Harden phase0 rolling retention timestamp parsing with explicit bounds and UTC round-trip validation; add regression coverage for invalid date/time tags. No architecture/protocol flow changes; diagram files reviewed and no updates were needed.
- Read Claude Code's OAuth token from ~/.claude/.credentials.json as
a fallback source for auth_mode: oauth (with expiry checking)
- Fix OAuth callback server to bind to localhost (not 127.0.0.1) and
use JSON content type for token exchange
- Null out apiKey when authToken is set to prevent SDK from falling
back to ANTHROPIC_API_KEY env var (routes to wrong billing)
- Add DeferredErrorClient so daemon starts even when credentials are
missing, surfacing the error on first chat() call instead of crash
- Prompt to complete OAuth flow immediately when setting auth_mode to
oauth with no token stored
Note: Anthropic currently rejects OAuth for API access (Feb 2026
policy change), but the plumbing is in place for if/when re-enabled.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Add regression tests that verify rolling and rolling:prune scripts keep shared overridable TAG semantics and tagged prune reports. No architecture/protocol flow changes; diagram files reviewed and no updates were needed.
Add AbortSignal support to pollForToken (GitHub) and pollDeviceToken
(OpenAI) using an abortable sleep that clears its timer immediately on
abort. Wire an AbortController into the TUI login handlers, triggered
by the readline SIGINT event, so Ctrl+C exits the wait loop cleanly
instead of hanging until the device code expires.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Remove implicit pnpm build from daemon-start and daemon-restart so
restarting the service doesn't trigger a rebuild. Add a deploy target
that explicitly chains build + daemon-restart for the combined workflow.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace vague "use tools immediately" imperative with precise rules:
add explicit no-tools-available clause to prevent fabrication on
tool-less backends, simplify the Operational Response Contract into
principles, and remove the redundant Autonomy Guardrail section.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
William Valentin