gsd-pi 2.76.0-dev.82e249f7b → 2.76.0-dev.97f5583d9

package/packages/pi-coding-agent/src/core/model-registry-custom-caps.test.ts

@@ -0,0 +1,245 @@
+/**
+ * Regression tests for #4563:
+ *   Bug 1 — custom/Anthropic-compatible models were hard-capped to 32 k output tokens
+ *   Bug 2 — custom models in models.json could not declare capabilities.supportsXhigh
+ */
+import assert from "node:assert/strict";
+import { mkdirSync, rmSync, writeFileSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { afterEach, beforeEach, describe, it } from "node:test";
+import { AuthStorage } from "./auth-storage.js";
+import { ModelRegistry } from "./model-registry.js";
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+let testDir: string;
+
+beforeEach(() => {
+	testDir = join(
+		tmpdir(),
+		`model-registry-custom-caps-${Date.now()}-${Math.random().toString(36).slice(2)}`,
+	);
+	mkdirSync(testDir, { recursive: true });
+});
+
+afterEach(() => {
+	try {
+		rmSync(testDir, { recursive: true, force: true });
+	} catch {
+		// best-effort cleanup
+	}
+});
+
+function createRegistry(modelsJson: object): ModelRegistry {
+	const path = join(testDir, "models.json");
+	writeFileSync(path, JSON.stringify(modelsJson));
+	return new ModelRegistry(AuthStorage.inMemory(), path);
+}
+
+function writeModelsJson(obj: object): string {
+	const path = join(testDir, "models.json");
+	writeFileSync(path, JSON.stringify(obj));
+	return path;
+}
+
+// ─── Bug 1: 32 k cap must not apply to custom/OpenAI-compatible models ────────
+
+describe("Bug 1 — maxTokens cap (#4563)", () => {
+	it("custom openai-completions model with maxTokens > 32 k is not capped", () => {
+		const registry = createRegistry({
+			providers: {
+				"kimi-custom": {
+					baseUrl: "https://api.example.com/v1",
+					apiKey: "sk-test",
+					api: "openai-completions",
+					models: [
+						{
+							id: "kimi-k2.6-code-preview",
+							name: "Kimi K2.6 Code Preview",
+							maxTokens: 131072,
+							contextWindow: 262144,
+						},
+					],
+				},
+			},
+		});
+
+		const model = registry.getAll().find((m) => m.id === "kimi-k2.6-code-preview");
+		assert.ok(model, "model should be registered");
+		assert.equal(
+			model.maxTokens,
+			131072,
+			"maxTokens must be preserved as declared — not capped to 32 000",
+		);
+	});
+
+	it("custom model with maxTokens exactly 32 k is not affected", () => {
+		const registry = createRegistry({
+			providers: {
+				"custom-provider": {
+					baseUrl: "https://api.example.com/v1",
+					apiKey: "sk-test",
+					api: "openai-completions",
+					models: [{ id: "model-32k", maxTokens: 32000, contextWindow: 128000 }],
+				},
+			},
+		});
+
+		const model = registry.getAll().find((m) => m.id === "model-32k");
+		assert.ok(model);
+		assert.equal(model.maxTokens, 32000);
+	});
+
+	it("custom model with maxTokens 65 k is stored at full value", () => {
+		const registry = createRegistry({
+			providers: {
+				"dashscope-custom": {
+					baseUrl: "https://dashscope-intl.aliyuncs.com/compatible-mode/v1",
+					apiKey: "sk-test",
+					api: "openai-completions",
+					models: [
+						{
+							id: "qwen3.5-plus",
+							name: "Qwen3.5 Plus",
+							maxTokens: 65536,
+							contextWindow: 1000000,
+						},
+					],
+				},
+			},
+		});
+
+		const model = registry.getAll().find((m) => m.id === "qwen3.5-plus" && m.provider === "dashscope-custom");
+		assert.ok(model);
+		assert.equal(model.maxTokens, 65536);
+	});
+});
+
+// ─── Bug 2: capabilities.supportsXhigh must be declarable in models.json ──────
+
+describe("Bug 2 — capabilities.supportsXhigh in models.json (#4563)", () => {
+	it("model with capabilities.supportsXhigh: true surfaces the flag", () => {
+		const registry = createRegistry({
+			providers: {
+				"kimi-custom": {
+					baseUrl: "https://api.example.com/v1",
+					apiKey: "sk-test",
+					api: "anthropic-messages",
+					models: [
+						{
+							id: "kimi-k2.6-code-preview",
+							name: "Kimi K2.6 Code Preview",
+							maxTokens: 131072,
+							contextWindow: 262144,
+							capabilities: { supportsXhigh: true },
+						},
+					],
+				},
+			},
+		});
+
+		const model = registry.getAll().find((m) => m.id === "kimi-k2.6-code-preview");
+		assert.ok(model, "model should be registered");
+		assert.equal(
+			model.capabilities?.supportsXhigh,
+			true,
+			"supportsXhigh must be true as declared in models.json",
+		);
+	});
+
+	it("model without capabilities declaration has no supportsXhigh", () => {
+		const registry = createRegistry({
+			providers: {
+				"plain-provider": {
+					baseUrl: "https://api.example.com/v1",
+					apiKey: "sk-test",
+					api: "openai-completions",
+					models: [{ id: "plain-model", maxTokens: 16384, contextWindow: 128000 }],
+				},
+			},
+		});
+
+		const model = registry.getAll().find((m) => m.id === "plain-model");
+		assert.ok(model);
+		// supportsXhigh should be absent or explicitly false — never implicitly true
+		assert.ok(
+			!model.capabilities?.supportsXhigh,
+			"supportsXhigh must not be set for models that don't declare it",
+		);
+	});
+
+	it("capabilities.supportsXhigh: false is respected", () => {
+		const registry = createRegistry({
+			providers: {
+				"explicit-provider": {
+					baseUrl: "https://api.example.com/v1",
+					apiKey: "sk-test",
+					api: "openai-completions",
+					models: [
+						{
+							id: "no-xhigh-model",
+							capabilities: { supportsXhigh: false },
+						},
+					],
+				},
+			},
+		});
+
+		const model = registry.getAll().find((m) => m.id === "no-xhigh-model");
+		assert.ok(model);
+		assert.equal(model.capabilities?.supportsXhigh, false);
+	});
+
+	it("supportsXhigh declared in models.json is not overwritten by capability patches", () => {
+		// The capability-patches system must not overwrite an explicit declaration in models.json.
+		// applyCapabilityPatches uses spread: { ...patch.caps, ...model.capabilities }
+		// so model.capabilities wins. This test verifies the precedence end-to-end.
+		const registry = createRegistry({
+			providers: {
+				"compat-provider": {
+					baseUrl: "https://api.example.com/v1",
+					apiKey: "sk-test",
+					api: "openai-completions",
+					models: [
+						{
+							id: "custom-xhigh-model",
+							capabilities: { supportsXhigh: true },
+						},
+					],
+				},
+			},
+		});
+
+		const model = registry.getAll().find((m) => m.id === "custom-xhigh-model");
+		assert.ok(model);
+		assert.equal(model.capabilities?.supportsXhigh, true);
+	});
+
+	it("modelOverrides can set capabilities.supportsXhigh on built-in models", () => {
+		// A user-facing override in models.json should be able to add supportsXhigh
+		// to a built-in model that doesn't declare it.
+		const path = writeModelsJson({
+			providers: {
+				anthropic: {
+					modelOverrides: {
+						"claude-3-5-haiku-20241022": {
+							capabilities: { supportsXhigh: true },
+						},
+					},
+				},
+			},
+		});
+
+		const registry = new ModelRegistry(AuthStorage.inMemory(), path);
+		const model = registry.getAll().find(
+			(m) => m.provider === "anthropic" && m.id === "claude-3-5-haiku-20241022",
+		);
+		assert.ok(model, "built-in model must still be present");
+		assert.equal(
+			model.capabilities?.supportsXhigh,
+			true,
+			"modelOverrides must be able to set capabilities.supportsXhigh",
+		);
+	});
+});

package/packages/pi-coding-agent/src/core/model-registry.ts

@@ -48,6 +48,14 @@ const VercelGatewayRoutingSchema = Type.Object({
 	order: Type.Optional(Type.Array(Type.String())),
 });
 
+// Schema for model capability declarations (mirrors ModelCapabilities in pi-ai types)
+const ModelCapabilitiesSchema = Type.Object({
+	supportsXhigh: Type.Optional(Type.Boolean()),
+	requiresToolCallId: Type.Optional(Type.Boolean()),
+	supportsServiceTier: Type.Optional(Type.Boolean()),
+	charsPerToken: Type.Optional(Type.Number()),
+});
+
 // Schema for OpenAI compatibility settings
 const OpenAICompletionsCompatSchema = Type.Object({
 	supportsStore: Type.Optional(Type.Boolean()),
@@ -91,6 +99,7 @@ const ModelDefinitionSchema = Type.Object({
 	maxTokens: Type.Optional(Type.Number()),
 	headers: Type.Optional(Type.Record(Type.String(), Type.String())),
 	compat: Type.Optional(OpenAICompatSchema),
+	capabilities: Type.Optional(ModelCapabilitiesSchema),
 });
 
 // Schema for per-model overrides (all fields optional, merged with built-in model)
@@ -110,6 +119,7 @@ const ModelOverrideSchema = Type.Object({
 	maxTokens: Type.Optional(Type.Number()),
 	headers: Type.Optional(Type.Record(Type.String(), Type.String())),
 	compat: Type.Optional(OpenAICompatSchema),
+	capabilities: Type.Optional(ModelCapabilitiesSchema),
 });
 
 type ModelOverride = Static<typeof ModelOverrideSchema>;
@@ -219,6 +229,11 @@ function applyModelOverride(model: Model<Api>, override: ModelOverride): Model<A
 	// Deep merge compat
 	result.compat = mergeCompat(model.compat, override.compat);
 
+	// Merge capabilities (override wins per-field)
+	if (override.capabilities) {
+		result.capabilities = { ...model.capabilities, ...override.capabilities };
+	}
+
 	return result;
 }
 
@@ -514,6 +529,7 @@ export class ModelRegistry {
 					maxTokens: modelDef.maxTokens ?? 16384,
 					headers,
 					compat: modelDef.compat,
+					capabilities: modelDef.capabilities,
 				} as Model<Api>);
 			}
 		}

package/packages/pi-coding-agent/src/core/redact-secrets.test.ts

@@ -0,0 +1,86 @@
+// pi-coding-agent — unit tests for session-log secret redaction
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+
+import { redactSecrets } from "./redact-secrets.js";
+
+describe("redactSecrets", () => {
+	it("is a no-op on plain text with no secret markers", () => {
+		const input = "Hello world — this is just some prose with numbers 12345 and dashes - - -.";
+		assert.equal(redactSecrets(input), input);
+	});
+
+	it("redacts Anthropic keys before generic openai sk- pattern", () => {
+		const out = redactSecrets("key=sk-ant-api03-abcDEF1234567890abcDEF1234567890");
+		assert.equal(out, "key=[REDACTED:anthropic]");
+	});
+
+	it("redacts legacy OpenAI sk- keys", () => {
+		const out = redactSecrets("OPENAI_API_KEY=sk-abcDEF1234567890abcDEF12");
+		assert.equal(out, "OPENAI_API_KEY=[REDACTED:openai]");
+	});
+
+	it("redacts OpenAI project sk-proj- keys with hyphens/underscores in body", () => {
+		const out = redactSecrets("OPENAI_API_KEY=sk-proj-AbCd_1234-EfGh_5678-IjKl_9012");
+		assert.equal(out, "OPENAI_API_KEY=[REDACTED:openai]");
+	});
+
+	it("redacts OpenAI admin sk-admin- keys", () => {
+		const out = redactSecrets("OPENAI_ADMIN_KEY=sk-admin-AbCd1234EfGh5678IjKl9012");
+		assert.equal(out, "OPENAI_ADMIN_KEY=[REDACTED:openai]");
+	});
+
+	it("redacts LlamaCloud llx- keys", () => {
+		const out = redactSecrets("LLAMA_CLOUD_API_KEY=llx-abcDEF1234567890abcDEF1234567890");
+		assert.equal(out, "LLAMA_CLOUD_API_KEY=[REDACTED:llamacloud]");
+	});
+
+	it("redacts AWS access key ids", () => {
+		const out = redactSecrets("aws_access_key_id = AKIAIOSFODNN7EXAMPLE");
+		assert.equal(out, "aws_access_key_id = [REDACTED:aws-access-key]");
+	});
+
+	it("redacts GitHub personal/oauth/app/server/refresh tokens", () => {
+		const out = redactSecrets("token=ghp_abcdefghijklmnopqrstuvwxyz0123456789");
+		assert.equal(out, "token=[REDACTED:github-token]");
+	});
+
+	it("redacts Slack tokens", () => {
+		const out = redactSecrets("slack=xoxb-1234567890-abcdefghij");
+		assert.equal(out, "slack=[REDACTED:slack-token]");
+	});
+
+	it("redacts Google API keys", () => {
+		// Google API keys are exactly AIza + 35 chars (39 total).
+		const out = redactSecrets("key=AIzaSyA-1234567890abcdefghijklmnopqrstu");
+		assert.equal(out, "key=[REDACTED:google-api-key]");
+	});
+
+	it("redacts PEM private key blocks across newlines", () => {
+		const pem = [
+			"-----BEGIN RSA PRIVATE KEY-----",
+			"MIIEowIBAAKCAQEAabcDEF...",
+			"morekeymaterial==",
+			"-----END RSA PRIVATE KEY-----",
+		].join("\n");
+		const out = redactSecrets(`before\n${pem}\nafter`);
+		assert.equal(out, "before\n[REDACTED:pem-private-key]\nafter");
+	});
+
+	it("redacts multiple secrets in the same string", () => {
+		const out = redactSecrets(
+			"AZURE_CLIENT_SECRET: also llx-abcDEF1234567890abcDEF1234567890 and AKIAIOSFODNN7EXAMPLE",
+		);
+		assert.equal(
+			out,
+			"AZURE_CLIENT_SECRET: also [REDACTED:llamacloud] and [REDACTED:aws-access-key]",
+		);
+	});
+
+	it("does not redact short strings that merely contain sk- prose", () => {
+		// "sk-foo" is too short to match the openai pattern — must be 20+ chars.
+		const input = "the sk- prefix isn't always a secret";
+		assert.equal(redactSecrets(input), input);
+	});
+});

package/packages/pi-coding-agent/src/core/redact-secrets.ts

@@ -0,0 +1,58 @@
+// pi-coding-agent — secret redaction for session log persistence
+//
+// Called by prepareForPersistence() in session-manager.ts on every string
+// before it lands in the JSONL transcript. Replaces well-known secret shapes
+// with [REDACTED:<kind>] placeholders so credentials pasted by the user or
+// read from .env-style files never persist to disk.
+//
+// Pattern selection bias: high-specificity shapes only. Loose patterns
+// (e.g. FOO_SECRET=...) produce too many false positives in docs and code
+// samples and are intentionally excluded.
+
+interface SecretPattern {
+	kind: string;
+	regex: RegExp;
+}
+
+// Order matters: more-specific patterns first (sk-ant- before generic sk-).
+const PATTERNS: readonly SecretPattern[] = [
+	{ kind: "anthropic", regex: /sk-ant-[A-Za-z0-9_-]{20,}/g },
+	{ kind: "llamacloud", regex: /llx-[A-Za-z0-9_-]{20,}/g },
+	// Covers all three official OpenAI key shapes: legacy `sk-…`, project `sk-proj-…`,
+	// and admin `sk-admin-…`. Hyphens and underscores appear inside real project keys
+	// so the remainder class must allow them. `sk-ant-` is matched earlier by the
+	// anthropic pattern and already replaced by the time this runs.
+	{ kind: "openai", regex: /sk-(?:proj-|admin-)?[A-Za-z0-9_-]{20,}/g },
+	{ kind: "aws-access-key", regex: /\b(?:AKIA|ASIA|AROA)[0-9A-Z]{16}\b/g },
+	{ kind: "github-token", regex: /\bgh[pousr]_[A-Za-z0-9]{30,}\b/g },
+	{ kind: "slack-token", regex: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g },
+	{ kind: "google-api-key", regex: /\bAIza[0-9A-Za-z_-]{35}\b/g },
+	{
+		kind: "pem-private-key",
+		regex: /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----/g,
+	},
+];
+
+export function redactSecrets(input: string): string {
+	// Short-circuit: skip regex work on strings with no plausible secret markers.
+	// Cheap heuristic — if none of these substrings are present, no pattern can match.
+	if (
+		!input.includes("sk-") &&
+		!input.includes("llx-") &&
+		!input.includes("AKIA") &&
+		!input.includes("ASIA") &&
+		!input.includes("AROA") &&
+		!input.includes("gh") &&
+		!input.includes("xox") &&
+		!input.includes("AIza") &&
+		!input.includes("PRIVATE KEY")
+	) {
+		return input;
+	}
+
+	let out = input;
+	for (const { kind, regex } of PATTERNS) {
+		out = out.replace(regex, `[REDACTED:${kind}]`);
+	}
+	return out;
+}

package/packages/pi-coding-agent/src/core/session-manager.test.ts

@@ -1,6 +1,6 @@
 import assert from "node:assert/strict";
 import { describe, it, afterEach } from "node:test";
-import { mkdtempSync, rmSync } from "node:fs";
+import { mkdtempSync, readFileSync, rmSync } from "node:fs";
 import { join } from "node:path";
 import { tmpdir } from "node:os";
 
@@ -63,3 +63,38 @@ describe("SessionManager usage totals", () => {
 		});
 	});
 });
+
+describe("SessionManager secret redaction on persistence", () => {
+	let dir: string;
+
+	afterEach(() => {
+		if (dir) {
+			rmSync(dir, { recursive: true, force: true });
+		}
+	});
+
+	it("scrubs known secret shapes from JSONL on disk", () => {
+		dir = mkdtempSync(join(tmpdir(), "gsd-session-redact-test-"));
+		const manager = SessionManager.create(dir, dir);
+
+		const leakedKey = "llx-abcDEF1234567890abcDEF1234567890";
+		manager.appendMessage({
+			role: "user",
+			content: [{ type: "text", text: `here is my key: ${leakedKey}` }],
+		} as any);
+		// Persistence is gated on an assistant message being present.
+		manager.appendMessage(makeAssistantMessage(1, 1, 0, 0, 0));
+
+		const sessionFile = manager.getSessionFile();
+		assert.ok(sessionFile, "session file should be set");
+		const contents = readFileSync(sessionFile!, "utf8");
+		assert.ok(
+			!contents.includes(leakedKey),
+			"raw secret must not appear in persisted JSONL",
+		);
+		assert.ok(
+			contents.includes("[REDACTED:llamacloud]"),
+			"redaction placeholder must appear in persisted JSONL",
+		);
+	});
+});

package/packages/pi-coding-agent/src/core/session-manager.ts

@@ -26,6 +26,7 @@ import {
 	createCustomMessage,
 } from "./messages.js";
 import { BlobStore, externalizeImageData, isBlobRef, resolveImageData } from "./blob-store.js";
+import { redactSecrets } from "./redact-secrets.js";
 
 /** Inline concurrency limiter to cap parallel async operations. */
 function pLimit(concurrency: number) {
@@ -499,15 +500,18 @@ function prepareForPersistence(obj: unknown, blobStore: BlobStore, key?: string)
 	if (obj === null || obj === undefined) return obj;
 
 	if (typeof obj === "string") {
-		if (obj.length > MAX_PERSIST_CHARS) {
-			// Cryptographic signatures must be preserved exactly or cleared entirely
-			if (key === "thinkingSignature" || key === "thoughtSignature" || key === "textSignature") {
+		// Cryptographic signatures must be preserved byte-exact — never redact or truncate
+		// their contents, only the oversize-clear path below handles them.
+		const isSignature = key === "thinkingSignature" || key === "thoughtSignature" || key === "textSignature";
+		const redacted = isSignature ? obj : redactSecrets(obj);
+		if (redacted.length > MAX_PERSIST_CHARS) {
+			if (isSignature) {
 				return "";
 			}
 			const limit = Math.max(0, MAX_PERSIST_CHARS - TRUNCATION_NOTICE.length);
-			return `${truncateString(obj, limit)}${TRUNCATION_NOTICE}`;
+			return `${truncateString(redacted, limit)}${TRUNCATION_NOTICE}`;
 		}
-		return obj;
+		return redacted;
 	}
 
 	if (Array.isArray(obj)) {

package/packages/pi-coding-agent/src/modes/interactive/components/chat-frame.ts

@@ -2,7 +2,7 @@ import { truncateToWidth, visibleWidth } from "@gsd/pi-tui";
 import { theme } from "../theme/theme.js";
 import { formatTimestamp, type TimestampFormat } from "./timestamp.js";
 
-type FrameTone = "assistant" | "user" | "compaction";
+type FrameTone = "assistant" | "user" | "compaction" | "skill";
 
 function trimOuterBlankLines(lines: string[]): string[] {
 	let start = 0;
@@ -25,14 +25,14 @@ export function renderChatFrame(
 ): string[] {
 	const outerWidth = Math.max(20, width);
 	const contentWidth = Math.max(1, outerWidth - 2); // "│ " + content
+	const isPurple = opts.tone === "compaction" || opts.tone === "skill";
 	const borderColor =
 		opts.tone === "user"
 			? "border"
-			: opts.tone === "compaction"
+			: isPurple
 				? "customMessageLabel"
 				: "borderAccent";
-	const borderMuted =
-		opts.tone === "compaction" ? "customMessageLabel" : "borderMuted";
+	const borderMuted = isPurple ? "customMessageLabel" : "borderMuted";
 	const border = (s: string) => theme.fg(borderColor, s);
 	const leftRaw = `• ${opts.label}`;
 	const rightRaw =
@@ -47,7 +47,7 @@ export function renderChatFrame(
 	const labelColor =
 		opts.tone === "user"
 			? "border"
-			: opts.tone === "compaction"
+			: isPurple
 				? "customMessageLabel"
 				: "borderAccent";
 	const dashIdx = left.indexOf(" - ");
@@ -71,7 +71,7 @@ export function renderChatFrame(
 	const bodyColor =
 		opts.tone === "user"
 			? "userMessageText"
-			: opts.tone === "compaction"
+			: isPurple
 				? "customMessageText"
 				: "assistantMessageText";
 	const bodyLines = (sourceLines.length > 0 ? sourceLines : [""]).map((line) => {

package/packages/pi-coding-agent/src/modes/interactive/components/skill-invocation-message.ts

@@ -1,55 +1,69 @@
-import { Box, Markdown, type MarkdownTheme, Text } from "@gsd/pi-tui";
+// GSD / pi-coding-agent — Skill invocation message component
+import { Container, Markdown, type MarkdownTheme, Text } from "@gsd/pi-tui";
 import type { ParsedSkillBlock } from "../../../core/agent-session.js";
 import { getMarkdownTheme, theme } from "../theme/theme.js";
+import { renderChatFrame } from "./chat-frame.js";
 import { editorKey } from "./keybinding-hints.js";
 
 /**
- * Component that renders a skill invocation message with collapsed/expanded state.
- * Uses same background color as custom messages for visual consistency.
- * Only renders the skill block itself - user message is rendered separately.
+ * Renders a skill invocation in the shared chat-frame style (top rule,
+ * `• skill - <name>` header, `│ ` body margin) with purple border/label
+ * matching compaction so it visually aligns with user/assistant messages.
  */
-export class SkillInvocationMessageComponent extends Box {
+export class SkillInvocationMessageComponent extends Container {
 	private expanded = false;
 	private skillBlock: ParsedSkillBlock;
 	private markdownTheme: MarkdownTheme;
 
 	constructor(skillBlock: ParsedSkillBlock, markdownTheme: MarkdownTheme = getMarkdownTheme()) {
-		super(1, 1, (t) => theme.bg("customMessageBg", t));
+		super();
 		this.skillBlock = skillBlock;
 		this.markdownTheme = markdownTheme;
-		this.updateDisplay();
+		this.rebuild();
 	}
 
 	setExpanded(expanded: boolean): void {
-		this.expanded = expanded;
-		this.updateDisplay();
+		if (this.expanded !== expanded) {
+			this.expanded = expanded;
+			this.rebuild();
+		}
 	}
 
 	override invalidate(): void {
 		super.invalidate();
-		this.updateDisplay();
+		this.rebuild();
 	}
 
-	private updateDisplay(): void {
+	private rebuild(): void {
 		this.clear();
 
 		if (this.expanded) {
-			// Expanded: label + skill name header + full content
-			const label = theme.fg("customMessageLabel", theme.bold("[skill]"));
-			this.addChild(new Text(label, 0, 0));
-			const header = `**${this.skillBlock.name}**\n\n`;
 			this.addChild(
-				new Markdown(header + this.skillBlock.content, 0, 0, this.markdownTheme, {
+				new Markdown(this.skillBlock.content, 0, 0, this.markdownTheme, {
 					color: (text: string) => theme.fg("customMessageText", text),
 				}),
 			);
 		} else {
-			// Collapsed: single line - [skill] name (hint to expand)
-			const line =
-				theme.fg("customMessageLabel", theme.bold("[skill]") + " ") +
-				theme.fg("customMessageText", this.skillBlock.name) +
-				theme.fg("dim", ` (${editorKey("expandTools")} to expand)`);
-			this.addChild(new Text(line, 0, 0));
+			this.addChild(
+				new Text(
+					theme.fg("dim", `(${editorKey("expandTools")} to expand)`),
+					0,
+					0,
+				),
+			);
 		}
 	}
+
+	override render(width: number): string[] {
+		const frameWidth = Math.max(20, width);
+		const contentWidth = Math.max(1, frameWidth - 4);
+		const lines = super.render(contentWidth);
+		const framed = renderChatFrame(lines, frameWidth, {
+			label: `skill - ${this.skillBlock.name}`,
+			tone: "skill",
+			timestampFormat: "date-time-iso",
+			showTimestamp: false,
+		});
+		return framed.length > 0 ? ["", ...framed] : framed;
+	}
 }

package/packages/pi-coding-agent/src/modes/interactive/interactive-mode.ts

@@ -3585,7 +3585,19 @@ export class InteractiveMode {
 					this.ui.requestRender();
 				},
 				async (provider: string) => {
-					// Enter key → auth setup for selected provider (#3579)
+					// Enter key → auth setup for selected provider (#3579).
+					// Only OAuth providers support the login dialog flow.
+					// externalCli providers (e.g. claude-code) authenticate through
+					// their own CLI — sending them to the OAuth dialog produces
+					// "Unknown OAuth provider: claude-code" (#4548).
+					const isOAuthProvider = this.session.modelRegistry.authStorage
+						.getOAuthProviders()
+						.some((p) => p.id === provider);
+					if (!isOAuthProvider) {
+						done();
+						this.showStatus(`${provider} uses external CLI auth — use /model to select a model or run the provider's own auth command.`);
+						return;
+					}
 					done();
 					await this.showLoginDialog(provider);
 				},