jinzd-ai-cli 0.4.114 → 0.4.116

package/dist/{auth-VBV7HTLQ.js → auth-7KK5BOCA.js}

@@ -1,10 +1,12 @@
 #!/usr/bin/env node
 import {
   AuthManager,
+  TOKEN_EXPIRY_MS,
   __resetLoginAttemptsForTests
-} from "./chunk-5UPFMM2A.js";
+} from "./chunk-O7NM4WTS.js";
 import "./chunk-PDX44BCA.js";
 export {
   AuthManager,
+  TOKEN_EXPIRY_MS,
   __resetLoginAttemptsForTests
 };

package/dist/{batch-Q5NQCXKN.js → batch-GRHEH3JF.js}

@@ -1,9 +1,9 @@
 #!/usr/bin/env node
 import {
   ConfigManager
-} from "./chunk-CP6PALA4.js";
+} from "./chunk-KRTQDZMY.js";
 import "./chunk-2ZD3YTVM.js";
-import "./chunk-UF62SHR7.js";
+import "./chunk-H3F2E4MD.js";
 import "./chunk-PDX44BCA.js";
 
 // src/cli/batch.ts

package/dist/{chunk-W45U3KQE.js → chunk-BXDHW7JO.js}

@@ -6,7 +6,7 @@ import { platform } from "os";
 import chalk from "chalk";
 
 // src/core/constants.ts
-var VERSION = "0.4.114";
+var VERSION = "0.4.116";
 var APP_NAME = "ai-cli";
 var CONFIG_DIR_NAME = ".aicli";
 var CONFIG_FILE_NAME = "config.json";

package/dist/{chunk-UF62SHR7.js → chunk-H3F2E4MD.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 
 // src/core/constants.ts
-var VERSION = "0.4.114";
+var VERSION = "0.4.116";
 var APP_NAME = "ai-cli";
 var CONFIG_DIR_NAME = ".aicli";
 var CONFIG_FILE_NAME = "config.json";

package/dist/{chunk-CP6PALA4.js → chunk-KRTQDZMY.js}

@@ -8,7 +8,7 @@ import {
   CONFIG_FILE_NAME,
   HISTORY_DIR_NAME,
   PLUGINS_DIR_NAME
-} from "./chunk-UF62SHR7.js";
+} from "./chunk-H3F2E4MD.js";
 
 // src/config/config-manager.ts
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";

package/dist/{chunk-5UPFMM2A.js → chunk-O7NM4WTS.js}

@@ -1,11 +1,12 @@
 #!/usr/bin/env node
 
 // src/web/auth.ts
-import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, copyFileSync } from "fs";
+import { existsSync, readFileSync, writeFileSync, mkdirSync, readdirSync, copyFileSync, renameSync, unlinkSync } from "fs";
 import { join } from "path";
 import { createHmac, randomBytes, timingSafeEqual, pbkdf2Sync } from "crypto";
 var USERS_FILE = "users.json";
 var TOKEN_EXPIRY_HOURS = 24;
+var TOKEN_EXPIRY_MS = TOKEN_EXPIRY_HOURS * 3600 * 1e3;
 var USERS_DIR = "users";
 var LOGIN_MAX_FAILS = 5;
 var LOGIN_LOCKOUT_MS = 15 * 60 * 1e3;
@@ -252,7 +253,17 @@ var AuthManager = class {
   }
   saveDB(db) {
     mkdirSync(this.baseDir, { recursive: true });
-    writeFileSync(this.usersFile, JSON.stringify(db, null, 2), "utf-8");
+    const tmp = `${this.usersFile}.tmp`;
+    try {
+      writeFileSync(tmp, JSON.stringify(db, null, 2), "utf-8");
+      renameSync(tmp, this.usersFile);
+    } catch (err) {
+      try {
+        unlinkSync(tmp);
+      } catch {
+      }
+      throw err;
+    }
   }
   /** Legacy hash — kept only for migrating old users (v0.2.x) */
   hashPasswordLegacy(password, salt) {
@@ -278,6 +289,7 @@ var AuthManager = class {
 };
 
 export {
+  TOKEN_EXPIRY_MS,
   __resetLoginAttemptsForTests,
   AuthManager
 };

package/dist/{chunk-E24HT62E.js → chunk-QMT4T4PH.js}

@@ -2,7 +2,7 @@
 import {
   schemaToJsonSchema,
   truncateForPersist
-} from "./chunk-XXKWSBRC.js";
+} from "./chunk-YTP26DOV.js";
 import {
   AuthError,
   ProviderError,
@@ -18,7 +18,7 @@ import {
   MCP_PROTOCOL_VERSION,
   MCP_TOOL_PREFIX,
   VERSION
-} from "./chunk-UF62SHR7.js";
+} from "./chunk-H3F2E4MD.js";
 import {
   redactJson
 } from "./chunk-7ZJN4KLV.js";
@@ -72,10 +72,20 @@ var ClaudeProvider = class extends BaseProvider {
     ]
   };
   async initialize(apiKey, options) {
-    this.client = new Anthropic({
+    const clientOptions = {
       apiKey,
       baseURL: options?.baseUrl
-    });
+    };
+    const proxyUrl = options?.proxy;
+    try {
+      const { Agent, ProxyAgent, fetch: undiciFetch } = await import("undici");
+      const STREAM_BODY_TIMEOUT = 30 * 60 * 1e3;
+      const STREAM_HEADERS_TIMEOUT = 5 * 60 * 1e3;
+      const dispatcher = proxyUrl ? new ProxyAgent({ uri: proxyUrl, bodyTimeout: STREAM_BODY_TIMEOUT, headersTimeout: STREAM_HEADERS_TIMEOUT }) : new Agent({ bodyTimeout: STREAM_BODY_TIMEOUT, headersTimeout: STREAM_HEADERS_TIMEOUT });
+      clientOptions.fetch = ((url, init) => undiciFetch(url, { ...init, dispatcher }));
+    } catch {
+    }
+    this.client = new Anthropic(clientOptions);
   }
   /**
    * 将内部 MessageContentPart[] 格式转换为 Anthropic SDK 期望的 ContentBlockParam[]。
@@ -932,13 +942,20 @@ var OpenAICompatibleProvider = class extends BaseProvider {
       timeout: this.defaultTimeout
     };
     const proxyUrl = options?.proxy;
-    if (proxyUrl) {
-      try {
-        const { ProxyAgent, fetch: undiciFetch } = await import("undici");
-        const agent = new ProxyAgent({ uri: proxyUrl });
-        clientOptions.fetch = ((url, init) => undiciFetch(url, { ...init, dispatcher: agent }));
-      } catch {
-      }
+    try {
+      const { Agent, ProxyAgent, fetch: undiciFetch } = await import("undici");
+      const STREAM_BODY_TIMEOUT = 30 * 60 * 1e3;
+      const STREAM_HEADERS_TIMEOUT = 5 * 60 * 1e3;
+      const dispatcher = proxyUrl ? new ProxyAgent({
+        uri: proxyUrl,
+        bodyTimeout: STREAM_BODY_TIMEOUT,
+        headersTimeout: STREAM_HEADERS_TIMEOUT
+      }) : new Agent({
+        bodyTimeout: STREAM_BODY_TIMEOUT,
+        headersTimeout: STREAM_HEADERS_TIMEOUT
+      });
+      clientOptions.fetch = ((url, init) => undiciFetch(url, { ...init, dispatcher }));
+    } catch {
     }
     this.client = new OpenAI(clientOptions);
   }
@@ -1854,6 +1871,40 @@ function peelMetaNarration(content) {
   }
   return out.trim();
 }
+var META_NARRATION_HARD_MARKERS = [
+  /\[⚠️\s*CONTENT GENERATION MODE\]/,
+  /CONTENT_ONLY_STREAM_REMINDER\b/,
+  /<system-reminder>/i
+];
+var META_NARRATION_HEURISTICS = [
+  /\bthe user (?:is asking me|wants me|is requesting|expects me)\b/i,
+  /\blet me (?:re-?read|re-?consider|reconsider|think about|carefully (?:re-?read|consider))\b/i,
+  /\bI'?m (?:in (?:a )?content-only|in CONTENT-ONLY|currently in)\b/i,
+  /\bI think (?:there might be|I should|I cannot|the (?:user|best)|maybe)\b/i,
+  /\bWait,?\s+let me\b/i,
+  /\bActually,?\s+I\b/i,
+  /\bI need to be honest with the user\b/i,
+  /\bI(?:'m| am) in a special mode\b/i,
+  /\bGiven that I cannot\b/i
+];
+function detectMetaNarration(content) {
+  if (!content) return null;
+  const head = content.slice(0, 2e3);
+  for (const re of META_NARRATION_HARD_MARKERS) {
+    if (re.test(head)) return re.source;
+  }
+  if (/^#{1,3}\s+\S/m.test(head)) return null;
+  let hits = 0;
+  let firstMatch = "";
+  for (const re of META_NARRATION_HEURISTICS) {
+    if (re.test(head)) {
+      hits++;
+      if (!firstMatch) firstMatch = re.source;
+      if (hits >= 2) return `meta-narration:${firstMatch}`;
+    }
+  }
+  return null;
+}
 function looksLikeDocumentBody(content) {
   if (!content || content.length < 200) return false;
   if (/^#{1,6}\s+\S/m.test(content)) return true;
@@ -4156,6 +4207,7 @@ export {
   buildPhantomCorrectionMessage,
   detectPseudoToolCalls,
   stripPseudoToolCalls,
+  detectMetaNarration,
   looksLikeDocumentBody,
   stripToolCallReminder,
   TEE_FINAL_USER_NUDGE,

package/dist/{chunk-2WAF7FOX.js → chunk-VJE5V4H2.js}

@@ -1,7 +1,7 @@
 #!/usr/bin/env node
 import {
   TEST_TIMEOUT
-} from "./chunk-UF62SHR7.js";
+} from "./chunk-H3F2E4MD.js";
 
 // src/tools/builtin/run-tests.ts
 import { execSync, spawnSync } from "child_process";

package/dist/{chunk-XXKWSBRC.js → chunk-YTP26DOV.js}

@@ -5,7 +5,7 @@ import {
 } from "./chunk-3BICTI5M.js";
 import {
   runTestsTool
-} from "./chunk-2WAF7FOX.js";
+} from "./chunk-VJE5V4H2.js";
 import {
   EnvLoader,
   NetworkError,
@@ -18,7 +18,7 @@ import {
   SUBAGENT_ALLOWED_TOOLS,
   SUBAGENT_DEFAULT_MAX_ROUNDS,
   SUBAGENT_MAX_ROUNDS_LIMIT
-} from "./chunk-UF62SHR7.js";
+} from "./chunk-H3F2E4MD.js";
 import {
   fileCheckpoints
 } from "./chunk-4BKXL7SM.js";
@@ -372,7 +372,7 @@ Important rules:
       }
       updateCwdFromCommand(command, effectiveCwd);
       pushBashUndoEntries(beforeSnapshot, parsedTargetsBefore, effectiveCwd);
-      const result = IS_WINDOWS && Buffer.isBuffer(stdout) ? stdout.toString("utf-8") : stdout;
+      const result = Buffer.isBuffer(stdout) ? stdout.toString("utf-8") : String(stdout ?? "");
       return result || "(command completed with no output)";
     } catch (err) {
       pushBashUndoEntries(beforeSnapshot, parsedTargetsBefore, effectiveCwd);
@@ -400,12 +400,15 @@ How to recover (pick ONE \u2014 do NOT retry the same command):
           const stderr = IS_WINDOWS && Buffer.isBuffer(execErr.stderr) ? execErr.stderr.toString("utf-8").trim() : execErr.stderr?.toString().trim() ?? "";
           const stdout = IS_WINDOWS && Buffer.isBuffer(execErr.stdout) ? execErr.stdout.toString("utf-8").trim() : execErr.stdout?.toString().trim() ?? "";
           const combined = [stdout, stderr].filter(Boolean).join("\n");
+          const hint = buildErrorHint(command, combined);
           throw new ToolError(
             "bash",
             `Exit code ${execErr.status}:
 ${combined || (execErr.message ?? "Unknown error")}
 
-[Command failed. Report this error to the user. Do not retry with variant commands.]`
+` + (hint ? `${hint}
+
+` : "") + `[Command failed. Report this error to the user. Do not retry with variant commands.]`
           );
         }
       }
@@ -429,6 +432,31 @@ function fixWindowsDeleteCommand(command) {
     }
   );
 }
+function buildErrorHint(command, stderr) {
+  const hints = [];
+  if (IS_WINDOWS && /\|\|/.test(command) && /(\|\||is not a valid argument|不是此版本中的有效|ParserError|Unexpected token)/i.test(stderr)) {
+    hints.push(
+      `Hint: PowerShell parses '||' as a pipeline operator (PS 5.x) or logical-or (PS 7+), it CANNOT be passed inline as SQL string concatenation. Workaround: write the SQL to a local .sql file with write_file, then 'scp' it to the remote host and run 'psql -f /tmp/x.sql'. Do NOT try to escape || or wrap the command differently \u2014 it will not work.`
+    );
+  }
+  if (IS_WINDOWS && /\bpython3\b/.test(command) && /(not recognized|is not recognized|无法将.*识别)/i.test(stderr)) {
+    hints.push(
+      `Hint: On Windows the launcher is 'python' (or 'py'), not 'python3'. Replace 'python3' with 'python' and retry.`
+    );
+  }
+  if (IS_WINDOWS && /^\s*ssh\b/.test(command) && /\\"/.test(command) && /(syntax error|ERROR:|ParserError|unexpected|parser|意外的|语法|不是此版本)/i.test(stderr)) {
+    hints.push(
+      `Hint: SSH + nested quotes ("...\\"...\\"") is fragile across PS \u2192 ssh \u2192 remote-shell \u2192 psql layers. Use the file-based flow: (1) write_file locally to a .sql file, (2) 'scp x.sql root@host:/tmp/', (3) 'ssh root@host "sudo -u postgres psql -d <db> -f /tmp/x.sql"'. Or for remote-only SQL: 'ssh host "cat > /tmp/x.sql << \\'SQLEOF\\'\\n...\\nSQLEOF"' then run psql -f. Avoid inline psql -c with embedded quotes.`
+    );
+  }
+  const colMissing = stderr.match(/column "([^"]+)" does not exist/i);
+  if (colMissing) {
+    hints.push(
+      `Hint: PostgreSQL says column "${colMissing[1]}" does not exist. Do NOT retry with a guess \u2014 query the actual schema first: \`psql -c "\\d <table>"\` or \`SELECT column_name FROM information_schema.columns WHERE table_name='<table>';\`. Common pitfall: not every table has a 'deleted' soft-delete column.`
+    );
+  }
+  return hints.length > 0 ? hints.map((h) => `\u{1F4A1} ${h}`).join("\n\n") : null;
+}
 function snapshotDir(dir) {
   try {
     return new Set(readdirSync(dir).map((name) => resolve(dir, name)));

package/dist/{constants-YEBRZDBP.js → constants-NWATGC4A.js}

@@ -36,7 +36,7 @@ import {
   TEST_TIMEOUT,
   VERSION,
   buildUserIdentityPrompt
-} from "./chunk-UF62SHR7.js";
+} from "./chunk-H3F2E4MD.js";
 import "./chunk-PDX44BCA.js";
 export {
   AGENTIC_BEHAVIOR_GUIDELINE,

package/dist/electron-server.js

@@ -36,7 +36,7 @@ import {
   VERSION,
   buildUserIdentityPrompt,
   runTestsTool
-} from "./chunk-W45U3KQE.js";
+} from "./chunk-BXDHW7JO.js";
 import {
   hasSemanticIndex,
   semanticSearch
@@ -604,10 +604,20 @@ var ClaudeProvider = class extends BaseProvider {
     ]
   };
   async initialize(apiKey, options) {
-    this.client = new Anthropic({
+    const clientOptions = {
       apiKey,
       baseURL: options?.baseUrl
-    });
+    };
+    const proxyUrl = options?.proxy;
+    try {
+      const { Agent, ProxyAgent, fetch: undiciFetch } = await import("undici");
+      const STREAM_BODY_TIMEOUT = 30 * 60 * 1e3;
+      const STREAM_HEADERS_TIMEOUT = 5 * 60 * 1e3;
+      const dispatcher = proxyUrl ? new ProxyAgent({ uri: proxyUrl, bodyTimeout: STREAM_BODY_TIMEOUT, headersTimeout: STREAM_HEADERS_TIMEOUT }) : new Agent({ bodyTimeout: STREAM_BODY_TIMEOUT, headersTimeout: STREAM_HEADERS_TIMEOUT });
+      clientOptions.fetch = ((url, init) => undiciFetch(url, { ...init, dispatcher }));
+    } catch {
+    }
+    this.client = new Anthropic(clientOptions);
   }
   /**
    * 将内部 MessageContentPart[] 格式转换为 Anthropic SDK 期望的 ContentBlockParam[]。
@@ -1464,13 +1474,20 @@ var OpenAICompatibleProvider = class extends BaseProvider {
       timeout: this.defaultTimeout
     };
     const proxyUrl = options?.proxy;
-    if (proxyUrl) {
-      try {
-        const { ProxyAgent, fetch: undiciFetch } = await import("undici");
-        const agent = new ProxyAgent({ uri: proxyUrl });
-        clientOptions.fetch = ((url, init) => undiciFetch(url, { ...init, dispatcher: agent }));
-      } catch {
-      }
+    try {
+      const { Agent, ProxyAgent, fetch: undiciFetch } = await import("undici");
+      const STREAM_BODY_TIMEOUT = 30 * 60 * 1e3;
+      const STREAM_HEADERS_TIMEOUT = 5 * 60 * 1e3;
+      const dispatcher = proxyUrl ? new ProxyAgent({
+        uri: proxyUrl,
+        bodyTimeout: STREAM_BODY_TIMEOUT,
+        headersTimeout: STREAM_HEADERS_TIMEOUT
+      }) : new Agent({
+        bodyTimeout: STREAM_BODY_TIMEOUT,
+        headersTimeout: STREAM_HEADERS_TIMEOUT
+      });
+      clientOptions.fetch = ((url, init) => undiciFetch(url, { ...init, dispatcher }));
+    } catch {
     }
     this.client = new OpenAI(clientOptions);
   }
@@ -2268,6 +2285,40 @@ function peelMetaNarration(content) {
   }
   return out.trim();
 }
+var META_NARRATION_HARD_MARKERS = [
+  /\[⚠️\s*CONTENT GENERATION MODE\]/,
+  /CONTENT_ONLY_STREAM_REMINDER\b/,
+  /<system-reminder>/i
+];
+var META_NARRATION_HEURISTICS = [
+  /\bthe user (?:is asking me|wants me|is requesting|expects me)\b/i,
+  /\blet me (?:re-?read|re-?consider|reconsider|think about|carefully (?:re-?read|consider))\b/i,
+  /\bI'?m (?:in (?:a )?content-only|in CONTENT-ONLY|currently in)\b/i,
+  /\bI think (?:there might be|I should|I cannot|the (?:user|best)|maybe)\b/i,
+  /\bWait,?\s+let me\b/i,
+  /\bActually,?\s+I\b/i,
+  /\bI need to be honest with the user\b/i,
+  /\bI(?:'m| am) in a special mode\b/i,
+  /\bGiven that I cannot\b/i
+];
+function detectMetaNarration(content) {
+  if (!content) return null;
+  const head = content.slice(0, 2e3);
+  for (const re of META_NARRATION_HARD_MARKERS) {
+    if (re.test(head)) return re.source;
+  }
+  if (/^#{1,3}\s+\S/m.test(head)) return null;
+  let hits = 0;
+  let firstMatch = "";
+  for (const re of META_NARRATION_HEURISTICS) {
+    if (re.test(head)) {
+      hits++;
+      if (!firstMatch) firstMatch = re.source;
+      if (hits >= 2) return `meta-narration:${firstMatch}`;
+    }
+  }
+  return null;
+}
 function looksLikeDocumentBody(content) {
   if (!content || content.length < 200) return false;
   if (/^#{1,6}\s+\S/m.test(content)) return true;
@@ -3885,7 +3936,7 @@ Important rules:
       }
       updateCwdFromCommand(command, effectiveCwd);
       pushBashUndoEntries(beforeSnapshot, parsedTargetsBefore, effectiveCwd);
-      const result = IS_WINDOWS && Buffer.isBuffer(stdout) ? stdout.toString("utf-8") : stdout;
+      const result = Buffer.isBuffer(stdout) ? stdout.toString("utf-8") : String(stdout ?? "");
       return result || "(command completed with no output)";
     } catch (err) {
       pushBashUndoEntries(beforeSnapshot, parsedTargetsBefore, effectiveCwd);
@@ -3913,12 +3964,15 @@ How to recover (pick ONE \u2014 do NOT retry the same command):
           const stderr = IS_WINDOWS && Buffer.isBuffer(execErr.stderr) ? execErr.stderr.toString("utf-8").trim() : execErr.stderr?.toString().trim() ?? "";
           const stdout = IS_WINDOWS && Buffer.isBuffer(execErr.stdout) ? execErr.stdout.toString("utf-8").trim() : execErr.stdout?.toString().trim() ?? "";
           const combined = [stdout, stderr].filter(Boolean).join("\n");
+          const hint = buildErrorHint(command, combined);
           throw new ToolError(
             "bash",
             `Exit code ${execErr.status}:
 ${combined || (execErr.message ?? "Unknown error")}
 
-[Command failed. Report this error to the user. Do not retry with variant commands.]`
+` + (hint ? `${hint}
+
+` : "") + `[Command failed. Report this error to the user. Do not retry with variant commands.]`
           );
         }
       }
@@ -3942,6 +3996,31 @@ function fixWindowsDeleteCommand(command) {
     }
   );
 }
+function buildErrorHint(command, stderr) {
+  const hints = [];
+  if (IS_WINDOWS && /\|\|/.test(command) && /(\|\||is not a valid argument|不是此版本中的有效|ParserError|Unexpected token)/i.test(stderr)) {
+    hints.push(
+      `Hint: PowerShell parses '||' as a pipeline operator (PS 5.x) or logical-or (PS 7+), it CANNOT be passed inline as SQL string concatenation. Workaround: write the SQL to a local .sql file with write_file, then 'scp' it to the remote host and run 'psql -f /tmp/x.sql'. Do NOT try to escape || or wrap the command differently \u2014 it will not work.`
+    );
+  }
+  if (IS_WINDOWS && /\bpython3\b/.test(command) && /(not recognized|is not recognized|无法将.*识别)/i.test(stderr)) {
+    hints.push(
+      `Hint: On Windows the launcher is 'python' (or 'py'), not 'python3'. Replace 'python3' with 'python' and retry.`
+    );
+  }
+  if (IS_WINDOWS && /^\s*ssh\b/.test(command) && /\\"/.test(command) && /(syntax error|ERROR:|ParserError|unexpected|parser|意外的|语法|不是此版本)/i.test(stderr)) {
+    hints.push(
+      `Hint: SSH + nested quotes ("...\\"...\\"") is fragile across PS \u2192 ssh \u2192 remote-shell \u2192 psql layers. Use the file-based flow: (1) write_file locally to a .sql file, (2) 'scp x.sql root@host:/tmp/', (3) 'ssh root@host "sudo -u postgres psql -d <db> -f /tmp/x.sql"'. Or for remote-only SQL: 'ssh host "cat > /tmp/x.sql << \\'SQLEOF\\'\\n...\\nSQLEOF"' then run psql -f. Avoid inline psql -c with embedded quotes.`
+    );
+  }
+  const colMissing = stderr.match(/column "([^"]+)" does not exist/i);
+  if (colMissing) {
+    hints.push(
+      `Hint: PostgreSQL says column "${colMissing[1]}" does not exist. Do NOT retry with a guess \u2014 query the actual schema first: \`psql -c "\\d <table>"\` or \`SELECT column_name FROM information_schema.columns WHERE table_name='<table>';\`. Common pitfall: not every table has a 'deleted' soft-delete column.`
+    );
+  }
+  return hints.length > 0 ? hints.map((h) => `\u{1F4A1} ${h}`).join("\n\n") : null;
+}
 function snapshotDir(dir) {
   try {
     return new Set(readdirSync2(dir).map((name) => resolve(dir, name)));
@@ -10842,6 +10921,31 @@ ${summaryResult.content}`,
       await new Promise((resolve7, reject) => {
         fileStream.end((err) => err ? reject(err) : resolve7());
       });
+      const metaMatch = detectMetaNarration(fullContent);
+      if (metaMatch) {
+        try {
+          unlinkSync4(saveToFile);
+        } catch {
+        }
+        isError = true;
+        summary = `[save_last_response REJECTED] Your output was internal reasoning / meta-narration (e.g. "Let me re-read\u2026", "the user is asking me to\u2026") instead of the requested document body (matched: ${metaMatch}). ${saveToFile} was NOT saved.
+
+This fresh stream has NO tools. Produce ONLY the document body: start with a markdown heading and write the full content. Do NOT narrate that you will produce the document \u2014 produce it.`;
+        if (teeUsage) {
+          roundUsage.inputTokens += teeUsage.inputTokens;
+          roundUsage.outputTokens += teeUsage.outputTokens;
+          roundUsage.cacheCreationTokens += teeUsage.cacheCreationTokens ?? 0;
+          roundUsage.cacheReadTokens += teeUsage.cacheReadTokens ?? 0;
+        }
+        this.send({
+          type: "tool_call_result",
+          callId: call.id,
+          result: summary,
+          isError: true,
+          endTime: Date.now()
+        });
+        return { content: "", summary, isError: true };
+      }
       const pseudoMatch = detectPseudoToolCalls(fullContent);
       if (pseudoMatch) {
         const cleaned = stripPseudoToolCalls(fullContent);
@@ -10879,9 +10983,13 @@ ${summaryResult.content}`,
         } catch {
         }
       }
+      try {
+        unlinkSync4(saveToFile);
+      } catch {
+      }
       isError = true;
       const msg = err instanceof Error ? err.message : String(err);
-      summary = `[save_last_response failed] ${msg}`;
+      summary = `[save_last_response failed] streaming was interrupted: ${msg}. ${saveToFile} (partial) was deleted. Retry \u2014 and consider producing a more compact output (split very large reports across multiple save_last_response calls if the previous attempt timed out).`;
     }
     this.send({
       type: "tool_call_result",
@@ -11960,7 +12068,7 @@ ${undoResults.map((r) => `  \u2022 ${r}`).join("\n")}` });
       case "test": {
         this.send({ type: "info", message: "\u{1F9EA} Running tests..." });
         try {
-          const { executeTests } = await import("./run-tests-OB4CWKKX.js");
+          const { executeTests } = await import("./run-tests-OKQEMYZK.js");
           const argStr = args.join(" ").trim();
           let testArgs = {};
           if (argStr) {
@@ -12944,11 +13052,12 @@ async function setupProxy(configProxy) {
 }
 
 // src/web/auth.ts
-import { existsSync as existsSync21, readFileSync as readFileSync14, writeFileSync as writeFileSync9, mkdirSync as mkdirSync10, readdirSync as readdirSync10, copyFileSync } from "fs";
+import { existsSync as existsSync21, readFileSync as readFileSync14, writeFileSync as writeFileSync9, mkdirSync as mkdirSync10, readdirSync as readdirSync10, copyFileSync, renameSync as renameSync2, unlinkSync as unlinkSync5 } from "fs";
 import { join as join14 } from "path";
 import { createHmac, randomBytes, timingSafeEqual, pbkdf2Sync } from "crypto";
 var USERS_FILE = "users.json";
 var TOKEN_EXPIRY_HOURS = 24;
+var TOKEN_EXPIRY_MS = TOKEN_EXPIRY_HOURS * 3600 * 1e3;
 var USERS_DIR = "users";
 var LOGIN_MAX_FAILS = 5;
 var LOGIN_LOCKOUT_MS = 15 * 60 * 1e3;
@@ -13192,7 +13301,17 @@ var AuthManager = class {
   }
   saveDB(db) {
     mkdirSync10(this.baseDir, { recursive: true });
-    writeFileSync9(this.usersFile, JSON.stringify(db, null, 2), "utf-8");
+    const tmp = `${this.usersFile}.tmp`;
+    try {
+      writeFileSync9(tmp, JSON.stringify(db, null, 2), "utf-8");
+      renameSync2(tmp, this.usersFile);
+    } catch (err) {
+      try {
+        unlinkSync5(tmp);
+      } catch {
+      }
+      throw err;
+    }
   }
   /** Legacy hash — kept only for migrating old users (v0.2.x) */
   hashPasswordLegacy(password, salt) {
@@ -13406,7 +13525,7 @@ async function startWebServer(options = {}) {
     }
     const token = authManager.login(username, password);
     console.log(`   \u2713 User registered via API: ${username}${firstRun ? " (first-run)" : ""}`);
-    res.cookie("aicli_token", token, { httpOnly: true, sameSite: "strict", maxAge: 7 * 24 * 3600 * 1e3 });
+    res.cookie("aicli_token", token, { httpOnly: true, sameSite: "strict", maxAge: TOKEN_EXPIRY_MS });
     res.json({ success: true, username });
   });
   app.post("/api/auth/login", (req, res) => {
@@ -13420,7 +13539,7 @@ async function startWebServer(options = {}) {
       res.status(401).json({ error: "Invalid username or password" });
       return;
     }
-    res.cookie("aicli_token", token, { httpOnly: true, sameSite: "strict", maxAge: 7 * 24 * 3600 * 1e3 });
+    res.cookie("aicli_token", token, { httpOnly: true, sameSite: "strict", maxAge: TOKEN_EXPIRY_MS });
     res.json({ success: true, username });
   });
   app.post("/api/auth/logout", (_req, res) => {

package/dist/{hub-DGJC2RRF.js → hub-YNP5HCTT.js}

@@ -386,7 +386,7 @@ ${content}`);
   }
 }
 async function runTaskMode(config, providers, configManager, topic) {
-  const { TaskOrchestrator } = await import("./task-orchestrator-32YQ6HB2.js");
+  const { TaskOrchestrator } = await import("./task-orchestrator-SCH3JUKT.js");
   const orchestrator = new TaskOrchestrator(config, providers, configManager);
   let interrupted = false;
   const onSigint = () => {