From 698e19d07d6b6499eab4507a0784073d93388f79 Mon Sep 17 00:00:00 2001
From: James Grugett <jahooma@gmail.com>
Date: Tue, 24 Mar 2026 15:18:02 -0700
Subject: [PATCH 1/5] Turnstile implementation

---
 .env.example                                  |  4 +
 common/src/env-schema.ts                      |  2 +
 .../app/api/auth/verify-turnstile/route.ts    | 78 +++++++++++++++++++
 .../web/src/components/login/login-card.tsx   | 59 +++++++++++++-
 .../src/components/sign-in/sign-in-button.tsx |  4 +-
 .../sign-in/sign-in-card-footer.tsx           |  4 +-
 .../web/src/components/turnstile-widget.tsx   | 63 +++++++++++++++
 freebuff/web/src/middleware.ts                | 67 ++++++++++++++++
 freebuff/web/src/types/turnstile.d.ts         | 25 ++++++
 packages/internal/src/env-schema.ts           |  2 +
 .../app/api/auth/verify-turnstile/route.ts    | 78 +++++++++++++++++++
 web/src/components/login/login-card.tsx       | 64 ++++++++++++++-
 web/src/components/sign-in/sign-in-button.tsx |  4 +-
 .../sign-in/sign-in-card-footer.tsx           |  8 +-
 web/src/components/turnstile-widget.tsx       | 63 +++++++++++++++
 web/src/middleware.ts                         | 67 ++++++++++++++++
 web/src/types/turnstile.d.ts                  | 25 ++++++
 17 files changed, 607 insertions(+), 10 deletions(-)
 create mode 100644 freebuff/web/src/app/api/auth/verify-turnstile/route.ts
 create mode 100644 freebuff/web/src/components/turnstile-widget.tsx
 create mode 100644 freebuff/web/src/middleware.ts
 create mode 100644 freebuff/web/src/types/turnstile.d.ts
 create mode 100644 web/src/app/api/auth/verify-turnstile/route.ts
 create mode 100644 web/src/components/turnstile-widget.tsx
 create mode 100644 web/src/middleware.ts
 create mode 100644 web/src/types/turnstile.d.ts

diff --git a/.env.example b/.env.example
index a1b46a0b88..ce0fd74103 100644
--- a/.env.example
+++ b/.env.example
@@ -33,6 +33,10 @@ DISCORD_PUBLIC_KEY=dummy_discord_public_key
 DISCORD_BOT_TOKEN=dummy_discord_bot_token
 DISCORD_APPLICATION_ID=dummy_discord_app_id
 
+# Cloudflare Turnstile (optional — bot protection on signup)
+TURNSTILE_SECRET_KEY=dummy_turnstile_secret_key
+NEXT_PUBLIC_TURNSTILE_SITE_KEY=dummy_turnstile_site_key
+
 # Frontend/Public Variables
 NEXT_PUBLIC_CB_ENVIRONMENT=dev
 NEXT_PUBLIC_CODEBUFF_APP_URL=http://localhost:3000
diff --git a/common/src/env-schema.ts b/common/src/env-schema.ts
index 23eb38f9a4..9c32c950d7 100644
--- a/common/src/env-schema.ts
+++ b/common/src/env-schema.ts
@@ -11,6 +11,7 @@ export const clientEnvSchema = z.object({
   NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY: z.string().min(1),
   NEXT_PUBLIC_STRIPE_CUSTOMER_PORTAL: z.url().min(1),
   NEXT_PUBLIC_GOOGLE_SITE_VERIFICATION_ID: z.string().optional(),
+  NEXT_PUBLIC_TURNSTILE_SITE_KEY: z.string().optional(),
   NEXT_PUBLIC_WEB_PORT: z.coerce.number().min(1000),
 } satisfies Record<`${typeof CLIENT_ENV_PREFIX}${string}`, any>)
 export const clientEnvVars = clientEnvSchema.keyof().options
@@ -33,5 +34,6 @@ export const clientProcessEnv: ClientInput = {
     process.env.NEXT_PUBLIC_STRIPE_CUSTOMER_PORTAL,
   NEXT_PUBLIC_GOOGLE_SITE_VERIFICATION_ID:
     process.env.NEXT_PUBLIC_GOOGLE_SITE_VERIFICATION_ID,
+  NEXT_PUBLIC_TURNSTILE_SITE_KEY: process.env.NEXT_PUBLIC_TURNSTILE_SITE_KEY,
   NEXT_PUBLIC_WEB_PORT: process.env.NEXT_PUBLIC_WEB_PORT,
 }
diff --git a/freebuff/web/src/app/api/auth/verify-turnstile/route.ts b/freebuff/web/src/app/api/auth/verify-turnstile/route.ts
new file mode 100644
index 0000000000..d1ab2b4342
--- /dev/null
+++ b/freebuff/web/src/app/api/auth/verify-turnstile/route.ts
@@ -0,0 +1,78 @@
+import crypto from 'crypto'
+
+import { env } from '@codebuff/internal/env'
+import { NextResponse } from 'next/server'
+import { z } from 'zod/v4'
+
+import type { NextRequest } from 'next/server'
+
+import { logger } from '@/util/logger'
+
+const TURNSTILE_VERIFY_URL =
+  'https://challenges.cloudflare.com/turnstile/v0/siteverify'
+
+export async function POST(request: NextRequest) {
+  const secretKey = env.TURNSTILE_SECRET_KEY
+  if (!secretKey) {
+    return NextResponse.json({ success: true })
+  }
+
+  const body = await request.json()
+  const parsed = z.object({ token: z.string().min(1) }).safeParse(body)
+
+  if (!parsed.success) {
+    return NextResponse.json(
+      { success: false, error: 'Invalid token' },
+      { status: 400 },
+    )
+  }
+
+  const formData = new FormData()
+  formData.append('secret', secretKey)
+  formData.append('response', parsed.data.token)
+
+  const ip =
+    request.headers.get('CF-Connecting-IP') ??
+    request.headers.get('X-Forwarded-For') ??
+    ''
+  if (ip) {
+    formData.append('remoteip', ip)
+  }
+
+  const result = await fetch(TURNSTILE_VERIFY_URL, {
+    method: 'POST',
+    body: formData,
+  })
+  const outcome = (await result.json()) as {
+    success: boolean
+    'error-codes'?: string[]
+  }
+
+  if (!outcome.success) {
+    logger.warn(
+      { errorCodes: outcome['error-codes'] },
+      'Turnstile verification failed',
+    )
+    return NextResponse.json(
+      { success: false, error: 'Verification failed' },
+      { status: 403 },
+    )
+  }
+
+  const timestamp = Date.now().toString()
+  const signature = crypto
+    .createHmac('sha256', env.NEXTAUTH_SECRET)
+    .update(timestamp)
+    .digest('hex')
+
+  const response = NextResponse.json({ success: true })
+  response.cookies.set('turnstile_verified', `${timestamp}.${signature}`, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    maxAge: 300,
+    path: '/',
+  })
+
+  return response
+}
diff --git a/freebuff/web/src/components/login/login-card.tsx b/freebuff/web/src/components/login/login-card.tsx
index a539ea44ff..14c7f1ac4e 100644
--- a/freebuff/web/src/components/login/login-card.tsx
+++ b/freebuff/web/src/components/login/login-card.tsx
@@ -3,9 +3,10 @@
 import Image from 'next/image'
 import { useSearchParams } from 'next/navigation'
 import { useSession, signIn } from 'next-auth/react'
-import { Suspense } from 'react'
+import { Suspense, useCallback, useRef, useState } from 'react'
 
 import { SignInCardFooter } from '@/components/sign-in/sign-in-card-footer'
+import { TurnstileWidget } from '@/components/turnstile-widget'
 import { Button } from '@/components/ui/button'
 import {
   Card,
@@ -15,9 +16,48 @@ import {
   CardFooter,
 } from '@/components/ui/card'
 
+const TURNSTILE_SITE_KEY = process.env.NEXT_PUBLIC_TURNSTILE_SITE_KEY
+
 export function LoginCard({ authCode }: { authCode?: string | null }) {
   const { data: session } = useSession()
   const searchParams = useSearchParams() ?? new URLSearchParams()
+  const [turnstileVerified, setTurnstileVerified] = useState(
+    !TURNSTILE_SITE_KEY,
+  )
+  const [turnstileError, setTurnstileError] = useState<string | null>(null)
+  const turnstileErrorShownRef = useRef(false)
+
+  const handleTurnstileVerify = useCallback(async (token: string) => {
+    try {
+      const response = await fetch('/api/auth/verify-turnstile', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ token }),
+      })
+      const result = await response.json()
+      if (result.success) {
+        setTurnstileVerified(true)
+        setTurnstileError(null)
+        turnstileErrorShownRef.current = false
+      } else {
+        setTurnstileError('Verification failed. Please refresh and try again.')
+      }
+    } catch {
+      setTurnstileError('Verification failed. Please refresh and try again.')
+    }
+  }, [])
+
+  const handleTurnstileError = useCallback((errorCode: string) => {
+    console.error('Turnstile error:', errorCode)
+    if (!turnstileErrorShownRef.current) {
+      turnstileErrorShownRef.current = true
+      setTurnstileError('Verification error. Please refresh and try again.')
+    }
+  }, [])
+
+  const handleTurnstileExpired = useCallback(() => {
+    setTurnstileVerified(false)
+  }, [])
 
   const handleContinueAsUser = () => {
     const referralCode = searchParams.get('referral_code')
@@ -129,7 +169,22 @@ export function LoginCard({ authCode }: { authCode?: string | null }) {
                 </CardFooter>
               </>
             ) : (
-              <SignInCardFooter />
+              <>
+                {TURNSTILE_SITE_KEY && (
+                  <CardContent className="flex flex-col items-center gap-2">
+                    <TurnstileWidget
+                      siteKey={TURNSTILE_SITE_KEY}
+                      onVerify={handleTurnstileVerify}
+                      onError={handleTurnstileError}
+                      onExpired={handleTurnstileExpired}
+                    />
+                    {turnstileError && (
+                      <p className="text-sm text-red-400">{turnstileError}</p>
+                    )}
+                  </CardContent>
+                )}
+                <SignInCardFooter disabled={!turnstileVerified} />
+              </>
             )}
           </Card>
         </Suspense>
diff --git a/freebuff/web/src/components/sign-in/sign-in-button.tsx b/freebuff/web/src/components/sign-in/sign-in-button.tsx
index a2d652fa7c..240e7c78b5 100644
--- a/freebuff/web/src/components/sign-in/sign-in-button.tsx
+++ b/freebuff/web/src/components/sign-in/sign-in-button.tsx
@@ -12,9 +12,11 @@ import type { OAuthProviderType } from 'next-auth/providers/oauth-types'
 export function SignInButton({
   providerName,
   providerDomain,
+  disabled,
 }: {
   providerName: OAuthProviderType
   providerDomain: string
+  disabled?: boolean
 }) {
   const [isPending, startTransition] = useTransition()
   const pathname = usePathname()
@@ -52,7 +54,7 @@ export function SignInButton({
   return (
     <Button
       onClick={handleSignIn}
-      disabled={isPending}
+      disabled={isPending || disabled}
       className="flex items-center gap-2 w-full bg-zinc-900 border border-zinc-700 text-white hover:bg-zinc-800 hover:border-acid-matrix/60 hover:shadow-[0_0_20px_rgba(124,255,63,0.15)] transition-all duration-300"
     >
       {isPending ? (
diff --git a/freebuff/web/src/components/sign-in/sign-in-card-footer.tsx b/freebuff/web/src/components/sign-in/sign-in-card-footer.tsx
index fb465188cb..3db121d521 100644
--- a/freebuff/web/src/components/sign-in/sign-in-card-footer.tsx
+++ b/freebuff/web/src/components/sign-in/sign-in-card-footer.tsx
@@ -1,10 +1,10 @@
 import { SignInButton } from './sign-in-button'
 import { CardFooter } from '../ui/card'
 
-export function SignInCardFooter() {
+export function SignInCardFooter({ disabled }: { disabled?: boolean }) {
   return (
     <CardFooter className="flex flex-col space-y-3 pb-8">
-      <SignInButton providerDomain="github.com" providerName="github" />
+      <SignInButton providerDomain="github.com" providerName="github" disabled={disabled} />
     </CardFooter>
   )
 }
diff --git a/freebuff/web/src/components/turnstile-widget.tsx b/freebuff/web/src/components/turnstile-widget.tsx
new file mode 100644
index 0000000000..0971a4e3ee
--- /dev/null
+++ b/freebuff/web/src/components/turnstile-widget.tsx
@@ -0,0 +1,63 @@
+'use client'
+
+import Script from 'next/script'
+import { useEffect, useRef, useState } from 'react'
+
+export function TurnstileWidget({
+  siteKey,
+  onVerify,
+  onError,
+  onExpired,
+}: {
+  siteKey: string
+  onVerify: (token: string) => void
+  onError: (errorCode: string) => void
+  onExpired: () => void
+}) {
+  const containerRef = useRef<HTMLDivElement>(null)
+  const widgetIdRef = useRef<string | undefined>(undefined)
+  const onVerifyRef = useRef(onVerify)
+  const onErrorRef = useRef(onError)
+  const onExpiredRef = useRef(onExpired)
+  onVerifyRef.current = onVerify
+  onErrorRef.current = onError
+  onExpiredRef.current = onExpired
+
+  const [scriptLoaded, setScriptLoaded] = useState(false)
+
+  useEffect(() => {
+    if (
+      !scriptLoaded ||
+      !containerRef.current ||
+      !window.turnstile ||
+      widgetIdRef.current !== undefined
+    ) {
+      return
+    }
+
+    widgetIdRef.current = window.turnstile.render(containerRef.current, {
+      sitekey: siteKey,
+      callback: (token: string) => onVerifyRef.current(token),
+      'error-callback': (errorCode: string) => onErrorRef.current(errorCode),
+      'expired-callback': () => onExpiredRef.current(),
+    })
+
+    return () => {
+      if (widgetIdRef.current !== undefined && window.turnstile) {
+        window.turnstile.remove(widgetIdRef.current)
+        widgetIdRef.current = undefined
+      }
+    }
+  }, [scriptLoaded, siteKey])
+
+  return (
+    <>
+      <link rel="preconnect" href="https://challenges.cloudflare.com" />
+      <Script
+        src="https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit"
+        onLoad={() => setScriptLoaded(true)}
+      />
+      <div ref={containerRef} />
+    </>
+  )
+}
diff --git a/freebuff/web/src/middleware.ts b/freebuff/web/src/middleware.ts
new file mode 100644
index 0000000000..66f726c4f7
--- /dev/null
+++ b/freebuff/web/src/middleware.ts
@@ -0,0 +1,67 @@
+import { NextResponse } from 'next/server'
+
+import type { NextRequest } from 'next/server'
+
+const COOKIE_MAX_AGE_MS = 5 * 60 * 1000 // 5 minutes
+
+async function verifyHmac(
+  timestamp: string,
+  signature: string,
+  secret: string,
+): Promise<boolean> {
+  const encoder = new TextEncoder()
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign'],
+  )
+  const signed = await crypto.subtle.sign('HMAC', key, encoder.encode(timestamp))
+  const expected = Array.from(new Uint8Array(signed))
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('')
+  return expected === signature
+}
+
+export async function middleware(request: NextRequest) {
+  const turnstileSecret = process.env.TURNSTILE_SECRET_KEY
+  const nextauthSecret = process.env.NEXTAUTH_SECRET
+
+  if (!turnstileSecret || !nextauthSecret) {
+    return NextResponse.next()
+  }
+
+  const cookie = request.cookies.get('turnstile_verified')?.value
+  if (!cookie) {
+    const loginUrl = new URL('/login', request.url)
+    request.nextUrl.searchParams.forEach((value, key) => {
+      loginUrl.searchParams.set(key, value)
+    })
+    return NextResponse.redirect(loginUrl)
+  }
+
+  const [timestamp, signature] = cookie.split('.')
+  if (!timestamp || !signature) {
+    const loginUrl = new URL('/login', request.url)
+    return NextResponse.redirect(loginUrl)
+  }
+
+  const age = Date.now() - parseInt(timestamp, 10)
+  if (isNaN(age) || age > COOKIE_MAX_AGE_MS) {
+    const loginUrl = new URL('/login', request.url)
+    return NextResponse.redirect(loginUrl)
+  }
+
+  const valid = await verifyHmac(timestamp, signature, nextauthSecret)
+  if (!valid) {
+    const loginUrl = new URL('/login', request.url)
+    return NextResponse.redirect(loginUrl)
+  }
+
+  return NextResponse.next()
+}
+
+export const config = {
+  matcher: ['/api/auth/signin/:path*'],
+}
diff --git a/freebuff/web/src/types/turnstile.d.ts b/freebuff/web/src/types/turnstile.d.ts
new file mode 100644
index 0000000000..5351e371a2
--- /dev/null
+++ b/freebuff/web/src/types/turnstile.d.ts
@@ -0,0 +1,25 @@
+interface TurnstileRenderOptions {
+  sitekey: string
+  callback: (token: string) => void
+  'error-callback'?: (errorCode: string) => void
+  'expired-callback'?: () => void
+  theme?: 'light' | 'dark' | 'auto'
+  size?: 'normal' | 'flexible' | 'compact'
+  action?: string
+  execution?: 'render' | 'execute'
+  appearance?: 'always' | 'execute' | 'interaction-only'
+}
+
+interface TurnstileInstance {
+  render: (container: HTMLElement | string, options: TurnstileRenderOptions) => string
+  reset: (widgetId: string) => void
+  remove: (widgetId: string) => void
+  getResponse: (widgetId: string) => string | undefined
+  isExpired: (widgetId: string) => boolean
+  ready: (callback: () => void) => void
+  execute: (container: HTMLElement | string) => void
+}
+
+interface Window {
+  turnstile?: TurnstileInstance
+}
diff --git a/packages/internal/src/env-schema.ts b/packages/internal/src/env-schema.ts
index c4bfa7423f..db05a4f8f9 100644
--- a/packages/internal/src/env-schema.ts
+++ b/packages/internal/src/env-schema.ts
@@ -30,6 +30,7 @@ export const serverEnvSchema = clientEnvSchema.extend({
   DISCORD_PUBLIC_KEY: z.string().min(1),
   DISCORD_BOT_TOKEN: z.string().min(1),
   DISCORD_APPLICATION_ID: z.string().min(1),
+  TURNSTILE_SECRET_KEY: z.string().optional(),
 })
 export const serverEnvVars = serverEnvSchema.keyof().options
 export type ServerEnvVar = (typeof serverEnvVars)[number]
@@ -75,4 +76,5 @@ export const serverProcessEnv: ServerInput = {
   DISCORD_PUBLIC_KEY: process.env.DISCORD_PUBLIC_KEY,
   DISCORD_BOT_TOKEN: process.env.DISCORD_BOT_TOKEN,
   DISCORD_APPLICATION_ID: process.env.DISCORD_APPLICATION_ID,
+  TURNSTILE_SECRET_KEY: process.env.TURNSTILE_SECRET_KEY,
 }
diff --git a/web/src/app/api/auth/verify-turnstile/route.ts b/web/src/app/api/auth/verify-turnstile/route.ts
new file mode 100644
index 0000000000..d1ab2b4342
--- /dev/null
+++ b/web/src/app/api/auth/verify-turnstile/route.ts
@@ -0,0 +1,78 @@
+import crypto from 'crypto'
+
+import { env } from '@codebuff/internal/env'
+import { NextResponse } from 'next/server'
+import { z } from 'zod/v4'
+
+import type { NextRequest } from 'next/server'
+
+import { logger } from '@/util/logger'
+
+const TURNSTILE_VERIFY_URL =
+  'https://challenges.cloudflare.com/turnstile/v0/siteverify'
+
+export async function POST(request: NextRequest) {
+  const secretKey = env.TURNSTILE_SECRET_KEY
+  if (!secretKey) {
+    return NextResponse.json({ success: true })
+  }
+
+  const body = await request.json()
+  const parsed = z.object({ token: z.string().min(1) }).safeParse(body)
+
+  if (!parsed.success) {
+    return NextResponse.json(
+      { success: false, error: 'Invalid token' },
+      { status: 400 },
+    )
+  }
+
+  const formData = new FormData()
+  formData.append('secret', secretKey)
+  formData.append('response', parsed.data.token)
+
+  const ip =
+    request.headers.get('CF-Connecting-IP') ??
+    request.headers.get('X-Forwarded-For') ??
+    ''
+  if (ip) {
+    formData.append('remoteip', ip)
+  }
+
+  const result = await fetch(TURNSTILE_VERIFY_URL, {
+    method: 'POST',
+    body: formData,
+  })
+  const outcome = (await result.json()) as {
+    success: boolean
+    'error-codes'?: string[]
+  }
+
+  if (!outcome.success) {
+    logger.warn(
+      { errorCodes: outcome['error-codes'] },
+      'Turnstile verification failed',
+    )
+    return NextResponse.json(
+      { success: false, error: 'Verification failed' },
+      { status: 403 },
+    )
+  }
+
+  const timestamp = Date.now().toString()
+  const signature = crypto
+    .createHmac('sha256', env.NEXTAUTH_SECRET)
+    .update(timestamp)
+    .digest('hex')
+
+  const response = NextResponse.json({ success: true })
+  response.cookies.set('turnstile_verified', `${timestamp}.${signature}`, {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    maxAge: 300,
+    path: '/',
+  })
+
+  return response
+}
diff --git a/web/src/components/login/login-card.tsx b/web/src/components/login/login-card.tsx
index e4d01d5947..95d21bd8ae 100644
--- a/web/src/components/login/login-card.tsx
+++ b/web/src/components/login/login-card.tsx
@@ -2,11 +2,13 @@
 
 import { useSearchParams } from 'next/navigation'
 import { useSession, signIn } from 'next-auth/react'
-import { Suspense } from 'react'
+import { Suspense, useCallback, useRef, useState } from 'react'
 
 import { SignInCardFooter } from '@/components/sign-in/sign-in-card-footer'
+import { TurnstileWidget } from '@/components/turnstile-widget'
 import { Avatar, AvatarImage, AvatarFallback } from '@/components/ui/avatar'
 import { Button } from '@/components/ui/button'
+import { toast } from '@/components/ui/use-toast'
 import {
   Card,
   CardHeader,
@@ -16,9 +18,55 @@ import {
   CardFooter,
 } from '@/components/ui/card'
 
+const TURNSTILE_SITE_KEY = process.env.NEXT_PUBLIC_TURNSTILE_SITE_KEY
+
 export function LoginCard({ authCode }: { authCode?: string | null }) {
   const { data: session } = useSession()
   const searchParams = useSearchParams() ?? new URLSearchParams()
+  const [turnstileVerified, setTurnstileVerified] = useState(
+    !TURNSTILE_SITE_KEY,
+  )
+  const turnstileErrorShownRef = useRef(false)
+
+  const handleTurnstileVerify = useCallback(async (token: string) => {
+    try {
+      const response = await fetch('/api/auth/verify-turnstile', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ token }),
+      })
+      const result = await response.json()
+      if (result.success) {
+        setTurnstileVerified(true)
+        turnstileErrorShownRef.current = false
+      } else {
+        toast({
+          title: 'Verification failed',
+          description: 'Please refresh the page and try again.',
+        })
+      }
+    } catch {
+      toast({
+        title: 'Verification failed',
+        description: 'Please refresh the page and try again.',
+      })
+    }
+  }, [])
+
+  const handleTurnstileError = useCallback((errorCode: string) => {
+    console.error('Turnstile error:', errorCode)
+    if (!turnstileErrorShownRef.current) {
+      turnstileErrorShownRef.current = true
+      toast({
+        title: 'Verification error',
+        description: 'Please refresh the page and try again.',
+      })
+    }
+  }, [])
+
+  const handleTurnstileExpired = useCallback(() => {
+    setTurnstileVerified(false)
+  }, [])
 
   const handleContinueAsUser = () => {
     const referralCode = searchParams.get('referral_code')
@@ -107,7 +155,19 @@ export function LoginCard({ authCode }: { authCode?: string | null }) {
                 </CardFooter>
               </>
             ) : (
-              <SignInCardFooter />
+              <>
+                {TURNSTILE_SITE_KEY && (
+                  <CardContent className="flex justify-center">
+                    <TurnstileWidget
+                      siteKey={TURNSTILE_SITE_KEY}
+                      onVerify={handleTurnstileVerify}
+                      onError={handleTurnstileError}
+                      onExpired={handleTurnstileExpired}
+                    />
+                  </CardContent>
+                )}
+                <SignInCardFooter disabled={!turnstileVerified} />
+              </>
             )}
           </Card>
         </Suspense>
diff --git a/web/src/components/sign-in/sign-in-button.tsx b/web/src/components/sign-in/sign-in-button.tsx
index 7aa46922c7..7d0a313501 100644
--- a/web/src/components/sign-in/sign-in-button.tsx
+++ b/web/src/components/sign-in/sign-in-button.tsx
@@ -18,10 +18,12 @@ export const SignInButton = ({
   providerName,
   providerDomain,
   onClick, // Additional handler for analytics/tracking
+  disabled,
 }: {
   providerName: OAuthProviderType
   providerDomain: string
   onClick?: () => void
+  disabled?: boolean
 }) => {
   const [isPending, startTransition] = useTransition()
   const pathname = usePathname()
@@ -123,7 +125,7 @@ export const SignInButton = ({
   return (
     <Button
       onClick={handleSignIn}
-      disabled={isPending}
+      disabled={isPending || disabled}
       className="flex items-center gap-2"
     >
       {isPending && <Icons.loader className="mr-2 size-4 animate-spin" />}
diff --git a/web/src/components/sign-in/sign-in-card-footer.tsx b/web/src/components/sign-in/sign-in-card-footer.tsx
index 635cd6ec2d..6026eb0a1e 100644
--- a/web/src/components/sign-in/sign-in-card-footer.tsx
+++ b/web/src/components/sign-in/sign-in-card-footer.tsx
@@ -1,10 +1,14 @@
 import { SignInButton } from './sign-in-button'
 import { CardFooter } from '../ui/card'
 
-export const SignInCardFooter = () => {
+export const SignInCardFooter = ({ disabled }: { disabled?: boolean }) => {
   return (
     <CardFooter className="flex flex-col space-y-2">
-      <SignInButton providerDomain="github.com" providerName="github" />
+      <SignInButton
+        providerDomain="github.com"
+        providerName="github"
+        disabled={disabled}
+      />
       {/* <SignInButton
                 providerDomain="google.com"
                 providerName="google"
diff --git a/web/src/components/turnstile-widget.tsx b/web/src/components/turnstile-widget.tsx
new file mode 100644
index 0000000000..0971a4e3ee
--- /dev/null
+++ b/web/src/components/turnstile-widget.tsx
@@ -0,0 +1,63 @@
+'use client'
+
+import Script from 'next/script'
+import { useEffect, useRef, useState } from 'react'
+
+export function TurnstileWidget({
+  siteKey,
+  onVerify,
+  onError,
+  onExpired,
+}: {
+  siteKey: string
+  onVerify: (token: string) => void
+  onError: (errorCode: string) => void
+  onExpired: () => void
+}) {
+  const containerRef = useRef<HTMLDivElement>(null)
+  const widgetIdRef = useRef<string | undefined>(undefined)
+  const onVerifyRef = useRef(onVerify)
+  const onErrorRef = useRef(onError)
+  const onExpiredRef = useRef(onExpired)
+  onVerifyRef.current = onVerify
+  onErrorRef.current = onError
+  onExpiredRef.current = onExpired
+
+  const [scriptLoaded, setScriptLoaded] = useState(false)
+
+  useEffect(() => {
+    if (
+      !scriptLoaded ||
+      !containerRef.current ||
+      !window.turnstile ||
+      widgetIdRef.current !== undefined
+    ) {
+      return
+    }
+
+    widgetIdRef.current = window.turnstile.render(containerRef.current, {
+      sitekey: siteKey,
+      callback: (token: string) => onVerifyRef.current(token),
+      'error-callback': (errorCode: string) => onErrorRef.current(errorCode),
+      'expired-callback': () => onExpiredRef.current(),
+    })
+
+    return () => {
+      if (widgetIdRef.current !== undefined && window.turnstile) {
+        window.turnstile.remove(widgetIdRef.current)
+        widgetIdRef.current = undefined
+      }
+    }
+  }, [scriptLoaded, siteKey])
+
+  return (
+    <>
+      <link rel="preconnect" href="https://challenges.cloudflare.com" />
+      <Script
+        src="https://challenges.cloudflare.com/turnstile/v0/api.js?render=explicit"
+        onLoad={() => setScriptLoaded(true)}
+      />
+      <div ref={containerRef} />
+    </>
+  )
+}
diff --git a/web/src/middleware.ts b/web/src/middleware.ts
new file mode 100644
index 0000000000..66f726c4f7
--- /dev/null
+++ b/web/src/middleware.ts
@@ -0,0 +1,67 @@
+import { NextResponse } from 'next/server'
+
+import type { NextRequest } from 'next/server'
+
+const COOKIE_MAX_AGE_MS = 5 * 60 * 1000 // 5 minutes
+
+async function verifyHmac(
+  timestamp: string,
+  signature: string,
+  secret: string,
+): Promise<boolean> {
+  const encoder = new TextEncoder()
+  const key = await crypto.subtle.importKey(
+    'raw',
+    encoder.encode(secret),
+    { name: 'HMAC', hash: 'SHA-256' },
+    false,
+    ['sign'],
+  )
+  const signed = await crypto.subtle.sign('HMAC', key, encoder.encode(timestamp))
+  const expected = Array.from(new Uint8Array(signed))
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('')
+  return expected === signature
+}
+
+export async function middleware(request: NextRequest) {
+  const turnstileSecret = process.env.TURNSTILE_SECRET_KEY
+  const nextauthSecret = process.env.NEXTAUTH_SECRET
+
+  if (!turnstileSecret || !nextauthSecret) {
+    return NextResponse.next()
+  }
+
+  const cookie = request.cookies.get('turnstile_verified')?.value
+  if (!cookie) {
+    const loginUrl = new URL('/login', request.url)
+    request.nextUrl.searchParams.forEach((value, key) => {
+      loginUrl.searchParams.set(key, value)
+    })
+    return NextResponse.redirect(loginUrl)
+  }
+
+  const [timestamp, signature] = cookie.split('.')
+  if (!timestamp || !signature) {
+    const loginUrl = new URL('/login', request.url)
+    return NextResponse.redirect(loginUrl)
+  }
+
+  const age = Date.now() - parseInt(timestamp, 10)
+  if (isNaN(age) || age > COOKIE_MAX_AGE_MS) {
+    const loginUrl = new URL('/login', request.url)
+    return NextResponse.redirect(loginUrl)
+  }
+
+  const valid = await verifyHmac(timestamp, signature, nextauthSecret)
+  if (!valid) {
+    const loginUrl = new URL('/login', request.url)
+    return NextResponse.redirect(loginUrl)
+  }
+
+  return NextResponse.next()
+}
+
+export const config = {
+  matcher: ['/api/auth/signin/:path*'],
+}
diff --git a/web/src/types/turnstile.d.ts b/web/src/types/turnstile.d.ts
new file mode 100644
index 0000000000..5351e371a2
--- /dev/null
+++ b/web/src/types/turnstile.d.ts
@@ -0,0 +1,25 @@
+interface TurnstileRenderOptions {
+  sitekey: string
+  callback: (token: string) => void
+  'error-callback'?: (errorCode: string) => void
+  'expired-callback'?: () => void
+  theme?: 'light' | 'dark' | 'auto'
+  size?: 'normal' | 'flexible' | 'compact'
+  action?: string
+  execution?: 'render' | 'execute'
+  appearance?: 'always' | 'execute' | 'interaction-only'
+}
+
+interface TurnstileInstance {
+  render: (container: HTMLElement | string, options: TurnstileRenderOptions) => string
+  reset: (widgetId: string) => void
+  remove: (widgetId: string) => void
+  getResponse: (widgetId: string) => string | undefined
+  isExpired: (widgetId: string) => boolean
+  ready: (callback: () => void) => void
+  execute: (container: HTMLElement | string) => void
+}
+
+interface Window {
+  turnstile?: TurnstileInstance
+}

From 2684e8472f5d34b609483d7c69670bc9799805b7 Mon Sep 17 00:00:00 2001
From: James Grugett <jahooma@gmail.com>
Date: Tue, 24 Mar 2026 18:06:25 -0700
Subject: [PATCH 2/5] freebuff: use thinker-gpt to plan response

---
 agents/base2/base2.ts | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/agents/base2/base2.ts b/agents/base2/base2.ts
index 42c79b98c6..11f7bf3601 100644
--- a/agents/base2/base2.ts
+++ b/agents/base2/base2.ts
@@ -141,7 +141,9 @@ Use the spawn_agents tool to spawn specialized agents to help you complete the u
 - **Sequence agents properly:** Keep in mind dependencies when spawning different agents. Don't spawn agents in parallel that depend on each other.
   ${buildArray(
         '- Spawn context-gathering agents (file pickers and web/docs researchers) before making edits. Use the code_search, list_directory, and glob tools directly for searching and exploring the codebase.',
-        isFree && 'Do not spawn the thinker-gpt agent, unless the user asks. Not everyone has connected their ChatGPT subscription to Codebuff to allow for it.',
+        // isFree && 'Important: Do not spawn the thinker-gpt agent, unless the user asks. Not everyone has connected their ChatGPT subscription to Codebuff to allow for it.',
+        isFree &&
+        '- You must spawn the thinker-gpt agent to plan your response, except for extremely simple requests that are obvious.',
         isDefault &&
         '- Spawn the editor agent to implement the changes after you have gathered all the context you need.',
         (isDefault || isMax) &&
@@ -149,8 +151,6 @@ Use the spawn_agents tool to spawn specialized agents to help you complete the u
         isMax &&
         `- IMPORTANT: You must spawn the editor-multi-prompt agent to implement the changes after you have gathered all the context you need. You must spawn this agent for non-trivial changes, since it writes much better code than you would with the str_replace or write_file tools. Don't spawn the editor in parallel with context-gathering agents.`,
         isFree &&
-        '- Implement code changes using the str_replace or write_file tools directly.',
-        isFree &&
         '- Spawn a code-reviewer-lite to review the changes after you have implemented the changes.',
         '- Spawn bashers sequentially if the second command depends on the the first.',
         isDefault &&
@@ -204,8 +204,10 @@ ${buildArray(
 [ You read a few other relevant files using the read_files tool ]${!noAskUser
         ? `\n\n[ You ask the user for important clarifications on their request or alternate implementation strategies using the ask_user tool ]`
         : ''
-      }
-${isDefault
+      }${isFree
+        ? `\n\n[ You spawn the thinker-gpt agent to plan your response ]`
+        : ''
+      }${isDefault
         ? `[ You implement the changes using the editor agent ]`
         : isFast || isFree
           ? '[ You implement the changes using the str_replace or write_file tools ]'
@@ -337,6 +339,8 @@ ${buildArray(
     '- IMPORTANT: You must spawn the editor agent to implement the changes after you have gathered all the context you need. This agent will do the best job of implementing the changes so you must spawn it for all non-trivial changes. Do not pass any prompt or params to the editor agent when spawning it. It will make its own best choices of what to do.',
     isMax &&
     `- IMPORTANT: You must spawn the editor-multi-prompt agent to implement non-trivial code changes, since it will generate the best code changes from multiple implementation proposals. This is the best way to make high quality code changes -- strongly prefer using this agent over the str_replace or write_file tools, unless the change is very straightforward and obvious. You should also prompt it to implement the full task rather than just a single step.`,
+    isFree &&
+    '- IMPORTANT: You must spawn the thinker-gpt agent to plan your response after you have gathered all the context you need. This agent will do the best job of thinking and planning your best response so you must spawn it for all non-trivial requests. Do not pass any prompt or params to the editor agent when spawning it. It will make its own best recommendations of what to do.',
     isFast &&
     '- Implement the changes using the str_replace or write_file tools. Implement all the changes in one go.',
     isFast &&
@@ -380,6 +384,8 @@ function buildImplementationStepPrompt({
     (isDefault || isMax) &&
     `You must spawn a ${isDefault ? 'code-reviewer' : 'code-reviewer-multi-prompt'} to review the changes after you have implemented the changes and in parallel with typechecking or testing.`,
     isFree &&
+    `You must spawn a thinker-gpt to plan your response after you have gathered all the relevant context.`,
+    isFree &&
     `You must spawn a code-reviewer-lite to review the changes after you have implemented the changes and in parallel with typechecking or testing.`,
     `After completing the user request, summarize your changes in a sentence${isFast ? '' : ' or a few short bullet points'}.${isSonnet ? " Don't create any summary markdown files or example documentation files, unless asked by the user." : ''}.`,
     !isFast &&

From 8713040797eddf4e8a691d73a57f8b06f0e2058a Mon Sep 17 00:00:00 2001
From: James Grugett <jahooma@gmail.com>
Date: Tue, 24 Mar 2026 22:39:11 -0700
Subject: [PATCH 3/5] Revert "freebuff: use thinker-gpt to plan response"

This reverts commit 2684e8472f5d34b609483d7c69670bc9799805b7.
---
 agents/base2/base2.ts | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/agents/base2/base2.ts b/agents/base2/base2.ts
index 11f7bf3601..42c79b98c6 100644
--- a/agents/base2/base2.ts
+++ b/agents/base2/base2.ts
@@ -141,9 +141,7 @@ Use the spawn_agents tool to spawn specialized agents to help you complete the u
 - **Sequence agents properly:** Keep in mind dependencies when spawning different agents. Don't spawn agents in parallel that depend on each other.
   ${buildArray(
         '- Spawn context-gathering agents (file pickers and web/docs researchers) before making edits. Use the code_search, list_directory, and glob tools directly for searching and exploring the codebase.',
-        // isFree && 'Important: Do not spawn the thinker-gpt agent, unless the user asks. Not everyone has connected their ChatGPT subscription to Codebuff to allow for it.',
-        isFree &&
-        '- You must spawn the thinker-gpt agent to plan your response, except for extremely simple requests that are obvious.',
+        isFree && 'Do not spawn the thinker-gpt agent, unless the user asks. Not everyone has connected their ChatGPT subscription to Codebuff to allow for it.',
         isDefault &&
         '- Spawn the editor agent to implement the changes after you have gathered all the context you need.',
         (isDefault || isMax) &&
@@ -151,6 +149,8 @@ Use the spawn_agents tool to spawn specialized agents to help you complete the u
         isMax &&
         `- IMPORTANT: You must spawn the editor-multi-prompt agent to implement the changes after you have gathered all the context you need. You must spawn this agent for non-trivial changes, since it writes much better code than you would with the str_replace or write_file tools. Don't spawn the editor in parallel with context-gathering agents.`,
         isFree &&
+        '- Implement code changes using the str_replace or write_file tools directly.',
+        isFree &&
         '- Spawn a code-reviewer-lite to review the changes after you have implemented the changes.',
         '- Spawn bashers sequentially if the second command depends on the the first.',
         isDefault &&
@@ -204,10 +204,8 @@ ${buildArray(
 [ You read a few other relevant files using the read_files tool ]${!noAskUser
         ? `\n\n[ You ask the user for important clarifications on their request or alternate implementation strategies using the ask_user tool ]`
         : ''
-      }${isFree
-        ? `\n\n[ You spawn the thinker-gpt agent to plan your response ]`
-        : ''
-      }${isDefault
+      }
+${isDefault
         ? `[ You implement the changes using the editor agent ]`
         : isFast || isFree
           ? '[ You implement the changes using the str_replace or write_file tools ]'
@@ -339,8 +337,6 @@ ${buildArray(
     '- IMPORTANT: You must spawn the editor agent to implement the changes after you have gathered all the context you need. This agent will do the best job of implementing the changes so you must spawn it for all non-trivial changes. Do not pass any prompt or params to the editor agent when spawning it. It will make its own best choices of what to do.',
     isMax &&
     `- IMPORTANT: You must spawn the editor-multi-prompt agent to implement non-trivial code changes, since it will generate the best code changes from multiple implementation proposals. This is the best way to make high quality code changes -- strongly prefer using this agent over the str_replace or write_file tools, unless the change is very straightforward and obvious. You should also prompt it to implement the full task rather than just a single step.`,
-    isFree &&
-    '- IMPORTANT: You must spawn the thinker-gpt agent to plan your response after you have gathered all the context you need. This agent will do the best job of thinking and planning your best response so you must spawn it for all non-trivial requests. Do not pass any prompt or params to the editor agent when spawning it. It will make its own best recommendations of what to do.',
     isFast &&
     '- Implement the changes using the str_replace or write_file tools. Implement all the changes in one go.',
     isFast &&
@@ -384,8 +380,6 @@ function buildImplementationStepPrompt({
     (isDefault || isMax) &&
     `You must spawn a ${isDefault ? 'code-reviewer' : 'code-reviewer-multi-prompt'} to review the changes after you have implemented the changes and in parallel with typechecking or testing.`,
     isFree &&
-    `You must spawn a thinker-gpt to plan your response after you have gathered all the relevant context.`,
-    isFree &&
     `You must spawn a code-reviewer-lite to review the changes after you have implemented the changes and in parallel with typechecking or testing.`,
     `After completing the user request, summarize your changes in a sentence${isFast ? '' : ' or a few short bullet points'}.${isSonnet ? " Don't create any summary markdown files or example documentation files, unless asked by the user." : ''}.`,
     !isFast &&

From 6262b2987ea312be16fb1f18f2d314c7515cd4a5 Mon Sep 17 00:00:00 2001
From: James Grugett <jahooma@gmail.com>
Date: Tue, 24 Mar 2026 23:31:16 -0700
Subject: [PATCH 4/5] Freebuff with editor gpt

---
 agents/base2/base2.ts       |   9 ++-
 agents/editor/editor-gpt.ts | 122 ++++++++++++++++++++++++++++++++++++
 2 files changed, 129 insertions(+), 2 deletions(-)
 create mode 100644 agents/editor/editor-gpt.ts

diff --git a/agents/base2/base2.ts b/agents/base2/base2.ts
index 42c79b98c6..2b06402721 100644
--- a/agents/base2/base2.ts
+++ b/agents/base2/base2.ts
@@ -84,6 +84,7 @@ export function createBase2(
       isMax && 'editor-multi-prompt',
       'tmux-cli',
       'browser-use',
+      isFree && 'editor-gpt',
       isFree && 'code-reviewer-lite',
       isDefault && 'code-reviewer',
       isMax && 'code-reviewer-multi-prompt',
@@ -149,7 +150,7 @@ Use the spawn_agents tool to spawn specialized agents to help you complete the u
         isMax &&
         `- IMPORTANT: You must spawn the editor-multi-prompt agent to implement the changes after you have gathered all the context you need. You must spawn this agent for non-trivial changes, since it writes much better code than you would with the str_replace or write_file tools. Don't spawn the editor in parallel with context-gathering agents.`,
         isFree &&
-        '- Implement code changes using the str_replace or write_file tools directly.',
+        '- Implement code changes using the editor-gpt agent after you have gathered all the context you need. You must spawn this agent for all non-trivial changes since it is much better at writing code than you.',
         isFree &&
         '- Spawn a code-reviewer-lite to review the changes after you have implemented the changes.',
         '- Spawn bashers sequentially if the second command depends on the the first.',
@@ -208,7 +209,7 @@ ${buildArray(
 ${isDefault
         ? `[ You implement the changes using the editor agent ]`
         : isFast || isFree
-          ? '[ You implement the changes using the str_replace or write_file tools ]'
+          ? '[ You implement the changes using the editor-gpt agent ]'
           : '[ You implement the changes using the editor-multi-prompt agent ]'
       }
 
@@ -333,6 +334,8 @@ ${buildArray(
     `- For any task requiring 3+ steps, use the write_todos tool to write out your step-by-step implementation plan. Include ALL of the applicable tasks in the list.${isFast ? '' : ' You should include a step to review the changes after you have implemented the changes.'}:${hasNoValidation ? '' : ' You should include at least one step to validate/test your changes: be specific about whether to typecheck, run tests, run lints, etc.'} You may be able to do reviewing and validation in parallel in the same step. Skip write_todos for simple tasks like quick edits or answering questions.`,
     (isDefault || isMax) &&
     `- For quick problems, briefly explain your reasoning to the user. If you need to think longer, write your thoughts within the <think> tags. Finally, for complex problems, spawn the thinker agent to help find the best solution. (gpt-5-agent is a last resort for complex problems)`,
+    isFree &&
+    '- IMPORTANT: You must spawn the editor-gpt agent to implement the changes after you have gathered all the context you need. This agent will do the best job of implementing the changes so you must spawn it for all non-trivial changes. Do not pass any prompt or params to the editor agent when spawning it. It will make its own best choices of what to do. For quick follow-ups or simple changes, you can use the str_replace or write_file tools directly to make the changes.',
     isDefault &&
     '- IMPORTANT: You must spawn the editor agent to implement the changes after you have gathered all the context you need. This agent will do the best job of implementing the changes so you must spawn it for all non-trivial changes. Do not pass any prompt or params to the editor agent when spawning it. It will make its own best choices of what to do.',
     isMax &&
@@ -375,6 +378,8 @@ function buildImplementationStepPrompt({
     isMax &&
     `Keep working until the user's request is completely satisfied${!hasNoValidation ? ' and validated' : ''}, or until you require more information from the user.`,
     'You must use the skill tool to load any potentially relevant skills.',
+    isFree &&
+    `You must spawn the editor-gpt agent to implement non-trivial code changes. For obvious or simple changes, you can use the str_replace or write_file tools directly to make the changes.`,
     isMax &&
     `You must spawn the 'editor-multi-prompt' agent to implement code changes rather than using the str_replace or write_file tools, since it will generate the best code changes.`,
     (isDefault || isMax) &&
diff --git a/agents/editor/editor-gpt.ts b/agents/editor/editor-gpt.ts
new file mode 100644
index 0000000000..9b6163ca4a
--- /dev/null
+++ b/agents/editor/editor-gpt.ts
@@ -0,0 +1,122 @@
+
+import { publisher } from '../constants'
+
+import type { AgentDefinition } from '../types/agent-definition'
+
+export const createCodeEditor = (options: {
+  model: 'gpt-5' | 'opus' | 'minimax'
+}): Omit<AgentDefinition, 'id'> => {
+  const { model } = options
+  return {
+    publisher,
+    model:
+      options.model === 'gpt-5'
+        ? 'openai/gpt-5.4'
+        : options.model === 'minimax'
+          ? 'minimax/minimax-m2.5'
+          : 'anthropic/claude-opus-4.6',
+    ...(options.model === 'opus' && {
+      providerOptions: {
+        only: ['amazon-bedrock'],
+      },
+    }),
+    displayName: 'Editor',
+    spawnerPrompt:
+      "Expert code editor that implements code changes based on the user's request. Do not specify an input prompt for this agent; it inherits the context of the entire conversation with the user. Make sure to gather as much context as possible and read any related files (be extremely comprehensive!) before spawning this agent as it cannot read files on its own.",
+    outputMode: 'structured_output',
+    toolNames: [
+      // 'read_files',
+      // 'read_subtree',
+      // 'skill',
+      // 'set_output',
+      // 'code_search',
+      // 'list_directory',
+      // 'glob',
+      'write_file',
+      'str_replace',
+      'patch_file'
+    ],
+    spawnableAgents: [
+      // 'file-picker',
+      // 'researcher-web',
+      // 'researcher-docs',
+      // 'basher',
+      // 'tmux-cli',
+      // 'browser-use',
+      // 'context-pruner',
+    ],
+    includeMessageHistory: true,
+    systemPrompt: `You are a code editor called upon solely to modify files without using other tools. After you finish, another agent will complete the overall task, including running the type checker, running tests, etc. Your job is only to do one pass on the file editing.`,
+    instructionsPrompt: `You are an expert code editor with deep understanding of software engineering principles. You were spawned to generate an implementation for the user's request. Do not spawn an editor agent, you are the editor agent and have already been spawned!
+    
+Your task is to write out ALL the code changes needed to complete the user's request in a single comprehensive response.
+
+Important: You DO NOT have access to tools other than patch_file, write_file, or str_replace file editing tools. You cannot read more files, search the codebase, use glob patterns, run terminal commands (e.g. running the type checker), or use any other tools. You must implement the changes with the context you have already gathered. The rest of the task will be finished by another agent.
+
+${model === 'opus'
+        ? `Before you start writing your implementation, you should use <think> tags to think about the best way to implement the changes.
+
+You can also use <think> tags interspersed between tool calls to think about the best way to implement the changes.
+
+<example>
+
+<think>
+[ Long think about the best way to implement the changes ]
+</think>
+
+[ First tool call to implement the feature ]
+
+[ Second tool call to implement the feature ]
+
+<think>
+[ Thoughts about a tricky part of the implementation ]
+</think>
+
+[ Third tool call to implement the feature ]
+
+...
+
+[ Last tool call to implement the feature ]
+</example>` : ''}
+
+Your implementation should:
+- Be complete and comprehensive
+- Include all necessary changes to fulfill the user's request
+- Follow the project's conventions and patterns
+- Be as simple and maintainable as possible
+- Reuse existing code wherever possible
+- Be well-structured and organized
+
+More style notes:
+- Try/catch blocks clutter the code -- use them sparingly.
+- Optional arguments are code smell -- better to use required arguments.
+- New components often should be added to a new file, not added to an existing file.
+
+Write out your complete implementation now. Your job is only to make these specific changes and not to do anything else (e.g. do not use terminal commands, do not review the code, do not write any final summary). You must stop abruptly as soon as you have made the last edit.`,
+
+    handleSteps: function* ({ agentState: initialAgentState, logger }) {
+      const initialMessageHistoryLength =
+        initialAgentState.messageHistory.length
+      const { agentState } = yield 'STEP_ALL'
+      const { messageHistory } = agentState
+
+      const newMessages = messageHistory.slice(initialMessageHistoryLength)
+
+      yield {
+        toolName: 'set_output',
+        input: {
+          output: {
+            messages: newMessages,
+          },
+        },
+        includeToolCall: false,
+      }
+    },
+  } satisfies Omit<AgentDefinition, 'id'>
+}
+
+const definition = {
+  ...createCodeEditor({ model: 'gpt-5' }),
+  id: 'editor-gpt',
+}
+export default definition

From b76c5375bacb6a99bdcf8d10a454ff85d5c84a7b Mon Sep 17 00:00:00 2001
From: James Grugett <jahooma@gmail.com>
Date: Wed, 25 Mar 2026 11:52:42 -0700
Subject: [PATCH 5/5] Also spawn a code-reviewer-gpt for comprehensive review

---
 agents/base2/base2.ts                | 12 ++++++------
 agents/reviewer/code-reviewer-gpt.ts |  1 +
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/agents/base2/base2.ts b/agents/base2/base2.ts
index 2b06402721..2c6c8d9a11 100644
--- a/agents/base2/base2.ts
+++ b/agents/base2/base2.ts
@@ -85,7 +85,7 @@ export function createBase2(
       'tmux-cli',
       'browser-use',
       isFree && 'editor-gpt',
-      isFree && 'code-reviewer-lite',
+      isFree && 'code-reviewer-gpt',
       isDefault && 'code-reviewer',
       isMax && 'code-reviewer-multi-prompt',
       'thinker-gpt',
@@ -152,7 +152,7 @@ Use the spawn_agents tool to spawn specialized agents to help you complete the u
         isFree &&
         '- Implement code changes using the editor-gpt agent after you have gathered all the context you need. You must spawn this agent for all non-trivial changes since it is much better at writing code than you.',
         isFree &&
-        '- Spawn a code-reviewer-lite to review the changes after you have implemented the changes.',
+        '- Spawn a code-reviewer-gpt to review the changes after you have implemented the changes.',
         '- Spawn bashers sequentially if the second command depends on the the first.',
         isDefault &&
         '- Spawn a code-reviewer to review the changes after you have implemented the changes.',
@@ -216,7 +216,7 @@ ${isDefault
 ${isDefault
         ? `[ You spawn a code-reviewer, a basher to typecheck the changes, and another basher to run tests, all in parallel ]`
         : isFree
-          ? `[ You spawn a code-reviewer-lite to review the changes, and a basher to typecheck the changes, and another basher to run tests, all in parallel ]`
+          ? `[ You spawn a code-reviewer-gpt to review the changes, and a basher to typecheck the changes, and another basher to run tests, all in parallel ]`
           : isMax
             ? `[  You spawn a basher to typecheck the changes, and another basher to run tests, in parallel. Then, you spawn a code-reviewer-multi-prompt to review the changes. ]`
             : '[ You spawn a basher to typecheck the changes and another basher to run tests, all in parallel ]'
@@ -225,7 +225,7 @@ ${isDefault
 ${isDefault
         ? `[ You fix the issues found by the code-reviewer and type/test errors ]`
         : isFree
-          ? `[ You fix the issues found by the code-reviewer-lite and type/test errors ]`
+          ? `[ You fix the issues found by the code-reviewer-gpt and type/test errors ]`
           : isMax
             ? `[ You fix the issues found by the code-reviewer-multi-prompt and type/test errors ]`
             : '[ You fix the issues found by the type/test errors and spawn more bashers to confirm ]'
@@ -349,7 +349,7 @@ ${buildArray(
     (isDefault || isMax) &&
     `- Spawn a ${isDefault ? 'code-reviewer' : 'code-reviewer-multi-prompt'} to review the changes after you have implemented changes. (Skip this step only if the change is extremely straightforward and obvious.)`,
     isFree &&
-    `- Spawn a code-reviewer-lite to review the changes after you have implemented changes. (Skip this step only if the change is extremely straightforward and obvious.)`,
+    `- Spawn a code-reviewer-gpt to review the changes after you have implemented changes. (Skip this step only if the change is extremely straightforward and obvious.)`,
     `- Inform the user that you have completed the task in one sentence or a few short bullet points.${isSonnet ? " Don't create any markdown summary files or example documentation files, unless asked by the user." : ''}`,
     !isFast &&
     !noAskUser &&
@@ -385,7 +385,7 @@ function buildImplementationStepPrompt({
     (isDefault || isMax) &&
     `You must spawn a ${isDefault ? 'code-reviewer' : 'code-reviewer-multi-prompt'} to review the changes after you have implemented the changes and in parallel with typechecking or testing.`,
     isFree &&
-    `You must spawn a code-reviewer-lite to review the changes after you have implemented the changes and in parallel with typechecking or testing.`,
+    `You must spawn a code-reviewer-gpt to review the changes after you have implemented the changes and in parallel with typechecking or testing.`,
     `After completing the user request, summarize your changes in a sentence${isFast ? '' : ' or a few short bullet points'}.${isSonnet ? " Don't create any summary markdown files or example documentation files, unless asked by the user." : ''}.`,
     !isFast &&
     !noAskUser &&
diff --git a/agents/reviewer/code-reviewer-gpt.ts b/agents/reviewer/code-reviewer-gpt.ts
index c5fdb08fcf..2949a98673 100644
--- a/agents/reviewer/code-reviewer-gpt.ts
+++ b/agents/reviewer/code-reviewer-gpt.ts
@@ -5,6 +5,7 @@ import { createReviewer } from './code-reviewer'
 const definition: SecretAgentDefinition = {
   id: 'code-reviewer-gpt',
   publisher,
+  inheritParentSystemPrompt: false,
   ...createReviewer('openai/gpt-5.4'),
 }