pullfrog 0.1.28 → 0.1.30

package/dist/cli.mjs

@@ -19991,10 +19991,10 @@ var require_core = __commonJS({
       (0, command_1.issueCommand)("set-env", { name }, convertedVal);
     }
     exports.exportVariable = exportVariable;
-    function setSecret6(secret) {
+    function setSecret7(secret) {
       (0, command_1.issueCommand)("add-mask", {}, secret);
     }
-    exports.setSecret = setSecret6;
+    exports.setSecret = setSecret7;
     function addPath(inputPath) {
       const filePath = process.env["GITHUB_PATH"] || "";
       if (filePath) {
@@ -20111,12 +20111,12 @@ Support boolean input list: \`true | True | TRUE | false | False | FALSE\``);
       return process.env[`STATE_${name}`] || "";
     }
     exports.getState = getState2;
-    function getIDToken4(aud) {
+    function getIDToken3(aud) {
       return __awaiter(this, void 0, void 0, function* () {
         return yield oidc_utils_1.OidcClient.getIDToken(aud);
       });
     }
-    exports.getIDToken = getIDToken4;
+    exports.getIDToken = getIDToken3;
     var summary_1 = require_summary();
     Object.defineProperty(exports, "summary", { enumerable: true, get: function() {
       return summary_1.summary;
@@ -93765,14 +93765,14 @@ var require_turndown_cjs = __commonJS({
         } else if (node2.nodeType === 1) {
           replacement = replacementForNode.call(self2, node2);
         }
-        return join23(output, replacement);
+        return join25(output, replacement);
       }, "");
     }
     function postProcess(output) {
       var self2 = this;
       this.rules.forEach(function(rule) {
         if (typeof rule.append === "function") {
-          output = join23(output, rule.append(self2.options));
+          output = join25(output, rule.append(self2.options));
         }
       });
       return output.replace(/^[\t\r\n]+/, "").replace(/[\t\r\n\s]+$/, "");
@@ -93784,7 +93784,7 @@ var require_turndown_cjs = __commonJS({
       if (whitespace.leading || whitespace.trailing) content = content.trim();
       return whitespace.leading + rule.replacement(content, node2, this.options) + whitespace.trailing;
     }
-    function join23(output, replacement) {
+    function join25(output, replacement) {
       var s1 = trimTrailingNewlines(output);
       var s2 = trimLeadingNewlines(replacement);
       var nls = Math.max(output.length - s1.length, replacement.length - s2.length);
@@ -100726,7 +100726,7 @@ import { dirname as dirname6 } from "node:path";
 // main.ts
 import { existsSync as existsSync8, readdirSync as readdirSync2 } from "node:fs";
 import { readFile as readFile5 } from "node:fs/promises";
-import { join as join22 } from "node:path";
+import { join as join24 } from "node:path";
 
 // agents/claude.ts
 import { execFileSync as execFileSync3 } from "node:child_process";
@@ -100743,11 +100743,20 @@ var providers = {
     displayName: "Anthropic",
     envVars: ["ANTHROPIC_API_KEY", "CLAUDE_CODE_OAUTH_TOKEN"],
     models: {
+      // OpenRouter serves claude-fable-5, but models.dev's OpenRouter mirror
+      // hasn't indexed it yet (shipped 2026-06-09), so the catalog drift gate
+      // can't validate an openRouterResolve. omit it until the mirror catches
+      // up; direct BYOK / Claude Code resolves anthropic/claude-fable-5 fine.
+      "claude-fable": {
+        displayName: "Claude Fable",
+        resolve: "anthropic/claude-fable-5",
+        preferred: true,
+        subagentModel: "claude-sonnet"
+      },
       "claude-opus": {
         displayName: "Claude Opus",
         resolve: "anthropic/claude-opus-4-8",
         openRouterResolve: "openrouter/anthropic/claude-opus-4.8",
-        preferred: true,
         subagentModel: "claude-sonnet"
       },
       "claude-sonnet": {
@@ -100813,7 +100822,8 @@ var providers = {
       },
       o3: {
         displayName: "O3",
-        resolve: "openai/o3"
+        resolve: "openai/o3",
+        openRouterResolve: "openrouter/openai/o3"
       }
     }
   }),
@@ -101183,6 +101193,18 @@ function parseModel(slug2) {
 function getModelProvider(slug2) {
   return parseModel(slug2).provider;
 }
+function getModelEnvVars(slug2) {
+  const parsed2 = parseModel(slug2);
+  const providerConfig = providers[parsed2.provider];
+  if (!providerConfig) {
+    return [];
+  }
+  const modelConfig = providerConfig.models[parsed2.model];
+  if (modelConfig?.envVars) {
+    return modelConfig.envVars.slice();
+  }
+  return providerConfig.envVars.slice();
+}
 var modelAliases = Object.entries(providers).flatMap(
   ([providerKey, config3]) => Object.entries(config3.models).map(([modelId, def]) => ({
     slug: `${providerKey}/${modelId}`,
@@ -101207,6 +101229,9 @@ if (!defaultProxyAlias?.openRouterResolve) {
 }
 var DEFAULT_PROXY_MODEL = defaultProxyAlias.openRouterResolve;
 var defaultProxyDisplayName = defaultProxyAlias.displayName;
+function resolveModelSlug(slug2) {
+  return modelAliases.find((a) => a.slug === slug2)?.resolve;
+}
 var MAX_FALLBACK_DEPTH = 10;
 function resolveDisplayAlias(slug2) {
   let current = slug2;
@@ -101354,6 +101379,51 @@ function createProcessOutputActivityTimeout(ctx) {
   };
 }
 
+// utils/claudeSubscription.ts
+var CLAUDE_CODE_IDENTITY = "You are Claude Code, Anthropic's official CLI for Claude.";
+var fallbackResolve = resolveModelSlug("anthropic/claude-haiku");
+if (!fallbackResolve) {
+  throw new Error("claudeSubscription preflight: anthropic/claude-haiku missing from registry");
+}
+var FALLBACK_PROBE_MODEL = fallbackResolve.slice(fallbackResolve.indexOf("/") + 1);
+async function preflightClaudeSubscription(params) {
+  let res;
+  try {
+    res = await fetch("https://api.anthropic.com/v1/messages", {
+      method: "POST",
+      headers: {
+        authorization: `Bearer ${params.token}`,
+        "anthropic-beta": "claude-code-20250219,oauth-2025-04-20",
+        "anthropic-version": "2023-06-01",
+        "content-type": "application/json",
+        "x-app": "cli"
+      },
+      body: JSON.stringify({
+        model: params.model ?? FALLBACK_PROBE_MODEL,
+        max_tokens: 1,
+        system: CLAUDE_CODE_IDENTITY,
+        messages: [{ role: "user", content: "ok" }]
+      }),
+      signal: AbortSignal.timeout(1e4)
+    });
+  } catch {
+    return { usable: true };
+  }
+  if (res.status !== 401 && res.status !== 429) return { usable: true };
+  const body = await res.text().catch(() => "");
+  return { usable: false, reason: `${res.status}: ${extractApiErrorMessage(body)}` };
+}
+function extractApiErrorMessage(body) {
+  try {
+    const parsed2 = JSON.parse(body);
+    if (typeof parsed2 === "object" && parsed2 !== null && "error" in parsed2 && typeof parsed2.error === "object" && parsed2.error !== null && "message" in parsed2.error && typeof parsed2.error.message === "string") {
+      return parsed2.error.message;
+    }
+  } catch {
+  }
+  return body.slice(0, 200);
+}
+
 // utils/log.ts
 var core = __toESM(require_core(), 1);
 var import_table = __toESM(require_src2(), 1);
@@ -101867,7 +101937,7 @@ var import_semver = __toESM(require_semver2(), 1);
 // package.json
 var package_default = {
   name: "pullfrog",
-  version: "0.1.28",
+  version: "0.1.30",
   type: "module",
   bin: {
     pullfrog: "dist/cli.mjs",
@@ -102442,10 +102512,13 @@ function resolveVertexOpenCodeModel(model) {
 var SUBAGENT_DENIED_TOOLS = [
   // working-tree mutation: switches HEAD onto pr-N and registers a push remote
   "checkout_pr",
-  // remote mutation: pushes commits / branches / tags / deletes a branch
+  // remote mutation: pushes commits / branches / tags / deletes a branch.
+  // commit_changes lands the orchestrator's (possibly half-finished) shared
+  // working tree directly on the remote — strictly worse than push_branch.
   "push_branch",
   "push_tags",
   "delete_branch",
+  "commit_changes",
   // GitHub PR state mutation
   "create_pull_request",
   "update_pull_request_body",
@@ -102710,8 +102783,10 @@ Inline comments use the same severity framing as body \`### \` sections, scaled
 - **Don't repeat diff content**, don't include raw \`+123 / -45\` stats, don't include a changelog section, don't use horizontal rules (\`---\`).
 - **Pull file/commit counts from \`checkout_pr\` metadata** \u2014 never count manually.
 - **Legacy headings REMOVED.** Do not use \`### Key changes\`, \`### Issues found\`, \`<b>TL;DR</b>\`, or \`<sub><b>Summary</b>\`. The new structure subsumes them.`;
-function computeModes(agentId) {
+function computeModes(agentId, signedCommits = false) {
   const t2 = (toolName) => formatMcpToolRef(agentId, toolName);
+  const commitStep = signedCommits ? `commit via \`${t2("commit_changes")}\` \u2014 it lands a GitHub-signed commit directly on the remote branch (no push step)` : `commit locally via shell (\`git add . && git commit -m "..."\`)`;
+  const finalizeStep = signedCommits ? `confirm a clean working tree (\`git status\`) \u2014 your \`${t2("commit_changes")}\` calls already landed the work on the remote` : `confirm a clean working tree, then push via \`${t2("push_branch")}\``;
   return [
     {
       name: "Build",
@@ -102782,10 +102857,10 @@ function computeModes(agentId) {
    - Do NOT defect-hunt the diff yourself in parallel with the subagent. Your role is dispatch + evaluation; doing the review yourself reintroduces the implementation bias the subagent is meant to mitigate.
    - For diffs that rely on third-party API contracts, SDK semantics, framework directives, or DB engine specifics, instruct the subagent to verify load-bearing claims via web search and quote source URLs rather than trust training data \u2014 this is the single most common review-quality failure mode.
 
-   Be **discerning** about what comes back. The reviewer is an AI subagent and is fallible \u2014 treat every finding as a hypothesis, not a directive, and **verify each one yourself** against the diff and the code before deciding whether to apply. You are searching for a solution that is **complete, minimal, and elegant** \u2014 you may need to think hard to find it. Do not over-engineer, do not be over-defensive, **do not write AI slop**. Reviewers bias toward *recommending additions*, and that bias has a recognizable slop texture: defensive checks for cases that cannot happen, extra logging, new abstractions used once, comments restating code, tests asserting tautologies, "just-in-case" guards, error handlers for cases the type system already rules out. Reject those. For each surviving finding, ask: would applying it leave the code more sound, correct, AND elegant? Two-out-of-three means look harder for a fix that gets all three before settling. After applying the fixes you accept, re-read your diff and be discerning about what *you just changed*: if any fix turned out to be bloat in context, revert it. Then verify only intended changes are present, no debug artifacts or commented-out code remain, no unrelated files were modified. Commit locally via shell (\`git add . && git commit -m "..."\`).
+   Be **discerning** about what comes back. The reviewer is an AI subagent and is fallible \u2014 treat every finding as a hypothesis, not a directive, and **verify each one yourself** against the diff and the code before deciding whether to apply. You are searching for a solution that is **complete, minimal, and elegant** \u2014 you may need to think hard to find it. Do not over-engineer, do not be over-defensive, **do not write AI slop**. Reviewers bias toward *recommending additions*, and that bias has a recognizable slop texture: defensive checks for cases that cannot happen, extra logging, new abstractions used once, comments restating code, tests asserting tautologies, "just-in-case" guards, error handlers for cases the type system already rules out. Reject those. For each surviving finding, ask: would applying it leave the code more sound, correct, AND elegant? Two-out-of-three means look harder for a fix that gets all three before settling. After applying the fixes you accept, re-read your diff and be discerning about what *you just changed*: if any fix turned out to be bloat in context, revert it. Then verify only intended changes are present, no debug artifacts or commented-out code remain, no unrelated files were modified. Then ${commitStep}.
 
 6. **finalize**:
-   - confirm a clean working tree, then push via \`${t2("push_branch")}\` (see *SYSTEM* Git rules if this fails \u2014 prepush errors are usually the repo's tests/lint, not infra timeouts)
+   - ${finalizeStep} (see *SYSTEM* Git rules if this fails \u2014 prepush errors are usually the repo's tests/lint, not infra timeouts)
    - create a PR via \`${t2("create_pull_request")}\`
    - call \`${t2("report_progress")}\` with the PR link or the exact error if push/PR failed
 
@@ -102813,12 +102888,12 @@ For simple, well-defined tasks, skip the plan phase and go straight to build.`
 
 5. Quality check:
    - test changes, then review the diff before committing \u2014 verify only intended changes are present, no debug artifacts remain, no fix turned out to be bloat in context (revert any that did), and the changes are clean enough that a senior engineer would approve without hesitation
-   - commit locally via shell (\`git add . && git commit -m "..."\`)
+   - ${commitStep}
 
 6. Finalize. Reply + resolve are paired write actions: do BOTH or NEITHER for each thread.
-   - confirm a clean working tree, then push via \`${t2("push_branch")}\` (same push/prepush guidance as Build mode in *SYSTEM*)
-   - **if push fails**, call \`${t2("report_progress")}\` with the exact error and STOP \u2014 do NOT reply or resolve any thread until the fix is live on the remote. Resolving a thread without the fix landing misleads the reviewer.
-   - **on push success**, for each thread you acted on:
+   - ${finalizeStep} (same push/prepush guidance as Build mode in *SYSTEM*)
+   - **if the push/commit fails**, call \`${t2("report_progress")}\` with the exact error and STOP \u2014 do NOT reply or resolve any thread until the fix is live on the remote. Resolving a thread without the fix landing misleads the reviewer.
+   - **once the fix is live on the remote**, for each thread you acted on:
      - reply ONCE via \`${t2("reply_to_review_comment")}\`. The \`comment_id\` parameter takes the root comment's numeric \`id=\` (from the first \`comment author=...\` tag in the \`${t2("get_review_comments")}\` output) \u2014 NOT the \`thread=\` value; that's a separate GraphQL ID used by resolve. The runtime dedupes identical bodies within a session.
      - **immediately** call \`${t2("resolve_review_thread")}\` with that thread's \`thread=\` value as \`thread_id\`. Resolve every thread where you (a) made the requested code change in full \u2014 partial fixes leave the thread open \u2014 OR (b) replied with a substantive answer the user explicitly asked for. Do NOT resolve threads where you pushed back on the request and the disagreement is unresolved; leave those open for the human to mediate.
    - call \`${t2("report_progress")}\` with a brief summary`
@@ -103093,10 +103168,10 @@ ${PR_SUMMARY_FORMAT}`
    - fix the issue using your native file and shell tools
    - verify the fix by re-running the exact CI command
    - review the diff before committing \u2014 verify only the fix is present, no debug artifacts, no unrelated changes. the fix should be clean enough that a senior engineer would approve without hesitation.
-   - commit locally via shell (\`git add . && git commit -m "..."\`)
+   - ${commitStep}
 
 6. Finalize:
-   - confirm a clean working tree, then push via \`${t2("push_branch")}\` (same push/prepush guidance as Build mode in *SYSTEM*)
+   - ${finalizeStep} (same push/prepush guidance as Build mode in *SYSTEM*)
    - call \`${t2("report_progress")}\` with the diagnosis and fix summary (or the exact push error if push failed)`
     },
     {
@@ -103112,8 +103187,8 @@ ${PR_SUMMARY_FORMAT}`
    - Call \`${t2("git_fetch")}\` to fetch the base branch.
 
 3. **Merge Attempt**:
-   - Run \`git merge origin/<base_branch>\` via shell.
-   - If it succeeds automatically, confirm a clean working tree, push via \`${t2("push_branch")}\` (same push/prepush guidance as Build mode in *SYSTEM*), and call \`${t2("report_progress")}\` with a brief success note or the exact push error if push failed \u2014 **then stop; do not run steps 4\u20135.**
+   - Run \`git merge ${signedCommits ? "--no-commit " : ""}origin/<base_branch>\` via shell.
+   - If it succeeds automatically, ${signedCommits ? `conclude it via \`${t2("commit_changes")}\` (it turns the pending merge into a signed merge commit on the remote)` : `confirm a clean working tree, push via \`${t2("push_branch")}\` (same push/prepush guidance as Build mode in *SYSTEM*)`}, and call \`${t2("report_progress")}\` with a brief success note or the exact error if it failed \u2014 **then stop; do not run steps 4\u20135.**
    - If it fails (conflicts), resolve them manually (continue to steps 4\u20135).
 
 4. **Resolve Conflicts**:
@@ -103123,8 +103198,8 @@ ${PR_SUMMARY_FORMAT}`
 
 5. **Finalize**:
    - Run a final verification (build/test) to ensure the resolution works.
-   - \`git add . && git commit -m "resolve merge conflicts"\`
-   - confirm a clean working tree, then push via \`${t2("push_branch")}\` (same push/prepush guidance as Build mode in *SYSTEM*)
+   - ${signedCommits ? `\`git add .\`, then conclude via \`${t2("commit_changes")}\` with message "resolve merge conflicts"` : `\`git add . && git commit -m "resolve merge conflicts"\``}
+   - ${finalizeStep} (same push/prepush guidance as Build mode in *SYSTEM*)
    - Call \`${t2("report_progress")}\` with a summary of what was resolved (or the exact push error if push failed)`
     },
     {
@@ -103143,7 +103218,7 @@ ${PR_SUMMARY_FORMAT}`
    - if code changes are needed: review your own diff before committing \u2014 verify only intended changes are present, no debug artifacts remain, and the changes are clean enough that a senior engineer would approve without hesitation
 
 4. Finalize:
-   - if code changes were made, push to a pull request (new or existing) using \`${t2("push_branch")}\` and \`${t2("create_pull_request")}\` as needed. \`git status\` must be clean before you finish (see *SYSTEM* Git rules if push fails).
+   - if code changes were made, get them onto a pull request (new or existing) using ${signedCommits ? `\`${t2("commit_changes")}\`` : `\`${t2("push_branch")}\``} and \`${t2("create_pull_request")}\` as needed. \`git status\` must be clean before you finish (see *SYSTEM* Git rules if this fails).
    - call \`${t2("report_progress")}\` once with results \u2014 include exact tool errors if push or PR creation failed
    - if the task involved labeling, commenting, or other GitHub operations, perform those directly`
     }
@@ -104123,10 +104198,21 @@ var claude = agent({
         env2.ANTHROPIC_MODEL = specifier;
       }
       if (env2.CLAUDE_CODE_OAUTH_TOKEN && !isBedrockRoute && env2.ANTHROPIC_API_KEY) {
-        log.debug(
-          "\xBB CLAUDE_CODE_OAUTH_TOKEN present \u2014 stripping ANTHROPIC_API_KEY from Claude Code env so the OAuth subscription is used"
-        );
-        delete env2.ANTHROPIC_API_KEY;
+        const preflight = await preflightClaudeSubscription({
+          token: env2.CLAUDE_CODE_OAUTH_TOKEN,
+          model
+        });
+        if (preflight.usable) {
+          log.debug(
+            "\xBB CLAUDE_CODE_OAUTH_TOKEN present \u2014 stripping ANTHROPIC_API_KEY from Claude Code env so the OAuth subscription is used"
+          );
+          delete env2.ANTHROPIC_API_KEY;
+        } else {
+          log.info(
+            `\xBB Claude subscription unusable (${preflight.reason}) \u2014 falling back to ANTHROPIC_API_KEY`
+          );
+          delete env2.CLAUDE_CODE_OAUTH_TOKEN;
+        }
       }
       log.info(`\xBB effort: ${effort}`);
       log.debug(`\xBB starting Pullfrog (Claude Code): ${cliPath} ${baseArgs.join(" ")}`);
@@ -117144,15 +117230,6 @@ function isLocalApiUrl() {
 // utils/buildPullfrogFooter.ts
 var PULLFROG_DIVIDER = "<!-- PULLFROG_DIVIDER_DO_NOT_REMOVE_PLZ -->";
 var FROG_LOGO = `<a href="https://pullfrog.com"><picture><source media="(prefers-color-scheme: dark)" srcset="https://pullfrog.com/logos/frog-white-full-18px.png"><img src="https://pullfrog.com/logos/frog-green-full-18px.png" width="9px" height="9px" style="vertical-align: middle; " alt="Pullfrog"></picture></a>`;
-function providerDisplayName(slug2) {
-  try {
-    const key = getModelProvider(slug2);
-    const meta3 = providers[key];
-    return meta3?.displayName ?? key;
-  } catch {
-    return slug2;
-  }
-}
 function formatModelLabel(params) {
   const alias = resolveDisplayAlias(params.model) ?? // reverse-lookup: when the caller passes an effective model (proxy or
   // resolved target like "openrouter/anthropic/claude-opus-4.7") instead of
@@ -117163,9 +117240,7 @@ function formatModelLabel(params) {
   if (params.oss) {
     return `\`${displayName}\` (free via [Pullfrog for OSS](https://pullfrog.com/for-oss))`;
   }
-  const base = alias?.isFree ? `\`${displayName}\` (free)` : `\`${displayName}\``;
-  if (!params.fallbackFrom) return base;
-  return `${base} (credentials for ${providerDisplayName(params.fallbackFrom)} not configured)`;
+  return alias?.isFree ? `\`${displayName}\` (free)` : `\`${displayName}\``;
 }
 function buildPullfrogFooter(params) {
   const parts = [];
@@ -117183,9 +117258,7 @@ function buildPullfrogFooter(params) {
     parts.push("via [Pullfrog](https://pullfrog.com)");
   }
   if (params.model) {
-    parts.push(
-      `Using ${formatModelLabel({ model: params.model, fallbackFrom: params.fallbackFrom, oss: params.oss })}`
-    );
+    parts.push(`Using ${formatModelLabel({ model: params.model, oss: params.oss })}`);
   }
   const allParts = [...parts, "[\u{1D54F}](https://x.com/pullfrogai)"];
   return `
@@ -117983,7 +118056,6 @@ function buildCommentFooter(ctx, customParts) {
     } : void 0,
     customParts,
     model: ctx.toolState.model,
-    fallbackFrom: ctx.toolState.modelFallback?.from,
     oss: ctx.oss
   });
 }
@@ -119057,24 +119129,60 @@ var installPythonDependencies = {
 
 // prep/index.ts
 var prepSteps = [installNodeDependencies, installPythonDependencies];
+async function dirtyTrackedPaths() {
+  const result = await spawn3({
+    cmd: "git",
+    args: ["diff", "--name-only", "HEAD"],
+    env: process.env,
+    activityTimeout: 0
+  });
+  if (result.exitCode !== 0) {
+    throw new Error(
+      `git diff --name-only HEAD failed (exit ${result.exitCode}): ${result.stderr.trim() || "(no stderr)"}`
+    );
+  }
+  return new Set(result.stdout.split("\n").filter(Boolean));
+}
+async function restorePrepDirtiedFiles(preDirty) {
+  const dirtied = [...await dirtyTrackedPaths()].filter((path4) => !preDirty.has(path4));
+  if (dirtied.length === 0) return;
+  const result = await spawn3({
+    cmd: "git",
+    args: ["restore", "--staged", "--worktree", "--", ...dirtied],
+    env: process.env,
+    activityTimeout: 0
+  });
+  if (result.exitCode !== 0) {
+    log.warning(
+      `\xBB failed to restore ${dirtied.length} tracked file(s) modified by prep: ${result.stderr.trim() || "(no stderr)"}`
+    );
+    return;
+  }
+  log.info(`\xBB restored ${dirtied.length} tracked file(s) modified by prep: ${dirtied.join(", ")}`);
+}
 async function runPrepPhase(options) {
   log.debug("\xBB starting prep phase...");
   const startTime = performance7.now();
   const results = [];
-  for (const step of prepSteps) {
-    const shouldRun = await step.shouldRun();
-    if (!shouldRun) {
-      log.debug(`\xBB skipping ${step.name} (not applicable)`);
-      continue;
-    }
-    log.debug(`\xBB running ${step.name}...`);
-    const result = await step.run(options);
-    results.push(result);
-    if (result.dependenciesInstalled) {
-      log.debug(`\xBB ${step.name}: dependencies installed`);
-    } else if (result.issues.length > 0) {
-      log.warning(`\xBB ${step.name}: ${result.issues[0]}`);
+  const preDirty = await dirtyTrackedPaths();
+  try {
+    for (const step of prepSteps) {
+      const shouldRun = await step.shouldRun();
+      if (!shouldRun) {
+        log.debug(`\xBB skipping ${step.name} (not applicable)`);
+        continue;
+      }
+      log.debug(`\xBB running ${step.name}...`);
+      const result = await step.run(options);
+      results.push(result);
+      if (result.dependenciesInstalled) {
+        log.debug(`\xBB ${step.name}: dependencies installed`);
+      } else if (result.issues.length > 0) {
+        log.warning(`\xBB ${step.name}: ${result.issues[0]}`);
+      }
     }
+  } finally {
+    await restorePrepDirtiedFiles(preDirty);
   }
   const totalDurationMs = performance7.now() - startTime;
   log.debug(`\xBB prep phase completed (${Math.round(totalDurationMs)}ms)`);
@@ -151257,7 +151365,7 @@ function closeBrowserDaemon(toolState) {
 // mcp/checkout.ts
 import { createHash as createHash2 } from "node:crypto";
 import { statSync, unlinkSync as unlinkSync3, writeFileSync as writeFileSync8 } from "node:fs";
-import { join as join13 } from "node:path";
+import { join as join15 } from "node:path";
 
 // utils/diffCoverage.ts
 import { isAbsolute, normalize as normalize2, resolve } from "node:path";
@@ -151527,6 +151635,7 @@ function readNumber(params) {
 import { execSync } from "node:child_process";
 import { createHash } from "node:crypto";
 import { readFileSync as readFileSync3, realpathSync, unlinkSync } from "node:fs";
+import { join as join11 } from "node:path";
 
 // utils/shell.ts
 import { spawnSync as spawnSync4 } from "node:child_process";
@@ -151596,6 +151705,18 @@ function verifyGitBinary() {
   }
   return gitBinary.path;
 }
+var hooksDirCache = /* @__PURE__ */ new Map();
+function resolveHooksDir(cwd, gitPath) {
+  const cached4 = hooksDirCache.get(cwd);
+  if (cached4) return cached4;
+  const commonDir = $2(gitPath, ["rev-parse", "--path-format=absolute", "--git-common-dir"], {
+    cwd,
+    log: false
+  }).trim();
+  const hooksDir = join11(commonDir, "hooks");
+  hooksDirCache.set(cwd, hooksDir);
+  return hooksDir;
+}
 var authServer;
 function setGitAuthServer(server) {
   authServer = server;
@@ -151617,6 +151738,8 @@ async function $git(subcommand, args2, options) {
     "protocol.file.allow=never",
     "-c",
     "core.sshCommand=ssh",
+    "-c",
+    `core.hooksPath=${resolveHooksDir(cwd, gitPath)}`,
     subcommand,
     ...args2
   ];
@@ -151886,7 +152009,274 @@ function postProcessRangeDiff(raw2, contextLines = 3) {
 // mcp/git.ts
 import { randomUUID as randomUUID3 } from "node:crypto";
 import { writeFileSync as writeFileSync7 } from "node:fs";
-import { join as join11 } from "node:path";
+import { join as join13 } from "node:path";
+
+// utils/apiCommit.ts
+import { execFileSync as execFileSync7 } from "node:child_process";
+import { lstat, readlink } from "node:fs/promises";
+import { join as join12 } from "node:path";
+var GITHUB_API = "https://api.github.com";
+var MAX_BLOB_BYTES = 30 * 1024 * 1024;
+var BLOB_UPLOAD_CONCURRENCY = 8;
+function getRepoRoot() {
+  return $2("git", ["rev-parse", "--show-toplevel"], { log: false }).trim();
+}
+async function gh(params) {
+  const response = await fetch(`${GITHUB_API}${params.path}`, {
+    method: params.method,
+    headers: {
+      Accept: "application/vnd.github+json",
+      Authorization: `Bearer ${params.token}`,
+      "X-GitHub-Api-Version": "2022-11-28",
+      "Content-Type": "application/json"
+    },
+    body: params.body === void 0 ? null : JSON.stringify(params.body)
+  });
+  const text = await response.text();
+  let json4;
+  try {
+    json4 = text ? JSON.parse(text) : null;
+  } catch {
+    json4 = text.slice(0, 500);
+  }
+  return { status: response.status, json: json4 };
+}
+function ghError(method, path4, result) {
+  return new Error(`${method} ${path4} failed (${result.status}): ${JSON.stringify(result.json)}`);
+}
+function isRetryable(status) {
+  return status === 403 || status === 429 || status >= 500;
+}
+function detectWorkingTreeChanges() {
+  const byPath = /* @__PURE__ */ new Map();
+  const diff = $2("git", ["diff", "--name-status", "--no-renames", "-z", "HEAD"], { log: false });
+  const tokens = diff.split("\0").filter((t2) => t2.length > 0);
+  for (let i = 0; i + 1 < tokens.length; i += 2) {
+    const status = tokens[i];
+    const path4 = tokens[i + 1];
+    if (status === void 0 || path4 === void 0) break;
+    if (status === "U") {
+      throw new Error(
+        `'${path4}' has unresolved merge conflicts. resolve the conflicts, stage the result with git add, then retry.`
+      );
+    }
+    byPath.set(path4, { path: path4, deleted: status === "D" });
+  }
+  const porcelain = $2("git", ["status", "--porcelain=v1", "-z", "-uall", "--no-renames"], {
+    log: false
+  });
+  for (const entry of porcelain.split("\0")) {
+    if (entry.startsWith("?? ") && !byPath.has(entry.slice(3))) {
+      const path4 = entry.slice(3);
+      byPath.set(path4, { path: path4, deleted: false });
+    }
+  }
+  return [...byPath.values()];
+}
+async function assertApiCommittable(files) {
+  const present = files.filter((f) => !f.deleted).map((f) => f.path);
+  if (present.length === 0) return;
+  const root = getRepoRoot();
+  const attrs = $2(
+    "git",
+    ["check-attr", "filter", "-z", "--", ...present.map((p2) => join12(root, p2))],
+    { log: false }
+  );
+  const parts = attrs.split("\0");
+  for (let i = 0; i + 2 < parts.length; i += 3) {
+    if (parts[i + 2] === "lfs") {
+      throw new Error(
+        `'${parts[i]}' is tracked by git-lfs, which signed commits can't upload. remove it from the change set or ask the user to disable signed commits for this repo.`
+      );
+    }
+  }
+  for (const path4 of present) {
+    const stat = await lstat(join12(root, path4));
+    if (stat.isDirectory()) {
+      throw new Error(
+        `'${path4}' is a directory (nested repository or submodule?) \u2014 signed commits only support files and symlinks.`
+      );
+    }
+  }
+}
+async function createBlobEntry(params) {
+  const absPath = join12(params.repoRoot, params.path);
+  const stat = await lstat(absPath);
+  if (stat.size > MAX_BLOB_BYTES) {
+    throw new Error(
+      `'${params.path}' is ${Math.round(stat.size / 1024 / 1024)}MB \u2014 too large for signed commits (the GitHub blob API rejects large uploads). use git-lfs for large assets or ask the user to disable signed commits for this repo.`
+    );
+  }
+  let mode;
+  let content;
+  if (stat.isSymbolicLink()) {
+    mode = "120000";
+    content = await readlink(absPath, { encoding: "buffer" });
+  } else {
+    mode = stat.mode & 64 ? "100755" : "100644";
+    const cleanSha = $2("git", ["hash-object", "-w", "--", absPath], { log: false }).trim();
+    content = execFileSync7("git", ["cat-file", "blob", cleanSha], {
+      cwd: params.repoRoot,
+      maxBuffer: 2 * MAX_BLOB_BYTES
+    });
+  }
+  const path4 = `${params.repoPath}/git/blobs`;
+  let result;
+  for (const delayMs of [0, 1e3, 3e3]) {
+    if (delayMs > 0) await new Promise((r) => setTimeout(r, delayMs));
+    result = await gh({
+      token: params.token,
+      method: "POST",
+      path: path4,
+      body: { content: content.toString("base64"), encoding: "base64" }
+    });
+    if (result.status === 201) {
+      const blob = result.json;
+      return { path: params.path, mode, type: "blob", sha: blob.sha };
+    }
+    if (!isRetryable(result.status)) break;
+    log.info(`blob upload for ${params.path} got ${result.status}, retrying`);
+  }
+  if (!result) throw new Error(`POST ${path4} failed`);
+  throw ghError("POST", path4, result);
+}
+async function updateRefWithRetry(params) {
+  const path4 = `${params.repoPath}/git/refs/heads/${encodeBranchPath(params.remoteBranch)}`;
+  let lastResult;
+  for (const delayMs of [0, 1e3, 3e3]) {
+    if (delayMs > 0) await new Promise((r) => setTimeout(r, delayMs));
+    const result = await gh({
+      token: params.token,
+      method: "PATCH",
+      path: path4,
+      body: { sha: params.sha, force: false }
+    });
+    if (result.status === 200) return;
+    if (result.status === 422) {
+      const detail = JSON.stringify(result.json);
+      if (/fast.forward/i.test(detail)) {
+        throw new Error(
+          `the remote branch '${params.remoteBranch}' moved while committing (concurrent push). fetch it with git_fetch, integrate with git merge --no-commit origin/${params.remoteBranch}, resolve any conflicts, git add the results, then retry commit_changes.`
+        );
+      }
+      throw ghError("PATCH", path4, result);
+    }
+    lastResult = result;
+    if (!isRetryable(result.status)) break;
+    log.info(`ref update got ${result.status}, retrying`);
+  }
+  if (lastResult) throw ghError("PATCH", path4, lastResult);
+  throw new Error(`PATCH ${path4} failed`);
+}
+function encodeBranchPath(branch) {
+  return branch.split("/").map(encodeURIComponent).join("/");
+}
+function validateRemoteBranch(branch) {
+  const bad = branch.startsWith("-") || branch.startsWith("/") || branch.endsWith("/") || branch.includes("..") || branch.includes("@{") || /[\s~^:?*[\]\\]/.test(branch);
+  if (bad) throw new Error(`invalid remote branch name '${branch}'`);
+}
+async function createSignedCommit(params) {
+  validateRemoteBranch(params.remoteBranch);
+  const repoPath = `/repos/${params.owner}/${params.repo}`;
+  const branchPath = `${repoPath}/git/ref/heads/${encodeBranchPath(params.remoteBranch)}`;
+  const refResult = await gh({ token: params.token, method: "GET", path: branchPath });
+  const branchExists = refResult.status === 200;
+  if (branchExists) {
+    const ref = refResult.json;
+    const remoteTip = ref.object.sha;
+    if (!params.parents.includes(remoteTip)) {
+      throw new Error(
+        isAncestorOfHead(remoteTip) ? `your local branch has commits that were never pushed \u2014 signed-commits mode can't push local commits. run git reset --mixed ${remoteTip} (keeps every change in the working tree), then retry commit_changes.` : `the remote branch '${params.remoteBranch}' has commits you don't have locally (tip ${remoteTip.slice(0, 7)}). fetch it with git_fetch, integrate with git merge --no-commit origin/${params.remoteBranch}, resolve any conflicts, git add the results, then retry commit_changes.`
+      );
+    }
+  } else if (refResult.status !== 404) {
+    throw ghError("GET", branchPath, refResult);
+  }
+  const baseParent = params.parents[0];
+  if (!baseParent) throw new Error("createSignedCommit requires at least one parent");
+  const baseTree = $2("git", ["rev-parse", `${baseParent}^{tree}`], { log: false }).trim();
+  let treeSha = baseTree;
+  if (params.files.length > 0) {
+    const repoRoot = getRepoRoot();
+    const additions = params.files.filter((f) => !f.deleted);
+    const blobEntries = [];
+    for (let i = 0; i < additions.length; i += BLOB_UPLOAD_CONCURRENCY) {
+      const chunk = additions.slice(i, i + BLOB_UPLOAD_CONCURRENCY);
+      blobEntries.push(
+        ...await Promise.all(
+          chunk.map(
+            (f) => createBlobEntry({ token: params.token, repoPath, repoRoot, path: f.path })
+          )
+        )
+      );
+    }
+    const deletionEntries = params.files.filter((f) => f.deleted).map((f) => ({ path: f.path, mode: "100644", type: "blob", sha: null }));
+    const treeResult = await gh({
+      token: params.token,
+      method: "POST",
+      path: `${repoPath}/git/trees`,
+      body: { base_tree: baseTree, tree: [...blobEntries, ...deletionEntries] }
+    });
+    if (treeResult.status !== 201) {
+      throw wrapUnknownBaseError("POST", `${repoPath}/git/trees`, treeResult, params.remoteBranch);
+    }
+    treeSha = treeResult.json.sha;
+  }
+  const commitResult = await gh({
+    token: params.token,
+    method: "POST",
+    path: `${repoPath}/git/commits`,
+    body: { message: params.message, tree: treeSha, parents: params.parents }
+  });
+  if (commitResult.status !== 201) {
+    throw wrapUnknownBaseError(
+      "POST",
+      `${repoPath}/git/commits`,
+      commitResult,
+      params.remoteBranch
+    );
+  }
+  const commit = commitResult.json;
+  if (branchExists) {
+    await updateRefWithRetry({
+      token: params.token,
+      repoPath,
+      remoteBranch: params.remoteBranch,
+      sha: commit.sha
+    });
+  } else {
+    const createResult = await gh({
+      token: params.token,
+      method: "POST",
+      path: `${repoPath}/git/refs`,
+      body: { ref: `refs/heads/${params.remoteBranch}`, sha: commit.sha }
+    });
+    if (createResult.status !== 201) {
+      throw ghError("POST", `${repoPath}/git/refs`, createResult);
+    }
+  }
+  return { sha: commit.sha, createdBranch: !branchExists };
+}
+function isAncestorOfHead(sha) {
+  try {
+    $2("git", ["merge-base", "--is-ancestor", sha, "HEAD"], { log: false });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function wrapUnknownBaseError(method, path4, result, remoteBranch) {
+  if (result.status === 404 || result.status === 422) {
+    return new Error(
+      `${ghError(method, path4, result).message}
+
+this usually means your local branch has commits that were never pushed \u2014 signed-commits mode can't push local commits. run git reset --mixed origin/${remoteBranch} (or the commit you branched from; this keeps every change in the working tree), then retry commit_changes.`
+    );
+  }
+  return ghError(method, path4, result);
+}
+
+// mcp/git.ts
 function getPushDestination(branch, storedDest) {
   if (storedDest && storedDest.localBranch === branch) {
     log.debug(`using stored push destination: ${storedDest.remoteName}/${storedDest.remoteBranch}`);
@@ -151944,6 +152334,10 @@ function validateTagName(tag) {
     );
   }
 }
+function pushesToBaseRepo(ctx) {
+  const baseUrl = `https://github.com/${ctx.repo.owner}/${ctx.repo.name}.git`;
+  return normalizeUrl(ctx.toolState.pushUrl ?? "") === normalizeUrl(baseUrl);
+}
 function validatePushDestination(ctx, branch) {
   const pushUrl = ctx.toolState.pushUrl;
   if (!pushUrl) throw new Error("pushUrl not set - setupGit must run before push_branch");
@@ -151962,6 +152356,47 @@ var PushBranch = type({
   branchName: type.string.describe("The branch name to push (defaults to current branch)").optional(),
   force: type.boolean.describe("Force push (use with caution)").default(false)
 });
+function assertPushTarget(ctx, branch, pushDest) {
+  const prBranchMatch = branch.match(/^pr-(\d+)$/);
+  if (prBranchMatch && pushDest.remoteBranch !== branch) {
+    const prNumber = Number(prBranchMatch[1]);
+    const event = ctx.payload.event;
+    const runScoped = event.is_pr === true && event.issue_number === prNumber;
+    if (!runScoped) {
+      throw new Error(
+        `push blocked: local branch '${branch}' would push to '${pushDest.remoteName}/${pushDest.remoteBranch}', but this run is not scoped to PR #${prNumber}. the 'pr-${prNumber}' branch was created by a prior checkout_pr call (likely from a subagent \u2014 subagents share the working tree and toolState with the orchestrator). you have probably landed your commit on the wrong branch. switch to your own feature branch first (e.g. 'git checkout <feature-branch>') and then push. if the push to PR #${prNumber} is intentional, this run needs to be triggered against that PR.`
+      );
+    }
+  }
+  const defaultBranch = ctx.repo.data.default_branch || "main";
+  if (ctx.payload.push === "restricted" && pushDest.remoteBranch === defaultBranch) {
+    throw new Error(
+      `Push blocked: cannot push directly to default branch '${pushDest.remoteBranch}'. Create a feature branch and open a PR instead.`
+    );
+  }
+}
+async function runPrepushHook(ctx, retryTool) {
+  if (ctx.toolState.prepushFailureCount > 0) {
+    log.info(`\xBB skipping prepush hook (failed earlier this run)`);
+    return true;
+  }
+  if (!ctx.prepushScript) return false;
+  const prepushHook = await executeLifecycleHook({
+    event: "prepush",
+    script: ctx.prepushScript
+  });
+  if (prepushHook.failure) {
+    ctx.toolState.prepushFailureCount += 1;
+    throw new Error(
+      buildPrepushFailureMessage({
+        failure: prepushHook.failure,
+        shell: ctx.payload.shell,
+        retryTool
+      })
+    );
+  }
+  return false;
+}
 var CONCURRENT_PUSH_PATTERNS = ["fetch first", "non-fast-forward", "cannot lock ref"];
 var TRANSIENT_PATTERNS = [
   /RPC failed/i,
@@ -152021,7 +152456,6 @@ async function pushWithRetry(args2, token) {
   throw lastErr instanceof Error ? lastErr : new Error(String(lastErr));
 }
 function PushBranchTool(ctx) {
-  const defaultBranch = ctx.repo.data.default_branch || "main";
   const pushPermission = ctx.payload.push;
   return tool({
     name: "push_branch",
@@ -152033,6 +152467,11 @@ function PushBranchTool(ctx) {
       }
       const branch = branchName || $2("git", ["rev-parse", "--abbrev-ref", "HEAD"], { log: false });
       rejectSpecialRef(branch, "branch");
+      if (ctx.signedCommits && pushesToBaseRepo(ctx)) {
+        throw new Error(
+          "push_branch is not used in signed-commits mode \u2014 commits land on the remote via the commit_changes tool. call commit_changes to commit your working-tree changes as a GitHub-signed commit. if you already called commit_changes, your work is already on the remote \u2014 there is nothing left to push."
+        );
+      }
       const status = $2("git", ["status", "--porcelain"], { log: false });
       if (status) {
         throw new Error(
@@ -152043,36 +152482,11 @@ ${status}` + (ctx.toolState.prepushFailureCount > 0 ? "\n\nnote: the prepush hoo
         );
       }
       const pushDest = validatePushDestination(ctx, branch);
-      const prBranchMatch = branch.match(/^pr-(\d+)$/);
-      if (prBranchMatch && pushDest.remoteBranch !== branch) {
-        const prNumber = Number(prBranchMatch[1]);
-        const event = ctx.payload.event;
-        const runScoped = event.is_pr === true && event.issue_number === prNumber;
-        if (!runScoped) {
-          throw new Error(
-            `push blocked: local branch '${branch}' would push to '${pushDest.remoteName}/${pushDest.remoteBranch}', but this run is not scoped to PR #${prNumber}. the 'pr-${prNumber}' branch was created by a prior checkout_pr call (likely from a subagent \u2014 subagents share the working tree and toolState with the orchestrator). you have probably landed your commit on the wrong branch. switch to your own feature branch first (e.g. 'git checkout <feature-branch>') and then push. if the push to PR #${prNumber} is intentional, this run needs to be triggered against that PR.`
-          );
-        }
-      }
-      if (pushPermission === "restricted" && pushDest.remoteBranch === defaultBranch) {
-        throw new Error(
-          `Push blocked: cannot push directly to default branch '${pushDest.remoteBranch}'. Create a feature branch and open a PR instead.`
-        );
-      }
+      assertPushTarget(ctx, branch, pushDest);
       const refspec = branch === pushDest.remoteBranch ? branch : `${branch}:${pushDest.remoteBranch}`;
       const pushArgs = force ? ["--force", "-u", pushDest.remoteName, refspec] : ["-u", pushDest.remoteName, refspec];
-      const prepushSkipped = ctx.toolState.prepushFailureCount > 0;
-      if (prepushSkipped) {
-        log.info(`\xBB skipping prepush hook (failed earlier this run)`);
-      } else if (ctx.prepushScript) {
-        const prepushHook = await executeLifecycleHook({
-          event: "prepush",
-          script: ctx.prepushScript
-        });
-        if (prepushHook.failure) {
-          ctx.toolState.prepushFailureCount += 1;
-          throw new Error(buildPrepushFailureMessage(prepushHook.failure, ctx.payload.shell));
-        }
+      const prepushSkipped = await runPrepushHook(ctx, "push_branch");
+      if (!prepushSkipped && ctx.prepushScript) {
         const postHookStatus = $2("git", ["status", "--porcelain"], { log: false });
         if (postHookStatus) {
           throw new Error(
@@ -152123,15 +152537,138 @@ ${integrateStep}
     })
   });
 }
-function buildPrepushFailureMessage(failure, shell) {
+function buildPrepushFailureMessage(params) {
+  const failure = params.failure;
   const header = failure.kind === "exit" ? `prepush hook failed with exit code ${failure.exitCode}.
 
 script output:
 ${failure.output || "(empty)"}` : failure.kind === "timeout" ? `prepush hook timed out \u2014 the script is hung or doing too much work.` : `prepush hook failed to spawn: ${failure.spawnError}.`;
-  const ifRealBug = shell === "disabled" ? `fix it before pushing again \u2014 shell access is disabled in this run, so you can't re-run the hook command yourself.` : `run the hook command yourself via the shell tool to iterate (push_branch will NOT re-run it).`;
+  const ifRealBug = params.shell === "disabled" ? `fix it before pushing again \u2014 shell access is disabled in this run, so you can't re-run the hook command yourself.` : `run the hook command yourself via the shell tool to iterate (${params.retryTool} will NOT re-run it).`;
   return `${header}
 
-this repo's prepush hook is best-effort: the next push_branch call will SKIP the hook and proceed. if the failure is unrelated to your changes (pre-existing breakage, flaky check), just call push_branch again. if it could be a real bug in your code, ${ifRealBug}`;
+this repo's prepush hook is best-effort: the next ${params.retryTool} call will SKIP the hook and proceed. if the failure is unrelated to your changes (pre-existing breakage, flaky check), just call ${params.retryTool} again. if it could be a real bug in your code, ${ifRealBug}`;
+}
+function buildNothingToCommitMessage(pushDest) {
+  const base = "nothing to commit \u2014 the working tree matches HEAD.";
+  try {
+    const remoteTip = $2(
+      "git",
+      ["rev-parse", `refs/remotes/${pushDest.remoteName}/${pushDest.remoteBranch}`],
+      { log: false }
+    ).trim();
+    const head = $2("git", ["rev-parse", "HEAD"], { log: false }).trim();
+    if (remoteTip === head) {
+      return `${base} your work is already on ${pushDest.remoteName}/${pushDest.remoteBranch} \u2014 there is no push step in signed-commits mode.`;
+    }
+    $2("git", ["merge-base", "--is-ancestor", remoteTip, "HEAD"], { log: false });
+    return `${base} but your local branch has commits that were never pushed \u2014 signed-commits mode can't push local commits. run git reset --mixed ${remoteTip} (keeps every change in the working tree), then retry commit_changes.`;
+  } catch {
+    return base;
+  }
+}
+var CommitChanges = type({
+  message: type.string.describe("Commit message (first line = subject)"),
+  files: type.string.array().describe("Optional subset of changed paths to commit. Defaults to every working-tree change.").optional()
+});
+function CommitChangesTool(ctx) {
+  const pushPermission = ctx.payload.push;
+  return tool({
+    name: "commit_changes",
+    description: "Commit working-tree changes directly to the remote branch as a GitHub-signed (Verified) commit \u2014 this repository has signed commits enabled, so use this INSTEAD of git commit + push_branch. Edit files locally, then call this tool: it detects every working-tree change (new, modified, deleted files), or commits a subset via `files`. The commit lands on the remote immediately \u2014 there is no separate push step. The remote branch is created automatically on the first commit to a new local branch. A merge in progress (git merge --no-commit) is concluded as a signed merge commit \u2014 resolve conflicts and git add first. Runs the repository prepush hook (if configured) before committing \u2014 best-effort, same skip-on-failure behavior as push_branch.",
+    parameters: CommitChanges,
+    timeoutMs: 6e5,
+    execute: execute(async (params) => {
+      if (pushPermission === "disabled") {
+        throw new Error("Push is disabled. This repository is configured for read-only access.");
+      }
+      const branch = $2("git", ["rev-parse", "--abbrev-ref", "HEAD"], { log: false }).trim();
+      if (branch === "HEAD") {
+        throw new Error(
+          "HEAD is detached \u2014 create or check out a branch before committing (e.g. git checkout -b pullfrog/<description>)."
+        );
+      }
+      rejectSpecialRef(branch, "branch");
+      const pushDest = validatePushDestination(ctx, branch);
+      if (!pushesToBaseRepo(ctx)) {
+        throw new Error(
+          `'${branch}' pushes to the fork '${pushDest.url}', where the app can't create signed commits. commit locally via the git tool and use push_branch instead (those commits will be unsigned).`
+        );
+      }
+      assertPushTarget(ctx, branch, pushDest);
+      const prepushSkipped = await runPrepushHook(ctx, "commit_changes");
+      const head = $2("git", ["rev-parse", "HEAD"], { log: false }).trim();
+      let mergeHead = "";
+      try {
+        mergeHead = $2("git", ["rev-parse", "-q", "--verify", "MERGE_HEAD"], { log: false }).trim();
+      } catch {
+      }
+      let changes = detectWorkingTreeChanges();
+      if (params.files) {
+        if (mergeHead) {
+          throw new Error(
+            "can't commit a subset of files while a merge is in progress \u2014 the merge commit must include every merged change. omit `files`."
+          );
+        }
+        const requested = new Set(params.files);
+        const known = new Set(changes.map((c2) => c2.path));
+        const unknown4 = [...requested].filter((p2) => !known.has(p2));
+        if (unknown4.length > 0) {
+          throw new Error(
+            `no detected change at: ${unknown4.join(", ")} \u2014 run git status to list changed paths.`
+          );
+        }
+        changes = changes.filter((c2) => requested.has(c2.path));
+      }
+      if (changes.length === 0 && !mergeHead) {
+        throw new Error(buildNothingToCommitMessage(pushDest));
+      }
+      await assertApiCommittable(changes);
+      const parents = mergeHead ? [head, mergeHead] : [head];
+      const result = await createSignedCommit({
+        token: ctx.gitToken,
+        owner: ctx.repo.owner,
+        repo: ctx.repo.name,
+        remoteBranch: pushDest.remoteBranch,
+        message: params.message,
+        parents,
+        files: changes
+      });
+      await $git(
+        "fetch",
+        [
+          "--no-tags",
+          "origin",
+          `+refs/heads/${pushDest.remoteBranch}:refs/remotes/origin/${pushDest.remoteBranch}`
+        ],
+        { token: ctx.gitToken }
+      );
+      $2("git", ["update-ref", `refs/heads/${branch}`, result.sha], { log: false });
+      if (mergeHead) {
+        $2("git", ["merge", "--quit"], { log: false });
+      }
+      $2("git", ["reset", "-q"], { log: false });
+      if (result.createdBranch) {
+        $2("git", ["config", `branch.${branch}.remote`, "origin"], { log: false });
+        $2("git", ["config", `branch.${branch}.merge`, `refs/heads/${pushDest.remoteBranch}`], {
+          log: false
+        });
+      }
+      log.info(
+        `\xBB created signed commit ${result.sha.slice(0, 7)} (${changes.length} file(s)) on ${pushDest.remoteName}/${pushDest.remoteBranch}`
+      );
+      return {
+        success: true,
+        sha: result.sha,
+        branch,
+        remoteBranch: pushDest.remoteBranch,
+        files: changes.map((c2) => c2.deleted ? `D ${c2.path}` : c2.path),
+        createdBranch: result.createdBranch,
+        verified: true,
+        prepushSkipped,
+        message: `created signed commit ${result.sha.slice(0, 7)} on ${pushDest.remoteName}/${pushDest.remoteBranch}${result.createdBranch ? " (remote branch created)" : ""}`
+      };
+    })
+  });
 }
 var AUTH_REQUIRED_REDIRECT = {
   push: "use the push_branch tool instead \u2014 it handles authentication and permission checks.",
@@ -152204,7 +152741,7 @@ function countAhead(head, base) {
 function spillGitOutput(params) {
   const tempDir = process.env.PULLFROG_TEMP_DIR;
   if (!tempDir) throw new Error("PULLFROG_TEMP_DIR not set");
-  const outputPath = join11(tempDir, `git-${params.command}-${randomUUID3().slice(0, 8)}.txt`);
+  const outputPath = join13(tempDir, `git-${params.command}-${randomUUID3().slice(0, 8)}.txt`);
   writeFileSync7(outputPath, params.output);
   const previewByLines = params.output.split("\n").slice(0, OVERFLOW_PREVIEW_LINES).join("\n");
   const preview = previewByLines.length <= OVERFLOW_PREVIEW_MAX_CHARS ? previewByLines : `${previewByLines.slice(0, OVERFLOW_PREVIEW_MAX_CHARS)}\u2026`;
@@ -152238,8 +152775,30 @@ function GitTool(ctx) {
       }
       const redirect = AUTH_REQUIRED_REDIRECT[command];
       if (redirect) {
+        if (command === "push" && ctx.signedCommits) {
+          throw new Error(
+            "git push is not available through this tool \u2014 in signed-commits mode use commit_changes instead: it commits your working-tree changes directly to the remote as a GitHub-signed commit (push_branch only applies to fork PRs)."
+          );
+        }
         throw new Error(`git ${command} is not available through this tool \u2014 ${redirect}`);
       }
+      if (ctx.signedCommits && (command === "commit" || command === "merge")) {
+        if (pushesToBaseRepo(ctx)) {
+          if (command === "commit") {
+            throw new Error(
+              "git commit is blocked in signed-commits mode \u2014 use the commit_changes tool instead. it commits your working-tree changes directly to the remote as a GitHub-signed (Verified) commit. if you are concluding a merge, stage the resolutions with git add and call commit_changes \u2014 no local commit is needed."
+            );
+          }
+          const noLocalCommit = args2.some(
+            (a) => a === "--no-commit" || a === "--abort" || a === "--quit"
+          );
+          if (!noLocalCommit) {
+            throw new Error(
+              "bare git merge would create a local commit, which can't be pushed in signed-commits mode. use git merge --no-commit <ref>, resolve any conflicts, git add the results, then call commit_changes \u2014 it concludes the merge as a signed merge commit."
+            );
+          }
+        }
+      }
       if (ctx.payload.shell === "disabled") {
         const blocked = NOSHELL_BLOCKED_SUBCOMMANDS[command];
         if (blocked) {
@@ -152872,7 +153431,6 @@ async function createAndSubmitWithFooter(ctx, params, opts) {
       workflowRun: ctx.runId ? { owner: ctx.repo.owner, repo: ctx.repo.name, runId: ctx.runId, jobId: ctx.jobId } : void 0,
       customParts,
       model: ctx.toolState.model,
-      fallbackFrom: ctx.toolState.modelFallback?.from,
       oss: ctx.oss
     });
     return await ctx.octokit.rest.pulls.submitReview({
@@ -152905,12 +153463,12 @@ async function reportReviewNodeId(ctx, params) {
 }
 
 // utils/setup.ts
-import { execFileSync as execFileSync7, execSync as execSync2 } from "node:child_process";
+import { execFileSync as execFileSync8, execSync as execSync2 } from "node:child_process";
 import { mkdtempSync as mkdtempSync2, readdirSync, realpathSync as realpathSync2, unlinkSync as unlinkSync2 } from "node:fs";
 import { tmpdir as tmpdir3 } from "node:os";
-import { join as join12 } from "node:path";
+import { join as join14 } from "node:path";
 function createTempDirectory() {
-  const sharedTempDir = mkdtempSync2(join12(tmpdir3(), "pullfrog-"));
+  const sharedTempDir = mkdtempSync2(join14(tmpdir3(), "pullfrog-"));
   process.env.PULLFROG_TEMP_DIR = sharedTempDir;
   log.info(`\xBB created temp dir at ${sharedTempDir}`);
   return sharedTempDir;
@@ -152955,13 +153513,13 @@ function wipeRunnerLeakSurface() {
       return [];
     }
   };
-  const fileCommandsDir = join12(runnerTemp, "_runner_file_commands");
+  const fileCommandsDir = join14(runnerTemp, "_runner_file_commands");
   for (const entry of listDir(fileCommandsDir)) {
-    tryUnlink(join12(fileCommandsDir, entry));
+    tryUnlink(join14(fileCommandsDir, entry));
   }
   for (const entry of listDir(runnerTemp)) {
     if (entry.endsWith(".sh") || /^git-credentials-.*\.config$/.test(entry)) {
-      tryUnlink(join12(runnerTemp, entry));
+      tryUnlink(join14(runnerTemp, entry));
     }
   }
   if (wiped.length > 0) {
@@ -152998,7 +153556,7 @@ function removeIncludeIfEntries(repoDir) {
     if (!key || seen.has(key)) continue;
     seen.add(key);
     try {
-      execFileSync7("git", ["config", "--local", "--unset-all", key], {
+      execFileSync8("git", ["config", "--local", "--unset-all", key], {
         cwd: repoDir,
         stdio: "pipe",
         env: env2
@@ -153470,7 +154028,7 @@ function CheckoutPrTool(ctx) {
         headSha: ctx.toolState.checkoutSha
       });
       if (incremental) {
-        incrementalDiffPath = join13(
+        incrementalDiffPath = join15(
           tempDir,
           `pr-${pull_number}-${beforeShort}-${headShort}-incremental.diff`
         );
@@ -153484,7 +154042,7 @@ function CheckoutPrTool(ctx) {
     const diffPreview = formatResult.content.split("\n").slice(0, 100).join("\n");
     log.debug(`formatted diff preview (first 100 lines):
 ${diffPreview}`);
-    const diffPath = join13(tempDir, `pr-${pull_number}-${headShort}.diff`);
+    const diffPath = join15(tempDir, `pr-${pull_number}-${headShort}.diff`);
     writeFileSync8(diffPath, formatResult.content);
     log.debug(`wrote diff to ${diffPath} (${formatResult.content.length} bytes)`);
     ctx.toolState.diffCoverage = createDiffCoverageState({
@@ -153593,7 +154151,7 @@ ${dirty}`
 
 // mcp/checkSuite.ts
 import { mkdirSync as mkdirSync7, writeFileSync as writeFileSync9 } from "node:fs";
-import { join as join14 } from "node:path";
+import { join as join16 } from "node:path";
 var GetCheckSuiteLogs = type({
   check_suite_id: type.number.describe("the id from check_suite.id")
 });
@@ -153689,7 +154247,7 @@ function GetCheckSuiteLogsTool(ctx) {
       if (!tempDir) {
         throw new Error("PULLFROG_TEMP_DIR not set");
       }
-      const logsDir = join14(tempDir, "ci-logs");
+      const logsDir = join16(tempDir, "ci-logs");
       mkdirSync7(logsDir, { recursive: true });
       const jobResults = [];
       for (const run4 of failedRuns) {
@@ -153716,7 +154274,7 @@ function GetCheckSuiteLogsTool(ctx) {
               );
             }
             const logsText = await logsResult.text();
-            const logPath = join14(logsDir, `job-${job.id}.log`);
+            const logPath = join16(logsDir, `job-${job.id}.log`);
             writeFileSync9(logPath, logsText);
             const analysis = analyzeLog(logsText, 80);
             const failedSteps = job.steps?.filter((s) => s.conclusion === "failure").map((s) => `Step ${s.number}: ${s.name}`) ?? [];
@@ -153766,7 +154324,7 @@ function GetCheckSuiteLogsTool(ctx) {
 
 // mcp/commitInfo.ts
 import { writeFileSync as writeFileSync10 } from "node:fs";
-import { join as join15 } from "node:path";
+import { join as join17 } from "node:path";
 var CommitInfo = type({
   sha: type.string.describe("the commit SHA (full or abbreviated) to fetch")
 });
@@ -153790,7 +154348,7 @@ function CommitInfoTool(ctx) {
           "PULLFROG_TEMP_DIR not set - get_commit_info must run in pullfrog action context"
         );
       }
-      const diffFile = join15(tempDir, `commit-${sha.slice(0, 7)}.diff`);
+      const diffFile = join17(tempDir, `commit-${sha.slice(0, 7)}.diff`);
       writeFileSync10(diffFile, formatResult.content);
       log.debug(`wrote commit diff to ${diffFile} (${formatResult.content.length} bytes)`);
       return {
@@ -154297,7 +154855,6 @@ function buildPrBodyWithFooter(ctx, body) {
     triggeredBy: true,
     workflowRun: ctx.runId ? { owner: ctx.repo.owner, repo: ctx.repo.name, runId: ctx.runId, jobId: ctx.jobId } : void 0,
     model: ctx.toolState.model,
-    fallbackFrom: ctx.toolState.modelFallback?.from,
     oss: ctx.oss
   });
   const bodyWithoutFooter = stripExistingFooter(fixDoubleEscapedString(body));
@@ -154452,7 +155009,7 @@ function PullRequestInfoTool(ctx) {
 
 // mcp/reviewComments.ts
 import { writeFileSync as writeFileSync11 } from "node:fs";
-import { join as join16 } from "node:path";
+import { join as join18 } from "node:path";
 var REVIEW_THREADS_QUERY = `
 query ($owner: String!, $name: String!, $prNumber: Int!) {
   repository(owner: $owner, name: $name) {
@@ -154868,7 +155425,7 @@ function GetReviewCommentsTool(ctx) {
         throw new Error("PULLFROG_TEMP_DIR not set");
       }
       const filename = `review-${params.review_id}-threads.md`;
-      const commentsPath = join16(tempDir, filename);
+      const commentsPath = join18(tempDir, filename);
       writeFileSync11(commentsPath, formatted.content);
       log.debug(`wrote ${threadBlocks.length} threads to ${commentsPath}`);
       return {
@@ -155106,7 +155663,7 @@ import { spawn as spawn4, spawnSync as spawnSync5 } from "node:child_process";
 import { randomUUID as randomUUID4 } from "node:crypto";
 import { closeSync, openSync, writeFileSync as writeFileSync12 } from "node:fs";
 import { userInfo as userInfo2 } from "node:os";
-import { join as join17 } from "node:path";
+import { join as join19 } from "node:path";
 import { setTimeout as sleep2 } from "node:timers/promises";
 var ShellParams = type({
   command: "string",
@@ -155269,7 +155826,7 @@ function getTempDir() {
 var MAX_OUTPUT_CHARS = 5e3;
 function capOutput(output) {
   if (output.length <= MAX_OUTPUT_CHARS) return output;
-  const fullPath = join17(getTempDir(), `shell-${randomUUID4().slice(0, 8)}.log`);
+  const fullPath = join19(getTempDir(), `shell-${randomUUID4().slice(0, 8)}.log`);
   writeFileSync12(fullPath, output);
   const elided = output.length - MAX_OUTPUT_CHARS;
   return `... [${elided} chars truncated; full output saved to ${fullPath}] ...
@@ -155324,8 +155881,8 @@ Do NOT use this tool for git commands \u2014 use the dedicated git tools instead
       if (params.background) {
         const tempDir = getTempDir();
         const handle = `bg-${randomUUID4().slice(0, 8)}`;
-        const outputPath = join17(tempDir, `${handle}.log`);
-        const pidPath = join17(tempDir, `${handle}.pid`);
+        const outputPath = join19(tempDir, `${handle}.log`);
+        const pidPath = join19(tempDir, `${handle}.pid`);
         const logFd = openSync(outputPath, "a");
         let proc2;
         try {
@@ -155556,7 +156113,7 @@ function buildCommonTools(ctx, outputSchema) {
   return tools;
 }
 function buildOrchestratorTools(ctx, outputSchema) {
-  return [
+  const tools = [
     ...buildCommonTools(ctx, outputSchema),
     ReportProgressTool(ctx),
     SelectModeTool(ctx),
@@ -155566,6 +156123,10 @@ function buildOrchestratorTools(ctx, outputSchema) {
     CreatePullRequestTool(ctx),
     UpdatePullRequestBodyTool(ctx)
   ];
+  if (ctx.signedCommits) {
+    tools.push(CommitChangesTool(ctx));
+  }
+  return tools;
 }
 async function tryStartMcpServer(ctx, tools, port) {
   const server = new FastMCP({ name: pullfrogMcpName, version: "0.0.1" });
@@ -155756,8 +156317,14 @@ var MISSING_KEY_MARKER = "no API key found";
 function buildMissingApiKeyError(params) {
   const githubSecretsUrl = `https://github.com/${params.owner}/${params.name}/settings/secrets/actions`;
   const settingsUrl = `${getApiUrl()}/console/${params.owner}/${params.name}`;
+  const envVars = params.model?.includes("/") ? getModelEnvVars(params.model) : [];
+  const [primary, ...alternates] = envVars;
+  const envVarList = primary ? `\`${primary}\`${alternates.length > 0 ? ` (or ${alternates.map((v) => `\`${v}\``).join(" / ")})` : ""}` : void 0;
+  const lead = envVarList ? `**${MISSING_KEY_MARKER}** \u2014 this repo is configured to use \`${params.model}\`, which needs ${envVarList}, but the runner has no key for it.` : `**${MISSING_KEY_MARKER}** \u2014 Pullfrog needs at least one LLM provider API key (e.g. \`ANTHROPIC_API_KEY\`, \`OPENAI_API_KEY\`, \`GEMINI_API_KEY\`) configured as a GitHub Actions secret.`;
   return [
-    `**${MISSING_KEY_MARKER}** \u2014 Pullfrog needs at least one LLM provider API key (e.g. \`ANTHROPIC_API_KEY\`, \`OPENAI_API_KEY\`, \`GEMINI_API_KEY\`) configured as a GitHub Actions secret.`,
+    lead,
+    "",
+    "**To fix:** add the key as a GitHub Actions secret (referenced from your workflow's `env:` block) or as a Pullfrog secret in the console \u2014 or switch this repo to a different model (free models need no key).",
     "",
     `[Open repo secrets \u2192](${githubSecretsUrl}) \xB7 [Configure model \u2192](${settingsUrl}) \xB7 [Setup docs \u2192](https://docs.pullfrog.com/keys) \xB7 [Ask in Discord \u2192](https://discord.gg/8y96raFg8e)`
   ].join("\n");
@@ -155837,10 +156404,14 @@ function validateAgentApiKey(params) {
     }
     if (params.agent.name === "opencode") {
       if (params.authorized.has(params.model)) return;
-      throw new Error(buildMissingApiKeyError({ owner: params.owner, name: params.name }));
+      throw new Error(
+        buildMissingApiKeyError({ owner: params.owner, name: params.name, model: params.model })
+      );
     }
     if (hasEnvVar3("ANTHROPIC_API_KEY") || hasEnvVar3("CLAUDE_CODE_OAUTH_TOKEN")) return;
-    throw new Error(buildMissingApiKeyError({ owner: params.owner, name: params.name }));
+    throw new Error(
+      buildMissingApiKeyError({ owner: params.owner, name: params.name, model: params.model })
+    );
   }
   if (params.agent.name === "opencode") {
     if (params.authorized.size > 0) return;
@@ -155851,42 +156422,37 @@ function validateAgentApiKey(params) {
 }
 function isApiKeyAuthError(text) {
   if (!text) return false;
-  return text.includes(MISSING_KEY_MARKER) || /Invalid API key/i.test(text) || /\bUser not found\b/i.test(text) || /\bInvalid authentication\b/i.test(text) || /authentication_error/i.test(text) || /Invalid bearer token/i.test(text) || /api_error_status\s*=\s*401/i.test(text) || /API Error:\s*401/i.test(text);
+  return text.includes(MISSING_KEY_MARKER) || /Invalid API key/i.test(text) || /\bUser not found\b/i.test(text) || /\bInvalid authentication\b/i.test(text) || /authentication_error/i.test(text) || /Invalid bearer token/i.test(text) || /api_error_status\s*=\s*401/i.test(text) || /API Error:\s*401/i.test(text) || /Failed to authenticate\. API Error:/i.test(text) || isOAuthCredentialExpiredError(text);
+}
+function isOAuthCredentialExpiredError(text) {
+  return /authentication token has expired/i.test(text) || /Token refresh failed/i.test(text);
 }
 function formatApiKeyErrorSummary(params) {
   if (params.raw.includes(MISSING_KEY_MARKER)) {
+    if (params.raw.startsWith(`**${MISSING_KEY_MARKER}**`)) return params.raw;
     return buildMissingApiKeyError({ owner: params.owner, name: params.name });
   }
   const githubSecretsUrl = `https://github.com/${params.owner}/${params.name}/settings/secrets/actions`;
   const settingsUrl = `${getApiUrl()}/console/${params.owner}/${params.name}`;
+  if (isOAuthCredentialExpiredError(params.raw)) {
+    return [
+      `**Your provider OAuth credential has expired.** Re-authenticate the provider connection (e.g. \`pullfrog auth codex\`), then re-trigger the run.`,
+      "",
+      `[Model settings \u2192](${settingsUrl}) \xB7 [Setup docs \u2192](https://docs.pullfrog.com/keys) \xB7 [Ask in Discord \u2192](https://discord.gg/8y96raFg8e)`
+    ].join("\n");
+  }
   return [
-    `**Your LLM provider API key was rejected (401).** Rotate the key in your provider dashboard, then update the matching GitHub Actions secret.`,
+    `**Your LLM provider API key was rejected.** Rotate the key in your provider dashboard, then update the matching GitHub Actions secret.`,
     "",
     `[Update repo secret \u2192](${githubSecretsUrl}) \xB7 [Model settings \u2192](${settingsUrl}) \xB7 [Setup docs \u2192](https://docs.pullfrog.com/keys) \xB7 [Ask in Discord \u2192](https://discord.gg/8y96raFg8e)`
   ].join("\n");
 }
 
-// utils/byokFallback.ts
-var FREE_FALLBACK_SLUG = "opencode/big-pickle";
-function selectFallbackModelIfNeeded(input) {
-  if (input.proxyModel) return { fallback: false };
-  if (!input.resolvedModel) return { fallback: false };
-  if (input.resolvedModel === FREE_FALLBACK_SLUG) return { fallback: false };
-  if (!input.resolvedModel.includes("/")) return { fallback: false };
-  if (input.agentName === "claude") return { fallback: false };
-  if (input.authorized.has(input.resolvedModel)) return { fallback: false };
-  return {
-    fallback: true,
-    from: input.resolvedModel,
-    to: FREE_FALLBACK_SLUG
-  };
-}
-
 // utils/gitAuthServer.ts
 import { randomUUID as randomUUID5 } from "node:crypto";
 import { writeFileSync as writeFileSync13 } from "node:fs";
 import { createServer as createServer3 } from "node:http";
-import { join as join18 } from "node:path";
+import { join as join20 } from "node:path";
 var REVOKED_TRAP_MS = 6e4;
 function revokeGitHubToken(token) {
   fetch("https://api.github.com/installation/token", {
@@ -155955,7 +156521,7 @@ async function startGitAuthServer(tmpdir4) {
   function writeAskpassScript(code) {
     const scriptId = randomUUID5();
     const scriptName = `askpass-${scriptId}.js`;
-    const scriptPath = join18(tmpdir4, scriptName);
+    const scriptPath = join20(tmpdir4, scriptName);
     const content = [
       `#!/usr/bin/env node`,
       `var a=process.argv[2]||"";`,
@@ -155993,7 +156559,7 @@ async function startGitAuthServer(tmpdir4) {
 var core3 = __toESM(require_core(), 1);
 import { createSign } from "node:crypto";
 import { rename, writeFile } from "node:fs/promises";
-import { dirname as dirname3, join as join19 } from "node:path";
+import { dirname as dirname3, join as join21 } from "node:path";
 
 // node_modules/.pnpm/@octokit+plugin-throttling@11.0.3_@octokit+core@7.0.5/node_modules/@octokit/plugin-throttling/dist-bundle/index.js
 var import_light = __toESM(require_light(), 1);
@@ -159635,6 +160201,7 @@ var Octokit2 = Octokit.plugin(requestLog, legacyRestEndpointMethods, paginateRes
 );
 
 // utils/github.ts
+var OIDC_AUDIENCE = "pullfrog-api";
 function isObject4(value2) {
   return typeof value2 === "object" && value2 !== null;
 }
@@ -159651,8 +160218,39 @@ var TokenExchangeError = class extends Error {
     this.status = status;
   }
 };
+async function fetchIdTokenFromStash(creds) {
+  const url4 = new URL(creds.requestUrl);
+  url4.searchParams.set("audience", OIDC_AUDIENCE);
+  const timeoutMs = 3e4;
+  let response;
+  try {
+    response = await fetch(url4, {
+      headers: { Authorization: `Bearer ${creds.requestToken}` },
+      signal: AbortSignal.timeout(timeoutMs)
+    });
+  } catch (error49) {
+    if (error49 instanceof Error && error49.name === "TimeoutError") {
+      throw new Error(`ID token request timed out after ${timeoutMs}ms`);
+    }
+    throw error49;
+  }
+  if (!response.ok) {
+    throw new TokenExchangeError(
+      response.status,
+      `Failed to get ID token: ${response.status} ${response.statusText}`
+    );
+  }
+  const body = await response.json();
+  if (!body.value) {
+    throw new Error("ID token response has no value field");
+  }
+  if (isGitHubActions) {
+    core3.setSecret(body.value);
+  }
+  return body.value;
+}
 async function acquireTokenViaOIDC(opts) {
-  const oidcToken = await core3.getIDToken("pullfrog-api");
+  const oidcToken = opts?.oidc ? await fetchIdTokenFromStash(opts.oidc) : await core3.getIDToken(OIDC_AUDIENCE);
   const repos = [...opts?.repos ?? []];
   const targetRepo = process.env.GITHUB_REPOSITORY?.split("/")[1];
   if (targetRepo) {
@@ -159801,14 +160399,15 @@ async function acquireTokenViaGitHubApp(opts) {
   const installationId = await findInstallationId(jwt2, config3.repoOwner, config3.repoName);
   return await createInstallationToken(jwt2, installationId, opts?.permissions);
 }
+function isTransientTokenError(error49) {
+  if (error49 instanceof TokenExchangeError) return error49.status >= 500 || error49.status === 429;
+  return error49 instanceof Error && (error49.message.includes("timed out") || error49.message.includes("fetch failed") || error49.message.includes("ECONNRESET") || error49.message.includes("ETIMEDOUT"));
+}
 async function acquireNewToken(opts) {
-  if (isOIDCAvailable()) {
+  if (opts?.oidc || isOIDCAvailable()) {
     return await retry(() => acquireTokenViaOIDC(opts), {
       label: "token exchange",
-      shouldRetry: (error49) => {
-        if (error49 instanceof TokenExchangeError) return error49.status >= 500 || error49.status === 429;
-        return error49 instanceof Error && (error49.message.includes("timed out") || error49.message.includes("fetch failed") || error49.message.includes("ECONNRESET") || error49.message.includes("ETIMEDOUT"));
-      }
+      shouldRetry: isTransientTokenError
     });
   }
   if (process.env.GITHUB_ACTIONS === "true") {
@@ -159851,14 +160450,14 @@ function getGitHubUsageSummary() {
 }
 async function writeGitHubUsageSummaryToFile(path4) {
   const summary2 = getGitHubUsageSummary();
-  const tmpPath = join19(dirname3(path4), `.usage-summary-${process.pid}.tmp`);
+  const tmpPath = join21(dirname3(path4), `.usage-summary-${process.pid}.tmp`);
   await writeFile(tmpPath, JSON.stringify(summary2));
   await rename(tmpPath, path4);
 }
-function createOctokit(token) {
+function createOctokit(token, refreshAuth) {
+  let currentToken = token;
   const OctokitWithPlugins = Octokit2.plugin(throttling);
   const octokit = new OctokitWithPlugins({
-    auth: token,
     throttle: {
       onRateLimit: (_retryAfter, _options, _octokit, retryCount) => {
         return retryCount <= 2;
@@ -159887,6 +160486,8 @@ function createOctokit(token) {
     return response;
   };
   octokit.hook.wrap("request", async (request2, options) => {
+    const sentToken = currentToken;
+    options.headers.authorization = `token ${sentToken}`;
     try {
       const response = await request2(options);
       onResponse(response);
@@ -159895,6 +160496,13 @@ function createOctokit(token) {
       if (isObject4(error49) && "response" in error49 && isObject4(error49.response) && "headers" in error49.response && isObject4(error49.response.headers)) {
         onResponse(error49.response);
       }
+      if (refreshAuth && isObject4(error49) && "status" in error49 && error49.status === 401) {
+        currentToken = await refreshAuth(sentToken);
+        options.headers.authorization = `token ${currentToken}`;
+        const response = await request2(options);
+        onResponse(response);
+        return response;
+      }
       throw error49;
     }
   });
@@ -160093,7 +160701,17 @@ Use \`${t2("git")}\` for local git commands (status, log, add, commit, checkout,
 - \`${t2("checkout_pr")}\` - checkout a PR branch (fetches and configures push for forks)
 - \`${t2("delete_branch")}\` - delete a remote branch (requires push: enabled)
 - \`${t2("push_tags")}\` - push tags (requires push: enabled)
-
+${ctx.signedCommits ? `
+#### Signed commits (enabled for this repository)
+
+This repository requires GitHub-signed commits, which local git commits can never satisfy. This OVERRIDES any other instruction (including mode instructions) to commit via git or push via \`${t2("push_branch")}\`:
+- Do NOT use git commit or \`${t2("push_branch")}\` for same-repo branches \u2014 both are blocked. Instead: edit files, then call \`${t2("commit_changes")}\` with a commit message. It commits every working-tree change (or a \`files\` subset) directly to the remote branch as a GitHub-signed (Verified) commit. There is no separate push step.
+- New branches: create locally as usual (git checkout -b); the remote branch is created on the first \`${t2("commit_changes")}\` call.
+- To integrate remote changes (concurrent pushes, base branch): \`${t2("git_fetch")}\`, then git merge --no-commit <ref>, resolve conflicts, git add the results, then \`${t2("commit_changes")}\` \u2014 it concludes the merge as a signed merge commit.
+- \`${t2("commit_changes")}\` commits EVERY working-tree change by default \u2014 review \`git status\` first and clean up stray artifacts (or pass \`files\`).
+- cherry-pick/revert: use \`-n\`/\`--no-commit\` so no local commit is created, then \`${t2("commit_changes")}\`.
+- Fork PRs are the exception: signing is impossible there, so commit and push normally (those commits will be unsigned).
+` : ""}
 Rules:
 - All code changes must be pushed to a pull request (new or existing) before the run ends. This environment is ephemeral \u2014 unpushed work is lost permanently. \`git status\` must be clean when you finish.
 - Protected branches (default branch) are blocked from direct pushes in restricted mode. Do not use \`git push\` directly \u2014 it will fail without credentials.
@@ -160269,7 +160887,7 @@ function resolveInstructions(ctx) {
 
 // utils/learnings.ts
 import { mkdir as mkdir2, readFile as readFile3, writeFile as writeFile2 } from "node:fs/promises";
-import { dirname as dirname4, join as join20 } from "node:path";
+import { dirname as dirname4, join as join22 } from "node:path";
 
 // utils/learningsTruncate.ts
 var MAX_LEARNINGS_LENGTH = 1e5;
@@ -160286,7 +160904,7 @@ function truncateAtLineBoundary(body, cap) {
 // utils/learnings.ts
 var LEARNINGS_FILE_NAME = "pullfrog-learnings.md";
 function learningsFilePath(tmpdir4) {
-  return join20(tmpdir4, LEARNINGS_FILE_NAME);
+  return join22(tmpdir4, LEARNINGS_FILE_NAME);
 }
 async function seedLearningsFile(params) {
   const path4 = learningsFilePath(params.tmpdir);
@@ -160706,6 +161324,10 @@ function formatTransientErrorSummary(error49, owner) {
 var core7 = __toESM(require_core(), 1);
 import assert2 from "node:assert/strict";
 var mcpTokenValue;
+var refreshMcpTokenFn;
+function getMcpTokenRefresh() {
+  return refreshMcpTokenFn;
+}
 function getJobToken() {
   const inputToken = core7.getInput("token");
   if (inputToken) {
@@ -160757,6 +161379,29 @@ async function resolveTokens(params) {
     `\xBB acquired scoped MCP token (${Object.entries(mcpPermissions).map((e) => e.join(":")).join(", ")})`
   );
   mcpTokenValue = mcpToken;
+  let currentMcpToken = mcpToken;
+  let refreshPromise;
+  refreshMcpTokenFn = (stale) => {
+    assert2(mcpTokenValue, "tokens already disposed");
+    if (stale !== currentMcpToken) {
+      return Promise.resolve(currentMcpToken);
+    }
+    refreshPromise ??= acquireNewToken({
+      permissions: mcpPermissions,
+      oidc: params.oidc ?? void 0
+    }).then((fresh) => {
+      if (isGitHubActions) {
+        core7.setSecret(fresh);
+      }
+      mcpTokenValue = fresh;
+      currentMcpToken = fresh;
+      log.warning("\xBB GitHub rejected the MCP token; re-acquired a fresh scoped MCP token");
+      return fresh;
+    }).finally(() => {
+      refreshPromise = void 0;
+    });
+    return refreshPromise;
+  };
   let disposingRef;
   const dispose = async () => {
     if (disposingRef) {
@@ -160765,9 +161410,10 @@ async function resolveTokens(params) {
     disposingRef = Promise.withResolvers();
     try {
       mcpTokenValue = void 0;
+      refreshMcpTokenFn = void 0;
       await Promise.all([
         revokeGitHubInstallationToken(gitToken),
-        revokeGitHubInstallationToken(mcpToken)
+        revokeGitHubInstallationToken(currentMcpToken)
       ]);
     } finally {
       removeSignalHandler();
@@ -160811,7 +161457,7 @@ async function reportErrorToComment(ctx) {
 
 ${ctx.error}` : ctx.error;
   const repoContext = parseRepoContext();
-  const octokit = createOctokit(getGitHubInstallationToken());
+  const octokit = createOctokit(getGitHubInstallationToken(), getMcpTokenRefresh());
   const runId = process.env.GITHUB_RUN_ID ? Number.parseInt(process.env.GITHUB_RUN_ID, 10) : void 0;
   const customParts = [];
   if (runId) {
@@ -160825,7 +161471,6 @@ ${ctx.error}` : ctx.error;
     workflowRun: runId ? { owner: repoContext.owner, repo: repoContext.name, runId } : void 0,
     customParts,
     model: ctx.toolState.model,
-    fallbackFrom: ctx.toolState.modelFallback?.from,
     oss: ctx.toolState.oss
   });
   const body = `${formattedError}${footer}`;
@@ -160892,18 +161537,15 @@ async function mintProxyKey(ctx) {
     if (error49 instanceof TransientError) throw error49;
     log.warning(`proxy key mint error: ${error49 instanceof Error ? error49.message : String(error49)}`);
     return null;
-  } finally {
-    delete process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
-    delete process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
   }
 }
 async function buildProxyTokenHeaders(ctx) {
   if (ctx.oidcCredentials) {
-    process.env.ACTIONS_ID_TOKEN_REQUEST_URL = ctx.oidcCredentials.requestUrl;
-    process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN = ctx.oidcCredentials.requestToken;
-    const oidcToken = await core8.getIDToken("pullfrog-api");
-    delete process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
-    delete process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
+    const creds = ctx.oidcCredentials;
+    const oidcToken = await retry(() => fetchIdTokenFromStash(creds), {
+      label: "ID token mint",
+      shouldRetry: isTransientTokenError
+    });
     return { Authorization: `Bearer ${oidcToken}` };
   }
   if (isLocalApiUrl()) {
@@ -160967,7 +161609,7 @@ async function runProxyResolution(ctx) {
 
 // utils/prSummary.ts
 import { mkdir as mkdir3, readFile as readFile4, writeFile as writeFile3 } from "node:fs/promises";
-import { dirname as dirname5, join as join21 } from "node:path";
+import { dirname as dirname5, join as join23 } from "node:path";
 var SUMMARY_FILE_NAME = "pullfrog-summary.md";
 var SUMMARY_SCAFFOLD = `# PR summary
 
@@ -160977,7 +161619,7 @@ var SUMMARY_SCAFFOLD = `# PR summary
 var MIN_SNAPSHOT_LENGTH = 60;
 var MAX_SNAPSHOT_LENGTH = 32768;
 function summaryFilePath(tmpdir4) {
-  return join21(tmpdir4, SUMMARY_FILE_NAME);
+  return join23(tmpdir4, SUMMARY_FILE_NAME);
 }
 async function seedSummaryFile(params) {
   const path4 = summaryFilePath(params.tmpdir);
@@ -161105,6 +161747,7 @@ var defaultSettings = {
   push: "restricted",
   shell: "restricted",
   prApproveEnabled: false,
+  signedCommits: false,
   modeInstructions: {},
   learnings: null,
   learningsHeadings: [],
@@ -161337,7 +161980,7 @@ ${input.errorMessage}
   ].join("\n");
 }
 function formatProviderModelNotFoundSummary(input) {
-  return `Pullfrog's free fallback model is no longer available in OpenCode's catalog. Add an API key for your configured model in the Pullfrog console for \`${input.owner}/${input.name}\`, or contact support if this persists.
+  return `The configured model is no longer available in OpenCode's catalog. Pick a different model in the Pullfrog console for \`${input.owner}/${input.name}\`, or contact support if this persists.
 
 \`\`\`
 ${input.raw}
@@ -161778,7 +162421,7 @@ async function main() {
     const initialOctokit = createOctokit(jobToken);
     const runContext = await resolveRunContextData({ octokit: initialOctokit, token: jobToken });
     timer.checkpoint("runContextData");
-    const tmpdir4 = createTempDirectory();
+    createTempDirectory();
     const opencodeCliPath = await agents.opencode.install();
     captureBaselineModels(opencodeCliPath);
     if (runContext.dbSecrets) {
@@ -161802,12 +162445,12 @@ async function main() {
     if (payload.event.trigger === "pull_request_synchronize") {
       toolState.beforeSha = payload.event.before_sha;
     }
-    const tokenRef = __using(_stack2, await resolveTokens({ push: payload.push }), true);
-    wipeRunnerLeakSurface();
     const oidcCredentials = process.env.ACTIONS_ID_TOKEN_REQUEST_URL && process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN ? {
       requestUrl: process.env.ACTIONS_ID_TOKEN_REQUEST_URL,
       requestToken: process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN
     } : null;
+    const tokenRef = __using(_stack2, await resolveTokens({ push: payload.push, oidc: oidcCredentials }), true);
+    wipeRunnerLeakSurface();
     if (payload.shell !== "enabled") {
       delete process.env.ACTIONS_ID_TOKEN_REQUEST_URL;
       delete process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN;
@@ -161820,7 +162463,7 @@ async function main() {
       repo: runContext.repo,
       toolState
     });
-    const octokit = createOctokit(tokenRef.mcpToken);
+    const octokit = createOctokit(tokenRef.mcpToken, getMcpTokenRefresh());
     const runInfo = await resolveRun({ octokit });
     let toolContext;
     let progressCallbackDisabled = false;
@@ -161832,13 +162475,13 @@ async function main() {
         if (payload.cwd && process.cwd() !== payload.cwd) {
           process.chdir(payload.cwd);
         }
-        const tmpdir5 = createTempDirectory();
+        const tmpdir4 = createTempDirectory();
         const originalBody = payload.event.body;
         const resolvedBody = await resolveBody({
           event: payload.event,
           octokit,
           repo: runContext.repo,
-          tmpdir: tmpdir5,
+          tmpdir: tmpdir4,
           githubToken: tokenRef.mcpToken
         });
         if (resolvedBody !== originalBody) {
@@ -161847,33 +162490,18 @@ async function main() {
             payload.prompt = payload.prompt.replace(originalBody, resolvedBody ?? "");
           }
         }
-        const gitAuthServer = __using(_stack, await startGitAuthServer(tmpdir5), true);
+        const gitAuthServer = __using(_stack, await startGitAuthServer(tmpdir4), true);
         setGitAuthServer(gitAuthServer);
-        const initialResolvedModel = payload.proxyModel ? void 0 : resolveModel({ slug: payload.model });
-        const authorized2 = getAuthorizedModels();
-        const fallback = selectFallbackModelIfNeeded({
-          resolvedModel: initialResolvedModel,
-          proxyModel: payload.proxyModel,
-          authorized: authorized2,
-          agentName: resolveAgent({ model: initialResolvedModel }).name
-        });
-        const effectiveSlug = fallback.fallback ? fallback.to : payload.model;
-        const resolvedModel = fallback.fallback ? fallback.to : initialResolvedModel;
-        if (fallback.fallback) {
-          log.warning(
-            `\xBB fell back from ${fallback.from} to ${fallback.to} \u2014 no BYOK key present in runner env. add a provider key in repo secrets to use ${fallback.from} instead.`
-          );
-          toolState.modelFallback = { from: fallback.from };
-        }
+        const resolvedModel = payload.proxyModel ? void 0 : resolveModel({ slug: payload.model });
         vertexCredentials = materializeVertexCredentials({ model: resolvedModel });
         const agent2 = resolveAgent({ model: resolvedModel });
-        const effectiveModel = payload.proxyModel ?? resolvedModel ?? effectiveSlug;
+        const effectiveModel = payload.proxyModel ?? resolvedModel ?? payload.model;
         toolState.model = effectiveModel;
-        if (!fallback.fallback && !payload.proxyModel) {
+        if (!payload.proxyModel) {
           validateAgentApiKey({
             agent: agent2,
             model: effectiveModel,
-            authorized: authorized2,
+            authorized: getAuthorizedModels(),
             owner: runContext.repo.owner,
             name: runContext.repo.name
           });
@@ -161890,7 +162518,7 @@ async function main() {
         timer.checkpoint("git");
         const pmSpec = await resolvePackageManagerSpec(process.cwd());
         if (pmSpec) {
-          await ensurePackageManager({ spec: pmSpec, binDir: packageManagerBinDir(tmpdir5) });
+          await ensurePackageManager({ spec: pmSpec, binDir: packageManagerBinDir(tmpdir4) });
         }
         timer.checkpoint("packageManager");
         const setupHook = await executeLifecycleHook({
@@ -161903,26 +162531,34 @@ async function main() {
         }
         timer.checkpoint("lifecycleHooks::setup");
         const agentId = agent2.name;
-        const modes2 = [...computeModes(agentId), ...runContext.repoSettings.modes];
+        const modes2 = [
+          ...computeModes(agentId, runContext.repoSettings.signedCommits),
+          ...runContext.repoSettings.modes
+        ];
         const outputSchema = resolveOutputSchema();
         toolContext = {
           agentId,
           repo: runContext.repo,
           payload,
           octokit,
-          githubInstallationToken: tokenRef.mcpToken,
+          // live getter so raw-token consumers (asset fetches, plan/summary-comment
+          // GETs) see the refreshed MCP token after a mid-run re-acquisition (#891)
+          get githubInstallationToken() {
+            return getGitHubInstallationToken();
+          },
           gitToken: tokenRef.gitToken,
           apiToken: runContext.apiToken,
           modes: modes2,
           postCheckoutScript: runContext.repoSettings.postCheckoutScript,
           prepushScript: runContext.repoSettings.prepushScript,
           prApproveEnabled: runContext.repoSettings.prApproveEnabled,
+          signedCommits: runContext.repoSettings.signedCommits,
           modeInstructions: runContext.repoSettings.modeInstructions,
           toolState,
           runId: runInfo.runId,
           jobId: runInfo.jobId,
           mcpServerUrl: "",
-          tmpdir: tmpdir5,
+          tmpdir: tmpdir4,
           oss: runContext.oss,
           plan: runContext.plan,
           resolvedModel
@@ -161933,7 +162569,7 @@ async function main() {
         timer.checkpoint("mcpServer");
         try {
           const learningsPath = await seedLearningsFile({
-            tmpdir: tmpdir5,
+            tmpdir: tmpdir4,
             current: runContext.repoSettings.learnings
           });
           toolState.learningsFilePath = learningsPath;
@@ -161950,7 +162586,7 @@ async function main() {
         }
         if (payload.generateSummary && payload.event.is_pr && payload.event.issue_number) {
           const previousSnapshot = await fetchPreviousSnapshot(toolContext, payload.event.issue_number);
-          const filePath = await seedSummaryFile({ tmpdir: tmpdir5, previousSnapshot });
+          const filePath = await seedSummaryFile({ tmpdir: tmpdir4, previousSnapshot });
           toolState.summaryFilePath = filePath;
           try {
             toolState.summarySeed = await readFile5(filePath, "utf8");
@@ -161970,6 +162606,7 @@ async function main() {
           modes: modes2,
           agentId,
           outputSchema,
+          signedCommits: runContext.repoSettings.signedCommits,
           learningsFilePath: toolState.learningsFilePath ?? null,
           learningsHeadings: runContext.repoSettings.learningsHeadings,
           setupHookFailure: describeSetupFailure(setupHook.failure)
@@ -161988,7 +162625,7 @@ ${instructions.user}` : null,
           log.info(instructions.full);
         });
         if (agentId === "opencode") {
-          const pluginDir = join22(process.cwd(), ".opencode", "plugin");
+          const pluginDir = join24(process.cwd(), ".opencode", "plugin");
           const hasPlugins = existsSync8(pluginDir) && readdirSync2(pluginDir).some((f) => /\.[jt]sx?$/.test(f));
           if (hasPlugins && toolState.dependencyInstallation?.promise) {
             log.info(
@@ -162043,7 +162680,7 @@ ${instructions.user}` : null,
           payload,
           resolvedModel,
           mcpServerUrl: mcpHttpServer.url,
-          tmpdir: tmpdir5,
+          tmpdir: tmpdir4,
           // PULLFROG_DATA_DIR (/var/lib/pullfrog) holds codex auth.json + any
           // future pullfrog-managed on-disk secrets. bash via MCP tmpfs-overlays
           // it; agent native FS tools deny it via the same secretDenyPaths plumbing
@@ -162319,7 +162956,7 @@ async function run(args2) {
 }
 
 // commands/init.ts
-import { execFileSync as execFileSync8 } from "node:child_process";
+import { execFileSync as execFileSync9 } from "node:child_process";
 var import_arg3 = __toESM(require_arg(), 1);
 var import_picocolors3 = __toESM(require_picocolors(), 1);
 var PULLFROG_API_URL2 = (process.env.PULLFROG_API_URL || "https://pullfrog.com").replace(
@@ -162379,7 +163016,7 @@ function handleCancel2(value2) {
 function getGhToken2() {
   let token;
   try {
-    token = execFileSync8("gh", ["auth", "token"], { encoding: "utf-8" }).trim();
+    token = execFileSync9("gh", ["auth", "token"], { encoding: "utf-8" }).trim();
   } catch {
     bail2(
       `gh cli not found or not authenticated.
@@ -162422,7 +163059,7 @@ async function ghApi(path4, token) {
 function parseGitRemote2() {
   let url4;
   try {
-    url4 = execFileSync8("git", ["remote", "get-url", "origin"], { encoding: "utf-8" }).trim();
+    url4 = execFileSync9("git", ["remote", "get-url", "origin"], { encoding: "utf-8" }).trim();
   } catch {
     bail2("not a git repository or no 'origin' remote found.");
   }
@@ -162433,10 +163070,10 @@ function parseGitRemote2() {
 function openBrowser(url4) {
   try {
     const platform = process.platform;
-    if (platform === "darwin") execFileSync8("open", [url4], { stdio: "ignore" });
+    if (platform === "darwin") execFileSync9("open", [url4], { stdio: "ignore" });
     else if (platform === "win32")
-      execFileSync8("cmd", ["/c", "start", "", url4], { stdio: "ignore" });
-    else execFileSync8("xdg-open", [url4], { stdio: "ignore" });
+      execFileSync9("cmd", ["/c", "start", "", url4], { stdio: "ignore" });
+    else execFileSync9("xdg-open", [url4], { stdio: "ignore" });
   } catch {
   }
 }
@@ -162663,7 +163300,7 @@ function setGhSecret(ctx) {
   let orgFailed = false;
   if (ctx.org) {
     try {
-      execFileSync8("gh", ["secret", "set", ctx.name, "--org", ctx.org, "--visibility", "all"], {
+      execFileSync9("gh", ["secret", "set", ctx.name, "--org", ctx.org, "--visibility", "all"], {
         input: ctx.value,
         stdio: ["pipe", "ignore", "pipe"],
         encoding: "utf-8"
@@ -162674,7 +163311,7 @@ function setGhSecret(ctx) {
     }
   }
   try {
-    execFileSync8("gh", ["secret", "set", ctx.name, "--repo", ctx.repoSlug], {
+    execFileSync9("gh", ["secret", "set", ctx.name, "--repo", ctx.repoSlug], {
       input: ctx.value,
       stdio: ["pipe", "ignore", "pipe"],
       encoding: "utf-8"
@@ -163046,7 +163683,7 @@ async function run2() {
 }
 
 // cli.ts
-var VERSION10 = "0.1.28";
+var VERSION10 = "0.1.30";
 var bin = basename2(process.argv[1] || "");
 var PROG = bin === "pf" || bin === "pullfrog" ? bin : "pullfrog";
 var rawArgs = process.argv.slice(2);