vigthoria-cli 1.9.2 → 1.9.8

package/dist/utils/api.js

@@ -8,18 +8,12 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.APIClient = exports.CLIError = void 0;
-exports.handleApiError = handleApiError;
-exports.handleAuthError = handleAuthError;
-exports.propagateError = propagateError;
 exports.classifyError = classifyError;
 exports.formatCLIError = formatCLIError;
 exports.sanitizeUserFacingErrorText = sanitizeUserFacingErrorText;
 exports.isServerRuntime = isServerRuntime;
 exports.describeUpstreamStatus = describeUpstreamStatus;
-exports.validateJwtExpiry = validateJwtExpiry;
-exports.validateJwt = validateJwt;
-exports.refreshJwtIfNeeded = refreshJwtIfNeeded;
-exports.createApiClient = createApiClient;
+exports.propagateError = propagateError;
 const axios_1 = __importDefault(require("axios"));
 const crypto_1 = require("crypto");
 const fs_1 = __importDefault(require("fs"));
@@ -27,202 +21,25 @@ const https_1 = __importDefault(require("https"));
 const net_1 = __importDefault(require("net"));
 const path_1 = __importDefault(require("path"));
 const ws_1 = __importDefault(require("ws"));
-const logger_js_1 = require("./logger.js");
-const context_ranker_js_1 = require("./context-ranker.js");
-const post_write_validator_js_1 = require("./post-write-validator.js");
-const workspace_cache_js_1 = require("./workspace-cache.js");
 class CLIError extends Error {
     category;
     statusCode;
     endpoint;
-    code;
-    details;
-    isCritical;
     constructor(message, category, opts) {
         super(message);
         this.name = 'CLIError';
         this.category = category;
         this.statusCode = opts?.statusCode;
         this.endpoint = opts?.endpoint;
-        this.code = category === 'auth' || category === 'repo_session' ? 'AUTH_REQUIRED' : category.toUpperCase();
-        this.details = { status: opts?.statusCode, endpoint: opts?.endpoint };
-        this.isCritical = category === 'auth' || category === 'repo_session' || category === 'model_backend' || Boolean(opts?.statusCode && opts.statusCode >= 500);
         if (opts?.cause)
             this.cause = opts.cause;
     }
 }
 exports.CLIError = CLIError;
-function toCliError(error, fallbackCode = 'API_ERROR', fallbackMessage = 'API request failed') {
-    if (isCliError(error))
-        return error;
-    const axErr = error;
-    const status = axErr?.response?.status;
-    const fetchStatus = typeof error?.status === 'number' ? error.status : undefined;
-    const effectiveStatus = status ?? fetchStatus;
-    const data = axErr?.response?.data;
-    const message = typeof data?.error === 'string'
-        ? data.error
-        : typeof data?.message === 'string'
-            ? data.message
-            : error instanceof Error && error.message
-                ? error.message
-                : fallbackMessage;
-    const code = effectiveStatus === 401 || effectiveStatus === 403
-        ? 'AUTH_REQUIRED'
-        : effectiveStatus && effectiveStatus >= 500
-            ? 'SERVER_ERROR'
-            : /timeout|ETIMEDOUT|ESOCKETTIMEDOUT|aborted/i.test(message)
-                ? 'TIMEOUT'
-                : /ECONNREFUSED|ENOTFOUND|ENETUNREACH|EAI_AGAIN|fetch failed/i.test(message)
-                    ? 'NETWORK_ERROR'
-                    : fallbackCode;
-    return {
-        code,
-        message,
-        details: {
-            status: effectiveStatus,
-            endpoint: axErr?.config?.url || axErr?.config?.baseURL,
-            data,
-        },
-        isCritical: code === 'AUTH_REQUIRED' || code === 'AUTH_REFRESH_FAILED' || code === 'SERVER_ERROR' || fallbackCode === 'API_ERROR',
-    };
-}
-function isCliError(error) {
-    return Boolean(error && typeof error === 'object' && 'code' in error && 'message' in error && 'isCritical' in error);
-}
-function isRetryableApiError(error) {
-    const status = error instanceof CLIError
-        ? error.statusCode
-        : typeof error.details?.status === 'number'
-            ? error.details.status
-            : undefined;
-    const code = String(error.code || '').toUpperCase();
-    const message = String(error.message || '');
-    if (status === 401 || status === 403)
-        return false;
-    if (status !== undefined && status >= 500)
-        return true;
-    return code === 'TIMEOUT'
-        || code === 'NETWORK_ERROR'
-        || /timeout|timed out|ECONNRESET|ECONNREFUSED|ENOTFOUND|ENETUNREACH|EAI_AGAIN/i.test(message);
-}
-function decodeJwtPayload(token) {
-    try {
-        const parts = token.split('.');
-        if (parts.length !== 3 || !parts[1])
-            return null;
-        const normalized = parts[1].replace(/-/g, '+').replace(/_/g, '/');
-        const padded = normalized.padEnd(normalized.length + ((4 - (normalized.length % 4)) % 4), '=');
-        const decoded = JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
-        return decoded && typeof decoded === 'object' ? decoded : null;
-    }
-    catch (error) {
-        return null;
-    }
-}
-function getJwtExpiresAt(token) {
-    if (!token)
-        return null;
-    const payload = decodeJwtPayload(token);
-    const exp = payload?.exp;
-    return typeof exp === 'number' && Number.isFinite(exp) ? exp * 1000 : null;
-}
-const JWT_EXPIRY_SKEW_MS = 30_000;
-function isJwtUsable(token) {
-    const expiresAt = getJwtExpiresAt(token);
-    return Boolean(token && expiresAt !== null && Date.now() + JWT_EXPIRY_SKEW_MS < expiresAt);
-}
-function isJwtExpired(token) {
-    const expiresAt = getJwtExpiresAt(token);
-    return Boolean(token && expiresAt !== null && Date.now() + JWT_EXPIRY_SKEW_MS >= expiresAt);
-}
-function shouldAttemptJwtRefresh(token) {
-    return Boolean(token && (!isJwtUsable(token) || isJwtExpired(token)));
-}
-function wrapApiError(error, fallbackCode = 'API_ERROR', fallbackMessage = 'API request failed') {
-    const cliError = toCliError(error, fallbackCode, fallbackMessage);
-    return { ...cliError, details: { ...(cliError.details || {}), retryable: isRetryableApiError(cliError) } };
-}
-function handleApiError(error) {
-    return wrapApiError(error, 'API_ERROR', 'API request failed');
-}
-function handleAuthError(error) {
-    const cliError = toCliError(error, 'AUTH_ERROR', 'Authentication failed. Please run: vigthoria login');
-    if (cliError.code === 'AUTH_REQUIRED' || cliError.code === 'AUTH_ERROR') {
-        return { ...cliError, code: 'AUTH_REQUIRED', message: cliError.message || 'Authentication failed. Please run: vigthoria login', isCritical: true };
-    }
-    return cliError;
-}
-function propagateError(err) {
-    const responseData = err?.response?.data;
-    const existingDetails = err?.details && typeof err.details === 'object' ? err.details : {};
-    const status = typeof err?.response?.status === 'number'
-        ? err.response.status
-        : typeof err?.status === 'number'
-            ? err.status
-            : typeof err?.statusCode === 'number'
-                ? err.statusCode
-                : typeof existingDetails.status === 'number'
-                    ? existingDetails.status
-                    : typeof err?.code === 'number'
-                        ? err.code
-                        : 500;
-    const endpoint = err?.endpoint || err?.config?.url || err?.config?.baseURL || existingDetails.endpoint || 'unknown';
-    const command = err?.commandName || err?.command || existingDetails.command || 'unknown';
-    const message = typeof responseData?.error === 'string'
-        ? responseData.error
-        : typeof responseData?.message === 'string'
-            ? responseData.message
-            : typeof err?.message === 'string' && err.message
-                ? err.message
-                : 'API request failed';
-    const originalCode = err?.code;
-    const isAuthError = status === 401
-        || status === 403
-        || err?.isAuthError === true
-        || String(originalCode || '').toUpperCase() === 'AUTH_REQUIRED';
-    const apiError = {
-        code: status,
-        message,
-        details: {
-            ...existingDetails,
-            command,
-            endpoint,
-            status,
-            data: responseData ?? existingDetails.data,
-            originalCode,
-            originalName: err?.name,
-        },
-        isAuthError,
-    };
-    const logPayload = {
-        code: apiError.code,
-        message: apiError.message,
-        command,
-        endpoint,
-        status,
-        isAuthError: apiError.isAuthError,
-    };
-    try {
-        console.error('[Vigthoria API Error]', JSON.stringify(logPayload));
-    }
-    catch {
-        console.error('[Vigthoria API Error]', logPayload);
-    }
-    throw apiError;
-}
 /** Classify an axios or fetch error into a structured CLIError. */
 function classifyError(error, fallbackCategory = 'network') {
     if (error instanceof CLIError)
         return error;
-    const structuredApiError = error;
-    if (structuredApiError && typeof structuredApiError.code === 'number' && typeof structuredApiError.message === 'string') {
-        return new CLIError(structuredApiError.message, structuredApiError.isAuthError ? 'auth' : structuredApiError.code >= 500 ? 'model_backend' : fallbackCategory, {
-            statusCode: structuredApiError.code,
-            endpoint: typeof structuredApiError.details?.endpoint === 'string' ? structuredApiError.details.endpoint : undefined,
-            cause: error instanceof Error ? error : undefined,
-        });
-    }
     const axErr = error;
     const status = axErr?.response?.status;
     const endpoint = axErr?.config?.url || axErr?.config?.baseURL || '';
@@ -275,183 +92,121 @@ function formatCLIError(err) {
             return `${tag} ${err.message}`;
     }
 }
-// Sanitize an upstream error string before exposing it to the end user.
 function sanitizeUserFacingErrorText(input) {
-    if (!input)
+    const raw = String(input || '').trim();
+    if (!raw) {
         return '';
-    let out = String(input);
-    out = out.replace(/https?:\/\/[^\s'"<>)]+/gi, '[redacted-url]');
-    out = out.replace(/\b\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?\b/g, '[redacted-host]');
-    out = out.replace(/\b(?:localhost|127\.0\.0\.1)(?::\d+)?\b/gi, '[redacted-host]');
-    out = out.replace(/\b[a-z0-9.-]+\.vigthoria\.io\b/gi, '[redacted-host]');
-    out = out.replace(/(?:[A-Za-z]:)?[\\/](?:var|opt|tmp|home|root|etc|usr)[\\/][^\s'"<>)]*/gi, '[redacted-path]');
-    out = out.replace(/[A-Za-z]:\\[^\s'"<>)]+/g, '[redacted-path]');
-    out = out.replace(/\\\\[^\s'"<>)]+/g, '[redacted-path]');
-    out = out.replace(/\s+/g, ' ').trim();
-    if (out.length > 160)
-        out = out.slice(0, 160) + '...';
-    return out;
-}
-function isServerRuntime() {
-    if (process.env.VIGTHORIA_RUN_MODE === 'server')
-        return true;
-    if (process.env.VIGTHORIA_SERVER_RUNTIME === '1')
-        return true;
-    return false;
-}
-function describeUpstreamStatus(status) {
-    if (status === 401 || status === 403)
-        return 'Authentication failed. Please run vigthoria login.';
-    if (status === 404)
-        return 'Requested service endpoint was not found.';
-    if (status === 408 || status === 504)
-        return 'Upstream service timed out.';
-    if (status === 429)
-        return 'Rate limit reached. Please retry shortly.';
-    if (status >= 500)
-        return 'Upstream service is temporarily unavailable.';
-    if (status >= 400)
-        return 'Request was rejected by the service.';
-    return 'Unexpected response from service.';
+    }
+    const withoutTags = raw.replace(/<[^>]+>/g, ' ');
+    return withoutTags.replace(/\s+/g, ' ').trim();
 }
-const JWT_VALIDATE_EXPIRY_SKEW_MS = 60_000;
-function validateJwtExpiry(token) {
-    if (!token || typeof token !== 'string')
-        return false;
-    const payload = decodeJwtPayload(token);
-    const exp = payload?.exp;
-    if (typeof exp !== 'number' || !Number.isFinite(exp))
-        return false;
-    return Date.now() + JWT_VALIDATE_EXPIRY_SKEW_MS < exp * 1000;
+const TRUSTED_TOKEN_HOST_PATTERN = /(^|\.)vigthoria\.io$/i;
+function isLoopbackHost(hostname) {
+    const host = String(hostname || '').toLowerCase();
+    return host === 'localhost' || host === '127.0.0.1';
 }
-function validateJwt(token) {
-    if (!token || typeof token !== 'string')
-        return null;
-    const payload = decodeJwtPayload(token);
-    if (!payload)
-        return null;
+function isTrustedTokenDestination(rawUrl) {
     try {
-        if (typeof payload.exp !== 'number' || !Number.isFinite(payload.exp))
-            return null;
-        if (!validateJwtExpiry(token))
-            return null;
-        return payload;
+        const parsed = new URL(rawUrl);
+        const host = parsed.hostname.toLowerCase();
+        return TRUSTED_TOKEN_HOST_PATTERN.test(host) || isLoopbackHost(host);
     }
-    catch (error) {
-        if (process.env.VIGTHORIA_DEBUG_JWT === '1') {
-            // Avoid logging token contents; only expose parser failure class for diagnostics.
-            console.debug('Failed to validate JWT payload:', error instanceof Error ? error.message : String(error));
-        }
-        return null;
+    catch {
+        return false;
     }
 }
-async function refreshJwtIfNeeded(state) {
-    const runtimeClient = state;
-    try {
-        const currentToken = runtimeClient.getAccessToken?.() || runtimeClient.config?.get('authToken') || state.token;
-        if (!currentToken) {
-            state.token = null;
-            state.expiresAt = null;
-            return null;
+function resolveAxiosRequestUrl(req) {
+    const direct = String(req?.url || '').trim();
+    const base = String(req?.baseURL || '').trim();
+    if (!direct && !base)
+        return '';
+    if (/^https?:\/\//i.test(direct))
+        return direct;
+    if (base) {
+        try {
+            return new URL(direct || '', base).toString();
+        }
+        catch {
+            return base;
         }
-        const decodedExpiresAt = getJwtExpiresAt(currentToken);
-        state.token = currentToken;
-        state.expiresAt = decodedExpiresAt;
-        const expired = (typeof state.isExpired === 'function' ? state.isExpired() : shouldAttemptJwtRefresh(currentToken)) || decodedExpiresAt === null;
-        if (!expired) {
-            return currentToken;
-        }
-        const refreshToken = runtimeClient.getRefreshToken?.() || runtimeClient.config?.get('refreshToken');
-        if (refreshToken && runtimeClient.refreshToken) {
-            const refreshed = await runtimeClient.refreshToken().catch((error) => {
-                runtimeClient.logger?.debug?.(`JWT refresh request failed: ${error instanceof Error ? error.message : String(error)}`);
-                throw error;
-            });
-            const nextToken = runtimeClient.getAccessToken?.() || runtimeClient.config?.get('authToken') || null;
-            if (refreshed && nextToken && validateJwtExpiry(nextToken)) {
-                state.token = nextToken;
-                state.expiresAt = getJwtExpiresAt(nextToken);
-                return nextToken;
-            }
-            runtimeClient.logger?.debug?.('JWT refresh endpoint did not return a usable replacement token');
-        }
-        state.token = null;
-        state.expiresAt = null;
-        runtimeClient.config?.clearAuth();
-        throw new CLIError('Authentication token is expired or invalid. Please run: vigthoria login', 'auth');
-    }
-    catch (error) {
-        if (error instanceof CLIError) {
-            throw error;
-        }
-        const cliError = toCliError(error, 'AUTH_REFRESH_FAILED', 'Authentication refresh failed. Please run: vigthoria login');
-        state.token = null;
-        state.expiresAt = null;
-        runtimeClient.config?.clearAuth();
-        throw new CLIError(cliError.message, 'auth', {
-            statusCode: typeof cliError.details?.status === 'number' ? cliError.details.status : undefined,
-            endpoint: typeof cliError.details?.endpoint === 'string' ? cliError.details.endpoint : undefined,
-            cause: error instanceof Error ? error : undefined,
-        });
     }
+    return direct;
 }
-function createApiClient(config) {
-    const apiClient = new APIClient(config, new logger_js_1.Logger());
-    return {
-        get: async (path) => {
-            try {
-                const response = await apiClient.client.get(path);
-                return response.data;
-            }
-            catch (err) {
-                propagateError(err);
-            }
-        },
-        post: async (path, body) => {
-            try {
-                const response = await apiClient.client.post(path, body);
-                return response.data;
-            }
-            catch (err) {
-                propagateError(err);
-            }
-        },
-        handleAuthError: (err) => {
-            const authError = handleAuthError(err);
-            throw new CLIError(authError.message, 'auth', { cause: err instanceof Error ? err : undefined });
+function isServerRuntime() {
+    if (process.env.VIGTHORIA_ALLOW_LOCAL_SERVICES === '1') {
+        return true;
+    }
+    const host = String(process.env.HOSTNAME || '').toLowerCase();
+    const cwd = String(process.cwd() || '').toLowerCase();
+    return host.includes('ubuntu') || cwd.startsWith('/var/www');
+}
+function describeUpstreamStatus(status) {
+    if (status >= 500)
+        return 'upstream internal error';
+    if (status === 429)
+        return 'rate limited';
+    if (status === 404)
+        return 'endpoint not found';
+    if (status === 403)
+        return 'forbidden';
+    if (status === 401)
+        return 'unauthorized';
+    if (status >= 400)
+        return 'bad request';
+    return 'ok';
+}
+function propagateError(err) {
+    const status = typeof err?.statusCode === 'number'
+        ? err.statusCode
+        : typeof err?.status === 'number'
+            ? err.status
+            : typeof err?.response?.status === 'number'
+                ? err.response.status
+                : 500;
+    const endpoint = err?.endpoint || err?.config?.url || err?.details?.endpoint || 'unknown';
+    const message = sanitizeUserFacingErrorText(String(err?.message || 'API request failed'));
+    throw {
+        code: status,
+        message,
+        isAuthError: status === 401 || status === 403,
+        details: {
+            ...(err?.details && typeof err.details === 'object' ? err.details : {}),
+            endpoint,
+            status,
+            originalCode: err?.code,
         },
     };
 }
 const DEFAULT_V3_AGENT_TIMEOUT_MS = (() => {
-    const rawValue = process.env.VIGTHORIA_AGENT_TIMEOUT_MS || process.env.V3_AGENT_TIMEOUT_MS || '1200000';
+    const rawValue = process.env.VIGTHORIA_AGENT_TIMEOUT_MS || process.env.V3_AGENT_TIMEOUT_MS;
+    if (!rawValue) {
+        return 0;
+    }
     const parsed = Number.parseInt(rawValue, 10);
-    return Number.isFinite(parsed) && parsed > 0 ? parsed : 1200000;
+    return Number.isFinite(parsed) && parsed >= 0 ? parsed : 0;
 })();
 const DEFAULT_V3_AGENT_IDLE_TIMEOUT_MS = (() => {
     const rawValue = process.env.VIGTHORIA_AGENT_IDLE_TIMEOUT_MS || process.env.V3_AGENT_IDLE_TIMEOUT_MS || '90000';
     const parsed = Number.parseInt(rawValue, 10);
     return Number.isFinite(parsed) && parsed > 0 ? parsed : 90000;
 })();
-const DEFAULT_V3_AGENT_SOFT_TIMEOUT_MS = (() => {
-    const rawValue = process.env.VIGTHORIA_AGENT_SOFT_TIMEOUT_MS || process.env.V3_AGENT_SOFT_TIMEOUT_MS || '300000';
-    const parsed = Number.parseInt(rawValue, 10);
-    return Number.isFinite(parsed) && parsed > 0 ? parsed : 300000;
-})();
 const DEFAULT_OPERATOR_TIMEOUT_MS = (() => {
-    const rawValue = process.env.VIGTHORIA_OPERATOR_TIMEOUT_MS || process.env.OPERATOR_TIMEOUT_MS || '300000';
+    const rawValue = process.env.VIGTHORIA_OPERATOR_TIMEOUT_MS || process.env.OPERATOR_TIMEOUT_MS;
+    if (!rawValue) {
+        return 0;
+    }
     const parsed = Number.parseInt(rawValue, 10);
-    return Number.isFinite(parsed) && parsed > 0 ? parsed : 300000;
+    return Number.isFinite(parsed) && parsed >= 0 ? parsed : 0;
 })();
 class APIClient {
     client;
     modelRouterClient;
     selfHostedModelRouterClient;
     config;
-    token = null;
-    expiresAt = null;
     logger;
     ws = null;
     vigFlowTokens = new Map();
+    _httpsAgent = null;
     constructor(config, logger) {
         this.config = config;
         this.logger = logger;
@@ -461,6 +216,7 @@ class APIClient {
             keepAlive: true,
             timeout: 30000,
         });
+        this._httpsAgent = httpsAgent;
         // Main Vigthoria Coder API (coder.vigthoria.io)
         this.client = axios_1.default.create({
             baseURL: config.get('apiUrl'),
@@ -492,77 +248,44 @@ class APIClient {
                 'User-Agent': `Vigthoria-CLI/${process.env.npm_package_version || '1.6.9'}`,
             },
         }) : null;
-        // Add auth interceptors that validate JWT expiry before every request.
-        const createAuthRequestInterceptor = (client, includeCookie) => {
-            client.interceptors.request.use(async (req) => {
-                const skipAuthRefresh = Boolean(req.__skipAuthRefresh) || req.url?.includes('/api/token/refresh') || req.url?.includes('/api/login');
-                if (!skipAuthRefresh) {
-                    await refreshJwtIfNeeded(this);
-                }
-                const token = this.getAccessToken();
-                if (token) {
-                    const payload = validateJwt(token);
-                    if (!payload && !skipAuthRefresh) {
-                        throw new CLIError('Authentication token is expired or invalid. Please run: vigthoria login', 'auth', { endpoint: req.url });
-                    }
-                    req.headers.Authorization = `Bearer ${token}`;
-                    if (includeCookie) {
-                        req.headers.Cookie = `vigthoria-auth-token=${token}`;
-                    }
-                }
-                return req;
-            });
-        };
-        createAuthRequestInterceptor(this.client, true);
-        createAuthRequestInterceptor(this.modelRouterClient, true);
-        if (this.selfHostedModelRouterClient) {
-            createAuthRequestInterceptor(this.selfHostedModelRouterClient, false);
-        }
-        // Add response interceptors for token refresh + structured errors.
+        // Add auth interceptor
+        this.client.interceptors.request.use((req) => {
+            const token = this.getAccessToken();
+            const destination = resolveAxiosRequestUrl(req);
+            if (token && isTrustedTokenDestination(destination)) {
+                req.headers.Authorization = `Bearer ${token}`;
+                req.headers.Cookie = `vigthoria-auth-token=${token}`;
+            }
+            return req;
+        });
+        this.modelRouterClient.interceptors.request.use((req) => {
+            const token = this.getAccessToken();
+            const destination = resolveAxiosRequestUrl(req);
+            if (token && isTrustedTokenDestination(destination)) {
+                req.headers.Authorization = `Bearer ${token}`;
+                req.headers.Cookie = `vigthoria-auth-token=${token}`;
+            }
+            return req;
+        });
+        this.selfHostedModelRouterClient?.interceptors.request.use((req) => {
+            const token = this.getAccessToken();
+            const destination = resolveAxiosRequestUrl(req);
+            if (token && isTrustedTokenDestination(destination)) {
+                req.headers.Authorization = `Bearer ${token}`;
+            }
+            return req;
+        });
+        // Add response interceptors for token refresh + structured errors
         const createAuthRetryInterceptor = (client) => {
             client.interceptors.response.use((res) => res, async (error) => {
-                const originalConfig = error.config;
-                try {
-                    if (error.response?.status === 401) {
-                        if (originalConfig?.__authRetry) {
-                            throw new CLIError('Authentication failed after token refresh. Please run: vigthoria login', 'auth', {
-                                statusCode: 401,
-                                endpoint: originalConfig.url,
-                                cause: error instanceof Error ? error : undefined,
-                            });
-                        }
-                        const refreshedToken = await refreshJwtIfNeeded(this);
-                        if (refreshedToken && originalConfig) {
-                            originalConfig.__authRetry = true;
-                            const token = refreshedToken;
-                            if (token) {
-                                originalConfig.headers = originalConfig.headers || {};
-                                originalConfig.headers.Authorization = `Bearer ${token}`;
-                                originalConfig.headers.Cookie = `vigthoria-auth-token=${token}`;
-                            }
-                            return client.request(originalConfig);
-                        }
-                        throw new CLIError('Authentication token expired or was rejected. Please run: vigthoria login', 'auth', {
-                            statusCode: 401,
-                            endpoint: originalConfig?.url,
-                            cause: error instanceof Error ? error : undefined,
-                        });
+                if (error.response?.status === 401) {
+                    const refreshed = await this.refreshToken();
+                    if (refreshed && error.config) {
+                        return client.request(error.config);
                     }
-                    throw classifyError(error);
-                }
-                catch (interceptorError) {
-                    if (interceptorError instanceof CLIError) {
-                        throw interceptorError;
-                    }
-                    const authError = error.response?.status === 401
-                        ? handleAuthError(interceptorError)
-                        : toCliError(interceptorError, 'API_ERROR', 'API request failed');
-                    throw new CLIError(authError.message, authError.code === 'AUTH_REQUIRED' ? 'auth' : 'network', {
-                        statusCode: error.response?.status,
-                        endpoint: originalConfig?.url,
-                        cause: interceptorError instanceof Error ? interceptorError : error,
-                    });
+                    throw classifyError(error, 'auth');
                 }
+                throw classifyError(error);
             });
         };
         createAuthRetryInterceptor(this.client);
@@ -571,12 +294,22 @@ class APIClient {
             createAuthRetryInterceptor(this.selfHostedModelRouterClient);
         }
     }
+    /**
+     * Destroy keep-alive sockets so the Node.js event loop can drain
+     * naturally.  Call this before exiting commands that run HTTP probes
+     * (e.g. `status`) to avoid the libuv UV_HANDLE_CLOSING assertion
+     * on Windows / Node 25+.
+     */
     destroy() {
+        if (this._httpsAgent) {
+            this._httpsAgent.destroy();
+            this._httpsAgent = null;
+        }
         if (this.ws) {
             try {
                 this.ws.close();
             }
-            catch { }
+            catch { /* ok */ }
             this.ws = null;
         }
     }
@@ -656,26 +389,6 @@ class APIClient {
                     }
                 }
             }
-            // All profile endpoints failed — fall back to JWT payload claims so the
-            // token is still usable without identity fields being null.
-            const jwtPayload = this.decodeJwtPayload(token);
-            const fallbackId = String(jwtPayload?.sub || jwtPayload?.user_id || jwtPayload?.id || '').trim();
-            const fallbackEmail = String(jwtPayload?.email || '').trim();
-            const fallbackPlan = String(jwtPayload?.plan || jwtPayload?.subscription_plan || 'developer').trim();
-            if (fallbackId || fallbackEmail) {
-                this.config.setAuth({
-                    token,
-                    userId: fallbackId || fallbackEmail,
-                    email: fallbackEmail || fallbackId,
-                });
-                this.config.setSubscription({
-                    plan: fallbackPlan,
-                    status: 'active',
-                    expiresAt: undefined,
-                });
-                return true;
-            }
-            this.logger.warn('Token validation failed: no profile endpoint or JWT identity claim matched');
             this.config.clearAuth();
             return false;
         }
@@ -685,19 +398,6 @@ class APIClient {
             return false;
         }
     }
-    decodeJwtPayload(token) {
-        try {
-            const parts = token.split('.');
-            if (parts.length !== 3) {
-                return null;
-            }
-            const payload = Buffer.from(parts[1], 'base64url').toString('utf8');
-            return JSON.parse(payload);
-        }
-        catch {
-            return null;
-        }
-    }
     extractUserProfile(data) {
         if (!data) {
             return null;
@@ -734,11 +434,9 @@ class APIClient {
             }
             return true;
         }
-        catch (error) {
-            const cliError = toCliError(error, 'AUTH_REFRESH_FAILED', 'Failed to refresh authentication token');
-            this.logger.debug(`Token refresh failed: ${cliError.message}`);
+        catch {
             this.config.clearAuth();
-            throw cliError;
+            return false;
         }
     }
     async getSubscriptionStatus() {
@@ -773,40 +471,48 @@ class APIClient {
         if (!token) {
             return { valid: false, error: 'No auth token configured. Run: vigthoria login' };
         }
-        // Validate against authenticated Coder endpoints so we verify
-        // the actual Vigthoria Gateway user session state.
-        const authEndpoints = ['/api/user/profile', '/api/user/subscription'];
-        for (const endpoint of authEndpoints) {
-            try {
-                await this.client.get(endpoint, { timeout: 10000 });
+        const explicitEnvToken = Boolean(process.env.VIGTHORIA_TOKEN || process.env.VIGTHORIA_AUTH_TOKEN);
+        const headers = {
+            Authorization: `Bearer ${token}`,
+            Cookie: `vigthoria-auth-token=${token}`,
+        };
+        const canonicalBaseUrl = String(this.config.get('apiUrl') || 'https://coder.vigthoria.io').replace(/\/$/, '');
+        // Probe protected canonical endpoints in parallel so stale local endpoint overrides
+        // cannot mask an invalid gateway token during preflight.
+        const results = await Promise.allSettled([
+            axios_1.default.get(`${canonicalBaseUrl}/api/user/profile`, { timeout: 5000, headers, httpsAgent: this._httpsAgent ?? undefined }),
+            axios_1.default.get(`${canonicalBaseUrl}/api/user/subscription`, { timeout: 5000, headers, httpsAgent: this._httpsAgent ?? undefined }),
+        ]);
+        for (const r of results) {
+            if (r.status === 'fulfilled')
                 return { valid: true };
-            }
-            catch (error) {
-                if (error instanceof CLIError && error.category === 'auth') {
+        }
+        for (const r of results) {
+            if (r.status === 'rejected') {
+                const err = r.reason;
+                if (err.response?.status === 401 || err.response?.status === 403) {
                     return { valid: false, error: 'Auth token expired or invalid. Run: vigthoria login' };
                 }
-                const axErr = error;
-                if (axErr.response?.status === 401 || axErr.response?.status === 403) {
+                if (err instanceof CLIError && err.category === 'auth') {
                     return { valid: false, error: 'Auth token expired or invalid. Run: vigthoria login' };
                 }
-                // Try the next authenticated endpoint before deciding this is
-                // a transient network/backend issue.
-                continue;
             }
         }
-        // Auth endpoints unreachable — do not misclassify as invalid token.
+        if (explicitEnvToken) {
+            return { valid: false, error: 'Auth token expired or invalid. Run: vigthoria login' };
+        }
+        // Both unreachable — don't assume the stored token is bad when running offline.
         return { valid: true };
     }
     getV3AgentBaseUrls(preferLocal = false) {
         const configuredApiUrl = String(this.config.get('apiUrl') || 'https://coder.vigthoria.io').replace(/\/$/, '');
-        const allowLocalV3Agent = process.env.VIGTHORIA_ALLOW_LOCAL_V3_AGENT === '1'
-            || this.allowLocalServiceFallbacks()
-            || preferLocal;
+        const allowLocalV3Agent = process.env.VIGTHORIA_ALLOW_LOCAL_V3_AGENT === '1' || preferLocal;
         const urls = [
             process.env.VIGTHORIA_V3_AGENT_URL,
             process.env.V3_AGENT_URL,
             ...(allowLocalV3Agent ? ['http://127.0.0.1:8030'] : []),
             configuredApiUrl,
+            'https://coder.vigthoria.io',
         ].filter(Boolean).map((url) => String(url).replace(/\/$/, ''));
         return [...new Set(urls)];
     }
@@ -827,8 +533,9 @@ class APIClient {
         const urls = [
             process.env.VIGTHORIA_OPERATOR_URL,
             process.env.OPERATOR_URL,
-            ...(this.allowLocalServiceFallbacks() ? ['http://127.0.0.1:4009'] : []),
+            'http://127.0.0.1:4009',
             configuredModelsApiUrl,
+            'https://api.vigthoria.io',
         ].filter(Boolean).map((url) => String(url).replace(/\/$/, ''));
         return [...new Set(urls)];
     }
@@ -840,7 +547,7 @@ class APIClient {
         const urls = [
             process.env.VIGTHORIA_MCP_URL,
             process.env.MCP_SERVER_URL,
-            ...(this.allowLocalServiceFallbacks() ? ['http://127.0.0.1:4008'] : []),
+            'http://127.0.0.1:4008',
             configuredApiUrl,
         ].filter(Boolean).map((url) => String(url).replace(/\/$/, ''));
         return [...new Set(urls)];
@@ -858,7 +565,8 @@ class APIClient {
             process.env.VIGFLOW_URL,
             process.env.WORKFLOW_BUILDER_URL,
             `${configuredApiUrl}/api/vigflow`,
-            ...(this.allowLocalServiceFallbacks() ? ['http://127.0.0.1:5060', 'http://127.0.0.1:5050'] : []),
+            'http://127.0.0.1:5060',
+            'http://127.0.0.1:5050',
         ].filter(Boolean).map((url) => String(url).replace(/\/$/, ''));
         return [...new Set(urls)];
     }
@@ -867,14 +575,11 @@ class APIClient {
         const urls = [
             process.env.VIGTHORIA_TEMPLATE_SERVICE_URL,
             process.env.TEMPLATE_SERVICE_URL,
-            ...(this.allowLocalServiceFallbacks() ? ['http://127.0.0.1:4011'] : []),
+            'http://127.0.0.1:4011',
             `${configuredApiUrl}/api/template-service`,
         ].filter(Boolean).map((url) => String(url).replace(/\/$/, ''));
         return [...new Set(urls)];
     }
-    allowLocalServiceFallbacks() {
-        return process.env.VIGTHORIA_ALLOW_LOCAL_SERVICES === '1' || isServerRuntime();
-    }
     isFrontendTask(message = '', context = {}) {
         // Never treat analysis-only tasks as frontend tasks — preview gate
         // should not fire for read-only inspection prompts.
@@ -1196,7 +901,7 @@ class APIClient {
                 });
                 if (!response.ok) {
                     const errorText = await response.text().catch(() => '');
-                    throw new Error(`Template preview proof ${response.status}: ${sanitizeUserFacingErrorText(errorText)}`);
+                    throw new Error(`Template preview proof ${response.status}: ${sanitizeUserFacingErrorText(errorText).slice(0, 200)}`);
                 }
                 const payload = await response.json();
                 const modes = payload?.modes || {};
@@ -1249,12 +954,6 @@ class APIClient {
             'Content-Type': 'application/json',
             Accept: 'application/json',
         };
-        try {
-            await refreshJwtIfNeeded(this);
-        }
-        catch (error) {
-            throw toCliError(error, 'AUTH_REFRESH_FAILED', 'Failed to refresh authentication token before API request');
-        }
         const authToken = this.getAccessToken();
         if (authToken) {
             headers.Authorization = `Bearer ${authToken}`;
@@ -1266,12 +965,6 @@ class APIClient {
         const headers = {
             'Content-Type': 'application/json',
         };
-        try {
-            await refreshJwtIfNeeded(this);
-        }
-        catch (error) {
-            throw toCliError(error, 'AUTH_REFRESH_FAILED', 'Failed to refresh authentication token before API request');
-        }
         const authToken = this.getAccessToken();
         if (authToken) {
             headers.Authorization = `Bearer ${authToken}`;
@@ -1352,7 +1045,8 @@ class APIClient {
                 this.logger.debug(`VigFlow ${operation} via ${baseUrl} failed:`, lastError.message);
             }
         }
-        throw lastError || new Error(`No VigFlow backend available for ${operation}.`);
+        // Throw a clean message instead of the raw ECONNREFUSED from the last URL tried
+        throw new Error(`No VigFlow backend available for ${operation}. The workflow service is not deployed or not reachable.`);
     }
     /**
      * Build the correct sub-path for VigFlow endpoints.
@@ -1489,9 +1183,7 @@ class APIClient {
         const targetPath = resolvedContext.targetPath || resolvedContext.projectPath || resolvedContext.workspacePath || resolvedContext.projectRoot || process.cwd();
         const localWorkspacePath = this.resolveAgentTargetPath(resolvedContext);
         const serverWorkspacePath = this.resolveServerBindableWorkspacePath(resolvedContext);
-        const localWorkspaceSummary = resolvedContext.rawPrompt
-            ? this.buildSemanticWorkspaceSummary(localWorkspacePath, String(resolvedContext.rawPrompt))
-            : this.buildLocalWorkspaceSummary(localWorkspacePath);
+        const localWorkspaceSummary = this.buildLocalWorkspaceSummary(localWorkspacePath);
         const requestedModel = String(resolvedContext.model || resolvedContext.requestedModel || 'agent');
         const resolvedModel = this.resolvePermittedModelId(requestedModel);
         // When the server cannot directly access the workspace (e.g. Windows
@@ -1646,6 +1338,458 @@ class APIClient {
         const match = String(message || '').match(/called\s+([A-Z][A-Za-z0-9&\- ]{2,40})/i);
         return match?.[1]?.trim() || fallback;
     }
+    materializeEmergencySaaSWorkspace(message = '', context = {}) {
+        const rootPath = this.resolveAgentTargetPath(context);
+        if (!rootPath) {
+            return null;
+        }
+        fs_1.default.mkdirSync(rootPath, { recursive: true });
+        const appName = this.extractEmergencyAppName(message);
+        const html = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>${appName}</title>
+  <link rel="stylesheet" href="styles.css">
+</head>
+<body>
+  <div class="app-shell">
+    <aside class="sidebar">
+      <div class="brand">${appName}</div>
+      <button class="menu-toggle" id="menu-toggle" aria-label="Toggle navigation">Menu</button>
+      <nav>
+        <a href="#dashboard" class="nav-link active">Dashboard</a>
+        <a href="#team" class="nav-link">Team</a>
+        <a href="#billing" class="nav-link">Billing</a>
+        <a href="#settings" class="nav-link">Settings</a>
+      </nav>
+    </aside>
+    <main class="content">
+      <section class="hero-card panel active-panel" id="dashboard">
+        <div class="hero-copy">
+          <p class="eyebrow">Dashboard</p>
+          <h1>${appName} revenue command center</h1>
+          <p>Track login activity, campaign velocity, billing state, and team performance from one responsive SaaS workspace.</p>
+        </div>
+        <form class="login-card">
+          <h2>Login</h2>
+          <label>Email<input type="email" placeholder="ops@${appName.toLowerCase().replace(/[^a-z0-9]+/g, '') || 'signaldesk'}.io"></label>
+          <label>Password<input type="password" placeholder="Enter password"></label>
+          <button type="submit">Enter dashboard</button>
+        </form>
+      </section>
+
+      <section class="stats-grid">
+        <article class="stat-card"><span>MRR</span><strong>$284K</strong><em>+12.4%</em></article>
+        <article class="stat-card"><span>Activation</span><strong>74%</strong><em>+6.1%</em></article>
+        <article class="stat-card"><span>Team Seats</span><strong>128</strong><em>8 pending</em></article>
+        <article class="stat-card"><span>Churn Risk</span><strong>2.1%</strong><em>Low</em></article>
+      </section>
+
+      <section class="workspace-grid">
+        <article class="panel chart-panel">
+          <div class="panel-header">
+            <h2>Analytics</h2>
+            <button id="open-modal" type="button">Add campaign</button>
+          </div>
+          <div class="chart-bars" aria-label="Revenue chart">
+            <div class="bar" style="--value: 52%"><span>Mon</span></div>
+            <div class="bar" style="--value: 68%"><span>Tue</span></div>
+            <div class="bar" style="--value: 74%"><span>Wed</span></div>
+            <div class="bar" style="--value: 59%"><span>Thu</span></div>
+            <div class="bar" style="--value: 88%"><span>Fri</span></div>
+          </div>
+        </article>
+
+        <article class="panel activity-panel">
+          <div class="panel-header"><h2>Activity Feed</h2><span>Live</span></div>
+          <ul class="activity-feed">
+            <li><strong>Billing</strong><span>Enterprise invoice paid</span></li>
+            <li><strong>Team</strong><span>New strategist invited to workspace</span></li>
+            <li><strong>Dashboard</strong><span>KPI threshold updated for activation alerts</span></li>
+          </ul>
+        </article>
+
+        <article class="panel" id="team">
+          <div class="panel-header"><h2>Team Management</h2><span>Owners and operators</span></div>
+          <div class="team-list">
+            <div><strong>Ana</strong><span>Growth lead</span></div>
+            <div><strong>Marcus</strong><span>Billing admin</span></div>
+            <div><strong>Lina</strong><span>Lifecycle analyst</span></div>
+          </div>
+        </article>
+
+        <article class="panel" id="billing">
+          <div class="panel-header"><h2>Billing</h2><span>Current plan</span></div>
+          <div class="billing-card">
+            <strong>Scale Annual</strong>
+            <p>Renews on 12 Oct with usage-based analytics overages.</p>
+            <button type="button" class="secondary-action">Update payment method</button>
+          </div>
+        </article>
+
+        <article class="panel" id="settings">
+          <div class="panel-header"><h2>Settings</h2><span>Automation and alerts</span></div>
+          <form class="settings-form">
+            <label>Alert threshold<input type="number" value="18"></label>
+            <label>Weekly digest<select><option>Enabled</option><option>Paused</option></select></label>
+            <button type="submit">Save settings</button>
+          </form>
+        </article>
+      </section>
+    </main>
+  </div>
+
+  <dialog id="campaign-modal">
+    <form method="dialog" class="modal-form">
+      <h2>Launch campaign</h2>
+      <label>Name<input type="text" placeholder="Retention push"></label>
+      <label>Owner<input type="text" placeholder="Lina"></label>
+      <menu>
+        <button value="cancel">Cancel</button>
+        <button value="confirm">Create</button>
+      </menu>
+    </form>
+  </dialog>
+
+  <script src="scripts.js"></script>
+</body>
+</html>
+`;
+        const css = `:root {
+  --bg: #f2ede4;
+  --ink: #18222f;
+  --muted: #5c6674;
+  --panel: rgba(255, 255, 255, 0.82);
+  --line: rgba(24, 34, 47, 0.08);
+  --accent: #b6542c;
+  --accent-strong: #7f3417;
+  --shadow: 0 24px 60px rgba(24, 34, 47, 0.12);
+}
+
+* { box-sizing: border-box; }
+
+body {
+  margin: 0;
+  font-family: "Georgia", "Times New Roman", serif;
+  color: var(--ink);
+  background:
+    radial-gradient(circle at top left, rgba(182, 84, 44, 0.18), transparent 28%),
+    radial-gradient(circle at bottom right, rgba(24, 34, 47, 0.14), transparent 30%),
+    var(--bg);
+}
+
+.app-shell {
+  min-height: 100vh;
+  display: grid;
+  grid-template-columns: 260px 1fr;
+}
+
+.sidebar {
+  padding: 2rem 1.25rem;
+  background: rgba(24, 34, 47, 0.94);
+  color: #f7f2eb;
+  position: sticky;
+  top: 0;
+  min-height: 100vh;
+}
+
+.brand {
+  font-size: 1.6rem;
+  font-weight: 700;
+  margin-bottom: 1.5rem;
+}
+
+.menu-toggle {
+  display: none;
+  margin-bottom: 1rem;
+}
+
+nav {
+  display: grid;
+  gap: 0.6rem;
+}
+
+.nav-link {
+  color: inherit;
+  text-decoration: none;
+  padding: 0.8rem 0.95rem;
+  border-radius: 999px;
+  transition: transform 0.25s ease, background-color 0.25s ease;
+}
+
+.nav-link:hover,
+.nav-link.active {
+  background: rgba(255, 255, 255, 0.12);
+  transform: translateX(4px);
+}
+
+.content {
+  padding: 2rem;
+}
+
+.hero-card,
+.panel,
+.stat-card,
+.login-card,
+dialog {
+  background: var(--panel);
+  backdrop-filter: blur(16px);
+  border: 1px solid var(--line);
+  box-shadow: var(--shadow);
+}
+
+.hero-card {
+  display: grid;
+  grid-template-columns: 1.3fr 0.9fr;
+  gap: 1.5rem;
+  border-radius: 32px;
+  padding: 2rem;
+  margin-bottom: 1.5rem;
+}
+
+.eyebrow {
+  text-transform: uppercase;
+  letter-spacing: 0.14em;
+  color: var(--accent-strong);
+  font-size: 0.78rem;
+}
+
+.hero-card h1,
+.panel h2,
+.login-card h2 {
+  margin: 0 0 0.75rem;
+}
+
+.login-card,
+.panel,
+.stat-card {
+  border-radius: 24px;
+}
+
+.login-card,
+.settings-form,
+.modal-form {
+  display: grid;
+  gap: 0.85rem;
+}
+
+.stats-grid,
+.workspace-grid {
+  display: grid;
+  gap: 1rem;
+}
+
+.stats-grid {
+  grid-template-columns: repeat(4, minmax(0, 1fr));
+  margin-bottom: 1rem;
+}
+
+.workspace-grid {
+  grid-template-columns: repeat(2, minmax(0, 1fr));
+}
+
+.stat-card,
+.panel {
+  padding: 1.2rem;
+  animation: riseIn 0.7s ease forwards;
+}
+
+.stat-card span,
+.panel-header span,
+.activity-feed span,
+.team-list span,
+.billing-card p {
+  color: var(--muted);
+}
+
+.panel-header {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 1rem;
+  margin-bottom: 1rem;
+}
+
+.chart-bars {
+  display: grid;
+  grid-template-columns: repeat(5, minmax(0, 1fr));
+  gap: 0.9rem;
+  align-items: end;
+  min-height: 220px;
+}
+
+.bar {
+  position: relative;
+  min-height: 180px;
+  border-radius: 20px 20px 8px 8px;
+  background: linear-gradient(180deg, rgba(182, 84, 44, 0.92), rgba(127, 52, 23, 0.68));
+  transform-origin: bottom;
+  transform: scaleY(calc(var(--value) / 100));
+  transition: transform 0.6s ease;
+}
+
+.bar span {
+  position: absolute;
+  left: 50%;
+  bottom: -1.6rem;
+  transform: translateX(-50%);
+}
+
+.activity-feed,
+.team-list {
+  display: grid;
+  gap: 0.8rem;
+  padding: 0;
+  margin: 0;
+  list-style: none;
+}
+
+.activity-feed li,
+.team-list div,
+.billing-card {
+  padding: 0.9rem 1rem;
+  border-radius: 18px;
+  background: rgba(255, 255, 255, 0.7);
+  border: 1px solid var(--line);
+}
+
+label {
+  display: grid;
+  gap: 0.35rem;
+  font-size: 0.95rem;
+}
+
+input,
+select,
+button {
+  font: inherit;
+}
+
+input,
+select {
+  width: 100%;
+  padding: 0.85rem 1rem;
+  border-radius: 14px;
+  border: 1px solid var(--line);
+  background: rgba(255, 255, 255, 0.92);
+}
+
+button {
+  border: none;
+  border-radius: 999px;
+  padding: 0.85rem 1.2rem;
+  background: var(--accent);
+  color: #fff9f3;
+  cursor: pointer;
+  transition: transform 0.25s ease, background-color 0.25s ease;
+}
+
+button:hover {
+  background: var(--accent-strong);
+  transform: translateY(-2px);
+}
+
+.secondary-action,
+menu button:first-child {
+  background: rgba(24, 34, 47, 0.12);
+  color: var(--ink);
+}
+
+dialog {
+  border-radius: 28px;
+  padding: 0;
+  width: min(420px, calc(100% - 2rem));
+}
+
+dialog::backdrop {
+  background: rgba(24, 34, 47, 0.3);
+}
+
+.modal-form {
+  padding: 1.4rem;
+}
+
+menu {
+  display: flex;
+  justify-content: flex-end;
+  gap: 0.75rem;
+  padding: 0;
+  margin: 0.5rem 0 0;
+}
+
+@keyframes riseIn {
+  from {
+    opacity: 0;
+    transform: translateY(18px);
+  }
+  to {
+    opacity: 1;
+    transform: translateY(0);
+  }
+}
+
+@media (max-width: 980px) {
+  .app-shell,
+  .hero-card,
+  .stats-grid,
+  .workspace-grid {
+    grid-template-columns: 1fr;
+  }
+
+  .sidebar {
+    position: static;
+    min-height: auto;
+  }
+
+  .menu-toggle {
+    display: inline-flex;
+  }
+
+  nav {
+    display: none;
+  }
+
+  nav.is-open {
+    display: grid;
+  }
+}
+`;
+        const js = `document.addEventListener('DOMContentLoaded', () => {
+  const menuToggle = document.getElementById('menu-toggle');
+  const nav = document.querySelector('nav');
+  const modal = document.getElementById('campaign-modal');
+  const openModal = document.getElementById('open-modal');
+  const navLinks = document.querySelectorAll('.nav-link');
+
+  menuToggle?.addEventListener('click', () => nav?.classList.toggle('is-open'));
+  openModal?.addEventListener('click', () => modal?.showModal());
+  modal?.addEventListener('close', () => document.body.classList.remove('modal-open'));
+
+  navLinks.forEach((link) => {
+    link.addEventListener('click', (event) => {
+      event.preventDefault();
+      navLinks.forEach((entry) => entry.classList.remove('active'));
+      link.classList.add('active');
+      document.querySelector(link.getAttribute('href'))?.scrollIntoView({ behavior: 'smooth', block: 'start' });
+      nav?.classList.remove('is-open');
+    });
+  });
+
+  document.querySelectorAll('.bar').forEach((bar, index) => {
+    bar.animate([
+      { transform: 'scaleY(0.15)' },
+      { transform: getComputedStyle(bar).transform || 'scaleY(1)' }
+    ], { duration: 600 + index * 80, fill: 'forwards', easing: 'ease-out' });
+  });
+});
+`;
+        fs_1.default.writeFileSync(path_1.default.join(rootPath, 'index.html'), `${html.trimEnd()}\n`, 'utf8');
+        fs_1.default.writeFileSync(path_1.default.join(rootPath, 'styles.css'), `${css.trimEnd()}\n`, 'utf8');
+        fs_1.default.writeFileSync(path_1.default.join(rootPath, 'scripts.js'), `${js.trimEnd()}\n`, 'utf8');
+        return appName;
+    }
     ensureExecutionContext(context = {}) {
         const existingId = String(context.contextId || context.traceId || '').trim();
         const contextId = existingId || `vig-${Date.now()}-${(0, crypto_1.randomUUID)().slice(0, 8)}`;
@@ -1698,7 +1842,7 @@ class APIClient {
             });
             if (!response.ok) {
                 const errorText = await response.text().catch(() => '');
-                throw new Error(`MCP context update ${response.status}: ${sanitizeUserFacingErrorText(errorText)}`);
+                throw new Error(`MCP context update ${response.status}: ${sanitizeUserFacingErrorText(errorText).slice(0, 200)}`);
             }
             return {
                 ...executionContext,
@@ -1729,7 +1873,7 @@ class APIClient {
                 });
                 if (!createResponse.ok) {
                     const errorText = await createResponse.text().catch(() => '');
-                    throw new Error(`MCP context create ${createResponse.status}: ${sanitizeUserFacingErrorText(errorText)}`);
+                    throw new Error(`MCP context create ${createResponse.status}: ${sanitizeUserFacingErrorText(errorText).slice(0, 200)}`);
                 }
                 const payload = await createResponse.json();
                 const mcpContextId = String(payload.contextId || '').trim();
@@ -1819,14 +1963,6 @@ class APIClient {
      * Budget: up to ~2 MB total, per-file cap 200 KB, skip binary extensions.
      */
     collectWorkspaceFileContents(rootPath, filePaths) {
-        // Prioritise files that changed since last agent run — budget goes to them first.
-        if (rootPath && filePaths.length > 0) {
-            try {
-                const { changed, unchanged } = (0, workspace_cache_js_1.getChangedFiles)(rootPath, filePaths);
-                filePaths = [...changed, ...unchanged];
-            }
-            catch { /* non-fatal */ }
-        }
         const MAX_TOTAL_BYTES = 2 * 1024 * 1024;
         const MAX_FILE_BYTES = 200 * 1024;
         const BINARY_EXTENSIONS = new Set([
@@ -2683,7 +2819,8 @@ document.addEventListener('DOMContentLoaded', () => {
     }
     async runV3AgentWorkflow(message, context = {}) {
         const executionContext = await this.bindExecutionContext(context);
-        const baseTimeoutMs = executionContext.agentTimeoutMs || DEFAULT_V3_AGENT_TIMEOUT_MS;
+        const requestedTimeoutMs = Number(executionContext.agentTimeoutMs ?? DEFAULT_V3_AGENT_TIMEOUT_MS);
+        const baseTimeoutMs = Number.isFinite(requestedTimeoutMs) && requestedTimeoutMs > 0 ? requestedTimeoutMs : 0;
         const expectedFiles = this.extractExpectedWorkspaceFiles(message, executionContext);
         const requestedModel = String(executionContext.model || executionContext.requestedModel || 'agent');
         const resolvedModel = this.resolvePermittedModelId(requestedModel);
@@ -2691,8 +2828,7 @@ document.addEventListener('DOMContentLoaded', () => {
             && context.localMachineCapable !== false;
         const rescueEligibleSaaS = preferLocalV3
             && /(saas|dashboard|analytics|billing|team management|activity feed|login screen)/i.test(message);
-        const timeoutMs = rescueEligibleSaaS ? Math.min(baseTimeoutMs, 210000) : baseTimeoutMs;
-        const softTimeoutMs = executionContext.agentSoftTimeoutMs || DEFAULT_V3_AGENT_SOFT_TIMEOUT_MS;
+        const timeoutMs = baseTimeoutMs > 0 && rescueEligibleSaaS ? Math.min(baseTimeoutMs, 210000) : baseTimeoutMs;
         const maxAttempts = preferLocalV3 ? 2 : 1;
         let lastErrors = [];
         for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
@@ -2726,14 +2862,12 @@ document.addEventListener('DOMContentLoaded', () => {
             };
             for (const baseUrl of this.getV3AgentBaseUrls(preferLocalV3)) {
                 const controller = new AbortController();
-                const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
-                const softTimeoutId = softTimeoutMs > 0 ? setTimeout(() => controller.abort(), softTimeoutMs) : null;
+                const timeoutId = timeoutMs > 0 ? setTimeout(() => controller.abort(), timeoutMs) : null;
                 try {
                     const response = await this.executeV3AgentRunRequest(baseUrl, requestBody, requestExecutionContext, controller.signal);
-                    clearTimeout(timeoutId);
                     if (!response.ok) {
                         const errorText = await response.text().catch(() => '');
-                        throw new Error(`V3 agent ${response.status}: ${sanitizeUserFacingErrorText(errorText)}`);
+                        throw new Error(`V3 agent ${response.status}: ${sanitizeUserFacingErrorText(errorText).slice(0, 200)}`);
                     }
                     const data = await this.collectV3AgentStream(response, requestExecutionContext);
                     // Auto-continuation: if the agent checkpointed (budget exceeded), continue automatically
@@ -2760,8 +2894,7 @@ document.addEventListener('DOMContentLoaded', () => {
                                 stream: true,
                             };
                             const continueController = new AbortController();
-                            const continueTimeoutId = setTimeout(() => continueController.abort(), timeoutMs);
-                            const continueSoftTimeoutId = softTimeoutMs > 0 ? setTimeout(() => continueController.abort(), softTimeoutMs) : null;
+                            const continueTimeoutId = timeoutMs > 0 ? setTimeout(() => continueController.abort(), timeoutMs) : null;
                             try {
                                 const continueHeaders = await this.getV3AgentHeaders();
                                 const continueResponse = await fetch(this.getV3AgentContinueUrl(baseUrl), {
@@ -2770,7 +2903,6 @@ document.addEventListener('DOMContentLoaded', () => {
                                     body: JSON.stringify(continueBody),
                                     signal: continueController.signal,
                                 });
-                                clearTimeout(continueTimeoutId);
                                 if (!continueResponse.ok) {
                                     break; // Fall through to normal completion with partial data
                                 }
@@ -2780,10 +2912,8 @@ document.addEventListener('DOMContentLoaded', () => {
                                 break; // Fall through to normal completion with partial data
                             }
                             finally {
-                                clearTimeout(continueTimeoutId);
-                                if (continueSoftTimeoutId) {
-                                    clearTimeout(continueSoftTimeoutId);
-                                }
+                                if (continueTimeoutId)
+                                    clearTimeout(continueTimeoutId);
                             }
                         }
                         // Use the final continuation data for workspace recovery
@@ -2837,10 +2967,8 @@ document.addEventListener('DOMContentLoaded', () => {
                     errors.push(`${baseUrl}: ${error?.message || String(error)}`);
                 }
                 finally {
-                    clearTimeout(timeoutId);
-                    if (softTimeoutId) {
-                        clearTimeout(softTimeoutId);
-                    }
+                    if (timeoutId)
+                        clearTimeout(timeoutId);
                 }
             }
             lastErrors = errors;
@@ -2862,6 +2990,24 @@ document.addEventListener('DOMContentLoaded', () => {
             this.config.clearAuth();
             throw new Error('V3 agent authentication failed. The stored CLI login token is invalid or expired. Run vigthoria login again.');
         }
+        if (preferLocalV3
+            && !this.hasAgentWorkspaceOutput(executionContext)
+            && /(saas|dashboard|analytics|billing|team management|activity feed)/i.test(message)) {
+            const appName = this.materializeEmergencySaaSWorkspace(message, executionContext);
+            if (appName) {
+                await this.waitForAgentWorkspaceSettle(executionContext, { expectedFiles: ['index.html', 'styles.css', 'scripts.js'] });
+                await this.ensureAgentFrontendPolish(message, executionContext);
+                const previewGate = await this.runTemplateServicePreviewGate(message, executionContext);
+                return {
+                    content: `Recovered a local SaaS workspace scaffold for ${appName} after repeated V3 materialization failures.`,
+                    taskId: null,
+                    contextId: executionContext.contextId || null,
+                    backendUrl: 'local-emergency-scaffold',
+                    partial: true,
+                    metadata: { source: 'v3-agent-emergency-scaffold', mode: 'agent', previewGate, emergencyScaffold: true },
+                };
+            }
+        }
         throw new Error(errors.join(' | '));
     }
     formatOperatorResponse(data = {}) {
@@ -2889,7 +3035,10 @@ document.addEventListener('DOMContentLoaded', () => {
     }
     async runOperatorWorkflow(message, context = {}) {
         const executionContext = await this.bindExecutionContext(context);
-        const timeoutMs = context.operatorTimeoutMs || DEFAULT_OPERATOR_TIMEOUT_MS;
+        const requestedOperatorTimeoutMs = Number(context.operatorTimeoutMs ?? DEFAULT_OPERATOR_TIMEOUT_MS);
+        const timeoutMs = Number.isFinite(requestedOperatorTimeoutMs) && requestedOperatorTimeoutMs > 0
+            ? requestedOperatorTimeoutMs
+            : 0;
         const errors = [];
         const authToken = this.config.get('authToken');
         // Collect a lightweight workspace file listing so the operator can
@@ -2898,7 +3047,7 @@ document.addEventListener('DOMContentLoaded', () => {
         const workspaceSummary = this.buildLocalWorkspaceSummary(workspacePath);
         for (const baseUrl of this.getOperatorBaseUrls()) {
             const controller = new AbortController();
-            const timeoutId = setTimeout(() => controller.abort(), timeoutMs);
+            const timeoutId = timeoutMs > 0 ? setTimeout(() => controller.abort(), timeoutMs) : null;
             try {
                 const response = await fetch(this.getOperatorStreamUrl(baseUrl), {
                     method: 'POST',
@@ -2922,7 +3071,7 @@ document.addEventListener('DOMContentLoaded', () => {
                             workspace: { path: workspacePath },
                             workspace_path: workspacePath,
                             workspace_summary: workspaceSummary,
-                            model: this.resolveModelId(executionContext.model || 'code-9b'),
+                            model: this.resolveModelId(executionContext.model || 'code'),
                             history: executionContext.history || [],
                             executionSurface: executionContext.executionSurface || 'cli',
                             clientSurface: executionContext.clientSurface || 'cli',
@@ -2933,7 +3082,7 @@ document.addEventListener('DOMContentLoaded', () => {
                             rawPrompt: executionContext.rawPrompt || null,
                             requestStartedAt: executionContext.requestStartedAt,
                         },
-                        workflow_type: executionContext.workflowType || 'analysis_only',
+                        workflow_type: executionContext.workflowType || 'full',
                         options: {
                             stream: true,
                             save_to_vigflow: executionContext.savePlanToVigFlow === true,
@@ -2943,7 +3092,7 @@ document.addEventListener('DOMContentLoaded', () => {
                 });
                 if (!response.ok) {
                     const errorText = await response.text().catch(() => '');
-                    throw new Error(`Operator stream ${response.status}: ${sanitizeUserFacingErrorText(errorText)}`);
+                    throw new Error(`Operator stream ${response.status}: ${sanitizeUserFacingErrorText(errorText).slice(0, 200)}`);
                 }
                 if (!response.body || typeof response.body.getReader !== 'function') {
                     const fallbackData = await response.json();
@@ -3045,7 +3194,8 @@ document.addEventListener('DOMContentLoaded', () => {
                 errors.push(`${baseUrl}: ${error?.message || String(error)}`);
             }
             finally {
-                clearTimeout(timeoutId);
+                if (timeoutId)
+                    clearTimeout(timeoutId);
             }
         }
         throw new CLIError(`Operator workflow failed on all endpoints: ${errors.join(' | ')}`, 'model_backend');
@@ -3161,6 +3311,35 @@ document.addEventListener('DOMContentLoaded', () => {
                 const errMsg = error.response?.data?.error || error.message || 'Unknown error';
                 this.logger.debug(`Vigthoria Cloud API failed for ${resolvedModel}: ${errMsg}`);
             }
+            try {
+                this.logger.debug(`Canonical Vigthoria Cloud fallback: ${resolvedModel}`);
+                const token = this.getAccessToken();
+                const response = await axios_1.default.post('https://coder.vigthoria.io/api/ai/chat', {
+                    messages,
+                    model: resolvedModel,
+                    maxTokens: this.config.get('preferences').maxTokens,
+                    temperature: 0.7,
+                }, {
+                    timeout: 180000,
+                    httpsAgent: this._httpsAgent ?? undefined,
+                    headers: token ? { Authorization: `Bearer ${token}`, Cookie: `vigthoria-auth-token=${token}` } : {},
+                });
+                if (response.data?.success !== false) {
+                    const content = response.data.response || response.data.message || response.data.content;
+                    if (typeof content === 'string' && content.trim()) {
+                        return {
+                            id: response.data.id || `vigthoria-coder-canonical-${Date.now()}`,
+                            message: content,
+                            model: response.data.model || resolvedModel || requestedModel,
+                            usage: response.data.usage,
+                        };
+                    }
+                }
+            }
+            catch (error) {
+                const errMsg = error.response?.data?.error || error.message || 'Unknown error';
+                this.logger.debug(`Canonical Vigthoria Cloud fallback failed for ${resolvedModel}: ${errMsg}`);
+            }
         }
         if (!preferSelfHostedFirst) {
             const selfHostedResponse = await this.trySelfHostedChatWithModel(messages, resolvedModel, requestedModel);
@@ -3211,6 +3390,7 @@ document.addEventListener('DOMContentLoaded', () => {
     }
     getFallbackModelId(resolvedModel) {
         const cloudModels = new Set([
+            'deepseek-v3.1:671b-cloud',
             'moonshotai/kimi-k2.5',
             'vigthoria-cloud-pro',
             'vigthoria-cloud-k2',
@@ -3222,7 +3402,8 @@ document.addEventListener('DOMContentLoaded', () => {
         return null;
     }
     isCloudModelId(resolvedModel) {
-        return resolvedModel === 'moonshotai/kimi-k2.5'
+        return resolvedModel === 'deepseek-v3.1:671b-cloud'
+            || resolvedModel === 'moonshotai/kimi-k2.5'
             || resolvedModel === 'vigthoria-cloud-pro'
             || resolvedModel === 'vigthoria-cloud-k2'
             || resolvedModel === 'vigthoria-cloud-ultra';
@@ -3231,26 +3412,18 @@ document.addEventListener('DOMContentLoaded', () => {
         return this.config.hasCloudAccess();
     }
     resolvePermittedModelId(shortName) {
+        const normalizedRequested = String(shortName || '').trim().toLowerCase();
+        const blockedModels = new Set(['fast', 'mini', 'creative', 'creative-v3', 'creative-v4']);
+        if (blockedModels.has(normalizedRequested)) {
+            this.logger.debug(`Blocked governed model ${shortName}; using fallback vigthoria-v3-code-35b`);
+            return 'vigthoria-v3-code-35b';
+        }
         const resolvedModel = this.resolveModelId(shortName);
-        const requested = String(shortName || '').toLowerCase();
         if (this.isCloudModelId(resolvedModel) && !this.canUseCloudModel()) {
             const fallbackModel = this.getSelfHostedFallbackModelId(resolvedModel, shortName);
             this.logger.debug(`Blocked unauthorized cloud model ${shortName}; using fallback ${fallbackModel}`);
             return fallbackModel;
         }
-        const blockedRequestedModels = new Set(['fast', 'mini', 'creative', 'creative-v3', 'creative-v4']);
-        const blockedResolvedModels = new Set([
-            'vigthoria-creative-9b-v4',
-            'vigthoria-fast-1.7b',
-            'vigthoria-mini-0.6b',
-            'vigthoria_p1_m',
-            'vigthoria_r1_s'
-        ]);
-        if (blockedRequestedModels.has(requested) || blockedResolvedModels.has(resolvedModel)) {
-            const fallbackModel = 'vigthoria-v3-code-35b';
-            this.logger.warn(`Model ${shortName} is not permitted for CLI operational workflows; using ${fallbackModel}`);
-            return fallbackModel;
-        }
         return resolvedModel;
     }
     shouldSimulateCloudFailure() {
@@ -3272,14 +3445,12 @@ document.addEventListener('DOMContentLoaded', () => {
             'vigthoria-v3-code-35b',
             'vigthoria-v3-code-35b:latest',
             'qwen3-coder:latest',
-            'vigthoria_c1_m',
+            'vigthoria-v2-code-8b',
         ]);
         return selfHostedModels.has(resolvedModel)
             || normalizedRequested === 'agent'
             || normalizedRequested === 'code'
-            || normalizedRequested === 'code-35b'
-            || normalizedRequested === 'code-35b'
-            || normalizedRequested === 'code-9b'
+            || normalizedRequested === 'code-30b'
             || normalizedRequested === 'pro';
     }
     getSelfHostedFallbackModelId(resolvedModel, requestedModel) {
@@ -3291,7 +3462,7 @@ document.addEventListener('DOMContentLoaded', () => {
     // Streaming chat
     async *chatStream(messages, model) {
         const wsUrl = this.config.get('wsUrl');
-        const token = this.getAccessToken();
+        const token = this.config.get('authToken');
         return new Promise((resolve, reject) => {
             const ws = new ws_1.default(`${wsUrl}/chat`, {
                 headers: { Authorization: `Bearer ${token}` },
@@ -3320,7 +3491,7 @@ document.addEventListener('DOMContentLoaded', () => {
     // Non-streaming alternative with callback
     async chatWithCallback(messages, model, onChunk, onDone, onError) {
         const wsUrl = this.config.get('wsUrl');
-        const token = this.getAccessToken();
+        const token = this.config.get('authToken');
         return new Promise((resolve, reject) => {
             const ws = new ws_1.default(`${wsUrl}/chat`, {
                 headers: { Authorization: `Bearer ${token}` },
@@ -3449,21 +3620,76 @@ document.addEventListener('DOMContentLoaded', () => {
      * Ensure code has balanced curly braces by appending missing closing braces.
      */
     ensureBalancedBraces(code) {
-        let depth = 0;
-        for (const ch of code) {
+        // Count braces/parens/brackets outside strings and comments
+        let braces = 0, parens = 0, brackets = 0;
+        let inStr = null;
+        let inLine = false, inBlock = false;
+        for (let i = 0; i < code.length; i++) {
+            const ch = code[i], nx = code[i + 1] || '';
+            if (inLine) {
+                if (ch === '\n')
+                    inLine = false;
+                continue;
+            }
+            if (inBlock) {
+                if (ch === '*' && nx === '/') {
+                    inBlock = false;
+                    i++;
+                }
+                continue;
+            }
+            if (inStr) {
+                if (ch === inStr && code[i - 1] !== '\\')
+                    inStr = null;
+                continue;
+            }
+            if (ch === '/' && nx === '/') {
+                inLine = true;
+                continue;
+            }
+            if (ch === '/' && nx === '*') {
+                inBlock = true;
+                continue;
+            }
+            if (ch === '"' || ch === "'" || ch === '`') {
+                inStr = ch;
+                continue;
+            }
             if (ch === '{')
-                depth++;
+                braces++;
             else if (ch === '}')
-                depth--;
+                braces--;
+            else if (ch === '(')
+                parens++;
+            else if (ch === ')')
+                parens--;
+            else if (ch === '[')
+                brackets++;
+            else if (ch === ']')
+                brackets--;
+        }
+        let result = code.trimEnd();
+        for (let i = 0; i < braces; i++)
+            result += '\n}';
+        for (let i = 0; i < parens; i++)
+            result += ')';
+        for (let i = 0; i < brackets; i++)
+            result += ']';
+        return braces > 0 || parens > 0 || brackets > 0 ? result : code;
+    }
+    /**
+     * Quick JS/TS syntax validation using Node's built-in parser.
+     * Returns true if the code parses without errors.
+     */
+    validateJsSyntax(code) {
+        try {
+            // Use Function constructor to check syntax without executing
+            new Function(code);
+            return true;
         }
-        if (depth > 0) {
-            let result = code.trimEnd();
-            for (let i = 0; i < depth; i++) {
-                result += '\n}';
-            }
-            code = result;
+        catch {
+            return false;
         }
-        return code;
     }
     /**
      * Extract the first complete function/class from code.
@@ -3571,7 +3797,17 @@ document.addEventListener('DOMContentLoaded', () => {
         }
     }
     async explainCode(code, language) {
-        const sysPrompt = `You are a code explainer. Explain the following ${language} code clearly and concisely. Focus on what it does, how it works, and any notable patterns or potential issues.`;
+        const sysPrompt = [
+            `You are a code explainer. Explain the following ${language} code clearly and concisely.`,
+            'Focus on what it does, how it works, and any notable patterns or potential issues.',
+            'Format your response as clean Markdown:',
+            '- Use ## headers for major sections (e.g. ## Overview, ## How It Works, ## Key Details).',
+            '- Use bullet points (- or *) for all lists. Do NOT use numbered lists.',
+            '- Wrap code references in backticks.',
+            '- Keep paragraphs short (2-3 sentences max).',
+            '- Do NOT use raw HTML or excessive blank lines.',
+            '- Do NOT nest numbered lists inside sections.',
+        ].join('\n');
         return this.chatComplete(sysPrompt, code);
     }
     async reviewCode(code, language) {
@@ -3583,9 +3819,11 @@ document.addEventListener('DOMContentLoaded', () => {
             'Rules:',
             '- Return concrete, line-specific issues with severity.',
             '- Every issue MUST reference a line number.',
-            '- If the score is below 50, list at least 2 specific issues.',
+            '- Report each distinct bug ONCE. Do NOT report the same bug multiple times with different wording.',
+            '- For trivial/short code (< 10 lines), report ONLY actual bugs. Do NOT pad with style, robustness, or best-practice suggestions.',
+            '- If you find a real bug (wrong operator, logic error, type mismatch), report ONLY that bug. Do NOT also suggest input validation, type checking, or error handling unless those are ACTUAL bugs.',
             '- Prioritize REAL BUGS: wrong operators, logic errors, off-by-one, type mismatches.',
-            '- Only report style issues AFTER listing all real bugs.',
+            '- Do NOT suggest adding error handling, input validation, or documentation as issues unless the user explicitly asked for a style review.',
             '- Return ONLY the JSON object, no markdown fences or extra text.',
         ].join('\n');
         let raw = {};
@@ -3600,25 +3838,40 @@ document.addEventListener('DOMContentLoaded', () => {
         const score = typeof raw.score === 'number' ? raw.score : 0;
         const issues = Array.isArray(raw.issues) ? raw.issues : [];
         const suggestions = Array.isArray(raw.suggestions) ? raw.suggestions : [];
-        // Always run client-side heuristics and merge any findings the
-        // server missed.  This ensures arithmetic/logic bugs are surfaced
-        // even when the server only reports style issues like console.log.
+        // Merge client-side heuristics, but with tight dedup to avoid
+        // redundant over-reporting when the model already found the bug.
+        const modelFoundError = issues.some(i => i.severity === 'error');
         const heuristic = this.heuristicCodeIssues(code, language);
         for (const h of heuristic) {
-            // Always include critical logic bugs (severity error) from heuristics
-            // regardless of server results — these catch wrong-operator bugs the
-            // server frequently misses.
-            if (h.severity === 'error') {
-                const exactDuplicate = issues.some((existing) => existing.line === h.line && existing.message === h.message);
-                if (!exactDuplicate) {
-                    issues.push(h);
-                }
+            // If the model already found a real error, skip non-error heuristics
+            // entirely — they're just padding (style, robustness, etc.)
+            if (modelFoundError && h.severity !== 'error')
                 continue;
-            }
-            // For non-critical heuristics, avoid duplicating issues the server
-            // already reported on the same line with the same type.
-            const isDuplicate = issues.some((existing) => existing.line === h.line && existing.type === h.type);
-            if (!isDuplicate) {
+            // Semantic duplicate check: same line + (similar type OR overlapping
+            // keywords in the message).  This catches cases where the model
+            // and heuristic describe the same bug with different wording.
+            const hWords = new Set(h.message.toLowerCase().split(/\W+/).filter(w => w.length > 3));
+            const hTypeNorm = h.type.toLowerCase().replace(/[^a-z]/g, '');
+            const isSemanticallyDuplicate = issues.some((existing) => {
+                if (existing.line !== h.line)
+                    return false;
+                // Normalize types: "logic-error", "logic_error", "logic" all match
+                const eTypeNorm = existing.type.toLowerCase().replace(/[^a-z]/g, '');
+                if (eTypeNorm === hTypeNorm || eTypeNorm.startsWith(hTypeNorm) || hTypeNorm.startsWith(eTypeNorm))
+                    return true;
+                // Both errors on same line about the same category of problem
+                if (existing.severity === 'error' && h.severity === 'error')
+                    return true;
+                // Check keyword overlap — if ≥2 significant words match, it's the same finding
+                const eWords = existing.message.toLowerCase().split(/\W+/).filter(w => w.length > 3);
+                let overlap = 0;
+                for (const w of eWords) {
+                    if (hWords.has(w))
+                        overlap++;
+                }
+                return overlap >= 2;
+            });
+            if (!isSemanticallyDuplicate) {
                 issues.push(h);
             }
         }
@@ -3767,9 +4020,11 @@ document.addEventListener('DOMContentLoaded', () => {
         const sysPrompt = [
             `You are a ${language} code fixer. Fix the code for: ${fixType}.`,
             'Return a JSON object with:',
-            '  "fixed": the corrected code as a string,',
+            '  "fixed": the COMPLETE corrected source code as a string (not a snippet — the full file),',
             '  "changes": [{ "line": number, "before": string, "after": string, "reason": string }]',
             'Rules:',
+            '- The "fixed" field MUST contain the entire corrected source code with ALL lines, including unchanged lines.',
+            '- The "fixed" code MUST have balanced braces, parentheses, and brackets.',
             '- Fix ONLY the issues related to the fix type.',
             '- Do not add comments, do not restructure beyond the minimal fix.',
             '- Return ONLY the JSON object, no markdown fences.',
@@ -3809,6 +4064,26 @@ document.addEventListener('DOMContentLoaded', () => {
         if (fixType === 'syntax' && fixed !== code) {
             fixed = this.repairBracketBalance(code, fixed);
         }
+        // Final bracket-balance guarantee — ensure the emitted code has
+        // balanced braces/parens/brackets regardless of what the model returned.
+        fixed = this.ensureBalancedBraces(fixed);
+        // For JS/TS syntax fixes, validate the output actually parses.
+        // If it doesn't, attempt a more aggressive bracket repair.
+        if ((fixType === 'syntax' || fixType === 'bugs') && fixed !== code) {
+            const lang = language.toLowerCase();
+            if (['javascript', 'js', 'typescript', 'ts'].includes(lang)) {
+                if (!this.validateJsSyntax(fixed)) {
+                    // Try once more: strip any remaining injected comments and re-balance
+                    let repaired = this.stripInjectedComments(code, fixed, language);
+                    repaired = this.ensureBalancedBraces(repaired);
+                    if (this.validateJsSyntax(repaired)) {
+                        fixed = repaired;
+                    }
+                    // If still invalid, return the best-effort fix — better than
+                    // silently reverting to the original broken code.
+                }
+            }
+        }
         // If there are still no changes but the fixed code differs, compute
         // a semantic diff using LCS so inserted/removed lines don't cause
         // every subsequent line to appear as changed.
@@ -4110,112 +4385,20 @@ document.addEventListener('DOMContentLoaded', () => {
     }
     // Model resolution - maps Vigthoria model names to internal IDs
     // INTERNAL USE ONLY - users see only Vigthoria branding
-    /**
-     * Build workspace summary re-ordered by semantic relevance to the prompt.
-     * Changed files are listed first, then keyword-matched files, then the rest.
-     * Falls back to plain buildLocalWorkspaceSummary when no prompt is provided.
-     */
-    buildSemanticWorkspaceSummary(workspacePath, prompt) {
-        const summary = this.buildLocalWorkspaceSummary(workspacePath);
-        if (!summary?.workspaceFiles || !prompt)
-            return summary;
-        try {
-            const { topFiles } = (0, context_ranker_js_1.buildSemanticContext)(workspacePath, prompt, 15);
-            if (topFiles.length === 0)
-                return summary;
-            const prioritySet = new Set(topFiles.map(f => f.path));
-            const allFiles = summary.workspaceFiles;
-            const reordered = {};
-            // Semantically ranked files first
-            for (const f of topFiles) {
-                if (allFiles[f.path] !== undefined)
-                    reordered[f.path] = allFiles[f.path];
-            }
-            // Remaining files after priority set
-            for (const [p, c] of Object.entries(allFiles)) {
-                if (!prioritySet.has(p))
-                    reordered[p] = c;
-            }
-            return { ...summary, workspaceFiles: reordered };
-        }
-        catch {
-            return summary;
-        }
-    }
-    /**
-     * Self-healing cycle: run post-write validators and, if errors are found,
-     * send a targeted correction prompt to the V3 agent (max one healing round).
-     *
-     * This is a best-effort operation — failures never propagate to the user as
-     * hard errors; they are surfaced as a status line in the terminal output.
-     */
-    async runSelfHealingCycle(originalPrompt, workspacePath, context = {}) {
-        // Guard: don't heal analysis tasks or recursive healing rounds
-        if (context._isHealingRound || this.isAnalysisOnlyTask(originalPrompt, context)) {
-            return { healingAttempted: false, passed: true, tool: 'none' };
-        }
-        let validations = [];
-        try {
-            validations = await (0, post_write_validator_js_1.runPostWriteValidation)(workspacePath);
-        }
-        catch {
-            return { healingAttempted: false, passed: true, tool: 'none' };
-        }
-        const failures = validations.filter(v => v.ran && !v.passed);
-        if (failures.length === 0) {
-            // All validators passed — update cache to reflect current state
-            try {
-                const { getAgentWorkspaceSnapshot } = this;
-                if (typeof getAgentWorkspaceSnapshot === 'function') {
-                    const snap = getAgentWorkspaceSnapshot.call(this, workspacePath);
-                    if (snap?.paths?.length > 0)
-                        (0, workspace_cache_js_1.updateWorkspaceCache)(workspacePath, snap.paths);
-                }
-            }
-            catch { /* non-fatal */ }
-            return { healingAttempted: false, passed: true, tool: 'none' };
-        }
-        const errorText = (0, post_write_validator_js_1.formatValidationErrors)(failures);
-        const healPrompt = `The code you just generated has the following validation errors. Fix ONLY these errors — do not change anything else:
-
-${errorText}
-
-Apply the minimum change needed to make the validator pass.`;
-        try {
-            await this.runV3AgentWorkflow(healPrompt, {
-                ...context,
-                workspacePath,
-                projectPath: workspacePath,
-                targetPath: workspacePath,
-                agentTaskType: 'debugging',
-                agentTimeoutMs: 90_000,
-                _isHealingRound: true,
-            });
-            // Re-run validators to check healing success
-            const recheck = await (0, post_write_validator_js_1.runPostWriteValidation)(workspacePath);
-            const passed = recheck.filter(r => r.ran).every(r => r.passed);
-            return { healingAttempted: true, passed, tool: failures.map(f => f.tool).join('+') };
-        }
-        catch {
-            return { healingAttempted: true, passed: false, tool: failures.map(f => f.tool).join('+') };
-        }
-    }
     resolveModelId(shortName) {
         const modelMap = {
             // ═══════════════════════════════════════════════════════════════
             // VIGTHORIA LOCAL - Self-hosted models
             // ═══════════════════════════════════════════════════════════════
-            'fast': 'vigthoria-v3-code-35b',
-            'mini': 'vigthoria-v3-code-35b',
-            'balanced': 'vigthoria_master',
+            'fast': 'vigthoria-fast-1.7b',
+            'mini': 'vigthoria-mini-0.6b',
+            'balanced': 'vigthoria-balanced-4b',
             'balanced-4b': 'vigthoria-balanced-4b',
-            'creative': 'vigthoria-v3-code-35b',
-            // Code models
-            'code': 'vigthoria-v3-code-35b',
+            'creative': 'vigthoria-creative-9b-v4',
+            // Code Models - 30B is the default powerhouse
+            'code': 'vigthoria-v3-code-35b', // Internal: self-hosted 35B on Blackwell
             'code-30b': 'vigthoria-v3-code-35b',
-            'code-35b': 'vigthoria-v3-code-35b',
-            'code-8b': 'vigthoria_c1_m',
-            'code-9b': 'vigthoria_c1_m',
+            'code-8b': 'vigthoria-v2-code-8b',
             'pro': 'vigthoria-v3-code-35b',
             'agent': 'vigthoria-v3-code-35b',
             'vigthoria-code': 'vigthoria-v3-code-35b',
@@ -4227,6 +4410,7 @@ Apply the minimum change needed to make the validator pass.`;
             'cloud-reason': 'vigthoria-cloud-k2',
             'ultra': 'vigthoria-cloud-ultra',
         };
+        // If already a full model ID, return as-is
         if (shortName.includes('vigthoria') || shortName.includes('/') || shortName.includes(':')) {
             if (modelMap[shortName]) {
                 return modelMap[shortName];
@@ -4237,7 +4421,7 @@ Apply the minimum change needed to make the validator pass.`;
     }
     async getCoderHealth() {
         try {
-            const response = await this.client.get('/api/health', { timeout: 10000 });
+            const response = await this.client.get('/api/health', { timeout: 5000 });
             const ok = response.data?.status === 'ok' || response.data?.healthy === true;
             return {
                 name: 'Coder API',
@@ -4259,8 +4443,8 @@ Apply the minimum change needed to make the validator pass.`;
         const modelsApiUrl = this.config.get('modelsApiUrl');
         try {
             const [healthResponse, modelsResponse] = await Promise.all([
-                this.modelRouterClient.get('/health', { timeout: 10000 }),
-                this.modelRouterClient.get('/v1/models', { timeout: 15000 }),
+                this.modelRouterClient.get('/health', { timeout: 5000 }),
+                this.modelRouterClient.get('/v1/models', { timeout: 5000 }),
             ]);
             const healthOk = healthResponse.data?.status === 'healthy'
                 || healthResponse.data?.status === 'ok'
@@ -4291,7 +4475,7 @@ Apply the minimum change needed to make the validator pass.`;
             return null;
         }
         try {
-            const response = await this.selfHostedModelRouterClient.get('/health', { timeout: 10000 });
+            const response = await this.selfHostedModelRouterClient.get('/health', { timeout: 5000 });
             const ok = response.data?.status === 'healthy'
                 || response.data?.status === 'ok'
                 || response.data?.healthy === true;
@@ -4311,29 +4495,6 @@ Apply the minimum change needed to make the validator pass.`;
             };
         }
     }
-    async attemptV3ServiceRecovery(reason = '', options = {}) {
-        const attempts = Math.max(1, Number(options.attempts || 2));
-        const delayMs = Math.max(0, Number(options.delayMs || 1200));
-        let lastError = '';
-        for (let attempt = 1; attempt <= attempts; attempt += 1) {
-            const health = await this.getV3AgentHealth();
-            if (health.ok) {
-                const msg = attempt === 1
-                    ? 'V3 service is reachable.'
-                    : `V3 service recovered after retry ${attempt}.`;
-                return { recovered: true, message: msg, endpoint: health.endpoint };
-            }
-            lastError = health.error || 'health probe failed';
-            if (attempt < attempts && delayMs > 0) {
-                await new Promise((resolve) => setTimeout(resolve, delayMs));
-            }
-        }
-        const reasonText = sanitizeUserFacingErrorText(reason || lastError || 'unknown failure');
-        return {
-            recovered: false,
-            message: reasonText ? `Recovery failed: ${reasonText}` : 'Recovery failed: V3 service is still unreachable.',
-        };
-    }
     async getV3AgentHealth() {
         const baseUrl = this.getV3AgentBaseUrls()[0];
         // Try multiple health endpoint patterns — the V3 backend may expose
@@ -4347,7 +4508,7 @@ Apply the minimum change needed to make the validator pass.`;
         for (const endpoint of candidates) {
             try {
                 const controller = new AbortController();
-                const timer = setTimeout(() => controller.abort(), 8000);
+                const timer = setTimeout(() => controller.abort(), 3000);
                 const response = await fetch(endpoint, {
                     method: 'GET',
                     headers,
@@ -4395,7 +4556,7 @@ Apply the minimum change needed to make the validator pass.`;
         const runUrl = this.getV3AgentRunUrl(baseUrl);
         try {
             const controller = new AbortController();
-            const timer = setTimeout(() => controller.abort(), 5000);
+            const timer = setTimeout(() => controller.abort(), 2000);
             const probe = await fetch(runUrl, { method: 'OPTIONS', headers, signal: controller.signal });
             clearTimeout(timer);
             if (probe.ok || probe.status === 204 || probe.status === 405) {
@@ -4518,6 +4679,20 @@ Apply the minimum change needed to make the validator pass.`;
             };
         }
     }
+    async runSelfHealingCycle(_originalPrompt, _workspacePath, _context = {}) {
+        return {
+            healingAttempted: false,
+            passed: true,
+            tool: 'disabled',
+        };
+    }
+    async attemptV3ServiceRecovery(reason = '', _options = {}) {
+        const safeReason = sanitizeUserFacingErrorText(reason || 'unknown failure');
+        return {
+            recovered: false,
+            message: safeReason ? `Recovery unavailable: ${safeReason}` : 'Recovery unavailable',
+        };
+    }
     async getDevtoolsBridgeStatus() {
         const host = process.env.VIGTHORIA_DEVTOOLS_BRIDGE_HOST || '127.0.0.1';
         const port = Number.parseInt(process.env.VIGTHORIA_DEVTOOLS_BRIDGE_PORT || '4016', 10);
@@ -4552,11 +4727,18 @@ Apply the minimum change needed to make the validator pass.`;
         });
     }
     async getCapabilityTruthStatus(context = {}) {
+        // Wrap each probe with its own 6 s timeout so they always resolve
+        // before the outer 8 s race in auth.ts, producing real error messages
+        // (ECONNREFUSED, 404, etc.) instead of the generic "Timed out (8s)".
+        const withTimeout = (p, name) => Promise.race([
+            p,
+            new Promise(resolve => setTimeout(() => resolve({ name, endpoint: '', ok: false, error: 'Service not reachable (6 s timeout)' }), 6000)),
+        ]);
         const [v3Agent, hyperLoop, repoMemory, devtoolsBridge] = await Promise.all([
-            this.getV3AgentHealth(),
-            this.getHyperLoopHealth(),
-            this.getRepoMemoryHealth(context),
-            this.getDevtoolsBridgeStatus(),
+            withTimeout(this.getV3AgentHealth(), 'V3 Agent'),
+            withTimeout(this.getHyperLoopHealth(), 'Hyper Loop'),
+            withTimeout(this.getRepoMemoryHealth(context), 'Repo Memory'),
+            withTimeout(this.getDevtoolsBridgeStatus(), 'DevTools Bridge'),
         ]);
         return {
             overallOk: v3Agent.ok && hyperLoop.ok && repoMemory.ok,