u-foo 2.2.4 → 2.3.1

package/src/agent/credentials/codex.js

@@ -8,6 +8,17 @@ const {
   parseTimestamp,
 } = require("./index");
 
+const CODEX_OAUTH_TOKEN_URL = "https://auth.openai.com/oauth/token";
+const CODEX_OAUTH_CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const DEFAULT_REFRESH_WINDOW_MS = 300 * 1000;
+const DEFAULT_LOCK_TIMEOUT_MS = 3000;
+const DEFAULT_LOCK_RETRY_MS = 25;
+const DEFAULT_STALE_LOCK_MS = 30 * 1000;
+
+function sleep(ms) {
+  return new Promise((resolve) => setTimeout(resolve, ms));
+}
+
 function defaultCodexConfigDir() {
   return path.join(os.homedir(), ".codex");
 }
@@ -19,6 +30,7 @@ function resolveCodexAuthPaths(options = {}) {
   return {
     configDir,
     authPath,
+    lockPath: `${authPath}.lock`,
   };
 }
 
@@ -34,6 +46,78 @@ function decodeJwtPayload(token = "") {
   }
 }
 
+function firstString(...values) {
+  for (const value of values) {
+    if (typeof value === "string" && value.trim()) return value.trim();
+  }
+  return "";
+}
+
+function codexAuthClaims(claims = {}) {
+  const info = claims["https://api.openai.com/auth"];
+  return info && typeof info === "object" && !Array.isArray(info) ? info : {};
+}
+
+function deriveAccountIdFromClaims(claims = {}) {
+  const info = codexAuthClaims(claims);
+  return firstString(
+    info.chatgpt_account_id,
+    info.account_id,
+    info.user_id,
+    claims.account_id,
+    claims.sub
+  );
+}
+
+function deriveEmailFromClaims(claims = {}) {
+  return firstString(claims.email);
+}
+
+function deriveExpiresAtFromClaims(claims = {}) {
+  const exp = Number(claims.exp);
+  if (!Number.isFinite(exp) || exp <= 0) return "";
+  return new Date(exp * 1000).toISOString();
+}
+
+async function withLockFile(lockPath, options = {}, fn) {
+  const fsModule = options.fsModule || fs;
+  const timeoutMs = Number.isFinite(options.timeoutMs) ? options.timeoutMs : DEFAULT_LOCK_TIMEOUT_MS;
+  const retryMs = Number.isFinite(options.retryMs) ? options.retryMs : DEFAULT_LOCK_RETRY_MS;
+  const staleMs = Number.isFinite(options.staleMs) ? options.staleMs : DEFAULT_STALE_LOCK_MS;
+  const sleepFn = typeof options.sleep === "function" ? options.sleep : sleep;
+  const startedAt = Date.now();
+
+  fsModule.mkdirSync(path.dirname(lockPath), { recursive: true, mode: 0o700 });
+
+  while ((Date.now() - startedAt) <= timeoutMs) {
+    let fd = null;
+    try {
+      fd = fsModule.openSync(lockPath, "wx", 0o600);
+      try {
+        return await fn();
+      } finally {
+        try { fsModule.closeSync(fd); } catch {}
+        try { fsModule.unlinkSync(lockPath); } catch {}
+      }
+    } catch (err) {
+      if (!err || err.code !== "EEXIST") throw err;
+      try {
+        const stat = fsModule.statSync(lockPath);
+        if ((Date.now() - stat.mtimeMs) > staleMs) {
+          fsModule.unlinkSync(lockPath);
+          continue;
+        }
+      } catch {}
+      // eslint-disable-next-line no-await-in-loop
+      await sleepFn(retryMs);
+    }
+  }
+
+  const err = new Error(`Timed out waiting for Codex OAuth lock: ${lockPath}`);
+  err.code = "CODEX_AUTH_LOCK_TIMEOUT";
+  throw err;
+}
+
 function parseCodexAuthFile(raw = {}) {
   if (!raw || typeof raw !== "object" || Array.isArray(raw)) {
     const err = new Error("Codex auth payload must be a JSON object");
@@ -42,23 +126,19 @@ function parseCodexAuthFile(raw = {}) {
   }
 
   const tokens = raw.tokens && typeof raw.tokens === "object" ? raw.tokens : null;
-  const apiKey = typeof raw.OPENAI_API_KEY === "string" ? raw.OPENAI_API_KEY : "";
-  const accessToken = tokens && typeof tokens.access_token === "string"
-    ? tokens.access_token
-    : (typeof raw.access_token === "string" ? raw.access_token : "");
-  const refreshToken = tokens && typeof tokens.refresh_token === "string"
-    ? tokens.refresh_token
-    : (typeof raw.refresh_token === "string" ? raw.refresh_token : "");
-  const idToken = tokens && typeof tokens.id_token === "string"
-    ? tokens.id_token
-    : (typeof raw.id_token === "string" ? raw.id_token : "");
-  const accountId = tokens && typeof tokens.account_id === "string"
-    ? tokens.account_id
-    : (typeof raw.account_id === "string" ? raw.account_id : "");
-  const expiresAt = typeof raw.expired === "string"
-    ? raw.expired
-    : (typeof raw.expire === "string" ? raw.expire : "");
-  const email = typeof raw.email === "string" ? raw.email : "";
+  const apiKey = firstString(raw.OPENAI_API_KEY, raw.api_key);
+  const accessToken = firstString(tokens && tokens.access_token, raw.access_token);
+  const refreshToken = firstString(tokens && tokens.refresh_token, raw.refresh_token);
+  const idToken = firstString(tokens && tokens.id_token, raw.id_token);
+  const accountId = firstString(tokens && tokens.account_id, raw.account_id);
+  const expiresAt = firstString(
+    raw.expired,
+    raw.expire,
+    raw.expires_at,
+    tokens && tokens.expired,
+    tokens && tokens.expires_at
+  );
+  const email = firstString(raw.email, tokens && tokens.email);
 
   if (!apiKey && !accessToken) {
     const err = new Error("Unsupported Codex auth schema");
@@ -85,9 +165,18 @@ class CodexUpstreamCredentialResolver {
   constructor(options = {}) {
     this.fs = options.fsModule || fs;
     this.env = options.env || process.env;
+    this.fetchImpl = options.fetchImpl || global.fetch;
     this.now = typeof options.now === "function" ? options.now : () => Date.now();
     this.paths = resolveCodexAuthPaths(options);
-    this.refreshWindowMs = Number.isFinite(options.refreshWindowMs) ? options.refreshWindowMs : 0;
+    this.refreshWindowMs = Number.isFinite(options.refreshWindowMs) ? options.refreshWindowMs : DEFAULT_REFRESH_WINDOW_MS;
+    this.autoRefresh = options.autoRefresh !== false;
+    this.refreshRetries = Number.isInteger(options.refreshRetries) && options.refreshRetries > 0
+      ? options.refreshRetries
+      : 2;
+    this.sleep = typeof options.sleep === "function" ? options.sleep : sleep;
+    this.lockTimeoutMs = Number.isFinite(options.lockTimeoutMs) ? options.lockTimeoutMs : DEFAULT_LOCK_TIMEOUT_MS;
+    this.lockRetryMs = Number.isFinite(options.lockRetryMs) ? options.lockRetryMs : DEFAULT_LOCK_RETRY_MS;
+    this.lockStaleMs = Number.isFinite(options.lockStaleMs) ? options.lockStaleMs : DEFAULT_STALE_LOCK_MS;
   }
 
   resolvePaths() {
@@ -98,19 +187,146 @@ class CodexUpstreamCredentialResolver {
     const raw = JSON.parse(this.fs.readFileSync(this.paths.authPath, "utf8"));
     const parsed = parseCodexAuthFile(raw);
     const claims = decodeJwtPayload(parsed.idToken);
-    const derivedEmail = typeof claims.email === "string" ? claims.email : "";
-    const derivedExpiresAt = Number.isFinite(Number(claims.exp))
-      ? new Date(Number(claims.exp) * 1000).toISOString()
-      : "";
+    const derivedEmail = deriveEmailFromClaims(claims);
+    const derivedAccountId = deriveAccountIdFromClaims(claims);
+    const derivedExpiresAt = deriveExpiresAtFromClaims(claims);
     const expiresAt = parsed.expiresAt || derivedExpiresAt;
     return {
       ...parsed,
       accountEmail: parsed.email || derivedEmail,
+      accountId: parsed.accountId || derivedAccountId,
       expiresAt,
       expiresAtMs: parseTimestamp(expiresAt),
     };
   }
 
+  writeAuthFile(raw) {
+    const text = `${JSON.stringify(raw, null, 2)}\n`;
+    const tmpPath = `${this.paths.authPath}.tmp-${process.pid}-${Date.now()}`;
+    this.fs.mkdirSync(path.dirname(this.paths.authPath), { recursive: true, mode: 0o700 });
+    this.fs.writeFileSync(tmpPath, text, "utf8");
+    this.fs.renameSync(tmpPath, this.paths.authPath);
+  }
+
+  async refreshTokens(refreshToken) {
+    if (typeof this.fetchImpl !== "function") {
+      const err = new Error("fetch is unavailable for Codex token refresh");
+      err.code = "CODEX_AUTH_REFRESH_UNAVAILABLE";
+      throw err;
+    }
+
+    let lastErr = null;
+    for (let attempt = 0; attempt < this.refreshRetries; attempt += 1) {
+      try {
+        const body = new URLSearchParams({
+          client_id: CODEX_OAUTH_CLIENT_ID,
+          grant_type: "refresh_token",
+          refresh_token: refreshToken,
+          scope: "openid profile email",
+        });
+        const response = await this.fetchImpl(CODEX_OAUTH_TOKEN_URL, {
+          method: "POST",
+          headers: {
+            "content-type": "application/x-www-form-urlencoded",
+            accept: "application/json",
+          },
+          body: body.toString(),
+        });
+        const text = await response.text();
+        if (!response.ok) {
+          const err = new Error(`Codex token refresh failed (${response.status}): ${text.slice(0, 500)}`);
+          err.code = "CODEX_AUTH_REFRESH_FAILED";
+          err.status = response.status;
+          throw err;
+        }
+        const payload = JSON.parse(text);
+        if (!payload || typeof payload !== "object" || !payload.access_token) {
+          const err = new Error("Codex token refresh response did not include access_token");
+          err.code = "CODEX_AUTH_REFRESH_SCHEMA_UNSUPPORTED";
+          throw err;
+        }
+        const claims = decodeJwtPayload(payload.id_token);
+        return {
+          accessToken: firstString(payload.access_token),
+          refreshToken: firstString(payload.refresh_token, refreshToken),
+          idToken: firstString(payload.id_token),
+          tokenType: firstString(payload.token_type, "Bearer"),
+          expiresAt: Number.isFinite(Number(payload.expires_in))
+            ? new Date(this.now() + Number(payload.expires_in) * 1000).toISOString()
+            : deriveExpiresAtFromClaims(claims),
+          accountId: deriveAccountIdFromClaims(claims),
+          email: deriveEmailFromClaims(claims),
+        };
+      } catch (err) {
+        lastErr = err;
+        if (err && (
+          err.code === "CODEX_AUTH_REFRESH_SCHEMA_UNSUPPORTED"
+          || String(err.message || "").toLowerCase().includes("refresh_token_reused")
+        )) {
+          throw err;
+        }
+      }
+    }
+
+    const err = new Error(lastErr && lastErr.message ? lastErr.message : "Codex token refresh failed");
+    err.code = lastErr && lastErr.code ? lastErr.code : "CODEX_AUTH_REFRESH_FAILED";
+    err.cause = lastErr;
+    throw err;
+  }
+
+  async refreshAuthRecord(record) {
+    if (!record || !record.refreshToken) {
+      const err = new Error("Codex OAuth credential is expired and has no refresh token");
+      err.code = "CODEX_AUTH_REFRESH_UNAVAILABLE";
+      throw err;
+    }
+
+    return withLockFile(this.paths.lockPath, {
+      fsModule: this.fs,
+      timeoutMs: this.lockTimeoutMs,
+      retryMs: this.lockRetryMs,
+      staleMs: this.lockStaleMs,
+      sleep: this.sleep,
+    }, async () => {
+      const currentRecord = this.readAuthFile();
+      const currentDescriptor = this.buildResolvedCredential(currentRecord);
+      if (currentDescriptor.state === "fresh") {
+        return currentRecord;
+      }
+      if (!currentRecord.refreshToken) {
+        const err = new Error("Codex OAuth credential is expired and has no refresh token");
+        err.code = "CODEX_AUTH_REFRESH_UNAVAILABLE";
+        throw err;
+      }
+
+      const refreshed = await this.refreshTokens(currentRecord.refreshToken);
+      const nextRaw = currentRecord.raw && typeof currentRecord.raw === "object" && !Array.isArray(currentRecord.raw)
+        ? { ...currentRecord.raw }
+        : {};
+      const existingTokens = nextRaw.tokens && typeof nextRaw.tokens === "object" && !Array.isArray(nextRaw.tokens)
+        ? { ...nextRaw.tokens }
+        : {};
+
+      nextRaw.tokens = {
+        ...existingTokens,
+        id_token: refreshed.idToken || existingTokens.id_token || currentRecord.idToken || "",
+        access_token: refreshed.accessToken,
+        refresh_token: refreshed.refreshToken || existingTokens.refresh_token || currentRecord.refreshToken || "",
+        account_id: refreshed.accountId || currentRecord.accountId || existingTokens.account_id || "",
+      };
+      nextRaw.last_refresh = new Date(this.now()).toISOString();
+      nextRaw.expired = refreshed.expiresAt || currentRecord.expiresAt || "";
+      if (refreshed.email || currentRecord.accountEmail || currentRecord.email) {
+        nextRaw.email = refreshed.email || currentRecord.accountEmail || currentRecord.email || "";
+      }
+      if (currentRecord.authMode && !nextRaw.auth_mode) {
+        nextRaw.auth_mode = currentRecord.authMode;
+      }
+      this.writeAuthFile(nextRaw);
+      return this.readAuthFile();
+    });
+  }
+
   buildResolvedCredential(record) {
     if (record.apiKey) {
       return buildCredentialDescriptor({
@@ -185,7 +401,17 @@ class CodexUpstreamCredentialResolver {
       }
       throw err;
     }
-    return this.buildResolvedCredential(authRecord);
+    const descriptor = this.buildResolvedCredential(authRecord);
+    if (
+      this.autoRefresh
+      && descriptor.credentialKind === "oauth"
+      && descriptor.refreshable
+      && (descriptor.state === "expired" || descriptor.state === "near_expiry")
+    ) {
+      const refreshedRecord = await this.refreshAuthRecord(authRecord);
+      return this.buildResolvedCredential(refreshedRecord);
+    }
+    return descriptor;
   }
 }
 
@@ -200,4 +426,6 @@ module.exports = {
   resolveCodexAuthPaths,
   parseCodexAuthFile,
   decodeJwtPayload,
+  deriveAccountIdFromClaims,
+  deriveExpiresAtFromClaims,
 };

package/src/agent/defaultBootstrap.js

@@ -181,9 +181,11 @@ function resolveDefaultManualBootstrap({
   const normalizedAgent = asTrimmedString(agentType).toLowerCase();
   const currentEnv = env && typeof env === "object" ? env : {};
   const currentArgs = Array.isArray(args) ? args.slice() : [];
+  const hasCodexStartupBootstrap = normalizedAgent === "codex"
+    && Boolean(currentEnv.UFOO_STARTUP_BOOTSTRAP_TEXT);
   if (
     currentEnv.UFOO_SKIP_DEFAULT_BOOTSTRAP === "1"
-    || currentEnv.UFOO_STARTUP_BOOTSTRAP_TEXT
+    || hasCodexStartupBootstrap
     || hasMetaCommandArgs(currentArgs)
   ) {
     return { args: currentArgs, env: {}, mode: "skip" };

package/src/agent/directAuthStatus.js

@@ -0,0 +1,264 @@
+"use strict";
+
+const { loadConfig } = require("../config");
+const {
+  resolveCodexAuthPaths,
+  resolveCodexUpstreamCredentials,
+} = require("./credentials/codex");
+const {
+  resolveClaudeOauthPaths,
+  resolveClaudeUpstreamCredentials,
+} = require("./credentials/claude");
+
+function normalizeRefreshWindowMs(value) {
+  const num = Number(value);
+  if (!Number.isFinite(num) || num < 0) return 300000;
+  return Math.floor(num * 1000);
+}
+
+function normalizeErrorCode(err, fallback = "DIRECT_AUTH_STATUS_FAILED") {
+  return String(err && err.code ? err.code : fallback).trim() || fallback;
+}
+
+function normalizeDirectAuthProvider(value = "") {
+  const text = String(value || "").trim().toLowerCase();
+  if (text === "claude" || text === "claude-cli" || text === "claude-code" || text === "anthropic") return "claude";
+  return "codex";
+}
+
+function formatAccount(credential = {}) {
+  const email = String(credential.accountEmail || "").trim();
+  const accountId = String(credential.accountId || "").trim();
+  if (email && accountId) return `${email} (${accountId})`;
+  if (email) return email;
+  if (accountId) return accountId;
+  return "";
+}
+
+function formatCompactAccount(status = {}) {
+  return String(status.accountEmail || status.account || status.accountId || "").trim();
+}
+
+function formatCompactExpires(value = "") {
+  const text = String(value || "").trim();
+  const match = text.match(/^(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2})/);
+  if (!match) return text;
+  return `${match[1]} ${match[2]}${text.endsWith("Z") ? "Z" : ""}`;
+}
+
+function codexTransportFromCredential(credential = {}) {
+  return credential.credentialKind === "oauth" && credential.accessToken
+    ? "codex-responses"
+    : "openai-chat";
+}
+
+async function inspectCodexDirectAuth({
+  projectRoot,
+  env = process.env,
+  fetchImpl = global.fetch,
+  loadConfigImpl = loadConfig,
+  autoRefresh = false,
+} = {}) {
+  const config = loadConfigImpl(projectRoot) || {};
+  const paths = resolveCodexAuthPaths({ authPath: config.codexAuthPath });
+  try {
+    const credential = await resolveCodexUpstreamCredentials({
+      authPath: config.codexAuthPath,
+      refreshWindowMs: normalizeRefreshWindowMs(config.codexOauthRefreshWindowSec),
+      fetchImpl,
+      env,
+      autoRefresh,
+    });
+    return {
+      ok: true,
+      provider: "codex",
+      transport: codexTransportFromCredential(credential),
+      credentialKind: String(credential.credentialKind || ""),
+      source: String(credential.source || ""),
+      state: String(credential.state || ""),
+      refreshable: credential.refreshable === true,
+      account: formatAccount(credential),
+      accountId: String(credential.accountId || ""),
+      accountEmail: String(credential.accountEmail || ""),
+      expiresAt: String(credential.expiresAt || ""),
+      credentialPath: String(credential.credentialPath || paths.authPath || ""),
+    };
+  } catch (err) {
+    return {
+      ok: false,
+      provider: "codex",
+      error: err && err.message ? err.message : "Codex direct API credentials are unavailable",
+      errorCode: normalizeErrorCode(err, "CODEX_AUTH_STATUS_FAILED"),
+      credentialPath: paths.authPath || "",
+      hint: "Run Codex login once or set OPENAI_API_KEY; ufoo-agent will not fall back to the CLI.",
+    };
+  }
+}
+
+async function inspectClaudeDirectAuth({
+  projectRoot,
+  env = process.env,
+  loadConfigImpl = loadConfig,
+} = {}) {
+  const config = loadConfigImpl(projectRoot) || {};
+  const paths = resolveClaudeOauthPaths({
+    profile: config.claudeOauthProfile,
+    tokenPath: config.claudeOauthTokenPath,
+  });
+  try {
+    const credential = await resolveClaudeUpstreamCredentials({
+      profile: config.claudeOauthProfile,
+      tokenPath: config.claudeOauthTokenPath,
+      refreshWindowMs: normalizeRefreshWindowMs(config.claudeOauthRefreshWindowSec),
+      env,
+    });
+    return {
+      ok: true,
+      provider: "claude",
+      transport: "anthropic-messages",
+      credentialKind: String(credential.credentialKind || ""),
+      source: String(credential.source || ""),
+      state: String(credential.state || ""),
+      refreshable: credential.refreshable === true,
+      profile: String(credential.profile || paths.profile || ""),
+      expiresAt: String(credential.expiresAt || ""),
+      credentialPath: String(credential.credentialPath || paths.tokenPath || ""),
+    };
+  } catch (err) {
+    return {
+      ok: false,
+      provider: "claude",
+      error: err && err.message ? err.message : "Claude direct API credentials are unavailable",
+      errorCode: normalizeErrorCode(err, "CLAUDE_AUTH_STATUS_FAILED"),
+      credentialPath: paths.tokenPath || "",
+      hint: "Use ANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN, ~/.claude/settings.json, or Claude OAuth token file; restart chat/daemon if you changed shell env.",
+    };
+  }
+}
+
+async function inspectDirectAuthStatus(options = {}) {
+  const { projectRoot, loadConfigImpl = loadConfig, provider = "" } = options;
+  const config = loadConfigImpl(projectRoot) || {};
+  const selected = normalizeDirectAuthProvider(provider || config.agentProvider || config.routerProvider || "");
+  const nextOptions = {
+    ...options,
+    loadConfigImpl: () => config,
+  };
+  if (selected === "claude") {
+    return inspectClaudeDirectAuth(nextOptions);
+  }
+  return inspectCodexDirectAuth(nextOptions);
+}
+
+function formatCodexDirectAuthStatus(status = {}, options = {}) {
+  if (options.compact === true) {
+    if (status.ok) {
+      const credential = status.credentialKind || "credential";
+      const transport = status.transport || "unknown";
+      const state = status.state || "unknown";
+      const details = [
+        status.source || "",
+        formatCompactAccount(status),
+        status.expiresAt ? `expires ${formatCompactExpires(status.expiresAt)}` : "",
+        status.refreshable ? "refreshable" : "",
+      ].filter(Boolean);
+      const lines = [
+        `Codex API: OK · ${credential}/${transport} · ${state}`,
+      ];
+      if (details.length > 0) lines.push(`  ${details.join(" · ")}`);
+      return lines;
+    }
+
+    const hint = String(status.hint || "Run Codex login once or set OPENAI_API_KEY.").replace(/;.*$/, ".");
+    return [
+      `Codex API: FAIL · ${status.errorCode || "CODEX_AUTH_STATUS_FAILED"}`,
+      `  ${status.error || "Codex direct API credentials are unavailable"} · ${hint}`,
+    ];
+  }
+
+  if (status.ok) {
+    const state = status.state || "unknown";
+    const lines = [
+      `Codex direct API: OK (${status.transport || "unknown"}, ${status.credentialKind || "credential"}, ${state})`,
+      `  - source: ${status.source || "(unknown)"}`,
+    ];
+    if (status.account) lines.push(`  - account: ${status.account}`);
+    if (status.expiresAt) lines.push(`  - expires: ${status.expiresAt}`);
+    if (status.credentialPath) lines.push(`  - path: ${status.credentialPath}`);
+    if (status.refreshable) lines.push("  - refreshable: yes");
+    return lines;
+  }
+
+  const lines = [
+    `Codex direct API: FAIL (${status.errorCode || "CODEX_AUTH_STATUS_FAILED"})`,
+    `  - ${status.error || "Codex direct API credentials are unavailable"}`,
+  ];
+  if (status.credentialPath) lines.push(`  - expected path: ${status.credentialPath}`);
+  if (status.hint) lines.push(`  - ${status.hint}`);
+  return lines;
+}
+
+function formatClaudeDirectAuthStatus(status = {}, options = {}) {
+  if (options.compact === true) {
+    if (status.ok) {
+      const credential = status.credentialKind || "credential";
+      const transport = status.transport || "anthropic-messages";
+      const state = status.state || "unknown";
+      const details = [
+        status.source || "",
+        status.profile ? `profile ${status.profile}` : "",
+        status.expiresAt ? `expires ${formatCompactExpires(status.expiresAt)}` : "",
+        status.refreshable ? "refreshable" : "",
+      ].filter(Boolean);
+      const lines = [
+        `Claude API: OK · ${credential}/${transport} · ${state}`,
+      ];
+      if (details.length > 0) lines.push(`  ${details.join(" · ")}`);
+      return lines;
+    }
+
+    const hint = String(status.hint || "Use ANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN, Claude settings, or Claude OAuth.").replace(/;.*$/, ".");
+    return [
+      `Claude API: FAIL · ${status.errorCode || "CLAUDE_AUTH_STATUS_FAILED"}`,
+      `  ${status.error || "Claude direct API credentials are unavailable"} · ${hint}`,
+    ];
+  }
+
+  if (status.ok) {
+    const state = status.state || "unknown";
+    const lines = [
+      `Claude direct API: OK (${status.transport || "anthropic-messages"}, ${status.credentialKind || "credential"}, ${state})`,
+      `  - source: ${status.source || "(unknown)"}`,
+    ];
+    if (status.profile) lines.push(`  - profile: ${status.profile}`);
+    if (status.expiresAt) lines.push(`  - expires: ${status.expiresAt}`);
+    if (status.credentialPath) lines.push(`  - path: ${status.credentialPath}`);
+    if (status.refreshable) lines.push("  - refreshable: yes");
+    return lines;
+  }
+
+  const lines = [
+    `Claude direct API: FAIL (${status.errorCode || "CLAUDE_AUTH_STATUS_FAILED"})`,
+    `  - ${status.error || "Claude direct API credentials are unavailable"}`,
+  ];
+  if (status.credentialPath) lines.push(`  - expected path: ${status.credentialPath}`);
+  if (status.hint) lines.push(`  - ${status.hint}`);
+  return lines;
+}
+
+function formatDirectAuthStatus(status = {}, options = {}) {
+  if (status.provider === "claude") {
+    return formatClaudeDirectAuthStatus(status, options);
+  }
+  return formatCodexDirectAuthStatus(status, options);
+}
+
+module.exports = {
+  inspectDirectAuthStatus,
+  inspectCodexDirectAuth,
+  inspectClaudeDirectAuth,
+  formatDirectAuthStatus,
+  formatCodexDirectAuthStatus,
+  formatClaudeDirectAuthStatus,
+  normalizeDirectAuthProvider,
+};

package/src/agent/internalRunner.js

@@ -19,6 +19,7 @@ const { resolveClaudeUpstreamCredentials } = require("./credentials/claude");
 const { buildUpstreamAuthFromCredential } = require("./credentials");
 const { listToolsForCallerTier, CALLER_TIERS } = require("../tools");
 const { redactToolCallPayload, redactSecrets } = require("../providerapi/redactor");
+const { buildCachedMemoryPrefix } = require("../memory");
 
 function sleep(ms) {
   return new Promise((resolve) => setTimeout(resolve, ms));
@@ -60,6 +61,14 @@ function safeSubscriber(subscriber) {
   return subscriber.replace(/:/g, "_");
 }
 
+function buildMemoryPrefix(projectRoot, limit = 50) {
+  try {
+    return buildCachedMemoryPrefix(projectRoot, { limit }).prefix.trim();
+  } catch {
+    return "";
+  }
+}
+
 function createBusSender(projectRoot, subscriber) {
   const eventBus = new EventBus(projectRoot);
   let sendQueue = Promise.resolve();
@@ -84,16 +93,8 @@ function createBusSender(projectRoot, subscriber) {
   return { enqueue, flush };
 }
 
-function shouldFallbackToLegacyThreadProvider(err, provider) {
-  if (provider !== "claude-cli" || !err || typeof err !== "object") {
-    return false;
-  }
-  const code = String(err.code || "").trim().toUpperCase();
-  return (
-    code === "CLAUDE_AUTH_UNAVAILABLE"
-    || code === "CLAUDE_OAUTH_SCHEMA_UNSUPPORTED"
-    || code === "ANTHROPIC_SDK_UNAVAILABLE"
-  );
+function shouldFallbackToLegacyThreadProvider() {
+  return false;
 }
 
 function drainQueue(queueFile) {
@@ -143,7 +144,10 @@ async function handleEvent(
   threadRuntime = null
 ) {
   if (!evt || !evt.data || !evt.data.message) return;
-  const prompt = evt.data.message;
+  const memoryPrefix = buildMemoryPrefix(projectRoot);
+  const prompt = memoryPrefix
+    ? `${memoryPrefix}\n\n${evt.data.message}`
+    : evt.data.message;
   const publisher = evt.publisher || "unknown";
   const sandbox = "workspace-write";
   const streamState = { emitted: false, lastChar: "" };
@@ -358,6 +362,8 @@ function buildWorkerThreadToolRuntime({ projectRoot, subscriber, observer }) {
           projectRoot,
           subscriber,
           eventBus,
+          tool_call_id: toolCall.tool_call_id || toolCall.toolCallId || "",
+          turn_id: toolCall.turn_id || toolCall.turnId || "",
         }, rawArgs);
         const safeResult = redactSecrets(result);
         emitAudit("post_call", { ...redactedPayload, result: safeResult });
@@ -407,7 +413,7 @@ function createThreadRuntime({ projectRoot, provider, model, extraArgs = [], sub
   };
 
   if (provider === "codex-cli") {
-    if (getCodexThreadMode(projectRoot) !== "sdk") {
+    if (getCodexThreadMode(projectRoot) !== "api") {
       return disabledRuntime;
     }