mini-coder 0.4.1 → 0.5.0

package/docs/KNOWN_ISSUES.md

@@ -1,13 +0,0 @@
-# KNOWN ISSUES
-
-## Bugs
-
-- AI SDK expands `claude-3-5-haiku` → dated variant that Zen doesn't serve (404).
-- Shell tool: model can `tmux kill-session` the host tmux session if names collide (e.g. audit skill creates session named "audit" matching the user's). Not a code bug — the skill/model just picks a conflicting name. Mitigate via skill wording or session name prefixing.
-- Shell tool output truncation only stops reading stdout/stderr; it does not terminate the underlying process yet. Commands that emit a lot of output and then keep running can still block until they exit or hit timeout.
-
-## Features
-
-- Conversation summary on max context instead of just an error with `/new` suggestion.
-
-## Refactors

package/docs/design-decisions.md

@@ -1,31 +0,0 @@
-# Design Decisions
-
-Documenting why mini-coder makes certain architectural choices — especially where we intentionally diverge from common patterns.
-
-## Why no tool-call permissions?
-
-**Decision:** No approval prompts, no blacklists, no whitelists. Every tool call executes immediately.
-
-Our inspirations (Claude Code, OpenCode) require user approval for tool calls — shell commands, file writes, etc. We intentionally skip this.
-
-### Permission systems provide a false sense of security
-
-- **Shell bypasses everything.** An LLM with shell access can `curl`, `eval`, pipe through `bash`, encode payloads, or chain commands in ways no static blacklist can anticipate. Any permission scheme that allows shell but blocks specific patterns is playing whack-a-mole.
-- **Blacklists and whitelists always have gaps.** Block `rm -rf /`? The model uses `find -delete`. Block `git push --force`? It uses `git push origin +main`. The surface area is unbounded.
-- **Approval fatigue degrades security.** After the 20th "Allow shell command?" prompt, users auto-approve everything. The permission system trains the user to click "yes" reflexively — the opposite of its intent.
-
-### Permissions are cumbersome
-
-A coding agent runs dozens of shell commands per task. Requiring approval for each one destroys the flow that makes a CLI agent useful. The whole point of mini-coder is: small, fast, stays out of the way.
-
-### Isolation is a separate concern
-
-Sandboxing is a real need, but it belongs at the OS/container level — not inside the agent. Tools like [Anthropic Sandbox Runtime (`srt`)](https://github.com/anthropic-experimental/sandbox-runtime) and [nono](https://nono.sh/) provide proper filesystem and network isolation that the LLM cannot circumvent. This is defense in depth done right: the agent runs unrestricted inside a sandbox that enforces actual boundaries.
-
-### Our approach
-
-- The system prompt includes safety rules (no secrets, confirm destructive actions, no unauthorized reverts).
-- The user can interrupt at any time with ESC (preserve context) or Ctrl+C (hard exit).
-- For real isolation, run mini-coder inside a sandboxed environment.
-
-**Summary:** Permission dialogs give the appearance of safety without the substance. Real security comes from sandboxing the environment, not gatekeeping individual tool calls. Mini-coder codes — isolating it is a job for the right tool.

package/docs/mini-coder.1.md

@@ -1,227 +0,0 @@
-# MINI-CODER(1)
-
-## NAME
-
-**mini-coder** — a small, fast CLI coding agent (executable: `mc`)
-
-## SYNOPSIS
-
-`mc` \[_options_\] \[_prompt_\]
-
-## DESCRIPTION
-
-Developer-focused CLI coding agent. Prioritizes dev flow — no slow startup, no GUI, no vendor lock-in. Uses 16 ANSI colors to inherit terminal theme. Built on Bun.js.
-
-## OPTIONS
-
-`-m`, `--model` _id_
-: Model to use (e.g. `zen/claude-sonnet-4-6`).
-
-`-c`, `--continue`
-: Continue most recent session.
-
-`-r`, `--resume` _id_
-: Resume a specific session.
-
-`-l`, `--list`
-: List recent sessions.
-
-`--cwd` _path_
-: Set working directory.
-
-`-h`, `--help`
-: Display help.
-
-_prompt_
-: Optional one-shot prompt. Runs once then exits.
-
-## INTERACTIVE COMMANDS
-
-`/model`
-: List all available models.
-
-`/models`
-: Alias for `/model`.
-
-`/model` _id_
-: Switch model.
-
-`/models` _id_
-: Alias for `/model` _id_.
-
-`/model effort` _low|medium|high|xhigh|off_
-: Set reasoning effort.
-
-`/session` \[_id_\]
-: List sessions or switch to one.
-
-`/new`
-: Start a fresh session.
-
-`/undo`
-: Remove last turn (does NOT revert filesystem).
-
-`/reasoning` \[_on|off_\]
-: Toggle reasoning display.
-
-`/verbose` \[_on|off_\]
-: Toggle output truncation.
-
-`/mcp list`
-: List MCP servers.
-
-`/mcp add` _name_ `http` _url_
-: Add HTTP MCP server.
-
-`/mcp add` _name_ `stdio` _cmd_ \[_args..._\]
-: Add stdio MCP server.
-
-`/mcp remove` _name_
-: Remove MCP server.
-
-`/login`
-: Show OAuth login status.
-
-`/login` _provider_
-: Login via OAuth (opens browser for device flow). Currently supports `openai`.
-
-`/logout` _provider_
-: Clear saved OAuth tokens.
-
-`/help`
-: Command help.
-
-`/exit`, `/quit`, `/q`
-: Leave session.
-
-## INLINE FEATURES
-
-`!` prefix
-: Runs shell commands inline — output is sent to the LLM as a user message.
-
-`@` prefix
-: Embeds a file into the prompt (Tab to complete file paths).
-
-`/` prefix
-: Reference a skill in the prompt (Tab to complete skill names).
-
-## KEYS
-
-`ESC`
-: Interrupt the assistant response — partial output is preserved in history.
-
-`Ctrl+C`
-: Exit forcefully.
-
-`Ctrl+D`
-: Graceful exit (EOF).
-
-`↑` / `↓`
-: Navigate command history.
-
-`Ctrl+R`
-: Search command history.
-
-## BUILT-IN TOOLS
-
-**shell**
-: Execute bash commands; repo inspection and `mc-edit` edits happen here.
-
-**listSkills**
-: List discovered skills (metadata only).
-
-**readSkill**
-: Load one SKILL.md on demand.
-
-**webSearch**
-: Search the web (requires `EXA_API_KEY`).
-
-**webContent**
-: Fetch page content (requires `EXA_API_KEY`).
-
-MCP tools are connected dynamically from configured MCP servers.
-
-## FILE EDITING — mc-edit
-
-`mc-edit` is the helper for targeted file edits, invoked from **shell**.
-
-```
-mc-edit <path> (--old <text> | --old-file <path>) [--new <text> | --new-file <path>] [--cwd <path>]
-```
-
-- Applies one exact-text edit to an existing file.
-- The old text must match exactly once.
-- Omit `--new`/`--new-file` to delete the matched text.
-- Success: prints unified diff + metadata (`ok`, `path`, `changed`).
-- No-op: prints `(no changes)` + metadata.
-- Errors go to stderr.
-
-Workflow: inspect with **shell** → edit with **mc-edit** → verify with **shell**.
-
-## SKILLS
-
-Skills are reusable instruction files at `.agents/skills/<name>/SKILL.md`.
-
-`.claude/skills/<name>/SKILL.md` is also supported.
-
-**Frontmatter (both required):**
-
-`name`
-: Lowercase alphanumeric + hyphens, 1–64 chars.
-
-`description`
-: Help text.
-
-Skills are auto discovered. To load explicitly:
-
-- `/skill-name` in prompts (injects body as a user message).
-- **listSkills** / **readSkill** tools at runtime.
-
-Local discovery walks up from cwd to the git worktree root.
-
-## CONFIGURATION
-
-Config roots: `.agents/`, `.claude/` — local (repo) or global (`~/`).
-
-**Context files** (global files first, then the nearest local directory with context files):
-
-- Global files concatenate in this order: `~/.agents/AGENTS.md` → `~/.agents/CLAUDE.md` → `~/.claude/CLAUDE.md`
-- Local files concatenate in this order within the nearest matching directory (the same nearest-directory precedence applies to both `AGENTS.md` and `CLAUDE.md`): `./.agents/AGENTS.md` → `./.agents/CLAUDE.md` → `./.claude/CLAUDE.md` → `./CLAUDE.md` → `./AGENTS.md`
-
-**Precedence:**
-
-1. Local context is loaded from the nearest directory between cwd and the git root.
-2. Within one scope, matching files are concatenated in the order above.
-3. Global context appears before local context in the system prompt.
-4. Skills: nearest ancestor directory wins.
-
-## ENVIRONMENT
-
-`OPENCODE_API_KEY`
-: OpenCode Zen (recommended).
-
-`ANTHROPIC_API_KEY`
-: Direct Anthropic.
-
-`OPENAI_API_KEY`
-: Direct OpenAI.
-
-`GOOGLE_API_KEY` / `GEMINI_API_KEY`
-: Direct Gemini.
-
-`OLLAMA_BASE_URL`
-: Ollama local (defaults to `http://localhost:11434`).
-
-`EXA_API_KEY`
-: Enables **webSearch** / **webContent**.
-
-## FILES
-
-`~/.config/mini-coder/`
-: App data directory (sessions.db, with tables for error and other logs).
-
-`.agents/` or `.claude/`
-: Config directories for skills and context files.
-
-`AGENTS.md` / `CLAUDE.md`
-: Project context files.

package/docs/superpowers/plans/2026-03-30-anthropic-oauth-removal.md

@@ -1,61 +0,0 @@
-# Anthropic OAuth Removal Implementation Plan
-
-> **For agentic workers:** REQUIRED SUB-SKILL: Use superpowers:subagent-driven-development (recommended) or superpowers:executing-plans to implement this plan task-by-task. Steps use checkbox (`- [ ]`) syntax for tracking.
-
-**Goal:** Remove Claude Code subscription OAuth support without affecting Anthropic API-key access or Zen Claude models.
-
-**Architecture:** Delete the Anthropic OAuth provider registration and stop consulting Anthropic OAuth state in discovery/model-info paths. Preserve all direct `ANTHROPIC_API_KEY` behavior and Anthropic-family handling needed by Zen and direct API use.
-
-**Tech Stack:** Bun, TypeScript, bun:test, SQLite-backed auth storage, AI SDK providers.
-
----
-
-### Task 1: Track the work and lock the user-facing contract
-
-**Files:**
-
-- Modify: `TODO.md`
-- Reference: `docs/superpowers/specs/2026-03-30-anthropic-oauth-removal-design.md`
-
-- [ ] **Step 1: Update TODO.md with active work item**
-- [ ] **Step 2: Keep TODO.md current as tasks complete**
-
-### Task 2: Write failing tests for Anthropic OAuth removal
-
-**Files:**
-
-- Modify: `src/llm-api/providers-resolve.test.ts`
-- Modify: `src/llm-api/model-info.test.ts`
-- Create: `src/session/oauth/auth-storage.test.ts`
-
-- [ ] **Step 1: Add a test asserting OAuth providers list only OpenAI**
-- [ ] **Step 2: Add tests asserting Anthropic discovery requires `ANTHROPIC_API_KEY`**
-- [ ] **Step 3: Run focused tests to verify they fail for the expected reason**
-
-### Task 3: Remove Anthropic OAuth registration and discovery usage
-
-**Files:**
-
-- Delete: `src/session/oauth/anthropic.ts`
-- Modify: `src/session/oauth/auth-storage.ts`
-- Modify: `src/llm-api/providers.ts`
-- Modify: `src/llm-api/model-info.ts`
-- Modify: `src/llm-api/model-info-fetch.ts`
-
-- [ ] **Step 1: Remove the Anthropic OAuth provider from auth storage**
-- [ ] **Step 2: Remove Anthropic OAuth-based provider discovery/autodiscovery**
-- [ ] **Step 3: Remove Anthropic OAuth-based model list fetching**
-- [ ] **Step 4: Run the focused tests and make them pass**
-
-### Task 4: Update CLI/docs and finish verification
-
-**Files:**
-
-- Modify: `src/cli/commands-help.ts`
-- Modify: `docs/mini-coder.1.md`
-- Modify: `TODO.md`
-
-- [ ] **Step 1: Remove Anthropic OAuth mentions from help/manpage**
-- [ ] **Step 2: Run formatting if needed**
-- [ ] **Step 3: Run focused tests, then broader verification commands**
-- [ ] **Step 4: Clear the completed TODO item**

package/docs/superpowers/specs/2026-03-30-anthropic-oauth-removal-design.md

@@ -1,47 +0,0 @@
-# Anthropic OAuth Removal Design
-
-## Goal
-
-Remove Claude Code subscription OAuth support from mini-coder while preserving:
-
-- direct Anthropic API key support via `ANTHROPIC_API_KEY`
-- Anthropic-family models served through Opencode Zen (`zen/claude-*`)
-
-## Approved behavior
-
-- `anthropic` is removed completely from the user-facing OAuth surface.
-- `/login anthropic` is no longer supported and behaves like any unknown provider.
-- `/logout anthropic` is no longer documented or advertised as a supported path.
-- Existing saved Anthropic OAuth rows in SQLite are ignored; no migration or cleanup is required.
-- Anthropic remains available through `ANTHROPIC_API_KEY`.
-- Zen-backed Claude models remain available and unchanged.
-
-## Approach
-
-Use a narrow OAuth-only removal:
-
-1. Remove the Anthropic OAuth provider module and provider registration.
-2. Stop consulting Anthropic OAuth state during provider discovery and model-info refresh visibility.
-3. Keep direct Anthropic provider resolution via `ANTHROPIC_API_KEY`.
-4. Keep Anthropic-family request handling and Zen backend routing unchanged.
-5. Update tests and docs to match the new OAuth surface.
-
-## Files in scope
-
-- `src/session/oauth/anthropic.ts` — delete
-- `src/session/oauth/auth-storage.ts` — unregister Anthropic OAuth
-- `src/llm-api/providers.ts` — stop treating Anthropic OAuth as connected
-- `src/llm-api/model-info.ts` — stop treating Anthropic OAuth as a refresh/visibility source
-- `src/llm-api/model-info-fetch.ts` — stop fetching Anthropic models via OAuth tokens
-- `src/cli/commands-help.ts` — remove Anthropic OAuth example text
-- `docs/mini-coder.1.md` — document OpenAI-only OAuth support
-- tests around provider discovery/model info — update to be deterministic and Anthropic-OAuth-free
-
-## Risks and mitigations
-
-- Risk: accidentally breaking direct Anthropic API-key support.
-  - Mitigation: keep direct provider resolver and add/update tests that verify `ANTHROPIC_API_KEY` still wins.
-- Risk: accidentally breaking Zen Claude behavior.
-  - Mitigation: avoid touching Anthropic-family routing/caching code used for Zen.
-- Risk: stale Anthropic OAuth tokens still affecting behavior.
-  - Mitigation: remove all Anthropic OAuth checks from discovery and model fetching paths.

package/lefthook.yml

@@ -1,4 +0,0 @@
-pre-commit:
-  commands:
-    check:
-      run: bun run check