@ouro.bot/cli 0.1.0-alpha.56 → 0.1.0-alpha.560

package/dist/heart/provider-visibility.js

@@ -0,0 +1,188 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildAgentProviderVisibility = buildAgentProviderVisibility;
+exports.formatProviderVisibilityLine = formatProviderVisibilityLine;
+exports.formatAgentProviderVisibilityForPrompt = formatAgentProviderVisibilityForPrompt;
+exports.formatAgentProviderVisibilityForStartOfTurn = formatAgentProviderVisibilityForStartOfTurn;
+exports.formatAgentProviderVisibilityForPulse = formatAgentProviderVisibilityForPulse;
+exports.providerVisibilityStatusRows = providerVisibilityStatusRows;
+exports.isAgentProviderVisibility = isAgentProviderVisibility;
+const runtime_1 = require("../nerves/runtime");
+const provider_binding_resolver_1 = require("./provider-binding-resolver");
+const LANES = ["outward", "inner"];
+function credentialVisibility(binding) {
+    const credential = binding.credential;
+    if (credential.status === "present") {
+        return {
+            status: "present",
+            source: credential.source,
+            revision: credential.revision,
+        };
+    }
+    return {
+        status: credential.status,
+        ...("repair" in credential ? { repairCommand: credential.repair.command } : {}),
+    };
+}
+function readinessVisibility(binding) {
+    return {
+        status: binding.readiness.status,
+        ...(binding.readiness.checkedAt ? { checkedAt: binding.readiness.checkedAt } : {}),
+        ...(binding.readiness.error ? { error: binding.readiness.error } : {}),
+        ...(binding.readiness.reason ? { reason: binding.readiness.reason } : {}),
+        ...(binding.readiness.attempts !== undefined ? { attempts: binding.readiness.attempts } : {}),
+    };
+}
+function visibilityForLane(input, lane) {
+    const resolved = (0, provider_binding_resolver_1.resolveEffectiveProviderBinding)({ ...input, lane });
+    if (!resolved.ok) {
+        return {
+            lane,
+            status: "unconfigured",
+            provider: "unconfigured",
+            model: "-",
+            source: "missing",
+            readiness: {
+                status: "unknown",
+                reason: resolved.reason,
+            },
+            credential: {
+                status: "missing",
+                repairCommand: resolved.repair.command,
+            },
+            repairCommand: resolved.repair.command,
+            reason: resolved.reason,
+            warnings: resolved.warnings.map((warning) => warning.message),
+        };
+    }
+    return {
+        lane,
+        status: "configured",
+        provider: resolved.binding.provider,
+        model: resolved.binding.model,
+        source: resolved.binding.source,
+        readiness: readinessVisibility(resolved.binding),
+        credential: credentialVisibility(resolved.binding),
+        warnings: resolved.binding.warnings.map((warning) => warning.message),
+    };
+}
+function buildAgentProviderVisibility(input) {
+    const visibility = {
+        agentName: input.agentName,
+        lanes: LANES.map((lane) => visibilityForLane(input, lane)),
+    };
+    (0, runtime_1.emitNervesEvent)({
+        component: "config/identity",
+        event: "config.provider_visibility_built",
+        message: "built provider visibility summary",
+        meta: {
+            agentName: input.agentName,
+            laneStatuses: visibility.lanes.map((lane) => `${lane.lane}:${lane.status}`).join(","),
+        },
+    });
+    return visibility;
+}
+function credentialLabel(credential) {
+    if (credential.status === "present")
+        return credential.source ?? "vault";
+    if (credential.status === "invalid-pool")
+        return "vault unavailable";
+    if (credential.status === "not-loaded")
+        return "checked previously";
+    return "missing";
+}
+function readinessLabel(readiness) {
+    if (readiness.status === "failed") {
+        return readiness.error ? `failed: ${readiness.error}` : "failed";
+    }
+    if (readiness.status === "stale") {
+        return readiness.reason ? `stale: ${readiness.reason}` : "stale";
+    }
+    if (readiness.status === "unknown") {
+        return readiness.reason ? `unknown: ${readiness.reason}` : "unknown";
+    }
+    return readiness.status;
+}
+function providerStatusDetail(lane) {
+    if (lane.credential.status === "missing" || lane.credential.status === "invalid-pool")
+        return undefined;
+    return lane.readiness.error;
+}
+function formatProviderVisibilityLine(lane) {
+    if (lane.status === "unconfigured") {
+        return `${lane.lane}: unconfigured (${lane.reason}); repair: ${lane.repairCommand}`;
+    }
+    const parts = [
+        readinessLabel(lane.readiness),
+        `source: ${lane.source}`,
+        `credentials: ${credentialLabel(lane.credential)}`,
+    ];
+    if (lane.credential.revision)
+        parts.push(`revision: ${lane.credential.revision}`);
+    if (lane.credential.repairCommand)
+        parts.push(`repair: ${lane.credential.repairCommand}`);
+    if (lane.warnings.length > 0)
+        parts.push(`warnings: ${lane.warnings.join("; ")}`);
+    return `${lane.lane}: ${lane.provider} / ${lane.model} [${parts.join("; ")}]`;
+}
+function formatAgentProviderVisibilityForPrompt(visibility) {
+    if (visibility.lanes.every((lane) => lane.status === "unconfigured")) {
+        return [
+            "provider bindings are not configured in agent.json.",
+            ...visibility.lanes.map((lane) => `- ${formatProviderVisibilityLine(lane)}`),
+        ].join("\n");
+    }
+    return [
+        "runtime uses provider bindings from agent.json:",
+        ...visibility.lanes.map((lane) => `- ${formatProviderVisibilityLine(lane)}`),
+    ].join("\n");
+}
+function formatAgentProviderVisibilityForStartOfTurn(visibility) {
+    return visibility.lanes.map((lane) => `- ${formatProviderVisibilityLine(lane)}`).join("\n");
+}
+function formatAgentProviderVisibilityForPulse(visibility) {
+    return visibility.lanes.map((lane) => formatProviderVisibilityLine(lane)).join("; ");
+}
+function providerVisibilityStatusRows(visibility) {
+    return visibility.lanes.map((lane) => {
+        if (lane.status === "unconfigured") {
+            return {
+                agent: visibility.agentName,
+                lane: lane.lane,
+                provider: "unconfigured",
+                model: "-",
+                source: "missing",
+                readiness: "unknown",
+                detail: lane.repairCommand,
+                credential: "missing",
+            };
+        }
+        const detail = providerStatusDetail(lane);
+        return {
+            agent: visibility.agentName,
+            lane: lane.lane,
+            provider: lane.provider,
+            model: lane.model,
+            source: lane.source,
+            readiness: lane.readiness.status,
+            ...(detail ? { detail } : {}),
+            credential: credentialLabel(lane.credential),
+        };
+    });
+}
+function isAgentProviderVisibility(value) {
+    if (!value || typeof value !== "object" || Array.isArray(value))
+        return false;
+    const record = value;
+    if (typeof record.agentName !== "string")
+        return false;
+    if (!Array.isArray(record.lanes))
+        return false;
+    return record.lanes.every((lane) => {
+        if (!lane || typeof lane !== "object" || Array.isArray(lane))
+            return false;
+        const laneRecord = lane;
+        return (laneRecord.lane === "outward" || laneRecord.lane === "inner")
+            && (laneRecord.status === "configured" || laneRecord.status === "unconfigured");
+    });
+}

package/dist/heart/providers/anthropic-token.js

@@ -0,0 +1,131 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.needsRefresh = needsRefresh;
+exports.refreshAnthropicToken = refreshAnthropicToken;
+exports.persistTokenState = persistTokenState;
+exports.ensureFreshToken = ensureFreshToken;
+/* v8 ignore start -- OAuth token lifecycle: requires live API calls, tested via integration @preserve */
+const runtime_1 = require("../../nerves/runtime");
+const provider_credentials_1 = require("../provider-credentials");
+const OAUTH_TOKEN_ENDPOINT = "https://console.anthropic.com/v1/oauth/token";
+const OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+const REFRESH_MARGIN_MS = 5 * 60 * 1000; // refresh 5 minutes before expiry
+/**
+ * Check if the Anthropic OAuth token needs refreshing.
+ * Returns true if no expiresAt is set (legacy token) or if within 5 min of expiry.
+ */
+function needsRefresh(expiresAt) {
+    if (!expiresAt)
+        return true; // legacy token with no expiry — always try refresh
+    return Date.now() > expiresAt - REFRESH_MARGIN_MS;
+}
+/**
+ * Refresh an Anthropic OAuth access token using the refresh token.
+ * Returns the new token state or null if refresh fails.
+ */
+async function refreshAnthropicToken(refreshToken, fetchImpl = fetch) {
+    try {
+        const response = await fetchImpl(OAUTH_TOKEN_ENDPOINT, {
+            method: "POST",
+            headers: { "Content-Type": "application/json" },
+            body: JSON.stringify({
+                grant_type: "refresh_token",
+                refresh_token: refreshToken,
+                client_id: OAUTH_CLIENT_ID,
+            }),
+        });
+        if (!response.ok) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                component: "engine",
+                event: "engine.anthropic_token_refresh_failed",
+                message: `token refresh failed: ${response.status}`,
+                meta: { status: response.status },
+            });
+            return null;
+        }
+        const json = await response.json();
+        if (!json.access_token) {
+            (0, runtime_1.emitNervesEvent)({
+                level: "warn",
+                component: "engine",
+                event: "engine.anthropic_token_refresh_failed",
+                message: "token refresh returned no access_token",
+                meta: {},
+            });
+            return null;
+        }
+        const state = {
+            accessToken: json.access_token,
+            refreshToken: json.refresh_token ?? refreshToken, // keep old if not returned
+            expiresAt: Date.now() + (json.expires_in ?? 28800) * 1000, // default 8h
+        };
+        (0, runtime_1.emitNervesEvent)({
+            component: "engine",
+            event: "engine.anthropic_token_refreshed",
+            message: "anthropic OAuth token refreshed",
+            meta: { expiresAt: new Date(state.expiresAt).toISOString() },
+        });
+        return state;
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "engine",
+            event: "engine.anthropic_token_refresh_error",
+            message: "token refresh threw",
+            meta: { error: error instanceof Error ? error.message : String(error) },
+        });
+        return null;
+    }
+}
+/**
+ * Persist refreshed token state back to the agent vault.
+ */
+async function persistTokenState(agentName, state) {
+    try {
+        await (0, provider_credentials_1.upsertProviderCredential)({
+            agentName,
+            provider: "anthropic",
+            credentials: {
+                setupToken: state.accessToken,
+                refreshToken: state.refreshToken,
+                expiresAt: state.expiresAt,
+            },
+            config: {},
+            provenance: { source: "auth-flow" },
+        });
+        /* v8 ignore start -- defensive: persistence failure must not crash the provider @preserve */
+    }
+    catch (error) {
+        (0, runtime_1.emitNervesEvent)({
+            level: "warn",
+            component: "engine",
+            event: "engine.anthropic_token_persist_error",
+            message: "failed to persist refreshed token",
+            meta: { error: error instanceof Error ? error.message : String(error) },
+        });
+    }
+    /* v8 ignore stop */
+}
+/**
+ * Ensure the Anthropic token is fresh. If expired, refresh and persist.
+ * Returns the current valid access token, or null if refresh failed and
+ * the existing token is expired.
+ */
+async function ensureFreshToken(currentToken, refreshToken, expiresAt, agentName, fetchImpl) {
+    if (!needsRefresh(expiresAt)) {
+        return currentToken; // still fresh
+    }
+    if (!refreshToken) {
+        // No refresh token — use the current token as-is (may be expired)
+        return currentToken;
+    }
+    const newState = await refreshAnthropicToken(refreshToken, fetchImpl);
+    if (!newState) {
+        return currentToken; // refresh failed — try the old token
+    }
+    await persistTokenState(agentName, newState);
+    return newState.accessToken;
+}
+/* v8 ignore stop */

package/dist/heart/providers/anthropic.js

@@ -1,9 +1,43 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.toAnthropicMessages = toAnthropicMessages;
+exports.classifyAnthropicError = classifyAnthropicError;
 exports.createAnthropicProviderRuntime = createAnthropicProviderRuntime;
 const sdk_1 = __importDefault(require("@anthropic-ai/sdk"));
 const config_1 = require("../config");
@@ -11,12 +45,10 @@ const identity_1 = require("../identity");
 const runtime_1 = require("../../nerves/runtime");
 const streaming_1 = require("../streaming");
 const model_capabilities_1 = require("../model-capabilities");
+const error_classification_1 = require("./error-classification");
 const ANTHROPIC_SETUP_TOKEN_PREFIX = "sk-ant-oat01-";
 const ANTHROPIC_SETUP_TOKEN_MIN_LENGTH = 80;
 const ANTHROPIC_OAUTH_BETA_HEADER = "claude-code-20250219,oauth-2025-04-20,fine-grained-tool-streaming-2025-05-14,interleaved-thinking-2025-05-14";
-function getAnthropicSecretsPathForGuidance() {
-    return (0, identity_1.getAgentSecretsPath)();
-}
 function getAnthropicAgentNameForGuidance() {
     return (0, identity_1.getAgentName)();
 }
@@ -24,10 +56,8 @@ function getAnthropicSetupTokenInstructions() {
     const agentName = getAnthropicAgentNameForGuidance();
     return [
         "Fix:",
-        `  1. Run \`ouro auth --agent ${agentName}\``,
-        `  2. Open ${getAnthropicSecretsPathForGuidance()}`,
-        "  3. Confirm providers.anthropic.setupToken is set",
-        "  4. After reauth, retry the failed ouro command or reconnect this session.",
+        `  1. Run \`ouro auth --agent ${agentName} --provider anthropic\``,
+        "  2. After reauth, retry the failed ouro command or reconnect this session.",
     ].join("\n");
 }
 function getAnthropicReauthGuidance(reason) {
@@ -37,8 +67,7 @@ function getAnthropicReauthGuidance(reason) {
         getAnthropicSetupTokenInstructions(),
     ].join("\n");
 }
-function resolveAnthropicSetupTokenCredential() {
-    const anthropicConfig = (0, config_1.getAnthropicConfig)();
+function resolveAnthropicSetupTokenCredential(anthropicConfig) {
     const token = anthropicConfig.setupToken?.trim();
     if (!token) {
         throw new Error(getAnthropicReauthGuidance("Anthropic provider is selected but no setup-token credential was found."));
@@ -187,25 +216,19 @@ function mergeAnthropicToolArguments(current, partial) {
     }
     return current + partial;
 }
+function classifyAnthropicError(error) {
+    return (0, error_classification_1.classifyHttpError)(error, {
+        isAuthFailure: isAnthropicAuthFailure,
+        isServerError: (e) => e.status === 529,
+    });
+}
 function isAnthropicAuthFailure(error) {
-    if (!(error instanceof Error))
-        return false;
-    const status = error.status;
-    if (status === 401 || status === 403)
-        return true;
     const lower = error.message.toLowerCase();
     return (lower.includes("oauth authentication") ||
         lower.includes("authentication failed") ||
         lower.includes("unauthorized") ||
         lower.includes("invalid api key"));
 }
-function withAnthropicAuthGuidance(error) {
-    const base = error instanceof Error ? error.message : String(error);
-    if (isAnthropicAuthFailure(error)) {
-        return new Error(getAnthropicReauthGuidance(`Anthropic authentication failed (${base}).`));
-    }
-    return error instanceof Error ? error : new Error(String(error));
-}
 async function streamAnthropicMessages(client, model, request) {
     const { system, messages } = toAnthropicMessages(request.messages);
     const anthropicTools = toAnthropicTools(request.activeTools);
@@ -216,21 +239,49 @@ async function streamAnthropicMessages(client, model, request) {
         max_tokens: maxTokens,
         messages,
         stream: true,
-        thinking: { type: "adaptive", effort: request.reasoningEffort ?? "medium" },
+        thinking: { type: "adaptive" },
+        output_config: { effort: request.reasoningEffort ?? "medium" },
     };
-    if (system)
-        params.system = system;
+    // The Anthropic API requires a Claude Code identification block in the system
+    // prompt when using OAuth setup tokens (sk-ant-oat01). Without it, Opus/Sonnet
+    // 4.6 requests are rejected with 400. This is the API's validation that the
+    // token is being used by a Claude Code client.
+    const preambleText = "You are Claude Code, Anthropic's official CLI for Claude.";
+    if (request.systemPrompt) {
+        // Structured SystemPrompt: merge preamble + stable prefix into one cached block,
+        // volatile suffix as a separate uncached block.
+        const stableBlock = {
+            type: "text",
+            text: preambleText + "\n\n" + request.systemPrompt.stable,
+            cache_control: { type: "ephemeral" },
+        };
+        if (request.systemPrompt.volatile) {
+            params.system = [stableBlock, { type: "text", text: request.systemPrompt.volatile }];
+        }
+        else {
+            params.system = [stableBlock];
+        }
+    }
+    else if (system) {
+        // Fallback: no structured prompt, extract from messages (legacy path)
+        params.system = [{ type: "text", text: preambleText }, { type: "text", text: system }];
+    }
+    else {
+        params.system = [{ type: "text", text: preambleText }];
+    }
     if (anthropicTools.length > 0)
         params.tools = anthropicTools;
     if (request.toolChoiceRequired && anthropicTools.length > 0) {
-        params.tool_choice = { type: "any" };
+        // Thinking (adaptive or enabled) only supports tool_choice "auto" or "none".
+        // "any" forces tool use which is incompatible with extended thinking.
+        params.tool_choice = params.thinking ? { type: "auto" } : /* v8 ignore next -- no-thinking path: thinking always set for 4.6 models @preserve */ { type: "any" };
     }
     let response;
     try {
         response = await client.messages.create(params, request.signal ? { signal: request.signal } : {});
     }
     catch (error) {
-        throw withAnthropicAuthGuidance(error);
+        throw error instanceof Error ? error : new Error(String(error));
     }
     let content = "";
     let streamStarted = false;
@@ -238,7 +289,7 @@ async function streamAnthropicMessages(client, model, request) {
     const toolCalls = new Map();
     const thinkingBlocks = new Map();
     const redactedBlocks = new Map();
-    const answerStreamer = new streaming_1.FinalAnswerStreamer(request.callbacks);
+    const answerStreamer = new streaming_1.SettleStreamer(request.callbacks, request.eagerSettleStreaming);
     try {
         for await (const event of response) {
             if (request.signal?.aborted)
@@ -264,9 +315,9 @@ async function streamAnthropicMessages(client, model, request) {
                         name,
                         arguments: input,
                     });
-                    // Activate eager streaming for sole final_answer tool call
-                    /* v8 ignore next -- final_answer streaming activation, tested via FinalAnswerStreamer unit tests @preserve */
-                    if (name === "final_answer" && toolCalls.size === 1) {
+                    // Activate eager streaming for sole settle tool call
+                    /* v8 ignore next -- settle streaming activation, tested via SettleStreamer unit tests @preserve */
+                    if (name === "settle" && toolCalls.size === 1) {
                         answerStreamer.activate();
                     }
                 }
@@ -311,8 +362,8 @@ async function streamAnthropicMessages(client, model, request) {
                     if (existing) {
                         const partialJson = String(delta?.partial_json ?? "");
                         existing.arguments = mergeAnthropicToolArguments(existing.arguments, partialJson);
-                        /* v8 ignore next -- final_answer delta streaming, tested via FinalAnswerStreamer unit tests @preserve */
-                        if (existing.name === "final_answer" && toolCalls.size === 1) {
+                        /* v8 ignore next -- settle delta streaming, tested via SettleStreamer unit tests @preserve */
+                        if (existing.name === "settle" && toolCalls.size === 1) {
                             answerStreamer.processDelta(partialJson);
                         }
                     }
@@ -336,7 +387,7 @@ async function streamAnthropicMessages(client, model, request) {
         }
     }
     catch (error) {
-        throw withAnthropicAuthGuidance(error);
+        throw error instanceof Error ? error : /* v8 ignore next -- defensive: stream errors are always Error @preserve */ new Error(String(error));
     }
     // Collect all thinking blocks (regular + redacted) sorted by index to preserve ordering
     const allThinkingIndices = [...thinkingBlocks.keys(), ...redactedBlocks.keys()].sort((a, b) => a - b);
@@ -351,37 +402,62 @@ async function streamAnthropicMessages(client, model, request) {
         toolCalls: [...toolCalls.values()],
         outputItems,
         usage,
-        finalAnswerStreamed: answerStreamer.streamed,
+        settleStreamed: answerStreamer.streamed,
     };
 }
-function createAnthropicProviderRuntime() {
+function createAnthropicProviderRuntime(model, anthropicConfig = (0, config_1.getAnthropicConfig)()) {
     (0, runtime_1.emitNervesEvent)({
         component: "engine",
         event: "engine.provider_init",
         message: "anthropic provider init",
         meta: { provider: "anthropic" },
     });
-    const anthropicConfig = (0, config_1.getAnthropicConfig)();
-    if (!(anthropicConfig.model && anthropicConfig.setupToken)) {
-        throw new Error(getAnthropicReauthGuidance("provider 'anthropic' is selected in agent.json but providers.anthropic.model/setupToken is incomplete in secrets.json."));
+    if (!anthropicConfig.setupToken) {
+        throw new Error(getAnthropicReauthGuidance("provider 'anthropic' is selected but anthropic.setupToken is missing in the agent vault."));
     }
-    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(anthropicConfig.model);
+    const modelCaps = (0, model_capabilities_1.getModelCapabilities)(model);
     const capabilities = new Set();
     if (modelCaps.reasoningEffort)
         capabilities.add("reasoning-effort");
-    const credential = resolveAnthropicSetupTokenCredential();
-    const client = new sdk_1.default({
-        authToken: credential.token,
-        timeout: 30000,
-        maxRetries: 0,
-        defaultHeaders: {
-            "anthropic-beta": ANTHROPIC_OAUTH_BETA_HEADER,
-        },
-    });
+    const credential = resolveAnthropicSetupTokenCredential(anthropicConfig);
+    const refreshToken = anthropicConfig.refreshToken;
+    const expiresAt = anthropicConfig.expiresAt;
+    function createClient(token) {
+        return new sdk_1.default({
+            authToken: token,
+            maxRetries: 0,
+            defaultHeaders: {
+                "anthropic-beta": ANTHROPIC_OAUTH_BETA_HEADER,
+                "anthropic-dangerous-direct-browser-access": "true",
+                "user-agent": "claude-cli/2.1.2 (external, cli)",
+                "x-app": "cli",
+            },
+        });
+    }
+    let currentToken = credential.token;
+    let client = createClient(currentToken);
+    /* v8 ignore start -- token refresh: dynamic import + ensureFreshToken, tested via integration @preserve */
+    async function ensureClient() {
+        try {
+            const { ensureFreshToken } = await Promise.resolve().then(() => __importStar(require("./anthropic-token")));
+            const { getAgentName } = await Promise.resolve().then(() => __importStar(require("../identity")));
+            const freshToken = await ensureFreshToken(currentToken, refreshToken, expiresAt, getAgentName());
+            if (freshToken !== currentToken) {
+                currentToken = freshToken;
+                client = createClient(freshToken);
+            }
+        }
+        catch {
+            // refresh failed — use existing client
+        }
+        return client;
+    }
+    /* v8 ignore stop */
     return {
         id: "anthropic",
-        model: anthropicConfig.model,
-        client,
+        model,
+        /* v8 ignore next -- getter: returns mutable client ref @preserve */
+        get client() { return client; },
         capabilities,
         supportedReasoningEfforts: modelCaps.reasoningEffort,
         resetTurnState(_messages) {
@@ -390,8 +466,19 @@ function createAnthropicProviderRuntime() {
         appendToolOutput(_callId, _output) {
             // Anthropic uses canonical messages for tool_result tracking.
         },
-        streamTurn(request) {
-            return streamAnthropicMessages(client, anthropicConfig.model, request);
+        async streamTurn(request) {
+            const freshClient = await ensureClient();
+            return streamAnthropicMessages(freshClient, model, request);
+        },
+        /* v8 ignore start -- ping: tested via provider-ping.test.ts @preserve */
+        async ping(signal) {
+            const freshClient = await ensureClient();
+            await freshClient.messages.create({ model: "claude-haiku-4-5-20251001", max_tokens: 1, messages: [{ role: "user", content: "ping" }] }, { signal, headers: { "anthropic-beta": "claude-code-20250219,oauth-2025-04-20" } });
+        },
+        /* v8 ignore stop */
+        /* v8 ignore next 3 -- delegation: classification logic tested via classifyAnthropicError @preserve */
+        classifyError(error) {
+            return classifyAnthropicError(error);
         },
     };
 }