pi-oracle 0.7.7 → 0.7.9

package/CHANGELOG.md

@@ -2,6 +2,33 @@
 
 ## Unreleased
 
+## 0.7.9 - 2026-06-11
+
+### Fixed
+- made oracle workers launch their isolated Chrome runtime directly and attach `agent-browser` via DevTools, avoiding failures when unrelated `agent-browser` sessions or daemons are already running
+- tightened worker-owned browser cleanup so runtime profiles are deleted only after the isolated Chrome process has been closed or terminated
+- rejected `browser.args` overrides that would bypass oracle-managed Chrome profile or DevTools isolation
+
+### Validation
+- verified ChatGPT and Grok oracle smoke tests against the local source extension after the worker-owned browser launch fix
+
+## 0.7.8 - 2026-06-11
+
+### Changed
+- updated the local pi development baseline to `@earendil-works/pi-coding-agent` / `@earendil-works/pi-ai` `0.79.1` and regenerated the npm lockfile
+- documented `pi` `0.79.1+` as the suggested tested floor while keeping pi runtime packages as optional wildcard peers so npm peer ranges do not block users from trying newer pi releases
+- updated isolated local-extension and packed package validation workflows to pass explicit `--approve` when they intentionally trust their temporary project fixtures under Pi 0.79.1 project-trust rules
+- made TUI `/oracle` and `/oracle-followup` commands reappear as compact user messages for prompt-history/up-arrow recall while keeping verbose dispatch instructions hidden
+
+### Fixed
+- made project-local `.pi/extensions/oracle.json` overrides honor Pi's effective project trust decision (`ctx.isProjectTrusted()`), including `--no-approve` and saved “do not trust” decisions while preserving the historical default of loading safe project overrides for existing oracle users
+- updated ChatGPT model-selection handling for the current compact selector labels, including `Extra High`, `Pro Standard`, and `Pro Extended`
+- hardened ChatGPT/Grok send handling so oracle workers require provider acceptance evidence before entering `awaiting_response`, preventing unsent composer drafts from masquerading as running jobs
+- dismissed ChatGPT Pro feedback dialogs during model configuration instead of mistaking their generic `Close` control for configuration UI
+
+### Compatibility
+- reviewed the pi `0.79.1` changelog, project-trust docs, extension docs, package docs, prompt-template docs, SDK/RPC exports, and matching examples; the oracle extension remains compatible with current extension lifecycle and package install/update behavior
+
 ## 0.7.7 - 2026-06-08
 
 ### Changed

package/README.md

@@ -2,7 +2,7 @@
 
 `pi-oracle` lets a `pi` agent send hard, long-running work to ChatGPT.com or Grok through the web app, with repo archives, background execution, saved results, and a best-effort wake-up back into `pi` when the answer is ready.
 
-> Status: experimental public beta. Validated on macOS, Linux, and Windows native with Chromium-family browsers and pi `0.79.0`. Pi `0.79.0+` is the suggested tested floor for project-trust-aware package/runtime validation, but pi-bundled runtime packages remain optional wildcard peers so npm peer ranges do not block users from trying newer pi releases. Normal oracle jobs run in an isolated browser profile, not your active browser window.
+> Status: experimental public beta. Validated on macOS, Linux, and Windows native with Chromium-family browsers and pi `0.79.1`. Pi `0.79.1+` is the suggested tested floor for project-trust-aware package/runtime validation, but pi-bundled runtime packages remain optional wildcard peers so npm peer ranges do not block users from trying newer pi releases. Normal oracle jobs run in an isolated browser profile, not your active browser window.
 
 ## What a successful run looks like
 
@@ -77,7 +77,7 @@ You need:
 
 - macOS, Linux, or Windows native
 - Node.js 22 or newer
-- Suggested tested floor: `pi` 0.79.0 or newer; older pi versions are not blocked by package metadata but are outside the current validation baseline
+- Suggested tested floor: `pi` 0.79.1 or newer; older pi versions are not blocked by package metadata but are outside the current validation baseline
 - Google Chrome/Chromium or another Chromium-family browser
 - ChatGPT or Grok already signed in to the configured local browser profile for the provider you plan to use
 - `agent-browser`, `tar`, and `zstd` available on the machine
@@ -149,7 +149,7 @@ flowchart LR
 
 Key design choices:
 
-- **Prompt templates own context gathering.** `/oracle` and `/oracle-followup` tell the agent how to preflight, gather context, choose archive inputs, and then stop after dispatch.
+- **Extension-managed dispatch owns context gathering.** In the TUI, `/oracle` and `/oracle-followup` are intercepted before prompt-template expansion, re-added as compact user messages for prompt-history/up-arrow recall, and paired with detailed dispatch instructions as hidden context. The visible transcript stays compact while the agent still preflights, gathers context, chooses archive inputs, and stops after dispatch.
 - **Tools own execution.** `oracle_submit` builds the archive, admits or queues the job, starts the worker, and returns immediately.
 - **Auth uses a seed profile.** `/oracle-auth` imports cookies into an isolated seed profile; each job clones that seed into its own temporary runtime profile.
 - **Follow-ups preserve provider thread state.** `/oracle-followup <job-id> ...` resolves the prior job's saved provider URL and submits the next prompt with `followUpJobId`.
@@ -179,7 +179,7 @@ Agent-facing tools:
 
 Most users can start with defaults. Set an agent-level config only when you need a non-default provider, mode, preset, or browser profile.
 
-Pi 0.79.0 gates project-local inputs behind project trust. `pi-oracle` preserves its historical risk-on extension behavior for existing users: project-local `.pi/extensions/oracle.json` safe overrides still load by default for compatibility. They are ignored when you explicitly opt out of project-local inputs with `--no-approve` or save a “do not trust” decision for the project. Privileged browser/auth settings still come only from the agent-level config.
+Pi 0.79.1 gates project-local inputs behind project trust. `pi-oracle` preserves its historical risk-on extension behavior for existing users: project-local `.pi/extensions/oracle.json` safe overrides still load by default for compatibility. They are ignored when you explicitly opt out of project-local inputs with `--no-approve` or save a “do not trust” decision for the project. Privileged browser/auth settings still come only from the agent-level config.
 
 `~/.pi/agent/extensions/oracle.json`
 
@@ -406,8 +406,8 @@ For manual end-to-end local-extension smoke testing, use [`docs/ORACLE_ISOLATED_
 | `extensions/oracle/lib/` | Commands, tools, config, jobs, queueing, runtime, poller |
 | `extensions/oracle/worker/` | Detached provider web worker and UI/auth helpers |
 | `extensions/oracle/shared/` | Shared process, state, job, and observability helpers |
-| [`prompts/oracle.md`](prompts/oracle.md) | `/oracle` prompt-template workflow |
-| [`prompts/oracle-followup.md`](prompts/oracle-followup.md) | `/oracle-followup` prompt-template workflow |
+| [`prompts/oracle.md`](prompts/oracle.md) | Hidden `/oracle` command-dispatch workflow |
+| [`prompts/oracle-followup.md`](prompts/oracle-followup.md) | Hidden `/oracle-followup` command-dispatch workflow |
 | `scripts/oracle-sanity-*` | Local sanity and archive-safety checks |
 | `scripts/platform-smoke*` | Crabbox macOS, Ubuntu, and Windows release smoke gate |
 | [`docs/ORACLE_DESIGN.md`](docs/ORACLE_DESIGN.md) | Architecture, lifecycle, queueing, persistence, recovery behavior |

package/docs/ORACLE_DESIGN.md

@@ -7,7 +7,7 @@ Companion doc:
 - `docs/ORACLE_RECOVERY_DRILL.md` — safe expired-auth recovery validation drill
 
 Compatibility target:
-- `pi` 0.79.0+ is the suggested tested floor for current project-trust-aware package/runtime validation
+- `pi` 0.79.1+ is the suggested tested floor for current project-trust-aware package/runtime validation
 - package metadata keeps pi runtime packages as optional wildcard peers, so this suggested floor is not enforced as a hard npm install requirement
 - current extension lifecycle only; no backward-compatibility shims for removed `session_switch` / `session_fork` events
 
@@ -60,14 +60,15 @@ The extension now follows the current `pi` session lifecycle model:
 - previous runtimes are expected to clean up in `session_shutdown`
 - no new logic depends on removed post-transition events
 
-### Prompt template
+### Oracle dispatch commands
 
 - `/oracle <request>`
-  - implemented as a prompt template, not an extension command
+  - in TUI mode, intercepted by the extension before prompt-template expansion so verbose internal workflow rules stay hidden from the visible transcript
+  - injects the detailed dispatch instructions as a hidden custom message
+  - in print/json/rpc modes, the extension contributes the prompt templates so non-interactive prompt expansion still works
   - asks the agent to gather context and dispatch an oracle job
-  - intentionally uses native pi prompt/template queueing so submissions survive streaming and compaction
 - `/oracle-followup <job-id> <request>`
-  - implemented as a prompt template, not an extension command
+  - follows the same hidden-instructions TUI path and print/json prompt-template fallback
   - asks the agent to continue an earlier oracle job in the same provider thread via `followUpJobId`
   - keeps same-thread continuation available to normal users without requiring raw tool-call syntax
 
@@ -106,14 +107,14 @@ The extension now follows the current `pi` session lifecycle model:
 ### `/oracle ...`
 
 `/oracle <request>` should not directly drive ChatGPT or Grok.
-It expands through the prompt-template path so pi can apply its native queueing semantics before the agent starts work.
+In TUI mode, the extension intercepts it before prompt-template expansion, re-injects the compact slash request as the visible user message so prompt-history/up-arrow recall survives session reloads, injects hidden dispatch instructions before the agent starts, and shows only compact user-facing status. In print/json/rpc modes, the extension exposes the prompt template so one-shot `/oracle` still expands and runs normally.
 
-Instead it instructs the agent to:
+It instructs the agent to:
 
 1. call `oracle_preflight` immediately, passing `provider: "grok"` when the user explicitly asks for Grok
 2. stop right away if preflight reports the session or local oracle setup is not ready
 3. understand whether the request is explicitly narrow or genuinely broad
-4. if the immediately preceding oracle run failed because ChatGPT or Grok login is required or the worker explicitly said to rerun `/oracle-auth`, call `oracle_auth` once before retrying
+4. if auth is missing, stale, or the worker explicitly said to rerun `/oracle-auth`, stop and tell the user to run `/oracle-auth` rather than launching auth automatically
 5. gather enough repo context to submit well and bias toward context-rich archives when they fit within the provider ceiling: 250 MB for ChatGPT and 200 MiB for Grok
 6. if the request is narrow, start from the directly relevant area but still include nearby tests, docs, config, and adjacent modules when they may improve answer quality
 7. if the request is broad/repo-wide, gather broader context and usually archive `.`
@@ -229,7 +230,7 @@ Merged config locations:
 - global: `~/.pi/agent/extensions/oracle.json`
 - project: `.pi/extensions/oracle.json`
 
-Project config remains restricted to safe overrides only. On Pi 0.79.0+, pi itself gates project-local inputs behind project trust, but `pi-oracle` keeps its historical risk-on extension behavior for this package-specific safe override file: `.pi/extensions/oracle.json` loads by default for compatibility, and is ignored only when the run passes `--no-approve` or the project has a saved “do not trust” decision. This preserves the existing extension experience while still honoring explicit opt-out/distrust decisions. Browser/auth settings remain global-only because they control local privileged browser state.
+Project config remains restricted to safe overrides only. On Pi 0.79.1+, pi itself gates project-local inputs behind project trust, but `pi-oracle` keeps its historical risk-on extension behavior for this package-specific safe override file: `.pi/extensions/oracle.json` loads by default for compatibility, and is ignored when Pi reports the project is untrusted, including `--no-approve` or saved “do not trust” decisions. This preserves the existing extension experience while still honoring explicit opt-out/distrust decisions. Browser/auth settings remain global-only because they control local privileged browser state.
 
 ### Current config shape
 
@@ -631,6 +632,9 @@ Remaining non-blocking hardening work:
 - keep hardening model-selection verification against future ChatGPT UI variation
 
 Recent proof points:
+- Pi 0.79.1 release gate: `npm run release:check` passed on 2026-06-11 after the project-trust, prompt-history, ChatGPT selector, and send-acceptance updates, including `verify:oracle` plus Crabbox macOS, Ubuntu, and Windows native `platform-build` and `real-extension` suites
+- Pi 0.79.1 platform artifacts: `.artifacts/platform-smoke/run-1781196218405-311wzs` (macOS platform-build), `.artifacts/platform-smoke/run-1781196261807-eb0391` (macOS real-extension), `.artifacts/platform-smoke/run-1781196230636-ze1hai` (Ubuntu platform-build), `.artifacts/platform-smoke/run-1781196265638-kxiwh9` (Ubuntu real-extension), `.artifacts/platform-smoke/run-1781196255488-ucuf35` (Windows native platform-build), `.artifacts/platform-smoke/run-1781196369098-4qlzjs` (Windows native real-extension)
+- Pi 0.79.1 live source-extension send-acceptance smoke: new-chat job `4b98776f-d422-4bfb-8a6a-7aef73c31bf6` reached `https://chatgpt.com/c/6a2ac99d-fc5c-83e8-88d7-5e1e8f427499` and completed; same-thread follow-up job `abb4f590-96a1-4aab-b91a-c0a7cc15a162` completed on the unchanged conversation URL after send-acceptance evidence
 - Pi 0.79.0 release gate: `npm run release:check` passed on 2026-06-08, including `verify:oracle` plus Crabbox macOS, Ubuntu, and Windows native `platform-build` and `real-extension` suites
 - Pi 0.79.0 platform artifacts: `.artifacts/platform-smoke/run-1780938522145-50q2f2` (macOS platform-build), `.artifacts/platform-smoke/run-1780938572090-bi87g5` (macOS real-extension), `.artifacts/platform-smoke/run-1780938542847-quridb` (Ubuntu platform-build), `.artifacts/platform-smoke/run-1780938587248-c8uo4c` (Ubuntu real-extension), `.artifacts/platform-smoke/run-1780938585007-l0xapp` (Windows native platform-build), `.artifacts/platform-smoke/run-1780938820527-c1j8tt` (Windows native real-extension)
 - Pi 0.79.0 isolated local-extension model-agent smoke: `.artifacts/real-smoke/run-1780935835596-pfbn5o` passed with `PI_ORACLE_REAL_TEST_MODEL_AGENT=1 npm run smoke:real:source`

package/docs/ORACLE_ISOLATED_PI_VALIDATION.md

@@ -27,18 +27,13 @@ The extension is loaded from the local checkout with:
 pi --approve --no-extensions -e "$REPO/extensions/oracle/index.ts"
 ```
 
-That ensures the session is exercising the in-repo code, not a globally installed package. `--approve` is intentional for this isolated workflow on Pi 0.79.0+: the test fixture is this trusted checkout, and non-interactive/scripted validation must not block on the project-trust prompt.
+That ensures the session is exercising the in-repo code, not a globally installed package. `--approve` is intentional for this isolated workflow on Pi 0.79.1+: the test fixture is this trusted checkout, and non-interactive/scripted validation must not block on the project-trust prompt.
 
-If you also need the in-repo `/oracle` prompt template, load it explicitly instead of installing this repository as a project-local package:
+The local extension now intercepts TUI `/oracle` and `/oracle-followup` before prompt-template expansion, re-injects the compact slash request as the visible user message for prompt-history/up-arrow recall, and reads the in-repo prompt files as hidden dispatch instructions, so do not pass `--prompt-template` for normal local-extension validation. In print/json/rpc modes, the extension contributes the prompt templates itself.
 
-```bash
-pi --approve --no-extensions -e "$REPO/extensions/oracle/index.ts" \
-  --no-prompt-templates --prompt-template "$REPO/prompts/oracle.md"
-```
+Do not add `https://github.com/fitchmultz/pi-oracle` to this repository's `.pi/settings.json` just to test local oracle changes. If you already keep `npm:pi-oracle` installed globally, mixing the global npm package with a project-local git package creates two distinct package identities and can trigger prompt/tool conflicts. Use the explicit CLI extension flag above instead.
 
-Do not add `https://github.com/fitchmultz/pi-oracle` to this repository's `.pi/settings.json` just to test local oracle changes. If you already keep `npm:pi-oracle` installed globally, mixing the global npm package with a project-local git package creates two distinct package identities and can trigger prompt/tool conflicts. Use the explicit CLI resource flags above instead.
-
-`oracle_submit` now preflights a missing or unreadable auth seed profile before it creates an archive or persists a job. For archive-inspection smoke tests that intentionally run without real auth, create an empty isolated seed-profile directory under the temporary agent dir so submission can proceed far enough to write the archive while still staying isolated from your normal Chrome state.
+`oracle_submit` now preflights missing, unreadable, or unverified auth seed profiles before it creates an archive or persists a job. For archive-inspection smoke tests that intentionally run without real auth, use `oracle_preflight` for the blocker path or create a test seed only in a purpose-built fixture that includes the `.oracle-seed-generation` marker.
 
 ## Preset requirement
 
@@ -81,7 +76,12 @@ mkdir -p \
   "$TEST2_AGENT" "$TEST2_SESSIONS" "$TEST2_JOBS" \
   "$FIXTURE" "$OUTSIDE"
 
-mkdir -p "$TEST1_AGENT/extensions/oracle-auth-seed-profile"
+mkdir -p \
+  "$TEST1_AGENT/extensions/oracle-auth-seed-profile" \
+  "$TEST2_AGENT/extensions/oracle-auth-seed-profile"
+touch \
+  "$TEST1_AGENT/extensions/oracle-auth-seed-profile/.oracle-seed-generation" \
+  "$TEST2_AGENT/extensions/oracle-auth-seed-profile/.oracle-seed-generation"
 
 echo 'secret' > "$OUTSIDE/secret.txt"
 ln -s "$OUTSIDE" "$FIXTURE/linked-outside"
@@ -162,29 +162,30 @@ Expected behavior:
 Notes:
 
 - this smoke test does not require `/oracle-auth`
-- the snippet creates an empty isolated auth seed profile for `TEST1_AGENT` because `oracle_submit` now rejects a missing seed profile before archiving
-- with that empty seed profile, the worker still fails later due to missing real auth, which is useful because the archive remains on disk for inspection
+- the snippet creates an isolated test auth seed profile plus `.oracle-seed-generation` marker for `TEST1_AGENT` because `oracle_submit` now rejects missing or unverified seed profiles before archiving
+- with that marker-only seed profile, the worker still fails later due to missing real auth, which is useful because the archive remains on disk for inspection
 
 ### Test 2: symlink escape rejection
 
 Expected behavior:
 
 - `oracle_submit` rejects `linked-outside/secret.txt`
+- the snippet creates the same marker-only isolated auth seed profile for `TEST2_AGENT` so the test reaches archive input validation
 - the error should say the archive input must resolve inside the project cwd without symlink escapes
 - no oracle job directory should be created for the rejected submit
 
-## Testing local `/oracle` prompt changes too
+## Testing local `/oracle` command-prompt changes too
 
-The main smoke test above calls `oracle_submit` directly, so it only needs the local extension entrypoint. If you also changed `prompts/oracle.md`, start the isolated session with the local prompt template explicitly loaded:
+The main smoke test above calls `oracle_submit` directly, so it only needs the local extension entrypoint. If you also changed `prompts/oracle.md`, start the isolated session with the same local extension entrypoint; the extension reads the in-repo prompt file as hidden command-dispatch instructions:
 
 ```bash
-LOCAL_ORACLE_PI_CMD="pi --approve --session-dir '$TEST1_SESSIONS' --no-extensions -e '$REPO/extensions/oracle/index.ts' --no-prompt-templates --prompt-template '$REPO/prompts/oracle.md'"
+LOCAL_ORACLE_PI_CMD="pi --approve --session-dir '$TEST1_SESSIONS' --no-extensions -e '$REPO/extensions/oracle/index.ts'"
 TMUX_CMD1="cd '$REPO' && env PI_CODING_AGENT_DIR='$TEST1_AGENT' PI_ORACLE_JOBS_DIR='$TEST1_JOBS' PATH='$PATH' $LOCAL_ORACLE_PI_CMD"
 ```
 
-Use the same pattern for additional sessions, swapping the session/job directories as needed. This keeps the test on the in-repo extension and in-repo prompt template without depending on `.pi/settings.json` package entries.
+Use the same pattern for additional sessions, swapping the session/job directories as needed. This keeps the test on the in-repo extension and hidden in-repo command prompt without depending on `.pi/settings.json` package entries.
 
-`/oracle` now starts by calling `oracle_preflight`. If you want the prompt flow to proceed past that early guard in an isolated test without using your normal auth state, create an empty isolated auth seed profile first (for example `mkdir -p "$TEST1_AGENT/extensions/oracle-auth-seed-profile"`) or run `/oracle-auth` in the isolated agent dir.
+`/oracle` now starts by calling `oracle_preflight`. If you want the command flow to proceed past that early guard in an isolated test without using your normal auth state, run `/oracle-auth` in the isolated agent dir or create a purpose-built verified seed fixture with `.oracle-seed-generation`.
 
 ## Additional failure-mode smoke tests
 

package/docs/platform-smoke.md

@@ -90,7 +90,7 @@ On each required target, `platform-build`:
 5. runs `npm pack`;
 6. creates a fresh target-local pi project;
 7. runs `npm install --no-save <packed tarball>`;
-8. runs `pi install -l ./node_modules/pi-oracle --approve` so Pi 0.79.0 project-trust gating intentionally trusts the temporary fixture;
+8. runs `pi install -l ./node_modules/pi-oracle --approve` so Pi 0.79.1 project-trust gating intentionally trusts the temporary fixture;
 9. runs `pi list --approve`;
 10. asserts the installed package came from `node_modules/pi-oracle` and did not use `pi -e` / source-extension shortcuts.
 

package/extensions/oracle/index.ts

@@ -3,6 +3,7 @@
 // Scope: Extension entrypoint only; lifecycle mutation lives in lib modules and browser execution lives in worker scripts.
 // Usage: Loaded by pi as the extension module declared in package.json.
 // Invariants/Assumptions: Oracle only runs against persisted sessions, and startup maintenance should be best-effort without breaking session initialization.
+import { readFileSync } from "node:fs";
 import { fileURLToPath } from "node:url";
 import { dirname, join } from "node:path";
 import type { ExtensionAPI, ExtensionContext } from "@earendil-works/pi-coding-agent";
@@ -10,15 +11,59 @@ import { loadOracleConfig } from "./lib/config.js";
 import { registerOracleCommands } from "./lib/commands.js";
 import { getSessionFile, pruneTerminalOracleJobs, reconcileStaleOracleJobs } from "./lib/jobs.js";
 import { isLockTimeoutError, withGlobalReconcileLock } from "./lib/locks.js";
-import { refreshOracleStatus, startPoller, stopPoller } from "./lib/poller.js";
+import { refreshOracleStatus, setOracleReadiness, startPoller, stopPoller } from "./lib/poller.js";
 import { promoteQueuedJobs } from "./lib/queue.js";
-import { hasPersistedSessionFile } from "./lib/runtime.js";
+import { assertOracleSubmitPrerequisites, hasPersistedSessionFile } from "./lib/runtime.js";
 import { registerOracleTools } from "./lib/tools.js";
 
+function readPromptTemplate(path: string): string | undefined {
+  try {
+    return readFileSync(path, "utf8").replace(/^---\n[\s\S]*?\n---\n/, "");
+  } catch {
+    return undefined;
+  }
+}
+
+function oracleReadinessFromError(error: unknown): "auth_needed" | "config_error" {
+  const message = error instanceof Error ? error.message : String(error);
+  return /auth seed profile/i.test(message) ? "auth_needed" : "config_error";
+}
+
+function isProjectTrusted(ctx: ExtensionContext): boolean {
+  return (ctx as { isProjectTrusted?: () => boolean }).isProjectTrusted?.() ?? true;
+}
+
+function expandOraclePromptTemplate(source: string, args: string): string {
+  return source.replaceAll("$@", args).replaceAll("$ARGUMENTS", args);
+}
+
+function parseOracleInput(text: string): { command: "oracle" | "oracle-followup"; args: string } | undefined {
+  const match = text.match(/^\/(oracle(?:-followup)?)(?:\s+([\s\S]*))?$/);
+  if (!match) return undefined;
+  return { command: match[1] as "oracle" | "oracle-followup", args: (match[2] ?? "").trim() };
+}
+
+function formatOracleUserCommand(command: "oracle" | "oracle-followup", args: string): string {
+  return `/${command} ${args}`;
+}
+
+function oracleDispatchMessage(command: "oracle" | "oracle-followup", args: string, template: string) {
+  return {
+    customType: "oracle-dispatch-request",
+    content: expandOraclePromptTemplate(template, args),
+    display: false,
+    details: { command, userRequest: args },
+  };
+}
+
 export default function oracleExtension(pi: ExtensionAPI) {
   const extensionDir = dirname(fileURLToPath(import.meta.url));
   const workerPath = join(extensionDir, "worker", "run-job.mjs");
   const authWorkerPath = join(extensionDir, "worker", "auth-bootstrap.mjs");
+  const promptDir = join(extensionDir, "..", "..", "prompts");
+
+  const oraclePrompt = readPromptTemplate(join(promptDir, "oracle.md"));
+  const oracleFollowupPrompt = readPromptTemplate(join(promptDir, "oracle-followup.md"));
 
   registerOracleCommands(pi, authWorkerPath, workerPath);
   registerOracleTools(pi, workerPath, authWorkerPath);
@@ -49,7 +94,11 @@ export default function oracleExtension(pi: ExtensionAPI) {
         return;
       }
 
-      const config = loadOracleConfig(ctx.cwd);
+      const config = loadOracleConfig(ctx.cwd, { projectConfigTrusted: isProjectTrusted(ctx) });
+      setOracleReadiness(ctx, "loaded");
+      void assertOracleSubmitPrerequisites(config)
+        .then(() => setOracleReadiness(ctx, "ready"))
+        .catch((error) => setOracleReadiness(ctx, oracleReadinessFromError(error)));
       void runStartupMaintenance(ctx).catch((error) => {
         const message = `Oracle startup maintenance failed: ${error instanceof Error ? error.message : String(error)}`;
         console.error(message);
@@ -60,13 +109,44 @@ export default function oracleExtension(pi: ExtensionAPI) {
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
       stopPoller(ctx);
+      setOracleReadiness(ctx, "config_error");
       if (ctx.hasUI) {
-        ctx.ui.setStatus("oracle", ctx.ui.theme.fg("error", "oracle: config error"));
         ctx.ui.notify(message, "warning");
       }
     }
   }
 
+  pi.on("resources_discover", async (_event, ctx) => {
+    return ["print", "json", "rpc"].includes(ctx.mode) ? { promptPaths: [promptDir] } : undefined;
+  });
+
+  pi.on("before_agent_start", async (event) => {
+    const parsed = parseOracleInput(event.prompt);
+    if (!parsed?.args || (parsed.command === "oracle-followup" && !/^\S+\s+\S/.test(parsed.args))) return;
+    const template = parsed.command === "oracle" ? oraclePrompt : oracleFollowupPrompt;
+    if (!template?.trim()) return;
+    return { message: oracleDispatchMessage(parsed.command, parsed.args, template) };
+  });
+
+  pi.on("input", (event, ctx) => {
+    if (ctx.mode !== "tui" || event.source !== "interactive") return { action: "continue" };
+    const parsed = parseOracleInput(event.text);
+    if (!parsed) return { action: "continue" };
+    if (!parsed.args || (parsed.command === "oracle-followup" && !/^\S+\s+\S/.test(parsed.args))) {
+      ctx.ui.notify(parsed.command === "oracle" ? "Usage: /oracle <request>" : "Usage: /oracle-followup <job-id> <request>", "warning");
+      return { action: "handled" };
+    }
+    const template = parsed.command === "oracle" ? oraclePrompt : oracleFollowupPrompt;
+    if (!template?.trim()) {
+      ctx.ui.notify(`/${parsed.command} is unavailable because its internal dispatch prompt could not be loaded.`, "warning");
+      return { action: "handled" };
+    }
+    ctx.ui.notify("Preparing oracle job… running preflight", "info");
+    const delivery = event.streamingBehavior ? { deliverAs: event.streamingBehavior } : undefined;
+    pi.sendUserMessage(formatOracleUserCommand(parsed.command, parsed.args), delivery);
+    return { action: "handled" };
+  });
+
   pi.on("session_start", async (_event, ctx) => {
     startPollerForContext(ctx);
   });

package/extensions/oracle/lib/auth.ts

@@ -4,14 +4,14 @@
 // Usage: Imported by oracle commands and tools whenever the shared oracle auth seed profile must be refreshed.
 // Invariants/Assumptions: Auth bootstrap runs under the global reconcile lock when available, uses the effective oracle config for the current workspace root, and returns the worker's stdout/stderr message verbatim on success or failure.
 import { spawn } from "node:child_process";
-import { formatOracleAuthConfigRemediation, formatOracleAuthConfigSummary, getOracleConfigLoadDetails, loadOracleConfig, resolveOracleConfigForProvider, type OracleProvider } from "./config.js";
+import { formatOracleAuthConfigRemediation, formatOracleAuthConfigSummary, getOracleConfigLoadDetails, loadOracleConfig, resolveOracleConfigForProvider, type OracleConfigLoadOptions, type OracleProvider } from "./config.js";
 import { pruneTerminalOracleJobs, reconcileStaleOracleJobs } from "./jobs.js";
 import { isLockTimeoutError, withGlobalReconcileLock } from "./locks.js";
 
-export async function runOracleAuthBootstrap(authWorkerPath: string, cwd: string, provider?: OracleProvider): Promise<string> {
-  const baseConfig = loadOracleConfig(cwd);
+export async function runOracleAuthBootstrap(authWorkerPath: string, cwd: string, provider?: OracleProvider, configOptions?: OracleConfigLoadOptions): Promise<string> {
+  const baseConfig = loadOracleConfig(cwd, configOptions);
   const config = resolveOracleConfigForProvider(baseConfig, provider ?? baseConfig.defaults.provider);
-  const configLoad = getOracleConfigLoadDetails(cwd);
+  const configLoad = getOracleConfigLoadDetails(cwd, configOptions);
   const authConfigGuidance = {
     ...configLoad,
     remediation: formatOracleAuthConfigRemediation(configLoad),

package/extensions/oracle/lib/commands.ts

@@ -27,6 +27,11 @@ import { refreshOracleStatus } from "./poller.js";
 import { isLockTimeoutError, withGlobalReconcileLock } from "./locks.js";
 import { getProjectId } from "./runtime.js";
 
+export interface OracleCommandPromptTemplates {
+  oracle?: string;
+  oracleFollowup?: string;
+}
+
 async function summarizeJob(jobId: string, options?: { responsePreview?: boolean }): Promise<string> {
   const job = readJob(jobId);
   if (!job) return `Oracle job ${jobId} not found.`;
@@ -74,18 +79,30 @@ function parseOracleAuthProvider(args: string): OracleProvider | undefined {
   throw new Error("Usage: /oracle-auth [chatgpt|grok]");
 }
 
-export function registerOracleCommands(pi: ExtensionAPI, authWorkerPath: string, workerPath: string): void {
+function isProjectTrusted(ctx: ExtensionCommandContext): boolean {
+  return (ctx as { isProjectTrusted?: () => boolean }).isProjectTrusted?.() ?? true;
+}
+
+function emitCommandOutput(ctx: ExtensionCommandContext, message: string, level: "info" | "warning" | "error" = "info"): void {
+  if (ctx.mode === "print") {
+    process.stdout.write(`${message}\n`);
+    return;
+  }
+  ctx.ui.notify(message, level);
+}
+
+export function registerOracleCommands(pi: ExtensionAPI, authWorkerPath: string, workerPath: string, _promptTemplates: OracleCommandPromptTemplates = {}): void {
   pi.registerCommand("oracle-auth", {
     description: "Sync ChatGPT or Grok cookies from the configured local browser profile into the provider auth seed profile",
     handler: async (args, ctx) => {
       try {
         const provider = parseOracleAuthProvider(args);
         const providerLabel = provider === "grok" ? "Grok" : provider === "chatgpt" ? "ChatGPT" : "configured provider";
-        ctx.ui.notify(`Syncing ${providerLabel} cookies from the configured local browser profile into the oracle auth seed profile…`, "info");
-        const result = await runOracleAuthBootstrap(authWorkerPath, ctx.cwd, provider);
-        ctx.ui.notify(result, "info");
+        emitCommandOutput(ctx, `Syncing ${providerLabel} cookies from the configured local browser profile into the oracle auth seed profile…`, "info");
+        const result = await runOracleAuthBootstrap(authWorkerPath, ctx.cwd, provider, { projectConfigTrusted: isProjectTrusted(ctx) });
+        emitCommandOutput(ctx, result, "info");
       } catch (error) {
-        ctx.ui.notify(error instanceof Error ? error.message : String(error), "warning");
+        emitCommandOutput(ctx, error instanceof Error ? error.message : String(error), "warning");
       }
     },
   });
@@ -96,12 +113,12 @@ export function registerOracleCommands(pi: ExtensionAPI, authWorkerPath: string,
       const explicitJobId = args.trim();
       const jobId = explicitJobId || getLatestJobId(ctx.cwd);
       if (!jobId) {
-        ctx.ui.notify("No oracle jobs found for this project", "info");
+        emitCommandOutput(ctx, "No oracle jobs found for this project", "info");
         return;
       }
       const job = readScopedJob(jobId, ctx.cwd);
       if (!job) {
-        ctx.ui.notify(`Oracle job ${jobId} was not found in this project`, "warning");
+        emitCommandOutput(ctx, `Oracle job ${jobId} was not found in this project`, "warning");
         return;
       }
       if (isTerminalOracleJob(job)) {
@@ -113,7 +130,7 @@ export function registerOracleCommands(pi: ExtensionAPI, authWorkerPath: string,
       }
       const summary = await summarizeJob(job.id);
       const recentJobs = !explicitJobId ? listRecentJobIds(ctx.cwd) : undefined;
-      ctx.ui.notify([summary, recentJobs ? `Recent jobs: ${recentJobs}` : undefined].filter(Boolean).join("\n"), "info");
+      emitCommandOutput(ctx, [summary, recentJobs ? `Recent jobs: ${recentJobs}` : undefined].filter(Boolean).join("\n"), "info");
     },
   });
 
@@ -123,12 +140,12 @@ export function registerOracleCommands(pi: ExtensionAPI, authWorkerPath: string,
       const explicitJobId = args.trim();
       const jobId = explicitJobId || getLatestJobId(ctx.cwd);
       if (!jobId) {
-        ctx.ui.notify("No oracle jobs found for this project", "info");
+        emitCommandOutput(ctx, "No oracle jobs found for this project", "info");
         return;
       }
       const job = readScopedJob(jobId, ctx.cwd);
       if (!job) {
-        ctx.ui.notify(`Oracle job ${jobId} was not found in this project`, "warning");
+        emitCommandOutput(ctx, `Oracle job ${jobId} was not found in this project`, "warning");
         return;
       }
       if (isTerminalOracleJob(job)) {
@@ -138,7 +155,7 @@ export function registerOracleCommands(pi: ExtensionAPI, authWorkerPath: string,
           cwd: ctx.cwd,
         });
       }
-      ctx.ui.notify(await summarizeJob(job.id, { responsePreview: true }), "info");
+      emitCommandOutput(ctx, await summarizeJob(job.id, { responsePreview: true }), "info");
     },
   });
 
@@ -147,17 +164,21 @@ export function registerOracleCommands(pi: ExtensionAPI, authWorkerPath: string,
     handler: async (args, ctx) => {
       const jobId = args.trim();
       if (!jobId) {
-        ctx.ui.notify("Usage: /oracle-cancel <job-id>\nUse /oracle-status to find the job id you want to cancel.", "warning");
+        emitCommandOutput(ctx, "Usage: /oracle-cancel <job-id>\nUse /oracle-status to find the job id you want to cancel.", "warning");
         return;
       }
 
       const job = readScopedJob(jobId, ctx.cwd);
       if (!job) {
-        ctx.ui.notify(`Oracle job ${jobId} not found in this project`, "warning");
+        emitCommandOutput(ctx, `Oracle job ${jobId} not found in this project`, "warning");
         return;
       }
       if (!isOpenOracleJob(job)) {
-        ctx.ui.notify(`Oracle job ${jobId} is not cancellable (${job.status})`, "info");
+        if (isTerminalOracleJob(job)) {
+          emitCommandOutput(ctx, `Job is already terminal: ${job.status}. Use /oracle-read ${job.id} for details or /oracle-clean ${job.id} to remove it.`, "info");
+        } else {
+          emitCommandOutput(ctx, `Oracle job ${jobId} is not cancellable (${job.status})`, "info");
+        }
         return;
       }
 
@@ -166,7 +187,7 @@ export function registerOracleCommands(pi: ExtensionAPI, authWorkerPath: string,
         await promoteQueuedJobs({ workerPath, source: "oracle_cancel_command" });
       }
       refreshOracleStatus(ctx);
-      ctx.ui.notify(formatOracleCancelOutcome(cancelled), "info");
+      emitCommandOutput(ctx, formatOracleCancelOutcome(cancelled), "info");
     },
   });
 
@@ -175,19 +196,20 @@ export function registerOracleCommands(pi: ExtensionAPI, authWorkerPath: string,
     handler: async (args, ctx: ExtensionCommandContext) => {
       const target = args.trim();
       if (!target) {
-        ctx.ui.notify("Usage: /oracle-clean <job-id|all>", "warning");
+        emitCommandOutput(ctx, "Usage: /oracle-clean <job-id|all>", "warning");
         return;
       }
 
       const jobs = target === "all" ? listJobsForCwd(ctx.cwd) : [readScopedJob(target, ctx.cwd)].filter(Boolean);
       if (jobs.length === 0) {
-        ctx.ui.notify("No matching oracle jobs found", "warning");
+        emitCommandOutput(ctx, "No matching oracle jobs found", "warning");
         return;
       }
 
       const nonTerminalJobs = jobs.filter((job): job is NonNullable<typeof job> => Boolean(job && !isTerminalOracleJob(job)));
       if (nonTerminalJobs.length > 0) {
-        ctx.ui.notify(
+        emitCommandOutput(
+          ctx,
           `Refusing to remove non-terminal oracle job${nonTerminalJobs.length === 1 ? "" : "s"}: ${nonTerminalJobs.map((job) => job.id).join(", ")}`,
           "warning",
         );
@@ -217,10 +239,14 @@ export function registerOracleCommands(pi: ExtensionAPI, authWorkerPath: string,
 
       refreshOracleStatus(ctx);
       const warningSuffix = cleanupWarnings.length > 0 ? ` Cleanup blockers/warnings:\n${cleanupWarnings.join("\n")}` : "";
-      const removalSummary = removedCount === jobs.length
-        ? `Removed ${removedCount} oracle job director${removedCount === 1 ? "y" : "ies"}.`
-        : `Removed ${removedCount} of ${jobs.length} oracle job director${jobs.length === 1 ? "y" : "ies"}; retained ${jobs.length - removedCount} due to cleanup blockers or warnings.`;
-      ctx.ui.notify(`${removalSummary}${warningSuffix}`, cleanupWarnings.length > 0 ? "warning" : "info");
+      const retentionWarning = cleanupWarnings.find((warning) => warning.includes("post-send retention grace window") && warning.includes("Retry after "));
+      const retryAfter = retentionWarning?.match(/Retry after ([^ ]+)/)?.[1];
+      const removalSummary = retryAfter && removedCount < jobs.length
+        ? `Job retained for wake-up safety. Retry cleanup after ${retryAfter}.`
+        : removedCount === jobs.length
+          ? `Removed ${removedCount} oracle job director${removedCount === 1 ? "y" : "ies"}.`
+          : `Removed ${removedCount} of ${jobs.length} oracle job director${jobs.length === 1 ? "y" : "ies"}; retained ${jobs.length - removedCount} due to cleanup blockers or warnings.`;
+      emitCommandOutput(ctx, `${removalSummary}${warningSuffix}`, cleanupWarnings.length > 0 ? "warning" : "info");
     },
   });
 }