funolio-agent 1.0.47 → 1.0.49

package/dist/bot-manager.js

@@ -42,7 +42,6 @@ const data = __importStar(require("./local-data"));
 const message_loop_1 = require("./message-loop");
 const auto_detect_1 = require("./auth/auto-detect");
 const agent_config_1 = require("./agent-config");
-const default_tool_profile_1 = require("./default-tool-profile");
 /** Dedup recent command IDs (MQTT QoS 1 can redeliver) */
 const DEDUP_WINDOW_MS = 30_000;
 const DEDUP_MAX_SIZE = 200;
@@ -50,10 +49,6 @@ const DEDUP_MAX_SIZE = 200;
  * Manages agent MessageLoops, keyed by agent ID.
  * The active agent runs as "__default__" loop.
  * Runtime source of truth: config.agents[] + config.activeAgentId.
- *
- * Auth modes supported:
- *   1. CLI providers (claude-cli, codex-cli) — handle their own auth
- *   2. API key (BYOK) — standard x-api-key authentication
  */
 class BotManager {
     loops = new Map();
@@ -64,21 +59,18 @@ class BotManager {
     constructor(options) {
         this.options = options;
     }
-    /** Start the active agent loop */
+    /** Start the active agent loop, auto-detecting OAuth credentials if no API key is configured */
     async startActive() {
         let provider = this.options.defaultProvider;
         let model = this.options.defaultModel;
         let apiKey = this.options.defaultApiKey;
         let oauthToken = this.options.defaultOauthToken;
-        let authMode;
-        let baseUrl;
-        let apiStyle;
-        let resolvedAuth;
-        // Resolve auth — handles API key detection plus OAuth/subscription runtimes
+        // Resolve auth — handles token refresh for OAuth, auto-detection if no key/token
         try {
             const auth = await (0, auto_detect_1.resolveAuth)({
                 provider,
                 model,
+                accessMode: this.options.defaultAccessMode,
                 apiKey,
                 oauthToken,
                 oauthRefreshToken: this.options.defaultOauthRefreshToken,
@@ -86,36 +78,28 @@ class BotManager {
             });
             if (auth) {
                 this.resolvedAuth = auth;
-                resolvedAuth = auth;
                 provider = auth.provider;
                 model = auth.model;
-                apiKey = auth.source === 'api-key' || auth.source === 'env' ? auth.apiKey : undefined;
-                oauthToken = auth.source === 'oauth' ? auth.apiKey : oauthToken;
-                authMode = auth.authMode;
-                baseUrl = auth.baseUrl;
-                apiStyle = auth.apiStyle;
+                oauthToken = auth.apiKey;
+                apiKey = auth.source === 'api-key' ? auth.apiKey : undefined;
                 console.log(chalk_1.default.green(`✓ Auth resolved: provider=${auth.provider}, source=${auth.source}`));
             }
-            else if (!apiKey) {
-                console.log(chalk_1.default.yellow('⚠ No API key found — LLM calls may fail'));
+            else if (!apiKey && !oauthToken) {
+                console.log(chalk_1.default.yellow('⚠ No API key or OAuth credentials found — LLM calls may fail'));
             }
         }
         catch (err) {
             console.error(chalk_1.default.red(`✗ Auth resolution failed: ${err}`));
         }
-        const effectiveKey = apiKey || oauthToken || '';
-        const isOAuthBearer = effectiveKey.startsWith('sk-ant-oat');
         this.startLoop({
             id: '__default__',
             name: 'active',
             provider,
             model,
-            apiKey: effectiveKey || undefined,
-            oauthToken: authMode === 'oauth-bearer' || provider === 'openai' ? effectiveKey : undefined,
-            authMode: authMode || (isOAuthBearer ? 'oauth-bearer' : undefined),
-            baseUrl,
-            apiStyle,
-            resolvedAuth,
+            accessMode: this.options.defaultAccessMode,
+            apiKey,
+            oauthToken,
+            resolvedAuth: this.resolvedAuth || undefined,
         });
     }
     /**
@@ -140,31 +124,11 @@ class BotManager {
                 const defaultLoop = this.loops.get('__default__');
                 if (defaultLoop) {
                     const defaultOpts = defaultLoop.options;
-                    if (defaultOpts.provider === agentCfg.provider && defaultOpts.model === agentCfg.model) {
+                    if (defaultOpts.provider === (agentCfg.runtimeProvider || agentCfg.provider) &&
+                        defaultOpts.model === (agentCfg.runtimeModel || agentCfg.model)) {
                         // Same provider+model as default — just register the botId mapping
                         if (agentCfg.botId) {
                             this.botIdToLoopId.set(agentCfg.botId, '__default__');
-                            // Ensure agent_profile exists in local DB so the clerk prompt builder works.
-                            const profileFields = {
-                                provider: agentCfg.provider,
-                                model: agentCfg.model,
-                                name: agentCfg.name || name,
-                                permissionMode: agentCfg.permissionMode || 'approve-destructive',
-                                enabledBuiltinToolsJson: JSON.stringify((0, default_tool_profile_1.normalizeEnabledTools)(agentCfg.enabledTools)),
-                                enabledMcpToolsJson: JSON.stringify(agentCfg.enabledMcpTools || []),
-                                isActive: true,
-                            };
-                            const existingProfile = data.getAgentProfile(agentCfg.botId);
-                            if (existingProfile) {
-                                data.updateAgentProfile(agentCfg.botId, profileFields);
-                            }
-                            else {
-                                data.createAgentProfile({
-                                    ...profileFields,
-                                    providerConnectionId: data.findProviderConnection(agentCfg.provider)?.id,
-                                    isDefault: false,
-                                });
-                            }
                         }
                         continue;
                     }
@@ -175,30 +139,21 @@ class BotManager {
             // Resolve auth for this bot
             let apiKey = agentCfg.apiKey;
             let oauthToken = agentCfg.oauthToken;
-            let provider = agentCfg.provider;
-            let model = agentCfg.model;
-            let authMode;
-            let baseUrl;
-            let apiStyle;
-            let resolvedAuth;
+            let loopResolvedAuth = null;
             try {
                 const auth = await (0, auto_detect_1.resolveAuth)({
-                    provider,
-                    model,
+                    provider: agentCfg.runtimeProvider || agentCfg.provider,
+                    model: agentCfg.runtimeModel || agentCfg.model,
+                    accessMode: agentCfg.accessMode,
                     apiKey,
                     oauthToken,
                     oauthRefreshToken: agentCfg.oauthRefreshToken,
                     oauthExpiresAt: agentCfg.oauthExpiresAt,
                 });
                 if (auth) {
-                    resolvedAuth = auth;
-                    provider = auth.provider;
-                    model = auth.model;
-                    apiKey = auth.source === 'api-key' || auth.source === 'env' ? auth.apiKey : undefined;
-                    oauthToken = auth.source === 'oauth' ? auth.apiKey : oauthToken;
-                    authMode = auth.authMode;
-                    baseUrl = auth.baseUrl;
-                    apiStyle = auth.apiStyle;
+                    loopResolvedAuth = auth;
+                    oauthToken = auth.apiKey;
+                    apiKey = auth.source === 'api-key' ? auth.apiKey : undefined;
                 }
             }
             catch (err) {
@@ -206,28 +161,27 @@ class BotManager {
                 continue;
             }
             if (!apiKey && !oauthToken) {
-                console.warn(chalk_1.default.yellow(`⚠ No credentials for bot "${name}" (${provider}) — skipping`));
+                console.warn(chalk_1.default.yellow(`⚠ No credentials for bot "${name}" (${agentCfg.provider}) — skipping`));
                 continue;
             }
             this.startLoop({
                 id: loopId,
                 name: agentCfg.name || name,
-                provider,
-                model,
-                apiKey: apiKey || oauthToken,
+                provider: agentCfg.runtimeProvider || agentCfg.provider,
+                model: agentCfg.runtimeModel || agentCfg.model,
+                accessMode: agentCfg.accessMode,
+                apiKey,
                 oauthToken,
+                resolvedAuth: loopResolvedAuth || undefined,
                 enabledTools: agentCfg.enabledTools,
-                authMode,
-                baseUrl,
-                apiStyle,
-                resolvedAuth,
+                enabledMcpTools: agentCfg.enabledMcpTools,
             });
             // Register botId → loopId mapping
             if (agentCfg.botId) {
                 this.botIdToLoopId.set(agentCfg.botId, loopId);
             }
             started++;
-            console.log(chalk_1.default.green(`✓ Bot "${agentCfg.name || name}" loaded (${agentCfg.provider}/${agentCfg.model})`));
+            console.log(chalk_1.default.green(`✓ Bot "${agentCfg.name || name}" loaded (${agentCfg.runtimeProvider || agentCfg.provider}/${agentCfg.runtimeModel || agentCfg.model})`));
         }
         if (started > 0) {
             console.log(chalk_1.default.blue(`  ${started + 1} bot(s) active (1 default + ${started} additional)`));
@@ -242,7 +196,6 @@ class BotManager {
             // Try direct lookup by botId
             if (this.loops.has(botId))
                 return this.loops.get(botId);
-            return undefined;
         }
         return this.getDefaultLoop();
     }
@@ -340,25 +293,25 @@ class BotManager {
     startLoop(agent) {
         if (this.loops.has(agent.id))
             return;
-        const isOAuthBearer = !!agent.oauthToken && agent.oauthToken.startsWith('sk-ant-oat');
         const loop = new message_loop_1.MessageLoop({
             provider: agent.provider,
             model: agent.model,
             apiKey: agent.apiKey || '',
             oauthToken: agent.oauthToken,
-            ...(agent.authMode ? { authMode: agent.authMode } : {}),
-            ...(agent.baseUrl ? { baseUrl: agent.baseUrl } : {}),
-            ...(agent.apiStyle ? { apiStyle: agent.apiStyle } : {}),
+            accessMode: agent.accessMode,
+            resolvedAuth: agent.resolvedAuth ? {
+                ...agent.resolvedAuth,
+                credential: agent.resolvedAuth.credential ? { ...agent.resolvedAuth.credential } : undefined,
+            } : undefined,
             projectDir: this.options.projectDir,
             userId: this.options.userId,
             mqttClient: this.options.mqttClient,
             permissionMode: this.options.permissionMode,
-            enabledTools: agent.enabledTools || this.options.enabledTools,
+            enabledTools: agent.enabledTools !== undefined ? agent.enabledTools : this.options.enabledTools,
+            enabledMcpTools: agent.enabledMcpTools !== undefined ? agent.enabledMcpTools : this.options.enabledMcpTools,
             systemPrompt: this.options.systemPrompt,
             mcpManager: this.options.mcpManager,
             agentName: agent.name,
-            resolvedAuth: agent.resolvedAuth || undefined,
-            ...(!agent.authMode && isOAuthBearer ? { authMode: 'oauth-bearer' } : {}),
         });
         this.loops.set(agent.id, loop);
     }
@@ -371,260 +324,22 @@ class BotManager {
     getDefaultLoop() {
         return this.loops.get('__default__');
     }
-    async fetchServerConfig() {
-        const { loadConfig, FUNOLIO_API_URL } = require('./config');
-        const cfg = loadConfig();
-        const authToken = cfg.auth?.token;
-        if (!authToken) {
-            console.warn(chalk_1.default.yellow('  [bot-manager] No auth token — cannot fetch config from server'));
-            return null;
-        }
-        try {
-            const res = await fetch(`${FUNOLIO_API_URL}/api/v1/agent/config`, {
-                headers: { Authorization: `Bearer ${authToken}` },
-            });
-            if (!res.ok)
-                return null;
-            return await res.json();
-        }
-        catch (err) {
-            console.warn(chalk_1.default.yellow(`  [bot-manager] Server config fetch failed: ${err?.message}`));
-            return null;
-        }
-    }
-    /**
-     * Re-fetch full config from server, returning the bot and its resolved credential.
-     * This is the single source of truth for bot credentials — no secrets over MQTT.
-     * Handles both API key and OAuth credential types.
-     */
-    async fetchBotFromServer(botId) {
-        const body = await this.fetchServerConfig();
-        if (!body)
-            return null;
-        return this.resolveBotFromConfig(botId, body);
-    }
-    /** Extract a single bot's credentials from a server config response */
-    resolveBotFromConfig(botId, body) {
-        const bot = (body.bots || []).find((b) => b.id === botId);
-        if (!bot?.llmProvider)
-            return null;
-        // Find the credential for this bot — match by provider id AND credential type
-        // Multiple providers can share the same id (e.g., two "openai" entries: one oauth, one apiKey)
-        const providers = body.providers || [];
-        const botRole = bot.role || bot.credentialSource; // "oauth", "apikey", "subscription"
-        let credential;
-        if (botRole === 'oauth') {
-            // OAuth bots → match provider with connectionType "oauth"
-            credential = providers.find((p) => p.id === bot.llmProvider && p.connectionType === 'oauth');
-        }
-        else if (botRole === 'apikey') {
-            // API key bots → prefer bot-specific key (label starts with "bot:"), then any apiKey type
-            credential = providers.find((p) => p.label?.startsWith('bot:') && p.id === bot.llmProvider && p.connectionType === 'apiKey')
-                || providers.find((p) => p.id === bot.llmProvider && p.connectionType === 'apiKey');
-        }
-        else if (botRole === 'subscription') {
-            // Subscription bots → match provider with connectionType "subscription"
-            credential = providers.find((p) => p.id === bot.llmProvider && p.connectionType === 'subscription');
-        }
-        // Fallback: any provider matching the bot's provider id
-        if (!credential) {
-            credential = providers.find((p) => p.id === bot.llmProvider);
-        }
-        if (!credential)
-            return null;
-        // Handle OAuth credentials (access_token/refresh_token) vs plain API keys
-        if (credential.connectionType === 'oauth' || credential.access_token) {
-            return {
-                provider: bot.llmProvider,
-                model: bot.llmModel || '',
-                name: bot.name,
-                oauthToken: credential.access_token,
-                oauthRefreshToken: credential.refresh_token,
-            };
-        }
-        return {
-            provider: bot.llmProvider,
-            model: bot.llmModel || '',
-            name: bot.name,
-            apiKey: credential.apiKey,
-        };
-    }
-    /**
-     * Fix B: Sync all cloud-configured bots at startup.
-     * Calls /api/v1/agent/config and starts loops for bots that aren't already running locally.
-     * This ensures bots created on the web UI are available without manual local config.
-     */
-    async syncBotsFromCloud() {
-        console.log(chalk_1.default.gray('  Syncing bot configs from cloud...'));
-        const body = await this.fetchServerConfig();
-        if (!body) {
-            console.log(chalk_1.default.gray('  Cloud sync skipped — no server config available'));
-            return;
-        }
-        const bots = body.bots || [];
-        let synced = 0;
-        for (const bot of bots) {
-            if (!bot.id || !bot.llmProvider)
-                continue;
-            // Skip if this bot already has a loop running (loaded from local config)
-            if (this.botIdToLoopId.has(bot.id) || this.loops.has(bot.id)) {
-                continue;
-            }
-            // Resolve credentials from the server config
-            const resolved = this.resolveBotFromConfig(bot.id, body);
-            if (!resolved) {
-                console.warn(chalk_1.default.yellow(`  ⚠ Cloud bot "${bot.name}" (${bot.llmProvider}) — no credentials found, skipping`));
-                continue;
-            }
-            // Resolve auth (handles OAuth token detection, refresh, baseUrl/apiStyle for OpenAI sub)
-            let provider = resolved.provider;
-            let model = resolved.model;
-            let apiKey = resolved.apiKey;
-            let oauthToken = resolved.oauthToken;
-            let authMode;
-            let baseUrl;
-            let apiStyle;
-            let resolvedAuth;
-            try {
-                const auth = await (0, auto_detect_1.resolveAuth)({
-                    provider,
-                    model,
-                    apiKey,
-                    oauthToken,
-                    oauthRefreshToken: resolved.oauthRefreshToken,
-                });
-                if (auth) {
-                    resolvedAuth = auth;
-                    provider = auth.provider;
-                    model = auth.model;
-                    apiKey = auth.source === 'api-key' || auth.source === 'env' ? auth.apiKey : undefined;
-                    oauthToken = auth.source === 'oauth' ? auth.apiKey : oauthToken;
-                    authMode = auth.authMode;
-                    baseUrl = auth.baseUrl;
-                    apiStyle = auth.apiStyle;
-                }
-            }
-            catch (err) {
-                console.warn(chalk_1.default.yellow(`  ⚠ Auth resolution failed for cloud bot "${bot.name}": ${err} — skipping`));
-                continue;
-            }
-            if (!apiKey && !oauthToken) {
-                console.warn(chalk_1.default.yellow(`  ⚠ No usable credentials for cloud bot "${bot.name}" (${provider}) — skipping`));
-                continue;
-            }
-            const effectiveKey = apiKey || oauthToken || '';
-            // Start the loop
-            this.startLoop({
-                id: bot.id,
-                name: bot.name,
-                provider,
-                model,
-                apiKey: effectiveKey,
-                oauthToken,
-                authMode,
-                baseUrl,
-                apiStyle,
-                resolvedAuth,
-            });
-            this.botIdToLoopId.set(bot.id, bot.id);
-            // Persist agent profile locally for prompt building
-            const profileFields = {
-                provider,
-                model,
-                name: bot.name,
-                permissionMode: default_tool_profile_1.DEFAULT_PERMISSION_MODE,
-                enabledBuiltinToolsJson: JSON.stringify([]),
-                enabledMcpToolsJson: JSON.stringify([]),
-                isActive: true,
-            };
-            const existing = data.getAgentProfile(bot.id);
-            if (existing) {
-                data.updateAgentProfile(bot.id, profileFields);
-            }
-            else {
-                data.createAgentProfile({
-                    ...profileFields,
-                    providerConnectionId: data.findProviderConnection(provider)?.id,
-                    isDefault: false,
-                });
-            }
-            synced++;
-            console.log(chalk_1.default.green(`  ✓ Cloud bot "${bot.name}" synced (${provider}/${model})`));
-        }
-        if (synced > 0) {
-            console.log(chalk_1.default.blue(`  ${synced} bot(s) synced from cloud`));
-        }
-        else {
-            console.log(chalk_1.default.gray('  No additional cloud bots to sync'));
-        }
-    }
-    /** Add a new agent — re-fetches config from server to get credentials */
-    async handleAgentAdd(command) {
+    /** Add a new agent — persists to config.agents[] */
+    handleAgentAdd(command) {
         if (!command.bot) {
             console.error(chalk_1.default.red('agent_add command missing agent payload'));
             return;
         }
         const agent = command.bot;
-        let provider = agent.provider;
-        let model = agent.model;
-        // Fail closed: if provider is missing, do not fall through to default
-        if (!provider) {
-            console.error(chalk_1.default.red(`✗ Agent "${agent.name}" has no provider binding — cannot start. Fix in Mission Control.`));
-            return;
-        }
-        // Re-fetch credentials from server (secrets stay on authenticated HTTPS, not MQTT)
-        const serverCreds = await this.fetchBotFromServer(agent.id);
-        let apiKey;
-        let oauthToken;
-        let oauthRefreshToken;
-        if (serverCreds) {
-            apiKey = serverCreds.apiKey;
-            oauthToken = serverCreds.oauthToken;
-            oauthRefreshToken = serverCreds.oauthRefreshToken;
-        }
-        else {
-            // Fallback: try local provider config
-            const { loadConfig, getProvider } = require('./config');
-            const localProvider = getProvider(loadConfig(), provider);
-            if (localProvider) {
-                apiKey = localProvider.apiKey;
-            }
-        }
-        if (!apiKey && !oauthToken) {
-            console.error(chalk_1.default.red(`✗ Agent "${agent.name}" (${provider}/${model}) has no credential binding — cannot start.`));
-            return;
-        }
-        // Resolve auth (handles OAuth → baseUrl/apiStyle for OpenAI subscription, token refresh, etc.)
-        let authMode;
-        let baseUrl;
-        let apiStyle;
-        let resolvedAuth;
-        try {
-            const auth = await (0, auto_detect_1.resolveAuth)({ provider, model, apiKey, oauthToken, oauthRefreshToken });
-            if (auth) {
-                resolvedAuth = auth;
-                provider = auth.provider;
-                model = auth.model;
-                apiKey = auth.source === 'api-key' || auth.source === 'env' ? auth.apiKey : undefined;
-                oauthToken = auth.source === 'oauth' ? auth.apiKey : oauthToken;
-                authMode = auth.authMode;
-                baseUrl = auth.baseUrl;
-                apiStyle = auth.apiStyle;
-            }
-        }
-        catch (err) {
-            console.warn(chalk_1.default.yellow(`  ⚠ Auth resolution failed for "${agent.name}": ${err}`));
-        }
-        const effectiveKey = apiKey || oauthToken || '';
         const existing = data.getAgentProfile(agent.id);
         const fields = {
-            provider,
-            model,
+            provider: agent.provider,
+            model: agent.model,
             name: agent.name,
-            permissionMode: agent.permissionMode || default_tool_profile_1.DEFAULT_PERMISSION_MODE,
+            permissionMode: agent.permissionMode || 'autopilot',
             finalPrompt: agent.systemPrompt || undefined,
             purposeMd: agent.agentDescription || undefined,
-            enabledBuiltinToolsJson: JSON.stringify((0, default_tool_profile_1.normalizeEnabledTools)(agent.enabledTools)),
+            enabledBuiltinToolsJson: JSON.stringify(agent.enabledTools || []),
             enabledMcpToolsJson: JSON.stringify(agent.enabledMcpTools || []),
             isActive: true,
         };
@@ -634,15 +349,16 @@ class BotManager {
         else {
             data.createAgentProfile({
                 ...fields,
-                providerConnectionId: data.findProviderConnection(provider)?.id,
+                providerConnectionId: data.findProviderConnection(agent.provider)?.id,
                 isDefault: false,
             });
         }
-        this.startLoop({ ...agent, provider, model, apiKey: effectiveKey, oauthToken, authMode, baseUrl, apiStyle, resolvedAuth });
+        this.startLoop(agent);
+        // Register botId → loopId mapping
         if (agent.id) {
             this.botIdToLoopId.set(agent.id, agent.id);
         }
-        console.log(chalk_1.default.green(`✓ Agent added: "${agent.name}" (${provider} / ${model})`));
+        console.log(chalk_1.default.green(`✓ Agent added: "${agent.name}" (${agent.provider} / ${agent.model})`));
     }
     /** Remove an agent — persists to config.agents[] */
     handleAgentRemove(command) {
@@ -661,72 +377,22 @@ class BotManager {
             console.log(chalk_1.default.gray(`  Agent "${agentId}" was not running`));
         }
     }
-    /** Update an agent — re-fetches config from server to get credentials */
-    async handleAgentUpdate(command) {
+    /** Update an agent — persists to config.agents[] */
+    handleAgentUpdate(command) {
         if (!command.bot) {
             console.error(chalk_1.default.red('agent_update command missing agent payload'));
             return;
         }
         const agent = command.bot;
-        let provider = agent.provider;
-        let model = agent.model;
         this.stopLoop(agent.id);
-        // Fail closed: if provider is missing, do not fall through to default
-        if (!provider) {
-            console.error(chalk_1.default.red(`✗ Agent "${agent.name}" has no provider binding — cannot update. Fix in Mission Control.`));
-            return;
-        }
-        // Re-fetch credentials from server
-        const serverCreds = await this.fetchBotFromServer(agent.id);
-        let apiKey;
-        let oauthToken;
-        let oauthRefreshToken;
-        if (serverCreds) {
-            apiKey = serverCreds.apiKey;
-            oauthToken = serverCreds.oauthToken;
-            oauthRefreshToken = serverCreds.oauthRefreshToken;
-        }
-        else {
-            const { loadConfig, getProvider } = require('./config');
-            const localProvider = getProvider(loadConfig(), provider);
-            if (localProvider) {
-                apiKey = localProvider.apiKey;
-            }
-        }
-        if (!apiKey && !oauthToken) {
-            console.error(chalk_1.default.red(`✗ Agent "${agent.name}" (${provider}/${model}) has no credential binding — cannot update.`));
-            return;
-        }
-        // Resolve auth (handles OAuth → baseUrl/apiStyle for OpenAI subscription, token refresh, etc.)
-        let authMode;
-        let baseUrl;
-        let apiStyle;
-        let resolvedAuth;
-        try {
-            const auth = await (0, auto_detect_1.resolveAuth)({ provider, model, apiKey, oauthToken, oauthRefreshToken });
-            if (auth) {
-                resolvedAuth = auth;
-                provider = auth.provider;
-                model = auth.model;
-                apiKey = auth.source === 'api-key' || auth.source === 'env' ? auth.apiKey : undefined;
-                oauthToken = auth.source === 'oauth' ? auth.apiKey : oauthToken;
-                authMode = auth.authMode;
-                baseUrl = auth.baseUrl;
-                apiStyle = auth.apiStyle;
-            }
-        }
-        catch (err) {
-            console.warn(chalk_1.default.yellow(`  ⚠ Auth resolution failed for "${agent.name}": ${err}`));
-        }
-        const effectiveKey = apiKey || oauthToken || '';
         const fields = {
-            provider,
-            model,
+            provider: agent.provider,
+            model: agent.model,
             name: agent.name,
-            permissionMode: agent.permissionMode || default_tool_profile_1.DEFAULT_PERMISSION_MODE,
+            permissionMode: agent.permissionMode || 'autopilot',
             finalPrompt: agent.systemPrompt || undefined,
             purposeMd: agent.agentDescription || undefined,
-            enabledBuiltinToolsJson: JSON.stringify((0, default_tool_profile_1.normalizeEnabledTools)(agent.enabledTools)),
+            enabledBuiltinToolsJson: JSON.stringify(agent.enabledTools || []),
             enabledMcpToolsJson: JSON.stringify(agent.enabledMcpTools || []),
             isActive: true,
         };
@@ -736,15 +402,22 @@ class BotManager {
         else {
             data.createAgentProfile({
                 ...fields,
-                providerConnectionId: data.findProviderConnection(provider)?.id,
+                providerConnectionId: data.findProviderConnection(agent.provider)?.id,
                 isDefault: false,
             });
         }
-        this.startLoop({ ...agent, provider, model, apiKey: effectiveKey, oauthToken, authMode, baseUrl, apiStyle, resolvedAuth });
+        this.startLoop(agent);
         if (agent.id) {
             this.botIdToLoopId.set(agent.id, agent.id);
         }
-        console.log(chalk_1.default.blue(`✓ Agent updated: "${agent.name}" (${provider} / ${agent.model})`));
+        console.log(chalk_1.default.blue(`✓ Agent updated: "${agent.name}" (${agent.provider} / ${agent.model})`));
+    }
+    /** Update OAuth token for all running loops (used by token refresh) */
+    updateDefaultToken(token) {
+        this.options.defaultOauthToken = token;
+        for (const [_id, loop] of this.loops) {
+            loop.updateToken(token);
+        }
     }
     async handleUpdateCommand(command) {
         console.log(chalk_1.default.cyan('⟳ Remote update requested via MQTT'));