };
+  const digest = crypto5.createHash("sha256").update(JSON.stringify(identity)).digest("hex").slice(0, 16);
+  return `${providerName}-${digest}`;
+}
+function missingCatalogAuth(providerConfig) {
+  if (providerConfig.type !== "openai-compatible" && providerConfig.type !== "anthropic" && providerConfig.type !== "ollama") return void 0;
+  if (providerConfig.catalog?.requiresAuth === false) return void 0;
+  const expectsAuth = providerConfig.catalog?.requiresAuth === true || !!providerConfig.apiKey || !!providerConfig.apiKeyEnv || !!providerConfig.apiKeyEnvAliases?.length;
+  if (!expectsAuth) return void 0;
+  const apiKey = resolveConfiguredApiKey(providerConfig);
+  return apiKey.value ? void 0 : apiKey.envName ?? "apiKey";
+}
+function stringValue4(value) {
+  return typeof value === "string" && value.trim() ? value.trim() : void 0;
+}
+function missingAuth(envName) {
+  const error = new Error(`missing-auth:${envName}`);
+  return error;
+}
+function isMissingAuthError(error) {
+  if (error instanceof CodexAuthError) {
+    return error.code === "missing_auth" || error.code === "missing_chatgpt_tokens" || error.code === "refresh_unavailable" || error.code === "keyring_write_unsupported" || error.code === "refresh_expired" || error.code === "refresh_invalidated" || error.code === "refresh_reused" || error.code === "refresh_other";
+  }
+  return error instanceof Error && error.message.startsWith("missing-auth:");
+}
+function errorMessage2(error) {
+  return error instanceof Error ? error.message : String(error);
+}
+async function codexClientVersion(override) {
+  const normalized = semverLike(override);
+  if (normalized) return normalized;
+  packageVersionPromise ??= readPackageVersion();
+  return packageVersionPromise;
+}
+async function readPackageVersion() {
+  try {
+    const raw = JSON.parse(await readFile7(new URL("../package.json", import.meta.url), "utf8"));
+    return semverLike(raw.version) ?? DEFAULT_CODEX_CLIENT_VERSION;
+  } catch {
+    return DEFAULT_CODEX_CLIENT_VERSION;
+  }
+}
+function semverLike(value) {
+  if (typeof value !== "string") return void 0;
+  const trimmed = value.trim();
+  return /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/.test(trimmed) ? trimmed : void 0;
+}
+function withTimeout(promise, timeoutMs) {
+  return new Promise((resolve, reject) => {
+    const timer = setTimeout(() => reject(new Error(`Timed out after ${timeoutMs}ms`)), timeoutMs);
+    promise.then(
+      (value) => {
+        clearTimeout(timer);
+        resolve(value);
+      },
+      (error) => {
+        clearTimeout(timer);
+        reject(error);
+      }
+    );
+  });
+}
+
 // src/multimodal.ts
-import { readFile as readFile7, stat as stat3 } from "node:fs/promises";
-import path15 from "node:path";
+import { readFile as readFile8, stat as stat3 } from "node:fs/promises";
+import path17 from "node:path";
 var DEFAULT_MAX_IMAGE_BYTES = 8 * 1024 * 1024;
 async function buildUserContent(prompt, images = [], options) {
   if (images.length === 0) return prompt;
@@ -24568,11 +25286,11 @@ async function imageToUrl(input2, options) {
   const maxImageBytes = options.maxImageBytes ?? DEFAULT_MAX_IMAGE_BYTES;
   if (info.size > maxImageBytes) throw new Error(`Image is larger than ${maxImageBytes} bytes: ${input2}`);
   const mime = mimeFromPath(filePath);
-  const bytes = await readFile7(filePath);
+  const bytes = await readFile8(filePath);
   return `data:${mime};base64,${bytes.toString("base64")}`;
 }
 function mimeFromPath(filePath) {
-  switch (path15.extname(filePath).toLowerCase()) {
+  switch (path17.extname(filePath).toLowerCase()) {
     case ".jpg":
     case ".jpeg":
       return "image/jpeg";
@@ -24583,15 +25301,15 @@ function mimeFromPath(filePath) {
     case ".webp":
       return "image/webp";
     default:
-      throw new Error(`Unsupported image extension: ${path15.extname(filePath) || "(none)"}`);
+      throw new Error(`Unsupported image extension: ${path17.extname(filePath) || "(none)"}`);
   }
 }
 
 // src/permissions/persistent-grants.ts
-import { mkdir as mkdir6, readFile as readFile8, writeFile as writeFile5 } from "node:fs/promises";
+import { mkdir as mkdir7, readFile as readFile9, writeFile as writeFile6 } from "node:fs/promises";
 import fs8 from "node:fs";
-import os9 from "node:os";
-import path16 from "node:path";
+import os10 from "node:os";
+import path18 from "node:path";
 var DEFAULT_TTL_MS = 7 * 24 * 60 * 60 * 1e3;
 var PersistentGrantStore = class {
   filePath;
@@ -24622,22 +25340,22 @@ var PersistentGrantStore = class {
   }
   async #read() {
     if (!fs8.existsSync(this.filePath)) return { version: 1, grants: [] };
-    const data = JSON.parse(await readFile8(this.filePath, "utf8"));
+    const data = JSON.parse(await readFile9(this.filePath, "utf8"));
     return {
       version: 1,
       grants: Array.isArray(data.grants) ? data.grants.filter(isGrantRecord) : []
     };
   }
   async #write(file) {
-    await mkdir6(path16.dirname(this.filePath), { recursive: true });
-    await writeFile5(this.filePath, `${JSON.stringify(file, null, 2)}
+    await mkdir7(path18.dirname(this.filePath), { recursive: true });
+    await writeFile6(this.filePath, `${JSON.stringify(file, null, 2)}
 `, { mode: 384 });
   }
 };
 function resolveGrantPath(cwd, config) {
-  if (config.path) return path16.resolve(cwd, config.path);
-  if ((config.scope ?? "project") === "user") return path16.join(os9.homedir(), ".demian", "grants.json");
-  return path16.join(cwd, ".demian", "grants.json");
+  if (config.path) return path18.resolve(cwd, config.path);
+  if ((config.scope ?? "project") === "user") return path18.join(os10.homedir(), ".demian", "grants.json");
+  return path18.join(cwd, ".demian", "grants.json");
 }
 function isGrantRecord(value) {
   if (!value || typeof value !== "object") return false;
@@ -24696,12 +25414,13 @@ function applyPermissionPresetToConfig(config, preset) {
 
 // src/root-session.ts
 import { cp, mkdtemp, rm as rm2 } from "node:fs/promises";
-import os10 from "node:os";
-import path26 from "node:path";
+import os12 from "node:os";
+import path28 from "node:path";
 
 // src/transcript.ts
-import { mkdir as mkdir7, appendFile, writeFile as writeFile6 } from "node:fs/promises";
-import path17 from "node:path";
+import { mkdir as mkdir8, appendFile, writeFile as writeFile7 } from "node:fs/promises";
+import os11 from "node:os";
+import path19 from "node:path";
 var TranscriptWriter = class {
   filePath;
   #enabled;
@@ -24709,9 +25428,9 @@ var TranscriptWriter = class {
   #queue = Promise.resolve();
   constructor(options) {
     this.#enabled = options.enabled !== false;
-    const dir = path17.join(options.cwd, ".demian", "transcripts", options.sessionId);
-    this.filePath = path17.join(dir, "session.jsonl");
-    this.#ready = this.#enabled ? mkdir7(dir, { recursive: true }).then(() => writeFile6(this.filePath, "", { flag: "a" })) : Promise.resolve();
+    const dir = path19.join(options.storageDir ?? defaultDemianStorageDir(), "transcripts", options.sessionId);
+    this.filePath = path19.join(dir, "session.jsonl");
+    this.#ready = this.#enabled ? mkdir8(dir, { recursive: true }).then(() => writeFile7(this.filePath, "", { flag: "a" })) : Promise.resolve();
   }
   write(event) {
     if (!this.#enabled) return Promise.resolve();
@@ -24726,12 +25445,15 @@ var TranscriptWriter = class {
     await this.#queue;
   }
 };
+function defaultDemianStorageDir() {
+  return path19.join(os11.homedir(), ".demian");
+}
 
 // src/external-runtime/snapshot-diff.ts
 import { createHash as createHash2 } from "node:crypto";
 import { createReadStream } from "node:fs";
-import { readdir, readFile as readFile9, stat as stat4 } from "node:fs/promises";
-import path18 from "node:path";
+import { readdir, readFile as readFile10, stat as stat4 } from "node:fs/promises";
+import path20 from "node:path";
 
 // src/workspace/diff.ts
 var CONTEXT_LINES = 3;
@@ -24941,7 +25663,7 @@ async function diffWorkspaceSnapshot(before) {
 }
 async function walk(root, relativeDir, entries, options) {
   if (entries.size >= options.maxFiles) return;
-  const absoluteDir = path18.join(root, relativeDir);
+  const absoluteDir = path20.join(root, relativeDir);
   let items;
   try {
     items = await readdir(absoluteDir, { withFileTypes: true });
@@ -24952,8 +25674,8 @@ async function walk(root, relativeDir, entries, options) {
     if (entries.size >= options.maxFiles) return;
     if (item.name.startsWith(".") && item.name !== ".env.example" && SKIP_DIRS.has(item.name)) continue;
     if (SKIP_DIRS.has(item.name)) continue;
-    const relativePath = normalizeRelativePath(path18.join(relativeDir, item.name));
-    const absolutePath = path18.join(root, relativePath);
+    const relativePath = normalizeRelativePath(path20.join(relativeDir, item.name));
+    const absolutePath = path20.join(root, relativePath);
     if (item.isDirectory()) {
       await walk(root, relativePath, entries, options);
       continue;
@@ -24975,7 +25697,7 @@ function snapshotDiffText(entry) {
 `;
 }
 async function readTextContent(filePath) {
-  const buffer = await readFile9(filePath);
+  const buffer = await readFile10(filePath);
   if (buffer.includes(0)) return void 0;
   return buffer.toString("utf8");
 }
@@ -24989,7 +25711,7 @@ function sha256File(filePath) {
   });
 }
 function normalizeRelativePath(value) {
-  return value.split(path18.sep).join("/");
+  return value.split(path20.sep).join("/");
 }
 
 // src/external-runtime/session-runner.ts
@@ -25682,25 +26404,25 @@ function fail(content, metadata) {
 }
 
 // src/tools/output.ts
-import { mkdir as mkdir8, writeFile as writeFile7 } from "node:fs/promises";
-import path19 from "node:path";
+import { mkdir as mkdir9, writeFile as writeFile8 } from "node:fs/promises";
+import path21 from "node:path";
 var DEFAULT_CAP_BYTES = 32 * 1024;
 var HALF_PREVIEW_BYTES = 16 * 1024;
 async function capToolOutput(result, options) {
   const capBytes = options.capBytes ?? DEFAULT_CAP_BYTES;
   const bytes = Buffer.byteLength(result.content, "utf8");
   if (bytes <= capBytes) return result;
-  const dir = path19.join(options.cwd, ".demian", "tmp");
-  await mkdir8(dir, { recursive: true });
-  const outputPath = path19.join(dir, `output-${safeCallId(options.callId)}.txt`);
-  await writeFile7(outputPath, result.content, "utf8");
+  const dir = path21.join(options.cwd, ".demian", "tmp");
+  await mkdir9(dir, { recursive: true });
+  const outputPath = path21.join(dir, `output-${safeCallId(options.callId)}.txt`);
+  await writeFile8(outputPath, result.content, "utf8");
   return {
     ...result,
     content: [
       sliceUtf8(result.content, 0, HALF_PREVIEW_BYTES),
       `
 
-[Full output saved to ${path19.relative(options.cwd, outputPath)}; showing head and tail because output exceeded ${capBytes} bytes]
+[Full output saved to ${path21.relative(options.cwd, outputPath)}; showing head and tail because output exceeded ${capBytes} bytes]
 
 `,
       sliceUtf8(result.content, Math.max(0, bytes - HALF_PREVIEW_BYTES), bytes)
@@ -25726,7 +26448,7 @@ function sliceUtf8(text, startByte, endByte) {
 
 // src/tools/read-file.ts
 import { open as open2, stat as stat5 } from "node:fs/promises";
-import path20 from "node:path";
+import path22 from "node:path";
 
 // src/tools/validation.ts
 function assertObject(input2, toolName) {
@@ -25810,7 +26532,7 @@ var readFileTool = {
     const truncated = start + sliced.length < lines.length;
     return ok(content + (truncated ? `
 ... (${lines.length - start - sliced.length} more lines)` : ""), {
-      path: path20.relative(ctx.cwd, filePath),
+      path: path22.relative(ctx.cwd, filePath),
       lines: sliced.length,
       totalLines: lines.length,
       truncated
@@ -25848,8 +26570,8 @@ function looksBinary(buffer) {
 }
 
 // src/tools/write-file.ts
-import { mkdir as mkdir9, readFile as readFile10, writeFile as writeFile8 } from "node:fs/promises";
-import path21 from "node:path";
+import { mkdir as mkdir10, readFile as readFile11, writeFile as writeFile9 } from "node:fs/promises";
+import path23 from "node:path";
 var writeFileTool = {
   name: "write_file",
   description: "Create or replace a text file inside the workspace.",
@@ -25867,8 +26589,8 @@ var writeFileTool = {
     const filePath = resolveInsideCwd(ctx.cwd, stringField(object2, "path"));
     const content = stringField(object2, "content", { allowEmpty: true });
     const before = await readOptionalTextFile(filePath);
-    await mkdir9(path21.dirname(filePath), { recursive: true });
-    await writeFile8(filePath, content, "utf8");
+    await mkdir10(path23.dirname(filePath), { recursive: true });
+    await writeFile9(filePath, content, "utf8");
     const relative = relativeToCwd(ctx.cwd, filePath);
     const diff = createTextDiff(before, content, relative);
     return ok(`Wrote ${relativeToCwd(ctx.cwd, filePath)} (${Buffer.byteLength(content, "utf8")} bytes).`, {
@@ -25881,7 +26603,7 @@ var writeFileTool = {
 };
 async function readOptionalTextFile(filePath) {
   try {
-    return await readFile10(filePath, "utf8");
+    return await readFile11(filePath, "utf8");
   } catch (error) {
     if (isNotFound(error)) return void 0;
     throw error;
@@ -25892,7 +26614,7 @@ function isNotFound(error) {
 }
 
 // src/tools/edit-file.ts
-import { readFile as readFile11, writeFile as writeFile9 } from "node:fs/promises";
+import { readFile as readFile12, writeFile as writeFile10 } from "node:fs/promises";
 var editFileTool = {
   name: "edit_file",
   description: "Replace an exact string in a text file inside the workspace.",
@@ -25914,12 +26636,12 @@ var editFileTool = {
     const newString = stringField(object2, "newString", { allowEmpty: true });
     const replaceAll = optionalBooleanField(object2, "replaceAll") ?? false;
     if (oldString === newString) throw new Error("oldString and newString must be different");
-    const before = await readFile11(filePath, "utf8");
+    const before = await readFile12(filePath, "utf8");
     const matches = countMatches(before, oldString);
     if (matches === 0) throw new Error("oldString was not found");
     if (matches > 1 && !replaceAll) throw new Error(`oldString matched ${matches} times; set replaceAll=true to replace all matches`);
     const after = replaceAll ? before.split(oldString).join(newString) : before.replace(oldString, newString);
-    await writeFile9(filePath, after, "utf8");
+    await writeFile10(filePath, after, "utf8");
     const relative = relativeToCwd(ctx.cwd, filePath);
     const diff = createTextDiff(before, after, relative);
     return ok(`Edited ${relative} (${replaceAll ? matches : 1} replacement${matches === 1 ? "" : "s"}).`, {
@@ -25943,7 +26665,7 @@ function countMatches(text, needle) {
 
 // src/tools/bash.ts
 import { spawn as spawn5 } from "node:child_process";
-import path23 from "node:path";
+import path25 from "node:path";
 
 // src/sandbox/env-only.ts
 function buildEnvOnlyLaunch(command, config) {
@@ -26003,7 +26725,7 @@ function bwrapPath() {
 
 // src/sandbox/macos.ts
 import { existsSync as existsSync3 } from "node:fs";
-import path22 from "node:path";
+import path24 from "node:path";
 function canUseMacOSSandbox() {
   return process.platform === "darwin" && existsSync3("/usr/bin/sandbox-exec");
 }
@@ -26029,7 +26751,7 @@ function macosProfile(cwd, config) {
   }
   if (mode === "workspace-write") {
     lines.push("(deny file-write*)");
-    lines.push(`(allow file-write* (subpath "${escapeProfilePath(path22.resolve(cwd))}"))`);
+    lines.push(`(allow file-write* (subpath "${escapeProfilePath(path24.resolve(cwd))}"))`);
     lines.push('(allow file-write* (subpath "/tmp"))');
     lines.push('(allow file-write* (subpath "/private/tmp"))');
     lines.push('(allow file-write* (subpath "/private/var/folders"))');
@@ -26091,7 +26813,7 @@ ${result.stderr}` : ""
     ].filter(Boolean).join("\n");
     return ok(content, {
       command,
-      workdir: path23.relative(ctx.cwd, workdir) || ".",
+      workdir: path25.relative(ctx.cwd, workdir) || ".",
       exitCode: result.exitCode,
       signal: result.signal,
       timedOut: result.timedOut,
@@ -26143,8 +26865,8 @@ function runCommand(command, cwd, timeoutMs, signal, sandbox = { mode: "workspac
 
 // src/tools/grep.ts
 import { spawn as spawn6 } from "node:child_process";
-import { readdir as readdir2, readFile as readFile12, stat as stat6 } from "node:fs/promises";
-import path24 from "node:path";
+import { readdir as readdir2, readFile as readFile13, stat as stat6 } from "node:fs/promises";
+import path26 from "node:path";
 var MAX_MATCHES = 200;
 var grepTool = {
   name: "grep",
@@ -26219,7 +26941,7 @@ function runRg(cwd, base, pattern, glob, signal) {
 }
 function rewriteRgPath(cwd, line) {
   const [file, rest] = splitFirst(line, ":");
-  if (!path24.isAbsolute(file)) return line;
+  if (!path26.isAbsolute(file)) return line;
   return `${relativeToCwd(cwd, file)}:${rest}`;
 }
 function splitFirst(value, delimiter) {
@@ -26236,11 +26958,11 @@ async function fallbackSearch(cwd, base, pattern, glob) {
     if (isIgnoredPath(relative)) return;
     const info = await stat6(item);
     if (info.isDirectory()) {
-      for (const entry of await readdir2(item)) await walk2(path24.join(item, entry));
+      for (const entry of await readdir2(item)) await walk2(path26.join(item, entry));
       return;
     }
     if (glob && !matchGlob(glob, relative)) return;
-    const buffer = await readFile12(item);
+    const buffer = await readFile13(item);
     if (buffer.includes(0)) return;
     const lines = buffer.toString("utf8").split(/\r?\n/);
     for (let i = 0; i < lines.length; i++) {
@@ -26255,7 +26977,7 @@ async function fallbackSearch(cwd, base, pattern, glob) {
 
 // src/tools/glob.ts
 import { readdir as readdir3, stat as stat7 } from "node:fs/promises";
-import path25 from "node:path";
+import path27 from "node:path";
 var MAX_PATHS = 1e3;
 var globTool = {
   name: "glob",
@@ -26287,7 +27009,7 @@ async function collectPaths(cwd, root, pattern) {
   async function walk2(dir) {
     const entries = await readdir3(dir, { withFileTypes: true });
     for (const entry of entries) {
-      const absolute = path25.join(dir, entry.name);
+      const absolute = path27.join(dir, entry.name);
       const relative = relativeToCwd(cwd, absolute);
       if (isIgnoredPath(relative)) continue;
       const info = await stat7(absolute);
@@ -26428,7 +27150,7 @@ async function runBraveSearch(config, options) {
   if (config.country) url.searchParams.set("country", config.country);
   if (config.searchLang) url.searchParams.set("search_lang", config.searchLang);
   if (config.safeSearch) url.searchParams.set("safesearch", config.safeSearch);
-  const json = await fetchJson(url, {
+  const json = await fetchJson2(url, {
     method: "GET",
     headers: {
       accept: "application/json",
@@ -26447,7 +27169,7 @@ async function runTavilySearch(config, options) {
   if (!apiKey.ok) return apiKey;
   const maxResults = Math.min(positiveInteger(options.maxResults, config.maxResults ?? 5, "maxResults"), TAVILY_MAX_RESULTS);
   const endpoint = config.endpoint ?? defaultConfig.webSearch.providers.tavily.endpoint ?? "https://api.tavily.com/search";
-  const json = await fetchJson(endpoint, {
+  const json = await fetchJson2(endpoint, {
     method: "POST",
     headers: {
       "content-type": "application/json",
@@ -26473,7 +27195,7 @@ async function runExaSearch(config, options) {
   if (!apiKey.ok) return apiKey;
   const numResults = Math.min(positiveInteger(options.maxResults, config.numResults ?? 5, "maxResults"), EXA_MAX_RESULTS);
   const endpoint = config.endpoint ?? defaultConfig.webSearch.providers.exa.endpoint ?? "https://api.exa.ai/search";
-  const json = await fetchJson(endpoint, {
+  const json = await fetchJson2(endpoint, {
     method: "POST",
     headers: {
       "content-type": "application/json",
@@ -26502,7 +27224,7 @@ function resolveApiKey(provider, config) {
   if (value) return { ok: true, value };
   return toolFail(`Missing API key for web_search provider "${provider}". Set webSearch.providers.${provider}.apiKey or set ${config.apiKeyEnv ?? "the configured apiKeyEnv"}.`);
 }
-async function fetchJson(url, options) {
+async function fetchJson2(url, options) {
   const { fetcher, provider, ...init } = options;
   const response = await fetcher(url, init);
   const text = await response.text();
@@ -26520,10 +27242,10 @@ function normalizeBraveResults(raw, limit) {
   return (data.web?.results ?? []).slice(0, limit).map((item) => {
     const result = item;
     return {
-      title: stringValue4(result.title) ?? "Untitled",
-      url: stringValue4(result.url) ?? "",
-      snippet: cleanSnippet(stringValue4(result.description) ?? stringValue4(result.snippet)),
-      publishedDate: stringValue4(result.age)
+      title: stringValue5(result.title) ?? "Untitled",
+      url: stringValue5(result.url) ?? "",
+      snippet: cleanSnippet(stringValue5(result.description) ?? stringValue5(result.snippet)),
+      publishedDate: stringValue5(result.age)
     };
   }).filter((item) => item.url.length > 0);
 }
@@ -26532,9 +27254,9 @@ function normalizeTavilyResults(raw, limit) {
   return (data.results ?? []).slice(0, limit).map((item) => {
     const result = item;
     return {
-      title: stringValue4(result.title) ?? "Untitled",
-      url: stringValue4(result.url) ?? "",
-      snippet: cleanSnippet(stringValue4(result.content) ?? stringValue4(result.raw_content)),
+      title: stringValue5(result.title) ?? "Untitled",
+      url: stringValue5(result.url) ?? "",
+      snippet: cleanSnippet(stringValue5(result.content) ?? stringValue5(result.raw_content)),
       score: numberValue3(result.score)
     };
   }).filter((item) => item.url.length > 0);
@@ -26544,10 +27266,10 @@ function normalizeExaResults(raw, limit) {
   return (data.results ?? []).slice(0, limit).map((item) => {
     const result = item;
     return {
-      title: stringValue4(result.title) ?? "Untitled",
-      url: stringValue4(result.url) ?? "",
+      title: stringValue5(result.title) ?? "Untitled",
+      url: stringValue5(result.url) ?? "",
       snippet: exaSnippet(result),
-      publishedDate: stringValue4(result.publishedDate),
+      publishedDate: stringValue5(result.publishedDate),
       score: numberValue3(result.score)
     };
   }).filter((item) => item.url.length > 0);
@@ -26558,7 +27280,7 @@ function exaSnippet(result) {
     const joined = highlights.map((item) => typeof item === "string" ? item : "").filter(Boolean).join(" ");
     if (joined) return cleanSnippet(joined);
   }
-  return cleanSnippet(stringValue4(result.text) ?? stringValue4(result.summary));
+  return cleanSnippet(stringValue5(result.text) ?? stringValue5(result.summary));
 }
 function searchResult(provider, query, results, raw) {
   const content = [
@@ -26582,7 +27304,7 @@ function formatResult(index, result) {
   if (result.snippet) lines.push(`   Snippet: ${result.snippet}`);
   return lines.join("\n");
 }
-function stringValue4(value) {
+function stringValue5(value) {
   return typeof value === "string" && value.length > 0 ? value : void 0;
 }
 function numberValue3(value) {
@@ -27462,7 +28184,7 @@ function stringArray2(value) {
 }
 
 // src/external-runtime/session-map.ts
-import crypto5 from "node:crypto";
+import crypto6 from "node:crypto";
 var ClaudeCodeSessionMap = class {
   #sessions = /* @__PURE__ */ new Map();
   get(key) {
@@ -27515,7 +28237,7 @@ function normalizeInstruction(value) {
   return value.replace(/\r\n/g, "\n").trim().split("\n").map((line) => line.replace(/[ \t]+$/g, "")).join("\n");
 }
 function sha256(value) {
-  return crypto5.createHash("sha256").update(value).digest("hex").slice(0, 16);
+  return crypto6.createHash("sha256").update(value).digest("hex").slice(0, 16);
 }
 
 // src/root-session.ts
@@ -28154,8 +28876,8 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     }
   }
   async createCoworkIsolatedWorkspace(groupId, memberId) {
-    const root = await mkdtemp(path26.join(os10.tmpdir(), `demian-cowork-${groupId}-${memberId}-`));
-    const cwd = path26.join(root, "workspace");
+    const root = await mkdtemp(path28.join(os12.tmpdir(), `demian-cowork-${groupId}-${memberId}-`));
+    const cwd = path28.join(root, "workspace");
     await cp(this.#options.cwd, cwd, {
       recursive: true,
       filter: (source) => shouldCopyIntoCoworkWorkspace(this.#options.cwd, source)
@@ -28303,7 +29025,7 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     const denyTools = ["write_file", "edit_file", "bash", "claudecode.Edit", "claudecode.Write", "claudecode.MultiEdit", "claudecode.Bash"];
     return this.withPermissionPreset({
       ...agent,
-      provider: agent.provider?.profile === "claudecode-subagent" ? { ...agent.provider, permissionProfile: "explore" } : agent.provider,
+      provider: agent.provider?.profile === "claudecode" && agent.name === "claudecode-explorer" ? { ...agent.provider, permissionProfile: "explore" } : agent.provider,
       tools: agent.tools.filter((tool) => readTools.has(tool)),
       permissions: [
         ...agent.permissions.filter((rule) => !denyTools.includes(rule.tool)),
@@ -28350,13 +29072,14 @@ Writer changed files outside writeScope: ${outOfScope.join(", ")}` : result.erro
     return lines.join("\n");
   }
   resolveInvocationBackend(profileName, modelOverride, agent) {
-    const providerConfig = resolveProviderConfig(this.#options.config, profileName);
+    const runtime = resolveProviderRuntimeConfig(this.#options.config, { providerName: profileName, model: modelOverride });
+    const providerConfig = runtime.providerConfig;
     if (this.#options.resolveExecutionBackend) return this.#options.resolveExecutionBackend(profileName, providerConfig, modelOverride);
     if (this.#options.resolveProvider) {
-      const resolved = this.#options.resolveProvider(profileName, providerConfig, modelOverride);
+      const resolved = this.#options.resolveProvider(profileName, providerConfig, runtime.model);
       return { kind: "provider", ...resolved };
     }
-    return resolveExecutionBackend(providerConfig, { model: modelOverride, config: this.#options.config, agent });
+    return resolveExecutionBackend(providerConfig, { model: runtime.model, config: this.#options.config, agent });
   }
   loadAgentSession(agent, providerProfile, model, sessionScope, cwd = this.#options.cwd) {
     const key = `${this.id}:${sessionScope ?? "delegate"}:${agent.name}:${providerProfile}:${model}:${cwd}`;
@@ -28458,17 +29181,17 @@ function findDependencyCycle(group) {
   const byId = new Map(group.map((member) => [member.memberId, member]));
   const visiting = /* @__PURE__ */ new Set();
   const visited = /* @__PURE__ */ new Set();
-  const path27 = [];
+  const path29 = [];
   const visit = (id) => {
-    if (visiting.has(id)) return [...path27.slice(path27.indexOf(id)), id];
+    if (visiting.has(id)) return [...path29.slice(path29.indexOf(id)), id];
     if (visited.has(id)) return void 0;
     visiting.add(id);
-    path27.push(id);
+    path29.push(id);
     for (const dep of byId.get(id)?.dependsOn ?? []) {
       const cycle = visit(dep);
       if (cycle) return cycle;
     }
-    path27.pop();
+    path29.pop();
     visiting.delete(id);
     visited.add(id);
     return void 0;
@@ -28509,7 +29232,7 @@ function scopeStaticPrefix(pattern) {
   return prefix.replace(/\/+$/, "").split("/").filter(Boolean).join("/") || ".";
 }
 function shouldCopyIntoCoworkWorkspace(root, source) {
-  const relative = path26.relative(root, source).split(path26.sep).join("/");
+  const relative = path28.relative(root, source).split(path28.sep).join("/");
   if (!relative) return true;
   const parts = relative.split("/");
   return !parts.includes(".git") && !parts.includes("node_modules") && !parts.includes(".demian");
@@ -28703,6 +29426,7 @@ function sumUsage(outcomes) {
 export {
   AgentRegistry,
   AnthropicProvider,
+  BUILTIN_PROVIDER_ORDER,
   CLAUDE_CODE_KEYRING_SERVICE,
   CLAUDE_CODE_MODELS,
   CLAUDE_CODE_OAUTH_BETA_HEADER,
@@ -28730,6 +29454,7 @@ export {
   DEFAULT_CODEX_BASE_URL,
   EventBus,
   HookDispatcher,
+  OllamaProvider,
   OpenAIProvider,
   PERMISSION_PRESETS,
   PermissionEngine,
@@ -28764,6 +29489,8 @@ export {
   decodeJwtPayload,
   defaultConfig,
   defaultDecisionForPermissionPreset,
+  defaultDemianStorageDir,
+  defaultModelForProvider,
   estimateMessageTokens,
   estimateMessagesTokens,
   estimateToolSchemaTokens,
@@ -28780,6 +29507,7 @@ export {
   imageToUrl,
   inferOpenAICompatibleAuth,
   injectClaudeCodeSystemPrefix,
+  invalidateCatalogPingCache,
   isAzureOpenAIEndpoint,
   isCallableAgent,
   isCoworkableAgent,
@@ -28788,6 +29516,7 @@ export {
   isInsidePath,
   isPermissionPreset,
   isPrimaryAgent,
+  listProviderModelCatalog,
   loadConfig,
   loadOrCreateInstallationId,
   matchGlob,
@@ -28796,6 +29525,7 @@ export {
   normalizeAgent,
   normalizeAnthropicResponse,
   normalizeCodexResponse,
+  normalizeOllamaResponse,
   normalizeOpenAIResponse,
   normalizePathForMatch,
   normalizePermissionPreset,
@@ -28807,16 +29537,22 @@ export {
   parseOpenAIStream,
   parseRetryAfter,
   permissionDecisionLine,
+  providerModelOptions,
+  providerModelProfiles,
   relativeToCwd,
   resolveAgentMode,
   resolveClaudeCodeRuntimeConfig,
   resolveClaudeConfigDir,
   resolveCodexHome,
+  resolveConfiguredApiKey,
   resolveExecutionBackend,
   resolveGrantPath,
   resolveInsideCwd,
+  resolveInternalAgentBackend,
   resolveProvider,
   resolveProviderConfig,
+  resolveProviderRuntimeConfig,
+  sortProviderNames,
   toClaudeCodeMessagesPayload,
   toCodexResponsesPayload,
   toCodexResponsesTool,