npm - nemoris - Versions diffs - 0.1.0 → 0.1.2 - Mend

nemoris 0.1.0 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (248) hide show

package/.env.example +49 -49
package/LICENSE +21 -21
package/README.md +209 -209
package/SECURITY.md +59 -119
package/bin/nemoris +46 -46
package/config/agents/agent.toml.example +28 -28
package/config/agents/content.toml +23 -0
package/config/agents/default.toml +22 -22
package/config/agents/heartbeat.toml +35 -0
package/config/agents/iris.toml +23 -0
package/config/agents/lab.toml +23 -0
package/config/agents/main.toml +45 -0
package/config/agents/nemo.toml +21 -0
package/config/agents/ops.toml +38 -0
package/config/agents/orchestrator.toml +18 -18
package/config/agents/revenue.toml +23 -0
package/config/agents/testyboo.toml +19 -0
package/config/delivery.toml +73 -73
package/config/embeddings.toml +5 -5
package/config/identity/content-purpose.md +11 -0
package/config/identity/content-soul.md +45 -0
package/config/identity/default-purpose.md +1 -1
package/config/identity/default-soul.md +3 -3
package/config/identity/heartbeat-purpose.md +9 -0
package/config/identity/heartbeat-soul.md +16 -0
package/config/identity/iris-purpose.md +17 -0
package/config/identity/iris-soul.md +68 -0
package/config/identity/lab-purpose.md +10 -0
package/config/identity/lab-soul.md +38 -0
package/config/identity/main-purpose.md +17 -0
package/config/identity/main-soul.md +66 -0
package/config/identity/main-user.md +22 -0
package/config/identity/ops-purpose.md +9 -0
package/config/identity/ops-soul.md +16 -0
package/config/identity/orchestrator-purpose.md +1 -1
package/config/identity/orchestrator-soul.md +1 -1
package/config/identity/revenue-purpose.md +9 -0
package/config/identity/revenue-soul.md +41 -0
package/config/identity/testyboo-purpose.md +13 -0
package/config/identity/testyboo-soul.md +20 -0
package/config/improvement-targets.toml +15 -15
package/config/jobs/heartbeat-check.toml +30 -30
package/config/jobs/memory-rollup.toml +46 -46
package/config/jobs/workspace-health.toml +63 -63
package/config/mcp.toml +16 -16
package/config/output-contracts.toml +17 -17
package/config/peers.toml +32 -32
package/config/peers.toml.example +32 -32
package/config/policies/memory-default.toml +10 -10
package/config/policies/memory-heartbeat.toml +5 -5
package/config/policies/memory-ops.toml +10 -10
package/config/policies/tools-heartbeat-minimal.toml +8 -8
package/config/policies/tools-interactive-safe.toml +8 -8
package/config/policies/tools-ops-bounded.toml +8 -8
package/config/policies/tools-orchestrator.toml +7 -7
package/config/providers/anthropic.toml +15 -15
package/config/providers/ollama.toml +5 -5
package/config/providers/openai-codex.toml +9 -9
package/config/providers/openrouter.toml +5 -5
package/config/router.toml +22 -22
package/config/runtime.toml +114 -114
package/config/skills/self-improvement.toml +15 -15
package/config/skills/telegram-onboarding-spec.md +240 -240
package/config/skills/workspace-monitor.toml +15 -15
package/config/task-router.toml +42 -42
package/install.sh +50 -50
package/package.json +91 -90
package/src/auth/auth-profiles.js +169 -169
package/src/auth/openai-codex-oauth.js +285 -285
package/src/battle.js +449 -449
package/src/cli/help.js +265 -265
package/src/cli/output-filter.js +49 -49
package/src/cli/runtime-control.js +704 -704
package/src/cli-main.js +2763 -2763
package/src/cli.js +78 -78
package/src/config/loader.js +332 -332
package/src/config/schema-validator.js +214 -214
package/src/config/toml-lite.js +8 -8
package/src/daemon/action-handlers.js +71 -71
package/src/daemon/healing-tick.js +87 -87
package/src/daemon/health-probes.js +90 -90
package/src/daemon/notifier.js +57 -57
package/src/daemon/nurse.js +218 -218
package/src/daemon/repair-log.js +106 -106
package/src/daemon/rule-staging.js +90 -90
package/src/daemon/rules.js +29 -29
package/src/daemon/telegram-commands.js +54 -54
package/src/daemon/updater.js +85 -85
package/src/jobs/job-runner.js +78 -78
package/src/mcp/consumer.js +129 -129
package/src/memory/active-recall.js +171 -171
package/src/memory/backend-manager.js +97 -97
package/src/memory/backends/file-backend.js +38 -38
package/src/memory/backends/qmd-backend.js +219 -219
package/src/memory/embedding-guards.js +24 -24
package/src/memory/embedding-index.js +118 -118
package/src/memory/embedding-service.js +179 -179
package/src/memory/file-index.js +177 -177
package/src/memory/memory-signature.js +5 -5
package/src/memory/memory-store.js +648 -648
package/src/memory/retrieval-planner.js +66 -66
package/src/memory/scoring.js +145 -145
package/src/memory/simhash.js +78 -78
package/src/memory/sqlite-active-store.js +824 -824
package/src/memory/write-policy.js +36 -36
package/src/onboarding/aliases.js +33 -33
package/src/onboarding/auth/api-key.js +224 -224
package/src/onboarding/auth/ollama-detect.js +42 -42
package/src/onboarding/clack-prompter.js +77 -77
package/src/onboarding/doctor.js +530 -530
package/src/onboarding/lock.js +42 -42
package/src/onboarding/model-catalog.js +344 -344
package/src/onboarding/phases/auth.js +576 -589
package/src/onboarding/phases/build.js +130 -130
package/src/onboarding/phases/choose.js +82 -82
package/src/onboarding/phases/detect.js +98 -98
package/src/onboarding/phases/hatch.js +216 -216
package/src/onboarding/phases/identity.js +79 -79
package/src/onboarding/phases/ollama.js +345 -345
package/src/onboarding/phases/scaffold.js +99 -99
package/src/onboarding/phases/telegram.js +377 -377
package/src/onboarding/phases/validate.js +204 -204
package/src/onboarding/phases/verify.js +206 -206
package/src/onboarding/platform.js +482 -482
package/src/onboarding/status-bar.js +95 -95
package/src/onboarding/templates.js +794 -794
package/src/onboarding/toml-writer.js +38 -38
package/src/onboarding/tui.js +250 -250
package/src/onboarding/uninstall.js +153 -153
package/src/onboarding/wizard.js +516 -499
package/src/providers/anthropic.js +168 -168
package/src/providers/base.js +247 -247
package/src/providers/circuit-breaker.js +136 -136
package/src/providers/ollama.js +163 -163
package/src/providers/openai-codex.js +149 -149
package/src/providers/openrouter.js +136 -136
package/src/providers/registry.js +36 -36
package/src/providers/router.js +16 -16
package/src/runtime/bootstrap-cache.js +47 -47
package/src/runtime/capabilities-prompt.js +25 -25
package/src/runtime/completion-ping.js +99 -99
package/src/runtime/config-validator.js +121 -121
package/src/runtime/context-ledger.js +360 -360
package/src/runtime/cutover-readiness.js +42 -42
package/src/runtime/daemon.js +729 -729
package/src/runtime/delivery-ack.js +195 -195
package/src/runtime/delivery-adapters/local-file.js +41 -41
package/src/runtime/delivery-adapters/openclaw-cli.js +94 -94
package/src/runtime/delivery-adapters/openclaw-peer.js +98 -98
package/src/runtime/delivery-adapters/shadow.js +13 -13
package/src/runtime/delivery-adapters/standalone-http.js +98 -98
package/src/runtime/delivery-adapters/telegram.js +104 -104
package/src/runtime/delivery-adapters/tui.js +128 -128
package/src/runtime/delivery-manager.js +807 -807
package/src/runtime/delivery-store.js +168 -168
package/src/runtime/dependency-health.js +118 -118
package/src/runtime/envelope.js +114 -114
package/src/runtime/evaluation.js +1089 -1089
package/src/runtime/exec-approvals.js +216 -216
package/src/runtime/executor.js +500 -500
package/src/runtime/failure-ping.js +67 -67
package/src/runtime/flows.js +83 -83
package/src/runtime/guards.js +45 -45
package/src/runtime/handoff.js +51 -51
package/src/runtime/identity-cache.js +28 -28
package/src/runtime/improvement-engine.js +109 -109
package/src/runtime/improvement-harness.js +581 -581
package/src/runtime/input-sanitiser.js +72 -72
package/src/runtime/interaction-contract.js +347 -347
package/src/runtime/lane-readiness.js +226 -226
package/src/runtime/migration.js +323 -323
package/src/runtime/model-resolution.js +78 -78
package/src/runtime/network.js +64 -64
package/src/runtime/notification-store.js +97 -97
package/src/runtime/notifier.js +256 -256
package/src/runtime/orchestrator.js +53 -53
package/src/runtime/orphan-reaper.js +41 -41
package/src/runtime/output-contract-schema.js +139 -139
package/src/runtime/output-contract-validator.js +439 -439
package/src/runtime/peer-readiness.js +69 -69
package/src/runtime/peer-registry.js +133 -133
package/src/runtime/pilot-status.js +108 -108
package/src/runtime/prompt-builder.js +261 -261
package/src/runtime/provider-attempt.js +582 -582
package/src/runtime/report-fallback.js +71 -71
package/src/runtime/result-normalizer.js +183 -183
package/src/runtime/retention.js +74 -74
package/src/runtime/review.js +244 -244
package/src/runtime/route-job.js +15 -15
package/src/runtime/run-store.js +38 -38
package/src/runtime/schedule.js +88 -88
package/src/runtime/scheduler-state.js +434 -434
package/src/runtime/scheduler.js +656 -656
package/src/runtime/session-compactor.js +182 -182
package/src/runtime/session-search.js +155 -155
package/src/runtime/slack-inbound.js +249 -249
package/src/runtime/ssrf.js +102 -102
package/src/runtime/status-aggregator.js +330 -330
package/src/runtime/task-contract.js +140 -140
package/src/runtime/task-packet.js +107 -107
package/src/runtime/task-router.js +140 -140
package/src/runtime/telegram-inbound.js +1565 -1565
package/src/runtime/token-counter.js +134 -134
package/src/runtime/token-estimator.js +59 -59
package/src/runtime/tool-loop.js +200 -200
package/src/runtime/transport-server.js +311 -311
package/src/runtime/tui-server.js +411 -411
package/src/runtime/ulid.js +44 -44
package/src/security/ssrf-check.js +197 -197
package/src/setup.js +369 -369
package/src/shadow/bridge.js +303 -303
package/src/skills/loader.js +84 -84
package/src/tools/catalog.json +49 -49
package/src/tools/cli-delegate.js +44 -44
package/src/tools/mcp-client.js +106 -106
package/src/tools/micro/cancel-task.js +6 -6
package/src/tools/micro/complete-task.js +6 -6
package/src/tools/micro/fail-task.js +6 -6
package/src/tools/micro/http-fetch.js +74 -74
package/src/tools/micro/index.js +36 -36
package/src/tools/micro/lcm-recall.js +60 -60
package/src/tools/micro/list-dir.js +17 -17
package/src/tools/micro/list-skills.js +46 -46
package/src/tools/micro/load-skill.js +38 -38
package/src/tools/micro/memory-search.js +45 -45
package/src/tools/micro/read-file.js +11 -11
package/src/tools/micro/session-search.js +54 -54
package/src/tools/micro/shell-exec.js +43 -43
package/src/tools/micro/trigger-job.js +79 -79
package/src/tools/micro/web-search.js +58 -58
package/src/tools/micro/workspace-paths.js +39 -39
package/src/tools/micro/write-file.js +14 -14
package/src/tools/micro/write-memory.js +41 -41
package/src/tools/registry.js +348 -348
package/src/tools/tool-result-contract.js +36 -36
package/src/tui/chat.js +835 -835
package/src/tui/renderer.js +175 -175
package/src/tui/socket-client.js +217 -217
package/src/utils/canonical-json.js +29 -29
package/src/utils/compaction.js +30 -30
package/src/utils/env-loader.js +5 -5
package/src/utils/errors.js +80 -80
package/src/utils/fs.js +101 -101
package/src/utils/ids.js +5 -5
package/src/utils/model-context-limits.js +30 -30
package/src/utils/token-budget.js +74 -74
package/src/utils/usage-cost.js +25 -25
package/src/utils/usage-metrics.js +14 -14

package/src/onboarding/phases/auth.js CHANGED Viewed

@@ -1,589 +1,576 @@
-/**
- * Auth phase — orchestrates key detection, validation, .env writing,
- * and provider/router TOML generation.
- *
- * Phase 3 of the onboarding wizard. Zero LLM tokens consumed; does network
- * probes for health checks only.
- */
-import fs from "node:fs";
-import path from "node:path";
-import { providerTemplate, routerTemplate } from "../templates.js";
-import {
-  detectExistingKeys,
-  validateApiKey,
-  validateApiKeyFormat,
-  writeEnvFile,
-  resolveProviders
-} from "../auth/api-key.js";
-import { detectOllama } from "../auth/ollama-detect.js";
-import {
-  initiateOpenAICodexOAuthFlow,
-  inspectOpenAICodexProfile,
-  OPENAI_CODEX_DEFAULT_PROFILE_ID,
-  resolveOpenAICodexAccess,
-} from "../../auth/openai-codex-oauth.js";
-import { getAuthProfile, resolveAuthProfilesPath } from "../../auth/auth-profiles.js";
-import { buildModelSelectionOptions, fetchOpenAIModels } from "../model-catalog.js";
-const PROVIDER_CONFIGS = {
-  anthropic: {
-    providerId: "anthropic",
-    adapter: "anthropic",
-    authEnv: "NEMORIS_ANTHROPIC_API_KEY",
-    baseUrl: "https://api.anthropic.com",
-    healthcheck: "messages.create",
-  },
-  openrouter: {
-    providerId: "openrouter",
-    adapter: "openrouter",
-    authEnv: "OPENROUTER_API_KEY",
-    baseUrl: "https://openrouter.ai/api/v1",
-  },
-  openai: {
-    providerId: "openai-codex",
-    adapter: "openai-codex",
-    authEnv: "NEMORIS_OPENAI_API_KEY",
-    baseUrl: "https://api.openai.com/v1",
-  },
-  ollama: {
-    providerId: "ollama",
-    adapter: "ollama",
-    authEnv: "",
-    baseUrl: "http://localhost:11434",
-    healthcheck: "http://localhost:11434/api/tags",
-  },
-};
-const MODEL_ROLE_ORDER = ["cheap_interactive", "fallback", "manual_bump"];
-const PROVIDER_MODEL_PRESETS = {
-  anthropic: [
-    {
-      key: "haiku",
-      id: "anthropic/claude-haiku-4-5",
-      label: "Claude Haiku 4.5",
-      description: "Fastest and cheapest for interactive work.",
-    },
-    {
-      key: "sonnet",
-      id: "anthropic/claude-sonnet-4-6",
-      label: "Claude Sonnet 4.6",
-      description: "Balanced default for most serious work.",
-    },
-    {
-      key: "opus",
-      id: "anthropic/claude-opus-4-6",
-      label: "Claude Opus 4.6",
-      description: "Highest quality, slowest and most expensive.",
-    },
-  ],
-  openrouter: [
-    {
-      key: "haiku",
-      id: "openrouter/anthropic/claude-haiku-4-5",
-      label: "Claude Haiku 4.5",
-      description: "Lowest-cost OpenRouter default.",
-    },
-    {
-      key: "sonnet",
-      id: "openrouter/anthropic/claude-sonnet-4-6",
-      label: "Claude Sonnet 4.6",
-      description: "Strong general-purpose default.",
-    },
-    {
-      key: "gpt4o",
-      id: "openrouter/openai/gpt-4o",
-      label: "GPT-4o",
-      description: "Fast multimodal OpenAI route through OpenRouter.",
-    },
-    {
-      key: "opus",
-      id: "openrouter/anthropic/claude-opus-4-6",
-      label: "Claude Opus 4.6",
-      description: "Highest quality. Use when Sonnet isn't enough.",
-    },
-  ],
-  openai: [
-    {
-      key: "gpt41",
-      id: "openai-codex/gpt-4.1",
-      label: "GPT-4.1",
-      description: "Latest large-context default.",
-    },
-    {
-      key: "gpt4o",
-      id: "openai-codex/gpt-4o",
-      label: "GPT-4o",
-      description: "Fast multimodal fallback.",
-    },
-    {
-      key: "o4mini",
-      id: "openai-codex/o4-mini",
-      label: "o4-mini",
-      description: "Efficient reasoning path.",
-    },
-    {
-      key: "o3",
-      id: "openai-codex/o3",
-      label: "o3",
-      description: "Most capable reasoning option.",
-    },
-  ],
-};
-function stripProviderPrefix(provider, modelId) {
-  if (provider === "openrouter") {
-    return modelId.replace(/^openrouter\//, "");
-  }
-  if (provider === "openai") {
-    return modelId.replace(/^openai-codex\//, "");
-  }
-  if (provider === "anthropic") {
-    return modelId.replace(/^anthropic\//, "");
-  }
-  return modelId;
-}
-function ensureProviderModelPrefix(provider, modelId) {
-  const trimmed = String(modelId || "").trim();
-  if (!trimmed) return "";
-  if (provider === "openrouter") {
-    return trimmed.startsWith("openrouter/") ? trimmed : `openrouter/${trimmed}`;
-  }
-  if (provider === "openai") {
-    return trimmed.startsWith("openai-codex/") ? trimmed : `openai-codex/${trimmed}`;
-  }
-  if (provider === "anthropic") {
-    return trimmed.startsWith("anthropic/") ? trimmed : `anthropic/${trimmed}`;
-  }
-  return trimmed;
-}
-function buildProviderModelEntries(provider, selectedModels = []) {
-  const presets = PROVIDER_MODEL_PRESETS[provider] || [];
-  return selectedModels.map((id, index) => {
-    const preset = presets.find((item) => item.id === id);
-    return {
-      key: preset?.key || `model${index + 1}`,
-      id,
-      role: MODEL_ROLE_ORDER[index] || MODEL_ROLE_ORDER.at(-1),
-    };
-  });
-}
-function providerDisplayName(provider) {
-  if (provider === "openrouter") return "OpenRouter";
-  if (provider === "openai") return "OpenAI";
-  if (provider === "anthropic") return "Anthropic";
-  return provider;
-}
-async function fetchProviderModelIds(provider, key, { fetchImpl = globalThis.fetch } = {}) {
-  if (provider === "anthropic") {
-    return PROVIDER_MODEL_PRESETS.anthropic.map((item) => item.id);
-  }
-  const target = provider === "openrouter"
-    ? {
-        url: "https://openrouter.ai/api/v1/models",
-        headers: { authorization: `Bearer ${key}` },
-      }
-    : provider === "openai"
-      ? {
-          url: "https://api.openai.com/v1/models",
-          headers: { authorization: `Bearer ${key}` },
-        }
-      : null;
-  if (!target) {
-    return [];
-  }
-  try {
-    const response = await fetchImpl(target.url, {
-      method: "GET",
-      headers: target.headers,
-      signal: AbortSignal.timeout(10000),
-    });
-    const data = await response.json();
-    if (!response.ok) {
-      return [];
-    }
-    const ids = Array.isArray(data?.data)
-      ? data.data.map((item) => item?.id).filter(Boolean)
-      : [];
-    if (provider === "openrouter") {
-      return ids.map((id) => ensureProviderModelPrefix(provider, id));
-    }
-    if (provider === "openai") {
-      return ids.map((id) => ensureProviderModelPrefix(provider, id));
-    }
-    return ids;
-  } catch {
-    return [];
-  }
-}
-async function buildProviderSelectionOptions(provider, key, { fetchImpl = globalThis.fetch } = {}) {
-  if (provider === "openai") {
-    const discoveredModels = await fetchOpenAIModels(key, { fetchImpl });
-    return buildModelSelectionOptions({
-      provider,
-      discoveredModels,
-      includeKeep: false,
-      includeManual: true,
-    }).map((entry) => ({
-      value: entry.value,
-      label: entry.label,
-      description: entry.hint,
-    }));
-  }
-  const curated = PROVIDER_MODEL_PRESETS[provider] || [];
-  const available = new Set(await fetchProviderModelIds(provider, key, { fetchImpl }));
-  const selectable = curated.filter((item) => available.size === 0 || available.has(item.id));
-  const options = selectable.length > 0 ? selectable : curated;
-  return options.map((item) => ({
-    value: item.id,
-    label: item.label,
-    description: item.description,
-  }));
-}
-async function promptForProviderModels(provider, key, tui, { fetchImpl = globalThis.fetch } = {}) {
-  const { select, prompt, dim, cyan } = tui;
-  if (!select) return [];
-  const options = await buildProviderSelectionOptions(provider, key, { fetchImpl });
-  const chosen = [];
-  const manualOptionValue = provider === "openai" ? "__manual__" : "__custom__";
-  const defaultModelValue = options.find((item) => !String(item.value).startsWith("__"))?.value || "";
-  console.log(`\n  ${cyan(`Choose ${provider === "openrouter" ? "OpenRouter" : provider === "openai" ? "OpenAI" : "Anthropic"} models`)}`);
-  console.log(`  ${dim("Pick up to three models. The first is your default. The others are fallbacks when the default is slow or unavailable.")}`);
-  while (chosen.length < 3) {
-    const remaining = options.filter((item) => !chosen.includes(item.value));
-    const pickerOptions = remaining.map((item) => ({
-      label: item.label,
-      value: item.value,
-      description: item.description,
-    }));
-    if (chosen.length > 0) {
-      pickerOptions.push({
-        label: "Done",
-        value: "__done__",
-        description: "Continue setup with the models already selected.",
-      });
-    }
-    if (provider !== "openai") {
-      pickerOptions.push({
-        label: "Enter a different model name...",
-        value: manualOptionValue,
-        description: "Use a specific model id not shown in the curated list.",
-      });
-    }
-    const picked = await select(
-      chosen.length === 0 ? "Default model:" : `Add another model (${chosen.length}/3 selected):`,
-      pickerOptions,
-    );
-    if (picked === "__done__") {
-      break;
-    }
-    let modelId = picked;
-    if (picked === manualOptionValue) {
-      const custom = await prompt("Model id", stripProviderPrefix(provider, defaultModelValue));
-      modelId = ensureProviderModelPrefix(provider, custom);
-      if (!modelId) {
-        continue;
-      }
-    }
-    if (!chosen.includes(modelId)) {
-      chosen.push(modelId);
-    }
-  }
-  return chosen;
-}
-export function writeProviderConfigs(installDir, providerInput) {
-  const providersDir = path.join(installDir, "config", "providers");
-  fs.mkdirSync(providersDir, { recursive: true });
-  const selections = Array.isArray(providerInput)
-    ? Object.fromEntries(providerInput.map((id) => [id, []]))
-    : (providerInput || {});
-  for (const [provider, rawSelection] of Object.entries(selections)) {
-    const selection = Array.isArray(rawSelection)
-      ? { models: rawSelection }
-      : (rawSelection || {});
-    const baseConfig = PROVIDER_CONFIGS[provider] ?? {};
-    const providerId = baseConfig.providerId || provider;
-    const config = {
-      ...baseConfig,
-      ...("authRef" in selection ? { authRef: selection.authRef } : {}),
-      models: buildProviderModelEntries(provider, selection.models || []),
-    };
-    const content = providerTemplate(providerId, config);
-    fs.writeFileSync(path.join(providersDir, `${providerId}.toml`), content, "utf8");
-  }
-}
-export function writeRouter(installDir, providers, selectedModels = {}) {
-  const configDir = path.join(installDir, "config");
-  fs.mkdirSync(configDir, { recursive: true });
-  const content = routerTemplate({ ...providers, selectedModels });
-  fs.writeFileSync(path.join(configDir, "router.toml"), content, "utf8");
-}
-async function promptForProviderKey(provider, tui, validateApiKeyImpl = validateApiKey) {
-  const { promptSecret, bold, dim, green, red, yellow } = tui;
-  if (!promptSecret) return null;
-  while (true) {
-    if (provider === "anthropic") {
-      console.log(`\n  ${bold("Anthropic setup-token")} ${dim("(recommended if you have Claude Code)")}`);
-      console.log(`     1. Run: ${green("claude setup-token")} ${dim("(on any machine with Claude Code)")}`);
-      console.log(`     2. Paste the token here ${dim("(leave blank to skip)")}`);
-      console.log(`\n     ${dim("-- OR --")}\n`);
-      console.log(`     ${bold("API key")} ${dim("(from console.anthropic.com/settings/keys)")}`);
-    } else if (provider === "openai") {
-      console.log(`\n  ${bold("OpenAI API key")} ${dim("(from platform.openai.com/api-keys; leave blank to skip)")}`);
-    } else if (provider === "openrouter") {
-      console.log(`\n  ${bold("OpenRouter API key")} ${dim("(from openrouter.ai/keys; leave blank to skip)")}`);
-    }
-    const question = provider === "anthropic"
-      ? "Paste your Anthropic token"
-      : provider === "openrouter"
-        ? "Paste your OpenRouter key"
-        : "Paste your sk-... key";
-    const raw = await promptSecret(question);
-    const token = raw.trim();
-    if (!token) return null;
-    const format = validateApiKeyFormat(provider, token);
-    if (!format.ok) {
-      console.log(`  ${red("✗")} ${format.error}`);
-      continue;
-    }
-    console.log(`  ${dim("Verifying key...")}`);
-    const slowValidationNotice = setTimeout(() => {
-      console.log(`  ${dim("This may take a few seconds...")}`);
-    }, 3000);
-    let result;
-    try {
-      result = await validateApiKeyImpl(provider, token);
-    } finally {
-      clearTimeout(slowValidationNotice);
-    }
-    if (result.ok) {
-      const providerLabel = provider === "anthropic" ? "Anthropic" : provider === "openrouter" ? "OpenRouter" : "OpenAI";
-      console.log(`  ${green("✓")} ${providerLabel} key verified`);
-      return token;
-    }
-    if (result.status === 401 || result.status === 403) {
-      console.log(`  ${red("✗")} Authentication failed (${result.status}). Try again.`);
-      continue;
-    }
-    const detail = result.status ? `HTTP ${result.status}` : (result.error || "request failed");
-    console.log(`  ${yellow("!")} Couldn't verify the key (${detail}). Check the key and try again, or press Enter to skip.`);
-  }
-}
-async function confirmLocalOnlySetup(tui) {
-  const { confirm, yellow = (value) => value, dim = (value) => value } = tui;
-  if (!confirm) {
-    return true;
-  }
-  console.log(`\n  ${yellow("⚠")} You haven't configured any cloud providers.`);
-  console.log(`  ${dim("Your agent will only use local models (Ollama).")}`);
-  return confirm("Continue anyway?", false);
-}
-async function maybeResolveOpenAIOAuth({
-  tui,
-  enableOpenAIOAuthChoice = false,
-  openAIOAuthImpl = initiateOpenAICodexOAuthFlow,
-}) {
-  const authProfilesPath = resolveAuthProfilesPath();
-  const existingProfile = getAuthProfile(OPENAI_CODEX_DEFAULT_PROFILE_ID, authProfilesPath);
-  const inspection = inspectOpenAICodexProfile(existingProfile, { now: Date.now() });
-  if (inspection.state === "usable_token" || inspection.state === "refresh_needed") {
-    const resolved = await resolveOpenAICodexAccess(OPENAI_CODEX_DEFAULT_PROFILE_ID, {
-      filePath: authProfilesPath,
-    });
-    return {
-      authRef: `profile:${OPENAI_CODEX_DEFAULT_PROFILE_ID}`,
-      token: resolved.token,
-      mode: "oauth",
-    };
-  }
-  if (!enableOpenAIOAuthChoice || !tui?.select) {
-    return null;
-  }
-  const method = await tui.select("OpenAI auth method:", [
-    {
-      label: "API key",
-      value: "api_key",
-      description: "Paste an OpenAI API key from platform.openai.com.",
-    },
-    {
-      label: "ChatGPT OAuth",
-      value: "oauth",
-      description: "Open browser login and store a refreshable local profile.",
-    },
-  ]);
-  if (method !== "oauth") {
-    return null;
-  }
-  const profile = await openAIOAuthImpl({
-    filePath: authProfilesPath,
-    promptForPasteImpl: async (message) => (tui.prompt ? tui.prompt(message, "") : ""),
-  });
-  return {
-    authRef: `profile:${OPENAI_CODEX_DEFAULT_PROFILE_ID}`,
-    token: profile.access,
-    mode: "oauth",
-  };
-}
-/**
- * @param {string} installDir
- * @param {object} [options]
- * @param {object} [options.tui]
- * @param {object} [options.detectionCache]
- * @param {Function} [options.validateApiKeyImpl]
- * @returns {Promise<{ providers: string[], providerFlags: object, keys: object }>}
- */
-export async function runAuthPhase(installDir, options = {}) {
-  const {
-    tui,
-    detectionCache,
-    validateApiKeyImpl = validateApiKey,
-    fetchImpl = globalThis.fetch,
-    providerOrder = ["openrouter", "anthropic", "openai"],
-    enableOpenAIOAuthChoice = false,
-    openAIOAuthImpl = initiateOpenAICodexOAuthFlow,
-  } = options;
-  const existingKeys = detectionCache?.rawKeys || detectExistingKeys();
-  const ollamaResult = detectionCache?.ollamaResult || await detectOllama();
-  const keys = { ...existingKeys };
-  const prevalidatedKeys = new Set();
-  const selectedModels = {};
-  const providerAuthRefs = {};
-  const providerSecrets = {};
-  if (tui) {
-    let promptingComplete = false;
-    while (!promptingComplete) {
-      for (const provider of providerOrder) {
-        if (keys[provider]) continue;
-        if (provider === "openai") {
-          const oauthResult = await maybeResolveOpenAIOAuth({
-            tui,
-            enableOpenAIOAuthChoice,
-            openAIOAuthImpl,
-          });
-          if (oauthResult) {
-            providerAuthRefs.openai = oauthResult.authRef;
-            providerSecrets.openai = oauthResult.token;
-            continue;
-          }
-        }
-        keys[provider] = await promptForProviderKey(provider, tui, validateApiKeyImpl);
-        if (keys[provider]) {
-          prevalidatedKeys.add(provider);
-        }
-      }
-      const hasCloudProvider = Boolean(
-        keys.openrouter || keys.anthropic || keys.openai || providerAuthRefs.openai
-      );
-      if (hasCloudProvider || !ollamaResult.ok) {
-        promptingComplete = true;
-        continue;
-      }
-      const continueWithLocalOnly = await confirmLocalOnlySetup(tui);
-      if (continueWithLocalOnly) {
-        promptingComplete = true;
-      }
-    }
-  }
-  const validatedKeys = {};
-  const providerFlags = { anthropic: false, openrouter: false, openai: false, ollama: ollamaResult.ok };
-  for (const [provider, key] of Object.entries(keys)) {
-    if (!key) continue;
-    const format = validateApiKeyFormat(provider, key);
-    if (!format.ok) continue;
-    const result = prevalidatedKeys.has(provider)
-      ? { ok: true, status: 200 }
-      : await validateApiKeyImpl(provider, key);
-    if (!result.ok) continue;
-    validatedKeys[provider] = key;
-    providerSecrets[provider] = key;
-    if (provider in providerFlags) {
-      providerFlags[provider] = true;
-    }
-  }
-  if (providerAuthRefs.openai) {
-    providerFlags.openai = true;
-  }
-  if (tui) {
-    for (const provider of ["openrouter", "anthropic", "openai"]) {
-      const providerToken = providerSecrets[provider];
-      if (!providerToken) continue;
-      selectedModels[provider] = await promptForProviderModels(provider, providerToken, tui, { fetchImpl });
-    }
-  }
-  const envKeys = {};
-  if (validatedKeys.anthropic) {
-    envKeys.NEMORIS_ANTHROPIC_API_KEY = validatedKeys.anthropic;
-  }
-  if (validatedKeys.openai) {
-    envKeys.NEMORIS_OPENAI_API_KEY = validatedKeys.openai;
-  }
-  if (validatedKeys.openrouter) {
-    envKeys.OPENROUTER_API_KEY = validatedKeys.openrouter;
-  }
-  if (Object.keys(envKeys).length > 0) {
-    writeEnvFile(installDir, envKeys);
-  }
-  const providerIds = resolveProviders({
-    anthropic: validatedKeys.anthropic || null,
-    openrouter: validatedKeys.openrouter || null,
-    openai: validatedKeys.openai || providerAuthRefs.openai || null,
-    ollama: ollamaResult.ok,
-  });
-  writeProviderConfigs(installDir, Object.fromEntries(providerIds.map((id) => [id, {
-    models: selectedModels[id] || [],
-    ...(providerAuthRefs[id] ? { authRef: providerAuthRefs[id] } : {}),
-  }])));
-  writeRouter(installDir, providerFlags, selectedModels);
-  return { providers: providerIds, providerFlags, keys: validatedKeys, selectedModels };
-}
+/**
+ * Auth phase — orchestrates key detection, validation, .env writing,
+ * and provider/router TOML generation.
+ *
+ * Phase 3 of the onboarding wizard. Zero LLM tokens consumed; does network
+ * probes for health checks only.
+ */
+import fs from "node:fs";
+import path from "node:path";
+import { providerTemplate, routerTemplate } from "../templates.js";
+import {
+  detectExistingKeys,
+  validateApiKey,
+  validateApiKeyFormat,
+  writeEnvFile,
+  resolveProviders
+} from "../auth/api-key.js";
+import { detectOllama } from "../auth/ollama-detect.js";
+import {
+  initiateOpenAICodexOAuthFlow,
+  inspectOpenAICodexProfile,
+  OPENAI_CODEX_DEFAULT_PROFILE_ID,
+  resolveOpenAICodexAccess,
+} from "../../auth/openai-codex-oauth.js";
+import { getAuthProfile, resolveAuthProfilesPath } from "../../auth/auth-profiles.js";
+const PROVIDER_CONFIGS = {
+  anthropic: {
+    providerId: "anthropic",
+    adapter: "anthropic",
+    authEnv: "NEMORIS_ANTHROPIC_API_KEY",
+    baseUrl: "https://api.anthropic.com",
+    healthcheck: "messages.create",
+  },
+  openrouter: {
+    providerId: "openrouter",
+    adapter: "openrouter",
+    authEnv: "OPENROUTER_API_KEY",
+    baseUrl: "https://openrouter.ai/api/v1",
+  },
+  openai: {
+    providerId: "openai-codex",
+    adapter: "openai-codex",
+    authEnv: "NEMORIS_OPENAI_API_KEY",
+    baseUrl: "https://api.openai.com/v1",
+  },
+  ollama: {
+    providerId: "ollama",
+    adapter: "ollama",
+    authEnv: "",
+    baseUrl: "http://localhost:11434",
+    healthcheck: "http://localhost:11434/api/tags",
+  },
+};
+const MODEL_ROLE_ORDER = ["cheap_interactive", "fallback", "manual_bump"];
+const PROVIDER_MODEL_PRESETS = {
+  anthropic: [
+    {
+      key: "haiku",
+      id: "anthropic/claude-haiku-4-5",
+      label: "Claude Haiku 4.5",
+      description: "Fastest and cheapest for interactive work.",
+    },
+    {
+      key: "sonnet",
+      id: "anthropic/claude-sonnet-4-6",
+      label: "Claude Sonnet 4.6",
+      description: "Balanced default for most serious work.",
+    },
+    {
+      key: "opus",
+      id: "anthropic/claude-opus-4-6",
+      label: "Claude Opus 4.6",
+      description: "Highest quality, slowest and most expensive.",
+    },
+  ],
+  openrouter: [
+    {
+      key: "haiku",
+      id: "openrouter/anthropic/claude-haiku-4-5",
+      label: "Claude Haiku 4.5",
+      description: "Lowest-cost OpenRouter default.",
+    },
+    {
+      key: "sonnet",
+      id: "openrouter/anthropic/claude-sonnet-4-6",
+      label: "Claude Sonnet 4.6",
+      description: "Strong general-purpose default.",
+    },
+    {
+      key: "gpt4o",
+      id: "openrouter/openai/gpt-4o",
+      label: "GPT-4o",
+      description: "Fast multimodal OpenAI route through OpenRouter.",
+    },
+    {
+      key: "opus",
+      id: "openrouter/anthropic/claude-opus-4-6",
+      label: "Claude Opus 4.6",
+      description: "Highest quality. Use when Sonnet isn't enough.",
+    },
+  ],
+  openai: [
+    {
+      key: "gpt41",
+      id: "openai-codex/gpt-4.1",
+      label: "GPT-4.1",
+      description: "Latest large-context default.",
+    },
+    {
+      key: "gpt4o",
+      id: "openai-codex/gpt-4o",
+      label: "GPT-4o",
+      description: "Fast multimodal fallback.",
+    },
+    {
+      key: "o4mini",
+      id: "openai-codex/o4-mini",
+      label: "o4-mini",
+      description: "Efficient reasoning path.",
+    },
+    {
+      key: "o3",
+      id: "openai-codex/o3",
+      label: "o3",
+      description: "Most capable reasoning option.",
+    },
+  ],
+};
+function stripProviderPrefix(provider, modelId) {
+  if (provider === "openrouter") {
+    return modelId.replace(/^openrouter\//, "");
+  }
+  if (provider === "openai") {
+    return modelId.replace(/^openai-codex\//, "");
+  }
+  if (provider === "anthropic") {
+    return modelId.replace(/^anthropic\//, "");
+  }
+  return modelId;
+}
+function ensureProviderModelPrefix(provider, modelId) {
+  const trimmed = String(modelId || "").trim();
+  if (!trimmed) return "";
+  if (provider === "openrouter") {
+    return trimmed.startsWith("openrouter/") ? trimmed : `openrouter/${trimmed}`;
+  }
+  if (provider === "openai") {
+    return trimmed.startsWith("openai-codex/") ? trimmed : `openai-codex/${trimmed}`;
+  }
+  if (provider === "anthropic") {
+    return trimmed.startsWith("anthropic/") ? trimmed : `anthropic/${trimmed}`;
+  }
+  return trimmed;
+}
+function buildProviderModelEntries(provider, selectedModels = []) {
+  const presets = PROVIDER_MODEL_PRESETS[provider] || [];
+  return selectedModels.map((id, index) => {
+    const preset = presets.find((item) => item.id === id);
+    return {
+      key: preset?.key || `model${index + 1}`,
+      id,
+      role: MODEL_ROLE_ORDER[index] || MODEL_ROLE_ORDER.at(-1),
+    };
+  });
+}
+function providerDisplayName(provider) {
+  if (provider === "openrouter") return "OpenRouter";
+  if (provider === "openai") return "OpenAI";
+  if (provider === "anthropic") return "Anthropic";
+  return provider;
+}
+async function fetchProviderModelIds(provider, key, { fetchImpl = globalThis.fetch } = {}) {
+  const targets = {
+    anthropic: {
+      url: "https://api.anthropic.com/v1/models",
+      headers: { "x-api-key": key, "anthropic-version": "2023-06-01" },
+    },
+    openrouter: {
+      url: "https://openrouter.ai/api/v1/models",
+      headers: { authorization: `Bearer ${key}` },
+    },
+    openai: {
+      url: "https://api.openai.com/v1/models",
+      headers: { authorization: `Bearer ${key}` },
+    },
+  };
+  const target = targets[provider];
+  if (!target) return [];
+  try {
+    const response = await fetchImpl(target.url, {
+      method: "GET",
+      headers: target.headers,
+      signal: AbortSignal.timeout(10000),
+    });
+    const data = await response.json();
+    if (!response.ok) return PROVIDER_MODEL_PRESETS[provider]?.map((item) => item.id) ?? [];
+    const ids = Array.isArray(data?.data)
+      ? data.data.map((item) => item?.id).filter(Boolean)
+      : [];
+    return ids.map((id) => ensureProviderModelPrefix(provider, id));
+  } catch {
+    return PROVIDER_MODEL_PRESETS[provider]?.map((item) => item.id) ?? [];
+  }
+}
+async function buildProviderSelectionOptions(provider, key, { fetchImpl = globalThis.fetch } = {}) {
+  const curated = PROVIDER_MODEL_PRESETS[provider] || [];
+  const fetched = await fetchProviderModelIds(provider, key, { fetchImpl });
+  const fetchedSet = new Set(fetched);
+  // Curated models that exist in the fetched list (fall back to all curated if fetch failed)
+  const curatedAvailable = fetched.length > 0
+    ? curated.filter((item) => fetchedSet.has(item.id))
+    : curated;
+  const curatedIds = new Set(curatedAvailable.map((item) => item.id));
+  // Remaining fetched models not already shown as curated
+  const extra = fetched
+    .filter((id) => !curatedIds.has(id))
+    .map((id) => {
+      const displayId = id
+        .replace(/^openrouter\//, "")
+        .replace(/^openai-codex\//, "")
+        .replace(/^anthropic\//, "");
+      return { value: id, label: displayId, description: "available from provider" };
+    });
+  return [
+    ...curatedAvailable.map((item) => ({ value: item.id, label: item.label, description: item.description })),
+    ...extra,
+    { value: "__custom__", label: "Enter a different model name...", description: "Use a specific model id not shown in the list." },
+  ];
+}
+async function promptForProviderModels(provider, key, tui, { fetchImpl = globalThis.fetch } = {}) {
+  const { select, prompt, dim, cyan } = tui;
+  if (!select) return [];
+  const options = await buildProviderSelectionOptions(provider, key, { fetchImpl });
+  const chosen = [];
+  const manualOptionValue = "__custom__";
+  const defaultModelValue = options.find((item) => !String(item.value).startsWith("__"))?.value || "";
+  console.log(`\n  ${cyan(`Choose ${provider === "openrouter" ? "OpenRouter" : provider === "openai" ? "OpenAI" : "Anthropic"} models`)}`);
+  console.log(`  ${dim("Pick up to three models. The first is your default. The others are fallbacks when the default is slow or unavailable.")}`);
+  while (chosen.length < 3) {
+    const remaining = options.filter((item) => !chosen.includes(item.value));
+    const pickerOptions = remaining.map((item) => ({
+      label: item.label,
+      value: item.value,
+      description: item.description,
+    }));
+    if (chosen.length > 0) {
+      // Insert "Done" before the custom-entry option at the end
+      const customIndex = pickerOptions.findIndex((item) => item.value === "__custom__");
+      const doneOption = { label: "Done", value: "__done__", description: "Continue setup with the models already selected." };
+      if (customIndex >= 0) {
+        pickerOptions.splice(customIndex, 0, doneOption);
+      } else {
+        pickerOptions.push(doneOption);
+      }
+    }
+    const picked = await select(
+      chosen.length === 0 ? "Default model:" : `Add another model (${chosen.length}/3 selected):`,
+      pickerOptions,
+    );
+    if (picked === "__done__") {
+      break;
+    }
+    let modelId = picked;
+    if (picked === manualOptionValue) {
+      const custom = await prompt("Model id", stripProviderPrefix(provider, defaultModelValue));
+      modelId = ensureProviderModelPrefix(provider, custom);
+      if (!modelId) {
+        continue;
+      }
+    }
+    if (!chosen.includes(modelId)) {
+      chosen.push(modelId);
+    }
+  }
+  return chosen;
+}
+export function writeProviderConfigs(installDir, providerInput) {
+  const providersDir = path.join(installDir, "config", "providers");
+  fs.mkdirSync(providersDir, { recursive: true });
+  const selections = Array.isArray(providerInput)
+    ? Object.fromEntries(providerInput.map((id) => [id, []]))
+    : (providerInput || {});
+  for (const [provider, rawSelection] of Object.entries(selections)) {
+    const selection = Array.isArray(rawSelection)
+      ? { models: rawSelection }
+      : (rawSelection || {});
+    const baseConfig = PROVIDER_CONFIGS[provider] ?? {};
+    const providerId = baseConfig.providerId || provider;
+    const config = {
+      ...baseConfig,
+      ...("authRef" in selection ? { authRef: selection.authRef } : {}),
+      models: buildProviderModelEntries(provider, selection.models || []),
+    };
+    const content = providerTemplate(providerId, config);
+    fs.writeFileSync(path.join(providersDir, `${providerId}.toml`), content, "utf8");
+  }
+}
+export function writeRouter(installDir, providers, selectedModels = {}) {
+  const configDir = path.join(installDir, "config");
+  fs.mkdirSync(configDir, { recursive: true });
+  const content = routerTemplate({ ...providers, selectedModels });
+  fs.writeFileSync(path.join(configDir, "router.toml"), content, "utf8");
+}
+async function promptForProviderKey(provider, tui, validateApiKeyImpl = validateApiKey) {
+  const { promptSecret, bold, dim, green, red, yellow } = tui;
+  if (!promptSecret) return null;
+  while (true) {
+    if (provider === "anthropic") {
+      console.log(`\n  ${bold("Anthropic setup-token")} ${dim("(recommended if you have Claude Code)")}`);
+      console.log(`     1. Run: ${green("claude setup-token")} ${dim("(on any machine with Claude Code)")}`);
+      console.log(`     2. Paste the token here ${dim("(leave blank to skip)")}`);
+      console.log(`\n     ${dim("-- OR --")}\n`);
+      console.log(`     ${bold("API key")} ${dim("(from console.anthropic.com/settings/keys)")}`);
+    } else if (provider === "openai") {
+      console.log(`\n  ${bold("OpenAI API key")} ${dim("(from platform.openai.com/api-keys; leave blank to skip)")}`);
+    } else if (provider === "openrouter") {
+      console.log(`\n  ${bold("OpenRouter API key")} ${dim("(from openrouter.ai/keys; leave blank to skip)")}`);
+    }
+    const question = provider === "anthropic"
+      ? "Paste your Anthropic token"
+      : provider === "openrouter"
+        ? "Paste your OpenRouter key"
+        : "Paste your sk-... key";
+    const raw = await promptSecret(question);
+    const token = raw.trim();
+    if (!token) return null;
+    const format = validateApiKeyFormat(provider, token);
+    if (!format.ok) {
+      console.log(`  ${red("✗")} ${format.error}`);
+      continue;
+    }
+    console.log(`  ${dim("Verifying key...")}`);
+    const slowValidationNotice = setTimeout(() => {
+      console.log(`  ${dim("This may take a few seconds...")}`);
+    }, 3000);
+    let result;
+    try {
+      result = await validateApiKeyImpl(provider, token);
+    } finally {
+      clearTimeout(slowValidationNotice);
+    }
+    if (result.ok) {
+      const providerLabel = provider === "anthropic" ? "Anthropic" : provider === "openrouter" ? "OpenRouter" : "OpenAI";
+      console.log(`  ${green("✓")} ${providerLabel} key verified`);
+      return token;
+    }
+    if (result.status === 401 || result.status === 403) {
+      console.log(`  ${red("✗")} Authentication failed (${result.status}). Try again.`);
+      continue;
+    }
+    const detail = result.status ? `HTTP ${result.status}` : (result.error || "request failed");
+    console.log(`  ${yellow("!")} Couldn't verify the key (${detail}). Check the key and try again, or press Enter to skip.`);
+  }
+}
+async function confirmLocalOnlySetup(tui) {
+  const { confirm, yellow = (value) => value, dim = (value) => value } = tui;
+  if (!confirm) {
+    return true;
+  }
+  console.log(`\n  ${yellow("⚠")} You haven't configured any cloud providers.`);
+  console.log(`  ${dim("Your agent will only use local models (Ollama).")}`);
+  return confirm("Continue anyway?", false);
+}
+async function maybeResolveOpenAIOAuth({
+  tui,
+  enableOpenAIOAuthChoice = false,
+  openAIOAuthImpl = initiateOpenAICodexOAuthFlow,
+}) {
+  const authProfilesPath = resolveAuthProfilesPath();
+  const existingProfile = getAuthProfile(OPENAI_CODEX_DEFAULT_PROFILE_ID, authProfilesPath);
+  const inspection = inspectOpenAICodexProfile(existingProfile, { now: Date.now() });
+  if (inspection.state === "usable_token" || inspection.state === "refresh_needed") {
+    const resolved = await resolveOpenAICodexAccess(OPENAI_CODEX_DEFAULT_PROFILE_ID, {
+      filePath: authProfilesPath,
+    });
+    return {
+      authRef: `profile:${OPENAI_CODEX_DEFAULT_PROFILE_ID}`,
+      token: resolved.token,
+      mode: "oauth",
+    };
+  }
+  if (!enableOpenAIOAuthChoice || !tui?.select) {
+    return null;
+  }
+  const method = await tui.select("OpenAI auth method:", [
+    {
+      label: "API key",
+      value: "api_key",
+      description: "Paste an OpenAI API key from platform.openai.com.",
+    },
+    {
+      label: "ChatGPT OAuth",
+      value: "oauth",
+      description: "Open browser login and store a refreshable local profile.",
+    },
+  ]);
+  if (method !== "oauth") {
+    return null;
+  }
+  const profile = await openAIOAuthImpl({
+    filePath: authProfilesPath,
+    promptForPasteImpl: async (message) => (tui.prompt ? tui.prompt(message, "") : ""),
+  });
+  return {
+    authRef: `profile:${OPENAI_CODEX_DEFAULT_PROFILE_ID}`,
+    token: profile.access,
+    mode: "oauth",
+  };
+}
+/**
+ * @param {string} installDir
+ * @param {object} [options]
+ * @param {object} [options.tui]
+ * @param {object} [options.detectionCache]
+ * @param {Function} [options.validateApiKeyImpl]
+ * @returns {Promise<{ providers: string[], providerFlags: object, keys: object }>}
+ */
+export async function runAuthPhase(installDir, options = {}) {
+  const {
+    tui,
+    detectionCache,
+    validateApiKeyImpl = validateApiKey,
+    fetchImpl = globalThis.fetch,
+    providerOrder = ["openrouter", "anthropic", "openai"],
+    enableOpenAIOAuthChoice = false,
+    openAIOAuthImpl = initiateOpenAICodexOAuthFlow,
+  } = options;
+  const existingKeys = detectionCache?.rawKeys || detectExistingKeys();
+  const ollamaResult = detectionCache?.ollamaResult || await detectOllama();
+  const keys = { ...existingKeys };
+  const prevalidatedKeys = new Set();
+  const selectedModels = {};
+  const providerAuthRefs = {};
+  const providerSecrets = {};
+  if (tui) {
+    let promptingComplete = false;
+    while (!promptingComplete) {
+      for (const provider of providerOrder) {
+        if (keys[provider]) continue;
+        if (provider === "openai") {
+          const oauthResult = await maybeResolveOpenAIOAuth({
+            tui,
+            enableOpenAIOAuthChoice,
+            openAIOAuthImpl,
+          });
+          if (oauthResult) {
+            providerAuthRefs.openai = oauthResult.authRef;
+            providerSecrets.openai = oauthResult.token;
+            continue;
+          }
+        }
+        keys[provider] = await promptForProviderKey(provider, tui, validateApiKeyImpl);
+        if (keys[provider]) {
+          prevalidatedKeys.add(provider);
+        }
+      }
+      const hasCloudProvider = Boolean(
+        keys.openrouter || keys.anthropic || keys.openai || providerAuthRefs.openai
+      );
+      if (hasCloudProvider || !ollamaResult.ok) {
+        promptingComplete = true;
+        continue;
+      }
+      const continueWithLocalOnly = await confirmLocalOnlySetup(tui);
+      if (continueWithLocalOnly) {
+        promptingComplete = true;
+      }
+    }
+  }
+  const validatedKeys = {};
+  const providerFlags = { anthropic: false, openrouter: false, openai: false, ollama: ollamaResult.ok };
+  for (const [provider, key] of Object.entries(keys)) {
+    if (!key) continue;
+    const format = validateApiKeyFormat(provider, key);
+    if (!format.ok) continue;
+    const result = prevalidatedKeys.has(provider)
+      ? { ok: true, status: 200 }
+      : await validateApiKeyImpl(provider, key);
+    if (!result.ok) continue;
+    validatedKeys[provider] = key;
+    providerSecrets[provider] = key;
+    if (provider in providerFlags) {
+      providerFlags[provider] = true;
+    }
+  }
+  if (providerAuthRefs.openai) {
+    providerFlags.openai = true;
+  }
+  if (tui) {
+    for (const provider of ["openrouter", "anthropic", "openai"]) {
+      const providerToken = providerSecrets[provider];
+      if (!providerToken) continue;
+      selectedModels[provider] = await promptForProviderModels(provider, providerToken, tui, { fetchImpl });
+    }
+  }
+  const envKeys = {};
+  if (validatedKeys.anthropic) {
+    envKeys.NEMORIS_ANTHROPIC_API_KEY = validatedKeys.anthropic;
+  }
+  if (validatedKeys.openai) {
+    envKeys.NEMORIS_OPENAI_API_KEY = validatedKeys.openai;
+  }
+  if (validatedKeys.openrouter) {
+    envKeys.OPENROUTER_API_KEY = validatedKeys.openrouter;
+  }
+  if (Object.keys(envKeys).length > 0) {
+    writeEnvFile(installDir, envKeys);
+  }
+  const providerIds = resolveProviders({
+    anthropic: validatedKeys.anthropic || null,
+    openrouter: validatedKeys.openrouter || null,
+    openai: validatedKeys.openai || providerAuthRefs.openai || null,
+    ollama: ollamaResult.ok,
+  });
+  writeProviderConfigs(installDir, Object.fromEntries(providerIds.map((id) => [id, {
+    models: selectedModels[id] || [],
+    ...(providerAuthRefs[id] ? { authRef: providerAuthRefs[id] } : {}),
+  }])));
+  writeRouter(installDir, providerFlags, selectedModels);
+  return { providers: providerIds, providerFlags, keys: validatedKeys, selectedModels };
+}