ummaya 0.2.4 → 0.2.6

package/tui/src/upstreamproxy/relay.ts

@@ -46,6 +46,10 @@ type WebSocketLike = Pick<
   | 'binaryType'
 >
 
+type BunWebSocketConstructor = {
+  new (url: string | URL, options?: Bun.WebSocketOptions): WebSocket
+}
+
 // Envoy per-request buffer cap. Week-1 Datadog payloads won't hit this, but
 // design for it so git-push doesn't need a relay rewrite.
 const MAX_CHUNK_BYTES = 512 * 1024
@@ -363,10 +367,10 @@ function openTunnel(
       headers,
       agent: getWebSocketProxyAgent(wsUrl),
       ...getWebSocketTLSOptions(),
-    }) as unknown as WebSocketLike
+    })
   } else {
-    ws = new globalThis.WebSocket(wsUrl, {
-      // @ts-expect-error — Bun extension; not in lib.dom WebSocket types
+    const BunWebSocket = globalThis.WebSocket as BunWebSocketConstructor
+    ws = new BunWebSocket(wsUrl, {
       headers,
       proxy: getWebSocketProxyUrl(wsUrl),
       tls: getWebSocketTLSOptions() || undefined,

package/tui/src/upstreamproxy/upstreamproxy.ts

@@ -13,7 +13,7 @@
  *      so a supervisor restart can retry)
  *   6. Exposes HTTPS_PROXY / SSL_CERT_FILE env vars for all agent subprocesses
  *
- * Every step fails open: any error logs a warning and disables the proxy.
+ * Every step fails open: each error logs a warning and disables the proxy.
  * A broken proxy setup must never break an otherwise-working session.
  *
  * Design doc: api-go/ccr/docs/plans/CCR_AUTH_DESIGN.md § "Week-1 pilot scope".

package/tui/src/utils/assistantMessageFactories.ts

@@ -1,4 +1,8 @@
-import type { BetaContentBlock, BetaUsage as Usage } from 'src/sdk-compat.js'
+import type {
+  BetaContentBlock,
+  BetaUsage as Usage,
+  ThinkingBlock,
+} from 'src/sdk-compat.js'
 import type { SDKAssistantMessageError } from 'src/entrypoints/agentSdkTypes.js'
 import { randomUUID } from 'crypto'
 import { NO_CONTENT_MESSAGE } from '../constants/messages.js'
@@ -21,6 +25,8 @@ const EMPTY_USAGE: Usage = {
   speed: null,
 }
 
+type AssistantContentBlock = BetaContentBlock | ThinkingBlock
+
 function baseCreateAssistantMessage({
   content,
   isApiErrorMessage = false,
@@ -30,7 +36,7 @@ function baseCreateAssistantMessage({
   isVirtual,
   usage = EMPTY_USAGE,
 }: {
-  content: BetaContentBlock[]
+  content: AssistantContentBlock[]
   isApiErrorMessage?: boolean
   apiError?: AssistantMessage['apiError']
   error?: SDKAssistantMessageError
@@ -68,7 +74,7 @@ export function createAssistantMessage({
   usage,
   isVirtual,
 }: {
-  content: string | BetaContentBlock[]
+  content: string | AssistantContentBlock[]
   usage?: Usage
   isVirtual?: true
 }): AssistantMessage {

package/tui/src/utils/auth.ts

@@ -1,6 +1,9 @@
+import { createHash } from 'node:crypto'
+import { execa, execaSync } from 'execa'
 import memoize from 'lodash-es/memoize.js'
 import { normalizeApiKeyForConfig } from './authPortable.js'
 import { getGlobalConfig, saveGlobalConfig } from './config.js'
+import { getClaudeConfigHomeDir } from './envUtils.js'
 
 export const FRIENDLI_PRIMARY_ENV = 'UMMAYA_FRIENDLI_TOKEN'
 export const FRIENDLI_LOGIN_REQUIRED_MESSAGE =
@@ -31,77 +34,125 @@ function normalizeFriendliApiKey(apiKey: string): string {
   return trimmed
 }
 
-export async function getClaudeAIOAuthTokens(): Promise<null> {
-  return null
+type FriendliKeychainIdentity = {
+  readonly account: string
+  readonly service: string
 }
 
-export function isClaudeAISubscriber(): boolean {
-  return false
+function getFriendliKeychainIdentity(): FriendliKeychainIdentity {
+  const configHash = createHash('sha256')
+    .update(getClaudeConfigHomeDir())
+    .digest('hex')
+    .substring(0, 16)
+  return {
+    account: `ummaya-friendli:${configHash}`,
+    service: `UMMAYA FriendliAI API Key (${configHash})`,
+  }
 }
 
-export function isConsumerSubscriber(): boolean {
-  return false
+async function saveApiKeyToMacOSKeychain(apiKey: string): Promise<boolean> {
+  if (process.platform !== 'darwin') {
+    return false
+  }
+  const identity = getFriendliKeychainIdentity()
+  const hexValue = Buffer.from(apiKey, 'utf-8').toString('hex')
+  const command = `add-generic-password -U -a "${identity.account}" -s "${identity.service}" -X "${hexValue}"\n`
+  try {
+    const result = await execa('security', ['-i'], {
+      input: command,
+      reject: false,
+    })
+    return result.exitCode === 0
+  } catch (error) {
+    if (error instanceof Error) {
+      return false
+    }
+    throw error
+  }
 }
 
-export function isMaxSubscriber(): boolean {
-  return false
+function getApiKeyFromMacOSKeychain(): null | string {
+  if (process.platform !== 'darwin') {
+    return null
+  }
+  const identity = getFriendliKeychainIdentity()
+  try {
+    const result = execaSync(
+      'security',
+      [
+        'find-generic-password',
+        '-a',
+        identity.account,
+        '-w',
+        '-s',
+        identity.service,
+      ],
+      { reject: false, stdio: ['ignore', 'pipe', 'pipe'] },
+    )
+    const stdout = result.stdout.trim()
+    return result.exitCode === 0 && stdout.length > 0 ? stdout : null
+  } catch (error) {
+    if (error instanceof Error) {
+      return null
+    }
+    throw error
+  }
 }
 
-export function isProSubscriber(): boolean {
-  return false
+async function removeApiKeyFromMacOSKeychain(): Promise<void> {
+  if (process.platform !== 'darwin') {
+    return
+  }
+  const identity = getFriendliKeychainIdentity()
+  try {
+    await execa(
+      'security',
+      ['delete-generic-password', '-a', identity.account, '-s', identity.service],
+      { reject: false },
+    )
+  } catch (error) {
+    if (error instanceof Error) {
+      return
+    }
+    throw error
+  }
 }
 
-export function isTeamSubscriber(): boolean {
-  return false
-}
+export async function getClaudeAIOAuthTokens(): Promise<null> { return null }
 
-export function isTeamPremiumSubscriber(): boolean {
-  return false
-}
+export function isClaudeAISubscriber(): boolean { return false }
 
-export function isEnterpriseSubscriber(): boolean {
-  return false
-}
+export function isConsumerSubscriber(): boolean { return false }
 
-export function isAnthropicAuthEnabled(): boolean {
-  return false
-}
+export function isMaxSubscriber(): boolean { return false }
 
-export function is1PApiCustomer(): boolean {
-  return false
-}
+export function isProSubscriber(): boolean { return false }
 
-export function isUsing3PServices(): boolean {
-  return false
-}
+export function isTeamSubscriber(): boolean { return false }
 
-export function isOverageProvisioningAllowed(): boolean {
-  return false
-}
+export function isTeamPremiumSubscriber(): boolean { return false }
 
-export function hasProfileScope(): boolean {
-  return false
-}
+export function isEnterpriseSubscriber(): boolean { return false }
 
-export function getAccountInformation(): null {
-  return null
-}
+export function isAnthropicAuthEnabled(): boolean { return false }
 
-export function getOauthAccountInfo(): null {
-  return null
-}
+export function is1PApiCustomer(): boolean { return false }
 
-export function getOauthOrgUUID(): null {
-  return null
-}
+export function isUsing3PServices(): boolean { return false }
 
-export function getSubscriptionType(): 'free' {
-  return 'free'
-}
+export function isOverageProvisioningAllowed(): boolean { return false }
 
-export function getSubscriptionName(): string {
-  return ''
-}
+export function hasProfileScope(): boolean { return false }
+
+export function getAccountInformation(): null { return null }
+
+export function getOauthAccountInfo(): null { return null }
+
+export function getOauthOrgUUID(): null { return null }
+
+export function getSubscriptionType(): 'free' { return 'free' }
+
+export function getSubscriptionName(): string { return '' }
 
 export function getAuthTokenSource(): {
   source: AuthTokenSource
@@ -110,9 +161,7 @@ export function getAuthTokenSource(): {
   return { source: 'none', hasToken: false }
 }
 
-export function getRateLimitTier(): 0 {
-  return 0
-}
+export function getRateLimitTier(): 0 { return 0 }
 
 export function getAnthropicApiKey(): null | string {
   return getAnthropicApiKeyWithSource().key
@@ -145,12 +194,13 @@ export function hasAnthropicApiKeyAuth(): boolean {
 export async function saveApiKey(apiKey: string): Promise<void> {
   const normalized = normalizeFriendliApiKey(apiKey)
   process.env[FRIENDLI_PRIMARY_ENV] = normalized
+  const savedToKeychain = await saveApiKeyToMacOSKeychain(normalized)
   saveGlobalConfig(current => {
     const truncated = normalizeApiKeyForConfig(normalized)
     const approved = current.customApiKeyResponses?.approved ?? []
     return {
       ...current,
-      primaryApiKey: normalized,
+      primaryApiKey: savedToKeychain ? undefined : normalized,
       customApiKeyResponses: {
         ...current.customApiKeyResponses,
         approved: approved.includes(truncated)
@@ -165,6 +215,7 @@ export async function saveApiKey(apiKey: string): Promise<void> {
 
 export async function removeApiKey(): Promise<void> {
   delete process.env[FRIENDLI_PRIMARY_ENV]
+  await removeApiKeyFromMacOSKeychain()
   saveGlobalConfig(current => ({
     ...current,
     primaryApiKey: undefined,
@@ -172,70 +223,47 @@ export async function removeApiKey(): Promise<void> {
   getApiKeyFromConfigOrMacOSKeychain.cache?.clear?.()
 }
 
-export function getApiKeyFromApiKeyHelper(): null {
-  return null
-}
+export function getApiKeyFromApiKeyHelper(): null { return null }
 
 export const getApiKeyFromConfigOrMacOSKeychain = memoize((): null | string => {
+  const keychainKey = getApiKeyFromMacOSKeychain()
+  if (keychainKey) {
+    return keychainKey
+  }
+
   const configKey = getGlobalConfig().primaryApiKey?.trim()
   return configKey && configKey.length > 0 ? configKey : null
 })
 
-export function getConfiguredApiKeyHelper(): null {
-  return null
-}
+export function getConfiguredApiKeyHelper(): null { return null }
 
-export function getApiKeyHelperElapsedMs(): number {
-  return 0
-}
+export function getApiKeyHelperElapsedMs(): number { return 0 }
 
-export async function checkAndRefreshOAuthTokenIfNeeded(): Promise<void> {
-  /* no-op */
-}
+export async function checkAndRefreshOAuthTokenIfNeeded(): Promise<void> {}
 
-export async function refreshAndGetAwsCredentials(): Promise<null> {
-  return null
-}
+export async function refreshAndGetAwsCredentials(): Promise<null> { return null }
 
-export async function prefetchAwsCredentialsAndBedRockInfoIfSafe(): Promise<void> {
-  /* no-op */
-}
+export async function prefetchAwsCredentialsAndBedRockInfoIfSafe(): Promise<void> {}
 
-export async function prefetchGcpCredentialsIfSafe(): Promise<void> {
-  /* no-op */
-}
+export async function prefetchGcpCredentialsIfSafe(): Promise<void> {}
 
-export async function prefetchApiKeyFromApiKeyHelperIfSafe(): Promise<void> {
-  /* no-op */
-}
+export async function prefetchApiKeyFromApiKeyHelperIfSafe(): Promise<void> {}
 
 export function clearApiKeyHelperCache(): void {
   getApiKeyFromConfigOrMacOSKeychain.cache?.clear?.()
 }
 
-export function clearAwsCredentialsCache(): void {
-  /* no-op */
-}
+export function clearAwsCredentialsCache(): void {}
 
-export function clearGcpCredentialsCache(): void {
-  /* no-op */
-}
+export function clearGcpCredentialsCache(): void {}
 
-export function clearOAuthTokenCache(): void {
-  /* no-op */
-}
+export function clearOAuthTokenCache(): void {}
 
-export async function handleOAuth401Error(): Promise<void> {
-  /* no-op */
-}
+export async function handleOAuth401Error(): Promise<void> {}
 
-export async function saveOAuthTokensIfNeeded(): Promise<void> {
-  /* no-op */
-}
+export async function saveOAuthTokensIfNeeded(): Promise<void> {}
 
-export async function validateForceLoginOrg(): Promise<{ valid: true }> {
-  return { valid: true }
-}
+export async function validateForceLoginOrg(): Promise<{ valid: true }> { return { valid: true } }
 
 export function assertFriendliApiKeyForUse(
   env: Record<string, string | undefined> = process.env,
@@ -256,48 +284,10 @@ export function assertFriendliApiKeyForUse(
   throw new Error(FRIENDLI_LOGIN_REQUIRED_MESSAGE)
 }
 
-const _default = {
-  getClaudeAIOAuthTokens,
-  isClaudeAISubscriber,
-  isConsumerSubscriber,
-  isMaxSubscriber,
-  isProSubscriber,
-  isTeamSubscriber,
-  isTeamPremiumSubscriber,
-  isEnterpriseSubscriber,
-  isAnthropicAuthEnabled,
-  is1PApiCustomer,
-  isUsing3PServices,
-  isOverageProvisioningAllowed,
-  hasProfileScope,
-  getAccountInformation,
-  getOauthAccountInfo,
-  getOauthOrgUUID,
-  getSubscriptionType,
-  getAuthTokenSource,
-  getRateLimitTier,
-  getAnthropicApiKey,
-  getAnthropicApiKeyWithSource,
-  hasAnthropicApiKeyAuth,
-  saveApiKey,
-  removeApiKey,
-  getApiKeyFromApiKeyHelper,
-  getApiKeyFromConfigOrMacOSKeychain,
-  getConfiguredApiKeyHelper,
-  getApiKeyHelperElapsedMs,
-  checkAndRefreshOAuthTokenIfNeeded,
-  refreshAndGetAwsCredentials,
-  prefetchAwsCredentialsAndBedRockInfoIfSafe,
-  prefetchGcpCredentialsIfSafe,
-  prefetchApiKeyFromApiKeyHelperIfSafe,
-  clearApiKeyHelperCache,
-  clearAwsCredentialsCache,
-  clearGcpCredentialsCache,
-  clearOAuthTokenCache,
-  handleOAuth401Error,
-  saveOAuthTokensIfNeeded,
-  validateForceLoginOrg,
-  assertFriendliApiKeyForUse,
+export default {
+  getClaudeAIOAuthTokens, isClaudeAISubscriber, isConsumerSubscriber, isMaxSubscriber, isProSubscriber, isTeamSubscriber, isTeamPremiumSubscriber, isEnterpriseSubscriber, isAnthropicAuthEnabled, is1PApiCustomer,
+  isUsing3PServices, isOverageProvisioningAllowed, hasProfileScope, getAccountInformation, getOauthAccountInfo, getOauthOrgUUID, getSubscriptionType, getAuthTokenSource, getRateLimitTier,
+  getAnthropicApiKey, getAnthropicApiKeyWithSource, hasAnthropicApiKeyAuth, saveApiKey, removeApiKey, getApiKeyFromApiKeyHelper, getApiKeyFromConfigOrMacOSKeychain, getConfiguredApiKeyHelper,
+  getApiKeyHelperElapsedMs, checkAndRefreshOAuthTokenIfNeeded, refreshAndGetAwsCredentials, prefetchAwsCredentialsAndBedRockInfoIfSafe, prefetchGcpCredentialsIfSafe, prefetchApiKeyFromApiKeyHelperIfSafe,
+  clearApiKeyHelperCache, clearAwsCredentialsCache, clearGcpCredentialsCache, clearOAuthTokenCache, handleOAuth401Error, saveOAuthTokensIfNeeded, validateForceLoginOrg, assertFriendliApiKeyForUse,
 }
-
-export default _default

package/tui/src/utils/bash/ast.ts

@@ -180,7 +180,7 @@ const SPECIAL_VAR_NAMES = new Set([
  * expansion, brace expressions).
  *
  * This set is not exhaustive — it documents KNOWN dangerous types. The real
- * safety property is the allowlist in walkArgument/walkCommand: any type NOT
+ * safety property is the allowlist in walkArgument/walkCommand: types NOT
  * explicitly handled there also triggers too-complex.
  */
 const DANGEROUS_TYPES = new Set([
@@ -355,7 +355,7 @@ function maskBracesInQuotedContexts(cmd: string): string {
         i++
       }
     } else {
-      // Unquoted: `\` escapes any next char.
+      // Unquoted: `\` escapes the next char.
       if (c === '\\' && i + 1 < cmd.length) {
         out.push(c, cmd[i + 1]!)
         i += 2
@@ -374,7 +374,7 @@ const DOLLAR = String.fromCharCode(0x24)
 
 /**
  * Parse a bash command string and extract a flat list of simple commands.
- * Returns 'too-complex' if the command uses any shell feature we can't
+ * Returns 'too-complex' if the command uses a shell feature we can't
  * statically analyze. Returns 'parse-unavailable' if tree-sitter WASM isn't
  * loaded — caller should fall back to conservative behavior.
  */
@@ -460,7 +460,7 @@ export function parseForSecurityFromAst(
 }
 
 function walkProgram(root: Node): ParseForSecurityResult {
-  // ERROR-node check folded into collectCommands — any unhandled node type
+  // ERROR-node check folded into collectCommands — each unhandled node type
   // (including ERROR) falls through to tooComplex() in the default branch.
   // Avoids a separate full-tree walk for error detection.
   const commands: SimpleCommand[] = []
@@ -477,7 +477,7 @@ function walkProgram(root: Node): ParseForSecurityResult {
 
 /**
  * Recursively collect leaf `command` nodes from a structural wrapper node.
- * Returns an error result on any disallowed node type, or null on success.
+ * Returns an error result on a disallowed node type, or null on success.
  */
 function collectCommands(
   node: Node,
@@ -485,7 +485,7 @@ function collectCommands(
   varScope: Map<string, string>,
 ): ParseForSecurityResult | null {
   if (node.type === 'command') {
-    // Pass `commands` as the innerCommands accumulator — any $() extracted
+    // Pass `commands` as the innerCommands accumulator — extracted $()
     // during walkCommand gets appended alongside the outer command.
     const result = walkCommand(node, [], commands, varScope)
     if (result.kind !== 'simple') return result
@@ -798,7 +798,7 @@ function collectCommands(
       }
       if (child.type === 'do_group') {
         // while body: recurse with scope COPY (body assignments don't leak
-        // past done). The COPY contains any `read VAR` tracking from the
+        // past done). The COPY contains `read VAR` tracking from the
         // condition (already in real varScope at this point).
         const bodyScope = new Map(varScope)
         for (const c of child.children) {
@@ -994,7 +994,7 @@ function walkTestExpr(
     case 'regex':
     case 'extglob_pattern':
       // RHS of =~ or ==/!= in [[ ]]. Pattern text only — no code execution.
-      // Parser emits these as leaf nodes with no children (any $(...) or ${...}
+      // Parser emits these as leaf nodes with no children ($(...) or ${...}
       // inside the pattern is a sibling, not a child, and is walked separately).
       argv.push(node.text)
       return null
@@ -1322,8 +1322,8 @@ function walkCommand(
   //   argv = ['git', 'push', '--force']  ← correct, path validation sees 'push'
   //   .text = 'git $SUB --force'         ← deny rule 'git push:*' doesn't match
   //
-  // Detection: any `$<identifier>` in node.text means a simple_expansion was
-  // resolved (or we'd have returned too-complex). This catches $VAR at any
+  // Detection: `$<identifier>` in node.text means a simple_expansion was
+  // resolved (or we'd have returned too-complex). This catches $VAR at each
   // position — command_name, word, string interior, concatenation part.
   // `$(...)` doesn't match (paren, not identifier start). `'$VAR'` in single
   // quotes: tree-sitter's .text includes the quotes, so a naive check would
@@ -1408,7 +1408,7 @@ function walkArgument(
   switch (node.type) {
     case 'word': {
       // Unescape backslash sequences. In unquoted context, bash's quote
-      // removal turns `\X` → `X` for any character X. tree-sitter preserves
+      // removal turns `\X` → `X` for character X. tree-sitter preserves
       // the raw text. Required for checkSemantics: `\eval` must match
       // EVAL_LIKE_BUILTINS, `\zmodload` must match ZSH_DANGEROUS_BUILTINS.
       // Also makes argv accurate: `find -exec {} \;` → argv has `;` not
@@ -1513,7 +1513,7 @@ function walkString(
   let result = ''
   let cursor = -1
   // SECURITY: Track whether the string contains a runtime-unknown
-  // placeholder ($() output or unknown-value tracked var) vs any literal
+  // placeholder ($() output or unknown-value tracked var) vs literal
   // content. A string that is ONLY a placeholder (`"$(cmd)"`, `"$VAR"`
   // where VAR holds an unknown sentinel) produces an argv element that IS
   // the placeholder — which downstream path validation resolves as a
@@ -1670,7 +1670,7 @@ const ARITH_LEAF_RE =
  *
  * When safe, the caller puts the full `$((…))` span into argv as a literal
  * string. bash will expand it to an integer at runtime; the static string
- * won't match any sensitive path/deny patterns.
+ * won't match sensitive path/deny patterns.
  */
 function walkArithmetic(node: Node): ParseForSecurityResult | null {
   for (const child of node.children) {
@@ -1863,7 +1863,7 @@ function walkVariableAssignment(
   //     scope-model gaps: `||` reset, env-prefix chain (PS4='' && PS4='$'
   //     PS4+='(id)' cmd reads stale parent value), subshell.
   //   - bash's decode_prompt_string runs BEFORE promptvars, so `\044(id)`
-  //     (octal for `$`) becomes `$(id)` at trace time — any literal-char
+  //     (octal for `$`) becomes `$(id)` at trace time — literal-char
   //     check must model prompt-escape decoding exactly.
   //   - assignment paths exist outside walkVariableAssignment (for_statement
   //     sets loopVar directly, see that handler's PS4 check).
@@ -1909,8 +1909,8 @@ function walkVariableAssignment(
   // literal `~/x`. Later `cd $VAR` → our argv `['cd','~/x']`, bash runs
   // `cd /home/user/x`. Tilde expansion also happens after `=` and `:` in
   // assignment values (e.g. PATH=~/bin:~/sbin). We can't model it — reject
-  // any value containing `~` that isn't already quoted-literal (where bash
-  // doesn't expand). Conservative: any `~` in value → reject.
+  // values containing `~` that aren't already quoted-literal (where bash
+  // doesn't expand). Conservative: `~` in value → reject.
   if (value.includes('~')) {
     return {
       kind: 'too-complex',
@@ -1955,7 +1955,7 @@ function resolveSimpleExpansion(
   if (varName === null) return tooComplex(node)
   // Tracked vars: check stored value. Literal strings (VAR=/tmp) are
   // returned DIRECTLY so downstream path validation sees the real path.
-  // Non-literal values (containing any placeholder — loop vars, $() output,
+  // Non-literal values (containing a placeholder — loop vars, $() output,
   // read vars, composites like `VAR="prefix$(cmd)"`) are ONLY safe inside
   // strings; as bare args they'd hide the runtime path/flag from validation.
   //
@@ -2228,7 +2228,7 @@ export function checkSemantics(commands: SimpleCommand[]): SemanticCheckResult {
         // SECURITY (SAST Mar 2026): the previous loop only skipped `--long`
         // flags, so `timeout -k 5 10 eval ...` broke out with name='timeout'
         // and the wrapped eval was never checked. Now handle known short
-        // flags AND fail closed on any unrecognized flag — an unknown flag
+        // flags AND fail closed on unrecognized flags — an unknown flag
         // means we can't locate the wrapped command, so we must not silently
         // fall through to name='timeout'.
         let i = 1
@@ -2351,7 +2351,7 @@ export function checkSemantics(commands: SimpleCommand[]): SemanticCheckResult {
         // SECURITY: previous handling only stripped ONE flag and fell through
         // to slice(2) for anything unrecognized, so `stdbuf --output 0 eval`
         // → ['0','eval',...] → name='0' hid eval. Now iterate all known flag
-        // forms and fail closed on any unknown flag.
+        // forms and fail closed on unknown flags.
         let i = 1
         while (i < a.length) {
           const arg = a[i]!
@@ -2390,7 +2390,7 @@ export function checkSemantics(commands: SimpleCommand[]): SemanticCheckResult {
     // UNQUOTED empty expansion at command position (`V="" && $V cmd`) is a
     // bypass: bash drops the empty field and runs `cmd` as argv[0], while
     // our name="" skips every builtin check below. resolveSimpleExpansion
-    // rejects the $V case; this catches any other path to empty argv[0]
+    // rejects the $V case; this catches other paths to empty argv[0]
     // (concatenation of empties, walkString whitespace-quirk, future bugs).
     if (name === '') {
       return {
@@ -2437,7 +2437,7 @@ export function checkSemantics(commands: SimpleCommand[]): SemanticCheckResult {
           }
         }
         // Combined short flags: `-ra` is bash shorthand for `-r -a`.
-        // Check if any danger flag character appears in a combined flag
+        // Check if a danger flag character appears in a combined flag
         // string. The danger flag's NAME operand is the next argument.
         if (
           arg.length > 2 &&
@@ -2636,7 +2636,7 @@ export function checkSemantics(commands: SimpleCommand[]): SemanticCheckResult {
         // `fc -l`, `fc -ln` list history — safe. `fc -e ed` invokes an
         // editor then executes. `fc -s [pat=rep]` RE-EXECUTES the last
         // matching command (optionally with substitution) — as dangerous
-        // as eval. Block any short-opt containing `e` or `s`.
+        // as eval. Block short-opts containing `e` or `s`.
         // to avoid introducing FPs for `fc -l` (list history).
       } else if (
         name === 'compgen' &&
@@ -2645,7 +2645,7 @@ export function checkSemantics(commands: SimpleCommand[]): SemanticCheckResult {
         // `compgen -c/-f/-v` only list completions — safe. `compgen -C cmd`
         // immediately executes cmd; `-F func` calls a shell function; `-W list`
         // word-expands its argument (including $(cmd) even from single-quoted
-        // raw_string). Block any short-opt containing C/F/W (case-sensitive:
+        // raw_string). Block short-opts containing C/F/W (case-sensitive:
         // -c/-f are safe).
       } else {
         return {

package/tui/src/utils/bash/bashParser.ts

@@ -1591,7 +1591,7 @@ function isRedirectLiteralStart(P: ParseState): boolean {
   // Shell terminators and operators
   if (c === '|' || c === '&' || c === ';' || c === '(' || c === ')')
     return false
-  // Redirect operators (< > with any suffix; <( >( handled by caller)
+  // Redirect operators (< > with suffixes; <( >( handled by caller)
   if (c === '<' || c === '>') {
     // <( >( are process substitutions — those ARE literals
     return peek(P.L, 1) === '('
@@ -1707,11 +1707,11 @@ function tryParseRedirect(P: ParseState, greedy = false): TsNode | null {
     })
     const kids = fd ? [fd, op, startNode] : [op, startNode]
     const startIdx = fd ? fd.startIndex : op.startIndex
-    // SECURITY: tree-sitter nests any pipeline/list/file_redirect appearing
+    // SECURITY: tree-sitter nests pipeline/list/file_redirect nodes appearing
     // between heredoc_start and the newline as a CHILD of heredoc_redirect.
     // `ls <<'EOF' | rm -rf /tmp/evil` must not silently drop the rm. Parse
     // trailing words and file_redirects properly (ast.ts walkHeredocRedirect
-    // fails closed on any unrecognized child via tooComplex). Pipeline / list
+    // fails closed on unrecognized children via tooComplex). Pipeline / list
     // operators (| && || ;) are structurally complex — emit ERROR so the same
     // fail-closed path rejects them.
     while (true) {
@@ -2753,7 +2753,7 @@ function parseExpansionBody(P: ParseState): TsNode[] {
       }
       // Pattern: per grammar _expansion_regex_replacement, pattern is
       // choice(regex, string, cmd_sub, seq(string, regex)). If it STARTS
-      // with ", emit (string) and any trailing chars become (regex).
+      // with ", emit (string) and trailing chars become (regex).
       // `${v//"${old}"/}` → (string(expansion)); `${v//"${c}"\//}` →
       // (string)(regex).
       if (peek(P.L) === '"') {
@@ -3468,7 +3468,7 @@ function parseCasePattern(P: ParseState): TsNode[] {
       if (peek(P.L) === c) advance(P.L)
       continue
     }
-    // Paren counting: any ( inside pattern opens a scope; don't break at ) or |
+    // Paren counting: ( inside pattern opens a scope; don't break at ) or |
     // until balanced. Handles extglob *(a|b) and nested shapes *([0-9])([0-9]).
     if (c === '(') {
       parenDepth++

package/tui/src/utils/billing.ts

@@ -19,7 +19,7 @@ export function hasConsoleBillingAccess(): boolean {
   // we already show a warning on launch in that case
   if (isSubscriber) return false
 
-  // Check if user has any form of authentication
+  // Check if user has a configured authentication source
   const authSource = getAuthTokenSource()
   const hasApiKey = getAnthropicApiKey() !== null