karajan-code 1.34.4 → 1.36.0

package/src/commands/doctor.js

@@ -1,5 +1,7 @@
 import { readFileSync } from "node:fs";
+import fs from "node:fs/promises";
 import { fileURLToPath } from "node:url";
+import os from "node:os";
 import path from "node:path";
 import { runCommand } from "../utils/process.js";
 import { exists } from "../utils/fs.js";
@@ -239,6 +241,101 @@ async function checkRuleFiles(config) {
   ];
 }
 
+/**
+ * Detect duplicate TOML table headers (e.g. [mcp_servers."karajan-mcp"] appearing twice).
+ * Full TOML parsing would require a dependency — this catches the most common config error.
+ */
+function findDuplicateTomlKeys(content) {
+  const tableHeaders = [];
+  const duplicates = [];
+  for (const line of content.split("\n")) {
+    const match = line.match(/^\s*\[([^\]]+)\]\s*$/);
+    if (match) {
+      const key = match[1].trim();
+      if (tableHeaders.includes(key)) {
+        duplicates.push(key);
+      } else {
+        tableHeaders.push(key);
+      }
+    }
+  }
+  return duplicates;
+}
+
+async function checkAgentConfigs() {
+  const checks = [];
+  const home = os.homedir();
+
+  // Claude: ~/.claude.json
+  const claudeJsonPath = path.join(home, ".claude.json");
+  try {
+    const raw = await fs.readFile(claudeJsonPath, "utf8");
+    JSON.parse(raw);
+    checks.push({ name: "agent-config:claude", label: "Agent config: claude (~/.claude.json)", ok: true, detail: "Valid JSON", fix: null });
+  } catch (err) {
+    if (err.code === "ENOENT") {
+      // File doesn't exist — not an error, Claude may not be configured
+    } else {
+      checks.push({
+        name: "agent-config:claude",
+        label: "Agent config: claude (~/.claude.json)",
+        ok: false,
+        detail: `Invalid JSON: ${err.message.split("\n")[0]}`,
+        fix: "Fix the JSON syntax in ~/.claude.json. Common issues: trailing commas, missing quotes."
+      });
+    }
+  }
+
+  // Codex: ~/.codex/config.toml
+  const codexTomlPath = path.join(home, ".codex", "config.toml");
+  try {
+    const raw = await fs.readFile(codexTomlPath, "utf8");
+    const duplicates = findDuplicateTomlKeys(raw);
+    if (duplicates.length > 0) {
+      checks.push({
+        name: "agent-config:codex",
+        label: "Agent config: codex (~/.codex/config.toml)",
+        ok: false,
+        detail: `Duplicate TOML keys: ${duplicates.join(", ")}`,
+        fix: `Remove duplicate entries in ~/.codex/config.toml: ${duplicates.join(", ")}`
+      });
+    } else {
+      checks.push({ name: "agent-config:codex", label: "Agent config: codex (~/.codex/config.toml)", ok: true, detail: "Valid TOML (no duplicate keys)", fix: null });
+    }
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      checks.push({
+        name: "agent-config:codex",
+        label: "Agent config: codex (~/.codex/config.toml)",
+        ok: false,
+        detail: `Cannot read: ${err.message.split("\n")[0]}`,
+        fix: "Check file permissions on ~/.codex/config.toml"
+      });
+    }
+  }
+
+  // KJ config: ~/.karajan/kj.config.yml (validate YAML)
+  const kjConfigPath = getConfigPath();
+  try {
+    const raw = await fs.readFile(kjConfigPath, "utf8");
+    const yaml = await import("js-yaml");
+    yaml.default.load(raw);
+    checks.push({ name: "agent-config:karajan", label: "Agent config: karajan (kj.config.yml)", ok: true, detail: "Valid YAML", fix: null });
+  } catch (err) {
+    if (err.code !== "ENOENT") {
+      checks.push({
+        name: "agent-config:karajan",
+        label: "Agent config: karajan (kj.config.yml)",
+        ok: false,
+        detail: `Invalid YAML: ${err.message.split("\n")[0]}`,
+        fix: `Fix YAML syntax in ${kjConfigPath}. Run 'kj init' to regenerate if needed.`
+      });
+    }
+  }
+
+  return checks;
+}
+
 export async function runChecks({ config }) {
   const checks = [];
 
@@ -260,6 +357,7 @@ export async function runChecks({ config }) {
     checks.push(...await checkBecariaInfra(config));
   }
 
+  checks.push(...await checkAgentConfigs());
   checks.push(...await checkRuleFiles(config));
   checks.push(await checkRtk());
 

package/src/config.js

@@ -77,7 +77,7 @@ const DEFAULTS = {
     },
     token: null,
     project_key: null,
-    admin_user: "admin",
+    admin_user: null,
     admin_password: null,
     coverage: {
       enabled: false,

package/src/mcp/server-handlers.js

@@ -24,6 +24,7 @@ import { resolveReviewProfile } from "../review/profiles.js";
 import { createRunLog, readRunLog } from "../utils/run-log.js";
 import { currentBranch } from "../utils/git.js";
 import { isPreflightAcked, ackPreflight, getSessionOverrides } from "./preflight.js";
+import { ensureBootstrap } from "../bootstrap.js";
 
 /**
  * Resolve the user's project directory.
@@ -118,6 +119,11 @@ const ERROR_CLASSIFIERS = [
     test: (lower) => lower.includes("not a git repository"),
     category: "git_error",
     suggestion: "Current directory is not a git repository. Navigate to your project root or initialize git with 'git init'."
+  },
+  {
+    test: (lower) => lower.includes("bootstrap failed"),
+    category: "bootstrap_error",
+    suggestion: "Environment prerequisites not met. Run kj_doctor for diagnostics, then fix the issues listed. Do NOT work around these — fix them properly."
   }
 ];
 
@@ -149,6 +155,16 @@ export async function assertNotOnBaseBranch(config) {
   }
 }
 
+/**
+ * Run bootstrap gate: validate all environment prerequisites before execution.
+ * Throws if any prerequisite fails.
+ */
+async function runBootstrapGate(server, a) {
+  const projectDir = await resolveProjectDir(server, a.projectDir);
+  const { config } = await loadConfig(projectDir);
+  await ensureBootstrap(projectDir, config);
+}
+
 export function enrichedFailPayload(error, toolName) {
   const msg = error?.message || String(error);
   const { category, suggestion } = classifyError(error);
@@ -191,7 +207,7 @@ export function buildAskQuestion(server) {
 
 const MAX_AUTO_RESUMES = 2;
 const NON_RECOVERABLE_CATEGORIES = new Set([
-  "config_error", "auth_error", "agent_missing", "branch_error", "git_error"
+  "config_error", "auth_error", "agent_missing", "branch_error", "git_error", "bootstrap_error"
 ]);
 
 async function attemptAutoResume({ err, config, logger, emitter, askQuestion, runLog }) {
@@ -783,6 +799,7 @@ async function handleResume(a, server, extra) {
   if (!a.sessionId) {
     return failPayload("Missing required field: sessionId");
   }
+  await runBootstrapGate(server, a);
   if (a.answer) {
     const validation = validateResumeAnswer(a.answer);
     if (!validation.valid) {
@@ -804,6 +821,7 @@ async function handleRun(a, server, extra) {
       return failPayload(`Invalid taskType "${a.taskType}". Valid values: ${[...validTypes].join(", ")}`);
     }
   }
+  await runBootstrapGate(server, a);
   if (!isPreflightAcked()) {
     // Auto-acknowledge with defaults for autonomous operation
     ackPreflight({});
@@ -818,6 +836,7 @@ async function handleCode(a, server, extra) {
   if (!a.task) {
     return failPayload("Missing required field: task");
   }
+  await runBootstrapGate(server, a);
   if (!isPreflightAcked()) {
     // Auto-acknowledge with defaults for autonomous operation
     ackPreflight({});
@@ -832,6 +851,7 @@ async function handleReview(a, server, extra) {
   if (!a.task) {
     return failPayload("Missing required field: task");
   }
+  await runBootstrapGate(server, a);
   return handleReviewDirect(a, server, extra);
 }
 
@@ -839,6 +859,7 @@ async function handlePlan(a, server, extra) {
   if (!a.task) {
     return failPayload("Missing required field: task");
   }
+  await runBootstrapGate(server, a);
   return handlePlanDirect(a, server, extra);
 }
 
@@ -850,6 +871,7 @@ async function handleDiscover(a, server, extra) {
   if (a.mode && !validModes.has(a.mode)) {
     return failPayload(`Invalid mode "${a.mode}". Valid values: ${[...validModes].join(", ")}`);
   }
+  await runBootstrapGate(server, a);
   return handleDiscoverDirect(a, server, extra);
 }
 
@@ -857,6 +879,7 @@ async function handleTriage(a, server, extra) {
   if (!a.task) {
     return failPayload("Missing required field: task");
   }
+  await runBootstrapGate(server, a);
   return handleTriageDirect(a, server, extra);
 }
 
@@ -864,6 +887,7 @@ async function handleResearcher(a, server, extra) {
   if (!a.task) {
     return failPayload("Missing required field: task");
   }
+  await runBootstrapGate(server, a);
   return handleResearcherDirect(a, server, extra);
 }
 
@@ -871,10 +895,12 @@ async function handleArchitect(a, server, extra) {
   if (!a.task) {
     return failPayload("Missing required field: task");
   }
+  await runBootstrapGate(server, a);
   return handleArchitectDirect(a, server, extra);
 }
 
 async function handleAudit(a, server, extra) {
+  await runBootstrapGate(server, a);
   return handleAuditDirect(a, server, extra);
 }
 
@@ -892,6 +918,11 @@ async function handleBoard(a) {
   }
 }
 
+async function handleScan(a, server) {
+  await runBootstrapGate(server, a);
+  return runKjCommand({ command: "scan", options: a });
+}
+
 /* ── Handler dispatch map ─────────────────────────────────────────── */
 
 const toolHandlers = {
@@ -901,7 +932,7 @@ const toolHandlers = {
   kj_agents:    (a) => handleAgents(a),
   kj_preflight: (a) => handlePreflight(a),
   kj_config:    (a) => runKjCommand({ command: "config", commandArgs: a.json ? ["--json"] : [], options: a }),
-  kj_scan:      (a) => runKjCommand({ command: "scan", options: a }),
+  kj_scan:      (a, server) => handleScan(a, server),
   kj_roles:     (a) => handleRoles(a),
   kj_report:    (a) => runKjCommand({ command: "report", commandArgs: buildReportArgs(a), options: a }),
   kj_resume:    (a, server, extra) => handleResume(a, server, extra),

package/src/orchestrator/preflight-checks.js

@@ -2,16 +2,18 @@
  * Preflight environment checks for kj_run.
  *
  * Runs AFTER policy resolution (so we know which stages are active)
- * and BEFORE session iteration loop (so we fail fast or degrade gracefully).
+ * and BEFORE session iteration loop (so we fail fast).
  *
- * Design: always returns ok:true (graceful degradation, never hard-fail).
- * Disabled stages are auto-disabled via configOverrides instead of blocking.
+ * Design: SonarQube checks are BLOCKING when enabled — if SonarQube is
+ * configured but not available, the pipeline STOPS with a clear error.
+ * Security agent checks remain graceful (warning, auto-disable).
  */
 
 import { checkBinary } from "../utils/agent-detect.js";
 import { isSonarReachable, sonarUp } from "../sonar/manager.js";
 import { runCommand } from "../utils/process.js";
 import { emitProgress, makeEvent } from "../utils/events.js";
+import { loadSonarCredentials } from "../sonar/credentials.js";
 
 function normalizeApiHost(rawHost) {
   return String(rawHost || "http://localhost:9000").replace(/host\.docker\.internal/g, "localhost");
@@ -75,14 +77,19 @@ async function checkSonarAuth(config) {
     }
   }
 
-  // Try admin credentials to generate a token
-  const adminUser = process.env.KJ_SONAR_ADMIN_USER || config.sonarqube?.admin_user || "admin";
+  // Try admin credentials: env vars → config → ~/.karajan/sonar-credentials.json (NO default admin/admin)
+  const fileCreds = await loadSonarCredentials() || {};
+  const adminUser = process.env.KJ_SONAR_ADMIN_USER || config.sonarqube?.admin_user || fileCreds.user;
   const candidates = [
     process.env.KJ_SONAR_ADMIN_PASSWORD,
     config.sonarqube?.admin_password,
-    "admin"
+    fileCreds.password
   ].filter(Boolean);
 
+  if (!adminUser || candidates.length === 0) {
+    return { name: "sonar-auth", ok: false, detail: "No Sonar token or admin credentials configured. Set KJ_SONAR_TOKEN, configure sonarqube.token in kj.config.yml, or save credentials in ~/.karajan/sonar-credentials.json." };
+  }
+
   for (const password of [...new Set(candidates)]) {
     const validateRes = await runCommand("curl", [
       "-sS", "-u", `${adminUser}:${password}`,
@@ -128,6 +135,10 @@ async function checkSecurityAgent(config) {
 /**
  * Run preflight environment checks.
  *
+ * SonarQube checks are BLOCKING: if SonarQube is enabled but not available,
+ * ok will be false and errors[] will contain actionable fix instructions.
+ * Security agent checks remain graceful (auto-disable via configOverrides).
+ *
  * @param {object} opts
  * @param {object} opts.config - Karajan config
  * @param {object} opts.logger - Logger instance
@@ -135,7 +146,7 @@ async function checkSecurityAgent(config) {
  * @param {object} opts.eventBase - Base event data
  * @param {object} opts.resolvedPolicies - Output from applyPolicies()
  * @param {boolean} opts.securityEnabled - Whether security stage is enabled
- * @returns {{ ok: boolean, checks: object[], remediations: string[], configOverrides: object, warnings: string[] }}
+ * @returns {{ ok: boolean, checks: object[], remediations: string[], configOverrides: object, warnings: string[], errors: object[] }}
  */
 export async function runPreflightChecks({ config, logger, emitter, eventBase, resolvedPolicies, securityEnabled }) {
   const sonarEnabled = Boolean(config.sonarqube?.enabled) && resolvedPolicies.sonar !== false;
@@ -148,6 +159,7 @@ export async function runPreflightChecks({ config, logger, emitter, eventBase, r
     remediations: [],
     configOverrides: {},
     warnings: [],
+    errors: [],
   };
 
   // Short-circuit: nothing to check
@@ -171,20 +183,24 @@ export async function runPreflightChecks({ config, logger, emitter, eventBase, r
     result.checks.push(dockerCheck);
 
     emitProgress(emitter, makeEvent("preflight:check", { ...eventBase, stage: "preflight" }, {
-      status: dockerCheck.ok ? "ok" : "warn",
+      status: dockerCheck.ok ? "ok" : "fail",
       message: `Docker: ${dockerCheck.detail}`,
       detail: dockerCheck
     }));
 
     if (!dockerCheck.ok) {
-      result.configOverrides.sonarDisabled = true;
-      result.warnings.push("Docker not available — SonarQube auto-disabled");
-      logger.warn("Preflight: Docker not found, disabling SonarQube");
+      result.ok = false;
+      result.errors.push({
+        check: "docker",
+        message: "Docker not available but SonarQube is enabled.",
+        fix: "Start Docker, or disable SonarQube: set sonarqube.enabled: false in kj.config.yml, or pass --no-sonar."
+      });
+      logger.error("Preflight: Docker not found — SonarQube requires Docker");
 
       // Skip remaining sonar checks, continue to security
       if (!securityEnabled) {
         emitProgress(emitter, makeEvent("preflight:end", { ...eventBase, stage: "preflight" }, {
-          status: "warn", message: "Preflight completed with warnings", detail: result
+          status: "fail", message: "Preflight FAILED — environment not ready", detail: result
         }));
         return result;
       }
@@ -192,7 +208,7 @@ export async function runPreflightChecks({ config, logger, emitter, eventBase, r
   }
 
   // --- 2. SonarQube reachable ---
-  if (sonarEnabled && !result.configOverrides.sonarDisabled) {
+  if (sonarEnabled && result.ok) {
     const reachableCheck = await checkSonarReachable(sonarHost);
     result.checks.push(reachableCheck);
 
@@ -201,25 +217,29 @@ export async function runPreflightChecks({ config, logger, emitter, eventBase, r
     }
 
     emitProgress(emitter, makeEvent("preflight:check", { ...eventBase, stage: "preflight" }, {
-      status: reachableCheck.ok ? "ok" : "warn",
+      status: reachableCheck.ok ? "ok" : "fail",
       message: `SonarQube reachability: ${reachableCheck.detail}`,
       detail: reachableCheck
     }));
 
     if (!reachableCheck.ok) {
-      result.configOverrides.sonarDisabled = true;
-      result.warnings.push("SonarQube not reachable — auto-disabled");
-      logger.warn("Preflight: SonarQube not reachable after remediation, disabling");
+      result.ok = false;
+      result.errors.push({
+        check: "sonar-reachable",
+        message: `SonarQube not reachable at ${sonarHost}.`,
+        fix: "Start SonarQube: 'docker start karajan-sonarqube', or disable it: set sonarqube.enabled: false in kj.config.yml, or pass --no-sonar."
+      });
+      logger.error("Preflight: SonarQube not reachable after remediation attempt");
     }
   }
 
   // --- 3. SonarQube auth/token ---
-  if (sonarEnabled && !result.configOverrides.sonarDisabled) {
+  if (sonarEnabled && result.ok) {
     const authCheck = await checkSonarAuth(config);
     result.checks.push(authCheck);
 
     emitProgress(emitter, makeEvent("preflight:check", { ...eventBase, stage: "preflight" }, {
-      status: authCheck.ok ? "ok" : "warn",
+      status: authCheck.ok ? "ok" : "fail",
       message: `SonarQube auth: ${authCheck.detail}`,
       detail: { name: authCheck.name, ok: authCheck.ok, detail: authCheck.detail }
     }));
@@ -229,13 +249,17 @@ export async function runPreflightChecks({ config, logger, emitter, eventBase, r
       result.remediations.push("Sonar token resolved and cached in KJ_SONAR_TOKEN");
       logger.info("Preflight: Sonar token resolved and cached");
     } else if (!authCheck.ok) {
-      result.configOverrides.sonarDisabled = true;
-      result.warnings.push("SonarQube auth failed — auto-disabled");
-      logger.warn("Preflight: Sonar auth failed, disabling SonarQube");
+      result.ok = false;
+      result.errors.push({
+        check: "sonar-auth",
+        message: "SonarQube authentication failed.",
+        fix: "Regenerate the SonarQube token and update it via kj_init or in kj.config.yml under sonarqube.token."
+      });
+      logger.error("Preflight: Sonar auth failed");
     }
   }
 
-  // --- 4. Security agent ---
+  // --- 4. Security agent (graceful — only warning, not blocking) ---
   if (securityEnabled) {
     const secCheck = await checkSecurityAgent(config);
     result.checks.push(secCheck);
@@ -253,12 +277,15 @@ export async function runPreflightChecks({ config, logger, emitter, eventBase, r
     }
   }
 
+  const hasErrors = result.errors.length > 0;
   const hasWarnings = result.warnings.length > 0;
   emitProgress(emitter, makeEvent("preflight:end", { ...eventBase, stage: "preflight" }, {
-    status: hasWarnings ? "warn" : "ok",
-    message: hasWarnings
-      ? `Preflight completed with ${result.warnings.length} warning(s)`
-      : "Preflight passed — all checks OK",
+    status: hasErrors ? "fail" : hasWarnings ? "warn" : "ok",
+    message: hasErrors
+      ? `Preflight FAILED — ${result.errors.length} blocking issue(s)`
+      : hasWarnings
+        ? `Preflight completed with ${result.warnings.length} warning(s)`
+        : "Preflight passed — all checks OK",
     detail: result
   }));
 

package/src/orchestrator/solomon-escalation.js

@@ -30,10 +30,17 @@ export async function invokeSolomon({ config, logger, emitter, eventBase, stage,
     });
   }
 
+  const solomonError = ruling.result?.error;
+  if (!ruling.ok && solomonError) {
+    logger.warn(`Solomon execution failed: ${solomonError}`);
+  }
+
   emitProgress(
     emitter,
     makeEvent("solomon:end", { ...eventBase, stage: "solomon" }, {
-      message: `Solomon ruling: ${ruling.result?.ruling || "unknown"}`,
+      message: ruling.ok
+        ? `Solomon ruling: ${ruling.result?.ruling || "unknown"}`
+        : `Solomon failed: ${(solomonError || ruling.summary || "unknown error").slice(0, 200)}`,
       detail: ruling.result
     })
   );
@@ -43,13 +50,15 @@ export async function invokeSolomon({ config, logger, emitter, eventBase, stage,
     iteration,
     ruling: ruling.result?.ruling,
     escalate: ruling.result?.escalate,
+    error: solomonError ? solomonError.slice(0, 500) : undefined,
     subtask: ruling.result?.subtask?.title || null
   });
 
   if (!ruling.ok) {
+    const reason = ruling.result?.escalate_reason || solomonError || ruling.summary;
     return escalateToHuman({
       askQuestion, session, emitter, eventBase, stage, iteration,
-      conflict: { ...conflict, solomonReason: ruling.result?.escalate_reason }
+      conflict: { ...conflict, solomonReason: reason }
     });
   }
 

package/src/orchestrator.js

@@ -886,9 +886,16 @@ async function runPreLoopStages({ config, logger, emitter, eventBase, session, f
   session.preflight = preflightResult;
   await saveSession(session);
 
-  if (preflightResult.configOverrides.sonarDisabled) {
-    updatedConfig = { ...updatedConfig, sonarqube: { ...updatedConfig.sonarqube, enabled: false } };
+  // Hard fail if blocking checks failed (SonarQube enabled but not available)
+  if (!preflightResult.ok) {
+    const errorLines = (preflightResult.errors || [])
+      .map(e => `  - ${e.message}\n    Fix: ${e.fix}`)
+      .join("\n");
+    throw new Error(
+      `Preflight FAILED — environment changed during session. Fix the issues and retry:\n${errorLines}`
+    );
   }
+
   if (preflightResult.configOverrides.securityDisabled) {
     pipelineFlags.securityEnabled = false;
   }

package/src/roles/solomon-role.js

@@ -62,12 +62,28 @@ function buildPrompt({ conflict, task, instructions }) {
   const iterationCount = conflict?.iterationCount ?? "?";
   const maxIterations = conflict?.maxIterations ?? "?";
 
+  const isFirstRejection = conflict?.isFirstRejection ?? false;
+  const isRepeat = conflict?.isRepeat ?? false;
+
   sections.push(
     `## Conflict context`,
     `Stage: ${stage}`,
-    `Iterations exhausted: ${iterationCount}/${maxIterations}`
+    `Iterations exhausted: ${iterationCount}/${maxIterations}`,
+    `isFirstRejection: ${isFirstRejection}`,
+    `isRepeat: ${isRepeat}`
   );
 
+  if (conflict?.issueCategories) {
+    sections.push(`## Issue categories\n${JSON.stringify(conflict.issueCategories, null, 2)}`);
+  }
+
+  if (conflict?.blockingIssues?.length) {
+    const issueList = conflict.blockingIssues
+      .map((issue, i) => `${i + 1}. [${issue.severity || "unknown"}] ${issue.description || issue}`)
+      .join("\n");
+    sections.push(`## Blocking issues\n${issueList}`);
+  }
+
   if (task) {
     sections.push(`## Original task\n${task}`);
   }

package/src/sonar/credentials.js

@@ -0,0 +1,35 @@
+/**
+ * Load SonarQube admin credentials from ~/.karajan/sonar-credentials.json.
+ *
+ * File format:
+ * {
+ *   "user": "admin",
+ *   "password": "your-password"
+ * }
+ *
+ * Returns { user, password } or { user: null, password: null } if file missing.
+ */
+
+import fs from "node:fs/promises";
+import path from "node:path";
+import { getKarajanHome } from "../utils/paths.js";
+
+const CREDENTIALS_FILENAME = "sonar-credentials.json";
+
+export async function loadSonarCredentials() {
+  try {
+    const filePath = path.join(getKarajanHome(), CREDENTIALS_FILENAME);
+    const raw = await fs.readFile(filePath, "utf8");
+    const data = JSON.parse(raw);
+    return {
+      user: data.user || null,
+      password: data.password || null
+    };
+  } catch {
+    return { user: null, password: null };
+  }
+}
+
+export function credentialsPath() {
+  return path.join(getKarajanHome(), CREDENTIALS_FILENAME);
+}

package/src/sonar/scanner.js

@@ -4,6 +4,7 @@ import path from "node:path";
 import { runCommand } from "../utils/process.js";
 import { sonarUp } from "./manager.js";
 import { resolveSonarProjectKey } from "./project-key.js";
+import { loadSonarCredentials } from "./credentials.js";
 
 export function buildScannerOpts(projectKey, scanner = {}) {
   const opts = [`-Dsonar.projectKey=${projectKey}`];
@@ -136,18 +137,18 @@ async function resolveSonarToken(config, apiHost) {
   const explicitToken = process.env.KJ_SONAR_TOKEN || process.env.SONAR_TOKEN || config.sonarqube.token;
   if (explicitToken) return explicitToken;
 
-  const adminUser = process.env.KJ_SONAR_ADMIN_USER || config.sonarqube.admin_user || "admin";
+  // Resolve admin credentials from: env vars → config → ~/.karajan/sonar-credentials.json
+  const fileCreds = await loadSonarCredentials() || {};
+  const adminUser = process.env.KJ_SONAR_ADMIN_USER || config.sonarqube.admin_user || fileCreds.user;
   const candidates = [
     process.env.KJ_SONAR_ADMIN_PASSWORD,
     config.sonarqube.admin_password,
-    "admin"
+    fileCreds.password
   ].filter(Boolean);
 
+  if (!adminUser || candidates.length === 0) return null;
+
   for (const password of new Set(candidates)) {
-    if (password === "admin") {
-      // eslint-disable-next-line no-console
-      console.warn("[karajan] WARNING: Using default admin/admin credentials for SonarQube. Set KJ_SONAR_TOKEN for production use.");
-    }
     const valid = await validateAdminCredentials(apiHost, adminUser, password);
     if (!valid) continue;
     const token = await generateUserToken(apiHost, adminUser, password);
@@ -224,7 +225,7 @@ export async function runSonarScan(config, projectKey = null) {
       ok: false,
       stdout: "",
       stderr:
-        "Unable to resolve Sonar token. Tried configured token/password and fallback admin/admin.",
+        "Unable to resolve Sonar token. Set KJ_SONAR_TOKEN env var, configure sonarqube.token in kj.config.yml, or save credentials in ~/.karajan/sonar-credentials.json.",
       exitCode: 1
     };
   }

package/src/utils/budget.js

@@ -40,18 +40,22 @@ export function extractUsageMetrics(result, defaultModel = null) {
     null;
 
   // If no real token data AND no explicit cost, estimate from prompt/output sizes.
-  // Estimation is opt-in: only triggered when result.promptSize is explicitly provided.
+  // Primary: uses result.promptSize when explicitly provided.
+  // Fallback: estimates from result.output or result.error text length.
   let estimated = false;
   let finalTokensIn = tokens_in;
   let finalTokensOut = tokens_out;
   const hasExplicitCost = cost_usd !== undefined && cost_usd !== null && cost_usd !== "";
-  if (!tokens_in && !tokens_out && !hasExplicitCost && result?.promptSize > 0) {
-    const promptSize = result.promptSize;
-    const outputSize = (result?.output || result?.summary || "").length;
-    const est = estimateTokens(promptSize, outputSize);
-    finalTokensIn = est.tokens_in;
-    finalTokensOut = est.tokens_out;
-    estimated = true;
+  if (!tokens_in && !tokens_out && !hasExplicitCost) {
+    const outputText = result?.output || result?.error || result?.summary || "";
+    const promptSize = result?.promptSize || 0;
+    const MIN_TEXT_FOR_ESTIMATION = 40;
+    if (promptSize > 0 || outputText.length >= MIN_TEXT_FOR_ESTIMATION) {
+      const est = estimateTokens(promptSize, outputText.length);
+      finalTokensIn = est.tokens_in;
+      finalTokensOut = est.tokens_out;
+      estimated = true;
+    }
   }
 
   return { tokens_in: finalTokensIn, tokens_out: finalTokensOut, cost_usd, model, estimated };

package/src/utils/model-selector.js

@@ -1,7 +1,7 @@
 const DEFAULT_MODEL_TIERS = {
-  claude: { trivial: "claude/haiku", simple: "claude/haiku", medium: "claude/sonnet", complex: "claude/opus" },
-  codex: { trivial: "codex/o4-mini", simple: "codex/o4-mini", medium: "codex/o4-mini", complex: "codex/o3" },
-  gemini: { trivial: "gemini/flash", simple: "gemini/flash", medium: "gemini/pro", complex: "gemini/pro" },
+  claude: { trivial: "haiku", simple: "haiku", medium: "sonnet", complex: "opus" },
+  codex: { trivial: "o4-mini", simple: "o4-mini", medium: "o4-mini", complex: "o3" },
+  gemini: { trivial: "gemini-2.0-flash", simple: "gemini-2.0-flash", medium: "gemini-2.5-pro", complex: "gemini-2.5-pro" },
   aider: { trivial: null, simple: null, medium: null, complex: null }
 };