build(deps): update dependency oh-my-openagent to v3.17.12

[fro-bot]

This PR contains the following updates:

Package	Change	Age	Confidence	OpenSSF	Code Search
oh-my-openagent	3.17.6 → 3.17.12

---

Release Notes

code-yeongyu/oh-my-openagent (oh-my-openagent)

v3.17.12

Compare Source

Fixes the "Sisyphus randomly drops to claude-opus-4.7" bug

If you're on 3.17.x and noticed Sisyphus silently jumping back to claude-opus-4-7 while you were running it on GPT-5.4, GLM, Kimi, or any non-Claude model: this release fixes that.

What was happening

Commit 034744cb (Apr 22, "retry forbidden provider errors") added bare "403" and "forbidden" substrings to the retryable-error pattern list. The intent was to retry the specific Forbidden: Selected provider is forbidden case from PR #​3706, but bare-substring matching is greedy: it caught any error message containing those tokens, including:

• Tool-level 403s (e.g. webfetch hitting a guarded URL)
• File-permission "forbidden" messages
• Unrelated upstream errors that happened to spell "forbidden" / "403"

When the classifier returned true on those false positives, event.ts armed setPendingModelFallback("sisyphus", ...), which immediately advanced to the first entry of Sisyphus' fallback chain, claude-opus-4-7. So a non-Claude run would silently jump to opus 4.7 with no visible model-level error.

Fix

Replaced the bare patterns with the specific phrases the original PR was actually targeting:

- "403",
- "forbidden",
+ "selected provider is forbidden",
+ "provider is forbidden",

The original "Selected provider is forbidden" case still retries correctly. Unrelated 403 / forbidden messages now stay non-retryable, so your configured model is no longer hijacked. Two regression tests lock the new behavior down.

Reported by ilove_borshch in #omo-help. Thanks for the precise repro.

---

• f7270a0 fix(model-error-classifier): scope forbidden-provider retry to specific phrase

v3.17.11

Compare Source

GPT-5.5 Agents: Manual QA Gate, Stronger Investigation, Apply-Patch Fix

A focused tune-up to the GPT-5.5 prompts driving Sisyphus, Sisyphus-Junior, and Hephaestus. If you run any of those agents on a GPT-5.5 model, this release tightens their behavior in five ways you'll notice in practice.

Manual QA Gate: agents have to actually USE what they build

End-to-end delegations on GPT-5.5 (e.g., ulw, "implement and finish", "ship it") now route through a non-negotiable surface-to-tool mapping:

Surface	Required tool
TUI / CLI	interactive_bash (tmux)
Web / browser	playwright
HTTP service	curl against the running service
Library / SDK	minimal driver script

"Tests pass + lsp clean + build green" is no longer enough. Agents must drive the deliverable through the matching tool before declaring done. This closes the failure mode where a GPT-5.5 agent reports "implementation complete" without ever launching the binary or loading the page.

Investigate-before-acting is no longer a soft phrase

Bumped from a one-liner to a dedicated block: never speculate about unread code, re-read on every task hand-off, and treat the worktree as potentially mutated by parallel agents. If you've seen GPT-5.5 reason about a file it didn't open, this is the fix.

Parallelize-aggressively is now a first-class behavior

Reads, searches, diagnostics, and background sub-agents are expected to batch into a single response by default. Sequential tool calls when the work is independent now stand out as a violation rather than the norm.

apply_patch ↔ permission contradiction resolved

Earlier prompts told GPT-5.5 to use apply_patch while the platform-level permission denies it on GPT models. The agent now reaches for edit / write directly via GPT_APPLY_PATCH_GUIDANCE, removing the contradiction that was triggering tool-denial loops.

Hard invariants & dig-deeper trio restored

• Sisyphus now carries explicit hard-invariant blocks: no as any / @ts-ignore, no destructive git without confirmation, never deliver before Oracle returns.
• Sisyphus-Junior gains a review-tasks block plus a sensible default-behavior fallback when category context is missing or sparse.
• Hephaestus regains optional category delegation while keeping direct execution as the default.
• The dig-deeper trio (tool persistence / dig deeper / dependency checks) is split back into orthogonal paragraphs so each one carries its own cognitive trigger instead of being fused into a single sentence.

No config changes, no migration steps. Update and the new behavior takes effect on the next GPT-5.5 agent run.

---

• 1a64060 feat(agents): strengthen gpt-5.5 prompts with manual QA gate, dig-deeper trio, anti-fallback
• a469abd @​guyua9 has signed the CLA in #​3733

v3.17.10

Compare Source

What's New in v3.17.10

Note on versioning: v3.17.7 through v3.17.9 were partial publishes during a Trusted Publishing rollout (a few platform packages couldn't ship while their npm-side trust config was still being put in place). v3.17.10 is the first complete release with all platform binaries shipped together. Please skip the in-between versions.

Smarter Fallback When Credits Run Out

When a provider returns "insufficient balance", "no credits", or "forbidden", the runtime now treats it the same as quota exhaustion and automatically falls back to the next configured model. You no longer get hard failures the moment one of your accounts runs dry — the agent keeps working with a different provider. (#​3519)

This applies to both your main session and any background tasks spawned during the run.

Background Tasks Now Show Their Retry History

Background tasks that recovered from a transient failure now render a retry timeline with links to each retry session. If a task succeeded only after 2-3 attempts, you can see exactly when each retry happened and what session it ran in — much easier to diagnose flaky models or providers.

Sync task() calls also replay session registration after runtime errors, so retried tasks no longer get orphaned.

Day-1 Support for GPT-5.5

The new claude-opus-4-7 and gpt-5.5 models now have native deep-category prompts tuned to their behaviour. Delegating to category="deep" automatically uses the right system prompt.

Faster Compaction, Faster Context Window Math

Four small but cumulative perf wins:

• Hashline edit uses write-metadata line counts instead of re-reading files (fewer disk hits per edit)
• Compaction reuses message update parts when the tail has no text (less work on every prompt)
• Context window usage is now cached per session (no recomputation across hooks)
• Background agent indexes tasks by parent session (faster lookups when many tasks fan out)

If you've felt the agent get a tiny bit snappier on long sessions, this is why.

Plugin Auto-Updater No Longer Reads the Wrong package.json

When oh-my-opencode runs from a flat-install directory (e.g. some Claude Code plugin sandboxes), the auto-update checker was reading a sibling package.json and reporting bogus versions. It now prefers the loaded module's own package.json, so version checks and update prompts are accurate. (#​3718)

Behind the Scenes — npm Trusted Publishing

The release pipeline migrated from long-lived npm tokens to OIDC trusted publishing (OpenSSF standard). Every version is now published with a short-lived, workflow-scoped credential, with provenance attestations signed by sigstore. No user-facing change, but means future releases are no longer at risk of token-expiry outages — a problem that caused the v3.17.7-v3.17.9 partial publishes during this rollout.

A new preflight-trust job verifies all 24 platform packages have a trusted publisher configured before the version is bumped. If any package is missing trust config, the workflow fails fast with a list of npm.com URLs to fix — preventing future partial publishes.

---

Minor Compatibility and Stability Release

This release carries compatibility-facing behavior changes and operational hardening. Read the summary below before upgrading or publishing.

• Rename transition updates across package detection, plugin/config compatibility, and install surfaces.
• Task and tool behavior updates, including delegate-task contract and runtime registration behavior.
• Install and publish workflow hardening, including safer release sequencing and package/install fixes.

Commit Summary

• 9a61c60 fix(ci): treat npm OIDC exchange 201 as success in preflight
• ab5216f feat(ci): add preflight-trust gate before version bump
• 017d48f @​yizhifengye has signed the CLA in #​3731
• fd85dad fix(ci): strip _authToken from .npmrc so OIDC takes precedence
• 48fc7bd fix(ci): switch npm publish to OIDC trusted publishing
• 216283e @​aaronkyriesenbach has signed the CLA in #​3727
• 002297b Merge pull request #​3718 from ismetanin/fix/cached-version-per-plugin-sandbox
• 5291ee7 fix(auto-update-checker): prefer loaded module's package.json over flat-install candidates
• d65bc87 feat(agents): add gpt-5.5 native deep category prompt
• 766eedd Merge pull request #​3706 from unclok/fix/retry-recovery-and-observability
• 05a15f7 Merge branch 'dev' into fix/retry-recovery-and-observability
• ea07f28 Merge pull request #​3556 from MoerAI/fix/fallback-credit-exhaustion
• 6850cb6 Merge branch 'dev' into fix/fallback-credit-exhaustion
• 7adb725 Merge remote-tracking branch 'origin/dev' into fix/retry-recovery-and-observability
• b8652db @​deopa0402 has signed the CLA in #​3713
• 483e11a @​unclok has signed the CLA in #​3706
• 0dd455e fix(delegate-task): ignore stale sync session errors
• 1856657 fix(model-fallback): clone session fallback chains
• 2237c1a fix(background-agent): guard stale launch errors and retry links
• 27fb2d5 test(plugin): clean up event handler test helpers
• 078e496 fix(delegate-task): replay sync retry session registration
• fbaeb03 fix(todo-continuation): avoid duplicate progress reset
• ebcd6ed perf(hashline): use write metadata line counts
• 24201ea perf(background-agent): index tasks by parent session
• eb722aa perf(compaction): reuse message update parts for no-text tails
• ece8fd4 perf(shared): cache context window usage per session
• 3fc9e6b Merge remote-tracking branch 'origin/dev' into opencode/mighty-wolf
• 79054ea feat(background-task): render retry timelines and links
• 25548f2 fix(model-fallback): retry forbidden provider errors
• 613e4a6 fix(delegate-task): retry sync tasks after runtime session errors
• a4968a3 feat(background-task): track retry attempts across sessions
• cc3cca7 fix(model-fallback): expose session fallback chains to background tasks
• 328df08 fix(test): update provider-matrix tests to expect fallback on quota exhaustion
• 5949300 fix(error-classifier): match insufficient balance/funds as quota_exceeded
• 034744c fix(model-error-classifier): retry forbidden provider errors
• fbf130e fix(test): update integration tests to expect fallback on quota exhaustion
• 7488c52 fix(runtime-fallback): trigger fallback on quota/credit exhaustion (fixes #​3519)

Thank you to 4 community contributors:

• @​MoerAI:
  • fix(runtime-fallback): trigger fallback on quota/credit exhaustion (fixes #​3519)
  • fix(test): update integration tests to expect fallback on quota exhaustion
  • fix(error-classifier): match insufficient balance/funds as quota_exceeded
  • fix(test): update provider-matrix tests to expect fallback on quota exhaustion
• @​unclok:
  • fix(model-error-classifier): retry forbidden provider errors
  • fix(model-fallback): expose session fallback chains to background tasks
  • feat(background-task): track retry attempts across sessions
  • fix(delegate-task): retry sync tasks after runtime session errors
  • fix(model-fallback): retry forbidden provider errors
  • feat(background-task): render retry timelines and links
  • Merge remote-tracking branch 'origin/dev' into opencode/mighty-wolf
  • fix(delegate-task): replay sync retry session registration
  • test(plugin): clean up event handler test helpers
  • fix(background-agent): guard stale launch errors and retry links
  • fix(model-fallback): clone session fallback chains
  • fix(delegate-task): ignore stale sync session errors
  • Merge remote-tracking branch 'origin/dev' into fix/retry-recovery-and-observability
• @​ismetanin:
  • fix(auto-update-checker): prefer loaded module's package.json over flat-install candidates
• @​acamq:
  • Merge pull request #​3718 from ismetanin/fix/cached-version-per-plugin-sandbox

v3.17.9

Compare Source

v3.17.8

Compare Source

v3.17.7

Compare Source

---

Configuration

📅 Schedule: (in timezone America/Phoenix)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.