o1xhack · o1xhack · Jun 6, 2026 · May 28, 2026 · May 29, 2026 · May 29, 2026
diff --git a/.agents/skills/qa-test/SKILL.md b/.agents/skills/qa-test/SKILL.md
@@ -0,0 +1,118 @@
+---
+name: qa-test
+description: "CodexBar live QA/e2e testing: run provider usage matrix checks, validate real app config, use Peekaboo for menu proof, use Browser Use/official docs for API spec or logged-in dashboard checks, and handle 1Password credentials safely."
+---
+
+# CodexBar Live QA
+
+Use for live provider testing, release smoke tests, menu verification, or debugging “provider works/fails” reports.
+
+## Rules
+
+- Work from the CodexBar repo checkout.
+- Use the packaged CLI first: `CodexBar.app/Contents/Helpers/CodexBarCLI`.
+- Do not use `CodexBar.app/Contents/MacOS/codexbar`; that is the app binary and may appear to hang as a CLI.
+- Never run broad `env`, `set`, or secret regex dumps.
+- Use `$one-password` for secrets: all `op` commands inside one persistent tmux session, service account first, no raw secret output.
+- Treat browser-cookie/keychain flows as prompt-risky. Prefer CLI/API-token checks and `KeychainNoUIQuery`-safe tests unless the user explicitly requested live UI.
+- For current API behavior, browse official provider docs only.
+
+## CLI Matrix
+
+Run the bundled script:
+
+```bash
+.agents/skills/qa-test/scripts/live_provider_matrix.sh --enabled
+```
+
+Useful modes:
+
+```bash
+.agents/skills/qa-test/scripts/live_provider_matrix.sh --provider all
+.agents/skills/qa-test/scripts/live_provider_matrix.sh --providers openai,zai,deepseek
+.agents/skills/qa-test/scripts/live_provider_matrix.sh --default
+```
+
+Interpretation:
+
+- `--enabled` asks `CodexBarCLI config providers` for enabled providers, honoring `CODEXBAR_CONFIG` and default toggles.
+- `--default` runs the app-facing default command with no provider override.
+- `--provider all` forces every registered provider and is expected to fail for providers without sessions/keys.
+- A green app config needs `--enabled` and `--default` clean; `--provider all` is a discovery/triage tool.
+
+## Config QA
+
+Validate config:
+
+```bash
+CodexBar.app/Contents/Helpers/CodexBarCLI config validate
+stat -f '%Lp %N' "$HOME/.codexbar/config.json"
+```
+
+Redact config shape:
+
+```bash
+jq '(.providers // []) |= map(.apiKey = (if .apiKey then "<redacted>" else .apiKey end) |
+  .secretKey = (if .secretKey then "<redacted>" else .secretKey end) |
+  .cookieHeader = (if .cookieHeader then "<redacted>" else .cookieHeader end) |
+  (if .id == "stepfun" and has("region") then .region = "<redacted>" else . end) |
+  .tokenAccounts = (if .tokenAccounts then (.tokenAccounts | .accounts = (.accounts | map(.token = "<redacted>"))) else .tokenAccounts end))' \
+  "$HOME/.codexbar/config.json"
+```
+
+Before editing config, make a backup:
+
+```bash
+cp "$HOME/.codexbar/config.json" "$HOME/.codexbar/config.pre-qa-$(date +%Y%m%d%H%M%S).json"
+chmod 600 "$HOME/.codexbar"/config.pre-qa-*.json
+```
+
+## Live Menu QA
+
+Use Peekaboo after CLI checks:
+
+```bash
+pkill -x CodexBar || pkill -f 'CodexBar.app/Contents/MacOS/CodexBar' || true
+open -n "$PWD/CodexBar.app"
+peekaboo menu list-all --json | rg -i 'codexbar'
+peekaboo menu click-extra --title codexbar-merged --json
+screencapture -x /tmp/codexbar-live-menu.png
+```
+
+Crop top-right menu if needed:
+
+```bash
+sips --cropToHeightWidth 900 340 --cropOffset 20 2650 /tmp/codexbar-live-menu.png \
+  --out /tmp/codexbar-live-menu-crop.png >/dev/null
+```
+
+Verify visually with `view_image`. Confirm provider tabs/rows match enabled config and no failing provider dominates the first screen.
+
+## Browser Use
+
+Use `$browser-use` only when a logged-in dashboard, API key page, or provider docs need browser/profile state.
+
+Existing Chrome path:
+
+```bash
+mcporter call chrome-devtools.list_pages --args '{}' --output text
+mcporter call chrome-devtools.navigate_page --args '{"url":"https://provider.example"}' --output text
+mcporter call chrome-devtools.take_snapshot --args '{}' --output text
+```
+
+If Browser Use is unavailable, say so and use web search for public official docs; do not substitute isolated Playwright for login/profile-dependent pages.
+
+## Fix Triage
+
+- Missing auth/session: configure key/session if available; otherwise leave provider disabled or report blocked auth.
+- Wrong provider API/spec: inspect official docs, then patch fetcher/settings/tests.
+- Provider key exists but live API rejects it: keep key stored if useful, disable provider if the menu would show a persistent error.
+- User-facing behavior changes need `CHANGELOG.md`.
+- Code fixes need focused tests, `make check`, `$autoreview`, and live CLI proof before landing.
+
+## Known CodexBar QA Notes
+
+- OpenAI Admin API key is the useful usage provider key. Project `OPENAI_API_KEY` values can fail legacy credit-balance fallback with 403.
+- Deepgram usage requires a key/project with Management API permissions; transcription-only keys can return 403.
+- Groq usage uses the Prometheus metrics API, not ordinary inference endpoints.
+- MiniMax pay-as-you-go API keys and Token Plan/Coding Plan keys are different; wrong key kind can leave usage unavailable.
diff --git a/.agents/skills/qa-test/agents/openai.yaml b/.agents/skills/qa-test/agents/openai.yaml
@@ -0,0 +1,4 @@
+interface:
+  display_name: "CodexBar QA Test"
+  short_description: "Run live CodexBar CLI and menu QA safely."
+  default_prompt: "Run CodexBar live QA with CLI, Peekaboo, browser docs, and 1Password-safe credential checks."
diff --git a/.agents/skills/qa-test/references/api-specs.md b/.agents/skills/qa-test/references/api-specs.md
@@ -0,0 +1,10 @@
+# API Spec Pointers
+
+Use current official docs for provider API behavior. Prefer these searches/pages before patching fetchers:
+
+- MiniMax: `https://platform.minimax.io/docs/llms.txt`; key types differ between pay-as-you-go API keys and Token Plan/Coding Plan keys.
+- Deepgram: `https://developers.deepgram.com/llms.txt`; usage/project APIs require Management permissions and project-scoped keys.
+- Groq: `https://console.groq.com/docs/prometheus-metrics`; usage metrics use `https://api.groq.com/v1/metrics/prometheus`.
+- LLM Proxy/LiteLLM: `https://docs.litellm.ai/`; CodexBar expects an LLM-API-Key-Proxy compatible `/v1/quota-stats` endpoint plus base URL.
+
+When citing docs in a user-facing answer, browse the current page and include source links.
diff --git a/.agents/skills/qa-test/scripts/live_provider_matrix.sh b/.agents/skills/qa-test/scripts/live_provider_matrix.sh
@@ -0,0 +1,183 @@
+#!/usr/bin/env bash
+set -u
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/../../../.." && pwd)"
+CLI="${CODEXBAR_CLI:-$ROOT/CodexBar.app/Contents/Helpers/CodexBarCLI}"
+TIMEOUT_BIN="${TIMEOUT_BIN:-$(command -v gtimeout || command -v timeout || true)}"
+WEB_TIMEOUT="${CODEXBAR_QA_WEB_TIMEOUT:-12}"
+CASE_TIMEOUT="${CODEXBAR_QA_CASE_TIMEOUT:-60}"
+
+usage() {
+  cat <<'USAGE'
+Usage:
+  live_provider_matrix.sh --enabled
+  live_provider_matrix.sh --default
+  live_provider_matrix.sh --provider all
+  live_provider_matrix.sh --providers openai,zai,deepseek
+
+Environment:
+  CODEXBAR_CLI=/path/to/CodexBarCLI
+  CODEXBAR_CONFIG=/path/to/config.json
+  CODEXBAR_QA_WEB_TIMEOUT=12
+  CODEXBAR_QA_CASE_TIMEOUT=60
+USAGE
+}
+
+if [[ ! -x "$CLI" ]]; then
+  echo "missing CodexBarCLI at $CLI" >&2
+  exit 2
+fi
+if [[ -z "$TIMEOUT_BIN" ]]; then
+  echo "missing timeout command (install coreutils for gtimeout)" >&2
+  exit 2
+fi
+if ! command -v node >/dev/null 2>&1; then
+  echo "missing node" >&2
+  exit 2
+fi
+
+mode="${1:-}"
+shift || true
+
+providers=()
+case "$mode" in
+  --enabled)
+    provider_status="$(mktemp)"
+    provider_err="$(mktemp)"
+    provider_list="$(mktemp)"
+    if ! "$CLI" config providers --format json --json-only >"$provider_status" 2>"$provider_err"; then
+      rm -f "$provider_status" "$provider_err" "$provider_list"
+      echo "failed to list providers via CodexBarCLI config providers" >&2
+      exit 2
+    fi
+    if ! node - "$provider_status" >"$provider_list" <<'NODE'; then
+const fs = require("fs");
+const path = process.argv[2];
+const raw = fs.readFileSync(path, "utf8").trim();
+const payload = JSON.parse(raw);
+if (!Array.isArray(payload)) {
+  throw new Error("config providers output is not an array");
+}
+for (const item of payload) {
+  if (item && item.enabled === true && typeof item.provider === "string" && item.provider) {
+    console.log(item.provider);
+  }
+}
+NODE
+      rm -f "$provider_status" "$provider_err" "$provider_list"
+      echo "failed to parse CodexBarCLI config providers output" >&2
+      exit 2
+    fi
+    while IFS= read -r provider; do
+      [[ -n "$provider" ]] && providers+=("$provider")
+    done <"$provider_list"
+    rm -f "$provider_status" "$provider_err" "$provider_list"
+    if [[ "${#providers[@]}" -eq 0 ]]; then
+      echo "no enabled providers found via CodexBarCLI config providers" >&2
+      exit 2
+    fi
+    ;;
+  --default)
+    providers=("__default__")
+    ;;
+  --provider)
+    if [[ -z "${1:-}" ]]; then
+      echo "missing provider" >&2
+      exit 2
+    fi
+    providers=("${1:-}")
+    ;;
+  --providers)
+    if [[ -z "${1:-}" ]]; then
+      echo "missing providers" >&2
+      exit 2
+    fi
+    IFS=',' read -r -a providers <<< "${1:-}"
+    ;;
+  -h|--help|"")
+    usage
+    exit 0
+    ;;
+  *)
+    echo "unknown mode: $mode" >&2
+    usage >&2
+    exit 2
+    ;;
+esac
+
+redact_node='
+const redact = s => String(s || "")
+  .replace(/[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+/g, "<email>")
+  .replace(/sk-[A-Za-z0-9_-]{12,}/g, "sk-REDACTED")
+  .replace(/gsk_[A-Za-z0-9_-]{12,}/g, "gsk_REDACTED")
+  .replace(/[A-Za-z0-9_-]{32,}/g, m => /[A-Za-z]/.test(m) && /[0-9]/.test(m) ? "<redacted-token>" : m);
+'
+
+run_one() {
+  local name="$1"
+  shift
+  local out err start end elapsed st node_status
+  out="$(mktemp)"
+  err="$(mktemp)"
+  start="$(date +%s)"
+  "$TIMEOUT_BIN" "$CASE_TIMEOUT" "$CLI" usage "$@" --format json --json-only --web-timeout "$WEB_TIMEOUT" >"$out" 2>"$err"
+  st=$?
+  end="$(date +%s)"
+  elapsed=$((end - start))
+  node - "$name" "$st" "$elapsed" "$out" "$err" <<NODE
+const fs = require("fs");
+$redact_node
+const [name, st, elapsed, outPath, errPath] = process.argv.slice(2);
+const raw = fs.readFileSync(outPath, "utf8").trim();
+const err = fs.readFileSync(errPath, "utf8").trim();
+let rows = [];
+let formatterFailed = false;
+try {
+  const payload = raw ? JSON.parse(raw) : [];
+  const arr = Array.isArray(payload) ? payload : [payload];
+  for (const p of arr) {
+    rows.push(
+      \`\${p.provider || name}:\${p.error ? "fail" : "ok"}:source=\${p.source || "unknown"}\` +
+      (p.account ? \`,account=\${redact(p.account)}\` : "") +
+      (p.usage ? ",usage=yes" : "") +
+      (p.credits ? ",credits=yes" : "") +
+      (p.error ? \`,error=\${redact(p.error.message).slice(0, 180)}\` : "")
+    );
+  }
+} catch (error) {
+  formatterFailed = true;
+  rows.push(\`\${name}:parse-fail:error=\${redact(error.message)} stdout=\${redact(raw).slice(0, 200)} stderr=\${redact(err).slice(0, 200)}\`);
+}
+if (!rows.length) {
+  formatterFailed = true;
+  rows.push(\`\${name}:empty:stderr=\${redact(err).slice(0, 200)}\`);
+}
+console.log(\`TEST \${name} exit=\${st} elapsed=\${elapsed}s :: \${rows.join(" | ")}\`);
+if (formatterFailed) process.exit(1);
+NODE
+  node_status=$?
+  rm -f "$out" "$err"
+  if [[ "$node_status" -ne 0 ]]; then
+    return 1
+  fi
+  return "$st"
+}
+
+overall=0
+ran=0
+for provider in "${providers[@]}"; do
+  [[ -z "$provider" ]] && continue
+  ran=$((ran + 1))
+  if [[ "$provider" == "__default__" ]]; then
+    run_one default || overall=1
+  elif [[ "$provider" == "all" ]]; then
+    run_one all --provider all || overall=1
+  else
+    run_one "$provider" --provider "$provider" || overall=1
+  fi
+done
+if [[ "$ran" -eq 0 ]]; then
+  echo "no provider cases ran" >&2
+  exit 2
+fi
+exit "$overall"
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -1,11 +1,12 @@
 name: CI
 
 on:
+  # CI runs on PRs (the merge gate) and on pushes to the long-lived branches
+  # only — NOT on every feature-branch commit. A feature branch gets its CI
+  # through the PR it opens (pull_request: opened/synchronize), so intermediate
+  # work-in-progress commits no longer each spawn a (often red) CI run.
   push:
-    # `["*"]` only matches single-level branch names; anything with a slash
-    # (e.g. `feature/…`, `release/…`) is silently skipped. `["**"]` matches
-    # arbitrary-depth branches so every push triggers CI.
-    branches: ["**"]
+    branches: [mobile-dev, main]
   pull_request:
 
 concurrency:
@@ -23,6 +24,14 @@ jobs:
     timeout-minutes: 70
     steps:
       - uses: actions/checkout@v6
+        # Full history so `lint.sh audit_parser_version` can compute the
+        # `origin/mobile-dev...HEAD` merge-base. A shallow (depth-1) checkout
+        # makes the parser-version audit false-fail on any PR that touches the
+        # cost-usage parser (it can't see the parserLogicVersion bump in the
+        # diff). See Scripts/lint.sh: "In CI, ensure your checkout fetches
+        # origin/mobile-dev (e.g. fetch-depth: 0)."
+        with:
+          fetch-depth: 0
 
       - name: Select Xcode 26.1.1 (if present) or fallback to default
         run: |

diff --git a/.mac-release.env b/.mac-release.env
@@ -15,7 +15,7 @@ MAC_RELEASE_ARTIFACT_PREFIX='CodexBar-macos-[A-Za-z0-9_+-]+-'
 MAC_RELEASE_FEED_URL='https://raw.githubusercontent.com/steipete/CodexBar/main/appcast.xml'
 MAC_RELEASE_DOWNLOAD_URL_PREFIX='https://github.com/steipete/CodexBar/releases/download/v${MARKETING_VERSION}/'
 
-MAC_RELEASE_PRECHECK='swiftformat Sources Tests >/dev/null && swiftlint --strict && swift test --parallel'
+MAC_RELEASE_PRECHECK='swiftformat Sources Tests >/dev/null && swiftlint --strict && swift test --enable-xctest --disable-swift-testing && swift test --enable-swift-testing --disable-xctest --no-parallel'
 MAC_RELEASE_PACKAGE_CMD='Scripts/sign-and-notarize.sh'
 MAC_RELEASE_TAG_SIGNED=1
 MAC_RELEASE_TAG_FORCE=1

diff --git a/AGENTS.md b/AGENTS.md
@@ -73,6 +73,7 @@ Full status definitions and index are in `CodexBarMobile/Research/README.md`.
 - Build with `xcodebuild` to verify compilation
 - Run unit tests if applicable
 - Verify on simulator or real device as needed
+- Never run tests/checks or ad-hoc validation that can display macOS Keychain prompts. Live provider probes, browser-cookie imports, `codexbar usage` against real accounts, and real SecItem reads must be explicitly requested; otherwise use parser tests, stubs, test stores, or `KeychainNoUIQuery`.
 
 ## Step 5 — Documentation