pullfrog 0.1.14 → 0.1.16

package/dist/internal/index.d.ts

@@ -3,11 +3,13 @@
  * Re-exports shared types, values, and utilities needed by the Next.js app.
  */
 export type { AuthorPermission, ModelAlias, ModelProvider, Payload, PayloadEvent, ProviderConfig, PushPermission, ShellPermission, ToolPermission, WriteablePayload, } from "../external.ts";
-export { DEFAULT_PROXY_MODEL, getModelEnvVars, getModelManagedCredentials, getModelProvider, getProviderDisplayName, modelAliases, parseModel, providers, pullfrogMcpName, resolveCliModel, resolveDisplayAlias, resolveModelSlug, resolveOpenRouterModel, } from "../external.ts";
+export { DEFAULT_PROXY_MODEL, getAutoSelectHintModel, getModelEnvVars, getModelManagedCredentials, getModelProvider, getProviderDisplayName, modelAliases, parseModel, providers, pullfrogMcpName, resolveCliModel, resolveDisplayAlias, resolveModelSlug, resolveOpenRouterModel, } from "../external.ts";
 export type { Mode } from "../modes.ts";
 export { modes } from "../modes.ts";
 export type { BuildPullfrogFooterParams, WorkflowRunFooterInfo, } from "../utils/buildPullfrogFooter.ts";
 export { buildPullfrogFooter, PULLFROG_DIVIDER, stripExistingFooter, } from "../utils/buildPullfrogFooter.ts";
+export type { CodexAuthBody } from "../utils/codexOAuth.ts";
+export { decodeJwtExpMs, OAuthInvalidGrantError, parseCodexAuthBody, refreshCodexAuthBody, stringifyCodexAuthBody, } from "../utils/codexOAuth.ts";
 export type { ResourceUsage, UsageSummary } from "../utils/github.ts";
 export { isLeapingIntoActionCommentBody, LEAPING_INTO_ACTION_PREFIX, } from "../utils/leapingComment.ts";
 export { MAX_LEARNINGS_LENGTH, truncateAtLineBoundary } from "../utils/learningsTruncate.ts";

package/dist/internal.js

@@ -11,8 +11,8 @@ var providers = {
     models: {
       "claude-opus": {
         displayName: "Claude Opus",
-        resolve: "anthropic/claude-opus-4-7",
-        openRouterResolve: "openrouter/anthropic/claude-opus-4.7",
+        resolve: "anthropic/claude-opus-4-8",
+        openRouterResolve: "openrouter/anthropic/claude-opus-4.8",
         preferred: true,
         subagentModel: "claude-sonnet"
       },
@@ -101,7 +101,7 @@ var providers = {
       "gemini-flash": {
         displayName: "Gemini Flash",
         resolve: "google/gemini-3.5-flash",
-        openRouterResolve: "openrouter/google/gemini-3-flash-preview"
+        openRouterResolve: "openrouter/google/gemini-3.5-flash"
       }
     }
   }),
@@ -190,8 +190,8 @@ var providers = {
       },
       "claude-opus": {
         displayName: "Claude Opus",
-        resolve: "opencode/claude-opus-4-7",
-        openRouterResolve: "openrouter/anthropic/claude-opus-4.7",
+        resolve: "opencode/claude-opus-4-8",
+        openRouterResolve: "openrouter/anthropic/claude-opus-4.8",
         subagentModel: "claude-sonnet"
       },
       "claude-sonnet": {
@@ -249,8 +249,8 @@ var providers = {
       },
       "gemini-flash": {
         displayName: "Gemini Flash",
-        resolve: "opencode/gemini-3-flash",
-        openRouterResolve: "openrouter/google/gemini-3-flash-preview"
+        resolve: "opencode/gemini-3.5-flash",
+        openRouterResolve: "openrouter/google/gemini-3.5-flash"
       },
       "kimi-k2": {
         displayName: "Kimi K2",
@@ -323,8 +323,8 @@ var providers = {
     models: {
       "claude-opus": {
         displayName: "Claude Opus",
-        resolve: "openrouter/anthropic/claude-opus-4.7",
-        openRouterResolve: "openrouter/anthropic/claude-opus-4.7",
+        resolve: "openrouter/anthropic/claude-opus-4.8",
+        openRouterResolve: "openrouter/anthropic/claude-opus-4.8",
         preferred: true,
         subagentModel: "claude-sonnet"
       },
@@ -388,8 +388,8 @@ var providers = {
       },
       "gemini-flash": {
         displayName: "Gemini Flash",
-        resolve: "openrouter/google/gemini-3-flash-preview",
-        openRouterResolve: "openrouter/google/gemini-3-flash-preview"
+        resolve: "openrouter/google/gemini-3.5-flash",
+        openRouterResolve: "openrouter/google/gemini-3.5-flash"
       },
       grok: {
         displayName: "Grok",
@@ -481,6 +481,16 @@ if (!defaultProxyAlias?.openRouterResolve) {
   throw new Error("DEFAULT_PROXY_MODEL: moonshotai/kimi-k2 missing openRouterResolve");
 }
 var DEFAULT_PROXY_MODEL = defaultProxyAlias.openRouterResolve;
+function getAutoSelectHintModel() {
+  const alias = defaultProxyAlias;
+  if (!alias) return "Kimi 2.6";
+  const modelId = alias.resolve.split("/")[1] ?? "kimi-k2.6";
+  const version = modelId.replace(/^kimi-k2\./, "");
+  if (version && version !== modelId) {
+    return `Kimi 2.${version}`;
+  }
+  return alias.displayName;
+}
 function resolveModelSlug(slug) {
   return modelAliases.find((a) => a.slug === slug)?.resolve;
 }
@@ -704,6 +714,8 @@ function computeModes(agentId) {
 
    Otherwise delegate the \`${REVIEWER_AGENT_NAME}\` subagent to review your diff with fresh eyes against YOUR TASK. The subagent's baked-in system prompt enforces a non-mutative + non-recursive contract: read-only file/search/web tools and read-only MCP queries only; no writes, shell side effects, state-changing MCP calls, or nested subagent dispatch. Enforcement is prose-only \u2014 restate the constraint in your dispatch instructions and do not relax it.
 
+   Before dispatching, ensure \`origin/<base>\` is locally available \u2014 the runner is often a shallow single-branch \`actions/checkout\` (depth=1, head-only refspec), and the reviewer's \`git diff --merge-base origin/<base>\` will fail with \`ambiguous argument\` or \`no merge base\` otherwise. Run \`git fetch --no-tags --deepen=1000 origin <base>:refs/remotes/origin/<base>\` once (the explicit destination refspec is required \u2014 a shallow single-branch checkout configures a head-only refspec, so a bare \`origin <base>\` only updates \`FETCH_HEAD\` and never creates the \`origin/<base>\` tracking ref); it's a no-op if the ref already has enough history. (The reviewer is read-only by contract, so it cannot do this itself \u2014 fetching is the orchestrator's job.)
+
    Compose your \`${REVIEWER_AGENT_NAME}\` dispatch prompt using this template verbatim, substituting the \`<...>\` placeholders. The preamble aligns the orchestrator side of the dispatch contract with the reviewer's baked-in system prompt \u2014 both ends say the same thing about where the work lives and what to do on an empty diff.
 
    \`\`\`
@@ -711,9 +723,11 @@ function computeModes(agentId) {
    This is a PRE-COMMIT Build-mode self-review. The work to review lives in the working tree (uncommitted), NOT in committed history.
 
    Branch: <branch> (off <base>)
-   Canonical diff command: git diff origin/<base>
+   Canonical diff command: git diff --merge-base origin/<base>
+
+   Use \`--merge-base\` (single MCP \`git\` call, no shell substitution required). NOT bare \`git diff origin/<base>\` or two-dot \`git diff origin/<base>..HEAD\` \u2014 the symmetric forms include the inverse of every commit landed on \`<base>\` since this branch forked, which is noise (and the git tool will reject those forms when the divergence is detected). \`origin/<base>...HEAD\` (three-dot) and \`--cached\` both miss the uncommitted edits self-review runs on, so they're also wrong here.
 
-   If that command returns empty, treat it as "no changes \u2014 nothing to review" and stop per your system prompt. Do not search for the work elsewhere.
+   If the merge-base diff returns empty, treat it as "no changes \u2014 nothing to review" and stop per your system prompt. Do not search for the work elsewhere.
 
    ## Your task
    <YOUR TASK content>
@@ -722,7 +736,7 @@ function computeModes(agentId) {
    <tight summary \u2014 what broke, root cause, the fix \u2014 or "no build-phase failures">
    \`\`\`
 
-   Follow the template with the diff content (\`git diff origin/<base-branch>\`, single-rev form \u2014 \`main...HEAD\` and \`--cached\` both miss the uncommitted edits self-review runs on) and your task brief. Instruct the subagent to flag bugs, logic errors, missing edge cases, gaps between request and diff, and unintended changes.
+   Follow the template with the diff content (\`git diff --merge-base origin/<base-branch>\` \u2014 single MCP \`git\` call, captures committed + staged + unstaged, excludes base-branch progress) and your task brief. Instruct the subagent to flag bugs, logic errors, missing edge cases, gaps between request and diff, and unintended changes.
 
    Delegation + research discipline (distilled from \`/anneal\` canonical \u2014 these are codified learnings from many review rounds, not theoretical best practices):
    - Do NOT summarize what you implemented \u2014 that biases the subagent toward validating the shape of your solution rather than questioning it.
@@ -864,7 +878,7 @@ For simple, well-defined tasks, skip the plan phase and go straight to build.`
    You can also include your own \`read\` / \`grep\` / \`webfetch\` calls in the SAME turn as the parallel \`${REVIEWER_AGENT_NAME}\` dispatches \u2014 concurrent context-pulling on the orchestrator side runs in parallel with the lens fan-out and costs zero extra wall time.
 
    if a subagent errors out, times out, or returns nothing usable, retry once with the same lens; if it still fails, proceed with partial coverage and note the missing lens in the review body \u2014 do not skip the fan-out entirely on a single subagent failure. each subagent gets:
-   - the diff path / target \u2014 reading the diff and the codebase is its job
+   - **the absolute \`diffPath\` (and \`incrementalDiffPath\` if available) from step 2's \`${t("checkout_pr")}\` return, named verbatim in the dispatch prompt** (e.g. \`diffPath: /tmp/pullfrog-XXXX/pr-NNN-SHA.diff\`). the reviewer's baked-in system prompt selects its FIRST action on this token \u2014 paraphrasing ("review the diff", "look at this PR") sends it down the \`git diff origin/<base>\` fallback, which fails on shallow GHA checkouts. the subagent \`read\`s those files for scope; it must NOT re-derive the diff via \`git diff\` (bare \`git diff origin/<base>\` is symmetric and pulls in the inverse of any commits that landed on \`<base>\` since the branch forked \u2014 pure noise, and the git tool rejects it). reading and codebase exploration are still its job.
    - **only one lens** \u2014 never a multi-section "review for X, Y, and Z" prompt
    - **a Task \`description\` set to the lens name** (e.g. \`"security"\`, \`"correctness"\`, \`"billing-subsystem"\`) \u2014 the harness reads this field to label the subagent's log lines so parallel runs can be told apart in CI output. without it, every subagent shows up as \`subagent#N\`.
    - if the lens touches external contracts, instruct the subagent to verify load-bearing claims via web search rather than trust training data, and to quote source URLs in its reasoning. action runs are non-interactive \u2014 there's no human in the loop to catch "I'm pretty sure Stripe does X."
@@ -974,7 +988,7 @@ ${PR_SUMMARY_FORMAT}`
    You can also include your own \`read\` / \`grep\` / \`webfetch\` calls in the SAME turn as the parallel \`${REVIEWER_AGENT_NAME}\` dispatches.
 
    if a subagent errors out, times out, or returns nothing usable, retry once with the same lens; if it still fails, proceed with partial coverage and note the missing lens in the review body. each subagent gets:
-   - the diff scope (incremental diff path if available, full diff otherwise). do NOT tell them to skip pre-existing issues \u2014 that suppresses regressions the new commits amplified; the "issues must be NEW" filter lives at aggregation time (step 8), not in the subagent prompt
+   - **the absolute diff path(s) from step 2's \`${t("checkout_pr")}\` return, named verbatim in the dispatch prompt.** when \`incrementalDiffPath\` is present, name BOTH (\`incrementalDiffPath: /tmp/.../pr-NNN-SHA-incremental.diff\` then \`diffPath: /tmp/.../pr-NNN-SHA.diff\`) \u2014 the reviewer's baked-in prompt reads incremental first and uses full for context; when only \`diffPath\` exists, name it alone. the subagent \`read\`s those files; it must NOT re-derive via \`git diff\` (bare \`git diff origin/<base>\` is symmetric and pulls in the inverse of base-branch progress \u2014 pure noise, and the git tool rejects it), and paraphrasing ("review the new commits") sends it down that fallback, which also fails on shallow GHA checkouts. do NOT tell them to skip pre-existing issues \u2014 that suppresses regressions the new commits amplified; the "issues must be NEW" filter lives at aggregation time (step 8), not in the subagent prompt.
    - **only one lens** \u2014 never a multi-section "review for X, Y, and Z" prompt
    - **a Task \`description\` set to the lens name** \u2014 the harness reads this field to label log lines so parallel runs can be told apart.
    - if the lens touches external contracts, instruct the subagent to verify load-bearing claims via web search and quote source URLs.
@@ -1083,7 +1097,7 @@ ${PR_SUMMARY_FORMAT}`
 
 1. **task list**: create your task list for this run as your first action.
 
-2. Analyze the task. For simple operations (labeling, commenting, answering questions, running a single command), handle directly.
+2. Analyze the task. For simple operations (labeling, commenting, answering questions, running a single command), handle directly \u2014 but your answer only reaches the user through \`${t("report_progress")}\` (step 4); raw assistant text is discarded.
 
 3. For substantial work \u2014 code changes across multiple files, multi-step investigations:
    - plan your approach before starting
@@ -1157,6 +1171,92 @@ function stripExistingFooter(body) {
   return body.substring(0, dividerIndex).trimEnd();
 }
 
+// utils/codexOAuth.ts
+var CODEX_OAUTH_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+var CODEX_OAUTH_TOKEN_URL = "https://auth.openai.com/oauth/token";
+var OAuthInvalidGrantError = class extends Error {
+  status;
+  constructor(status, body) {
+    super(`Codex token refresh failed: ${status} ${body}`);
+    this.name = "OAuthInvalidGrantError";
+    this.status = status;
+  }
+};
+async function refreshCodexAuthBody(body) {
+  const response = await fetch(CODEX_OAUTH_TOKEN_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "refresh_token",
+      refresh_token: body.tokens.refresh_token,
+      client_id: CODEX_OAUTH_CLIENT_ID
+    }).toString(),
+    signal: AbortSignal.timeout(1e4)
+  });
+  if (!response.ok) {
+    const text = await response.text().catch(() => "");
+    if (response.status >= 400 && response.status < 500) {
+      throw new OAuthInvalidGrantError(response.status, text);
+    }
+    throw new Error(`Codex token refresh failed: ${response.status} ${text}`);
+  }
+  const tokens = await response.json();
+  const idToken = tokens.id_token ?? body.tokens.id_token;
+  const accountId = body.tokens.account_id;
+  return {
+    auth_mode: "chatgpt",
+    tokens: {
+      access_token: tokens.access_token,
+      refresh_token: tokens.refresh_token,
+      ...idToken ? { id_token: idToken } : {},
+      ...accountId ? { account_id: accountId } : {}
+    },
+    last_refresh: (/* @__PURE__ */ new Date()).toISOString()
+  };
+}
+function decodeJwtExpMs(token) {
+  const parts = token.split(".");
+  if (parts.length !== 3) return null;
+  let payload;
+  try {
+    payload = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
+  } catch {
+    return null;
+  }
+  if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) return null;
+  return payload.exp * 1e3;
+}
+function parseCodexAuthBody(raw) {
+  let parsed;
+  try {
+    parsed = JSON.parse(raw);
+  } catch {
+    return null;
+  }
+  if (!parsed || typeof parsed !== "object") return null;
+  const v = parsed;
+  if (v.auth_mode !== "chatgpt") return null;
+  const tokens = v.tokens;
+  if (!tokens || typeof tokens !== "object") return null;
+  const t = tokens;
+  if (typeof t.access_token !== "string" || t.access_token.length === 0) return null;
+  if (typeof t.refresh_token !== "string" || t.refresh_token.length === 0) return null;
+  return {
+    auth_mode: "chatgpt",
+    tokens: {
+      access_token: t.access_token,
+      refresh_token: t.refresh_token,
+      ...typeof t.id_token === "string" ? { id_token: t.id_token } : {},
+      ...typeof t.account_id === "string" ? { account_id: t.account_id } : {}
+    },
+    ...typeof v.last_refresh === "string" ? { last_refresh: v.last_refresh } : {}
+  };
+}
+function stringifyCodexAuthBody(body) {
+  return `${JSON.stringify(body, null, 2)}
+`;
+}
+
 // utils/leapingComment.ts
 var LEAPING_INTO_ACTION_PREFIX = "Leaping into action";
 function isLeapingIntoActionCommentBody(body) {
@@ -1292,11 +1392,14 @@ export {
   DEFAULT_PROXY_MODEL,
   LEAPING_INTO_ACTION_PREFIX,
   MAX_LEARNINGS_LENGTH,
+  OAuthInvalidGrantError,
   PULLFROG_DIVIDER,
   TIMEOUT_DISABLED,
   buildPullfrogFooter,
   createLeapingProgressComment,
+  decodeJwtExpMs,
   deleteProgressCommentApi,
+  getAutoSelectHintModel,
   getModelEnvVars,
   getModelManagedCredentials,
   getModelProvider,
@@ -1306,14 +1409,17 @@ export {
   isValidTimeString,
   modelAliases,
   modes,
+  parseCodexAuthBody,
   parseModel,
   parseTimeString,
   providers,
   pullfrogMcpName,
+  refreshCodexAuthBody,
   resolveCliModel,
   resolveDisplayAlias,
   resolveModelSlug,
   resolveOpenRouterModel,
+  stringifyCodexAuthBody,
   stripExistingFooter,
   truncateAtLineBoundary,
   updateProgressComment

package/dist/mcp/comment.d.ts

@@ -38,7 +38,8 @@ export declare const ReportProgress: import("arktype/internal/variants/object.ts
  *   - object:    active comment — will update it in place via the right REST endpoint for its type
  *   - null:      deliberately deleted (e.g. after submitting a PR review) — skips silently
  *
- * The body is always tracked in lastProgressBody for the job summary regardless of comment state.
+ * The body is tracked in lastProgressBody for the job summary regardless of comment state,
+ * EXCEPT for `liveProgress` (todo-tracker) writes — see the param note below.
  *
  * The "existing plan comment" path always targets a top-level issue comment (plan comments are
  * created by create_issue_comment with type:"Plan", never as review-thread replies).
@@ -46,6 +47,7 @@ export declare const ReportProgress: import("arktype/internal/variants/object.ts
 export declare function reportProgress(ctx: ToolContext, params: {
     body: string;
     target_plan_comment?: boolean;
+    liveProgress?: boolean;
 }): Promise<{
     commentId?: number;
     url?: string;

package/dist/mcp/reviewComments.d.ts

@@ -1,9 +1,10 @@
 import type { Octokit } from "@octokit/rest";
 import type { ToolContext } from "./server.ts";
-export declare const REVIEW_THREADS_QUERY = "\nquery ($owner: String!, $name: String!, $prNumber: Int!) {\n  repository(owner: $owner, name: $name) {\n    pullRequest(number: $prNumber) {\n      reviewThreads(first: 100) {\n        nodes {\n          id\n          path\n          line\n          startLine\n          diffSide\n          isResolved\n          isOutdated\n          comments(first: 50) {\n            nodes {\n              fullDatabaseId\n              body\n              createdAt\n              diffHunk\n              line\n              startLine\n              originalLine\n              originalStartLine\n              author { login }\n              pullRequestReview {\n                databaseId\n                author { login }\n              }\n              reactionGroups {\n                content\n                reactors(first: 10) {\n                  nodes {\n                    ... on Actor { login }\n                  }\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n";
+export declare const REVIEW_THREADS_QUERY = "\nquery ($owner: String!, $name: String!, $prNumber: Int!) {\n  repository(owner: $owner, name: $name) {\n    pullRequest(number: $prNumber) {\n      reviewThreads(first: 100) {\n        nodes {\n          id\n          path\n          line\n          startLine\n          diffSide\n          isResolved\n          isOutdated\n          comments(first: 50) {\n            nodes {\n              fullDatabaseId\n              body\n              bodyHTML\n              createdAt\n              diffHunk\n              line\n              startLine\n              originalLine\n              originalStartLine\n              author { login }\n              pullRequestReview {\n                databaseId\n                author { login }\n              }\n              reactionGroups {\n                content\n                reactors(first: 10) {\n                  nodes {\n                    ... on Actor { login }\n                  }\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n";
 export type ReviewThreadComment = {
     fullDatabaseId: string | null;
     body: string;
+    bodyHTML: string;
     createdAt: string;
     diffHunk: string;
     line: number | null;
@@ -96,6 +97,8 @@ interface GetReviewDataInput {
     pullNumber: number;
     reviewId: number;
     approvedBy?: string | undefined;
+    tmpdir: string;
+    githubToken: string;
 }
 export interface FormatReviewDataInput {
     review: ReviewResponse;

package/dist/models.d.ts

@@ -104,6 +104,8 @@ export declare function getModelEnvVars(slug: string): string[];
 export declare function getModelManagedCredentials(slug: string): string[];
 export declare const modelAliases: ModelAlias[];
 export declare const DEFAULT_PROXY_MODEL: string;
+/** short label for the model auto-select picks today (console hint copy). */
+export declare function getAutoSelectHintModel(): string;
 /** resolve a model slug to its concrete models.dev specifier (e.g. "anthropic/claude-opus-4-6") */
 export declare function resolveModelSlug(slug: string): string | undefined;
 /**

package/dist/prep/types.d.ts

@@ -20,6 +20,8 @@ export type PrepResult = NodePrepResult | PythonPrepResult | UnknownLanguagePrep
 export type PrepOptions = {
     /** when true, lifecycle scripts (postinstall, etc.) are suppressed */
     ignoreScripts: boolean;
+    /** directory the corepack shim is installed into (see `packageManagerBinDir`) */
+    binDir: string;
 };
 export interface PrepDefinition {
     name: string;

package/dist/toolState.d.ts

@@ -102,7 +102,7 @@ export interface ToolState {
     learningsFilePath?: string;
     learningsSeed?: string;
     learningsPersistAttempted?: boolean;
-    output?: string;
+    output?: string | undefined;
     usageEntries: AgentUsage[];
     model?: string | undefined;
     modelFallback?: {

package/dist/utils/apiKeys.d.ts

@@ -1,10 +1,19 @@
-/** check if the user has a BYOK key for the given model's provider (does not throw) */
-export declare function hasProviderKey(model: string): boolean;
+/**
+ * Validate that the resolved model can actually be served by the chosen
+ * agent. For routing slugs (Bedrock / Vertex) the auth shape is multi-var
+ * (auth + region/location + model-id) and `opencode models` doesn't catch
+ * gaps in the latter two — keep dedicated setup validators. For the
+ * opencode path, the authoritative answer comes from OpenCode's own model
+ * introspection (`authorized` set captured in `openCodeModels.ts`). For
+ * the claude path, fall back to the static check (`ANTHROPIC_API_KEY` /
+ * `CLAUDE_CODE_OAUTH_TOKEN`).
+ */
 export declare function validateAgentApiKey(params: {
     agent: {
         name: string;
     };
     model: string | undefined;
+    authorized: Set<string>;
     owner: string;
     name: string;
 }): void;

package/dist/utils/assets.d.ts

@@ -0,0 +1,8 @@
+/**
+ * downloads any github-hosted image/video assets referenced in `markdown` to
+ * `<tmpdir>/assets` and rewrites the urls to the local file paths, so the agent can
+ * read screenshots directly instead of relying on remote (often short-lived, signed)
+ * urls. unique urls are downloaded once and every occurrence is rewritten. assets that
+ * fail to download are left untouched.
+ */
+export declare function downloadAssetsInMarkdown(markdown: string, tmpdir: string, githubToken: string): Promise<string>;

package/dist/utils/body.d.ts

@@ -5,6 +5,8 @@ interface ResolveBodyContext {
     event: PayloadEvent;
     octokit: OctokitWithPlugins;
     repo: RunContextData["repo"];
+    tmpdir: string;
+    githubToken: string;
 }
 /**
  * resolves the body of an event by fetching body_html and converting to markdown.
@@ -13,4 +15,20 @@ interface ResolveBodyContext {
  * broken user-attachments URLs.
  */
 export declare function resolveBody(ctx: ResolveBodyContext): Promise<string | null>;
+interface ResolveBodyAssetsContext {
+    body: string | null | undefined;
+    bodyHtml: string | null | undefined;
+    tmpdir: string;
+    githubToken: string;
+}
+/**
+ * downloads github-hosted image assets in a body to disk and rewrites the urls to local
+ * paths so the agent can read them. when the body has images and a rendered `bodyHtml`
+ * is supplied, the html is turndowned first: github only exposes attachments as signed,
+ * self-authenticating `*.githubusercontent.com` urls through body_html — the raw
+ * `github.com/user-attachments/...` urls in unrendered markdown 404 for the installation
+ * token. callers that fetch a body should request it with the `application/vnd.github.full+json`
+ * media type and pass `body_html` here.
+ */
+export declare function resolveBodyAssets(ctx: ResolveBodyAssetsContext): Promise<string | null>;
 export {};

package/dist/utils/byokFallback.d.ts

@@ -1,7 +1,6 @@
 /**
  * Slug we fall back to when a BYOK-required model is configured but the
- * runner has no provider key in env. Picked because it's free
- * (`isFree: true`, `envVars: []` — see `action/models.ts`), stable, and
+ * runner has no provider key in env. Picked because it's free, stable, and
  * currently served by OpenCode Zen without a key.
  *
  * The slug is intentionally hard-coded and not a config knob — the
@@ -18,32 +17,22 @@ export type FallbackDecision = {
     to: string;
 };
 /**
- * If the resolved model requires a BYOK key but no provider key is
- * available in env, return `fallback: true` with a free OpenCode slug
- * so the run can still succeed. Caller is responsible for swapping the
- * model state and surfacing the fallback (log line + run summary).
+ * If the resolved model is NOT in OpenCode's `authorized` set (the
+ * authoritative "what can OpenCode route right now" snapshot captured
+ * after dbSecrets + Codex auth.json are in place), swap to a free
+ * OpenCode slug so the run can still produce value. Caller is responsible
+ * for surfacing the swap (log line + run summary).
  *
- * Gates on `resolvedModel` directly (not the configured slug) so the
- * decision matches both code paths that reach this point: payload-based
- * config (`repo.model` from DB) and `PULLFROG_MODEL` env var. Both end
- * up in `resolvedModel` after `resolveModel()` runs upstream.
- *
- * Skip cases:
- *   - Router / proxy runs (`proxyModel` set): Pullfrog mints the key,
- *     no BYOK in play — never fall back.
- *   - No resolved model: keeps the existing auto-select-with-throw
- *     behavior in `validateAgentApiKey` for the "neither model nor
- *     key" case (genuine misconfig the user should see).
- *   - Resolved model is itself the free fallback: avoid suggesting we
- *     fell back to the model we're already running.
- *   - Resolved model is a Bedrock raw ID (no `/`): Bedrock has its own
- *     auth shape (`AWS_BEARER_TOKEN_BEDROCK` + region + model ID), and
- *     `validateBedrockSetup` already surfaces a tailored error. Skipping
- *     here also avoids `parseModel`'s slash requirement crashing inside
- *     `hasProviderKey`.
- *   - Resolved model has its provider key present: no fallback needed.
+ * Skip cases (return `fallback: false` without consulting `authorized`):
+ *   - Router / proxy runs (`proxyModel` set): Pullfrog mints the key.
+ *   - No resolved model: auto-select handles it downstream.
+ *   - Resolved model is the free fallback already.
+ *   - Resolved model is a raw Bedrock / Vertex ID (no `/`): the routing
+ *     validators (`validateBedrockSetup` / `validateVertexSetup`) cover
+ *     auth + region/location/model-id; `opencode models` does not.
  */
 export declare function selectFallbackModelIfNeeded(input: {
     resolvedModel: string | undefined;
     proxyModel: string | undefined;
+    authorized: Set<string>;
 }): FallbackDecision;

package/dist/utils/codexHome.d.ts

@@ -1,15 +1,28 @@
+/** sandbox-hidden home for pullfrog-managed on-disk secrets in CI. bash via
+ * MCP shell tmpfs-overlays this path; opencode's internal auth module
+ * bypasses external_directory and reaches the real file. mirrors the
+ * pattern in action/agents/claude.ts installManagedSettings.
+ *
+ * not used for codex auth in local dev — the sandbox is no-op there, so
+ * the path doesn't matter. local dev keeps the existing $HOME path. */
+export declare const PULLFROG_DATA_DIR = "/var/lib/pullfrog";
 export interface InstalledCodexAuth {
     /** absolute path of the auth.json we wrote — caller passes this to the
      * post-hook via core.saveState for refresh-detection later. */
     authPath: string;
     /** value to set as XDG_DATA_HOME for the OpenCode subprocess. */
     xdgDataHome: string;
-    /** refresh_token from the env at materialization time. post-hook compares
-     * against the on-disk file after the run to detect whether OpenCode
-     * refreshed during the session. */
+    /** refresh_token from the env at materialization time. post-hook
+     * compares against the on-disk file after the run to detect whether
+     * OpenCode refreshed during the session (only happens on long runs
+     * that span >50min — see wiki/codex-auth.md "Concurrency"). */
     originalRefresh: string;
 }
 /** materialize CODEX_AUTH_JSON from env into a disk path OpenCode reads from.
  * returns null when the env var is absent, malformed, or wrong auth mode —
- * caller treats null as "no codex auth, fall through to API key flow". */
+ * caller treats null as "no codex auth, fall through to API key flow".
+ *
+ * The env value is server-side guaranteed fresh by `maybeRotateCodexSecret`
+ * in the run-context endpoint. We only parse + write it here; no refresh,
+ * no DB interaction. */
 export declare function installCodexAuth(): InstalledCodexAuth | null;

package/dist/utils/codexOAuth.d.ts

@@ -0,0 +1,60 @@
+/**
+ * Pure-stdlib (fetch + Buffer) Codex OAuth refresh + JWT exp decoding.
+ *
+ * Lives here (not in codexAuth.ts) so the Next.js server side can import it
+ * via pullfrog/internal without dragging in node:child_process / spawn /
+ * mkdtemp from the rest of codexAuth.ts. Used by:
+ *   - action/utils/codexAuth.ts (re-exports refreshCodexAuthBody)
+ *   - utils/codexSecretRotation.ts (server-side maybeRotate at run-context)
+ *
+ * See wiki/codex-auth.md for the end-to-end refresh lifecycle.
+ */
+export interface CodexAuthBody {
+    auth_mode: "chatgpt";
+    tokens: {
+        access_token: string;
+        refresh_token: string;
+        id_token?: string;
+        account_id?: string;
+    };
+    last_refresh?: string;
+}
+/** OAuth client id Codex CLI and OpenCode both use against `auth.openai.com`.
+ * Same chain — a refresh token minted via `codex login --device-auth` can be
+ * refreshed against this client_id. */
+export declare const CODEX_OAUTH_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+export declare const CODEX_OAUTH_TOKEN_URL = "https://auth.openai.com/oauth/token";
+/** thrown when the OAuth provider rejects the refresh token (4xx). callers
+ * can distinguish "race-lost / token revoked" from network errors via
+ * `instanceof OAuthInvalidGrantError`. */
+export declare class OAuthInvalidGrantError extends Error {
+    readonly status: number;
+    constructor(status: number, body: string);
+}
+/** force one refresh round-trip against the OAuth provider. returns the
+ * rotated Codex-shaped blob (the auth.json body verbatim). does NOT persist
+ * — caller is responsible for writing back to wherever the token lives.
+ *
+ * server-side callers (maybeRotateCodexSecret) hold a DB row lock around
+ * this call so concurrent runs serialize: first one rotates, subsequent
+ * ones see the fresh value and skip. The 10s timeout is critical for that
+ * use: it caps how long a stalled auth.openai.com holds the row lock,
+ * keeping us well under the enclosing 30s transaction budget so the lock
+ * always releases and queued callers get a turn instead of timing out on
+ * the tx wrapper. Real OAuth latency is sub-second; 10s is generous. */
+export declare function refreshCodexAuthBody(body: CodexAuthBody): Promise<CodexAuthBody>;
+/** decode the access_token's JWT payload and return its `exp` claim in ms
+ * since epoch. returns null if the token isn't a parseable JWT or has no
+ * `exp` claim — caller falls back to "treat as expired".
+ *
+ * We don't verify the JWT signature (we'd need OpenAI's JWKS); we're only
+ * using the claim as a freshness hint. The actual auth check happens
+ * server-side at OpenAI when the token is used — trusting a fake JWT here
+ * would just delay the inevitable 401 from OpenAI. No security boundary
+ * at this decode step. */
+export declare function decodeJwtExpMs(token: string): number | null;
+/** parse + validate a Codex auth.json body from its JSON-string form.
+ * returns null on any shape mismatch — caller treats as "no codex auth". */
+export declare function parseCodexAuthBody(raw: string): CodexAuthBody | null;
+/** serialize a CodexAuthBody to its canonical on-disk form. */
+export declare function stringifyCodexAuthBody(body: CodexAuthBody): string;

package/dist/utils/instructions.d.ts

@@ -17,6 +17,10 @@ interface InstructionsContext {
      * inline into the LEARNINGS prompt section so the agent can `read_file`
      * targeted line ranges instead of pulling the whole file into context. */
     learningsHeadings: LearningsHeading[];
+    /** agent-facing description of a setup lifecycle hook failure (see
+     * `describeSetupFailure`), rendered as a SETUP HOOK FAILED banner. empty
+     * string when the hook succeeded, was skipped, or wasn't configured. */
+    setupHookFailure: string;
 }
 export interface ResolvedInstructions {
     full: string;

package/dist/utils/lifecycle.d.ts

@@ -1,6 +1,18 @@
 export interface ExecuteLifecycleHookParams {
     event: string;
     script: string | null;
+    /**
+     * when true, after the hook runs (success or failure), discard tracked-file
+     * mods so the agent doesn't see hook-generated drift (e.g. `pnpm install`
+     * rewriting a lockfile). untracked files are preserved — hooks that
+     * intentionally materialize files (e.g. a `.env` from a template) stay
+     * visible to the agent. skipped (with a warning) if the tree had
+     * pre-existing tracked changes before the hook ran, so we never clobber
+     * pre-existing work; pre-existing untracked files are ignored for this
+     * gate because `git restore --staged --worktree .` doesn't touch them
+     * anyway. no-op when no script was configured.
+     */
+    normalizeWorkingTreeAfter?: boolean;
 }
 /** structured failure info — `output` on the `exit` variant is trimmed
  * stderr, falling back to stdout when stderr is empty. */
@@ -14,6 +26,10 @@ export type LifecycleHookFailure = {
     kind: "spawn";
     spawnError: string;
 };
+/** one-line, agent-facing description of a hook failure. empty string when
+ * there was no failure, so callers can pass the result straight through to a
+ * prompt section that omits itself on empty. */
+export declare function describeSetupFailure(failure: LifecycleHookFailure | undefined): string;
 export interface LifecycleHookResult {
     /**
      * human-readable warning when the hook failed. includes retry guidance:
@@ -34,8 +50,8 @@ export interface LifecycleHookResult {
  * execute a lifecycle hook script if one is configured.
  *
  * soft-fails: instead of throwing on hook errors, returns a warning string
- * (and structured failure info) so callers can choose whether to surface
- * it (mcp tools) or upgrade it to a fatal error (setup). timeouts are
- * flagged as non-retryable in the warning text.
+ * (and structured failure info) so callers can choose how to surface it
+ * (mcp tools relay it to the agent; setup logs it and adds a prompt banner).
+ * timeouts are flagged as non-retryable in the warning text.
  */
 export declare function executeLifecycleHook(params: ExecuteLifecycleHookParams): Promise<LifecycleHookResult>;

package/dist/utils/openCodeModels.d.ts

@@ -0,0 +1,11 @@
+/** Snapshot the set of models OpenCode can serve from the current env, BEFORE
+ * Pullfrog-stored credentials are merged in. Call once early in `main.ts`. */
+export declare function captureBaselineModels(cliPath: string): void;
+/** Snapshot the set of models OpenCode can serve AFTER dbSecrets +
+ * Codex auth.json are in place. Logs the diff against the baseline as
+ * `» BYOK auth enabled N model(s): …`. */
+export declare function captureAuthorizedModels(cliPath: string): void;
+/** Authorized set captured after Pullfrog-stored auth is applied. Throws if
+ * called before `captureAuthorizedModels` — the call sites (fallback gate,
+ * api-key validation, auto-select) all run strictly after capture. */
+export declare function getAuthorizedModels(): Set<string>;