gsd-pi 2.63.0 → 2.64.0-dev.9c14bd0

package/src/resources/extensions/gsd/workflow-projections.ts

@@ -19,6 +19,22 @@ import { logWarning } from "./workflow-logger.js";
 import { deriveState } from "./state.js";
 import type { GSDState } from "./types.js";
 
+// ─── Helpers ─────────────────────────────────────────────────────────────
+
+/**
+ * Strip a leading ID prefix (e.g. "M001: " or "S04: ") from a title
+ * to prevent double-prefixing when the renderer adds its own prefix.
+ * Handles repeated prefixes (e.g. "M001: M001: M001: Title" → "Title").
+ */
+export function stripIdPrefix(title: string, id: string): string {
+  const prefix = `${id}: `;
+  let result = title;
+  while (result.startsWith(prefix)) {
+    result = result.slice(prefix.length);
+  }
+  return result.trim() || title;
+}
+
 // ─── PLAN.md Projection ──────────────────────────────────────────────────
 
 /**
@@ -28,7 +44,8 @@ import type { GSDState } from "./types.js";
 export function renderPlanContent(sliceRow: SliceRow, taskRows: TaskRow[]): string {
   const lines: string[] = [];
 
-  lines.push(`# ${sliceRow.id}: ${sliceRow.title}`);
+  const displayTitle = stripIdPrefix(sliceRow.title, sliceRow.id);
+  lines.push(`# ${sliceRow.id}: ${displayTitle}`);
   lines.push("");
   // #2945: never use full_summary_md/full_uat_md as display fallbacks —
   // they contain multi-line rendered markdown that corrupts single-line fields.
@@ -97,7 +114,8 @@ export function renderPlanProjection(basePath: string, milestoneId: string, slic
 export function renderRoadmapContent(milestoneRow: MilestoneRow, sliceRows: SliceRow[]): string {
   const lines: string[] = [];
 
-  lines.push(`# ${milestoneRow.id}: ${milestoneRow.title}`);
+  const displayTitle = stripIdPrefix(milestoneRow.title, milestoneRow.id);
+  lines.push(`# ${milestoneRow.id}: ${displayTitle}`);
   lines.push("");
   lines.push("## Vision");
   lines.push(milestoneRow.vision || milestoneRow.title || "TBD");
@@ -265,14 +283,14 @@ export function renderStateContent(state: GSDState): string {
   lines.push("# GSD State", "");
 
   const activeSlice = state.activeSlice
-    ? `${state.activeSlice.id}: ${state.activeSlice.title}`
+    ? `${state.activeSlice.id}: ${stripIdPrefix(state.activeSlice.title, state.activeSlice.id)}`
     : "None";
 
   if (state.phase === 'complete' && state.lastCompletedMilestone) {
     lines.push(`**Last Completed Milestone:** ${state.lastCompletedMilestone.id}: ${state.lastCompletedMilestone.title}`);
   } else {
     const activeMilestone = state.activeMilestone
-      ? `${state.activeMilestone.id}: ${state.activeMilestone.title}`
+      ? `${state.activeMilestone.id}: ${stripIdPrefix(state.activeMilestone.title, state.activeMilestone.id)}`
       : "None";
     lines.push(`**Active Milestone:** ${activeMilestone}`);
   }
@@ -286,7 +304,7 @@ export function renderStateContent(state: GSDState): string {
 
   for (const entry of state.registry) {
     const glyph = entry.status === "complete" ? "\u2705" : entry.status === "active" ? "\uD83D\uDD04" : entry.status === "parked" ? "\u23F8\uFE0F" : "\u2B1C";
-    lines.push(`- ${glyph} **${entry.id}:** ${entry.title}`);
+    lines.push(`- ${glyph} **${entry.id}:** ${stripIdPrefix(entry.title, entry.id)}`);
   }
 
   lines.push("");

package/src/resources/extensions/gsd/worktree-manager.ts

@@ -113,6 +113,22 @@ export function worktreeBranchName(name: string): string {
   return `worktree/${name}`;
 }
 
+/**
+ * Validate that a path is inside the .gsd/worktrees/ directory.
+ * Resolves symlinks and normalizes ".." traversals before comparison
+ * so that a symlink-resolved or crafted path cannot escape containment.
+ *
+ * Used as a safety gate before any destructive operation (rmSync,
+ * nativeWorktreeRemove --force) to prevent #2365-style data loss.
+ */
+export function isInsideWorktreesDir(basePath: string, targetPath: string): boolean {
+  const wtDir = resolve(worktreesDir(basePath));
+  const resolved = resolve(targetPath);
+  // The resolved path must start with the worktrees dir followed by a separator,
+  // not merely be a prefix match (e.g. ".gsd/worktrees-extra" must not match).
+  return resolved === wtDir || resolved.startsWith(wtDir + sep);
+}
+
 // ─── Core Operations ───────────────────────────────────────────────────────
 
 /**
@@ -370,16 +386,37 @@ export function removeWorktree(
   // time, so its registered path points to the resolved external location.
   // If syncStateToProjectRoot later creates a real .gsd/ directory that
   // shadows the symlink, the computed path diverges from git's record.
+  let gitReportedPath: string | null = null;
   try {
     const entries = nativeWorktreeList(basePath);
     const entry = entries.find(e => e.branch === branch);
     if (entry?.path) {
-      wtPath = entry.path;
+      gitReportedPath = entry.path;
     }
   } catch (e) { logWarning("worktree", `nativeWorktreeList parse failed: ${(e as Error).message}`); }
 
+  // Safety gate (#2365): only use the git-reported path if it is actually
+  // inside .gsd/worktrees/.  When .gsd/ was a symlink, git may have resolved
+  // it to an external directory (e.g. a project data folder).  Using that
+  // path for removal would destroy user data.
+  if (gitReportedPath && isInsideWorktreesDir(basePath, gitReportedPath)) {
+    wtPath = gitReportedPath;
+  } else if (gitReportedPath) {
+    console.error(
+      `[GSD] WARNING: git worktree list reported path outside .gsd/worktrees/: ${gitReportedPath}\n` +
+        `  Refusing to use it for removal — falling back to computed path: ${wtPath}`,
+    );
+    // Still tell git to unregister the worktree entry via its reported path,
+    // but do NOT use force and do NOT fall back to rmSync on this path.
+    try { nativeWorktreeRemove(basePath, gitReportedPath, false); } catch (e) { logWarning("worktree", `non-force worktree remove failed for ${gitReportedPath}: ${e instanceof Error ? e.message : String(e)}`); }
+  }
+
   const resolvedWtPath = existsSync(wtPath) ? realpathSync(wtPath) : wtPath;
 
+  // Double-check: the resolved path (after symlink resolution) must also be
+  // inside .gsd/worktrees/ — a symlink inside the directory could point out.
+  const resolvedPathSafe = isInsideWorktreesDir(basePath, resolvedWtPath);
+
   // If we're inside the worktree, move out first — git can't remove an in-use directory
   const cwd = process.cwd();
   const resolvedCwd = existsSync(cwd) ? realpathSync(cwd) : cwd;
@@ -453,37 +490,48 @@ export function removeWorktree(
     }
   }
 
-  // Remove worktree: try non-force first when submodules have changes,
-  // falling back to force only after submodule state has been preserved.
-  const useForce = hasSubmoduleChanges ? false : force;
-  try { nativeWorktreeRemove(basePath, resolvedWtPath, useForce); } catch (e) { logWarning("worktree", `nativeWorktreeRemove failed: ${(e as Error).message}`); }
+  // Remove worktree — only use force/rmSync when the path is safely contained
+  if (resolvedPathSafe) {
+    // Remove worktree: try non-force first when submodules have changes,
+    // falling back to force only after submodule state has been preserved.
+    const useForce = hasSubmoduleChanges ? false : force;
+    try { nativeWorktreeRemove(basePath, resolvedWtPath, useForce); } catch (e) { logWarning("worktree", `nativeWorktreeRemove failed: ${(e as Error).message}`); }
 
-  // If the directory is still there (e.g. locked), try harder with force
-  if (existsSync(resolvedWtPath)) {
-    try { nativeWorktreeRemove(basePath, resolvedWtPath, true); } catch (e) { logWarning("worktree", `nativeWorktreeRemove (force) failed: ${(e as Error).message}`); }
-  }
+    // If the directory is still there (e.g. locked), try harder with force
+    if (existsSync(resolvedWtPath)) {
+      try { nativeWorktreeRemove(basePath, resolvedWtPath, true); } catch (e) { logWarning("worktree", `nativeWorktreeRemove (force) failed: ${(e as Error).message}`); }
+    }
 
-  // (#2821) If the worktree directory STILL exists after both native removal
-  // attempts (e.g. untracked files like ASSESSMENT/UAT-RESULT prevent git
-  // worktree remove), force-remove the git internal worktree metadata first,
-  // then remove the filesystem directory. Without this, the .git/worktrees/<name>
-  // lock prevents rmSync from cleaning up, and the orphaned worktree directory
-  // causes every subsequent `/gsd auto` to re-enter the stale worktree.
-  if (existsSync(resolvedWtPath)) {
-    try {
-      const wtInternalDir = join(basePath, ".git", "worktrees", name);
-      if (existsSync(wtInternalDir)) {
-        rmSync(wtInternalDir, { recursive: true, force: true });
+    // (#2821) If the worktree directory STILL exists after both native removal
+    // attempts (e.g. untracked files like ASSESSMENT/UAT-RESULT prevent git
+    // worktree remove), force-remove the git internal worktree metadata first,
+    // then remove the filesystem directory. Without this, the .git/worktrees/<name>
+    // lock prevents rmSync from cleaning up, and the orphaned worktree directory
+    // causes every subsequent `/gsd auto` to re-enter the stale worktree.
+    if (existsSync(resolvedWtPath)) {
+      try {
+        const wtInternalDir = join(basePath, ".git", "worktrees", name);
+        if (existsSync(wtInternalDir)) {
+          rmSync(wtInternalDir, { recursive: true, force: true });
+        }
+        rmSync(resolvedWtPath, { recursive: true, force: true });
+      } catch {
+        logWarning(
+          "reconcile",
+          `Worktree directory could not be removed after git internal cleanup: ${resolvedWtPath}. ` +
+            `Manual cleanup: rm -rf "${resolvedWtPath.replaceAll("\\", "/")}"`,
+          { worktree: name },
+        );
       }
-      rmSync(resolvedWtPath, { recursive: true, force: true });
-    } catch {
-      logWarning(
-        "reconcile",
-        `Worktree directory could not be removed after git internal cleanup: ${resolvedWtPath}. ` +
-          `Manual cleanup: rm -rf "${resolvedWtPath.replaceAll("\\", "/")}"`,
-        { worktree: name },
-      );
     }
+  } else {
+    // Path is outside containment — only do a non-force git worktree remove
+    // (which refuses to delete dirty worktrees) and never fall back to rmSync.
+    console.error(
+      `[GSD] WARNING: Resolved worktree path is outside .gsd/worktrees/: ${resolvedWtPath}\n` +
+        `  Skipping forced removal to prevent data loss.`,
+    );
+    try { nativeWorktreeRemove(basePath, resolvedWtPath, false); } catch (e) { logWarning("worktree", `non-force worktree remove failed for ${resolvedWtPath}: ${e instanceof Error ? e.message : String(e)}`); }
   }
 
   // Prune stale entries so git knows the worktree is gone

package/src/resources/extensions/gsd/worktree-resolver.ts

@@ -497,10 +497,11 @@ export class WorktreeResolver {
       });
       // Surface a clear, actionable error. The worktree and milestone branch are
       // intentionally preserved — nothing has been deleted. The user can retry
-      // /gsd dispatch complete-milestone or merge manually once the underlying issue is fixed
-      // (e.g. checkout to wrong branch, unresolved conflicts). (#1668)
+      // /gsd dispatch complete-milestone or merge manually once the underlying
+      // issue is fixed (e.g. checkout to wrong branch, unresolved conflicts).
+      // (#1668, #1891)
       ctx.notify(
-        `Milestone merge failed: ${msg}. Your worktree and milestone branch are preserved — retry /gsd dispatch complete-milestone or merge manually.`,
+        `Milestone merge failed: ${msg}. Your worktree and milestone branch are preserved — retry with \`/gsd dispatch complete-milestone\` or merge manually.`,
         "warning",
       );
 

package/src/resources/extensions/mcp-client/auth.ts

@@ -0,0 +1,149 @@
+/**
+ * MCP Client OAuth / Auth helpers
+ *
+ * Builds transport options (headers, OAuthClientProvider) from MCP server
+ * config entries so that HTTP transports can authenticate with remote
+ * servers (Sentry, Linear, etc.).
+ *
+ * Fixes #2160 — MCP HTTP transport lacked an OAuth auth provider.
+ */
+
+import type { OAuthClientProvider } from "@modelcontextprotocol/sdk/client/auth.js";
+import type { StreamableHTTPClientTransportOptions } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
+
+// ─── Types ────────────────────────────────────────────────────────────────────
+
+export interface McpHttpAuthHeaders {
+	/** Static headers to attach to every request, e.g. `{ Authorization: "Bearer ${TOKEN}" }`. */
+	headers?: Record<string, string>;
+}
+
+export interface McpHttpOAuthConfig {
+	/** OAuth configuration for servers that require the full OAuth flow. */
+	oauth?: {
+		clientId: string;
+		clientSecret?: string;
+		scopes?: string[];
+		redirectUrl?: string;
+	};
+}
+
+/** Union of all auth-related config fields for an HTTP MCP server. */
+export type McpHttpAuthConfig = McpHttpAuthHeaders & McpHttpOAuthConfig;
+
+// ─── Env resolution ───────────────────────────────────────────────────────────
+
+/** Resolve `${VAR}` references in a string against `process.env`. */
+function resolveEnvValue(value: string): string {
+	return value.replace(
+		/\$\{([^}]+)\}/g,
+		(_match, varName) => process.env[varName] ?? "",
+	);
+}
+
+function resolveHeaders(raw: Record<string, string>): Record<string, string> {
+	const resolved: Record<string, string> = {};
+	for (const [key, value] of Object.entries(raw)) {
+		resolved[key] = typeof value === "string" ? resolveEnvValue(value) : value;
+	}
+	return resolved;
+}
+
+// ─── OAuth provider (minimal CLI-friendly implementation) ─────────────────────
+
+/**
+ * Creates a minimal `OAuthClientProvider` suitable for CLI / headless use.
+ *
+ * This provider supports:
+ *  - Pre-configured client credentials (client_id, optional client_secret)
+ *  - Token storage in memory (per-session)
+ *  - Scopes
+ *
+ * For full interactive OAuth flows (browser redirect), a richer provider would
+ * be needed, but for server-to-server and pre-authed scenarios this is
+ * sufficient.
+ */
+function createCliOAuthProvider(config: NonNullable<McpHttpOAuthConfig["oauth"]>): OAuthClientProvider {
+	let storedTokens: { access_token: string; token_type: string; refresh_token?: string } | undefined;
+	let storedCodeVerifier = "";
+
+	return {
+		get redirectUrl() {
+			return config.redirectUrl ?? "http://localhost:0/callback";
+		},
+
+		get clientMetadata() {
+			return {
+				redirect_uris: [config.redirectUrl ?? "http://localhost:0/callback"],
+				client_name: "gsd",
+				...(config.scopes ? { scope: config.scopes.join(" ") } : {}),
+			};
+		},
+
+		clientInformation() {
+			return {
+				client_id: config.clientId,
+				...(config.clientSecret ? { client_secret: config.clientSecret } : {}),
+			};
+		},
+
+		tokens() {
+			return storedTokens;
+		},
+
+		saveTokens(tokens) {
+			storedTokens = tokens as typeof storedTokens;
+		},
+
+		redirectToAuthorization(authorizationUrl: URL) {
+			// In a CLI context we can't open a browser automatically.
+			// Log the URL so the user can manually visit it.
+			// eslint-disable-next-line no-console
+			console.error(
+				`[MCP OAuth] Authorization required. Visit:\n  ${authorizationUrl.toString()}`,
+			);
+		},
+
+		saveCodeVerifier(codeVerifier: string) {
+			storedCodeVerifier = codeVerifier;
+		},
+
+		codeVerifier() {
+			return storedCodeVerifier;
+		},
+	};
+}
+
+// ─── Public API ───────────────────────────────────────────────────────────────
+
+/**
+ * Build `StreamableHTTPClientTransportOptions` from an MCP server config's
+ * auth-related fields.
+ *
+ * Supports two auth strategies:
+ *  1. **`headers`** — static Authorization (or other) headers, with `${VAR}` env resolution.
+ *  2. **`oauth`**  — full OAuthClientProvider for servers that implement MCP OAuth.
+ *
+ * When both are provided, `oauth` takes precedence (the SDK's built-in OAuth
+ * flow handles token refresh automatically).
+ */
+export function buildHttpTransportOpts(
+	authConfig: McpHttpAuthConfig,
+): StreamableHTTPClientTransportOptions {
+	const opts: StreamableHTTPClientTransportOptions = {};
+
+	// OAuth takes precedence
+	if (authConfig.oauth) {
+		opts.authProvider = createCliOAuthProvider(authConfig.oauth);
+		return opts;
+	}
+
+	// Static headers (with env var resolution)
+	if (authConfig.headers && Object.keys(authConfig.headers).length > 0) {
+		opts.requestInit = {
+			headers: resolveHeaders(authConfig.headers),
+		};
+	}
+
+	return opts;
+}

package/src/resources/extensions/mcp-client/index.ts

@@ -25,6 +25,8 @@ import { StdioClientTransport } from "@modelcontextprotocol/sdk/client/stdio.js"
 import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
 import { readFileSync, existsSync } from "node:fs";
 import { join } from "node:path";
+import { buildHttpTransportOpts } from "./auth.js";
+import type { McpHttpAuthConfig } from "./auth.js";
 
 // ─── Types ────────────────────────────────────────────────────────────────────
 
@@ -36,6 +38,10 @@ interface McpServerConfig {
 	env?: Record<string, string>;
 	url?: string;
 	cwd?: string;
+	/** Static headers for HTTP transport (supports ${VAR} env resolution). */
+	headers?: Record<string, string>;
+	/** OAuth config for HTTP transport. */
+	oauth?: McpHttpAuthConfig["oauth"];
 }
 
 interface McpToolSchema {
@@ -87,6 +93,9 @@ function readConfigs(): McpServerConfig[] {
 						? "http"
 						: "unknown";
 
+				const hasHeaders = hasUrl && config.headers && typeof config.headers === "object";
+				const hasOAuth = hasUrl && config.oauth && typeof config.oauth === "object";
+
 				servers.push({
 					name,
 					transport,
@@ -99,6 +108,8 @@ function readConfigs(): McpServerConfig[] {
 						cwd: typeof config.cwd === "string" ? config.cwd : undefined,
 					}),
 					...(hasUrl && { url: config.url as string }),
+					headers: hasHeaders ? config.headers as Record<string, string> : undefined,
+					oauth: hasOAuth ? config.oauth as McpHttpAuthConfig["oauth"] : undefined,
 				});
 			}
 		} catch {
@@ -159,7 +170,11 @@ async function getOrConnect(name: string, signal?: AbortSignal): Promise<Client>
 			/\$\{([^}]+)\}/g,
 			(_, varName) => process.env[varName] ?? "",
 		);
-		transport = new StreamableHTTPClientTransport(new URL(resolvedUrl));
+		const httpOpts = buildHttpTransportOpts({
+			headers: config.headers,
+			oauth: config.oauth,
+		});
+		transport = new StreamableHTTPClientTransport(new URL(resolvedUrl), httpOpts);
 	} else {
 		throw new Error(`Server "${config.name}" has unsupported transport: ${config.transport}`);
 	}

package/src/resources/extensions/ollama/index.ts

@@ -17,19 +17,10 @@
  */
 
 import { importExtensionModule, type ExtensionAPI } from "@gsd/pi-coding-agent";
-import type { OpenAICompletionsCompat } from "@gsd/pi-ai";
 import * as client from "./ollama-client.js";
-import { discoverModels, getOllamaOpenAIBaseUrl } from "./ollama-discovery.js";
+import { discoverModels } from "./ollama-discovery.js";
 import { registerOllamaCommands } from "./ollama-commands.js";
-
-/** Default compat settings for Ollama models via OpenAI-compat endpoint */
-const OLLAMA_COMPAT: OpenAICompletionsCompat = {
-	supportsDeveloperRole: false,
-	supportsReasoningEffort: false,
-	supportsUsageInStreaming: false,
-	maxTokensField: "max_tokens",
-	supportsStore: false,
-};
+import { streamOllamaChat } from "./ollama-chat-provider.js";
 
 let toolsPromise: Promise<void> | null = null;
 
@@ -68,12 +59,18 @@ async function probeAndRegister(pi: ExtensionAPI): Promise<boolean> {
 	const models = await discoverModels();
 	if (models.length === 0) return true; // Running but no models pulled
 
-	const baseUrl = getOllamaOpenAIBaseUrl();
+	const baseUrl = client.getOllamaHost();
 
+	// Use authMode "apiKey" with a dummy key (#3440).
+	// authMode "none" requires a custom streamSimple handler, but Ollama uses
+	// the standard OpenAI-compatible streaming endpoint. Ollama ignores the
+	// Authorization header so the dummy key is harmless.
 	pi.registerProvider("ollama", {
-		authMode: "none",
+		authMode: "apiKey",
+		apiKey: "ollama",
 		baseUrl,
-		api: "openai-completions",
+		api: "ollama-chat",
+		streamSimple: streamOllamaChat,
 		isReady: () => true,
 		models: models.map((m) => ({
 			id: m.id,
@@ -83,7 +80,7 @@ async function probeAndRegister(pi: ExtensionAPI): Promise<boolean> {
 			cost: m.cost,
 			contextWindow: m.contextWindow,
 			maxTokens: m.maxTokens,
-			compat: OLLAMA_COMPAT,
+			providerOptions: (m.ollamaOptions ?? {}) as Record<string, unknown>,
 		})),
 	});
 
@@ -108,16 +105,20 @@ export default function ollama(pi: ExtensionAPI) {
 			await registerOllamaTools(pi);
 		}
 
-		// Async probe — don't block startup
-		probeAndRegister(pi)
-			.then((found) => {
-				if (found && ctx.hasUI) {
-					ctx.ui.setStatus("ollama", "Ollama");
-				}
-			})
-			.catch(() => {
-				// Silently ignore probe failures
-			});
+		// In headless/auto mode, await the probe so the fallback resolver can
+		// see Ollama before the first LLM call (#3531 race condition).
+		// In interactive mode, keep it async for fast startup.
+		if (!ctx.hasUI) {
+			try {
+				await probeAndRegister(pi);
+			} catch { /* non-fatal */ }
+		} else {
+			probeAndRegister(pi)
+				.then((found) => {
+					if (found) ctx.ui.setStatus("ollama", "Ollama");
+				})
+				.catch(() => {});
+		}
 	});
 
 	pi.on("session_shutdown", async () => {

package/src/resources/extensions/ollama/model-capabilities.ts

@@ -8,11 +8,15 @@
  * Fallback: estimate from parameter count if model isn't in the table.
  */
 
+import type { OllamaChatOptions } from "./types.js";
+
 export interface ModelCapability {
 	contextWindow?: number;
 	maxTokens?: number;
 	input?: ("text" | "image")[];
 	reasoning?: boolean;
+	/** Ollama-specific default inference options for this model family. */
+	ollamaOptions?: OllamaChatOptions;
 }
 
 /**
@@ -20,58 +24,61 @@ export interface ModelCapability {
  * Keys are matched as prefixes against the model name (before the colon/tag).
  * More specific entries should appear first.
  */
+// Note: ollamaOptions.num_ctx is set for known model families where the context
+// window is authoritative. For unknown/estimated models, num_ctx is NOT sent
+// to avoid OOM risk — Ollama uses its own safe default instead.
 const KNOWN_MODELS: Array<[pattern: string, caps: ModelCapability]> = [
 	// ─── Reasoning models ───────────────────────────────────────────────
-	["deepseek-r1", { contextWindow: 131072, reasoning: true }],
-	["qwq", { contextWindow: 131072, reasoning: true }],
+	["deepseek-r1", { contextWindow: 131072, reasoning: true, ollamaOptions: { num_ctx: 131072 } }],
+	["qwq", { contextWindow: 131072, reasoning: true, ollamaOptions: { num_ctx: 131072 } }],
 
 	// ─── Vision models ──────────────────────────────────────────────────
-	["llava", { contextWindow: 4096, input: ["text", "image"] }],
-	["bakllava", { contextWindow: 4096, input: ["text", "image"] }],
-	["moondream", { contextWindow: 8192, input: ["text", "image"] }],
-	["llama3.2-vision", { contextWindow: 131072, input: ["text", "image"] }],
-	["minicpm-v", { contextWindow: 4096, input: ["text", "image"] }],
+	["llava", { contextWindow: 4096, input: ["text", "image"], ollamaOptions: { num_ctx: 4096 } }],
+	["bakllava", { contextWindow: 4096, input: ["text", "image"], ollamaOptions: { num_ctx: 4096 } }],
+	["moondream", { contextWindow: 8192, input: ["text", "image"], ollamaOptions: { num_ctx: 8192 } }],
+	["llama3.2-vision", { contextWindow: 131072, input: ["text", "image"], ollamaOptions: { num_ctx: 131072 } }],
+	["minicpm-v", { contextWindow: 4096, input: ["text", "image"], ollamaOptions: { num_ctx: 4096 } }],
 
 	// ─── Code models ────────────────────────────────────────────────────
-	["codestral", { contextWindow: 262144, maxTokens: 32768 }],
-	["qwen2.5-coder", { contextWindow: 131072, maxTokens: 32768 }],
-	["deepseek-coder-v2", { contextWindow: 131072, maxTokens: 16384 }],
-	["starcoder2", { contextWindow: 16384, maxTokens: 8192 }],
-	["codegemma", { contextWindow: 8192, maxTokens: 8192 }],
-	["codellama", { contextWindow: 16384, maxTokens: 8192 }],
-	["devstral", { contextWindow: 131072, maxTokens: 32768 }],
+	["codestral", { contextWindow: 262144, maxTokens: 32768, ollamaOptions: { num_ctx: 262144 } }],
+	["qwen2.5-coder", { contextWindow: 131072, maxTokens: 32768, ollamaOptions: { num_ctx: 131072 } }],
+	["deepseek-coder-v2", { contextWindow: 131072, maxTokens: 16384, ollamaOptions: { num_ctx: 131072 } }],
+	["starcoder2", { contextWindow: 16384, maxTokens: 8192, ollamaOptions: { num_ctx: 16384 } }],
+	["codegemma", { contextWindow: 8192, maxTokens: 8192, ollamaOptions: { num_ctx: 8192 } }],
+	["codellama", { contextWindow: 16384, maxTokens: 8192, ollamaOptions: { num_ctx: 16384 } }],
+	["devstral", { contextWindow: 131072, maxTokens: 32768, ollamaOptions: { num_ctx: 131072 } }],
 
 	// ─── Llama family ───────────────────────────────────────────────────
-	["llama3.3", { contextWindow: 131072, maxTokens: 16384 }],
-	["llama3.2", { contextWindow: 131072, maxTokens: 16384 }],
-	["llama3.1", { contextWindow: 131072, maxTokens: 16384 }],
-	["llama3", { contextWindow: 8192, maxTokens: 8192 }],
-	["llama2", { contextWindow: 4096, maxTokens: 4096 }],
+	["llama3.3", { contextWindow: 131072, maxTokens: 16384, ollamaOptions: { num_ctx: 131072 } }],
+	["llama3.2", { contextWindow: 131072, maxTokens: 16384, ollamaOptions: { num_ctx: 131072 } }],
+	["llama3.1", { contextWindow: 131072, maxTokens: 16384, ollamaOptions: { num_ctx: 131072 } }],
+	["llama3", { contextWindow: 8192, maxTokens: 8192, ollamaOptions: { num_ctx: 8192 } }],
+	["llama2", { contextWindow: 4096, maxTokens: 4096, ollamaOptions: { num_ctx: 4096 } }],
 
 	// ─── Qwen family ────────────────────────────────────────────────────
-	["qwen3", { contextWindow: 131072, maxTokens: 32768 }],
-	["qwen2.5", { contextWindow: 131072, maxTokens: 32768 }],
-	["qwen2", { contextWindow: 131072, maxTokens: 32768 }],
+	["qwen3", { contextWindow: 131072, maxTokens: 32768, ollamaOptions: { num_ctx: 131072 } }],
+	["qwen2.5", { contextWindow: 131072, maxTokens: 32768, ollamaOptions: { num_ctx: 131072 } }],
+	["qwen2", { contextWindow: 131072, maxTokens: 32768, ollamaOptions: { num_ctx: 131072 } }],
 
 	// ─── Gemma family ───────────────────────────────────────────────────
-	["gemma3", { contextWindow: 131072, maxTokens: 16384 }],
-	["gemma2", { contextWindow: 8192, maxTokens: 8192 }],
+	["gemma3", { contextWindow: 131072, maxTokens: 16384, ollamaOptions: { num_ctx: 131072 } }],
+	["gemma2", { contextWindow: 8192, maxTokens: 8192, ollamaOptions: { num_ctx: 8192 } }],
 
 	// ─── Mistral family ─────────────────────────────────────────────────
-	["mistral-large", { contextWindow: 131072, maxTokens: 16384 }],
-	["mistral-small", { contextWindow: 131072, maxTokens: 16384 }],
-	["mistral-nemo", { contextWindow: 131072, maxTokens: 16384 }],
-	["mistral", { contextWindow: 32768, maxTokens: 8192 }],
-	["mixtral", { contextWindow: 32768, maxTokens: 8192 }],
+	["mistral-large", { contextWindow: 131072, maxTokens: 16384, ollamaOptions: { num_ctx: 131072 } }],
+	["mistral-small", { contextWindow: 131072, maxTokens: 16384, ollamaOptions: { num_ctx: 131072 } }],
+	["mistral-nemo", { contextWindow: 131072, maxTokens: 16384, ollamaOptions: { num_ctx: 131072 } }],
+	["mistral", { contextWindow: 32768, maxTokens: 8192, ollamaOptions: { num_ctx: 32768 } }],
+	["mixtral", { contextWindow: 32768, maxTokens: 8192, ollamaOptions: { num_ctx: 32768 } }],
 
 	// ─── Phi family ─────────────────────────────────────────────────────
-	["phi4", { contextWindow: 16384, maxTokens: 16384 }],
-	["phi3.5", { contextWindow: 131072, maxTokens: 16384 }],
-	["phi3", { contextWindow: 131072, maxTokens: 4096 }],
+	["phi4", { contextWindow: 16384, maxTokens: 16384, ollamaOptions: { num_ctx: 16384 } }],
+	["phi3.5", { contextWindow: 131072, maxTokens: 16384, ollamaOptions: { num_ctx: 131072 } }],
+	["phi3", { contextWindow: 131072, maxTokens: 4096, ollamaOptions: { num_ctx: 131072 } }],
 
 	// ─── Command R ──────────────────────────────────────────────────────
-	["command-r-plus", { contextWindow: 131072, maxTokens: 16384 }],
-	["command-r", { contextWindow: 131072, maxTokens: 16384 }],
+	["command-r-plus", { contextWindow: 131072, maxTokens: 16384, ollamaOptions: { num_ctx: 131072 } }],
+	["command-r", { contextWindow: 131072, maxTokens: 16384, ollamaOptions: { num_ctx: 131072 } }],
 ];
 
 /**