zyndo 0.3.4 → 0.4.0

package/dist/agentLoop.d.ts

@@ -10,5 +10,15 @@ export type AgentLoopResult = Readonly<{
     paused: boolean;
     timedOut?: boolean;
     pendingQuestion?: string;
+    /**
+     * Set when the underlying agent harness (codex, claude, generic binary)
+     * exited with a non-zero status and produced no usable output. The caller
+     * MUST NOT deliver `output` to the buyer in this case — it is a stderr
+     * dump, not a deliverable. Instead, send a human-readable info message
+     * and leave the task alone so the buyer can revise or dispute.
+     */
+    harnessFailed?: boolean;
+    /** When harnessFailed is set, this is the short human-readable reason. */
+    harnessError?: string;
 }>;
 export declare function runAgentLoop(provider: LLMProvider, tools: ReadonlyArray<Tool>, initialMessage: string, opts: AgentLoopOptions): Promise<AgentLoopResult>;

package/dist/commands/seller.d.ts

@@ -0,0 +1,8 @@
+import { type SellerConfig } from '../config.js';
+export type SellerCommandDeps = Readonly<{
+    loadConfig: () => SellerConfig;
+    httpFetch: typeof fetch;
+    stderr: (msg: string) => void;
+    stdout: (msg: string) => void;
+}>;
+export declare function handleSellerCommand(args: ReadonlyArray<string>, deps?: SellerCommandDeps): Promise<void>;

package/dist/commands/seller.js

@@ -0,0 +1,142 @@
+// ---------------------------------------------------------------------------
+// zyndo seller — local CLI for managing seller ownership
+//
+// Subcommands:
+//   zyndo seller list
+//     GET /user/seller-agents — prints the user's slug ↔ agentId table
+//     so the operator can find orphaned reputation after a slug change.
+//
+//   zyndo seller adopt <agentId>
+//     POST /user/seller-agents/adopt — rebinds the current seller.yaml
+//     slug to an existing agentId the user already owns. Used to reclaim
+//     reputation when the local slug drifts from what the broker persisted.
+//
+//   zyndo seller retire <slug>
+//     POST /user/seller-agents/:slug/retire — marks a slug row retired so
+//     it stops being restored on connect and frees a cap slot.
+//
+// Auth: reads `api_key` from the local seller.yaml and passes it via
+// `x-zyndo-api-key`. The /user/seller-agents/* routes accept API keys as
+// a dashboard-less auth path (incident 2026-04-15).
+// ---------------------------------------------------------------------------
+import { loadSellerConfig } from '../config.js';
+const DEFAULT_DEPS = {
+    loadConfig: () => loadSellerConfig(),
+    httpFetch: fetch,
+    stderr: (msg) => process.stderr.write(msg),
+    stdout: (msg) => process.stdout.write(msg)
+};
+export async function handleSellerCommand(args, deps = DEFAULT_DEPS) {
+    const [subcommand, ...rest] = args;
+    if (subcommand === undefined) {
+        printUsage(deps);
+        process.exitCode = 1;
+        return;
+    }
+    let config;
+    try {
+        config = deps.loadConfig();
+    }
+    catch (err) {
+        deps.stderr(`Failed to load seller config: ${err.message}\n`);
+        process.exitCode = 1;
+        return;
+    }
+    if (config.apiKey.length === 0) {
+        deps.stderr('Missing api_key in seller.yaml. Add one from https://zyndo.ai/dashboard (API Keys tab).\n');
+        process.exitCode = 1;
+        return;
+    }
+    const headers = {
+        'content-type': 'application/json',
+        'x-zyndo-api-key': config.apiKey
+    };
+    switch (subcommand) {
+        case 'list': {
+            const res = await deps.httpFetch(`${config.bridgeUrl}/user/seller-agents`, { headers });
+            if (!res.ok) {
+                deps.stderr(`List failed (${res.status}): ${await res.text().catch(() => '')}\n`);
+                process.exitCode = 1;
+                return;
+            }
+            const body = (await res.json());
+            if (body.agents.length === 0) {
+                deps.stdout('No sellers registered under this account.\n');
+                return;
+            }
+            deps.stdout(`Sellers for this account (${body.agents.length}):\n\n`);
+            for (const a of body.agents) {
+                const status = a.retiredAt !== undefined ? '[retired]' : a.online ? '[online]' : '[offline]';
+                deps.stdout(`  ${status}  ${a.displayName}\n` +
+                    `             slug:     ${a.sellerSlug}\n` +
+                    `             agentId:  ${a.agentId}\n` +
+                    `             tasks:    ${a.completedTaskCount} completed / ${a.lifetimeTaskCount} lifetime\n` +
+                    `             last seen ${a.lastSeenAt}\n\n`);
+            }
+            return;
+        }
+        case 'adopt': {
+            const agentId = rest[0];
+            if (agentId === undefined || agentId.length === 0) {
+                deps.stderr('Usage: zyndo seller adopt <agentId>\n');
+                process.exitCode = 1;
+                return;
+            }
+            if (config.id === undefined || config.id.length === 0) {
+                deps.stderr('Current seller.yaml has no `id:` slug. Add one and retry.\n');
+                process.exitCode = 1;
+                return;
+            }
+            const res = await deps.httpFetch(`${config.bridgeUrl}/user/seller-agents/adopt`, {
+                method: 'POST',
+                headers,
+                body: JSON.stringify({ sellerSlug: config.id, agentId })
+            });
+            if (!res.ok) {
+                const text = await res.text().catch(() => '');
+                deps.stderr(`Adopt failed (${res.status}): ${text}\n`);
+                process.exitCode = 1;
+                return;
+            }
+            const body = (await res.json());
+            deps.stdout(`Adopted agentId ${body.agentId} under slug "${body.sellerSlug}" (display name: ${body.displayName}).\n`);
+            if (body.previousSlug !== undefined) {
+                deps.stdout(`Previous slug "${body.previousSlug}" was retired to free the binding.\n`);
+            }
+            deps.stdout('Run `zyndo serve` to resume as this seller. Reputation stays attached to the adopted agentId.\n');
+            return;
+        }
+        case 'retire': {
+            const slug = rest[0];
+            if (slug === undefined || slug.length === 0) {
+                deps.stderr('Usage: zyndo seller retire <slug>\n');
+                process.exitCode = 1;
+                return;
+            }
+            const res = await deps.httpFetch(`${config.bridgeUrl}/user/seller-agents/${encodeURIComponent(slug)}/retire`, { method: 'POST', headers });
+            if (!res.ok) {
+                deps.stderr(`Retire failed (${res.status}): ${await res.text().catch(() => '')}\n`);
+                process.exitCode = 1;
+                return;
+            }
+            const body = (await res.json());
+            if (body.alreadyRetired === true) {
+                deps.stdout(`Slug "${body.sellerSlug}" was already retired. No change.\n`);
+            }
+            else {
+                deps.stdout(`Retired slug "${body.sellerSlug}". Its cap slot is freed.\n`);
+            }
+            return;
+        }
+        default: {
+            printUsage(deps);
+            process.exitCode = 1;
+        }
+    }
+}
+function printUsage(deps) {
+    deps.stderr('Usage:\n' +
+        '  zyndo seller list                 List seller agents on this account\n' +
+        '  zyndo seller adopt <agentId>      Rebind current seller.yaml slug to an existing agentId\n' +
+        '  zyndo seller retire <slug>        Retire a seller slug (frees a cap slot)\n');
+}

package/dist/config.d.ts

@@ -54,6 +54,7 @@ export type SellerConfig = Readonly<{
     claudeCodeTimeoutMs?: number;
     claudeCodeMaxBudgetUsd?: number;
     identityKeyPath?: string;
+    forceNewSlug: boolean;
 }>;
 export type BuyerConfig = Readonly<{
     apiKey: string;

package/dist/config.js

@@ -44,7 +44,13 @@ export function loadSellerConfig(configPath) {
     const name = requireString(data, 'name');
     const description = requireString(data, 'description');
     const provider = requireEnum(data, 'provider', ['anthropic', 'openai', 'ollama', 'claude-code']);
-    const model = requireString(data, 'model');
+    // Optional: when empty, the harness CLI uses its own native default.
+    // For codex: reads ~/.codex/config.toml `model` (auto-tracks whatever
+    // OpenAI currently supports on the seller's ChatGPT plan). For claude:
+    // uses Claude Code's built-in default. Incident 2026-04-14: a hardcoded
+    // `gpt-5-codex` override broke every task when OpenAI rotated the
+    // ChatGPT-edu allowlist to `gpt-5.3-codex`. Blank is the safest default.
+    const model = optionalString(data, 'model') ?? '';
     const providerApiKey = optionalString(data, 'provider_api_key');
     const workingDirectory = optionalString(data, 'working_directory') ?? process.cwd();
     const systemPrompt = optionalString(data, 'system_prompt') ?? 'You are a helpful AI agent.';
@@ -89,6 +95,7 @@ export function loadSellerConfig(configPath) {
     const claudeCodeTimeoutMs = typeof data.claude_code_timeout_ms === 'number' ? data.claude_code_timeout_ms : undefined;
     const claudeCodeMaxBudgetUsd = typeof data.claude_code_max_budget_usd === 'number' ? data.claude_code_max_budget_usd : undefined;
     const identityKeyPath = optionalString(data, 'identity_key_path');
+    const forceNewSlug = data.force_new_slug === true;
     const skills = requireArray(data, 'skills').map((s) => {
         const skill = s;
         const id = requireString(skill, 'id');
@@ -137,7 +144,8 @@ export function loadSellerConfig(configPath) {
         claudeCodeBinary,
         claudeCodeTimeoutMs,
         claudeCodeMaxBudgetUsd,
-        identityKeyPath
+        identityKeyPath,
+        forceNewSlug
     };
 }
 // ---------------------------------------------------------------------------

package/dist/connection.d.ts

@@ -91,6 +91,7 @@ export declare function connect(bridgeUrl: string, apiKey: string, opts: {
     categories?: ReadonlyArray<string>;
     maxConcurrentTasks?: number;
     sellerSlug?: string;
+    forceNewSlug?: boolean;
 }): Promise<AgentSession>;
 export declare function reconnect(session: AgentSession, apiKey: string, opts?: {
     role?: 'buyer' | 'seller';

package/dist/connection.js

@@ -117,6 +117,8 @@ export async function connect(bridgeUrl, apiKey, opts) {
     };
     if (opts.sellerSlug !== undefined)
         body.sellerSlug = opts.sellerSlug;
+    if (opts.forceNewSlug === true)
+        body.forceNewSlug = true;
     const res = await fetch(`${bridgeUrl}/agent/connect`, {
         method: 'POST',
         headers,
@@ -124,6 +126,39 @@ export async function connect(bridgeUrl, apiKey, opts) {
     });
     if (!res.ok) {
         const errBody = await res.text();
+        // Per-user seller cap: surface a human-readable hint so the operator
+        // can retire an existing slug instead of guessing why their daemon
+        // refused to start.
+        if (res.status === 409) {
+            let parsed;
+            try {
+                parsed = JSON.parse(errBody);
+            }
+            catch {
+                parsed = undefined;
+            }
+            if (parsed !== undefined && parsed.error === 'seller_limit_reached') {
+                const existing = parsed.existing !== undefined && parsed.existing.length > 0
+                    ? parsed.existing.join(', ')
+                    : '<none>';
+                throw new Error(`Connect failed: seller_limit_reached. This account already runs ${parsed.limit ?? '?'} sellers (${existing}). Retire one via the dashboard before launching another listing.`);
+            }
+            if (parsed !== undefined && parsed.error === 'possible_orphaned_seller') {
+                const candidates = parsed.candidates ?? [];
+                const lines = candidates
+                    .map((c) => `  - agentId=${c.agentId}  slug=${c.sellerSlug}  last_seen=${c.lastSeenAt ?? '<unknown>'}`)
+                    .join('\n');
+                throw new Error(`Connect failed: another seller on your account already uses the display name "${opts.name}".\n` +
+                    `\n` +
+                    `If it is the SAME seller you ran before, reclaim its reputation with:\n` +
+                    `  zyndo seller adopt <agentId>\n` +
+                    `\n` +
+                    `Candidates:\n${lines.length > 0 ? lines : '  (none reported by broker)'}\n` +
+                    `\n` +
+                    `If you really want a brand new empty seller under this display name, add this to seller.yaml:\n` +
+                    `  force_new_slug: true`);
+            }
+        }
         throw new Error(`Connect failed (${res.status}): ${errBody}`);
     }
     const data = (await res.json());

package/dist/harnessSelfCheck.d.ts

@@ -0,0 +1,14 @@
+import type { SellerConfig } from './config.js';
+export type SelfCheckResult = Readonly<{
+    ok: true;
+}> | Readonly<{
+    ok: false;
+    reason: string;
+    fix: string;
+}>;
+/**
+ * Spawn the harness with a trivial prompt and verify it completes successfully.
+ * This is the same command shape that `runClaudeCodeTask` uses, minus the
+ * system prompt / BOUND CONTRACT block so the probe stays fast (<30s).
+ */
+export declare function verifyHarnessReady(config: SellerConfig): Promise<SelfCheckResult>;

package/dist/harnessSelfCheck.js

@@ -0,0 +1,165 @@
+// ---------------------------------------------------------------------------
+// Harness self-check
+//
+// Runs a trivial dry-run spawn of the configured harness (claude / codex)
+// at daemon startup, BEFORE the seller connects to the broker. Catches three
+// failure modes that would otherwise burn a real buyer hire:
+//
+//  1. Seller pinned an explicit model that the account no longer allows
+//     (e.g. a stale `gpt-5-codex` after OpenAI rotated the ChatGPT allowlist
+//      to `gpt-5.3-codex`). Incident 2026-04-14.
+//  2. Harness binary is missing, unauthenticated, or rate-limited.
+//  3. Any other startup-time error the harness itself surfaces.
+//
+// The probe uses the SAME spawn path as runClaudeCodeTask (cross-spawn,
+// stdin-piped prompt, -o tempfile for codex) so anything it reports is
+// representative of what a real task would hit.
+// ---------------------------------------------------------------------------
+import spawn from 'cross-spawn';
+import { join } from 'node:path';
+import { tmpdir } from 'node:os';
+import { randomBytes } from 'node:crypto';
+import { readFileSync, unlinkSync } from 'node:fs';
+import { detectHarness } from './providers/claudeCode.js';
+const PROBE_TIMEOUT_MS = 30_000;
+const PROBE_PROMPT = 'Reply with exactly the two characters: ok';
+/**
+ * Parse harness stderr for known failure patterns and return actionable fix
+ * text. Falls through to a generic "see stderr tail" message.
+ */
+function diagnoseFailure(stderr, harness, config) {
+    // Codex + Claude ChatGPT-account allowlist rejection. The exact string from
+    // Codex v0.116.0 is "The '<model>' model is not supported when using Codex
+    // with a ChatGPT account." — future Anthropic equivalents likely follow the
+    // same pattern, hence the broad regex.
+    if (/is not supported when using .* with a ChatGPT account/i.test(stderr)
+        || /model .* is not (?:available|supported)/i.test(stderr)) {
+        const pinnedModel = config.model.length > 0 ? config.model : '(none)';
+        const fix = harness === 'codex'
+            ? `Your seller.yaml pins model="${pinnedModel}" but your Codex account does not allow it.\n` +
+                `  Fix: remove (or blank) the "model:" line in seller.yaml so Codex uses\n` +
+                `  its own default from ~/.codex/config.toml. Alternatively, set\n` +
+                `  OPENAI_API_KEY in your shell before "zyndo serve" to switch to API billing.`
+            : `Your seller.yaml pins model="${pinnedModel}" but your Claude account does not allow it.\n` +
+                `  Fix: remove (or blank) the "model:" line in seller.yaml so Claude Code\n` +
+                `  uses its own default model.`;
+        return { reason: 'Harness rejected the configured model (allowlist mismatch).', fix };
+    }
+    if (/401|unauthorized|not (?:logged in|authenticated)/i.test(stderr)) {
+        const cmd = harness === 'codex' ? 'codex login' : 'claude login';
+        return {
+            reason: 'Harness is not authenticated.',
+            fix: `Run "${cmd}" in this shell, then restart "zyndo serve".`
+        };
+    }
+    if (/rate.?limit/i.test(stderr)) {
+        return {
+            reason: 'Harness is rate-limited.',
+            fix: 'Wait a few minutes and restart "zyndo serve". If this keeps happening, upgrade your account plan.'
+        };
+    }
+    if (/command not found|ENOENT|spawn .* ENOENT/i.test(stderr)) {
+        return {
+            reason: 'Harness binary not found on PATH.',
+            fix: `Install the ${harness === 'codex' ? 'Codex' : 'Claude Code'} CLI and re-run "zyndo init" to update the binary path in seller.yaml.`
+        };
+    }
+    // Generic fallback — show the tail so the operator can see the real error.
+    const tail = stderr.length > 1000 ? stderr.slice(-1000) : stderr;
+    return {
+        reason: 'Harness exited non-zero during startup probe.',
+        fix: `Stderr tail:\n${tail.trim()}`
+    };
+}
+/**
+ * Spawn the harness with a trivial prompt and verify it completes successfully.
+ * This is the same command shape that `runClaudeCodeTask` uses, minus the
+ * system prompt / BOUND CONTRACT block so the probe stays fast (<30s).
+ */
+export async function verifyHarnessReady(config) {
+    const binary = config.claudeCodeBinary ?? 'claude';
+    const harness = config.harness ?? detectHarness(binary);
+    // `generic` harness has no prescribed args — we trust whatever shell the
+    // seller wired up. Skip the probe; there's nothing standard to test.
+    if (harness === 'generic') {
+        return { ok: true };
+    }
+    let outputFile;
+    const args = [];
+    if (harness === 'codex') {
+        outputFile = join(tmpdir(), `zyndo-probe-${Date.now()}-${randomBytes(4).toString('hex')}.txt`);
+        args.push('exec', '-');
+        if (config.model.length > 0)
+            args.push('-m', config.model);
+        args.push('--dangerously-bypass-approvals-and-sandbox', '--skip-git-repo-check', '-C', config.workingDirectory, '--color', 'never', '-o', outputFile);
+    }
+    else {
+        // claude
+        args.push('--print', '--output-format', 'json');
+        if (config.model.length > 0)
+            args.push('--model', config.model);
+        args.push('--add-dir', config.workingDirectory, '--permission-mode', 'bypassPermissions', '--no-session-persistence');
+    }
+    return new Promise((resolve) => {
+        const controller = new AbortController();
+        const timeoutHandle = setTimeout(() => controller.abort(), PROBE_TIMEOUT_MS);
+        const proc = spawn(binary, args, {
+            cwd: config.workingDirectory,
+            signal: controller.signal,
+            stdio: ['pipe', 'pipe', 'pipe'],
+            env: { ...process.env }
+        });
+        const stdoutChunks = [];
+        const stderrChunks = [];
+        proc.stdout.on('data', (c) => stdoutChunks.push(c));
+        proc.stderr.on('data', (c) => stderrChunks.push(c));
+        proc.on('error', (err) => {
+            clearTimeout(timeoutHandle);
+            if (outputFile !== undefined) {
+                try {
+                    unlinkSync(outputFile);
+                }
+                catch { /* ignore */ }
+            }
+            if (err.name === 'AbortError') {
+                resolve({
+                    ok: false,
+                    reason: `Harness probe timed out after ${PROBE_TIMEOUT_MS / 1000}s.`,
+                    fix: `The ${harness} binary hung without responding. Try running it manually once to confirm it works, then restart "zyndo serve".`
+                });
+                return;
+            }
+            resolve({
+                ok: false,
+                reason: `Failed to spawn harness binary: ${err.message}`,
+                fix: `Check that "${binary}" is installed and on your PATH. Re-run "zyndo init" to update the binary path.`
+            });
+        });
+        proc.on('close', (code) => {
+            clearTimeout(timeoutHandle);
+            const stderr = Buffer.concat(stderrChunks).toString('utf-8');
+            const stdout = Buffer.concat(stdoutChunks).toString('utf-8');
+            let probeOutput = stdout;
+            if (outputFile !== undefined) {
+                try {
+                    probeOutput = readFileSync(outputFile, 'utf-8');
+                }
+                catch { /* use stdout */ }
+                try {
+                    unlinkSync(outputFile);
+                }
+                catch { /* ignore */ }
+            }
+            if (code === 0 && probeOutput.trim().length > 0) {
+                resolve({ ok: true });
+                return;
+            }
+            const diagnosis = diagnoseFailure(stderr, harness, config);
+            resolve({ ok: false, ...diagnosis });
+        });
+        // Feed the probe prompt and close stdin so the harness completes.
+        proc.stdin.on('error', () => { });
+        proc.stdin.write(PROBE_PROMPT);
+        proc.stdin.end();
+    });
+}

package/dist/index.js

@@ -70,6 +70,11 @@ async function main() {
             await handleRefereeCommand(args.slice(1));
             break;
         }
+        case 'seller': {
+            const { handleSellerCommand } = await import('./commands/seller.js');
+            await handleSellerCommand(args.slice(1));
+            break;
+        }
         case 'version':
             process.stdout.write(`zyndo ${getPackageVersion()}\n`);
             break;
@@ -96,6 +101,9 @@ Usage:
   zyndo cashout                   View earnings and cashout (opens dashboard)
   zyndo connect [onboard|status]  Stripe Connect setup (opens dashboard)
   zyndo referee <enable|disable> <skillId>  Toggle Kimi K2.5 referee sampling on a skill
+  zyndo seller list               List seller agents on this account
+  zyndo seller adopt <agentId>    Rebind current seller.yaml slug to an existing agentId
+  zyndo seller retire <slug>      Retire a seller slug (frees a cap slot)
   zyndo version                   Show version
   zyndo help                      Show this help
 

package/dist/init.js

@@ -171,18 +171,23 @@ function testBinary(binary) {
         return { ok: false, error: err instanceof Error ? err.message : String(err) };
     }
 }
+// Default model is intentionally blank for every harness. Each CLI (claude,
+// codex) has its own native default that auto-tracks whatever the provider
+// currently rolls out on the seller's account. Hardcoding a string here used
+// to break every seller when OpenAI / Anthropic rotated their allowlists.
+// Sellers who want to pin a specific model can still enter one at the prompt.
 const HARNESS_OPTIONS = [
-    { label: 'Claude Code', harness: 'claude', binary: 'claude', defaultModel: 'sonnet' },
-    { label: 'Codex CLI', harness: 'codex', binary: 'codex', defaultModel: 'gpt-5-codex' },
-    { label: 'Other / Custom binary', harness: 'generic', binary: '', defaultModel: 'default' }
+    { label: 'Claude Code', harness: 'claude', binary: 'claude', defaultModel: '' },
+    { label: 'Codex CLI', harness: 'codex', binary: 'codex', defaultModel: '' },
+    { label: 'Other / Custom binary', harness: 'generic', binary: '', defaultModel: '' }
 ];
 function detectInstalledHarness() {
     const claudeBin = findClaudeBinary();
     if (claudeBin !== undefined)
-        return { harness: 'claude', binary: claudeBin, model: 'sonnet' };
+        return { harness: 'claude', binary: claudeBin, model: '' };
     const codexBin = findCodexBinary();
     if (codexBin !== undefined)
-        return { harness: 'codex', binary: codexBin, model: 'gpt-5-codex' };
+        return { harness: 'codex', binary: codexBin, model: '' };
     return undefined;
 }
 function parseFlags(argv) {
@@ -506,11 +511,20 @@ const YAML_HEADER = `# Zyndo seller configuration.
 #   provider              Always 'claude-code' (the spawn-a-CLI provider).
 #   harness               'claude' | 'codex' | 'generic'. MUST match the binary below.
 #   claude_code_binary    Absolute path to your harness binary. Set by \`zyndo init\`.
-#   model                 Model name passed to the harness (e.g. 'sonnet', 'gpt-5-codex').
+#   model                 OPTIONAL. Model name passed to the harness via -m/--model.
+#                         Leave blank (or omit entirely) to use the harness CLI's
+#                         own default — recommended, since it auto-tracks whatever
+#                         model your Claude/Codex account currently supports.
 #   working_directory     Where the seller can read/write files.
 #   max_concurrent_tasks  How many tasks the daemon will run in parallel.
 #   skills                What you offer. price_cents is REQUIRED ($0.10 floor).
 #   categories            Free-form tags used in marketplace browse filters.
+#   force_new_slug        OPTIONAL, default false. Set to true ONLY if you
+#                         deliberately want a second empty seller on this
+#                         account that shares a display name with an existing
+#                         one. Normally leave it unset — the broker's orphan
+#                         guard will tell you to adopt the existing agentId
+#                         instead of silently minting a duplicate.
 `;
 /**
  * If a seller.yaml already exists, return its `id:` (slug) if any. Used so
@@ -553,7 +567,9 @@ function writeConfig(out, force) {
         provider: 'claude-code',
         harness: out.harness,
         claude_code_binary: out.binary,
-        model: out.model,
+        // Omit `model` entirely when blank so the generated yaml stays clean.
+        // An absent `model:` line means the harness CLI picks its own default.
+        ...(out.model.length > 0 ? { model: out.model } : {}),
         working_directory: out.workingDirectory,
         max_concurrent_tasks: 1,
         identity_key_path: identityKeyPath,
@@ -683,19 +699,11 @@ function runNonInteractive(flags) {
             throw new Error('No AI harness found. Install Claude Code or Codex CLI, or pass --harness and --binary explicitly.');
         }
     }
-    // Pick model: explicit > harness default
-    if (flags.model !== undefined) {
-        model = flags.model;
-    }
-    else if (harness === 'claude') {
-        model = 'sonnet';
-    }
-    else if (harness === 'codex') {
-        model = 'gpt-5-codex';
-    }
-    else {
-        model = 'default';
-    }
+    // Pick model: explicit > blank (harness CLI uses its own default).
+    // Blank is safer than a hardcoded name because providers rotate model
+    // availability on ChatGPT/Claude account plans and any stale pin breaks
+    // every task overnight. See `HARNESS_OPTIONS` comment above.
+    model = flags.model ?? '';
     // Functional test
     const test = testBinary(binary);
     if (!test.ok) {
@@ -820,6 +828,7 @@ async function runInteractive() {
         process.stdout.write('  rejects any buyer brief that exceeds it. Be specific and strict.\n\n');
         const deliverables = await promptDeliverables(ask, skillName);
         process.stdout.write('\n');
+        process.stdout.write('  \x1b[2m(leave blank to use your harness CLI\'s own default — recommended)\x1b[0m\n');
         const model = await ask('Model', selected.defaultModel);
         const workingDir = await ask('Working directory', process.cwd());
         process.stdout.write('\n  \x1b[1mZyndo Marketplace\x1b[0m\n');

package/dist/providers/claudeCode.js

@@ -28,11 +28,16 @@ export function detectHarness(binary) {
 function buildHarnessSpawn(harness, config, systemPrompt) {
     switch (harness) {
         case 'claude': {
+            // Only pass --model when the seller explicitly pinned one in seller.yaml.
+            // Empty model lets Claude Code use its own built-in default, which
+            // auto-tracks whatever Anthropic currently rolls out. Prevents stale
+            // seller.yaml pins (e.g. `sonnet-3`) from overriding a working default.
+            const modelArgs = config.model.length > 0 ? ['--model', config.model] : [];
             const args = [
                 '--print',
                 '--output-format', 'json',
                 '--system-prompt', systemPrompt,
-                '--model', config.model,
+                ...modelArgs,
                 '--add-dir', config.workingDirectory,
                 '--permission-mode', 'bypassPermissions',
                 '--no-session-persistence'
@@ -53,10 +58,18 @@ function buildHarnessSpawn(harness, config, systemPrompt) {
             //   events that would otherwise pollute parseOutput.
             // - `--color never` strips ANSI escapes from any stderr we might log.
             const outputFile = join(tmpdir(), `zyndo-codex-${Date.now()}-${randomBytes(4).toString('hex')}.txt`);
+            // Only pass -m when the seller explicitly pinned a model. Empty model
+            // lets Codex use its own ~/.codex/config.toml default, which
+            // auto-tracks whatever OpenAI currently supports on the seller's plan.
+            // Incident 2026-04-14: a hardcoded `gpt-5-codex` override broke every
+            // task when OpenAI rotated the ChatGPT-edu allowlist to `gpt-5.3-codex`
+            // overnight. Blank is the safest default; sellers can still pin when
+            // they know they need a specific model.
+            const modelArgs = config.model.length > 0 ? ['-m', config.model] : [];
             const args = [
                 'exec',
                 '-',
-                '-m', config.model,
+                ...modelArgs,
                 '--dangerously-bypass-approvals-and-sandbox',
                 '--skip-git-repo-check',
                 '-C', config.workingDirectory,
@@ -209,18 +222,32 @@ export async function runClaudeCodeTask(taskContext, config, logger) {
             clearTimeout(timeoutHandle);
             if (err.name === 'AbortError') {
                 logger.error(`Task timed out after ${timeoutMs / 1000}s`);
-                resolve({ output: `Task timed out after ${timeoutMs / 1000} seconds.`, paused: false, timedOut: true });
+                // timedOut path — caller already treats this as non-deliverable
+                // and sends an info message instead of calling deliverTask. Keep
+                // the output field empty so there's no accidental leak.
+                resolve({ output: '', paused: false, timedOut: true });
                 return;
             }
             logger.error(`Spawn error: ${err.message}`);
-            resolve({ output: `Harness error: ${err.message}`, paused: false, timedOut: true });
+            resolve({
+                output: '',
+                paused: false,
+                harnessFailed: true,
+                harnessError: `Failed to spawn harness: ${err.message}`
+            });
         });
         proc.on('close', (code) => {
             clearTimeout(timeoutHandle);
             const stdout = Buffer.concat(stdoutChunks).toString('utf-8');
             const stderr = Buffer.concat(stderrChunks).toString('utf-8');
             if (stderr.length > 0) {
-                logger.info(`Harness stderr: ${stderr.slice(0, 500)}`);
+                // Dump the full stderr tail so we can see the actual codex error.
+                // Codex prints its startup banner first, then the real error below,
+                // so a 500-char slice would hide everything useful. Cap at 8000
+                // to avoid pathological logs.
+                const STDERR_MAX = 8000;
+                const tail = stderr.length > STDERR_MAX ? stderr.slice(-STDERR_MAX) : stderr;
+                logger.info(`Harness stderr (len=${stderr.length}):\n${tail}`);
             }
             // Codex writes the agent's final message to a tempfile via `-o`.
             // Read it back, then unlink. If the file is missing or unreadable
@@ -239,8 +266,22 @@ export async function runClaudeCodeTask(taskContext, config, logger) {
                 catch { /* ignore */ }
             }
             if (code !== 0 && agentOutput.length === 0) {
-                logger.error(`Harness exited with code ${code}`);
-                resolve({ output: `Harness failed (exit ${code}): ${stderr.slice(0, 1000)}`, paused: false });
+                // Log the full stderr tail (already emitted above at INFO, but make
+                // sure the ERROR line also carries enough context to diagnose).
+                const stderrTail = stderr.length > 4000 ? stderr.slice(-4000) : stderr;
+                logger.error(`Harness exited with code ${code}. stderr tail:\n${stderrTail}`);
+                // CRITICAL: do NOT put the stderr dump into `output` — the caller
+                // would deliver that verbatim to the buyer as the task deliverable.
+                // Signal failure via the harnessFailed flag so handleTask can send
+                // a human-readable info message to the buyer instead. Incident
+                // 2026-04-14: a failing codex run was delivered as "Harness failed
+                // (exit 1): OpenAI Codex ..." which the buyer saw as their post.
+                resolve({
+                    output: '',
+                    paused: false,
+                    harnessFailed: true,
+                    harnessError: `Codex exited ${code}. Try requesting a revision to retry.`
+                });
                 return;
             }
             resolve(parseOutput(agentOutput, harness));

package/dist/sellerDaemon.js

@@ -10,6 +10,7 @@ import { createAnthropicProvider } from './providers/anthropic.js';
 import { createOpenAIProvider } from './providers/openai.js';
 import { createOllamaProvider } from './providers/ollama.js';
 import { runClaudeCodeTask } from './providers/claudeCode.js';
+import { verifyHarnessReady } from './harnessSelfCheck.js';
 import { createReadFileTool } from './tools/readFile.js';
 import { createWriteFileTool } from './tools/writeFile.js';
 import { createBashTool } from './tools/bash.js';
@@ -120,6 +121,21 @@ export async function startSellerDaemon(config, opts) {
     catch (err) {
         logger.error(`Identity key setup failed: ${err instanceof Error ? err.message : String(err)}. Continuing unsigned.`);
     }
+    // Harness self-check: before touching the broker, spawn the configured
+    // harness with a trivial prompt to verify it can actually produce output.
+    // Catches stale model pins, expired auth, missing binaries, and rate
+    // limits — every failure mode that would otherwise burn a real buyer
+    // hire. Fail fast with an actionable fix instead of accepting work we
+    // know we cannot deliver. Incident 2026-04-14.
+    logger.info('Running harness self-check…');
+    const selfCheck = await verifyHarnessReady(config);
+    if (!selfCheck.ok) {
+        logger.error(`Harness self-check FAILED: ${selfCheck.reason}`);
+        logger.error(`Fix:\n  ${selfCheck.fix}`);
+        logger.error('Daemon refusing to start. Fix the issue above and re-run "zyndo serve".');
+        throw new Error(`Harness self-check failed: ${selfCheck.reason}`);
+    }
+    logger.info('Harness self-check passed.');
     // Try to reconnect as the same agent from a previous session
     let session;
     const previousSession = loadSession();
@@ -153,7 +169,8 @@ export async function startSellerDaemon(config, opts) {
             skills: [...config.skills],
             categories: [...config.categories],
             maxConcurrentTasks: config.maxConcurrentTasks,
-            sellerSlug: config.id
+            sellerSlug: config.id,
+            forceNewSlug: config.forceNewSlug
         });
         logger.info(`Connected: agentId=${session.agentId}`);
     }
@@ -603,6 +620,19 @@ async function handleTask(holder, taskId, config, logger, identityPrivateKey) {
         saveState({ taskId, messages: [], claudeCodeContext: context, originalContext: context });
         return;
     }
+    // Harness failure (codex/claude/generic exited non-zero with no output).
+    // NEVER deliver in this branch — the caller's `output` would be empty or
+    // a stderr dump and the buyer would receive it as their deliverable.
+    // Send a human-readable info message instead and leave the task in its
+    // current state so the buyer can request a revision to retry or open a
+    // dispute. Incident 2026-04-14.
+    if (result.harnessFailed === true) {
+        const reason = result.harnessError ?? 'The seller agent crashed during this run.';
+        logger.error(`Task ${taskId}: harness failed — ${reason}. NOT delivering stderr.`);
+        await sendTaskMessage(holder, taskId, 'info', `The seller agent encountered an error and could not produce a deliverable on this attempt. Details: ${reason}. Please click "Request revision" with the same brief to retry, or open a dispute if the problem persists.`);
+        saveState({ taskId, messages: [], claudeCodeContext: context, originalContext: context });
+        return;
+    }
     if (result.paused) {
         logger.info(`Task ${taskId}: paused, asking buyer: "${result.pendingQuestion?.slice(0, 100)}..."`);
         saveState({ taskId, messages: [], claudeCodeContext: context, pendingQuestion: result.pendingQuestion });
@@ -698,6 +728,13 @@ async function handleRevision(holder, taskId, feedback, config, logger, identity
         saveState({ taskId, messages: [], claudeCodeContext: revisionContext, originalContext });
         return;
     }
+    if (result.harnessFailed === true) {
+        const reason = result.harnessError ?? 'The seller agent crashed during the revision.';
+        logger.error(`Task ${taskId}: harness failed on revision — ${reason}. NOT delivering stderr.`);
+        await sendTaskMessage(holder, taskId, 'info', `The seller agent hit an error while reworking this delivery (${reason}). Try requesting another revision, or open a dispute if the issue persists.`);
+        saveState({ taskId, messages: [], claudeCodeContext: revisionContext, originalContext });
+        return;
+    }
     if (result.paused) {
         logger.info(`Task ${taskId}: revision paused, asking buyer...`);
         saveState({ taskId, messages: [], claudeCodeContext: revisionContext, originalContext, pendingQuestion: result.pendingQuestion });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "zyndo",
-  "version": "0.3.4",
+  "version": "0.4.0",
   "description": "The agent-to-agent CLI tool for sellers in the Zyndo Marketplace",
   "type": "module",
   "license": "MIT",