@otto-assistant/bridge 0.4.97 → 0.4.101

package/src/anthropic-auth-plugin.ts

@@ -23,7 +23,7 @@
  * - https://github.com/badlogic/pi-mono/blob/main/packages/ai/src/providers/anthropic.ts
  */
 
-import type { Plugin } from '@opencode-ai/plugin'
+import type { Plugin } from "@opencode-ai/plugin";
 import {
   loadAccountStore,
   rememberAnthropicOAuth,
@@ -34,100 +34,113 @@ import {
   type OAuthStored,
   upsertAccount,
   withAuthStateLock,
-} from './anthropic-auth-state.js'
+} from "./anthropic-auth-state.js";
 import {
   extractAnthropicAccountIdentity,
   type AnthropicAccountIdentity,
-} from './anthropic-account-identity.js'
+} from "./anthropic-account-identity.js";
 // PKCE (Proof Key for Code Exchange) using Web Crypto API.
 // Reference: https://github.com/badlogic/pi-mono/blob/main/packages/ai/src/utils/oauth/pkce.ts
 function base64urlEncode(bytes: Uint8Array): string {
-  let binary = ''
+  let binary = "";
   for (const byte of bytes) {
-    binary += String.fromCharCode(byte)
+    binary += String.fromCharCode(byte);
   }
-  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
+  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
 }
 
-async function generatePKCE(): Promise<{ verifier: string; challenge: string }> {
-  const verifierBytes = new Uint8Array(32)
-  crypto.getRandomValues(verifierBytes)
-  const verifier = base64urlEncode(verifierBytes)
-  const data = new TextEncoder().encode(verifier)
-  const hashBuffer = await crypto.subtle.digest('SHA-256', data)
-  const challenge = base64urlEncode(new Uint8Array(hashBuffer))
-  return { verifier, challenge }
+async function generatePKCE(): Promise<{
+  verifier: string;
+  challenge: string;
+}> {
+  const verifierBytes = new Uint8Array(32);
+  crypto.getRandomValues(verifierBytes);
+  const verifier = base64urlEncode(verifierBytes);
+  const data = new TextEncoder().encode(verifier);
+  const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+  const challenge = base64urlEncode(new Uint8Array(hashBuffer));
+  return { verifier, challenge };
 }
-import { spawn } from 'node:child_process'
-import { createServer, type Server } from 'node:http'
+import { spawn } from "node:child_process";
+import { createServer, type Server } from "node:http";
 
 // --- Constants ---
 
 const CLIENT_ID = (() => {
-  const encoded = 'OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl'
-  return typeof atob === 'function'
+  const encoded = "OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl";
+  return typeof atob === "function"
     ? atob(encoded)
-    : Buffer.from(encoded, 'base64').toString('utf8')
-})()
-
-const TOKEN_URL = 'https://platform.claude.com/v1/oauth/token'
-const CREATE_API_KEY_URL = 'https://api.anthropic.com/api/oauth/claude_cli/create_api_key'
-const CLIENT_DATA_URL = 'https://api.anthropic.com/api/oauth/claude_cli/client_data'
-const PROFILE_URL = 'https://api.anthropic.com/api/oauth/profile'
-const CALLBACK_PORT = 53692
-const CALLBACK_PATH = '/callback'
-const REDIRECT_URI = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`
+    : Buffer.from(encoded, "base64").toString("utf8");
+})();
+
+const TOKEN_URL = "https://platform.claude.com/v1/oauth/token";
+const CREATE_API_KEY_URL =
+  "https://api.anthropic.com/api/oauth/claude_cli/create_api_key";
+const CLIENT_DATA_URL =
+  "https://api.anthropic.com/api/oauth/claude_cli/client_data";
+const PROFILE_URL = "https://api.anthropic.com/api/oauth/profile";
+const CALLBACK_PORT = 53692;
+const CALLBACK_PATH = "/callback";
+const REDIRECT_URI = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
 const SCOPES =
-  'org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload'
-const OAUTH_TIMEOUT_MS = 5 * 60 * 1000
-const CLAUDE_CODE_VERSION = '2.1.75'
-const CLAUDE_CODE_IDENTITY = "You are Claude Code, Anthropic's official CLI for Claude."
-const OPENCODE_IDENTITY = 'You are OpenCode, the best coding agent on the planet.'
-const CLAUDE_CODE_BETA = 'claude-code-20250219'
-const OAUTH_BETA = 'oauth-2025-04-20'
-const FINE_GRAINED_TOOL_STREAMING_BETA = 'fine-grained-tool-streaming-2025-05-14'
-const INTERLEAVED_THINKING_BETA = 'interleaved-thinking-2025-05-14'
-const TOAST_SESSION_HEADER = 'x-kimaki-session-id'
+  "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
+const OAUTH_TIMEOUT_MS = 5 * 60 * 1000;
+const CLAUDE_CODE_VERSION = "2.1.75";
+const CLAUDE_CODE_IDENTITY =
+  "You are Claude Code, Anthropic's official CLI for Claude.";
+const OPENCODE_IDENTITY =
+  "You are OpenCode, the best coding agent on the planet.";
+const ANTHROPIC_PROMPT_MARKER = "Skills provide specialized instructions";
+const CLAUDE_CODE_BETA = "claude-code-20250219";
+const OAUTH_BETA = "oauth-2025-04-20";
+const FINE_GRAINED_TOOL_STREAMING_BETA =
+  "fine-grained-tool-streaming-2025-05-14";
+const INTERLEAVED_THINKING_BETA = "interleaved-thinking-2025-05-14";
+const TOAST_SESSION_HEADER = "x-kimaki-session-id";
 
 const ANTHROPIC_HOSTS = new Set([
-  'api.anthropic.com',
-  'claude.ai',
-  'console.anthropic.com',
-  'platform.claude.com',
-])
+  "api.anthropic.com",
+  "claude.ai",
+  "console.anthropic.com",
+  "platform.claude.com",
+]);
 
 const OPENCODE_TO_CLAUDE_CODE_TOOL_NAME: Record<string, string> = {
-  bash: 'Bash',
-  edit: 'Edit',
-  glob: 'Glob',
-  grep: 'Grep',
-  question: 'AskUserQuestion',
-  read: 'Read',
-  skill: 'Skill',
-  task: 'Task',
-  todowrite: 'TodoWrite',
-  webfetch: 'WebFetch',
-  websearch: 'WebSearch',
-  write: 'Write',
-}
+  bash: "Bash",
+  edit: "Edit",
+  glob: "Glob",
+  grep: "Grep",
+  question: "AskUserQuestion",
+  read: "Read",
+  skill: "Skill",
+  task: "Task",
+  todowrite: "TodoWrite",
+  webfetch: "WebFetch",
+  websearch: "WebSearch",
+  write: "Write",
+};
 
 // --- Types ---
 
 type OAuthSuccess = {
-  type: 'success'
-  provider?: string
-  refresh: string
-  access: string
-  expires: number
-}
+  type: "success";
+  provider?: string;
+  refresh: string;
+  access: string;
+  expires: number;
+};
 
 type ApiKeySuccess = {
-  type: 'success'
-  provider?: string
-  key: string
-}
+  type: "success";
+  provider?: string;
+  key: string;
+};
 
-type AuthResult = OAuthSuccess | ApiKeySuccess | { type: 'failed' }
+type AuthResult = OAuthSuccess | ApiKeySuccess | { type: "failed" };
+type PluginHooks = Awaited<ReturnType<Plugin>>;
+type SystemTransformHook = NonNullable<
+  PluginHooks["experimental.chat.system.transform"]
+>;
 
 // --- HTTP helpers ---
 
@@ -138,9 +151,9 @@ type AuthResult = OAuthSuccess | ApiKeySuccess | { type: 'failed' }
 async function requestText(
   urlString: string,
   options: {
-    method: string
-    headers?: Record<string, string>
-    body?: string
+    method: string;
+    headers?: Record<string, string>;
+    body?: string;
   },
 ): Promise<string> {
   return new Promise((resolve, reject) => {
@@ -149,11 +162,11 @@ async function requestText(
       headers: options.headers,
       method: options.method,
       url: urlString,
-    })
+    });
     const child = spawn(
-      'node',
+      "node",
       [
-        '-e',
+        "-e",
         `
 const input = JSON.parse(process.argv[1]);
 (async () => {
@@ -176,82 +189,96 @@ const input = JSON.parse(process.argv[1]);
         payload,
       ],
       {
-        stdio: ['ignore', 'pipe', 'pipe'],
+        stdio: ["ignore", "pipe", "pipe"],
       },
-    )
+    );
 
-    let stdout = ''
-    let stderr = ''
+    let stdout = "";
+    let stderr = "";
     const timeout = setTimeout(() => {
-      child.kill()
-      reject(new Error(`Request timed out. url=${urlString}`))
-    }, 30_000)
-
-    child.stdout.on('data', (chunk) => {
-      stdout += String(chunk)
-    })
-    child.stderr.on('data', (chunk) => {
-      stderr += String(chunk)
-    })
-
-    child.on('error', (error) => {
-      clearTimeout(timeout)
-      reject(error)
-    })
-
-    child.on('close', (code) => {
-      clearTimeout(timeout)
+      child.kill();
+      reject(new Error(`Request timed out. url=${urlString}`));
+    }, 30_000);
+
+    child.stdout.on("data", (chunk) => {
+      stdout += String(chunk);
+    });
+    child.stderr.on("data", (chunk) => {
+      stderr += String(chunk);
+    });
+
+    child.on("error", (error) => {
+      clearTimeout(timeout);
+      reject(error);
+    });
+
+    child.on("close", (code) => {
+      clearTimeout(timeout);
       if (code !== 0) {
-        let details = stderr.trim()
+        let details = stderr.trim();
         try {
-          const parsed = JSON.parse(details) as { status?: number; body?: string }
-          if (typeof parsed.status === 'number') {
-            reject(new Error(`HTTP ${parsed.status} from ${urlString}: ${parsed.body ?? ''}`))
-            return
+          const parsed = JSON.parse(details) as {
+            status?: number;
+            body?: string;
+          };
+          if (typeof parsed.status === "number") {
+            reject(
+              new Error(
+                `HTTP ${parsed.status} from ${urlString}: ${parsed.body ?? ""}`,
+              ),
+            );
+            return;
           }
         } catch {
           // fall back to raw stderr
         }
-        reject(new Error(details || `Node helper exited with code ${code}`))
-        return
+        reject(new Error(details || `Node helper exited with code ${code}`));
+        return;
       }
-      resolve(stdout)
-    })
-  })
+      resolve(stdout);
+    });
+  });
 }
 
-async function postJson(url: string, body: Record<string, string | number>): Promise<unknown> {
-  const requestBody = JSON.stringify(body)
+async function postJson(
+  url: string,
+  body: Record<string, string | number>,
+): Promise<unknown> {
+  const requestBody = JSON.stringify(body);
   const responseText = await requestText(url, {
-    method: 'POST',
+    method: "POST",
     headers: {
-      Accept: 'application/json',
-      'Content-Length': String(Buffer.byteLength(requestBody)),
-      'Content-Type': 'application/json',
+      Accept: "application/json",
+      "Content-Length": String(Buffer.byteLength(requestBody)),
+      "Content-Type": "application/json",
     },
     body: requestBody,
-  })
-  return JSON.parse(responseText) as unknown
+  });
+  return JSON.parse(responseText) as unknown;
 }
 
-const pendingRefresh = new Map<string, Promise<OAuthStored>>()
+const pendingRefresh = new Map<string, Promise<OAuthStored>>();
 
 // --- OAuth token exchange & refresh ---
 
 function parseTokenResponse(json: unknown): {
-  access_token: string
-  refresh_token: string
-  expires_in: number
+  access_token: string;
+  refresh_token: string;
+  expires_in: number;
 } {
-  const data = json as { access_token: string; refresh_token: string; expires_in: number }
+  const data = json as {
+    access_token: string;
+    refresh_token: string;
+    expires_in: number;
+  };
   if (!data.access_token || !data.refresh_token) {
-    throw new Error(`Invalid token response: ${JSON.stringify(json)}`)
+    throw new Error(`Invalid token response: ${JSON.stringify(json)}`);
   }
-  return data
+  return data;
 }
 
 function tokenExpiry(expiresIn: number) {
-  return Date.now() + expiresIn * 1000 - 5 * 60 * 1000
+  return Date.now() + expiresIn * 1000 - 5 * 60 * 1000;
 }
 
 async function exchangeAuthorizationCode(
@@ -261,134 +288,140 @@ async function exchangeAuthorizationCode(
   redirectUri: string,
 ): Promise<OAuthSuccess> {
   const json = await postJson(TOKEN_URL, {
-    grant_type: 'authorization_code',
+    grant_type: "authorization_code",
     client_id: CLIENT_ID,
     code,
     state,
     redirect_uri: redirectUri,
     code_verifier: verifier,
-  })
-  const data = parseTokenResponse(json)
+  });
+  const data = parseTokenResponse(json);
   return {
-    type: 'success',
+    type: "success",
     refresh: data.refresh_token,
     access: data.access_token,
     expires: tokenExpiry(data.expires_in),
-  }
+  };
 }
 
-async function refreshAnthropicToken(refreshToken: string): Promise<OAuthStored> {
+async function refreshAnthropicToken(
+  refreshToken: string,
+): Promise<OAuthStored> {
   const json = await postJson(TOKEN_URL, {
-    grant_type: 'refresh_token',
+    grant_type: "refresh_token",
     client_id: CLIENT_ID,
     refresh_token: refreshToken,
-  })
-  const data = parseTokenResponse(json)
+  });
+  const data = parseTokenResponse(json);
   return {
-    type: 'oauth',
+    type: "oauth",
     refresh: data.refresh_token,
     access: data.access_token,
     expires: tokenExpiry(data.expires_in),
-  }
+  };
 }
 
 async function createApiKey(accessToken: string): Promise<ApiKeySuccess> {
   const responseText = await requestText(CREATE_API_KEY_URL, {
-    method: 'POST',
+    method: "POST",
     headers: {
-      Accept: 'application/json',
+      Accept: "application/json",
       authorization: `Bearer ${accessToken}`,
-      'Content-Type': 'application/json',
+      "Content-Type": "application/json",
     },
-  })
-  const json = JSON.parse(responseText) as { raw_key: string }
-  return { type: 'success', key: json.raw_key }
+  });
+  const json = JSON.parse(responseText) as { raw_key: string };
+  return { type: "success", key: json.raw_key };
 }
 
 async function fetchAnthropicAccountIdentity(accessToken: string) {
-  const urls = [CLIENT_DATA_URL, PROFILE_URL]
+  const urls = [CLIENT_DATA_URL, PROFILE_URL];
   for (const url of urls) {
     const responseText = await requestText(url, {
-      method: 'GET',
+      method: "GET",
       headers: {
-        Accept: 'application/json',
+        Accept: "application/json",
         authorization: `Bearer ${accessToken}`,
-        'user-agent': process.env.OPENCODE_ANTHROPIC_USER_AGENT || `claude-cli/${CLAUDE_CODE_VERSION}`,
-        'x-app': 'cli',
+        "user-agent":
+          process.env.OPENCODE_ANTHROPIC_USER_AGENT ||
+          `claude-cli/${CLAUDE_CODE_VERSION}`,
+        "x-app": "cli",
       },
     }).catch(() => {
-      return undefined
-    })
-    if (!responseText) continue
-    const parsed = JSON.parse(responseText) as unknown
-    const identity = extractAnthropicAccountIdentity(parsed)
-    if (identity) return identity
+      return undefined;
+    });
+    if (!responseText) continue;
+    const parsed = JSON.parse(responseText) as unknown;
+    const identity = extractAnthropicAccountIdentity(parsed);
+    if (identity) return identity;
   }
-  return undefined
+  return undefined;
 }
 
 // --- Localhost callback server ---
 
-type CallbackResult = { code: string; state: string }
+type CallbackResult = { code: string; state: string };
 
 async function startCallbackServer(expectedState: string) {
   return new Promise<{
-    server: Server
-    cancelWait: () => void
-    waitForCode: () => Promise<CallbackResult | null>
+    server: Server;
+    cancelWait: () => void;
+    waitForCode: () => Promise<CallbackResult | null>;
   }>((resolve, reject) => {
-    let settle: ((value: CallbackResult | null) => void) | undefined
-    let settled = false
+    let settle: ((value: CallbackResult | null) => void) | undefined;
+    let settled = false;
     const waitPromise = new Promise<CallbackResult | null>((res) => {
       settle = (v) => {
-        if (settled) return
-        settled = true
-        res(v)
-      }
-    })
+        if (settled) return;
+        settled = true;
+        res(v);
+      };
+    });
 
     const server = createServer((req, res) => {
       try {
-        const url = new URL(req.url || '', 'http://localhost')
+        const url = new URL(req.url || "", "http://localhost");
         if (url.pathname !== CALLBACK_PATH) {
-          res.writeHead(404).end('Not found')
-          return
+          res.writeHead(404).end("Not found");
+          return;
         }
-        const code = url.searchParams.get('code')
-        const state = url.searchParams.get('state')
-        const error = url.searchParams.get('error')
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        const error = url.searchParams.get("error");
         if (error || !code || !state || state !== expectedState) {
-          res.writeHead(400).end('Authentication failed: ' + (error || 'missing code/state'))
-          return
+          res
+            .writeHead(400)
+            .end("Authentication failed: " + (error || "missing code/state"));
+          return;
         }
         res
-          .writeHead(200, { 'Content-Type': 'text/plain' })
-          .end('Authentication successful. You can close this window.')
-        settle?.({ code, state })
+          .writeHead(200, { "Content-Type": "text/plain" })
+          .end("Authentication successful. You can close this window.");
+        settle?.({ code, state });
       } catch {
-        res.writeHead(500).end('Internal error')
+        res.writeHead(500).end("Internal error");
       }
-    })
+    });
 
-    server.once('error', reject)
-    server.listen(CALLBACK_PORT, '127.0.0.1', () => {
+    server.once("error", reject);
+    server.listen(CALLBACK_PORT, "127.0.0.1", () => {
       resolve({
         server,
         cancelWait: () => {
-          settle?.(null)
+          settle?.(null);
         },
         waitForCode: () => waitPromise,
-      })
-    })
-  })
+      });
+    });
+  });
 }
 
 function closeServer(server: Server) {
   return new Promise<void>((resolve) => {
     server.close(() => {
-      resolve()
-    })
-  })
+      resolve();
+    });
+  });
 }
 
 // --- Authorization flow ---
@@ -396,25 +429,25 @@ function closeServer(server: Server) {
 // then waitForCallback handles both auto (localhost) and manual (pasted code) paths.
 
 async function beginAuthorizationFlow() {
-  const pkce = await generatePKCE()
-  const callbackServer = await startCallbackServer(pkce.verifier)
+  const pkce = await generatePKCE();
+  const callbackServer = await startCallbackServer(pkce.verifier);
 
   const authParams = new URLSearchParams({
-    code: 'true',
+    code: "true",
     client_id: CLIENT_ID,
-    response_type: 'code',
+    response_type: "code",
     redirect_uri: REDIRECT_URI,
     scope: SCOPES,
     code_challenge: pkce.challenge,
-    code_challenge_method: 'S256',
+    code_challenge_method: "S256",
     state: pkce.verifier,
-  })
+  });
 
   return {
     url: `https://claude.ai/oauth/authorize?${authParams.toString()}`,
     verifier: pkce.verifier,
     callbackServer,
-  }
+  };
 }
 
 async function waitForCallback(
@@ -427,16 +460,16 @@ async function waitForCallback(
       callbackServer.waitForCode(),
       new Promise<null>((r) => {
         setTimeout(() => {
-          r(null)
-        }, 50)
+          r(null);
+        }, 50);
       }),
-    ])
-    if (quick?.code) return quick
+    ]);
+    if (quick?.code) return quick;
 
     // If manual input was provided, parse it
-    const trimmed = manualInput?.trim()
+    const trimmed = manualInput?.trim();
     if (trimmed) {
-      return parseManualInput(trimmed)
+      return parseManualInput(trimmed);
     }
 
     // Wait for localhost callback with timeout
@@ -444,108 +477,111 @@ async function waitForCallback(
       callbackServer.waitForCode(),
       new Promise<null>((r) => {
         setTimeout(() => {
-          r(null)
-        }, OAUTH_TIMEOUT_MS)
+          r(null);
+        }, OAUTH_TIMEOUT_MS);
       }),
-    ])
+    ]);
     if (!result?.code) {
-      throw new Error('Timed out waiting for OAuth callback')
+      throw new Error("Timed out waiting for OAuth callback");
     }
-    return result
+    return result;
   } finally {
-    callbackServer.cancelWait()
-    await closeServer(callbackServer.server)
+    callbackServer.cancelWait();
+    await closeServer(callbackServer.server);
   }
 }
 
 function parseManualInput(input: string): CallbackResult {
   try {
-    const url = new URL(input)
-    const code = url.searchParams.get('code')
-    const state = url.searchParams.get('state')
-    if (code) return { code, state: state || '' }
+    const url = new URL(input);
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    if (code) return { code, state: state || "" };
   } catch {
     // not a URL
   }
-  if (input.includes('#')) {
-    const [code = '', state = ''] = input.split('#', 2)
-    return { code, state }
+  if (input.includes("#")) {
+    const [code = "", state = ""] = input.split("#", 2);
+    return { code, state };
   }
-  if (input.includes('code=')) {
-    const params = new URLSearchParams(input)
-    const code = params.get('code')
-    if (code) return { code, state: params.get('state') || '' }
+  if (input.includes("code=")) {
+    const params = new URLSearchParams(input);
+    const code = params.get("code");
+    if (code) return { code, state: params.get("state") || "" };
   }
-  return { code: input, state: '' }
+  return { code: input, state: "" };
 }
 
 // Unified authorize handler: returns either OAuth tokens or an API key,
 // for both auto and remote-first modes.
-function buildAuthorizeHandler(mode: 'oauth' | 'apikey') {
+function buildAuthorizeHandler(mode: "oauth" | "apikey") {
   return async () => {
-    const auth = await beginAuthorizationFlow()
-    const isRemote = Boolean(process.env.KIMAKI)
-    let pendingAuthResult: Promise<AuthResult> | undefined
+    const auth = await beginAuthorizationFlow();
+    const isRemote = Boolean(process.env.KIMAKI);
+    let pendingAuthResult: Promise<AuthResult> | undefined;
 
     const finalize = async (result: CallbackResult): Promise<AuthResult> => {
-      const verifier = auth.verifier
+      const verifier = auth.verifier;
       const creds = await exchangeAuthorizationCode(
         result.code,
         result.state || verifier,
         verifier,
         REDIRECT_URI,
-      )
-      if (mode === 'apikey') {
-        return createApiKey(creds.access)
+      );
+      if (mode === "apikey") {
+        return createApiKey(creds.access);
       }
-      const identity = await fetchAnthropicAccountIdentity(creds.access)
-      await rememberAnthropicOAuth({
-        type: 'oauth',
-        refresh: creds.refresh,
-        access: creds.access,
-        expires: creds.expires,
-      }, identity)
-      return creds
-    }
+      const identity = await fetchAnthropicAccountIdentity(creds.access);
+      await rememberAnthropicOAuth(
+        {
+          type: "oauth",
+          refresh: creds.refresh,
+          access: creds.access,
+          expires: creds.expires,
+        },
+        identity,
+      );
+      return creds;
+    };
 
     if (!isRemote) {
       return {
         url: auth.url,
         instructions:
-          'Complete login in your browser on this machine. OpenCode will catch the localhost callback automatically.',
-        method: 'auto' as const,
+          "Complete login in your browser on this machine. OpenCode will catch the localhost callback automatically.",
+        method: "auto" as const,
         callback: async (): Promise<AuthResult> => {
           pendingAuthResult ??= (async () => {
             try {
-              const result = await waitForCallback(auth.callbackServer)
-              return await finalize(result)
+              const result = await waitForCallback(auth.callbackServer);
+              return await finalize(result);
             } catch {
-              return { type: 'failed' }
+              return { type: "failed" };
             }
-          })()
-          return pendingAuthResult
+          })();
+          return pendingAuthResult;
         },
-      }
+      };
     }
 
     return {
       url: auth.url,
       instructions:
-        'Complete login in your browser, then paste the final redirect URL from the address bar here. Pasting just the authorization code also works.',
-      method: 'code' as const,
+        "Complete login in your browser, then paste the final redirect URL from the address bar here. Pasting just the authorization code also works.",
+      method: "code" as const,
       callback: async (input: string): Promise<AuthResult> => {
         pendingAuthResult ??= (async () => {
           try {
-            const result = await waitForCallback(auth.callbackServer, input)
-            return await finalize(result)
+            const result = await waitForCallback(auth.callbackServer, input);
+            return await finalize(result);
           } catch {
-            return { type: 'failed' }
+            return { type: "failed" };
           }
-        })()
-        return pendingAuthResult
+        })();
+        return pendingAuthResult;
       },
-    }
-  }
+    };
+  };
 }
 
 // --- Request/response rewriting ---
@@ -553,397 +589,484 @@ function buildAuthorizeHandler(mode: 'oauth' | 'apikey') {
 // and reverses the mapping in streamed responses.
 
 function toClaudeCodeToolName(name: string) {
-  return OPENCODE_TO_CLAUDE_CODE_TOOL_NAME[name.toLowerCase()] ?? name
+  return OPENCODE_TO_CLAUDE_CODE_TOOL_NAME[name.toLowerCase()] ?? name;
 }
 
-function sanitizeSystemText(text: string, onError?: (msg: string) => void) {
-  const startIdx = text.indexOf(OPENCODE_IDENTITY)
-  if (startIdx === -1) return text
-  const codeRefsMarker = '# Code References'
-  const endIdx = text.indexOf(codeRefsMarker, startIdx)
+function sanitizeAnthropicSystemText(
+  text: string,
+  onError?: (msg: string) => void,
+) {
+  const startIdx = text.indexOf(OPENCODE_IDENTITY);
+  if (startIdx === -1) return text;
+
+  // Keep the marker aligned with the current OpenCode Anthropic prompt.
+  const endIdx = text.indexOf(ANTHROPIC_PROMPT_MARKER, startIdx);
   if (endIdx === -1) {
-    onError?.(`sanitizeSystemText: could not find '# Code References' after OpenCode identity`)
-    return text
+    onError?.(
+      "sanitizeAnthropicSystemText: could not find Anthropic prompt marker after OpenCode identity",
+    );
+    return text;
   }
-  // Remove everything from the OpenCode identity up to (but not including) '# Code References'
-  return text.slice(0, startIdx) + text.slice(endIdx)
+
+  return (text.slice(0, startIdx) + text.slice(endIdx)).replaceAll(
+    "opencode",
+    "openc0de",
+  );
 }
 
-function prependClaudeCodeIdentity(system: unknown, onError?: (msg: string) => void) {
-  const identityBlock = { type: 'text', text: CLAUDE_CODE_IDENTITY }
+function mapSystemTextPart(
+  part: unknown,
+  onError?: (msg: string) => void,
+): unknown {
+  if (typeof part === "string") {
+    return { type: "text", text: sanitizeAnthropicSystemText(part, onError) };
+  }
 
-  if (typeof system === 'undefined') return [identityBlock]
+  if (
+    part &&
+    typeof part === "object" &&
+    "type" in part &&
+    part.type === "text" &&
+    "text" in part &&
+    typeof part.text === "string"
+  ) {
+    return {
+      ...part,
+      text: sanitizeAnthropicSystemText(part.text, onError),
+    };
+  }
+
+  return part;
+}
 
-  if (typeof system === 'string') {
-    const sanitized = sanitizeSystemText(system, onError)
-    if (sanitized === CLAUDE_CODE_IDENTITY) return [identityBlock]
-    return [identityBlock, { type: 'text', text: sanitized }]
+
+function prependClaudeCodeIdentity(
+  system: unknown,
+  onError?: (msg: string) => void,
+) {
+  const identityBlock = { type: "text", text: CLAUDE_CODE_IDENTITY };
+
+  if (typeof system === "undefined") return [identityBlock];
+
+  if (typeof system === "string") {
+    const sanitized = sanitizeAnthropicSystemText(system, onError);
+    if (sanitized === CLAUDE_CODE_IDENTITY) return [identityBlock];
+    return [identityBlock, { type: "text", text: sanitized }];
   }
 
-  if (!Array.isArray(system)) return [identityBlock, system]
+  if (!Array.isArray(system)) return [identityBlock, system];
 
   const sanitized = system.map((item) => {
-    if (typeof item === 'string') return { type: 'text', text: sanitizeSystemText(item, onError) }
-    if (item && typeof item === 'object' && (item as { type?: unknown }).type === 'text') {
-      const text = (item as { text?: unknown }).text
-      if (typeof text === 'string') {
-        return { ...(item as Record<string, unknown>), text: sanitizeSystemText(text, onError) }
-      }
-    }
-    return item
-  })
+    return mapSystemTextPart(item, onError);
+  });
 
-  const first = sanitized[0]
+  const first = sanitized[0];
   if (
     first &&
-    typeof first === 'object' &&
-    (first as { type?: unknown }).type === 'text' &&
-    (first as { text?: unknown }).text === CLAUDE_CODE_IDENTITY
+    typeof first === "object" &&
+    "type" in first &&
+    first.type === "text" &&
+    "text" in first &&
+    first.text === CLAUDE_CODE_IDENTITY
   ) {
-    return sanitized
+    return sanitized;
   }
-  return [identityBlock, ...sanitized]
+  return [identityBlock, ...sanitized];
 }
 
-function rewriteRequestPayload(body: string | undefined, onError?: (msg: string) => void) {
-  if (!body) return { body, modelId: undefined, reverseToolNameMap: new Map<string, string>() }
+function rewriteRequestPayload(
+  body: string | undefined,
+  onError?: (msg: string) => void,
+) {
+  if (!body)
+    return {
+      body,
+      modelId: undefined,
+      reverseToolNameMap: new Map<string, string>(),
+    };
 
   try {
-    const payload = JSON.parse(body) as Record<string, unknown>
-    const reverseToolNameMap = new Map<string, string>()
-    const modelId = typeof payload.model === 'string' ? payload.model : undefined
+    const payload = JSON.parse(body) as Record<string, unknown>;
+    const reverseToolNameMap = new Map<string, string>();
+    const modelId =
+      typeof payload.model === "string" ? payload.model : undefined;
 
     // Build reverse map and rename tools
     if (Array.isArray(payload.tools)) {
       payload.tools = payload.tools.map((tool) => {
-        if (!tool || typeof tool !== 'object') return tool
-        const name = (tool as { name?: unknown }).name
-        if (typeof name !== 'string') return tool
-        const mapped = toClaudeCodeToolName(name)
-        reverseToolNameMap.set(mapped, name)
-        return { ...(tool as Record<string, unknown>), name: mapped }
-      })
+        if (!tool || typeof tool !== "object") return tool;
+        const name = (tool as { name?: unknown }).name;
+        if (typeof name !== "string") return tool;
+        const mapped = toClaudeCodeToolName(name);
+        reverseToolNameMap.set(mapped, name);
+        return { ...(tool as Record<string, unknown>), name: mapped };
+      });
     }
 
     // Rename system prompt
-    payload.system = prependClaudeCodeIdentity(payload.system, onError)
+    payload.system = prependClaudeCodeIdentity(payload.system, onError);
 
     // Rename tool_choice
     if (
       payload.tool_choice &&
-      typeof payload.tool_choice === 'object' &&
-      (payload.tool_choice as { type?: unknown }).type === 'tool'
+      typeof payload.tool_choice === "object" &&
+      (payload.tool_choice as { type?: unknown }).type === "tool"
     ) {
-      const name = (payload.tool_choice as { name?: unknown }).name
-      if (typeof name === 'string') {
+      const name = (payload.tool_choice as { name?: unknown }).name;
+      if (typeof name === "string") {
         payload.tool_choice = {
           ...(payload.tool_choice as Record<string, unknown>),
           name: toClaudeCodeToolName(name),
-        }
+        };
       }
     }
 
     // Rename tool_use blocks in messages
     if (Array.isArray(payload.messages)) {
       payload.messages = payload.messages.map((message) => {
-        if (!message || typeof message !== 'object') return message
-        const content = (message as { content?: unknown }).content
-        if (!Array.isArray(content)) return message
+        if (!message || typeof message !== "object") return message;
+        const content = (message as { content?: unknown }).content;
+        if (!Array.isArray(content)) return message;
         return {
           ...(message as Record<string, unknown>),
           content: content.map((block) => {
-            if (!block || typeof block !== 'object') return block
-            const b = block as { type?: unknown; name?: unknown }
-            if (b.type !== 'tool_use' || typeof b.name !== 'string') return block
-            return { ...(block as Record<string, unknown>), name: toClaudeCodeToolName(b.name) }
+            if (!block || typeof block !== "object") return block;
+            const b = block as { type?: unknown; name?: unknown };
+            if (b.type !== "tool_use" || typeof b.name !== "string")
+              return block;
+            return {
+              ...(block as Record<string, unknown>),
+              name: toClaudeCodeToolName(b.name),
+            };
           }),
-        }
-      })
+        };
+      });
     }
 
-    return { body: JSON.stringify(payload), modelId, reverseToolNameMap }
+    return { body: JSON.stringify(payload), modelId, reverseToolNameMap };
   } catch {
-    return { body, modelId: undefined, reverseToolNameMap: new Map<string, string>() }
+    return {
+      body,
+      modelId: undefined,
+      reverseToolNameMap: new Map<string, string>(),
+    };
   }
 }
 
-function wrapResponseStream(response: Response, reverseToolNameMap: Map<string, string>) {
-  if (!response.body || reverseToolNameMap.size === 0) return response
+function wrapResponseStream(
+  response: Response,
+  reverseToolNameMap: Map<string, string>,
+) {
+  if (!response.body || reverseToolNameMap.size === 0) return response;
 
-  const reader = response.body.getReader()
-  const decoder = new TextDecoder()
-  const encoder = new TextEncoder()
-  let carry = ''
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder();
+  const encoder = new TextEncoder();
+  let carry = "";
 
   const transform = (text: string) => {
     return text.replace(/"name"\s*:\s*"([^"]+)"/g, (full, name: string) => {
-      const original = reverseToolNameMap.get(name)
-      return original ? full.replace(`"${name}"`, `"${original}"`) : full
-    })
-  }
+      const original = reverseToolNameMap.get(name);
+      return original ? full.replace(`"${name}"`, `"${original}"`) : full;
+    });
+  };
 
   const stream = new ReadableStream<Uint8Array>({
     async pull(controller) {
-      const { done, value } = await reader.read()
+      const { done, value } = await reader.read();
       if (done) {
-        const finalText = carry + decoder.decode()
-        if (finalText) controller.enqueue(encoder.encode(transform(finalText)))
-        controller.close()
-        return
+        const finalText = carry + decoder.decode();
+        if (finalText) controller.enqueue(encoder.encode(transform(finalText)));
+        controller.close();
+        return;
       }
-      carry += decoder.decode(value, { stream: true })
+      carry += decoder.decode(value, { stream: true });
       // Buffer 256 chars to avoid splitting JSON keys across chunks
-      if (carry.length <= 256) return
-      const output = carry.slice(0, -256)
-      carry = carry.slice(-256)
-      controller.enqueue(encoder.encode(transform(output)))
+      if (carry.length <= 256) return;
+      const output = carry.slice(0, -256);
+      carry = carry.slice(-256);
+      controller.enqueue(encoder.encode(transform(output)));
     },
     async cancel(reason) {
-      await reader.cancel(reason)
+      await reader.cancel(reason);
     },
-  })
+  });
 
   return new Response(stream, {
     status: response.status,
     statusText: response.statusText,
     headers: response.headers,
-  })
+  });
 }
 
 function appendToastSessionMarker({
   message,
   sessionId,
 }: {
-  message: string
-  sessionId: string | undefined
+  message: string;
+  sessionId: string | undefined;
 }) {
   if (!sessionId) {
-    return message
+    return message;
   }
-  return `${message} ${sessionId}`
+  return `${message} ${sessionId}`;
 }
 
 // --- Beta headers ---
 
 function getRequiredBetas(modelId: string | undefined) {
-  const betas = [CLAUDE_CODE_BETA, OAUTH_BETA, FINE_GRAINED_TOOL_STREAMING_BETA]
+  const betas = [
+    CLAUDE_CODE_BETA,
+    OAUTH_BETA,
+    FINE_GRAINED_TOOL_STREAMING_BETA,
+  ];
   const isAdaptive =
-    modelId?.includes('opus-4-6') ||
-    modelId?.includes('opus-4.6') ||
-    modelId?.includes('sonnet-4-6') ||
-    modelId?.includes('sonnet-4.6')
-  if (!isAdaptive) betas.push(INTERLEAVED_THINKING_BETA)
-  return betas
+    modelId?.includes("opus-4-6") ||
+    modelId?.includes("opus-4.6") ||
+    modelId?.includes("sonnet-4-6") ||
+    modelId?.includes("sonnet-4.6");
+  if (!isAdaptive) betas.push(INTERLEAVED_THINKING_BETA);
+  return betas;
 }
 
 function mergeBetas(existing: string | null, required: string[]) {
   return [
     ...new Set([
       ...required,
-      ...(existing || '')
-        .split(',')
+      ...(existing || "")
+        .split(",")
         .map((s) => s.trim())
         .filter(Boolean),
     ]),
-  ].join(',')
+  ].join(",");
 }
 
 // --- Token refresh with dedup ---
 
 function isOAuthStored(auth: { type: string }): auth is OAuthStored {
-  return auth.type === 'oauth'
+  return auth.type === "oauth";
 }
 
 async function getFreshOAuth(
   getAuth: () => Promise<OAuthStored | { type: string }>,
-  client: Parameters<Plugin>[0]['client'],
+  client: Parameters<Plugin>[0]["client"],
 ) {
-  const auth = await getAuth()
-  if (!isOAuthStored(auth)) return undefined
-  if (auth.access && auth.expires > Date.now()) return auth
+  const auth = await getAuth();
+  if (!isOAuthStored(auth)) return undefined;
+  if (auth.access && auth.expires > Date.now()) return auth;
 
-  const pending = pendingRefresh.get(auth.refresh)
+  const pending = pendingRefresh.get(auth.refresh);
   if (pending) {
-    return pending
+    return pending;
   }
 
   const refreshPromise = withAuthStateLock(async () => {
-    const latest = await getAuth()
+    const latest = await getAuth();
     if (!isOAuthStored(latest)) {
-      throw new Error('Anthropic OAuth credentials disappeared during refresh')
+      throw new Error("Anthropic OAuth credentials disappeared during refresh");
     }
-    if (latest.access && latest.expires > Date.now()) return latest
+    if (latest.access && latest.expires > Date.now()) return latest;
 
-    const refreshed = await refreshAnthropicToken(latest.refresh)
-    await setAnthropicAuth(refreshed, client)
-    const store = await loadAccountStore()
+    const refreshed = await refreshAnthropicToken(latest.refresh);
+    await setAnthropicAuth(refreshed, client);
+    const store = await loadAccountStore();
     if (store.accounts.length > 0) {
       const identity: AnthropicAccountIdentity | undefined = (() => {
         const currentIndex = store.accounts.findIndex((account) => {
-          return account.refresh === latest.refresh || account.access === latest.access
-        })
-        const current = currentIndex >= 0 ? store.accounts[currentIndex] : undefined
-        if (!current) return undefined
+          return (
+            account.refresh === latest.refresh ||
+            account.access === latest.access
+          );
+        });
+        const current =
+          currentIndex >= 0 ? store.accounts[currentIndex] : undefined;
+        if (!current) return undefined;
         return {
           ...(current.email ? { email: current.email } : {}),
           ...(current.accountId ? { accountId: current.accountId } : {}),
-        }
-      })()
-      upsertAccount(store, { ...refreshed, ...identity })
-      await saveAccountStore(store)
+        };
+      })();
+      upsertAccount(store, { ...refreshed, ...identity });
+      await saveAccountStore(store);
     }
-    return refreshed
-  })
-  pendingRefresh.set(auth.refresh, refreshPromise)
+    return refreshed;
+  });
+  pendingRefresh.set(auth.refresh, refreshPromise);
   return refreshPromise.finally(() => {
-    pendingRefresh.delete(auth.refresh)
-  })
+    pendingRefresh.delete(auth.refresh);
+  });
 }
 
-// --- Plugin export ---
-
 const AnthropicAuthPlugin: Plugin = async ({ client }) => {
   return {
-    'chat.headers': async (input, output) => {
-      if (input.model.providerID !== 'anthropic') {
-        return
+    "chat.headers": async (input, output) => {
+      if (input.model.providerID !== "anthropic") {
+        return;
       }
-      output.headers[TOAST_SESSION_HEADER] = input.sessionID
+      output.headers[TOAST_SESSION_HEADER] = input.sessionID;
     },
     auth: {
-      provider: 'anthropic',
+      provider: "anthropic",
       async loader(
         getAuth: () => Promise<OAuthStored | { type: string }>,
         provider: { models: Record<string, { cost?: unknown }> },
       ) {
-        const auth = await getAuth()
-        if (auth.type !== 'oauth') return {}
+        const auth = await getAuth();
+        if (auth.type !== "oauth") return {};
 
         // Zero out costs for OAuth users (Claude Pro/Max subscription)
         for (const model of Object.values(provider.models)) {
-          model.cost = { input: 0, output: 0, cache: { read: 0, write: 0 } }
+          model.cost = { input: 0, output: 0, cache: { read: 0, write: 0 } };
         }
 
         return {
-          apiKey: '',
+          apiKey: "",
           async fetch(input: Request | string | URL, init?: RequestInit) {
             const url = (() => {
               try {
-                return new URL(input instanceof Request ? input.url : input.toString())
+                return new URL(
+                  input instanceof Request ? input.url : input.toString(),
+                );
               } catch {
-                return null
+                return null;
               }
-            })()
-            if (!url || !ANTHROPIC_HOSTS.has(url.hostname)) return fetch(input, init)
+            })();
+            if (!url || !ANTHROPIC_HOSTS.has(url.hostname))
+              return fetch(input, init);
 
             const originalBody =
-              typeof init?.body === 'string'
+              typeof init?.body === "string"
                 ? init.body
                 : input instanceof Request
                   ? await input
                       .clone()
                       .text()
                       .catch(() => undefined)
-                  : undefined
+                  : undefined;
 
-            const headers = new Headers(init?.headers)
+            const headers = new Headers(init?.headers);
             if (input instanceof Request) {
               input.headers.forEach((v, k) => {
-                if (!headers.has(k)) headers.set(k, v)
-              })
+                if (!headers.has(k)) headers.set(k, v);
+              });
             }
-            const sessionId = headers.get(TOAST_SESSION_HEADER) ?? undefined
+            const sessionId = headers.get(TOAST_SESSION_HEADER) ?? undefined;
 
             const rewritten = rewriteRequestPayload(originalBody, (msg) => {
-              client.tui.showToast({
-                body: {
-                  message: appendToastSessionMarker({ message: msg, sessionId }),
-                  variant: 'error',
-                },
-              }).catch(() => {})
-            })
-            const betas = getRequiredBetas(rewritten.modelId)
+              client.tui
+                .showToast({
+                  body: {
+                    message: appendToastSessionMarker({
+                      message: msg,
+                      sessionId,
+                    }),
+                    variant: "error",
+                  },
+                })
+                .catch(() => {});
+            });
+            const betas = getRequiredBetas(rewritten.modelId);
 
             const runRequest = async (auth: OAuthStored) => {
-              const requestHeaders = new Headers(headers)
-              requestHeaders.delete(TOAST_SESSION_HEADER)
-              requestHeaders.set('accept', 'application/json')
+              const requestHeaders = new Headers(headers);
+              requestHeaders.delete(TOAST_SESSION_HEADER);
+              requestHeaders.set("accept", "application/json");
+              requestHeaders.set(
+                "anthropic-beta",
+                mergeBetas(requestHeaders.get("anthropic-beta"), betas),
+              );
               requestHeaders.set(
-                'anthropic-beta',
-                mergeBetas(requestHeaders.get('anthropic-beta'), betas),
-              )
-              requestHeaders.set('anthropic-dangerous-direct-browser-access', 'true')
-              requestHeaders.set('authorization', `Bearer ${auth.access}`)
+                "anthropic-dangerous-direct-browser-access",
+                "true",
+              );
+              requestHeaders.set("authorization", `Bearer ${auth.access}`);
               requestHeaders.set(
-                'user-agent',
-                process.env.OPENCODE_ANTHROPIC_USER_AGENT || `claude-cli/${CLAUDE_CODE_VERSION}`,
-              )
-              requestHeaders.set('x-app', 'cli')
-              requestHeaders.delete('x-api-key')
+                "user-agent",
+                process.env.OPENCODE_ANTHROPIC_USER_AGENT ||
+                  `claude-cli/${CLAUDE_CODE_VERSION}`,
+              );
+              requestHeaders.set("x-app", "cli");
+              requestHeaders.delete("x-api-key");
 
               return fetch(input, {
                 ...(init ?? {}),
                 body: rewritten.body,
                 headers: requestHeaders,
-              })
-            }
+              });
+            };
 
-            const freshAuth = await getFreshOAuth(getAuth, client)
-            if (!freshAuth) return fetch(input, init)
+            const freshAuth = await getFreshOAuth(getAuth, client);
+            if (!freshAuth) return fetch(input, init);
 
-            let response = await runRequest(freshAuth)
+            let response = await runRequest(freshAuth);
             if (!response.ok) {
               const bodyText = await response
                 .clone()
                 .text()
-                .catch(() => '')
+                .catch(() => "");
               if (shouldRotateAuth(response.status, bodyText)) {
-                const rotated = await rotateAnthropicAccount(freshAuth, client)
+                const rotated = await rotateAnthropicAccount(freshAuth, client);
                 if (rotated) {
                   // Show toast notification so Discord thread shows the rotation
-                  client.tui.showToast({
-                    body: {
-                      message: appendToastSessionMarker({
-                        message: `Switching from account ${rotated.fromLabel} to account ${rotated.toLabel}`,
-                        sessionId,
-                      }),
-                      variant: 'info',
-                    },
-
-                  }).catch(() => {})
-                  const retryAuth = await getFreshOAuth(getAuth, client)
+                  client.tui
+                    .showToast({
+                      body: {
+                        message: appendToastSessionMarker({
+                          message: `Switching from account ${rotated.fromLabel} to account ${rotated.toLabel}`,
+                          sessionId,
+                        }),
+                        variant: "info",
+                      },
+                    })
+                    .catch(() => {});
+                  const retryAuth = await getFreshOAuth(getAuth, client);
                   if (retryAuth) {
-                    response = await runRequest(retryAuth)
+                    response = await runRequest(retryAuth);
                   }
                 }
               }
             }
 
-            return wrapResponseStream(response, rewritten.reverseToolNameMap)
+            return wrapResponseStream(response, rewritten.reverseToolNameMap);
           },
-        }
+        };
       },
       methods: [
         {
-          label: 'Claude Pro/Max',
-          type: 'oauth',
-          authorize: buildAuthorizeHandler('oauth'),
+          label: "Claude Pro/Max",
+          type: "oauth",
+          authorize: buildAuthorizeHandler("oauth"),
         },
         {
-          label: 'Create an API Key',
-          type: 'oauth',
-          authorize: buildAuthorizeHandler('apikey'),
+          label: "Create an API Key",
+          type: "oauth",
+          authorize: buildAuthorizeHandler("apikey"),
         },
         {
-          provider: 'anthropic',
-          label: 'Manually enter API Key',
-          type: 'api',
+          provider: "anthropic",
+          label: "Manually enter API Key",
+          type: "api",
         },
       ],
     },
-  }
-}
+  };
+};
 
-export {
-  AnthropicAuthPlugin as anthropicAuthPlugin,
-}
+const replacer: Plugin = async () => {
+  return {
+    "experimental.chat.system.transform": (async (input, output) => {
+      if (input.model.providerID !== "anthropic") return;
+      const textIndex = output.system.findIndex((x) =>
+        x.includes(OPENCODE_IDENTITY),
+      );
+      const text = output.system[textIndex];
+      if (!text) {
+        return;
+      }
+
+      output.system[textIndex] = sanitizeAnthropicSystemText(text);
+    }) satisfies SystemTransformHook,
+  };
+};
+
+export { replacer, AnthropicAuthPlugin as anthropicAuthPlugin };