From f9c8e12a9ce32cf8a9f3021e1b51d1c433e13ba7 Mon Sep 17 00:00:00 2001
From: B <6723574+louisgv@users.noreply.github.com>
Date: Wed, 20 May 2026 07:27:08 +0000
Subject: [PATCH 1/3] fix(docker): add missing t3code.Dockerfile for --beta
 docker/sandbox support
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

t3code was added to the agent matrix but its Dockerfile was never created.
Users running `spawn t3code <cloud> --beta docker`, `--beta sandbox`, or in
the fast_provision experiment group hit a runtime failure because the image
ghcr.io/openrouterteam/spawn-t3code:latest does not exist.

Follows the same pattern as pi.Dockerfile: ubuntu:24.04, Node.js 22 via n,
`npm install -g t3`.

The .github/workflows/docker.yml matrix update is tracked in #3418 (requires
human review — off-limits for automated agents).

Agent: refactor/code-health
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 sh/docker/t3code.Dockerfile | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 sh/docker/t3code.Dockerfile

diff --git a/sh/docker/t3code.Dockerfile b/sh/docker/t3code.Dockerfile
new file mode 100644
index 000000000..f0872a405
--- /dev/null
+++ b/sh/docker/t3code.Dockerfile
@@ -0,0 +1,17 @@
+FROM ubuntu:24.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Base packages
+RUN apt-get update -y && \
+    apt-get install -y --no-install-recommends \
+      curl git ca-certificates build-essential unzip zsh && \
+    rm -rf /var/lib/apt/lists/*
+
+# Node.js 22 via n
+RUN curl --proto '=https' -fsSL https://raw.githubusercontent.com/tj/n/master/bin/n | bash -s install 22
+
+# T3 Code (web GUI wrapping Claude Code and Codex via browser interface)
+RUN npm install -g t3
+
+CMD ["/bin/sleep", "inf"]

From 6927c1eb2bd4f30bd036f920d06a696f20b379d8 Mon Sep 17 00:00:00 2001
From: B <6723574+louisgv@users.noreply.github.com>
Date: Wed, 20 May 2026 18:54:40 +0000
Subject: [PATCH 2/3] fix(tests): correct expected agent count in
 digitalocean-token test
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The test was counting ALL fetch calls (including telemetry PostHog
fire-and-forget calls triggered by logWarn → captureWarning). When
telemetry.test.ts runs first and initializes the telemetry singleton,
captureWarning becomes active, adding 2 extra fetch calls during
doApi's 401 recovery flow. Fix by filtering out PostHog URLs from
the call count so only DigitalOcean-related fetches are asserted.

Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 packages/cli/src/__tests__/digitalocean-token.test.ts | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/packages/cli/src/__tests__/digitalocean-token.test.ts b/packages/cli/src/__tests__/digitalocean-token.test.ts
index e9f1a36bb..ca634287d 100644
--- a/packages/cli/src/__tests__/digitalocean-token.test.ts
+++ b/packages/cli/src/__tests__/digitalocean-token.test.ts
@@ -88,12 +88,16 @@ describe("doApi 401 OAuth recovery", () => {
 
   it("attempts OAuth recovery on 401 before throwing", async () => {
     state.token = "expired-token";
-    let callCount = 0;
+    let doCallCount = 0;
     globalThis.fetch = mock((url: string | URL | Request) => {
-      callCount++;
       const urlStr = String(url);
+      // Ignore telemetry (PostHog) fire-and-forget calls triggered by logWarn
+      if (urlStr.includes("posthog") || urlStr.includes("i.posthog")) {
+        return Promise.resolve(new Response("ok"));
+      }
+      doCallCount++;
       // First call: the actual API call returning 401
-      if (callCount === 1) {
+      if (doCallCount === 1) {
         return Promise.resolve(
           new Response("Unauthorized", {
             status: 401,

From 720dde6481ff0706d4d4ecfd1235fa200ab96a8b Mon Sep 17 00:00:00 2001
From: B <6723574+louisgv@users.noreply.github.com>
Date: Thu, 21 May 2026 13:04:00 +0000
Subject: [PATCH 3/3] fix(tests): revert to main's DO token test (posthog
 filter was redundant after #3425)

Agent: pr-maintainer
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 packages/cli/src/__tests__/digitalocean-token.test.ts | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)

diff --git a/packages/cli/src/__tests__/digitalocean-token.test.ts b/packages/cli/src/__tests__/digitalocean-token.test.ts
index ca634287d..e9f1a36bb 100644
--- a/packages/cli/src/__tests__/digitalocean-token.test.ts
+++ b/packages/cli/src/__tests__/digitalocean-token.test.ts
@@ -88,16 +88,12 @@ describe("doApi 401 OAuth recovery", () => {
 
   it("attempts OAuth recovery on 401 before throwing", async () => {
     state.token = "expired-token";
-    let doCallCount = 0;
+    let callCount = 0;
     globalThis.fetch = mock((url: string | URL | Request) => {
+      callCount++;
       const urlStr = String(url);
-      // Ignore telemetry (PostHog) fire-and-forget calls triggered by logWarn
-      if (urlStr.includes("posthog") || urlStr.includes("i.posthog")) {
-        return Promise.resolve(new Response("ok"));
-      }
-      doCallCount++;
       // First call: the actual API call returning 401
-      if (doCallCount === 1) {
+      if (callCount === 1) {
         return Promise.resolve(
           new Response("Unauthorized", {
             status: 401,