aaditagrawal
diff --git a/.plans/17-claude-code.md b/.plans/17-claude-code.md
Lines changed: 14 additions & 0 deletions
diff --git a/apps/server/src/ampServerManager.ts b/apps/server/src/ampServerManager.ts
Lines changed: 45 additions & 4 deletions
diff --git a/apps/server/src/geminiCliServerManager.test.ts b/apps/server/src/geminiCliServerManager.test.ts
Lines changed: 55 additions & 2 deletions
diff --git a/apps/server/src/geminiCliServerManager.ts b/apps/server/src/geminiCliServerManager.ts
Lines changed: 24 additions & 12 deletions
@@ -122,6 +122,9 @@ Each provider manages its own authentication externally:
 1. **Environment variables and CLI auth** -- Credentials are resolved via provider-native mechanisms (e.g. `ANTHROPIC_API_KEY` for Claude, `OPENAI_API_KEY` for Codex, `gh auth` for Copilot). The adapter layer never stores or brokers credentials directly; it relies on the underlying CLI/SDK picking them up from the environment.
 2. **Per-provider rate limiting** -- Each server manager (`codexAppServerManager`, `claudeCodeServerManager`, etc.) is responsible for honoring its provider's rate limits. Adapters should surface rate-limit errors as `ProviderAdapterProcessError` so orchestration can report them cleanly.
 3. **Concurrent session limits** -- The number of simultaneous provider sessions is bounded by system resources (open processes, file descriptors, memory). `ProviderSessionDirectory` tracks active sessions but does not enforce hard caps; operators should monitor resource usage when running multiple providers concurrently.
+4. **Credential leakage prevention** -- Error messages, logs, and serialized `ProviderAdapterProcessError` payloads must never include raw API keys or tokens. Adapters must redact secrets before surfacing diagnostics.
+5. **Secure environment propagation** -- When spawning child processes (CLI binaries, SDK sub-processes), pass an explicit allowlist of environment variables (for example, the provider's own credential variables plus basics such as `PATH` and `HOME`) rather than forwarding the entire `process.env`. This limits accidental exposure of unrelated secrets to the child.
+6. **Secret rotation** -- Rotating a provider API key or token requires restarting all active sessions for that provider; there is no hot-reload path for credentials. Operator-facing documentation must state this requirement.
 
 ### 2.2 Claude runtime bridge
 
@@ -341,6 +344,14 @@ Whichever option is chosen:
 2. checkpoint revert tests must pass under orchestration expectations
 3. user-visible activity log should explain failures clearly when provider rollback is impossible
 
+### Decision criteria
+
+Choose the rollback strategy as follows:
+
+1. If the Agent SDK exposes a native rewind/rollback API that can truncate conversation history to an arbitrary checkpoint, use **Option A** (provider-native rewind). This gives the cleanest UX and avoids session restart overhead.
+2. If no native rewind API exists, or the API cannot target the exact checkpoint boundary that orchestration requires, use **Option B** (session restart + state truncation shim).
+3. **Time-box rule:** if investigation into Option A takes longer than 2 working days without a reliable prototype, default to Option B and move on. Option A can be revisited as a follow-up enhancement once the base integration is stable.
+
 ---
 
 ## Phase 5: Web integration
@@ -434,6 +445,9 @@ Cover cross-provider interactions that single-adapter tests miss:
 2. **Concurrent active sessions** -- Run sessions on two or more different providers simultaneously. Verify events from each session are routed to the correct orchestration thread without cross-contamination.
 3. **Resume cursor isolation** -- Persist resume cursors from two different providers, then attempt to resume each. Confirm that one provider's cursor cannot accidentally be used to resume another provider's session (adapter parse should reject mismatched cursors).
 4. **Provider health monitoring** -- Simulate a provider becoming unavailable (process crash, binary missing). Verify `listProviderStatuses()` reflects the degraded state and that orchestration surfaces a clear error to the client rather than hanging.
+5. **Performance under load** -- Run 10+ concurrent provider sessions across mixed adapters. Monitor memory usage, open file descriptors, and event-delivery latency to ensure the server remains responsive and does not leak resources.
+6. **Chaos scenarios** -- Forcibly kill provider child processes and inject network timeouts mid-stream. Verify that orchestration detects the failure, emits a clear `runtime.error`, and cleans up session resources without leaving zombie processes.
+7. **Resume after ungraceful shutdown** -- Terminate the server (SIGKILL) while sessions are active, then restart. Validate that persisted resume cursors allow sessions to recover and that no corrupted state prevents new sessions from starting.
 
 ---
 
 
@@ -20,6 +20,7 @@ import {
 } from "@t3tools/contracts";
 import type { ProviderSessionUsage, ProviderUsageResult } from "@t3tools/contracts";
 import type { ProviderThreadSnapshot } from "./provider/Services/ProviderAdapter.ts";
+import { createLogger } from "./logger.ts";
 
 // ── Constants ───────────────────────────────────────────────────────
 
@@ -78,6 +79,8 @@ interface AmpSession {
   activeAssistantItemId: RuntimeItemId | undefined;
   /** Maps parent_tool_use_id → RuntimeTaskId for tracking subagent tasks. */
   readonly subagentTasks: Map<string, string>;
+  /** Maps tool_use_id → classified item type for consistent start/completion typing. */
+  readonly toolItemTypes: Map<string, ReturnType<typeof classifyToolName>>;
   readonly createdAt: string;
   updatedAt: string;
 }
@@ -167,6 +170,7 @@ export class AmpServerManager extends EventEmitter<{
   event: [ProviderRuntimeEvent];
 }> {
   private readonly sessions = new Map<ThreadId, AmpSession>();
+  private readonly logger = createLogger("amp");
 
   // ── Session lifecycle ───────────────────────────────────────────
 
@@ -211,6 +215,7 @@ export class AmpServerManager extends EventEmitter<{
       activeTurnId: undefined,
       activeAssistantItemId: undefined,
       subagentTasks: new Map(),
+      toolItemTypes: new Map(),
       createdAt: now,
       updatedAt: now,
     };
@@ -237,6 +242,17 @@ export class AmpServerManager extends EventEmitter<{
     child.on("close", (code) => {
       const s = this.sessions.get(threadId);
       if (s) {
+        if (s.activeTurnId) {
+          this.emitEvent(threadId, s.activeTurnId, {
+            type: "turn.completed",
+            payload: {
+              state: "failed",
+              errorMessage: `AMP process exited with code ${code}`,
+            },
+          });
+          s.activeTurnId = undefined;
+          s.activeAssistantItemId = undefined;
+        }
         s.status = "closed";
         s.updatedAt = new Date().toISOString();
         this.emitEvent(threadId, s.activeTurnId, {
@@ -252,10 +268,21 @@ export class AmpServerManager extends EventEmitter<{
     child.on("error", (error) => {
       const s = this.sessions.get(threadId);
       if (s) {
+        if (s.activeTurnId) {
+          this.emitEvent(threadId, s.activeTurnId, {
+            type: "turn.completed",
+            payload: {
+              state: "failed",
+              errorMessage: `AMP process error: ${error.message}`,
+            },
+          });
+          s.activeTurnId = undefined;
+          s.activeAssistantItemId = undefined;
+        }
         s.status = "closed";
         s.updatedAt = new Date().toISOString();
       }
-      this.emitEvent(threadId, session.activeTurnId, {
+      this.emitEvent(threadId, s?.activeTurnId, {
         type: "runtime.error",
         payload: { message: error.message, class: "transport_error" },
       });
@@ -285,6 +312,11 @@ export class AmpServerManager extends EventEmitter<{
     if (session.status === "closed") {
       throw new Error(`AMP session is closed: ${input.threadId}`);
     }
+    if (session.status === "running" || session.activeTurnId) {
+      throw new Error(
+        `AMP session ${input.threadId} already has a turn in progress (turn ${session.activeTurnId})`,
+      );
+    }
 
     const turnId = TurnId.makeUnsafe(randomUUID());
     session.activeTurnId = turnId;
@@ -419,7 +451,7 @@ export class AmpServerManager extends EventEmitter<{
       msg = JSON.parse(trimmed) as AmpJsonlMessage;
     } catch {
       // Non-JSON output — treat as raw assistant text.
-      console.warn(`[amp] Failed to parse JSONL line, treating as text: ${trimmed.slice(0, 120)}`);
+      this.logger.warn("Failed to parse JSONL line", { length: trimmed.length });
       this.emitEvent(threadId, session.activeTurnId, {
         type: "content.delta",
         payload: {
@@ -533,7 +565,8 @@ export class AmpServerManager extends EventEmitter<{
     }
 
     // For persistent sessions, a turn completes when stop_reason is "end_turn".
-    if (inner?.stop_reason === "end_turn") {
+    // Guard against duplicate turn.completed (handleResultMessage may also emit one).
+    if (inner?.stop_reason === "end_turn" && session.activeTurnId && session.status !== "ready") {
       _ampUsageAccumulator.turnCount++;
       this.closeAllSubagentTasks(threadId, session);
       this.emitEvent(threadId, session.activeTurnId, {
@@ -595,6 +628,7 @@ export class AmpServerManager extends EventEmitter<{
         // A tool use starts a new assistant message segment — clear the active item.
         session.activeAssistantItemId = undefined;
         const itemType = classifyToolName(block.name);
+        session.toolItemTypes.set(block.id, itemType);
         const itemId = RuntimeItemId.makeUnsafe(block.id);
         this.emitEvent(
           threadId,
@@ -680,13 +714,16 @@ export class AmpServerManager extends EventEmitter<{
         if (block.type === "tool_result") {
           const resultBlock = block as AmpToolResultContentBlock;
           const itemId = RuntimeItemId.makeUnsafe(resultBlock.tool_use_id);
+          const itemType =
+            session.toolItemTypes.get(resultBlock.tool_use_id) ?? "dynamic_tool_call";
+          session.toolItemTypes.delete(resultBlock.tool_use_id);
           this.emitEvent(
             threadId,
             session.activeTurnId,
             {
               type: "item.completed",
               payload: {
-                itemType: "dynamic_tool_call",
+                itemType,
                 status: resultBlock.is_error ? "failed" : "completed",
                 data: resultBlock.content,
               },
@@ -705,6 +742,10 @@ export class AmpServerManager extends EventEmitter<{
     session: AmpSession,
     msg: AmpJsonlMessage,
   ): void {
+    // Guard: only complete the turn if one is still active (handleAssistantMessage
+    // may have already completed it via stop_reason === "end_turn").
+    if (!session.activeTurnId || session.status === "ready") return;
+
     // Close all open subagent tasks before completing the turn.
     this.closeAllSubagentTasks(threadId, session);
 
 
@@ -133,14 +133,67 @@ describe("GeminiCliServerManager", () => {
         provider: "geminiCli",
         runtimeMode: "full-access",
       });
-      manager.stopSession(asThreadId("thread-1"));
+
+      // Directly mark the session as closed without removing it from the map,
+      // so we exercise the "closed session" branch (not the "unknown session" branch).
+      const sessions = (
+        manager as unknown as { sessions: Map<string, { status: string }> }
+      ).sessions;
+      const session = sessions.get("thread-1");
+      expect(session).toBeDefined();
+      session!.status = "closed";
 
       expect(() =>
         manager.sendTurn({
           threadId: asThreadId("thread-1"),
           input: "hello",
         }),
-      ).toThrow("Unknown Gemini CLI session");
+      ).toThrow("Gemini CLI session is closed");
+    });
+
+    it("rejects when session is already running", async () => {
+      const manager = new GeminiCliServerManager();
+      await manager.startSession({
+        threadId: asThreadId("thread-1"),
+        provider: "geminiCli",
+        runtimeMode: "full-access",
+      });
+
+      // Mark the session as running to simulate an in-progress turn.
+      const sessions = (
+        manager as unknown as { sessions: Map<string, { status: string }> }
+      ).sessions;
+      const session = sessions.get("thread-1");
+      expect(session).toBeDefined();
+      session!.status = "running";
+
+      expect(() =>
+        manager.sendTurn({
+          threadId: asThreadId("thread-1"),
+          input: "hello",
+        }),
+      ).toThrow("Gemini CLI session already running");
+    });
+
+    it("rejects when attachments are provided", async () => {
+      const manager = new GeminiCliServerManager();
+      try {
+        await manager.startSession({
+          threadId: asThreadId("thread-1"),
+          provider: "geminiCli",
+          runtimeMode: "full-access",
+        });
+
+        expect(() =>
+          manager.sendTurn({
+            threadId: asThreadId("thread-1"),
+            input: "hello",
+            attachments: [{ type: "image", url: "https://example.com/img.png" }] as never,
+          }),
+        ).toThrow("does not support attachments");
+      } finally {
+        manager.stopAll();
+      }
     });
   });
 
 
@@ -239,6 +239,14 @@ export class GeminiCliServerManager extends EventEmitter<{
     if (session.status === "closed") {
       throw new Error(`Gemini CLI session is closed: ${input.threadId}`);
     }
+    if (session.status === "running") {
+      throw new Error(`Gemini CLI session already running: ${input.threadId}`);
+    }
+
+    // Reject attachments — Gemini CLI doesn't support them.
+    if (input.attachments && input.attachments.length > 0) {
+      throw new Error("Gemini CLI does not support attachments");
+    }
 
     const turnId = TurnId.makeUnsafe(randomUUID());
     session.activeTurnId = turnId;
@@ -249,6 +257,9 @@ export class GeminiCliServerManager extends EventEmitter<{
 
     const prompt = input.input ?? "";
 
+    // Use per-turn model override if provided, otherwise fall back to session model.
+    const effectiveModel = input.model ?? session.model;
+
     // Build args for headless mode with stream-json output.
     const args: string[] = [
       "-p",
@@ -259,8 +270,8 @@ export class GeminiCliServerManager extends EventEmitter<{
       resolveApprovalMode(session.runtimeMode),
     ];
 
-    if (session.model) {
-      args.push("-m", session.model);
+    if (effectiveModel) {
+      args.push("-m", effectiveModel);
     }
 
     // Resume previous Gemini session for follow-up turns.
@@ -296,20 +307,21 @@ export class GeminiCliServerManager extends EventEmitter<{
 
       s.activeProcess = undefined;
 
-      // If the turn wasn't already completed by a "result" event, mark it.
+      // If the turn wasn't already completed by a "result" event, emit a terminal turn.completed.
       if (s.status === "running" && s.activeTurnId === turnId) {
         s.status = "ready";
         s.updatedAt = new Date().toISOString();
 
-        if (code !== 0) {
-          this.emitEvent(input.threadId, turnId, {
-            type: "turn.completed",
-            payload: {
-              state: "failed",
-              errorMessage: `Gemini CLI exited with code ${code}`,
-            },
-          });
-        }
+        this.emitEvent(input.threadId, turnId, {
+          type: "turn.completed",
+          payload:
+            code === 0
+              ? { state: "completed" }
+              : {
+                  state: "failed",
+                  errorMessage: `Gemini CLI exited with code ${code}`,
+                },
+        });
       }
     });