feat: integrate fork work onto upstream main (squashed)

Squash-merge of feat/autofix-pr-test (69 commits) onto upstream/main
with -X ours strategy (upstream as authoritative for content conflicts).

Key features brought in from fork:
- LocalMemoryRecall + VaultHttpFetch tools (end-to-end wired)
- /local-memory, /local-vault, /memory-stores, /skill-store interactive panels
- /agents-platform, /schedule, /vault command scaffolding
- /login: switch / replace / remove of workspace API key
- statusline refactor (built-in status row, /statusline as info command)
- autofix-pr command + workflow

Conflict resolutions (upstream-wins):
- 10 .js command stubs kept from upstream (alongside fork's .ts implementations)
- src/components/BuiltinStatusLine.tsx accepted upstream's deletion
  (fork's wire-up references in StatusLine.tsx will be cleaned up next)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

docs/jira/P2-AUTH-DIFF-2026-04-30.md

@@ -0,0 +1,85 @@
+# P2 Auth Diff Investigation — Why /v1/code/triggers works but agents/vaults/memory_stores 401
+
+**Date**: 2026-04-30
+**Source**: Reverse-engineering `C:\Users\12180\.local\bin\claude.exe` v2.1.123 (253MB Bun-compiled binary)
+**Investigator**: claude-code-bast-autofix-pr fork
+
+## Endpoint reality matrix in official binary
+
+| Endpoint | Has actual code? | URL builder | Method | beta header | Extra X- headers | Auth scheme |
+|---|---|---|---|---|---|---|
+| `/v1/code/triggers` | **YES** | `${BASE_API_URL}/v1/code/triggers` (template literal) | GET/POST | `ccr-triggers-2026-01-30` (`OS9`) | `x-organization-uuid` | `Authorization: Bearer <subscription token>` |
+| `/v1/agents` | **NO** | only in `managed-agents-onboarding.md` documentation strings | — | — | — | — |
+| `/v1/vaults` | **NO** | only in API reference markdown tables | — | — | — | — |
+| `/v1/memory_stores` | **NO** | only in API reference markdown tables | — | — | — | — |
+| `/v1/skills` | yes (different path) | `this._client.post("/v1/skills?beta=true", …)` via Anthropic SDK | GET/POST | `skills-2025-10-02` | none beyond SDK defaults | SDK auth (workspace API key) — **NOT subscription** |
+
+## Decisive evidence
+
+### 1. Only triggers + skills + sessions + ultrareview/preflight + mcp_servers + environment_providers are actually called
+
+```text
+$ grep "BASE_API_URL.{0,3}/v1/" claude.exe | sort -u
+BASE_API_URL}/v1/code/github/import-token
+BASE_API_URL}/v1/code/sessions
+BASE_API_URL}/v1/code/triggers
+BASE_API_URL}/v1/environment_providers
+BASE_API_URL}/v1/environment_providers/cloud/create
+BASE_API_URL}/v1/mcp_servers
+BASE_API_URL}/v1/session_ingress/session/
+BASE_API_URL}/v1/sessions
+BASE_API_URL}/v1/ultrareview/preflight
+```
+
+`agents`, `vaults`, `memory_stores` are **completely absent** from any call site. They only appear as text in documentation pages (`managed-agents-api-reference`, `managed-agents-overview`).
+
+### 2. Triggers actual request build (decompiled)
+
+```js
+let _ = `${f$().BASE_API_URL}/v1/code/triggers`,
+    A = {
+      Authorization: `Bearer ${$}`,
+      "Content-Type": "application/json",
+      "anthropic-version": "2023-06-01",
+      "anthropic-beta": OS9,                  // = "ccr-triggers-2026-01-30"
+      "x-organization-uuid": K
+    };
+```
+
+Beta is `ccr-triggers-2026-01-30`, **not** `managed-agents-2026-04-01`.
+
+### 3. Skills uses Anthropic SDK client (different auth surface)
+
+```js
+this._client.post("/v1/skills?beta=true", qNH({…, headers:[{"anthropic-beta":[...$??[], "skills-2025-10-02"]…}]
+```
+
+Mandatory `?beta=true` query. Auth comes from SDK `_client` (workspace API key path), not subscription OAuth bearer.
+
+### 4. Beta inventory (full sweep)
+
+35 dated beta tokens exist; relevant ones: `ccr-triggers-2026-01-30`, `skills-2025-10-02`, `managed-agents-2026-04-01` (only used in docs prose), `oidc-federation-2026-04-01`, `environments-2025-11-01`. **No** `vaults-*`, `memory-stores-*`, or `agents-2026-*` beta token exists.
+
+## Root cause of fork 401s
+
+`/v1/agents`, `/v1/vaults`, `/v1/memory_stores` are **not consumer endpoints** of the subscription bearer-token path. Anthropic's official CLI never calls them; they live behind the workspace/team API plane (workspace API key + different auth & scope). 401 with subscription bearer is the **expected** server response — no header tweak makes it 200.
+
+`/v1/skills` is callable but only via the SDK `_client` (workspace API key), and requires `?beta=true` query — fork's subscription-bearer + missing `?beta=true` is double-broken.
+
+## Fix recommendations
+
+| Fork API client | Action |
+|---|---|
+| `triggersApi.ts` | Already correct. Switch beta from `managed-agents-2026-04-01` → `ccr-triggers-2026-01-30`. |
+| `agentsApi.ts` | **Drop** the command. `/v1/agents` is workspace-API-key-only; subscription bearer is wrong auth plane. Mark `/agents-platform` as workspace-only or remove. |
+| `vaultsApi.ts` | **Drop**. Same reason. Recommend local file-based credential store instead. |
+| `memoryStoresApi.ts` | **Drop**. Same reason. Local memory files (`~/.claude/memory/`) already cover the use case. |
+| `skillsApi.ts` | Keep, but: (1) require `ANTHROPIC_API_KEY` (workspace key), not subscription bearer; (2) append `?beta=true` to every URL; (3) use `anthropic-beta: skills-2025-10-02`. |
+
+## Conclusion
+
+This is **not a header-config bug** in fork's `buildHeaders`. Three of the four endpoints (`agents`, `vaults`, `memory_stores`) are not reachable at all from a subscription OAuth token — Anthropic's official binary never calls them. The fork should:
+
+1. Fix triggers beta header value (`ccr-triggers-2026-01-30`).
+2. Disable or repurpose agents/vaults/memory_stores commands — they require workspace API keys, not subscription tokens.
+3. For skills, switch to workspace API key auth + `?beta=true` query + `skills-2025-10-02` beta.