gsd-pi 2.69.0 → 2.70.0

package/packages/pi-ai/src/providers/anthropic.ts

@@ -34,9 +34,6 @@ async function getAnthropicClass(): Promise<typeof Anthropic> {
 	return _AnthropicClass;
 }
 
-// Stealth mode: Mimic Claude Code's tool naming exactly
-const claudeCodeVersion = "2.1.62";
-
 function mergeHeaders(...headerSources: (Record<string, string> | undefined)[]): Record<string, string> {
 	const merged: Record<string, string> = {};
 	for (const headers of headerSources) {
@@ -47,10 +44,6 @@ function mergeHeaders(...headerSources: (Record<string, string> | undefined)[]):
 	return merged;
 }
 
-function isOAuthToken(apiKey: string): boolean {
-	return apiKey.includes("sk-ant-oat");
-}
-
 async function createClient(
 	model: Model<"anthropic-messages">,
 	apiKey: string,
@@ -97,30 +90,7 @@ async function createClient(
 		betaFeatures.push("interleaved-thinking-2025-05-14");
 	}
 
-	// OAuth: Bearer auth, Claude Code identity headers
-	if (isOAuthToken(apiKey)) {
-		const client = new AnthropicClass({
-			apiKey: null,
-			authToken: apiKey,
-			baseURL: model.baseUrl,
-			dangerouslyAllowBrowser: true,
-			defaultHeaders: mergeHeaders(
-				{
-					accept: "application/json",
-					"anthropic-dangerous-direct-browser-access": "true",
-					...(betaFeatures.length > 0 ? { "anthropic-beta": `claude-code-20250219,oauth-2025-04-20,${betaFeatures.join(",")}` } : {}),
-					"user-agent": `claude-cli/${claudeCodeVersion}`,
-					"x-app": "cli",
-				},
-				model.headers,
-				optionsHeaders,
-			),
-		});
-
-		return { client, isOAuthToken: true };
-	}
-
-	// API key auth
+	// API key auth (Anthropic OAuth removed per TOS compliance — use API keys or Claude CLI)
 	// Alibaba Coding Plan uses Bearer token auth instead of x-api-key
 	const isAlibabaProvider = model.provider === "alibaba-coding-plan";
 	const client = new AnthropicClass({

package/packages/pi-ai/src/utils/oauth/index.ts

@@ -3,14 +3,14 @@
  *
  * This module handles login, token refresh, and credential storage
  * for OAuth-based providers:
- * - Anthropic (Claude Pro/Max)
  * - GitHub Copilot
  * - Google Cloud Code Assist (Gemini CLI)
  * - Antigravity (Gemini 3, Claude, GPT-OSS via Google Cloud)
+ *
+ * Note: Anthropic OAuth was removed per TOS compliance (see docs/user-docs/claude-code-auth-compliance.md).
+ * Use API keys or the local Claude Code CLI for Anthropic access.
  */
 
-// Anthropic
-export { anthropicOAuthProvider, loginAnthropic, refreshAnthropicToken } from "./anthropic.js";
 // GitHub Copilot
 export {
 	getGitHubCopilotBaseUrl,
@@ -32,7 +32,6 @@ export * from "./types.js";
 // Provider Registry
 // ============================================================================
 
-import { anthropicOAuthProvider } from "./anthropic.js";
 import { githubCopilotOAuthProvider } from "./github-copilot.js";
 import { antigravityOAuthProvider } from "./google-antigravity.js";
 import { geminiCliOAuthProvider } from "./google-gemini-cli.js";
@@ -40,7 +39,6 @@ import { openaiCodexOAuthProvider } from "./openai-codex.js";
 import type { OAuthCredentials, OAuthProviderId, OAuthProviderInterface } from "./types.js";
 
 const BUILT_IN_OAUTH_PROVIDERS: OAuthProviderInterface[] = [
-	anthropicOAuthProvider,
 	githubCopilotOAuthProvider,
 	geminiCliOAuthProvider,
 	antigravityOAuthProvider,

package/packages/pi-coding-agent/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@gsd/pi-coding-agent",
-  "version": "2.69.0",
+  "version": "2.70.0",
   "description": "Coding agent CLI (vendored from pi-mono)",
   "type": "module",
   "piConfig": {

package/pkg/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@glittercowboy/gsd",
-  "version": "2.69.0",
+  "version": "2.70.0",
   "piConfig": {
     "name": "gsd",
     "configDir": ".gsd"

package/src/resources/extensions/gsd/bootstrap/system-context.ts

@@ -19,6 +19,7 @@ import { deriveState } from "../state.js";
 import { formatOverridesSection, formatShortcut, loadActiveOverrides, loadFile, parseContinue, parseSummary } from "../files.js";
 import { toPosixPath } from "../../shared/mod.js";
 import { markCmuxPromptShown, shouldPromptToEnableCmux } from "../../cmux/index.js";
+import { autoEnableCmuxPreferences } from "../commands-cmux.js";
 
 const gsdHome = process.env.GSD_HOME || join(homedir(), ".gsd");
 
@@ -76,13 +77,16 @@ export async function buildBeforeAgentStartResult(
     shortcutDashboard: formatShortcut("Ctrl+Alt+G"),
     shortcutShell: formatShortcut("Ctrl+Alt+B"),
   });
-  const loadedPreferences = loadEffectiveGSDPreferences();
+  let loadedPreferences = loadEffectiveGSDPreferences();
   if (shouldPromptToEnableCmux(loadedPreferences?.preferences)) {
     markCmuxPromptShown();
-    ctx.ui.notify(
-      "cmux detected. Run /gsd cmux on to enable sidebar metadata, notifications, and visual subagent splits for this project.",
-      "info",
-    );
+    if (autoEnableCmuxPreferences()) {
+      loadedPreferences = loadEffectiveGSDPreferences();
+      ctx.ui.notify(
+        "cmux detected — auto-enabled. Run /gsd cmux off to disable.",
+        "info",
+      );
+    }
   }
 
   let preferenceBlock = "";

package/src/resources/extensions/gsd/commands-cmux.ts

@@ -1,5 +1,5 @@
 import type { ExtensionCommandContext } from "@gsd/pi-coding-agent";
-import { existsSync, readFileSync } from "node:fs";
+import { existsSync, readFileSync, writeFileSync } from "node:fs";
 import { clearCmuxSidebar, CmuxClient, detectCmuxEnvironment, resolveCmuxConfig } from "../cmux/index.js";
 import { saveFile } from "./files.js";
 import {
@@ -9,6 +9,37 @@ import {
 } from "./preferences.js";
 import { ensurePreferencesFile, serializePreferencesToFrontmatter } from "./commands-prefs-wizard.js";
 
+/**
+ * Auto-enable cmux in project preferences when detected but never configured.
+ * Called at boot (before agent start) — no ExtensionCommandContext needed.
+ * Returns true if preferences were written, false if skipped.
+ */
+export function autoEnableCmuxPreferences(): boolean {
+  const path = getProjectGSDPreferencesPath();
+  if (!existsSync(path)) return false;
+
+  const existing = loadProjectGSDPreferences();
+  const prefs: Record<string, unknown> = existing?.preferences ? { ...existing.preferences } : { version: 1 };
+  prefs.cmux = {
+    enabled: true,
+    notifications: true,
+    sidebar: true,
+    splits: false,
+    browser: false,
+    ...((prefs.cmux as Record<string, unknown> | undefined) ?? {}),
+  };
+  (prefs.cmux as Record<string, unknown>).enabled = true;
+  prefs.version = prefs.version || 1;
+
+  const frontmatter = serializePreferencesToFrontmatter(prefs);
+  let body = "\n# GSD Skill Preferences\n\nSee `~/.gsd/agent/extensions/gsd/docs/preferences-reference.md` for full field documentation and examples.\n";
+  const preserved = extractBodyAfterFrontmatter(readFileSync(path, "utf-8"));
+  if (preserved) body = preserved;
+
+  writeFileSync(path, `---\n${frontmatter}---${body}`, "utf-8");
+  return true;
+}
+
 function extractBodyAfterFrontmatter(content: string): string | null {
   const start = content.startsWith("---\n") ? 4 : content.startsWith("---\r\n") ? 5 : -1;
   if (start === -1) return null;

package/src/resources/extensions/gsd/tests/cmux.test.ts

@@ -1,7 +1,8 @@
-import test, { describe } from "node:test";
+import test, { describe, beforeEach, afterEach } from "node:test";
 import assert from "node:assert/strict";
 import * as fs from "node:fs";
 import * as path from "node:path";
+import { tmpdir } from "node:os";
 import { fileURLToPath } from "node:url";
 import {
   buildCmuxProgress,
@@ -12,6 +13,7 @@ import {
   resolveCmuxConfig,
   shouldPromptToEnableCmux,
 } from "../../cmux/index.ts";
+import { autoEnableCmuxPreferences } from "../commands-cmux.ts";
 import type { GSDState } from "../types.ts";
 
 test("detectCmuxEnvironment requires workspace, surface, and socket", () => {
@@ -79,6 +81,70 @@ test("shouldPromptToEnableCmux only prompts once per session", () => {
   resetCmuxPromptState();
 });
 
+describe("autoEnableCmuxPreferences", () => {
+  let tmp: string;
+  let originalCwd: string;
+
+  beforeEach(() => {
+    originalCwd = process.cwd();
+    tmp = fs.mkdtempSync(path.join(tmpdir(), "cmux-auto-test-"));
+    fs.mkdirSync(path.join(tmp, ".gsd"), { recursive: true });
+    process.chdir(tmp);
+  });
+
+  afterEach(() => {
+    process.chdir(originalCwd);
+    fs.rmSync(tmp, { recursive: true, force: true });
+  });
+
+  test("writes cmux.enabled true when preferences file exists with no cmux config", () => {
+    const prefsPath = path.join(tmp, ".gsd", "preferences.md");
+    fs.writeFileSync(prefsPath, [
+      "---",
+      "version: 1",
+      "---",
+      "",
+      "# GSD Skill Preferences",
+    ].join("\n"));
+
+    const result = autoEnableCmuxPreferences();
+    assert.equal(result, true);
+
+    const content = fs.readFileSync(prefsPath, "utf-8");
+    assert.ok(content.includes("enabled: true"), "should write enabled: true");
+    assert.ok(content.includes("notifications: true"), "should default notifications on");
+    assert.ok(content.includes("sidebar: true"), "should default sidebar on");
+    assert.ok(content.includes("splits: false"), "should default splits off");
+  });
+
+  test("returns false when preferences file does not exist", () => {
+    const result = autoEnableCmuxPreferences();
+    assert.equal(result, false);
+  });
+
+  test("preserves existing cmux sub-preferences when auto-enabling", () => {
+    const prefsPath = path.join(tmp, ".gsd", "preferences.md");
+    fs.writeFileSync(prefsPath, [
+      "---",
+      "version: 1",
+      "cmux:",
+      "  splits: true",
+      "  browser: true",
+      "---",
+      "",
+      "# GSD Skill Preferences",
+    ].join("\n"));
+
+    const result = autoEnableCmuxPreferences();
+    assert.equal(result, true);
+
+    const content = fs.readFileSync(prefsPath, "utf-8");
+    assert.ok(content.includes("enabled: true"), "should set enabled: true");
+    assert.ok(content.includes("splits: true"), "should preserve existing splits: true");
+    assert.ok(content.includes("browser: true"), "should preserve existing browser: true");
+  });
+});
+
 test("buildCmuxStatusLabel and progress prefer deepest active unit", () => {
   const state: GSDState = {
     activeMilestone: { id: "M001", title: "Milestone" },

package/src/resources/extensions/gsd/tests/mcp-project-config.test.ts

@@ -26,8 +26,12 @@ test("ensureProjectWorkflowMcpConfig creates .mcp.json with the workflow server"
     assert.equal(typeof server?.command, "string");
     assert.equal(Array.isArray(server?.args), true);
     assert.equal(server?.env?.GSD_WORKFLOW_PROJECT_ROOT, projectRoot);
-    assert.match(server?.env?.GSD_WORKFLOW_EXECUTORS_MODULE ?? "", /workflow-tool-executors\.js$/);
-    assert.match(server?.env?.GSD_WORKFLOW_WRITE_GATE_MODULE ?? "", /write-gate\.js$/);
+    assert.match(server?.env?.GSD_WORKFLOW_EXECUTORS_MODULE ?? "", /workflow-tool-executors\.(js|ts)$/);
+    assert.match(server?.env?.GSD_WORKFLOW_WRITE_GATE_MODULE ?? "", /write-gate\.(js|ts)$/);
+    if ((server?.env?.GSD_WORKFLOW_EXECUTORS_MODULE ?? "").endsWith(".ts")) {
+      assert.match(server?.env?.NODE_OPTIONS ?? "", /--experimental-strip-types/);
+      assert.match(server?.env?.NODE_OPTIONS ?? "", /resolve-ts\.mjs/);
+    }
   } finally {
     rmSync(projectRoot, { recursive: true, force: true });
   }

package/src/resources/extensions/gsd/tests/workflow-mcp.test.ts

@@ -141,7 +141,11 @@ test("detectWorkflowMcpLaunchConfig resolves the bundled server relative to the
   assert.match(launch?.env?.GSD_WORKFLOW_EXECUTORS_MODULE ?? "", /workflow-tool-executors\.(js|ts)$/);
   assert.match(launch?.env?.GSD_WORKFLOW_WRITE_GATE_MODULE ?? "", /write-gate\.(js|ts)$/);
   assert.equal(typeof launch?.args?.[0], "string");
-  assert.match(launch?.args?.[0] ?? "", /packages[\/\\]mcp-server[\/\\]dist[\/\\]cli\.js$/);
+  assert.match(launch?.args?.[0] ?? "", /packages[\/\\]mcp-server[\/\\](dist[\/\\]cli\.js|src[\/\\]cli\.ts)$/);
+  if ((launch?.args?.[0] ?? "").endsWith(".ts")) {
+    assert.match(launch?.env?.NODE_OPTIONS ?? "", /--experimental-strip-types/);
+    assert.match(launch?.env?.NODE_OPTIONS ?? "", /resolve-ts\.mjs/);
+  }
 });
 
 test("detectWorkflowMcpLaunchConfig resolves the bundled server relative to the package without env hints", () => {
@@ -154,7 +158,11 @@ test("detectWorkflowMcpLaunchConfig resolves the bundled server relative to the
   assert.match(launch?.env?.GSD_WORKFLOW_EXECUTORS_MODULE ?? "", /workflow-tool-executors\.(js|ts)$/);
   assert.match(launch?.env?.GSD_WORKFLOW_WRITE_GATE_MODULE ?? "", /write-gate\.(js|ts)$/);
   assert.equal(typeof launch?.args?.[0], "string");
-  assert.match(launch?.args?.[0] ?? "", /packages[\/\\]mcp-server[\/\\]dist[\/\\]cli\.js$/);
+  assert.match(launch?.args?.[0] ?? "", /packages[\/\\]mcp-server[\/\\](dist[\/\\]cli\.js|src[\/\\]cli\.ts)$/);
+  if ((launch?.args?.[0] ?? "").endsWith(".ts")) {
+    assert.match(launch?.env?.NODE_OPTIONS ?? "", /--experimental-strip-types/);
+    assert.match(launch?.env?.NODE_OPTIONS ?? "", /resolve-ts\.mjs/);
+  }
 });
 
 test("workflow MCP launch config reaches mutation tools over stdio", async () => {
@@ -165,12 +173,16 @@ test("workflow MCP launch config reaches mutation tools over stdio", async () =>
   assert.ok(launch, "expected a workflow MCP launch config");
   assert.match(
     launch.env?.GSD_WORKFLOW_EXECUTORS_MODULE ?? "",
-    /dist[\/\\]resources[\/\\]extensions[\/\\]gsd[\/\\]tools[\/\\]workflow-tool-executors\.js$/,
+    /(dist[\/\\]resources[\/\\]extensions[\/\\]gsd[\/\\]tools[\/\\]workflow-tool-executors\.js|src[\/\\]resources[\/\\]extensions[\/\\]gsd[\/\\]tools[\/\\]workflow-tool-executors\.(js|ts))$/,
   );
   assert.match(
     launch.env?.GSD_WORKFLOW_WRITE_GATE_MODULE ?? "",
-    /dist[\/\\]resources[\/\\]extensions[\/\\]gsd[\/\\]bootstrap[\/\\]write-gate\.js$/,
+    /(dist[\/\\]resources[\/\\]extensions[\/\\]gsd[\/\\]bootstrap[\/\\]write-gate\.js|src[\/\\]resources[\/\\]extensions[\/\\]gsd[\/\\]bootstrap[\/\\]write-gate\.(js|ts))$/,
   );
+  if ((launch.env?.GSD_WORKFLOW_EXECUTORS_MODULE ?? "").endsWith(".ts")) {
+    assert.match(launch.env?.NODE_OPTIONS ?? "", /--experimental-strip-types/);
+    assert.match(launch.env?.NODE_OPTIONS ?? "", /resolve-ts\.mjs/);
+  }
 
   const client = new Client({ name: "workflow-mcp-transport-test", version: "1.0.0" });
   const transport = new StdioClientTransport({
@@ -189,6 +201,10 @@ test("workflow MCP launch config reaches mutation tools over stdio", async () =>
       (tools.tools ?? []).some((tool) => tool.name === "gsd_plan_slice"),
       "expected workflow MCP surface to expose gsd_plan_slice",
     );
+    assert.ok(
+      (tools.tools ?? []).some((tool) => tool.name === "ask_user_questions"),
+      "expected workflow MCP surface to expose ask_user_questions",
+    );
 
     const milestoneResult = await client.callTool(
       {
@@ -465,18 +481,18 @@ test("transport compatibility now allows replan-slice over workflow MCP surface"
 test("transport compatibility still blocks units whose MCP tools are not exposed", () => {
   const error = getWorkflowTransportSupportError(
     "claude-code",
-    ["gsd_skip_slice"],
+    ["secure_env_collect"],
     {
       projectRoot: "/tmp/project",
       env: { GSD_WORKFLOW_MCP_COMMAND: "node" },
       surface: "auto-mode",
-      unitType: "skip-slice",
+      unitType: "guided-discussion",
       authMode: "externalCli",
       baseUrl: "local://claude-code",
     },
   );
 
-  assert.match(error ?? "", /requires gsd_skip_slice/);
+  assert.match(error ?? "", /requires secure_env_collect/);
   assert.match(error ?? "", /currently exposes only/);
 });
 

package/src/resources/extensions/gsd/workflow-mcp.ts

@@ -1,7 +1,7 @@
 import { execSync } from "node:child_process";
 import { existsSync } from "node:fs";
 import { dirname, resolve } from "node:path";
-import { fileURLToPath } from "node:url";
+import { fileURLToPath, pathToFileURL } from "node:url";
 
 export interface WorkflowMcpLaunchConfig {
   name: string;
@@ -21,22 +21,35 @@ export interface WorkflowCapabilityOptions {
 }
 
 const MCP_WORKFLOW_TOOL_SURFACE = new Set([
+  "ask_user_questions",
+  "gsd_decision_save",
   "gsd_complete_milestone",
   "gsd_complete_task",
   "gsd_complete_slice",
+  "gsd_generate_milestone_id",
+  "gsd_journal_query",
   "gsd_milestone_complete",
+  "gsd_milestone_generate_id",
   "gsd_milestone_status",
   "gsd_milestone_validate",
+  "gsd_plan_task",
   "gsd_plan_milestone",
   "gsd_plan_slice",
   "gsd_replan_slice",
   "gsd_reassess_roadmap",
+  "gsd_requirement_save",
+  "gsd_requirement_update",
   "gsd_roadmap_reassess",
+  "gsd_save_decision",
   "gsd_save_gate_result",
+  "gsd_save_requirement",
+  "gsd_skip_slice",
   "gsd_slice_replan",
   "gsd_slice_complete",
   "gsd_summary_save",
+  "gsd_task_plan",
   "gsd_task_complete",
+  "gsd_update_requirement",
   "gsd_validate_milestone",
 ]);
 
@@ -95,6 +108,8 @@ function getBundledWorkflowMcpCliPath(env: NodeJS.ProcessEnv): string | null {
   }
 
   const candidates = [
+    resolve(fileURLToPath(new URL("../../../../packages/mcp-server/src/cli.ts", import.meta.url))),
+    resolve(fileURLToPath(new URL("../../../../../packages/mcp-server/src/cli.ts", import.meta.url))),
     resolve(fileURLToPath(new URL("../../../../packages/mcp-server/dist/cli.js", import.meta.url))),
     resolve(fileURLToPath(new URL("../../../../../packages/mcp-server/dist/cli.js", import.meta.url))),
   ];
@@ -108,9 +123,9 @@ function getBundledWorkflowMcpCliPath(env: NodeJS.ProcessEnv): string | null {
 
 function getBundledWorkflowExecutorModulePath(): string | null {
   const candidates = [
-    resolve(fileURLToPath(new URL("../../../../dist/resources/extensions/gsd/tools/workflow-tool-executors.js", import.meta.url))),
     resolve(fileURLToPath(new URL("./tools/workflow-tool-executors.js", import.meta.url))),
     resolve(fileURLToPath(new URL("./tools/workflow-tool-executors.ts", import.meta.url))),
+    resolve(fileURLToPath(new URL("../../../../dist/resources/extensions/gsd/tools/workflow-tool-executors.js", import.meta.url))),
   ];
 
   for (const candidate of candidates) {
@@ -122,9 +137,9 @@ function getBundledWorkflowExecutorModulePath(): string | null {
 
 function getBundledWorkflowWriteGateModulePath(): string | null {
   const candidates = [
-    resolve(fileURLToPath(new URL("../../../../dist/resources/extensions/gsd/bootstrap/write-gate.js", import.meta.url))),
     resolve(fileURLToPath(new URL("./bootstrap/write-gate.js", import.meta.url))),
     resolve(fileURLToPath(new URL("./bootstrap/write-gate.ts", import.meta.url))),
+    resolve(fileURLToPath(new URL("../../../../dist/resources/extensions/gsd/bootstrap/write-gate.js", import.meta.url))),
   ];
 
   for (const candidate of candidates) {
@@ -134,19 +149,58 @@ function getBundledWorkflowWriteGateModulePath(): string | null {
   return null;
 }
 
+function getResolveTsHookPath(): string | null {
+  const candidates = [
+    resolve(fileURLToPath(new URL("./tests/resolve-ts.mjs", import.meta.url))),
+    resolve(fileURLToPath(new URL("../../../../src/resources/extensions/gsd/tests/resolve-ts.mjs", import.meta.url))),
+  ];
+
+  for (const candidate of candidates) {
+    if (existsSync(candidate)) return candidate;
+  }
+
+  return null;
+}
+
+function mergeNodeOptions(existing: string | undefined, additions: string[]): string | undefined {
+  const tokens = (existing ?? "").split(/\s+/).map((value) => value.trim()).filter(Boolean);
+  for (const addition of additions) {
+    if (!tokens.includes(addition)) {
+      tokens.push(addition);
+    }
+  }
+  return tokens.length > 0 ? tokens.join(" ") : undefined;
+}
+
 function buildWorkflowLaunchEnv(
   projectRoot: string,
   gsdCliPath: string | undefined,
   explicitEnv?: Record<string, string>,
+  workflowCliPath?: string,
 ): Record<string, string> {
   const executorModulePath = getBundledWorkflowExecutorModulePath();
   const writeGateModulePath = getBundledWorkflowWriteGateModulePath();
+  const resolveTsHookPath = getResolveTsHookPath();
+  const wantsSourceTs =
+    Boolean(resolveTsHookPath) &&
+    (
+      (workflowCliPath?.endsWith(".ts") ?? false) ||
+      (executorModulePath?.endsWith(".ts") ?? false) ||
+      (writeGateModulePath?.endsWith(".ts") ?? false)
+    );
+  const nodeOptions = wantsSourceTs
+    ? mergeNodeOptions(explicitEnv?.NODE_OPTIONS, [
+        "--experimental-strip-types",
+        `--import=${pathToFileURL(resolveTsHookPath!).href}`,
+      ])
+    : explicitEnv?.NODE_OPTIONS;
 
   return {
     ...(explicitEnv ?? {}),
     ...(gsdCliPath ? { GSD_CLI_PATH: gsdCliPath } : {}),
     ...(executorModulePath ? { GSD_WORKFLOW_EXECUTORS_MODULE: executorModulePath } : {}),
     ...(writeGateModulePath ? { GSD_WORKFLOW_WRITE_GATE_MODULE: writeGateModulePath } : {}),
+    ...(nodeOptions ? { NODE_OPTIONS: nodeOptions } : {}),
     GSD_PERSIST_WRITE_GATE_STATE: "1",
     GSD_WORKFLOW_PROJECT_ROOT: projectRoot,
   };
@@ -188,7 +242,7 @@ export function detectWorkflowMcpLaunchConfig(
       command: process.execPath,
       args: [distCli],
       cwd: resolvedWorkflowProjectRoot,
-      env: buildWorkflowLaunchEnv(resolvedWorkflowProjectRoot, gsdCliPath),
+      env: buildWorkflowLaunchEnv(resolvedWorkflowProjectRoot, gsdCliPath, undefined, distCli),
     };
   }
 
@@ -199,7 +253,7 @@ export function detectWorkflowMcpLaunchConfig(
       command: process.execPath,
       args: [bundledCli],
       cwd: resolvedWorkflowProjectRoot,
-      env: buildWorkflowLaunchEnv(resolvedWorkflowProjectRoot, gsdCliPath),
+      env: buildWorkflowLaunchEnv(resolvedWorkflowProjectRoot, gsdCliPath, undefined, bundledCli),
     };
   }
 

package/packages/pi-ai/dist/utils/oauth/anthropic.d.ts

@@ -1,17 +0,0 @@
-/**
- * Anthropic OAuth flow (Claude Pro/Max)
- */
-import type { OAuthCredentials, OAuthProviderInterface } from "./types.js";
-/**
- * Login with Anthropic OAuth (device code flow)
- *
- * @param onAuthUrl - Callback to handle the authorization URL (e.g., open browser)
- * @param onPromptCode - Callback to prompt user for the authorization code
- */
-export declare function loginAnthropic(onAuthUrl: (url: string) => void, onPromptCode: () => Promise<string>): Promise<OAuthCredentials>;
-/**
- * Refresh Anthropic OAuth token
- */
-export declare function refreshAnthropicToken(refreshToken: string): Promise<OAuthCredentials>;
-export declare const anthropicOAuthProvider: OAuthProviderInterface;
-//# sourceMappingURL=anthropic.d.ts.map

package/packages/pi-ai/dist/utils/oauth/anthropic.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"anthropic.d.ts","sourceRoot":"","sources":["../../../src/utils/oauth/anthropic.ts"],"names":[],"mappings":"AAAA;;GAEG;AAGH,OAAO,KAAK,EAAE,gBAAgB,EAAuB,sBAAsB,EAAE,MAAM,YAAY,CAAC;AAShG;;;;;GAKG;AACH,wBAAsB,cAAc,CACnC,SAAS,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,EAChC,YAAY,EAAE,MAAM,OAAO,CAAC,MAAM,CAAC,GACjC,OAAO,CAAC,gBAAgB,CAAC,CA+D3B;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC,CA4B3F;AAED,eAAO,MAAM,sBAAsB,EAAE,sBAkBpC,CAAC"}

package/packages/pi-ai/dist/utils/oauth/anthropic.js

@@ -1,106 +0,0 @@
-/**
- * Anthropic OAuth flow (Claude Pro/Max)
- */
-import { generatePKCE } from "./pkce.js";
-const decode = (s) => atob(s);
-const CLIENT_ID = decode("OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl");
-const AUTHORIZE_URL = "https://claude.ai/oauth/authorize";
-const TOKEN_URL = "https://platform.claude.com/v1/oauth/token";
-const REDIRECT_URI = "https://platform.claude.com/oauth/code/callback";
-const SCOPES = "org:create_api_key user:profile user:inference";
-/**
- * Login with Anthropic OAuth (device code flow)
- *
- * @param onAuthUrl - Callback to handle the authorization URL (e.g., open browser)
- * @param onPromptCode - Callback to prompt user for the authorization code
- */
-export async function loginAnthropic(onAuthUrl, onPromptCode) {
-    const { verifier, challenge } = await generatePKCE();
-    // Build authorization URL
-    const authParams = new URLSearchParams({
-        code: "true",
-        client_id: CLIENT_ID,
-        response_type: "code",
-        redirect_uri: REDIRECT_URI,
-        scope: SCOPES,
-        code_challenge: challenge,
-        code_challenge_method: "S256",
-        state: verifier,
-    });
-    const authUrl = `${AUTHORIZE_URL}?${authParams.toString()}`;
-    // Notify caller with URL to open
-    onAuthUrl(authUrl);
-    // Wait for user to paste authorization code (format: code#state)
-    const authCode = await onPromptCode();
-    const splits = authCode.split("#");
-    const code = splits[0];
-    const state = splits[1];
-    // Exchange code for tokens
-    const tokenResponse = await fetch(TOKEN_URL, {
-        method: "POST",
-        headers: {
-            "Content-Type": "application/json",
-        },
-        body: JSON.stringify({
-            grant_type: "authorization_code",
-            client_id: CLIENT_ID,
-            code: code,
-            state: state,
-            redirect_uri: REDIRECT_URI,
-            code_verifier: verifier,
-        }),
-        signal: AbortSignal.timeout(30_000),
-    });
-    if (!tokenResponse.ok) {
-        const error = await tokenResponse.text();
-        throw new Error(`Token exchange failed: ${error}`);
-    }
-    const tokenData = (await tokenResponse.json());
-    // Calculate expiry time (current time + expires_in seconds - 5 min buffer)
-    const expiresAt = Date.now() + tokenData.expires_in * 1000 - 5 * 60 * 1000;
-    // Save credentials
-    return {
-        refresh: tokenData.refresh_token,
-        access: tokenData.access_token,
-        expires: expiresAt,
-    };
-}
-/**
- * Refresh Anthropic OAuth token
- */
-export async function refreshAnthropicToken(refreshToken) {
-    const response = await fetch(TOKEN_URL, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({
-            grant_type: "refresh_token",
-            client_id: CLIENT_ID,
-            refresh_token: refreshToken,
-        }),
-        signal: AbortSignal.timeout(30_000),
-    });
-    if (!response.ok) {
-        const error = await response.text();
-        throw new Error(`Anthropic token refresh failed: ${error}`);
-    }
-    const data = (await response.json());
-    return {
-        refresh: data.refresh_token,
-        access: data.access_token,
-        expires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,
-    };
-}
-export const anthropicOAuthProvider = {
-    id: "anthropic",
-    name: "Anthropic (Claude Pro/Max)",
-    async login(callbacks) {
-        return loginAnthropic((url) => callbacks.onAuth({ url }), () => callbacks.onPrompt({ message: "Paste the authorization code:" }));
-    },
-    async refreshToken(credentials) {
-        return refreshAnthropicToken(credentials.refresh);
-    },
-    getApiKey(credentials) {
-        return credentials.access;
-    },
-};
-//# sourceMappingURL=anthropic.js.map

package/packages/pi-ai/dist/utils/oauth/anthropic.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"anthropic.js","sourceRoot":"","sources":["../../../src/utils/oauth/anthropic.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,YAAY,EAAE,MAAM,WAAW,CAAC;AAGzC,MAAM,MAAM,GAAG,CAAC,CAAS,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACtC,MAAM,SAAS,GAAG,MAAM,CAAC,kDAAkD,CAAC,CAAC;AAC7E,MAAM,aAAa,GAAG,mCAAmC,CAAC;AAC1D,MAAM,SAAS,GAAG,4CAA4C,CAAC;AAC/D,MAAM,YAAY,GAAG,iDAAiD,CAAC;AACvE,MAAM,MAAM,GAAG,gDAAgD,CAAC;AAEhE;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CACnC,SAAgC,EAChC,YAAmC;IAEnC,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,YAAY,EAAE,CAAC;IAErD,0BAA0B;IAC1B,MAAM,UAAU,GAAG,IAAI,eAAe,CAAC;QACtC,IAAI,EAAE,MAAM;QACZ,SAAS,EAAE,SAAS;QACpB,aAAa,EAAE,MAAM;QACrB,YAAY,EAAE,YAAY;QAC1B,KAAK,EAAE,MAAM;QACb,cAAc,EAAE,SAAS;QACzB,qBAAqB,EAAE,MAAM;QAC7B,KAAK,EAAE,QAAQ;KACf,CAAC,CAAC;IAEH,MAAM,OAAO,GAAG,GAAG,aAAa,IAAI,UAAU,CAAC,QAAQ,EAAE,EAAE,CAAC;IAE5D,iCAAiC;IACjC,SAAS,CAAC,OAAO,CAAC,CAAC;IAEnB,iEAAiE;IACjE,MAAM,QAAQ,GAAG,MAAM,YAAY,EAAE,CAAC;IACtC,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnC,MAAM,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IACvB,MAAM,KAAK,GAAG,MAAM,CAAC,CAAC,CAAC,CAAC;IAExB,2BAA2B;IAC3B,MAAM,aAAa,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;QAC5C,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACR,cAAc,EAAE,kBAAkB;SAClC;QACD,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACpB,UAAU,EAAE,oBAAoB;YAChC,SAAS,EAAE,SAAS;YACpB,IAAI,EAAE,IAAI;YACV,KAAK,EAAE,KAAK;YACZ,YAAY,EAAE,YAAY;YAC1B,aAAa,EAAE,QAAQ;SACvB,CAAC;QACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACnC,CAAC,CAAC;IAEH,IAAI,CAAC,aAAa,CAAC,EAAE,EAAE,CAAC;QACvB,MAAM,KAAK,GAAG,MAAM,aAAa,CAAC,IAAI,EAAE,CAAC;QACzC,MAAM,IAAI,KAAK,CAAC,0BAA0B,KAAK,EAAE,CAAC,CAAC;IACpD,CAAC;IAED,MAAM,SAAS,GAAG,CAAC,MAAM,aAAa,CAAC,IAAI,EAAE,CAI5C,CAAC;IAEF,2EAA2E;IAC3E,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;IAE3E,mBAAmB;IACnB,OAAO;QACN,OAAO,EAAE,SAAS,CAAC,aAAa;QAChC,MAAM,EAAE,SAAS,CAAC,YAAY;QAC9B,OAAO,EAAE,SAAS;KAClB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,YAAoB;IAC/D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,SAAS,EAAE;QACvC,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE;QAC/C,IAAI,EAAE,IAAI,CAAC,SAAS,CAAC;YACpB,UAAU,EAAE,eAAe;YAC3B,SAAS,EAAE,SAAS;YACpB,aAAa,EAAE,YAAY;SAC3B,CAAC;QACF,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,MAAM,CAAC;KACnC,CAAC,CAAC;IAEH,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACpC,MAAM,IAAI,KAAK,CAAC,mCAAmC,KAAK,EAAE,CAAC,CAAC;IAC7D,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAIlC,CAAC;IAEF,OAAO;QACN,OAAO,EAAE,IAAI,CAAC,aAAa;QAC3B,MAAM,EAAE,IAAI,CAAC,YAAY;QACzB,OAAO,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,UAAU,GAAG,IAAI,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI;KAC5D,CAAC;AACH,CAAC;AAED,MAAM,CAAC,MAAM,sBAAsB,GAA2B;IAC7D,EAAE,EAAE,WAAW;IACf,IAAI,EAAE,4BAA4B;IAElC,KAAK,CAAC,KAAK,CAAC,SAA8B;QACzC,OAAO,cAAc,CACpB,CAAC,GAAG,EAAE,EAAE,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,GAAG,EAAE,CAAC,EAClC,GAAG,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC,CACtE,CAAC;IACH,CAAC;IAED,KAAK,CAAC,YAAY,CAAC,WAA6B;QAC/C,OAAO,qBAAqB,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;IACnD,CAAC;IAED,SAAS,CAAC,WAA6B;QACtC,OAAO,WAAW,CAAC,MAAM,CAAC;IAC3B,CAAC;CACD,CAAC","sourcesContent":["/**\n * Anthropic OAuth flow (Claude Pro/Max)\n */\n\nimport { generatePKCE } from \"./pkce.js\";\nimport type { OAuthCredentials, OAuthLoginCallbacks, OAuthProviderInterface } from \"./types.js\";\n\nconst decode = (s: string) => atob(s);\nconst CLIENT_ID = decode(\"OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl\");\nconst AUTHORIZE_URL = \"https://claude.ai/oauth/authorize\";\nconst TOKEN_URL = \"https://platform.claude.com/v1/oauth/token\";\nconst REDIRECT_URI = \"https://platform.claude.com/oauth/code/callback\";\nconst SCOPES = \"org:create_api_key user:profile user:inference\";\n\n/**\n * Login with Anthropic OAuth (device code flow)\n *\n * @param onAuthUrl - Callback to handle the authorization URL (e.g., open browser)\n * @param onPromptCode - Callback to prompt user for the authorization code\n */\nexport async function loginAnthropic(\n\tonAuthUrl: (url: string) => void,\n\tonPromptCode: () => Promise<string>,\n): Promise<OAuthCredentials> {\n\tconst { verifier, challenge } = await generatePKCE();\n\n\t// Build authorization URL\n\tconst authParams = new URLSearchParams({\n\t\tcode: \"true\",\n\t\tclient_id: CLIENT_ID,\n\t\tresponse_type: \"code\",\n\t\tredirect_uri: REDIRECT_URI,\n\t\tscope: SCOPES,\n\t\tcode_challenge: challenge,\n\t\tcode_challenge_method: \"S256\",\n\t\tstate: verifier,\n\t});\n\n\tconst authUrl = `${AUTHORIZE_URL}?${authParams.toString()}`;\n\n\t// Notify caller with URL to open\n\tonAuthUrl(authUrl);\n\n\t// Wait for user to paste authorization code (format: code#state)\n\tconst authCode = await onPromptCode();\n\tconst splits = authCode.split(\"#\");\n\tconst code = splits[0];\n\tconst state = splits[1];\n\n\t// Exchange code for tokens\n\tconst tokenResponse = await fetch(TOKEN_URL, {\n\t\tmethod: \"POST\",\n\t\theaders: {\n\t\t\t\"Content-Type\": \"application/json\",\n\t\t},\n\t\tbody: JSON.stringify({\n\t\t\tgrant_type: \"authorization_code\",\n\t\t\tclient_id: CLIENT_ID,\n\t\t\tcode: code,\n\t\t\tstate: state,\n\t\t\tredirect_uri: REDIRECT_URI,\n\t\t\tcode_verifier: verifier,\n\t\t}),\n\t\tsignal: AbortSignal.timeout(30_000),\n\t});\n\n\tif (!tokenResponse.ok) {\n\t\tconst error = await tokenResponse.text();\n\t\tthrow new Error(`Token exchange failed: ${error}`);\n\t}\n\n\tconst tokenData = (await tokenResponse.json()) as {\n\t\taccess_token: string;\n\t\trefresh_token: string;\n\t\texpires_in: number;\n\t};\n\n\t// Calculate expiry time (current time + expires_in seconds - 5 min buffer)\n\tconst expiresAt = Date.now() + tokenData.expires_in * 1000 - 5 * 60 * 1000;\n\n\t// Save credentials\n\treturn {\n\t\trefresh: tokenData.refresh_token,\n\t\taccess: tokenData.access_token,\n\t\texpires: expiresAt,\n\t};\n}\n\n/**\n * Refresh Anthropic OAuth token\n */\nexport async function refreshAnthropicToken(refreshToken: string): Promise<OAuthCredentials> {\n\tconst response = await fetch(TOKEN_URL, {\n\t\tmethod: \"POST\",\n\t\theaders: { \"Content-Type\": \"application/json\" },\n\t\tbody: JSON.stringify({\n\t\t\tgrant_type: \"refresh_token\",\n\t\t\tclient_id: CLIENT_ID,\n\t\t\trefresh_token: refreshToken,\n\t\t}),\n\t\tsignal: AbortSignal.timeout(30_000),\n\t});\n\n\tif (!response.ok) {\n\t\tconst error = await response.text();\n\t\tthrow new Error(`Anthropic token refresh failed: ${error}`);\n\t}\n\n\tconst data = (await response.json()) as {\n\t\taccess_token: string;\n\t\trefresh_token: string;\n\t\texpires_in: number;\n\t};\n\n\treturn {\n\t\trefresh: data.refresh_token,\n\t\taccess: data.access_token,\n\t\texpires: Date.now() + data.expires_in * 1000 - 5 * 60 * 1000,\n\t};\n}\n\nexport const anthropicOAuthProvider: OAuthProviderInterface = {\n\tid: \"anthropic\",\n\tname: \"Anthropic (Claude Pro/Max)\",\n\n\tasync login(callbacks: OAuthLoginCallbacks): Promise<OAuthCredentials> {\n\t\treturn loginAnthropic(\n\t\t\t(url) => callbacks.onAuth({ url }),\n\t\t\t() => callbacks.onPrompt({ message: \"Paste the authorization code:\" }),\n\t\t);\n\t},\n\n\tasync refreshToken(credentials: OAuthCredentials): Promise<OAuthCredentials> {\n\t\treturn refreshAnthropicToken(credentials.refresh);\n\t},\n\n\tgetApiKey(credentials: OAuthCredentials): string {\n\t\treturn credentials.access;\n\t},\n};\n"]}