mini-coder 0.3.0 → 0.4.0

package/docs/KNOWN_ISSUES.md

@@ -4,6 +4,7 @@
 
 - AI SDK expands `claude-3-5-haiku` → dated variant that Zen doesn't serve (404).
 - Shell tool: model can `tmux kill-session` the host tmux session if names collide (e.g. audit skill creates session named "audit" matching the user's). Not a code bug — the skill/model just picks a conflicting name. Mitigate via skill wording or session name prefixing.
+- Shell tool output truncation only stops reading stdout/stderr; it does not terminate the underlying process yet. Commands that emit a lot of output and then keep running can still block until they exit or hit timeout.
 
 ## Features
 

package/docs/design-decisions.md

@@ -20,7 +20,7 @@ A coding agent runs dozens of shell commands per task. Requiring approval for ea
 
 ### Isolation is a separate concern
 
-Sandboxing is a real need, but it belongs at the OS/container level — not inside the agent. Tools like [nono](https://nono.sh/) provide proper filesystem and network isolation that the LLM cannot circumvent. This is defense in depth done right: the agent runs unrestricted inside a sandbox that enforces actual boundaries.
+Sandboxing is a real need, but it belongs at the OS/container level — not inside the agent. Tools like [Anthropic Sandbox Runtime (`srt`)](https://github.com/anthropic-experimental/sandbox-runtime) and [nono](https://nono.sh/) provide proper filesystem and network isolation that the LLM cannot circumvent. This is defense in depth done right: the agent runs unrestricted inside a sandbox that enforces actual boundaries.
 
 ### Our approach
 

package/docs/mini-coder.1.md

@@ -40,9 +40,15 @@ _prompt_
 `/model`
 : List all available models.
 
+`/models`
+: Alias for `/model`.
+
 `/model` _id_
 : Switch model.
 
+`/models` _id_
+: Alias for `/model` _id_.
+
 `/model effort` _low|medium|high|xhigh|off_
 : Set reasoning effort.
 
@@ -73,14 +79,11 @@ _prompt_
 `/mcp remove` _name_
 : Remove MCP server.
 
-`/review`
-: Review recent changes (global skill, auto-created at first run).
-
 `/login`
 : Show OAuth login status.
 
 `/login` _provider_
-: Login via OAuth (opens browser for device flow). Currently supports `anthropic` and `openai` (`openai` uses the Codex / ChatGPT Plus/Pro flow).
+: Login via OAuth (opens browser for device flow). Currently supports `openai`.
 
 `/logout` _provider_
 : Clear saved OAuth tokens.
@@ -169,29 +172,28 @@ Skills are reusable instruction files at `.agents/skills/<name>/SKILL.md`.
 `description`
 : Help text.
 
-Skills are never auto-loaded. Load explicitly:
+Skills are auto discovered. To load explicitly:
 
 - `/skill-name` in prompts (injects body as a user message).
 - **listSkills** / **readSkill** tools at runtime.
 
 Local discovery walks up from cwd to the git worktree root.
 
-A default **review** skill is created at `~/.agents/skills/review/SKILL.md` on first run if it doesn't exist. It can be customized or shadowed locally.
-
 ## CONFIGURATION
 
 Config roots: `.agents/`, `.claude/` — local (repo) or global (`~/`).
 
-**Context files** (one global + one local loaded into the system prompt):
+**Context files** (global files first, then the nearest local directory with context files):
 
-- Global: `~/.agents/AGENTS.md` → `~/.agents/CLAUDE.md`
-- Local: `./.agents/AGENTS.md` → `./CLAUDE.md` → `./AGENTS.md`
+- Global files concatenate in this order: `~/.agents/AGENTS.md` → `~/.agents/CLAUDE.md` → `~/.claude/CLAUDE.md`
+- Local files concatenate in this order within the nearest matching directory (the same nearest-directory precedence applies to both `AGENTS.md` and `CLAUDE.md`): `./.agents/AGENTS.md` → `./.agents/CLAUDE.md` → `./.claude/CLAUDE.md` → `./CLAUDE.md` → `./AGENTS.md`
 
 **Precedence:**
 
-1. Local overrides global.
-2. Same scope: `.agents` wins over `.claude`.
-3. Skills: nearest ancestor directory wins.
+1. Local context is loaded from the nearest directory between cwd and the git root.
+2. Within one scope, matching files are concatenated in the order above.
+3. Global context appears before local context in the system prompt.
+4. Skills: nearest ancestor directory wins.
 
 ## ENVIRONMENT
 
@@ -216,7 +218,7 @@ Config roots: `.agents/`, `.claude/` — local (repo) or global (`~/`).
 ## FILES
 
 `~/.config/mini-coder/`
-: App data directory (sessions.db, api.log, errors.log).
+: App data directory (sessions.db, with tables for error and other logs).
 
 `.agents/` or `.claude/`
 : Config directories for skills and context files.

package/docs/superpowers/plans/2026-03-30-anthropic-oauth-removal.md

@@ -0,0 +1,61 @@
+# Anthropic OAuth Removal Implementation Plan
+
+> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
+
+**Goal:** Remove Claude Code subscription OAuth support without affecting Anthropic API-key access or Zen Claude models.
+
+**Architecture:** Delete the Anthropic OAuth provider registration and stop consulting Anthropic OAuth state in discovery/model-info paths. Preserve all direct `ANTHROPIC_API_KEY` behavior and Anthropic-family handling needed by Zen and direct API use.
+
+**Tech Stack:** Bun, TypeScript, bun:test, SQLite-backed auth storage, AI SDK providers.
+
+---
+
+### Task 1: Track the work and lock the user-facing contract
+
+**Files:**
+
+- Modify: `TODO.md`
+- Reference: `docs/superpowers/specs/2026-03-30-anthropic-oauth-removal-design.md`
+
+- [ ] **Step 1: Update TODO.md with active work item**
+- [ ] **Step 2: Keep TODO.md current as tasks complete**
+
+### Task 2: Write failing tests for Anthropic OAuth removal
+
+**Files:**
+
+- Modify: `src/llm-api/providers-resolve.test.ts`
+- Modify: `src/llm-api/model-info.test.ts`
+- Create: `src/session/oauth/auth-storage.test.ts`
+
+- [ ] **Step 1: Add a test asserting OAuth providers list only OpenAI**
+- [ ] **Step 2: Add tests asserting Anthropic discovery requires `ANTHROPIC_API_KEY`**
+- [ ] **Step 3: Run focused tests to verify they fail for the expected reason**
+
+### Task 3: Remove Anthropic OAuth registration and discovery usage
+
+**Files:**
+
+- Delete: `src/session/oauth/anthropic.ts`
+- Modify: `src/session/oauth/auth-storage.ts`
+- Modify: `src/llm-api/providers.ts`
+- Modify: `src/llm-api/model-info.ts`
+- Modify: `src/llm-api/model-info-fetch.ts`
+
+- [ ] **Step 1: Remove the Anthropic OAuth provider from auth storage**
+- [ ] **Step 2: Remove Anthropic OAuth-based provider discovery/autodiscovery**
+- [ ] **Step 3: Remove Anthropic OAuth-based model list fetching**
+- [ ] **Step 4: Run the focused tests and make them pass**
+
+### Task 4: Update CLI/docs and finish verification
+
+**Files:**
+
+- Modify: `src/cli/commands-help.ts`
+- Modify: `docs/mini-coder.1.md`
+- Modify: `TODO.md`
+
+- [ ] **Step 1: Remove Anthropic OAuth mentions from help/manpage**
+- [ ] **Step 2: Run formatting if needed**
+- [ ] **Step 3: Run focused tests, then broader verification commands**
+- [ ] **Step 4: Clear the completed TODO item**

package/docs/superpowers/specs/2026-03-30-anthropic-oauth-removal-design.md

@@ -0,0 +1,47 @@
+# Anthropic OAuth Removal Design
+
+## Goal
+
+Remove Claude Code subscription OAuth support from mini-coder while preserving:
+
+- direct Anthropic API key support via `ANTHROPIC_API_KEY`
+- Anthropic-family models served through Opencode Zen (`zen/claude-*`)
+
+## Approved behavior
+
+- `anthropic` is removed completely from the user-facing OAuth surface.
+- `/login anthropic` is no longer supported and behaves like any unknown provider.
+- `/logout anthropic` is no longer documented or advertised as a supported path.
+- Existing saved Anthropic OAuth rows in SQLite are ignored; no migration or cleanup is required.
+- Anthropic remains available through `ANTHROPIC_API_KEY`.
+- Zen-backed Claude models remain available and unchanged.
+
+## Approach
+
+Use a narrow OAuth-only removal:
+
+1. Remove the Anthropic OAuth provider module and provider registration.
+2. Stop consulting Anthropic OAuth state during provider discovery and model-info refresh visibility.
+3. Keep direct Anthropic provider resolution via `ANTHROPIC_API_KEY`.
+4. Keep Anthropic-family request handling and Zen backend routing unchanged.
+5. Update tests and docs to match the new OAuth surface.
+
+## Files in scope
+
+- `src/session/oauth/anthropic.ts` — delete
+- `src/session/oauth/auth-storage.ts` — unregister Anthropic OAuth
+- `src/llm-api/providers.ts` — stop treating Anthropic OAuth as connected
+- `src/llm-api/model-info.ts` — stop treating Anthropic OAuth as a refresh/visibility source
+- `src/llm-api/model-info-fetch.ts` — stop fetching Anthropic models via OAuth tokens
+- `src/cli/commands-help.ts` — remove Anthropic OAuth example text
+- `docs/mini-coder.1.md` — document OpenAI-only OAuth support
+- tests around provider discovery/model info — update to be deterministic and Anthropic-OAuth-free
+
+## Risks and mitigations
+
+- Risk: accidentally breaking direct Anthropic API-key support.
+  - Mitigation: keep direct provider resolver and add/update tests that verify `ANTHROPIC_API_KEY` still wins.
+- Risk: accidentally breaking Zen Claude behavior.
+  - Mitigation: avoid touching Anthropic-family routing/caching code used for Zen.
+- Risk: stale Anthropic OAuth tokens still affecting behavior.
+  - Mitigation: remove all Anthropic OAuth checks from discovery and model fetching paths.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mini-coder",
-  "version": "0.3.0",
+  "version": "0.4.0",
   "description": "A small, fast CLI coding agent",
   "module": "src/index.ts",
   "type": "module",