pullfrog 0.1.23 → 0.1.25

package/dist/agents/claudePretoolGate.d.ts

@@ -54,8 +54,17 @@ export declare const CLAUDE_PRETOOL_GATE_SOURCE: string;
  * literal JSON string per claude-code source `src/main.tsx` (`Path to a
  * settings JSON file or a JSON string`), but we use a path so the script
  * and its config sit side-by-side under `ctx.tmpdir`.
+ *
+ * `execToolDenyRules` are the native exec tools (Bash/Monitor/REPL/Workflow +
+ * their `Agent(...)` forms) to deny at a settings-source rule — the
+ * authoritative, bypass-immune layer. `--disallowedTools` alone (a `cliArg`
+ * deny) was observed to leak under `--dangerously-skip-permissions`, so the
+ * deny is carried here too. Both consumers use both returned fields: the flag
+ * `--settings` JSON (covers non-CI runs) writes the whole object, and
+ * `buildManagedSettings` (CI, /etc managed settings) spreads `hooks` and folds
+ * `permissions.deny` into its richer deny list.
  */
-export declare function buildClaudePretoolGateSettings(scriptAbsolutePath: string): {
+export declare function buildClaudePretoolGateSettings(scriptAbsolutePath: string, execToolDenyRules: string[]): {
     hooks: {
         PreToolUse: Array<{
             matcher: string;
@@ -66,4 +75,7 @@ export declare function buildClaudePretoolGateSettings(scriptAbsolutePath: strin
             }>;
         }>;
     };
+    permissions: {
+        deny: string[];
+    };
 };

package/dist/cli.mjs

@@ -100992,7 +100992,7 @@ var providers = {
         openRouterResolve: "openrouter/moonshotai/kimi-k2.6"
       },
       "minimax-m2.5": {
-        displayName: "MiniMax M2.5",
+        displayName: "MiniMax M2",
         resolve: "opencode/minimax-m2.5",
         openRouterResolve: "openrouter/minimax/minimax-m2.5"
       },
@@ -101009,7 +101009,7 @@ var providers = {
         fallback: "opencode/big-pickle"
       },
       "minimax-m2.5-free": {
-        displayName: "MiniMax M2.5",
+        displayName: "MiniMax M2",
         resolve: "opencode/minimax-m2.5-free",
         envVars: [],
         isFree: true,
@@ -101166,7 +101166,7 @@ var providers = {
         openRouterResolve: "openrouter/moonshotai/kimi-k2.6"
       },
       "minimax-m2.5": {
-        displayName: "MiniMax M2.5",
+        displayName: "MiniMax M2",
         resolve: "openrouter/minimax/minimax-m2.5",
         openRouterResolve: "openrouter/minimax/minimax-m2.5"
       }
@@ -101867,7 +101867,7 @@ var import_semver = __toESM(require_semver2(), 1);
 // package.json
 var package_default = {
   name: "pullfrog",
-  version: "0.1.23",
+  version: "0.1.25",
   type: "module",
   bin: {
     pullfrog: "dist/cli.mjs",
@@ -102520,7 +102520,7 @@ process.stdin.on("end", () => {
   process.exit(2);
 });
 `;
-function buildClaudePretoolGateSettings(scriptAbsolutePath) {
+function buildClaudePretoolGateSettings(scriptAbsolutePath, execToolDenyRules) {
   return {
     hooks: {
       PreToolUse: [
@@ -102539,7 +102539,8 @@ function buildClaudePretoolGateSettings(scriptAbsolutePath) {
           ]
         }
       ]
-    }
+    },
+    permissions: { deny: execToolDenyRules }
   };
 }
 
@@ -103565,10 +103566,11 @@ async function installClaudeCli() {
   });
 }
 var CLAUDE_EXEC_TOOLS = ["Bash", "Monitor", "REPL", "Workflow"];
-var CLAUDE_DISALLOWED_TOOLS = [
+var CLAUDE_EXEC_TOOL_DENY_RULES = [
   ...CLAUDE_EXEC_TOOLS,
   ...CLAUDE_EXEC_TOOLS.map((t2) => `Agent(${t2})`)
-].join(",");
+];
+var CLAUDE_DISALLOWED_TOOLS = CLAUDE_EXEC_TOOL_DENY_RULES.join(",");
 function writeMcpConfig(ctx) {
   const configDir = join5(ctx.tmpdir, ".claude");
   mkdirSync4(configDir, { recursive: true });
@@ -103588,7 +103590,8 @@ function writePretoolGateAssets(ctx) {
   writeFileSync4(scriptPath, CLAUDE_PRETOOL_GATE_SOURCE);
   chmodSync2(scriptPath, 493);
   const settingsPath = join5(ctx.tmpdir, "pullfrog-claude-settings.json");
-  writeFileSync4(settingsPath, JSON.stringify(buildClaudePretoolGateSettings(scriptPath)));
+  const settings = buildClaudePretoolGateSettings(scriptPath, CLAUDE_EXEC_TOOL_DENY_RULES);
+  writeFileSync4(settingsPath, JSON.stringify(settings));
   return { scriptPath, settingsPath };
 }
 function buildAgentsJson() {
@@ -103990,11 +103993,20 @@ function buildManagedSettings(params) {
     `Glob(${path4}/**)`,
     `Glob(/${path4}/**)`
   ]);
+  const gate = buildClaudePretoolGateSettings(
+    params.pretoolGateScriptPath,
+    CLAUDE_EXEC_TOOL_DENY_RULES
+  );
   const base = {
     allowManagedPermissionRulesOnly: true,
     allowManagedHooksOnly: true,
     permissions: {
       deny: [
+        // native exec tools — the authoritative, bypass-immune deny.
+        // `--disallowedTools` (a cliArg-source deny) leaked under
+        // `--dangerously-skip-permissions`; policySettings denies survive
+        // bypassPermissions mode. covers top-level + Agent(...) subagent use.
+        ...gate.permissions.deny,
         "Read(//proc/**)",
         "Read(//sys/**)",
         "Grep(//proc/**)",
@@ -104020,7 +104032,7 @@ function buildManagedSettings(params) {
     }
   };
   const hooks = {
-    ...buildClaudePretoolGateSettings(params.pretoolGateScriptPath).hooks
+    ...gate.hooks
   };
   if (params.stopHookPath) {
     hooks.Stop = [
@@ -107629,6 +107641,7 @@ function installCodexAuth() {
   mkdirSync5(opencodeDir, { recursive: true });
   writeFileSync5(authPath, `${JSON.stringify(opencodeAuth, null, 2)}
 `, { mode: 384 });
+  process.env.XDG_DATA_HOME = xdgDataHome;
   log.info(`\xBB installed Codex auth at ${authPath}`);
   return {
     authPath,
@@ -117953,6 +117966,9 @@ var addTools = (ctx, server, tools) => {
 };
 
 // mcp/comment.ts
+function isNotFoundError(error49) {
+  return error49 instanceof Error && error49.message.includes("Not Found");
+}
 function buildCommentFooter(ctx, customParts) {
   const runId = ctx.runId;
   return buildPullfrogFooter({
@@ -118109,7 +118125,30 @@ async function reportProgress(ctx, params) {
     const bodyWithoutFooter = stripExistingFooter(body);
     const footer = buildCommentFooter(ctx, customParts);
     const bodyWithFooter = `${bodyWithoutFooter}${footer}`;
-    const result = await updateProgressComment(apiCtx, existingComment, bodyWithFooter);
+    let result;
+    try {
+      result = await updateProgressComment(apiCtx, existingComment, bodyWithFooter);
+    } catch (error49) {
+      if (params.liveProgress || existingComment.type !== "review" || !isNotFoundError(error49) || issueNumber === void 0) {
+        throw error49;
+      }
+      log.warning(
+        `progress review comment ${existingComment.id} is gone (404); posting a top-level comment on #${issueNumber} instead`
+      );
+      const created2 = await createLeapingProgressComment(
+        apiCtx,
+        { kind: "issue", issueNumber },
+        bodyWithFooter
+      );
+      ctx.toolState.progressComment = created2.comment;
+      if (!params.liveProgress) ctx.toolState.wasUpdated = true;
+      return {
+        commentId: created2.comment.id,
+        url: created2.html_url,
+        body: created2.body || "",
+        action: "created"
+      };
+    }
     if (!params.liveProgress) ctx.toolState.wasUpdated = true;
     if (isPlanMode && result.node_id) {
       await patchWorkflowRunFields(ctx, { planCommentNodeId: result.node_id });
@@ -118212,10 +118251,7 @@ async function deleteProgressComment(ctx) {
       existing
     );
   } catch (error49) {
-    if (error49 instanceof Error && error49.message.includes("Not Found")) {
-    } else {
-      throw error49;
-    }
+    if (!isNotFoundError(error49)) throw error49;
   }
   ctx.toolState.progressComment = null;
   return true;
@@ -151957,7 +151993,7 @@ function classifyPushError(msg) {
   if (TRANSIENT_PATTERNS.some((p2) => p2.test(msg))) return "transient";
   return "unknown";
 }
-var TRANSIENT_RETRY_DELAYS_MS = [2e3, 5e3];
+var TRANSIENT_RETRY_DELAYS_MS = [2e3, 4e3, 8e3, 16e3, 3e4];
 async function pushWithRetry(args2, token) {
   let lastErr;
   for (let attempt = 0; attempt <= TRANSIENT_RETRY_DELAYS_MS.length; attempt++) {
@@ -155835,6 +155871,7 @@ function selectFallbackModelIfNeeded(input) {
   if (!input.resolvedModel) return { fallback: false };
   if (input.resolvedModel === FREE_FALLBACK_SLUG) return { fallback: false };
   if (!input.resolvedModel.includes("/")) return { fallback: false };
+  if (input.agentName === "claude") return { fallback: false };
   if (input.authorized.has(input.resolvedModel)) return { fallback: false };
   return {
     fallback: true,
@@ -161815,7 +161852,8 @@ async function main() {
         const fallback = selectFallbackModelIfNeeded({
           resolvedModel: initialResolvedModel,
           proxyModel: payload.proxyModel,
-          authorized: authorized2
+          authorized: authorized2,
+          agentName: resolveAgent({ model: initialResolvedModel }).name
         });
         const effectiveSlug = fallback.fallback ? fallback.to : payload.model;
         const resolvedModel = fallback.fallback ? fallback.to : initialResolvedModel;
@@ -163004,7 +163042,7 @@ async function run2() {
 }
 
 // cli.ts
-var VERSION10 = "0.1.23";
+var VERSION10 = "0.1.25";
 var bin = basename2(process.argv[1] || "");
 var PROG = bin === "pf" || bin === "pullfrog" ? bin : "pullfrog";
 var rawArgs = process.argv.slice(2);

package/dist/index.js

@@ -99192,7 +99192,7 @@ var providers = {
         openRouterResolve: "openrouter/moonshotai/kimi-k2.6"
       },
       "minimax-m2.5": {
-        displayName: "MiniMax M2.5",
+        displayName: "MiniMax M2",
         resolve: "opencode/minimax-m2.5",
         openRouterResolve: "openrouter/minimax/minimax-m2.5"
       },
@@ -99209,7 +99209,7 @@ var providers = {
         fallback: "opencode/big-pickle"
       },
       "minimax-m2.5-free": {
-        displayName: "MiniMax M2.5",
+        displayName: "MiniMax M2",
         resolve: "opencode/minimax-m2.5-free",
         envVars: [],
         isFree: true,
@@ -99366,7 +99366,7 @@ var providers = {
         openRouterResolve: "openrouter/moonshotai/kimi-k2.6"
       },
       "minimax-m2.5": {
-        displayName: "MiniMax M2.5",
+        displayName: "MiniMax M2",
         resolve: "openrouter/minimax/minimax-m2.5",
         openRouterResolve: "openrouter/minimax/minimax-m2.5"
       }
@@ -100067,7 +100067,7 @@ var import_semver = __toESM(require_semver2(), 1);
 // package.json
 var package_default = {
   name: "pullfrog",
-  version: "0.1.23",
+  version: "0.1.25",
   type: "module",
   bin: {
     pullfrog: "dist/cli.mjs",
@@ -100720,7 +100720,7 @@ process.stdin.on("end", () => {
   process.exit(2);
 });
 `;
-function buildClaudePretoolGateSettings(scriptAbsolutePath) {
+function buildClaudePretoolGateSettings(scriptAbsolutePath, execToolDenyRules) {
   return {
     hooks: {
       PreToolUse: [
@@ -100739,7 +100739,8 @@ function buildClaudePretoolGateSettings(scriptAbsolutePath) {
           ]
         }
       ]
-    }
+    },
+    permissions: { deny: execToolDenyRules }
   };
 }
 
@@ -101765,10 +101766,11 @@ async function installClaudeCli() {
   });
 }
 var CLAUDE_EXEC_TOOLS = ["Bash", "Monitor", "REPL", "Workflow"];
-var CLAUDE_DISALLOWED_TOOLS = [
+var CLAUDE_EXEC_TOOL_DENY_RULES = [
   ...CLAUDE_EXEC_TOOLS,
   ...CLAUDE_EXEC_TOOLS.map((t) => `Agent(${t})`)
-].join(",");
+];
+var CLAUDE_DISALLOWED_TOOLS = CLAUDE_EXEC_TOOL_DENY_RULES.join(",");
 function writeMcpConfig(ctx) {
   const configDir = join4(ctx.tmpdir, ".claude");
   mkdirSync4(configDir, { recursive: true });
@@ -101788,7 +101790,8 @@ function writePretoolGateAssets(ctx) {
   writeFileSync3(scriptPath, CLAUDE_PRETOOL_GATE_SOURCE);
   chmodSync2(scriptPath, 493);
   const settingsPath = join4(ctx.tmpdir, "pullfrog-claude-settings.json");
-  writeFileSync3(settingsPath, JSON.stringify(buildClaudePretoolGateSettings(scriptPath)));
+  const settings = buildClaudePretoolGateSettings(scriptPath, CLAUDE_EXEC_TOOL_DENY_RULES);
+  writeFileSync3(settingsPath, JSON.stringify(settings));
   return { scriptPath, settingsPath };
 }
 function buildAgentsJson() {
@@ -102190,11 +102193,20 @@ function buildManagedSettings(params) {
     `Glob(${path4}/**)`,
     `Glob(/${path4}/**)`
   ]);
+  const gate = buildClaudePretoolGateSettings(
+    params.pretoolGateScriptPath,
+    CLAUDE_EXEC_TOOL_DENY_RULES
+  );
   const base = {
     allowManagedPermissionRulesOnly: true,
     allowManagedHooksOnly: true,
     permissions: {
       deny: [
+        // native exec tools — the authoritative, bypass-immune deny.
+        // `--disallowedTools` (a cliArg-source deny) leaked under
+        // `--dangerously-skip-permissions`; policySettings denies survive
+        // bypassPermissions mode. covers top-level + Agent(...) subagent use.
+        ...gate.permissions.deny,
         "Read(//proc/**)",
         "Read(//sys/**)",
         "Grep(//proc/**)",
@@ -102220,7 +102232,7 @@ function buildManagedSettings(params) {
     }
   };
   const hooks = {
-    ...buildClaudePretoolGateSettings(params.pretoolGateScriptPath).hooks
+    ...gate.hooks
   };
   if (params.stopHookPath) {
     hooks.Stop = [
@@ -105871,6 +105883,7 @@ function installCodexAuth() {
   mkdirSync5(opencodeDir, { recursive: true });
   writeFileSync4(authPath, `${JSON.stringify(opencodeAuth, null, 2)}
 `, { mode: 384 });
+  process.env.XDG_DATA_HOME = xdgDataHome;
   log.info(`\xBB installed Codex auth at ${authPath}`);
   return {
     authPath,
@@ -116195,6 +116208,9 @@ var addTools = (ctx, server, tools) => {
 };
 
 // mcp/comment.ts
+function isNotFoundError(error49) {
+  return error49 instanceof Error && error49.message.includes("Not Found");
+}
 function buildCommentFooter(ctx, customParts) {
   const runId = ctx.runId;
   return buildPullfrogFooter({
@@ -116351,7 +116367,30 @@ async function reportProgress(ctx, params) {
     const bodyWithoutFooter = stripExistingFooter(body);
     const footer = buildCommentFooter(ctx, customParts);
     const bodyWithFooter = `${bodyWithoutFooter}${footer}`;
-    const result = await updateProgressComment(apiCtx, existingComment, bodyWithFooter);
+    let result;
+    try {
+      result = await updateProgressComment(apiCtx, existingComment, bodyWithFooter);
+    } catch (error49) {
+      if (params.liveProgress || existingComment.type !== "review" || !isNotFoundError(error49) || issueNumber === void 0) {
+        throw error49;
+      }
+      log.warning(
+        `progress review comment ${existingComment.id} is gone (404); posting a top-level comment on #${issueNumber} instead`
+      );
+      const created2 = await createLeapingProgressComment(
+        apiCtx,
+        { kind: "issue", issueNumber },
+        bodyWithFooter
+      );
+      ctx.toolState.progressComment = created2.comment;
+      if (!params.liveProgress) ctx.toolState.wasUpdated = true;
+      return {
+        commentId: created2.comment.id,
+        url: created2.html_url,
+        body: created2.body || "",
+        action: "created"
+      };
+    }
     if (!params.liveProgress) ctx.toolState.wasUpdated = true;
     if (isPlanMode && result.node_id) {
       await patchWorkflowRunFields(ctx, { planCommentNodeId: result.node_id });
@@ -116454,10 +116493,7 @@ async function deleteProgressComment(ctx) {
       existing
     );
   } catch (error49) {
-    if (error49 instanceof Error && error49.message.includes("Not Found")) {
-    } else {
-      throw error49;
-    }
+    if (!isNotFoundError(error49)) throw error49;
   }
   ctx.toolState.progressComment = null;
   return true;
@@ -150199,7 +150235,7 @@ function classifyPushError(msg) {
   if (TRANSIENT_PATTERNS.some((p) => p.test(msg))) return "transient";
   return "unknown";
 }
-var TRANSIENT_RETRY_DELAYS_MS = [2e3, 5e3];
+var TRANSIENT_RETRY_DELAYS_MS = [2e3, 4e3, 8e3, 16e3, 3e4];
 async function pushWithRetry(args2, token) {
   let lastErr;
   for (let attempt = 0; attempt <= TRANSIENT_RETRY_DELAYS_MS.length; attempt++) {
@@ -154077,6 +154113,7 @@ function selectFallbackModelIfNeeded(input) {
   if (!input.resolvedModel) return { fallback: false };
   if (input.resolvedModel === FREE_FALLBACK_SLUG) return { fallback: false };
   if (!input.resolvedModel.includes("/")) return { fallback: false };
+  if (input.agentName === "claude") return { fallback: false };
   if (input.authorized.has(input.resolvedModel)) return { fallback: false };
   return {
     fallback: true,
@@ -160057,7 +160094,8 @@ async function main() {
         const fallback = selectFallbackModelIfNeeded({
           resolvedModel: initialResolvedModel,
           proxyModel: payload.proxyModel,
-          authorized: authorized2
+          authorized: authorized2,
+          agentName: resolveAgent({ model: initialResolvedModel }).name
         });
         const effectiveSlug = fallback.fallback ? fallback.to : payload.model;
         const resolvedModel = fallback.fallback ? fallback.to : initialResolvedModel;

package/dist/internal.js

@@ -258,7 +258,7 @@ var providers = {
         openRouterResolve: "openrouter/moonshotai/kimi-k2.6"
       },
       "minimax-m2.5": {
-        displayName: "MiniMax M2.5",
+        displayName: "MiniMax M2",
         resolve: "opencode/minimax-m2.5",
         openRouterResolve: "openrouter/minimax/minimax-m2.5"
       },
@@ -275,7 +275,7 @@ var providers = {
         fallback: "opencode/big-pickle"
       },
       "minimax-m2.5-free": {
-        displayName: "MiniMax M2.5",
+        displayName: "MiniMax M2",
         resolve: "opencode/minimax-m2.5-free",
         envVars: [],
         isFree: true,
@@ -432,7 +432,7 @@ var providers = {
         openRouterResolve: "openrouter/moonshotai/kimi-k2.6"
       },
       "minimax-m2.5": {
-        displayName: "MiniMax M2.5",
+        displayName: "MiniMax M2",
         resolve: "openrouter/minimax/minimax-m2.5",
         openRouterResolve: "openrouter/minimax/minimax-m2.5"
       }

package/dist/utils/byokFallback.d.ts

@@ -1,3 +1,4 @@
+import type { AgentId } from "../external.ts";
 /**
  * Slug we fall back to when a BYOK-required model is configured but the
  * runner has no provider key in env. Picked because it's free, stable, and
@@ -30,9 +31,14 @@ export type FallbackDecision = {
  *   - Resolved model is a raw Bedrock / Vertex ID (no `/`): the routing
  *     validators (`validateBedrockSetup` / `validateVertexSetup`) cover
  *     auth + region/location/model-id; `opencode models` does not.
+ *   - The selected agent is `claude`: the Claude Code harness brings its own
+ *     auth and `resolveAgent` only returns it when that auth is present.
+ *     `opencode models` can't see `CLAUDE_CODE_OAUTH_TOKEN`, so without this
+ *     an OAuth-subscription run on an Anthropic model would wrongly fall back.
  */
 export declare function selectFallbackModelIfNeeded(input: {
     resolvedModel: string | undefined;
     proxyModel: string | undefined;
     authorized: Set<string>;
+    agentName: AgentId;
 }): FallbackDecision;

package/dist/utils/codexHome.d.ts

@@ -23,6 +23,7 @@ export interface InstalledCodexAuth {
  * caller treats null as "no codex auth, fall through to API key flow".
  *
  * The env value is server-side guaranteed fresh by `maybeRotateCodexSecret`
- * in the run-context endpoint. We only parse + write it here; no refresh,
- * no DB interaction. */
+ * in the run-context endpoint. We parse + write it here and set
+ * `process.env.XDG_DATA_HOME` so every opencode subprocess discovers the
+ * auth.json; no refresh, no DB interaction. */
 export declare function installCodexAuth(): InstalledCodexAuth | null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pullfrog",
-  "version": "0.1.23",
+  "version": "0.1.25",
   "type": "module",
   "bin": {
     "pullfrog": "dist/cli.mjs",