@otto-assistant/otto 0.1.2 → 0.7.15

package/dist/anthropic-auth-plugin.js

@@ -0,0 +1,917 @@
+/**
+ * Anthropic OAuth authentication plugin for OpenCode.
+ *
+ * If you're copy-pasting this plugin into your OpenCode config folder,
+ * you need to install the runtime dependencies first:
+ *
+ *   cd ~/.config/opencode
+ *   bun init -y
+ *   bun add proper-lockfile
+ *
+ * Handles three concerns:
+ * 1. OAuth login + token refresh (PKCE flow against claude.ai)
+ * 2. Request/response rewriting (tool names, system prompt, beta headers)
+ *    so the Anthropic API treats requests as Claude Code CLI requests.
+ * 3. Multi-account OAuth rotation after Anthropic rate-limit/auth failures.
+ *
+ * Login mode is chosen from environment:
+ * - `OTTO` (or `OTTO`) set: remote-first pasted callback URL/raw code flow
+ * - otherwise: standard localhost auto-complete flow
+ *
+ * Source references:
+ * - https://github.com/badlogic/pi-mono/blob/main/packages/ai/src/utils/oauth/anthropic.ts
+ * - https://github.com/badlogic/pi-mono/blob/main/packages/ai/src/providers/anthropic.ts
+ */
+import { appendToastSessionMarker } from "./plugin-logger.js";
+import { loadAccountStore, rememberAnthropicOAuth, rotateAnthropicAccount, saveAccountStore, setAnthropicAuth, shouldRotateAuth, upsertAccount, withAuthStateLock, } from "./anthropic-auth-state.js";
+import { extractAnthropicAccountIdentity, } from "./anthropic-account-identity.js";
+// PKCE (Proof Key for Code Exchange) using Web Crypto API.
+// Reference: https://github.com/badlogic/pi-mono/blob/main/packages/ai/src/utils/oauth/pkce.ts
+function base64urlEncode(bytes) {
+    let binary = "";
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+}
+async function generatePKCE() {
+    const verifierBytes = new Uint8Array(32);
+    crypto.getRandomValues(verifierBytes);
+    const verifier = base64urlEncode(verifierBytes);
+    const data = new TextEncoder().encode(verifier);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    const challenge = base64urlEncode(new Uint8Array(hashBuffer));
+    return { verifier, challenge };
+}
+import { spawn } from "node:child_process";
+import { createServer } from "node:http";
+// --- Constants ---
+const CLIENT_ID = (() => {
+    const encoded = "OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl";
+    return typeof atob === "function"
+        ? atob(encoded)
+        : Buffer.from(encoded, "base64").toString("utf8");
+})();
+const TOKEN_URL = "https://platform.claude.com/v1/oauth/token";
+const CREATE_API_KEY_URL = "https://api.anthropic.com/api/oauth/claude_cli/create_api_key";
+const CLIENT_DATA_URL = "https://api.anthropic.com/api/oauth/claude_cli/client_data";
+const PROFILE_URL = "https://api.anthropic.com/api/oauth/profile";
+const CALLBACK_PORT = 53692;
+const CALLBACK_PATH = "/callback";
+const REDIRECT_URI = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
+const SCOPES = "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
+const OAUTH_TIMEOUT_MS = 5 * 60 * 1000;
+const CLAUDE_CODE_VERSION = "2.1.75";
+const CLAUDE_CODE_IDENTITY = "You are Claude Code, Anthropic's official CLI for Claude.";
+const OPENCODE_IDENTITY = "You are OpenCode, the best coding agent on the planet.";
+const ANTHROPIC_PROMPT_MARKER = "Skills provide specialized instructions";
+// Subagent prompts don't contain OPENCODE_IDENTITY; opencode appends this
+// line + an <env> block instead. We strip from here to </env> inclusive.
+const SUBAGENT_MODEL_IDENTITY = "You are powered by the model named";
+const CLAUDE_CODE_BETA = "claude-code-20250219";
+const OAUTH_BETA = "oauth-2025-04-20";
+const FINE_GRAINED_TOOL_STREAMING_BETA = "fine-grained-tool-streaming-2025-05-14";
+const INTERLEAVED_THINKING_BETA = "interleaved-thinking-2025-05-14";
+const TOAST_SESSION_HEADER = "x-otto-session-id";
+const ANTHROPIC_HOSTS = new Set([
+    "api.anthropic.com",
+    "claude.ai",
+    "console.anthropic.com",
+    "platform.claude.com",
+]);
+const OPENCODE_TO_CLAUDE_CODE_TOOL_NAME = {
+    bash: "Bash",
+    edit: "Edit",
+    glob: "Glob",
+    grep: "Grep",
+    question: "AskUserQuestion",
+    read: "Read",
+    skill: "Skill",
+    task: "Task",
+    todowrite: "TodoWrite",
+    webfetch: "WebFetch",
+    websearch: "WebSearch",
+    write: "Write",
+};
+// --- HTTP helpers ---
+// Claude OAuth token exchange can 429 when this runs inside the opencode auth
+// process, even with the same payload that succeeds in a plain Node process.
+// Run these OAuth-only HTTP calls in an isolated Node child to avoid whatever
+// parent-process runtime state is affecting the in-process requests.
+async function requestText(urlString, options) {
+    return new Promise((resolve, reject) => {
+        const payload = JSON.stringify({
+            body: options.body,
+            headers: options.headers,
+            method: options.method,
+            url: urlString,
+        });
+        const child = spawn("node", [
+            "-e",
+            `
+const input = JSON.parse(process.argv[1]);
+(async () => {
+  const response = await fetch(input.url, {
+    method: input.method,
+    headers: input.headers,
+    body: input.body,
+  });
+  const text = await response.text();
+  if (!response.ok) {
+    console.error(JSON.stringify({ status: response.status, body: text }));
+    process.exit(1);
+  }
+  process.stdout.write(text);
+})().catch((error) => {
+  console.error(error instanceof Error ? error.stack ?? error.message : String(error));
+  process.exit(1);
+});
+    `.trim(),
+            payload,
+        ], {
+            stdio: ["ignore", "pipe", "pipe"],
+        });
+        let stdout = "";
+        let stderr = "";
+        const timeout = setTimeout(() => {
+            child.kill();
+            reject(new Error(`Request timed out. url=${urlString}`));
+        }, 30_000);
+        child.stdout.on("data", (chunk) => {
+            stdout += String(chunk);
+        });
+        child.stderr.on("data", (chunk) => {
+            stderr += String(chunk);
+        });
+        child.on("error", (error) => {
+            clearTimeout(timeout);
+            reject(error);
+        });
+        child.on("close", (code) => {
+            clearTimeout(timeout);
+            if (code !== 0) {
+                let details = stderr.trim();
+                try {
+                    const parsed = JSON.parse(details);
+                    if (typeof parsed.status === "number") {
+                        reject(new Error(`HTTP ${parsed.status} from ${urlString}: ${parsed.body ?? ""}`));
+                        return;
+                    }
+                }
+                catch {
+                    // fall back to raw stderr
+                }
+                reject(new Error(details || `Node helper exited with code ${code}`));
+                return;
+            }
+            resolve(stdout);
+        });
+    });
+}
+async function postJson(url, body) {
+    const requestBody = JSON.stringify(body);
+    const responseText = await requestText(url, {
+        method: "POST",
+        headers: {
+            Accept: "application/json",
+            "Content-Length": String(Buffer.byteLength(requestBody)),
+            "Content-Type": "application/json",
+        },
+        body: requestBody,
+    });
+    return JSON.parse(responseText);
+}
+const pendingRefresh = new Map();
+// --- OAuth token exchange & refresh ---
+function parseTokenResponse(json) {
+    const data = json;
+    if (!data.access_token || !data.refresh_token) {
+        throw new Error(`Invalid token response: ${JSON.stringify(json)}`);
+    }
+    return data;
+}
+function tokenExpiry(expiresIn) {
+    return Date.now() + expiresIn * 1000 - 5 * 60 * 1000;
+}
+async function exchangeAuthorizationCode(code, state, verifier, redirectUri) {
+    const json = await postJson(TOKEN_URL, {
+        grant_type: "authorization_code",
+        client_id: CLIENT_ID,
+        code,
+        state,
+        redirect_uri: redirectUri,
+        code_verifier: verifier,
+    });
+    const data = parseTokenResponse(json);
+    return {
+        type: "success",
+        refresh: data.refresh_token,
+        access: data.access_token,
+        expires: tokenExpiry(data.expires_in),
+    };
+}
+async function refreshAnthropicToken(refreshToken) {
+    const json = await postJson(TOKEN_URL, {
+        grant_type: "refresh_token",
+        client_id: CLIENT_ID,
+        refresh_token: refreshToken,
+    });
+    const data = parseTokenResponse(json);
+    return {
+        type: "oauth",
+        refresh: data.refresh_token,
+        access: data.access_token,
+        expires: tokenExpiry(data.expires_in),
+    };
+}
+async function createApiKey(accessToken) {
+    const responseText = await requestText(CREATE_API_KEY_URL, {
+        method: "POST",
+        headers: {
+            Accept: "application/json",
+            authorization: `Bearer ${accessToken}`,
+            "Content-Type": "application/json",
+        },
+    });
+    const json = JSON.parse(responseText);
+    return { type: "success", key: json.raw_key };
+}
+async function fetchAnthropicAccountIdentity(accessToken) {
+    const urls = [CLIENT_DATA_URL, PROFILE_URL];
+    for (const url of urls) {
+        const responseText = await requestText(url, {
+            method: "GET",
+            headers: {
+                Accept: "application/json",
+                authorization: `Bearer ${accessToken}`,
+                "user-agent": process.env.OPENCODE_ANTHROPIC_USER_AGENT ||
+                    `claude-cli/${CLAUDE_CODE_VERSION}`,
+                "x-app": "cli",
+            },
+        }).catch(() => {
+            return undefined;
+        });
+        if (!responseText)
+            continue;
+        const parsed = JSON.parse(responseText);
+        const identity = extractAnthropicAccountIdentity(parsed);
+        if (identity)
+            return identity;
+    }
+    return undefined;
+}
+async function startCallbackServer(expectedState) {
+    return new Promise((resolve, reject) => {
+        let settle;
+        let settled = false;
+        const waitPromise = new Promise((res) => {
+            settle = (v) => {
+                if (settled)
+                    return;
+                settled = true;
+                res(v);
+            };
+        });
+        const server = createServer((req, res) => {
+            try {
+                const url = new URL(req.url || "", "http://localhost");
+                if (url.pathname !== CALLBACK_PATH) {
+                    res.writeHead(404).end("Not found");
+                    return;
+                }
+                const code = url.searchParams.get("code");
+                const state = url.searchParams.get("state");
+                const error = url.searchParams.get("error");
+                if (error || !code || !state || state !== expectedState) {
+                    res
+                        .writeHead(400)
+                        .end("Authentication failed: " + (error || "missing code/state"));
+                    return;
+                }
+                res
+                    .writeHead(200, { "Content-Type": "text/plain" })
+                    .end("Authentication successful. You can close this window.");
+                settle?.({ code, state });
+            }
+            catch {
+                res.writeHead(500).end("Internal error");
+            }
+        });
+        server.once("error", reject);
+        server.listen(CALLBACK_PORT, "127.0.0.1", () => {
+            resolve({
+                server,
+                cancelWait: () => {
+                    settle?.(null);
+                },
+                waitForCode: () => waitPromise,
+            });
+        });
+    });
+}
+function closeServer(server) {
+    return new Promise((resolve) => {
+        server.close(() => {
+            resolve();
+        });
+    });
+}
+// --- Authorization flow ---
+// Unified flow: beginAuthorizationFlow starts PKCE + callback server,
+// then waitForCallback handles both auto (localhost) and manual (pasted code) paths.
+async function beginAuthorizationFlow() {
+    const pkce = await generatePKCE();
+    const callbackServer = await startCallbackServer(pkce.verifier);
+    const authParams = new URLSearchParams({
+        code: "true",
+        client_id: CLIENT_ID,
+        response_type: "code",
+        redirect_uri: REDIRECT_URI,
+        scope: SCOPES,
+        code_challenge: pkce.challenge,
+        code_challenge_method: "S256",
+        state: pkce.verifier,
+    });
+    return {
+        url: `https://claude.ai/oauth/authorize?${authParams.toString()}`,
+        verifier: pkce.verifier,
+        callbackServer,
+    };
+}
+async function waitForCallback(callbackServer, manualInput) {
+    try {
+        // Try localhost callback first (instant check)
+        const quick = await Promise.race([
+            callbackServer.waitForCode(),
+            new Promise((r) => {
+                setTimeout(() => {
+                    r(null);
+                }, 50);
+            }),
+        ]);
+        if (quick?.code)
+            return quick;
+        // If manual input was provided, parse it
+        const trimmed = manualInput?.trim();
+        if (trimmed) {
+            return parseManualInput(trimmed);
+        }
+        // Wait for localhost callback with timeout
+        const result = await Promise.race([
+            callbackServer.waitForCode(),
+            new Promise((r) => {
+                setTimeout(() => {
+                    r(null);
+                }, OAUTH_TIMEOUT_MS);
+            }),
+        ]);
+        if (!result?.code) {
+            throw new Error("Timed out waiting for OAuth callback");
+        }
+        return result;
+    }
+    finally {
+        callbackServer.cancelWait();
+        await closeServer(callbackServer.server);
+    }
+}
+function parseManualInput(input) {
+    try {
+        const url = new URL(input);
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        if (code)
+            return { code, state: state || "" };
+    }
+    catch {
+        // not a URL
+    }
+    if (input.includes("#")) {
+        const [code = "", state = ""] = input.split("#", 2);
+        return { code, state };
+    }
+    if (input.includes("code=")) {
+        const params = new URLSearchParams(input);
+        const code = params.get("code");
+        if (code)
+            return { code, state: params.get("state") || "" };
+    }
+    return { code: input, state: "" };
+}
+// Unified authorize handler: returns either OAuth tokens or an API key,
+// for both auto and remote-first modes.
+function buildAuthorizeHandler(mode) {
+    return async () => {
+        const auth = await beginAuthorizationFlow();
+        const isRemote = Boolean(process.env.OTTO || process.env.OTTO);
+        let pendingAuthResult;
+        const finalize = async (result) => {
+            const verifier = auth.verifier;
+            const creds = await exchangeAuthorizationCode(result.code, result.state || verifier, verifier, REDIRECT_URI);
+            if (mode === "apikey") {
+                return createApiKey(creds.access);
+            }
+            const identity = await fetchAnthropicAccountIdentity(creds.access);
+            await rememberAnthropicOAuth({
+                type: "oauth",
+                refresh: creds.refresh,
+                access: creds.access,
+                expires: creds.expires,
+            }, identity);
+            return creds;
+        };
+        if (!isRemote) {
+            return {
+                url: auth.url,
+                instructions: "Complete login in your browser on this machine. OpenCode will catch the localhost callback automatically.",
+                method: "auto",
+                callback: async () => {
+                    pendingAuthResult ??= (async () => {
+                        try {
+                            const result = await waitForCallback(auth.callbackServer);
+                            return await finalize(result);
+                        }
+                        catch {
+                            return { type: "failed" };
+                        }
+                    })();
+                    return pendingAuthResult;
+                },
+            };
+        }
+        return {
+            url: auth.url,
+            instructions: "Complete login in your browser, then paste the final redirect URL from the address bar here. Pasting just the authorization code also works.",
+            method: "code",
+            callback: async (input) => {
+                pendingAuthResult ??= (async () => {
+                    try {
+                        const result = await waitForCallback(auth.callbackServer, input);
+                        return await finalize(result);
+                    }
+                    catch {
+                        return { type: "failed" };
+                    }
+                })();
+                return pendingAuthResult;
+            },
+        };
+    };
+}
+// --- Request/response rewriting ---
+// Renames opencode tool names to Claude Code tool names in requests,
+// and reverses the mapping in streamed responses.
+function toClaudeCodeToolName(name) {
+    return OPENCODE_TO_CLAUDE_CODE_TOOL_NAME[name.toLowerCase()] ?? name;
+}
+/**
+ * Strips the OpenCode identity block (from "You are OpenCode…" up to the
+ * Anthropic prompt marker "Skills provide specialized instructions") and
+ * re-injects essential environment context as a small XML tag.
+ *
+ * The original OpenCode prompt between those markers contains the current
+ * working directory and other runtime context. Stripping it wholesale loses
+ * that info, so we add back what the model needs (cwd) in a compact form.
+ *
+ * Original OpenCode Anthropic prompt structure (for reference):
+ *   "You are OpenCode, the best coding agent on the planet."
+ *   + environment block (cwd, OS, shell, date, etc.)
+ *   + "Skills provide specialized instructions …"
+ */
+function sanitizeAnthropicSystemText(text, onError) {
+    const startIdx = text.indexOf(OPENCODE_IDENTITY);
+    if (startIdx !== -1) {
+        // Main session path: strip from OpenCode identity to the Anthropic prompt marker.
+        // Keep the marker aligned with the current OpenCode Anthropic prompt.
+        const endIdx = text.indexOf(ANTHROPIC_PROMPT_MARKER, startIdx);
+        if (endIdx === -1) {
+            onError?.("sanitizeAnthropicSystemText: could not find Anthropic prompt marker after OpenCode identity");
+            return text;
+        }
+        return replaceBlockWithCompactEnv(text, startIdx, endIdx);
+    }
+    // Subagent path: opencode appends "You are powered by the model named ..."
+    // followed by an <env> block. Strip from that line through </env>.
+    const subagentIdx = text.indexOf(SUBAGENT_MODEL_IDENTITY);
+    if (subagentIdx !== -1) {
+        const envCloseTag = "</env>";
+        const envCloseIdx = text.indexOf(envCloseTag, subagentIdx);
+        if (envCloseIdx === -1) {
+            onError?.("sanitizeAnthropicSystemText: could not find </env> after subagent model identity");
+            return text;
+        }
+        const endIdx = envCloseIdx + envCloseTag.length;
+        // Skip trailing newline so the join is clean
+        const afterEnd = text[endIdx] === "\n" ? endIdx + 1 : endIdx;
+        return replaceBlockWithCompactEnv(text, subagentIdx, afterEnd);
+    }
+    return text;
+}
+// Extract cwd from the block being stripped and replace it with a compact
+// <environment> tag. Shared by both main-session and subagent paths.
+// Source: anomalyco/opencode packages/opencode/src/session/system.ts
+// OpenCode's system prompt format (as of 2025):
+//   <env>
+//     Working directory: ${Instance.directory}
+//     Workspace root folder: ${Instance.worktree}
+//     Is directory a git repo: yes/no
+//     Platform: ${process.platform}
+//     Today's date: ${new Date().toDateString()}
+//   </env>
+// Older format used <environment><cwd>/path</cwd></environment>.
+// We try both patterns to stay compatible across opencode versions.
+// We preserve the per-session directory instead of falling back to
+// process.cwd() which is the opencode server's cwd and wrong for
+// multi-session/worktree setups where each session has a different directory.
+function replaceBlockWithCompactEnv(text, startIdx, endIdx) {
+    const strippedBlock = text.slice(startIdx, endIdx);
+    const cwdMatch = strippedBlock.match(/Working directory:\s*(.+)/)?.[1]?.trim() ||
+        strippedBlock.match(/<cwd>([^<]+)<\/cwd>/)?.[1];
+    const cwd = cwdMatch || process.cwd();
+    const envContext = `\n<environment>\n<cwd>${cwd}</cwd>\n</environment>\n` +
+        `Read, write, and edit files under ${cwd}.\n\n`;
+    return (text.slice(0, startIdx) +
+        envContext +
+        text.slice(endIdx));
+}
+function mapSystemTextPart(part, onError) {
+    if (typeof part === "string") {
+        return { type: "text", text: sanitizeAnthropicSystemText(part, onError) };
+    }
+    if (part &&
+        typeof part === "object" &&
+        "type" in part &&
+        part.type === "text" &&
+        "text" in part &&
+        typeof part.text === "string") {
+        return {
+            ...part,
+            text: sanitizeAnthropicSystemText(part.text, onError),
+        };
+    }
+    return part;
+}
+function prependClaudeCodeIdentity(system, onError) {
+    const identityBlock = {
+        type: "text",
+        text: CLAUDE_CODE_IDENTITY,
+    };
+    if (typeof system === "undefined")
+        return [identityBlock];
+    if (typeof system === "string") {
+        const sanitized = sanitizeAnthropicSystemText(system, onError);
+        if (sanitized === CLAUDE_CODE_IDENTITY)
+            return [identityBlock];
+        return [identityBlock, { type: "text", text: sanitized }];
+    }
+    if (!Array.isArray(system))
+        return [identityBlock, system];
+    const sanitized = system.map((item) => {
+        return mapSystemTextPart(item, onError);
+    });
+    const first = sanitized[0];
+    if (first &&
+        typeof first === "object" &&
+        "type" in first &&
+        first.type === "text" &&
+        "text" in first &&
+        first.text === CLAUDE_CODE_IDENTITY) {
+        return sanitized;
+    }
+    return [identityBlock, ...sanitized];
+}
+function rewriteRequestPayload(body, onError) {
+    if (!body)
+        return {
+            body,
+            modelId: undefined,
+            reverseToolNameMap: new Map(),
+        };
+    try {
+        const payload = JSON.parse(body);
+        const reverseToolNameMap = new Map();
+        const modelId = typeof payload.model === "string" ? payload.model : undefined;
+        // Build reverse map and rename tools
+        if (Array.isArray(payload.tools)) {
+            payload.tools = payload.tools.map((tool) => {
+                if (!tool || typeof tool !== "object")
+                    return tool;
+                const name = tool.name;
+                if (typeof name !== "string")
+                    return tool;
+                const mapped = toClaudeCodeToolName(name);
+                reverseToolNameMap.set(mapped, name);
+                return { ...tool, name: mapped };
+            });
+        }
+        // Rename system prompt
+        payload.system = prependClaudeCodeIdentity(payload.system, onError);
+        // Rename tool_choice
+        if (payload.tool_choice &&
+            typeof payload.tool_choice === "object" &&
+            payload.tool_choice.type === "tool") {
+            const name = payload.tool_choice.name;
+            if (typeof name === "string") {
+                payload.tool_choice = {
+                    ...payload.tool_choice,
+                    name: toClaudeCodeToolName(name),
+                };
+            }
+        }
+        // Rename tool_use blocks in messages
+        if (Array.isArray(payload.messages)) {
+            payload.messages = payload.messages.map((message) => {
+                if (!message || typeof message !== "object")
+                    return message;
+                const content = message.content;
+                if (!Array.isArray(content))
+                    return message;
+                return {
+                    ...message,
+                    content: content.map((block) => {
+                        if (!block || typeof block !== "object")
+                            return block;
+                        const b = block;
+                        if (b.type !== "tool_use" || typeof b.name !== "string")
+                            return block;
+                        return {
+                            ...block,
+                            name: toClaudeCodeToolName(b.name),
+                        };
+                    }),
+                };
+            });
+        }
+        return { body: JSON.stringify(payload), modelId, reverseToolNameMap };
+    }
+    catch {
+        return {
+            body,
+            modelId: undefined,
+            reverseToolNameMap: new Map(),
+        };
+    }
+}
+function wrapResponseStream(response, reverseToolNameMap) {
+    if (!response.body || reverseToolNameMap.size === 0)
+        return response;
+    const reader = response.body.getReader();
+    const decoder = new TextDecoder();
+    const encoder = new TextEncoder();
+    let carry = "";
+    const transform = (text) => {
+        return text.replace(/"name"\s*:\s*"([^"]+)"/g, (full, name) => {
+            const original = reverseToolNameMap.get(name);
+            return original ? full.replace(`"${name}"`, `"${original}"`) : full;
+        });
+    };
+    const stream = new ReadableStream({
+        async pull(controller) {
+            const { done, value } = await reader.read();
+            if (done) {
+                const finalText = carry + decoder.decode();
+                if (finalText)
+                    controller.enqueue(encoder.encode(transform(finalText)));
+                controller.close();
+                return;
+            }
+            carry += decoder.decode(value, { stream: true });
+            // Buffer 256 chars to avoid splitting JSON keys across chunks
+            if (carry.length <= 256)
+                return;
+            const output = carry.slice(0, -256);
+            carry = carry.slice(-256);
+            controller.enqueue(encoder.encode(transform(output)));
+        },
+        async cancel(reason) {
+            await reader.cancel(reason);
+        },
+    });
+    return new Response(stream, {
+        status: response.status,
+        statusText: response.statusText,
+        headers: response.headers,
+    });
+}
+// --- Beta headers ---
+function getRequiredBetas(modelId) {
+    const betas = [
+        CLAUDE_CODE_BETA,
+        OAUTH_BETA,
+        FINE_GRAINED_TOOL_STREAMING_BETA,
+    ];
+    const isAdaptive = modelId?.includes("opus-4-6") ||
+        modelId?.includes("opus-4.6") ||
+        modelId?.includes("sonnet-4-6") ||
+        modelId?.includes("sonnet-4.6");
+    if (!isAdaptive)
+        betas.push(INTERLEAVED_THINKING_BETA);
+    return betas;
+}
+function mergeBetas(existing, required) {
+    return [
+        ...new Set([
+            ...required,
+            ...(existing || "")
+                .split(",")
+                .map((s) => s.trim())
+                .filter(Boolean),
+        ]),
+    ].join(",");
+}
+// --- Token refresh with dedup ---
+function isOAuthStored(auth) {
+    return auth.type === "oauth";
+}
+async function getFreshOAuth(getAuth, client) {
+    const auth = await getAuth();
+    if (!isOAuthStored(auth))
+        return undefined;
+    if (auth.access && auth.expires > Date.now())
+        return auth;
+    const pending = pendingRefresh.get(auth.refresh);
+    if (pending) {
+        return pending;
+    }
+    const refreshPromise = withAuthStateLock(async () => {
+        const latest = await getAuth();
+        if (!isOAuthStored(latest)) {
+            throw new Error("Anthropic OAuth credentials disappeared during refresh");
+        }
+        if (latest.access && latest.expires > Date.now())
+            return latest;
+        const refreshed = await refreshAnthropicToken(latest.refresh);
+        await setAnthropicAuth(refreshed, client);
+        const store = await loadAccountStore();
+        if (store.accounts.length > 0) {
+            const identity = (() => {
+                const currentIndex = store.accounts.findIndex((account) => {
+                    return (account.refresh === latest.refresh ||
+                        account.access === latest.access);
+                });
+                const current = currentIndex >= 0 ? store.accounts[currentIndex] : undefined;
+                if (!current)
+                    return undefined;
+                return {
+                    ...(current.email ? { email: current.email } : {}),
+                    ...(current.accountId ? { accountId: current.accountId } : {}),
+                };
+            })();
+            upsertAccount(store, { ...refreshed, ...identity });
+            await saveAccountStore(store);
+        }
+        return refreshed;
+    });
+    pendingRefresh.set(auth.refresh, refreshPromise);
+    return refreshPromise.finally(() => {
+        pendingRefresh.delete(auth.refresh);
+    });
+}
+const AnthropicAuthPlugin = async ({ client }) => {
+    return {
+        "chat.headers": async (input, output) => {
+            if (input.model.providerID !== "anthropic") {
+                return;
+            }
+            output.headers[TOAST_SESSION_HEADER] = input.sessionID;
+        },
+        auth: {
+            provider: "anthropic",
+            async loader(getAuth, provider) {
+                const auth = await getAuth();
+                if (auth.type !== "oauth")
+                    return {};
+                // Zero out costs for OAuth users (Claude Pro/Max subscription)
+                for (const model of Object.values(provider.models)) {
+                    model.cost = { input: 0, output: 0, cache: { read: 0, write: 0 } };
+                }
+                return {
+                    apiKey: "",
+                    async fetch(input, init) {
+                        const url = (() => {
+                            try {
+                                return new URL(input instanceof Request ? input.url : input.toString());
+                            }
+                            catch {
+                                return null;
+                            }
+                        })();
+                        if (!url || !ANTHROPIC_HOSTS.has(url.hostname))
+                            return fetch(input, init);
+                        const originalBody = typeof init?.body === "string"
+                            ? init.body
+                            : input instanceof Request
+                                ? await input
+                                    .clone()
+                                    .text()
+                                    .catch(() => undefined)
+                                : undefined;
+                        const headers = new Headers(init?.headers);
+                        if (input instanceof Request) {
+                            input.headers.forEach((v, k) => {
+                                if (!headers.has(k))
+                                    headers.set(k, v);
+                            });
+                        }
+                        const sessionId = headers.get(TOAST_SESSION_HEADER) ?? undefined;
+                        const rewritten = rewriteRequestPayload(originalBody, (msg) => {
+                            client.tui
+                                .showToast({
+                                body: {
+                                    message: appendToastSessionMarker({
+                                        message: msg,
+                                        sessionId,
+                                    }),
+                                    variant: "error",
+                                },
+                            })
+                                .catch(() => { });
+                        });
+                        const betas = getRequiredBetas(rewritten.modelId);
+                        const runRequest = async (auth) => {
+                            const requestHeaders = new Headers(headers);
+                            requestHeaders.delete(TOAST_SESSION_HEADER);
+                            requestHeaders.set("accept", "application/json");
+                            requestHeaders.set("anthropic-beta", mergeBetas(requestHeaders.get("anthropic-beta"), betas));
+                            requestHeaders.set("anthropic-dangerous-direct-browser-access", "true");
+                            requestHeaders.set("authorization", `Bearer ${auth.access}`);
+                            requestHeaders.set("user-agent", process.env.OPENCODE_ANTHROPIC_USER_AGENT ||
+                                `claude-cli/${CLAUDE_CODE_VERSION}`);
+                            requestHeaders.set("x-app", "cli");
+                            requestHeaders.delete("x-api-key");
+                            return fetch(input, {
+                                ...(init ?? {}),
+                                body: rewritten.body,
+                                headers: requestHeaders,
+                            });
+                        };
+                        const freshAuth = await getFreshOAuth(getAuth, client);
+                        if (!freshAuth)
+                            return fetch(input, init);
+                        let response = await runRequest(freshAuth);
+                        if (!response.ok) {
+                            const bodyText = await response
+                                .clone()
+                                .text()
+                                .catch(() => "");
+                            if (shouldRotateAuth(response.status, bodyText)) {
+                                const rotated = await rotateAnthropicAccount(freshAuth, client);
+                                if (rotated) {
+                                    // Show toast notification so Discord thread shows the rotation
+                                    client.tui
+                                        .showToast({
+                                        body: {
+                                            message: appendToastSessionMarker({
+                                                message: `Switching from account ${rotated.fromLabel} to account ${rotated.toLabel}`,
+                                                sessionId,
+                                            }),
+                                            variant: "info",
+                                        },
+                                    })
+                                        .catch(() => { });
+                                    const retryAuth = await getFreshOAuth(getAuth, client);
+                                    if (retryAuth) {
+                                        response = await runRequest(retryAuth);
+                                    }
+                                }
+                            }
+                        }
+                        return wrapResponseStream(response, rewritten.reverseToolNameMap);
+                    },
+                };
+            },
+            methods: [
+                {
+                    label: "Claude Pro/Max",
+                    type: "oauth",
+                    authorize: buildAuthorizeHandler("oauth"),
+                },
+                {
+                    label: "Create an API Key",
+                    type: "oauth",
+                    authorize: buildAuthorizeHandler("apikey"),
+                },
+                {
+                    provider: "anthropic",
+                    label: "Manually enter API Key",
+                    type: "api",
+                },
+            ],
+        },
+    };
+};
+const replacer = async () => {
+    return {
+        "experimental.chat.system.transform": (async (input, output) => {
+            if (input.model.providerID !== "anthropic")
+                return;
+            const textIndex = output.system.findIndex((x) => x.includes(OPENCODE_IDENTITY));
+            const text = output.system[textIndex];
+            if (!text) {
+                return;
+            }
+            output.system[textIndex] = sanitizeAnthropicSystemText(text);
+        }),
+    };
+};
+export { replacer, AnthropicAuthPlugin as anthropicAuthPlugin };