@ouro.bot/cli 0.1.0-alpha.33 → 0.1.0-alpha.330

package/dist/heart/provider-ping.js

@@ -0,0 +1,162 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitizeErrorMessage = sanitizeErrorMessage;
+exports.pingProvider = pingProvider;
+exports.runHealthInventory = runHealthInventory;
+const identity_1 = require("./identity");
+const anthropic_1 = require("./providers/anthropic");
+const azure_1 = require("./providers/azure");
+const minimax_1 = require("./providers/minimax");
+const openai_codex_1 = require("./providers/openai-codex");
+const github_copilot_1 = require("./providers/github-copilot");
+const auth_flow_1 = require("./auth/auth-flow");
+const runtime_1 = require("../nerves/runtime");
+const PING_TIMEOUT_MS = 10_000;
+/**
+ * Strip raw JSON/HTML API response bodies from error messages.
+ * SDK errors often include the full response: "400 {"type":"error",...}" or "403 <html>...".
+ * Extract just the HTTP status and a short human-readable summary.
+ */
+function sanitizeErrorMessage(message) {
+    const statusMatch = message.match(/^(\d{3})\s/);
+    if (!statusMatch)
+        return message;
+    const status = statusMatch[1];
+    const body = message.slice(status.length).trim();
+    // HTML response (Cloudflare challenge, error pages, etc.)
+    if (body.startsWith("<") || body.includes("<!DOCTYPE") || body.includes("<html")) {
+        return `HTTP ${status}`;
+    }
+    // JSON response
+    if (body.startsWith("{")) {
+        try {
+            const json = JSON.parse(body);
+            const inner = json?.error?.message;
+            if (typeof inner === "string" && inner && inner !== "Error") {
+                return `${status} ${inner}`;
+            }
+        }
+        catch { /* not valid JSON */ }
+        return `HTTP ${status}`;
+    }
+    // Already clean (e.g., "401 Provided authentication token is expired.")
+    return message;
+}
+function hasEmptyCredentials(provider, config) {
+    const record = config;
+    return identity_1.PROVIDER_CREDENTIALS[provider].required.some((key) => !record[key]);
+}
+function createRuntimeForPing(provider, _config) {
+    // The provider constructors read credentials from the active config via getXxxConfig().
+    // For ping, this is acceptable because verifyProviderCredentials patches the runtime
+    // config before calling ping. The model string is a default — for anthropic the ping
+    // overrides it with haiku anyway, and for others it's used in a minimal API call.
+    const DEFAULT_MODELS = {
+        anthropic: "claude-haiku-4-5-20251001",
+        azure: "gpt-4o",
+        minimax: "MiniMax-M2.7",
+        "openai-codex": "codex-mini-latest",
+        "github-copilot": "gpt-4o",
+    };
+    /* v8 ignore next -- fallback: all known providers are in DEFAULT_MODELS @preserve */
+    const model = DEFAULT_MODELS[provider] ?? "unknown";
+    switch (provider) {
+        case "anthropic":
+            return (0, anthropic_1.createAnthropicProviderRuntime)(model);
+        case "azure":
+            return (0, azure_1.createAzureProviderRuntime)(model);
+        case "minimax":
+            return (0, minimax_1.createMinimaxProviderRuntime)(model);
+        case "openai-codex":
+            return (0, openai_codex_1.createOpenAICodexProviderRuntime)(model);
+        case "github-copilot":
+            return (0, github_copilot_1.createGithubCopilotProviderRuntime)(model);
+        /* v8 ignore next 2 -- exhaustive: all providers handled above @preserve */
+        default:
+            throw new Error(`unsupported provider for ping: ${provider}`);
+    }
+}
+async function pingProvider(provider, config) {
+    if (hasEmptyCredentials(provider, config)) {
+        return { ok: false, classification: "auth-failure", message: "no credentials configured" };
+    }
+    let runtime;
+    try {
+        runtime = createRuntimeForPing(provider, config);
+        /* v8 ignore start -- factory creation failure: tested via individual provider init tests @preserve */
+    }
+    catch (error) {
+        return {
+            ok: false,
+            classification: "auth-failure",
+            message: error instanceof Error ? error.message : String(error),
+        };
+    }
+    /* v8 ignore stop */
+    try {
+        const controller = new AbortController();
+        /* v8 ignore next -- timeout callback: only fires after 10s, tests resolve faster @preserve */
+        const timeout = setTimeout(() => controller.abort(), PING_TIMEOUT_MS);
+        try {
+            // Minimal API call — no thinking, no reasoning, no tools.
+            if (provider === "anthropic") {
+                // Use haiku for the ping — setup tokens may not have access to newer
+                // models, but if haiku works, the credentials are valid.
+                // Override the beta header to exclude thinking (which requires a
+                // thinking param in the request body).
+                const client = runtime.client;
+                await client.messages.create({ model: "claude-haiku-4-5-20251001", max_tokens: 1, messages: [{ role: "user", content: "ping" }] }, { signal: controller.signal, headers: { "anthropic-beta": "claude-code-20250219,oauth-2025-04-20" } });
+            }
+            else if (provider === "openai-codex") {
+                // Codex uses the Responses API (chatgpt.com/backend-api/codex/responses),
+                // not the Chat Completions API. Ping via responses endpoint.
+                const client = runtime.client;
+                await client.responses.create({ model: runtime.model, input: "ping", store: false }, { signal: controller.signal });
+            }
+            else {
+                // OpenAI-compatible providers (azure, minimax, github-copilot)
+                const client = runtime.client;
+                await client.chat.completions.create({ model: runtime.model, max_tokens: 1, messages: [{ role: "user", content: "ping" }] }, { signal: controller.signal });
+            }
+            return { ok: true };
+        }
+        finally {
+            clearTimeout(timeout);
+        }
+    }
+    catch (error) {
+        const err = error instanceof Error ? error : /* v8 ignore next -- defensive @preserve */ new Error(String(error));
+        let classification;
+        try {
+            classification = runtime.classifyError(err);
+        }
+        catch {
+            /* v8 ignore next -- defensive: classifyError should not throw @preserve */
+            classification = "unknown";
+        }
+        (0, runtime_1.emitNervesEvent)({
+            component: "engine",
+            event: "engine.provider_ping_fail",
+            message: `provider ping failed: ${provider}`,
+            meta: { provider, classification, error: err.message },
+        });
+        return { ok: false, classification, message: sanitizeErrorMessage(err.message) };
+    }
+}
+const PINGABLE_PROVIDERS = ["anthropic", "openai-codex", "azure", "minimax", "github-copilot"];
+async function runHealthInventory(agentName, currentProvider, deps = {}) {
+    /* v8 ignore next -- default: tests inject ping dep @preserve */
+    const ping = deps.ping ?? pingProvider;
+    const { secrets } = (0, auth_flow_1.loadAgentSecrets)(agentName);
+    const providers = PINGABLE_PROVIDERS.filter((p) => p !== currentProvider);
+    const results = await Promise.all(providers.map(async (provider) => {
+        const config = secrets.providers[provider];
+        const result = await ping(provider, config);
+        return [provider, result];
+    }));
+    const inventory = {};
+    for (const [provider, result] of results) {
+        inventory[provider] = result;
+    }
+    return inventory;
+}

package/dist/heart/providers/anthropic-token.js

@@ -0,0 +1,163 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.needsRefresh = needsRefresh;
+exports.refreshAnthropicToken = refreshAnthropicToken;
+exports.persistTokenState = persistTokenState;
+exports.ensureFreshToken = ensureFreshToken;
+/* v8 ignore start -- OAuth token lifecycle: requires live API calls, tested via integration @preserve */
+const fs = __importStar(require("fs"));
+const runtime_1 = require("../../nerves/runtime");
+const identity_1 = require("../identity");
+const OAUTH_TOKEN_ENDPOINT = "https://console.anthropic.com/v1/oauth/token";
+const OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry
+/**
+ * Check if the Anthropic OAuth token needs refreshing.
+ * Returns true if no expiresAt is set (legacy token) or if within 5 min of expiry.
+ */
+function needsRefresh(expiresAt) {
+    if (!expiresAt)
+        return true; // legacy token with no expiry — always try refresh
+    return Date.now() > expiresAt - REFRESH_MARGIN_MS;
+}
+/**
+ * Refresh an Anthropic OAuth access token using the refresh token.
+ * Returns the new token state or null if refresh fails.
+ */
+async function refreshAnthropicToken(refreshToken, fetchImpl = fetch) {
+    try {
+        const response = await fetchImpl(OAUTH_TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                grant_type: "refresh_token",
+                refresh_token: refreshToken,
+                client_id: OAUTH_CLIENT_ID,
+            }),
+        });
+        if (!response.ok) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                component: "engine",
+                event: "engine.anthropic_token_refresh_failed",
+                message: `token refresh failed: ${response.status}`,
+                meta: { status: response.status },
+            });
+            return null;
+        }
+        const json = await response.json();
+        if (!json.access_token) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                component: "engine",
+                event: "engine.anthropic_token_refresh_failed",
+                message: "token refresh returned no access_token",
+                meta: {},
+            });
+            return null;
+        }
+        const state = {
+            accessToken: json.access_token,
+            refreshToken: json.refresh_token ?? refreshToken, // keep old if not returned
+            expiresAt: Date.now() + (json.expires_in ?? 28800) * 1000, // default 8h
+        };
+        (0, runtime_1.emitNervesEvent)({
+            component: "engine",
+            event: "engine.anthropic_token_refreshed",
+            message: "anthropic OAuth token refreshed",
+            meta: { expiresAt: new Date(state.expiresAt).toISOString() },
+        });
+        return state;
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "engine",
+            event: "engine.anthropic_token_refresh_error",
+            message: "token refresh threw",
+            meta: { error: error instanceof Error ? error.message : String(error) },
+        });
+        return null;
+    }
+}
+/**
+ * Persist refreshed token state back to secrets.json.
+ */
+function persistTokenState(agentName, state) {
+    try {
+        const secretsPath = (0, identity_1.getAgentSecretsPath)(agentName);
+        const raw = fs.readFileSync(secretsPath, "utf-8");
+        const secrets = JSON.parse(raw);
+        secrets.providers = secrets.providers ?? {};
+        secrets.providers.anthropic = secrets.providers.anthropic ?? {};
+        secrets.providers.anthropic.setupToken = state.accessToken;
+        secrets.providers.anthropic.refreshToken = state.refreshToken;
+        secrets.providers.anthropic.expiresAt = state.expiresAt;
+        fs.writeFileSync(secretsPath, JSON.stringify(secrets, null, 2) + "\n", "utf-8");
+        /* v8 ignore start -- defensive: persistence failure must not crash the provider @preserve */
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "engine",
+            event: "engine.anthropic_token_persist_error",
+            message: "failed to persist refreshed token",
+            meta: { error: error instanceof Error ? error.message : String(error) },
+        });
+    }
+    /* v8 ignore stop */
+}
+/**
+ * Ensure the Anthropic token is fresh. If expired, refresh and persist.
+ * Returns the current valid access token, or null if refresh failed and
+ * the existing token is expired.
+ */
+async function ensureFreshToken(currentToken, refreshToken, expiresAt, agentName, fetchImpl) {
+    if (!needsRefresh(expiresAt)) {
+        return currentToken; // still fresh
+    }
+    if (!refreshToken) {
+        // No refresh token — use the current token as-is (may be expired)
+        return currentToken;
+    }
+    const newState = await refreshAnthropicToken(refreshToken, fetchImpl);
+    if (!newState) {
+        return currentToken; // refresh failed — try the old token
+    }
+    persistTokenState(agentName, newState);
+    return newState.accessToken;
+}
+/* v8 ignore stop */

package/dist/heart/providers/anthropic.js

@@ -1,14 +1,51 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
+exports.toAnthropicMessages = toAnthropicMessages;
+exports.classifyAnthropicError = classifyAnthropicError;
 exports.createAnthropicProviderRuntime = createAnthropicProviderRuntime;
 const sdk_1 = __importDefault(require("@anthropic-ai/sdk"));
 const config_1 = require("../config");
 const identity_1 = require("../identity");
 const runtime_1 = require("../../nerves/runtime");
 const streaming_1 = require("../streaming");
+const model_capabilities_1 = require("../model-capabilities");
+const error_classification_1 = require("./error-classification");
 const ANTHROPIC_SETUP_TOKEN_PREFIX = "sk-ant-oat01-";
 const ANTHROPIC_SETUP_TOKEN_MIN_LENGTH = 80;
 const ANTHROPIC_OAUTH_BETA_HEADER = "claude-code-20250219,oauth-2025-04-20,fine-grained-tool-streaming-2025-05-14,interleaved-thinking-2025-05-14";
@@ -22,10 +59,10 @@ function getAnthropicSetupTokenInstructions() {
     const agentName = getAnthropicAgentNameForGuidance();
     return [
         "Fix:",
-        `  1. Run \`npm run auth:claude-setup-token -- --agent ${agentName}\``,
-        "     (or run `claude setup-token` and paste the token manually)",
+        `  1. Run \`ouro auth --agent ${agentName}\``,
         `  2. Open ${getAnthropicSecretsPathForGuidance()}`,
         "  3. Confirm providers.anthropic.setupToken is set",
+        "  4. After reauth, retry the failed ouro command or reconnect this session.",
     ].join("\n");
 }
 function getAnthropicReauthGuidance(reason) {
@@ -93,6 +130,18 @@ function toAnthropicMessages(messages) {
         if (msg.role === "assistant") {
             const assistant = msg;
             const blocks = [];
+            // Restore thinking blocks before text/tool_use blocks
+            const thinkingBlocks = assistant._thinking_blocks;
+            if (thinkingBlocks) {
+                for (const tb of thinkingBlocks) {
+                    if (tb.type === "thinking") {
+                        blocks.push({ type: "thinking", thinking: tb.thinking, signature: tb.signature });
+                    }
+                    else {
+                        blocks.push({ type: "redacted_thinking", data: tb.data });
+                    }
+                }
+            }
             const text = toAnthropicTextContent(assistant.content);
             if (text) {
                 blocks.push({ type: "text", text });
@@ -173,53 +222,64 @@ function mergeAnthropicToolArguments(current, partial) {
     }
     return current + partial;
 }
+function classifyAnthropicError(error) {
+    return (0, error_classification_1.classifyHttpError)(error, {
+        isAuthFailure: isAnthropicAuthFailure,
+        isServerError: (e) => e.status === 529,
+    });
+}
 function isAnthropicAuthFailure(error) {
-    if (!(error instanceof Error))
-        return false;
-    const status = error.status;
-    if (status === 401 || status === 403)
-        return true;
     const lower = error.message.toLowerCase();
     return (lower.includes("oauth authentication") ||
         lower.includes("authentication failed") ||
         lower.includes("unauthorized") ||
         lower.includes("invalid api key"));
 }
-function withAnthropicAuthGuidance(error) {
-    const base = error instanceof Error ? error.message : String(error);
-    if (isAnthropicAuthFailure(error)) {
-        return new Error(getAnthropicReauthGuidance(`Anthropic authentication failed (${base}).`));
-    }
-    return error instanceof Error ? error : new Error(String(error));
-}
 async function streamAnthropicMessages(client, model, request) {
     const { system, messages } = toAnthropicMessages(request.messages);
     const anthropicTools = toAnthropicTools(request.activeTools);
+    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);
+    const maxTokens = modelCaps.maxOutputTokens ?? 16384;
     const params = {
         model,
-        max_tokens: 4096,
+        max_tokens: maxTokens,
         messages,
         stream: true,
+        thinking: { type: "adaptive" },
+        output_config: { effort: request.reasoningEffort ?? "medium" },
     };
-    if (system)
-        params.system = system;
+    // The Anthropic API requires a Claude Code identification block in the system
+    // prompt when using OAuth setup tokens (sk-ant-oat01). Without it, Opus/Sonnet
+    // 4.6 requests are rejected with 400. This is the API's validation that the
+    // token is being used by a Claude Code client.
+    const claudeCodePreamble = { type: "text", text: "You are Claude Code, Anthropic's official CLI for Claude." };
+    if (system) {
+        params.system = [claudeCodePreamble, { type: "text", text: system }];
+    }
+    else {
+        params.system = [claudeCodePreamble];
+    }
     if (anthropicTools.length > 0)
         params.tools = anthropicTools;
     if (request.toolChoiceRequired && anthropicTools.length > 0) {
-        params.tool_choice = { type: "any" };
+        // Thinking (adaptive or enabled) only supports tool_choice "auto" or "none".
+        // "any" forces tool use which is incompatible with extended thinking.
+        params.tool_choice = params.thinking ? { type: "auto" } : /* v8 ignore next -- no-thinking path: thinking always set for 4.6 models @preserve */ { type: "any" };
     }
     let response;
     try {
         response = await client.messages.create(params, request.signal ? { signal: request.signal } : {});
     }
     catch (error) {
-        throw withAnthropicAuthGuidance(error);
+        throw error instanceof Error ? error : new Error(String(error));
     }
     let content = "";
     let streamStarted = false;
     let usage;
     const toolCalls = new Map();
-    const answerStreamer = new streaming_1.FinalAnswerStreamer(request.callbacks);
+    const thinkingBlocks = new Map();
+    const redactedBlocks = new Map();
+    const answerStreamer = new streaming_1.SettleStreamer(request.callbacks, request.eagerSettleStreaming);
     try {
         for await (const event of response) {
             if (request.signal?.aborted)
@@ -227,8 +287,14 @@ async function streamAnthropicMessages(client, model, request) {
             const eventType = String(event.type ?? "");
             if (eventType === "content_block_start") {
                 const block = event.content_block;
-                if (block?.type === "tool_use") {
-                    const index = Number(event.index);
+                const index = Number(event.index);
+                if (block?.type === "thinking") {
+                    thinkingBlocks.set(index, { type: "thinking", thinking: "", signature: "" });
+                }
+                else if (block?.type === "redacted_thinking") {
+                    redactedBlocks.set(index, { type: "redacted_thinking", data: String(block.data ?? "") });
+                }
+                else if (block?.type === "tool_use") {
                     const rawInput = block.input;
                     const input = rawInput && typeof rawInput === "object"
                         ? JSON.stringify(rawInput)
@@ -239,9 +305,9 @@ async function streamAnthropicMessages(client, model, request) {
                         name,
                         arguments: input,
                     });
-                    // Activate eager streaming for sole final_answer tool call
-                    /* v8 ignore next -- final_answer streaming activation, tested via FinalAnswerStreamer unit tests @preserve */
-                    if (name === "final_answer" && toolCalls.size === 1) {
+                    // Activate eager streaming for sole settle tool call
+                    /* v8 ignore next -- settle streaming activation, tested via SettleStreamer unit tests @preserve */
+                    if (name === "settle" && toolCalls.size === 1) {
                         answerStreamer.activate();
                     }
                 }
@@ -265,7 +331,19 @@ async function streamAnthropicMessages(client, model, request) {
                         request.callbacks.onModelStreamStart();
                         streamStarted = true;
                     }
-                    request.callbacks.onReasoningChunk(String(delta?.thinking ?? ""));
+                    const thinkingText = String(delta?.thinking ?? "");
+                    request.callbacks.onReasoningChunk(thinkingText);
+                    const thinkingIndex = Number(event.index);
+                    const thinkingBlock = thinkingBlocks.get(thinkingIndex);
+                    if (thinkingBlock)
+                        thinkingBlock.thinking += thinkingText;
+                    continue;
+                }
+                if (deltaType === "signature_delta") {
+                    const sigIndex = Number(event.index);
+                    const sigBlock = thinkingBlocks.get(sigIndex);
+                    if (sigBlock)
+                        sigBlock.signature += String(delta?.signature ?? "");
                     continue;
                 }
                 if (deltaType === "input_json_delta") {
@@ -274,8 +352,8 @@ async function streamAnthropicMessages(client, model, request) {
                     if (existing) {
                         const partialJson = String(delta?.partial_json ?? "");
                         existing.arguments = mergeAnthropicToolArguments(existing.arguments, partialJson);
-                        /* v8 ignore next -- final_answer delta streaming, tested via FinalAnswerStreamer unit tests @preserve */
-                        if (existing.name === "final_answer" && toolCalls.size === 1) {
+                        /* v8 ignore next -- settle delta streaming, tested via SettleStreamer unit tests @preserve */
+                        if (existing.name === "settle" && toolCalls.size === 1) {
                             answerStreamer.processDelta(partialJson);
                         }
                     }
@@ -299,17 +377,25 @@ async function streamAnthropicMessages(client, model, request) {
         }
     }
     catch (error) {
-        throw withAnthropicAuthGuidance(error);
+        throw error instanceof Error ? error : /* v8 ignore next -- defensive: stream errors are always Error @preserve */ new Error(String(error));
     }
+    // Collect all thinking blocks (regular + redacted) sorted by index to preserve ordering
+    const allThinkingIndices = [...thinkingBlocks.keys(), ...redactedBlocks.keys()].sort((a, b) => a - b);
+    const outputItems = allThinkingIndices.map((idx) => {
+        const tb = thinkingBlocks.get(idx);
+        if (tb)
+            return tb;
+        return redactedBlocks.get(idx);
+    });
     return {
         content,
         toolCalls: [...toolCalls.values()],
-        outputItems: [],
+        outputItems,
         usage,
-        finalAnswerStreamed: answerStreamer.streamed,
+        settleStreamed: answerStreamer.streamed,
     };
 }
-function createAnthropicProviderRuntime() {
+function createAnthropicProviderRuntime(model) {
     (0, runtime_1.emitNervesEvent)({
         component: "engine",
         event: "engine.provider_init",
@@ -317,30 +403,67 @@ function createAnthropicProviderRuntime() {
         meta: { provider: "anthropic" },
     });
     const anthropicConfig = (0, config_1.getAnthropicConfig)();
-    if (!(anthropicConfig.model && anthropicConfig.setupToken)) {
-        throw new Error(getAnthropicReauthGuidance("provider 'anthropic' is selected in agent.json but providers.anthropic.model/setupToken is incomplete in secrets.json."));
+    if (!anthropicConfig.setupToken) {
+        throw new Error(getAnthropicReauthGuidance("provider 'anthropic' is selected in agent.json but providers.anthropic.setupToken is missing in secrets.json."));
     }
+    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);
+    const capabilities = new Set();
+    if (modelCaps.reasoningEffort)
+        capabilities.add("reasoning-effort");
     const credential = resolveAnthropicSetupTokenCredential();
-    const client = new sdk_1.default({
-        authToken: credential.token,
-        timeout: 30000,
-        maxRetries: 0,
-        defaultHeaders: {
-            "anthropic-beta": ANTHROPIC_OAUTH_BETA_HEADER,
-        },
-    });
+    const refreshToken = anthropicConfig.refreshToken;
+    const expiresAt = anthropicConfig.expiresAt;
+    function createClient(token) {
+        return new sdk_1.default({
+            authToken: token,
+            maxRetries: 0,
+            defaultHeaders: {
+                "anthropic-beta": ANTHROPIC_OAUTH_BETA_HEADER,
+                "anthropic-dangerous-direct-browser-access": "true",
+                "user-agent": "claude-cli/2.1.2 (external, cli)",
+                "x-app": "cli",
+            },
+        });
+    }
+    let currentToken = credential.token;
+    let client = createClient(currentToken);
+    /* v8 ignore start -- token refresh: dynamic import + ensureFreshToken, tested via integration @preserve */
+    async function ensureClient() {
+        try {
+            const { ensureFreshToken } = await Promise.resolve().then(() => __importStar(require("./anthropic-token")));
+            const { getAgentName } = await Promise.resolve().then(() => __importStar(require("../identity")));
+            const freshToken = await ensureFreshToken(currentToken, refreshToken, expiresAt, getAgentName());
+            if (freshToken !== currentToken) {
+                currentToken = freshToken;
+                client = createClient(freshToken);
+            }
+        }
+        catch {
+            // refresh failed — use existing client
+        }
+        return client;
+    }
+    /* v8 ignore stop */
     return {
         id: "anthropic",
-        model: anthropicConfig.model,
-        client,
+        model,
+        /* v8 ignore next -- getter: returns mutable client ref @preserve */
+        get client() { return client; },
+        capabilities,
+        supportedReasoningEfforts: modelCaps.reasoningEffort,
         resetTurnState(_messages) {
             // Anthropic request payload is derived from canonical messages each turn.
         },
         appendToolOutput(_callId, _output) {
             // Anthropic uses canonical messages for tool_result tracking.
         },
-        streamTurn(request) {
-            return streamAnthropicMessages(client, anthropicConfig.model, request);
+        async streamTurn(request) {
+            const freshClient = await ensureClient();
+            return streamAnthropicMessages(freshClient, model, request);
+        },
+        /* v8 ignore next 3 -- delegation: classification logic tested via classifyAnthropicError @preserve */
+        classifyError(error) {
+            return classifyAnthropicError(error);
         },
     };
 }