mini-coder 0.2.3 → 0.3.1

package/docs/KNOWN_ISSUES.md

@@ -4,6 +4,7 @@
 
 - AI SDK expands `claude-3-5-haiku` → dated variant that Zen doesn't serve (404).
 - Shell tool: model can `tmux kill-session` the host tmux session if names collide (e.g. audit skill creates session named "audit" matching the user's). Not a code bug — the skill/model just picks a conflicting name. Mitigate via skill wording or session name prefixing.
+- Shell tool output truncation only stops reading stdout/stderr; it does not terminate the underlying process yet. Commands that emit a lot of output and then keep running can still block until they exit or hit timeout.
 
 ## Features
 

package/docs/design-decisions.md

@@ -1,49 +1,6 @@
 # Design Decisions
 
-Documenting why mini-coder makes certain architectural choices — especially where we intentionally diverge from AI SDK defaults or common patterns.
-
-## Why not ToolLoopAgent?
-
-**Decision:** Use `streamText` directly instead of the AI SDK's `ToolLoopAgent`.
-
-`ToolLoopAgent` is a convenience wrapper that manages the tool-call loop, context, and stopping conditions. Mini-coder needs explicit control over every aspect it abstracts away:
-
-- **Streaming event rendering** — We yield granular `TurnEvent`s (text deltas, tool calls, tool results, reasoning, context-pruned notifications) as they arrive from `fullStream`. The reporter renders them append-only into the terminal in real time. `ToolLoopAgent` gives you the final result; we need the firehose.
-- **ESC interrupt mid-turn** — An `AbortController` is wired through to `streamText`'s `signal`. On ESC, we abort, preserve partial messages, and append an interrupt stub so the LLM retains context. `ToolLoopAgent` doesn't expose this kind of mid-stream abort-and-preserve behavior.
-- **Custom context pruning** — After every turn, `SessionRunner` runs `applyContextPruning` + `compactToolResultPayloads` on the in-memory history. This is rolling, per-turn pruning that must not break prompt caching. `ToolLoopAgent`'s built-in context management doesn't match these constraints.
-- **Per-step DB persistence** — Each turn's messages are saved to SQLite with a turn index as they complete. The in-memory `coreHistory` diverges from the DB history (pruned vs. full). `ToolLoopAgent` has no hook for this.
-- **Provider-specific caching annotations** — `annotateToolCaching` adds caching metadata to the tool set based on the model string, injected directly into the `streamText` call.
-- **No step/tool-call limits** — Per the design: "No max steps or tool call limits — user can interrupt." `ToolLoopAgent` defaults to `stopWhen: stepCountIs(20)`.
-
-**Summary:** `ToolLoopAgent` reduces boilerplate for simple request→response agents. Mini-coder is a shell-first coding agent where the loop _is_ the product. Using `ToolLoopAgent` would mean fighting the abstraction at every turn.
-
-## Why no cross-session memory?
-
-**Decision:** No agent-managed persistent memory across sessions. The repo and user-authored config files are the memory.
-
-The AI SDK offers several memory approaches (Anthropic memory tool, Mem0, Letta, custom tools) that let agents save facts and recall them in future conversations. We intentionally don't use any of these.
-
-### What we have instead
-
-- **Within-session persistence** — Full message history saved to SQLite per-turn, sessions resumable via `/session`.
-- **Context pruning** — `applyContextPruning` and `applyStepPruning` strip old reasoning/tool-calls to fit context windows without breaking prompt caching.
-- **Static cross-session context** — `AGENTS.md`/`CLAUDE.md` files loaded into the system prompt. This is user-curated project knowledge, not agent-managed memory.
-- **Skills** — Reusable instruction sets discoverable via `/` autocomplete.
-
-### Why not agent-written memory?
-
-We considered having the agent write to `~/.agents/AGENTS.md` for cross-session recall. Rejected because:
-
-- **Intrusive** — `~/.agents/` is the user's space. Agent writes would mix generated noise with intentional configuration, creating surprises ("where did this line come from?").
-- **Violates conventions** — `AGENTS.md`/`CLAUDE.md` are community standards meant to be human-authored instructions _to_ the agent, not an agent scratchpad. Using them as memory inverts the relationship.
-- **Safety conflict** — Our own system prompt requires confirmation before irreversible actions. Silently modifying a user's global config violates that principle.
-- **Complexity** — Memory adds storage, retrieval, relevance ranking, and non-determinism. The design philosophy is performance first, minimal setup.
-
-### If we ever want this
-
-A dedicated `~/.config/mini-coder/memories.md` that's clearly agent-owned and separate from user config would be the right path — not overloading existing community standards.
-
-**Summary:** For a coding agent that operates on a repo, the repo _is_ the memory. Users who want cross-session context write it in `AGENTS.md` themselves — that's an intentional act, not an LLM side effect.
+Documenting why mini-coder makes certain architectural choices — especially where we intentionally diverge from common patterns.
 
 ## Why no tool-call permissions?
 
@@ -63,7 +20,7 @@ A coding agent runs dozens of shell commands per task. Requiring approval for ea
 
 ### Isolation is a separate concern
 
-Sandboxing is a real need, but it belongs at the OS/container level — not inside the agent. Tools like [nono](https://nono.sh/) provide proper filesystem and network isolation that the LLM cannot circumvent. This is defense in depth done right: the agent runs unrestricted inside a sandbox that enforces actual boundaries.
+Sandboxing is a real need, but it belongs at the OS/container level — not inside the agent. Tools like [Anthropic Sandbox Runtime (`srt`)](https://github.com/anthropic-experimental/sandbox-runtime) and [nono](https://nono.sh/) provide proper filesystem and network isolation that the LLM cannot circumvent. This is defense in depth done right: the agent runs unrestricted inside a sandbox that enforces actual boundaries.
 
 ### Our approach
 

package/docs/mini-coder.1.md

@@ -73,14 +73,11 @@ _prompt_
 `/mcp remove` _name_
 : Remove MCP server.
 
-`/review`
-: Review recent changes (global skill, auto-created at first run).
-
 `/login`
 : Show OAuth login status.
 
 `/login` _provider_
-: Login via OAuth (opens browser for device flow). Currently supports `anthropic`.
+: Login via OAuth (opens browser for device flow). Currently supports `openai`.
 
 `/logout` _provider_
 : Clear saved OAuth tokens.
@@ -169,15 +166,13 @@ Skills are reusable instruction files at `.agents/skills/<name>/SKILL.md`.
 `description`
 : Help text.
 
-Skills are never auto-loaded. Load explicitly:
+Skills are auto discovered. To load explicitly:
 
 - `/skill-name` in prompts (injects body as a user message).
 - **listSkills** / **readSkill** tools at runtime.
 
 Local discovery walks up from cwd to the git worktree root.
 
-A default **review** skill is created at `~/.agents/skills/review/SKILL.md` on first run if it doesn't exist. It can be customized or shadowed locally.
-
 ## CONFIGURATION
 
 Config roots: `.agents/`, `.claude/` — local (repo) or global (`~/`).
@@ -216,7 +211,7 @@ Config roots: `.agents/`, `.claude/` — local (repo) or global (`~/`).
 ## FILES
 
 `~/.config/mini-coder/`
-: App data directory (sessions.db, api.log, errors.log).
+: App data directory (sessions.db, with tables for error and other logs).
 
 `.agents/` or `.claude/`
 : Config directories for skills and context files.

package/docs/superpowers/plans/2026-03-30-anthropic-oauth-removal.md

@@ -0,0 +1,61 @@
+# Anthropic OAuth Removal Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Remove Claude Code subscription OAuth support without affecting Anthropic API-key access or Zen Claude models.
+
+**Architecture:** Delete the Anthropic OAuth provider registration and stop consulting Anthropic OAuth state in discovery/model-info paths. Preserve all direct `ANTHROPIC_API_KEY` behavior and Anthropic-family handling needed by Zen and direct API use.
+
+**Tech Stack:** Bun, TypeScript, bun:test, SQLite-backed auth storage, AI SDK providers.
+
+---
+
+### Task 1: Track the work and lock the user-facing contract
+
+**Files:**
+
+- Modify: `TODO.md`
+- Reference: `docs/superpowers/specs/2026-03-30-anthropic-oauth-removal-design.md`
+
+- [ ] **Step 1: Update TODO.md with active work item**
+- [ ] **Step 2: Keep TODO.md current as tasks complete**
+
+### Task 2: Write failing tests for Anthropic OAuth removal
+
+**Files:**
+
+- Modify: `src/llm-api/providers-resolve.test.ts`
+- Modify: `src/llm-api/model-info.test.ts`
+- Create: `src/session/oauth/auth-storage.test.ts`
+
+- [ ] **Step 1: Add a test asserting OAuth providers list only OpenAI**
+- [ ] **Step 2: Add tests asserting Anthropic discovery requires `ANTHROPIC_API_KEY`**
+- [ ] **Step 3: Run focused tests to verify they fail for the expected reason**
+
+### Task 3: Remove Anthropic OAuth registration and discovery usage
+
+**Files:**
+
+- Delete: `src/session/oauth/anthropic.ts`
+- Modify: `src/session/oauth/auth-storage.ts`
+- Modify: `src/llm-api/providers.ts`
+- Modify: `src/llm-api/model-info.ts`
+- Modify: `src/llm-api/model-info-fetch.ts`
+
+- [ ] **Step 1: Remove the Anthropic OAuth provider from auth storage**
+- [ ] **Step 2: Remove Anthropic OAuth-based provider discovery/autodiscovery**
+- [ ] **Step 3: Remove Anthropic OAuth-based model list fetching**
+- [ ] **Step 4: Run the focused tests and make them pass**
+
+### Task 4: Update CLI/docs and finish verification
+
+**Files:**
+
+- Modify: `src/cli/commands-help.ts`
+- Modify: `docs/mini-coder.1.md`
+- Modify: `TODO.md`
+
+- [ ] **Step 1: Remove Anthropic OAuth mentions from help/manpage**
+- [ ] **Step 2: Run formatting if needed**
+- [ ] **Step 3: Run focused tests, then broader verification commands**
+- [ ] **Step 4: Clear the completed TODO item**

package/docs/superpowers/specs/2026-03-30-anthropic-oauth-removal-design.md

@@ -0,0 +1,47 @@
+# Anthropic OAuth Removal Design
+
+## Goal
+
+Remove Claude Code subscription OAuth support from mini-coder while preserving:
+
+- direct Anthropic API key support via `ANTHROPIC_API_KEY`
+- Anthropic-family models served through Opencode Zen (`zen/claude-*`)
+
+## Approved behavior
+
+- `anthropic` is removed completely from the user-facing OAuth surface.
+- `/login anthropic` is no longer supported and behaves like any unknown provider.
+- `/logout anthropic` is no longer documented or advertised as a supported path.
+- Existing saved Anthropic OAuth rows in SQLite are ignored; no migration or cleanup is required.
+- Anthropic remains available through `ANTHROPIC_API_KEY`.
+- Zen-backed Claude models remain available and unchanged.
+
+## Approach
+
+Use a narrow OAuth-only removal:
+
+1. Remove the Anthropic OAuth provider module and provider registration.
+2. Stop consulting Anthropic OAuth state during provider discovery and model-info refresh visibility.
+3. Keep direct Anthropic provider resolution via `ANTHROPIC_API_KEY`.
+4. Keep Anthropic-family request handling and Zen backend routing unchanged.
+5. Update tests and docs to match the new OAuth surface.
+
+## Files in scope
+
+- `src/session/oauth/anthropic.ts` — delete
+- `src/session/oauth/auth-storage.ts` — unregister Anthropic OAuth
+- `src/llm-api/providers.ts` — stop treating Anthropic OAuth as connected
+- `src/llm-api/model-info.ts` — stop treating Anthropic OAuth as a refresh/visibility source
+- `src/llm-api/model-info-fetch.ts` — stop fetching Anthropic models via OAuth tokens
+- `src/cli/commands-help.ts` — remove Anthropic OAuth example text
+- `docs/mini-coder.1.md` — document OpenAI-only OAuth support
+- tests around provider discovery/model info — update to be deterministic and Anthropic-OAuth-free
+
+## Risks and mitigations
+
+- Risk: accidentally breaking direct Anthropic API-key support.
+  - Mitigation: keep direct provider resolver and add/update tests that verify `ANTHROPIC_API_KEY` still wins.
+- Risk: accidentally breaking Zen Claude behavior.
+  - Mitigation: avoid touching Anthropic-family routing/caching code used for Zen.
+- Risk: stale Anthropic OAuth tokens still affecting behavior.
+  - Mitigation: remove all Anthropic OAuth checks from discovery and model fetching paths.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mini-coder",
-  "version": "0.2.3",
+  "version": "0.3.1",
   "description": "A small, fast CLI coding agent",
   "module": "src/index.ts",
   "type": "module",