- pool --enable/--disable: refuse remote targets with manual config
guidance; resolve the lifecycle port instead of assuming 8317
- enablePoolRouting: roll back the pool flag when config regeneration
fails; already-enabled path re-runs regeneration (repairable state)
- pool opt-in prompt: gate on hasUnifiedConfig (legacy installs skip);
never auto-accept consent under --yes/CCS_YES
- order show (file mode): render selector pick order incl. residual
on-disk priorities and surface drift instead of alphabetical order
- order --reset: clear residual priority fields via management-API
PATCH when proxy runs, atomic direct write when stopped
- quota pool section: classify in-proxy 429 cooldowns as cooling with
reset times (graceful degradation when proxy or endpoint is absent);
honest paused label plus resume hint
- routing state: remote targets report pool as not manageable instead
of echoing the local flag; strategy/affinity apply warns when pool
routing overrides the change (CLI, API message, and dashboard)
- claude model-neutral: --config explicit pins survive the stale-pin
migration; remote env path filters historical default pins read from
claude.settings.json without mutating the file
- cross-lane guard: also checks account-profile CLAUDE_CONFIG_DIR lanes
for email overlap, not only the ambient ~/.claude login
- onboarding hint: opt-in copy naming ccs cliproxy pool --enable
- dashboard card: pool-ON shows drain-order pointer, pool-OFF shows the
enable command, local-only note for remote proxies (i18n x5)
- claude provider launch env no longer pins ANTHROPIC_MODEL/tier defaults;
one-shot migration strips CCS-written stale pins across all historically
shipped default generations while preserving explicit user pins
- TTY-gated once-per-install warning when a user profile named claude or
anthropic is shadowed by the built-in provider, with rename guidance
- account-safety ban messaging parameterized by provider; Anthropic
patterns gated to claude accounts only
- first-run notice that ccs claude routes through the local CLIProxy
instance
Part of #1464 account pools (phase 2).
Issue #1161. Sweeps 127 files to import from
src/config/config-loader-facade.ts instead of unified-config-loader or
utils/config-manager directly.
WRITE callers (32 files): replaced raw saveUnifiedConfig /
mutateUnifiedConfig / updateUnifiedConfig calls with the facade's
cache-coherent wrappers saveConfig / mutateConfig / updateConfig. This
fixes a latent stale-cache window where direct writes through the
underlying loader bypassed the facade's memoization.
READ callers (95 files): mechanical import-path migration only —
function names unchanged because the facade re-exports them. No
behavior change.
Also updated:
- tests/unit/utils/browser/browser-setup.test.ts (DI interface rename)
- src/management/checks/image-analysis-check.ts (dynamic import rename)
- src/web-server/health-service.ts (dynamic require rename)
- src/ccs.ts (path prefix fix from sweep script)
After sweep: zero raw write callers remain outside src/config/. Direct
imports of config-manager remain only for symbols not in the facade
(getConfigPath, getCcsDirSource, etc). Behavior unchanged; full suite
passes 1824/1824.
Out of scope: switching loadOrCreateUnifiedConfig() callers to
getCachedConfig() — needs per-callsite cache-safety analysis. Tracked
as follow-up.
Refs #1161
Phase 07 of #1162. Splits tool-sanitization + codex-reasoning proxy spawn
out of the orchestrator:
- src/cliproxy/executor/proxy-chain-builder.ts (185 LOC):
buildProxyChain + ProxyChainContext / ProxyChainResult types.
DI escape hatch (_ToolSanitizationProxy / _CodexReasoningProxy) for
testability without refactoring the proxy classes (Bun module cache
blocks mock.module of already-loaded modules).
- 9 unit tests covering codex-only, tool-san only, both-together,
spawn failure swallowing, env propagation.
index.ts: 716 -> 665 LOC (-51). HTTPS tunnel kept inline because
tunnelPort is needed by image-analysis resolution before first-pass
buildClaudeEnvironment — folding it in would also require moving image
analysis. Two-pass buildClaudeEnvironment dance preserved exactly.
Behavior unchanged; full suite passes 1824/1824.
Refs #1162
Phase 06 of #1162. Splits the largest remaining concern out of the
orchestrator into a focused module:
- src/cliproxy/executor/auth-coordinator.ts (397 LOC):
handleLogout, handleImport, resolveSkipLocalAuth, runAntigravityGate,
ensureProviderAuthentication, runPreflightQuotaCheck,
runAccountSafetyGuards, ensureModelConfiguration,
ensureProviderSettingsFile. Preserves load-bearing ordering of
antigravity gate -> auth -> token refresh -> quota check.
- 36 unit tests covering --auth/--logout/--import early exit,
antigravity gate refusal/acceptance, OAuth trigger paths, composite
providers, remote-proxy skipLocalAuth.
index.ts: 895 -> 716 LOC (-179). Behavior unchanged; full suite passes
1824/1824. Module is 397 LOC (over the <200 ideal) — kept whole because
the auth ordering contract should not be split across files.
Refs #1162
Phases 04+05 of #1162. Splits two more concerns out of the orchestrator:
- src/cliproxy/executor/browser-launch-setup.ts (118 LOC):
resolveBrowserLaunchFlags + resolveBrowserRuntime. Encapsulates browser
flag resolution, attach config, blocked-override warning, and runtime
setup including MCP sync.
- src/cliproxy/executor/account-resolution.ts (197 LOC):
resolveRuntimeQuotaMonitorProviders, resolveAccounts (--accounts /
--use / --nickname / OAuth ban-risk warn / default touch),
applyAccountSafetyGuards, touchDefaultAccount.
- New tests: 184 + 430 LOC covering both modules.
index.ts: 1045 -> 895 LOC (-150). resolveRuntimeQuotaMonitorProviders
re-exported from index.ts for __testExports backwards compat. Behavior
unchanged; full suite passes 1824/1824.
Refs #1162
Phase 03 of #1162. Splits proxy + binary resolution out of the orchestrator
into a focused module:
- src/cliproxy/executor/proxy-resolver.ts (196 LOC):
ResolvedProxy + ResolveExecutorProxyContext interfaces, resolveExecutorProxy
function. Encapsulates proxy config resolution, port mutation, remote
reachability check, fallback prompt, local backend selection, and
binary acquisition.
- src/cliproxy/executor/__tests__/proxy-resolver.test.ts: 10 unit tests
covering local/remote/fallback paths.
index.ts: 1168 -> 1045 LOC (-123). Removes 9 now-unused imports. Browser
flag handling intentionally left in index.ts for Phase 04. Behavior
unchanged; full suite passes 1824/1824.
Refs #1162
Phases 01+02 of #1162. Splits executor flag parsing/validation out of the
1428-LOC orchestrator into a focused module:
New files:
- src/cliproxy/executor/arg-parser.ts (~500 LOC):
readOptionValue, hasGitLabTokenLoginFlag, getGitLabTokenLoginFlagName,
CCS_FLAGS + filterCcsFlags, ParsedExecutorFlags + parseExecutorFlags,
validateFlagCombinations (process.exit semantics preserved for parity).
- src/cliproxy/executor/__tests__/arg-parser.test.ts: 45 unit tests.
- src/cliproxy/executor/__tests__/index-characterization.test.ts:
TDD baseline (16 pass + 7 skipped scenarios at the spawn/dynamic-import
boundary; mock simplification deferred to a follow-up phase).
index.ts: 1428 -> 1175 LOC (-253). Re-exports preserved at module bottom
for backwards compatibility. Behavior unchanged; full test suite passes
(1824/1824).
Refs #1162
Use ComSpec-aware shell selection for escaped wrapper launches.
Apply it to the remaining Windows Claude launch paths.
Rewrite the Codex exec regression test to use scoped spies so the full suite stays isolated.
- skip managed Claude browser attach when the default CCS browser profile
directory has not been created yet
- keep explicit env override flows failing fast so real misconfiguration still
surfaces clearly
- add regression coverage for default and settings-profile launches
- skip CLIProxy auto-update checks on runtime bootstrap paths
- fail fast when local startup needs a missing binary instead of attempting installs
- add regression coverage for dashboard limited mode and startup test isolation
- keep headless paste routing aligned with the selected Kiro auth method
- validate local callback replay targets and add prompt cancellation safeguards
- wire IDC params through the dashboard start route and support equals-form CLI flags
- auto-select Builder ID for the default Kiro AWS auth flow
- support IDC auth flags and callback-based Kiro paste replay
- update regression coverage for Kiro auth routing
- keep Codex team and personal auth files as separate identities
- resolve quota and live monitor stats by token file-backed account id
- surface duplicate-aware account labels across the dashboard and variant UI
- add safer error responses for settings/auth routes to avoid leaking internals
- guard sensitive AGY settings endpoints to localhost when dashboard auth is off
- validate start-route bodies and reject OAuth start in remote mode for consistency
- preserve cliproxy.kiro_no_incognito and token_refresh during config merges
- enforce AGY acknowledgement in remote auth-token run/auth command paths