Fall back to HF_TOKEN env var + SOTA-aware research prompt (#4)

- Show cancelled prompt in shimmer status bar instead of chat input placeholder (0736c2f5fbe31d6d14657123acf19b5914d11679)
- Fall back to HF_TOKEN env var for local dev sessions (e17cb5d298727ddac1ad8ab6027f32662b1de28d)
- Add SOTA-awareness to research sub-agent system prompt (b09abf1dcf615cd94a559427d6c7851fc3526bcb)
- Remove outdated-API flagging line from research prompt (66db756b7a5356afd7528be9c511f28b7a579866)
- Fix session title only updating on the very first user message (c80c38cbe724a8eafb88af39c65f418585f2edb3)

agent/tools/research_tool.py

@@ -46,12 +46,22 @@ Your job: explore documentation, code examples, APIs, and repos,
 then return a concise, actionable summary. The main agent will use
 your findings to implement the actual solution.
 
+# Being up to date is critical
+
+Always prioritize finding the most current, state-of-the-art approaches.
+ML moves fast — a method from 6 months ago may already be obsolete.
+
+- Search for **recent papers** (use `hf_papers`) to find SOTA methods, models, and datasets for the task
+- Compare what you find in docs/examples against what recent papers recommend — prefer the newer approach
+- When multiple approaches exist, identify which is SOTA and why (benchmark results, adoption, recency)
+- Include in your findings: what is the current best model, dataset, and method for the task
+
 # Research methodology
 
-1. **Discovery**: Find relevant entry points — example scripts, doc pages, API endpoints
+1. **Discovery**: Find relevant entry points — example scripts, doc pages, API endpoints, **and recent papers for SOTA approaches**
 2. **Tracing**: Follow the chain from entry point to implementation detail
-3. **Analysis**: Identify patterns, current API usage, key dependencies
-4. **Synthesis**: Summarize findings in a structured format
+3. **Analysis**: Identify patterns, current API usage, key dependencies. **Compare against SOTA from recent papers**
+4. **Synthesis**: Summarize findings in a structured format, highlighting what is current best practice vs. outdated
 
 # How to use your tools
 
@@ -101,11 +111,12 @@ hf_inspect_dataset({"dataset": "org/name", "split": "train", "sample_rows": 3})
 # Output format
 
 Your output MUST include:
+- **SOTA landscape**: Current best models, datasets, and methods for the task (from recent papers). Flag anything outdated.
 - **Key findings**: The most important things you discovered (current API usage, working patterns)
 - **Essential references**: Specific file paths, URLs, function names, doc sections, code snippets
   that the main agent should use directly
 - **Code patterns**: Key imports, configurations, and usage patterns from working examples
-- **Recommendations**: What to do next based on your findings
+- **Recommendations**: What to do next based on your findings, preferring SOTA approaches
 
 Be concise. Your output goes into another agent's context — every token counts.
 Aim for 500-1500 words max. Include actual code snippets from examples you read,

backend/routes/agent.py

@@ -7,6 +7,7 @@ dependency. In dev mode (no OAUTH_CLIENT_ID), auth is bypassed automatically.
 import asyncio
 import json
 import logging
+import os
 from typing import Any
 
 from dependencies import get_current_user
@@ -205,17 +206,14 @@ async def create_session(
 
     Returns 503 if the server or user has reached the session limit.
     """
-    # Extract the user's HF token (Bearer header or HttpOnly cookie)
-    # In dev mode, fall back to environment variable if no token in request
+    # Extract the user's HF token (Bearer header, HttpOnly cookie, or env var)
     hf_token = None
     auth_header = request.headers.get("Authorization", "")
     if auth_header.startswith("Bearer "):
         hf_token = auth_header[7:]
     if not hf_token:
         hf_token = request.cookies.get("hf_access_token")
-    if not hf_token and user["user_id"] == "dev":
-        # Dev mode: use HF_TOKEN from environment
-        import os
+    if not hf_token:
         hf_token = os.environ.get("HF_TOKEN")
 
     try:

frontend/src/components/Chat/ActivityStatusBar.tsx

@@ -32,6 +32,7 @@ function statusLabel(status: ActivityStatus): string {
       return base;
     }
     case 'waiting-approval': return 'Waiting for approval';
+    case 'cancelled': return 'What should the agent do instead?';
     default: return '';
   }
 }
@@ -59,7 +60,7 @@ export default function ActivityStatusBar() {
           animation: `${shimmer} 4s ease-in-out infinite`,
         }}
       >
-        {label}…
+        {label}{activityStatus.type !== 'cancelled' && '…'}
       </Typography>
     </Box>
   );

frontend/src/components/SessionChat.tsx

@@ -5,7 +5,7 @@
  * runs — processing events — but only the active session renders visible
  * UI (MessageList + ChatInput).
  */
-import { useCallback, useEffect, useState } from 'react';
+import { useCallback, useEffect } from 'react';
 import { useAgentChat } from '@/hooks/useAgentChat';
 import { useAgentStore } from '@/store/agentStore';
 import { useSessionStore } from '@/store/sessionStore';
@@ -24,8 +24,6 @@ export default function SessionChat({ sessionId, isActive, onSessionDead }: Sess
   const { isConnected, isProcessing, activityStatus, updateSession } = useAgentStore();
   const { updateSessionTitle } = useSessionStore();
 
-  const [wasCancelled, setWasCancelled] = useState(false);
-
   const { messages, sendMessage, stop, status, undoLastTurn, approveTools } = useAgentChat({
     sessionId,
     isActive,
@@ -57,11 +55,11 @@ export default function SessionChat({ sessionId, isActive, onSessionDead }: Sess
     return () => document.removeEventListener('visibilitychange', onVisible);
   }, [isActive, sessionId]);
 
-  // Wrap stop to track cancellation
+  // Wrap stop to show cancelled shimmer
   const handleStop = useCallback(() => {
     stop();
-    setWasCancelled(true);
-  }, [stop]);
+    updateSession(sessionId, { activityStatus: { type: 'cancelled' } });
+  }, [stop, updateSession, sessionId]);
 
   // SDK status is the ground truth — if it's streaming/submitted, agent is busy
   const sdkBusy = status === 'streaming' || status === 'submitted';
@@ -71,12 +69,11 @@ export default function SessionChat({ sessionId, isActive, onSessionDead }: Sess
     async (text: string) => {
       if (!text.trim() || busy) return;
 
-      setWasCancelled(false);
-      updateSession(sessionId, { isProcessing: true });
+      updateSession(sessionId, { isProcessing: true, activityStatus: { type: 'thinking' } });
       sendMessage({ text: text.trim(), metadata: { createdAt: new Date().toISOString() } });
 
       // Auto-title the session from the first user message
-      const isFirstMessage = messages.filter((m) => m.role === 'user').length <= 1;
+      const isFirstMessage = messages.filter((m) => m.role === 'user').length === 0;
       if (isFirstMessage) {
         apiFetch('/api/title', {
           method: 'POST',
@@ -114,9 +111,7 @@ export default function SessionChat({ sessionId, isActive, onSessionDead }: Sess
         placeholder={
           activityStatus.type === 'waiting-approval'
             ? 'Approve or reject pending tools first...'
-            : wasCancelled
-              ? 'What should the agent do instead?'
-              : undefined
+            : undefined
         }
       />
     </>

frontend/src/store/agentStore.ts

@@ -50,7 +50,8 @@ export type ActivityStatus =
   | { type: 'thinking' }
   | { type: 'tool'; toolName: string; description?: string }
   | { type: 'waiting-approval' }
-  | { type: 'streaming' };
+  | { type: 'streaming' }
+  | { type: 'cancelled' };
 
 /** State that is tracked per-session (each session has its own copy). */
 export interface PerSessionState {
@@ -222,7 +223,7 @@ export const useAgentStore = create<AgentStore>()((set, get) => ({
     // Apply the processing→idle side effect
     const processingCleared = 'isProcessing' in updates && !updates.isProcessing;
     if (processingCleared) {
-      if (updated.activityStatus.type !== 'waiting-approval') {
+      if (updated.activityStatus.type !== 'waiting-approval' && updated.activityStatus.type !== 'cancelled') {
         updated.activityStatus = { type: 'idle' };
       }
     }
@@ -300,7 +301,7 @@ export const useAgentStore = create<AgentStore>()((set, get) => ({
 
   setProcessing: (isProcessing) => {
     const current = get().activityStatus;
-    const preserveStatus = current.type === 'waiting-approval';
+    const preserveStatus = current.type === 'waiting-approval' || current.type === 'cancelled';
     set({ isProcessing, ...(!isProcessing && !preserveStatus ? { activityStatus: { type: 'idle' } } : {}) });
   },
   setConnected: (isConnected) => set({ isConnected }),