github-router 0.3.41 → 0.3.42

package/dist/{lifecycle-CpnAVVQ_.js → lifecycle-DU0UI2t5.js}

@@ -1,4 +1,4 @@
-import { c as writeRuntimeFileSecure, t as PATHS } from "./paths-cZle37Jp.js";
+import { c as writeRuntimeFileSecure, t as PATHS } from "./paths-lwEqM5-i.js";
 import { randomBytes, randomUUID } from "node:crypto";
 import fs from "node:fs/promises";
 import path from "node:path";
@@ -307,4 +307,4 @@ async function sweepStaleWorktreesAtBoot() {
 
 //#endregion
 export { sweepRegistry as a, registerExitHandlers as i, getInstanceUuid as n, sweepStaleWorktreesAtBoot as o, recordWorkerRepo as r, WorktreeRegistry as t };
-//# sourceMappingURL=lifecycle-CpnAVVQ_.js.map
+//# sourceMappingURL=lifecycle-DU0UI2t5.js.map

package/dist/{lifecycle-CpnAVVQ_.js.map → lifecycle-DU0UI2t5.js.map}

@@ -1 +1 @@
-{"version":3,"file":"lifecycle-CpnAVVQ_.js","names":["_instanceUuid: string | null","_activeRegistry: WorktreeRegistry | null","_exitHandler: (() => void) | null","_sigintHandler: (() => void) | null","_sigtermHandler: (() => void) | null","raw: string","cleaned: Array<LedgerEntry>","_ledgerChain: Promise<void>","ledger: LedgerFile","names: Array<string>"],"sources":["../src/lib/worker-agent/lifecycle.ts"],"sourcesContent":["/**\n * Lifecycle plumbing for worker worktrees: in-memory registry, signal\n * handlers, ledger of repos touched, and the boot-time PID+instance\n * safety net.\n *\n * Plan: see `plans/we-have-added-a-dreamy-tide.md` (\"Worktree mode\" →\n * \"Cleanup paths\"). Three layers cooperate, none of them sufficient\n * alone:\n *\n *   1. Per-call cleanup (`engine.ts` finally block invoking\n *      `WorktreeHandle.remove()`) — covers the happy path.\n *\n *   2. Session-end signal sweep (this file, registered via\n *      `registerExitHandlers`) — covers Ctrl+C, service-manager stop,\n *      and (in `github-router claude` mode) the spawned child's exit.\n *      Synchronous `execFileSync` is intentional: exit handlers can't\n *      reliably await async work.\n *\n *   3. Boot-time PID+instance sweep (`sweepStaleWorktreesAtBoot`) —\n *      covers SIGKILL, OOM, container restart. Walks the ledger of\n *      repos this proxy has touched and removes worktree dirs whose\n *      `<pid>` is dead OR whose `<instance>` UUID doesn't match the\n *      current proxy's UUID.\n *\n * Ledger writes are ATOMIC (temp + rename) per peer review — a\n * concurrent-RMW corruption would silently strand worktrees because\n * the boot sweep can't find their repo roots.\n */\n\nimport { execFileSync } from \"node:child_process\"\nimport { randomBytes, randomUUID } from \"node:crypto\"\nimport fs from \"node:fs/promises\"\nimport path from \"node:path\"\nimport process from \"node:process\"\n\nimport { PATHS, writeRuntimeFileSecure } from \"../paths\"\n\n/**\n * Same regex worktree.ts uses for its per-call age sweep — kept in\n * sync intentionally. `<pid>-<uuid>-<8hex>` strictly.\n */\nconst WORKTREE_DIR_NAME_RE =\n  /^(\\d+)-([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})-([0-9a-f]{8})$/\n\n/**\n * Cap on the ledger: how many repos we remember across boots, and how\n * old an entry may be before it's pruned. Both are belt-and-suspenders\n * — the per-call age sweep is the primary guard against accumulation\n * inside any single repo.\n */\nconst LEDGER_MAX_ENTRIES = 100\nconst LEDGER_MAX_AGE_MS = 30 * 24 * 60 * 60 * 1000\n\nexport interface WorktreeRegistryEntry {\n  repoRoot: string\n  dir: string\n  branch: string\n}\n\n/**\n * Set-like in-memory registry of worktrees this proxy created. Engine\n * passes it to `createWorktree` so per-call cleanup deletes the entry\n * on success; the signal handlers walk what's left at shutdown.\n *\n * Not a bare `Set` because we want to expose only the operations we\n * actually use, and we want a stable testable surface.\n */\nexport class WorktreeRegistry {\n  private readonly entries = new Set<WorktreeRegistryEntry>()\n\n  add(entry: WorktreeRegistryEntry): void {\n    this.entries.add(entry)\n  }\n  delete(entry: WorktreeRegistryEntry): void {\n    this.entries.delete(entry)\n  }\n  has(entry: WorktreeRegistryEntry): boolean {\n    return this.entries.has(entry)\n  }\n  values(): IterableIterator<WorktreeRegistryEntry> {\n    return this.entries.values()\n  }\n  get size(): number {\n    return this.entries.size\n  }\n  clear(): void {\n    this.entries.clear()\n  }\n}\n\n// ---------------------------------------------------------------------\n// Per-launch instance UUID\n// ---------------------------------------------------------------------\n\nlet _instanceUuid: string | null = null\n\n/**\n * Stable UUID4 generated once per proxy process. Used in worktree\n * dir/branch names so the boot sweep can reliably distinguish \"this\n * proxy's still-live worktrees\" from \"stranded dirs from a prior\n * proxy that happens to have a recycled PID\" — Docker PID-1 across\n * container restarts is the classic case (peer-review HIGH finding).\n */\nexport function getInstanceUuid(): string {\n  if (_instanceUuid === null) {\n    _instanceUuid = randomUUID()\n  }\n  return _instanceUuid\n}\n\n/** Test-only: reset the cached UUID. */\nexport function __resetInstanceUuidForTests(): void {\n  _instanceUuid = null\n}\n\n// ---------------------------------------------------------------------\n// Signal handlers + sweepRegistry\n// ---------------------------------------------------------------------\n\nlet _registered = false\nlet _activeRegistry: WorktreeRegistry | null = null\nlet _exitHandler: (() => void) | null = null\nlet _sigintHandler: (() => void) | null = null\nlet _sigtermHandler: (() => void) | null = null\n\n/**\n * Synchronous cleanup of every registry entry. Best-effort:\n * `execFileSync` failures are swallowed (the dir may have been\n * removed already, or git may not be on PATH any more in some\n * environments). After a successful removal we drop the entry from\n * the registry so a second call is a true no-op.\n *\n * Synchronous on purpose — exit handlers can't reliably await async\n * work; the process would die before the promise settled.\n */\nexport function sweepRegistry(): void {\n  if (!_activeRegistry) return\n  // Snapshot the values first so we can mutate the underlying set\n  // during iteration without skipping entries.\n  const snapshot = [..._activeRegistry.values()]\n  for (const entry of snapshot) {\n    try {\n      // `-C entry.repoRoot` is load-bearing: without it git resolves\n      // the worktree path relative to the proxy's cwd (which is the\n      // user's launch dir, typically NOT inside the target repo), and\n      // fails with `fatal: '<path>' is not a working tree`. The E2E\n      // boot-sweep test (worker-agent-boot-sweep.test.ts) is what\n      // caught the missing flag.\n      execFileSync(\n        \"git\",\n        [\"-C\", entry.repoRoot, \"worktree\", \"remove\", \"--force\", entry.dir],\n        { stdio: \"ignore\", timeout: 10_000, windowsHide: true },\n      )\n    } catch {\n      // Already gone, EBUSY, or git not on PATH — best effort.\n    }\n    try {\n      execFileSync(\"git\", [\"-C\", entry.repoRoot, \"branch\", \"-D\", entry.branch], {\n        stdio: \"ignore\",\n        timeout: 5_000,\n        windowsHide: true,\n      })\n    } catch {\n      // Same as above.\n    }\n    _activeRegistry.delete(entry)\n  }\n}\n\n/**\n * Windows ConPTY / node-pty signal behavior:\n *\n * When a ConPTY host (VS Code terminal, Windows Terminal, node-pty) closes\n * the pseudo-console, the ConPTY layer sends CTRL_CLOSE_EVENT to the\n * process group. Node.js translates this into SIGINT (NOT SIGTERM). The\n * process has a ~5-second window before forced termination.\n *\n * Implication: the SIGTERM handler below may NEVER fire in node-pty\n * environments. This is by design — the three-layer cleanup architecture\n * ensures coverage:\n *   1. Per-call cleanup (engine.ts finally block) — happy path\n *   2. SIGINT handler (this file) — ConPTY close, Ctrl+C\n *   3. `exit` handler (this file) — unconditional, fires on any exit\n *   4. Boot-time PID+instance sweep (sweepStaleWorktreesAtBoot) — crash recovery\n *\n * Layers 1+2+3 cover ConPTY; layer 4 covers SIGKILL/OOM/container restart.\n */\n\n/**\n * Wire up SIGINT/SIGTERM/exit handlers that walk the registry and\n * remove every entry. Idempotent: subsequent calls swap the registry\n * pointer but do NOT register additional process listeners (otherwise\n * we'd leak listeners on every `runWorkerAgent`).\n *\n * Signal handlers re-raise the signal after sweeping. Naively running\n * the sweep on SIGINT/SIGTERM and returning would *suppress* the\n * signal: Node defaults to terminating the process on these, but only\n * if no user listener is attached. Once we attach a listener, the\n * default action is cancelled and the process keeps running — which\n * means Ctrl-C would clean worktrees but not actually exit, leaving\n * orphan processes in dev. The `process.kill(pid, sig)` re-raise\n * after removing our own listener restores the default behaviour\n * (the second delivery now hits an empty listener list, so Node\n * terminates with the conventional `128 + signum` exit code).\n */\nexport function registerExitHandlers(registry: WorktreeRegistry): void {\n  _activeRegistry = registry\n  if (_registered) return\n  _registered = true\n  _exitHandler = () => sweepRegistry()\n  _sigintHandler = () => {\n    sweepRegistry()\n    if (_sigintHandler) process.off(\"SIGINT\", _sigintHandler)\n    process.kill(process.pid, \"SIGINT\")\n  }\n  _sigtermHandler = () => {\n    sweepRegistry()\n    if (_sigtermHandler) process.off(\"SIGTERM\", _sigtermHandler)\n    process.kill(process.pid, \"SIGTERM\")\n  }\n  process.on(\"SIGINT\", _sigintHandler)\n  process.on(\"SIGTERM\", _sigtermHandler)\n  // `exit` handlers can only run synchronous code — exactly what\n  // sweepRegistry does. Async work here would never complete.\n  process.on(\"exit\", _exitHandler)\n}\n\n/**\n * Test-only: unregister the handlers and reset module state. Tests\n * that want to verify `registerExitHandlers` semantics must clean up\n * after themselves or future tests in the same process inherit the\n * (now stale) registry pointer.\n */\nexport function __unregisterExitHandlersForTests(): void {\n  if (_sigintHandler) {\n    process.off(\"SIGINT\", _sigintHandler)\n    _sigintHandler = null\n  }\n  if (_sigtermHandler) {\n    process.off(\"SIGTERM\", _sigtermHandler)\n    _sigtermHandler = null\n  }\n  if (_exitHandler) {\n    process.off(\"exit\", _exitHandler)\n    _exitHandler = null\n  }\n  _registered = false\n  _activeRegistry = null\n}\n\n// ---------------------------------------------------------------------\n// Ledger: which repos has this proxy touched?\n// ---------------------------------------------------------------------\n\ninterface LedgerEntry {\n  repoRoot: string\n  lastSeenMs: number\n}\n\ninterface LedgerFile {\n  entries: Array<LedgerEntry>\n}\n\nfunction ledgerPath(): string {\n  return path.join(PATHS.APP_DIR, \"worker-repos.json\")\n}\n\nasync function readLedger(): Promise<LedgerFile> {\n  let raw: string\n  try {\n    raw = await fs.readFile(ledgerPath(), \"utf8\")\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code === \"ENOENT\") {\n      return { entries: [] }\n    }\n    return { entries: [] }\n  }\n  try {\n    const parsed = JSON.parse(raw) as Partial<LedgerFile>\n    if (!parsed || !Array.isArray(parsed.entries)) return { entries: [] }\n    const cleaned: Array<LedgerEntry> = []\n    for (const e of parsed.entries) {\n      if (\n        e &&\n        typeof e === \"object\" &&\n        typeof (e as LedgerEntry).repoRoot === \"string\" &&\n        typeof (e as LedgerEntry).lastSeenMs === \"number\"\n      ) {\n        cleaned.push({\n          repoRoot: (e as LedgerEntry).repoRoot,\n          lastSeenMs: (e as LedgerEntry).lastSeenMs,\n        })\n      }\n    }\n    return { entries: cleaned }\n  } catch {\n    // Corrupted JSON — start fresh rather than crashing the proxy.\n    return { entries: [] }\n  }\n}\n\n/**\n * Per-process serializer for ledger writes. Multiple concurrent\n * `recordWorkerRepo` calls (legitimate: several workers may start at\n * once) would otherwise race read-modify-write on the JSON file. Each\n * call chains onto the previous so the on-disk sequence is\n * deterministic from this process's perspective.\n *\n * Cross-process safety is provided by the atomic temp+rename below,\n * which makes the final state of the file always be a well-formed\n * full snapshot from ONE writer — never a partial write or\n * interleaved JSON.\n */\nlet _ledgerChain: Promise<void> = Promise.resolve()\n\n/**\n * Append `repoRoot` to the ledger (or update its `lastSeenMs`).\n * Atomic temp+rename per peer review.\n */\nexport function recordWorkerRepo(repoRoot: string): Promise<void> {\n  const next = _ledgerChain.then(async () => {\n    await fs.mkdir(PATHS.APP_DIR, { recursive: true })\n    const current = await readLedger()\n    // Dedup: drop any existing entry for this root before appending\n    // the fresh one so the array doesn't grow unbounded with repeats.\n    const filtered = current.entries.filter((e) => e.repoRoot !== repoRoot)\n    filtered.push({ repoRoot, lastSeenMs: Date.now() })\n    // Prune by age and cap entry count (newest wins).\n    const now = Date.now()\n    const pruned = filtered\n      .filter((e) => now - e.lastSeenMs < LEDGER_MAX_AGE_MS)\n      .slice(-LEDGER_MAX_ENTRIES)\n    const ledger: LedgerFile = { entries: pruned }\n\n    // Atomic temp+rename. The temp filename is unique per call\n    // (PID + 8 random hex chars) so concurrent processes don't\n    // collide on the temp name; the final `rename` is atomic on\n    // POSIX and on Windows (both with same filesystem).\n    const tmp = `${ledgerPath()}.tmp.${process.pid}.${randomBytes(4).toString(\n      \"hex\",\n    )}`\n    try {\n      await writeRuntimeFileSecure(tmp, JSON.stringify(ledger, null, 2))\n      await fs.rename(tmp, ledgerPath())\n    } catch (err) {\n      // Clean up the temp file if rename failed midway.\n      await fs.unlink(tmp).catch(() => {})\n      throw err\n    }\n  })\n  // Swallow chain-internal errors so one failed write doesn't poison\n  // the chain for every subsequent caller. Each call still sees its\n  // own rejection (we return `next`, not the catch-handler chain).\n  _ledgerChain = next.catch(() => undefined)\n  return next\n}\n\nfunction isPidAlive(pid: number): boolean {\n  if (!Number.isInteger(pid) || pid <= 0) return false\n  try {\n    process.kill(pid, 0)\n    return true\n  } catch (err) {\n    const code = (err as NodeJS.ErrnoException).code\n    // EPERM = process exists but we can't signal it — still alive\n    // for our purposes (we just need to know whether to clean up).\n    if (code === \"EPERM\") return true\n    return false\n  }\n}\n\n/**\n * Boot-time sweep. For every repo we recorded in the ledger,\n * enumerate `<repoRoot>/.git/worker-worktrees/` (the conventional\n * location — for repos already inside a worktree, the actual\n * `git-common-dir` may differ, in which case we'll miss this batch\n * and the per-call age sweep will catch them within 7 days) and\n * remove dirs that aren't owned by THIS proxy.\n *\n * Ownership rule: dir is \"ours\" iff its embedded PID is alive AND\n * its embedded UUID equals `getInstanceUuid()`. Either condition\n * failing → remove.\n */\nexport async function sweepStaleWorktreesAtBoot(): Promise<void> {\n  const ledger = await readLedger()\n  if (ledger.entries.length === 0) return\n  const currentUuid = getInstanceUuid()\n  for (const entry of ledger.entries) {\n    const parent = path.join(entry.repoRoot, \".git\", \"worker-worktrees\")\n    let names: Array<string>\n    try {\n      names = await fs.readdir(parent)\n    } catch {\n      continue\n    }\n    for (const name of names) {\n      const m = WORKTREE_DIR_NAME_RE.exec(name)\n      if (!m) continue\n      const pid = Number.parseInt(m[1], 10)\n      const uuid = m[2]\n      const isOurs = isPidAlive(pid) && uuid === currentUuid\n      if (isOurs) continue\n\n      const fullDir = path.join(parent, name)\n      const branch = `worker/${pid}-${uuid}-${m[3]}`\n      try {\n        // `-C entry.repoRoot` is load-bearing here too — see the\n        // matching comment in `sweepRegistry`. The boot sweep runs\n        // BEFORE any worker tool has set cwd, so the proxy's cwd is\n        // the user's launch dir, which is almost never inside the\n        // target repo.\n        execFileSync(\n          \"git\",\n          [\"-C\", entry.repoRoot, \"worktree\", \"remove\", \"--force\", fullDir],\n          { stdio: \"ignore\", timeout: 10_000, windowsHide: true },\n        )\n      } catch {\n        // ignore\n      }\n      try {\n        execFileSync(\n          \"git\",\n          [\"-C\", entry.repoRoot, \"branch\", \"-D\", branch],\n          { stdio: \"ignore\", timeout: 5_000, windowsHide: true },\n        )\n      } catch {\n        // ignore\n      }\n      try {\n        await fs.rm(fullDir, { recursive: true, force: true })\n      } catch {\n        // ignore — git may have removed it already\n      }\n    }\n  }\n}\n\n/** Test-only: clear the ledger file (does NOT remove on-disk worktrees). */\nexport async function __clearLedgerForTests(): Promise<void> {\n  await fs.unlink(ledgerPath()).catch(() => {})\n}\n\n/** Test-only: read the ledger as a plain array (no side effects). */\nexport async function __readLedgerForTests(): Promise<Array<LedgerEntry>> {\n  return (await readLedger()).entries\n}\n"],"mappings":";;;;;;;;;;;;AAyCA,MAAM,uBACJ;;;;;;;AAQF,MAAM,qBAAqB;AAC3B,MAAM,oBAAoB,MAAU,KAAK,KAAK;;;;;;;;;AAgB9C,IAAa,mBAAb,MAA8B;CAC5B,AAAiB,0BAAU,IAAI,KAA4B;CAE3D,IAAI,OAAoC;AACtC,OAAK,QAAQ,IAAI,MAAM;;CAEzB,OAAO,OAAoC;AACzC,OAAK,QAAQ,OAAO,MAAM;;CAE5B,IAAI,OAAuC;AACzC,SAAO,KAAK,QAAQ,IAAI,MAAM;;CAEhC,SAAkD;AAChD,SAAO,KAAK,QAAQ,QAAQ;;CAE9B,IAAI,OAAe;AACjB,SAAO,KAAK,QAAQ;;CAEtB,QAAc;AACZ,OAAK,QAAQ,OAAO;;;AAQxB,IAAIA,gBAA+B;;;;;;;;AASnC,SAAgB,kBAA0B;AACxC,KAAI,kBAAkB,KACpB,iBAAgB,YAAY;AAE9B,QAAO;;AAYT,IAAI,cAAc;AAClB,IAAIC,kBAA2C;AAC/C,IAAIC,eAAoC;AACxC,IAAIC,iBAAsC;AAC1C,IAAIC,kBAAuC;;;;;;;;;;;AAY3C,SAAgB,gBAAsB;AACpC,KAAI,CAAC,gBAAiB;CAGtB,MAAM,WAAW,CAAC,GAAG,gBAAgB,QAAQ,CAAC;AAC9C,MAAK,MAAM,SAAS,UAAU;AAC5B,MAAI;AAOF,gBACE,OACA;IAAC;IAAM,MAAM;IAAU;IAAY;IAAU;IAAW,MAAM;IAAI,EAClE;IAAE,OAAO;IAAU,SAAS;IAAQ,aAAa;IAAM,CACxD;UACK;AAGR,MAAI;AACF,gBAAa,OAAO;IAAC;IAAM,MAAM;IAAU;IAAU;IAAM,MAAM;IAAO,EAAE;IACxE,OAAO;IACP,SAAS;IACT,aAAa;IACd,CAAC;UACI;AAGR,kBAAgB,OAAO,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwCjC,SAAgB,qBAAqB,UAAkC;AACrE,mBAAkB;AAClB,KAAI,YAAa;AACjB,eAAc;AACd,sBAAqB,eAAe;AACpC,wBAAuB;AACrB,iBAAe;AACf,MAAI,eAAgB,SAAQ,IAAI,UAAU,eAAe;AACzD,UAAQ,KAAK,QAAQ,KAAK,SAAS;;AAErC,yBAAwB;AACtB,iBAAe;AACf,MAAI,gBAAiB,SAAQ,IAAI,WAAW,gBAAgB;AAC5D,UAAQ,KAAK,QAAQ,KAAK,UAAU;;AAEtC,SAAQ,GAAG,UAAU,eAAe;AACpC,SAAQ,GAAG,WAAW,gBAAgB;AAGtC,SAAQ,GAAG,QAAQ,aAAa;;AAuClC,SAAS,aAAqB;AAC5B,QAAO,KAAK,KAAK,MAAM,SAAS,oBAAoB;;AAGtD,eAAe,aAAkC;CAC/C,IAAIC;AACJ,KAAI;AACF,QAAM,MAAM,GAAG,SAAS,YAAY,EAAE,OAAO;UACtC,KAAK;AACZ,MAAK,IAA8B,SAAS,SAC1C,QAAO,EAAE,SAAS,EAAE,EAAE;AAExB,SAAO,EAAE,SAAS,EAAE,EAAE;;AAExB,KAAI;EACF,MAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,MAAI,CAAC,UAAU,CAAC,MAAM,QAAQ,OAAO,QAAQ,CAAE,QAAO,EAAE,SAAS,EAAE,EAAE;EACrE,MAAMC,UAA8B,EAAE;AACtC,OAAK,MAAM,KAAK,OAAO,QACrB,KACE,KACA,OAAO,MAAM,YACb,OAAQ,EAAkB,aAAa,YACvC,OAAQ,EAAkB,eAAe,SAEzC,SAAQ,KAAK;GACX,UAAW,EAAkB;GAC7B,YAAa,EAAkB;GAChC,CAAC;AAGN,SAAO,EAAE,SAAS,SAAS;SACrB;AAEN,SAAO,EAAE,SAAS,EAAE,EAAE;;;;;;;;;;;;;;;AAgB1B,IAAIC,eAA8B,QAAQ,SAAS;;;;;AAMnD,SAAgB,iBAAiB,UAAiC;CAChE,MAAM,OAAO,aAAa,KAAK,YAAY;AACzC,QAAM,GAAG,MAAM,MAAM,SAAS,EAAE,WAAW,MAAM,CAAC;EAIlD,MAAM,YAHU,MAAM,YAAY,EAGT,QAAQ,QAAQ,MAAM,EAAE,aAAa,SAAS;AACvE,WAAS,KAAK;GAAE;GAAU,YAAY,KAAK,KAAK;GAAE,CAAC;EAEnD,MAAM,MAAM,KAAK,KAAK;EAItB,MAAMC,SAAqB,EAAE,SAHd,SACZ,QAAQ,MAAM,MAAM,EAAE,aAAa,kBAAkB,CACrD,MAAM,CAAC,mBAAmB,EACiB;EAM9C,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,QAAQ,IAAI,GAAG,YAAY,EAAE,CAAC,SAC/D,MACD;AACD,MAAI;AACF,SAAM,uBAAuB,KAAK,KAAK,UAAU,QAAQ,MAAM,EAAE,CAAC;AAClE,SAAM,GAAG,OAAO,KAAK,YAAY,CAAC;WAC3B,KAAK;AAEZ,SAAM,GAAG,OAAO,IAAI,CAAC,YAAY,GAAG;AACpC,SAAM;;GAER;AAIF,gBAAe,KAAK,YAAY,OAAU;AAC1C,QAAO;;AAGT,SAAS,WAAW,KAAsB;AACxC,KAAI,CAAC,OAAO,UAAU,IAAI,IAAI,OAAO,EAAG,QAAO;AAC/C,KAAI;AACF,UAAQ,KAAK,KAAK,EAAE;AACpB,SAAO;UACA,KAAK;AAIZ,MAHc,IAA8B,SAG/B,QAAS,QAAO;AAC7B,SAAO;;;;;;;;;;;;;;;AAgBX,eAAsB,4BAA2C;CAC/D,MAAM,SAAS,MAAM,YAAY;AACjC,KAAI,OAAO,QAAQ,WAAW,EAAG;CACjC,MAAM,cAAc,iBAAiB;AACrC,MAAK,MAAM,SAAS,OAAO,SAAS;EAClC,MAAM,SAAS,KAAK,KAAK,MAAM,UAAU,QAAQ,mBAAmB;EACpE,IAAIC;AACJ,MAAI;AACF,WAAQ,MAAM,GAAG,QAAQ,OAAO;UAC1B;AACN;;AAEF,OAAK,MAAM,QAAQ,OAAO;GACxB,MAAM,IAAI,qBAAqB,KAAK,KAAK;AACzC,OAAI,CAAC,EAAG;GACR,MAAM,MAAM,OAAO,SAAS,EAAE,IAAI,GAAG;GACrC,MAAM,OAAO,EAAE;AAEf,OADe,WAAW,IAAI,IAAI,SAAS,YAC/B;GAEZ,MAAM,UAAU,KAAK,KAAK,QAAQ,KAAK;GACvC,MAAM,SAAS,UAAU,IAAI,GAAG,KAAK,GAAG,EAAE;AAC1C,OAAI;AAMF,iBACE,OACA;KAAC;KAAM,MAAM;KAAU;KAAY;KAAU;KAAW;KAAQ,EAChE;KAAE,OAAO;KAAU,SAAS;KAAQ,aAAa;KAAM,CACxD;WACK;AAGR,OAAI;AACF,iBACE,OACA;KAAC;KAAM,MAAM;KAAU;KAAU;KAAM;KAAO,EAC9C;KAAE,OAAO;KAAU,SAAS;KAAO,aAAa;KAAM,CACvD;WACK;AAGR,OAAI;AACF,UAAM,GAAG,GAAG,SAAS;KAAE,WAAW;KAAM,OAAO;KAAM,CAAC;WAChD"}
+{"version":3,"file":"lifecycle-DU0UI2t5.js","names":["_instanceUuid: string | null","_activeRegistry: WorktreeRegistry | null","_exitHandler: (() => void) | null","_sigintHandler: (() => void) | null","_sigtermHandler: (() => void) | null","raw: string","cleaned: Array<LedgerEntry>","_ledgerChain: Promise<void>","ledger: LedgerFile","names: Array<string>"],"sources":["../src/lib/worker-agent/lifecycle.ts"],"sourcesContent":["/**\n * Lifecycle plumbing for worker worktrees: in-memory registry, signal\n * handlers, ledger of repos touched, and the boot-time PID+instance\n * safety net.\n *\n * Plan: see `plans/we-have-added-a-dreamy-tide.md` (\"Worktree mode\" →\n * \"Cleanup paths\"). Three layers cooperate, none of them sufficient\n * alone:\n *\n *   1. Per-call cleanup (`engine.ts` finally block invoking\n *      `WorktreeHandle.remove()`) — covers the happy path.\n *\n *   2. Session-end signal sweep (this file, registered via\n *      `registerExitHandlers`) — covers Ctrl+C, service-manager stop,\n *      and (in `github-router claude` mode) the spawned child's exit.\n *      Synchronous `execFileSync` is intentional: exit handlers can't\n *      reliably await async work.\n *\n *   3. Boot-time PID+instance sweep (`sweepStaleWorktreesAtBoot`) —\n *      covers SIGKILL, OOM, container restart. Walks the ledger of\n *      repos this proxy has touched and removes worktree dirs whose\n *      `<pid>` is dead OR whose `<instance>` UUID doesn't match the\n *      current proxy's UUID.\n *\n * Ledger writes are ATOMIC (temp + rename) per peer review — a\n * concurrent-RMW corruption would silently strand worktrees because\n * the boot sweep can't find their repo roots.\n */\n\nimport { execFileSync } from \"node:child_process\"\nimport { randomBytes, randomUUID } from \"node:crypto\"\nimport fs from \"node:fs/promises\"\nimport path from \"node:path\"\nimport process from \"node:process\"\n\nimport { PATHS, writeRuntimeFileSecure } from \"../paths\"\n\n/**\n * Same regex worktree.ts uses for its per-call age sweep — kept in\n * sync intentionally. `<pid>-<uuid>-<8hex>` strictly.\n */\nconst WORKTREE_DIR_NAME_RE =\n  /^(\\d+)-([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})-([0-9a-f]{8})$/\n\n/**\n * Cap on the ledger: how many repos we remember across boots, and how\n * old an entry may be before it's pruned. Both are belt-and-suspenders\n * — the per-call age sweep is the primary guard against accumulation\n * inside any single repo.\n */\nconst LEDGER_MAX_ENTRIES = 100\nconst LEDGER_MAX_AGE_MS = 30 * 24 * 60 * 60 * 1000\n\nexport interface WorktreeRegistryEntry {\n  repoRoot: string\n  dir: string\n  branch: string\n}\n\n/**\n * Set-like in-memory registry of worktrees this proxy created. Engine\n * passes it to `createWorktree` so per-call cleanup deletes the entry\n * on success; the signal handlers walk what's left at shutdown.\n *\n * Not a bare `Set` because we want to expose only the operations we\n * actually use, and we want a stable testable surface.\n */\nexport class WorktreeRegistry {\n  private readonly entries = new Set<WorktreeRegistryEntry>()\n\n  add(entry: WorktreeRegistryEntry): void {\n    this.entries.add(entry)\n  }\n  delete(entry: WorktreeRegistryEntry): void {\n    this.entries.delete(entry)\n  }\n  has(entry: WorktreeRegistryEntry): boolean {\n    return this.entries.has(entry)\n  }\n  values(): IterableIterator<WorktreeRegistryEntry> {\n    return this.entries.values()\n  }\n  get size(): number {\n    return this.entries.size\n  }\n  clear(): void {\n    this.entries.clear()\n  }\n}\n\n// ---------------------------------------------------------------------\n// Per-launch instance UUID\n// ---------------------------------------------------------------------\n\nlet _instanceUuid: string | null = null\n\n/**\n * Stable UUID4 generated once per proxy process. Used in worktree\n * dir/branch names so the boot sweep can reliably distinguish \"this\n * proxy's still-live worktrees\" from \"stranded dirs from a prior\n * proxy that happens to have a recycled PID\" — Docker PID-1 across\n * container restarts is the classic case (peer-review HIGH finding).\n */\nexport function getInstanceUuid(): string {\n  if (_instanceUuid === null) {\n    _instanceUuid = randomUUID()\n  }\n  return _instanceUuid\n}\n\n/** Test-only: reset the cached UUID. */\nexport function __resetInstanceUuidForTests(): void {\n  _instanceUuid = null\n}\n\n// ---------------------------------------------------------------------\n// Signal handlers + sweepRegistry\n// ---------------------------------------------------------------------\n\nlet _registered = false\nlet _activeRegistry: WorktreeRegistry | null = null\nlet _exitHandler: (() => void) | null = null\nlet _sigintHandler: (() => void) | null = null\nlet _sigtermHandler: (() => void) | null = null\n\n/**\n * Synchronous cleanup of every registry entry. Best-effort:\n * `execFileSync` failures are swallowed (the dir may have been\n * removed already, or git may not be on PATH any more in some\n * environments). After a successful removal we drop the entry from\n * the registry so a second call is a true no-op.\n *\n * Synchronous on purpose — exit handlers can't reliably await async\n * work; the process would die before the promise settled.\n */\nexport function sweepRegistry(): void {\n  if (!_activeRegistry) return\n  // Snapshot the values first so we can mutate the underlying set\n  // during iteration without skipping entries.\n  const snapshot = [..._activeRegistry.values()]\n  for (const entry of snapshot) {\n    try {\n      // `-C entry.repoRoot` is load-bearing: without it git resolves\n      // the worktree path relative to the proxy's cwd (which is the\n      // user's launch dir, typically NOT inside the target repo), and\n      // fails with `fatal: '<path>' is not a working tree`. The E2E\n      // boot-sweep test (worker-agent-boot-sweep.test.ts) is what\n      // caught the missing flag.\n      execFileSync(\n        \"git\",\n        [\"-C\", entry.repoRoot, \"worktree\", \"remove\", \"--force\", entry.dir],\n        { stdio: \"ignore\", timeout: 10_000, windowsHide: true },\n      )\n    } catch {\n      // Already gone, EBUSY, or git not on PATH — best effort.\n    }\n    try {\n      execFileSync(\"git\", [\"-C\", entry.repoRoot, \"branch\", \"-D\", entry.branch], {\n        stdio: \"ignore\",\n        timeout: 5_000,\n        windowsHide: true,\n      })\n    } catch {\n      // Same as above.\n    }\n    _activeRegistry.delete(entry)\n  }\n}\n\n/**\n * Windows ConPTY / node-pty signal behavior:\n *\n * When a ConPTY host (VS Code terminal, Windows Terminal, node-pty) closes\n * the pseudo-console, the ConPTY layer sends CTRL_CLOSE_EVENT to the\n * process group. Node.js translates this into SIGINT (NOT SIGTERM). The\n * process has a ~5-second window before forced termination.\n *\n * Implication: the SIGTERM handler below may NEVER fire in node-pty\n * environments. This is by design — the three-layer cleanup architecture\n * ensures coverage:\n *   1. Per-call cleanup (engine.ts finally block) — happy path\n *   2. SIGINT handler (this file) — ConPTY close, Ctrl+C\n *   3. `exit` handler (this file) — unconditional, fires on any exit\n *   4. Boot-time PID+instance sweep (sweepStaleWorktreesAtBoot) — crash recovery\n *\n * Layers 1+2+3 cover ConPTY; layer 4 covers SIGKILL/OOM/container restart.\n */\n\n/**\n * Wire up SIGINT/SIGTERM/exit handlers that walk the registry and\n * remove every entry. Idempotent: subsequent calls swap the registry\n * pointer but do NOT register additional process listeners (otherwise\n * we'd leak listeners on every `runWorkerAgent`).\n *\n * Signal handlers re-raise the signal after sweeping. Naively running\n * the sweep on SIGINT/SIGTERM and returning would *suppress* the\n * signal: Node defaults to terminating the process on these, but only\n * if no user listener is attached. Once we attach a listener, the\n * default action is cancelled and the process keeps running — which\n * means Ctrl-C would clean worktrees but not actually exit, leaving\n * orphan processes in dev. The `process.kill(pid, sig)` re-raise\n * after removing our own listener restores the default behaviour\n * (the second delivery now hits an empty listener list, so Node\n * terminates with the conventional `128 + signum` exit code).\n */\nexport function registerExitHandlers(registry: WorktreeRegistry): void {\n  _activeRegistry = registry\n  if (_registered) return\n  _registered = true\n  _exitHandler = () => sweepRegistry()\n  _sigintHandler = () => {\n    sweepRegistry()\n    if (_sigintHandler) process.off(\"SIGINT\", _sigintHandler)\n    process.kill(process.pid, \"SIGINT\")\n  }\n  _sigtermHandler = () => {\n    sweepRegistry()\n    if (_sigtermHandler) process.off(\"SIGTERM\", _sigtermHandler)\n    process.kill(process.pid, \"SIGTERM\")\n  }\n  process.on(\"SIGINT\", _sigintHandler)\n  process.on(\"SIGTERM\", _sigtermHandler)\n  // `exit` handlers can only run synchronous code — exactly what\n  // sweepRegistry does. Async work here would never complete.\n  process.on(\"exit\", _exitHandler)\n}\n\n/**\n * Test-only: unregister the handlers and reset module state. Tests\n * that want to verify `registerExitHandlers` semantics must clean up\n * after themselves or future tests in the same process inherit the\n * (now stale) registry pointer.\n */\nexport function __unregisterExitHandlersForTests(): void {\n  if (_sigintHandler) {\n    process.off(\"SIGINT\", _sigintHandler)\n    _sigintHandler = null\n  }\n  if (_sigtermHandler) {\n    process.off(\"SIGTERM\", _sigtermHandler)\n    _sigtermHandler = null\n  }\n  if (_exitHandler) {\n    process.off(\"exit\", _exitHandler)\n    _exitHandler = null\n  }\n  _registered = false\n  _activeRegistry = null\n}\n\n// ---------------------------------------------------------------------\n// Ledger: which repos has this proxy touched?\n// ---------------------------------------------------------------------\n\ninterface LedgerEntry {\n  repoRoot: string\n  lastSeenMs: number\n}\n\ninterface LedgerFile {\n  entries: Array<LedgerEntry>\n}\n\nfunction ledgerPath(): string {\n  return path.join(PATHS.APP_DIR, \"worker-repos.json\")\n}\n\nasync function readLedger(): Promise<LedgerFile> {\n  let raw: string\n  try {\n    raw = await fs.readFile(ledgerPath(), \"utf8\")\n  } catch (err) {\n    if ((err as NodeJS.ErrnoException).code === \"ENOENT\") {\n      return { entries: [] }\n    }\n    return { entries: [] }\n  }\n  try {\n    const parsed = JSON.parse(raw) as Partial<LedgerFile>\n    if (!parsed || !Array.isArray(parsed.entries)) return { entries: [] }\n    const cleaned: Array<LedgerEntry> = []\n    for (const e of parsed.entries) {\n      if (\n        e &&\n        typeof e === \"object\" &&\n        typeof (e as LedgerEntry).repoRoot === \"string\" &&\n        typeof (e as LedgerEntry).lastSeenMs === \"number\"\n      ) {\n        cleaned.push({\n          repoRoot: (e as LedgerEntry).repoRoot,\n          lastSeenMs: (e as LedgerEntry).lastSeenMs,\n        })\n      }\n    }\n    return { entries: cleaned }\n  } catch {\n    // Corrupted JSON — start fresh rather than crashing the proxy.\n    return { entries: [] }\n  }\n}\n\n/**\n * Per-process serializer for ledger writes. Multiple concurrent\n * `recordWorkerRepo` calls (legitimate: several workers may start at\n * once) would otherwise race read-modify-write on the JSON file. Each\n * call chains onto the previous so the on-disk sequence is\n * deterministic from this process's perspective.\n *\n * Cross-process safety is provided by the atomic temp+rename below,\n * which makes the final state of the file always be a well-formed\n * full snapshot from ONE writer — never a partial write or\n * interleaved JSON.\n */\nlet _ledgerChain: Promise<void> = Promise.resolve()\n\n/**\n * Append `repoRoot` to the ledger (or update its `lastSeenMs`).\n * Atomic temp+rename per peer review.\n */\nexport function recordWorkerRepo(repoRoot: string): Promise<void> {\n  const next = _ledgerChain.then(async () => {\n    await fs.mkdir(PATHS.APP_DIR, { recursive: true })\n    const current = await readLedger()\n    // Dedup: drop any existing entry for this root before appending\n    // the fresh one so the array doesn't grow unbounded with repeats.\n    const filtered = current.entries.filter((e) => e.repoRoot !== repoRoot)\n    filtered.push({ repoRoot, lastSeenMs: Date.now() })\n    // Prune by age and cap entry count (newest wins).\n    const now = Date.now()\n    const pruned = filtered\n      .filter((e) => now - e.lastSeenMs < LEDGER_MAX_AGE_MS)\n      .slice(-LEDGER_MAX_ENTRIES)\n    const ledger: LedgerFile = { entries: pruned }\n\n    // Atomic temp+rename. The temp filename is unique per call\n    // (PID + 8 random hex chars) so concurrent processes don't\n    // collide on the temp name; the final `rename` is atomic on\n    // POSIX and on Windows (both with same filesystem).\n    const tmp = `${ledgerPath()}.tmp.${process.pid}.${randomBytes(4).toString(\n      \"hex\",\n    )}`\n    try {\n      await writeRuntimeFileSecure(tmp, JSON.stringify(ledger, null, 2))\n      await fs.rename(tmp, ledgerPath())\n    } catch (err) {\n      // Clean up the temp file if rename failed midway.\n      await fs.unlink(tmp).catch(() => {})\n      throw err\n    }\n  })\n  // Swallow chain-internal errors so one failed write doesn't poison\n  // the chain for every subsequent caller. Each call still sees its\n  // own rejection (we return `next`, not the catch-handler chain).\n  _ledgerChain = next.catch(() => undefined)\n  return next\n}\n\nfunction isPidAlive(pid: number): boolean {\n  if (!Number.isInteger(pid) || pid <= 0) return false\n  try {\n    process.kill(pid, 0)\n    return true\n  } catch (err) {\n    const code = (err as NodeJS.ErrnoException).code\n    // EPERM = process exists but we can't signal it — still alive\n    // for our purposes (we just need to know whether to clean up).\n    if (code === \"EPERM\") return true\n    return false\n  }\n}\n\n/**\n * Boot-time sweep. For every repo we recorded in the ledger,\n * enumerate `<repoRoot>/.git/worker-worktrees/` (the conventional\n * location — for repos already inside a worktree, the actual\n * `git-common-dir` may differ, in which case we'll miss this batch\n * and the per-call age sweep will catch them within 7 days) and\n * remove dirs that aren't owned by THIS proxy.\n *\n * Ownership rule: dir is \"ours\" iff its embedded PID is alive AND\n * its embedded UUID equals `getInstanceUuid()`. Either condition\n * failing → remove.\n */\nexport async function sweepStaleWorktreesAtBoot(): Promise<void> {\n  const ledger = await readLedger()\n  if (ledger.entries.length === 0) return\n  const currentUuid = getInstanceUuid()\n  for (const entry of ledger.entries) {\n    const parent = path.join(entry.repoRoot, \".git\", \"worker-worktrees\")\n    let names: Array<string>\n    try {\n      names = await fs.readdir(parent)\n    } catch {\n      continue\n    }\n    for (const name of names) {\n      const m = WORKTREE_DIR_NAME_RE.exec(name)\n      if (!m) continue\n      const pid = Number.parseInt(m[1], 10)\n      const uuid = m[2]\n      const isOurs = isPidAlive(pid) && uuid === currentUuid\n      if (isOurs) continue\n\n      const fullDir = path.join(parent, name)\n      const branch = `worker/${pid}-${uuid}-${m[3]}`\n      try {\n        // `-C entry.repoRoot` is load-bearing here too — see the\n        // matching comment in `sweepRegistry`. The boot sweep runs\n        // BEFORE any worker tool has set cwd, so the proxy's cwd is\n        // the user's launch dir, which is almost never inside the\n        // target repo.\n        execFileSync(\n          \"git\",\n          [\"-C\", entry.repoRoot, \"worktree\", \"remove\", \"--force\", fullDir],\n          { stdio: \"ignore\", timeout: 10_000, windowsHide: true },\n        )\n      } catch {\n        // ignore\n      }\n      try {\n        execFileSync(\n          \"git\",\n          [\"-C\", entry.repoRoot, \"branch\", \"-D\", branch],\n          { stdio: \"ignore\", timeout: 5_000, windowsHide: true },\n        )\n      } catch {\n        // ignore\n      }\n      try {\n        await fs.rm(fullDir, { recursive: true, force: true })\n      } catch {\n        // ignore — git may have removed it already\n      }\n    }\n  }\n}\n\n/** Test-only: clear the ledger file (does NOT remove on-disk worktrees). */\nexport async function __clearLedgerForTests(): Promise<void> {\n  await fs.unlink(ledgerPath()).catch(() => {})\n}\n\n/** Test-only: read the ledger as a plain array (no side effects). */\nexport async function __readLedgerForTests(): Promise<Array<LedgerEntry>> {\n  return (await readLedger()).entries\n}\n"],"mappings":";;;;;;;;;;;;AAyCA,MAAM,uBACJ;;;;;;;AAQF,MAAM,qBAAqB;AAC3B,MAAM,oBAAoB,MAAU,KAAK,KAAK;;;;;;;;;AAgB9C,IAAa,mBAAb,MAA8B;CAC5B,AAAiB,0BAAU,IAAI,KAA4B;CAE3D,IAAI,OAAoC;AACtC,OAAK,QAAQ,IAAI,MAAM;;CAEzB,OAAO,OAAoC;AACzC,OAAK,QAAQ,OAAO,MAAM;;CAE5B,IAAI,OAAuC;AACzC,SAAO,KAAK,QAAQ,IAAI,MAAM;;CAEhC,SAAkD;AAChD,SAAO,KAAK,QAAQ,QAAQ;;CAE9B,IAAI,OAAe;AACjB,SAAO,KAAK,QAAQ;;CAEtB,QAAc;AACZ,OAAK,QAAQ,OAAO;;;AAQxB,IAAIA,gBAA+B;;;;;;;;AASnC,SAAgB,kBAA0B;AACxC,KAAI,kBAAkB,KACpB,iBAAgB,YAAY;AAE9B,QAAO;;AAYT,IAAI,cAAc;AAClB,IAAIC,kBAA2C;AAC/C,IAAIC,eAAoC;AACxC,IAAIC,iBAAsC;AAC1C,IAAIC,kBAAuC;;;;;;;;;;;AAY3C,SAAgB,gBAAsB;AACpC,KAAI,CAAC,gBAAiB;CAGtB,MAAM,WAAW,CAAC,GAAG,gBAAgB,QAAQ,CAAC;AAC9C,MAAK,MAAM,SAAS,UAAU;AAC5B,MAAI;AAOF,gBACE,OACA;IAAC;IAAM,MAAM;IAAU;IAAY;IAAU;IAAW,MAAM;IAAI,EAClE;IAAE,OAAO;IAAU,SAAS;IAAQ,aAAa;IAAM,CACxD;UACK;AAGR,MAAI;AACF,gBAAa,OAAO;IAAC;IAAM,MAAM;IAAU;IAAU;IAAM,MAAM;IAAO,EAAE;IACxE,OAAO;IACP,SAAS;IACT,aAAa;IACd,CAAC;UACI;AAGR,kBAAgB,OAAO,MAAM;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAwCjC,SAAgB,qBAAqB,UAAkC;AACrE,mBAAkB;AAClB,KAAI,YAAa;AACjB,eAAc;AACd,sBAAqB,eAAe;AACpC,wBAAuB;AACrB,iBAAe;AACf,MAAI,eAAgB,SAAQ,IAAI,UAAU,eAAe;AACzD,UAAQ,KAAK,QAAQ,KAAK,SAAS;;AAErC,yBAAwB;AACtB,iBAAe;AACf,MAAI,gBAAiB,SAAQ,IAAI,WAAW,gBAAgB;AAC5D,UAAQ,KAAK,QAAQ,KAAK,UAAU;;AAEtC,SAAQ,GAAG,UAAU,eAAe;AACpC,SAAQ,GAAG,WAAW,gBAAgB;AAGtC,SAAQ,GAAG,QAAQ,aAAa;;AAuClC,SAAS,aAAqB;AAC5B,QAAO,KAAK,KAAK,MAAM,SAAS,oBAAoB;;AAGtD,eAAe,aAAkC;CAC/C,IAAIC;AACJ,KAAI;AACF,QAAM,MAAM,GAAG,SAAS,YAAY,EAAE,OAAO;UACtC,KAAK;AACZ,MAAK,IAA8B,SAAS,SAC1C,QAAO,EAAE,SAAS,EAAE,EAAE;AAExB,SAAO,EAAE,SAAS,EAAE,EAAE;;AAExB,KAAI;EACF,MAAM,SAAS,KAAK,MAAM,IAAI;AAC9B,MAAI,CAAC,UAAU,CAAC,MAAM,QAAQ,OAAO,QAAQ,CAAE,QAAO,EAAE,SAAS,EAAE,EAAE;EACrE,MAAMC,UAA8B,EAAE;AACtC,OAAK,MAAM,KAAK,OAAO,QACrB,KACE,KACA,OAAO,MAAM,YACb,OAAQ,EAAkB,aAAa,YACvC,OAAQ,EAAkB,eAAe,SAEzC,SAAQ,KAAK;GACX,UAAW,EAAkB;GAC7B,YAAa,EAAkB;GAChC,CAAC;AAGN,SAAO,EAAE,SAAS,SAAS;SACrB;AAEN,SAAO,EAAE,SAAS,EAAE,EAAE;;;;;;;;;;;;;;;AAgB1B,IAAIC,eAA8B,QAAQ,SAAS;;;;;AAMnD,SAAgB,iBAAiB,UAAiC;CAChE,MAAM,OAAO,aAAa,KAAK,YAAY;AACzC,QAAM,GAAG,MAAM,MAAM,SAAS,EAAE,WAAW,MAAM,CAAC;EAIlD,MAAM,YAHU,MAAM,YAAY,EAGT,QAAQ,QAAQ,MAAM,EAAE,aAAa,SAAS;AACvE,WAAS,KAAK;GAAE;GAAU,YAAY,KAAK,KAAK;GAAE,CAAC;EAEnD,MAAM,MAAM,KAAK,KAAK;EAItB,MAAMC,SAAqB,EAAE,SAHd,SACZ,QAAQ,MAAM,MAAM,EAAE,aAAa,kBAAkB,CACrD,MAAM,CAAC,mBAAmB,EACiB;EAM9C,MAAM,MAAM,GAAG,YAAY,CAAC,OAAO,QAAQ,IAAI,GAAG,YAAY,EAAE,CAAC,SAC/D,MACD;AACD,MAAI;AACF,SAAM,uBAAuB,KAAK,KAAK,UAAU,QAAQ,MAAM,EAAE,CAAC;AAClE,SAAM,GAAG,OAAO,KAAK,YAAY,CAAC;WAC3B,KAAK;AAEZ,SAAM,GAAG,OAAO,IAAI,CAAC,YAAY,GAAG;AACpC,SAAM;;GAER;AAIF,gBAAe,KAAK,YAAY,OAAU;AAC1C,QAAO;;AAGT,SAAS,WAAW,KAAsB;AACxC,KAAI,CAAC,OAAO,UAAU,IAAI,IAAI,OAAO,EAAG,QAAO;AAC/C,KAAI;AACF,UAAQ,KAAK,KAAK,EAAE;AACpB,SAAO;UACA,KAAK;AAIZ,MAHc,IAA8B,SAG/B,QAAS,QAAO;AAC7B,SAAO;;;;;;;;;;;;;;;AAgBX,eAAsB,4BAA2C;CAC/D,MAAM,SAAS,MAAM,YAAY;AACjC,KAAI,OAAO,QAAQ,WAAW,EAAG;CACjC,MAAM,cAAc,iBAAiB;AACrC,MAAK,MAAM,SAAS,OAAO,SAAS;EAClC,MAAM,SAAS,KAAK,KAAK,MAAM,UAAU,QAAQ,mBAAmB;EACpE,IAAIC;AACJ,MAAI;AACF,WAAQ,MAAM,GAAG,QAAQ,OAAO;UAC1B;AACN;;AAEF,OAAK,MAAM,QAAQ,OAAO;GACxB,MAAM,IAAI,qBAAqB,KAAK,KAAK;AACzC,OAAI,CAAC,EAAG;GACR,MAAM,MAAM,OAAO,SAAS,EAAE,IAAI,GAAG;GACrC,MAAM,OAAO,EAAE;AAEf,OADe,WAAW,IAAI,IAAI,SAAS,YAC/B;GAEZ,MAAM,UAAU,KAAK,KAAK,QAAQ,KAAK;GACvC,MAAM,SAAS,UAAU,IAAI,GAAG,KAAK,GAAG,EAAE;AAC1C,OAAI;AAMF,iBACE,OACA;KAAC;KAAM,MAAM;KAAU;KAAY;KAAU;KAAW;KAAQ,EAChE;KAAE,OAAO;KAAU,SAAS;KAAQ,aAAa;KAAM,CACxD;WACK;AAGR,OAAI;AACF,iBACE,OACA;KAAC;KAAM,MAAM;KAAU;KAAU;KAAM;KAAO,EAC9C;KAAE,OAAO;KAAU,SAAS;KAAO,aAAa;KAAM,CACvD;WACK;AAGR,OAAI;AACF,UAAM,GAAG,GAAG,SAAS;KAAE,WAAW;KAAM,OAAO;KAAM,CAAC;WAChD"}

package/dist/{lifecycle-DpnTmHCo.js → lifecycle-zr19Ot-e.js}

@@ -1,4 +1,4 @@
-import "./paths-cZle37Jp.js";
-import { a as sweepRegistry, i as registerExitHandlers, n as getInstanceUuid, o as sweepStaleWorktreesAtBoot, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-CpnAVVQ_.js";
+import "./paths-lwEqM5-i.js";
+import { a as sweepRegistry, i as registerExitHandlers, n as getInstanceUuid, o as sweepStaleWorktreesAtBoot, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-DU0UI2t5.js";
 
 export { WorktreeRegistry, getInstanceUuid, recordWorkerRepo, registerExitHandlers, sweepRegistry, sweepStaleWorktreesAtBoot };

package/dist/main.js

@@ -1,6 +1,6 @@
 #!/usr/bin/env node
-import { c as writeRuntimeFileSecure, i as removeOwnClaudeConfigMirror, n as ensureClaudeConfigMirror, r as ensurePaths, t as PATHS } from "./paths-cZle37Jp.js";
-import { a as sweepRegistry, i as registerExitHandlers, n as getInstanceUuid, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-CpnAVVQ_.js";
+import { c as writeRuntimeFileSecure, i as removeOwnClaudeConfigMirror, n as ensureClaudeConfigMirror, r as ensurePaths, t as PATHS } from "./paths-lwEqM5-i.js";
+import { a as sweepRegistry, i as registerExitHandlers, n as getInstanceUuid, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-DU0UI2t5.js";
 import { createRequire } from "node:module";
 import { defineCommand, runMain } from "citty";
 import consola from "consola";
@@ -447,8 +447,8 @@ function normalizeModelId(id) {
 * 6. Return as-is with a warning
 */
 function resolveModel(modelId) {
-	const models = state.models?.data;
-	if (!models) return modelId;
+	const models$1 = state.models?.data;
+	if (!models$1) return modelId;
 	const oneMMatch = modelId.match(/^(.*)\[1m\]$/i);
 	if (oneMMatch) {
 		const stripped = oneMMatch[1];
@@ -456,31 +456,31 @@ function resolveModel(modelId) {
 		if (!/-1m(?:$|-)/.test(resolved)) consola.warn(`Model "${modelId}" requested 1M context but no -1m backend is in Copilot's catalog for this tier/family; downgrading upstream to "${resolved}" (200K). Claude Code's local context accounting will still assume 1M — expect premature auto-compact. Drop the [1m] suffix (or unset CLAUDE_CODE_DISABLE_1M_CONTEXT if you set it) to silence.`);
 		return resolved;
 	}
-	if (models.some((m) => m.id === modelId)) return modelId;
+	if (models$1.some((m) => m.id === modelId)) return modelId;
 	const lower = modelId.toLowerCase();
-	const ciMatch = models.find((m) => m.id.toLowerCase() === lower);
+	const ciMatch = models$1.find((m) => m.id.toLowerCase() === lower);
 	if (ciMatch) return ciMatch.id;
 	if (lower.includes("opus")) {
-		const oneMs = models.filter((m) => m.id.includes("opus") && /-1m(?:$|-)/.test(m.id));
+		const oneMs = models$1.filter((m) => m.id.includes("opus") && /-1m(?:$|-)/.test(m.id));
 		const versionMatch = lower.match(/opus-(\d+)[.-](\d+)/);
 		const requestedVersion = versionMatch ? `${versionMatch[1]}.${versionMatch[2]}` : void 0;
 		const oneM = (requestedVersion ? oneMs.find((m) => m.id.includes(`opus-${requestedVersion}-`)) : void 0) ?? (requestedVersion ? void 0 : oneMs[0]);
 		if (oneM) return oneM.id;
 	}
 	if (lower.includes("codex")) {
-		const codexModels = models.filter((m) => m.id.includes("codex") && !m.id.includes("mini"));
+		const codexModels = models$1.filter((m) => m.id.includes("codex") && !m.id.includes("mini"));
 		if (codexModels.length > 0) {
 			codexModels.sort((a, b) => b.id.localeCompare(a.id));
 			return codexModels[0].id;
 		}
 	}
 	const normalized = normalizeModelId(modelId);
-	const normMatch = models.find((m) => normalizeModelId(m.id) === normalized);
+	const normMatch = models$1.find((m) => normalizeModelId(m.id) === normalized);
 	if (normMatch) return normMatch.id;
 	const dateStripped = modelId.replace(/^(claude-[\w.-]+)-20\d{6}$/i, "$1");
 	if (dateStripped !== modelId) {
 		const retried = resolveModel(dateStripped);
-		if (retried !== dateStripped || models.some((m) => m.id === dateStripped)) {
+		if (retried !== dateStripped || models$1.some((m) => m.id === dateStripped)) {
 			consola.info(`Resolved Anthropic dated slug "${modelId}" → "${retried}" (stripped -YYYYMMDD; pass an explicit catalog id to pin a snapshot)`);
 			return retried;
 		}
@@ -490,7 +490,7 @@ function resolveModel(modelId) {
 		const matchHaiku = /(?:^|-)haiku(?:-|$)/.test(lower);
 		if (matchSonnet || matchHaiku) {
 			const family = matchSonnet ? "sonnet" : "haiku";
-			const familyMembers = models.filter((m) => (/* @__PURE__ */ new RegExp(`(?:^|-)${family}(?:-|$|\\.)`)).test(m.id));
+			const familyMembers = models$1.filter((m) => (/* @__PURE__ */ new RegExp(`(?:^|-)${family}(?:-|$|\\.)`)).test(m.id));
 			if (familyMembers.length > 0) {
 				familyMembers.sort((a, b) => b.id.localeCompare(a.id, void 0, { numeric: true }));
 				const best = familyMembers[0].id;
@@ -499,7 +499,7 @@ function resolveModel(modelId) {
 			}
 		}
 	}
-	consola.warn(`Model "${modelId}" not found in Copilot model list. Available: ${models.map((m) => m.id).join(", ")}`);
+	consola.warn(`Model "${modelId}" not found in Copilot model list. Available: ${models$1.map((m) => m.id).join(", ")}`);
 	return modelId;
 }
 /**
@@ -508,10 +508,10 @@ function resolveModel(modelId) {
 */
 function resolveCodexModel(modelId) {
 	const resolved = resolveModel(modelId);
-	const models = state.models?.data;
-	if (!models) return resolved;
-	if (models.some((m) => m.id === resolved)) return resolved;
-	const candidates = models.filter((m) => {
+	const models$1 = state.models?.data;
+	if (!models$1) return resolved;
+	if (models$1.some((m) => m.id === resolved)) return resolved;
+	const candidates = models$1.filter((m) => {
 		const endpoints = m.supported_endpoints ?? [];
 		if (m.id.includes("mini") || m.id.includes("nano")) return false;
 		return endpoints.length === 0 || endpoints.includes("/responses");
@@ -971,9 +971,9 @@ function pickClaudeDefault(opusFamily = DEFAULT_OPUS_FAMILY) {
 	const versionPattern = dotted.replace(/\./g, "[.-]");
 	const oneMRegex = new RegExp(`opus-${versionPattern}-1m(?:$|-)`, "i");
 	const familyRegex = new RegExp(`opus-${versionPattern}(?:$|[-.])`, "i");
-	const models = state.models?.data ?? [];
-	const has1m = models.some((m) => oneMRegex.test(m.id));
-	if (opusFamily !== DEFAULT_OPUS_FAMILY && state.models && models.length > 0 && !models.some((m) => familyRegex.test(m.id))) consola.warn(`Requested Opus family "${dotted}" not found in Copilot catalog; using "${bareSlug}" anyway (resolveModel may not find a backend for it).`);
+	const models$1 = state.models?.data ?? [];
+	const has1m = models$1.some((m) => oneMRegex.test(m.id));
+	if (opusFamily !== DEFAULT_OPUS_FAMILY && state.models && models$1.length > 0 && !models$1.some((m) => familyRegex.test(m.id))) consola.warn(`Requested Opus family "${dotted}" not found in Copilot catalog; using "${bareSlug}" anyway (resolveModel may not find a backend for it).`);
 	if (has1m) {
 		consola.info(`Catalog contains opus-${dotted}-1m variant; defaulting ANTHROPIC_MODEL to "${bareSlug}[1m]" so Claude Code accounts for 1M context locally. Set CLAUDE_CODE_DISABLE_1M_CONTEXT=1 to opt out (HIPAA), or pass --model ${bareSlug} to pin 200K.`);
 		return `${bareSlug}[1m]`;
@@ -3197,7 +3197,7 @@ function logAudit$1(record) {
 		try {
 			const fs$2 = await import("node:fs/promises");
 			const path$2 = await import("node:path");
-			const { PATHS: PATHS$1 } = await import("./paths-B7jmIPYq.js");
+			const { PATHS: PATHS$1 } = await import("./paths-nd-94lLq.js");
 			const dir = path$2.join(PATHS$1.APP_DIR, "browser-mcp");
 			await fs$2.mkdir(dir, { recursive: true });
 			const line = JSON.stringify({
@@ -3651,9 +3651,9 @@ const MODELS = {};
 //#endregion
 //#region src/vendor/pi/ai/models.ts
 const modelRegistry = /* @__PURE__ */ new Map();
-for (const [provider, models] of Object.entries(MODELS)) {
+for (const [provider, models$1] of Object.entries(MODELS)) {
 	const providerModels = /* @__PURE__ */ new Map();
-	for (const [id, model] of Object.entries(models)) providerModels.set(id, model);
+	for (const [id, model] of Object.entries(models$1)) providerModels.set(id, model);
 	modelRegistry.set(provider, providerModels);
 }
 
@@ -6338,9 +6338,9 @@ function checkAuth(c) {
 	return { ok: true };
 }
 function geminiAvailable() {
-	const models = state.models?.data;
-	if (!models) return false;
-	return models.some((m) => /^gemini-3\..*pro/i.test(m.id));
+	const models$1 = state.models?.data;
+	if (!models$1) return false;
+	return models$1.some((m) => /^gemini-3\..*pro/i.test(m.id));
 }
 /**
 * Gate for the `stand_in` tool.
@@ -6364,11 +6364,11 @@ function geminiAvailable() {
 * land under the dotted slug, so we match by Copilot's actual id shape.
 */
 function standInToolEnabled() {
-	const models = state.models?.data;
-	if (!models) return false;
-	const hasGpt55 = models.some((m) => m.id === "gpt-5.5");
-	const hasOpus = models.some((m) => m.id === "claude-opus-4-7" || m.id === "claude-opus-4.7");
-	const hasGeminiPro = models.some((m) => /^gemini-3\..*pro/i.test(m.id));
+	const models$1 = state.models?.data;
+	if (!models$1) return false;
+	const hasGpt55 = models$1.some((m) => m.id === "gpt-5.5");
+	const hasOpus = models$1.some((m) => m.id === "claude-opus-4-7" || m.id === "claude-opus-4.7");
+	const hasGeminiPro = models$1.some((m) => /^gemini-3\..*pro/i.test(m.id));
 	return hasGpt55 && hasOpus && hasGeminiPro;
 }
 /**
@@ -6398,9 +6398,9 @@ function standInToolEnabled() {
 */
 function workerToolsEnabled() {
 	if (process.env.GH_ROUTER_DISABLE_WORKER_TOOLS === "1") return false;
-	const models = state.models?.data;
-	if (!models) return false;
-	const found = models.find((m) => m.id === DEFAULT_MODEL);
+	const models$1 = state.models?.data;
+	if (!models$1) return false;
+	const found = models$1.find((m) => m.id === DEFAULT_MODEL);
 	if (!found) return false;
 	return found.capabilities?.supports?.tool_calls === true;
 }
@@ -9073,9 +9073,9 @@ function lookupPersona(critic) {
 	return persona;
 }
 function geminiInCatalog() {
-	const models = state.models?.data;
-	if (!models) return false;
-	return models.some((m) => /^gemini-3\..*pro/i.test(m.id));
+	const models$1 = state.models?.data;
+	if (!models$1) return false;
+	return models$1.some((m) => /^gemini-3\..*pro/i.test(m.id));
 }
 const ADVISOR_PARAMS = Type.Object({ concern: Type.String({
 	description: "What you want a second pair of eyes on — your current approach, the blocker you're stuck on, or the decision you're about to commit. Required: the advisor needs a focal point.",
@@ -11459,7 +11459,7 @@ function initProxyFromEnv() {
 //#endregion
 //#region package.json
 var name = "github-router";
-var version = "0.3.41";
+var version = "0.3.42";
 
 //#endregion
 //#region src/lib/approval.ts
@@ -11518,7 +11518,7 @@ async function doCheck(state$1, ticket) {
 /**
 * Format a number with K/M suffix for compact display.
 */
-function formatTokens(n) {
+function formatTokens$1(n) {
 	if (n >= 1e6) return `${(n / 1e6).toFixed(1)}M`;
 	if (n >= 1e3) return `${(n / 1e3).toFixed(1)}K`;
 	return String(n);
@@ -11532,9 +11532,9 @@ function formatTokenInfo(inputTokens, outputTokens, model) {
 	const maxPrompt = model?.capabilities?.limits?.max_prompt_tokens;
 	if (maxPrompt) {
 		const pct = (inputTokens / maxPrompt * 100).toFixed(1);
-		parts.push(`in:${formatTokens(inputTokens)}/${formatTokens(maxPrompt)} (${pct}%)`);
-	} else parts.push(`in:${formatTokens(inputTokens)}`);
-	if (outputTokens !== void 0) parts.push(`out:${formatTokens(outputTokens)}`);
+		parts.push(`in:${formatTokens$1(inputTokens)}/${formatTokens$1(maxPrompt)} (${pct}%)`);
+	} else parts.push(`in:${formatTokens$1(inputTokens)}`);
+	if (outputTokens !== void 0) parts.push(`out:${formatTokens$1(outputTokens)}`);
 	return parts.join(" ");
 }
 /**
@@ -12703,7 +12703,7 @@ const modelRoutes = new Hono();
 modelRoutes.get("/", async (c) => {
 	try {
 		if (!state.models) await cacheModels();
-		const models = state.models?.data.map((model) => {
+		const models$1 = state.models?.data.map((model) => {
 			const { requestHeaders,...rest } = model;
 			return {
 				...rest,
@@ -12717,7 +12717,7 @@ modelRoutes.get("/", async (c) => {
 		});
 		return c.json({
 			object: "list",
-			data: models,
+			data: models$1,
 			has_more: false
 		});
 	} catch (error) {
@@ -13673,6 +13673,154 @@ const debug = defineCommand({
 	}
 });
 
+//#endregion
+//#region src/models.ts
+const models = defineCommand({
+	meta: {
+		name: "models",
+		description: "List available GitHub Copilot models and their capabilities. Pass an optional pattern to filter (case-insensitive substring match on id, name, vendor, family)."
+	},
+	args: {
+		pattern: {
+			type: "positional",
+			required: false,
+			description: "Substring to filter models by (matches id, name, vendor, or family)."
+		},
+		json: {
+			type: "boolean",
+			default: false,
+			description: "Emit raw JSON instead of the pretty layout."
+		}
+	},
+	async run({ args }) {
+		await ensurePaths();
+		await setupGitHubToken();
+		try {
+			await setupCopilotToken();
+		} catch (err) {
+			consola.error("Failed to obtain Copilot token:", err);
+			process.exit(1);
+		}
+		let catalog;
+		try {
+			catalog = await getModels();
+		} catch (err) {
+			consola.error("Failed to fetch Copilot model catalog:", err);
+			process.exit(1);
+		}
+		const all = catalog.data;
+		const pattern = args.pattern?.toString().trim();
+		const filtered = pattern ? filterModels(all, pattern) : all;
+		if (args.json) {
+			process.stdout.write(`${JSON.stringify(filtered, null, 2)}\n`);
+			return;
+		}
+		if (filtered.length === 0) {
+			consola.warn(`No models matched "${pattern}". ${all.length} models available — try a different substring or run without an argument to list everything.`);
+			process.exit(1);
+		}
+		const grouped = groupByVendor(filtered);
+		const lines = [];
+		const header = pattern ? `${filtered.length}/${all.length} models match "${pattern}"` : `${all.length} models available`;
+		lines.push(header);
+		lines.push("");
+		for (const [vendor, list] of grouped) {
+			lines.push(`▾ ${vendor} (${list.length})`);
+			for (const model of list) lines.push(...formatModel(model));
+			lines.push("");
+		}
+		process.stdout.write(lines.join("\n"));
+	}
+});
+function filterModels(models$1, pattern) {
+	const needle = pattern.toLowerCase();
+	return models$1.filter((m) => {
+		return [
+			m.id,
+			m.name,
+			m.vendor,
+			m.capabilities.family,
+			m.capabilities.type,
+			m.model_picker_category ?? ""
+		].join(" ").toLowerCase().includes(needle);
+	});
+}
+function groupByVendor(models$1) {
+	const map = /* @__PURE__ */ new Map();
+	for (const m of models$1) {
+		const key = m.vendor || "(unknown vendor)";
+		const bucket = map.get(key);
+		if (bucket) bucket.push(m);
+		else map.set(key, [m]);
+	}
+	return [...map.entries()].sort(([a], [b]) => a.localeCompare(b));
+}
+function formatModel(model) {
+	const lines = [];
+	const tags = [];
+	if (model.preview) tags.push("preview");
+	if (model.is_chat_default) tags.push("chat-default");
+	if (model.is_chat_fallback) tags.push("chat-fallback");
+	if (model.billing?.is_premium) tags.push("premium");
+	if (model.billing?.restricted_to?.length) tags.push(`restricted:${model.billing.restricted_to.join("/")}`);
+	if (model.policy && model.policy.state !== "enabled") tags.push(`policy:${model.policy.state}`);
+	const tagStr = tags.length > 0 ? ` [${tags.join(", ")}]` : "";
+	lines.push(`  • ${model.id}${tagStr}`);
+	if (model.name && model.name !== model.id) lines.push(`      name: ${model.name}`);
+	const meta = [`family: ${model.capabilities.family}`, `type: ${model.capabilities.type}`];
+	if (model.capabilities.tokenizer) meta.push(`tokenizer: ${model.capabilities.tokenizer}`);
+	if (model.version) meta.push(`version: ${model.version}`);
+	lines.push(`      ${meta.join("  ·  ")}`);
+	const limits = model.capabilities.limits;
+	const limitParts = [];
+	if (limits.max_context_window_tokens) limitParts.push(`ctx ${formatTokens(limits.max_context_window_tokens)}`);
+	else if (limits.max_prompt_tokens) limitParts.push(`prompt ${formatTokens(limits.max_prompt_tokens)}`);
+	if (limits.max_output_tokens) limitParts.push(`out ${formatTokens(limits.max_output_tokens)}`);
+	if (limits.max_non_streaming_output_tokens && limits.max_non_streaming_output_tokens !== limits.max_output_tokens) limitParts.push(`out-non-stream ${formatTokens(limits.max_non_streaming_output_tokens)}`);
+	if (limits.max_inputs) limitParts.push(`inputs ${limits.max_inputs}`);
+	if (limits.vision?.max_prompt_images) limitParts.push(`images ${limits.vision.max_prompt_images}`);
+	if (limitParts.length > 0) lines.push(`      limits: ${limitParts.join("  ·  ")}`);
+	const supports = model.capabilities.supports;
+	const supportFlags = [];
+	if (supports.tool_calls) supportFlags.push("tools");
+	if (supports.parallel_tool_calls) supportFlags.push("parallel-tools");
+	if (supports.streaming) supportFlags.push("streaming");
+	if (supports.vision) supportFlags.push("vision");
+	if (supports.structured_outputs) supportFlags.push("structured-outputs");
+	if (supports.dimensions) supportFlags.push("dimensions");
+	if (supports.adaptive_thinking) {
+		const min = supports.min_thinking_budget;
+		const max = supports.max_thinking_budget;
+		const range = min !== void 0 && max !== void 0 ? `(${formatTokens(min)}-${formatTokens(max)})` : "";
+		supportFlags.push(`adaptive-thinking${range}`);
+	}
+	if (supports.reasoning_effort && supports.reasoning_effort.length > 0) supportFlags.push(`reasoning:${supports.reasoning_effort.join("/")}`);
+	if (supportFlags.length > 0) lines.push(`      supports: ${supportFlags.join(", ")}`);
+	if (model.supported_endpoints && model.supported_endpoints.length > 0) lines.push(`      endpoints: ${model.supported_endpoints.join(", ")}`);
+	if (model.billing) {
+		const billParts = [];
+		if (model.billing.is_premium) billParts.push("premium");
+		if (typeof model.billing.multiplier === "number") billParts.push(`×${model.billing.multiplier}`);
+		if (billParts.length > 0) lines.push(`      billing: ${billParts.join(" ")}`);
+	}
+	return lines;
+}
+/**
+* Format a token count in a compact human-readable form: `1024` →
+* `1k`, `4096` → `4k`, `131072` → `128k`, `1048576` → `1M`. Prefer
+* binary multiples (mebi, kibi) since Claude Code / Copilot context
+* windows are reported in binary units (`1M context` = 1024 × 1024
+* tokens). Fall back to decimal (`64k` for `64000`) when the value
+* is a clean decimal multiple but not binary.
+*/
+function formatTokens(n) {
+	if (n >= 1048576 && n % 1048576 === 0) return `${n / 1048576}M`;
+	if (n >= 1024 && n % 1024 === 0) return `${n / 1024}k`;
+	if (n >= 1e6 && n % 1e6 === 0) return `${n / 1e6}M`;
+	if (n >= 1e3 && n % 1e3 === 0) return `${n / 1e3}k`;
+	return `${n}`;
+}
+
 //#endregion
 //#region src/lib/shell.ts
 function getShell() {
@@ -13809,6 +13957,7 @@ await runMain(defineCommand({
 		start,
 		claude,
 		codex,
+		models,
 		"check-usage": checkUsage,
 		debug
 	}