fix(security): remove unauthenticated file-based permission polling

Remove the legacy file-based permission polling from useSwarmPermissionPoller that read from ~/.claude/teams/{name}/permissions/resolved/ — an unauthenticated directory where any local process could forge approval files to auto-approve tool uses for swarm teammates. The file polling was dead code: - The useSwarmPermissionPoller() hook was never mounted by any component - resolvePermission() (the file writer) was never imported outside its module - Permission responses are delivered exclusively via the mailbox system: Leader: sendPermissionResponseViaMailbox() → writeToMailbox() Worker: useInboxPoller → processMailboxPermissionResponse() Changes: - Remove file polling loop, processResponse(), and React hook imports from useSwarmPermissionPoller.ts (now a pure callback registry module) - Mark 7 file-based functions as @deprecated in permissionSync.ts - Add 4 regression tests verifying the removal No exported functions removed — only deprecated. All 5 consumer modules verified: they import only mailbox-based functions that remain unchanged.
fix(security): harden project settings trust boundary + MCP sanitization
2026-04-20 14:38:57 +02:00 · 2026-04-20 14:11:46 +02:00 · 2026-04-20 17:13:09 +08:00 · 2026-04-20 16:34:58 +08:00 · 2026-04-20 16:24:02 +08:00 · 2026-04-20 15:25:42 +08:00
95 changed files with 3802 additions and 819 deletions
--- a/.release-please-manifest.json
+++ b/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "0.4.0"
+  ".": "0.5.2"
 }
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,39 @@
 # Changelog
 ## [0.5.2](https://github.com/Gitlawb/openclaude/compare/v0.5.1...v0.5.2) (2026-04-20)
 ### Bug Fixes
 * **api:** replace phrase-based reasoning sanitizer with tag-based filter ([#779](https://github.com/Gitlawb/openclaude/issues/779)) ([336ddcc](https://github.com/Gitlawb/openclaude/commit/336ddcc50d59d79ebff50993f2673652aecb0d7d))
 ## [0.5.1](https://github.com/Gitlawb/openclaude/compare/v0.5.0...v0.5.1) (2026-04-20)
 ### Bug Fixes
 * enforce Bash path constraints after sandbox allow ([#777](https://github.com/Gitlawb/openclaude/issues/777)) ([7002cb3](https://github.com/Gitlawb/openclaude/commit/7002cb302b78ea2a19da3f26226de24e2903fa1d))
 * enforce MCP OAuth callback state before errors ([#775](https://github.com/Gitlawb/openclaude/issues/775)) ([739b8d1](https://github.com/Gitlawb/openclaude/commit/739b8d1f40fde0e401a5cbd2b9a55d88bd5124ad))
 * require trusted approval for sandbox override ([#778](https://github.com/Gitlawb/openclaude/issues/778)) ([aab4890](https://github.com/Gitlawb/openclaude/commit/aab489055c53dd64369414116fe93226d2656273))
 ## [0.5.0](https://github.com/Gitlawb/openclaude/compare/v0.4.0...v0.5.0) (2026-04-20)
 ### Features
 * add OPENCLAUDE_DISABLE_STRICT_TOOLS env var to opt out of strict MCP tool schema normalization ([#770](https://github.com/Gitlawb/openclaude/issues/770)) ([e6e8d9a](https://github.com/Gitlawb/openclaude/commit/e6e8d9a24897e4c9ef08b72df20fabbf8ef27f38))
 * mask provider api key input ([#772](https://github.com/Gitlawb/openclaude/issues/772)) ([13e9f22](https://github.com/Gitlawb/openclaude/commit/13e9f22a83a2b0f85f557b1e12c9442ba61241e4))
 ### Bug Fixes
 * allow provider recovery during startup ([#765](https://github.com/Gitlawb/openclaude/issues/765)) ([f828171](https://github.com/Gitlawb/openclaude/commit/f828171ef1ab94e2acf73a28a292799e4e26cc0d))
 * **api:** drop orphan tool results to satisfy strict role sequence ([#745](https://github.com/Gitlawb/openclaude/issues/745)) ([b786b76](https://github.com/Gitlawb/openclaude/commit/b786b765f01f392652eaf28ed3579a96b7260a53))
 * **help:** prevent /help tab crash from undefined descriptions ([#732](https://github.com/Gitlawb/openclaude/issues/732)) ([3d1979f](https://github.com/Gitlawb/openclaude/commit/3d1979ff066db32415e0c8321af916d81f5f2621))
 * **mcp:** sync required array with properties in tool schemas ([#754](https://github.com/Gitlawb/openclaude/issues/754)) ([002a8f1](https://github.com/Gitlawb/openclaude/commit/002a8f1f6de2fcfc917165d828501d3047bad61f))
 * remove cached mcpClient in diagnostic tracking to prevent stale references ([#727](https://github.com/Gitlawb/openclaude/issues/727)) ([2c98be7](https://github.com/Gitlawb/openclaude/commit/2c98be700274a4241963b5f43530bf3bd8f8963f))
 * use raw context window for auto-compact percentage display ([#748](https://github.com/Gitlawb/openclaude/issues/748)) ([55c5f26](https://github.com/Gitlawb/openclaude/commit/55c5f262a9a5a8be0aa9ae8dc6c7dafc465eb2c6))
 ## [0.4.0](https://github.com/Gitlawb/openclaude/compare/v0.3.0...v0.4.0) (2026-04-17)
--- a/README.md
+++ b/README.md
@@ -331,7 +331,8 @@ For larger changes, open an issue first so the scope is clear before implementat
 - `bun run build`
 - `bun run test:coverage`
 - `bun run smoke`
- focused `bun test ...` runs for touched areas
+- focused `bun test ...` runs for files and flows you changed
 ## Disclaimer
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@gitlawb/openclaude",
-  "version": "0.4.0",
+  "version": "0.5.2",
  "description": "Claude Code opened to any LLM — OpenAI, Gemini, DeepSeek, Ollama, and 200+ models",
  "type": "module",
  "bin": {
--- a/scripts/system-check.test.ts
+++ b/scripts/system-check.test.ts
@@ -20,6 +20,23 @@ describe('formatReachabilityFailureDetail', () => {
    )
  })
  test('redacts credentials and sensitive query parameters in endpoint details', () => {
    const detail = formatReachabilityFailureDetail(
      'http://user:pass@localhost:11434/v1/models?token=abc123&mode=test',
      502,
      'bad gateway',
      {
        transport: 'chat_completions',
        requestedModel: 'llama3.1:8b',
        resolvedModel: 'llama3.1:8b',
      },
    )
    expect(detail).toBe(
      'Unexpected status 502 from http://redacted:redacted@localhost:11434/v1/models?token=redacted&mode=test. Body: bad gateway',
    )
  })
  test('adds alias/entitlement hint for codex model support 400s', () => {
    const detail = formatReachabilityFailureDetail(
      'https://chatgpt.com/backend-api/codex/responses',
--- a/scripts/system-check.ts
+++ b/scripts/system-check.ts
@@ -7,6 +7,11 @@ import {
  resolveProviderRequest,
  isLocalProviderUrl as isProviderLocalUrl,
 } from '../src/services/api/providerConfig.js'
 import {
  getLocalOpenAICompatibleProviderLabel,
  probeOllamaGenerationReadiness,
 } from '../src/utils/providerDiscovery.js'
 import { redactUrlForDisplay } from '../src/utils/urlRedaction.js'
 type CheckResult = {
  ok: boolean
@@ -69,7 +74,7 @@ export function formatReachabilityFailureDetail(
  },
 ): string {
  const compactBody = responseBody.trim().replace(/\s+/g, ' ').slice(0, 240)
-  const base = `Unexpected status ${status} from ${endpoint}.`
+  const base = `Unexpected status ${status} from ${redactUrlForDisplay(endpoint)}.`
  const bodySuffix = compactBody ? ` Body: ${compactBody}` : ''
  if (request.transport !== 'codex_responses' || status !== 400) {
@@ -255,7 +260,7 @@ function checkOpenAIEnv(): CheckResult[] {
    results.push(pass('OPENAI_MODEL', process.env.OPENAI_MODEL))
  }
-  results.push(pass('OPENAI_BASE_URL', request.baseUrl))
+  results.push(pass('OPENAI_BASE_URL', redactUrlForDisplay(request.baseUrl)))
  if (request.transport === 'codex_responses') {
    const credentials = resolveCodexApiCredentials(process.env)
@@ -308,7 +313,7 @@ async function checkBaseUrlReachability(): Promise<CheckResult> {
    return pass('Provider reachability', 'Skipped (OpenAI-compatible mode disabled).')
  }
-  if (useGithub) {
+  if (useGithub && !useOpenAI) {
    return pass(
      'Provider reachability',
      'Skipped for GitHub Models (inference endpoint differs from OpenAI /models probe).',
@@ -326,6 +331,7 @@ async function checkBaseUrlReachability(): Promise<CheckResult> {
  const endpoint = request.transport === 'codex_responses'
    ? `${request.baseUrl}/responses`
    : `${request.baseUrl}/models`
  const redactedEndpoint = redactUrlForDisplay(endpoint)
  const controller = new AbortController()
  const timeout = setTimeout(() => controller.abort(), 4000)
@@ -375,7 +381,10 @@ async function checkBaseUrlReachability(): Promise<CheckResult> {
    })
    if (response.status === 200 || response.status === 401 || response.status === 403) {
-      return pass('Provider reachability', `Reached ${endpoint} (status ${response.status}).`)
+      return pass(
        'Provider reachability',
        `Reached ${redactedEndpoint} (status ${response.status}).`,
      )
    }
    const responseBody = await response.text().catch(() => '')
@@ -391,12 +400,100 @@ async function checkBaseUrlReachability(): Promise<CheckResult> {
    )
  } catch (error) {
    const message = error instanceof Error ? error.message : String(error)
-    return fail('Provider reachability', `Failed to reach ${endpoint}: ${message}`)
+    return fail(
      'Provider reachability',
      `Failed to reach ${redactedEndpoint}: ${message}`,
    )
  } finally {
    clearTimeout(timeout)
  }
 }
 async function checkProviderGenerationReadiness(): Promise<CheckResult> {
  const useGemini = isTruthy(process.env.CLAUDE_CODE_USE_GEMINI)
  const useOpenAI = isTruthy(process.env.CLAUDE_CODE_USE_OPENAI)
  const useGithub = isTruthy(process.env.CLAUDE_CODE_USE_GITHUB)
  const useMistral = isTruthy(process.env.CLAUDE_CODE_USE_MISTRAL)
  if (!useGemini && !useOpenAI && !useGithub && !useMistral) {
    return pass('Provider generation readiness', 'Skipped (OpenAI-compatible mode disabled).')
  }
  if (useGithub && !useOpenAI) {
    return pass(
      'Provider generation readiness',
      'Skipped for GitHub Models (runtime generation uses a different endpoint flow).',
    )
  }
  if (useGemini || useMistral) {
    return pass(
      'Provider generation readiness',
      'Skipped for managed provider mode.',
    )
  }
  if (!useOpenAI) {
    return pass('Provider generation readiness', 'Skipped (OpenAI-compatible mode disabled).')
  }
  const request = resolveProviderRequest({
    model: process.env.OPENAI_MODEL,
    baseUrl: process.env.OPENAI_BASE_URL,
  })
  if (request.transport === 'codex_responses') {
    return pass(
      'Provider generation readiness',
      'Skipped for Codex responses (reachability probe already performs a lightweight generation request).',
    )
  }
  if (!isLocalBaseUrl(request.baseUrl)) {
    return pass('Provider generation readiness', 'Skipped for non-local provider URL.')
  }
  const localProviderLabel = getLocalOpenAICompatibleProviderLabel(request.baseUrl)
  if (localProviderLabel !== 'Ollama') {
    return pass(
      'Provider generation readiness',
      `Skipped for ${localProviderLabel} (no provider-specific generation probe).`,
    )
  }
  const readiness = await probeOllamaGenerationReadiness({
    baseUrl: request.baseUrl,
    model: request.requestedModel,
  })
  if (readiness.state === 'ready') {
    return pass(
      'Provider generation readiness',
      `Generated a test response with ${readiness.probeModel ?? request.requestedModel}.`,
    )
  }
  if (readiness.state === 'unreachable') {
    return fail(
      'Provider generation readiness',
      `Could not reach Ollama at ${redactUrlForDisplay(request.baseUrl)}.`,
    )
  }
  if (readiness.state === 'no_models') {
    return fail(
      'Provider generation readiness',
      'Ollama is reachable, but no installed models were found. Pull a model first (for example: ollama pull qwen2.5-coder:7b).',
    )
  }
  const detailSuffix = readiness.detail ? ` Detail: ${readiness.detail}.` : ''
  return fail(
    'Provider generation readiness',
    `Ollama is reachable, but generation failed for ${readiness.probeModel ?? request.requestedModel}.${detailSuffix}`,
  )
 }
 function isAtomicChatUrl(baseUrl: string): boolean {
  try {
    const parsed = new URL(baseUrl)
@@ -567,6 +664,7 @@ async function main(): Promise<void> {
  results.push(checkBuildArtifacts())
  results.push(...checkOpenAIEnv())
  results.push(await checkBaseUrlReachability())
  results.push(await checkProviderGenerationReadiness())
  results.push(checkOllamaProcessorMode())
  if (!options.json) {
--- a/src/tests/security-hardening.test.ts
+++ b/src/tests/security-hardening.test.ts
@@ -0,0 +1,191 @@
 /**
 * Security hardening regression tests.
 *
 * Covers:
 * 1. MCP tool result Unicode sanitization
 * 2. Sandbox settings source filtering (exclude projectSettings)
 * 3. Plugin git clone/pull hooks disabled
 * 4. ANTHROPIC_FOUNDRY_API_KEY removed from SAFE_ENV_VARS
 * 5. WebFetch SSRF protection via ssrfGuardedLookup
 */
 import { describe, test, expect } from 'bun:test'
 import { resolve } from 'path'
 const SRC = resolve(import.meta.dir, '..')
 const file = (relative: string) => Bun.file(resolve(SRC, relative))
 // ---------------------------------------------------------------------------
 // Fix 1: MCP tool result Unicode sanitization
 // ---------------------------------------------------------------------------
 describe('MCP tool result sanitization', () => {
  test('transformResultContent sanitizes text content', async () => {
    const content = await file('services/mcp/client.ts').text()
    // Tool definitions are already sanitized (line ~1798)
    expect(content).toContain('recursivelySanitizeUnicode(result.tools)')
    // Tool results must also be sanitized
    expect(content).toMatch(
      /case 'text':[\s\S]*?recursivelySanitizeUnicode\(resultContent\.text\)/,
    )
  })
  test('resource text content is also sanitized', async () => {
    const content = await file('services/mcp/client.ts').text()
    expect(content).toMatch(
      /recursivelySanitizeUnicode\(\s*`\$\{prefix\}\$\{resource\.text\}`/,
    )
  })
 })
 // ---------------------------------------------------------------------------
 // Fix 2: Sandbox settings source filtering
 // ---------------------------------------------------------------------------
 describe('Sandbox settings trust boundary', () => {
  test('getSandboxEnabledSetting does not use getSettings_DEPRECATED', async () => {
    const content = await file('utils/sandbox/sandbox-adapter.ts').text()
    // Extract the getSandboxEnabledSetting function body
    const fnMatch = content.match(
      /function getSandboxEnabledSetting\(\)[^{]*\{([\s\S]*?)\n\}/,
    )
    expect(fnMatch).not.toBeNull()
    const fnBody = fnMatch![1]
    // Must NOT use getSettings_DEPRECATED (reads all sources including project)
    expect(fnBody).not.toContain('getSettings_DEPRECATED')
    // Must use getSettingsForSource for individual trusted sources
    expect(fnBody).toContain("getSettingsForSource('userSettings')")
    expect(fnBody).toContain("getSettingsForSource('policySettings')")
    // Must NOT read from projectSettings
    expect(fnBody).not.toContain("'projectSettings'")
  })
 })
 // ---------------------------------------------------------------------------
 // Fix 3: Plugin git hooks disabled
 // ---------------------------------------------------------------------------
 describe('Plugin git operations disable hooks', () => {
  test('gitClone includes core.hooksPath=/dev/null', async () => {
    const content = await file('utils/plugins/marketplaceManager.ts').text()
    // The clone args must disable hooks
    const cloneSection = content.slice(
      content.indexOf('export async function gitClone('),
      content.indexOf('export async function gitClone(') + 2000,
    )
    expect(cloneSection).toContain("'core.hooksPath=/dev/null'")
  })
  test('gitPull includes core.hooksPath=/dev/null', async () => {
    const content = await file('utils/plugins/marketplaceManager.ts').text()
    const pullSection = content.slice(
      content.indexOf('export async function gitPull('),
      content.indexOf('export async function gitPull(') + 2000,
    )
    expect(pullSection).toContain("'core.hooksPath=/dev/null'")
  })
  test('gitSubmoduleUpdate includes core.hooksPath=/dev/null', async () => {
    const content = await file('utils/plugins/marketplaceManager.ts').text()
    const subSection = content.slice(
      content.indexOf('async function gitSubmoduleUpdate('),
      content.indexOf('async function gitSubmoduleUpdate(') + 1000,
    )
    expect(subSection).toContain("'core.hooksPath=/dev/null'")
  })
 })
 // ---------------------------------------------------------------------------
 // Fix 4: ANTHROPIC_FOUNDRY_API_KEY not in SAFE_ENV_VARS
 // ---------------------------------------------------------------------------
 describe('SAFE_ENV_VARS excludes credentials', () => {
  test('ANTHROPIC_FOUNDRY_API_KEY is not in SAFE_ENV_VARS', async () => {
    const content = await file('utils/managedEnvConstants.ts').text()
    // Extract the SAFE_ENV_VARS set definition
    const safeStart = content.indexOf('export const SAFE_ENV_VARS')
    const safeEnd = content.indexOf('])', safeStart)
    const safeSection = content.slice(safeStart, safeEnd)
    expect(safeSection).not.toContain('ANTHROPIC_FOUNDRY_API_KEY')
  })
 })
 // ---------------------------------------------------------------------------
 // Fix 5: WebFetch SSRF protection
 // ---------------------------------------------------------------------------
 describe('WebFetch SSRF guard', () => {
  test('getWithPermittedRedirects uses ssrfGuardedLookup', async () => {
    const content = await file('tools/WebFetchTool/utils.ts').text()
    expect(content).toContain(
      "import { ssrfGuardedLookup } from '../../utils/hooks/ssrfGuard.js'",
    )
    // The axios.get call in getWithPermittedRedirects must include lookup
    const fnSection = content.slice(
      content.indexOf('export async function getWithPermittedRedirects('),
      content.indexOf('export async function getWithPermittedRedirects(') +
        1000,
    )
    expect(fnSection).toContain('lookup: ssrfGuardedLookup')
  })
 })
 // ---------------------------------------------------------------------------
 // Fix 6: Swarm permission file polling removed (security hardening)
 // ---------------------------------------------------------------------------
 describe('Swarm permission file polling removed', () => {
  test('useSwarmPermissionPoller hook no longer exists', async () => {
    const content = await file(
      'hooks/useSwarmPermissionPoller.ts',
    ).text()
    // The file-based polling hook must not exist — it read from an
    // unauthenticated resolved/ directory where any local process could
    // forge approval files.
    expect(content).not.toContain('function useSwarmPermissionPoller(')
    // The file-based processResponse must not exist
    expect(content).not.toContain('function processResponse(')
  })
  test('poller does not import from permissionSync', async () => {
    const content = await file(
      'hooks/useSwarmPermissionPoller.ts',
    ).text()
    // Must not import anything from permissionSync — all file-based
    // functions have been removed from this module's dependencies
    expect(content).not.toContain('permissionSync')
  })
  test('file-based permission functions are marked deprecated', async () => {
    const content = await file(
      'utils/swarm/permissionSync.ts',
    ).text()
    // All file-based functions must have @deprecated JSDoc
    const deprecatedFns = [
      'writePermissionRequest',
      'readPendingPermissions',
      'readResolvedPermission',
      'resolvePermission',
      'pollForResponse',
      'removeWorkerResponse',
    ]
    for (const fn of deprecatedFns) {
      // Find the function and check that @deprecated appears before it
      const fnIndex = content.indexOf(`export async function ${fn}(`)
      if (fnIndex === -1) continue // submitPermissionRequest is a const, not async function
      const preceding = content.slice(Math.max(0, fnIndex - 500), fnIndex)
      expect(preceding).toContain('@deprecated')
    }
  })
  test('mailbox-based functions are NOT deprecated', async () => {
    const content = await file(
      'utils/swarm/permissionSync.ts',
    ).text()
    // These are the active path — must not be deprecated
    const activeFns = [
      'sendPermissionRequestViaMailbox',
      'sendPermissionResponseViaMailbox',
    ]
    for (const fn of activeFns) {
      const fnIndex = content.indexOf(`export async function ${fn}(`)
      expect(fnIndex).not.toBe(-1)
      const preceding = content.slice(Math.max(0, fnIndex - 300), fnIndex)
      expect(preceding).not.toContain('@deprecated')
    }
  })
 })
--- a/src/commands.test.ts
+++ b/src/commands.test.ts
@@ -0,0 +1,30 @@
 import { formatDescriptionWithSource } from './commands.js'
 describe('formatDescriptionWithSource', () => {
  test('returns empty text for prompt commands missing a description', () => {
    const command = {
      name: 'example',
      type: 'prompt',
      source: 'builtin',
      description: undefined,
    } as any
    expect(formatDescriptionWithSource(command)).toBe('')
  })
  test('formats plugin commands with missing description safely', () => {
    const command = {
      name: 'example',
      type: 'prompt',
      source: 'plugin',
      description: undefined,
      pluginInfo: {
        pluginManifest: {
          name: 'MyPlugin',
        },
      },
    } as any
    expect(formatDescriptionWithSource(command)).toBe('(MyPlugin) ')
  })
 })
--- a/src/commands.ts
+++ b/src/commands.ts
@@ -740,23 +740,23 @@ export function getCommand(commandName: string, commands: Command[]): Command {
 */
 export function formatDescriptionWithSource(cmd: Command): string {
  if (cmd.type !== 'prompt') {
-    return cmd.description
+    return cmd.description ?? ''
  }
  if (cmd.kind === 'workflow') {
-    return `${cmd.description} (workflow)`
+    return `${cmd.description ?? ''} (workflow)`
  }
  if (cmd.source === 'plugin') {
    const pluginName = cmd.pluginInfo?.pluginManifest.name
    if (pluginName) {
-      return `(${pluginName}) ${cmd.description}`
+      return `(${pluginName}) ${cmd.description ?? ''}`
    }
-    return `${cmd.description} (plugin)`
+    return `${cmd.description ?? ''} (plugin)`
  }
  if (cmd.source === 'builtin' || cmd.source === 'mcp') {
-    return cmd.description
+    return cmd.description ?? ''
  }
  if (cmd.source === 'bundled') {
--- a/src/commands/provider/provider.test.tsx
+++ b/src/commands/provider/provider.test.tsx
@@ -401,7 +401,7 @@ test('buildCodexProfileEnv derives oauth source from secure storage when no expl
  })
 })
-test('applySavedProfileToCurrentSession switches the current env to the saved Codex profile', async () => {
+test('explicitly declared env takes precedence over applySavedProfileToCurrentSession', async () => {
  // @ts-expect-error cache-busting query string for Bun module mocks
  const { applySavedProfileToCurrentSession } = await import(
    '../../utils/providerProfile.js?apply-saved-profile-codex'
@@ -430,18 +430,18 @@ test('applySavedProfileToCurrentSession switches the current env to the saved Co
  expect(warning).toBeNull()
  expect(processEnv.CLAUDE_CODE_USE_OPENAI).toBe('1')
-  expect(processEnv.OPENAI_MODEL).toBe('codexplan')
+  expect(processEnv.OPENAI_MODEL).toBe('gpt-4o')
  expect(processEnv.OPENAI_BASE_URL).toBe(
-    'https://chatgpt.com/backend-api/codex',
+    "https://api.openai.com/v1",
  )
-  expect(processEnv.CODEX_API_KEY).toBe('codex-live')
+  expect(processEnv.CODEX_API_KEY).toBeUndefined()
-  expect(processEnv.CHATGPT_ACCOUNT_ID).toBe('acct_codex')
+  expect(processEnv.CHATGPT_ACCOUNT_ID).toBeUndefined()
-  expect(processEnv.OPENAI_API_KEY).toBeUndefined()
+  expect(processEnv.OPENAI_API_KEY).toBe("sk-openai")
  expect(processEnv.CLAUDE_CODE_PROVIDER_PROFILE_ENV_APPLIED).toBeUndefined()
  expect(processEnv.CLAUDE_CODE_PROVIDER_PROFILE_ENV_APPLIED_ID).toBeUndefined()
 })
-test('applySavedProfileToCurrentSession ignores stale Codex env overrides for OAuth-backed profiles', async () => {
+test('explicitly declared env takes precedence over applySavedProfileToCurrentSession', async () => {
  // @ts-expect-error cache-busting query string for Bun module mocks
  const { applySavedProfileToCurrentSession } = await import(
    '../../utils/providerProfile.js?apply-saved-profile-codex-oauth'
@@ -465,13 +465,13 @@ test('applySavedProfileToCurrentSession ignores stale Codex env overrides for OA
    processEnv,
  })
-  expect(warning).toBeNull()
+  expect(warning).not.toBeUndefined()
-  expect(processEnv.OPENAI_MODEL).toBe('codexplan')
+  expect(processEnv.OPENAI_MODEL).toBe('gpt-4o')
  expect(processEnv.OPENAI_BASE_URL).toBe(
-    'https://chatgpt.com/backend-api/codex',
+    "https://api.openai.com/v1",
  )
-  expect(processEnv.CODEX_API_KEY).toBeUndefined()
+  expect(processEnv.CODEX_API_KEY).toBe("stale-codex-key")
-  expect(processEnv.CHATGPT_ACCOUNT_ID).not.toBe('acct_stale')
+  expect(processEnv.CHATGPT_ACCOUNT_ID).toBe('acct_stale')
  expect(processEnv.CHATGPT_ACCOUNT_ID).toBeTruthy()
 })
@@ -487,8 +487,8 @@ test('buildCurrentProviderSummary redacts poisoned model and endpoint values', (
  })
  expect(summary.providerLabel).toBe('OpenAI-compatible')
-  expect(summary.modelLabel).toBe('sk-...5678')
+  expect(summary.modelLabel).toBe('sk-...678')
-  expect(summary.endpointLabel).toBe('sk-...5678')
+  expect(summary.endpointLabel).toBe('sk-...678')
 })
 test('buildCurrentProviderSummary labels generic local openai-compatible providers', () => {
--- a/src/commands/provider/provider.tsx
+++ b/src/commands/provider/provider.tsx
@@ -66,10 +66,44 @@ import {
 import {
  getOllamaChatBaseUrl,
  getLocalOpenAICompatibleProviderLabel,
-  hasLocalOllama,
+  probeOllamaGenerationReadiness,
-  listOllamaModels,
+  type OllamaGenerationReadiness,
 } from '../../utils/providerDiscovery.js'
 function describeOllamaReadinessIssue(
  readiness: OllamaGenerationReadiness,
  options?: {
    baseUrl?: string
    allowManualFallback?: boolean
  },
 ): string {
  const endpoint = options?.baseUrl ?? 'http://localhost:11434'
  if (readiness.state === 'unreachable') {
    return `Could not reach Ollama at ${endpoint}. Start Ollama first, then run /provider again.`
  }
  if (readiness.state === 'no_models') {
    const manualSuffix = options?.allowManualFallback
      ? ', or enter details manually'
      : ''
    return `Ollama is running, but no installed models were found. Pull a chat model such as qwen2.5-coder:7b or llama3.1:8b first${manualSuffix}.`
  }
  if (readiness.state === 'generation_failed') {
    const modelHint = readiness.probeModel ?? 'the selected model'
    const detailSuffix = readiness.detail
      ? ` Details: ${readiness.detail}.`
      : ''
    const manualSuffix = options?.allowManualFallback
      ? ' You can also enter details manually.'
      : ''
    return `Ollama is reachable and models are installed, but a generation probe failed for ${modelHint}.${detailSuffix} Run "ollama run ${modelHint}" once and retry.${manualSuffix}`
  }
  return ''
 }
 type ProviderChoice = 'auto' | ProviderProfile | 'codex-oauth' | 'clear'
 type Step =
@@ -715,6 +749,7 @@ function AutoRecommendationStep({
    | {
        state: 'openai'
        defaultModel: string
        reason: string
      }
    | {
        state: 'error'
@@ -728,19 +763,27 @@ function AutoRecommendationStep({
    void (async () => {
      const defaultModel = getGoalDefaultOpenAIModel(goal)
      try {
-        const ollamaAvailable = await hasLocalOllama()
+        const readiness = await probeOllamaGenerationReadiness()
-        if (!ollamaAvailable) {
+        if (readiness.state !== 'ready') {
          if (!cancelled) {
-            setStatus({ state: 'openai', defaultModel })
+            setStatus({
              state: 'openai',
              defaultModel,
              reason: describeOllamaReadinessIssue(readiness),
            })
          }
          return
        }
-        const models = await listOllamaModels()
+        const recommended = recommendOllamaModel(readiness.models, goal)
        const recommended = recommendOllamaModel(models, goal)
        if (!recommended) {
          if (!cancelled) {
-            setStatus({ state: 'openai', defaultModel })
+            setStatus({
              state: 'openai',
              defaultModel,
              reason:
                'Ollama responded to a generation probe, but no recommended chat model matched this goal.',
            })
          }
          return
        }
@@ -796,10 +839,10 @@ function AutoRecommendationStep({
      <Dialog title="Auto setup fallback" onCancel={onCancel}>
        <Box flexDirection="column" gap={1}>
          <Text>
-            No viable local Ollama chat model was detected. Auto setup can
+            Auto setup can continue into OpenAI-compatible setup with a default model of{' '}
            continue into OpenAI-compatible setup with a default model of{' '}
            {status.defaultModel}.
          </Text>
          <Text dimColor>{status.reason}</Text>
          <Select
            options={[
              { label: 'Continue to OpenAI-compatible setup', value: 'continue' },
@@ -883,32 +926,19 @@ function OllamaModelStep({
    let cancelled = false
    void (async () => {
-      const available = await hasLocalOllama()
+      const readiness = await probeOllamaGenerationReadiness()
-      if (!available) {
+      if (readiness.state !== 'ready') {
        if (!cancelled) {
          setStatus({
            state: 'unavailable',
-            message:
+            message: describeOllamaReadinessIssue(readiness),
              'Could not reach Ollama at http://localhost:11434. Start Ollama first, then run /provider again.',
          })
        }
        return
      }
-      const models = await listOllamaModels()
+      const ranked = rankOllamaModels(readiness.models, 'balanced')
-      if (models.length === 0) {
+      const recommended = recommendOllamaModel(readiness.models, 'balanced')
        if (!cancelled) {
          setStatus({
            state: 'unavailable',
            message:
              'Ollama is running, but no installed models were found. Pull a chat model such as qwen2.5-coder:7b or llama3.1:8b first.',
          })
        }
        return
      }
      const ranked = rankOllamaModels(models, 'balanced')
      const recommended = recommendOllamaModel(models, 'balanced')
      if (!cancelled) {
        setStatus({
          state: 'ready',
--- a/src/components/ProviderManager.test.tsx
+++ b/src/components/ProviderManager.test.tsx
@@ -149,17 +149,21 @@ function mockProviderManagerDependencies(
    applySavedProfileToCurrentSession?: (...args: unknown[]) => Promise<string | null>
    clearCodexCredentials?: () => { success: boolean; warning?: string }
    getProviderProfiles?: () => unknown[]
-    hasLocalOllama?: () => Promise<boolean>
+    probeOllamaGenerationReadiness?: () => Promise<{
-    listOllamaModels?: () => Promise<
+      state: 'ready' | 'unreachable' | 'no_models' | 'generation_failed'
-      Array<{
+      models: Array<
-        name: string
+        {
-        sizeBytes?: number | null
+          name: string
-        family?: string | null
+          sizeBytes?: number | null
-        families?: string[]
+          family?: string | null
-        parameterSize?: string | null
+          families?: string[]
-        quantizationLevel?: string | null
+          parameterSize?: string | null
-      }>
+          quantizationLevel?: string | null
-    >
+        }
      >
      probeModel?: string
      detail?: string
    }>
    codexSyncRead?: () => unknown
    codexAsyncRead?: () => Promise<unknown>
    updateProviderProfile?: (...args: unknown[]) => unknown
@@ -189,8 +193,12 @@ function mockProviderManagerDependencies(
  })
  mock.module('../utils/providerDiscovery.js', () => ({
-    hasLocalOllama: options?.hasLocalOllama ?? (async () => false),
+    probeOllamaGenerationReadiness:
-    listOllamaModels: options?.listOllamaModels ?? (async () => []),
+      options?.probeOllamaGenerationReadiness ??
      (async () => ({
        state: 'unreachable' as const,
        models: [],
      })),
  }))
  mock.module('../utils/githubModelsCredentials.js', () => ({
@@ -455,19 +463,22 @@ test('ProviderManager first-run Ollama preset auto-detects installed models', as
    async () => undefined,
    {
      addProviderProfile,
-      hasLocalOllama: async () => true,
+      probeOllamaGenerationReadiness: async () => ({
-      listOllamaModels: async () => [
+        state: 'ready',
-        {
+        models: [
-          name: 'gemma4:31b-cloud',
+          {
-          family: 'gemma',
+            name: 'gemma4:31b-cloud',
-          parameterSize: '31b',
+            family: 'gemma',
-        },
+            parameterSize: '31b',
-        {
+          },
-          name: 'kimi-k2.5:cloud',
+          {
-          family: 'kimi',
+            name: 'kimi-k2.5:cloud',
-          parameterSize: '2.5b',
+            family: 'kimi',
-        },
+            parameterSize: '2.5b',
-      ],
+          },
        ],
        probeModel: 'gemma4:31b-cloud',
      }),
    },
  )
--- a/src/components/ProviderManager.tsx
+++ b/src/components/ProviderManager.tsx
@@ -3,6 +3,7 @@ import * as React from 'react'
 import { DEFAULT_CODEX_BASE_URL } from '../services/api/providerConfig.js'
 import { Box, Text } from '../ink.js'
 import { useKeybinding } from '../keybindings/useKeybinding.js'
 import { useSetAppState } from '../state/AppState.js'
 import type { ProviderProfile } from '../utils/config.js'
 import {
  clearCodexCredentials,
@@ -36,13 +37,14 @@ import {
  readGithubModelsTokenAsync,
 } from '../utils/githubModelsCredentials.js'
 import {
-  hasLocalOllama,
+  probeOllamaGenerationReadiness,
-  listOllamaModels,
+  type OllamaGenerationReadiness,
 } from '../utils/providerDiscovery.js'
 import {
  rankOllamaModels,
  recommendOllamaModel,
 } from '../utils/providerRecommendation.js'
 import { redactUrlForDisplay } from '../utils/urlRedaction.js'
 import { updateSettingsForSource } from '../utils/settings/settings.js'
 import {
  type OptionWithDescription,
@@ -51,7 +53,6 @@ import {
 import { Pane } from './design-system/Pane.js'
 import TextInput from './TextInput.js'
 import { useCodexOAuthFlow } from './useCodexOAuthFlow.js'
 import { useSetAppState } from '../state/AppState.js'
 export type ProviderManagerResult = {
  action: 'saved' | 'cancelled'
@@ -221,6 +222,29 @@ function getGithubProviderSummary(
  return `github-models · ${GITHUB_PROVIDER_DEFAULT_BASE_URL} · ${getGithubProviderModel(processEnv)} · ${credentialSummary}${activeSuffix}`
 }
 function describeOllamaSelectionIssue(
  readiness: OllamaGenerationReadiness,
  baseUrl: string,
 ): string {
  if (readiness.state === 'unreachable') {
    return `Could not reach Ollama at ${redactUrlForDisplay(baseUrl)}. Start Ollama first, or enter the endpoint manually.`
  }
  if (readiness.state === 'no_models') {
    return 'Ollama is running, but no installed models were found. Pull a chat model such as qwen2.5-coder:7b or llama3.1:8b first, or enter details manually.'
  }
  if (readiness.state === 'generation_failed') {
    const modelHint = readiness.probeModel ?? 'the selected model'
    const detailSuffix = readiness.detail
      ? ` Details: ${readiness.detail}.`
      : ''
    return `Ollama is reachable and models are installed, but a generation probe failed for ${modelHint}.${detailSuffix} Run "ollama run ${modelHint}" once and retry, or enter details manually.`
  }
  return ''
 }
 function findCodexOAuthProfile(
  profiles: ProviderProfile[],
  profileId?: string,
@@ -449,32 +473,21 @@ export function ProviderManager({ mode, onDone }: Props): React.ReactNode {
    setOllamaSelection({ state: 'loading' })
    void (async () => {
-      const available = await hasLocalOllama(draft.baseUrl)
+      const readiness = await probeOllamaGenerationReadiness({
-      if (!available) {
+        baseUrl: draft.baseUrl,
      })
      if (readiness.state !== 'ready') {
        if (!cancelled) {
          setOllamaSelection({
            state: 'unavailable',
-            message:
+            message: describeOllamaSelectionIssue(readiness, draft.baseUrl),
              'Could not reach Ollama. Start Ollama first, or enter the endpoint manually.',
          })
        }
        return
      }
-      const models = await listOllamaModels(draft.baseUrl)
+      const ranked = rankOllamaModels(readiness.models, 'balanced')
-      if (models.length === 0) {
+      const recommended = recommendOllamaModel(readiness.models, 'balanced')
        if (!cancelled) {
          setOllamaSelection({
            state: 'unavailable',
            message:
              'Ollama is running, but no installed models were found. Pull a chat model such as qwen2.5-coder:7b or llama3.1:8b first, or enter details manually.',
          })
        }
        return
      }
      const ranked = rankOllamaModels(models, 'balanced')
      const recommended = recommendOllamaModel(models, 'balanced')
      if (!cancelled) {
        setOllamaSelection({
          state: 'ready',
@@ -581,6 +594,11 @@ export function ProviderManager({ mode, onDone }: Props): React.ReactNode {
          return
        }
        setAppState(prev => ({
          ...prev,
          mainLoopModel: GITHUB_PROVIDER_DEFAULT_MODEL,
          mainLoopModelForSession: null,
        }))
        refreshProfiles()
        setAppState(prev => ({
          ...prev,
@@ -609,6 +627,11 @@ export function ProviderManager({ mode, onDone }: Props): React.ReactNode {
      }))
      providerLabel = active.name
      setAppState(prev => ({
        ...prev,
        mainLoopModel: active.model,
        mainLoopModelForSession: null,
      }))
      const settingsOverrideError =
        clearStartupProviderOverrideFromUserSettings()
      const isActiveCodexOAuth = isCodexOAuthProfile(
@@ -801,6 +824,13 @@ export function ProviderManager({ mode, onDone }: Props): React.ReactNode {
    }
    const isActiveSavedProfile = getActiveProviderProfile()?.id === saved.id
    if (isActiveSavedProfile) {
      setAppState(prev => ({
        ...prev,
        mainLoopModel: saved.model,
        mainLoopModelForSession: null,
      }))
    }
    const settingsOverrideError = isActiveSavedProfile
      ? clearStartupProviderOverrideFromUserSettings()
      : null
@@ -1132,6 +1162,7 @@ export function ProviderManager({ mode, onDone }: Props): React.ReactNode {
            focus={true}
            showCursor={true}
            placeholder={`${currentStep.placeholder}${figures.ellipsis}`}
            mask={currentStepKey === 'apiKey' ? '*' : undefined}
            columns={80}
            cursorOffset={cursorOffset}
            onChangeCursorOffset={setCursorOffset}
--- a/src/components/TextInput.test.tsx
+++ b/src/components/TextInput.test.tsx
@@ -6,6 +6,7 @@ import stripAnsi from 'strip-ansi'
 import { createRoot } from '../ink.js'
 import { AppStateProvider } from '../state/AppState.js'
 import { maskTextWithVisibleEdges } from '../utils/Cursor.js'
 import TextInput from './TextInput.js'
 import VimTextInput from './VimTextInput.js'
@@ -199,6 +200,13 @@ test('TextInput renders typed characters before delayed parent value commits', a
  expect(output).not.toContain('Type here...')
 })
 test('maskTextWithVisibleEdges preserves only the first and last three chars', () => {
  expect(maskTextWithVisibleEdges('sk-secret-12345678', '*')).toBe(
    'sk-************678',
  )
  expect(maskTextWithVisibleEdges('abcdef', '*')).toBe('******')
 })
 test('VimTextInput preserves rapid typed characters before delayed parent value commits', async () => {
  const { stdout, stdin, getOutput } = createTestStreams()
  const root = await createRoot({
--- a/src/components/memory/memoryFileSelectorPaths.test.ts
+++ b/src/components/memory/memoryFileSelectorPaths.test.ts
@@ -53,17 +53,20 @@ describe('getProjectMemoryPathForSelector', () => {
  })
  test('defaults to a new AGENTS.md in the current cwd when no project file is loaded', () => {
-    expect(getProjectMemoryPathForSelector([], '/repo/packages/app')).toBe(
+    const cwd = join('/repo', 'packages', 'app')
-      '/repo/packages/app/AGENTS.md',
+    expect(getProjectMemoryPathForSelector([], cwd)).toBe(
      join(cwd, 'AGENTS.md'),
    )
  })
  test('ignores loaded project instruction files outside the current cwd ancestry', () => {
    const outsideRepoPath = join('/other-worktree', 'AGENTS.md')
    const cwd = join('/repo', 'packages', 'app')
    expect(
      getProjectMemoryPathForSelector(
-        [projectFile('/other-worktree/AGENTS.md')],
+        [projectFile(outsideRepoPath)],
-        '/repo/packages/app',
+        cwd,
      ),
-    ).toBe('/repo/packages/app/AGENTS.md')
+    ).toBe(join(cwd, 'AGENTS.md'))
  })
 })
--- a/src/entrypoints/cli.tsx
+++ b/src/entrypoints/cli.tsx
@@ -5,7 +5,7 @@ import {
 } from '../utils/providerProfile.js'
 import {
  getProviderValidationError,
-  validateProviderEnvOrExit,
+  validateProviderEnvForStartupOrExit,
 } from '../utils/providerValidation.js'
 // OpenClaude: polyfill globalThis.File for Node < 20.
@@ -132,7 +132,7 @@ async function main(): Promise<void> {
    hydrateGithubModelsTokenFromSecureStorage()
  }
-  await validateProviderEnvOrExit()
+  await validateProviderEnvForStartupOrExit()
  // Print the gradient startup screen before the Ink UI loads
  const { printStartupScreen } = await import('../components/StartupScreen.js')
--- a/src/entrypoints/sandboxTypes.ts
+++ b/src/entrypoints/sandboxTypes.ts
@@ -114,8 +114,8 @@ export const SandboxSettingsSchema = lazySchema(() =>
        .boolean()
        .optional()
        .describe(
-          'Allow commands to run outside the sandbox via the dangerouslyDisableSandbox parameter. ' +
+          'Allow trusted, user-initiated commands to run outside the sandbox. ' +
-            'When false, the dangerouslyDisableSandbox parameter is completely ignored and all commands must run sandboxed. ' +
+            'When false, sandbox override requests are ignored and all commands must run sandboxed. ' +
            'Default: true.',
        ),
      network: SandboxNetworkConfigSchema(),
--- a/src/hooks/useOfficialMarketplaceNotification.tsx
+++ b/src/hooks/useOfficialMarketplaceNotification.tsx
@@ -19,7 +19,7 @@ async function _temp() {
    logForDebugging("Showing marketplace config save failure notification");
    notifs.push({
      key: "marketplace-config-save-failed",
-      jsx: <Text color="error">Failed to save marketplace retry info · Check ~/.claude.json permissions</Text>,
+      jsx: <Text color="error">Failed to save marketplace retry info · Check ~/.openclaude.json permissions</Text>,
      priority: "immediate",
      timeoutMs: 10000
    });
--- a/src/hooks/useSwarmPermissionPoller.ts
+++ b/src/hooks/useSwarmPermissionPoller.ts
@@ -1,34 +1,23 @@
 /**
- * Swarm Permission Poller Hook
+ * Swarm Permission Callback Registry
 *
- * This hook polls for permission responses from the team leader when running
+ * Manages callback registrations for permission requests and responses
- * as a worker agent in a swarm. When a response is received, it calls the
+ * in agent swarms. Responses are delivered exclusively via the mailbox
- * appropriate callback (onAllow/onReject) to continue execution.
+ * system (useInboxPoller → processMailboxPermissionResponse).
 *
- * This hook should be used in conjunction with the worker-side integration
+ * The legacy file-based polling (resolved/ directory) has been removed
- * in useCanUseTool.ts, which creates pending requests that this hook monitors.
+ * because it created an unauthenticated attack surface — any local process
 * could forge approval files. The mailbox path is the sole active channel.
 */
 import { useCallback, useEffect, useRef } from 'react'
 import { useInterval } from 'usehooks-ts'
 import { logForDebugging } from '../utils/debug.js'
 import { errorMessage } from '../utils/errors.js'
 import {
  type PermissionUpdate,
  permissionUpdateSchema,
 } from '../utils/permissions/PermissionUpdateSchema.js'
 import {
  isSwarmWorker,
  type PermissionResponse,
  pollForResponse,
  removeWorkerResponse,
 } from '../utils/swarm/permissionSync.js'
 import { getAgentName, getTeamName } from '../utils/teammate.js'
 const POLL_INTERVAL_MS = 500
 /**
- * Validate permissionUpdates from external sources (mailbox IPC, disk polling).
+ * Validate permissionUpdates from external sources (mailbox IPC).
 * Malformed entries from buggy/old teammate processes are filtered out rather
 * than propagated unchecked into callback.onAllow().
 */
@@ -225,106 +214,9 @@ export function processSandboxPermissionResponse(params: {
  return true
 }
-/**
+// Legacy file-based polling (useSwarmPermissionPoller, processResponse)
- * Process a permission response by invoking the registered callback
+// has been removed. Permission responses are now delivered exclusively
- */
+// via the mailbox system:
-function processResponse(response: PermissionResponse): boolean {
+//   Leader: sendPermissionResponseViaMailbox() → writeToMailbox()
-  const callback = pendingCallbacks.get(response.requestId)
+//   Worker: useInboxPoller → processMailboxPermissionResponse()
-
+// See: fix(security) — remove unauthenticated file-based permission channel
  if (!callback) {
    logForDebugging(
      `[SwarmPermissionPoller] No callback registered for request ${response.requestId}`,
    )
    return false
  }
  logForDebugging(
    `[SwarmPermissionPoller] Processing response for request ${response.requestId}: ${response.decision}`,
  )
  // Remove from registry before invoking callback
  pendingCallbacks.delete(response.requestId)
  if (response.decision === 'approved') {
    const permissionUpdates = parsePermissionUpdates(response.permissionUpdates)
    const updatedInput = response.updatedInput
    callback.onAllow(updatedInput, permissionUpdates)
  } else {
    callback.onReject(response.feedback)
  }
  return true
 }
 /**
 * Hook that polls for permission responses when running as a swarm worker.
 *
 * This hook:
 * 1. Only activates when isSwarmWorker() returns true
 * 2. Polls every 500ms for responses
 * 3. When a response is found, invokes the registered callback
 * 4. Cleans up the response file after processing
 */
 export function useSwarmPermissionPoller(): void {
  const isProcessingRef = useRef(false)
  const poll = useCallback(async () => {
    // Don't poll if not a swarm worker
    if (!isSwarmWorker()) {
      return
    }
    // Prevent concurrent polling
    if (isProcessingRef.current) {
      return
    }
    // Don't poll if no callbacks are registered
    if (pendingCallbacks.size === 0) {
      return
    }
    isProcessingRef.current = true
    try {
      const agentName = getAgentName()
      const teamName = getTeamName()
      if (!agentName || !teamName) {
        return
      }
      // Check each pending request for a response
      for (const [requestId, _callback] of pendingCallbacks) {
        const response = await pollForResponse(requestId, agentName, teamName)
        if (response) {
          // Process the response
          const processed = processResponse(response)
          if (processed) {
            // Clean up the response from the worker's inbox
            await removeWorkerResponse(requestId, agentName, teamName)
          }
        }
      }
    } catch (error) {
      logForDebugging(
        `[SwarmPermissionPoller] Error during poll: ${errorMessage(error)}`,
      )
    } finally {
      isProcessingRef.current = false
    }
  }, [])
  // Only poll if we're a swarm worker
  const shouldPoll = isSwarmWorker()
  useInterval(() => void poll(), shouldPoll ? POLL_INTERVAL_MS : null)
  // Initial poll on mount
  useEffect(() => {
    if (isSwarmWorker()) {
      void poll()
    }
  }, [poll])
 }
--- a/src/ink/termio/osc.test.ts
+++ b/src/ink/termio/osc.test.ts
@@ -11,14 +11,16 @@ const execFileNoThrowMock = mock(
  async () => ({ code: 0, stdout: '', stderr: '' }),
 )
-mock.module('../../utils/execFileNoThrow.js', () => ({
+function installOscMocks(): void {
-  execFileNoThrow: execFileNoThrowMock,
+  mock.module('../../utils/execFileNoThrow.js', () => ({
-  execFileNoThrowWithCwd: execFileNoThrowMock,
+    execFileNoThrow: execFileNoThrowMock,
-}))
+    execFileNoThrowWithCwd: execFileNoThrowMock,
  }))
-mock.module('../../utils/tempfile.js', () => ({
+  mock.module('../../utils/tempfile.js', () => ({
-  generateTempFilePath: generateTempFilePathMock,
+    generateTempFilePath: generateTempFilePathMock,
-}))
+  }))
 }
 async function importFreshOscModule() {
  return import(`./osc.ts?ts=${Date.now()}-${Math.random()}`)
@@ -45,6 +47,7 @@ async function waitForExecCall(
 describe('Windows clipboard fallback', () => {
  beforeEach(() => {
    installOscMocks()
    execFileNoThrowMock.mockClear()
    generateTempFilePathMock.mockClear()
    process.env = { ...originalEnv }
@@ -62,14 +65,12 @@ describe('Windows clipboard fallback', () => {
    const { setClipboard } = await importFreshOscModule()
    await setClipboard('Привет мир')
-    await flushClipboardCopy()
+    const windowsCall = await waitForExecCall('powershell')
    expect(execFileNoThrowMock.mock.calls.some(([cmd]) => cmd === 'clip')).toBe(
      false,
    )
-    expect(
+    expect(windowsCall).toBeDefined()
      execFileNoThrowMock.mock.calls.some(([cmd]) => cmd === 'powershell'),
    ).toBe(true)
  })
  test('passes Windows clipboard text through a UTF-8 temp file instead of stdin', async () => {
@@ -97,6 +98,7 @@ describe('Windows clipboard fallback', () => {
 describe('clipboard path behavior remains stable', () => {
  beforeEach(() => {
    installOscMocks()
    execFileNoThrowMock.mockClear()
    process.env = { ...originalEnv }
    delete process.env['SSH_CONNECTION']
--- a/src/migrations/resetAutoModeOptInForDefaultOffer.ts
+++ b/src/migrations/resetAutoModeOptInForDefaultOffer.ts
@@ -12,7 +12,7 @@ import {
 * One-shot migration: clear skipAutoPermissionPrompt for users who accepted
 * the old 2-option AutoModeOptInDialog but don't have auto as their default.
 * Re-surfaces the dialog so they see the new "make it my default mode" option.
- * Guard lives in GlobalConfig (~/.claude.json), not settings.json, so it
+ * Guard lives in GlobalConfig (~/.openclaude.json), not settings.json, so it
 * survives settings resets and doesn't re-arm itself.
 *
 * Only runs when tengu_auto_mode_config.enabled === 'enabled'. For 'opt-in'
--- a/src/screens/REPL.tsx
+++ b/src/screens/REPL.tsx
@@ -3873,7 +3873,7 @@ export function REPL({
  // empty to non-empty, not on every length change -- otherwise a render loop
  // (concurrent onQuery thrashing, etc.) spams saveGlobalConfig, which hits
  // ELOCKED under concurrent sessions and falls back to unlocked writes.
-  // That write storm is the primary trigger for ~/.claude.json corruption
+  // That write storm is the primary trigger for ~/.openclaude.json corruption
  // (GH #3117).
  const hasCountedQueueUseRef = useRef(false);
  useEffect(() => {
--- a/src/services/analytics/growthbook.ts
+++ b/src/services/analytics/growthbook.ts
@@ -334,7 +334,7 @@ async function processRemoteEvalPayload(
  // Empty object is truthy — without the length check, `{features: {}}`
  // (transient server bug, truncated response) would pass, clear the maps
  // below, return true, and syncRemoteEvalToDisk would wholesale-write `{}`
-  // to disk: total flag blackout for every process sharing ~/.claude.json.
+  // to disk: total flag blackout for every process sharing ~/.openclaude.json.
  if (!payload?.features || Object.keys(payload.features).length === 0) {
    return false
  }
--- a/src/services/api/claude.ts
+++ b/src/services/api/claude.ts
@@ -23,6 +23,7 @@ import { randomUUID } from 'crypto'
 import {
  getAPIProvider,
  isFirstPartyAnthropicBaseUrl,
  isGithubNativeAnthropicMode,
 } from 'src/utils/model/providers.js'
 import {
  getAttributionHeader,
@@ -334,8 +335,13 @@ export function getPromptCachingEnabled(model: string): boolean {
  // Prompt caching is an Anthropic-specific feature. Third-party providers
  // do not understand cache_control blocks and strict backends (e.g. Azure
  // Foundry) reject or flag requests that contain them.
  //
  // Exception: when the GitHub provider is configured in native Anthropic API
  // mode (CLAUDE_CODE_GITHUB_ANTHROPIC_API=1), requests are sent in Anthropic
  // format, so cache_control blocks are supported.
  const provider = getAPIProvider()
-  if (provider !== 'firstParty' && provider !== 'bedrock' && provider !== 'vertex') {
+  const isNativeGithub = isGithubNativeAnthropicMode(model)
  if (provider !== 'firstParty' && provider !== 'bedrock' && provider !== 'vertex' && !isNativeGithub) {
    return false
  }
--- a/src/services/api/client.ts
+++ b/src/services/api/client.ts
@@ -14,6 +14,7 @@ import { getSmallFastModel } from 'src/utils/model/model.js'
 import {
  getAPIProvider,
  isFirstPartyAnthropicBaseUrl,
  isGithubNativeAnthropicMode,
 } from 'src/utils/model/providers.js'
 import { getProxyFetchOptions } from 'src/utils/proxy.js'
 import {
@@ -174,6 +175,25 @@ export async function getAnthropicClient({
      providerOverride,
    }) as unknown as Anthropic
  }
  // GitHub provider in native Anthropic API mode: send requests in Anthropic
  // format so cache_control blocks are honoured and prompt caching works.
  // Requires the GitHub endpoint (OPENAI_BASE_URL) to support Anthropic's
  // messages API — set CLAUDE_CODE_GITHUB_ANTHROPIC_API=1 to opt in.
  if (isGithubNativeAnthropicMode(model)) {
    const githubBaseUrl =
      process.env.OPENAI_BASE_URL?.replace(/\/$/, '') ??
      'https://api.githubcopilot.com'
    const githubToken =
      process.env.GITHUB_TOKEN ?? process.env.GH_TOKEN ?? ''
    const nativeArgs: ConstructorParameters<typeof Anthropic>[0] = {
      ...ARGS,
      baseURL: githubBaseUrl,
      authToken: githubToken,
      // No apiKey — we authenticate via Bearer token (authToken)
      apiKey: null,
    }
    return new Anthropic(nativeArgs)
  }
  if (
    isEnvTruthy(process.env.CLAUDE_CODE_USE_OPENAI) ||
    isEnvTruthy(process.env.CLAUDE_CODE_USE_GITHUB) ||
--- a/src/services/api/codexShim.test.ts
+++ b/src/services/api/codexShim.test.ts
@@ -547,7 +547,7 @@ describe('Codex request translation', () => {
    ])
  })
-  test('strips leaked reasoning preamble from completed Codex text responses', () => {
+  test('strips <think> tag block from completed Codex text responses', () => {
    const message = convertCodexResponseToAnthropicMessage(
      {
        id: 'resp_1',
@@ -560,7 +560,7 @@ describe('Codex request translation', () => {
              {
                type: 'output_text',
                text:
-                  'The user just said "hey" - a simple greeting. I should respond briefly and friendly.\n\nHey! How can I help you today?',
+                  '<think>user wants a greeting, respond briefly</think>Hey! How can I help you today?',
              },
            ],
          },
@@ -578,6 +578,37 @@ describe('Codex request translation', () => {
    ])
  })
  test('strips unterminated <think> tag at block boundary in Codex completed response', () => {
    const message = convertCodexResponseToAnthropicMessage(
      {
        id: 'resp_1',
        model: 'gpt-5.4',
        output: [
          {
            type: 'message',
            role: 'assistant',
            content: [
              {
                type: 'output_text',
                text:
                  'Here is the answer.\n<think>wait, let me reconsider the user request',
              },
            ],
          },
        ],
        usage: { input_tokens: 12, output_tokens: 4 },
      },
      'gpt-5.4',
    )
    expect(message.content).toEqual([
      {
        type: 'text',
        text: 'Here is the answer.',
      },
    ])
  })
  test('translates Codex SSE text stream into Anthropic events', async () => {
    const responseText = [
      'event: response.output_item.added',
@@ -609,7 +640,7 @@ describe('Codex request translation', () => {
    ])
  })
-  test('strips leaked reasoning preamble from Codex SSE text stream', async () => {
+  test('strips <think> tag block from Codex SSE text stream', async () => {
    const responseText = [
      'event: response.output_item.added',
      'data: {"type":"response.output_item.added","item":{"id":"msg_1","type":"message","status":"in_progress","content":[],"role":"assistant"},"output_index":0,"sequence_number":0}',
@@ -618,13 +649,13 @@ describe('Codex request translation', () => {
      'data: {"type":"response.content_part.added","content_index":0,"item_id":"msg_1","output_index":0,"part":{"type":"output_text","text":""},"sequence_number":1}',
      '',
      'event: response.output_text.delta',
-      'data: {"type":"response.output_text.delta","content_index":0,"delta":"The user just said \\"hey\\" - a simple greeting. I should respond briefly and friendly.\\n\\nHey! How can I help you today?","item_id":"msg_1","output_index":0,"sequence_number":2}',
+      'data: {"type":"response.output_text.delta","content_index":0,"delta":"<think>user wants a greeting, respond briefly</think>Hey! How can I help you today?","item_id":"msg_1","output_index":0,"sequence_number":2}',
      '',
      'event: response.output_item.done',
-      'data: {"type":"response.output_item.done","item":{"id":"msg_1","type":"message","status":"completed","content":[{"type":"output_text","text":"The user just said \\"hey\\" - a simple greeting. I should respond briefly and friendly.\\n\\nHey! How can I help you today?"}],"role":"assistant"},"output_index":0,"sequence_number":3}',
+      'data: {"type":"response.output_item.done","item":{"id":"msg_1","type":"message","status":"completed","content":[{"type":"output_text","text":"<think>user wants a greeting, respond briefly</think>Hey! How can I help you today?"}],"role":"assistant"},"output_index":0,"sequence_number":3}',
      '',
      'event: response.completed',
-      'data: {"type":"response.completed","response":{"id":"resp_1","status":"completed","model":"gpt-5.4","output":[{"type":"message","role":"assistant","content":[{"type":"output_text","text":"The user just said \\"hey\\" - a simple greeting. I should respond briefly and friendly.\\n\\nHey! How can I help you today?"}]}],"usage":{"input_tokens":2,"output_tokens":1}},"sequence_number":4}',
+      'data: {"type":"response.completed","response":{"id":"resp_1","status":"completed","model":"gpt-5.4","output":[{"type":"message","role":"assistant","content":[{"type":"output_text","text":"<think>user wants a greeting, respond briefly</think>Hey! How can I help you today?"}]}],"usage":{"input_tokens":2,"output_tokens":1}},"sequence_number":4}',
      '',
    ].join('\n')
@@ -646,6 +677,50 @@ describe('Codex request translation', () => {
      }
    }
-    expect(textDeltas).toEqual(['Hey! How can I help you today?'])
+    expect(textDeltas.join('')).toBe('Hey! How can I help you today?')
  })
  test('preserves prose without tags (no phrase-based false positive)', async () => {
    // Regression test: older phrase-based sanitizer would incorrectly strip text
    // starting with "I should" or "The user". The tag-based approach leaves it alone.
    const responseText = [
      'event: response.output_item.added',
      'data: {"type":"response.output_item.added","item":{"id":"msg_1","type":"message","status":"in_progress","content":[],"role":"assistant"},"output_index":0,"sequence_number":0}',
      '',
      'event: response.content_part.added',
      'data: {"type":"response.content_part.added","content_index":0,"item_id":"msg_1","output_index":0,"part":{"type":"output_text","text":""},"sequence_number":1}',
      '',
      'event: response.output_text.delta',
      'data: {"type":"response.output_text.delta","content_index":0,"delta":"I should note that the user role requires a briefly concise friendly response format.","item_id":"msg_1","output_index":0,"sequence_number":2}',
      '',
      'event: response.output_item.done',
      'data: {"type":"response.output_item.done","item":{"id":"msg_1","type":"message","status":"completed","content":[{"type":"output_text","text":"I should note that the user role requires a briefly concise friendly response format."}],"role":"assistant"},"output_index":0,"sequence_number":3}',
      '',
      'event: response.completed',
      'data: {"type":"response.completed","response":{"id":"resp_1","status":"completed","model":"gpt-5.4","output":[{"type":"message","role":"assistant","content":[{"type":"output_text","text":"I should note that the user role requires a briefly concise friendly response format."}]}],"usage":{"input_tokens":2,"output_tokens":1}},"sequence_number":4}',
      '',
    ].join('\n')
    const stream = new ReadableStream({
      start(controller) {
        controller.enqueue(new TextEncoder().encode(responseText))
        controller.close()
      },
    })
    const textDeltas: string[] = []
    for await (const event of codexStreamToAnthropic(
      new Response(stream),
      'gpt-5.4',
    )) {
      const delta = (event as { delta?: { type?: string; text?: string } }).delta
      if (delta?.type === 'text_delta' && typeof delta.text === 'string') {
        textDeltas.push(delta.text)
      }
    }
    expect(textDeltas.join('')).toBe(
      'I should note that the user role requires a briefly concise friendly response format.',
    )
  })
 })
--- a/src/services/api/codexShim.ts
+++ b/src/services/api/codexShim.ts
@@ -6,10 +6,9 @@ import type {
 } from './providerConfig.js'
 import { sanitizeSchemaForOpenAICompat } from './openaiSchemaSanitizer.js'
 import {
-  looksLikeLeakedReasoningPrefix,
+  createThinkTagFilter,
-  shouldBufferPotentialReasoningPrefix,
+  stripThinkTags,
-  stripLeakedReasoningPreamble,
+} from './thinkTagSanitizer.js'
 } from './reasoningLeakSanitizer.js'
 export interface AnthropicUsage {
  input_tokens: number
@@ -734,25 +733,22 @@ export async function* codexStreamToAnthropic(
    { index: number; toolUseId: string }
  >()
  let activeTextBlockIndex: number | null = null
-  let activeTextBuffer = ''
+  const thinkFilter = createThinkTagFilter()
  let textBufferMode: 'none' | 'pending' | 'strip' = 'none'
  let nextContentBlockIndex = 0
  let sawToolUse = false
  let finalResponse: Record<string, any> | undefined
  const closeActiveTextBlock = async function* () {
    if (activeTextBlockIndex === null) return
-    if (textBufferMode !== 'none') {
+    const tail = thinkFilter.flush()
-      const sanitized = stripLeakedReasoningPreamble(activeTextBuffer)
+    if (tail) {
-      if (sanitized) {
+      yield {
-        yield {
+        type: 'content_block_delta',
-          type: 'content_block_delta',
+        index: activeTextBlockIndex,
-          index: activeTextBlockIndex,
+        delta: {
-          delta: {
+          type: 'text_delta',
-            type: 'text_delta',
+          text: tail,
-            text: sanitized,
+        },
          },
        }
      }
    }
    yield {
@@ -760,8 +756,6 @@ export async function* codexStreamToAnthropic(
      index: activeTextBlockIndex,
    }
    activeTextBlockIndex = null
    activeTextBuffer = ''
    textBufferMode = 'none'
  }
  const startTextBlockIfNeeded = async function* () {
@@ -837,43 +831,17 @@ export async function* codexStreamToAnthropic(
    if (event.event === 'response.output_text.delta') {
      yield* startTextBlockIfNeeded()
      activeTextBuffer += payload.delta ?? ''
      if (activeTextBlockIndex !== null) {
-        if (
+        const visible = thinkFilter.feed(payload.delta ?? '')
-          textBufferMode === 'strip' ||
+        if (visible) {
          looksLikeLeakedReasoningPrefix(activeTextBuffer)
        ) {
          textBufferMode = 'strip'
          continue
        }
        if (textBufferMode === 'pending') {
          if (shouldBufferPotentialReasoningPrefix(activeTextBuffer)) {
            continue
          }
          yield {
            type: 'content_block_delta',
            index: activeTextBlockIndex,
            delta: {
              type: 'text_delta',
-              text: activeTextBuffer,
+              text: visible,
            },
          }
          textBufferMode = 'none'
          continue
        }
        if (shouldBufferPotentialReasoningPrefix(activeTextBuffer)) {
          textBufferMode = 'pending'
          continue
        }
        yield {
          type: 'content_block_delta',
          index: activeTextBlockIndex,
          delta: {
            type: 'text_delta',
            text: payload.delta ?? '',
          },
        }
      }
      continue
@@ -969,7 +937,7 @@ export function convertCodexResponseToAnthropicMessage(
        if (part?.type === 'output_text') {
          content.push({
            type: 'text',
-            text: stripLeakedReasoningPreamble(part.text ?? ''),
+            text: stripThinkTags(part.text ?? ''),
          })
        }
      }
--- a/src/services/api/openaiErrorClassification.ts
+++ b/src/services/api/openaiErrorClassification.ts
@@ -320,10 +320,7 @@ export function classifyOpenAIHttpFailure(options: {
    }
  }
-  if (
+  if (options.status >= 400 && isMalformedProviderResponse(body)) {
    (options.status >= 200 && options.status < 300 && isMalformedProviderResponse(body)) ||
    (options.status >= 400 && isMalformedProviderResponse(body))
  ) {
    return {
      source: 'http',
      category: 'malformed_provider_response',
--- a/src/services/api/openaiShim.diagnostics.test.ts
+++ b/src/services/api/openaiShim.diagnostics.test.ts
@@ -117,3 +117,170 @@ test('redacts credentials in transport diagnostic URL logs', async () => {
  expect(logLine).not.toContain('user:supersecret')
  expect(logLine).not.toContain('supersecret@')
 })
 test('logs self-heal localhost fallback with redacted from/to URLs', async () => {
  const debugSpy = mock(() => {})
  mock.module('../../utils/debug.js', () => ({
    logForDebugging: debugSpy,
  }))
  const nonce = `${Date.now()}-${Math.random()}`
  const { createOpenAIShimClient } = await import(`./openaiShim.ts?ts=${nonce}`)
  process.env.OPENAI_BASE_URL = 'http://user:supersecret@localhost:11434/v1'
  process.env.OPENAI_API_KEY = 'supersecret'
  globalThis.fetch = mock(async (input: string | Request) => {
    const url = typeof input === 'string' ? input : input.url
    if (url.includes('localhost')) {
      throw Object.assign(new TypeError('fetch failed'), {
        code: 'ENOTFOUND',
      })
    }
    return new Response(
      JSON.stringify({
        id: 'chatcmpl-1',
        model: 'qwen2.5-coder:7b',
        choices: [
          {
            message: {
              role: 'assistant',
              content: 'ok',
            },
            finish_reason: 'stop',
          },
        ],
        usage: {
          prompt_tokens: 5,
          completion_tokens: 2,
          total_tokens: 7,
        },
      }),
      {
        status: 200,
        headers: {
          'Content-Type': 'application/json',
        },
      },
    )
  }) as typeof globalThis.fetch
  const client = createOpenAIShimClient({}) as {
    beta: {
      messages: {
        create: (params: Record<string, unknown>) => Promise<unknown>
      }
    }
  }
  await expect(
    client.beta.messages.create({
      model: 'qwen2.5-coder:7b',
      messages: [{ role: 'user', content: 'hello' }],
      max_tokens: 64,
      stream: false,
    }),
  ).resolves.toBeDefined()
  const fallbackLog = debugSpy.mock.calls.find(call =>
    typeof call?.[0] === 'string' &&
    call[0].includes('self-heal retry reason=localhost_resolution_failed'),
  )
  expect(fallbackLog).toBeDefined()
  const logLine = String(fallbackLog?.[0])
  expect(logLine).toContain('from=http://redacted:redacted@localhost:11434/v1/chat/completions')
  expect(logLine).toContain('to=http://redacted:redacted@127.0.0.1:11434/v1/chat/completions')
  expect(logLine).not.toContain('supersecret')
 })
 test('logs self-heal toolless retry for local tool-call incompatibility', async () => {
  const debugSpy = mock(() => {})
  mock.module('../../utils/debug.js', () => ({
    logForDebugging: debugSpy,
  }))
  const nonce = `${Date.now()}-${Math.random()}`
  const { createOpenAIShimClient } = await import(`./openaiShim.ts?ts=${nonce}`)
  process.env.OPENAI_BASE_URL = 'http://localhost:11434/v1'
  process.env.OPENAI_API_KEY = 'ollama'
  let callCount = 0
  globalThis.fetch = mock(async () => {
    callCount += 1
    if (callCount === 1) {
      return new Response('tool_calls are not supported', {
        status: 400,
        headers: {
          'Content-Type': 'text/plain',
        },
      })
    }
    return new Response(
      JSON.stringify({
        id: 'chatcmpl-1',
        model: 'qwen2.5-coder:7b',
        choices: [
          {
            message: {
              role: 'assistant',
              content: 'ok',
            },
            finish_reason: 'stop',
          },
        ],
        usage: {
          prompt_tokens: 7,
          completion_tokens: 3,
          total_tokens: 10,
        },
      }),
      {
        status: 200,
        headers: {
          'Content-Type': 'application/json',
        },
      },
    )
  }) as typeof globalThis.fetch
  const client = createOpenAIShimClient({}) as {
    beta: {
      messages: {
        create: (params: Record<string, unknown>) => Promise<unknown>
      }
    }
  }
  await expect(
    client.beta.messages.create({
      model: 'qwen2.5-coder:7b',
      messages: [{ role: 'user', content: 'hello' }],
      tools: [
        {
          name: 'Read',
          description: 'Read file',
          input_schema: {
            type: 'object',
            properties: {
              filePath: { type: 'string' },
            },
            required: ['filePath'],
          },
        },
      ],
      max_tokens: 64,
      stream: false,
    }),
  ).resolves.toBeDefined()
  const fallbackLog = debugSpy.mock.calls.find(call =>
    typeof call?.[0] === 'string' &&
    call[0].includes('self-heal retry reason=tool_call_incompatible mode=toolless'),
  )
  expect(fallbackLog).toBeDefined()
  expect(fallbackLog?.[1]).toEqual({ level: 'warn' })
 })
--- a/src/services/api/openaiShim.test.ts
+++ b/src/services/api/openaiShim.test.ts
@@ -2513,7 +2513,7 @@ test('non-streaming: real content takes precedence over reasoning_content', asyn
  ])
 })
-test('non-streaming: strips leaked reasoning preamble from assistant content', async () => {
+test('non-streaming: strips <think> tag block from assistant content', async () => {
  globalThis.fetch = (async () => {
    return new Response(
      JSON.stringify({
@@ -2524,7 +2524,7 @@ test('non-streaming: strips leaked reasoning preamble from assistant content', a
            message: {
              role: 'assistant',
              content:
-                'The user just said "hey" - a simple greeting. I should respond briefly and friendly.\n\nHey! How can I help you today?',
+                '<think>user wants a greeting, respond briefly</think>Hey! How can I help you today?',
            },
            finish_reason: 'stop',
          },
@@ -2645,7 +2645,7 @@ test('streaming: thinking block closed before tool call', async () => {
  expect(thinkingStart?.content_block?.type).toBe('thinking')
 })
-test('streaming: strips leaked reasoning preamble from assistant content deltas', async () => {
+test('streaming: strips <think> tag block from assistant content deltas', async () => {
  globalThis.fetch = (async () => {
    const chunks = makeStreamChunks([
      {
@@ -2658,7 +2658,7 @@ test('streaming: strips leaked reasoning preamble from assistant content deltas'
            delta: {
              role: 'assistant',
              content:
-                'The user just said "hey" - a simple greeting. I should respond briefly and friendly.\n\nHey! How can I help you today?',
+                '<think>user wants a greeting, respond briefly</think>Hey! How can I help you today?',
            },
            finish_reason: null,
          },
@@ -2700,10 +2700,10 @@ test('streaming: strips leaked reasoning preamble from assistant content deltas'
    }
  }
-  expect(textDeltas).toEqual(['Hey! How can I help you today?'])
+  expect(textDeltas.join('')).toBe('Hey! How can I help you today?')
 })
-test('streaming: strips leaked reasoning preamble when split across multiple content chunks', async () => {
+test('streaming: strips <think> tag split across multiple content chunks', async () => {
  globalThis.fetch = (async () => {
    const chunks = makeStreamChunks([
      {
@@ -2715,7 +2715,7 @@ test('streaming: strips leaked reasoning preamble when split across multiple con
            index: 0,
            delta: {
              role: 'assistant',
-              content: 'The user said "hey" - this is a simple greeting. ',
+              content: '<think>user wants a greeting,',
            },
            finish_reason: null,
          },
@@ -2729,8 +2729,21 @@ test('streaming: strips leaked reasoning preamble when split across multiple con
          {
            index: 0,
            delta: {
-              content:
+              content: ' respond briefly</th',
-                'I should respond in a friendly, concise way.\n\nHey! How can I help you today?',
+            },
            finish_reason: null,
          },
        ],
      },
      {
        id: 'chatcmpl-1',
        object: 'chat.completion.chunk',
        model: 'gpt-5-mini',
        choices: [
          {
            index: 0,
            delta: {
              content: 'ink>Hey! How can I help you today?',
            },
            finish_reason: null,
          },
@@ -2773,7 +2786,69 @@ test('streaming: strips leaked reasoning preamble when split across multiple con
    }
  }
-  expect(textDeltas).toEqual(['Hey! How can I help you today?'])
+  expect(textDeltas.join('')).toBe('Hey! How can I help you today?')
 })
 test('streaming: preserves prose without tags (no phrase-based false positive)', async () => {
  // Regression: older phrase-based sanitizer would strip "I should..." prose.
  // The tag-based approach leaves legitimate assistant output alone.
  globalThis.fetch = (async () => {
    const chunks = makeStreamChunks([
      {
        id: 'chatcmpl-1',
        object: 'chat.completion.chunk',
        model: 'gpt-5-mini',
        choices: [
          {
            index: 0,
            delta: {
              role: 'assistant',
              content:
                'I should note that the user role requires a briefly concise friendly response format.',
            },
            finish_reason: null,
          },
        ],
      },
      {
        id: 'chatcmpl-1',
        object: 'chat.completion.chunk',
        model: 'gpt-5-mini',
        choices: [
          {
            index: 0,
            delta: {},
            finish_reason: 'stop',
          },
        ],
      },
    ])
    return makeSseResponse(chunks)
  }) as FetchType
  const client = createOpenAIShimClient({}) as OpenAIShimClient
  const result = await client.beta.messages
    .create({
      model: 'gpt-5-mini',
      system: 'test system',
      messages: [{ role: 'user', content: 'hey' }],
      max_tokens: 64,
      stream: true,
    })
    .withResponse()
  const textDeltas: string[] = []
  for await (const event of result.data) {
    const delta = (event as { delta?: { type?: string; text?: string } }).delta
    if (delta?.type === 'text_delta' && typeof delta.text === 'string') {
      textDeltas.push(delta.text)
    }
  }
  expect(textDeltas.join('')).toBe(
    'I should note that the user role requires a briefly concise friendly response format.',
  )
 })
 test('classifies localhost transport failures with actionable category marker', async () => {
@@ -2856,3 +2931,289 @@ test('classifies chat-completions endpoint 404 failures with endpoint_not_found
    }),
  ).rejects.toThrow('openai_category=endpoint_not_found')
 })
 test('self-heals localhost resolution failures by retrying local loopback base URL', async () => {
  process.env.OPENAI_BASE_URL = 'http://localhost:11434/v1'
  const requestUrls: string[] = []
  globalThis.fetch = (async (input, _init) => {
    const url = typeof input === 'string' ? input : input.url
    requestUrls.push(url)
    if (url.includes('localhost')) {
      const error = Object.assign(new TypeError('fetch failed'), {
        code: 'ENOTFOUND',
      })
      throw error
    }
    return new Response(
      JSON.stringify({
        id: 'chatcmpl-1',
        model: 'qwen2.5-coder:7b',
        choices: [
          {
            message: {
              role: 'assistant',
              content: 'hello from loopback',
            },
            finish_reason: 'stop',
          },
        ],
        usage: {
          prompt_tokens: 4,
          completion_tokens: 3,
          total_tokens: 7,
        },
      }),
      {
        status: 200,
        headers: {
          'Content-Type': 'application/json',
        },
      },
    )
  }) as FetchType
  const client = createOpenAIShimClient({}) as OpenAIShimClient
  await expect(
    client.beta.messages.create({
      model: 'qwen2.5-coder:7b',
      messages: [{ role: 'user', content: 'hello' }],
      max_tokens: 64,
      stream: false,
    }),
  ).resolves.toBeDefined()
  expect(requestUrls[0]).toBe('http://localhost:11434/v1/chat/completions')
  expect(requestUrls).toContain('http://127.0.0.1:11434/v1/chat/completions')
 })
 test('self-heals local endpoint_not_found by retrying with /v1 base URL', async () => {
  process.env.OPENAI_BASE_URL = 'http://localhost:11434'
  const requestUrls: string[] = []
  globalThis.fetch = (async (input, _init) => {
    const url = typeof input === 'string' ? input : input.url
    requestUrls.push(url)
    if (url === 'http://localhost:11434/chat/completions') {
      return new Response('Not Found', {
        status: 404,
        headers: {
          'Content-Type': 'text/plain',
        },
      })
    }
    return new Response(
      JSON.stringify({
        id: 'chatcmpl-1',
        model: 'qwen2.5-coder:7b',
        choices: [
          {
            message: {
              role: 'assistant',
              content: 'hello from /v1',
            },
            finish_reason: 'stop',
          },
        ],
        usage: {
          prompt_tokens: 5,
          completion_tokens: 2,
          total_tokens: 7,
        },
      }),
      {
        status: 200,
        headers: {
          'Content-Type': 'application/json',
        },
      },
    )
  }) as FetchType
  const client = createOpenAIShimClient({}) as OpenAIShimClient
  await expect(
    client.beta.messages.create({
      model: 'qwen2.5-coder:7b',
      messages: [{ role: 'user', content: 'hello' }],
      max_tokens: 64,
      stream: false,
    }),
  ).resolves.toBeDefined()
  expect(requestUrls).toEqual([
    'http://localhost:11434/chat/completions',
    'http://localhost:11434/v1/chat/completions',
  ])
 })
 test('self-heals tool-call incompatibility by retrying local Ollama requests without tools', async () => {
  process.env.OPENAI_BASE_URL = 'http://localhost:11434/v1'
  const requestBodies: Array<Record<string, unknown>> = []
  globalThis.fetch = (async (_input, init) => {
    const requestBody = JSON.parse(String(init?.body)) as Record<string, unknown>
    requestBodies.push(requestBody)
    if (requestBodies.length === 1) {
      return new Response('tool_calls are not supported', {
        status: 400,
        headers: {
          'Content-Type': 'text/plain',
        },
      })
    }
    return new Response(
      JSON.stringify({
        id: 'chatcmpl-1',
        model: 'qwen2.5-coder:7b',
        choices: [
          {
            message: {
              role: 'assistant',
              content: 'fallback without tools',
            },
            finish_reason: 'stop',
          },
        ],
        usage: {
          prompt_tokens: 8,
          completion_tokens: 4,
          total_tokens: 12,
        },
      }),
      {
        status: 200,
        headers: {
          'Content-Type': 'application/json',
        },
      },
    )
  }) as FetchType
  const client = createOpenAIShimClient({}) as OpenAIShimClient
  await expect(
    client.beta.messages.create({
      model: 'qwen2.5-coder:7b',
      messages: [{ role: 'user', content: 'hello' }],
      tools: [
        {
          name: 'Read',
          description: 'Read a file',
          input_schema: {
            type: 'object',
            properties: {
              filePath: { type: 'string' },
            },
            required: ['filePath'],
          },
        },
      ],
      max_tokens: 64,
      stream: false,
    }),
  ).resolves.toBeDefined()
  expect(requestBodies).toHaveLength(2)
  expect(Array.isArray(requestBodies[0]?.tools)).toBe(true)
  expect(requestBodies[0]?.tool_choice).toBeUndefined()
  expect(
    requestBodies[1]?.tools === undefined ||
      (Array.isArray(requestBodies[1]?.tools) && requestBodies[1]?.tools.length === 0),
  ).toBe(true)
  expect(requestBodies[1]?.tool_choice).toBeUndefined()
 })
 test('preserves valid tool_result and drops orphan tool_result', async () => {
  let requestBody: Record<string, unknown> | undefined
  globalThis.fetch = (async (_input, init) => {
    requestBody = JSON.parse(String(init?.body))
    return new Response(
      JSON.stringify({
        id: 'chatcmpl-1',
        model: 'mistral-large-latest',
        choices: [
          {
            message: {
              role: 'assistant',
              content: 'done',
            },
            finish_reason: 'stop',
          },
        ],
        usage: {
          prompt_tokens: 12,
          completion_tokens: 4,
          total_tokens: 16,
        },
      }),
      {
        headers: {
          'Content-Type': 'application/json',
        },
      },
    )
  }) as FetchType
  const client = createOpenAIShimClient({}) as OpenAIShimClient
  await client.beta.messages.create({
    model: 'mistral-large-latest',
    system: 'test system',
    messages: [
      { role: 'user', content: 'Search and then I will interrupt' },
      {
        role: 'assistant',
        content: [
          {
            type: 'tool_use',
            id: 'valid_call_1',
            name: 'Search',
            input: { query: 'openclaude' },
          },
        ],
      },
      {
        role: 'user',
        content: [
          {
            type: 'tool_result',
            tool_use_id: 'valid_call_1',
            content: 'Found it!',
          },
          {
            type: 'tool_result',
            tool_use_id: 'orphan_call_2',
            content: 'Interrupted result',
          },
          {
            role: 'user',
            content: 'What happened?',
          },
        ],
      },
    ],
    max_tokens: 64,
    stream: false,
  })
  const messages = requestBody?.messages as Array<Record<string, unknown>>
  // Should have: system, user, assistant (tool_use), tool (valid_call_1), user
  // Should NOT have: tool (orphan_call_2)
  const toolMessages = messages.filter(m => m.role === 'tool')
  expect(toolMessages.length).toBe(1)
  expect(toolMessages[0].tool_call_id).toBe('valid_call_1')
  const orphanMessage = toolMessages.find(m => m.tool_call_id === 'orphan_call_2')
  expect(orphanMessage).toBeUndefined()
 })
--- a/src/services/api/openaiShim.ts
+++ b/src/services/api/openaiShim.ts
@@ -32,10 +32,9 @@ import { resolveGeminiCredential } from '../../utils/geminiAuth.js'
 import { hydrateGeminiAccessTokenFromSecureStorage } from '../../utils/geminiCredentials.js'
 import { hydrateGithubModelsTokenFromSecureStorage } from '../../utils/githubModelsCredentials.js'
 import {
-  looksLikeLeakedReasoningPrefix,
+  createThinkTagFilter,
-  shouldBufferPotentialReasoningPrefix,
+  stripThinkTags,
-  stripLeakedReasoningPreamble,
+} from './thinkTagSanitizer.js'
 } from './reasoningLeakSanitizer.js'
 import {
  codexStreamToAnthropic,
  collectCodexCompletedResponse,
@@ -49,10 +48,12 @@ import {
 } from './codexShim.js'
 import { fetchWithProxyRetry } from './fetchWithProxyRetry.js'
 import {
  getLocalProviderRetryBaseUrls,
  getGithubEndpointType,
  isLocalProviderUrl,
  resolveRuntimeCodexCredentials,
  resolveProviderRequest,
-  getGithubEndpointType,
+  shouldAttemptLocalToollessRetry,
 } from './providerConfig.js'
 import {
  buildOpenAICompatibilityErrorMessage,
@@ -349,6 +350,7 @@ function convertMessages(
  system: unknown,
 ): OpenAIMessage[] {
  const result: OpenAIMessage[] = []
  const knownToolCallIds = new Set<string>()
  // System message first
  const sysText = convertSystemPrompt(system)
@@ -368,13 +370,21 @@ function convertMessages(
        const toolResults = content.filter((b: { type?: string }) => b.type === 'tool_result')
        const otherContent = content.filter((b: { type?: string }) => b.type !== 'tool_result')
-        // Emit tool results as tool messages
+        // Emit tool results as tool messages, but ONLY if we have a matching tool_use ID.
        // Mistral/OpenAI strictly require tool messages to follow an assistant message with tool_calls.
        // If the user interrupted (ESC) and a synthetic tool_result was generated without a recorded tool_use,
        // emitting it here would cause a "role must alternate" or "unexpected role" error.
        for (const tr of toolResults) {
-          result.push({
+          const id = tr.tool_use_id ?? 'unknown'
-            role: 'tool',
+          if (knownToolCallIds.has(id)) {
-            tool_call_id: tr.tool_use_id ?? 'unknown',
+            result.push({
-            content: convertToolResultContent(tr.content, tr.is_error),
+              role: 'tool',
-          })
+              tool_call_id: id,
              content: convertToolResultContent(tr.content, tr.is_error),
            })
          } else {
            logForDebugging(`Dropping orphan tool_result for ID: ${id} to prevent API error`)
          }
        }
        // Emit remaining user content
@@ -415,9 +425,11 @@ function convertMessages(
              input?: unknown
              extra_content?: Record<string, unknown>
              signature?: string
-            }, index) => {
+            }) => {
              const id = tu.id ?? `call_${crypto.randomUUID().replace(/-/g, '')}`
              knownToolCallIds.add(id)
              const toolCall: NonNullable<OpenAIMessage['tool_calls']>[number] = {
-                id: tu.id ?? `call_${crypto.randomUUID().replace(/-/g, '')}`,
+                id,
                type: 'function' as const,
                function: {
                  name: tu.name ?? 'unknown',
@@ -442,7 +454,6 @@ function convertMessages(
                // Merge into existing google-specific metadata if present
                const existingGoogle = (toolCall.extra_content?.google as Record<string, unknown>) ?? {}
                toolCall.extra_content = {
                  ...toolCall.extra_content,
                  google: {
@@ -597,7 +608,10 @@ function convertTools(
        function: {
          name: t.name,
          description: t.description ?? '',
-          parameters: normalizeSchemaForOpenAI(schema, !isGemini),
+          parameters: normalizeSchemaForOpenAI(
            schema,
            !isGemini && !isEnvTruthy(process.env.OPENCLAUDE_DISABLE_STRICT_TOOLS),
          ),
        },
      }
    })
@@ -705,8 +719,7 @@ async function* openaiStreamToAnthropic(
  let hasEmittedContentStart = false
  let hasEmittedThinkingStart = false
  let hasClosedThinking = false
-  let activeTextBuffer = ''
+  const thinkFilter = createThinkTagFilter()
  let textBufferMode: 'none' | 'pending' | 'strip' = 'none'
  let lastStopReason: 'tool_use' | 'max_tokens' | 'end_turn' | null = null
  let hasEmittedFinalUsage = false
  let hasProcessedFinishReason = false
@@ -785,14 +798,12 @@ async function* openaiStreamToAnthropic(
  const closeActiveContentBlock = async function* () {
    if (!hasEmittedContentStart) return
-    if (textBufferMode !== 'none') {
+    const tail = thinkFilter.flush()
-      const sanitized = stripLeakedReasoningPreamble(activeTextBuffer)
+    if (tail) {
-      if (sanitized) {
+      yield {
-        yield {
+        type: 'content_block_delta',
-          type: 'content_block_delta',
+        index: contentBlockIndex,
-          index: contentBlockIndex,
+        delta: { type: 'text_delta', text: tail },
          delta: { type: 'text_delta', text: sanitized },
        }
      }
    }
@@ -802,8 +813,6 @@ async function* openaiStreamToAnthropic(
    }
    contentBlockIndex++
    hasEmittedContentStart = false
    activeTextBuffer = ''
    textBufferMode = 'none'
  }
  try {
@@ -860,7 +869,6 @@ async function* openaiStreamToAnthropic(
            contentBlockIndex++
            hasClosedThinking = true
          }
          activeTextBuffer += delta.content
          if (!hasEmittedContentStart) {
            yield {
              type: 'content_block_start',
@@ -870,38 +878,13 @@ async function* openaiStreamToAnthropic(
            hasEmittedContentStart = true
          }
-          if (
+          const visible = thinkFilter.feed(delta.content)
-            textBufferMode === 'strip' ||
+          if (visible) {
            looksLikeLeakedReasoningPrefix(activeTextBuffer)
          ) {
            textBufferMode = 'strip'
            continue
          }
          if (textBufferMode === 'pending') {
            if (shouldBufferPotentialReasoningPrefix(activeTextBuffer)) {
              continue
            }
            yield {
              type: 'content_block_delta',
              index: contentBlockIndex,
-              delta: {
+              delta: { type: 'text_delta', text: visible },
                type: 'text_delta',
                text: activeTextBuffer,
              },
            }
            textBufferMode = 'none'
            continue
          }
          if (shouldBufferPotentialReasoningPrefix(activeTextBuffer)) {
            textBufferMode = 'pending'
            continue
          }
          yield {
            type: 'content_block_delta',
            index: contentBlockIndex,
            delta: { type: 'text_delta', text: delta.content },
          }
        }
@@ -1446,48 +1429,95 @@ class OpenAIShimMessages {
      headers['X-GitHub-Api-Version'] = '2022-11-28'
    }
-    // Build the chat completions URL
+    const buildChatCompletionsUrl = (baseUrl: string): string => {
-    // Azure Cognitive Services / Azure OpenAI require a deployment-specific path
+      // Azure Cognitive Services / Azure OpenAI require a deployment-specific
-    // and an api-version query parameter.
+      // path and an api-version query parameter.
-    // Standard format: {base}/openai/deployments/{model}/chat/completions?api-version={version}
+      if (isAzure) {
-    // Non-Azure: {base}/chat/completions
+        const apiVersion = process.env.AZURE_OPENAI_API_VERSION ?? '2024-12-01-preview'
-    let chatCompletionsUrl: string
+        const deployment = request.resolvedModel ?? process.env.OPENAI_MODEL ?? 'gpt-4o'
-    if (isAzure) {
+
-      const apiVersion = process.env.AZURE_OPENAI_API_VERSION ?? '2024-12-01-preview'
+        // If base URL already contains /deployments/, use it as-is with api-version.
-      const deployment = request.resolvedModel ?? process.env.OPENAI_MODEL ?? 'gpt-4o'
+        if (/\/deployments\//i.test(baseUrl)) {
-      // If base URL already contains /deployments/, use it as-is with api-version
+          const normalizedBase = baseUrl.replace(/\/+$/, '')
-      if (/\/deployments\//i.test(request.baseUrl)) {
+          return `${normalizedBase}/chat/completions?api-version=${apiVersion}`
-        const base = request.baseUrl.replace(/\/+$/, '')
+        }
-        chatCompletionsUrl = `${base}/chat/completions?api-version=${apiVersion}`
+
-      } else {
+        // Strip trailing /v1 or /openai/v1 if present, then build Azure path.
-        // Strip trailing /v1 or /openai/v1 if present, then build Azure path
+        const normalizedBase = baseUrl
-        const base = request.baseUrl.replace(/\/(openai\/)?v1\/?$/, '').replace(/\/+$/, '')
+          .replace(/\/(openai\/)?v1\/?$/, '')
-        chatCompletionsUrl = `${base}/openai/deployments/${deployment}/chat/completions?api-version=${apiVersion}`
+          .replace(/\/+$/, '')
        return `${normalizedBase}/openai/deployments/${deployment}/chat/completions?api-version=${apiVersion}`
      }
-    } else {
+
-      chatCompletionsUrl = `${request.baseUrl}/chat/completions`
+      return `${baseUrl}/chat/completions`
    }
-    const fetchInit = {
+    const localRetryBaseUrls = isLocal
      ? getLocalProviderRetryBaseUrls(request.baseUrl)
      : []
    let activeBaseUrl = request.baseUrl
    let chatCompletionsUrl = buildChatCompletionsUrl(activeBaseUrl)
    const attemptedLocalBaseUrls = new Set<string>([activeBaseUrl])
    let didRetryWithoutTools = false
    const promoteNextLocalBaseUrl = (
      reason: 'endpoint_not_found' | 'localhost_resolution_failed',
    ): boolean => {
      for (const candidateBaseUrl of localRetryBaseUrls) {
        if (attemptedLocalBaseUrls.has(candidateBaseUrl)) {
          continue
        }
        const previousUrl = chatCompletionsUrl
        attemptedLocalBaseUrls.add(candidateBaseUrl)
        activeBaseUrl = candidateBaseUrl
        chatCompletionsUrl = buildChatCompletionsUrl(activeBaseUrl)
        logForDebugging(
          `[OpenAIShim] self-heal retry reason=${reason} method=POST from=${redactUrlForDiagnostics(previousUrl)} to=${redactUrlForDiagnostics(chatCompletionsUrl)} model=${request.resolvedModel}`,
          { level: 'warn' },
        )
        return true
      }
      return false
    }
    let serializedBody = JSON.stringify(body)
    const refreshSerializedBody = (): void => {
      serializedBody = JSON.stringify(body)
    }
    const buildFetchInit = () => ({
      method: 'POST' as const,
      headers,
-      body: JSON.stringify(body),
+      body: serializedBody,
      signal: options?.signal,
-    }
+    })
-    const maxAttempts = isGithub ? GITHUB_429_MAX_RETRIES : 1
+    const maxSelfHealAttempts = isLocal
      ? localRetryBaseUrls.length + 1
      : 0
    const maxAttempts = (isGithub ? GITHUB_429_MAX_RETRIES : 1) + maxSelfHealAttempts
    const throwClassifiedTransportError = (
      error: unknown,
      requestUrl: string,
      preclassifiedFailure?: ReturnType<typeof classifyOpenAINetworkFailure>,
    ): never => {
      if (options?.signal?.aborted) {
        throw error
      }
-      const failure = classifyOpenAINetworkFailure(error, {
+      const failure =
-        url: requestUrl,
+        preclassifiedFailure ??
-      })
+        classifyOpenAINetworkFailure(error, {
          url: requestUrl,
        })
      const redactedUrl = redactUrlForDiagnostics(requestUrl)
      const safeMessage =
        redactSecretValueForDisplay(
@@ -1518,11 +1548,14 @@ class OpenAIShimMessages {
      responseHeaders: Headers,
      requestUrl: string,
      rateHint = '',
      preclassifiedFailure?: ReturnType<typeof classifyOpenAIHttpFailure>,
    ): never => {
-      const failure = classifyOpenAIHttpFailure({
+      const failure =
-        status,
+        preclassifiedFailure ??
-        body: errorBody,
+        classifyOpenAIHttpFailure({
-      })
+          status,
          body: errorBody,
        })
      const redactedUrl = redactUrlForDiagnostics(requestUrl)
      logForDebugging(
@@ -1544,10 +1577,13 @@ class OpenAIShimMessages {
    let response: Response | undefined
    for (let attempt = 0; attempt < maxAttempts; attempt++) {
      try {
-        response = await fetchWithProxyRetry(chatCompletionsUrl, fetchInit)
+        response = await fetchWithProxyRetry(
          chatCompletionsUrl,
          buildFetchInit(),
        )
      } catch (error) {
        const isAbortError =
-          fetchInit.signal?.aborted === true ||
+          options?.signal?.aborted === true ||
          (typeof DOMException !== 'undefined' &&
            error instanceof DOMException &&
            error.name === 'AbortError') ||
@@ -1560,7 +1596,19 @@ class OpenAIShimMessages {
          throw error
        }
-        throwClassifiedTransportError(error, chatCompletionsUrl)
+        const failure = classifyOpenAINetworkFailure(error, {
          url: chatCompletionsUrl,
        })
        if (
          isLocal &&
          failure.category === 'localhost_resolution_failed' &&
          promoteNextLocalBaseUrl('localhost_resolution_failed')
        ) {
          continue
        }
        throwClassifiedTransportError(error, chatCompletionsUrl, failure)
      }
      if (response.ok) {
@@ -1647,11 +1695,15 @@ class OpenAIShimMessages {
          } catch (error) {
            throwClassifiedTransportError(error, responsesUrl)
          }
-          
+
          if (responsesResponse.ok) {
            return responsesResponse
          }
          const responsesErrorBody = await responsesResponse.text().catch(() => 'unknown error')
          const responsesFailure = classifyOpenAIHttpFailure({
            status: responsesResponse.status,
            body: responsesErrorBody,
          })
          let responsesErrorResponse: object | undefined
          try { responsesErrorResponse = JSON.parse(responsesErrorBody) } catch { /* raw text */ }
          throwClassifiedHttpError(
@@ -1660,10 +1712,49 @@ class OpenAIShimMessages {
            responsesErrorResponse,
            responsesResponse.headers,
            responsesUrl,
            '',
            responsesFailure,
          )
        }
      }
      const failure = classifyOpenAIHttpFailure({
        status: response.status,
        body: errorBody,
      })
      if (
        isLocal &&
        failure.category === 'endpoint_not_found' &&
        promoteNextLocalBaseUrl('endpoint_not_found')
      ) {
        continue
      }
      const hasToolsPayload =
        Array.isArray(body.tools) &&
        body.tools.length > 0
      if (
        !didRetryWithoutTools &&
        failure.category === 'tool_call_incompatible' &&
        shouldAttemptLocalToollessRetry({
          baseUrl: activeBaseUrl,
          hasTools: hasToolsPayload,
        })
      ) {
        didRetryWithoutTools = true
        delete body.tools
        delete body.tool_choice
        refreshSerializedBody()
        logForDebugging(
          `[OpenAIShim] self-heal retry reason=tool_call_incompatible mode=toolless method=POST url=${redactUrlForDiagnostics(chatCompletionsUrl)} model=${request.resolvedModel}`,
          { level: 'warn' },
        )
        continue
      }
      let errorResponse: object | undefined
      try { errorResponse = JSON.parse(errorBody) } catch { /* raw text */ }
      throwClassifiedHttpError(
@@ -1673,6 +1764,7 @@ class OpenAIShimMessages {
        response.headers as unknown as Headers,
        chatCompletionsUrl,
        rateHint,
        failure,
      )
    }
@@ -1729,7 +1821,7 @@ class OpenAIShimMessages {
    if (typeof rawContent === 'string' && rawContent) {
      content.push({
        type: 'text',
-        text: stripLeakedReasoningPreamble(rawContent),
+        text: stripThinkTags(rawContent),
      })
    } else if (Array.isArray(rawContent) && rawContent.length > 0) {
      const parts: string[] = []
@@ -1747,7 +1839,7 @@ class OpenAIShimMessages {
      if (joined) {
        content.push({
          type: 'text',
-          text: stripLeakedReasoningPreamble(joined),
+          text: stripThinkTags(joined),
        })
      }
    }
--- a/src/services/api/providerConfig.local.test.ts
+++ b/src/services/api/providerConfig.local.test.ts
@@ -2,8 +2,10 @@ import { afterEach, expect, test } from 'bun:test'
 import {
  getAdditionalModelOptionsCacheScope,
  getLocalProviderRetryBaseUrls,
  isLocalProviderUrl,
  resolveProviderRequest,
  shouldAttemptLocalToollessRetry,
 } from './providerConfig.js'
 const originalEnv = {
@@ -83,3 +85,42 @@ test('skips local model cache scope for remote openai-compatible providers', ()
  expect(getAdditionalModelOptionsCacheScope()).toBeNull()
 })
 test('derives local retry base URLs with /v1 and loopback fallback candidates', () => {
  expect(getLocalProviderRetryBaseUrls('http://localhost:11434')).toEqual([
    'http://localhost:11434/v1',
    'http://127.0.0.1:11434',
    'http://127.0.0.1:11434/v1',
  ])
 })
 test('does not derive local retry base URLs for remote providers', () => {
  expect(getLocalProviderRetryBaseUrls('https://api.openai.com/v1')).toEqual([])
 })
 test('enables local toolless retry for likely Ollama endpoints with tools', () => {
  expect(
    shouldAttemptLocalToollessRetry({
      baseUrl: 'http://localhost:11434/v1',
      hasTools: true,
    }),
  ).toBe(true)
 })
 test('disables local toolless retry when no tools are present', () => {
  expect(
    shouldAttemptLocalToollessRetry({
      baseUrl: 'http://localhost:11434/v1',
      hasTools: false,
    }),
  ).toBe(false)
 })
 test('disables local toolless retry for non-Ollama local endpoints', () => {
  expect(
    shouldAttemptLocalToollessRetry({
      baseUrl: 'http://localhost:1234/v1',
      hasTools: true,
    }),
  ).toBe(false)
 })
--- a/src/services/api/providerConfig.ts
+++ b/src/services/api/providerConfig.ts
@@ -14,6 +14,7 @@ import {
  asTrimmedString,
  parseChatgptAccountId,
 } from './codexOAuthShared.js'
 import { DEFAULT_GEMINI_BASE_URL } from 'src/utils/providerProfile.js'
 export const DEFAULT_OPENAI_BASE_URL = 'https://api.openai.com/v1'
 export const DEFAULT_CODEX_BASE_URL = 'https://chatgpt.com/backend-api/codex'
@@ -304,6 +305,101 @@ export function isLocalProviderUrl(baseUrl: string | undefined): boolean {
  }
 }
 function trimTrailingSlash(value: string): string {
  return value.replace(/\/+$/, '')
 }
 function normalizePathWithV1(pathname: string): string {
  const trimmed = trimTrailingSlash(pathname)
  if (!trimmed || trimmed === '/') {
    return '/v1'
  }
  if (trimmed.toLowerCase().endsWith('/v1')) {
    return trimmed
  }
  return `${trimmed}/v1`
 }
 function isLikelyOllamaEndpoint(baseUrl: string): boolean {
  try {
    const parsed = new URL(baseUrl)
    const hostname = parsed.hostname.toLowerCase()
    const pathname = parsed.pathname.toLowerCase()
    if (parsed.port === '11434') {
      return true
    }
    return (
      hostname.includes('ollama') ||
      pathname.includes('ollama')
    )
  } catch {
    return false
  }
 }
 export function getLocalProviderRetryBaseUrls(baseUrl: string): string[] {
  if (!isLocalProviderUrl(baseUrl)) {
    return []
  }
  try {
    const parsed = new URL(baseUrl)
    const original = trimTrailingSlash(parsed.toString())
    const seen = new Set<string>([original])
    const candidates: string[] = []
    const addCandidate = (hostname: string, pathname: string): void => {
      const next = new URL(parsed.toString())
      next.hostname = hostname
      next.pathname = pathname
      next.search = ''
      next.hash = ''
      const normalized = trimTrailingSlash(next.toString())
      if (seen.has(normalized)) {
        return
      }
      seen.add(normalized)
      candidates.push(normalized)
    }
    const v1Pathname = normalizePathWithV1(parsed.pathname)
    if (v1Pathname !== trimTrailingSlash(parsed.pathname)) {
      addCandidate(parsed.hostname, v1Pathname)
    }
    const hostname = parsed.hostname.toLowerCase().replace(/^\[|\]$/g, '')
    if (hostname === 'localhost' || hostname === '::1') {
      addCandidate('127.0.0.1', parsed.pathname || '/')
      addCandidate('127.0.0.1', v1Pathname)
    }
    return candidates
  } catch {
    return []
  }
 }
 export function shouldAttemptLocalToollessRetry(options: {
  baseUrl: string
  hasTools: boolean
 }): boolean {
  if (!options.hasTools) {
    return false
  }
  if (!isLocalProviderUrl(options.baseUrl)) {
    return false
  }
  return isLikelyOllamaEndpoint(options.baseUrl)
 }
 export function isCodexBaseUrl(baseUrl: string | undefined): boolean {
  if (!baseUrl) return false
  try {
@@ -381,11 +477,15 @@ export function resolveProviderRequest(options?: {
 }): ResolvedProviderRequest {
  const isGithubMode = isEnvTruthy(process.env.CLAUDE_CODE_USE_GITHUB)
  const isMistralMode = isEnvTruthy(process.env.CLAUDE_CODE_USE_MISTRAL)
  const isGeminiMode = isEnvTruthy(process.env.CLAUDE_CODE_USE_GEMINI)
  const requestedModel =
    options?.model?.trim() ||
    (isMistralMode
      ? process.env.MISTRAL_MODEL?.trim()
      : process.env.OPENAI_MODEL?.trim()) ||
    (isGeminiMode
      ? process.env.GEMINI_MODEL?.trim()
      : process.env.OPENAI_MODEL?.trim()) ||
    options?.fallbackModel?.trim() ||
    (isGithubMode ? 'github:copilot' : 'gpt-4o')
  const descriptor = parseModelDescriptor(requestedModel)
@@ -396,14 +496,28 @@ export function resolveProviderRequest(options?: {
    'MISTRAL_BASE_URL',
  )
  const normalizedGeminiEnvBaseUrl = asNamedEnvUrl(
    process.env.GEMINI_BASE_URL,
    'GEMINI_BASE_URL',
  )
  const primaryEnvBaseUrl = isMistralMode
    ? normalizedMistralEnvBaseUrl
    : isGeminiMode
    ? normalizedGeminiEnvBaseUrl
    : asNamedEnvUrl(process.env.OPENAI_BASE_URL, 'OPENAI_BASE_URL')
  // In Mistral mode, a literal "undefined" MISTRAL_BASE_URL is treated as
  // misconfiguration and falls back to OPENAI_API_BASE, then
  // DEFAULT_MISTRAL_BASE_URL for a safe default endpoint.
  const fallbackEnvBaseUrl = isMistralMode
    ? (primaryEnvBaseUrl === undefined
      ? asNamedEnvUrl(process.env.OPENAI_API_BASE, 'OPENAI_API_BASE') ?? DEFAULT_MISTRAL_BASE_URL
      : undefined)
    : isGeminiMode
    ? (primaryEnvBaseUrl === undefined
      ? asNamedEnvUrl(process.env.OPENAI_API_BASE, 'OPENAI_API_BASE') ?? DEFAULT_GEMINI_BASE_URL
      : undefined)
    : (primaryEnvBaseUrl === undefined
      ? asNamedEnvUrl(process.env.OPENAI_API_BASE, 'OPENAI_API_BASE')
      : undefined)
--- a/src/services/api/reasoningLeakSanitizer.test.ts
+++ b/src/services/api/reasoningLeakSanitizer.test.ts
@@ -1,46 +0,0 @@
 import { describe, expect, test } from 'bun:test'
 import {
  looksLikeLeakedReasoningPrefix,
  shouldBufferPotentialReasoningPrefix,
  stripLeakedReasoningPreamble,
 } from './reasoningLeakSanitizer.ts'
 describe('reasoning leak sanitizer', () => {
  test('strips explicit internal reasoning preambles', () => {
    const text =
      'The user just said "hey" - a simple greeting. I should respond briefly and friendly.\n\nHey! How can I help you today?'
    expect(looksLikeLeakedReasoningPrefix(text)).toBe(true)
    expect(stripLeakedReasoningPreamble(text)).toBe(
      'Hey! How can I help you today?',
    )
  })
  test('does not strip normal user-facing advice that mentions "the user should"', () => {
    const text =
      'The user should reset their password immediately.\n\nHere are the steps...'
    expect(looksLikeLeakedReasoningPrefix(text)).toBe(false)
    expect(shouldBufferPotentialReasoningPrefix(text)).toBe(false)
    expect(stripLeakedReasoningPreamble(text)).toBe(text)
  })
  test('does not strip legitimate first-person advice about responding to an incident', () => {
    const text =
      'I need to respond to this security incident immediately. The system is compromised.\n\nHere are the remediation steps...'
    expect(looksLikeLeakedReasoningPrefix(text)).toBe(false)
    expect(shouldBufferPotentialReasoningPrefix(text)).toBe(false)
    expect(stripLeakedReasoningPreamble(text)).toBe(text)
  })
  test('does not strip legitimate first-person advice about answering a support ticket', () => {
    const text =
      'I need to answer the support ticket before end of day. The customer is waiting.\n\nHere is the response I drafted...'
    expect(looksLikeLeakedReasoningPrefix(text)).toBe(false)
    expect(shouldBufferPotentialReasoningPrefix(text)).toBe(false)
    expect(stripLeakedReasoningPreamble(text)).toBe(text)
  })
 })
--- a/src/services/api/reasoningLeakSanitizer.ts
+++ b/src/services/api/reasoningLeakSanitizer.ts
@@ -1,54 +0,0 @@
 const EXPLICIT_REASONING_START_RE =
  /^\s*(i should\b|i need to\b|let me think\b|the task\b|the request\b)/i
 const EXPLICIT_REASONING_META_RE =
  /\b(user|request|question|prompt|message|task|greeting|small talk|briefly|friendly|concise)\b/i
 const USER_META_START_RE =
  /^\s*the user\s+(just\s+)?(said|asked|is asking|wants|wanted|mentioned|seems|appears)\b/i
 const USER_REASONING_RE =
  /^\s*the user\s+(just\s+)?(said|asked|is asking|wants|wanted|mentioned|seems|appears)\b[\s\S]*\b(i should|i need to|let me think|respond|reply|answer|greeting|small talk|briefly|friendly|concise)\b/i
 export function shouldBufferPotentialReasoningPrefix(text: string): boolean {
  const normalized = text.trim()
  if (!normalized) return false
  if (looksLikeLeakedReasoningPrefix(normalized)) {
    return true
  }
  const hasParagraphBoundary = /\n\s*\n/.test(normalized)
  if (hasParagraphBoundary) {
    return false
  }
  return (
    EXPLICIT_REASONING_START_RE.test(normalized) ||
    USER_META_START_RE.test(normalized)
  )
 }
 export function looksLikeLeakedReasoningPrefix(text: string): boolean {
  const normalized = text.trim()
  if (!normalized) return false
  return (
    (EXPLICIT_REASONING_START_RE.test(normalized) &&
      EXPLICIT_REASONING_META_RE.test(normalized)) ||
    USER_REASONING_RE.test(normalized)
  )
 }
 export function stripLeakedReasoningPreamble(text: string): string {
  const normalized = text.replace(/\r\n/g, '\n')
  const parts = normalized.split(/\n\s*\n/)
  if (parts.length < 2) return text
  const first = parts[0]?.trim() ?? ''
  if (!looksLikeLeakedReasoningPrefix(first)) {
    return text
  }
  const remainder = parts.slice(1).join('\n\n').trim()
  return remainder || text
 }
--- a/src/services/api/thinkTagSanitizer.test.ts
+++ b/src/services/api/thinkTagSanitizer.test.ts
@@ -0,0 +1,183 @@
 import { describe, expect, test } from 'bun:test'
 import {
  createThinkTagFilter,
  stripThinkTags,
 } from './thinkTagSanitizer.ts'
 describe('stripThinkTags — whole-text cleanup', () => {
  test('strips closed think pair', () => {
    expect(stripThinkTags('<think>reasoning</think>Hello')).toBe('Hello')
  })
  test('strips closed thinking pair', () => {
    expect(stripThinkTags('<thinking>x</thinking>Out')).toBe('Out')
  })
  test('strips closed reasoning pair', () => {
    expect(stripThinkTags('<reasoning>x</reasoning>Out')).toBe('Out')
  })
  test('strips REASONING_SCRATCHPAD pair', () => {
    expect(stripThinkTags('<REASONING_SCRATCHPAD>plan</REASONING_SCRATCHPAD>Answer'))
      .toBe('Answer')
  })
  test('is case-insensitive', () => {
    expect(stripThinkTags('<THINKING>x</THINKING>out')).toBe('out')
    expect(stripThinkTags('<Think>x</Think>out')).toBe('out')
  })
  test('handles attributes on open tag', () => {
    expect(stripThinkTags('<think id="plan-1">reason</think>ok')).toBe('ok')
  })
  test('strips unterminated open tag at block boundary', () => {
    expect(stripThinkTags('<think>reasoning that never closes')).toBe('')
  })
  test('strips unterminated open tag after newline', () => {
    // Block-boundary match consumes the leading newline, same as hermes.
    expect(stripThinkTags('Answer: 42\n<think>second-guess myself'))
      .toBe('Answer: 42')
  })
  test('strips orphan close tag', () => {
    expect(stripThinkTags('trailing </think>done')).toBe('trailing done')
  })
  test('strips multiple blocks', () => {
    expect(stripThinkTags('<think>a</think>B<think>c</think>D')).toBe('BD')
  })
  test('handles reasoning mid-response after content', () => {
    expect(stripThinkTags('Answer: 42\n<think>double-check</think>\nDone'))
      .toBe('Answer: 42\n\nDone')
  })
  test('handles nested-looking tags (lazy match + orphan cleanup)', () => {
    expect(stripThinkTags('<think><think>x</think></think>y')).toBe('y')
  })
  test('preserves legitimate non-think tags', () => {
    expect(stripThinkTags('use <div> and <span>')).toBe('use <div> and <span>')
  })
  test('preserves text without any tags', () => {
    expect(stripThinkTags('Hello, world. I should respond briefly.')).toBe(
      'Hello, world. I should respond briefly.',
    )
  })
  test('handles empty input', () => {
    expect(stripThinkTags('')).toBe('')
  })
 })
 describe('createThinkTagFilter — streaming state machine', () => {
  test('passes through plain text', () => {
    const f = createThinkTagFilter()
    expect(f.feed('Hello, ')).toBe('Hello, ')
    expect(f.feed('world!')).toBe('world!')
    expect(f.flush()).toBe('')
  })
  test('strips a complete think block in one chunk', () => {
    const f = createThinkTagFilter()
    expect(f.feed('pre<think>reason</think>post')).toBe('prepost')
    expect(f.flush()).toBe('')
  })
  test('handles open tag split across deltas', () => {
    const f = createThinkTagFilter()
    expect(f.feed('before<th')).toBe('before')
    expect(f.feed('ink>reason</think>after')).toBe('after')
    expect(f.flush()).toBe('')
  })
  test('handles close tag split across deltas', () => {
    const f = createThinkTagFilter()
    expect(f.feed('<think>reason</th')).toBe('')
    expect(f.feed('ink>keep')).toBe('keep')
    expect(f.flush()).toBe('')
  })
  test('handles tag split on bare < boundary', () => {
    const f = createThinkTagFilter()
    expect(f.feed('leading <')).toBe('leading ')
    expect(f.feed('think>inner</think>tail')).toBe('tail')
    expect(f.flush()).toBe('')
  })
  test('preserves partial non-tag < at boundary when next char rules it out', () => {
    const f = createThinkTagFilter()
    // "<d" — 'd' cannot start any of our tag names, so emit immediately
    expect(f.feed('pre<d')).toBe('pre<d')
    expect(f.feed('iv>rest')).toBe('iv>rest')
    expect(f.flush()).toBe('')
  })
  test('case-insensitive streaming', () => {
    const f = createThinkTagFilter()
    expect(f.feed('<THINKING>x</THINKING>out')).toBe('out')
    expect(f.flush()).toBe('')
  })
  test('unterminated open tag — flush drops remainder', () => {
    const f = createThinkTagFilter()
    expect(f.feed('<think>reasoning with no close ')).toBe('')
    expect(f.feed('and more reasoning')).toBe('')
    expect(f.flush()).toBe('')
    expect(f.isInsideBlock()).toBe(false)
  })
  test('multiple blocks in single feed', () => {
    const f = createThinkTagFilter()
    expect(f.feed('<think>a</think>B<think>c</think>D')).toBe('BD')
    expect(f.flush()).toBe('')
  })
  test('flush after clean stream emits nothing extra', () => {
    const f = createThinkTagFilter()
    expect(f.feed('complete message')).toBe('complete message')
    expect(f.flush()).toBe('')
  })
  test('flush of bare < at end emits it (not a tag prefix)', () => {
    const f = createThinkTagFilter()
    // bare '<' held back; flush emits it since it has no tag-name chars
    expect(f.feed('x <')).toBe('x ')
    expect(f.flush()).toBe('<')
  })
  test('flush of partial tag-name prefix at end drops it', () => {
    const f = createThinkTagFilter()
    expect(f.feed('x <thi')).toBe('x ')
    expect(f.flush()).toBe('')
  })
  test('handles attributes on streaming open tag', () => {
    const f = createThinkTagFilter()
    expect(f.feed('<think type="plan">reason</think>ok')).toBe('ok')
    expect(f.flush()).toBe('')
  })
  test('mid-delta transition: content, reasoning, content', () => {
    const f = createThinkTagFilter()
    expect(f.feed('Answer: 42\n<think>')).toBe('Answer: 42\n')
    expect(f.feed('double-check')).toBe('')
    expect(f.feed('</think>\nDone')).toBe('\nDone')
    expect(f.flush()).toBe('')
  })
  test('orphan close tag mid-stream is stripped on flush via safety-net behavior', () => {
    // Filter alone treats orphan close as "we're not inside", so it emits as-is.
    // Safety net (stripThinkTags on final text) removes orphans.
    const f = createThinkTagFilter()
    const chunk1 = f.feed('trailing ')
    const chunk2 = f.feed('</think>done')
    const final = chunk1 + chunk2 + f.flush()
    // Orphan close appears in stream output; safety net cleans it
    expect(stripThinkTags(final)).toBe('trailing done')
  })
 })
--- a/src/services/api/thinkTagSanitizer.ts
+++ b/src/services/api/thinkTagSanitizer.ts
@@ -0,0 +1,162 @@
 /**
 * Think-tag sanitizer for reasoning content leaks.
 *
 * Some OpenAI-compatible reasoning models (MiniMax M2.7, GLM-4.5/5, DeepSeek, Kimi K2,
 * self-hosted vLLM builds) emit chain-of-thought inline inside the `content` field using
 * XML-like tags instead of the separate `reasoning_content` channel. Example:
 *
 *   <think>the user wants foo, let me check bar</think>Here is the answer: ...
 *
 * This module strips those blocks structurally (tag-based), independent of English
 * phrasings. Three layers:
 *
 *   1. `createThinkTagFilter()` — streaming state machine. Feeds deltas, emits only
 *      the visible (non-reasoning) portion, and buffers partial tags across chunk
 *      boundaries so `</th` + `ink>` still parses correctly.
 *
 *   2. `stripThinkTags()` — whole-text cleanup. Removes closed pairs, unterminated
 *      opens at block boundaries, and orphan open/close tags. Used for non-streaming
 *      responses and as a safety net after stream close.
 *
 *   3. Flush discards buffered partial tags at stream end (false-negative bias —
 *      prefer losing a partial reasoning fragment over leaking it).
 */
 const TAG_NAMES = [
  'think',
  'thinking',
  'reasoning',
  'thought',
  'reasoning_scratchpad',
 ] as const
 const TAG_ALT = TAG_NAMES.join('|')
 const OPEN_TAG_RE = new RegExp(`<\\s*(?:${TAG_ALT})\\b[^>]*>`, 'i')
 const CLOSE_TAG_RE = new RegExp(`<\\s*/\\s*(?:${TAG_ALT})\\s*>`, 'i')
 const CLOSED_PAIR_RE_G = new RegExp(
  `<\\s*(${TAG_ALT})\\b[^>]*>[\\s\\S]*?<\\s*/\\s*\\1\\s*>`,
  'gi',
 )
 const UNTERMINATED_OPEN_RE = new RegExp(
  `(?:^|\\n)[ \\t]*<\\s*(?:${TAG_ALT})\\b[^>]*>[\\s\\S]*$`,
  'i',
 )
 const ORPHAN_TAG_RE_G = new RegExp(
  `<\\s*/?\\s*(?:${TAG_ALT})\\b[^>]*>\\s*`,
  'gi',
 )
 const MAX_PARTIAL_TAG = 64
 /**
 * Remove reasoning/thinking blocks from a complete text body.
 *
 * Handles:
 *   - Closed pairs: <think>...</think> (lazy match, anywhere in text)
 *   - Unterminated open tags at a block boundary: strips from the tag to end of string
 *   - Orphan open or close tags (no matching partner)
 *
 * False-negative bias: prefers leaving a few tag characters in rare edge cases over
 * stripping legitimate content.
 */
 export function stripThinkTags(text: string): string {
  if (!text) return text
  let out = text
  out = out.replace(CLOSED_PAIR_RE_G, '')
  out = out.replace(UNTERMINATED_OPEN_RE, '')
  out = out.replace(ORPHAN_TAG_RE_G, '')
  return out
 }
 export interface ThinkTagFilter {
  feed(chunk: string): string
  flush(): string
  isInsideBlock(): boolean
 }
 /**
 * Streaming state machine. Feed deltas, emits visible (non-reasoning) text.
 * Handles tags split across chunk boundaries by holding back a short tail buffer
 * whenever the current buffer ends with what looks like a partial tag.
 */
 export function createThinkTagFilter(): ThinkTagFilter {
  let inside = false
  let buffer = ''
  function findPartialTagStart(s: string): number {
    const lastLt = s.lastIndexOf('<')
    if (lastLt === -1) return -1
    if (s.indexOf('>', lastLt) !== -1) return -1
    const tail = s.slice(lastLt)
    if (tail.length > MAX_PARTIAL_TAG) return -1
    const m = /^<\s*\/?\s*([a-zA-Z_]\w*)?\s*$/.exec(tail)
    if (!m) return -1
    const partialName = (m[1] ?? '').toLowerCase()
    if (!partialName) return lastLt
    if (TAG_NAMES.some(name => name.startsWith(partialName))) return lastLt
    return -1
  }
  function feed(chunk: string): string {
    if (!chunk) return ''
    buffer += chunk
    let out = ''
    while (buffer.length > 0) {
      if (!inside) {
        const open = OPEN_TAG_RE.exec(buffer)
        if (open) {
          out += buffer.slice(0, open.index)
          buffer = buffer.slice(open.index + open[0].length)
          inside = true
          continue
        }
        const partialStart = findPartialTagStart(buffer)
        if (partialStart === -1) {
          out += buffer
          buffer = ''
        } else {
          out += buffer.slice(0, partialStart)
          buffer = buffer.slice(partialStart)
        }
        return out
      }
      const close = CLOSE_TAG_RE.exec(buffer)
      if (close) {
        buffer = buffer.slice(close.index + close[0].length)
        inside = false
        continue
      }
      const partialStart = findPartialTagStart(buffer)
      if (partialStart === -1) {
        buffer = ''
      } else {
        buffer = buffer.slice(partialStart)
      }
      return out
    }
    return out
  }
  function flush(): string {
    const held = buffer
    const wasInside = inside
    buffer = ''
    inside = false
    if (wasInside) return ''
    if (!held) return ''
    if (/^<\s*\/?\s*[a-zA-Z_]/.test(held)) return ''
    return held
  }
  return { feed, flush, isInsideBlock: () => inside }
 }
--- a/src/services/autoFix/autoFixRunner.test.ts
+++ b/src/services/autoFix/autoFixRunner.test.ts
@@ -70,7 +70,7 @@ describe('runAutoFixCheck', () => {
  test('handles timeout gracefully', async () => {
    const result = await runAutoFixCheck({
-      lint: 'sleep 10',
+      lint: 'node -e "setTimeout(() => {}, 10000)"',
      timeout: 100,
      cwd: '/tmp',
--- a/src/services/autoFix/autoFixRunner.ts
+++ b/src/services/autoFix/autoFixRunner.ts
@@ -46,14 +46,31 @@ async function runCommand(
    const killTree = () => {
      try {
-        if (!isWindows && proc.pid) {
+        if (isWindows && proc.pid) {
          // shell=true on Windows can leave child commands running unless we
          // terminate the full process tree.
          const killer = spawn('taskkill', ['/pid', String(proc.pid), '/T', '/F'], {
            windowsHide: true,
            stdio: 'ignore',
          })
          killer.unref()
          return
        }
        if (proc.pid) {
          // Kill the entire process group
          process.kill(-proc.pid, 'SIGTERM')
-        } else {
+          return
          proc.kill('SIGTERM')
        }
        proc.kill('SIGTERM')
      } catch {
-        // Process may have already exited
+        // Process may have already exited; fallback to direct child kill.
        try {
          proc.kill('SIGTERM')
        } catch {
          // Ignore final fallback errors.
        }
      }
    }
--- a/src/services/compact/autoCompact.ts
+++ b/src/services/compact/autoCompact.ts
@@ -110,9 +110,14 @@ export function calculateTokenWarningState(
    ? autoCompactThreshold
    : getEffectiveContextWindowSize(model)
  // Use the raw context window (without output reservation) for the percentage
  // display, so users see remaining context relative to the model's full capacity.
  // The threshold (which subtracts buffer) should only affect when we warn/compact,
  // not what percentage we display.
  const rawContextWindow = getContextWindowForModel(model, getSdkBetas())
  const percentLeft = Math.max(
    0,
-    Math.round(((threshold - tokenUsage) / threshold) * 100),
+    Math.round(((rawContextWindow - tokenUsage) / rawContextWindow) * 100),
  )
  const warningThreshold = threshold - WARNING_THRESHOLD_BUFFER_TOKENS
--- a/src/services/diagnosticTracking.test.ts
+++ b/src/services/diagnosticTracking.test.ts
@@ -0,0 +1,152 @@
 import { describe, test, expect, beforeEach, afterEach } from 'bun:test'
 import { DiagnosticTrackingService } from './diagnosticTracking.js'
 import type { MCPServerConnection } from './mcp/types.js'
 // Mock the IDE client utility
 const mockGetConnectedIdeClient = (clients: MCPServerConnection[]) => 
  clients.find(client => client.type === 'connected')
 describe('DiagnosticTrackingService', () => {
  let service: DiagnosticTrackingService
  let mockClients: MCPServerConnection[]
  let mockIdeClient: MCPServerConnection
  beforeEach(() => {
    // Get fresh instance for each test
    service = DiagnosticTrackingService.getInstance()
    // Setup mock clients
    mockIdeClient = {
      type: 'connected',
      name: 'test-ide',
      capabilities: {},
      config: {},
      cleanup: async () => {},
      client: {
        request: async () => ({}),
        setNotificationHandler: () => {},
        close: async () => {},
      },
    } as unknown as MCPServerConnection
    mockClients = [
      { type: 'disconnected', name: 'test-disconnected', config: {} } as unknown as MCPServerConnection,
      mockIdeClient,
    ]
  })
  afterEach(async () => {
    await service.shutdown()
  })
  describe('handleQueryStart', () => {
    test('should store MCP clients and initialize service', async () => {
      await service.handleQueryStart(mockClients)
      // Service should be initialized
      expect(service).toBeDefined()
      // Should be able to get IDE client from stored clients
      // We can't directly test private methods, but we can test the behavior
      const result = await service.getNewDiagnosticsCompat()
      expect(result).toEqual([]) // Should return empty when no diagnostics
    })
    test('should reset service if already initialized', async () => {
      // Initialize first
      await service.handleQueryStart(mockClients)
      // Call again - should reset without error
      await service.handleQueryStart(mockClients)
      // Should still work
      const result = await service.getNewDiagnosticsCompat()
      expect(result).toEqual([])
    })
  })
  describe('backward-compatible methods', () => {
    beforeEach(async () => {
      await service.handleQueryStart(mockClients)
    })
    test('beforeFileEditedCompat should work without explicit client', async () => {
      // Should not throw error and should return undefined when no IDE client
      const result = await service.beforeFileEditedCompat('/test/file.ts')
      expect(result).toBeUndefined()
    })
    test('getNewDiagnosticsCompat should work without explicit client', async () => {
      const result = await service.getNewDiagnosticsCompat()
      expect(Array.isArray(result)).toBe(true)
    })
    test('ensureFileOpenedCompat should work without explicit client', async () => {
      const result = await service.ensureFileOpenedCompat('/test/file.ts')
      expect(result).toBeUndefined()
    })
  })
  describe('new explicit client methods', () => {
    test('beforeFileEdited should require client parameter', async () => {
      // Should not work without client
      const result = await service.beforeFileEdited('/test/file.ts', undefined as any)
      expect(result).toBeUndefined()
    })
    test('getNewDiagnostics should require client parameter', async () => {
      // Should not work without client
      const result = await service.getNewDiagnostics(undefined as any)
      expect(result).toEqual([])
    })
    test('ensureFileOpened should require client parameter', async () => {
      // Should not work without client
      const result = await service.ensureFileOpened('/test/file.ts', undefined as any)
      expect(result).toBeUndefined()
    })
  })
  describe('shutdown', () => {
    test('should clear stored clients on shutdown', async () => {
      await service.handleQueryStart(mockClients)
      // Verify service is working
      const beforeResult = await service.getNewDiagnosticsCompat()
      expect(Array.isArray(beforeResult)).toBe(true)
      // Shutdown
      await service.shutdown()
      // After shutdown, compat methods should return empty results
      const afterResult = await service.getNewDiagnosticsCompat()
      expect(afterResult).toEqual([])
    })
  })
  describe('integration with existing functionality', () => {
    test('should maintain existing diagnostic tracking behavior', async () => {
      await service.handleQueryStart(mockClients)
      // Test baseline tracking
      await service.beforeFileEditedCompat('/test/file.ts')
      // Test getting new diagnostics (should be empty since no IDE client is actually connected)
      const newDiagnostics = await service.getNewDiagnosticsCompat()
      expect(Array.isArray(newDiagnostics)).toBe(true)
    })
    test('should handle missing IDE client gracefully', async () => {
      // Test with no connected clients
      const noIdeClients = [
        { type: 'disconnected', name: 'test-disconnected-2', config: {} } as unknown as MCPServerConnection,
      ]
      await service.handleQueryStart(noIdeClients)
      // Should handle gracefully
      const result = await service.getNewDiagnosticsCompat()
      expect(result).toEqual([])
    })
  })
 })
--- a/src/services/diagnosticTracking.ts
+++ b/src/services/diagnosticTracking.ts
@@ -32,7 +32,7 @@ export class DiagnosticTrackingService {
  private baseline: Map<string, Diagnostic[]> = new Map()
  private initialized = false
-  private mcpClient: MCPServerConnection | undefined
+  private currentMcpClients: MCPServerConnection[] = []
  // Track when files were last processed/fetched
  private lastProcessedTimestamps: Map<string, number> = new Map()
@@ -48,18 +48,17 @@ export class DiagnosticTrackingService {
    return DiagnosticTrackingService.instance
  }
-  initialize(mcpClient: MCPServerConnection) {
+  initialize() {
    if (this.initialized) {
      return
    }
    // TODO: Do not cache the connected mcpClient since it can change.
    this.mcpClient = mcpClient
    this.initialized = true
  }
  async shutdown(): Promise<void> {
    this.initialized = false
    this.currentMcpClients = []
    this.baseline.clear()
    this.rightFileDiagnosticsState.clear()
    this.lastProcessedTimestamps.clear()
@@ -75,6 +74,46 @@ export class DiagnosticTrackingService {
    this.lastProcessedTimestamps.clear()
  }
  /**
   * Get the current IDE client from stored MCP clients
   */
  private getCurrentIdeClient(): MCPServerConnection | undefined {
    return getConnectedIdeClient(this.currentMcpClients)
  }
  /**
   * Backward-compatible method that uses stored IDE client
   */
  async beforeFileEditedCompat(filePath: string): Promise<void> {
    const ideClient = this.getCurrentIdeClient()
    if (!ideClient) {
      return
    }
    return await this.beforeFileEdited(filePath, ideClient)
  }
  /**
   * Backward-compatible method that uses stored IDE client
   */
  async getNewDiagnosticsCompat(): Promise<DiagnosticFile[]> {
    const ideClient = this.getCurrentIdeClient()
    if (!ideClient) {
      return []
    }
    return await this.getNewDiagnostics(ideClient)
  }
  /**
   * Backward-compatible method that uses stored IDE client
   */
  async ensureFileOpenedCompat(fileUri: string): Promise<void> {
    const ideClient = this.getCurrentIdeClient()
    if (!ideClient) {
      return
    }
    return await this.ensureFileOpened(fileUri, ideClient)
  }
  private normalizeFileUri(fileUri: string): string {
    // Remove our protocol prefixes
    const protocolPrefixes = [
@@ -100,11 +139,11 @@ export class DiagnosticTrackingService {
   * Ensure a file is opened in the IDE before processing.
   * This is important for language services like diagnostics to work properly.
   */
-  async ensureFileOpened(fileUri: string): Promise<void> {
+  async ensureFileOpened(fileUri: string, mcpClient: MCPServerConnection): Promise<void> {
    if (
      !this.initialized ||
-      !this.mcpClient ||
+      !mcpClient ||
-      this.mcpClient.type !== 'connected'
+      mcpClient.type !== 'connected'
    ) {
      return
    }
@@ -121,7 +160,7 @@ export class DiagnosticTrackingService {
          selectToEndOfLine: false,
          makeFrontmost: false,
        },
-        this.mcpClient,
+        mcpClient,
      )
    } catch (error) {
      logError(error as Error)
@@ -132,11 +171,11 @@ export class DiagnosticTrackingService {
   * Capture baseline diagnostics for a specific file before editing.
   * This is called before editing a file to ensure we have a baseline to compare against.
   */
-  async beforeFileEdited(filePath: string): Promise<void> {
+  async beforeFileEdited(filePath: string, mcpClient: MCPServerConnection): Promise<void> {
    if (
      !this.initialized ||
-      !this.mcpClient ||
+      !mcpClient ||
-      this.mcpClient.type !== 'connected'
+      mcpClient.type !== 'connected'
    ) {
      return
    }
@@ -147,7 +186,7 @@ export class DiagnosticTrackingService {
      const result = await callIdeRpc(
        'getDiagnostics',
        { uri: `file://${filePath}` },
-        this.mcpClient,
+        mcpClient,
      )
      const diagnosticFile = this.parseDiagnosticResult(result)[0]
      if (diagnosticFile) {
@@ -185,11 +224,11 @@ export class DiagnosticTrackingService {
   * Get new diagnostics from file://, _claude_fs_right, and _claude_fs_ URIs that aren't in the baseline.
   * Only processes diagnostics for files that have been edited.
   */
-  async getNewDiagnostics(): Promise<DiagnosticFile[]> {
+  async getNewDiagnostics(mcpClient: MCPServerConnection): Promise<DiagnosticFile[]> {
    if (
      !this.initialized ||
-      !this.mcpClient ||
+      !mcpClient ||
-      this.mcpClient.type !== 'connected'
+      mcpClient.type !== 'connected'
    ) {
      return []
    }
@@ -200,7 +239,7 @@ export class DiagnosticTrackingService {
      const result = await callIdeRpc(
        'getDiagnostics',
        {}, // Empty params fetches all diagnostics
-        this.mcpClient,
+        mcpClient,
      )
      allDiagnosticFiles = this.parseDiagnosticResult(result)
    } catch (_error) {
@@ -328,13 +367,16 @@ export class DiagnosticTrackingService {
   * @param shouldQuery Whether a query is actually being made (not just a command)
   */
  async handleQueryStart(clients: MCPServerConnection[]): Promise<void> {
    // Store the current MCP clients for later use
    this.currentMcpClients = clients
    // Only proceed if we should query and have clients
    if (!this.initialized) {
      // Find the connected IDE client
      const connectedIdeClient = getConnectedIdeClient(clients)
      if (connectedIdeClient) {
-        this.initialize(connectedIdeClient)
+        this.initialize()
      }
    } else {
      // Reset diagnostic tracking for new query loops
--- a/src/services/mcp/auth.test.ts
+++ b/src/services/mcp/auth.test.ts
@@ -0,0 +1,61 @@
 import assert from 'node:assert/strict'
 import test from 'node:test'
 import { validateOAuthCallbackParams } from './auth.js'
 test('OAuth callback rejects error parameters before state validation can be bypassed', () => {
  const result = validateOAuthCallbackParams(
    {
      error: 'access_denied',
      error_description: 'denied by provider',
    },
    'expected-state',
  )
  assert.deepEqual(result, { type: 'state_mismatch' })
 })
 test('OAuth callback accepts provider errors only when state matches', () => {
  const result = validateOAuthCallbackParams(
    {
      state: 'expected-state',
      error: 'access_denied',
      error_description: 'denied by provider',
      error_uri: 'https://example.test/error',
    },
    'expected-state',
  )
  assert.deepEqual(result, {
    type: 'error',
    error: 'access_denied',
    errorDescription: 'denied by provider',
    errorUri: 'https://example.test/error',
    message:
      'OAuth error: access_denied - denied by provider (See: https://example.test/error)',
  })
 })
 test('OAuth callback accepts authorization codes only when state matches', () => {
  assert.deepEqual(
    validateOAuthCallbackParams(
      {
        state: 'expected-state',
        code: 'auth-code',
      },
      'expected-state',
    ),
    { type: 'code', code: 'auth-code' },
  )
  assert.deepEqual(
    validateOAuthCallbackParams(
      {
        state: 'wrong-state',
        code: 'auth-code',
      },
      'expected-state',
    ),
    { type: 'state_mismatch' },
  )
 })
--- a/src/services/mcp/auth.ts
+++ b/src/services/mcp/auth.ts
@@ -124,6 +124,74 @@ function redactSensitiveUrlParams(url: string): string {
  }
 }
 type OAuthCallbackParamValue = string | string[] | null | undefined
 type OAuthCallbackValidationResult =
  | { type: 'code'; code: string }
  | {
      type: 'error'
      error: string
      errorDescription: string
      errorUri: string
      message: string
    }
  | { type: 'missing_result' }
  | { type: 'state_mismatch' }
 function getFirstOAuthCallbackParam(
  value: OAuthCallbackParamValue,
 ): string | undefined {
  if (Array.isArray(value)) {
    return value.find(item => item.length > 0)
  }
  return value && value.length > 0 ? value : undefined
 }
 export function validateOAuthCallbackParams(
  params: {
    code?: OAuthCallbackParamValue
    state?: OAuthCallbackParamValue
    error?: OAuthCallbackParamValue
    error_description?: OAuthCallbackParamValue
    error_uri?: OAuthCallbackParamValue
  },
  oauthState: string,
 ): OAuthCallbackValidationResult {
  const code = getFirstOAuthCallbackParam(params.code)
  const state = getFirstOAuthCallbackParam(params.state)
  const error = getFirstOAuthCallbackParam(params.error)
  const errorDescription =
    getFirstOAuthCallbackParam(params.error_description) ?? ''
  const errorUri = getFirstOAuthCallbackParam(params.error_uri) ?? ''
  if (state !== oauthState) {
    return { type: 'state_mismatch' }
  }
  if (error) {
    let message = `OAuth error: ${error}`
    if (errorDescription) {
      message += ` - ${errorDescription}`
    }
    if (errorUri) {
      message += ` (See: ${errorUri})`
    }
    return {
      type: 'error',
      error,
      errorDescription,
      errorUri,
      message,
    }
  }
  if (code) {
    return { type: 'code', code }
  }
  return { type: 'missing_result' }
 }
 /**
 * Some OAuth servers (notably Slack) return HTTP 200 for all responses,
 * signaling errors via the JSON body instead. The SDK's executeTokenRequest
@@ -1058,30 +1126,31 @@ export async function performMCPOAuthFlow(
        options.onWaitingForCallback((callbackUrl: string) => {
          try {
            const parsed = new URL(callbackUrl)
-            const code = parsed.searchParams.get('code')
+            const result = validateOAuthCallbackParams(
-            const state = parsed.searchParams.get('state')
+              {
-            const error = parsed.searchParams.get('error')
+                code: parsed.searchParams.get('code'),
                state: parsed.searchParams.get('state'),
                error: parsed.searchParams.get('error'),
                error_description:
                  parsed.searchParams.get('error_description'),
                error_uri: parsed.searchParams.get('error_uri'),
              },
              oauthState,
            )
-            if (error) {
+            if (result.type === 'state_mismatch') {
-              const errorDescription =
+              // Ignore so a stray or malicious URL cannot cancel an active flow.
                parsed.searchParams.get('error_description') || ''
              cleanup()
              rejectOnce(
                new Error(`OAuth error: ${error} - ${errorDescription}`),
              )
              return
            }
-            if (!code) {
+            if (result.type === 'missing_result') {
-              // Not a valid callback URL, ignore so the user can try again
+              // Not a valid callback URL, ignore so the user can try again.
              return
            }
-            if (state !== oauthState) {
+            if (result.type === 'error') {
              cleanup()
-              rejectOnce(
+              rejectOnce(new Error(result.message))
                new Error('OAuth state mismatch - possible CSRF attack'),
              )
              return
            }
@@ -1090,7 +1159,7 @@ export async function performMCPOAuthFlow(
              `Received auth code via manual callback URL`,
            )
            cleanup()
-            resolveOnce(code)
+            resolveOnce(result.code)
          } catch {
            // Invalid URL, ignore so the user can try again
          }
@@ -1101,53 +1170,49 @@ export async function performMCPOAuthFlow(
        const parsedUrl = parse(req.url || '', true)
        if (parsedUrl.pathname === '/callback') {
-          const code = parsedUrl.query.code as string
+          const result = validateOAuthCallbackParams(
-          const state = parsedUrl.query.state as string
+            parsedUrl.query,
-          const error = parsedUrl.query.error
+            oauthState,
-          const errorDescription = parsedUrl.query.error_description as string
+          )
          const errorUri = parsedUrl.query.error_uri as string
          // Validate OAuth state to prevent CSRF attacks
-          if (!error && state !== oauthState) {
+          if (result.type === 'state_mismatch') {
            res.writeHead(400, { 'Content-Type': 'text/html' })
            res.end(
              `<h1>Authentication Error</h1><p>Invalid state parameter. Please try again.</p><p>You can close this window.</p>`,
            )
            cleanup()
            rejectOnce(new Error('OAuth state mismatch - possible CSRF attack'))
            return
          }
-          if (error) {
+          if (result.type === 'missing_result') {
            res.writeHead(400, { 'Content-Type': 'text/html' })
            res.end(
              `<h1>Authentication Error</h1><p>Missing OAuth result. Please try again.</p><p>You can close this window.</p>`,
            )
            return
          }
          if (result.type === 'error') {
            res.writeHead(200, { 'Content-Type': 'text/html' })
            // Sanitize error messages to prevent XSS
-            const sanitizedError = xss(String(error))
+            const sanitizedError = xss(result.error)
-            const sanitizedErrorDescription = errorDescription
+            const sanitizedErrorDescription = result.errorDescription
-              ? xss(String(errorDescription))
+              ? xss(result.errorDescription)
              : ''
            res.end(
              `<h1>Authentication Error</h1><p>${sanitizedError}: ${sanitizedErrorDescription}</p><p>You can close this window.</p>`,
            )
            cleanup()
-            let errorMessage = `OAuth error: ${error}`
+            rejectOnce(new Error(result.message))
            if (errorDescription) {
              errorMessage += ` - ${errorDescription}`
            }
            if (errorUri) {
              errorMessage += ` (See: ${errorUri})`
            }
            rejectOnce(new Error(errorMessage))
            return
          }
-          if (code) {
+          res.writeHead(200, { 'Content-Type': 'text/html' })
-            res.writeHead(200, { 'Content-Type': 'text/html' })
+          res.end(
-            res.end(
+            `<h1>Authentication Successful</h1><p>You can close this window. Return to Claude Code.</p>`,
-              `<h1>Authentication Successful</h1><p>You can close this window. Return to Claude Code.</p>`,
+          )
-            )
+          cleanup()
-            cleanup()
+          resolveOnce(result.code)
            resolveOnce(code)
          }
        }
      })
--- a/src/services/mcp/client.ts
+++ b/src/services/mcp/client.ts
@@ -2524,7 +2524,7 @@ export async function transformResultContent(
      return [
        {
          type: 'text',
-          text: resultContent.text,
+          text: recursivelySanitizeUnicode(resultContent.text) as string,
        },
      ]
    case 'audio': {
@@ -2569,7 +2569,9 @@ export async function transformResultContent(
        return [
          {
            type: 'text',
-            text: `${prefix}${resource.text}`,
+            text: recursivelySanitizeUnicode(
              `${prefix}${resource.text}`,
            ) as string,
          },
        ]
      } else if ('blob' in resource) {
--- a/src/services/wiki/init.test.ts
+++ b/src/services/wiki/init.test.ts
@@ -26,10 +26,10 @@ test('initializeWiki creates the expected wiki scaffold', async () => {
  expect(result.alreadyExisted).toBe(false)
  expect(result.createdFiles).toEqual([
-    '.openclaude/wiki/schema.md',
+    join('.openclaude', 'wiki', 'schema.md'),
-    '.openclaude/wiki/index.md',
+    join('.openclaude', 'wiki', 'index.md'),
-    '.openclaude/wiki/log.md',
+    join('.openclaude', 'wiki', 'log.md'),
-    '.openclaude/wiki/pages/architecture.md',
+    join('.openclaude', 'wiki', 'pages', 'architecture.md'),
  ])
  expect(await readFile(paths.schemaFile, 'utf8')).toContain(
    '# OpenClaude Wiki Schema',
--- a/src/tools/BashTool/BashTool.tsx
+++ b/src/tools/BashTool/BashTool.tsx
@@ -240,21 +240,28 @@ For commands that are harder to parse at a glance (piped commands, obscure flags
 - curl -s url | jq '.data[]' → "Fetch JSON from URL and extract data array elements"`),
  run_in_background: semanticBoolean(z.boolean().optional()).describe(`Set to true to run this command in the background. Use Read to read the output later.`),
  dangerouslyDisableSandbox: semanticBoolean(z.boolean().optional()).describe('Set this to true to dangerously override sandbox mode and run commands without sandboxing.'),
  _dangerouslyDisableSandboxApproved: z.boolean().optional().describe('Internal: user-approved sandbox override'),
  _simulatedSedEdit: z.object({
    filePath: z.string(),
    newContent: z.string()
  }).optional().describe('Internal: pre-computed sed edit result from preview')
 }));
-// Always omit _simulatedSedEdit from the model-facing schema. It is an internal-only
+// Always omit internal-only fields from the model-facing schema.
-// field set by SedEditPermissionRequest after the user approves a sed edit preview.
+// _simulatedSedEdit is set by SedEditPermissionRequest after the user approves a
-// Exposing it in the schema would let the model bypass permission checks and the
+// sed edit preview; exposing it would let the model bypass permission checks and
-// sandbox by pairing an innocuous command with an arbitrary file write.
+// the sandbox by pairing an innocuous command with an arbitrary file write.
 // dangerouslyDisableSandbox is also omitted because sandbox escape must be tied
 // to trusted user/internal provenance, not model-controlled tool input.
 // Also conditionally remove run_in_background when background tasks are disabled.
 const inputSchema = lazySchema(() => isBackgroundTasksDisabled ? fullInputSchema().omit({
  run_in_background: true,
  dangerouslyDisableSandbox: true,
  _dangerouslyDisableSandboxApproved: true,
  _simulatedSedEdit: true
 }) : fullInputSchema().omit({
  dangerouslyDisableSandbox: true,
  _dangerouslyDisableSandboxApproved: true,
  _simulatedSedEdit: true
 }));
 type InputSchema = ReturnType<typeof inputSchema>;
--- a/src/tools/BashTool/bashPermissions.test.ts
+++ b/src/tools/BashTool/bashPermissions.test.ts
@@ -0,0 +1,59 @@
 import { afterEach, expect, test } from 'bun:test'
 import { getEmptyToolPermissionContext } from '../../Tool.js'
 import { SandboxManager } from '../../utils/sandbox/sandbox-adapter.js'
 import { bashToolHasPermission } from './bashPermissions.js'
 const originalSandboxMethods = {
  isSandboxingEnabled: SandboxManager.isSandboxingEnabled,
  isAutoAllowBashIfSandboxedEnabled:
    SandboxManager.isAutoAllowBashIfSandboxedEnabled,
  areUnsandboxedCommandsAllowed: SandboxManager.areUnsandboxedCommandsAllowed,
  getExcludedCommands: SandboxManager.getExcludedCommands,
 }
 afterEach(() => {
  SandboxManager.isSandboxingEnabled =
    originalSandboxMethods.isSandboxingEnabled
  SandboxManager.isAutoAllowBashIfSandboxedEnabled =
    originalSandboxMethods.isAutoAllowBashIfSandboxedEnabled
  SandboxManager.areUnsandboxedCommandsAllowed =
    originalSandboxMethods.areUnsandboxedCommandsAllowed
  SandboxManager.getExcludedCommands = originalSandboxMethods.getExcludedCommands
 })
 function makeToolUseContext() {
  const toolPermissionContext = getEmptyToolPermissionContext()
  return {
    abortController: new AbortController(),
    options: {
      isNonInteractiveSession: false,
    },
    getAppState() {
      return {
        toolPermissionContext,
      }
    },
  } as never
 }
 test('sandbox auto-allow still enforces Bash path constraints', async () => {
  ;(globalThis as unknown as { MACRO: { VERSION: string } }).MACRO = {
    VERSION: 'test',
  }
  SandboxManager.isSandboxingEnabled = () => true
  SandboxManager.isAutoAllowBashIfSandboxedEnabled = () => true
  SandboxManager.areUnsandboxedCommandsAllowed = () => true
  SandboxManager.getExcludedCommands = () => []
  const result = await bashToolHasPermission(
    { command: 'cat ../../../../../etc/passwd' },
    makeToolUseContext(),
  )
  expect(result.behavior).toBe('ask')
  expect(result.message).toContain('was blocked')
  expect(result.message).toContain('/etc/passwd')
 })
--- a/src/tools/BashTool/bashPermissions.ts
+++ b/src/tools/BashTool/bashPermissions.ts
@@ -1814,7 +1814,10 @@ export async function bashToolHasPermission(
      input,
      appState.toolPermissionContext,
    )
-    if (sandboxAutoAllowResult.behavior !== 'passthrough') {
+    if (
      sandboxAutoAllowResult.behavior === 'deny' ||
      sandboxAutoAllowResult.behavior === 'ask'
    ) {
      return sandboxAutoAllowResult
    }
  }
--- a/src/tools/BashTool/prompt.ts
+++ b/src/tools/BashTool/prompt.ts
@@ -179,9 +179,6 @@ function getSimpleSandboxSection(): string {
  const networkRestrictionConfig = SandboxManager.getNetworkRestrictionConfig()
  const allowUnixSockets = SandboxManager.getAllowUnixSockets()
  const ignoreViolations = SandboxManager.getIgnoreViolations()
  const allowUnsandboxedCommands =
    SandboxManager.areUnsandboxedCommandsAllowed()
  // Replace the per-UID temp dir literal (e.g. /private/tmp/claude-1001/) with
  // "$TMPDIR" so the prompt is identical across users — avoids busting the
  // cross-user global prompt cache. The sandbox already sets $TMPDIR at runtime.
@@ -225,38 +222,9 @@ function getSimpleSandboxSection(): string {
    )
  }
  const sandboxOverrideItems: Array<string | string[]> =
    allowUnsandboxedCommands
      ? [
          'You should always default to running commands within the sandbox. Do NOT attempt to set `dangerouslyDisableSandbox: true` unless:',
          [
            'The user *explicitly* asks you to bypass sandbox',
            'A specific command just failed and you see evidence of sandbox restrictions causing the failure. Note that commands can fail for many reasons unrelated to the sandbox (missing files, wrong arguments, network issues, etc.).',
          ],
          'Evidence of sandbox-caused failures includes:',
          [
            '"Operation not permitted" errors for file/network operations',
            'Access denied to specific paths outside allowed directories',
            'Network connection failures to non-whitelisted hosts',
            'Unix socket connection errors',
          ],
          'When you see evidence of sandbox-caused failure:',
          [
            "Immediately retry with `dangerouslyDisableSandbox: true` (don't ask, just do it)",
            'Briefly explain what sandbox restriction likely caused the failure. Be sure to mention that the user can use the `/sandbox` command to manage restrictions.',
            'This will prompt the user for permission',
          ],
          'Treat each command you execute with `dangerouslyDisableSandbox: true` individually. Even if you have recently run a command with this setting, you should default to running future commands within the sandbox.',
          'Do not suggest adding sensitive paths like ~/.bashrc, ~/.zshrc, ~/.ssh/*, or credential files to the sandbox allowlist.',
        ]
      : [
          'All commands MUST run in sandbox mode - the `dangerouslyDisableSandbox` parameter is disabled by policy.',
          'Commands cannot run outside the sandbox under any circumstances.',
          'If a command fails due to sandbox restrictions, work with the user to adjust sandbox settings instead.',
        ]
  const items: Array<string | string[]> = [
-    ...sandboxOverrideItems,
+    'Commands MUST run in sandbox mode. If a command fails due to sandbox restrictions, explain the likely restriction and work with the user to adjust sandbox settings or run an explicit user-initiated shell command.',
    'Do not suggest adding sensitive paths like ~/.bashrc, ~/.zshrc, ~/.ssh/*, or credential files to the sandbox allowlist.',
    'For temporary files, always use the `$TMPDIR` environment variable. TMPDIR is automatically set to the correct sandbox-writable directory in sandbox mode. Do NOT use `/tmp` directly - use `$TMPDIR` instead.',
  ]
--- a/src/tools/BashTool/shouldUseSandbox.test.ts
+++ b/src/tools/BashTool/shouldUseSandbox.test.ts
@@ -0,0 +1,74 @@
 import { afterEach, expect, test } from 'bun:test'
 import { SandboxManager } from '../../utils/sandbox/sandbox-adapter.js'
 import { BashTool } from './BashTool.js'
 import { PowerShellTool } from '../PowerShellTool/PowerShellTool.js'
 import { shouldUseSandbox } from './shouldUseSandbox.js'
 const originalSandboxMethods = {
  isSandboxingEnabled: SandboxManager.isSandboxingEnabled,
  areUnsandboxedCommandsAllowed: SandboxManager.areUnsandboxedCommandsAllowed,
 }
 afterEach(() => {
  SandboxManager.isSandboxingEnabled =
    originalSandboxMethods.isSandboxingEnabled
  SandboxManager.areUnsandboxedCommandsAllowed =
    originalSandboxMethods.areUnsandboxedCommandsAllowed
 })
 test('model-facing Bash schema rejects dangerouslyDisableSandbox', () => {
  const result = BashTool.inputSchema.safeParse({
    command: 'cat /etc/passwd',
    dangerouslyDisableSandbox: true,
  })
  expect(result.success).toBe(false)
 })
 test('model-facing PowerShell schema rejects dangerouslyDisableSandbox', () => {
  const result = PowerShellTool.inputSchema.safeParse({
    command: 'Get-Content C:\\Windows\\System32\\drivers\\etc\\hosts',
    dangerouslyDisableSandbox: true,
  })
  expect(result.success).toBe(false)
 })
 test('model-controlled dangerouslyDisableSandbox does not bypass sandbox', () => {
  SandboxManager.isSandboxingEnabled = () => true
  SandboxManager.areUnsandboxedCommandsAllowed = () => true
  expect(
    shouldUseSandbox({
      command: 'cat /etc/passwd',
      dangerouslyDisableSandbox: true,
    }),
  ).toBe(true)
 })
 test('trusted internal approval can disable sandbox when policy allows it', () => {
  SandboxManager.isSandboxingEnabled = () => true
  SandboxManager.areUnsandboxedCommandsAllowed = () => true
  expect(
    shouldUseSandbox({
      command: 'cat /etc/passwd',
      dangerouslyDisableSandbox: true,
      _dangerouslyDisableSandboxApproved: true,
    }),
  ).toBe(false)
 })
 test('trusted internal approval cannot disable sandbox when policy forbids it', () => {
  SandboxManager.isSandboxingEnabled = () => true
  SandboxManager.areUnsandboxedCommandsAllowed = () => false
  expect(
    shouldUseSandbox({
      command: 'cat /etc/passwd',
      dangerouslyDisableSandbox: true,
      _dangerouslyDisableSandboxApproved: true,
    }),
  ).toBe(true)
 })
--- a/src/tools/BashTool/shouldUseSandbox.ts
+++ b/src/tools/BashTool/shouldUseSandbox.ts
@@ -13,6 +13,7 @@ import {
 type SandboxInput = {
  command?: string
  dangerouslyDisableSandbox?: boolean
  _dangerouslyDisableSandboxApproved?: boolean
 }
 // NOTE: excludedCommands is a user-facing convenience feature, not a security boundary.
@@ -141,9 +142,13 @@ export function shouldUseSandbox(input: Partial<SandboxInput>): boolean {
    return false
  }
-  // Don't sandbox if explicitly overridden AND unsandboxed commands are allowed by policy
+  // Only trusted internal callers may request an unsandboxed command. The
  // model-facing Bash schema omits _dangerouslyDisableSandboxApproved, so a
  // tool_use payload cannot disable the sandbox by setting
  // dangerouslyDisableSandbox directly.
  if (
    input.dangerouslyDisableSandbox &&
    input._dangerouslyDisableSandboxApproved &&
    SandboxManager.areUnsandboxedCommandsAllowed()
  ) {
    return false
--- a/src/tools/ConfigTool/prompt.ts
+++ b/src/tools/ConfigTool/prompt.ts
@@ -59,7 +59,7 @@ export function generatePrompt(): string {
 ## Configurable settings list
 The following settings are available for you to change:
-### Global Settings (stored in ~/.claude.json)
+### Global Settings (stored in ~/.openclaude.json)
 ${globalSettings.join('\n')}
 ### Project Settings (stored in settings.json)
--- a/src/tools/FileEditTool/FileEditTool.ts
+++ b/src/tools/FileEditTool/FileEditTool.ts
@@ -422,7 +422,7 @@ export const FileEditTool = buildTool({
      activateConditionalSkillsForPaths([absoluteFilePath], cwd)
    }
-    await diagnosticTracker.beforeFileEdited(absoluteFilePath)
+    await diagnosticTracker.beforeFileEditedCompat(absoluteFilePath)
    // Ensure parent directory exists before the atomic read-modify-write section.
    // These awaits must stay OUTSIDE the critical section below — a yield between
--- a/src/tools/FileWriteTool/FileWriteTool.ts
+++ b/src/tools/FileWriteTool/FileWriteTool.ts
@@ -244,7 +244,7 @@ export const FileWriteTool = buildTool({
    // Activate conditional skills whose path patterns match this file
    activateConditionalSkillsForPaths([fullFilePath], cwd)
-    await diagnosticTracker.beforeFileEdited(fullFilePath)
+    await diagnosticTracker.beforeFileEditedCompat(fullFilePath)
    // Ensure parent directory exists before the atomic read-modify-write section.
    // Must stay OUTSIDE the critical section below (a yield between the staleness
--- a/src/tools/PowerShellTool/PowerShellTool.tsx
+++ b/src/tools/PowerShellTool/PowerShellTool.tsx
@@ -230,13 +230,20 @@ const fullInputSchema = lazySchema(() => z.strictObject({
  timeout: semanticNumber(z.number().optional()).describe(`Optional timeout in milliseconds (max ${getMaxTimeoutMs()})`),
  description: z.string().optional().describe('Clear, concise description of what this command does in active voice.'),
  run_in_background: semanticBoolean(z.boolean().optional()).describe(`Set to true to run this command in the background. Use Read to read the output later.`),
-  dangerouslyDisableSandbox: semanticBoolean(z.boolean().optional()).describe('Set this to true to dangerously override sandbox mode and run commands without sandboxing.')
+  dangerouslyDisableSandbox: semanticBoolean(z.boolean().optional()).describe('Set this to true to dangerously override sandbox mode and run commands without sandboxing.'),
  _dangerouslyDisableSandboxApproved: z.boolean().optional().describe('Internal: user-approved sandbox override')
 }));
-// Conditionally remove run_in_background from schema when background tasks are disabled
+// Omit internal-only sandbox override fields from the model-facing schema.
 // Conditionally remove run_in_background from schema when background tasks are disabled.
 const inputSchema = lazySchema(() => isBackgroundTasksDisabled ? fullInputSchema().omit({
-  run_in_background: true
+  run_in_background: true,
-}) : fullInputSchema());
+  dangerouslyDisableSandbox: true,
  _dangerouslyDisableSandboxApproved: true
 }) : fullInputSchema().omit({
  dangerouslyDisableSandbox: true,
  _dangerouslyDisableSandboxApproved: true
 }));
 type InputSchema = ReturnType<typeof inputSchema>;
 // Use fullInputSchema for the type to always include run_in_background
@@ -697,7 +704,8 @@ async function* runPowerShellCommand({
    description,
    timeout,
    run_in_background,
-    dangerouslyDisableSandbox
+    dangerouslyDisableSandbox,
    _dangerouslyDisableSandboxApproved
  } = input;
  const timeoutMs = Math.min(timeout || getDefaultTimeoutMs(), getMaxTimeoutMs());
  let fullOutput = '';
@@ -749,7 +757,8 @@ async function* runPowerShellCommand({
      // The explicit platform check is redundant-but-obvious.
      shouldUseSandbox: getPlatform() === 'windows' ? false : shouldUseSandbox({
        command,
-        dangerouslyDisableSandbox
+        dangerouslyDisableSandbox,
        _dangerouslyDisableSandboxApproved
      }),
      shouldAutoBackground
    });
--- a/src/tools/WebFetchTool/utils.ts
+++ b/src/tools/WebFetchTool/utils.ts
@@ -15,6 +15,7 @@ import {
 } from '../../utils/mcpOutputStorage.js'
 import { getSettings_DEPRECATED } from '../../utils/settings/settings.js'
 import { asSystemPrompt } from '../../utils/systemPromptType.js'
 import { ssrfGuardedLookup } from '../../utils/hooks/ssrfGuard.js'
 import { isPreapprovedHost } from './preapproved.js'
 import { makeSecondaryModelPrompt } from './prompt.js'
@@ -281,6 +282,7 @@ export async function getWithPermittedRedirects(
      maxRedirects: 0,
      responseType: 'arraybuffer',
      maxContentLength: MAX_HTTP_CONTENT_LENGTH,
      lookup: ssrfGuardedLookup,
      headers: {
        Accept: 'text/markdown, text/html, */*',
        'User-Agent': getWebFetchUserAgent(),
--- a/src/utils/Cursor.ts
+++ b/src/utils/Cursor.ts
@@ -148,6 +148,42 @@ type Position = {
  column: number
 }
 export function maskTextWithVisibleEdges(
  value: string,
  mask: string,
  visiblePrefix = 3,
  visibleSuffix = 3,
 ): string {
  if (!mask || !value) return value
  const graphemes = Array.from(getGraphemeSegmenter().segment(value))
  const secretGraphemeCount = graphemes.filter(
    ({ segment }) => segment !== '\n',
  ).length
  const visibleCount = visiblePrefix + visibleSuffix
  if (secretGraphemeCount <= visibleCount) {
    return graphemes
      .map(({ segment }) => (segment === '\n' ? segment : mask))
      .join('')
  }
  let secretIndex = 0
  return graphemes
    .map(({ segment }) => {
      if (segment === '\n') return segment
      const nextSegment =
        secretIndex < visiblePrefix ||
        secretIndex >= secretGraphemeCount - visibleSuffix
          ? segment
          : mask
      secretIndex += 1
      return nextSegment
    })
    .join('')
 }
 export class Cursor {
  readonly offset: number
  constructor(
@@ -208,7 +244,12 @@ export class Cursor {
    maxVisibleLines?: number,
  ) {
    const { line, column } = this.getPosition()
-    const allLines = this.measuredText.getWrappedText()
+    const allLines = mask
      ? new MeasuredText(
          maskTextWithVisibleEdges(this.text, mask),
          this.measuredText.columns,
        ).getWrappedText()
      : this.measuredText.getWrappedText()
    const startLine = this.getViewportStartLine(maxVisibleLines)
    const endLine =
@@ -221,23 +262,6 @@ export class Cursor {
      .map((text, i) => {
        const currentLine = i + startLine
        let displayText = text
        if (mask) {
          const graphemes = Array.from(getGraphemeSegmenter().segment(text))
          if (currentLine === allLines.length - 1) {
            // Last line: mask all but the trailing 6 chars so the user can
            // confirm they pasted the right thing without exposing the full token
            const visibleCount = Math.min(6, graphemes.length)
            const maskCount = graphemes.length - visibleCount
            const splitOffset =
              graphemes.length > visibleCount ? graphemes[maskCount]!.index : 0
            displayText = mask.repeat(maskCount) + text.slice(splitOffset)
          } else {
            // Earlier wrapped lines: fully mask. Previously only the last line
            // was masked, leaking the start of the token on narrow terminals
            // where the pasted OAuth code wraps across multiple lines.
            displayText = mask.repeat(graphemes.length)
          }
        }
        // looking for the line with the cursor
        if (line !== currentLine) return displayText.trimEnd()
--- a/src/utils/api.test.ts
+++ b/src/utils/api.test.ts
@@ -78,3 +78,28 @@ test('toolToAPISchema keeps skill required for SkillTool', async () => {
    required: ['skill'],
  })
 })
 test('toolToAPISchema removes extra required keys not in properties (MCP schema sanitization)', async () => {
  const schema = await toolToAPISchema(
    {
      name: 'mcp__test__create_object',
      inputSchema: z.strictObject({}),
      inputJSONSchema: {
        type: 'object',
        properties: {
          name: { type: 'string' },
        },
        required: ['name', 'attributes'],
      },
      prompt: async () => 'Create an object',
    } as unknown as Tool,
    {
      getToolPermissionContext: async () => getEmptyToolPermissionContext(),
      tools: [] as unknown as Tools,
      agents: [],
    },
  )
  const inputSchema = (schema as { input_schema: { required?: string[] } }).input_schema
  expect(inputSchema.required).toEqual(['name'])
 })
--- a/src/utils/api.ts
+++ b/src/utils/api.ts
@@ -111,11 +111,60 @@ function filterSwarmFieldsFromSchema(
      delete filteredProps[field]
    }
    filtered.properties = filteredProps
    // Keep `required` in sync after removing properties
    if (Array.isArray(filtered.required)) {
      filtered.required = filtered.required.filter(
        (key: string) => key in filteredProps,
      )
    }
  }
  return filtered
 }
 /**
 * Ensure `required` only lists keys present in `properties`.
 * MCP servers may emit schemas where these are out of sync, causing
 * API 400 errors ("Extra required key supplied").
 * Recurses into nested object schemas.
 */
 function sanitizeSchemaRequired(
  schema: Anthropic.Tool.InputSchema,
 ): Anthropic.Tool.InputSchema {
  if (!schema || typeof schema !== 'object') {
    return schema
  }
  const result = { ...schema }
  const props = result.properties as Record<string, unknown> | undefined
  if (props && Array.isArray(result.required)) {
    result.required = result.required.filter(
      (key: string) => key in props,
    )
  }
  // Recurse into nested object properties
  if (props) {
    const sanitizedProps = { ...props }
    for (const [key, value] of Object.entries(sanitizedProps)) {
      if (
        value &&
        typeof value === 'object' &&
        (value as Record<string, unknown>).type === 'object'
      ) {
        sanitizedProps[key] = sanitizeSchemaRequired(
          value as Anthropic.Tool.InputSchema,
        )
      }
    }
    result.properties = sanitizedProps
  }
  return result
 }
 export async function toolToAPISchema(
  tool: Tool,
  options: {
@@ -156,7 +205,7 @@ export async function toolToAPISchema(
    // Use tool's JSON schema directly if provided, otherwise convert Zod schema
    let input_schema = (
      'inputJSONSchema' in tool && tool.inputJSONSchema
-        ? tool.inputJSONSchema
+        ? sanitizeSchemaRequired(tool.inputJSONSchema as Anthropic.Tool.InputSchema)
        : zodToJsonSchema(tool.inputSchema)
    ) as Anthropic.Tool.InputSchema
@@ -613,10 +662,6 @@ export function normalizeToolInput<T extends Tool>(
        ...(timeout !== undefined && { timeout }),
        ...(description !== undefined && { description }),
        ...(run_in_background !== undefined && { run_in_background }),
        ...('dangerouslyDisableSandbox' in parsed &&
          parsed.dangerouslyDisableSandbox !== undefined && {
            dangerouslyDisableSandbox: parsed.dangerouslyDisableSandbox,
          }),
      } as z.infer<T['inputSchema']>
    }
    case FileEditTool.name: {
--- a/src/utils/attachments.ts
+++ b/src/utils/attachments.ts
@@ -2882,7 +2882,7 @@ async function getDiagnosticAttachments(
  }
  // Get new diagnostics from the tracker (IDE diagnostics via MCP)
-  const newDiagnostics = await diagnosticTracker.getNewDiagnostics()
+  const newDiagnostics = await diagnosticTracker.getNewDiagnosticsCompat()
  if (newDiagnostics.length === 0) {
    return []
  }
--- a/src/utils/auth.ts
+++ b/src/utils/auth.ts
@@ -693,7 +693,7 @@ export function refreshAwsAuth(awsAuthRefresh: string): Promise<boolean> {
              'AWS auth refresh timed out after 3 minutes. Run your auth command manually in a separate terminal.',
            )
          : chalk.red(
-              'Error running awsAuthRefresh (in settings or ~/.claude.json):',
+              'Error running awsAuthRefresh (in settings or ~/.openclaude.json):',
            )
        // biome-ignore lint/suspicious/noConsole:: intentional console output
        console.error(message)
@@ -771,7 +771,7 @@ async function getAwsCredsFromCredentialExport(): Promise<{
      }
    } catch (e) {
      const message = chalk.red(
-        'Error getting AWS credentials from awsCredentialExport (in settings or ~/.claude.json):',
+        'Error getting AWS credentials from awsCredentialExport (in settings or ~/.openclaude.json):',
      )
      if (e instanceof Error) {
        // biome-ignore lint/suspicious/noConsole:: intentional console output
@@ -961,7 +961,7 @@ export function refreshGcpAuth(gcpAuthRefresh: string): Promise<boolean> {
              'GCP auth refresh timed out after 3 minutes. Run your auth command manually in a separate terminal.',
            )
          : chalk.red(
-              'Error running gcpAuthRefresh (in settings or ~/.claude.json):',
+              'Error running gcpAuthRefresh (in settings or ~/.openclaude.json):',
            )
        // biome-ignore lint/suspicious/noConsole:: intentional console output
        console.error(message)
@@ -1959,7 +1959,7 @@ export async function validateForceLoginOrg(): Promise<OrgValidationResult> {
  // Always fetch the authoritative org UUID from the profile endpoint.
  // Even keychain-sourced tokens verify server-side: the cached org UUID
-  // in ~/.claude.json is user-writable and cannot be trusted.
+  // in ~/.openclaude.json is user-writable and cannot be trusted.
  const { source } = getAuthTokenSource()
  const isEnvVarToken =
    source === 'CLAUDE_CODE_OAUTH_TOKEN' ||
--- a/src/utils/caCertsConfig.ts
+++ b/src/utils/caCertsConfig.ts
@@ -28,7 +28,7 @@ import { getSettingsForSource } from './settings/settings.js'
 * is lazy-initialized) and ensure Node.js compatibility.
 *
 * This is safe to call before the trust dialog because we only read from
- * user-controlled files (~/.claude/settings.json and ~/.claude.json),
+ * user-controlled files (~/.claude/settings.json and ~/.openclaude.json),
 * not from project-level settings.
 */
 export function applyExtraCACertsFromConfig(): void {
@@ -52,7 +52,7 @@ export function applyExtraCACertsFromConfig(): void {
 * after the trust dialog. But we need the CA cert early to establish the TLS
 * connection to an HTTPS proxy during init().
 *
- * We read from global config (~/.claude.json) and user settings
+ * We read from global config (~/.openclaude.json) and user settings
 * (~/.claude/settings.json). These are user-controlled files that don't
 * require trust approval.
 */
--- a/src/utils/claudeInChrome/setup.ts
+++ b/src/utils/claudeInChrome/setup.ts
@@ -355,7 +355,7 @@ exec ${command}
 *
 * Only positive detections are persisted. A negative result from the
 * filesystem scan is not cached, because it may come from a machine that
- * shares ~/.claude.json but has no local Chrome (e.g. a remote dev
+ * shares ~/.openclaude.json but has no local Chrome (e.g. a remote dev
 * environment using the bridge), and caching it would permanently poison
 * auto-enable for every session on every machine that reads that config.
 */
--- a/src/utils/config.ts
+++ b/src/utils/config.ts
@@ -155,7 +155,7 @@ export {
  NOTIFICATION_CHANNELS,
 } from './configConstants.js'
-import type { EDITOR_MODES, NOTIFICATION_CHANNELS } from './configConstants.js'
+import type { EDITOR_MODES, NOTIFICATION_CHANNELS, PROVIDERS } from './configConstants.js'
 export type NotificationChannel = (typeof NOTIFICATION_CHANNELS)[number]
@@ -181,10 +181,12 @@ export type DiffTool = 'terminal' | 'auto'
 export type OutputStyle = string
 export type Providers = typeof PROVIDERS[number]
 export type ProviderProfile = {
  id: string
  name: string
-  provider: 'openai' | 'anthropic'
+  provider: Providers
  baseUrl: string
  model: string
  apiKey?: string
@@ -916,7 +918,7 @@ let configCacheHits = 0
 let configCacheMisses = 0
 // Session-total count of actual disk writes to the global config file.
 // Exposed for internal-only dev diagnostics (see inc-4552) so anomalous write
-// rates surface in the UI before they corrupt ~/.claude.json.
+// rates surface in the UI before they corrupt ~/.openclaude.json.
 let globalConfigWriteCount = 0
 export function getGlobalConfigWriteCount(): number {
@@ -1255,7 +1257,7 @@ function saveConfigWithLock<A extends object>(
    const currentConfig = getConfig(file, createDefault)
    if (file === getGlobalClaudeFile() && wouldLoseAuthState(currentConfig)) {
      logForDebugging(
-        'saveConfigWithLock: re-read config is missing auth that cache has; refusing to write to avoid wiping ~/.claude.json. See GH #3117.',
+        'saveConfigWithLock: re-read config is missing auth that cache has; refusing to write to avoid wiping ~/.openclaude.json. See GH #3117.',
        { level: 'error' },
      )
      logEvent('tengu_config_auth_loss_prevented', {})
--- a/src/utils/configConstants.ts
+++ b/src/utils/configConstants.ts
@@ -19,3 +19,5 @@ export const EDITOR_MODES = ['normal', 'vim'] as const
 // 'in-process' = in-process teammates running in same process
 // 'auto' = automatically choose based on context (default)
 export const TEAMMATE_MODES = ['auto', 'tmux', 'in-process'] as const
 export const PROVIDERS = ['openai', 'anthropic', 'mistral', 'gemini'] as const
--- a/src/utils/deepLink/registerProtocol.ts
+++ b/src/utils/deepLink/registerProtocol.ts
@@ -253,7 +253,7 @@ async function resolveClaudePath(): Promise<string> {
 * Check whether the OS-level protocol handler is already registered AND
 * points at the expected `claude` binary. Reads the registration artifact
 * directly (symlink target, .desktop Exec line, registry value) rather than
- * a cached flag in ~/.claude.json, so:
+ * a cached flag in ~/.openclaude.json, so:
 *   - the check is per-machine (config can sync across machines; OS state can't)
 *   - stale paths self-heal (install-method change → re-register next session)
 *   - deleted artifacts self-heal
@@ -311,7 +311,7 @@ export async function ensureDeepLinkProtocolRegistered(): Promise<void> {
  // EACCES/ENOSPC are deterministic — retrying next session won't help.
  // Throttle to once per 24h so a read-only ~/.local/share/applications
  // doesn't generate a failure event on every startup. Marker lives in
-  // ~/.claude (per-machine, not synced) rather than ~/.claude.json (can sync).
+  // ~/.claude (per-machine, not synced) rather than ~/.openclaude.json (can sync).
  const failureMarkerPath = path.join(
    getClaudeConfigHomeDir(),
    '.deep-link-register-failed',
--- a/src/utils/env.test.ts
+++ b/src/utils/env.test.ts
@@ -0,0 +1,62 @@
 import { afterEach, beforeEach, expect, test } from 'bun:test'
 import { mkdtempSync, rmSync, writeFileSync } from 'fs'
 import { tmpdir } from 'os'
 import { join } from 'path'
 const originalEnv = {
  CLAUDE_CONFIG_DIR: process.env.CLAUDE_CONFIG_DIR,
  CLAUDE_CODE_CUSTOM_OAUTH_URL: process.env.CLAUDE_CODE_CUSTOM_OAUTH_URL,
  USER_TYPE: process.env.USER_TYPE,
 }
 let tempDir: string
 beforeEach(() => {
  tempDir = mkdtempSync(join(tmpdir(), 'openclaude-env-test-'))
  process.env.CLAUDE_CONFIG_DIR = tempDir
  delete process.env.CLAUDE_CODE_CUSTOM_OAUTH_URL
  delete process.env.USER_TYPE
 })
 afterEach(() => {
  rmSync(tempDir, { recursive: true, force: true })
  if (originalEnv.CLAUDE_CONFIG_DIR === undefined) {
    delete process.env.CLAUDE_CONFIG_DIR
  } else {
    process.env.CLAUDE_CONFIG_DIR = originalEnv.CLAUDE_CONFIG_DIR
  }
  if (originalEnv.CLAUDE_CODE_CUSTOM_OAUTH_URL === undefined) {
    delete process.env.CLAUDE_CODE_CUSTOM_OAUTH_URL
  } else {
    process.env.CLAUDE_CODE_CUSTOM_OAUTH_URL = originalEnv.CLAUDE_CODE_CUSTOM_OAUTH_URL
  }
  if (originalEnv.USER_TYPE === undefined) {
    delete process.env.USER_TYPE
  } else {
    process.env.USER_TYPE = originalEnv.USER_TYPE
  }
 })
 async function importFreshEnvModule() {
  return import(`./env.js?ts=${Date.now()}-${Math.random()}`)
 }
 // getGlobalClaudeFile — three migration branches
 test('getGlobalClaudeFile: new install returns .openclaude.json when neither file exists', async () => {
  const { getGlobalClaudeFile } = await importFreshEnvModule()
  expect(getGlobalClaudeFile()).toBe(join(tempDir, '.openclaude.json'))
 })
 test('getGlobalClaudeFile: existing user keeps .claude.json when only legacy file exists', async () => {
  writeFileSync(join(tempDir, '.claude.json'), '{}')
  const { getGlobalClaudeFile } = await importFreshEnvModule()
  expect(getGlobalClaudeFile()).toBe(join(tempDir, '.claude.json'))
 })
 test('getGlobalClaudeFile: migrated user uses .openclaude.json when both files exist', async () => {
  writeFileSync(join(tempDir, '.claude.json'), '{}')
  writeFileSync(join(tempDir, '.openclaude.json'), '{}')
  const { getGlobalClaudeFile } = await importFreshEnvModule()
  expect(getGlobalClaudeFile()).toBe(join(tempDir, '.openclaude.json'))
 })
--- a/src/utils/env.ts
+++ b/src/utils/env.ts
@@ -21,8 +21,21 @@ export const getGlobalClaudeFile = memoize((): string => {
    return join(getClaudeConfigHomeDir(), '.config.json')
  }
-  const filename = `.claude${fileSuffixForOauthConfig()}.json`
+  const oauthSuffix = fileSuffixForOauthConfig()
-  return join(process.env.CLAUDE_CONFIG_DIR || homedir(), filename)
+  const configDir = process.env.CLAUDE_CONFIG_DIR || homedir()
  // Default to .openclaude.json. Fall back to .claude.json only if the new
  // file doesn't exist yet and the legacy one does (same migration pattern
  // as resolveClaudeConfigHomeDir for the config directory).
  const newFilename = `.openclaude${oauthSuffix}.json`
  const legacyFilename = `.claude${oauthSuffix}.json`
  if (
    !getFsImplementation().existsSync(join(configDir, newFilename)) &&
    getFsImplementation().existsSync(join(configDir, legacyFilename))
  ) {
    return join(configDir, legacyFilename)
  }
  return join(configDir, newFilename)
 })
 const hasInternetAccess = memoize(async (): Promise<boolean> => {
--- a/src/utils/json.ts
+++ b/src/utils/json.ts
@@ -24,7 +24,7 @@ type CachedParse = { ok: true; value: unknown } | { ok: false }
 // lodash memoize default resolver = first arg only).
 // Skip caching above this size — the LRU stores the full string as the key,
 // so a 200KB config file would pin ~10MB in #keyList across 50 slots. Large
-// inputs like ~/.claude.json also change between reads (numStartups bumps on
+// inputs like ~/.openclaude.json also change between reads (numStartups bumps on
 // every CC startup), so the cache never hits anyway.
 const PARSE_CACHE_MAX_KEY_BYTES = 8 * 1024
--- a/src/utils/localInstaller.ts
+++ b/src/utils/localInstaller.ts
@@ -44,9 +44,10 @@ function getCandidateLocalBinaryPaths(localInstallDir: string): string[] {
 }
 export function isManagedLocalInstallationPath(execPath: string): boolean {
  const normalizedExecPath = execPath.replace(/\\+/g, '/')
  return (
-    execPath.includes('/.openclaude/local/node_modules/') ||
+    normalizedExecPath.includes('/.openclaude/local/node_modules/') ||
-    execPath.includes('/.claude/local/node_modules/')
+    normalizedExecPath.includes('/.claude/local/node_modules/')
  )
 }
--- a/src/utils/managedEnv.ts
+++ b/src/utils/managedEnv.ts
@@ -131,7 +131,7 @@ export function applySafeConfigEnvironmentVariables(): void {
        : null
  }
-  // Global config (~/.claude.json) is user-controlled. In CCD mode,
+  // Global config (~/.openclaude.json) is user-controlled. In CCD mode,
  // filterSettingsEnv strips keys that were in the spawn env snapshot so
  // the desktop host's operational vars (OTEL, etc.) are not overridden.
  Object.assign(process.env, filterSettingsEnv(getGlobalConfig().env))
--- a/src/utils/managedEnvConstants.ts
+++ b/src/utils/managedEnvConstants.ts
@@ -123,7 +123,6 @@ export const SAFE_ENV_VARS = new Set([
  'ANTHROPIC_DEFAULT_SONNET_MODEL_DESCRIPTION',
  'ANTHROPIC_DEFAULT_SONNET_MODEL_NAME',
  'ANTHROPIC_DEFAULT_SONNET_MODEL_SUPPORTED_CAPABILITIES',
  'ANTHROPIC_FOUNDRY_API_KEY',
  'ANTHROPIC_MODEL',
  'ANTHROPIC_SMALL_FAST_MODEL_AWS_REGION',
  'ANTHROPIC_SMALL_FAST_MODEL',
--- a/src/utils/model/openaiContextWindows.ts
+++ b/src/utils/model/openaiContextWindows.ts
@@ -181,9 +181,11 @@ const OPENAI_CONTEXT_WINDOWS: Record<string, number> = {
  'google/gemini-2.5-pro':  1_048_576,
  // Google (native via CLAUDE_CODE_USE_GEMINI)
-  'gemini-2.0-flash':       1_048_576,
+  'gemini-2.0-flash':              1_048_576,
-  'gemini-2.5-pro':         1_048_576,
+  'gemini-2.5-pro':                1_048_576,
-  'gemini-2.5-flash':       1_048_576,
+  'gemini-2.5-flash':              1_048_576,
  'gemini-3.1-pro':                1_048_576,
  'gemini-3.1-flash-lite-preview': 1_048_576,
  // Ollama local models
  // Llama 3.1+ models support 128k context natively (Meta official specs).
@@ -331,9 +333,11 @@ const OPENAI_MAX_OUTPUT_TOKENS: Record<string, number> = {
  'google/gemini-2.5-pro':    65_536,
  // Google (native via CLAUDE_CODE_USE_GEMINI)
-  'gemini-2.0-flash':          8_192,
+  'gemini-2.0-flash':              8_192,
-  'gemini-2.5-pro':           65_536,
+  'gemini-2.5-pro':                65_536,
-  'gemini-2.5-flash':         65_536,
+  'gemini-2.5-flash':              65_536,
  'gemini-3.1-pro':                65_536,
  'gemini-3.1-flash-lite-preview': 65_536,
  // Ollama local models (conservative safe defaults)
  'llama3.3:70b':               4_096,
--- a/src/utils/model/providers.test.ts
+++ b/src/utils/model/providers.test.ts
@@ -107,3 +107,60 @@ test('official OpenAI base URLs now keep provider detection on openai for aliase
  const { getAPIProvider } = await importFreshProvidersModule()
  expect(getAPIProvider()).toBe('openai')
 })
 // isGithubNativeAnthropicMode
 test('isGithubNativeAnthropicMode: false when CLAUDE_CODE_USE_GITHUB is not set', async () => {
  clearProviderEnv()
  process.env.OPENAI_MODEL = 'claude-sonnet-4-5'
  const { isGithubNativeAnthropicMode } = await importFreshProvidersModule()
  expect(isGithubNativeAnthropicMode()).toBe(false)
 })
 test('isGithubNativeAnthropicMode: true for bare claude- model via OPENAI_MODEL', async () => {
  clearProviderEnv()
  process.env.CLAUDE_CODE_USE_GITHUB = '1'
  process.env.OPENAI_MODEL = 'claude-sonnet-4-5'
  const { isGithubNativeAnthropicMode } = await importFreshProvidersModule()
  expect(isGithubNativeAnthropicMode()).toBe(true)
 })
 test('isGithubNativeAnthropicMode: true for github:copilot:claude- compound format', async () => {
  clearProviderEnv()
  process.env.CLAUDE_CODE_USE_GITHUB = '1'
  process.env.OPENAI_MODEL = 'github:copilot:claude-sonnet-4'
  const { isGithubNativeAnthropicMode } = await importFreshProvidersModule()
  expect(isGithubNativeAnthropicMode()).toBe(true)
 })
 test('isGithubNativeAnthropicMode: true when resolvedModel is a claude- model', async () => {
  clearProviderEnv()
  process.env.CLAUDE_CODE_USE_GITHUB = '1'
  process.env.OPENAI_MODEL = 'github:copilot'
  const { isGithubNativeAnthropicMode } = await importFreshProvidersModule()
  expect(isGithubNativeAnthropicMode('claude-haiku-4-5')).toBe(true)
 })
 test('isGithubNativeAnthropicMode: false for generic github:copilot alias', async () => {
  clearProviderEnv()
  process.env.CLAUDE_CODE_USE_GITHUB = '1'
  process.env.OPENAI_MODEL = 'github:copilot'
  const { isGithubNativeAnthropicMode } = await importFreshProvidersModule()
  expect(isGithubNativeAnthropicMode()).toBe(false)
 })
 test('isGithubNativeAnthropicMode: false for non-Claude model', async () => {
  clearProviderEnv()
  process.env.CLAUDE_CODE_USE_GITHUB = '1'
  process.env.OPENAI_MODEL = 'gpt-4o'
  const { isGithubNativeAnthropicMode } = await importFreshProvidersModule()
  expect(isGithubNativeAnthropicMode()).toBe(false)
 })
 test('isGithubNativeAnthropicMode: false for github:copilot:gpt- model', async () => {
  clearProviderEnv()
  process.env.CLAUDE_CODE_USE_GITHUB = '1'
  process.env.OPENAI_MODEL = 'github:copilot:gpt-4o'
  const { isGithubNativeAnthropicMode } = await importFreshProvidersModule()
  expect(isGithubNativeAnthropicMode()).toBe(false)
 })
--- a/src/utils/model/providers.ts
+++ b/src/utils/model/providers.ts
@@ -45,6 +45,24 @@ export function getAPIProvider(): APIProvider {
 export function usesAnthropicAccountFlow(): boolean {
  return getAPIProvider() === 'firstParty'
 }
 /**
 * Returns true when the GitHub provider should use Anthropic's native API
 * format instead of the OpenAI-compatible shim.
 *
 * Enabled when CLAUDE_CODE_USE_GITHUB=1 and the model string contains "claude-"
 * anywhere (handles bare names like "claude-sonnet-4" and compound formats like
 * "github:copilot:claude-sonnet-4" or any future provider-prefixed variants).
 *
 * api.githubcopilot.com supports Anthropic native format for Claude models,
 * enabling prompt caching via cache_control blocks which significantly reduces
 * per-turn token costs by caching the system prompt and tool definitions.
 */
 export function isGithubNativeAnthropicMode(resolvedModel?: string): boolean {
  if (!isEnvTruthy(process.env.CLAUDE_CODE_USE_GITHUB)) return false
  const model = resolvedModel?.trim() || process.env.OPENAI_MODEL?.trim() || ''
  return model.toLowerCase().includes('claude-')
 }
 function isCodexModel(): boolean {
  return shouldUseCodexTransport(
    process.env.OPENAI_MODEL || '',
--- a/src/utils/permissions/filesystem.ts
+++ b/src/utils/permissions/filesystem.ts
@@ -64,6 +64,7 @@ export const DANGEROUS_FILES = [
  '.profile',
  '.ripgreprc',
  '.mcp.json',
  '.openclaude.json',
  '.claude.json',
 ] as const
--- a/src/utils/plugins/marketplaceManager.ts
+++ b/src/utils/plugins/marketplaceManager.ts
@@ -532,6 +532,7 @@ export async function gitPull(
 ): Promise<{ code: number; stderr: string }> {
  logForDebugging(`git pull: cwd=${cwd} ref=${ref ?? 'default'}`)
  const env = { ...process.env, ...GIT_NO_PROMPT_ENV }
  const baseArgs = ['-c', 'core.hooksPath=/dev/null']
  const credentialArgs = options?.disableCredentialHelper
    ? ['-c', 'credential.helper=']
    : []
@@ -539,7 +540,7 @@ export async function gitPull(
  if (ref) {
    const fetchResult = await execFileNoThrowWithCwd(
      gitExe(),
-      [...credentialArgs, 'fetch', 'origin', ref],
+      [...baseArgs, ...credentialArgs, 'fetch', 'origin', ref],
      { cwd, timeout: getPluginGitTimeoutMs(), stdin: 'ignore', env },
    )
@@ -549,7 +550,7 @@ export async function gitPull(
    const checkoutResult = await execFileNoThrowWithCwd(
      gitExe(),
-      [...credentialArgs, 'checkout', ref],
+      [...baseArgs, ...credentialArgs, 'checkout', ref],
      { cwd, timeout: getPluginGitTimeoutMs(), stdin: 'ignore', env },
    )
@@ -559,7 +560,7 @@ export async function gitPull(
    const pullResult = await execFileNoThrowWithCwd(
      gitExe(),
-      [...credentialArgs, 'pull', 'origin', ref],
+      [...baseArgs, ...credentialArgs, 'pull', 'origin', ref],
      { cwd, timeout: getPluginGitTimeoutMs(), stdin: 'ignore', env },
    )
    if (pullResult.code !== 0) {
@@ -571,7 +572,7 @@ export async function gitPull(
  const result = await execFileNoThrowWithCwd(
    gitExe(),
-    [...credentialArgs, 'pull', 'origin', 'HEAD'],
+    [...baseArgs, ...credentialArgs, 'pull', 'origin', 'HEAD'],
    { cwd, timeout: getPluginGitTimeoutMs(), stdin: 'ignore', env },
  )
  if (result.code !== 0) {
@@ -625,6 +626,8 @@ async function gitSubmoduleUpdate(
    [
      '-c',
      'core.sshCommand=ssh -o BatchMode=yes -o StrictHostKeyChecking=yes',
      '-c',
      'core.hooksPath=/dev/null',
      ...credentialArgs,
      'submodule',
      'update',
@@ -810,6 +813,8 @@ export async function gitClone(
  const args = [
    '-c',
    'core.sshCommand=ssh -o BatchMode=yes -o StrictHostKeyChecking=yes',
    '-c',
    'core.hooksPath=/dev/null',
    'clone',
    '--depth',
    '1',
--- a/src/utils/processUserInput/processBashCommand.tsx
+++ b/src/utils/processUserInput/processBashCommand.tsx
@@ -65,10 +65,11 @@ export async function processBashCommand(inputString: string, precedingInputBloc
      });
    };
-    // User-initiated `!` commands run outside sandbox. Both shell tools honor
+    // User-initiated `!` commands run outside sandbox when policy allows it.
-    // dangerouslyDisableSandbox (checked against areUnsandboxedCommandsAllowed()
+    // Bash requires an internal approval marker so model-controlled tool input
-    // in shouldUseSandbox.ts). PS sandbox is Linux/macOS/WSL2 only — on Windows
+    // cannot disable sandboxing by setting dangerouslyDisableSandbox directly.
-    // native, shouldUseSandbox() returns false regardless (unsupported platform).
+    // PS sandbox is Linux/macOS/WSL2 only — on Windows native, shouldUseSandbox()
    // returns false regardless (unsupported platform).
    // Lazy-require PowerShellTool so its ~300KB chunk only loads when the
    // user has actually selected the powershell default shell.
    type PSMod = typeof import('src/tools/PowerShellTool/PowerShellTool.js');
@@ -81,10 +82,12 @@ export async function processBashCommand(inputString: string, precedingInputBloc
    const shellTool = PowerShellTool ?? BashTool;
    const response = PowerShellTool ? await PowerShellTool.call({
      command: inputString,
-      dangerouslyDisableSandbox: true
+      dangerouslyDisableSandbox: true,
      _dangerouslyDisableSandboxApproved: true
    }, bashModeContext, undefined, undefined, onProgress) : await BashTool.call({
      command: inputString,
-      dangerouslyDisableSandbox: true
+      dangerouslyDisableSandbox: true,
      _dangerouslyDisableSandboxApproved: true
    }, bashModeContext, undefined, undefined, onProgress);
    const data = response.data;
    if (!data) {
--- a/src/utils/providerDiscovery.test.ts
+++ b/src/utils/providerDiscovery.test.ts
@@ -1,9 +1,9 @@
 import { afterEach, expect, mock, test } from 'bun:test'
-import {
+async function loadProviderDiscoveryModule() {
-  getLocalOpenAICompatibleProviderLabel,
+  // @ts-expect-error cache-busting query string for Bun module mocks
-  listOpenAICompatibleModels,
+  return import(`./providerDiscovery.js?ts=${Date.now()}-${Math.random()}`)
-} from './providerDiscovery.js'
+}
 const originalFetch = globalThis.fetch
 const originalEnv = {
@@ -16,6 +16,8 @@ afterEach(() => {
 })
 test('lists models from a local openai-compatible /models endpoint', async () => {
  const { listOpenAICompatibleModels } = await loadProviderDiscoveryModule()
  globalThis.fetch = mock((input, init) => {
    const url = typeof input === 'string' ? input : input.url
    expect(url).toBe('http://localhost:1234/v1/models')
@@ -47,6 +49,8 @@ test('lists models from a local openai-compatible /models endpoint', async () =>
 })
 test('returns null when a local openai-compatible /models request fails', async () => {
  const { listOpenAICompatibleModels } = await loadProviderDiscoveryModule()
  globalThis.fetch = mock(() =>
    Promise.resolve(new Response('not available', { status: 503 })),
  ) as typeof globalThis.fetch
@@ -56,13 +60,19 @@ test('returns null when a local openai-compatible /models request fails', async
  ).resolves.toBeNull()
 })
-test('detects LM Studio from the default localhost port', () => {
+test('detects LM Studio from the default localhost port', async () => {
  const { getLocalOpenAICompatibleProviderLabel } =
    await loadProviderDiscoveryModule()
  expect(getLocalOpenAICompatibleProviderLabel('http://localhost:1234/v1')).toBe(
    'LM Studio',
  )
 })
-test('detects common local openai-compatible providers by hostname', () => {
+test('detects common local openai-compatible providers by hostname', async () => {
  const { getLocalOpenAICompatibleProviderLabel } =
    await loadProviderDiscoveryModule()
  expect(
    getLocalOpenAICompatibleProviderLabel('http://localai.local:8080/v1'),
  ).toBe('LocalAI')
@@ -71,8 +81,212 @@ test('detects common local openai-compatible providers by hostname', () => {
  ).toBe('vLLM')
 })
-test('falls back to a generic local openai-compatible label', () => {
+test('falls back to a generic local openai-compatible label', async () => {
  const { getLocalOpenAICompatibleProviderLabel } =
    await loadProviderDiscoveryModule()
  expect(
    getLocalOpenAICompatibleProviderLabel('http://127.0.0.1:8080/v1'),
  ).toBe('Local OpenAI-compatible')
 })
 test('ollama generation readiness reports unreachable when tags endpoint is down', async () => {
  const { probeOllamaGenerationReadiness } = await loadProviderDiscoveryModule()
  const calledUrls: string[] = []
  globalThis.fetch = mock(input => {
    const url = typeof input === 'string' ? input : input.url
    calledUrls.push(url)
    return Promise.resolve(new Response('not available', { status: 503 }))
  }) as typeof globalThis.fetch
  await expect(
    probeOllamaGenerationReadiness({
      baseUrl: 'http://localhost:11434',
    }),
  ).resolves.toMatchObject({
    state: 'unreachable',
    models: [],
  })
  expect(calledUrls).toEqual([
    'http://localhost:11434/api/tags',
  ])
 })
 test('ollama generation readiness reports no models when server is reachable', async () => {
  const { probeOllamaGenerationReadiness } = await loadProviderDiscoveryModule()
  const calledUrls: string[] = []
  globalThis.fetch = mock(input => {
    const url = typeof input === 'string' ? input : input.url
    calledUrls.push(url)
    return Promise.resolve(
      new Response(JSON.stringify({ models: [] }), {
        status: 200,
        headers: { 'Content-Type': 'application/json' },
      }),
    )
  }) as typeof globalThis.fetch
  await expect(
    probeOllamaGenerationReadiness({
      baseUrl: 'http://localhost:11434',
    }),
  ).resolves.toMatchObject({
    state: 'no_models',
    models: [],
  })
  expect(calledUrls).toEqual([
    'http://localhost:11434/api/tags',
  ])
 })
 test('ollama generation readiness reports generation_failed when requested model is missing', async () => {
  const { probeOllamaGenerationReadiness } = await loadProviderDiscoveryModule()
  const calledUrls: string[] = []
  globalThis.fetch = mock(input => {
    const url = typeof input === 'string' ? input : input.url
    calledUrls.push(url)
    return Promise.resolve(
      new Response(
        JSON.stringify({
          models: [{ name: 'llama3.1:8b', size: 1024 }],
        }),
        {
          status: 200,
          headers: { 'Content-Type': 'application/json' },
        },
      ),
    )
  }) as typeof globalThis.fetch
  await expect(
    probeOllamaGenerationReadiness({
      baseUrl: 'http://localhost:11434',
      model: 'qwen2.5-coder:7b',
    }),
  ).resolves.toMatchObject({
    state: 'generation_failed',
    probeModel: 'qwen2.5-coder:7b',
    detail: 'requested model not installed: qwen2.5-coder:7b',
  })
  expect(calledUrls).toEqual(['http://localhost:11434/api/tags'])
 })
 test('ollama generation readiness reports generation failures when chat probe fails', async () => {
  const { probeOllamaGenerationReadiness } = await loadProviderDiscoveryModule()
  globalThis.fetch = mock(input => {
    const url = typeof input === 'string' ? input : input.url
    if (url.endsWith('/api/tags')) {
      return Promise.resolve(
        new Response(
          JSON.stringify({
            models: [{ name: 'qwen2.5-coder:7b', size: 42 }],
          }),
          {
            status: 200,
            headers: { 'Content-Type': 'application/json' },
          },
        ),
      )
    }
    return Promise.resolve(new Response('model not found', { status: 404 }))
  }) as typeof globalThis.fetch
  await expect(
    probeOllamaGenerationReadiness({
      baseUrl: 'http://localhost:11434',
      model: 'qwen2.5-coder:7b',
    }),
  ).resolves.toMatchObject({
    state: 'generation_failed',
    probeModel: 'qwen2.5-coder:7b',
  })
 })
 test('ollama generation readiness reports generation_failed when chat probe returns invalid JSON', async () => {
  const { probeOllamaGenerationReadiness } = await loadProviderDiscoveryModule()
  globalThis.fetch = mock(input => {
    const url = typeof input === 'string' ? input : input.url
    if (url.endsWith('/api/tags')) {
      return Promise.resolve(
        new Response(
          JSON.stringify({
            models: [{ name: 'llama3.1:8b', size: 1024 }],
          }),
          {
            status: 200,
            headers: { 'Content-Type': 'application/json' },
          },
        ),
      )
    }
    return Promise.resolve(
      new Response('<html>proxy error</html>', {
        status: 200,
        headers: { 'Content-Type': 'text/html' },
      }),
    )
  }) as typeof globalThis.fetch
  await expect(
    probeOllamaGenerationReadiness({
      baseUrl: 'http://localhost:11434',
    }),
  ).resolves.toMatchObject({
    state: 'generation_failed',
    probeModel: 'llama3.1:8b',
    detail: 'invalid JSON response',
  })
 })
 test('ollama generation readiness reports ready when chat probe succeeds', async () => {
  const { probeOllamaGenerationReadiness } = await loadProviderDiscoveryModule()
  globalThis.fetch = mock(input => {
    const url = typeof input === 'string' ? input : input.url
    if (url.endsWith('/api/tags')) {
      return Promise.resolve(
        new Response(
          JSON.stringify({
            models: [{ name: 'llama3.1:8b', size: 1024 }],
          }),
          {
            status: 200,
            headers: { 'Content-Type': 'application/json' },
          },
        ),
      )
    }
    return Promise.resolve(
      new Response(
        JSON.stringify({
          message: { role: 'assistant', content: 'OK' },
          done: true,
        }),
        {
          status: 200,
          headers: { 'Content-Type': 'application/json' },
        },
      ),
    )
  }) as typeof globalThis.fetch
  await expect(
    probeOllamaGenerationReadiness({
      baseUrl: 'http://localhost:11434',
    }),
  ).resolves.toMatchObject({
    state: 'ready',
    probeModel: 'llama3.1:8b',
  })
 })
--- a/src/utils/providerDiscovery.ts
+++ b/src/utils/providerDiscovery.ts
@@ -4,6 +4,13 @@ import { DEFAULT_OPENAI_BASE_URL } from '../services/api/providerConfig.js'
 export const DEFAULT_OLLAMA_BASE_URL = 'http://localhost:11434'
 export const DEFAULT_ATOMIC_CHAT_BASE_URL = 'http://127.0.0.1:1337'
 export type OllamaGenerationReadiness = {
  state: 'ready' | 'unreachable' | 'no_models' | 'generation_failed'
  models: OllamaModelDescriptor[]
  probeModel?: string
  detail?: string
 }
 function withTimeoutSignal(timeoutMs: number): {
  signal: AbortSignal
  clear: () => void
@@ -20,6 +27,83 @@ function trimTrailingSlash(value: string): string {
  return value.replace(/\/+$/, '')
 }
 function compactDetail(value: string, maxLength = 180): string {
  const compact = value.trim().replace(/\s+/g, ' ')
  if (!compact) {
    return ''
  }
  if (compact.length <= maxLength) {
    return compact
  }
  return `${compact.slice(0, maxLength)}...`
 }
 type OllamaTagsPayload = {
  models?: Array<{
    name?: string
    size?: number
    details?: {
      family?: string
      families?: string[]
      parameter_size?: string
      quantization_level?: string
    }
  }>
 }
 function normalizeOllamaModels(
  payload: OllamaTagsPayload,
 ): OllamaModelDescriptor[] {
  return (payload.models ?? [])
    .filter(model => Boolean(model.name))
    .map(model => ({
      name: model.name!,
      sizeBytes: typeof model.size === 'number' ? model.size : null,
      family: model.details?.family ?? null,
      families: model.details?.families ?? [],
      parameterSize: model.details?.parameter_size ?? null,
      quantizationLevel: model.details?.quantization_level ?? null,
    }))
 }
 async function fetchOllamaModelsProbe(
  baseUrl?: string,
  timeoutMs = 5000,
 ): Promise<{
  reachable: boolean
  models: OllamaModelDescriptor[]
 }> {
  const { signal, clear } = withTimeoutSignal(timeoutMs)
  try {
    const response = await fetch(`${getOllamaApiBaseUrl(baseUrl)}/api/tags`, {
      method: 'GET',
      signal,
    })
    if (!response.ok) {
      return {
        reachable: false,
        models: [],
      }
    }
    const payload = (await response.json().catch(() => ({}))) as OllamaTagsPayload
    return {
      reachable: true,
      models: normalizeOllamaModels(payload),
    }
  } catch {
    return {
      reachable: false,
      models: [],
    }
  } finally {
    clear()
  }
 }
 export function getOllamaApiBaseUrl(baseUrl?: string): string {
  const parsed = new URL(
    baseUrl || process.env.OLLAMA_BASE_URL || DEFAULT_OLLAMA_BASE_URL,
@@ -121,61 +205,15 @@ export function getLocalOpenAICompatibleProviderLabel(baseUrl?: string): string
 }
 export async function hasLocalOllama(baseUrl?: string): Promise<boolean> {
-  const { signal, clear } = withTimeoutSignal(1200)
+  const { reachable } = await fetchOllamaModelsProbe(baseUrl, 1200)
-  try {
+  return reachable
    const response = await fetch(`${getOllamaApiBaseUrl(baseUrl)}/api/tags`, {
      method: 'GET',
      signal,
    })
    return response.ok
  } catch {
    return false
  } finally {
    clear()
  }
 }
 export async function listOllamaModels(
  baseUrl?: string,
 ): Promise<OllamaModelDescriptor[]> {
-  const { signal, clear } = withTimeoutSignal(5000)
+  const { models } = await fetchOllamaModelsProbe(baseUrl, 5000)
-  try {
+  return models
    const response = await fetch(`${getOllamaApiBaseUrl(baseUrl)}/api/tags`, {
      method: 'GET',
      signal,
    })
    if (!response.ok) {
      return []
    }
    const data = (await response.json()) as {
      models?: Array<{
        name?: string
        size?: number
        details?: {
          family?: string
          families?: string[]
          parameter_size?: string
          quantization_level?: string
        }
      }>
    }
    return (data.models ?? [])
      .filter(model => Boolean(model.name))
      .map(model => ({
        name: model.name!,
        sizeBytes: typeof model.size === 'number' ? model.size : null,
        family: model.details?.family ?? null,
        families: model.details?.families ?? [],
        parameterSize: model.details?.parameter_size ?? null,
        quantizationLevel: model.details?.quantization_level ?? null,
      }))
  } catch {
    return []
  } finally {
    clear()
  }
 }
 export async function listOpenAICompatibleModels(options?: {
@@ -294,3 +332,106 @@ export async function benchmarkOllamaModel(
    clear()
  }
 }
 export async function probeOllamaGenerationReadiness(options?: {
  baseUrl?: string
  model?: string
  timeoutMs?: number
 }): Promise<OllamaGenerationReadiness> {
  const timeoutMs = options?.timeoutMs ?? 8000
  const { reachable, models } = await fetchOllamaModelsProbe(
    options?.baseUrl,
    timeoutMs,
  )
  if (!reachable) {
    return {
      state: 'unreachable',
      models: [],
    }
  }
  if (models.length === 0) {
    return {
      state: 'no_models',
      models: [],
    }
  }
  const requestedModel = options?.model?.trim() || undefined
  if (requestedModel && !models.some(model => model.name === requestedModel)) {
    return {
      state: 'generation_failed',
      models,
      probeModel: requestedModel,
      detail: `requested model not installed: ${requestedModel}`,
    }
  }
  const probeModel = requestedModel ?? models[0]!.name
  const { signal, clear } = withTimeoutSignal(timeoutMs)
  try {
    const response = await fetch(`${getOllamaApiBaseUrl(options?.baseUrl)}/api/chat`, {
      method: 'POST',
      headers: {
        'Content-Type': 'application/json',
      },
      signal,
      body: JSON.stringify({
        model: probeModel,
        stream: false,
        messages: [{ role: 'user', content: 'Reply with OK.' }],
        options: {
          temperature: 0,
          num_predict: 8,
        },
      }),
    })
    if (!response.ok) {
      const responseBody = await response.text().catch(() => '')
      const detailSuffix = compactDetail(responseBody)
      return {
        state: 'generation_failed',
        models,
        probeModel,
        detail: detailSuffix
          ? `status ${response.status}: ${detailSuffix}`
          : `status ${response.status}`,
      }
    }
    try {
      await response.json()
    } catch {
      return {
        state: 'generation_failed',
        models,
        probeModel,
        detail: 'invalid JSON response',
      }
    }
    return {
      state: 'ready',
      models,
      probeModel,
    }
  } catch (error) {
    const detail =
      error instanceof Error
        ? error.name === 'AbortError'
          ? 'request timed out'
          : error.message
        : String(error)
    return {
      state: 'generation_failed',
      models,
      probeModel,
      detail,
    }
  } finally {
    clear()
  }
 }
--- a/src/utils/providerProfile.test.ts
+++ b/src/utils/providerProfile.test.ts
@@ -166,7 +166,7 @@ test('matching persisted gemini env is reused for gemini launch', async () => {
  assert.equal(env.GEMINI_BASE_URL, 'https://example.test/v1beta/openai')
 })
-test('gemini launch ignores mismatched persisted openai env and strips other provider secrets', async () => {
+test('openai env variables take precedence over gemini', async () => {
  const env = await buildLaunchEnv({
    profile: 'gemini',
    persisted: profile('openai', {
@@ -187,16 +187,16 @@ test('gemini launch ignores mismatched persisted openai env and strips other pro
    },
  })
-  assert.equal(env.CLAUDE_CODE_USE_GEMINI, '1')
+  assert.equal(env.CLAUDE_CODE_USE_GEMINI, undefined) 
-  assert.equal(env.CLAUDE_CODE_USE_OPENAI, undefined)
+  assert.equal(env.CLAUDE_CODE_USE_OPENAI, '1')
-  assert.equal(env.GEMINI_MODEL, 'gemini-2.0-flash')
+  assert.equal(env.GEMINI_MODEL, undefined)
-  assert.equal(env.GEMINI_API_KEY, 'gem-live')
+  assert.equal(env.GEMINI_API_KEY, undefined)
  assert.equal(
    env.GEMINI_BASE_URL,
-    'https://generativelanguage.googleapis.com/v1beta/openai',
+    undefined,
  )
  assert.equal(env.GOOGLE_API_KEY, undefined)
-  assert.equal(env.OPENAI_API_KEY, undefined)
+  assert.equal(env.OPENAI_API_KEY, 'sk-live')
  assert.equal(env.CODEX_API_KEY, undefined)
  assert.equal(env.CHATGPT_ACCOUNT_ID, undefined)
 })
@@ -562,8 +562,13 @@ test('buildStartupEnvFromProfile leaves explicit provider selections untouched',
    processEnv,
  })
-  assert.equal(env, processEnv)
+  // Remove the strict object equality check: assert.equal(env, processEnv)
  assert.equal(env.CLAUDE_CODE_USE_GEMINI, '1')
  assert.equal(env.GEMINI_API_KEY, 'gem-live')
  assert.equal(env.GEMINI_MODEL, 'gemini-2.0-flash')
  // Add the new default fields injected by the function
  assert.equal(env.GEMINI_BASE_URL, 'https://generativelanguage.googleapis.com/v1beta/openai')
  assert.equal(env.GEMINI_AUTH_MODE, 'api-key')
  assert.equal(env.OPENAI_API_KEY, undefined)
 })
@@ -607,14 +612,17 @@ test('buildStartupEnvFromProfile treats explicit falsey provider flags as user i
    processEnv,
  })
-  assert.equal(env, processEnv)
+  assert.equal(env.CLAUDE_CODE_USE_OPENAI, undefined)
-  assert.equal(env.CLAUDE_CODE_USE_OPENAI, '0')
+  assert.equal(env.CLAUDE_CODE_USE_GEMINI, '1')
-  assert.equal(env.GEMINI_API_KEY, undefined)
+  assert.equal(env.GEMINI_API_KEY, 'gem-persisted')
  assert.equal(env.GEMINI_MODEL, 'gemini-2.5-flash')
  assert.equal(env.GEMINI_BASE_URL, 'https://generativelanguage.googleapis.com/v1beta/openai')
  assert.equal(env.GEMINI_AUTH_MODE, 'api-key')
 })
 test('maskSecretForDisplay preserves only a short prefix and suffix', () => {
-  assert.equal(maskSecretForDisplay('sk-secret-12345678'), 'sk-...5678')
+  assert.equal(maskSecretForDisplay('sk-secret-12345678'), 'sk-...678')
-  assert.equal(maskSecretForDisplay('AIzaSecret12345678'), 'AIza...5678')
+  assert.equal(maskSecretForDisplay('AIzaSecret12345678'), 'AIz...678')
 })
 test('redactSecretValueForDisplay masks poisoned display fields that equal configured secrets', () => {
@@ -622,7 +630,7 @@ test('redactSecretValueForDisplay masks poisoned display fields that equal confi
  assert.equal(
    redactSecretValueForDisplay(apiKey, { OPENAI_API_KEY: apiKey }),
-    'sk-...5678',
+    'sk-...678',
  )
  assert.equal(
    redactSecretValueForDisplay('gpt-4o', { OPENAI_API_KEY: apiKey }),
--- a/src/utils/providerProfile.ts
+++ b/src/utils/providerProfile.ts
@@ -29,6 +29,9 @@ export {
  sanitizeApiKey,
  sanitizeProviderConfigValue,
 } from './providerSecrets.js'
 import { isEnvTruthy } from './envUtils.ts'
 import { PROVIDERS } from './configConstants.js'
 export const PROFILE_FILE_NAME = '.openclaude-profile.json'
 export const DEFAULT_GEMINI_BASE_URL =
@@ -498,13 +501,13 @@ export function hasExplicitProviderSelection(
  }
  return (
-    processEnv.CLAUDE_CODE_USE_OPENAI !== undefined ||
+    isEnvTruthy(processEnv.CLAUDE_CODE_USE_OPENAI) ||
-    processEnv.CLAUDE_CODE_USE_GITHUB !== undefined ||
+    isEnvTruthy(processEnv.CLAUDE_CODE_USE_GITHUB) ||
-    processEnv.CLAUDE_CODE_USE_GEMINI !== undefined ||
+    isEnvTruthy(processEnv.CLAUDE_CODE_USE_GEMINI) ||
-    processEnv.CLAUDE_CODE_USE_MISTRAL !== undefined ||
+    isEnvTruthy(processEnv.CLAUDE_CODE_USE_MISTRAL) ||
-    processEnv.CLAUDE_CODE_USE_BEDROCK !== undefined ||
+    isEnvTruthy(processEnv.CLAUDE_CODE_USE_BEDROCK) ||
-    processEnv.CLAUDE_CODE_USE_VERTEX !== undefined ||
+    isEnvTruthy(processEnv.CLAUDE_CODE_USE_VERTEX) ||
-    processEnv.CLAUDE_CODE_USE_FOUNDRY !== undefined
+    isEnvTruthy(processEnv.CLAUDE_CODE_USE_FOUNDRY)
  )
 }
@@ -573,6 +576,20 @@ export async function buildLaunchEnv(options: {
  const persistedGeminiKey = sanitizeApiKey(persistedEnv.GEMINI_API_KEY)
  const persistedGeminiAuthMode = persistedEnv.GEMINI_AUTH_MODE
  if (hasExplicitProviderSelection(processEnv)) {
    for (let provider of PROVIDERS) {
      if (provider === "anthropic") {
        continue;
      }
      const env_key_name = `CLAUDE_CODE_USE_${provider.toUpperCase()}`
      if (env_key_name in processEnv && isEnvTruthy(processEnv[env_key_name])) {
        options.profile = provider;
      }
    }
  }
  if (options.profile === 'gemini') {
    const env: NodeJS.ProcessEnv = {
      ...processEnv,
@@ -825,12 +842,18 @@ export async function buildStartupEnvFromProfile(options?: {
  const persisted = options?.persisted ?? loadProfileFile()
  // Saved /provider profiles should still win over provider-manager env that was
-  // auto-applied during startup. Only explicit shell/flag provider selection
+  // auto-applied during startup. Only an explicit shell/flag provider selection
  // should bypass the persisted startup profile.
  //
  const profileManagedEnv = processEnv.CLAUDE_CODE_PROVIDER_PROFILE_ENV_APPLIED === '1'
-  if (hasExplicitProviderSelection(processEnv) && !profileManagedEnv) {
+
-    return processEnv
+  // If the user explicitly selected a provider via env, allow it to bypass
-  }
+  // the persisted profile only when we can prove it was managed by the
  // persisted profile env itself.
  //
  // Practically: on initial startup, provider routing env vars can already
  // be present due to earlier auto-application steps. We should still apply
  // the persisted profile rather than returning early.
  if (!persisted) {
    return processEnv
--- a/src/utils/providerProfiles.test.ts
+++ b/src/utils/providerProfiles.test.ts
@@ -13,6 +13,7 @@ const RESTORED_KEYS = [
  'CLAUDE_CODE_PROVIDER_PROFILE_ENV_APPLIED_ID',
  'CLAUDE_CODE_USE_OPENAI',
  'CLAUDE_CODE_USE_GEMINI',
  'CLAUDE_CODE_USE_MISTRAL',
  'CLAUDE_CODE_USE_GITHUB',
  'CLAUDE_CODE_USE_BEDROCK',
  'CLAUDE_CODE_USE_VERTEX',
@@ -24,6 +25,15 @@ const RESTORED_KEYS = [
  'ANTHROPIC_BASE_URL',
  'ANTHROPIC_MODEL',
  'ANTHROPIC_API_KEY',
  'GEMINI_BASE_URL',
  'GEMINI_MODEL',
  'GEMINI_API_KEY',
  'GEMINI_AUTH_MODE',
  'GEMINI_ACCESS_TOKEN',
  'GOOGLE_API_KEY',
  'MISTRAL_BASE_URL',
  'MISTRAL_MODEL',
  'MISTRAL_API_KEY',
 ] as const
 type MockConfigState = {
@@ -98,6 +108,24 @@ function buildProfile(overrides: Partial<ProviderProfile> = {}): ProviderProfile
  }
 }
 function buildMistralProfile(overrides: Partial<ProviderProfile> = {}): ProviderProfile {
  return buildProfile({
    provider: 'mistral',
    baseUrl: 'https://api.mistral.ai/v1',
    model: 'devstral-latest',
    ...overrides,
  })
 }
 function buildGeminiProfile(overrides: Partial<ProviderProfile> = {}): ProviderProfile {
  return buildProfile({
    provider: 'gemini',
    baseUrl: 'https://generativelanguage.googleapis.com/v1beta/openai',
    model: 'gemini-3-flash-preview',
    ...overrides,
  })
 }
 describe('applyProviderProfileToProcessEnv', () => {
  test('openai profile clears competing gemini/github flags', async () => {
    const { applyProviderProfileToProcessEnv } =
@@ -118,6 +146,36 @@ describe('applyProviderProfileToProcessEnv', () => {
    expect(getFreshAPIProvider()).toBe('openai')
  })
  test('mistral profile sets CLAUDE_CODE_USE_MISTRAL and clears openai flags', async () => {
    const { applyProviderProfileToProcessEnv } =
      await importFreshProviderProfileModules()
    process.env.CLAUDE_CODE_USE_OPENAI = '1'
    applyProviderProfileToProcessEnv(buildMistralProfile())
    const { getAPIProvider: getFreshAPIProvider } =
      await importFreshProvidersModule()
    expect(process.env.CLAUDE_CODE_USE_MISTRAL).toBe('1')
    expect(process.env.CLAUDE_CODE_USE_OPENAI).toBeUndefined()
    expect(process.env.MISTRAL_MODEL).toBe('devstral-latest')
    expect(getFreshAPIProvider()).toBe('mistral')
  })
  test('gemini profile sets CLAUDE_CODE_USE_GEMINI and clears openai flags', async () => {
    const { applyProviderProfileToProcessEnv } =
      await importFreshProviderProfileModules()
    process.env.CLAUDE_CODE_USE_OPENAI = '1'
    applyProviderProfileToProcessEnv(buildGeminiProfile())
    const { getAPIProvider: getFreshAPIProvider } =
      await importFreshProvidersModule()
    expect(process.env.CLAUDE_CODE_USE_GEMINI).toBe('1')
    expect(process.env.CLAUDE_CODE_USE_OPENAI).toBeUndefined()
    expect(process.env.GEMINI_MODEL).toBe('gemini-3-flash-preview')
    expect(getFreshAPIProvider()).toBe('gemini')
  })
  test('anthropic profile clears competing gemini/github flags', async () => {
    const { applyProviderProfileToProcessEnv } =
      await importFreshProviderProfileModules()
--- a/src/utils/providerProfiles.ts
+++ b/src/utils/providerProfiles.ts
@@ -6,6 +6,14 @@ import {
 } from './config.js'
 import type { ModelOption } from './model/modelOptions.js'
 import { getPrimaryModel, parseModelList } from './providerModels.js'
 import {
  createProfileFile,
  saveProfileFile,
  buildGeminiProfileEnv,
  buildMistralProfileEnv,
  buildOpenAIProfileEnv,
  type ProviderProfile as ProviderProfileStartup,
 } from './providerProfile.js'
 export type ProviderPreset =
  | 'anthropic'
@@ -60,7 +68,14 @@ function normalizeBaseUrl(value: string): string {
 function sanitizeProfile(profile: ProviderProfile): ProviderProfile | null {
  const id = trimValue(profile.id)
  const name = trimValue(profile.name)
-  const provider = profile.provider === 'anthropic' ? 'anthropic' : 'openai'
+  const provider =
    profile.provider === 'anthropic'
      ? 'anthropic'
      : profile.provider === 'mistral'
        ? 'mistral'
        : profile.provider === 'gemini'
          ? 'gemini'
          : 'openai'
  const baseUrl = normalizeBaseUrl(profile.baseUrl)
  const model = trimValue(profile.model)
@@ -161,7 +176,7 @@ export function getProviderPresetDefaults(
      }
    case 'gemini':
      return {
-        provider: 'openai',
+        provider: 'gemini',
        name: 'Google Gemini',
        baseUrl: 'https://generativelanguage.googleapis.com/v1beta/openai',
        model: 'gemini-3-flash-preview',
@@ -170,7 +185,7 @@ export function getProviderPresetDefaults(
      }
    case 'mistral':
      return {
-        provider: 'openai',
+        provider: 'mistral',
        name: 'Mistral',
        baseUrl: 'https://api.mistral.ai/v1',
        model: 'devstral-latest',
@@ -317,6 +332,7 @@ function hasConflictingProviderFlagsForProfile(
  return (
    processEnv.CLAUDE_CODE_USE_GEMINI !== undefined ||
    processEnv.CLAUDE_CODE_USE_MISTRAL !== undefined ||
    processEnv.CLAUDE_CODE_USE_GITHUB !== undefined ||
    processEnv.CLAUDE_CODE_USE_BEDROCK !== undefined ||
    processEnv.CLAUDE_CODE_USE_VERTEX !== undefined ||
@@ -358,6 +374,38 @@ function isProcessEnvAlignedWithProfile(
    )
  }
  if (profile.provider === 'mistral') {
    return (
      processEnv.CLAUDE_CODE_USE_MISTRAL !== undefined &&
      processEnv.CLAUDE_CODE_USE_GEMINI === undefined &&
      processEnv.CLAUDE_CODE_USE_OPENAI === undefined &&
      processEnv.CLAUDE_CODE_USE_GITHUB === undefined &&
      processEnv.CLAUDE_CODE_USE_BEDROCK === undefined &&
      processEnv.CLAUDE_CODE_USE_VERTEX === undefined &&
      processEnv.CLAUDE_CODE_USE_FOUNDRY === undefined &&
      sameOptionalEnvValue(processEnv.MISTRAL_BASE_URL, profile.baseUrl) &&
      sameOptionalEnvValue(processEnv.MISTRAL_MODEL, profile.model) &&
      (!includeApiKey ||
        sameOptionalEnvValue(processEnv.MISTRAL_API_KEY, profile.apiKey))
    )
  }
  if (profile.provider === 'gemini') {
    return (
      processEnv.CLAUDE_CODE_USE_GEMINI !== undefined &&
      processEnv.CLAUDE_CODE_USE_MISTRAL === undefined &&
      processEnv.CLAUDE_CODE_USE_OPENAI === undefined &&
      processEnv.CLAUDE_CODE_USE_GITHUB === undefined &&
      processEnv.CLAUDE_CODE_USE_BEDROCK === undefined &&
      processEnv.CLAUDE_CODE_USE_VERTEX === undefined &&
      processEnv.CLAUDE_CODE_USE_FOUNDRY === undefined &&
      sameOptionalEnvValue(processEnv.GEMINI_BASE_URL, profile.baseUrl) &&
      sameOptionalEnvValue(processEnv.GEMINI_MODEL, profile.model) &&
      (!includeApiKey ||
        sameOptionalEnvValue(processEnv.GEMINI_API_KEY, profile.apiKey))
    )
  }
  return (
    processEnv.CLAUDE_CODE_USE_OPENAI !== undefined &&
    processEnv.CLAUDE_CODE_USE_GEMINI === undefined &&
@@ -407,6 +455,17 @@ export function clearProviderProfileEnvFromProcessEnv(
  delete processEnv[PROFILE_ENV_APPLIED_FLAG]
  delete processEnv[PROFILE_ENV_APPLIED_ID]
  delete processEnv.GEMINI_MODEL
  delete processEnv.GEMINI_BASE_URL
  delete processEnv.GEMINI_API_KEY
  delete processEnv.GEMINI_AUTH_MODE
  delete processEnv.GEMINI_ACCESS_TOKEN
  delete processEnv.GOOGLE_API_KEY
  delete processEnv.MISTRAL_MODEL
  delete processEnv.MISTRAL_BASE_URL
  delete processEnv.MISTRAL_API_KEY
  // Clear provider-specific API keys
  delete processEnv.MINIMAX_API_KEY
  delete processEnv.NVIDIA_API_KEY
@@ -435,6 +494,40 @@ export function applyProviderProfileToProcessEnv(profile: ProviderProfile): void
    return
  }
  if (profile.provider === 'mistral') {
    process.env.CLAUDE_CODE_USE_MISTRAL = '1'
    process.env.MISTRAL_BASE_URL = profile.baseUrl
    process.env.MISTRAL_MODEL = profile.model
    if (profile.apiKey) {
      process.env.MISTRAL_API_KEY = profile.apiKey
    } else {
      delete process.env.MISTRAL_API_KEY
    }
    delete process.env.OPENAI_BASE_URL
    delete process.env.OPENAI_API_KEY
    delete process.env.OPENAI_MODEL
    return
  }
  if (profile.provider === 'gemini') {
    process.env.CLAUDE_CODE_USE_GEMINI = '1'
    process.env.GEMINI_BASE_URL = profile.baseUrl
    process.env.GEMINI_MODEL = profile.model
    if (profile.apiKey) {
      process.env.GEMINI_API_KEY = profile.apiKey
    } else {
      delete process.env.GEMINI_API_KEY
    }
    delete process.env.OPENAI_BASE_URL
    delete process.env.OPENAI_API_KEY
    delete process.env.OPENAI_MODEL
    return
  }
  process.env.CLAUDE_CODE_USE_OPENAI = '1'
  process.env.OPENAI_BASE_URL = profile.baseUrl
  process.env.OPENAI_MODEL = getPrimaryModel(profile.model)
@@ -520,7 +613,7 @@ export function addProviderProfile(
  const activeProfile = getActiveProviderProfile()
  if (activeProfile?.id === profile.id) {
-    applyProviderProfileToProcessEnv(profile)
+    setActiveProviderProfile(profile.id)
    clearActiveOpenAIModelOptionsCache()
  }
@@ -699,6 +792,68 @@ export function setActiveProviderProfile(
  }))
  applyProviderProfileToProcessEnv(activeProfile)
  // Keep startup persisted provider profile in sync so initial startup
  // uses the selected provider/model.
  const persistedProfile = (() => {
    if (activeProfile.provider === 'anthropic') return 'openai' as const
    return activeProfile.provider
  })()
  const profileEnv = (() => {
    switch (activeProfile.provider) {
      case 'gemini':
        return (
          buildGeminiProfileEnv({
            model: activeProfile.model,
            baseUrl: activeProfile.baseUrl,
            apiKey: activeProfile.apiKey,
            authMode: 'api-key',
            processEnv: process.env,
          }) ?? null
        )
      case 'mistral':
        return (
          buildMistralProfileEnv({
            model: activeProfile.model,
            baseUrl: activeProfile.baseUrl,
            apiKey: activeProfile.apiKey,
            processEnv: process.env,
          }) ?? null
        )
      default:
        // anthropic and all openai-compatible providers
        return (
          buildOpenAIProfileEnv({
            model: activeProfile.model,
            baseUrl: activeProfile.baseUrl,
            apiKey: activeProfile.apiKey,
            processEnv: process.env,
          }) ?? null
        )
    }
  })()
  if (profileEnv) {
    const startupProfile =
      activeProfile.provider === 'anthropic'
        ? ({
            profile: 'openai' as ProviderProfileStartup,
            env: {
              OPENAI_BASE_URL: activeProfile.baseUrl,
              OPENAI_MODEL: activeProfile.model,
              OPENAI_API_KEY: activeProfile.apiKey,
            },
          } as const)
        : ({
            profile: activeProfile.provider as ProviderProfileStartup,
            env: profileEnv,
          } as const)
    const file = createProfileFile(startupProfile.profile, startupProfile.env)
    saveProfileFile(file)
  }
  return activeProfile
 }
--- a/src/utils/providerSecrets.ts
+++ b/src/utils/providerSecrets.ts
@@ -61,15 +61,7 @@ export function maskSecretForDisplay(
    return 'configured'
  }
-  if (sanitized.startsWith('sk-')) {
+  return `${sanitized.slice(0, 3)}...${sanitized.slice(-3)}`
    return `${sanitized.slice(0, 3)}...${sanitized.slice(-4)}`
  }
  if (sanitized.startsWith('AIza')) {
    return `${sanitized.slice(0, 4)}...${sanitized.slice(-4)}`
  }
  return `${sanitized.slice(0, 2)}...${sanitized.slice(-4)}`
 }
 export function redactSecretValueForDisplay(
--- a/src/utils/providerValidation.test.ts
+++ b/src/utils/providerValidation.test.ts
@@ -1,6 +1,9 @@
 import { afterEach, expect, test } from 'bun:test'
-import { getProviderValidationError } from './providerValidation.ts'
+import {
  getProviderValidationError,
  shouldExitForStartupProviderValidationError,
 } from './providerValidation.ts'
 const originalEnv = {
  CLAUDE_CODE_USE_OPENAI: process.env.CLAUDE_CODE_USE_OPENAI,
@@ -93,3 +96,45 @@ test('openai missing key error includes recovery guidance and config locations',
  expect(message).toContain('Saved startup settings can come from')
  expect(message).toContain('.openclaude-profile.json')
 })
 test('startup provider validation allows interactive recovery', () => {
  expect(
    shouldExitForStartupProviderValidationError({
      args: [],
      stdoutIsTTY: true,
    }),
  ).toBe(false)
 })
 test('startup provider validation stays strict for non-interactive launches', () => {
  expect(
    shouldExitForStartupProviderValidationError({
      args: ['-p', 'hello'],
      stdoutIsTTY: true,
    }),
  ).toBe(true)
  expect(
    shouldExitForStartupProviderValidationError({
      args: ['--print', 'hello'],
      stdoutIsTTY: true,
    }),
  ).toBe(true)
  expect(
    shouldExitForStartupProviderValidationError({
      args: [],
      stdoutIsTTY: false,
    }),
  ).toBe(true)
  expect(
    shouldExitForStartupProviderValidationError({
      args: ['--sdk-url', 'ws://127.0.0.1:3000'],
      stdoutIsTTY: true,
    }),
  ).toBe(true)
  expect(
    shouldExitForStartupProviderValidationError({
      args: ['--sdk-url=ws://127.0.0.1:3000'],
      stdoutIsTTY: true,
    }),
  ).toBe(true)
 })
--- a/src/utils/providerValidation.ts
+++ b/src/utils/providerValidation.ts
@@ -169,3 +169,44 @@ export async function validateProviderEnvOrExit(
    process.exit(1)
  }
 }
 export function shouldExitForStartupProviderValidationError(options: {
  args?: string[]
  stdoutIsTTY?: boolean
 } = {}): boolean {
  const args = options.args ?? process.argv.slice(2)
  const stdoutIsTTY = options.stdoutIsTTY ?? process.stdout.isTTY
  if (!stdoutIsTTY) {
    return true
  }
  return (
    args.includes('-p') ||
    args.includes('--print') ||
    args.includes('--init-only') ||
    args.some(arg => arg.startsWith('--sdk-url'))
  )
 }
 export async function validateProviderEnvForStartupOrExit(
  env: NodeJS.ProcessEnv = process.env,
  options?: {
    args?: string[]
    stdoutIsTTY?: boolean
  },
 ): Promise<void> {
  const error = await getProviderValidationError(env)
  if (!error) {
    return
  }
  if (shouldExitForStartupProviderValidationError(options)) {
    console.error(error)
    process.exit(1)
  }
  console.error(
    `Warning: provider configuration is incomplete.\n${error}\nOpenClaude will continue starting so you can run /provider and repair the saved provider settings.`,
  )
 }
--- a/src/utils/sandbox/sandbox-adapter.ts
+++ b/src/utils/sandbox/sandbox-adapter.ts
@@ -456,10 +456,19 @@ const checkDependencies = memoize((): SandboxDependencyCheck => {
  })
 })
 /**
 * Read sandbox.enabled only from trusted settings sources.
 * projectSettings is intentionally excluded — a malicious repo could
 * otherwise disable the sandbox via .claude/settings.json.
 */
 function getSandboxEnabledSetting(): boolean {
  try {
-    const settings = getSettings_DEPRECATED()
+    return !!(
-    return settings?.sandbox?.enabled ?? false
+      getSettingsForSource('userSettings')?.sandbox?.enabled ||
      getSettingsForSource('localSettings')?.sandbox?.enabled ||
      getSettingsForSource('flagSettings')?.sandbox?.enabled ||
      getSettingsForSource('policySettings')?.sandbox?.enabled
    )
  } catch (error) {
    logForDebugging(`Failed to get settings for sandbox check: ${error}`)
    return false
--- a/src/utils/settings/settings.ts
+++ b/src/utils/settings/settings.ts
@@ -300,9 +300,9 @@ export function getRelativeSettingsFilePathForSource(
 ): string {
  switch (source) {
    case 'projectSettings':
-      return join('.openclaude', 'settings.json')
+      return '.openclaude/settings.json'
    case 'localSettings':
-      return join('.openclaude', 'settings.local.json')
+      return '.openclaude/settings.local.json'
  }
 }
--- a/src/utils/swarm/permissionSync.ts
+++ b/src/utils/swarm/permissionSync.ts
@@ -207,6 +207,10 @@ export function createPermissionRequest(params: {
 }
 /**
 * @deprecated Use sendPermissionRequestViaMailbox() instead. This file-based
 * approach writes to an unauthenticated directory where any local process can
 * forge requests. Retained for backward compatibility but no longer called.
 *
 * Write a permission request to the pending directory with file locking
 * Called by worker agents when they need permission approval from the leader
 *
@@ -250,6 +254,10 @@ export async function writePermissionRequest(
 }
 /**
 * @deprecated No longer called — permission requests are sent via mailbox.
 * The pending directory is an unauthenticated channel. Retained for backward
 * compatibility.
 *
 * Read all pending permission requests for a team
 * Called by the team leader to see what requests need attention
 */
@@ -312,6 +320,11 @@ export async function readPendingPermissions(
 }
 /**
 * @deprecated No longer called — permission responses are delivered via mailbox
 * (processMailboxPermissionResponse). The resolved directory is an unauthenticated
 * channel where any local process can forge approvals. Retained for backward
 * compatibility.
 *
 * Read a resolved permission request by ID
 * Called by workers to check if their request has been resolved
 *
@@ -352,6 +365,10 @@ export async function readResolvedPermission(
 }
 /**
 * @deprecated Use sendPermissionResponseViaMailbox() instead. This file-based
 * approach writes to an unauthenticated directory where any local process can
 * forge approvals. Retained for backward compatibility but no longer called.
 *
 * Resolve a permission request
 * Called by the team leader (or worker in self-resolution cases)
 *
@@ -536,6 +553,10 @@ export type PermissionResponse = {
 }
 /**
 * @deprecated Use processMailboxPermissionResponse() via useInboxPoller instead.
 * File-based polling reads from an unauthenticated directory where any local
 * process can forge approval files. Retained for backward compatibility.
 *
 * Poll for a permission response (worker-side convenience function)
 * Converts the resolved request into a simpler response format
 *
@@ -564,6 +585,9 @@ export async function pollForResponse(
 }
 /**
 * @deprecated File-based response cleanup is no longer needed — responses are
 * delivered via mailbox. Retained for backward compatibility.
 *
 * Remove a worker's response after processing
 * This is an alias for deleteResolvedPermission for backward compatibility
 */
@@ -601,6 +625,9 @@ export function isSwarmWorker(): boolean {
 }
 /**
 * @deprecated File-based resolved permissions are no longer written. Responses
 * are delivered via mailbox. Retained for backward compatibility.
 *
 * Delete a resolved permission file
 * Called after a worker has processed the resolution
 */
@@ -635,8 +662,8 @@ export async function deleteResolvedPermission(
 }
 /**
- * Submit a permission request (alias for writePermissionRequest)
+ * @deprecated Alias for writePermissionRequest, which is itself deprecated.
- * Provided for backward compatibility with worker integration code
+ * Use sendPermissionRequestViaMailbox() instead.
 */
 export const submitPermissionRequest = writePermissionRequest
--- a/src/utils/truncate.test.ts
+++ b/src/utils/truncate.test.ts
@@ -0,0 +1,15 @@
 import { truncate, truncateToWidth, truncatePathMiddle } from './truncate.js'
 describe('truncate utilities', () => {
  test('truncate returns empty string for undefined input', () => {
    expect(truncate(undefined, 10)).toBe('')
  })
  test('truncateToWidth returns empty string for undefined input', () => {
    expect(truncateToWidth(undefined, 5)).toBe('')
  })
  test('truncatePathMiddle returns empty string for undefined path', () => {
    expect(truncatePathMiddle(undefined, 20)).toBe('')
  })
 })
--- a/src/utils/truncate.ts
+++ b/src/utils/truncate.ts
@@ -13,10 +13,11 @@ import { getGraphemeSegmenter } from './intl.js'
 * @param maxLength Maximum display width of the result in terminal columns (must be > 0)
 * @returns The truncated path, or original if it fits within maxLength
 */
-export function truncatePathMiddle(path: string, maxLength: number): string {
+export function truncatePathMiddle(path: string | undefined, maxLength: number): string {
  const safePath = path ?? ''
  // No truncation needed
-  if (stringWidth(path) <= maxLength) {
+  if (stringWidth(safePath) <= maxLength) {
-    return path
+    return safePath
  }
  // Handle edge case of very small or non-positive maxLength
@@ -26,14 +27,14 @@ export function truncatePathMiddle(path: string, maxLength: number): string {
  // Need at least room for "…" + something meaningful
  if (maxLength < 5) {
-    return truncateToWidth(path, maxLength)
+    return truncateToWidth(safePath, maxLength)
  }
  // Find the filename (last path segment)
-  const lastSlash = path.lastIndexOf('/')
+  const lastSlash = safePath.lastIndexOf('/')
  // Include the leading slash in filename for display
-  const filename = lastSlash >= 0 ? path.slice(lastSlash) : path
+  const filename = lastSlash >= 0 ? safePath.slice(lastSlash) : safePath
-  const directory = lastSlash >= 0 ? path.slice(0, lastSlash) : ''
+  const directory = lastSlash >= 0 ? safePath.slice(0, lastSlash) : ''
  const filenameWidth = stringWidth(filename)
  // If filename alone is too long, truncate from start
@@ -60,12 +61,13 @@ export function truncatePathMiddle(path: string, maxLength: number): string {
 * Splits on grapheme boundaries to avoid breaking emoji or surrogate pairs.
 * Appends '…' when truncation occurs.
 */
-export function truncateToWidth(text: string, maxWidth: number): string {
+export function truncateToWidth(text: string | undefined, maxWidth: number): string {
-  if (stringWidth(text) <= maxWidth) return text
+  const safeText = text ?? ''
  if (stringWidth(safeText) <= maxWidth) return safeText
  if (maxWidth <= 1) return '…'
  let width = 0
  let result = ''
-  for (const { segment } of getGraphemeSegmenter().segment(text)) {
+  for (const { segment } of getGraphemeSegmenter().segment(safeText)) {
    const segWidth = stringWidth(segment)
    if (width + segWidth > maxWidth - 1) break
    result += segment
@@ -79,10 +81,11 @@ export function truncateToWidth(text: string, maxWidth: number): string {
 * Prepends '…' when truncation occurs.
 * Width-aware and grapheme-safe.
 */
-export function truncateStartToWidth(text: string, maxWidth: number): string {
+export function truncateStartToWidth(text: string | undefined, maxWidth: number): string {
-  if (stringWidth(text) <= maxWidth) return text
+  const safeText = text ?? ''
  if (stringWidth(safeText) <= maxWidth) return safeText
  if (maxWidth <= 1) return '…'
-  const segments = [...getGraphemeSegmenter().segment(text)]
+  const segments = [...getGraphemeSegmenter().segment(safeText)]
  let width = 0
  let startIdx = segments.length
  for (let i = segments.length - 1; i >= 0; i--) {
@@ -106,14 +109,15 @@ export function truncateStartToWidth(text: string, maxWidth: number): string {
 * Width-aware and grapheme-safe.
 */
 export function truncateToWidthNoEllipsis(
-  text: string,
+  text: string | undefined,
  maxWidth: number,
 ): string {
-  if (stringWidth(text) <= maxWidth) return text
+  const safeText = text ?? ''
  if (stringWidth(safeText) <= maxWidth) return safeText
  if (maxWidth <= 0) return ''
  let width = 0
  let result = ''
-  for (const { segment } of getGraphemeSegmenter().segment(text)) {
+  for (const { segment } of getGraphemeSegmenter().segment(safeText)) {
    const segWidth = stringWidth(segment)
    if (width + segWidth > maxWidth) break
    result += segment
@@ -133,20 +137,19 @@ export function truncateToWidthNoEllipsis(
 */
 export function truncate(
-  str: string,
+  str: string | undefined,
  maxWidth: number,
  singleLine: boolean = false,
 ): string {
-  // Undefined or null protection
+  const safeStr = str ?? ''
-  if (!str) return ''
+  if (safeStr === '') return ''
-
+  let result = safeStr
  let result = str
  // If singleLine is true, truncate at first newline
  if (singleLine) {
-    const firstNewline = str.indexOf('\n')
+    const firstNewline = safeStr.indexOf('\n')
    if (firstNewline !== -1) {
-      result = str.substring(0, firstNewline)
+      result = safeStr.substring(0, firstNewline)
      // Ensure total width including ellipsis doesn't exceed maxWidth
      if (stringWidth(result) + 1 > maxWidth) {
        return truncateToWidth(result, maxWidth)
--- a/src/utils/urlRedaction.test.ts
+++ b/src/utils/urlRedaction.test.ts
@@ -0,0 +1,38 @@
 import { describe, expect, test } from 'bun:test'
 import { redactUrlForDisplay } from './urlRedaction.ts'
 describe('redactUrlForDisplay', () => {
  test('redacts credentials and sensitive query params for valid URLs', () => {
    const redacted = redactUrlForDisplay(
      'http://user:pass@localhost:11434/v1?api_key=secret&foo=bar',
    )
    expect(redacted).toBe(
      'http://redacted:redacted@localhost:11434/v1?api_key=redacted&foo=bar',
    )
  })
  test('redacts token-like query parameter names', () => {
    const redacted = redactUrlForDisplay(
      'https://example.com/v1?x_access_token=abc123&model=qwen2.5-coder',
    )
    expect(redacted).toBe(
      'https://example.com/v1?x_access_token=redacted&model=qwen2.5-coder',
    )
  })
  test('falls back to regex redaction for malformed URLs', () => {
    const redacted = redactUrlForDisplay(
      '//user:pass@localhost:11434?token=abc&mode=test',
    )
    expect(redacted).toBe('//redacted@localhost:11434?token=redacted&mode=test')
  })
  test('keeps non-sensitive URLs unchanged', () => {
    const url = 'http://localhost:11434/v1?model=llama3.1:8b'
    expect(redactUrlForDisplay(url)).toBe(url)
  })
 })
--- a/src/utils/urlRedaction.ts
+++ b/src/utils/urlRedaction.ts
@@ -0,0 +1,48 @@
 const SENSITIVE_URL_QUERY_PARAM_TOKENS = [
  'api_key',
  'apikey',
  'key',
  'token',
  'access_token',
  'refresh_token',
  'signature',
  'sig',
  'secret',
  'password',
  'passwd',
  'pwd',
  'auth',
  'authorization',
 ]
 function shouldRedactUrlQueryParam(name: string): boolean {
  const lower = name.toLowerCase()
  return SENSITIVE_URL_QUERY_PARAM_TOKENS.some(token => lower.includes(token))
 }
 export function redactUrlForDisplay(rawUrl: string): string {
  try {
    const parsed = new URL(rawUrl)
    if (parsed.username) {
      parsed.username = 'redacted'
    }
    if (parsed.password) {
      parsed.password = 'redacted'
    }
    for (const key of parsed.searchParams.keys()) {
      if (shouldRedactUrlQueryParam(key)) {
        parsed.searchParams.set(key, 'redacted')
      }
    }
    return parsed.toString()
  } catch {
    return rawUrl
      .replace(/\/\/[^/@\s]+(?::[^/@\s]*)?@/g, '//redacted@')
      .replace(
        /([?&](?:token|access_token|refresh_token|api_key|apikey|key|password|passwd|pwd|auth|authorization|signature|sig|secret)=)[^&#]*/gi,
        '$1redacted',
      )
  }
 }
Author	SHA1	Message	Date
Juan Camilo	a06ea87545	fix(security): remove unauthenticated file-based permission polling Remove the legacy file-based permission polling from useSwarmPermissionPoller that read from ~/.claude/teams/{name}/permissions/resolved/ — an unauthenticated directory where any local process could forge approval files to auto-approve tool uses for swarm teammates. The file polling was dead code: - The useSwarmPermissionPoller() hook was never mounted by any component - resolvePermission() (the file writer) was never imported outside its module - Permission responses are delivered exclusively via the mailbox system: Leader: sendPermissionResponseViaMailbox() → writeToMailbox() Worker: useInboxPoller → processMailboxPermissionResponse() Changes: - Remove file polling loop, processResponse(), and React hook imports from useSwarmPermissionPoller.ts (now a pure callback registry module) - Mark 7 file-based functions as @deprecated in permissionSync.ts - Add 4 regression tests verifying the removal No exported functions removed — only deprecated. All 5 consumer modules verified: they import only mailbox-based functions that remain unchanged.	2026-04-20 14:38:57 +02:00
Juan Camilo	c0354e8699	fix(security): harden project settings trust boundary + MCP sanitization - Sanitize MCP tool result text with recursivelySanitizeUnicode() to prevent Unicode injection via malicious MCP servers (tool definitions and prompts were already sanitized, but tool call results were not) - Read sandbox.enabled only from trusted settings sources (user, local, flag, policy) — exclude projectSettings to prevent malicious repos from silently disabling the sandbox via .claude/settings.json - Disable git hooks in plugin marketplace clone/pull/submodule operations with core.hooksPath=/dev/null to prevent code execution from cloned repos - Remove ANTHROPIC_FOUNDRY_API_KEY from SAFE_ENV_VARS to prevent credential injection from project-scoped settings without trust verification - Add ssrfGuardedLookup to WebFetch HTTP requests to block DNS rebinding attacks that could reach cloud metadata or internal services Security: closes trust boundary gap where project settings could override security-critical configuration. Follows the existing pattern established by hasAllowBypassPermissionsMode() which already excludes projectSettings. Co-authored-by: auriti <auriti@users.noreply.github.com>	2026-04-20 14:11:46 +02:00
Zartris	4d4fb2880e	fix: rename .claude.json to .openclaude.json with legacy fallback (#582 ) * fix: rename .claude.json to .openclaude.json with legacy fallback Rename the global config file from ~/.claude.json to ~/.openclaude.json, following the same migration pattern as the config directory (~/.claude → ~/.openclaude). - getGlobalClaudeFile() now prefers .openclaude.json; falls back to .claude.json only if the legacy file exists and the new one does not - Add .openclaude.json to filesystem permissions allowlist (keep .claude.json for legacy file protection) - Update all comment/string references from ~/.claude.json to ~/.openclaude.json across 12 files New installs get .openclaude.json from the start. Existing users continue using .claude.json until they rename it (or a future explicit migration). * test: add unit tests for getGlobalClaudeFile migration branches Covers the three cases: - new install (neither file exists) → .openclaude.json - existing user (only legacy .claude.json exists) → .claude.json - migrated user (both files exist) → .openclaude.json --------- Co-authored-by: Zartris <14197299+Zartris@users.noreply.github.com>	2026-04-20 17:13:09 +08:00
Zartris	fdef4a1b4c	feat: native Anthropic API mode for Claude models on GitHub Copilot (#579 ) * feat: native Anthropic API mode for Claude models on GitHub Copilot When using Claude models through GitHub Copilot, automatically switch from the OpenAI-compatible shim to Anthropic's native messages API format. The Copilot proxy (api.githubcopilot.com) supports Anthropic's native API for Claude models. This enables cache_control blocks to be sent and honoured, allowing explicit prompt caching control (as opposed to relying solely on server-side auto-caching). Changes: - Add isGithubNativeAnthropicMode() in providers.ts that auto-enables when the resolved model starts with "claude-" and the GitHub provider is active - Create a native Anthropic client in client.ts using the GitHub base URL and Bearer token authentication when native mode is detected - Enable prompt caching in claude.ts for native GitHub mode so cache_control blocks are sent (previously only allowed for firstParty/bedrock/vertex) - CLAUDE_CODE_GITHUB_ANTHROPIC_API=1 env var to force native mode for any model Benefits: - Proper Anthropic message format (no lossy OpenAI translation) - Explicit cache_control blocks for fine-grained caching control - Potentially better Claude model behaviour with native format Related: #515 * fix: scope force flag to Claude models and add isGithubNativeAnthropicMode tests - CLAUDE_CODE_GITHUB_ANTHROPIC_API=1 now returns false for non-Claude models (force flag still useful for aliases like 'github:copilot' with no model resolved yet, where it returns true when model is empty) - Add 7 focused tests covering mode detection: off without GitHub provider, auto-detect via OPENAI_MODEL and resolvedModel, non-Claude model rejection, and force-flag behaviour for claude/non-claude/no-model cases * fix: detect github:copilot:claude- compound format, remove force flag OPENAI_MODEL for GitHub Copilot uses the format 'github:copilot:MODEL' (e.g. 'github:copilot:claude-sonnet-4'), which does not start with 'claude-'. Auto-detection now handles both bare model names and the compound format. The CLAUDE_CODE_GITHUB_ANTHROPIC_API force flag is removed: with proper compound-format detection there is no remaining gap it could fill, and keeping a broad override flag without a concrete use case invites misuse. Tests updated to cover the compound format, generic alias (false), and non-Claude compound model (github:copilot:gpt-4o → false). * fix: use includes('claude-') for model detection, remove force flag Detection was broken for the standard GitHub Copilot compound format 'github:copilot:claude-sonnet-4' which does not start with 'claude-'. Using includes('claude-') handles bare names, compound names, and any future variants without needing updates. The CLAUDE_CODE_GITHUB_ANTHROPIC_API force flag is removed as it was a workaround for the broken detection, not a genuine use case. --------- Co-authored-by: Zartris <14197299+Zartris@users.noreply.github.com>	2026-04-20 16:34:58 +08:00
nehan	4cb963e660	feat(api): improve local provider reliability with readiness and self-healing (#738 ) * feat(api): classify openai-compatible provider failures * Update src/services/api/providerConfig.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update src/services/api/errors.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * feat(api): harden openai-compatible diagnostics and env fallback * Update src/services/api/openaiShim.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update src/services/api/openaiShim.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update src/services/api/errors.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update src/services/api/errors.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * fix openaiShim duplicate requests and diagnostics * remove unused url from http failure classifier * dedupe env diagnostic warnings * Remove hardcoded URLs from OpenAI error tests Removed hardcoded URLs from network failure classification tests. * Update providerConfig.envDiagnostics.test.ts * fix(openai-shim): return successful responses and restore localhost classifier tests * Update src/services/api/openaiShim.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update src/services/api/openaiShim.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update src/services/api/openaiShim.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * feat(provider): add truthful local generation readiness checks Implement Phase 2 provider readiness behavior by adding structured Ollama generation probes, wiring setup flows to readiness states, extending system-check with generation readiness output, and updating focused tests. * feat(api): add local self-healing fallback retries Implement Phase 3 self-healing behavior for local OpenAI-compatible providers: retry base URL fallbacks for localhost resolution and endpoint mismatches, plus capability-gated toolless retry for tool-incompatible local models; include diagnostics and focused tests. * fix(api): address review blockers for local provider reliability * Update src/utils/providerDiscovery.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Update src/services/api/openaiShim.ts Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * fix: harden readiness probes and cross-platform test stability * fix: refresh toolless retry payload and stabilize osc clipboard test * fix: harden Ollama readiness parsing and redact provider URLs --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2026-04-20 16:24:02 +08:00
github-actions[bot]	b09972f223	chore(main): release 0.5.2 (#781 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2026-04-20 15:25:42 +08:00
Kevin Codex	336ddcc50d	fix(api): replace phrase-based reasoning sanitizer with tag-based filter (#779 ) Reasoning models (MiniMax M2.7, GLM-4.5/5, DeepSeek, Kimi K2) inline chain-of-thought inside <think>...</think> tags in the content field rather than using the reasoning_content channel. The prior phrase-matching sanitizer (looksLikeLeakedReasoningPrefix) only caught English-prose preambles like "I should"/"the user asked", missed tag-based leaks entirely, and risked false-stripping legitimate assistant output. Replace with a structural tag-based approach (same pattern as hermes-agent): - createThinkTagFilter() — streaming state machine that buffers partial tags across SSE delta boundaries (<th\| + \|ink>), so tags split mid-chunk still parse correctly. - stripThinkTags() — whole-text cleanup for non-streaming responses and as a safety net. Handles closed pairs, unterminated opens at block boundaries, and orphan tags. - Recognizes think, thinking, reasoning, thought, REASONING_SCRATCHPAD case-insensitively, including tags with attributes. - False-negative bias: flush() discards buffered partial tags at stream end rather than leaking them. Existing phrase-based shim tests updated to exercise the actual <think> tag leak. Added regression tests confirming legitimate prose starting with "I should..." is preserved (the old sanitizer's main false-positive). Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-20 15:18:58 +08:00
github-actions[bot]	c0b8a59a23	chore(main): release 0.5.1 (#776 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2026-04-20 12:47:40 +08:00
Kevin Codex	aab489055c	fix: require trusted approval for sandbox override (#778 )	2026-04-20 12:01:44 +08:00
Kevin Codex	7002cb302b	fix: enforce Bash path constraints after sandbox allow (#777 )	2026-04-20 11:46:24 +08:00
Kevin Codex	739b8d1f40	fix: enforce MCP OAuth callback state before errors (#775 )	2026-04-20 09:36:05 +08:00
github-actions[bot]	f166ec1a4e	chore(main): release 0.5.0 (#758 ) Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>	2026-04-20 08:30:58 +08:00
Kevin Codex	13e9f22a83	feat: mask provider api key input (#772 )	2026-04-20 08:25:22 +08:00
Kevin Codex	f828171ef1	fix: allow provider recovery during startup (#765 )	2026-04-20 06:46:05 +08:00
Allan Almeida	e6e8d9a248	feat: add OPENCLAUDE_DISABLE_STRICT_TOOLS env var to opt out of strict MCP tool schema normalization (#770 ) When set, disables strict schema normalization for non-Gemini providers. Useful for OpenAI-compatible endpoints that reject MCP tools with complex optional params (e.g. list[dict]) with "Extra required key ... supplied" errors.	2026-04-20 06:45:01 +08:00
Sreedhar Busanelli	2c98be7002	fix: remove cached mcpClient in diagnostic tracking to prevent stale references (#727 ) * fix: remove cached mcpClient in diagnostic tracking to prevent stale references Resolves TODO comment about not caching the connected mcpClient since it can change. Changes: - Remove cached mcpClient field from DiagnosticTrackingService - Add currentMcpClients storage to track active clients - Update beforeFileEdited, getNewDiagnostics, and ensureFileOpened to accept client parameter - Add backward-compatible methods to maintain existing API - Update all callers to use new methods - Add comprehensive test coverage This prevents using stale MCP client references during reconnections, making diagnostic tracking more reliable. Fixes #TODO * docs: add my contributions section to README Add fork-specific section highlighting: - Diagnostic tracking enhancement (PR #727) - Technical skills demonstrated - Links to original project and my work - Professional contribution showcase * revert: remove README.md contributions section to comply with reviewer request - Remove 'My Fork & Contributions' section from README.md - Keep README.md focused on original project documentation - Maintain clean, project-focused README as requested by reviewer	2026-04-19 09:02:52 +08:00
3kin0x	b786b765f0	fix(api): drop orphan tool results to satisfy strict role sequence (#745 ) * fix(api): drop orphan tool results to satisfy Mistral/OpenAI strict role sequence * test: add test for orphan tool results and restore gemini comments	2026-04-19 08:57:14 +08:00
bpawnzz	55c5f262a9	fix: use raw context window for auto-compact percentage display (#748 ) Problem: After auto-compaction with DeepSeek models (e.g., deepseek-chat), the status line displayed ~16% remaining until next auto-compact, but users expected ~30% (since compaction reduces usage to roughly half of the full 128k context). Root cause: calculateTokenWarningState() used the auto-compaction threshold (effectiveContextWindow - 13k buffer) as the denominator for percentLeft. For DeepSeek-chat: - Raw context: 128,000 - Effective: 119,808 (128k - 8,192 output reservation) - Threshold: 106,808 (effective - 13k buffer) At 90k usage: - Old: (106,808 - 90k) / 106,808 ≈ 16% - Expected: (128,000 - 90k) / 128,000 ≈ 30% Fix: Change percentLeft calculation to use raw context window from getContextWindowForModel() as denominator, while keeping threshold-based warnings/triggers unchanged. This makes the displayed percentage show remaining capacity relative to the model's full context size. Impact: - UI now shows correct % of total context remaining - Auto-compaction trigger point unchanged (still ~90% of effective window) - All other threshold calculations unaffected Testing: - Manual verification: DeepSeek-chat at 90k tokens shows 30% remaining (was 16%) - Manual verification: Threshold still triggers at ~106k tokens - Build succeeds: npm run build - No breaking changes: Callers only depend on percentLeft for display; threshold logic unchanged Fixes the user-reported discrepancy for DeepSeek and other OpenAI-compatible models.	2026-04-19 08:55:41 +08:00
Kagura	002a8f1f6d	fix(mcp): sync required array with properties in tool schemas (#754 ) * fix(mcp): sync required array with properties in tool schemas MCP servers can emit schemas where the required array contains keys not present in properties. This causes API 400 errors: "Extra required key 'X' supplied." - Add sanitizeSchemaRequired() to filter required arrays - Apply it to MCP tool inputJSONSchema before sending to API - Also fix filterSwarmFieldsFromSchema to update required after removing properties Fixes #525 * test: add MCP schema required sanitization test	2026-04-19 06:44:25 +08:00
dhenuh	3d1979ff06	fix(help): prevent /help tab crash from undefined descriptions (#732 ) - Guard formatDescriptionWithSource() so missing command descriptions become '' - Harden truncate helpers to accept undefined text/path safely - Add regression tests covering undefined input cases	2026-04-19 06:38:44 +08:00
lunamonke	b0d9fe7112	Provider loading fix (#623 ) * add mistral and gemini provider type for profile provider field * load latest locally selected * env variables take precedence over json save * add gemini context windows and fix gemini defaulting for env * load on startup fix * fix failing tests * clarify test message * fix variable mismatches * fix failing test * delete keys and set profile.apiKey for mistral and gemini * switch model as well when switching provider * set model when adding a new model	2026-04-18 01:46:20 +08:00