@hienlh/ppm 0.9.18 → 0.9.19

package/CHANGELOG.md

@@ -1,5 +1,13 @@
 # Changelog
 
+## [0.9.19] - 2026-04-05
+
+### Fixed
+- **Proxy for OAuth accounts**: OAuth tokens (Claude Max/Pro) now route through SDK `query()` bridge instead of direct API forwarding, which was returning rate_limit_error. API key accounts still use direct forwarding.
+
+### Added
+- **SDK proxy bridge** (`proxy-sdk-bridge.ts`): Translates Anthropic Messages API requests into Agent SDK calls for OAuth accounts, supporting both streaming SSE and non-streaming JSON responses with account rotation
+
 ## [0.9.16] - 2026-04-04
 
 ### Fixed

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hienlh/ppm",
-  "version": "0.9.18",
+  "version": "0.9.19",
   "description": "Personal Project Manager — mobile-first web IDE with AI assistance",
   "author": "hienlh",
   "license": "MIT",

package/src/services/proxy-sdk-bridge.ts

@@ -0,0 +1,237 @@
+/**
+ * SDK-based proxy bridge — translates Anthropic Messages API requests
+ * into Agent SDK query() calls for OAuth (Claude Max/Pro) accounts.
+ *
+ * Direct API forwarding doesn't work for OAuth tokens because they're
+ * meant for the Claude Code infrastructure, not raw api.anthropic.com.
+ * This bridge uses the same SDK approach as opencode-claude-max-proxy.
+ */
+import { query } from "@anthropic-ai/claude-agent-sdk";
+import { accountSelector } from "./account-selector.service.ts";
+
+/** Map Anthropic model IDs to SDK model names */
+function mapModelToSdkModel(model: string): "sonnet" | "opus" | "haiku" {
+  if (model.includes("opus")) return "opus";
+  if (model.includes("haiku")) return "haiku";
+  return "sonnet";
+}
+
+/** Extract text prompt from Messages API body (system + messages) */
+function buildPromptFromBody(body: any): { prompt: string; systemPrompt?: string } {
+  // Extract system prompt
+  let systemPrompt: string | undefined;
+  if (body.system) {
+    if (typeof body.system === "string") {
+      systemPrompt = body.system;
+    } else if (Array.isArray(body.system)) {
+      systemPrompt = body.system
+        .filter((b: any) => b.type === "text" && b.text)
+        .map((b: any) => b.text)
+        .join("\n");
+    }
+  }
+
+  // Convert messages to text, preserving role context
+  const parts = body.messages
+    ?.map((m: { role: string; content: string | Array<{ type: string; text?: string }> }) => {
+      const role = m.role === "assistant" ? "Assistant" : "Human";
+      let content: string;
+      if (typeof m.content === "string") {
+        content = m.content;
+      } else if (Array.isArray(m.content)) {
+        content = m.content
+          .filter((block: any) => block.type === "text" && block.text)
+          .map((block: any) => block.text)
+          .join("");
+      } else {
+        content = String(m.content);
+      }
+      return `${role}: ${content}`;
+    })
+    .join("\n\n") || "";
+
+  return { prompt: parts, systemPrompt };
+}
+
+/** Build env for SDK subprocess — sets OAuth token, blocks stale env vars */
+function buildSdkEnv(accessToken: string): Record<string, string | undefined> {
+  return {
+    ...process.env,
+    // OAuth token → CLAUDE_CODE_OAUTH_TOKEN; clear API key to prevent conflicts
+    ANTHROPIC_API_KEY: "",
+    CLAUDE_CODE_OAUTH_TOKEN: accessToken,
+    // Clear base URL to ensure SDK hits Anthropic directly
+    ANTHROPIC_BASE_URL: "",
+  };
+}
+
+interface SdkAccount {
+  id: string;
+  email?: string | null;
+  accessToken: string;
+}
+
+/**
+ * Forward a Messages API request via SDK query() for OAuth accounts.
+ * Returns a Response in Anthropic Messages API format (JSON or SSE).
+ */
+export async function forwardViaSdk(
+  body: any,
+  account: SdkAccount,
+): Promise<Response> {
+  const model = mapModelToSdkModel(body.model || "sonnet");
+  const stream = body.stream ?? true;
+  const { prompt, systemPrompt } = buildPromptFromBody(body);
+  const env = buildSdkEnv(account.accessToken);
+
+  console.log(`[proxy-sdk] ${stream ? "stream" : "non-stream"} → ${model} via account ${account.email ?? account.id}`);
+
+  if (!stream) {
+    return handleNonStreaming(prompt, systemPrompt, model, env, body, account);
+  }
+  return handleStreaming(prompt, systemPrompt, model, env, body, account);
+}
+
+/** Non-streaming: collect full response and return as JSON */
+async function handleNonStreaming(
+  prompt: string,
+  systemPrompt: string | undefined,
+  model: "sonnet" | "opus" | "haiku",
+  env: Record<string, string | undefined>,
+  body: any,
+  account: SdkAccount,
+): Promise<Response> {
+  try {
+    let fullContent = "";
+    const response = query({
+      prompt,
+      options: { maxTurns: 1, model, env, ...(systemPrompt && { systemPrompt }) },
+    });
+
+    for await (const message of response) {
+      if (message.type === "assistant") {
+        for (const block of (message as any).message?.content ?? []) {
+          if (block.type === "text") fullContent += block.text;
+        }
+      }
+    }
+
+    if (!fullContent) fullContent = "";
+    accountSelector.onSuccess(account.id);
+
+    return new Response(JSON.stringify({
+      id: `msg_${Date.now()}`,
+      type: "message",
+      role: "assistant",
+      content: [{ type: "text", text: fullContent }],
+      model: body.model,
+      stop_reason: "end_turn",
+      usage: { input_tokens: 0, output_tokens: 0 },
+    }), {
+      status: 200,
+      headers: { "Content-Type": "application/json", "Access-Control-Allow-Origin": "*" },
+    });
+  } catch (error) {
+    console.error(`[proxy-sdk] Non-stream error:`, (error as Error).message);
+    accountSelector.onRateLimit(account.id);
+    return new Response(JSON.stringify({
+      type: "error",
+      error: { type: "api_error", message: (error as Error).message },
+    }), { status: 502, headers: { "Content-Type": "application/json" } });
+  }
+}
+
+/** Streaming: convert SDK events to Anthropic SSE format */
+async function handleStreaming(
+  prompt: string,
+  systemPrompt: string | undefined,
+  model: "sonnet" | "opus" | "haiku",
+  env: Record<string, string | undefined>,
+  body: any,
+  account: SdkAccount,
+): Promise<Response> {
+  const encoder = new TextEncoder();
+
+  const readable = new ReadableStream({
+    async start(controller) {
+      try {
+        const response = query({
+          prompt,
+          options: {
+            maxTurns: 1,
+            model,
+            env,
+            ...(systemPrompt && { systemPrompt }),
+            includePartialMessages: true,
+          },
+        });
+
+        const heartbeat = setInterval(() => {
+          try { controller.enqueue(encoder.encode(`: ping\n\n`)); } catch { clearInterval(heartbeat); }
+        }, 15_000);
+
+        // Track tool_use block indices to filter them out
+        const skipBlockIndices = new Set<number>();
+
+        try {
+          for await (const message of response) {
+            if (message.type !== "stream_event") continue;
+
+            const event = (message as any).event;
+            const eventType = event.type as string;
+            const eventIndex = event.index as number | undefined;
+
+            // Filter tool_use content blocks — external tools expect text only
+            if (eventType === "content_block_start") {
+              const block = event.content_block;
+              if (block?.type === "tool_use") {
+                if (eventIndex !== undefined) skipBlockIndices.add(eventIndex);
+                continue;
+              }
+            }
+
+            // Skip deltas and stops for tool_use blocks
+            if (eventIndex !== undefined && skipBlockIndices.has(eventIndex)) continue;
+
+            // Override message_delta to always show end_turn
+            if (eventType === "message_delta") {
+              const patched = {
+                ...event,
+                delta: { ...(event.delta || {}), stop_reason: "end_turn" },
+                usage: event.usage || { output_tokens: 0 },
+              };
+              controller.enqueue(encoder.encode(`event: ${eventType}\ndata: ${JSON.stringify(patched)}\n\n`));
+              continue;
+            }
+
+            // Forward all other events (message_start, text deltas, content_block_start/stop, message_stop)
+            controller.enqueue(encoder.encode(`event: ${eventType}\ndata: ${JSON.stringify(event)}\n\n`));
+          }
+
+          accountSelector.onSuccess(account.id);
+        } finally {
+          clearInterval(heartbeat);
+        }
+
+        controller.close();
+      } catch (error) {
+        console.error(`[proxy-sdk] Stream error:`, (error as Error).message);
+        accountSelector.onRateLimit(account.id);
+        controller.enqueue(encoder.encode(`event: error\ndata: ${JSON.stringify({
+          type: "error",
+          error: { type: "api_error", message: (error as Error).message },
+        })}\n\n`));
+        controller.close();
+      }
+    },
+  });
+
+  return new Response(readable, {
+    headers: {
+      "Content-Type": "text/event-stream",
+      "Cache-Control": "no-cache",
+      "Connection": "keep-alive",
+      "Access-Control-Allow-Origin": "*",
+    },
+  });
+}

package/src/services/proxy.service.ts

@@ -1,6 +1,7 @@
 import { getConfigValue, setConfigValue } from "./db.service.ts";
 import { accountSelector } from "./account-selector.service.ts";
 import { accountService } from "./account.service.ts";
+import { forwardViaSdk } from "./proxy-sdk-bridge.ts";
 import { randomBytes } from "node:crypto";
 
 const PROXY_ENABLED_KEY = "proxy_enabled";
@@ -41,7 +42,8 @@ class ProxyService {
 
   /**
    * Forward a request to Anthropic API using account rotation.
-   * Returns a Response object (may be streaming SSE).
+   * OAuth accounts (sk-ant-oat-*) → SDK query() bridge.
+   * API key accounts → direct HTTP forward to api.anthropic.com.
    */
   async forward(
     path: string,
@@ -65,69 +67,75 @@ class ProxyService {
       if (fresh) token = fresh.accessToken;
     }
 
-    // Build upstream headers — forward relevant Anthropic headers
+    // OAuth tokens: route through SDK query() — direct API doesn't work for Claude Max/Pro
+    if (token.startsWith("sk-ant-oat") && body && path === "/v1/messages") {
+      try {
+        const parsed = JSON.parse(body);
+        this.requestCount++;
+        return await forwardViaSdk(parsed, { id: account.id, email: account.email, accessToken: token });
+      } catch (e) {
+        console.error(`[proxy] SDK bridge error:`, (e as Error).message);
+        return new Response(
+          JSON.stringify({ type: "error", error: { type: "api_error", message: (e as Error).message } }),
+          { status: 502, headers: { "Content-Type": "application/json" } },
+        );
+      }
+    }
+
+    // API key accounts: direct HTTP forward to Anthropic API
+    return this.forwardDirect(path, method, headers, body, token, account);
+  }
+
+  /** Direct HTTP forward for API key accounts */
+  private async forwardDirect(
+    path: string,
+    method: string,
+    headers: Record<string, string>,
+    body: string | null,
+    token: string,
+    account: { id: string; email: string | null },
+  ): Promise<Response> {
     const upstreamHeaders: Record<string, string> = {
       "Content-Type": "application/json",
       "User-Agent": "ppm-proxy/1.0",
+      "x-api-key": token,
     };
-
-    // Set auth based on token type
-    if (token.startsWith("sk-ant-oat")) {
-      upstreamHeaders["Authorization"] = `Bearer ${token}`;
-      upstreamHeaders["anthropic-beta"] = headers["anthropic-beta"] || "oauth-2025-04-20";
-    } else {
-      upstreamHeaders["x-api-key"] = token;
-    }
-
-    // Forward anthropic-version header
-    if (headers["anthropic-version"]) {
-      upstreamHeaders["anthropic-version"] = headers["anthropic-version"];
-    }
-    // Forward anthropic-beta if present from client
-    if (headers["anthropic-beta"]) {
-      upstreamHeaders["anthropic-beta"] = headers["anthropic-beta"];
-    }
+    if (headers["anthropic-version"]) upstreamHeaders["anthropic-version"] = headers["anthropic-version"];
+    if (headers["anthropic-beta"]) upstreamHeaders["anthropic-beta"] = headers["anthropic-beta"];
 
     const url = `${ANTHROPIC_API_BASE}${path}`;
-    console.log(`[proxy] ${method} ${path} → account ${account.email ?? account.id}`);
+    console.log(`[proxy] ${method} ${path} → account ${account.email ?? account.id} (direct)`);
 
     try {
       const upstream = await fetch(url, {
         method,
         headers: upstreamHeaders,
         body: body || undefined,
-        signal: AbortSignal.timeout(300_000), // 5min timeout for long streaming
+        signal: AbortSignal.timeout(300_000),
       });
 
       this.requestCount++;
 
-      // Handle rate limit / auth errors for account rotation
       if (upstream.status === 429) {
         accountSelector.onRateLimit(account.id);
-        console.log(`[proxy] 429 from Anthropic — account ${account.email ?? account.id} rate limited`);
+        console.log(`[proxy] 429 — account ${account.email ?? account.id} rate limited`);
       } else if (upstream.status === 401) {
         accountSelector.onAuthError(account.id);
-        console.log(`[proxy] 401 from Anthropic — account ${account.email ?? account.id} auth error`);
+        console.log(`[proxy] 401 — account ${account.email ?? account.id} auth error`);
       } else if (upstream.status >= 200 && upstream.status < 300) {
         accountSelector.onSuccess(account.id);
       }
 
-      // Stream response back as-is (preserves SSE for streaming)
       const responseHeaders = new Headers();
-      // Forward key response headers
       for (const key of ["content-type", "x-request-id", "request-id"]) {
         const val = upstream.headers.get(key);
         if (val) responseHeaders.set(key, val);
       }
-      // CORS for external tools
       responseHeaders.set("Access-Control-Allow-Origin", "*");
 
-      return new Response(upstream.body, {
-        status: upstream.status,
-        headers: responseHeaders,
-      });
+      return new Response(upstream.body, { status: upstream.status, headers: responseHeaders });
     } catch (e) {
-      console.error(`[proxy] Error forwarding to Anthropic:`, (e as Error).message);
+      console.error(`[proxy] Error forwarding:`, (e as Error).message);
       return new Response(
         JSON.stringify({ type: "error", error: { type: "api_error", message: (e as Error).message } }),
         { status: 502, headers: { "Content-Type": "application/json" } },