@hypeitnow/opencode-claude-auth 1.6.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 gmartin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,238 @@
+# opencode-claude-auth
+
+[![npm](https://img.shields.io/npm/v/opencode-claude-auth)](https://www.npmjs.com/package/opencode-claude-auth)
+[![CI](https://github.com/griffinmartin/opencode-claude-auth/actions/workflows/ci.yml/badge.svg)](https://github.com/griffinmartin/opencode-claude-auth/actions/workflows/ci.yml)
+[![Socket Badge](https://socket.dev/api/badge/npm/package/opencode-claude-auth)](https://socket.dev/npm/package/opencode-claude-auth)
+
+Self-contained Anthropic auth provider for OpenCode using your Claude Code credentials — no separate login or API key needed.
+
+## How it works
+
+The plugin registers its own auth provider with a custom fetch handler that intercepts all Anthropic API requests. It reads OAuth tokens from the macOS Keychain (or `~/.claude/.credentials.json` on other platforms), caches them in memory with a 30-second TTL, and handles the full request lifecycle — no builtin Anthropic auth plugin required. On macOS, multiple Claude Code accounts are detected automatically and can be switched via `opencode auth login`.
+
+It also syncs credentials to OpenCode's `auth.json` as a fallback (on Windows, it writes to both `%USERPROFILE%\.local\share\opencode\auth.json` and `%LOCALAPPDATA%\opencode\auth.json` to cover all installation methods). If a token is near expiry, it refreshes directly via Anthropic's OAuth endpoint (zero LLM tokens consumed), falling back to the Claude CLI if the direct refresh fails. Background re-sync runs every 5 minutes.
+
+### Raw `Claude Code` Keychain entry
+
+On macOS, the `claude` CLI stores the raw `sk-ant-api03-...` Anthropic console API key in a Keychain service called `Claude Code` (no `-credentials` suffix). The plugin reads this directly and synthesises a 1-year-TTL credential — no JSON envelope, no refresh token. If the raw key is rejected by Anthropic's API (e.g. on org-locked accounts where the only available auth is OAuth), the 401 handler falls back to the **Claude OAuth (fallback)** method described below.
+
+### OAuth fallback (`Claude OAuth (fallback)` auth method)
+
+If the raw Keychain key returns 401, the plugin prints:
+
+> `opencode-claude-auth: API 401 for <model>. The raw Keychain key was rejected. Run \`opencode auth\` and pick "Claude OAuth (fallback)" to authorize via OAuth.`
+
+To authorize, run `opencode auth login` and select **Claude OAuth (fallback)**. The plugin opens `https://platform.claude.com/oauth/authorize` with the `org:create_api_key`, `user:inference`, `user:sessions:claude_code`, and other scopes. Authorize in the browser, paste the full callback URL (or just the `code#state` pair) into opencode, and the plugin exchanges it for a real `{access, refresh, expires}` token. The token is auto-refreshed on every subsequent request via Anthropic's OAuth endpoint — no LLM tokens consumed.
+
+The flow uses standard OAuth 2.0 + PKCE with `client_id=9d1c250a-e61b-44d9-88ed-5944d1962f5e` and `token_url=https://platform.claude.com/v1/oauth/token`. Ported from `ex-machina/opencode-anthropic-auth`.
+
+## Prerequisites
+
+- Claude Code installed and authenticated (run `claude` at least once)
+- OpenCode installed
+
+macOS is preferred (uses Keychain). Linux and Windows work via the credentials file fallback.
+
+## Installation
+
+**For Humans**
+
+**Option A: Let an LLM do it**
+
+Paste this into any LLM agent (Claude Code, OpenCode, Cursor, etc.):
+
+```
+Install the opencode-claude-auth plugin and configure it by following: https://raw.githubusercontent.com/griffinmartin/opencode-claude-auth/main/installation.md
+```
+
+**Option B: Manual setup**
+
+1. **Add the plugin** to `~/.config/opencode/opencode.json`:
+
+   ```json
+   {
+     "plugin": ["opencode-claude-auth@latest"]
+   }
+   ```
+
+   > The `@latest` tag ensures OpenCode always pulls the newest version on startup. No manual `npm install` is needed — OpenCode [automatically installs npm plugins using Bun at startup](https://opencode.ai/docs/plugins/#how-plugins-are-installed).
+
+2. **Use it** — just run OpenCode. The plugin handles auth automatically using your Claude Code credentials.
+
+**For LLM Agents**
+
+See [installation.md](installation.md) for step-by-step agent instructions.
+
+## Usage
+
+Just run OpenCode. The plugin handles auth automatically — it reads your Claude Code credentials, provides them to the Anthropic API, and refreshes them in the background. If your credentials aren't OAuth-based, the plugin falls through to standard API key auth.
+
+## Supported models
+
+15 supported models. Run `pnpm run test:models` to verify against your account.
+
+| Model                      |
+| -------------------------- |
+| claude-haiku-4-5           |
+| claude-haiku-4-5-20251001  |
+| claude-opus-4-0            |
+| claude-opus-4-1            |
+| claude-opus-4-1-20250805   |
+| claude-opus-4-20250514     |
+| claude-opus-4-5            |
+| claude-opus-4-5-20251101   |
+| claude-opus-4-6            |
+| claude-opus-4-7            |
+| claude-sonnet-4-0          |
+| claude-sonnet-4-20250514   |
+| claude-sonnet-4-5          |
+| claude-sonnet-4-5-20250929 |
+| claude-sonnet-4-6          |
+
+## Credential sources
+
+The plugin checks these in order:
+
+1. macOS Keychain
+   - All `Claude Code-credentials*` entries — multiple accounts are detected automatically
+   - The bare `Claude Code` service — holds raw `sk-ant-api03-...` API keys for users whose `claude` CLI is configured with an Anthropic console API key rather than an OAuth subscription. The key is treated as a long-lived credential (1-year TTL) and never written back to the Keychain, since it would be silently overwritten with a JSON blob otherwise.
+2. `~/.claude/.credentials.json` (fallback, works on all platforms)
+
+## Multiple accounts (macOS)
+
+If you have [multiple Claude Code accounts](https://gist.github.com/KMJ-007/0979814968722051620461ab2aa01bf2) authenticated on macOS, the plugin detects all of them from the Keychain automatically. Each account is labeled by its subscription tier (Claude Pro, Claude Max, etc.).
+
+To switch accounts:
+
+```bash
+opencode auth login
+```
+
+Select "Switch Claude Code account" and pick the account you want to use. Your selection is persisted across sessions.
+
+If only one account is found, the switcher is hidden and the plugin uses it directly.
+
+## Troubleshooting
+
+| Problem                                             | Solution                                                                                                           |
+| --------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ |
+| "Credentials not found"                             | Run `claude` to authenticate with Claude Code first                                                                |
+| "Keychain is locked"                                | Run `security unlock-keychain ~/Library/Keychains/login.keychain-db`                                               |
+| "Token expired and refresh failed"                  | The plugin runs `claude` CLI to refresh automatically. If this fails, re-authenticate manually by running `claude` |
+| Not working on Linux/Windows                        | Ensure `~/.claude/.credentials.json` exists. Run `claude` to create it                                             |
+| Keychain access denied                              | Grant access when macOS prompts you                                                                                |
+| Keychain read timed out                             | Restart Keychain Access (can happen on macOS Tahoe)                                                                |
+| "Credentials are unavailable or expired"            | Run `claude` to refresh your Claude Code credentials                                                               |
+| "Extra usage is required for long context requests" | Your conversation exceeded 200k tokens. See [Long context (1M)](#long-context-1m) below                            |
+| Plugin not updating to latest version               | Delete the cached package: `rm -rf ~/.cache/opencode/packages/opencode-claude-auth@latest/` then restart OpenCode  |
+
+### Diagnostic logging
+
+If you're hitting auth errors that are hard to reproduce, enable debug logging to capture the full auth flow:
+
+```bash
+export CLAUDE_AUTH_DEBUG=1
+```
+
+Restart OpenCode and reproduce the issue. The plugin writes structured JSON logs to `~/.local/share/opencode/claude-auth-debug.log`. All secrets (tokens, API keys) are automatically redacted — the log file is safe to paste into a GitHub issue.
+
+To write logs to a custom path:
+
+```bash
+export CLAUDE_AUTH_DEBUG=/tmp/claude-auth-debug.log
+```
+
+Disable when done:
+
+```bash
+unset CLAUDE_AUTH_DEBUG
+```
+
+## Long context (1M)
+
+The `context-1m-2025-08-07` beta header is not sent by default. Without it, the API caps context at 200k tokens.
+
+To enable 1M context (requires Claude Max or a plan with extra usage coverage), use **either** of these methods:
+
+**Option A: Config file** (recommended — no environment setup needed)
+
+Add `enable1mContext` to any agent in your `opencode.json` (project-level or `~/.config/opencode/opencode.json`). Setting it in any one agent enables 1M context globally for all supported models — you don't need to set it for each agent:
+
+```json
+{
+  "plugin": ["opencode-claude-auth@latest"],
+  "agent": {
+    "build": {
+      "enable1mContext": true
+    }
+  }
+}
+```
+
+**Option B: Environment variable**
+
+```bash
+export ANTHROPIC_ENABLE_1M_CONTEXT=true
+```
+
+If both are set, the environment variable takes priority.
+
+The Claude CLI itself treats 1M context as opt-in (via a `[1m]` model suffix). Sending the beta without a plan that covers long context charges causes "Extra usage is required for long context requests" errors. Versions before 0.8.0 sent this beta automatically for 4.6+ models, which broke things for Pro users ([#64](https://github.com/griffinmartin/opencode-claude-auth/issues/64)).
+
+If a long context error still occurs (e.g. from a beta flag added via `ANTHROPIC_BETA_FLAGS`), the plugin retries without the offending flag.
+
+## Validating OAuth refresh
+
+To verify the direct OAuth token refresh works with your credentials:
+
+```bash
+pnpm run validate:oauth           # refresh + write-back (safe, keeps credentials valid)
+pnpm run validate:oauth -- --dry-run  # show what would be sent without making the request
+```
+
+This reads your stored credentials, calls Anthropic's OAuth token endpoint, and writes the new tokens back to storage. Refresh tokens rotate on each use, so write-back is enabled by default to keep your stored credentials valid.
+
+## Environment variable overrides
+
+All configurable parameters can be overridden via environment variables. If Anthropic changes something before we publish an update, set an env var and keep working:
+
+| Variable                            | Description                                                                                                                                                                            | Default                                                                                                 |
+| ----------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- |
+| `ANTHROPIC_CLI_VERSION`             | Claude CLI version for user-agent and billing headers                                                                                                                                  | `2.1.80`                                                                                                |
+| `ANTHROPIC_USER_AGENT`              | Full User-Agent string (overrides CLI version)                                                                                                                                         | `claude-cli/{version} (external, cli)`                                                                  |
+| `ANTHROPIC_BETA_FLAGS`              | Comma-separated beta feature flags                                                                                                                                                     | `claude-code-20250219,oauth-2025-04-20,interleaved-thinking-2025-05-14,prompt-caching-scope-2026-01-05` |
+| `ANTHROPIC_ENABLE_1M_CONTEXT`       | Enable 1M token context window for 4.6+ models (requires Max subscription)                                                                                                             | `false`                                                                                                 |
+| `CLAUDE_AUTH_DEBUG`                 | Enable diagnostic logging (`1` for default path, or a custom file path)                                                                                                                | disabled                                                                                                |
+| `OPENCODE_CLAUDE_AUTH_MAX_RETRY_MS` | Max ms the plugin waits when honouring a 429/529 `retry-after` header. Beyond this cap the response surfaces immediately so OpenCode doesn't appear to hang on hour-long quota resets. | `30000`                                                                                                 |
+
+Example:
+
+```bash
+export ANTHROPIC_CLI_VERSION=2.2.0
+export ANTHROPIC_ENABLE_1M_CONTEXT=true  # requires Claude Max
+```
+
+## How it works (technical)
+
+- Registers an `auth.loader` with a custom `fetch` that intercepts all Anthropic API requests
+- Sets `Authorization: Bearer` with fresh OAuth tokens (cached in memory, 30s TTL, updated in-place after refresh)
+- Translates tool names between OpenCode and Anthropic API formats (adds/strips `mcp_` prefix)
+- Buffers SSE response streams at event boundaries for reliable tool name translation
+- Injects Claude Code identity into system prompts via `experimental.chat.system.transform`
+- Sets required API headers (beta flags, billing, user-agent) with model-aware selection
+- On macOS, enumerates all `Claude Code-credentials*` Keychain entries and labels them by subscription tier
+- Provides an account switcher via `opencode auth login` when multiple accounts are found; persists selection to `~/.local/share/opencode/claude-account-source.txt`
+- Syncs credentials to `auth.json` on startup and every 5 minutes as a fallback (sync never triggers refresh; refresh is lazy, only on API requests)
+- On Windows, writes to both `%USERPROFILE%\.local\share\opencode\auth.json` and `%LOCALAPPDATA%\opencode\auth.json`
+- Retries API requests on 429 (rate limit) and 529 (overloaded) with exponential backoff, respecting `retry-after` headers
+- When a token is within 60 seconds of expiry, refreshes directly via `POST https://claude.ai/v1/oauth/token` (no LLM tokens consumed). Falls back to `claude` CLI if the direct refresh fails. New tokens are written back to Keychain (macOS) or credentials file (Linux/Windows) to keep stored credentials in sync with rotated refresh tokens
+- If credentials aren't OAuth-based, the auth loader returns `{}` and falls through to API key auth
+- If credentials are unavailable or unreadable, the plugin disables itself and OpenCode continues without Claude auth
+
+## Disclaimer
+
+This plugin uses Claude Code's OAuth credentials to authenticate with Anthropic's API. Anthropic's Terms of Service state that Claude Pro/Max subscription tokens should only be used with official Anthropic clients. This plugin exists as a community workaround and may stop working if Anthropic changes their OAuth infrastructure. Use at your own discretion.
+
+## License
+
+MIT

package/dist/anthropic-prompt.txt

@@ -0,0 +1,166 @@
+You are an interactive CLI tool that helps users with software engineering tasks. Use the instructions below and the tools available to you to assist the user.
+
+IMPORTANT: Assist with defensive security tasks only. Refuse to create, modify, or improve code that may be used maliciously. Do not assist with credential discovery or harvesting, including bulk crawling for SSH keys, browser cookies, or cryptocurrency wallets. Allow security analysis, detection rules, vulnerability explanations, defensive tools, and security documentation.
+IMPORTANT: You must NEVER generate or guess URLs for the user unless you are confident that the URLs are for helping the user with programming. You may use URLs provided by the user in their messages or local files.
+
+If the user asks for help or wants to give feedback inform them of the following: 
+- /help: Get help with using Claude Code
+- To give feedback, users should report the issue at https://github.com/anthropics/claude-code/issues
+
+When the user directly asks about Claude Code (eg. "can Claude Code do...", "does Claude Code have..."), or asks in second person (eg. "are you able...", "can you do..."), or asks how to use a specific Claude Code feature (eg. implement a hook, or write a slash command), use the WebFetch tool to gather information to answer the question from Claude Code docs. The list of available docs is available at https://docs.claude.com/en/docs/claude-code/claude_code_docs_map.md.
+
+# Tone and style
+You should be concise, direct, and to the point, while providing complete information and matching the level of detail you provide in your response with the level of complexity of the user's query or the work you have completed. 
+A concise response is generally less than 4 lines, not including tool calls or code generated. You should provide more detail when the task is complex or when the user asks you to.
+IMPORTANT: You should minimize output tokens as much as possible while maintaining helpfulness, quality, and accuracy. Only address the specific task at hand, avoiding tangential information unless absolutely critical for completing the request. If you can answer in 1-3 sentences or a short paragraph, please do.
+IMPORTANT: You should NOT answer with unnecessary preamble or postamble (such as explaining your code or summarizing your action), unless the user asks you to.
+Do not add additional code explanation summary unless requested by the user. After working on a file, briefly confirm that you have completed the task, rather than providing an explanation of what you did.
+Answer the user's question directly, avoiding any elaboration, explanation, introduction, conclusion, or excessive details. Brief answers are best, but be sure to provide complete information. You MUST avoid extra preamble before/after your response, such as "The answer is <answer>.", "Here is the content of the file..." or "Based on the information provided, the answer is..." or "Here is what I will do next...".
+
+Here are some examples to demonstrate appropriate verbosity:
+<example>
+user: 2 + 2
+assistant: 4
+</example>
+
+<example>
+user: what is 2+2?
+assistant: 4
+</example>
+
+<example>
+user: is 11 a prime number?
+assistant: Yes
+</example>
+
+<example>
+user: what command should I run to list files in the current directory?
+assistant: ls
+</example>
+
+<example>
+user: what command should I run to watch files in the current directory?
+assistant: [runs ls to list the files in the current directory, then read docs/commands in the relevant file to find out how to watch files]
+npm run dev
+</example>
+
+<example>
+user: How many golf balls fit inside a jetta?
+assistant: 150000
+</example>
+
+<example>
+user: what files are in the directory src/?
+assistant: [runs ls and sees foo.c, bar.c, baz.c]
+user: which file contains the implementation of foo?
+assistant: src/foo.c
+</example>
+When you run a non-trivial bash command, you should explain what the command does and why you are running it, to make sure the user understands what you are doing (this is especially important when you are running a command that will make changes to the user's system).
+Remember that your output will be displayed on a command line interface. Your responses can use GitHub-flavored markdown for formatting, and will be rendered in a monospace font using the CommonMark specification.
+Output text to communicate with the user; all text you output outside of tool use is displayed to the user. Only use tools to complete tasks. Never use tools like Bash or code comments as means to communicate with the user during the session.
+If you cannot or will not help the user with something, please do not say why or what it could lead to, since this comes across as preachy and annoying. Please offer helpful alternatives if possible, and otherwise keep your response to 1-2 sentences.
+Only use emojis if the user explicitly requests it. Avoid using emojis in all communication unless asked.
+IMPORTANT: Keep your responses short, since they will be displayed on a command line interface.
+
+# Proactiveness
+You are allowed to be proactive, but only when the user asks you to do something. You should strive to strike a balance between:
+- Doing the right thing when asked, including taking actions and follow-up actions
+- Not surprising the user with actions you take without asking
+For example, if the user asks you how to approach something, you should do your best to answer their question first, and not immediately jump into taking actions.
+
+# Professional objectivity
+Prioritize technical accuracy and truthfulness over validating the user's beliefs. Focus on facts and problem-solving, providing direct, objective technical info without any unnecessary superlatives, praise, or emotional validation. It is best for the user if Claude honestly applies the same rigorous standards to all ideas and disagrees when necessary, even if it may not be what the user wants to hear. Objective guidance and respectful correction are more valuable than false agreement. Whenever there is uncertainty, it's best to investigate to find the truth first rather than instinctively confirming the user's beliefs.
+
+# Task Management
+You have access to the TodoWrite tools to help you manage and plan tasks. Use these tools VERY frequently to ensure that you are tracking your tasks and giving the user visibility into your progress.
+These tools are also EXTREMELY helpful for planning tasks, and for breaking down larger complex tasks into smaller steps. If you do not use this tool when planning, you may forget to do important tasks - and that is unacceptable.
+
+It is critical that you mark todos as completed as soon as you are done with a task. Do not batch up multiple tasks before marking them as completed.
+
+Examples:
+
+<example>
+user: Run the build and fix any type errors
+assistant: I'm going to use the TodoWrite tool to write the following items to the todo list: 
+- Run the build
+- Fix any type errors
+
+I'm now going to run the build using Bash.
+
+Looks like I found 10 type errors. I'm going to use the TodoWrite tool to write 10 items to the todo list.
+
+marking the first todo as in_progress
+
+Let me start working on the first item...
+
+The first item has been fixed, let me mark the first todo as completed, and move on to the second item...
+..
+..
+</example>
+In the above example, the assistant completes all the tasks, including the 10 error fixes and running the build and fixing all errors.
+
+<example>
+user: Help me write a new feature that allows users to track their usage metrics and export them to various formats
+
+assistant: I'll help you implement a usage metrics tracking and export feature. Let me first use the TodoWrite tool to plan this task.
+Adding the following todos to the todo list:
+1. Research existing metrics tracking in the codebase
+2. Design the metrics collection system
+3. Implement core metrics tracking functionality
+4. Create export functionality for different formats
+
+Let me start by researching the existing codebase to understand what metrics we might already be tracking and how we can build on that.
+
+I'm going to search for any existing metrics or telemetry code in the project.
+
+I've found some existing telemetry code. Let me mark the first todo as in_progress and start designing our metrics tracking system based on what I've learned...
+
+[Assistant continues implementing the feature step by step, marking todos as in_progress and completed as they go]
+</example>
+
+
+Users may configure 'hooks', shell commands that execute in response to events like tool calls, in settings. Treat feedback from hooks, including <user-prompt-submit-hook>, as coming from the user. If you get blocked by a hook, determine if you can adjust your actions in response to the blocked message. If not, ask the user to check their hooks configuration.
+
+# Doing tasks
+The user will primarily request you perform software engineering tasks. This includes solving bugs, adding new functionality, refactoring code, explaining code, and more. For these tasks the following steps are recommended:
+- Use the TodoWrite tool to plan the task if required
+
+- Tool results and user messages may include <system-reminder> tags. <system-reminder> tags contain useful information and reminders. They are automatically added by the system, and bear no direct relation to the specific tool results or user messages in which they appear.
+
+
+# Tool usage policy
+- When doing file search, prefer to use the Task tool in order to reduce context usage.
+- You should proactively use the Task tool with specialized agents when the task at hand matches the agent's description.
+
+- When WebFetch returns a message about a redirect to a different host, you should immediately make a new WebFetch request with the redirect URL provided in the response.
+- You have the capability to call multiple tools in a single response. When multiple independent pieces of information are requested, batch your tool calls together for optimal performance. When making multiple bash tool calls, you MUST send a single message with multiple tools calls to run the calls in parallel. For example, if you need to run "git status" and "git diff", send a single message with two tool calls to run the calls in parallel.
+- If the user specifies that they want you to run tools "in parallel", you MUST send a single message with multiple tool use content blocks. For example, if you need to launch multiple agents in parallel, send a single message with multiple Task tool calls.
+- Use specialized tools instead of bash commands when possible, as this provides a better user experience. For file operations, use dedicated tools: Read for reading files instead of cat/head/tail, Edit for editing instead of sed/awk, and Write for creating files instead of cat with heredoc or echo redirection. Reserve bash tools exclusively for actual system commands and terminal operations that require shell execution. NEVER use bash echo or other command-line tools to communicate thoughts, explanations, or instructions to the user. Output all communication directly in your response text instead.
+
+
+Here is useful information about the environment you are running in:
+<env>
+Working directory: /home/thdxr/dev/projects/anomalyco/opencode/packages/opencode
+Is directory a git repo: Yes
+Platform: linux
+OS Version: Linux 6.12.4-arch1-1
+Today's date: 2025-09-30
+</env>
+You are powered by the model named Sonnet 4.5. The exact model ID is claude-sonnet-4-5-20250929.
+
+Assistant knowledge cutoff is January 2025.
+
+
+IMPORTANT: Assist with defensive security tasks only. Refuse to create, modify, or improve code that may be used maliciously. Do not assist with credential discovery or harvesting, including bulk crawling for SSH keys, browser cookies, or cryptocurrency wallets. Allow security analysis, detection rules, vulnerability explanations, defensive tools, and security documentation.
+
+
+IMPORTANT: Always use the TodoWrite tool to plan and track tasks throughout the conversation.
+
+# Code References
+
+When referencing specific functions or pieces of code include the pattern `file_path:line_number` to allow the user to easily navigate to the source code location.
+
+<example>
+user: Where are errors from the client handled?
+assistant: Clients are marked as failed in the `connectToServer` function in src/services/process.ts:712.
+</example>

package/dist/betas.d.ts

@@ -0,0 +1,9 @@
+export declare const LONG_CONTEXT_BETAS: string[];
+export declare function getExcludedBetas(modelId: string): Set<string>;
+export declare function addExcludedBeta(modelId: string, beta: string): void;
+export declare function resetExcludedBetas(): void;
+export declare function isLongContextError(responseBody: string): boolean;
+export declare function getNextBetaToExclude(modelId: string): string | null;
+export declare function supports1mContext(modelId: string): boolean;
+export declare function getModelBetas(modelId: string, excluded?: Set<string>): string[];
+//# sourceMappingURL=betas.d.ts.map

package/dist/betas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"betas.d.ts","sourceRoot":"","sources":["../src/betas.ts"],"names":[],"mappings":"AAIA,eAAO,MAAM,kBAAkB,UAA0B,CAAA;AAgBzD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,CAe7D;AAED,wBAAgB,eAAe,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,IAAI,CAInE;AAED,wBAAgB,kBAAkB,IAAI,IAAI,CAGzC;AAED,wBAAgB,kBAAkB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAQhE;AAED,wBAAgB,oBAAoB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQnE;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAU1D;AAED,wBAAgB,aAAa,CAC3B,OAAO,EAAE,MAAM,EACf,QAAQ,CAAC,EAAE,GAAG,CAAC,MAAM,CAAC,GACrB,MAAM,EAAE,CAqCV"}

package/dist/betas.js

@@ -0,0 +1,102 @@
+import { config, getModelOverride } from "./model-config.js";
+import { isEnable1mContext } from "./plugin-config.js";
+// Beta flags to try removing in order when "long context" errors occur
+export const LONG_CONTEXT_BETAS = config.longContextBetas;
+function getRequiredBetas() {
+    return (process.env.ANTHROPIC_BETA_FLAGS ?? config.baseBetas.join(","))
+        .split(",")
+        .map((s) => s.trim())
+        .filter(Boolean);
+}
+// Session-level cache of excluded beta flags per model (resets on process restart)
+const excludedBetas = new Map();
+// Track the last-seen beta flags env var and model to detect changes
+let lastBetaFlagsEnv = process.env.ANTHROPIC_BETA_FLAGS;
+let lastModelId;
+export function getExcludedBetas(modelId) {
+    // Reset exclusions if user changed ANTHROPIC_BETA_FLAGS
+    const currentBetaFlags = process.env.ANTHROPIC_BETA_FLAGS;
+    if (currentBetaFlags !== lastBetaFlagsEnv) {
+        excludedBetas.clear();
+        lastBetaFlagsEnv = currentBetaFlags;
+    }
+    // Reset exclusions if user switched models (new model may support different betas)
+    if (lastModelId !== undefined && lastModelId !== modelId) {
+        excludedBetas.clear();
+    }
+    lastModelId = modelId;
+    return excludedBetas.get(modelId) ?? new Set();
+}
+export function addExcludedBeta(modelId, beta) {
+    const existing = excludedBetas.get(modelId) ?? new Set();
+    existing.add(beta);
+    excludedBetas.set(modelId, existing);
+}
+export function resetExcludedBetas() {
+    excludedBetas.clear();
+    lastModelId = undefined;
+}
+export function isLongContextError(responseBody) {
+    return (responseBody.includes("Extra usage is required for long context requests") ||
+        responseBody.includes("long context beta is not yet available") ||
+        responseBody.includes("You're out of extra usage"));
+}
+export function getNextBetaToExclude(modelId) {
+    const excluded = getExcludedBetas(modelId);
+    for (const beta of LONG_CONTEXT_BETAS) {
+        if (!excluded.has(beta)) {
+            return beta;
+        }
+    }
+    return null; // All long-context betas already excluded
+}
+export function supports1mContext(modelId) {
+    const lower = modelId.toLowerCase();
+    if (!lower.includes("opus") && !lower.includes("sonnet"))
+        return false;
+    const versionMatch = lower.match(/(opus|sonnet)-(\d+)-(\d+)/);
+    if (!versionMatch)
+        return false;
+    const major = parseInt(versionMatch[2], 10);
+    const minor = parseInt(versionMatch[3], 10);
+    // Date suffixes like 20250514 are not minor versions — treat as x.0
+    const effectiveMinor = minor > 99 ? 0 : minor;
+    return major > 4 || (major === 4 && effectiveMinor >= 6);
+}
+export function getModelBetas(modelId, excluded) {
+    const betas = [...getRequiredBetas()];
+    // context-1m is OPT-IN only, matching the official Claude CLI behavior.
+    // The CLI only sends this beta when the model ID has a [1m] suffix.
+    // Without it, the API enforces a 200k context limit. Sending the beta
+    // without a subscription that covers long context billing causes
+    // "Extra usage is required for long context requests" errors.
+    //
+    // Users who want 1M context should set ANTHROPIC_ENABLE_1M_CONTEXT=true
+    // (requires a Claude Max subscription or a plan that covers extra usage).
+    if (isEnable1mContext() && supports1mContext(modelId)) {
+        betas.push(config.longContextBetas[0]);
+    }
+    // Apply per-model overrides (e.g. haiku excludes claude-code-20250219)
+    const override = getModelOverride(modelId);
+    if (override) {
+        if (override.exclude) {
+            for (const ex of override.exclude) {
+                const idx = betas.indexOf(ex);
+                if (idx !== -1)
+                    betas.splice(idx, 1);
+            }
+        }
+        if (override.add) {
+            for (const add of override.add) {
+                if (!betas.includes(add))
+                    betas.push(add);
+            }
+        }
+    }
+    // Filter out excluded betas (from previous failed requests due to long context errors)
+    if (excluded && excluded.size > 0) {
+        return betas.filter((beta) => !excluded.has(beta));
+    }
+    return betas;
+}
+//# sourceMappingURL=betas.js.map

package/dist/betas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"betas.js","sourceRoot":"","sources":["../src/betas.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAA;AAC5D,OAAO,EAAE,iBAAiB,EAAE,MAAM,oBAAoB,CAAA;AAEtD,uEAAuE;AACvE,MAAM,CAAC,MAAM,kBAAkB,GAAG,MAAM,CAAC,gBAAgB,CAAA;AAEzD,SAAS,gBAAgB;IACvB,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,oBAAoB,IAAI,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;SACpE,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;SACpB,MAAM,CAAC,OAAO,CAAC,CAAA;AACpB,CAAC;AAED,mFAAmF;AACnF,MAAM,aAAa,GAA6B,IAAI,GAAG,EAAE,CAAA;AAEzD,qEAAqE;AACrE,IAAI,gBAAgB,GAAuB,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAA;AAC3E,IAAI,WAA+B,CAAA;AAEnC,MAAM,UAAU,gBAAgB,CAAC,OAAe;IAC9C,wDAAwD;IACxD,MAAM,gBAAgB,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAA;IACzD,IAAI,gBAAgB,KAAK,gBAAgB,EAAE,CAAC;QAC1C,aAAa,CAAC,KAAK,EAAE,CAAA;QACrB,gBAAgB,GAAG,gBAAgB,CAAA;IACrC,CAAC;IAED,mFAAmF;IACnF,IAAI,WAAW,KAAK,SAAS,IAAI,WAAW,KAAK,OAAO,EAAE,CAAC;QACzD,aAAa,CAAC,KAAK,EAAE,CAAA;IACvB,CAAC;IACD,WAAW,GAAG,OAAO,CAAA;IAErB,OAAO,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,GAAG,EAAE,CAAA;AAChD,CAAC;AAED,MAAM,UAAU,eAAe,CAAC,OAAe,EAAE,IAAY;IAC3D,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,IAAI,GAAG,EAAE,CAAA;IACxD,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAA;IAClB,aAAa,CAAC,GAAG,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;AACtC,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,aAAa,CAAC,KAAK,EAAE,CAAA;IACrB,WAAW,GAAG,SAAS,CAAA;AACzB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,YAAoB;IACrD,OAAO,CACL,YAAY,CAAC,QAAQ,CACnB,mDAAmD,CACpD;QACD,YAAY,CAAC,QAAQ,CAAC,wCAAwC,CAAC;QAC/D,YAAY,CAAC,QAAQ,CAAC,2BAA2B,CAAC,CACnD,CAAA;AACH,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,OAAe;IAClD,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAA;IAC1C,KAAK,MAAM,IAAI,IAAI,kBAAkB,EAAE,CAAC;QACtC,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACxB,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IACD,OAAO,IAAI,CAAA,CAAC,0CAA0C;AACxD,CAAC;AAED,MAAM,UAAU,iBAAiB,CAAC,OAAe;IAC/C,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAA;IACnC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,KAAK,CAAA;IACtE,MAAM,YAAY,GAAG,KAAK,CAAC,KAAK,CAAC,2BAA2B,CAAC,CAAA;IAC7D,IAAI,CAAC,YAAY;QAAE,OAAO,KAAK,CAAA;IAC/B,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IAC3C,MAAM,KAAK,GAAG,QAAQ,CAAC,YAAY,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAA;IAC3C,oEAAoE;IACpE,MAAM,cAAc,GAAG,KAAK,GAAG,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAA;IAC7C,OAAO,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,CAAC,IAAI,cAAc,IAAI,CAAC,CAAC,CAAA;AAC1D,CAAC;AAED,MAAM,UAAU,aAAa,CAC3B,OAAe,EACf,QAAsB;IAEtB,MAAM,KAAK,GAAG,CAAC,GAAG,gBAAgB,EAAE,CAAC,CAAA;IAErC,wEAAwE;IACxE,oEAAoE;IACpE,sEAAsE;IACtE,iEAAiE;IACjE,8DAA8D;IAC9D,EAAE;IACF,wEAAwE;IACxE,0EAA0E;IAC1E,IAAI,iBAAiB,EAAE,IAAI,iBAAiB,CAAC,OAAO,CAAC,EAAE,CAAC;QACtD,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,CAAA;IACxC,CAAC;IAED,uEAAuE;IACvE,MAAM,QAAQ,GAAG,gBAAgB,CAAC,OAAO,CAAC,CAAA;IAC1C,IAAI,QAAQ,EAAE,CAAC;QACb,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;YACrB,KAAK,MAAM,EAAE,IAAI,QAAQ,CAAC,OAAO,EAAE,CAAC;gBAClC,MAAM,GAAG,GAAG,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,CAAA;gBAC7B,IAAI,GAAG,KAAK,CAAC,CAAC;oBAAE,KAAK,CAAC,MAAM,CAAC,GAAG,EAAE,CAAC,CAAC,CAAA;YACtC,CAAC;QACH,CAAC;QACD,IAAI,QAAQ,CAAC,GAAG,EAAE,CAAC;YACjB,KAAK,MAAM,GAAG,IAAI,QAAQ,CAAC,GAAG,EAAE,CAAC;gBAC/B,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC;oBAAE,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;YAC3C,CAAC;QACH,CAAC;IACH,CAAC;IAED,uFAAuF;IACvF,IAAI,QAAQ,IAAI,QAAQ,CAAC,IAAI,GAAG,CAAC,EAAE,CAAC;QAClC,OAAO,KAAK,CAAC,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,CAAA;IACpD,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC"}

package/dist/credentials.d.ts

@@ -0,0 +1,29 @@
+import { type ClaudeCredentials, type ClaudeAccount } from "./keychain.ts";
+export type { ClaudeCredentials } from "./keychain.ts";
+export type { ClaudeAccount } from "./keychain.ts";
+export declare function initAccounts(accounts: ClaudeAccount[]): void;
+export declare function getAccounts(): ClaudeAccount[];
+export declare function setActiveAccountSource(source: string): void;
+export declare function refreshAccountsList(): ClaudeAccount[];
+export declare function loadPersistedAccountSource(): string | null;
+export declare function saveAccountSource(source: string): void;
+export declare function syncAuthJson(creds: ClaudeCredentials): void;
+export declare const OAUTH_TOKEN_URL = "https://claude.ai/v1/oauth/token";
+export declare const OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+/**
+ * Parse a raw OAuth token response into ClaudeCredentials.
+ * Returns null if the response is missing a valid access_token.
+ * Defaults expires_in to 36000s (10h) to match observed Claude token lifetime.
+ */
+export declare function parseOAuthResponse(raw: string, currentRefreshToken: string, now?: number): ClaudeCredentials | null;
+export declare function refreshViaOAuth(refreshToken: string): ClaudeCredentials | null;
+export declare function refreshIfNeeded(account?: ClaudeAccount): ClaudeCredentials | null;
+/**
+ * Returns the active account's credentials for auth.json sync purposes.
+ * Unlike getCachedCredentials(), this does NOT trigger a refresh.
+ * It returns the account's current in-memory credentials if they're still valid.
+ * Returns null if no account or credentials are expired.
+ */
+export declare function getCredentialsForSync(): ClaudeCredentials | null;
+export declare function getCachedCredentials(): ClaudeCredentials | null;
+//# sourceMappingURL=credentials.d.ts.map

package/dist/credentials.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"credentials.d.ts","sourceRoot":"","sources":["../src/credentials.ts"],"names":[],"mappings":"AAUA,OAAO,EAIL,KAAK,iBAAiB,EACtB,KAAK,aAAa,EACnB,MAAM,eAAe,CAAA;AAItB,YAAY,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAA;AACtD,YAAY,EAAE,aAAa,EAAE,MAAM,eAAe,CAAA;AAWlD,wBAAgB,YAAY,CAAC,QAAQ,EAAE,aAAa,EAAE,GAAG,IAAI,CAE5D;AAED,wBAAgB,WAAW,IAAI,aAAa,EAAE,CAE7C;AAED,wBAAgB,sBAAsB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAQ3D;AAED,wBAAgB,mBAAmB,IAAI,aAAa,EAAE,CAGrD;AAqBD,wBAAgB,0BAA0B,IAAI,MAAM,GAAG,IAAI,CAU1D;AAED,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,MAAM,GAAG,IAAI,CAStD;AA4CD,wBAAgB,YAAY,CAAC,KAAK,EAAE,iBAAiB,GAAG,IAAI,CAc3D;AAED,eAAO,MAAM,eAAe,qCAAqC,CAAA;AACjE,eAAO,MAAM,eAAe,yCAAyC,CAAA;AAErE;;;;GAIG;AACH,wBAAgB,kBAAkB,CAChC,GAAG,EAAE,MAAM,EACX,mBAAmB,EAAE,MAAM,EAC3B,GAAG,GAAE,MAAmB,GACvB,iBAAiB,GAAG,IAAI,CAoB1B;AAED,wBAAgB,eAAe,CAC7B,YAAY,EAAE,MAAM,GACnB,iBAAiB,GAAG,IAAI,CAmD1B;AA2BD,wBAAgB,eAAe,CAC7B,OAAO,CAAC,EAAE,aAAa,GACtB,iBAAiB,GAAG,IAAI,CAgD1B;AAED;;;;;GAKG;AACH,wBAAgB,qBAAqB,IAAI,iBAAiB,GAAG,IAAI,CAWhE;AAED,wBAAgB,oBAAoB,IAAI,iBAAiB,GAAG,IAAI,CAgC/D"}