Merge remote-tracking branch 'origin/main' into test-opencode-zen

# Conflicts:
#	web/src/app/api/v1/chat/completions/__tests__/completions.test.ts

Author: jahooma

agents/file-explorer/code-searcher.ts

@@ -85,6 +85,7 @@ const codeSearcher: SecretAgentDefinition = {
     yield {
       toolName: 'set_output',
       input: {
+        message: '',
         results: toolResults,
       },
       includeToolCall: false,

cli/release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codebuff",
-  "version": "1.0.673",
+  "version": "1.0.674",
   "description": "AI coding agent",
   "license": "MIT",
   "bin": {

cli/src/components/tools/__tests__/code-search.test.tsx

@@ -0,0 +1,45 @@
+import { describe, expect, test } from 'bun:test'
+import React from 'react'
+import { renderToStaticMarkup } from 'react-dom/server'
+
+import { initializeThemeStore } from '../../../hooks/use-theme'
+import { CodeSearchComponent } from '../code-search'
+
+import type { ChatTheme } from '../../../types/theme-system'
+import type { ToolBlock } from '../types'
+
+initializeThemeStore()
+
+const createToolBlock = (
+  output?: string,
+): ToolBlock & { toolName: 'code_search' } => ({
+  type: 'tool',
+  toolName: 'code_search',
+  toolCallId: 'code-search-test',
+  input: {
+    pattern: 'getAgentBaseName',
+    cwd: 'cli/src/utils',
+  },
+  output,
+})
+
+describe('CodeSearchComponent', () => {
+  test('uses formatted match count from current code search output', () => {
+    const result = CodeSearchComponent.render(
+      createToolBlock(`Found 2 matches
+./message-block-helpers.ts:
+Line 13: export const getAgentBaseName = (type: string): string => {
+Line 196: getAgentBaseName(options.agentType ?? '') === 'code-searcher'`),
+      {} as ChatTheme,
+      {
+        availableWidth: 80,
+        indentationOffset: 0,
+        labelWidth: 10,
+      },
+    )
+
+    const markup = renderToStaticMarkup(<>{result.content}</>)
+
+    expect(markup).toContain('getAgentBaseName in cli/src/utils (2 results)')
+  })
+})

cli/src/components/tools/code-search.tsx

@@ -23,13 +23,22 @@ export const CodeSearchComponent = defineToolComponent({
 
     if (toolBlock.output && typeof toolBlock.output === 'string') {
       const lines = toolBlock.output.split('\n')
+      const matchCountLine = lines.find((line) =>
+        /^Found \d+ matches?$/.test(line.trim()),
+      )
+      const parsedTotalResults = matchCountLine
+        ?.trim()
+        .match(/^Found (\d+) matches?$/)?.[1]
 
-      for (const line of lines) {
-        const trimmed = line.trim()
+      if (parsedTotalResults !== undefined) {
+        totalResults = Number(parsedTotalResults)
+      } else {
+        for (const line of lines) {
+          const trimmed = line.trim()
 
-        // Result lines start with a number followed by a colon
-        if (/^\d+:/.test(trimmed)) {
-          totalResults++
+          if (/^(?:Line\s+)?\d+:/.test(trimmed)) {
+            totalResults++
+          }
         }
       }
     }
@@ -52,12 +61,7 @@ export const CodeSearchComponent = defineToolComponent({
 
     // Return as content using SimpleToolCallItem
     return {
-      content: (
-        <SimpleToolCallItem
-          name="Search"
-          description={summary}
-        />
-      ),
+      content: <SimpleToolCallItem name="Search" description={summary} />,
     }
   },
 })

cli/src/utils/__tests__/message-block-helpers.test.ts

@@ -376,6 +376,23 @@ describe('extractSpawnAgentResultContent', () => {
       hasError: false,
     })
   })
+
+  test('uses an empty structuredOutput message as no display content', () => {
+    const result = extractSpawnAgentResultContent({
+      type: 'structuredOutput',
+      value: {
+        message: '',
+        results: [
+          {
+            stdout: 'Found 1 match\n./file.ts:\nLine 1: needle',
+            message: 'Exit code: 0',
+          },
+        ],
+      },
+    })
+
+    expect(result).toEqual({ content: '', hasError: false })
+  })
 })
 
 describe('appendInterruptionNotice', () => {

docs/authentication.md

@@ -13,10 +13,13 @@ sequenceDiagram
     participant DB as Database
 
     CLI->>Web: POST /api/auth/cli/code {fingerprintId}
-    Web->>Web: Generate auth code (1h expiry)
-    Web->>CLI: Return login URL
+    Web->>Web: Generate signed auth payload (1h expiry)
+    Web->>DB: Store payload behind opaque browser token
+    Web->>CLI: Return login URL with opaque token
     CLI->>CLI: Open browser
     Note over Web: User completes OAuth
+    Web->>DB: Resolve opaque token to signed payload
+    Web->>DB: Mark opaque token consumed
     Web->>DB: Check fingerprint ownership
     Web->>DB: Create/update session
     loop Every 5s
@@ -64,11 +67,14 @@ sequenceDiagram
 ### 4. Failure: Invalid/Expired Code
 
 - Auth code validation fails or expired (1h limit)
+- Opaque browser tokens resolve expired signed payloads before returning the expired-code error
 - Returns authentication error
 
 ## Security Features
 
-- Auth codes expire after 1 hour
+- Signed auth payloads expire after 1 hour
+- Browser login URLs use opaque 43-character tokens instead of exposing the signed auth payload
+- Opaque browser tokens are stored in `verificationToken` under `cli-login:<token>` and atomically moved to `cli-login-consumed:<token-hash>` when onboarding resolves them; consumed markers scrub the signed auth payload from the `token` column
 - Fingerprint uniqueness: hardware info + 8 random bytes
 - Ownership conflicts blocked and logged
 - Sessions linked to fingerprint_id in database

docs/testing.md

@@ -9,3 +9,37 @@ CLI hook testing note: React 19 + Bun + RTL `renderHook()` is unreliable; prefer
 ## CLI tmux Testing
 
 For testing CLI behavior via tmux, use the helper scripts in `scripts/tmux/`. These handle bracketed paste mode and session logging automatically. Session data is saved to `debug/tmux-sessions/` in YAML format and can be viewed with `bun scripts/tmux/tmux-viewer/index.tsx`. See `scripts/tmux/README.md` for details.
+
+Useful workflow for agents:
+
+```bash
+# Start the dev CLI in a detached tmux session.
+SESSION=$(./scripts/tmux/tmux-cli.sh start --name cli-check -w 160 -h 40 --wait 6)
+
+# Capture the initial screen. Captures are written to debug/tmux-sessions/$SESSION/.
+./scripts/tmux/tmux-cli.sh capture "$SESSION" --label initial
+
+# Send a prompt. The helper uses bracketed paste so text is not dropped.
+./scripts/tmux/tmux-cli.sh send "$SESSION" "Search for getAgentBaseName and report what you find" --wait-idle 4
+
+# Capture after the run, then inspect the saved capture text.
+./scripts/tmux/tmux-cli.sh capture "$SESSION" --label after-search --wait 2
+
+# Clean up when finished.
+./scripts/tmux/tmux-cli.sh stop "$SESSION"
+```
+
+If a change can be verified with a small local harness instead of a live model-backed CLI run, run that harness inside tmux too. This still checks terminal rendering and produces a capture:
+
+```bash
+SESSION=$(./scripts/tmux/tmux-cli.sh start \
+  --name render-check \
+  -w 160 -h 20 \
+  --wait 1 \
+  --command "bun .context/my-render-check.tsx")
+
+./scripts/tmux/tmux-cli.sh capture "$SESSION" --label rendered
+./scripts/tmux/tmux-cli.sh stop "$SESSION"
+```
+
+When verifying UI output, prefer checking the saved capture file for concrete strings that should and should not appear. For example, after expanding a code-searcher agent, check that the capture shows the search summary but not raw structured payload keys like `results:` or `stdout:`.

freebuff/cli/release/package.json

@@ -1,6 +1,6 @@
 {
   "name": "freebuff",
-  "version": "0.0.84",
+  "version": "0.0.85",
   "description": "The world's strongest free coding agent",
   "license": "MIT",
   "bin": {

freebuff/web/src/app/api/auth/cli/code/route.ts

@@ -1,3 +1,5 @@
+import { randomBytes } from 'node:crypto'
+
 import { genAuthCode } from '@codebuff/common/util/credentials'
 import db from '@codebuff/internal/db'
 import * as schema from '@codebuff/internal/db/schema'
@@ -6,6 +8,11 @@ import { and, eq, gt } from 'drizzle-orm'
 import { NextResponse } from 'next/server'
 import { z } from 'zod/v4'
 
+import {
+  buildCliAuthCode,
+  getCliAuthCodeHashPrefix,
+  getCliAuthCodeTokenIdentifier,
+} from '@/app/onboard/_helpers'
 import { logger } from '@/util/logger'
 
 import { getLoginUrlOrigin } from './_origin'
@@ -55,6 +62,19 @@ export async function POST(req: Request) {
       )
     }
 
+    const authCode = buildCliAuthCode(
+      fingerprintId,
+      expiresAt.toString(),
+      fingerprintHash,
+    )
+    const loginToken = randomBytes(32).toString('base64url')
+
+    await db.insert(schema.verificationToken).values({
+      identifier: getCliAuthCodeTokenIdentifier(loginToken),
+      token: authCode,
+      expires: new Date(expiresAt),
+    })
+
     const loginUrl = new URL(
       '/login',
       getLoginUrlOrigin(
@@ -64,9 +84,25 @@ export async function POST(req: Request) {
         env.NEXT_PUBLIC_CB_ENVIRONMENT !== 'prod',
       ),
     )
-    loginUrl.searchParams.set(
-      'auth_code',
-      `${fingerprintId}.${expiresAt}.${fingerprintHash}`,
+    loginUrl.searchParams.set('auth_code', loginToken)
+
+    logger.info(
+      {
+        authCodeTokenHashPrefix: getCliAuthCodeHashPrefix(loginToken),
+        authCodeTokenLength: loginToken.length,
+        fingerprintIdPrefix: fingerprintId.slice(0, 24),
+        fingerprintIdLength: fingerprintId.length,
+        expiresAt,
+        loginUrlOrigin: loginUrl.origin,
+        requestOrigin: new URL(req.url).origin,
+        requestHost: req.headers.get('host'),
+        forwardedHost: req.headers.get('x-forwarded-host'),
+        forwardedProto: req.headers.get('x-forwarded-proto'),
+        originHeader: req.headers.get('origin'),
+        configuredAppUrl: env.NEXT_PUBLIC_CODEBUFF_APP_URL,
+        environment: env.NEXT_PUBLIC_CB_ENVIRONMENT,
+      },
+      'Issued Freebuff CLI auth code token',
     )
 
     return NextResponse.json({