pi-oracle 0.6.14 → 0.6.16

package/CHANGELOG.md

@@ -2,6 +2,25 @@
 
 ## Unreleased
 
+### Changed
+- made `/oracle-auth` success and failure output easier to scan, with compact source summaries and source-specific troubleshooting for configured Chromium cookie sources
+
+## 0.6.16 - 2026-05-07
+
+### Changed
+- migrated the local pi development baseline and peer metadata from deprecated `@mariozechner/*` packages to maintained `@earendil-works/*` `0.74.0`
+- regenerated the npm lockfile against the current stable dependency graph and refreshed the `basic-ftp` override to the current patched major
+
+### Compatibility
+- reviewed the pi `0.74.0` changelog and confirmed the oracle extension remains compatible with current extension lifecycle and package install/update guidance
+
+## 0.6.15 - 2026-05-03
+
+### Fixed
+- anchored the `oracle_submit.files[]` schema pattern so OpenAI-compatible parsers that require anchored JSON Schema regexes, including llama.cpp, can load the oracle tools
+- made background poller queued-job promotion best-effort under normal global admission-lock contention, avoiding noisy scan failures when multiple pi sessions are live
+- added configured Chromium-family cookie source support for `/oracle-auth`, including macOS Keychain decryption for browser cookie stores not handled by `@steipete/sweet-cookie`
+
 ## 0.6.14 - 2026-05-02
 
 ### Fixed

package/README.md

@@ -9,7 +9,7 @@ Use it when you want:
 - async background execution
 - durable saved responses/artifacts plus best-effort wake-ups back into `pi`
 
-Normal oracle jobs run in an isolated browser profile, not your active Chrome window.
+Normal oracle jobs run in an isolated browser profile, not your active browser window.
 
 > Status: experimental public beta. Validated primarily on macOS with Google Chrome and `pi` 0.65.0+.
 
@@ -43,7 +43,7 @@ pi install https://github.com/fitchmultz/pi-oracle
 ## Quickstart
 
 1. Start a normal persisted `pi` session. Do not use `pi --no-session` for oracle.
-2. Make sure ChatGPT already works in your local Chrome profile.
+2. Make sure ChatGPT already works in your configured local browser profile.
 3. Make sure these are installed: Google Chrome, `agent-browser`, `tar`, and `zstd`.
 4. Optional: create `~/.pi/agent/extensions/oracle.json` if you want non-default settings.
 5. Run `/oracle-auth`.
@@ -97,7 +97,7 @@ If concurrency is full, the job is queued and starts automatically later.
 User-facing commands:
 - `/oracle <request>` — prompt template that tells the agent to gather context and dispatch an oracle job
 - `/oracle-followup <job-id> <request>` — prompt template that continues an earlier oracle job in the same ChatGPT thread
-- `/oracle-auth` — sync ChatGPT cookies from your real Chrome profile into the isolated oracle auth profile
+- `/oracle-auth` — sync ChatGPT cookies from your configured local browser profile into the isolated oracle auth profile
 - `/oracle-read [job-id]` — inspect job status plus the saved response preview
 - `/oracle-status [job-id]` — inspect job status and list recent job ids when no explicit id is given
 - `/oracle-cancel <job-id>` — cancel a queued or active job by id
@@ -112,7 +112,7 @@ Agent-facing tools:
 
 ## Minimal config
 
-Most users can start with the packaged defaults and only set the Chrome profile if needed.
+Most users can start with the packaged defaults and only set the browser profile if needed.
 
 `~/.pi/agent/extensions/oracle.json`
 
@@ -133,6 +133,41 @@ Notes:
 - If the packaged default is fine, you can omit `defaults.preset` entirely.
 - You usually do not need to set browser paths unless auto-detection fails.
 
+### Custom Chromium cookie sources
+
+Most Chrome-compatible browsers should work through the default cookie importer. Use this alternate path only for a Chromium-family browser that is not one of `@steipete/sweet-cookie`'s built-in Chrome/Brave/Arc/Chromium targets or otherwise cannot import cookies without dependency patching.
+
+Before running `/oracle-auth` with this path:
+
+1. Log into ChatGPT in the target browser profile.
+2. Fully quit the browser so its `Cookies` database is stable.
+3. Find the profile `Cookies` SQLite DB path.
+4. Find the browser's macOS Keychain safe-storage item account and service name.
+5. Configure all of `browser.executablePath`, `auth.chromeCookiePath`, and `auth.chromiumKeychain` in the agent-level config at `~/.pi/agent/extensions/oracle.json`.
+
+Example Helium config:
+
+```json
+{
+  "browser": {
+    "executablePath": "/Applications/Helium.app/Contents/MacOS/Helium"
+  },
+  "auth": {
+    "chromeProfile": "Default",
+    "chromeCookiePath": "/Users/you/Library/Application Support/net.imput.helium/Default/Cookies",
+    "chromiumKeychain": {
+      "account": "Helium",
+      "services": ["Helium Storage Key"],
+      "label": "Helium Storage Key"
+    }
+  }
+}
+```
+
+`auth.chromeCookiePath` remains the cookie database path for backward compatibility. `auth.chromiumKeychain` must be paired with `auth.chromeCookiePath`; partial config is rejected so oracle does not silently fall back to a different browser source. When both are present, `/oracle-auth` uses pi-oracle's repo-owned generic Chromium cookie reader instead of patching `@steipete/sweet-cookie` internals.
+
+If macOS prompts for Keychain access during `/oracle-auth`, allow access for the configured browser safe-storage item. If auth still fails after cookies are synced, the cookie DB may be stale, from the wrong profile, or for an account that is logged out; reopen the configured browser profile, confirm ChatGPT works there, quit the browser, and rerun `/oracle-auth`.
+
 ## Available presets
 
 | Preset id | Description |
@@ -173,8 +208,8 @@ Project config should only override safe, non-privileged settings.
 
 - macOS
 - Node.js 22 or newer
-- Google Chrome installed
-- ChatGPT already signed into a local Chrome profile
+- Google Chrome or another Chromium-family browser installed
+- ChatGPT already signed into the configured local browser profile
 - `pi` 0.65.0 or newer
 - `agent-browser` available on the machine
 - `tar` and `zstd` available
@@ -183,10 +218,22 @@ Project config should only override safe, non-privileged settings.
 
 ### `/oracle-auth` fails or says login is required
 
-- Make sure ChatGPT works in the same local Chrome profile you configured.
+- Make sure ChatGPT works in the same local browser profile you configured.
+- For custom Chromium cookie sources, confirm `auth.chromeCookiePath` points at that profile's `Cookies` DB and `auth.chromiumKeychain.services` names the browser's safe-storage Keychain service.
 - Re-run `/oracle-auth`.
 - If ChatGPT is half-logged-in or challenge flow state looks weird, finish the login/challenge in the headed auth browser and retry.
 
+### Custom Chromium auth says cookies synced but the session is rejected
+
+This usually means the cookie import worked but the source cookies are not the active ChatGPT session you expected.
+
+1. Open the configured browser profile.
+2. Confirm ChatGPT works there without logging in again.
+3. Quit the browser fully so its `Cookies` DB is stable.
+4. Confirm `auth.chromeCookiePath` points at that exact profile's `Cookies` DB.
+5. Confirm `auth.chromiumKeychain.services` names the browser's safe-storage Keychain service for that DB.
+6. Re-run `/oracle-auth`.
+
 ### You hit a challenge / verification page
 
 - Solve it in the auth/bootstrap browser if prompted.
@@ -214,9 +261,10 @@ Project config should only override safe, non-privileged settings.
 
 - Install the missing local dependency and rerun the command.
 
-### Auto-detection picked the wrong Chrome profile
+### Auto-detection picked the wrong browser profile
 
 - Set `auth.chromeProfile` in `~/.pi/agent/extensions/oracle.json`.
+- For custom Chromium cookie sources, set `auth.chromeCookiePath` to the exact profile `Cookies` DB and pair it with `auth.chromiumKeychain`.
 - Re-run `/oracle-auth`.
 
 ### You want more details about a failed run
@@ -233,7 +281,7 @@ Project config should only override safe, non-privileged settings.
 ## Privacy / local data
 
 This extension is local-first, but it does read and persist local data:
-- `/oracle-auth` reads ChatGPT cookies from a local Chrome profile
+- `/oracle-auth` reads ChatGPT cookies from the configured local browser profile
 - job archives are uploaded to ChatGPT.com
 - responses and artifacts are written under the configured oracle jobs dir
 

package/docs/ORACLE_DESIGN.md

@@ -73,7 +73,7 @@ The extension now follows the current `pi` session lifecycle model:
 ### Commands
 
 - `/oracle-auth`
-  - syncs ChatGPT cookies from the user’s real Chrome into the isolated oracle profile and verifies them there
+  - syncs ChatGPT cookies from the configured local browser profile into the isolated oracle profile and verifies them there
 - `/oracle-read [job-id]`
   - shows job status plus the saved response preview
 - `/oracle-status [job-id]`
@@ -127,9 +127,10 @@ Auth bootstrap flow:
 
 1. load oracle config
 2. acquire the global auth-maintenance lock
-3. read ChatGPT cookies directly from the user’s real Chrome cookie store in read-only mode
+3. read ChatGPT cookies directly from the configured local browser cookie store in read-only mode
    - configurable source profile / cookie DB path
-   - no launch or mutation of the real Chrome profile
+   - optional configured Chromium Keychain source for browsers outside the default importer
+   - no launch or mutation of the real browser profile
 4. validate that `browser.authSeedProfileDir` is an absolute safe path and not inside the real Chrome user-data tree
 5. create a staged seed-profile path next to the target seed profile
 6. launch the isolated auth browser headed with:
@@ -246,15 +247,20 @@ Browser/auth settings are global-only because they control local privileged brow
     "chatUrl": "https://chatgpt.com/",
     "authUrl": "https://chatgpt.com/auth/login",
     "runMode": "headless",
-    "executablePath": "<optional absolute path to Chrome executable>",
+    "executablePath": "<optional absolute path to Chrome/Chromium executable>",
     "userAgent": "<optional real-Chrome UA override>",
     "args": ["--disable-blink-features=AutomationControlled"]
   },
   "auth": {
     "pollMs": 1000,
     "bootstrapTimeoutMs": 600000,
-    "chromeProfile": "<optional Chrome profile name>",
-    "chromeCookiePath": "<optional absolute path to Chrome Cookies DB>"
+    "chromeProfile": "<optional Chrome/Chromium profile name>",
+    "chromeCookiePath": "<optional absolute path to Chromium Cookies DB>",
+    "chromiumKeychain": {
+      "account": "<macOS Keychain account for non-built-in Chromium browsers>",
+      "services": ["<safe-storage service name>"],
+      "label": "<optional human-readable label>"
+    }
   },
   "worker": {
     "pollMs": 5000,
@@ -273,6 +279,23 @@ Browser/auth settings are global-only because they control local privileged brow
 }
 ```
 
+`auth.chromiumKeychain` is an opt-in alternate cookie source for Chromium-family browsers that are not handled by the default `@steipete/sweet-cookie` Chrome-compatible importer. It must be configured with `auth.chromeCookiePath`; partial config is rejected so `/oracle-auth` cannot silently fall back to a different browser profile.
+
+When both `auth.chromeCookiePath` and `auth.chromiumKeychain` are present, auth bootstrap:
+
+1. reads the configured macOS Keychain safe-storage password using `account` and the ordered `services` list
+2. snapshots the Chromium `Cookies` DB plus `Cookies-wal` / `Cookies-shm` sidecars, tolerating sidecars that disappear while the browser is closing
+3. decrypts Chromium AES-CBC cookie values, including Chromium v24+ host-hash-prefixed values
+4. dedupes duplicate cookie rows by keeping the first row after newest-expiry ordering
+5. filters importable ChatGPT auth cookies and seeds the isolated oracle auth profile
+
+Operational requirements for this path:
+
+- ChatGPT must already be logged in in the configured browser profile.
+- The target browser should be fully quit before `/oracle-auth` so the cookie DB snapshot is stable.
+- The configured Keychain item must be accessible to the current macOS user; allow Keychain access if prompted.
+- `browser.executablePath` should point at the same Chromium-family browser so the headed auth/bootstrap browser uses the intended app.
+
 ## Cleanup maintenance model
 
 Long-run hygiene is intentionally conservative:
@@ -565,7 +588,7 @@ Live-validated after the concurrency redesign:
 - the poller no longer needs the worker to stay alive just to observe completion for artifact-producing runs
 - expired/missing auth now fails as a clean auth-related error instead of generic UI/config drift
 - `/oracle-auth` repairs the seed profile and a post-repair probe succeeds again
-- live auth recovery also exposed and corrected a real source-profile misconfiguration during validation; the configured Chrome profile must actually contain the active ChatGPT session cookies
+- live auth recovery also exposed and corrected a real source-profile misconfiguration during validation; the configured browser profile must actually contain the active ChatGPT session cookies
 
 ## Known remaining work
 

package/extensions/oracle/index.ts

@@ -5,7 +5,7 @@
 // Invariants/Assumptions: Oracle only runs against persisted sessions, and startup maintenance should be best-effort without breaking session initialization.
 import { fileURLToPath } from "node:url";
 import { dirname, join } from "node:path";
-import type { ExtensionAPI, ExtensionContext } from "@mariozechner/pi-coding-agent";
+import type { ExtensionAPI, ExtensionContext } from "@earendil-works/pi-coding-agent";
 import { loadOracleConfig } from "./lib/config.js";
 import { registerOracleCommands } from "./lib/commands.js";
 import { getSessionFile, pruneTerminalOracleJobs, reconcileStaleOracleJobs } from "./lib/jobs.js";

package/extensions/oracle/lib/commands.ts

@@ -5,7 +5,7 @@
 // Invariants/Assumptions: Commands operate on persisted project-scoped jobs and rely on shared observability formatting for detached-state clarity.
 import { existsSync } from "node:fs";
 import { readFile } from "node:fs/promises";
-import type { ExtensionAPI, ExtensionCommandContext } from "@mariozechner/pi-coding-agent";
+import type { ExtensionAPI, ExtensionCommandContext } from "@earendil-works/pi-coding-agent";
 import { formatOracleCancelOutcome, formatOracleJobSummary } from "../shared/job-observability-helpers.mjs";
 import { runOracleAuthBootstrap } from "./auth.js";
 import {
@@ -67,9 +67,9 @@ function readScopedJob(jobId: string, cwd: string) {
 
 export function registerOracleCommands(pi: ExtensionAPI, authWorkerPath: string, workerPath: string): void {
   pi.registerCommand("oracle-auth", {
-    description: "Sync ChatGPT cookies from real Chrome into the oracle auth seed profile",
+    description: "Sync ChatGPT cookies from the configured local browser profile into the oracle auth seed profile",
     handler: async (_args, ctx) => {
-      ctx.ui.notify("Syncing ChatGPT cookies from real Chrome into the oracle auth seed profile…", "info");
+      ctx.ui.notify("Syncing ChatGPT cookies from the configured local browser profile into the oracle auth seed profile…", "info");
       try {
         const result = await runOracleAuthBootstrap(authWorkerPath, ctx.cwd);
         ctx.ui.notify(result, "info");

package/extensions/oracle/lib/config.ts

@@ -6,7 +6,7 @@
 import { execFileSync } from "node:child_process";
 import { existsSync, readFileSync } from "node:fs";
 import { homedir } from "node:os";
-import { getAgentDir } from "@mariozechner/pi-coding-agent";
+import { getAgentDir } from "@earendil-works/pi-coding-agent";
 import { isAbsolute, join, normalize } from "node:path";
 import { getProjectId } from "./runtime.js";
 
@@ -209,6 +209,11 @@ export interface OracleConfig {
     bootstrapTimeoutMs: number;
     chromeProfile: string;
     chromeCookiePath?: string;
+    chromiumKeychain?: {
+      account: string;
+      services: string[];
+      label?: string;
+    };
   };
   worker: {
     pollMs: number;
@@ -286,11 +291,12 @@ export function getOracleConfigLoadDetails(cwd: string): OracleConfigLoadDetails
 }
 
 export function formatOracleAuthConfigRemediation(details: OracleConfigLoadDetails): string {
+  const authFields = "auth.chromeProfile / auth.chromeCookiePath / auth.chromiumKeychain";
   if (!details.projectConfigExists) {
-    return `Set auth.chromeProfile / auth.chromeCookiePath in ${details.effectiveAuthConfigPath}.`;
+    return `Set ${authFields} in ${details.effectiveAuthConfigPath}.`;
   }
   return (
-    `Set auth.chromeProfile / auth.chromeCookiePath in ${details.effectiveAuthConfigPath}. ` +
+    `Set ${authFields} in ${details.effectiveAuthConfigPath}. ` +
     `Project overrides are also read from ${details.projectConfigPath}, but auth.* is loaded from ${details.effectiveAuthConfigPath}.`
   );
 }
@@ -330,6 +336,7 @@ export const DEFAULT_CONFIG: OracleConfig = {
     bootstrapTimeoutMs: 10 * 60 * 1000,
     chromeProfile: detectedChromeProfileName,
     chromeCookiePath: undefined,
+    chromiumKeychain: undefined,
   },
   worker: {
     pollMs: 5000,
@@ -439,6 +446,20 @@ function expectStringArray(value: unknown, path: string): string[] {
   return value;
 }
 
+function expectOptionalChromiumKeychain(value: unknown, path: string): OracleConfig["auth"]["chromiumKeychain"] {
+  if (value === undefined) return undefined;
+  const keychain = expectObject(value, path);
+  const services = expectStringArray(keychain.services, `${path}.services`);
+  if (services.length === 0) {
+    throw new Error(`Invalid oracle config: ${path}.services must include at least one service name`);
+  }
+  return {
+    account: expectString(keychain.account, `${path}.account`),
+    services,
+    label: expectOptionalString(keychain.label, `${path}.label`),
+  };
+}
+
 function expectInteger(value: unknown, path: string, minimum: number, maximum?: number): number {
   if (typeof value !== "number" || !Number.isInteger(value) || value < minimum || (maximum !== undefined && value > maximum)) {
     const range = maximum === undefined ? `>= ${minimum}` : `between ${minimum} and ${maximum}`;
@@ -523,6 +544,12 @@ function validateOracleConfig(value: unknown): OracleConfig {
     throw new Error("Invalid oracle config: browser.runtimeProfilesDir must be separate from browser.authSeedProfileDir");
   }
 
+  const chromeCookiePath = expectOptionalAbsoluteNormalizedPath(auth.chromeCookiePath, "auth.chromeCookiePath");
+  const chromiumKeychain = expectOptionalChromiumKeychain(auth.chromiumKeychain, "auth.chromiumKeychain");
+  if (chromiumKeychain !== undefined && chromeCookiePath === undefined) {
+    throw new Error("Invalid oracle config: auth.chromiumKeychain requires auth.chromeCookiePath");
+  }
+
   return {
     defaults: {
       preset,
@@ -544,7 +571,8 @@ function validateOracleConfig(value: unknown): OracleConfig {
       pollMs: expectInteger(auth.pollMs, "auth.pollMs", 100),
       bootstrapTimeoutMs: expectInteger(auth.bootstrapTimeoutMs, "auth.bootstrapTimeoutMs", 1000),
       chromeProfile: expectString(auth.chromeProfile, "auth.chromeProfile"),
-      chromeCookiePath: expectOptionalAbsoluteNormalizedPath(auth.chromeCookiePath, "auth.chromeCookiePath"),
+      chromeCookiePath,
+      chromiumKeychain,
     },
     worker: {
       pollMs: expectInteger(worker.pollMs, "worker.pollMs", 100),

package/extensions/oracle/lib/jobs.ts

@@ -7,7 +7,7 @@ import { createHash, randomUUID } from "node:crypto";
 import { existsSync, readdirSync, readFileSync, realpathSync } from "node:fs";
 import { chmod, mkdir, readFile, rename, rm, writeFile } from "node:fs/promises";
 import { isAbsolute, join, relative as relativePath, resolve, sep } from "node:path";
-import type { ExtensionContext } from "@mariozechner/pi-coding-agent";
+import type { ExtensionContext } from "@earendil-works/pi-coding-agent";
 import {
   ACTIVE_ORACLE_JOB_STATUSES,
   applyOracleJobCleanupWarnings,

package/extensions/oracle/lib/poller.ts

@@ -4,7 +4,7 @@
 // Usage: Imported by the oracle extension entrypoint to start or stop per-session oracle polling.
 // Invariants/Assumptions: Poller scans are serialized per session key, wake-up delivery is best-effort, and terminal-job notifications always re-read durable job state before send.
 import { existsSync } from "node:fs";
-import type { ExtensionAPI, ExtensionContext } from "@mariozechner/pi-coding-agent";
+import type { ExtensionAPI, ExtensionContext } from "@earendil-works/pi-coding-agent";
 import { buildOracleStatusText, buildOracleWakeupNotificationContent } from "../shared/job-observability-helpers.mjs";
 import { isProcessAlive, readProcessStartedAt } from "../shared/process-helpers.mjs";
 import { isLockTimeoutError, listLeaseMetadata, releaseLease, withGlobalReconcileLock, writeLeaseMetadata } from "./locks.js";
@@ -246,7 +246,11 @@ async function scan(
   }
   if (await releaseWakeupLeaseIfInactive(wakeupTargetLeaseKey, lifecycle)) return;
 
-  await promoteQueuedJobs({ workerPath, source: "poller" });
+  try {
+    await promoteQueuedJobs({ workerPath, source: "poller", lockTimeoutMs: POLLER_LOCK_TIMEOUT_MS });
+  } catch (error) {
+    if (!isLockTimeoutError(error, "admission", "global")) throw error;
+  }
   if (await releaseWakeupLeaseIfInactive(wakeupTargetLeaseKey, lifecycle)) return;
 
   const terminalJobs = listOracleJobDirs()

package/extensions/oracle/lib/queue.ts

@@ -25,6 +25,7 @@ export interface OracleQueuePosition {
 export interface PromoteQueuedJobsOptions {
   workerPath: string;
   source: string;
+  lockTimeoutMs?: number;
   spawnWorkerFn?: typeof spawnWorker;
   loadConfigFn?: typeof loadOracleConfig;
 }
@@ -141,7 +142,7 @@ export async function promoteQueuedJobsWithinAdmissionLock(options: PromoteQueue
 export async function promoteQueuedJobs(options: PromoteQueuedJobsOptions): Promise<{ promotedJobIds: string[] }> {
   return withLock("admission", "global", { processPid: process.pid, source: options.source }, async () => {
     return promoteQueuedJobsWithinAdmissionLock(options);
-  });
+  }, { timeoutMs: options.lockTimeoutMs });
 }
 
 export async function createQueuedJob(

package/extensions/oracle/lib/tools.ts

@@ -8,7 +8,7 @@ import { lstat, mkdtemp, readdir, rename, rm, stat, writeFile } from "node:fs/pr
 import { tmpdir } from "node:os";
 import { basename, join, posix } from "node:path";
 import { runOracleAuthBootstrap } from "./auth.js";
-import type { ExtensionAPI, ExtensionContext } from "@mariozechner/pi-coding-agent";
+import type { ExtensionAPI, ExtensionContext } from "@earendil-works/pi-coding-agent";
 import { Type } from "typebox";
 import { formatOracleCancelOutcome, formatOracleJobSummary, formatOracleSubmitResponse } from "../shared/job-observability-helpers.mjs";
 import { getLatestOracleJobLifecycleEvent, getLatestOracleTerminalLifecycleEvent, transitionOracleJobPhase } from "../shared/job-lifecycle-helpers.mjs";
@@ -63,7 +63,7 @@ const ORACLE_SUBMIT_PARAMS = Type.Object({
   files: Type.Array(Type.String({
     description: "Project-relative file or directory path to include in the archive.",
     minLength: 1,
-    pattern: ".*\\S.*",
+    pattern: "^.*\\S.*$",
   }), {
     description: "Exact project-relative files/directories to include in the oracle archive.",
     minItems: 1,
@@ -1055,7 +1055,7 @@ export function registerOracleTools(pi: ExtensionAPI, workerPath: string, authWo
   pi.registerTool({
     name: "oracle_auth",
     label: "Oracle Auth",
-    description: "Refresh the shared oracle auth seed profile by importing ChatGPT cookies from your configured real Chrome profile.",
+    description: "Refresh the shared oracle auth seed profile by importing ChatGPT cookies from your configured local browser profile.",
     promptSnippet: "Refresh oracle auth before retrying a login-required oracle run.",
     promptGuidelines: [
       "Call oracle_auth when an oracle run failed because ChatGPT login is required, the worker said to rerun /oracle-auth, or stale auth appears to be blocking submission execution.",

package/extensions/oracle/worker/auth-bootstrap.mjs

@@ -1,8 +1,8 @@
-// Purpose: Bootstrap isolated oracle browser auth by importing real Chrome cookies and validating ChatGPT session readiness.
+// Purpose: Bootstrap isolated oracle browser auth by importing real Chromium-family cookies and validating ChatGPT session readiness.
 // Responsibilities: Copy/import cookies, classify auth pages, drive lightweight account-selection flows, and persist diagnostics for auth failures.
 // Scope: Auth bootstrap worker only; long-running oracle job execution stays in run-job.mjs and shared lifecycle/state helpers stay elsewhere.
 // Usage: Spawned by /oracle-auth to prepare the shared auth seed profile used by future oracle jobs.
-// Invariants/Assumptions: Runs against a local macOS Chrome profile, preserves private diagnostics, and must fail clearly when auth state cannot be verified.
+// Invariants/Assumptions: Runs against a local macOS Chromium-family profile, preserves private diagnostics, and must fail clearly when auth state cannot be verified.
 import { withLock } from "./state-locks.mjs";
 import { spawn } from "node:child_process";
 import { existsSync } from "node:fs";
@@ -11,6 +11,7 @@ import { homedir, tmpdir } from "node:os";
 import { basename, dirname, join, resolve } from "node:path";
 import { getCookies } from "@steipete/sweet-cookie";
 import { ensureAccountCookie, filterImportableAuthCookies } from "./auth-cookie-policy.mjs";
+import { getCookiesFromConfiguredChromiumSource } from "./chromium-cookie-source.mjs";
 import { buildAllowedChatGptOrigins } from "./chatgpt-ui-helpers.mjs";
 import { buildAccountChooserCandidateLabels, classifyChatAuthPage, normalizeLoginProbeResult } from "./auth-flow-helpers.mjs";
 
@@ -91,11 +92,11 @@ function authConfigRemediation() {
   if (typeof configLoad?.remediation === "string" && configLoad.remediation) return configLoad.remediation;
   if (typeof configLoad?.projectConfigPath === "string" && configLoad.projectConfigPath && configLoad.projectConfigExists) {
     return (
-      `Set auth.chromeProfile / auth.chromeCookiePath in ${effectiveAuthConfigPath()}. ` +
+      `Set auth.chromeProfile / auth.chromeCookiePath / auth.chromiumKeychain in ${effectiveAuthConfigPath()}. ` +
       `Project overrides are also read from ${configLoad.projectConfigPath}, but auth.* is loaded from ${effectiveAuthConfigPath()}.`
     );
   }
-  return `Set auth.chromeProfile / auth.chromeCookiePath in ${effectiveAuthConfigPath()}.`;
+  return `Set auth.chromeProfile / auth.chromeCookiePath / auth.chromiumKeychain in ${effectiveAuthConfigPath()}.`;
 }
 
 function authConfigSummary() {
@@ -462,15 +463,109 @@ function cookieSource() {
   return config.auth.chromeCookiePath || config.auth.chromeProfile;
 }
 
+function usesConfiguredChromiumCookieSource() {
+  return Boolean(config.auth.chromeCookiePath && config.auth.chromiumKeychain);
+}
+
+function browserSourceName() {
+  if (config.browser.executablePath) return basename(config.browser.executablePath);
+  if (usesConfiguredChromiumCookieSource()) return "configured Chromium browser";
+  return "Google Chrome";
+}
+
+function keychainSummary() {
+  const keychain = config.auth.chromiumKeychain;
+  if (!keychain) return undefined;
+  const services = Array.isArray(keychain.services) && keychain.services.length > 0 ? keychain.services.join(", ") : "(none configured)";
+  const label = keychain.label || services;
+  return `${label} (account: ${keychain.account}, services: ${services})`;
+}
+
 function cookieSourceLabel() {
+  if (usesConfiguredChromiumCookieSource()) return `configured Chromium cookie DB ${config.auth.chromeCookiePath}`;
   return config.auth.chromeCookiePath
     ? `Chrome cookie DB ${config.auth.chromeCookiePath}`
     : `Chrome profile ${config.auth.chromeProfile}`;
 }
 
-async function readSourceCookies() {
-  await log(`Reading ChatGPT cookies from ${cookieSourceLabel()}`);
-  const { cookies, warnings } = await getCookies({
+function formatAuthSuccessMessage({ classificationMessage, appliedCount, targetDir }) {
+  const lines = [
+    "Oracle auth synced.",
+    "",
+    "Source:",
+    `- Browser: ${browserSourceName()}`,
+  ];
+
+  if (config.auth.chromeCookiePath) lines.push(`- Cookie DB: ${config.auth.chromeCookiePath}`);
+  else lines.push(`- Profile: ${config.auth.chromeProfile}`);
+
+  const keychain = keychainSummary();
+  if (keychain) lines.push(`- Keychain: ${keychain}`);
+  lines.push(`- Cookies synced: ${appliedCount}`);
+  lines.push("", "Auth seed profile:", targetDir, "", "Diagnostics:", DIAGNOSTICS_DIR, "", "Status:", classificationMessage);
+  return lines.join("\n");
+}
+
+function formatAuthFailureGuidance(error) {
+  const reason = error instanceof Error ? error.message : String(error);
+  const lines = ["Oracle auth failed.", "", `Reason: ${reason}`, "", "Likely causes:"];
+
+  if (usesConfiguredChromiumCookieSource()) {
+    lines.push(
+      "- the configured cookie DB is stale or from the wrong browser profile",
+      "- ChatGPT is logged out in that browser profile",
+      "- auth.chromiumKeychain does not match the browser safe-storage item for that cookie DB",
+      "- the target browser was still running while /oracle-auth read its Cookies DB",
+      "",
+      "Next:",
+      "1. Open the configured browser profile.",
+      "2. Confirm ChatGPT works there.",
+      "3. Quit the browser fully.",
+      "4. Confirm auth.chromeCookiePath points at that profile's Cookies DB.",
+      "5. Confirm auth.chromiumKeychain.services names the browser's safe-storage Keychain service.",
+      "6. Re-run /oracle-auth.",
+    );
+  } else {
+    lines.push(
+      "- ChatGPT is logged out in the configured local browser profile",
+      "- auth.chromeProfile or auth.chromeCookiePath points at the wrong profile",
+      "- the profile cookie store is stale or unreadable",
+      "",
+      "Next:",
+      "1. Open the configured local browser profile.",
+      "2. Confirm ChatGPT works there.",
+      "3. Quit the browser fully.",
+      "4. Re-run /oracle-auth.",
+    );
+  }
+
+  lines.push(
+    "",
+    "Details:",
+    `- Source: ${cookieSourceLabel()}`,
+    `- Browser: ${browserSourceName()}`,
+    `- Auth seed profile: ${config.browser.authSeedProfileDir}`,
+    `- Diagnostics: ${DIAGNOSTICS_DIR || "(oracle-auth diagnostics dir unavailable)"}`,
+    `- Log: ${LOG_PATH}`,
+    "",
+    authConfigSummary(),
+  );
+
+  return lines.join("\n");
+}
+
+async function readRawSourceCookies() {
+  if (config.auth.chromeCookiePath && config.auth.chromiumKeychain) {
+    return await getCookiesFromConfiguredChromiumSource({
+      dbPath: config.auth.chromeCookiePath,
+      keychain: config.auth.chromiumKeychain,
+      origins: cookieOrigins(),
+      profile: config.auth.chromeProfile,
+      timeoutMs: 5_000,
+    });
+  }
+
+  return await getCookies({
     url: config.browser.chatUrl,
     origins: cookieOrigins(),
     browsers: ["chrome"],
@@ -478,9 +573,14 @@ async function readSourceCookies() {
     chromeProfile: cookieSource(),
     timeoutMs: 5_000,
   });
+}
+
+async function readSourceCookies() {
+  await log(`Reading ChatGPT cookies from ${cookieSourceLabel()}`);
+  const { cookies, warnings } = await readRawSourceCookies();
 
   if (warnings.length) {
-    await log(`sweet-cookie warnings: ${warnings.join(" | ")}`);
+    await log(`Cookie source warnings: ${warnings.join(" | ")}`);
   }
 
   const filtered = filterImportableAuthCookies(cookies, config.browser.chatUrl);
@@ -501,7 +601,7 @@ async function readSourceCookies() {
 
   if (!hasSessionToken) {
     throw new Error(
-      `No ChatGPT session-token cookies were found in ${cookieSourceLabel()}. Make sure ChatGPT is logged into that Chrome profile. ${authConfigRemediation()}`,
+      `No ChatGPT session-token cookies were found in ${cookieSourceLabel()}. Make sure ChatGPT is logged into that browser profile. ${authConfigRemediation()}`,
     );
   }
 
@@ -809,9 +909,7 @@ async function run() {
       const generation = new Date().toISOString();
       await writeFile(join(profilePlan.targetDir, ".oracle-seed-generation"), `${generation}\n`, { encoding: "utf8", mode: 0o600 });
       committedProfile = true;
-      process.stdout.write(
-        `${classification.message} Synced ${appliedCount} cookies into ${profilePlan.targetDir}. Diagnostics: ${DIAGNOSTICS_DIR}`,
-      );
+      process.stdout.write(formatAuthSuccessMessage({ classificationMessage: classification.message, appliedCount, targetDir: profilePlan.targetDir }));
     } catch (error) {
       shouldPreserveBrowser = Boolean(error && typeof error === "object" && error.preserveBrowser === true);
       await log(`Auth bootstrap failed: ${error instanceof Error ? error.message : String(error)}`);
@@ -827,8 +925,6 @@ async function run() {
 }
 
 run().catch((error) => {
-  process.stderr.write(
-    `${error instanceof Error ? error.message : String(error)}\nSee ${LOG_PATH} and diagnostics in ${DIAGNOSTICS_DIR || "(oracle-auth diagnostics dir unavailable)"}\n${authConfigSummary()}\nIf needed, ensure the configured real Chrome profile is already logged into ChatGPT and grant macOS Keychain access when prompted.`,
-  );
+  process.stderr.write(formatAuthFailureGuidance(error));
   process.exit(1);
 });

package/extensions/oracle/worker/auth-flow-helpers.mjs

@@ -114,7 +114,8 @@ export function classifyChatAuthPage(args) {
       state: "login_required",
       message:
         `Synced cookies from ${args.cookieSourceLabel}, but ChatGPT still rejected the session ` +
-        `(status=${args.probe?.status ?? 0}). Check auth.chromeProfile/auth.chromeCookiePath and inspect ${args.logPath}.`,
+        `(status=${args.probe?.status ?? 0}); the cookie DB may be stale, from the wrong browser profile, or for an account that is logged out. ` +
+        `Check auth.chromeProfile/auth.chromeCookiePath/auth.chromiumKeychain and inspect ${args.logPath}.`,
     };
   }
 
@@ -131,7 +132,8 @@ export function classifyChatAuthPage(args) {
       state: "login_required",
       message:
         `Synced cookies from ${args.cookieSourceLabel}, but ChatGPT still rejected the session ` +
-        `(status=${args.probe?.status ?? 0}). Check auth.chromeProfile/auth.chromeCookiePath and inspect ${args.logPath}.`,
+        `(status=${args.probe?.status ?? 0}); the cookie DB may be stale, from the wrong browser profile, or for an account that is logged out. ` +
+        `Check auth.chromeProfile/auth.chromeCookiePath/auth.chromiumKeychain and inspect ${args.logPath}.`,
     };
   }
 

package/extensions/oracle/worker/chromium-cookie-source.d.mts

@@ -0,0 +1,21 @@
+import type { ImportedAuthCookie } from "./auth-cookie-policy.mjs";
+
+export interface ChromiumKeychainConfig {
+  account: string;
+  services: string[];
+  label?: string;
+  service?: string;
+}
+
+export interface ConfiguredChromiumSourceOptions {
+  dbPath: string;
+  keychain: ChromiumKeychainConfig;
+  origins: string[];
+  profile: string;
+  timeoutMs?: number;
+  includeExpired?: boolean;
+}
+
+export function getCookiesFromConfiguredChromiumSource(
+  options: ConfiguredChromiumSourceOptions,
+): Promise<{ cookies: ImportedAuthCookie[]; warnings: string[] }>;

package/extensions/oracle/worker/chromium-cookie-source.mjs

@@ -0,0 +1,291 @@
+// Purpose: Read ChatGPT cookies from arbitrary macOS Chromium-family cookie stores when sweet-cookie's built-in browser list is too narrow.
+// Responsibilities: Snapshot a Chromium Cookies SQLite DB, decrypt AES-CBC cookie values with a configured Keychain item, and return sweet-cookie-shaped cookie objects.
+// Scope: macOS Chromium cookie extraction only; auth policy filtering and browser seeding stay in auth-bootstrap.mjs.
+// Usage: auth-bootstrap.mjs uses this when auth.chromiumKeychain is configured alongside auth.chromeCookiePath.
+// Invariants/Assumptions: The configured cookie path points at a Chromium Cookies DB and the configured Keychain item is the browser's safe-storage secret.
+import { spawn } from "node:child_process";
+import { createDecipheriv, pbkdf2Sync } from "node:crypto";
+import { copyFileSync, existsSync, mkdtempSync, rmSync } from "node:fs";
+import { tmpdir } from "node:os";
+import { join } from "node:path";
+import { DatabaseSync } from "node:sqlite";
+
+const CHROMIUM_EPOCH_OFFSET_SECONDS = 11_644_473_600n;
+const COOKIE_VALUE_DECODER = new TextDecoder("utf-8", { fatal: true });
+const MACOS_CHROMIUM_KEY_ITERATIONS = 1003;
+
+function spawnCapture(command, args, options = {}) {
+  return new Promise((resolve) => {
+    const child = spawn(command, args, { stdio: ["ignore", "pipe", "pipe"] });
+    let stdout = "";
+    let stderr = "";
+    const timeoutMs = options.timeoutMs ?? 5_000;
+    let timedOut = false;
+    const timer = setTimeout(() => {
+      timedOut = true;
+      child.kill("SIGTERM");
+    }, timeoutMs);
+    timer.unref?.();
+
+    child.stdout.on("data", (data) => { stdout += String(data); });
+    child.stderr.on("data", (data) => { stderr += String(data); });
+    child.on("error", (error) => {
+      clearTimeout(timer);
+      resolve({ ok: false, stdout, stderr, error: error.message });
+    });
+    child.on("close", (code) => {
+      clearTimeout(timer);
+      resolve({
+        ok: code === 0 && !timedOut,
+        stdout,
+        stderr,
+        error: timedOut ? `Timed out after ${timeoutMs}ms` : stderr.trim(),
+      });
+    });
+  });
+}
+
+async function readKeychainPassword(keychain, timeoutMs) {
+  const services = Array.isArray(keychain.services) && keychain.services.length > 0 ? keychain.services : [keychain.service];
+  for (const service of services.filter(Boolean)) {
+    const result = await spawnCapture("security", ["find-generic-password", "-w", "-a", keychain.account, "-s", service], { timeoutMs });
+    if (result.ok) {
+      const password = result.stdout.trim();
+      if (password) return { ok: true, password, service };
+      return { ok: false, error: `macOS Keychain returned an empty ${keychain.label || service} password.` };
+    }
+  }
+  return { ok: false, error: `Failed to read macOS Keychain (${keychain.label || keychain.account}): no configured service returned a password.` };
+}
+
+function snapshotCookieDb(dbPath) {
+  const tempDir = mkdtempSync(join(tmpdir(), "pi-oracle-chromium-cookies-"));
+  const tempDbPath = join(tempDir, "Cookies");
+  try {
+    copyFileSync(dbPath, tempDbPath);
+    copySidecar(dbPath, `${tempDbPath}-wal`, "-wal");
+    copySidecar(dbPath, `${tempDbPath}-shm`, "-shm");
+    return { tempDir, tempDbPath };
+  } catch (error) {
+    rmSync(tempDir, { recursive: true, force: true });
+    throw error;
+  }
+}
+
+function copySidecar(sourceDbPath, targetPath, suffix) {
+  const sidecarPath = `${sourceDbPath}${suffix}`;
+  try {
+    copyFileSync(sidecarPath, targetPath);
+  } catch (error) {
+    if (isMissingFileError(error)) return;
+    throw error;
+  }
+}
+
+function isMissingFileError(error) {
+  return Boolean(error && typeof error === "object" && "code" in error && error.code === "ENOENT");
+}
+
+function readMetaVersion(db) {
+  try {
+    const row = db.prepare("SELECT value FROM meta WHERE key = 'version'").get();
+    const parsed = Number.parseInt(String(row?.value ?? "0"), 10);
+    return Number.isFinite(parsed) ? parsed : 0;
+  } catch {
+    return 0;
+  }
+}
+
+function parentCookieDomains(host) {
+  const labels = host.split(".").filter(Boolean);
+  const domains = new Set([host, `.${host}`]);
+  for (let index = 1; index < labels.length - 1; index += 1) {
+    const parent = labels.slice(index).join(".");
+    domains.add(parent);
+    domains.add(`.${parent}`);
+  }
+  return [...domains];
+}
+
+function sqlStringLiteral(value) {
+  return `'${value.replaceAll("'", "''")}'`;
+}
+
+function buildHostWhereClause(origins) {
+  const domains = new Set();
+  for (const origin of origins) {
+    try {
+      for (const domain of parentCookieDomains(new URL(origin).hostname)) domains.add(domain);
+    } catch {
+      // Ignore malformed origins; validated ChatGPT config supplies the real set.
+    }
+  }
+  if (domains.size === 0) return "0";
+  return `host_key IN (${[...domains].map(sqlStringLiteral).join(", ")})`;
+}
+
+function hostMatchesAny(originHosts, hostKey) {
+  const cookieDomain = hostKey.startsWith(".") ? hostKey.slice(1) : hostKey;
+  return originHosts.some((host) => host === cookieDomain || host.endsWith(`.${cookieDomain}`));
+}
+
+function chromiumExpirationToUnixSeconds(value) {
+  if (value === undefined || value === null || String(value) === "0") return undefined;
+  try {
+    const raw = BigInt(String(value));
+    const seconds = raw / 1_000_000n - CHROMIUM_EPOCH_OFFSET_SECONDS;
+    if (seconds <= 0n) return undefined;
+    return Number(seconds);
+  } catch {
+    return undefined;
+  }
+}
+
+function normalizeSameSite(value) {
+  const normalized = String(value ?? "").toLowerCase();
+  if (normalized === "2" || normalized === "strict") return "Strict";
+  if (normalized === "1" || normalized === "lax") return "Lax";
+  if (normalized === "0" || normalized === "none" || normalized === "no_restriction") return "None";
+  return undefined;
+}
+
+function deriveMacosChromiumKey(password) {
+  return pbkdf2Sync(password, "saltysalt", MACOS_CHROMIUM_KEY_ITERATIONS, 16, "sha1");
+}
+
+function decryptCookieValue(encryptedValue, key, options) {
+  const buffer = Buffer.from(encryptedValue);
+  if (buffer.length < 3) return null;
+  const prefix = buffer.subarray(0, 3).toString("utf8");
+  if (!/^v\d\d$/.test(prefix)) return decodeCookieBytes(buffer, false);
+
+  try {
+    const iv = Buffer.alloc(16, 0x20);
+    const decipher = createDecipheriv("aes-128-cbc", key, iv);
+    decipher.setAutoPadding(false);
+    const padded = Buffer.concat([decipher.update(buffer.subarray(3)), decipher.final()]);
+    const unpadded = removePkcs7Padding(padded);
+    return decodeCookieBytes(unpadded, options.stripHashPrefix);
+  } catch {
+    return null;
+  }
+}
+
+function removePkcs7Padding(value) {
+  if (!value.length) return value;
+  const padding = value[value.length - 1];
+  if (!padding || padding > 16) return value;
+  return value.subarray(0, value.length - padding);
+}
+
+function decodeCookieBytes(value, stripHashPrefix) {
+  const bytes = stripHashPrefix && value.length >= 32 ? value.subarray(32) : value;
+  try {
+    return stripLeadingControlChars(COOKIE_VALUE_DECODER.decode(bytes));
+  } catch {
+    return null;
+  }
+}
+
+function stripLeadingControlChars(value) {
+  let index = 0;
+  while (index < value.length && value.charCodeAt(index) < 0x20) index += 1;
+  return value.slice(index);
+}
+
+function collectCookies(rows, options, key, warnings) {
+  const cookies = [];
+  const now = Math.floor(Date.now() / 1000);
+  const hosts = options.origins.map((origin) => new URL(origin).hostname);
+  let warnedEncryptedType = false;
+
+  for (const row of rows) {
+    const name = typeof row.name === "string" ? row.name : "";
+    const hostKey = typeof row.host_key === "string" ? row.host_key : "";
+    if (!name || !hostKey || !hostMatchesAny(hosts, hostKey)) continue;
+
+    let value = typeof row.value === "string" && row.value.length > 0 ? row.value : null;
+    if (value === null) {
+      if (!(row.encrypted_value instanceof Uint8Array)) {
+        if (!warnedEncryptedType && row.encrypted_value !== undefined) {
+          warnings.push("Chromium cookie encrypted_value is in an unsupported type.");
+          warnedEncryptedType = true;
+        }
+        continue;
+      }
+      value = decryptCookieValue(row.encrypted_value, key, { stripHashPrefix: options.stripHashPrefix });
+    }
+    if (value === null) continue;
+
+    const expires = chromiumExpirationToUnixSeconds(row.expires_utc);
+    if (!options.includeExpired && expires !== undefined && expires < now) continue;
+
+    const cookie = {
+      name,
+      value,
+      domain: hostKey.startsWith(".") ? hostKey.slice(1) : hostKey,
+      path: typeof row.path === "string" && row.path ? row.path : "/",
+      secure: row.is_secure === 1 || row.is_secure === "1" || row.is_secure === true,
+      httpOnly: row.is_httponly === 1 || row.is_httponly === "1" || row.is_httponly === true,
+      source: { browser: "chromium", profile: options.profile },
+    };
+    if (expires !== undefined) cookie.expires = expires;
+    const sameSite = normalizeSameSite(row.samesite);
+    if (sameSite !== undefined) cookie.sameSite = sameSite;
+    cookies.push(cookie);
+  }
+
+  return dedupeCookies(cookies);
+}
+
+function dedupeCookies(cookies) {
+  const seen = new Map();
+  for (const cookie of cookies) {
+    const key = `${cookie.domain}\t${cookie.path}\t${cookie.name}`;
+    if (!seen.has(key)) seen.set(key, cookie);
+  }
+  return [...seen.values()];
+}
+
+export async function getCookiesFromConfiguredChromiumSource(options) {
+  const warnings = [];
+  if (!options.dbPath || !existsSync(options.dbPath)) {
+    return { cookies: [], warnings: [`Chromium cookies database not found: ${options.dbPath || "(missing path)"}`] };
+  }
+
+  const passwordResult = await readKeychainPassword(options.keychain, options.timeoutMs ?? 5_000);
+  if (!passwordResult.ok) return { cookies: [], warnings: [passwordResult.error] };
+
+  let snapshot;
+  try {
+    snapshot = snapshotCookieDb(options.dbPath);
+  } catch (error) {
+    return { cookies: [], warnings: [`Failed to copy Chromium cookie DB: ${error instanceof Error ? error.message : String(error)}`] };
+  }
+
+  try {
+    const db = new DatabaseSync(snapshot.tempDbPath, { readOnly: true });
+    try {
+      const metaVersion = readMetaVersion(db);
+      const where = buildHostWhereClause(options.origins);
+      const sql =
+        `SELECT name, value, host_key, path, CAST(expires_utc AS TEXT) AS expires_utc, samesite, encrypted_value, ` +
+        `is_secure AS is_secure, is_httponly AS is_httponly FROM cookies WHERE (${where}) ORDER BY cookies.expires_utc DESC;`;
+      const rows = db.prepare(sql).all();
+      const key = deriveMacosChromiumKey(passwordResult.password);
+      const cookies = collectCookies(rows, {
+        origins: options.origins,
+        profile: options.profile,
+        includeExpired: options.includeExpired === true,
+        stripHashPrefix: metaVersion >= 24,
+      }, key, warnings);
+      return { cookies, warnings };
+    } finally {
+      db.close();
+    }
+  } catch (error) {
+    return { cookies: [], warnings: [`Failed to read Chromium cookies (requires a modern Chromium cookie DB): ${error instanceof Error ? error.message : String(error)}`] };
+  } finally {
+    rmSync(snapshot.tempDir, { recursive: true, force: true });
+  }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-oracle",
-  "version": "0.6.14",
+  "version": "0.6.16",
   "description": "ChatGPT web-oracle extension for pi with isolated browser auth, async jobs, and project-context archives.",
   "private": false,
   "license": "MIT",
@@ -42,7 +42,7 @@
     ]
   },
   "scripts": {
-    "check:oracle-extension": "node --check extensions/oracle/shared/process-helpers.mjs && node --check extensions/oracle/shared/state-coordination-helpers.mjs && node --check extensions/oracle/shared/job-coordination-helpers.mjs && node --check extensions/oracle/shared/job-lifecycle-helpers.mjs && node --check extensions/oracle/shared/job-observability-helpers.mjs && node --check extensions/oracle/worker/run-job.mjs && node --check extensions/oracle/worker/state-locks.mjs && node --check extensions/oracle/worker/artifact-heuristics.mjs && node --check extensions/oracle/worker/chatgpt-ui-helpers.mjs && node --check extensions/oracle/worker/chatgpt-flow-helpers.mjs && node --check extensions/oracle/worker/auth-flow-helpers.mjs && node --check extensions/oracle/worker/auth-cookie-policy.mjs && node --check extensions/oracle/worker/auth-bootstrap.mjs && esbuild extensions/oracle/index.ts --bundle --platform=node --format=esm --external:@mariozechner/pi-coding-agent --external:@mariozechner/pi-ai --external:typebox --outfile=/tmp/pi-oracle-extension-check.js",
+    "check:oracle-extension": "node --check extensions/oracle/shared/process-helpers.mjs && node --check extensions/oracle/shared/state-coordination-helpers.mjs && node --check extensions/oracle/shared/job-coordination-helpers.mjs && node --check extensions/oracle/shared/job-lifecycle-helpers.mjs && node --check extensions/oracle/shared/job-observability-helpers.mjs && node --check extensions/oracle/worker/run-job.mjs && node --check extensions/oracle/worker/state-locks.mjs && node --check extensions/oracle/worker/artifact-heuristics.mjs && node --check extensions/oracle/worker/chatgpt-ui-helpers.mjs && node --check extensions/oracle/worker/chatgpt-flow-helpers.mjs && node --check extensions/oracle/worker/auth-flow-helpers.mjs && node --check extensions/oracle/worker/auth-cookie-policy.mjs && node --check extensions/oracle/worker/chromium-cookie-source.mjs && node --check extensions/oracle/worker/auth-bootstrap.mjs && esbuild extensions/oracle/index.ts --bundle --platform=node --format=esm --external:@earendil-works/pi-coding-agent --external:@earendil-works/pi-ai --external:typebox --outfile=/tmp/pi-oracle-extension-check.js",
     "typecheck": "tsc --noEmit -p tsconfig.json",
     "typecheck:worker-helpers": "tsc --noEmit -p tsconfig.worker-helpers.json",
     "sanity:oracle": "node scripts/oracle-sanity-runner.mjs",
@@ -55,19 +55,19 @@
     "@steipete/sweet-cookie": "^0.2.0"
   },
   "peerDependencies": {
-    "typebox": "*",
-    "@mariozechner/pi-coding-agent": "*"
+    "@earendil-works/pi-coding-agent": "*",
+    "typebox": "*"
   },
   "overrides": {
-    "basic-ftp": "5.3.0",
+    "basic-ftp": "6.0.1",
     "protobufjs": "7.5.5"
   },
   "devDependencies": {
-    "@mariozechner/pi-coding-agent": "^0.72.0",
-    "@types/node": "^25.6.0",
+    "@earendil-works/pi-coding-agent": "^0.74.0",
+    "@types/node": "^25.6.1",
     "esbuild": "^0.28.0",
     "tsx": "^4.21.0",
-    "typebox": "^1.1.37",
+    "typebox": "^1.1.38",
     "typescript": "^6.0.3"
   },
   "engines": {
@@ -76,5 +76,5 @@
   "os": [
     "darwin"
   ],
-  "packageManager": "npm@10.9.8"
+  "packageManager": "npm@11.14.0"
 }