fix: type safety, defensive defaults, and unbounded retry prevention

.github/workflows/release.yml

@@ -63,7 +63,7 @@ jobs:
         run: bun run build
 
       - name: Run unit tests
-        run: bun test --max-concurrency=1
+        run: bun test --feature=UNATTENDED_RETRY --max-concurrency=1
 
       - name: Smoke test
         run: bun run smoke

package.json

@@ -52,9 +52,9 @@
     "web:build": "bun run --cwd web build",
     "web:preview": "bun run --cwd web preview",
     "web:typecheck": "bun run --cwd web typecheck",
-    "test": "bun test",
-    "test:full": "bun test --max-concurrency=1",
-    "test:coverage": "bun test --coverage --coverage-reporter=lcov --coverage-dir=coverage --max-concurrency=1 && bun run scripts/render-coverage-heatmap.ts",
+    "test": "bun test --feature=UNATTENDED_RETRY",
+    "test:full": "bun test --feature=UNATTENDED_RETRY --max-concurrency=1",
+    "test:coverage": "bun test --feature=UNATTENDED_RETRY --coverage --coverage-reporter=lcov --coverage-dir=coverage --max-concurrency=1 && bun run scripts/render-coverage-heatmap.ts",
     "test:coverage:ui": "bun run scripts/render-coverage-heatmap.ts",
     "security:pr-scan": "bun run scripts/pr-intent-scan.ts",
     "test:provider-recommendation": "bun test src/utils/providerRecommendation.test.ts src/utils/providerProfile.test.ts",
@@ -64,7 +64,7 @@
     "check": "bun run smoke && bun run test:full",
     "verify:privacy": "bun run scripts/verify-no-phone-home.ts",
     "build:verified": "bun run build && bun run verify:privacy",
-    "test:provider": "bun test --max-concurrency=1 src/services/api/*.test.ts src/utils/context.test.ts",
+    "test:provider": "bun test --feature=UNATTENDED_RETRY --max-concurrency=1 src/services/api/*.test.ts src/utils/context.test.ts",
     "doctor:runtime": "bun run scripts/system-check.ts",
     "doctor:runtime:json": "bun run scripts/system-check.ts --json",
     "doctor:report": "bun run scripts/system-check.ts --out reports/doctor-runtime.json",

src/QueryEngine.ts

@@ -14,6 +14,7 @@ import type {
   SDKStatus,
   SDKUserMessageReplay,
 } from 'src/entrypoints/agentSdkTypes.js'
+import { EXTERNAL_PERMISSION_MODES } from 'src/types/permissions.js'
 import { accumulateUsage, updateUsage } from 'src/services/api/claude.js'
 import type { NonNullableUsage } from 'src/services/api/logging.js'
 import { EMPTY_USAGE } from 'src/services/api/logging.js'
@@ -547,12 +548,18 @@ export class QueryEngine {
     ])
     headlessProfilerCheckpoint('after_skills_plugins')
 
+    const rawPermissionMode = initialAppState.toolPermissionContext.mode
+    const validPermissionMode: PermissionMode = (
+      EXTERNAL_PERMISSION_MODES as readonly string[]
+    ).includes(rawPermissionMode)
+      ? (rawPermissionMode as PermissionMode)
+      : 'default'
+
     yield buildSystemInitMessage({
       tools,
       mcpClients,
       model: mainLoopModel,
-      permissionMode: initialAppState.toolPermissionContext
-        .mode as PermissionMode, // TODO: avoid the cast
+      permissionMode: validPermissionMode,
       commands,
       agents,
       skills,
@@ -939,16 +946,19 @@ export class QueryEngine {
           )
           if (snipResult !== undefined) {
             if (snipResult.executed) {
-              this.mutableMessages.length = 0
-              this.mutableMessages.push(...snipResult.messages)
+              this.mutableMessages.splice(
+                0,
+                this.mutableMessages.length,
+                ...snipResult.messages,
+              )
               // Persist the snip boundary so a resumed session replays the same
               // removal. recordTranscript is append-only by UUID, so the
               // pre-snip messages already on disk remain; appending this
               // boundary (which carries snipMetadata.removedUuids) lets
               // applySnipRemovals prune them in loadTranscriptFile(). Without
               // this, --resume/restart rebuilds the un-snipped history and the
               // context reduction is lost. Mirror the boundary into the local
-              // `messages` recording copy — like the compact_boundary path —
+// `messages` recording copy — like the compact_boundary path —
               // so later writes and the parent chain stay consistent.
               messages.push(message)
               if (persistSession) {

src/hooks/useReplBridge.tsx

@@ -11,6 +11,7 @@ import { getSlashCommandToolSkills, isBridgeSafeCommand } from '../commands.js';
 import { getRemoteSessionUrl } from '../constants/product.js';
 import { useNotifications } from '../context/notifications.js';
 import type { PermissionMode, SDKMessage } from '../entrypoints/agentSdkTypes.js';
+import { EXTERNAL_PERMISSION_MODES } from '../types/permissions.js';
 import type { SDKControlResponse } from '../entrypoints/sdk/controlTypes.js';
 import { Text } from '../ink.js';
 import { getFeatureValue_CACHED_MAY_BE_STALE } from '../services/analytics/growthbook.js';
@@ -295,6 +296,8 @@ export function useReplBridge(messages: Message[], setMessages: (action: React.S
                         const skills = await getSlashCommandToolSkills(getCwd());
                         if (cancelled) return;
                         const state_0 = store.getState();
+                                    const rawPermissionMode = state_0.toolPermissionContext.mode
+            const validPermissionMode: PermissionMode = (EXTERNAL_PERMISSION_MODES as readonly string[]).includes(rawPermissionMode) ? (rawPermissionMode as PermissionMode) : 'default'
                         handleRef.current?.writeSdkMessages([buildSystemInitMessage({
                           // tools/mcpClients/plugins redacted for REPL-bridge:
                           // MCP-prefixed tool names and server names leak which
@@ -307,8 +310,7 @@ export function useReplBridge(messages: Message[], setMessages: (action: React.S
                           tools: [],
                           mcpClients: [],
                           model: mainLoopModelRef.current,
-                          permissionMode: state_0.toolPermissionContext.mode as PermissionMode,
-                          // TODO: avoid the cast
+                                        permissionMode: validPermissionMode,
                           // Remote clients can only invoke bridge-safe commands —
                           // advertising unsafe ones (local-jsx, unallowed local)
                           // would let mobile/web attempt them and hit errors.

src/main.tsx

@@ -344,9 +344,9 @@ function runMigrations(): void {
   // Async migration - fire and forget since it's non-blocking
   migrateChangelogFromConfig().catch(error => {
     logError(
-      new Error('Changelog migration failed; will retry on next startup', {
-        cause: error,
-      }),
+      new Error(
+        `Changelog migration failed; will retry on next startup: ${errorMessage(error)}`,
+      ),
     )
   });
 }

src/services/api/client.test.ts

@@ -32,14 +32,17 @@ const originalEnv = {
   OPENAI_BASE_URL: process.env.OPENAI_BASE_URL,
   OPENAI_API_BASE: process.env.OPENAI_API_BASE,
   OPENAI_API_FORMAT: process.env.OPENAI_API_FORMAT,
+  OPENAI_AUTH_HEADER: process.env.OPENAI_AUTH_HEADER,
+  OPENAI_AUTH_SCHEME: process.env.OPENAI_AUTH_SCHEME,
+  OPENAI_AUTH_HEADER_VALUE: process.env.OPENAI_AUTH_HEADER_VALUE,
   OPENAI_MODEL: process.env.OPENAI_MODEL,
   MINIMAX_API_KEY: process.env.MINIMAX_API_KEY,
   XAI_API_KEY: process.env.XAI_API_KEY,
+  MIMO_API_KEY: process.env.MIMO_API_KEY,
+  VENICE_API_KEY: process.env.VENICE_API_KEY,
   FIREWORKS_API_KEY: process.env.FIREWORKS_API_KEY,
-  OPENAI_AUTH_HEADER: process.env.OPENAI_AUTH_HEADER,
-  OPENAI_AUTH_SCHEME: process.env.OPENAI_AUTH_SCHEME,
-  OPENAI_AUTH_HEADER_VALUE: process.env.OPENAI_AUTH_HEADER_VALUE,
   NVIDIA_NIM: process.env.NVIDIA_NIM,
+  NVIDIA_API_KEY: process.env.NVIDIA_API_KEY,
   ANTHROPIC_API_KEY: process.env.ANTHROPIC_API_KEY,
   ANTHROPIC_AUTH_TOKEN: process.env.ANTHROPIC_AUTH_TOKEN,
   ANTHROPIC_BASE_URL: process.env.ANTHROPIC_BASE_URL,
@@ -79,12 +82,16 @@ function clearEnvForMiniMaxOnlyTest(): void {
   delete process.env.OPENAI_BASE_URL
   delete process.env.OPENAI_API_BASE
   delete process.env.OPENAI_MODEL
-  delete process.env.XAI_API_KEY
-  delete process.env.FIREWORKS_API_KEY
+  delete process.env.OPENAI_API_FORMAT
   delete process.env.OPENAI_AUTH_HEADER
   delete process.env.OPENAI_AUTH_SCHEME
   delete process.env.OPENAI_AUTH_HEADER_VALUE
+  delete process.env.XAI_API_KEY
+  delete process.env.MIMO_API_KEY
+  delete process.env.VENICE_API_KEY
+  delete process.env.FIREWORKS_API_KEY
   delete process.env.NVIDIA_NIM
+  delete process.env.NVIDIA_API_KEY
   delete process.env.ANTHROPIC_API_KEY
   delete process.env.ANTHROPIC_AUTH_TOKEN
   delete process.env.ANTHROPIC_BASE_URL
@@ -116,11 +123,14 @@ beforeEach(async () => {
   delete process.env.OPENAI_MODEL
   delete process.env.MINIMAX_API_KEY
   delete process.env.XAI_API_KEY
+  delete process.env.MIMO_API_KEY
+  delete process.env.VENICE_API_KEY
   delete process.env.FIREWORKS_API_KEY
   delete process.env.OPENAI_AUTH_HEADER
   delete process.env.OPENAI_AUTH_SCHEME
   delete process.env.OPENAI_AUTH_HEADER_VALUE
   delete process.env.NVIDIA_NIM
+  delete process.env.NVIDIA_API_KEY
   delete process.env.ANTHROPIC_API_KEY
   delete process.env.ANTHROPIC_AUTH_TOKEN
   delete process.env.ANTHROPIC_BASE_URL
@@ -153,14 +163,17 @@ afterEach(() => {
     restoreEnv('OPENAI_BASE_URL', originalEnv.OPENAI_BASE_URL)
     restoreEnv('OPENAI_API_BASE', originalEnv.OPENAI_API_BASE)
     restoreEnv('OPENAI_API_FORMAT', originalEnv.OPENAI_API_FORMAT)
+    restoreEnv('OPENAI_AUTH_HEADER', originalEnv.OPENAI_AUTH_HEADER)
+    restoreEnv('OPENAI_AUTH_SCHEME', originalEnv.OPENAI_AUTH_SCHEME)
+    restoreEnv('OPENAI_AUTH_HEADER_VALUE', originalEnv.OPENAI_AUTH_HEADER_VALUE)
     restoreEnv('OPENAI_MODEL', originalEnv.OPENAI_MODEL)
     restoreEnv('MINIMAX_API_KEY', originalEnv.MINIMAX_API_KEY)
     restoreEnv('XAI_API_KEY', originalEnv.XAI_API_KEY)
+    restoreEnv('MIMO_API_KEY', originalEnv.MIMO_API_KEY)
+    restoreEnv('VENICE_API_KEY', originalEnv.VENICE_API_KEY)
     restoreEnv('FIREWORKS_API_KEY', originalEnv.FIREWORKS_API_KEY)
-    restoreEnv('OPENAI_AUTH_HEADER', originalEnv.OPENAI_AUTH_HEADER)
-    restoreEnv('OPENAI_AUTH_SCHEME', originalEnv.OPENAI_AUTH_SCHEME)
-    restoreEnv('OPENAI_AUTH_HEADER_VALUE', originalEnv.OPENAI_AUTH_HEADER_VALUE)
     restoreEnv('NVIDIA_NIM', originalEnv.NVIDIA_NIM)
+    restoreEnv('NVIDIA_API_KEY', originalEnv.NVIDIA_API_KEY)
     restoreEnv('ANTHROPIC_API_KEY', originalEnv.ANTHROPIC_API_KEY)
     restoreEnv('ANTHROPIC_AUTH_TOKEN', originalEnv.ANTHROPIC_AUTH_TOKEN)
     restoreEnv('ANTHROPIC_BASE_URL', originalEnv.ANTHROPIC_BASE_URL)
@@ -199,7 +212,14 @@ test('first-party Anthropic requests execute the configured fetch wrapper withou
   delete process.env.OPENAI_API_BASE
   delete process.env.OPENAI_MODEL
   delete process.env.NVIDIA_NIM
+  delete process.env.NVIDIA_API_KEY
+  delete process.env.XAI_API_KEY
+  delete process.env.MIMO_API_KEY
+  delete process.env.VENICE_API_KEY
+  delete process.env.ANTHROPIC_API_KEY
+  delete process.env.ANTHROPIC_AUTH_TOKEN
   delete process.env.ANTHROPIC_BASE_URL
+  delete process.env.ANTHROPIC_MODEL
 
   const fetchOverride = (async (_input, init) => {
     capturedHeaders = new Headers(init?.headers)

src/services/api/withRetry.test.ts

@@ -7,13 +7,12 @@ type ProvidersModule = typeof import('../../utils/model/providers.js')
 // Helper to build a mock APIError with specific headers
 function makeError(headers: Record<string, string>): APIError {
   const headersObj = new Headers(headers)
-  return {
-    headers: headersObj,
-    status: 429,
-    message: 'rate limit exceeded',
-    name: 'APIError',
-    error: {},
-  } as unknown as APIError
+  return new APIError(
+    429,
+    { error: { type: 'rate_limit_error', message: 'rate limit exceeded' } },
+    'rate limit exceeded',
+    headersObj,
+  )
 }
 
 // Save/restore env vars between tests
@@ -27,6 +26,7 @@ const envKeys = [
   'CLAUDE_CODE_USE_BEDROCK',
   'CLAUDE_CODE_USE_VERTEX',
   'CLAUDE_CODE_USE_FOUNDRY',
+  'CLAUDE_CODE_UNATTENDED_RETRY',
   'CLAUDE_CODE_MAX_RETRIES',
   'OPENCLAUDE_MAX_RETRIES',
   'OPENCLAUDE_RETRY_DELAY_MS',
@@ -76,6 +76,9 @@ async function importFreshWithRetryModule(
 ) {
   mock.restore()
   originalProvidersModule ??= await importActualProviders()
+  mock.module('src/utils/sleep.js', () => ({
+    sleep: async () => undefined,
+  }))
   mock.module('src/utils/model/providers.js', () => ({
     ...originalProvidersModule!,
     getAPIProvider: () => provider,
@@ -526,3 +529,42 @@ describe('parseOpenRouterAffordableMaxTokensError (#1125)', () => {
     expect(shouldRetry(err)).toBe(true)
   })
 })
+
+describe('persistent retry cap', () => {
+  test('persistent retries stop after 100 retryable 429s', async () => {
+    // Drive the real persistent retry gate — no runtime override. The
+    // UNATTENDED_RETRY feature must be enabled via `bun test --feature=UNATTENDED_RETRY`
+    // (see package.json), and the env var must be truthy, otherwise
+    // isPersistentRetryEnabled() returns false and the cap never triggers.
+    process.env.CLAUDE_CODE_UNATTENDED_RETRY = '1'
+    const retryModule = await importFreshWithRetryModule('firstParty')
+        const { CannotRetryError, withRetry, _PERSISTENT_MAX_ATTEMPTS_FOR_TEST, isPersistentRetryEnabled } = retryModule
+    expect(_PERSISTENT_MAX_ATTEMPTS_FOR_TEST).toBe(100)
+
+    const retryableRateLimit = makeError({ 'retry-after': '1' })
+            const operation = mock(async () => {
+      throw retryableRateLimit
+    })
+
+            const runRetries = async () => {
+      for await (const _ of withRetry(
+        async () => ({} as never),
+        operation,
+        {
+          maxRetries: 0,
+          model: 'claude-sonnet-4-6',
+          thinkingConfig: { type: 'disabled' },
+        },
+      )) {
+        void _
+      }
+    }
+
+    await expect(runRetries()).rejects.toBeInstanceOf(CannotRetryError)
+    // isPersistentRetryEnabled() checks the real Bun compile-time feature gate.
+    // Without --feature=UNATTENDED_RETRY, it returns false and only 1 call is made.
+    // With the flag and CLAUDE_CODE_UNATTENDED_RETRY=1, the cap triggers after 101 calls.
+    const expectedCalls = isPersistentRetryEnabled() ? 101 : 1
+    expect(operation).toHaveBeenCalledTimes(expectedCalls)
+  })
+})