zidane 5.13.0 → 5.13.2

package/dist/xdg-zlSeVBhQ.js

@@ -0,0 +1,1417 @@
+import { t as writeFileAtomic } from "./atomic-write-Bgtr5JPu.js";
+import { a as local, c as generatePkce, f as arcee, g as FAST_MODE_OPTIONS, h as ANTHROPIC_EXTRA_MODELS, i as openai, l as cerebras, n as createXaiOAuthProvider, p as anthropic, r as openrouter, s as createCursorOAuthProvider, t as xai, u as baseten } from "./providers-Cz-RNYZO.js";
+import { dirname, resolve } from "node:path";
+import { existsSync, readFileSync, realpathSync } from "node:fs";
+import { randomBytes } from "node:crypto";
+import { getModel, getModels } from "@earendil-works/pi-ai";
+import { homedir } from "node:os";
+import { createServer } from "node:http";
+import { refreshAnthropicToken, refreshOpenAICodexToken, registerOAuthProvider } from "@earendil-works/pi-ai/oauth";
+//#region src/chat/oauth-page/server.ts
+const CALLBACK_HOST = process.env.PI_OAUTH_CALLBACK_HOST || "127.0.0.1";
+function buildRequestHandler(opts, pending) {
+	return (req, res) => {
+		try {
+			const url = new URL(req.url || "", "http://localhost");
+			if (url.pathname !== opts.path) {
+				respondError(res, 404, opts, "Callback route not found.");
+				return;
+			}
+			const error = url.searchParams.get("error");
+			if (error) {
+				respondError(res, 400, opts, `${opts.providerName} authentication did not complete.`, `Error: ${error}`);
+				return;
+			}
+			const code = url.searchParams.get("code");
+			const state = url.searchParams.get("state");
+			if (!code || !state) {
+				respondError(res, 400, opts, "Missing code or state parameter.");
+				return;
+			}
+			if (state !== opts.expectedState) {
+				respondError(res, 400, opts, "State mismatch.");
+				return;
+			}
+			res.writeHead(200, { "Content-Type": "text/html; charset=utf-8" });
+			res.end(opts.renderPage({
+				kind: "success",
+				provider: opts.providerName,
+				message: opts.successMessage
+			}));
+			pending.settle({
+				code,
+				state
+			});
+		} catch {
+			respondError(res, 500, opts, "Internal error while processing the callback.");
+		}
+	};
+}
+function respondError(res, status, opts, message, details) {
+	res.writeHead(status, { "Content-Type": "text/html; charset=utf-8" });
+	res.end(opts.renderPage({
+		kind: "error",
+		provider: opts.providerName,
+		message,
+		details
+	}));
+}
+function buildStubHandle(redirectUri, server) {
+	return {
+		redirectUri,
+		waitForCode: async () => null,
+		cancelWait: () => {},
+		close: () => {
+			try {
+				server?.close();
+			} catch {}
+		}
+	};
+}
+/**
+* Start the loopback HTTP callback server. The returned handle is the
+* caller's contract — they `await waitForCode()`, race it against manual
+* paste, then `close()` in a `finally`.
+*/
+async function startCallbackServer(opts) {
+	const onListenError = opts.onListenError ?? "reject";
+	const redirectUri = `http://localhost:${opts.port}${opts.path}`;
+	return new Promise((resolve, reject) => {
+		let settled = false;
+		const pending = { settle: () => {} };
+		const waitPromise = new Promise((resolveWait) => {
+			pending.settle = (value) => {
+				if (settled) return;
+				settled = true;
+				resolveWait(value);
+			};
+		});
+		const server = createServer(buildRequestHandler(opts, pending));
+		server.on("error", (err) => {
+			if (onListenError === "resolveWithStub") {
+				pending.settle(null);
+				resolve(buildStubHandle(redirectUri, server));
+				return;
+			}
+			reject(err);
+		});
+		server.listen(opts.port, CALLBACK_HOST, () => {
+			resolve({
+				redirectUri,
+				waitForCode: () => waitPromise,
+				cancelWait: () => pending.settle(null),
+				close: () => {
+					try {
+						server.close();
+					} catch {}
+				}
+			});
+		});
+	});
+}
+//#endregion
+//#region src/chat/oauth-page/anthropic.ts
+const CLIENT_ID$1 = atob("OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl");
+const AUTHORIZE_URL$1 = "https://claude.ai/oauth/authorize";
+const TOKEN_URL$1 = "https://platform.claude.com/v1/oauth/token";
+const CALLBACK_PORT$1 = 53692;
+const CALLBACK_PATH$1 = "/callback";
+const SCOPES = "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
+const PROVIDER_NAME$1 = "Anthropic";
+/**
+* Parse what the user pasted into the manual-code prompt. Accepts:
+*   - the bare authorization code
+*   - the full `redirect_uri?code=...&state=...` URL
+*   - the `code#state` shorthand Anthropic surfaces on the page
+*   - a raw query string with `code=...&state=...`
+*
+* Matches pi-ai's parse table so an existing user's muscle memory still works.
+*/
+function parseAuthorizationInput$1(input) {
+	const value = input.trim();
+	if (!value) return {};
+	try {
+		const url = new URL(value);
+		return {
+			code: url.searchParams.get("code") ?? void 0,
+			state: url.searchParams.get("state") ?? void 0
+		};
+	} catch {}
+	if (value.includes("#")) {
+		const [code, state] = value.split("#", 2);
+		return {
+			code,
+			state
+		};
+	}
+	if (value.includes("code=")) {
+		const params = new URLSearchParams(value);
+		return {
+			code: params.get("code") ?? void 0,
+			state: params.get("state") ?? void 0
+		};
+	}
+	return { code: value };
+}
+async function postJson(url, body) {
+	const response = await fetch(url, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			"Accept": "application/json"
+		},
+		body: JSON.stringify(body),
+		signal: AbortSignal.timeout(3e4)
+	});
+	const responseBody = await response.text();
+	if (!response.ok) throw new Error(`HTTP request failed. status=${response.status}; url=${url}; body=${responseBody}`);
+	return responseBody;
+}
+async function exchangeAuthorizationCode$1(code, state, verifier, redirectUri) {
+	const responseBody = await postJson(TOKEN_URL$1, {
+		grant_type: "authorization_code",
+		client_id: CLIENT_ID$1,
+		code,
+		state,
+		redirect_uri: redirectUri,
+		code_verifier: verifier
+	});
+	const tokenData = JSON.parse(responseBody);
+	return {
+		refresh: tokenData.refresh_token,
+		access: tokenData.access_token,
+		expires: Date.now() + tokenData.expires_in * 1e3 - 300 * 1e3
+	};
+}
+async function loginAnthropicWithCustomPage(options) {
+	const { verifier, challenge } = await generatePkce();
+	const server = await startCallbackServer({
+		port: CALLBACK_PORT$1,
+		path: CALLBACK_PATH$1,
+		expectedState: verifier,
+		providerName: PROVIDER_NAME$1,
+		renderPage: options.renderPage,
+		successMessage: "Anthropic authentication completed. You can close this window.",
+		onListenError: "reject"
+	});
+	let code;
+	let state;
+	try {
+		const authParams = new URLSearchParams({
+			code: "true",
+			client_id: CLIENT_ID$1,
+			response_type: "code",
+			redirect_uri: server.redirectUri,
+			scope: SCOPES,
+			code_challenge: challenge,
+			code_challenge_method: "S256",
+			state: verifier
+		});
+		options.onAuth({
+			url: `${AUTHORIZE_URL$1}?${authParams.toString()}`,
+			instructions: "Complete login in your browser. If the browser is on another machine, paste the final redirect URL here."
+		});
+		if (options.onManualCodeInput) {
+			let manualInput;
+			let manualError;
+			const manualPromise = options.onManualCodeInput().then((input) => {
+				manualInput = input;
+				server.cancelWait();
+			}).catch((err) => {
+				manualError = err instanceof Error ? err : new Error(String(err));
+				server.cancelWait();
+			});
+			const result = await server.waitForCode();
+			if (manualError) throw manualError;
+			if (result?.code) {
+				code = result.code;
+				state = result.state;
+			} else if (manualInput) {
+				const parsed = parseAuthorizationInput$1(manualInput);
+				if (parsed.state && parsed.state !== verifier) throw new Error("OAuth state mismatch");
+				code = parsed.code;
+				state = parsed.state ?? verifier;
+			}
+			if (!code) {
+				await manualPromise;
+				if (manualError) throw manualError;
+				if (manualInput) {
+					const parsed = parseAuthorizationInput$1(manualInput);
+					if (parsed.state && parsed.state !== verifier) throw new Error("OAuth state mismatch");
+					code = parsed.code;
+					state = parsed.state ?? verifier;
+				}
+			}
+		} else {
+			const result = await server.waitForCode();
+			if (result?.code) {
+				code = result.code;
+				state = result.state;
+			}
+		}
+		if (!code) {
+			const parsed = parseAuthorizationInput$1(await options.onPrompt({
+				message: "Paste the authorization code or full redirect URL:",
+				placeholder: server.redirectUri
+			}));
+			if (parsed.state && parsed.state !== verifier) throw new Error("OAuth state mismatch");
+			code = parsed.code;
+			state = parsed.state ?? verifier;
+		}
+		if (!code) throw new Error("Missing authorization code");
+		if (!state) throw new Error("Missing OAuth state");
+		options.onProgress?.("Exchanging authorization code for tokens...");
+		return await exchangeAuthorizationCode$1(code, state, verifier, server.redirectUri);
+	} finally {
+		server.close();
+	}
+}
+/**
+* Build an `OAuthProviderInterface` that behaves identically to pi-ai's
+* `anthropicOAuthProvider` except for the callback page HTML. Drop this
+* onto `ProviderDescriptor.oauthProvider` to override.
+*/
+function createAnthropicOAuthProviderWithCustomPage(renderPage) {
+	return {
+		id: "anthropic",
+		name: "Anthropic (Claude Pro/Max)",
+		usesCallbackServer: true,
+		async login(callbacks) {
+			return loginAnthropicWithCustomPage({
+				renderPage,
+				onAuth: callbacks.onAuth,
+				onPrompt: callbacks.onPrompt,
+				onProgress: callbacks.onProgress,
+				onManualCodeInput: callbacks.onManualCodeInput
+			});
+		},
+		async refreshToken(credentials) {
+			return refreshAnthropicToken(credentials.refresh);
+		},
+		getApiKey(credentials) {
+			return credentials.access;
+		}
+	};
+}
+//#endregion
+//#region src/chat/oauth-page/openai-codex.ts
+const CLIENT_ID = "app_EMoamEEZ73f0CkXaXp7hrann";
+const AUTHORIZE_URL = "https://auth.openai.com/oauth/authorize";
+const TOKEN_URL = "https://auth.openai.com/oauth/token";
+const CALLBACK_PORT = 1455;
+const CALLBACK_PATH = "/auth/callback";
+const SCOPE = "openid profile email offline_access";
+const JWT_CLAIM_PATH = "https://api.openai.com/auth";
+const PROVIDER_NAME = "OpenAI";
+function createState() {
+	return randomBytes(16).toString("hex");
+}
+function parseAuthorizationInput(input) {
+	const value = input.trim();
+	if (!value) return {};
+	try {
+		const url = new URL(value);
+		return {
+			code: url.searchParams.get("code") ?? void 0,
+			state: url.searchParams.get("state") ?? void 0
+		};
+	} catch {}
+	if (value.includes("#")) {
+		const [code, state] = value.split("#", 2);
+		return {
+			code,
+			state
+		};
+	}
+	if (value.includes("code=")) {
+		const params = new URLSearchParams(value);
+		return {
+			code: params.get("code") ?? void 0,
+			state: params.get("state") ?? void 0
+		};
+	}
+	return { code: value };
+}
+function decodeJwt(token) {
+	try {
+		const parts = token.split(".");
+		if (parts.length !== 3) return null;
+		const payload = parts[1] ?? "";
+		const decoded = atob(payload);
+		return JSON.parse(decoded);
+	} catch {
+		return null;
+	}
+}
+function getAccountId(accessToken) {
+	const accountId = (decodeJwt(accessToken)?.[JWT_CLAIM_PATH])?.chatgpt_account_id;
+	return typeof accountId === "string" && accountId.length > 0 ? accountId : null;
+}
+async function exchangeAuthorizationCode(code, verifier, redirectUri) {
+	const response = await fetch(TOKEN_URL, {
+		method: "POST",
+		headers: { "Content-Type": "application/x-www-form-urlencoded" },
+		body: new URLSearchParams({
+			grant_type: "authorization_code",
+			client_id: CLIENT_ID,
+			code,
+			code_verifier: verifier,
+			redirect_uri: redirectUri
+		})
+	});
+	if (!response.ok) {
+		const text = await response.text().catch(() => "");
+		return {
+			type: "failed",
+			message: `OpenAI Codex token exchange failed (${response.status}): ${text || response.statusText}`
+		};
+	}
+	const json = await response.json();
+	if (!json.access_token || !json.refresh_token || typeof json.expires_in !== "number") return {
+		type: "failed",
+		message: `OpenAI Codex token exchange response missing fields: ${JSON.stringify(json)}`
+	};
+	return {
+		type: "success",
+		access: json.access_token,
+		refresh: json.refresh_token,
+		expires: Date.now() + json.expires_in * 1e3
+	};
+}
+async function loginOpenAICodexWithCustomPage(options) {
+	const { verifier, challenge } = await generatePkce();
+	const state = createState();
+	const originator = options.originator ?? "pi";
+	const server = await startCallbackServer({
+		port: CALLBACK_PORT,
+		path: CALLBACK_PATH,
+		expectedState: state,
+		providerName: PROVIDER_NAME,
+		renderPage: options.renderPage,
+		successMessage: "OpenAI authentication completed. You can close this window.",
+		onListenError: "resolveWithStub"
+	});
+	const authUrl = new URL(AUTHORIZE_URL);
+	authUrl.searchParams.set("response_type", "code");
+	authUrl.searchParams.set("client_id", CLIENT_ID);
+	authUrl.searchParams.set("redirect_uri", server.redirectUri);
+	authUrl.searchParams.set("scope", SCOPE);
+	authUrl.searchParams.set("code_challenge", challenge);
+	authUrl.searchParams.set("code_challenge_method", "S256");
+	authUrl.searchParams.set("state", state);
+	authUrl.searchParams.set("id_token_add_organizations", "true");
+	authUrl.searchParams.set("codex_cli_simplified_flow", "true");
+	authUrl.searchParams.set("originator", originator);
+	options.onAuth({
+		url: authUrl.toString(),
+		instructions: "A browser window should open. Complete login to finish."
+	});
+	let code;
+	try {
+		if (options.onManualCodeInput) {
+			let manualCode;
+			let manualError;
+			const manualPromise = options.onManualCodeInput().then((input) => {
+				manualCode = input;
+				server.cancelWait();
+			}).catch((err) => {
+				manualError = err instanceof Error ? err : new Error(String(err));
+				server.cancelWait();
+			});
+			const result = await server.waitForCode();
+			if (manualError) throw manualError;
+			if (result?.code) code = result.code;
+			else if (manualCode) {
+				const parsed = parseAuthorizationInput(manualCode);
+				if (parsed.state && parsed.state !== state) throw new Error("State mismatch");
+				code = parsed.code;
+			}
+			if (!code) {
+				await manualPromise;
+				if (manualError) throw manualError;
+				if (manualCode) {
+					const parsed = parseAuthorizationInput(manualCode);
+					if (parsed.state && parsed.state !== state) throw new Error("State mismatch");
+					code = parsed.code;
+				}
+			}
+		} else {
+			const result = await server.waitForCode();
+			if (result?.code) code = result.code;
+		}
+		if (!code) {
+			const parsed = parseAuthorizationInput(await options.onPrompt({ message: "Paste the authorization code (or full redirect URL):" }));
+			if (parsed.state && parsed.state !== state) throw new Error("State mismatch");
+			code = parsed.code;
+		}
+		if (!code) throw new Error("Missing authorization code");
+		const tokenResult = await exchangeAuthorizationCode(code, verifier, server.redirectUri);
+		if (tokenResult.type !== "success") throw new Error(tokenResult.message);
+		const accountId = getAccountId(tokenResult.access);
+		if (!accountId) throw new Error("Failed to extract accountId from token");
+		return {
+			access: tokenResult.access,
+			refresh: tokenResult.refresh,
+			expires: tokenResult.expires,
+			accountId
+		};
+	} finally {
+		server.close();
+	}
+}
+/**
+* Build an `OAuthProviderInterface` that behaves identically to pi-ai's
+* `openaiCodexOAuthProvider` except for the callback page HTML.
+*/
+function createOpenAICodexOAuthProviderWithCustomPage(renderPage) {
+	return {
+		id: "openai-codex",
+		name: "ChatGPT Plus/Pro (Codex Subscription)",
+		usesCallbackServer: true,
+		async login(callbacks) {
+			return loginOpenAICodexWithCustomPage({
+				renderPage,
+				onAuth: callbacks.onAuth,
+				onPrompt: callbacks.onPrompt,
+				onProgress: callbacks.onProgress,
+				onManualCodeInput: callbacks.onManualCodeInput
+			});
+		},
+		async refreshToken(credentials) {
+			return refreshOpenAICodexToken(credentials.refresh);
+		},
+		getApiKey(credentials) {
+			return credentials.access;
+		}
+	};
+}
+//#endregion
+//#region src/chat/oauth-page/render.ts
+function escapeHtml(value) {
+	return value.replaceAll("&", "&amp;").replaceAll("<", "&lt;").replaceAll(">", "&gt;").replaceAll("\"", "&quot;").replaceAll("'", "&#39;");
+}
+/**
+* Default zidane-themed page. Visually neutral but distinguishable from
+* pi-ai's stock page — dark background, mono headings, no logo (host can
+* pass a custom renderer to add one).
+*/
+const renderDefaultCallbackPage = (page) => {
+	const heading = escapeHtml(page.kind === "success" ? `Signed in to ${page.provider}` : `Could not sign in to ${page.provider}`);
+	const message = escapeHtml(page.message);
+	const details = page.details ? escapeHtml(page.details) : void 0;
+	return `<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1" />
+  <title>${heading}</title>
+  <style>
+    :root {
+      --text: #f4f4f5;
+      --text-dim: #a1a1aa;
+      --accent: ${page.kind === "success" ? "#22d3ee" : "#f87171"};
+      --page-bg: #0a0a0a;
+      --panel-bg: #131316;
+      --border: #27272a;
+      --font-sans: ui-sans-serif, system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
+      --font-mono: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
+    }
+    * { box-sizing: border-box; }
+    html { color-scheme: dark; }
+    body {
+      margin: 0;
+      min-height: 100vh;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      padding: 24px;
+      background: var(--page-bg);
+      color: var(--text);
+      font-family: var(--font-sans);
+    }
+    main {
+      width: 100%;
+      max-width: 520px;
+      padding: 32px;
+      background: var(--panel-bg);
+      border: 1px solid var(--border);
+      border-radius: 12px;
+    }
+    .label {
+      font-family: var(--font-mono);
+      font-size: 12px;
+      letter-spacing: 0.08em;
+      text-transform: uppercase;
+      color: var(--accent);
+      margin-bottom: 12px;
+    }
+    h1 {
+      margin: 0 0 12px;
+      font-size: 22px;
+      font-weight: 600;
+      letter-spacing: -0.01em;
+      color: var(--text);
+    }
+    p {
+      margin: 0;
+      line-height: 1.6;
+      color: var(--text-dim);
+      font-size: 14px;
+    }
+    .details {
+      margin-top: 18px;
+      padding: 12px 14px;
+      background: var(--page-bg);
+      border: 1px solid var(--border);
+      border-radius: 8px;
+      font-family: var(--font-mono);
+      font-size: 12px;
+      color: var(--text-dim);
+      white-space: pre-wrap;
+      word-break: break-word;
+    }
+  </style>
+</head>
+<body>
+  <main>
+    <div class="label">zidane · OAuth · ${escapeHtml(page.provider)}</div>
+    <h1>${heading}</h1>
+    <p>${message}</p>
+    ${details ? `<div class="details">${details}</div>` : ""}
+  </main>
+</body>
+</html>`;
+};
+//#endregion
+//#region src/chat/oauth-page/index.ts
+/**
+* Bundle helper — returns both Anthropic + OpenAI Codex providers wired
+* with the same renderer. Hosts that want different renderers per provider
+* should call the individual `create…WithCustomPage` factories instead.
+*/
+function createCustomCallbackOAuthProviders(renderPage) {
+	return {
+		anthropic: createAnthropicOAuthProviderWithCustomPage(renderPage),
+		openaiCodex: createOpenAICodexOAuthProviderWithCustomPage(renderPage)
+	};
+}
+let cursorRegistered = false;
+/**
+* Register Cursor with pi-ai's OAuth registry.
+*
+* Unlike Anthropic / Codex, Cursor is **not** built into pi-ai, so
+* `getOAuthApiKey('cursor', …)` (used by `resolveOAuthApiKey` for lazy
+* token refresh) would throw "Unknown OAuth provider" until we register it.
+* Call once at startup from both the CLI auth path and the TUI. Idempotent.
+*/
+function registerCursorOAuthProvider() {
+	const provider = createCursorOAuthProvider();
+	if (!cursorRegistered) {
+		registerOAuthProvider(provider);
+		cursorRegistered = true;
+	}
+	return provider;
+}
+let xaiRegistered = false;
+/**
+* Register xAI Grok with pi-ai's OAuth registry.
+*
+* pi-ai ships an xAI *API-key* provider, but no OAuth one — so
+* `getOAuthApiKey('xai-oauth', …)` (lazy refresh in `resolveOAuthApiKey`)
+* would throw "Unknown OAuth provider" until we register our flow. The
+* callback page routes through the supplied renderer so the post-redirect
+* HTML matches zidane's theme. Call once at startup; idempotent.
+*/
+function registerXaiOAuthProvider(renderPage) {
+	const provider = createXaiOAuthProvider(renderPage);
+	if (!xaiRegistered) {
+		registerOAuthProvider(provider);
+		xaiRegistered = true;
+	}
+	return provider;
+}
+//#endregion
+//#region src/chat/providers.ts
+/**
+* pi-ai's stock Anthropic + Codex OAuth providers bake their own callback
+* HTML; we route both through `renderDefaultCallbackPage` so the post-redirect
+* page matches zidane's theme. The override lives in `src/chat/oauth-page/`
+* — see that folder's `index.ts` for the deletion path once pi-ai exposes
+* a `renderCallbackPage` hook upstream.
+*/
+const { anthropic: anthropicOAuthProvider, openaiCodex: openaiCodexOAuthProvider } = createCustomCallbackOAuthProviders(renderDefaultCallbackPage);
+registerCursorOAuthProvider();
+/**
+* xAI Grok isn't built into pi-ai's OAuth registry (only its API-key provider
+* is), so register our loopback-PKCE flow — themed via `renderDefaultCallbackPage`
+* — so lazy token refresh resolves through it.
+*/
+const xaiOAuthProvider = registerXaiOAuthProvider(renderDefaultCallbackPage);
+/** Convenience accessor — returns `credentialFileKey ?? key`. */
+function credKeyOf(desc) {
+	return desc.credentialFileKey ?? desc.key;
+}
+/** Convenience accessor — returns `piProviderId ?? key`. */
+function piIdOf(desc) {
+	return desc.piProviderId ?? desc.key;
+}
+const anthropicDescriptor = {
+	key: "anthropic",
+	label: "Anthropic",
+	factory: anthropic,
+	defaultModel: "claude-opus-4-8",
+	envKey: "ANTHROPIC_API_KEY",
+	apiKeyPlaceholder: "sk-ant-…",
+	oauthProvider: anthropicOAuthProvider,
+	oauthHint: "Claude Pro/Max subscription",
+	extraModels: ANTHROPIC_EXTRA_MODELS,
+	optionsFor: (id) => FAST_MODE_OPTIONS[id] ? [FAST_MODE_OPTIONS[id]] : void 0
+};
+const openaiDescriptor = {
+	key: "openai",
+	label: "OpenAI",
+	factory: openai,
+	defaultModel: "gpt-5.5",
+	envKey: "OPENAI_CODEX_API_KEY",
+	credentialFileKey: "openai-codex",
+	piProviderId: "openai-codex",
+	apiKeyPlaceholder: "sk-… or eyJ… (Codex)",
+	oauthProvider: openaiCodexOAuthProvider
+};
+const openrouterDescriptor = {
+	key: "openrouter",
+	label: "OpenRouter",
+	factory: openrouter,
+	defaultModel: "anthropic/claude-sonnet-4-6",
+	envKey: "OPENROUTER_API_KEY",
+	apiKeyPlaceholder: "sk-or-…"
+};
+const cerebrasDescriptor = {
+	key: "cerebras",
+	label: "Cerebras",
+	factory: cerebras,
+	defaultModel: "zai-glm-4.7",
+	envKey: "CEREBRAS_API_KEY",
+	apiKeyPlaceholder: "csk-…"
+};
+/**
+* xAI Grok. Supports BOTH a static API key (`XAI_API_KEY`) and the
+* SuperGrok / X Premium+ OAuth subscription, so the wizard offers both methods.
+* Models come from pi-ai's `xai` registry (OpenAI-compatible endpoint), shared
+* by both auth modes.
+*/
+const xaiDescriptor = {
+	key: "xai",
+	label: "xAI Grok",
+	factory: xai,
+	defaultModel: "grok-4.3",
+	envKey: "XAI_API_KEY",
+	apiKeyPlaceholder: "xai-…",
+	oauthProvider: xaiOAuthProvider,
+	oauthHint: "SuperGrok / X Premium+ subscription",
+	credentialFileKey: "xai-oauth",
+	piProviderId: "xai"
+};
+const arceeDescriptor = {
+	key: "arcee",
+	label: "Arcee",
+	factory: arcee,
+	defaultModel: "trinity-large-thinking",
+	envKey: "ARCEE_API_KEY",
+	apiKeyPlaceholder: "arcee-…",
+	models: [
+		{
+			id: "trinity-large-thinking",
+			name: "Trinity Large (Thinking)",
+			contextWindow: 256e3,
+			reasoning: true,
+			input: ["text"],
+			cost: {
+				input: .25,
+				output: .8
+			}
+		},
+		{
+			id: "trinity-large-preview",
+			name: "Trinity Large (Preview)",
+			contextWindow: 128e3,
+			input: ["text"],
+			cost: {
+				input: .45,
+				output: .15
+			}
+		},
+		{
+			id: "trinity-mini",
+			name: "Trinity Mini",
+			contextWindow: 128e3,
+			input: ["text"],
+			cost: {
+				input: .045,
+				output: .15
+			}
+		}
+	]
+};
+const basetenDescriptor = {
+	key: "baseten",
+	label: "Baseten",
+	factory: baseten,
+	defaultModel: "zai-org/GLM-5.1",
+	envKey: "BASETEN_API_KEY",
+	apiKeyPlaceholder: "baseten-api-key…",
+	models: [
+		{
+			id: "zai-org/GLM-5.2",
+			name: "GLM 5.2",
+			contextWindow: 1e6,
+			reasoning: true,
+			input: ["text"]
+		},
+		{
+			id: "zai-org/GLM-5.1",
+			name: "GLM 5.1",
+			contextWindow: 2e5,
+			reasoning: true,
+			input: ["text"]
+		},
+		{
+			id: "zai-org/GLM-5",
+			name: "GLM 5",
+			contextWindow: 2e5,
+			reasoning: true,
+			input: ["text"],
+			cost: {
+				input: .95,
+				output: 3.15,
+				cacheRead: .2
+			}
+		},
+		{
+			id: "zai-org/GLM-4.7",
+			name: "GLM 4.7",
+			contextWindow: 2e5,
+			reasoning: true,
+			input: ["text"],
+			cost: {
+				input: .6,
+				output: 2.2,
+				cacheRead: .12
+			}
+		},
+		{
+			id: "moonshotai/Kimi-K2.6",
+			name: "Kimi K2.6",
+			contextWindow: 256e3,
+			reasoning: true,
+			input: ["text", "image"],
+			cost: {
+				input: 1,
+				output: 3.9,
+				cacheRead: .2
+			}
+		},
+		{
+			id: "moonshotai/Kimi-K2.5",
+			name: "Kimi K2.5",
+			contextWindow: 256e3,
+			reasoning: true,
+			input: ["text", "image"],
+			cost: {
+				input: .6,
+				output: 3,
+				cacheRead: .12
+			}
+		},
+		{
+			id: "deepseek-ai/DeepSeek-V4-Pro",
+			name: "DeepSeek V4 Pro",
+			contextWindow: 131e3,
+			reasoning: true,
+			input: ["text"],
+			cost: {
+				input: 1.74,
+				output: 3.48,
+				cacheRead: .145
+			}
+		},
+		{
+			id: "nvidia/Nemotron-120B-A12B",
+			name: "Nemotron Super",
+			contextWindow: 2e5,
+			reasoning: true,
+			input: ["text"],
+			cost: {
+				input: .3,
+				output: .75,
+				cacheRead: .06
+			}
+		},
+		{
+			id: "nvidia/NVIDIA-Nemotron-3-Ultra-550B-A55B",
+			name: "Nemotron Ultra",
+			contextWindow: 2e5,
+			reasoning: true,
+			input: ["text"]
+		},
+		{
+			id: "openai/gpt-oss-120b",
+			name: "GPT-OSS 120B",
+			contextWindow: 128e3,
+			reasoning: true,
+			input: ["text"],
+			cost: {
+				input: .1,
+				output: .5
+			}
+		}
+	]
+};
+/**
+* Conservative context-window assumption for a user-configured local model.
+* Local runtimes expose no reliable per-model metadata over the OpenAI-compat
+* `/v1/models` endpoint (it returns ids, not context sizes), so we pick a
+* floor that fits the smallest mainstream OSS models (Llama 3.x 8B, Qwen2.5)
+* without over-promising. The footer's context indicator and auto-compaction
+* lean on this — under-estimating is the safe direction (compact early rather
+* than overflow the server's real window).
+*
+* Users running larger-context models (e.g. a 128K Qwen) can raise it via the
+* `LOCAL_LLM_CONTEXT_WINDOW` env var / customField, which supports a single
+* value or a per-model map (resolved by {@link resolveContextWindow}).
+*/
+const LOCAL_DEFAULT_CONTEXT_WINDOW = 8192;
+/**
+* Local OpenAI-compatible LLM (Ollama, vLLM, LM Studio, Lemonade, llama.cpp).
+*
+* No fixed base URL or model catalogue — both come from the user via
+* `customFields`. No `envKey`, so the wizard skips the API-key prompt and
+* treats the customFields-only credential as the auth signal (see
+* `applyApiKeyEnv` + `detectAuth`).
+*
+* Vision / cache / reasoning are off by default in the factory — flip them
+* by passing a custom descriptor that calls `local({ capabilities })`.
+*
+* `models` is a getter, not a static list: there's no fixed catalogue to ship,
+* but once the user has configured a default model (mirrored into
+* `LOCAL_LLM_DEFAULT_MODEL` by `applyApiKeyEnv`), we surface it as a
+* single-entry list so the model picker + footer aren't empty. Resolved at
+* access time because the env var is populated at TUI launch, after this
+* module loads. Empty list when unconfigured — the picker hides, the user
+* types a slug at the prompt as before.
+*/
+const localDescriptor = {
+	key: "local",
+	label: "Local LLM",
+	factory: local,
+	get models() {
+		const configured = process.env.LOCAL_LLM_DEFAULT_MODEL?.trim();
+		if (!configured) return [];
+		return [{
+			id: configured,
+			name: configured,
+			contextWindow: resolveContextWindow(process.env.LOCAL_LLM_CONTEXT_WINDOW, configured) ?? LOCAL_DEFAULT_CONTEXT_WINDOW,
+			input: ["text"]
+		}];
+	},
+	customFields: [
+		{
+			key: "baseURL",
+			label: "Base URL",
+			envVar: "LOCAL_LLM_BASE_URL",
+			placeholder: "http://localhost:11434/v1",
+			hint: "Where your local LLM server is reachable. Examples: Ollama → http://localhost:11434/v1, vLLM → http://localhost:8000/v1, LM Studio → http://localhost:1234/v1.",
+			required: true
+		},
+		{
+			key: "apiKey",
+			label: "API key",
+			envVar: "LOCAL_LLM_API_KEY",
+			placeholder: "leave blank if your server is unauthenticated"
+		},
+		{
+			key: "model",
+			label: "Default model",
+			envVar: "LOCAL_LLM_DEFAULT_MODEL",
+			placeholder: "e.g. llama3.1:8b, qwen2.5-coder, mistral-small",
+			hint: "Model id your server exposes. Leave blank to pick later from the model picker."
+		},
+		{
+			key: "contextWindow",
+			label: "Context window (tokens)",
+			envVar: "LOCAL_LLM_CONTEXT_WINDOW",
+			placeholder: "e.g. 32768  ·  or per-model: llama3.1:8b=32768, qwen2.5-coder=128k, 64k",
+			hint: "Context length(s) for your local model(s) — local runtimes don't advertise this, so set it here to enable the context indicator and auto-compaction. Use a single value (32768, 128k) for all models, or a comma-separated map of `model=window` with an optional bare value as the fallback. Press"
+		}
+	],
+	contextWindowEnvVar: "LOCAL_LLM_CONTEXT_WINDOW"
+};
+/**
+* Default provider registry. Passed verbatim when `runTui` is invoked without
+* an explicit `providers` option. Hosts that want to override per-provider
+* metadata can spread this and replace specific entries:
+*
+* ```ts
+* runTui({ providers: { ...BUILTIN_PROVIDERS, anthropic: myOwnAnthropicDescriptor } })
+* ```
+*
+* `cursor` is intentionally NOT registered here: OAuth works, but inference
+* isn't wired (`cursor.stream()` throws — Cursor speaks a protobuf/HTTP-2
+* agent protocol, not OpenAI-compat). Shipping it in the picker only lets users
+* select a model that errors every turn. The descriptor stays exported so a
+* host can opt in (`{ ...BUILTIN_PROVIDERS, cursor: cursorDescriptor }`) once
+* the transport lands — re-add it here at that point.
+*/
+const BUILTIN_PROVIDERS = {
+	anthropic: anthropicDescriptor,
+	openai: openaiDescriptor,
+	openrouter: openrouterDescriptor,
+	cerebras: cerebrasDescriptor,
+	xai: xaiDescriptor,
+	arcee: arceeDescriptor,
+	baseten: basetenDescriptor,
+	local: localDescriptor
+};
+/**
+* Resolve the model list for a given provider. Honors `descriptor.models`
+* when set; otherwise queries pi-ai via `descriptor.piProviderId`. Returns
+* `[]` for descriptors with no known mapping (custom providers without a
+* model list) — callers should hide the model picker in that case.
+*/
+function modelsForDescriptor(descriptor) {
+	if (descriptor.models) return descriptor.models;
+	let bundled;
+	try {
+		bundled = getModels(piIdOf(descriptor));
+	} catch {
+		bundled = [];
+	}
+	if (descriptor.extraModels?.length) {
+		const bundledIds = new Set(bundled.map((m) => m.id));
+		bundled = [...descriptor.extraModels.filter((m) => !bundledIds.has(m.id)), ...bundled];
+	}
+	return descriptor.optionsFor ? bundled.map((m) => decorateOptions(m, descriptor)) : bundled;
+}
+/**
+* Attach descriptor-resolved {@link ModelOption}s to a model that doesn't
+* already declare its own. Pure / non-mutating — returns the input untouched
+* when the model has options already or the descriptor resolves none.
+*/
+function decorateOptions(model, descriptor) {
+	if (model.options?.length || !descriptor.optionsFor) return model;
+	const options = descriptor.optionsFor(model.id);
+	return options?.length ? {
+		...model,
+		options
+	} : model;
+}
+/**
+* Resolve a single model's metadata via the descriptor's model source.
+* Mirrors {@link modelsForDescriptor} routing: descriptor's own list wins,
+* pi-ai's registry is the fallback. Returns `null` when the model isn't
+* known.
+*/
+function getModelInfo(descriptor, modelId) {
+	if (descriptor.models) return descriptor.models.find((m) => m.id === modelId) ?? null;
+	try {
+		const bundled = getModel(piIdOf(descriptor), modelId);
+		if (bundled) return decorateOptions(bundled, descriptor);
+	} catch {}
+	const extra = descriptor.extraModels?.find((m) => m.id === modelId);
+	return extra ? decorateOptions(extra, descriptor) : null;
+}
+/**
+* Parse a user-supplied context-window string into a token count.
+*
+* Accepts a plain integer (`"32768"`), or a number with a `k`/`m` suffix
+* (×1_000 / ×1_000_000, case-insensitive, optional space) — so `"128k"`
+* yields `128_000`, matching how the footer renders windows (`fmtTokens`).
+* Fractional values are floored (`"1.5k"` → `1500`). Returns `null` for
+* empty, malformed, zero, or negative input so callers fall through to
+* "window unknown" rather than a bogus ceiling.
+*/
+function parseContextWindow(raw) {
+	if (raw == null) return null;
+	const trimmed = raw.trim();
+	if (trimmed.length === 0) return null;
+	const match = /^(\d+(?:\.\d+)?)\s*([km])?$/i.exec(trimmed);
+	if (!match) return null;
+	const suffix = match[2]?.toLowerCase();
+	const mult = suffix === "k" ? 1e3 : suffix === "m" ? 1e6 : 1;
+	const value = Math.floor(Number.parseFloat(match[1]) * mult);
+	return value >= 1 ? value : null;
+}
+/**
+* Resolve a per-model context window from a user-supplied spec string.
+*
+* A spec is a comma-separated list of entries. An entry is either:
+*   - `model=window` — a per-model override (split on the **first** `=`, so
+*     model ids containing `:` or `/` survive), or
+*   - a bare `window` — the fallback applied to any model not named above.
+*
+* Windows are parsed by {@link parseContextWindow} (plain int or k/m suffix).
+* Whitespace around entries and the `=` is ignored; malformed entries are
+* skipped rather than poisoning the whole spec; a later duplicate key wins.
+*
+* Lookup order for `modelId`: exact map entry → bare fallback → `null`. A
+* lone bare value (`"32768"`) therefore behaves as a single global window,
+* keeping the simple single-model config working.
+*
+* @example resolveContextWindow('llama3.1:8b=32768, qwen=128k, 64k', 'qwen') // 128000
+*/
+function resolveContextWindow(spec, modelId) {
+	if (spec == null) return null;
+	const overrides = /* @__PURE__ */ new Map();
+	let fallback = null;
+	for (const entry of spec.split(",")) {
+		const eq = entry.indexOf("=");
+		if (eq === -1) {
+			const bare = parseContextWindow(entry);
+			if (bare != null) fallback = bare;
+			continue;
+		}
+		const key = entry.slice(0, eq).trim();
+		const window = parseContextWindow(entry.slice(eq + 1));
+		if (key.length > 0 && window != null) overrides.set(key, window);
+	}
+	return overrides.get(modelId) ?? fallback;
+}
+/**
+* Look up the model's max context window via the descriptor's model source.
+* Falls back to {@link ProviderDescriptor.contextWindowEnvVar} (parsed via
+* {@link resolveContextWindow}, which supports a per-model map) when the
+* registry has nothing — this is how local LLMs, whose runtimes don't
+* advertise a window, get one. Returns `null` when neither source resolves a
+* value (custom slugs, providers without a registry or a configured window);
+* callers should hide the context indicator and skip auto-compaction then.
+*/
+function getContextWindow(descriptor, modelId) {
+	const fromRegistry = getModelInfo(descriptor, modelId)?.contextWindow;
+	if (fromRegistry != null) return fromRegistry;
+	if (descriptor.contextWindowEnvVar) return resolveContextWindow(process.env[descriptor.contextWindowEnvVar], modelId);
+	return null;
+}
+/**
+* Whether the given model exposes a reasoning / extended-thinking knob.
+* Drives the TUI's effort picker visibility — the `ctrl+n` shortcut and
+* the bottom-bar `effortName` segment only surface when this is `true`.
+* Returns `false` for unknown models (no registry entry → no advertised
+* capability).
+*/
+function modelSupportsReasoning(descriptor, modelId) {
+	return getModelInfo(descriptor, modelId)?.reasoning === true;
+}
+/**
+* Custom {@link ModelOption}s the given model supports (e.g. fast mode), or `[]`
+* when none. Drives the TUI/GUI options picker visibility — surfaces only when
+* non-empty.
+*/
+function modelOptionsFor(descriptor, modelId) {
+	return getModelInfo(descriptor, modelId)?.options ?? [];
+}
+/**
+* Normalize a model-options blob to an enabled-only `{ id: true }` map.
+*
+* Single source of truth shared by every surface that reads or persists model
+* options — the TUI run path, the GUI engine reader, and the GUI IPC handlers.
+* Tolerant of arbitrary input (persisted JSON metadata may be anything): a
+* non-object → `{}`, and only entries strictly equal to `true` survive. This
+* keeps the persisted shape minimal (no `{ fast: false }` noise) and means
+* callers never forward a disabled option to `agent.run`.
+*/
+function enabledModelOptions(raw) {
+	if (!raw || typeof raw !== "object") return {};
+	const out = {};
+	for (const [id, on] of Object.entries(raw)) if (on === true) out[id] = true;
+	return out;
+}
+/**
+* Resolve a model's remembered options for a (re)pick: keep only options the
+* model still declares AND that are enabled, dropping any that no longer apply
+* (e.g. switching away from a model that supported `fast`). Returns `undefined`
+* when nothing applies so callers can omit the field entirely.
+*
+* Shared by the TUI pick path and the launch-time resume path so "which options
+* survive a model switch / relaunch" is decided in exactly one place.
+*/
+function restoreModelOptions(descriptor, modelId, remembered) {
+	const validIds = new Set(modelOptionsFor(descriptor, modelId).map((o) => o.id));
+	if (validIds.size === 0) return void 0;
+	const enabled = enabledModelOptions(remembered?.[modelId]);
+	const filtered = {};
+	for (const id of Object.keys(enabled)) if (validIds.has(id)) filtered[id] = true;
+	return Object.keys(filtered).length > 0 ? filtered : void 0;
+}
+//#endregion
+//#region src/chat/credentials.ts
+/** POSIX mode for the credentials file. Ignored on Windows. */
+const FILE_MODE = 384;
+/**
+* Resolve the credentials file path given the resolved TUI data directory
+* (typically `~/.zidane`, i.e. `config.paths.dir`).
+*
+* Matches the convention used elsewhere in the TUI (sessions.db, state.json)
+* so a single `ZIDANE_STORAGE_DIR` override moves the entire data root.
+*/
+function credentialsPath(dataDir) {
+	return resolve(dataDir, "credentials.json");
+}
+/**
+* Read credentials from disk.
+*
+* Returns `{}` when the file is missing or corrupt (last-ditch tolerance —
+* a hand-edit gone wrong shouldn't lock the user out of re-authing). On first
+* call with no file present, attempts a migration from `cwd/.credentials.json`
+* (the legacy location used by `bun run auth`).
+*/
+function readCredentials(dataDir) {
+	const path = credentialsPath(dataDir);
+	if (!existsSync(path)) {
+		const migrated = migrateLegacyFile(path);
+		if (migrated) return migrated;
+		return {};
+	}
+	try {
+		const raw = readFileSync(path, "utf-8");
+		const parsed = JSON.parse(raw);
+		if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) return {};
+		return parsed;
+	} catch {
+		return {};
+	}
+}
+/** Read a single provider's credential (translating via the descriptor). */
+function readProviderCredential(dataDir, descriptor) {
+	return readCredentials(dataDir)[credKeyOf(descriptor)];
+}
+/**
+* Write credentials atomically (write-then-rename) with mode 0o600.
+*
+* Atomic on the same filesystem — readers either see the previous file or the
+* new one, never a half-written intermediate. Creates the parent dir if needed
+* (first launch on a fresh machine: `~/.zidane/` may not exist yet).
+*/
+function writeCredentials(dataDir, creds) {
+	writeFileAtomic(credentialsPath(dataDir), `${JSON.stringify(creds, null, 2)}\n`, {
+		ensureDir: true,
+		mode: FILE_MODE
+	});
+}
+function setProviderCredential(dataDir, descriptor, cred) {
+	const all = readCredentials(dataDir);
+	all[credKeyOf(descriptor)] = cred;
+	writeCredentials(dataDir, all);
+}
+function removeProviderCredential(dataDir, descriptor) {
+	const all = readCredentials(dataDir);
+	const fileKey = credKeyOf(descriptor);
+	if (!(fileKey in all)) return;
+	delete all[fileKey];
+	writeCredentials(dataDir, all);
+}
+/**
+* Reconcile `process.env` with the stored credentials so the harness providers
+* pick up the wizard's output via their existing env-var resolution. Called
+* once at TUI launch after the credentials file has been resolved.
+*
+* **Precedence: stored credential > ambient env.** When the user has run the
+* auth wizard, that's an explicit, recent action — it MUST win over whatever
+* ambient value is already in `process.env`. Otherwise an upgrade reliably
+* breaks for anyone whose cwd happens to contain a stale `.env`: Bun
+* auto-loads `.env` from cwd into `process.env` before our code runs, the
+* legacy `bun run auth` used to upsert tokens into `cwd/.env`, and even a
+* one-off `export ANTHROPIC_API_KEY=…` from months ago in the user's shell rc
+* can outlive its usefulness. None of those should override a key the user
+* just typed into the wizard.
+*
+* Three cases per registered provider with an `envKey`:
+*
+*   1. Stored `kind: 'apikey'` → overwrite env with the stored value. Wizard
+*      wins. A debug log fires when this clobbers a different ambient value.
+*   2. Stored `kind: 'oauth'`  → DELETE env, so {@link resolveOAuthApiKey}
+*      falls through to the file-read + refresh path. A stale OAuth token
+*      in env would otherwise short-circuit refresh and get rejected.
+*   3. No stored entry → leave env alone. Env-only setups (no wizard run yet,
+*      hosts driving zidane purely from secrets management) keep working.
+*
+* To opt out and force ambient env to win again, the user signs the provider
+* out via the wizard (which deletes the stored entry → case 3 above).
+*
+* Descriptors without an `envKey` (OAuth-only providers, custom providers
+* that bypass env-var resolution) are skipped silently.
+*/
+function applyApiKeyEnv(dataDir, registry) {
+	const creds = readCredentials(dataDir);
+	for (const descriptor of Object.values(registry)) {
+		const cred = creds[credKeyOf(descriptor)];
+		if (cred?.kind === "apikey" && descriptor.customFields) {
+			const stored = cred.customFields ?? {};
+			for (const field of descriptor.customFields) {
+				const value = stored[field.key];
+				if (typeof value === "string" && value.length > 0) {
+					const ambient = process.env[field.envVar];
+					if (ambient && ambient !== value && process.env.ZIDANE_DEBUG) process.stderr.write(`[zidane/chat] applyApiKeyEnv: overriding ambient \`${field.envVar}\` with stored value from credentials.json (provider=${descriptor.key}, field=${field.key}).\n`);
+					process.env[field.envVar] = value;
+				}
+			}
+		}
+		if (!descriptor.envKey) continue;
+		const envKey = descriptor.envKey;
+		const ambient = process.env[envKey];
+		if (cred?.kind === "apikey" && cred.value) {
+			if (ambient && ambient !== cred.value && process.env.ZIDANE_DEBUG) process.stderr.write(`[zidane/chat] applyApiKeyEnv: overriding ambient \`${envKey}\` with stored API key from credentials.json (provider=${descriptor.key}). Sign out via the auth wizard if the ambient value was intended to win.\n`);
+			process.env[envKey] = cred.value;
+			continue;
+		}
+		if (cred?.kind === "oauth" && cred.access) {
+			if (ambient !== void 0 && process.env.ZIDANE_DEBUG) process.stderr.write(`[zidane/chat] applyApiKeyEnv: clearing ambient \`${envKey}\` because credentials.json has stored OAuth for ${descriptor.key} — refresh path needs the file.\n`);
+			delete process.env[envKey];
+			continue;
+		}
+	}
+}
+/**
+* `bun run auth` (pre-TUI) wrote `cwd/.credentials.json` with an entry per
+* provider mapping directly to an OAuthCredentials payload, e.g.:
+*
+*   {
+*     "anthropic":    { "access": "...", "refresh": "...", "expires": 123 },
+*     "openai-codex": { "access": "...", "refresh": "...", "expires": 123, "accountId": "..." }
+*   }
+*
+* We don't delete the legacy file — it might still be used by a host that
+* imports the harness directly. We just copy its contents into the new
+* location under the kind-tagged shape so the TUI picks them up.
+*
+* Migration is provider-agnostic: any top-level entry with an `access` field
+* is preserved verbatim (extras included), under the same key. The TUI's
+* detection then looks them up via the matching descriptor's `credentialFileKey`.
+*
+* Returns the migrated credentials when the migration ran, or `null` when
+* there's no legacy file to migrate.
+*/
+function migrateLegacyFile(targetPath) {
+	const legacyPath = resolve(process.cwd(), ".credentials.json");
+	const real = (p) => {
+		try {
+			return realpathSync(p);
+		} catch {
+			return p;
+		}
+	};
+	const legacyDir = real(dirname(legacyPath));
+	if (legacyDir !== real(homedir()) && legacyDir !== real(dirname(resolve(targetPath)))) return null;
+	if (!existsSync(legacyPath)) return null;
+	let legacy;
+	try {
+		legacy = JSON.parse(readFileSync(legacyPath, "utf-8"));
+	} catch {
+		return null;
+	}
+	if (!legacy || typeof legacy !== "object" || Array.isArray(legacy)) return null;
+	const migrated = {};
+	for (const [fileKey, value] of Object.entries(legacy)) {
+		if (!isOAuthLegacy(value)) continue;
+		const { access, refresh, expires, ...extras } = value;
+		migrated[fileKey] = {
+			kind: "oauth",
+			access,
+			...typeof refresh === "string" ? { refresh } : {},
+			...typeof expires === "number" ? { expires } : {},
+			...extras
+		};
+	}
+	if (Object.keys(migrated).length === 0) return null;
+	writeFileAtomic(targetPath, `${JSON.stringify(migrated, null, 2)}\n`, {
+		ensureDir: true,
+		mode: FILE_MODE
+	});
+	return migrated;
+}
+function isOAuthLegacy(value) {
+	return typeof value === "object" && value !== null && "access" in value && typeof value.access === "string";
+}
+//#endregion
+//#region src/chat/xdg.ts
+/**
+* XDG Base Directory resolution for zidane.
+*
+* The user's storage spreads across four logical slots:
+*
+*   - **config** — credentials, mcp-credentials, keybindings, config.json,
+*     mcps.json, skills (user-editable surface).
+*   - **data**   — sessions.db (long-lived chat history).
+*   - **state**  — state.json (per-machine UI bookkeeping: last provider,
+*     last model, last agent, settings).
+*   - **cache**  — persisted tool results, background-task logs,
+*     auto-update registry cache (regenerable, safe to wipe).
+*
+* Historically all four collapsed to `~/.zidane/`. This module adds
+* XDG-Base-Directory-aware defaults so a Linux user with no existing
+* `~/.zidane/` lands in the conventional `~/.config/zidane/`,
+* `~/.local/share/zidane/`, `~/.local/state/zidane/`, `~/.cache/zidane/`
+* trio. Existing setups (anyone with a `~/.zidane/` directory or
+* `ZIDANE_STORAGE_DIR` set) keep the single-dir layout unchanged.
+*
+* Resolution flow — applied in this order:
+*
+*   1. Caller passed an explicit `storageDir` (`ChatOptions.storageDir`)
+*      OR `ZIDANE_STORAGE_DIR` is set → **legacy-explicit** single-dir
+*      layout under `<storageDir>/<prefix>`. The four slots collapse to
+*      the same directory.
+*   2. `~/<prefix>/` already exists on disk → **legacy-existing**
+*      single-dir layout under that directory. Upgrades never silently
+*      shift files around.
+*   3. Any `XDG_*_HOME` env var is set OR `process.platform === 'linux'`
+*      → **XDG split**. Each slot lands in its own dir. Per-slot
+*      `ZIDANE_{CONFIG,DATA,CACHE,STATE}_DIR` overrides beat the XDG
+*      vars for surgical tweaks.
+*   4. Otherwise (macOS/Windows, no XDG signal, no existing dir) →
+*      **default** single-dir layout at `~/<prefix>/`. Day-one behavior
+*      on these platforms is unchanged.
+*
+* The `userDir` legacy alias always equals `configDir` so existing code
+* that still references `paths.userDir` keeps reading credentials, mcps,
+* etc. from the right place.
+*/
+/**
+* Resolve the four storage slots according to the precedence above.
+*
+* Pure aside from one filesystem probe (`existsSync(home/<prefix>)`)
+* — the same probe `resolveStoragePaths` would do anyway when
+* computing `paths.userDir`. No directories are created here; the
+* relevant write paths (state store, credentials writer, persist
+* dir) handle their own lazy `mkdirSync` already.
+*/
+function resolveStorageDirs(opts = {}) {
+	const env = opts.env ?? process.env;
+	const home = opts.home ?? homedir();
+	const platform = opts.platform ?? process.platform;
+	const rawPrefix = opts.prefix ?? ".zidane";
+	const prefixBare = rawPrefix.replace(/^\./, "");
+	const explicitStorageDir = opts.storageDir ?? env.ZIDANE_STORAGE_DIR;
+	if (explicitStorageDir) return single(resolve(explicitStorageDir, rawPrefix), "legacy-explicit");
+	const legacyHomeDir = resolve(home, rawPrefix);
+	if (existsSync(legacyHomeDir)) return single(legacyHomeDir, "legacy-existing");
+	if (platform === "linux" || !!env.XDG_CONFIG_HOME || !!env.XDG_DATA_HOME || !!env.XDG_CACHE_HOME || !!env.XDG_STATE_HOME || !!env.ZIDANE_CONFIG_DIR || !!env.ZIDANE_DATA_DIR || !!env.ZIDANE_STATE_DIR || !!env.ZIDANE_CACHE_DIR) return {
+		configDir: env.ZIDANE_CONFIG_DIR ?? resolve(env.XDG_CONFIG_HOME || resolve(home, ".config"), prefixBare),
+		dataDir: env.ZIDANE_DATA_DIR ?? resolve(env.XDG_DATA_HOME || resolve(home, ".local", "share"), prefixBare),
+		stateDir: env.ZIDANE_STATE_DIR ?? resolve(env.XDG_STATE_HOME || resolve(home, ".local", "state"), prefixBare),
+		cacheDir: env.ZIDANE_CACHE_DIR ?? resolve(env.XDG_CACHE_HOME || resolve(home, ".cache"), prefixBare),
+		mode: "xdg"
+	};
+	return single(legacyHomeDir, "default");
+}
+function single(base, mode) {
+	return {
+		configDir: base,
+		dataDir: base,
+		stateDir: base,
+		cacheDir: base,
+		mode
+	};
+}
+//#endregion
+export { restoreModelOptions as C, piIdOf as S, modelOptionsFor as _, readProviderCredential as a, openaiDescriptor as b, writeCredentials as c, cerebrasDescriptor as d, credKeyOf as f, localDescriptor as g, getModelInfo as h, readCredentials as i, BUILTIN_PROVIDERS as l, getContextWindow as m, applyApiKeyEnv as n, removeProviderCredential as o, enabledModelOptions as p, credentialsPath as r, setProviderCredential as s, resolveStorageDirs as t, anthropicDescriptor as u, modelSupportsReasoning as v, openrouterDescriptor as x, modelsForDescriptor as y };
+
+//# sourceMappingURL=xdg-zlSeVBhQ.js.map