chore(release): sdk-typescript v0.1.3

Skip flaky permission control test

docs/developers/tools/_meta.ts

@@ -10,4 +10,5 @@ export default {
   'web-search': 'Web Search',
   memory: 'Memory',
   'mcp-server': 'MCP Servers',
+  sandbox: 'Sandboxing',
 };

docs/developers/tools/sandbox.md

@@ -0,0 +1,90 @@
+## Customizing the sandbox environment (Docker/Podman)
+
+### Currently, the project does not support the use of the BUILD_SANDBOX function after installation through the npm package
+
+1. To build a custom sandbox, you need to access the build scripts (scripts/build_sandbox.js) in the source code repository.
+2. These build scripts are not included in the packages released by npm.
+3. The code contains hard-coded path checks that explicitly reject build requests from non-source code environments.
+
+If you need extra tools inside the container (e.g., `git`, `python`, `rg`), create a custom Dockerfile, The specific operation is as follows
+
+#### 1、Clone qwen code project first, https://github.com/QwenLM/qwen-code.git
+
+#### 2、Make sure you perform the following operation in the source code repository directory
+
+```bash
+# 1. First, install the dependencies of the project
+npm install
+
+# 2. Build the Qwen Code project
+npm run build
+
+# 3. Verify that the dist directory has been generated
+ls -la packages/cli/dist/
+
+# 4. Create a global link in the CLI package directory
+cd packages/cli
+npm link
+
+# 5. Verification link (it should now point to the source code)
+which qwen
+# Expected output: /xxx/xxx/.nvm/versions/node/v24.11.1/bin/qwen
+# Or similar paths, but it should be a symbolic link
+
+# 6. For details of the symbolic link, you can see the specific source code path
+ls -la $(dirname $(which qwen))/../lib/node_modules/@qwen-code/qwen-code
+# It should show that this is a symbolic link pointing to your source code directory
+
+# 7.Test the version of qwen
+qwen -v
+# npm link will overwrite the global qwen. To avoid being unable to distinguish the same version number, you can uninstall the global CLI first
+```
+
+#### 3、Create your sandbox Dockerfile under the root directory of your own project
+
+- Path: `.qwen/sandbox.Dockerfile`
+
+- Official mirror image address:https://github.com/QwenLM/qwen-code/pkgs/container/qwen-code
+
+```bash
+# Based on the official Qwen sandbox image (It is recommended to explicitly specify the version)
+FROM ghcr.io/qwenlm/qwen-code:sha-570ec43
+# Add your extra tools here
+RUN apt-get update && apt-get install -y \
+    git \
+    python3 \
+    ripgrep
+```
+
+#### 4、Create the first sandbox image under the root directory of your project
+
+```bash
+GEMINI_SANDBOX=docker BUILD_SANDBOX=1 qwen -s
+# Observe whether the sandbox version of the tool you launched is consistent with the version of your custom image. If they are consistent, the startup will be successful
+```
+
+This builds a project-specific image based on the default sandbox image.
+
+#### Remove npm link
+
+- If you want to restore the official CLI of qwen, please remove the npm link
+
+```bash
+# Method 1: Unlink globally
+npm unlink -g @qwen-code/qwen-code
+
+# Method 2: Remove it in the packages/cli directory
+cd packages/cli
+npm unlink
+
+# Verification has been lifted
+which qwen
+# It should display "qwen not found"
+
+# Reinstall the global version if necessary
+npm install -g @qwen-code/qwen-code
+
+# Verification Recovery
+which qwen
+qwen --version
+```

docs/users/configuration/settings.md

@@ -104,7 +104,7 @@ Settings are organized into categories. All settings should be placed within the
 | `model.name`                                       | string  | The Qwen model to use for conversations.                                                                                                                                                                                                                                                                                                                               | `undefined` |
 | `model.maxSessionTurns`                            | number  | Maximum number of user/model/tool turns to keep in a session. -1 means unlimited.                                                                                                                                                                                                                                                                                      | `-1`        |
 | `model.summarizeToolOutput`                        | object  | Enables or disables the summarization of tool output. You can specify the token budget for the summarization using the `tokenBudget` setting. Note: Currently only the `run_shell_command` tool is supported. For example `{"run_shell_command": {"tokenBudget": 2000}}`                                                                                               | `undefined` |
-| `model.generationConfig`                           | object  | Advanced overrides passed to the underlying content generator. Supports request controls such as `timeout`, `maxRetries`, and `disableCacheControl`, along with fine-tuning knobs under `samplingParams` (for example `temperature`, `top_p`, `max_tokens`). Leave unset to rely on provider defaults.                                                                 | `undefined` |
+| `model.generationConfig`                           | object  | Advanced overrides passed to the underlying content generator. Supports request controls such as `timeout`, `maxRetries`, `disableCacheControl`, and `customHeaders` (custom HTTP headers for API requests), along with fine-tuning knobs under `samplingParams` (for example `temperature`, `top_p`, `max_tokens`). Leave unset to rely on provider defaults.         | `undefined` |
 | `model.chatCompression.contextPercentageThreshold` | number  | Sets the threshold for chat history compression as a percentage of the model's total token limit. This is a value between 0 and 1 that applies to both automatic compression and the manual `/compress` command. For example, a value of `0.6` will trigger compression when the chat history exceeds 60% of the token limit. Use `0` to disable compression entirely. | `0.7`       |
 | `model.skipNextSpeakerCheck`                       | boolean | Skip the next speaker check.                                                                                                                                                                                                                                                                                                                                           | `false`     |
 | `model.skipLoopDetection`                          | boolean | Disables loop detection checks. Loop detection prevents infinite loops in AI responses but can generate false positives that interrupt legitimate workflows. Enable this option if you experience frequent false positive loop detection interruptions.                                                                                                                | `false`     |
@@ -114,12 +114,16 @@ Settings are organized into categories. All settings should be placed within the
 
 **Example model.generationConfig:**
 
-```
+```json
 {
   "model": {
     "generationConfig": {
       "timeout": 60000,
       "disableCacheControl": false,
+      "customHeaders": {
+        "X-Request-ID": "req-123",
+        "X-User-ID": "user-456"
+      },
       "samplingParams": {
         "temperature": 0.2,
         "top_p": 0.8,
@@ -130,6 +134,8 @@ Settings are organized into categories. All settings should be placed within the
 }
 ```
 
+The `customHeaders` field allows you to add custom HTTP headers to all API requests. This is useful for request tracing, monitoring, API gateway routing, or when different models require different headers. If `customHeaders` is defined in `modelProviders[].generationConfig.customHeaders`, it will be used directly; otherwise, headers from `model.generationConfig.customHeaders` will be used. No merging occurs between the two levels.
+
 **model.openAILoggingDir examples:**
 
 - `"~/qwen-logs"` - Logs to `~/qwen-logs` directory
@@ -154,6 +160,10 @@ Use `modelProviders` to declare curated model lists per auth type that the `/mod
         "generationConfig": {
           "timeout": 60000,
           "maxRetries": 3,
+          "customHeaders": {
+            "X-Model-Version": "v1.0",
+            "X-Request-Priority": "high"
+          },
           "samplingParams": { "temperature": 0.2 }
         }
       }
@@ -215,7 +225,7 @@ Per-field precedence for `generationConfig`:
 3. `settings.model.generationConfig`
 4. Content-generator defaults (`getDefaultGenerationConfig` for OpenAI, `getParameterValue` for Gemini, etc.)
 
-`samplingParams` is treated atomically; provider values replace the entire object. Defaults from the content generator apply last so each provider retains its tuned baseline.
+`samplingParams` and `customHeaders` are both treated atomically; provider values replace the entire object. If `modelProviders[].generationConfig` defines these fields, they are used directly; otherwise, values from `model.generationConfig` are used. No merging occurs between provider and global configuration levels. Defaults from the content generator apply last so each provider retains its tuned baseline.
 
 ##### Selection persistence and recommendations
 

docs/users/features/sandbox.md

@@ -166,15 +166,6 @@ export SANDBOX_SET_UID_GID=true   # Force host UID/GID
 export SANDBOX_SET_UID_GID=false  # Disable UID/GID mapping
 ```
 
-## Customizing the sandbox environment (Docker/Podman)
-
-If you need extra tools inside the container (e.g., `git`, `python`, `rg`), create a custom Dockerfile:
-
-- Path: `.qwen/sandbox.Dockerfile`
-- Then run with: `BUILD_SANDBOX=1 qwen -s ...`
-
-This builds a project-specific image based on the default sandbox image.
-
 ## Troubleshooting
 
 ### Common issues

docs/users/quickstart.md

@@ -159,7 +159,7 @@ Qwen Code will:
 
 ### Test out other common workflows
 
-There are a number of ways to work with Claude:
+There are a number of ways to work with Qwen Code:
 
 **Refactor code**
 

integration-tests/sdk-typescript/permission-control.test.ts

@@ -831,7 +831,7 @@ describe('Permission Control (E2E)', () => {
         TEST_TIMEOUT,
       );
 
-      it(
+      it.skip(
         'should execute dangerous commands without confirmation',
         async () => {
           const q = query({

package-lock.json

@@ -18588,7 +18588,7 @@
     },
     "packages/sdk-typescript": {
       "name": "@qwen-code/sdk",
-      "version": "0.1.2",
+      "version": "0.1.3",
       "license": "Apache-2.0",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.25.1",

packages/cli/src/ui/auth/useAuth.ts

@@ -83,12 +83,26 @@ export const useAuthCommand = (
     async (authType: AuthType, credentials?: OpenAICredentials) => {
       try {
         const authTypeScope = getPersistScopeForModelSelection(settings);
+
+        // Persist authType
         settings.setValue(
           authTypeScope,
           'security.auth.selectedType',
           authType,
         );
 
+        // Persist model from ContentGenerator config (handles fallback cases)
+        // This ensures that when syncAfterAuthRefresh falls back to default model,
+        // it gets persisted to settings.json
+        const contentGeneratorConfig = config.getContentGeneratorConfig();
+        if (contentGeneratorConfig?.model) {
+          settings.setValue(
+            authTypeScope,
+            'model.name',
+            contentGeneratorConfig.model,
+          );
+        }
+
         // Only update credentials if not switching to QWEN_OAUTH,
         // so that OpenAI credentials are preserved when switching to QWEN_OAUTH.
         if (authType !== AuthType.QWEN_OAUTH && credentials) {
@@ -106,9 +120,6 @@ export const useAuthCommand = (
               credentials.baseUrl,
             );
           }
-          if (credentials?.model != null) {
-            settings.setValue(authTypeScope, 'model.name', credentials.model);
-          }
         }
       } catch (error) {
         handleAuthFailure(error);

packages/cli/src/utils/errors.test.ts

@@ -117,8 +117,33 @@ describe('errors', () => {
       expect(getErrorMessage(undefined)).toBe('undefined');
     });
 
-    it('should handle objects', () => {
-      const obj = { message: 'test' };
+    it('should extract message from error-like objects', () => {
+      const obj = { message: 'test error message' };
+      expect(getErrorMessage(obj)).toBe('test error message');
+    });
+
+    it('should stringify plain objects without message property', () => {
+      const obj = { code: 500, details: 'internal error' };
+      expect(getErrorMessage(obj)).toBe(
+        '{"code":500,"details":"internal error"}',
+      );
+    });
+
+    it('should handle empty objects', () => {
+      expect(getErrorMessage({})).toBe('{}');
+    });
+
+    it('should handle objects with non-string message property', () => {
+      const obj = { message: 123 };
+      expect(getErrorMessage(obj)).toBe('{"message":123}');
+    });
+
+    it('should fallback to String() when toJSON returns undefined', () => {
+      const obj = {
+        toJSON() {
+          return undefined;
+        },
+      };
       expect(getErrorMessage(obj)).toBe('[object Object]');
     });
   });

packages/cli/src/utils/errors.ts

@@ -18,6 +18,29 @@ export function getErrorMessage(error: unknown): string {
   if (error instanceof Error) {
     return error.message;
   }
+
+  // Handle objects with message property (error-like objects)
+  if (
+    error !== null &&
+    typeof error === 'object' &&
+    'message' in error &&
+    typeof (error as { message: unknown }).message === 'string'
+  ) {
+    return (error as { message: string }).message;
+  }
+
+  // Handle plain objects by stringifying them
+  if (error !== null && typeof error === 'object') {
+    try {
+      const stringified = JSON.stringify(error);
+      // JSON.stringify can return undefined for objects with toJSON() returning undefined
+      return stringified ?? String(error);
+    } catch {
+      // If JSON.stringify fails (circular reference, etc.), fall back to String
+      return String(error);
+    }
+  }
+
   return String(error);
 }
 

packages/cli/src/utils/modelConfigUtils.ts

@@ -10,6 +10,7 @@ import {
   type ContentGeneratorConfigSources,
   resolveModelConfig,
   type ModelConfigSourcesInput,
+  type ProviderModelConfig,
 } from '@qwen-code/qwen-code-core';
 import type { Settings } from '../config/settings.js';
 
@@ -81,6 +82,21 @@ export function resolveCliGenerationConfig(
 
   const authType = selectedAuthType;
 
+  // Find modelProvider from settings.modelProviders based on authType and model
+  let modelProvider: ProviderModelConfig | undefined;
+  if (authType && settings.modelProviders) {
+    const providers = settings.modelProviders[authType];
+    if (providers && Array.isArray(providers)) {
+      // Try to find by requested model (from CLI or settings)
+      const requestedModel = argv.model || settings.model?.name;
+      if (requestedModel) {
+        modelProvider = providers.find((p) => p.id === requestedModel) as
+          | ProviderModelConfig
+          | undefined;
+      }
+    }
+  }
+
   const configSources: ModelConfigSourcesInput = {
     authType,
     cli: {
@@ -96,6 +112,7 @@ export function resolveCliGenerationConfig(
         | Partial<ContentGeneratorConfig>
         | undefined,
     },
+    modelProvider,
     env,
   };
 
@@ -103,7 +120,7 @@ export function resolveCliGenerationConfig(
 
   // Log warnings if any
   for (const warning of resolved.warnings) {
-    console.warn(`[modelProviderUtils] ${warning}`);
+    console.warn(warning);
   }
 
   // Resolve OpenAI logging config (CLI-specific, not part of core resolver)

packages/cli/src/utils/sandbox.ts

@@ -360,10 +360,10 @@ export async function start_sandbox(
     //
     // note this can only be done with binary linked from gemini-cli repo
     if (process.env['BUILD_SANDBOX']) {
-      if (!gcPath.includes('gemini-cli/packages/')) {
+      if (!gcPath.includes('qwen-code/packages/')) {
         throw new FatalSandboxError(
-          'Cannot build sandbox using installed gemini binary; ' +
-            'run `npm link ./packages/cli` under gemini-cli repo to switch to linked binary.',
+          'Cannot build sandbox using installed Qwen Code binary; ' +
+            'run `npm link ./packages/cli` under QwenCode-cli repo to switch to linked binary.',
         );
       } else {
         console.error('building sandbox ...');

packages/core/src/core/anthropicContentGenerator/anthropicContentGenerator.test.ts

@@ -10,6 +10,7 @@ import type {
   GenerateContentParameters,
 } from '@google/genai';
 import { FinishReason, GenerateContentResponse } from '@google/genai';
+import type { ContentGeneratorConfig } from '../contentGenerator.js';
 
 // Mock the request tokenizer module BEFORE importing the class that uses it.
 const mockTokenizer = {
@@ -127,6 +128,32 @@ describe('AnthropicContentGenerator', () => {
     );
   });
 
+  it('merges customHeaders into defaultHeaders (does not replace defaults)', async () => {
+    const { AnthropicContentGenerator } = await importGenerator();
+    void new AnthropicContentGenerator(
+      {
+        model: 'claude-test',
+        apiKey: 'test-key',
+        baseUrl: 'https://example.invalid',
+        timeout: 10_000,
+        maxRetries: 2,
+        samplingParams: {},
+        schemaCompliance: 'auto',
+        reasoning: { effort: 'medium' },
+        customHeaders: {
+          'X-Custom': '1',
+        },
+      } as unknown as Record<string, unknown> as ContentGeneratorConfig,
+      mockConfig,
+    );
+
+    const headers = (anthropicState.constructorOptions?.['defaultHeaders'] ||
+      {}) as Record<string, string>;
+    expect(headers['User-Agent']).toContain('QwenCode/1.2.3');
+    expect(headers['anthropic-beta']).toContain('effort-2025-11-24');
+    expect(headers['X-Custom']).toBe('1');
+  });
+
   it('adds the effort beta header when reasoning.effort is set', async () => {
     const { AnthropicContentGenerator } = await importGenerator();
     void new AnthropicContentGenerator(

packages/core/src/core/anthropicContentGenerator/anthropicContentGenerator.ts

@@ -141,6 +141,7 @@ export class AnthropicContentGenerator implements ContentGenerator {
   private buildHeaders(): Record<string, string> {
     const version = this.cliConfig.getCliVersion() || 'unknown';
     const userAgent = `QwenCode/${version} (${process.platform}; ${process.arch})`;
+    const { customHeaders } = this.contentGeneratorConfig;
 
     const betas: string[] = [];
     const reasoning = this.contentGeneratorConfig.reasoning;
@@ -163,7 +164,7 @@ export class AnthropicContentGenerator implements ContentGenerator {
       headers['anthropic-beta'] = betas.join(',');
     }
 
-    return headers;
+    return customHeaders ? { ...headers, ...customHeaders } : headers;
   }
 
   private async buildRequest(

packages/core/src/core/contentGenerator.ts

@@ -91,6 +91,8 @@ export type ContentGeneratorConfig = {
   userAgent?: string;
   // Schema compliance mode for tool definitions
   schemaCompliance?: 'auto' | 'openapi_30';
+  // Custom HTTP headers to be sent with requests
+  customHeaders?: Record<string, string>;
 };
 
 // Keep the public ContentGeneratorConfigSources API, but reuse the generic

packages/core/src/core/geminiContentGenerator/geminiContentGenerator.test.ts

@@ -39,6 +39,41 @@ describe('GeminiContentGenerator', () => {
     mockGoogleGenAI = vi.mocked(GoogleGenAI).mock.results[0].value;
   });
 
+  it('should merge customHeaders into existing httpOptions.headers', async () => {
+    vi.mocked(GoogleGenAI).mockClear();
+
+    void new GeminiContentGenerator(
+      {
+        apiKey: 'test-api-key',
+        httpOptions: {
+          headers: {
+            'X-Base': 'base',
+            'X-Override': 'base',
+          },
+        },
+      },
+      {
+        customHeaders: {
+          'X-Custom': 'custom',
+          'X-Override': 'custom',
+        },
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      } as any,
+    );
+
+    expect(vi.mocked(GoogleGenAI)).toHaveBeenCalledTimes(1);
+    expect(vi.mocked(GoogleGenAI)).toHaveBeenCalledWith({
+      apiKey: 'test-api-key',
+      httpOptions: {
+        headers: {
+          'X-Base': 'base',
+          'X-Custom': 'custom',
+          'X-Override': 'custom',
+        },
+      },
+    });
+  });
+
   it('should call generateContent on the underlying model', async () => {
     const request = { model: 'gemini-1.5-flash', contents: [] };
     const expectedResponse = { responseId: 'test-id' };

packages/core/src/core/geminiContentGenerator/geminiContentGenerator.ts

@@ -35,7 +35,26 @@ export class GeminiContentGenerator implements ContentGenerator {
     },
     contentGeneratorConfig?: ContentGeneratorConfig,
   ) {
-    this.googleGenAI = new GoogleGenAI(options);
+    const customHeaders = contentGeneratorConfig?.customHeaders;
+    const finalOptions = customHeaders
+      ? (() => {
+          const baseHttpOptions = options.httpOptions;
+          const baseHeaders = baseHttpOptions?.headers ?? {};
+
+          return {
+            ...options,
+            httpOptions: {
+              ...(baseHttpOptions ?? {}),
+              headers: {
+                ...baseHeaders,
+                ...customHeaders,
+              },
+            },
+          };
+        })()
+      : options;
+
+    this.googleGenAI = new GoogleGenAI(finalOptions);
     this.contentGeneratorConfig = contentGeneratorConfig;
   }
 

packages/core/src/core/openaiContentGenerator/provider/dashscope.test.ts

@@ -142,6 +142,27 @@ describe('DashScopeOpenAICompatibleProvider', () => {
       });
     });
 
+    it('should merge custom headers with DashScope defaults', () => {
+      const providerWithCustomHeaders = new DashScopeOpenAICompatibleProvider(
+        {
+          ...mockContentGeneratorConfig,
+          customHeaders: {
+            'X-Custom': '1',
+            'X-DashScope-CacheControl': 'disable',
+          },
+        } as ContentGeneratorConfig,
+        mockCliConfig,
+      );
+
+      const headers = providerWithCustomHeaders.buildHeaders();
+
+      expect(headers['User-Agent']).toContain('QwenCode/1.0.0');
+      expect(headers['X-DashScope-UserAgent']).toContain('QwenCode/1.0.0');
+      expect(headers['X-DashScope-AuthType']).toBe(AuthType.QWEN_OAUTH);
+      expect(headers['X-Custom']).toBe('1');
+      expect(headers['X-DashScope-CacheControl']).toBe('disable');
+    });
+
     it('should handle unknown CLI version', () => {
       (
         mockCliConfig.getCliVersion as MockedFunction<

packages/core/src/core/openaiContentGenerator/provider/dashscope.ts

@@ -47,13 +47,17 @@ export class DashScopeOpenAICompatibleProvider
   buildHeaders(): Record<string, string | undefined> {
     const version = this.cliConfig.getCliVersion() || 'unknown';
     const userAgent = `QwenCode/${version} (${process.platform}; ${process.arch})`;
-    const { authType } = this.contentGeneratorConfig;
-    return {
+    const { authType, customHeaders } = this.contentGeneratorConfig;
+    const defaultHeaders = {
       'User-Agent': userAgent,
       'X-DashScope-CacheControl': 'enable',
       'X-DashScope-UserAgent': userAgent,
       'X-DashScope-AuthType': authType,
     };
+
+    return customHeaders
+      ? { ...defaultHeaders, ...customHeaders }
+      : defaultHeaders;
   }
 
   buildClient(): OpenAI {

packages/core/src/core/openaiContentGenerator/provider/default.test.ts

@@ -73,6 +73,26 @@ describe('DefaultOpenAICompatibleProvider', () => {
       });
     });
 
+    it('should merge customHeaders with defaults (and allow overrides)', () => {
+      const providerWithCustomHeaders = new DefaultOpenAICompatibleProvider(
+        {
+          ...mockContentGeneratorConfig,
+          customHeaders: {
+            'X-Custom': '1',
+            'User-Agent': 'custom-agent',
+          },
+        } as ContentGeneratorConfig,
+        mockCliConfig,
+      );
+
+      const headers = providerWithCustomHeaders.buildHeaders();
+
+      expect(headers).toEqual({
+        'User-Agent': 'custom-agent',
+        'X-Custom': '1',
+      });
+    });
+
     it('should handle unknown CLI version', () => {
       (
         mockCliConfig.getCliVersion as MockedFunction<

packages/core/src/core/openaiContentGenerator/provider/default.ts

@@ -25,9 +25,14 @@ export class DefaultOpenAICompatibleProvider
   buildHeaders(): Record<string, string | undefined> {
     const version = this.cliConfig.getCliVersion() || 'unknown';
     const userAgent = `QwenCode/${version} (${process.platform}; ${process.arch})`;
-    return {
+    const { customHeaders } = this.contentGeneratorConfig;
+    const defaultHeaders = {
       'User-Agent': userAgent,
     };
+
+    return customHeaders
+      ? { ...defaultHeaders, ...customHeaders }
+      : defaultHeaders;
   }
 
   buildClient(): OpenAI {

packages/core/src/models/constants.ts

@@ -25,6 +25,7 @@ export const MODEL_GENERATION_CONFIG_FIELDS = [
   'disableCacheControl',
   'schemaCompliance',
   'reasoning',
+  'customHeaders',
 ] as const satisfies ReadonlyArray<keyof ContentGeneratorConfig>;
 
 /**
@@ -105,15 +106,6 @@ export const QWEN_OAUTH_MODELS: ModelConfig[] = [
     description:
       'The latest Qwen Coder model from Alibaba Cloud ModelStudio (version: qwen3-coder-plus-2025-09-23)',
     capabilities: { vision: false },
-    generationConfig: {
-      samplingParams: {
-        temperature: 0.7,
-        top_p: 0.9,
-        max_tokens: 8192,
-      },
-      timeout: 60000,
-      maxRetries: 3,
-    },
   },
   {
     id: 'vision-model',
@@ -121,14 +113,5 @@ export const QWEN_OAUTH_MODELS: ModelConfig[] = [
     description:
       'The latest Qwen Vision model from Alibaba Cloud ModelStudio (version: qwen3-vl-plus-2025-09-23)',
     capabilities: { vision: true },
-    generationConfig: {
-      samplingParams: {
-        temperature: 0.7,
-        top_p: 0.9,
-        max_tokens: 8192,
-      },
-      timeout: 60000,
-      maxRetries: 3,
-    },
   },
 ];

packages/core/src/models/modelConfigResolver.test.ts

@@ -112,11 +112,9 @@ describe('modelConfigResolver', () => {
           modelProvider: {
             id: 'provider-model',
             name: 'Provider Model',
-            authType: AuthType.USE_OPENAI,
             envKey: 'MY_CUSTOM_KEY',
             baseUrl: 'https://provider.example.com',
             generationConfig: {},
-            capabilities: {},
           },
         });
 
@@ -249,13 +247,11 @@ describe('modelConfigResolver', () => {
           modelProvider: {
             id: 'model',
             name: 'Model',
-            authType: AuthType.USE_OPENAI,
             envKey: 'MY_KEY',
             baseUrl: 'https://api.example.com',
             generationConfig: {
               timeout: 60000,
             },
-            capabilities: {},
           },
         });
 

packages/core/src/models/modelConfigResolver.ts

@@ -41,7 +41,7 @@ import {
   QWEN_OAUTH_ALLOWED_MODELS,
   MODEL_GENERATION_CONFIG_FIELDS,
 } from './constants.js';
-import type { ResolvedModelConfig } from './types.js';
+import type { ModelConfig as ModelProviderConfig } from './types.js';
 export {
   validateModelConfig,
   type ModelConfigValidationResult,
@@ -86,8 +86,8 @@ export interface ModelConfigSourcesInput {
   /** Environment variables (injected for testability) */
   env: Record<string, string | undefined>;
 
-  /** Resolved model from ModelProviders (explicit selection, highest priority) */
-  modelProvider?: ResolvedModelConfig;
+  /** Model from ModelProviders (explicit selection, highest priority) */
+  modelProvider?: ModelProviderConfig;
 
   /** Proxy URL (computed from Config) */
   proxy?: string;
@@ -277,7 +277,7 @@ function resolveQwenOAuthConfig(
   input: ModelConfigSourcesInput,
   warnings: string[],
 ): ModelConfigResolutionResult {
-  const { cli, settings, proxy } = input;
+  const { cli, settings, proxy, modelProvider } = input;
   const sources: ConfigSources = {};
 
   // Qwen OAuth only allows specific models
@@ -311,10 +311,10 @@ function resolveQwenOAuthConfig(
     sources['proxy'] = computedSource('Config.getProxy()');
   }
 
-  // Resolve generation config from settings
+  // Resolve generation config from settings and modelProvider
   const generationConfig = resolveGenerationConfig(
     settings?.generationConfig,
-    undefined,
+    modelProvider?.generationConfig,
     AuthType.QWEN_OAUTH,
     resolvedModel,
     sources,
@@ -344,7 +344,7 @@ function resolveGenerationConfig(
   const result: Partial<ContentGeneratorConfig> = {};
 
   for (const field of MODEL_GENERATION_CONFIG_FIELDS) {
-    // ModelProvider config takes priority
+    // ModelProvider config takes priority over settings config
     if (authType && modelProviderConfig && field in modelProviderConfig) {
       // eslint-disable-next-line @typescript-eslint/no-explicit-any
       (result as any)[field] = modelProviderConfig[field];

packages/core/src/models/modelsConfig.test.ts

@@ -480,6 +480,91 @@ describe('ModelsConfig', () => {
     expect(gc.apiKeyEnvKey).toBeUndefined();
   });
 
+  it('should use default model for new authType when switching from different authType with env vars', () => {
+    // Simulate cold start with OPENAI env vars (OPENAI_MODEL and OPENAI_API_KEY)
+    // This sets the model in generationConfig but no authType is selected yet
+    const modelsConfig = new ModelsConfig({
+      generationConfig: {
+        model: 'gpt-4o', // From OPENAI_MODEL env var
+        apiKey: 'openai-key-from-env',
+      },
+    });
+
+    // User switches to qwen-oauth via AuthDialog
+    // refreshAuth calls syncAfterAuthRefresh with the current model (gpt-4o)
+    // which doesn't exist in qwen-oauth registry, so it should use default
+    modelsConfig.syncAfterAuthRefresh(AuthType.QWEN_OAUTH, 'gpt-4o');
+
+    const gc = currentGenerationConfig(modelsConfig);
+    // Should use default qwen-oauth model (coder-model), not the OPENAI model
+    expect(gc.model).toBe('coder-model');
+    expect(gc.apiKey).toBe('QWEN_OAUTH_DYNAMIC_TOKEN');
+    expect(gc.apiKeyEnvKey).toBeUndefined();
+  });
+
+  it('should clear manual credentials when switching from USE_OPENAI to QWEN_OAUTH', () => {
+    // User manually set credentials for OpenAI
+    const modelsConfig = new ModelsConfig({
+      initialAuthType: AuthType.USE_OPENAI,
+      generationConfig: {
+        model: 'gpt-4o',
+        apiKey: 'manual-openai-key',
+        baseUrl: 'https://manual.example.com/v1',
+      },
+    });
+
+    // Manually set credentials via updateCredentials
+    modelsConfig.updateCredentials({
+      apiKey: 'manual-openai-key',
+      baseUrl: 'https://manual.example.com/v1',
+      model: 'gpt-4o',
+    });
+
+    // User switches to qwen-oauth
+    // Since authType is not USE_OPENAI, manual credentials should be cleared
+    // and default qwen-oauth model should be applied
+    modelsConfig.syncAfterAuthRefresh(AuthType.QWEN_OAUTH, 'gpt-4o');
+
+    const gc = currentGenerationConfig(modelsConfig);
+    // Should use default qwen-oauth model, not preserve manual OpenAI credentials
+    expect(gc.model).toBe('coder-model');
+    expect(gc.apiKey).toBe('QWEN_OAUTH_DYNAMIC_TOKEN');
+    // baseUrl should be set to qwen-oauth default, not preserved from manual OpenAI config
+    expect(gc.baseUrl).toBe('DYNAMIC_QWEN_OAUTH_BASE_URL');
+    expect(gc.apiKeyEnvKey).toBeUndefined();
+  });
+
+  it('should preserve manual credentials when switching to USE_OPENAI', () => {
+    // User manually set credentials
+    const modelsConfig = new ModelsConfig({
+      initialAuthType: AuthType.USE_OPENAI,
+      generationConfig: {
+        model: 'gpt-4o',
+        apiKey: 'manual-openai-key',
+        baseUrl: 'https://manual.example.com/v1',
+        samplingParams: { temperature: 0.9 },
+      },
+    });
+
+    // Manually set credentials via updateCredentials
+    modelsConfig.updateCredentials({
+      apiKey: 'manual-openai-key',
+      baseUrl: 'https://manual.example.com/v1',
+      model: 'gpt-4o',
+    });
+
+    // User switches to USE_OPENAI (same or different model)
+    // Since authType is USE_OPENAI, manual credentials should be preserved
+    modelsConfig.syncAfterAuthRefresh(AuthType.USE_OPENAI, 'gpt-4o');
+
+    const gc = currentGenerationConfig(modelsConfig);
+    // Should preserve manual credentials
+    expect(gc.model).toBe('gpt-4o');
+    expect(gc.apiKey).toBe('manual-openai-key');
+    expect(gc.baseUrl).toBe('https://manual.example.com/v1');
+    expect(gc.samplingParams?.temperature).toBe(0.9); // Preserved from initial config
+  });
+
   it('should maintain consistency between currentModelId and _generationConfig.model after initialization', () => {
     const modelProvidersConfig: ModelProvidersConfig = {
       openai: [

packages/core/src/models/modelsConfig.ts

@@ -600,7 +600,7 @@ export class ModelsConfig {
 
     // If credentials were manually set, don't apply modelProvider defaults
     // Just update the authType and preserve the manually set credentials
-    if (preserveManualCredentials) {
+    if (preserveManualCredentials && authType === AuthType.USE_OPENAI) {
       this.strictModelProviderSelection = false;
       this.currentAuthType = authType;
       if (modelId) {
@@ -621,7 +621,17 @@ export class ModelsConfig {
         this.applyResolvedModelDefaults(resolved);
       }
     } else {
+      // If the provided modelId doesn't exist in the registry for the new authType,
+      // use the default model for that authType instead of keeping the old model.
+      // This handles the case where switching from one authType (e.g., OPENAI with
+      // env vars) to another (e.g., qwen-oauth) - we should use the default model
+      // for the new authType, not the old model.
       this.currentAuthType = authType;
+      const defaultModel =
+        this.modelRegistry.getDefaultModelForAuthType(authType);
+      if (defaultModel) {
+        this.applyResolvedModelDefaults(defaultModel);
+      }
     }
   }
 

packages/core/src/models/types.ts

@@ -31,6 +31,7 @@ export type ModelGenerationConfig = Pick<
   | 'disableCacheControl'
   | 'schemaCompliance'
   | 'reasoning'
+  | 'customHeaders'
 >;
 
 /**

packages/core/src/qwen/qwenOAuth2.ts

@@ -559,6 +559,109 @@ export async function getQwenOAuthClient(
   }
 }
 
+/**
+ * Displays a formatted box with OAuth device authorization URL.
+ * Uses process.stderr.write() to bypass ConsolePatcher and ensure the auth URL
+ * is always visible to users, especially in non-interactive mode.
+ * Using stderr prevents corruption of structured JSON output (which goes to stdout)
+ * and follows the standard Unix convention of user-facing messages to stderr.
+ */
+function showFallbackMessage(verificationUriComplete: string): void {
+  const title = 'Qwen OAuth Device Authorization';
+  const url = verificationUriComplete;
+  const minWidth = 70;
+  const maxWidth = 80;
+  const boxWidth = Math.min(Math.max(title.length + 4, minWidth), maxWidth);
+
+  // Calculate the width needed for the box (account for padding)
+  const contentWidth = boxWidth - 4; // Subtract 2 spaces and 2 border chars
+
+  // Helper to wrap text to fit within box width
+  const wrapText = (text: string, width: number): string[] => {
+    // For URLs, break at any character if too long
+    if (text.startsWith('http://') || text.startsWith('https://')) {
+      const lines: string[] = [];
+      for (let i = 0; i < text.length; i += width) {
+        lines.push(text.substring(i, i + width));
+      }
+      return lines;
+    }
+
+    // For regular text, break at word boundaries
+    const words = text.split(' ');
+    const lines: string[] = [];
+    let currentLine = '';
+
+    for (const word of words) {
+      if (currentLine.length + word.length + 1 <= width) {
+        currentLine += (currentLine ? ' ' : '') + word;
+      } else {
+        if (currentLine) {
+          lines.push(currentLine);
+        }
+        currentLine = word.length > width ? word.substring(0, width) : word;
+      }
+    }
+    if (currentLine) {
+      lines.push(currentLine);
+    }
+    return lines;
+  };
+
+  // Build the box borders with title centered in top border
+  // Format: +--- Title ---+
+  const titleWithSpaces = ' ' + title + ' ';
+  const totalDashes = boxWidth - 2 - titleWithSpaces.length; // Subtract corners and title
+  const leftDashes = Math.floor(totalDashes / 2);
+  const rightDashes = totalDashes - leftDashes;
+  const topBorder =
+    '+' +
+    '-'.repeat(leftDashes) +
+    titleWithSpaces +
+    '-'.repeat(rightDashes) +
+    '+';
+  const emptyLine = '|' + ' '.repeat(boxWidth - 2) + '|';
+  const bottomBorder = '+' + '-'.repeat(boxWidth - 2) + '+';
+
+  // Build content lines
+  const instructionLines = wrapText(
+    'Please visit the following URL in your browser to authorize:',
+    contentWidth,
+  );
+  const urlLines = wrapText(url, contentWidth);
+  const waitingLine = 'Waiting for authorization to complete...';
+
+  // Write the box
+  process.stderr.write('\n' + topBorder + '\n');
+  process.stderr.write(emptyLine + '\n');
+
+  // Write instructions
+  for (const line of instructionLines) {
+    process.stderr.write(
+      '| ' + line + ' '.repeat(contentWidth - line.length) + ' |\n',
+    );
+  }
+
+  process.stderr.write(emptyLine + '\n');
+
+  // Write URL
+  for (const line of urlLines) {
+    process.stderr.write(
+      '| ' + line + ' '.repeat(contentWidth - line.length) + ' |\n',
+    );
+  }
+
+  process.stderr.write(emptyLine + '\n');
+
+  // Write waiting message
+  process.stderr.write(
+    '| ' + waitingLine + ' '.repeat(contentWidth - waitingLine.length) + ' |\n',
+  );
+
+  process.stderr.write(emptyLine + '\n');
+  process.stderr.write(bottomBorder + '\n\n');
+}
+
 async function authWithQwenDeviceFlow(
   client: QwenOAuth2Client,
   config: Config,
@@ -571,6 +674,50 @@ async function authWithQwenDeviceFlow(
   };
   qwenOAuth2Events.once(QwenOAuth2Event.AuthCancel, cancelHandler);
 
+  // Helper to check cancellation and return appropriate result
+  const checkCancellation = (): AuthResult | null => {
+    if (!isCancelled) {
+      return null;
+    }
+    const message = 'Authentication cancelled by user.';
+    console.debug('\n' + message);
+    qwenOAuth2Events.emit(QwenOAuth2Event.AuthProgress, 'error', message);
+    return { success: false, reason: 'cancelled', message };
+  };
+
+  // Helper to emit auth progress events
+  const emitAuthProgress = (
+    status: 'polling' | 'success' | 'error' | 'timeout' | 'rate_limit',
+    message: string,
+  ): void => {
+    qwenOAuth2Events.emit(QwenOAuth2Event.AuthProgress, status, message);
+  };
+
+  // Helper to handle browser launch with error handling
+  const launchBrowser = async (url: string): Promise<void> => {
+    try {
+      const childProcess = await open(url);
+
+      // IMPORTANT: Attach an error handler to the returned child process.
+      // Without this, if `open` fails to spawn a process (e.g., `xdg-open` is not found
+      // in a minimal Docker container), it will emit an unhandled 'error' event,
+      // causing the entire Node.js process to crash.
+      if (childProcess) {
+        childProcess.on('error', (err) => {
+          console.debug(
+            'Browser launch failed:',
+            err.message || 'Unknown error',
+          );
+        });
+      }
+    } catch (err) {
+      console.debug(
+        'Failed to open browser:',
+        err instanceof Error ? err.message : 'Unknown error',
+      );
+    }
+  };
+
   try {
     // Generate PKCE code verifier and challenge
     const { code_verifier, code_challenge } = generatePKCEPair();
@@ -593,56 +740,18 @@ async function authWithQwenDeviceFlow(
     // Emit device authorization event for UI integration immediately
     qwenOAuth2Events.emit(QwenOAuth2Event.AuthUri, deviceAuth);
 
-    const showFallbackMessage = () => {
-      console.log('\n=== Qwen OAuth Device Authorization ===');
-      console.log(
-        'Please visit the following URL in your browser to authorize:',
-      );
-      console.log(`\n${deviceAuth.verification_uri_complete}\n`);
-      console.log('Waiting for authorization to complete...\n');
-    };
-
     // Always show the fallback message in non-interactive environments to ensure
     // users can see the authorization URL even if browser launching is attempted.
     // This is critical for headless/remote environments where browser launching
     // may silently fail without throwing an error.
-    if (config.isBrowserLaunchSuppressed()) {
-      // Browser launch is suppressed, show fallback message
-      showFallbackMessage();
-    } else {
-      // Try to open the URL in browser, but always show the URL as fallback
-      // to handle cases where browser launch silently fails (e.g., headless servers)
-      showFallbackMessage();
-      try {
-        const childProcess = await open(deviceAuth.verification_uri_complete);
+    showFallbackMessage(deviceAuth.verification_uri_complete);
 
-        // IMPORTANT: Attach an error handler to the returned child process.
-        // Without this, if `open` fails to spawn a process (e.g., `xdg-open` is not found
-        // in a minimal Docker container), it will emit an unhandled 'error' event,
-        // causing the entire Node.js process to crash.
-        if (childProcess) {
-          childProcess.on('error', (err) => {
-            console.debug(
-              'Browser launch failed:',
-              err.message || 'Unknown error',
-            );
-          });
-        }
-      } catch (err) {
-        console.debug(
-          'Failed to open browser:',
-          err instanceof Error ? err.message : 'Unknown error',
-        );
-      }
+    // Try to open browser if not suppressed
+    if (!config.isBrowserLaunchSuppressed()) {
+      await launchBrowser(deviceAuth.verification_uri_complete);
     }
 
-    // Emit auth progress event
-    qwenOAuth2Events.emit(
-      QwenOAuth2Event.AuthProgress,
-      'polling',
-      'Waiting for authorization...',
-    );
-
+    emitAuthProgress('polling', 'Waiting for authorization...');
     console.debug('Waiting for authorization...\n');
 
     // Poll for the token
@@ -653,11 +762,9 @@ async function authWithQwenDeviceFlow(
 
     for (let attempt = 0; attempt < maxAttempts; attempt++) {
       // Check if authentication was cancelled
-      if (isCancelled) {
-        const message = 'Authentication cancelled by user.';
-        console.debug('\n' + message);
-        qwenOAuth2Events.emit(QwenOAuth2Event.AuthProgress, 'error', message);
-        return { success: false, reason: 'cancelled', message };
+      const cancellationResult = checkCancellation();
+      if (cancellationResult) {
+        return cancellationResult;
       }
 
       try {
@@ -700,9 +807,7 @@ async function authWithQwenDeviceFlow(
             // minimal stub; cache invalidation is best-effort and should not break auth.
           }
 
-          // Emit auth progress success event
-          qwenOAuth2Events.emit(
-            QwenOAuth2Event.AuthProgress,
+          emitAuthProgress(
             'success',
             'Authentication successful! Access token obtained.',
           );
@@ -725,9 +830,7 @@ async function authWithQwenDeviceFlow(
             pollInterval = 2000; // Reset to default interval
           }
 
-          // Emit polling progress event
-          qwenOAuth2Events.emit(
-            QwenOAuth2Event.AuthProgress,
+          emitAuthProgress(
             'polling',
             `Polling... (attempt ${attempt + 1}/${maxAttempts})`,
           );
@@ -757,15 +860,9 @@ async function authWithQwenDeviceFlow(
           });
 
           // Check for cancellation after waiting
-          if (isCancelled) {
-            const message = 'Authentication cancelled by user.';
-            console.debug('\n' + message);
-            qwenOAuth2Events.emit(
-              QwenOAuth2Event.AuthProgress,
-              'error',
-              message,
-            );
-            return { success: false, reason: 'cancelled', message };
+          const cancellationResult = checkCancellation();
+          if (cancellationResult) {
+            return cancellationResult;
           }
 
           continue;
@@ -793,15 +890,17 @@ async function authWithQwenDeviceFlow(
           message: string,
           eventType: 'error' | 'rate_limit' = 'error',
         ): AuthResult => {
-          qwenOAuth2Events.emit(
-            QwenOAuth2Event.AuthProgress,
-            eventType,
-            message,
-          );
+          emitAuthProgress(eventType, message);
           console.error('\n' + message);
           return { success: false, reason, message };
         };
 
+        // Check for cancellation first
+        const cancellationResult = checkCancellation();
+        if (cancellationResult) {
+          return cancellationResult;
+        }
+
         // Handle credential caching failures - stop polling immediately
         if (errorMessage.includes('Failed to cache credentials')) {
           return handleError('error', errorMessage);
@@ -825,26 +924,14 @@ async function authWithQwenDeviceFlow(
         }
 
         const message = `Error polling for token: ${errorMessage}`;
-        qwenOAuth2Events.emit(QwenOAuth2Event.AuthProgress, 'error', message);
-
-        if (isCancelled) {
-          const message = 'Authentication cancelled by user.';
-          return { success: false, reason: 'cancelled', message };
-        }
+        emitAuthProgress('error', message);
 
         await new Promise((resolve) => setTimeout(resolve, pollInterval));
       }
     }
 
     const timeoutMessage = 'Authorization timeout, please restart the process.';
-
-    // Emit timeout error event
-    qwenOAuth2Events.emit(
-      QwenOAuth2Event.AuthProgress,
-      'timeout',
-      timeoutMessage,
-    );
-
+    emitAuthProgress('timeout', timeoutMessage);
     console.error('\n' + timeoutMessage);
     return { success: false, reason: 'timeout', message: timeoutMessage };
   } catch (error: unknown) {
@@ -853,7 +940,7 @@ async function authWithQwenDeviceFlow(
     });
     const message = `Device authorization flow failed: ${fullErrorMessage}`;
 
-    qwenOAuth2Events.emit(QwenOAuth2Event.AuthProgress, 'error', message);
+    emitAuthProgress('error', message);
     console.error(message);
     return { success: false, reason: 'error', message };
   } finally {

packages/sdk-typescript/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@qwen-code/sdk",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "description": "TypeScript SDK for programmatic access to qwen-code CLI",
   "main": "./dist/index.cjs",
   "module": "./dist/index.mjs",

packages/sdk-typescript/src/utils/cliPath.ts

@@ -125,8 +125,9 @@ function normalizeForRegex(dirPath: string): string {
 function tryResolveCliFromImportMeta(): string | null {
   try {
     if (typeof import.meta !== 'undefined' && import.meta.url) {
-      const cliUrl = new URL('./cli/cli.js', import.meta.url);
-      const cliPath = fileURLToPath(cliUrl);
+      const currentFilePath = fileURLToPath(import.meta.url);
+      const currentDir = path.dirname(currentFilePath);
+      const cliPath = path.join(currentDir, 'cli', 'cli.js');
       if (fs.existsSync(cliPath)) {
         return cliPath;
       }