myshell-tools 2.15.0 → 3.2.0

package/dist/interface/menu.js

@@ -19,17 +19,19 @@ import readline from 'node:readline';
 import { execa } from 'execa';
 import { saveConfig } from '../infra/config.js';
 import { readLedger } from '../infra/ledger.js';
-import { summarizeSpend, formatUsd } from '../infra/insights.js';
+import { summarizeSpend, formatTokens } from '../infra/insights.js';
 import { detectEnvironment, getInstallCommand } from '../providers/detect.js';
 import { installProvider, installCommandFor } from '../providers/install.js';
 import { listNativeSessions, importNativeSession } from '../providers/native-sessions.js';
 import { DEFAULT_POLICY, POLICY_PRESETS } from '../core/policy.js';
+import { planNativeSession } from '../core/native-session.js';
 import { runTask } from './run.js';
 import { runLogin } from '../commands/login.js';
 import { runDoctor } from '../commands/doctor.js';
 import { runCost } from '../commands/cost.js';
 import { runInstall } from '../commands/install.js';
 import { box, separator, menu, prompt } from '../ui/tui.js';
+import { loadClaudeTokenCapturedAt, claudeTokenStatus } from '../infra/credentials.js';
 // ---------------------------------------------------------------------------
 // Pure helpers — exported for unit tests
 // ---------------------------------------------------------------------------
@@ -130,6 +132,53 @@ export function relativeTime(thenMs, nowMs) {
     const days = Math.floor(diffMs / (24 * 60 * 60 * 1000));
     return `${days}d ago`;
 }
+/**
+ * Build the short version-status suffix shown next to the version number in the
+ * header title — so the user always knows, at a glance, whether they are current.
+ *
+ * Pure — no I/O. Returns a leading-space string ready to append to the title:
+ *   - update available + known latest → ` → 3.1.0 available`
+ *   - up to date (latest known, no update) → ` (latest)`
+ *   - check failed / offline (latest unknown) → `` (claim nothing)
+ *
+ * @param updateInfo - Result of the update check, or undefined when not run.
+ */
+export function versionStatusLabel(updateInfo) {
+    if (updateInfo === undefined)
+        return '';
+    if (updateInfo.updateAvailable && updateInfo.latest !== null) {
+        return ` → ${updateInfo.latest} available`;
+    }
+    if (updateInfo.latest !== null)
+        return ' (latest)';
+    return '';
+}
+/**
+ * Detect whether myshell-tools is running via `npx` rather than a global install.
+ *
+ * Pure — takes the running script path (process.argv[1]) and the environment.
+ * npx executes packages from a cache directory containing a `_npx` segment
+ * (e.g. ~/.npm/_npx/<hash>/node_modules/myshell-tools/dist/cli.js), so the
+ * presence of that segment in the script path is the reliable signal. Handles
+ * both POSIX and Windows separators. Never throws.
+ *
+ * Why it matters: self-update runs `npm install -g`, which an npx invocation
+ * will ignore on the next run (npx re-serves its own cache). So under npx we
+ * skip silent auto-update and instead tell the user to install globally.
+ *
+ * @param scriptPath - The running script path (typically process.argv[1]).
+ * @param env        - Environment to read npm_* hints from.
+ */
+export function isRunningUnderNpx(scriptPath, env) {
+    if (scriptPath !== undefined && (scriptPath.includes('/_npx/') || scriptPath.includes('\\_npx\\'))) {
+        return true;
+    }
+    const execpath = env['npm_execpath'];
+    if (execpath !== undefined && (execpath.includes('/_npx/') || execpath.includes('\\_npx\\'))) {
+        return true;
+    }
+    return false;
+}
 /**
  * Build the header box lines (provider status) from real EnvironmentStatus.
  * Returns string[] safe to pass as the `lines` arg to box().
@@ -139,8 +188,12 @@ export function relativeTime(thenMs, nowMs) {
  *   ⚠️  when ps.installed && !ps.authenticated  (append " not signed in")
  *   ❌  when !ps.installed                       (append install command)
  * Plan label appended when ps.plan is non-null (e.g. " (Max x5)").
+ *
+ * @param claudeToken - Optional pre-computed token lifetime status. When the token
+ *   is near expiry or expired, ONE concise warning line is appended. Computed by
+ *   the caller (startMenu) so this function stays pure and I/O-free.
  */
-export function renderHeaderLines(env, _version) {
+export function renderHeaderLines(env, _version, claudeToken) {
     const lines = [];
     for (const ps of [env.claude, env.codex]) {
         const planSuffix = ps.plan != null ? ` (${ps.plan})` : '';
@@ -160,30 +213,46 @@ export function renderHeaderLines(env, _version) {
         const ps = env.opencode;
         const planSuffix = ps.plan != null ? ` (${ps.plan})` : '';
         if (ps.authenticated) {
-            lines.push(`✅ ${ps.id}: ready${planSuffix}`);
+            // Be explicit that "ready" is based on free models, not a credential probe.
+            lines.push(`✅ ${ps.id}: ready (free models)${planSuffix}`);
         }
         else {
             lines.push(`⚠️  ${ps.id}: not signed in${planSuffix}`);
         }
     }
+    // Token expiry warning — only when near-expiry or expired (not on every launch).
+    if (claudeToken != null && (claudeToken.expired || claudeToken.nearExpiry)) {
+        if (claudeToken.expired) {
+            lines.push(`⚠️  claude token EXPIRED — run: myshell-tools login claude --code`);
+        }
+        else {
+            lines.push(`⚠️  claude token expires in ${claudeToken.daysLeft} days — run: myshell-tools login claude --code`);
+        }
+    }
     return lines;
 }
 /**
- * Render the budget/spend status line shown beneath the provider header.
+ * Render the activity status line shown beneath the provider header.
  *
- * Uses real numbers only — all values come from the SpendSummary which is
- * derived from `readLedger`. No digit-% literals appear in this function; it
- * shows dollar amounts only.
+ * This is a SUBSCRIPTION tool, not an API-key tool — per-token dollar figures
+ * don't map to flat subscription billing and read as misleading bloat, so the
+ * always-on line shows REAL, measured signals only: task count and tokens. The
+ * estimated-dollar view lives on-demand in `myshell-tools cost`, clearly
+ * captioned there as an API-equivalent (not your actual bill).
+ *
+ * Uses real numbers only — all values come from the SpendSummary derived from
+ * `readLedger`. No digit-% literals appear here.
  *
  * @param spend - Output of summarizeSpend() over real ledger entries.
  * @param color - When false, no ANSI escape codes are emitted.
  */
 export function renderBudgetLine(spend, _color) {
     if (spend.calls === 0) {
-        return 'Today: ' + formatUsd(0) + ' · no runs yet';
+        return 'No runs yet — press n to start';
     }
-    const todayPart = 'Today: ' + formatUsd(spend.todayUsd) + ' · ' + String(spend.calls) + ' calls';
-    const totalPart = 'Total: ' + formatUsd(spend.totalUsd);
+    const taskWord = spend.calls === 1 ? 'task' : 'tasks';
+    const todayPart = 'Today: ' + String(spend.calls) + ' ' + taskWord + ' · ' + formatTokens(spend.todayTokens) + ' tokens';
+    const totalPart = formatTokens(spend.totalTokens) + ' tokens all-time';
     return todayPart + '   ·   ' + totalPart;
 }
 /**
@@ -313,6 +382,8 @@ async function runWelcome(ctx, out, readLine, mutableConfig, installProviderFn,
     let env = ctx.env;
     const headerLines = renderHeaderLines(env, ctx.version);
     out.write('\n' + box(`🧠 myshell-tools v${ctx.version} — Setup`, headerLines) + '\n\n');
+    // ---- Orientation header --------------------------------------------------
+    out.write('Quick setup — a few questions, ~30 seconds. Press Enter to accept the [Capitalized] default.\n\n');
     // ---- Offer to install any missing provider (claude / codex) --------------
     // Consent is required: we ask once per missing provider.
     // Display: (Y/n) — default YES, so Enter installs; explicit n skips.
@@ -369,14 +440,12 @@ async function runWelcome(ctx, out, readLine, mutableConfig, installProviderFn,
             await loginFn(out, id, { readLine });
         }
     }
-    // ---- Mode / default-shell options ----------------------------------------
-    out.write('\n');
-    out.write('  [c]     Customize mode\n');
-    out.write('  [Enter] Continue\n\n');
-    out.write('> ');
-    const key = await readLine();
+    // ---- Mode selection — single collapsed prompt ----------------------------
+    // Accepts 1/2/3 directly; Enter (or empty) keeps current default (balanced).
+    out.write('\nMode — [1] cost-saver  [2] balanced (default)  [3] quality-first  (Enter = balanced): ');
+    const modeKey = await readLine();
     // EOF during setup — save bare onboarded config and return
-    if (key === null) {
+    if (modeKey === null) {
         const saved = {
             onboarded: true,
             setAsDefault: false,
@@ -385,11 +454,19 @@ async function runWelcome(ctx, out, readLine, mutableConfig, installProviderFn,
         await saveConfig(saved);
         return saved;
     }
-    let updated = mutableConfig;
-    if (key === 'c') {
-        updated = await runModeSelect(updated, out, readLine);
-    }
-    // [Enter] or anything else → fall through to save & go
+    let newMode = mutableConfig.mode;
+    if (modeKey === '1')
+        newMode = 'cost-saver';
+    else if (modeKey === '2')
+        newMode = 'balanced';
+    else if (modeKey === '3')
+        newMode = 'quality-first';
+    // Enter/empty/anything else → keep current (balanced default)
+    const updated = {
+        onboarded: mutableConfig.onboarded,
+        setAsDefault: mutableConfig.setAsDefault,
+        ...(newMode !== undefined ? { mode: newMode } : {}),
+    };
     // Default is NO for set-as-default — require explicit 'y' to enable.
     out.write('Set myshell-tools as your default shell tool? (y/N) ');
     const defaultAns = await readLine();
@@ -440,6 +517,9 @@ async function runModeSelect(config, out, readLine) {
         onboarded: config.onboarded,
         setAsDefault: config.setAsDefault,
         ...(newMode !== undefined ? { mode: newMode } : {}),
+        // Preserve other prefs so changing mode doesn't silently reset them.
+        ...(config.autoUpdate === false ? { autoUpdate: false } : {}),
+        ...(config.nativeSessions === true ? { nativeSessions: true } : {}),
     };
     await saveConfig(updated);
     out.write(`Mode set to: ${newMode ?? 'balanced'}\n`);
@@ -460,6 +540,9 @@ async function toggleDefaultShell(config, out) {
         onboarded: config.onboarded,
         setAsDefault,
         ...(config.mode !== undefined ? { mode: config.mode } : {}),
+        // Preserve other prefs so toggling default-shell doesn't silently reset them.
+        ...(config.autoUpdate === false ? { autoUpdate: false } : {}),
+        ...(config.nativeSessions === true ? { nativeSessions: true } : {}),
     };
     await saveConfig(updated);
     return updated;
@@ -471,6 +554,7 @@ async function runSettings(_ctx, mutableCtx, out, readLine) {
         `  [1] Mode: ${cfg.mode ?? 'balanced'}`,
         `  [2] Set as default shell: ${cfg.setAsDefault ? 'on' : 'off'}`,
         `  [3] Auto-update: ${cfg.autoUpdate !== false ? 'on' : 'off'}`,
+        `  [4] Native sessions (experimental): ${cfg.nativeSessions === true ? 'on' : 'off'}`,
         '',
         '  [Enter] Back',
         '',
@@ -490,6 +574,9 @@ async function runSettings(_ctx, mutableCtx, out, readLine) {
     else if (key === '3') {
         mutableCtx.config = await toggleAutoUpdate(mutableCtx.config, out);
     }
+    else if (key === '4') {
+        mutableCtx.config = await toggleNativeSessions(mutableCtx.config, out);
+    }
     // anything else → back
 }
 /**
@@ -509,11 +596,34 @@ async function toggleAutoUpdate(config, out) {
         setAsDefault: config.setAsDefault,
         ...(config.mode !== undefined ? { mode: config.mode } : {}),
         ...(!enable ? { autoUpdate: false } : {}),
+        ...(config.nativeSessions === true ? { nativeSessions: true } : {}),
     };
     await saveConfig(updated);
     out.write(`Auto-update: ${enable ? 'on' : 'off'}\n`);
     return updated;
 }
+/**
+ * Toggle the EXPERIMENTAL native-session preference and persist it.
+ *
+ * When on, conversations that stay on the same provider reuse that provider's
+ * native session (Claude `--session-id`/`--resume`) instead of replaying a
+ * compacted history block — better context fidelity and less re-sent context.
+ * Default OFF; live behavior should be verified with the gated integration test
+ * (`npm run test:integration`) before relying on it.
+ */
+async function toggleNativeSessions(config, out) {
+    const enable = config.nativeSessions !== true;
+    const updated = {
+        onboarded: config.onboarded,
+        setAsDefault: config.setAsDefault,
+        ...(config.mode !== undefined ? { mode: config.mode } : {}),
+        ...(config.autoUpdate === false ? { autoUpdate: false } : {}),
+        ...(enable ? { nativeSessions: true } : {}),
+    };
+    await saveConfig(updated);
+    out.write(`Native sessions (experimental): ${enable ? 'on' : 'off'}\n`);
+    return updated;
+}
 // ---------------------------------------------------------------------------
 // Manage conversations screen
 // ---------------------------------------------------------------------------
@@ -596,9 +706,9 @@ async function runManage(ctx, out, readLine) {
         if (!Number.isNaN(num) && num >= 1 && num <= metas.length) {
             const conv = metas[num - 1];
             if (conv !== undefined) {
-                out.write(`Delete "${conv.title}"? (y/n) `);
+                out.write(`Delete "${conv.title}"? (y/N) `);
                 const confirmAns = await readLine();
-                if ((confirmAns ?? '').toLowerCase() === 'y') {
+                if (parseYesNo(confirmAns, false)) {
                     await ctx.store.remove(conv.id);
                     out.write('Deleted.\n');
                 }
@@ -806,9 +916,10 @@ async function runChatLoop(ctx, mutableCtx, convId, out, readLine, loginFn, dete
     // can drive time with a fake clock.
     const interruptTimes = [];
     const INTERRUPT_WINDOW_MS = 1_500;
-    // The 'exit' signal is communicated from the SIGINT handler to the main
-    // loop via this flag (the handler can't break the outer while directly).
+    // The 'exit' and 'menu' signals are communicated from the SIGINT handler to
+    // the main loop via these flags (the handler can't break the outer while directly).
     let shouldExit = false;
+    let shouldMenu = false;
     // Handle Ctrl+C with the press-counting model.
     const sigintHandler = () => {
         const now = ctx.clock.now();
@@ -829,13 +940,10 @@ async function runChatLoop(ctx, mutableCtx, convId, out, readLine, loginFn, dete
                 currentAc.abort();
                 currentAc = null;
             }
-            // Signal the main loop; the loop checks this flag after each await.
-            shouldExit = false;
-            // We can't directly break the loop from an event handler, so we set a
-            // flag and resolve any pending readLine by closing (the loop checks the
-            // flag). In practice the loop is either awaiting readLine() or runTask().
-            // For the readLine case the user typed nothing yet — we need to interrupt
-            // that await. We use a shared resolver pattern: see loopBreaker below.
+            // Set shouldMenu so the loop returns 'menu' after any running task settles.
+            shouldMenu = true;
+            // For the readLine case (idle prompt) we can interrupt the await immediately
+            // via the loopBreaker resolver.
             loopBreaker?.('menu');
         }
         else {
@@ -855,7 +963,7 @@ async function runChatLoop(ctx, mutableCtx, convId, out, readLine, loginFn, dete
     let loopResult = 'menu';
     try {
         while (true) {
-            out.write('myshell-tools> ');
+            out.write('> ');
             // Race readLine() against a loopBreak signal from the SIGINT handler.
             // When Ctrl+C fires (to-menu or exit-app), loopBreaker is called with the
             // desired result, which wins the race and breaks the loop.
@@ -890,58 +998,89 @@ async function runChatLoop(ctx, mutableCtx, convId, out, readLine, loginFn, dete
             const policy = mutableCtx.config.mode !== undefined
                 ? POLICY_PRESETS[mutableCtx.config.mode]
                 : DEFAULT_POLICY;
+            // ---- Bug 4 fix: no-provider gate ----------------------------------------
+            // Check whether any provider is actually authenticated before dispatching a
+            // task that is doomed to fail.  opencode counts as authenticated-when-installed.
+            const hasAuthenticatedProvider = mutableCtx.env.claude.authenticated ||
+                mutableCtx.env.codex.authenticated ||
+                mutableCtx.env.opencode.authenticated ||
+                mutableCtx.env.opencode.installed;
+            if (!hasAuthenticatedProvider) {
+                out.write('\n[info] No signed-in provider yet — press Ctrl+C to go back, then [j] Claude / [k] Codex / [o] opencode to sign in.\n');
+                continue;
+            }
             // Load prior history before each turn so the provider receives conversation
             // context. load() returns only the entries persisted so far — the current
             // user turn is appended by orchestrate() after this point, so there is no
             // double-inclusion risk.
             const priorHistory = await ctx.store.load(convId);
-            // Build per-provider advertised model sets from the live env so route()
-            // can prefer a model the CLI actually advertises. Only include installed
-            // providers (exactOptionalPropertyTypes is ON).
-            // Use mutableCtx.env (not ctx.env) so post-login re-detect is reflected.
-            const menuAvailableModels = {};
-            if (mutableCtx.env.claude.installed && mutableCtx.env.claude.availableModels.length > 0) {
-                menuAvailableModels['claude'] = mutableCtx.env.claude.availableModels;
-            }
-            if (mutableCtx.env.codex.installed && mutableCtx.env.codex.availableModels.length > 0) {
-                menuAvailableModels['codex'] = mutableCtx.env.codex.availableModels;
-            }
-            if (mutableCtx.env.opencode.installed && mutableCtx.env.opencode.availableModels.length > 0) {
-                menuAvailableModels['opencode'] = mutableCtx.env.opencode.availableModels;
-            }
-            // Collect authenticated providers from the live env so route() prefers
-            // signed-in providers over signed-out ones. Uses mutableCtx.env so
-            // post-login re-detection is reflected without restart.
-            const menuAuthenticatedProviders = [];
-            if (mutableCtx.env.claude.authenticated)
-                menuAuthenticatedProviders.push('claude');
-            if (mutableCtx.env.codex.authenticated)
-                menuAuthenticatedProviders.push('codex');
-            if (mutableCtx.env.opencode.authenticated)
-                menuAuthenticatedProviders.push('opencode');
-            const deps = {
-                clock: ctx.clock,
-                session: ctx.store.writer(convId),
-                ledger: ctx.ledger,
-                policy,
-                providers: ctx.providers,
-                cwd: ctx.cwd,
-                sandbox: ctx.sandbox,
-                timeoutMs: ctx.timeoutMs,
-                ...(priorHistory.length > 0 ? { history: priorHistory } : {}),
-                ...(Object.keys(menuAvailableModels).length > 0 ? { availableModels: menuAvailableModels } : {}),
-                ...(menuAuthenticatedProviders.length > 0 ? { authenticatedProviders: menuAuthenticatedProviders } : {}),
+            // ---- Build deps from the live mutableCtx.env ----------------------------
+            // This helper is inlined as a function so it can be called again after
+            // inline re-login with the refreshed env (bug 5 fix: no stale auth state).
+            const buildDeps = () => {
+                // Build per-provider advertised model sets from the live env so route()
+                // can prefer a model the CLI actually advertises. Only include installed
+                // providers (exactOptionalPropertyTypes is ON).
+                // Use mutableCtx.env (not ctx.env) so post-login re-detect is reflected.
+                const availableModels = {};
+                if (mutableCtx.env.claude.installed && mutableCtx.env.claude.availableModels.length > 0) {
+                    availableModels['claude'] = mutableCtx.env.claude.availableModels;
+                }
+                if (mutableCtx.env.codex.installed && mutableCtx.env.codex.availableModels.length > 0) {
+                    availableModels['codex'] = mutableCtx.env.codex.availableModels;
+                }
+                if (mutableCtx.env.opencode.installed && mutableCtx.env.opencode.availableModels.length > 0) {
+                    availableModels['opencode'] = mutableCtx.env.opencode.availableModels;
+                }
+                // Collect authenticated providers from the live env so route() prefers
+                // signed-in providers over signed-out ones. Uses mutableCtx.env so
+                // post-login re-detection is reflected without restart.
+                const authenticatedProviders = [];
+                if (mutableCtx.env.claude.authenticated)
+                    authenticatedProviders.push('claude');
+                if (mutableCtx.env.codex.authenticated)
+                    authenticatedProviders.push('codex');
+                if (mutableCtx.env.opencode.authenticated)
+                    authenticatedProviders.push('opencode');
+                // EXPERIMENTAL native session plan (opt-in via config.nativeSessions).
+                // Pure decision; null when disabled. When present, orchestrate uses the
+                // provider's native session for matching tiers instead of replaying history.
+                const nativeSession = planNativeSession({
+                    enabled: mutableCtx.config.nativeSessions === true,
+                    conversationId: convId,
+                    history: priorHistory,
+                });
+                // planNativeSession returns [] when disabled / no conversation id.
+                return {
+                    clock: ctx.clock,
+                    session: ctx.store.writer(convId),
+                    ledger: ctx.ledger,
+                    policy,
+                    providers: ctx.providers,
+                    cwd: ctx.cwd,
+                    sandbox: ctx.sandbox,
+                    timeoutMs: ctx.timeoutMs,
+                    ...(priorHistory.length > 0 ? { history: priorHistory } : {}),
+                    ...(Object.keys(availableModels).length > 0 ? { availableModels } : {}),
+                    ...(authenticatedProviders.length > 0 ? { authenticatedProviders } : {}),
+                    ...(nativeSession.length > 0 ? { nativeSession } : {}),
+                };
             };
+            const deps = buildDeps();
             const ac = new AbortController();
             currentAc = ac;
             const result = await runTask(line, deps, out, ac.signal);
             currentAc = null;
-            // Check for a loopBreaker signal that fired during the task (e.g. 3×Ctrl+C
-            // while runTask was awaited — the abort fires and the flag is set).
+            // Check for SIGINT-driven signals that fired while runTask was awaited.
             if (shouldExit) {
                 loopResult = 'exit';
                 break;
             }
+            // Bug 3 fix: shouldMenu may have been set by a 2×Ctrl+C during the task.
+            if (shouldMenu) {
+                loopResult = 'menu';
+                break;
+            }
             // Inline re-login on auth failure: offer to sign in and retry once.
             if (result.final !== undefined &&
                 !result.final.success &&
@@ -953,16 +1092,23 @@ async function runChatLoop(ctx, mutableCtx, convId, out, readLine, loginFn, dete
                 const ans = await readLine();
                 if (parseYesNo(ans, true)) {
                     await loginFn(out, failingProvider, { readLine });
+                    // Bug 5 fix: re-detect with the freshly-authenticated env so the retry
+                    // deps reflect the now-signed-in provider (not the stale pre-login state).
                     mutableCtx.env = await detectEnvironmentFn();
+                    const retryDeps = buildDeps();
                     // Retry the same task once.
                     const retryAc = new AbortController();
                     currentAc = retryAc;
-                    const retryResult = await runTask(line, deps, out, retryAc.signal);
+                    const retryResult = await runTask(line, retryDeps, out, retryAc.signal);
                     currentAc = null;
                     if (shouldExit) {
                         loopResult = 'exit';
                         break;
                     }
+                    if (shouldMenu) {
+                        loopResult = 'menu';
+                        break;
+                    }
                     // If still auth failure after retry, inform and continue to prompt.
                     if (retryResult.final !== undefined &&
                         !retryResult.final.success &&
@@ -982,18 +1128,40 @@ async function runChatLoop(ctx, mutableCtx, convId, out, readLine, loginFn, dete
 // ---------------------------------------------------------------------------
 // Main screen render
 // ---------------------------------------------------------------------------
-async function renderMainScreen(ctx, mutableCtx, metas, out, updateInfo) {
+async function renderMainScreen(ctx, mutableCtx, metas, spend, out, updateInfo, claudeTokenInfo, runningUnderNpx = false, healthIssues = []) {
     out.write('\n');
-    // Header box — always box(), 🧠 emoji, real provider data
-    const headerLines = renderHeaderLines(mutableCtx.env, ctx.version);
-    out.write(box(`🧠 myshell-tools v${ctx.version}`, headerLines) + '\n\n');
-    // Update banner — only shown when a newer version is genuinely available
+    // Header box — always box(), 🧠 emoji, real provider data.
+    // Title carries the live version status so the user always knows whether they
+    // are current: "(latest)" when up to date, "→ X.Y.Z available" when not.
+    const headerLines = renderHeaderLines(mutableCtx.env, ctx.version, claudeTokenInfo ?? undefined);
+    const versionLabel = versionStatusLabel(updateInfo);
+    out.write(box(`🧠 myshell-tools v${ctx.version}${versionLabel}`, headerLines) + '\n\n');
+    // Update banner — only shown when a newer version is genuinely available.
     if (updateInfo?.updateAvailable === true && updateInfo.latest !== null) {
-        out.write(`  ▲ Update available: ${updateInfo.current} → ${updateInfo.latest}  (press u)\n\n`);
+        if (runningUnderNpx) {
+            // Self-update can't persist under npx (it re-serves its own cache next run).
+            // Be honest and point to the durable fix instead of a no-op "press u".
+            out.write(`  ▲ Update available: ${updateInfo.current} → ${updateInfo.latest}\n` +
+                `    You're running via npx, so updates won't stick. Install globally to stay current:\n` +
+                `      npm install -g myshell-tools@latest\n\n`);
+        }
+        else {
+            out.write(`  ▲ Update available: ${updateInfo.current} → ${updateInfo.latest}  (press u)\n\n`);
+        }
+    }
+    // Health issues — surfaced automatically, only when something is actually
+    // wrong (writable/Node/pricing). Silence means healthy; the user never runs a
+    // diagnostic command. Errors get ✗, warnings get ⚠️.
+    for (const issue of healthIssues) {
+        const marker = issue.severity === 'error' ? '✗' : '⚠️ ';
+        out.write(`  ${marker} ${issue.message}\n`);
     }
-    // Budget line — real ledger data, never fabricated
-    const entries = await readLedger(ctx.cwd);
-    const spend = summarizeSpend(entries, ctx.clock.isoNow());
+    if (healthIssues.length > 0)
+        out.write('\n');
+    // Budget line — real ledger data, never fabricated. The SpendSummary is
+    // computed by the caller and cached across keystrokes (the ledger only
+    // changes when a task completes), so navigating the menu never re-parses the
+    // unbounded ledger.jsonl on every keypress.
     out.write('  ' + renderBudgetLine(spend, out.color) + '\n\n');
     // Recent conversations — separator() then list
     out.write(separator('Recent Conversations') + '\n');
@@ -1020,8 +1188,9 @@ async function renderMainScreen(ctx, mutableCtx, metas, out, updateInfo) {
         { key: 'k', label: 'Login Codex', section: 'Auth' },
         { key: 'o', label: opencodeLabel, section: 'Auth' },
     ];
-    // [u] Update now — shown only when a newer version is actually available
-    const updateEntry = updateInfo?.updateAvailable === true && updateInfo.latest !== null
+    // [u] Update now — shown only when a newer version is actually available AND
+    // an in-place self-update can persist (not under npx, where it would be a no-op).
+    const updateEntry = updateInfo?.updateAvailable === true && updateInfo.latest !== null && !runningUnderNpx
         ? [{ key: 'u', label: `Update now (→ ${updateInfo.latest})`, section: 'Options' }]
         : [];
     // Menu — sectioned via menu()
@@ -1067,6 +1236,10 @@ export async function startMenu(ctx, out) {
     const checkForUpdateFn = ctx.checkForUpdate;
     const updateSelfFn = ctx.updateSelf;
     const relaunchFn = ctx.relaunch;
+    // npx context: real detection from the running script path, or test override.
+    const runningUnderNpx = ctx.runningUnderNpx !== undefined
+        ? ctx.runningUnderNpx
+        : isRunningUnderNpx(process.argv[1], process.env);
     // Build the readLine function — either injected (for tests) or backed by a
     // real readline interface driven by the event-driven LineReader queue.
     let readLine;
@@ -1114,7 +1287,11 @@ export async function startMenu(ctx, out) {
         // ---- Auto-update at launch (default ON) ----------------------------------
         // Guard: only runs once; requires both the update and relaunch seams to be wired.
         // Disabled when MYSHELL_NO_UPDATE is set in the environment or autoUpdate===false.
+        // Skipped under npx: `npm install -g` won't be picked up by the next npx run
+        // (it re-serves its own cache), so silently installing globally would surprise
+        // the user with no durable benefit. The main screen shows the install hint instead.
         if (autoUpdateEnabled(mutableCtx.config, process.env) &&
+            !runningUnderNpx &&
             updateInfo?.updateAvailable === true &&
             updateInfo.latest !== null &&
             updateSelfFn !== undefined) {
@@ -1130,9 +1307,31 @@ export async function startMenu(ctx, out) {
             out.write('Auto-update failed — continuing with current version.\n');
         }
         // ---- B. Main screen loop -------------------------------------------------
+        // Compute Claude token lifetime once per launch (real disk read, or injected
+        // value from ctx for tests). Passed to renderMainScreen so renderHeaderLines
+        // stays pure.
+        let claudeTokenInfo;
+        if (ctx.claudeTokenInfo !== undefined) {
+            // Injected by tests (including explicit null to suppress warning).
+            claudeTokenInfo = ctx.claudeTokenInfo;
+        }
+        else {
+            // Real path: load from disk. Never throws; null when no capture date stored.
+            const capturedAt = await loadClaudeTokenCapturedAt().catch(() => undefined);
+            claudeTokenInfo = claudeTokenStatus(capturedAt, Date.now());
+        }
+        // Spend summary is cached and only recomputed when the ledger may have
+        // changed (after a task runs). Avoids re-reading the unbounded ledger.jsonl
+        // on every keystroke — the menu hot path stays O(1) in ledger size.
+        let spend = summarizeSpend(await readLedger(ctx.cwd), ctx.clock.isoNow());
+        let spendDirty = false;
         while (true) {
+            if (spendDirty) {
+                spend = summarizeSpend(await readLedger(ctx.cwd), ctx.clock.isoNow());
+                spendDirty = false;
+            }
             const metas = await ctx.store.list();
-            await renderMainScreen(ctx, mutableCtx, metas, out, updateInfo);
+            await renderMainScreen(ctx, mutableCtx, metas, spend, out, updateInfo, claudeTokenInfo, runningUnderNpx, ctx.healthIssues ?? []);
             out.write('> ');
             const key = await readLine();
             // ---- EOF / close — exit gracefully (FIX 1: no ERR_USE_AFTER_CLOSE) ----
@@ -1150,6 +1349,7 @@ export async function startMenu(ctx, out) {
                 if (firstMsg !== null && firstMsg.length > 0) {
                     const meta = await ctx.store.create(firstMsg);
                     const chatResult = await runChatLoop(ctx, mutableCtx, meta.id, out, readLine, loginFn, detectEnvironmentFn);
+                    spendDirty = true; // a task may have run — refresh the spend summary
                     if (chatResult === 'exit')
                         break;
                 }
@@ -1161,6 +1361,7 @@ export async function startMenu(ctx, out) {
                 const latest = all[0];
                 if (latest !== undefined) {
                     const chatResult = await runChatLoop(ctx, mutableCtx, latest.id, out, readLine, loginFn, detectEnvironmentFn);
+                    spendDirty = true; // a task may have run — refresh the spend summary
                     if (chatResult === 'exit')
                         break;
                 }
@@ -1175,6 +1376,7 @@ export async function startMenu(ctx, out) {
                 const target = metas[digit - 1];
                 if (target !== undefined) {
                     const chatResult = await runChatLoop(ctx, mutableCtx, target.id, out, readLine, loginFn, detectEnvironmentFn);
+                    spendDirty = true; // a task may have run — refresh the spend summary
                     if (chatResult === 'exit')
                         break;
                 }
@@ -1191,6 +1393,7 @@ export async function startMenu(ctx, out) {
             // ---- [i] Import a native conversation -----------------------------------
             if (key === 'i') {
                 const importResult = await runImportNative(ctx, mutableCtx, out, readLine, loginFn, detectEnvironmentFn);
+                spendDirty = true; // an imported session may run a task — refresh spend
                 if (importResult === 'exit')
                     break;
                 continue;
@@ -1222,10 +1425,11 @@ export async function startMenu(ctx, out) {
             // tests stay hermetic). If install succeeds, proceeds to sign in.
             if (key === 'o') {
                 if (!mutableCtx.env.opencode.installed) {
-                    out.write(`Install opencode (${installCommandFor('opencode').replace('npm install -g ', '')})? [Enter] yes · [n] no\n`);
-                    out.write('> ');
+                    out.write(`Install opencode (${installCommandFor('opencode').replace('npm install -g ', '')})? (Y/n) `);
                     const ans = await readLine();
-                    const skip = ans === null || ans.toLowerCase() === 'n' || ans.toLowerCase() === 'no';
+                    // EOF (null) means no interactive user — never auto-install on a closed
+                    // pipe. Otherwise honor the (Y/n) default-yes (Enter = install).
+                    const skip = ans === null || !parseYesNo(ans, true);
                     if (skip) {
                         out.write(`Skipped. You can install it later: ${installCommandFor('opencode')}\n`);
                         continue;