@rynfar/meridian 1.24.1 → 1.24.5

package/README.md

@@ -304,6 +304,9 @@ See [`adapters/detect.ts`](src/proxy/adapters/detect.ts) and [`adapters/opencode
 | `MERIDIAN_IDLE_TIMEOUT_SECONDS` | `CLAUDE_PROXY_IDLE_TIMEOUT_SECONDS` | `120` | HTTP keep-alive timeout |
 | `MERIDIAN_TELEMETRY_SIZE` | `CLAUDE_PROXY_TELEMETRY_SIZE` | `1000` | Telemetry ring buffer size |
 | `MERIDIAN_NO_FILE_CHANGES` | `CLAUDE_PROXY_NO_FILE_CHANGES` | unset | Disable "Files changed" summary in responses |
+| `MERIDIAN_SONNET_MODEL` | `CLAUDE_PROXY_SONNET_MODEL` | `sonnet[1m]`* | Force sonnet tier: `sonnet` (200k) or `sonnet[1m]` (1M). Set to `sonnet` if you hit 1M context rate limits frequently |
+
+*`sonnet[1m]` only for Max subscribers with Extra Usage enabled; falls back to `sonnet` automatically otherwise.
 
 ## Programmatic API
 
@@ -371,6 +374,7 @@ See [`examples/opencode-plugin/`](examples/opencode-plugin/) for a reference imp
 | `POST /v1/messages` | Anthropic Messages API |
 | `POST /messages` | Alias for `/v1/messages` |
 | `GET /health` | Auth status, subscription type, mode |
+| `POST /auth/refresh` | Manually refresh the OAuth token |
 | `GET /telemetry` | Performance dashboard |
 | `GET /telemetry/requests` | Recent request metrics (JSON) |
 | `GET /telemetry/summary` | Aggregate statistics (JSON) |
@@ -415,7 +419,21 @@ API keys are billed per token. Your Max subscription is a flat monthly fee with
 It works with any Claude subscription that supports the Claude Code SDK. Max is recommended for the best rate limits.
 
 **What happens if my session expires?**
-The SDK handles token refresh automatically. If it can't refresh, Meridian returns a clear error telling you to run `claude login`.
+OAuth tokens expire roughly every 8 hours. Meridian detects the expiry on the next request, refreshes the token automatically, and retries — so requests continue to work transparently. If the refresh itself fails (e.g. your refresh token has expired after weeks of inactivity), Meridian returns a clear error telling you to run `claude login`.
+
+**Can I trigger a refresh manually?**
+Yes — two options:
+
+```bash
+# CLI (works whether the proxy is running or not)
+meridian refresh-token
+
+# HTTP endpoint (while the proxy is running)
+curl -s -X POST http://127.0.0.1:3456/auth/refresh
+# {"success":true,"message":"OAuth token refreshed successfully"}
+```
+
+The CLI exits 0 on success and 1 on failure, so it integrates cleanly into scripts or health checks.
 
 ## Contributing
 

package/dist/{cli-bjpad5x9.js → cli-9pc43rfa.js}

@@ -1,19 +1,10 @@
-import { createRequire } from "node:module";
-var __defProp = Object.defineProperty;
-var __returnValue = (v) => v;
-function __exportSetter(name, newValue) {
-  this[name] = __returnValue.bind(null, newValue);
-}
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, {
-      get: all[name],
-      enumerable: true,
-      configurable: true,
-      set: __exportSetter.bind(all, name)
-    });
-};
-var __require = /* @__PURE__ */ createRequire(import.meta.url);
+import {
+  __export,
+  __require,
+  claudeLog,
+  refreshOAuthToken,
+  withClaudeLogContext
+} from "./cli-jd4atcxs.js";
 
 // node_modules/hono/dist/compose.js
 var compose = (middleware, onError, onNotFound) => {
@@ -2179,68 +2170,6 @@ var DEFAULT_PROXY_CONFIG = {
   silent: false
 };
 
-// src/logger.ts
-import { AsyncLocalStorage } from "node:async_hooks";
-var contextStore = new AsyncLocalStorage;
-var shouldLog = () => process.env["OPENCODE_CLAUDE_PROVIDER_DEBUG"];
-var shouldLogStreamDebug = () => process.env["OPENCODE_CLAUDE_PROVIDER_STREAM_DEBUG"];
-var isVerboseStreamEvent = (event) => {
-  return event.startsWith("stream.") || event === "response.empty_stream";
-};
-var REDACTED_KEYS = new Set([
-  "authorization",
-  "cookie",
-  "x-api-key",
-  "apiKey",
-  "apikey",
-  "prompt",
-  "messages",
-  "content"
-]);
-var sanitize = (value) => {
-  if (value === null || value === undefined)
-    return value;
-  if (typeof value === "string") {
-    if (value.length > 512) {
-      return `${value.slice(0, 512)}... [truncated=${value.length}]`;
-    }
-    return value;
-  }
-  if (Array.isArray(value)) {
-    return value.map(sanitize);
-  }
-  if (typeof value === "object") {
-    const out = {};
-    for (const [k, v] of Object.entries(value)) {
-      if (REDACTED_KEYS.has(k)) {
-        if (typeof v === "string") {
-          out[k] = `[redacted len=${v.length}]`;
-        } else if (Array.isArray(v)) {
-          out[k] = `[redacted array len=${v.length}]`;
-        } else {
-          out[k] = "[redacted]";
-        }
-      } else {
-        out[k] = sanitize(v);
-      }
-    }
-    return out;
-  }
-  return value;
-};
-var withClaudeLogContext = (context, fn) => {
-  return contextStore.run(context, fn);
-};
-var claudeLog = (event, extra) => {
-  if (!shouldLog())
-    return;
-  if (isVerboseStreamEvent(event) && !shouldLogStreamDebug())
-    return;
-  const context = contextStore.getStore() || {};
-  const payload = sanitize({ ts: new Date().toISOString(), event, ...context, ...extra || {} });
-  console.debug(`[opencode-claude-code-provider] ${JSON.stringify(payload)}`);
-};
-
 // src/proxy/server.ts
 import { exec as execCallback2 } from "child_process";
 import { promisify as promisify3 } from "util";
@@ -6940,6 +6869,13 @@ refresh();setInterval(refresh,10000);
 // src/proxy/errors.ts
 function classifyError(errMsg) {
   const lower = errMsg.toLowerCase();
+  if (lower.includes("oauth token has expired") || lower.includes("not logged in")) {
+    return {
+      status: 401,
+      type: "authentication_error",
+      message: "Claude OAuth token has expired and could not be refreshed automatically. Run 'claude login' in your terminal to re-authenticate."
+    };
+  }
   if (lower.includes("401") || lower.includes("authentication") || lower.includes("invalid auth") || lower.includes("credentials")) {
     return {
       status: 401,
@@ -6948,10 +6884,11 @@ function classifyError(errMsg) {
     };
   }
   if (lower.includes("429") || lower.includes("rate limit") || lower.includes("too many requests")) {
+    const hint = lower.includes("1m") || lower.includes("context") ? " If you're frequently hitting this, set MERIDIAN_SONNET_MODEL=sonnet to use the 200k model instead." : "";
     return {
       status: 429,
       type: "rate_limit_error",
-      message: "Claude Max rate limit reached. Wait a moment and try again."
+      message: `Claude Max rate limit reached. Wait a moment and try again.${hint}`
     };
   }
   if (lower.includes("402") || lower.includes("billing") || lower.includes("subscription") || lower.includes("payment")) {
@@ -7014,6 +6951,10 @@ function classifyError(errMsg) {
     message: errMsg || "Unknown error"
   };
 }
+function isExpiredTokenError(errMsg) {
+  const lower = errMsg.toLowerCase();
+  return lower.includes("oauth token has expired") || lower.includes("not logged in");
+}
 function isStaleSessionError(error) {
   if (!(error instanceof Error))
     return false;
@@ -7023,6 +6964,10 @@ function isRateLimitError(errMsg) {
   const lower = errMsg.toLowerCase();
   return lower.includes("429") || lower.includes("rate limit") || lower.includes("too many requests");
 }
+function isExtraUsageRequiredError(errMsg) {
+  const lower = errMsg.toLowerCase();
+  return lower.includes("extra usage") && lower.includes("1m");
+}
 
 // src/proxy/models.ts
 import { exec as execCallback } from "child_process";
@@ -14352,6 +14297,7 @@ function createProxyServer(config = {}) {
             const RATE_LIMIT_BASE_DELAY_MS = 1000;
             const response = async function* () {
               let rateLimitRetries = 0;
+              let tokenRefreshed = false;
               while (true) {
                 let didYieldContent = false;
                 try {
@@ -14414,6 +14360,27 @@ function createProxyServer(config = {}) {
                     }));
                     return;
                   }
+                  if (isExtraUsageRequiredError(errMsg) && hasExtendedContext(model)) {
+                    const from = model;
+                    model = stripExtendedContext(model);
+                    claudeLog("upstream.context_fallback", {
+                      mode: "non_stream",
+                      from,
+                      to: model,
+                      reason: "extra_usage_required"
+                    });
+                    console.error(`[PROXY] ${requestMeta.requestId} extra usage required for [1m], falling back to ${model}`);
+                    continue;
+                  }
+                  if (isExpiredTokenError(errMsg) && !tokenRefreshed) {
+                    tokenRefreshed = true;
+                    const refreshed = await refreshOAuthToken();
+                    if (refreshed) {
+                      claudeLog("token_refresh.retrying", { mode: "non_stream" });
+                      console.error(`[PROXY] ${requestMeta.requestId} OAuth token expired — refreshed, retrying`);
+                      continue;
+                    }
+                  }
                   if (isRateLimitError(errMsg)) {
                     if (hasExtendedContext(model)) {
                       const from = model;
@@ -14622,6 +14589,7 @@ Subprocess stderr: ${stderrOutput}`;
               const RATE_LIMIT_BASE_DELAY_MS = 1000;
               const response = async function* () {
                 let rateLimitRetries = 0;
+                let tokenRefreshed = false;
                 while (true) {
                   let didYieldClientEvent = false;
                   try {
@@ -14684,6 +14652,27 @@ Subprocess stderr: ${stderrOutput}`;
                       }));
                       return;
                     }
+                    if (isExtraUsageRequiredError(errMsg) && hasExtendedContext(model)) {
+                      const from = model;
+                      model = stripExtendedContext(model);
+                      claudeLog("upstream.context_fallback", {
+                        mode: "stream",
+                        from,
+                        to: model,
+                        reason: "extra_usage_required"
+                      });
+                      console.error(`[PROXY] ${requestMeta.requestId} extra usage required for [1m], falling back to ${model}`);
+                      continue;
+                    }
+                    if (isExpiredTokenError(errMsg) && !tokenRefreshed) {
+                      tokenRefreshed = true;
+                      const refreshed = await refreshOAuthToken();
+                      if (refreshed) {
+                        claudeLog("token_refresh.retrying", { mode: "stream" });
+                        console.error(`[PROXY] ${requestMeta.requestId} OAuth token expired — refreshed, retrying`);
+                        continue;
+                      }
+                    }
                     if (isRateLimitError(errMsg)) {
                       if (hasExtendedContext(model)) {
                         const from = model;
@@ -15127,6 +15116,13 @@ data: ${JSON.stringify({
       });
     }
   });
+  app.post("/auth/refresh", async (c) => {
+    const success = await refreshOAuthToken();
+    if (success) {
+      return c.json({ success: true, message: "OAuth token refreshed successfully" });
+    }
+    return c.json({ success: false, message: "Token refresh failed. If the problem persists, run 'claude login'." }, 500);
+  });
   app.all("*", (c) => {
     console.error(`[PROXY] UNHANDLED ${c.req.method} ${c.req.url}`);
     return c.json({ error: { type: "not_found", message: `Endpoint not supported: ${c.req.method} ${new URL(c.req.url).pathname}` } }, 404);
@@ -15177,4 +15173,4 @@ Or use a different port:`);
   };
 }
 
-export { __require, computeLineageHash, hashMessage, computeMessageHashes, getMaxSessionsLimit, clearSessionCache, createProxyServer, startProxyServer };
+export { computeLineageHash, hashMessage, computeMessageHashes, getMaxSessionsLimit, clearSessionCache, createProxyServer, startProxyServer };

package/dist/cli-jd4atcxs.js

@@ -0,0 +1,220 @@
+import { createRequire } from "node:module";
+var __defProp = Object.defineProperty;
+var __returnValue = (v) => v;
+function __exportSetter(name, newValue) {
+  this[name] = __returnValue.bind(null, newValue);
+}
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, {
+      get: all[name],
+      enumerable: true,
+      configurable: true,
+      set: __exportSetter.bind(all, name)
+    });
+};
+var __require = /* @__PURE__ */ createRequire(import.meta.url);
+
+// src/proxy/tokenRefresh.ts
+import { execFile as execFileCb } from "child_process";
+import { existsSync, readFileSync, writeFileSync } from "fs";
+import { homedir, platform, userInfo } from "os";
+import { promisify } from "util";
+
+// src/logger.ts
+import { AsyncLocalStorage } from "node:async_hooks";
+var contextStore = new AsyncLocalStorage;
+var shouldLog = () => process.env["OPENCODE_CLAUDE_PROVIDER_DEBUG"];
+var shouldLogStreamDebug = () => process.env["OPENCODE_CLAUDE_PROVIDER_STREAM_DEBUG"];
+var isVerboseStreamEvent = (event) => {
+  return event.startsWith("stream.") || event === "response.empty_stream";
+};
+var REDACTED_KEYS = new Set([
+  "authorization",
+  "cookie",
+  "x-api-key",
+  "apiKey",
+  "apikey",
+  "prompt",
+  "messages",
+  "content"
+]);
+var sanitize = (value) => {
+  if (value === null || value === undefined)
+    return value;
+  if (typeof value === "string") {
+    if (value.length > 512) {
+      return `${value.slice(0, 512)}... [truncated=${value.length}]`;
+    }
+    return value;
+  }
+  if (Array.isArray(value)) {
+    return value.map(sanitize);
+  }
+  if (typeof value === "object") {
+    const out = {};
+    for (const [k, v] of Object.entries(value)) {
+      if (REDACTED_KEYS.has(k)) {
+        if (typeof v === "string") {
+          out[k] = `[redacted len=${v.length}]`;
+        } else if (Array.isArray(v)) {
+          out[k] = `[redacted array len=${v.length}]`;
+        } else {
+          out[k] = "[redacted]";
+        }
+      } else {
+        out[k] = sanitize(v);
+      }
+    }
+    return out;
+  }
+  return value;
+};
+var withClaudeLogContext = (context, fn) => {
+  return contextStore.run(context, fn);
+};
+var claudeLog = (event, extra) => {
+  if (!shouldLog())
+    return;
+  if (isVerboseStreamEvent(event) && !shouldLogStreamDebug())
+    return;
+  const context = contextStore.getStore() || {};
+  const payload = sanitize({ ts: new Date().toISOString(), event, ...context, ...extra || {} });
+  console.debug(`[opencode-claude-code-provider] ${JSON.stringify(payload)}`);
+};
+
+// src/proxy/tokenRefresh.ts
+var execFile = promisify(execFileCb);
+var OAUTH_TOKEN_URL = "https://platform.claude.com/v1/oauth/token";
+var OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+var KEYCHAIN_SERVICE = "Claude Code-credentials";
+var CREDENTIALS_FILE = `${homedir()}/.claude/.credentials.json`;
+function parseKeychainValue(raw) {
+  const trimmed = raw.trim();
+  try {
+    return { credentials: JSON.parse(trimmed), wasHex: false };
+  } catch {}
+  try {
+    const decoded = Buffer.from(trimmed, "hex").toString("utf-8");
+    return { credentials: JSON.parse(decoded), wasHex: true };
+  } catch {}
+  return null;
+}
+var keychainWasHex = false;
+var macosStore = {
+  async read() {
+    try {
+      const { stdout } = await execFile("/usr/bin/security", ["find-generic-password", "-s", KEYCHAIN_SERVICE, "-a", userInfo().username, "-w"], { timeout: 5000 });
+      const parsed = parseKeychainValue(stdout);
+      if (!parsed)
+        throw new Error("Could not parse keychain value as JSON or hex-encoded JSON");
+      keychainWasHex = parsed.wasHex;
+      return parsed.credentials;
+    } catch (err) {
+      claudeLog("token_refresh.keychain_read_failed", { error: String(err) });
+      return null;
+    }
+  },
+  async write(credentials) {
+    const json = JSON.stringify(credentials, null, 2);
+    const value = keychainWasHex ? Buffer.from(json).toString("hex") : json;
+    try {
+      await execFile("/usr/bin/security", ["add-generic-password", "-U", "-s", KEYCHAIN_SERVICE, "-a", userInfo().username, "-w", value], { timeout: 5000 });
+      return true;
+    } catch (err) {
+      claudeLog("token_refresh.keychain_write_failed", { error: String(err) });
+      return false;
+    }
+  }
+};
+var fileStore = {
+  async read() {
+    try {
+      if (!existsSync(CREDENTIALS_FILE))
+        return null;
+      return JSON.parse(readFileSync(CREDENTIALS_FILE, "utf-8"));
+    } catch (err) {
+      claudeLog("token_refresh.file_read_failed", { error: String(err) });
+      return null;
+    }
+  },
+  async write(credentials) {
+    try {
+      writeFileSync(CREDENTIALS_FILE, JSON.stringify(credentials, null, 2), "utf-8");
+      return true;
+    } catch (err) {
+      claudeLog("token_refresh.file_write_failed", { error: String(err) });
+      return false;
+    }
+  }
+};
+function createPlatformCredentialStore() {
+  return platform() === "darwin" ? macosStore : fileStore;
+}
+var inflightRefresh = null;
+async function refreshOAuthToken(store) {
+  if (inflightRefresh)
+    return inflightRefresh;
+  inflightRefresh = doRefresh(store ?? createPlatformCredentialStore()).finally(() => {
+    inflightRefresh = null;
+  });
+  return inflightRefresh;
+}
+async function doRefresh(store) {
+  const credentials = await store.read();
+  if (!credentials) {
+    claudeLog("token_refresh.no_credentials", {});
+    return false;
+  }
+  const { refreshToken } = credentials.claudeAiOauth;
+  if (!refreshToken) {
+    claudeLog("token_refresh.no_refresh_token", {});
+    return false;
+  }
+  let response;
+  try {
+    response = await fetch(OAUTH_TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "refresh_token",
+        client_id: OAUTH_CLIENT_ID,
+        refresh_token: refreshToken
+      }),
+      signal: AbortSignal.timeout(15000)
+    });
+  } catch (err) {
+    claudeLog("token_refresh.request_failed", { error: String(err) });
+    return false;
+  }
+  if (!response.ok) {
+    const body = await response.text().catch(() => "");
+    claudeLog("token_refresh.bad_response", { status: response.status, body });
+    return false;
+  }
+  let tokenData;
+  try {
+    tokenData = await response.json();
+  } catch (err) {
+    claudeLog("token_refresh.parse_failed", { error: String(err) });
+    return false;
+  }
+  const now = Date.now();
+  const expiresAt = tokenData.expires_at ?? (tokenData.expires_in ? now + tokenData.expires_in * 1000 : now + 8 * 60 * 60 * 1000);
+  credentials.claudeAiOauth = {
+    ...credentials.claudeAiOauth,
+    accessToken: tokenData.access_token,
+    refreshToken: tokenData.refresh_token ?? refreshToken,
+    expiresAt
+  };
+  const written = await store.write(credentials);
+  if (!written)
+    return false;
+  claudeLog("token_refresh.success", { expiresAt });
+  return true;
+}
+function resetInflightRefresh() {
+  inflightRefresh = null;
+}
+
+export { __export, __require, withClaudeLogContext, claudeLog, createPlatformCredentialStore, refreshOAuthToken, resetInflightRefresh };

package/dist/cli.js

@@ -1,8 +1,10 @@
 #!/usr/bin/env node
 import {
-  __require,
   startProxyServer
-} from "./cli-bjpad5x9.js";
+} from "./cli-9pc43rfa.js";
+import {
+  __require
+} from "./cli-jd4atcxs.js";
 
 // bin/cli.ts
 import { createRequire } from "module";
@@ -20,7 +22,11 @@ if (args.includes("--help") || args.includes("-h")) {
 
 Local Anthropic API powered by your Claude Max subscription.
 
-Usage: meridian [options]
+Usage: meridian [command] [options]
+
+Commands:
+  (default)        Start the proxy server
+  refresh-token    Refresh the Claude Code OAuth token
 
 Options:
   -v, --version   Show version
@@ -35,6 +41,17 @@ Environment variables:
 See https://github.com/rynfar/meridian for full documentation.`);
   process.exit(0);
 }
+if (args[0] === "refresh-token") {
+  const { refreshOAuthToken } = await import("./tokenRefresh-wzn2bvrq.js");
+  const success = await refreshOAuthToken();
+  if (success) {
+    console.log("Token refreshed successfully");
+    process.exit(0);
+  } else {
+    console.error("Token refresh failed. If the problem persists, run: claude login");
+    process.exit(1);
+  }
+}
 var exec = promisify(execCallback);
 process.on("uncaughtException", (err) => {
   console.error(`[PROXY] Uncaught exception (recovered): ${err.message}`);

package/dist/proxy/errors.d.ts

@@ -11,6 +11,16 @@ export interface ClassifiedError {
  * Detect specific SDK errors and return helpful messages to the client.
  */
 export declare function classifyError(errMsg: string): ClassifiedError;
+/**
+ * Detect errors caused by an expired or missing OAuth access token.
+ * Triggers an inline token refresh + retry in server.ts.
+ *
+ * Two distinct messages from the Claude Code CLI:
+ *   - "OAuth token has expired" — CLI sent the token, Anthropic API rejected it
+ *   - "Not logged in"           — CLI checked expiresAt locally and refused to try
+ * Both are resolved by refreshing the token.
+ */
+export declare function isExpiredTokenError(errMsg: string): boolean;
 /**
  * Detect errors caused by stale session/message UUIDs.
  * These happen when the upstream Claude session no longer contains
@@ -22,4 +32,10 @@ export declare function isStaleSessionError(error: unknown): boolean;
  * Used by server.ts to decide whether to retry with a smaller context window.
  */
 export declare function isRateLimitError(errMsg: string): boolean;
+/**
+ * Detect errors caused by the 1M context window requiring Extra Usage.
+ * Max subscribers without Extra Usage enabled get this error when using
+ * sonnet[1m] or opus[1m]. The fix is to fall back to the base model.
+ */
+export declare function isExtraUsageRequiredError(errMsg: string): boolean;
 //# sourceMappingURL=errors.d.ts.map

package/dist/proxy/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/proxy/errors.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,CAmG7D;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAG3D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAGxD"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/proxy/errors.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,CA+G7D;AAED;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAG3D;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAG3D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAGxD;AAED;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAGjE"}

package/dist/proxy/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/proxy/server.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AACtE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,CAAA;AAiBvD,OAAO,EACL,kBAAkB,EAClB,WAAW,EACX,oBAAoB,EACpB,KAAK,aAAa,EACnB,MAAM,mBAAmB,CAAA;AAG1B,OAAO,EAA+B,iBAAiB,EAAE,mBAAmB,EAAgB,MAAM,iBAAiB,CAAA;AAEnH,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,oBAAoB,EAAE,CAAA;AAChE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,CAAA;AACjD,YAAY,EAAE,aAAa,EAAE,CAAA;AAyF7B,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,OAAO,CAAC,WAAW,CAAM,GAAG,WAAW,CAosChF;AAED,wBAAsB,gBAAgB,CAAC,MAAM,GAAE,OAAO,CAAC,WAAW,CAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CA0ChG"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/proxy/server.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AACtE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,CAAA;AAkBvD,OAAO,EACL,kBAAkB,EAClB,WAAW,EACX,oBAAoB,EACpB,KAAK,aAAa,EACnB,MAAM,mBAAmB,CAAA;AAG1B,OAAO,EAA+B,iBAAiB,EAAE,mBAAmB,EAAgB,MAAM,iBAAiB,CAAA;AAEnH,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,oBAAoB,EAAE,CAAA;AAChE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,CAAA;AACjD,YAAY,EAAE,aAAa,EAAE,CAAA;AAyF7B,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,OAAO,CAAC,WAAW,CAAM,GAAG,WAAW,CAqwChF;AAED,wBAAsB,gBAAgB,CAAC,MAAM,GAAE,OAAO,CAAC,WAAW,CAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CA0ChG"}

package/dist/proxy/tokenRefresh.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Cross-platform OAuth token refresh for Claude Code credentials.
+ *
+ * Storage backends:
+ *   macOS  — system Keychain via /usr/bin/security (no prompt — pre-authorised)
+ *   Linux  — ~/.claude/.credentials.json
+ *
+ * The credential store is dependency-injectable for testing. Production code
+ * uses createPlatformCredentialStore() which picks the right backend
+ * automatically.
+ *
+ * Concurrent calls to refreshOAuthToken() are deduplicated: if a refresh is
+ * already in flight, subsequent callers wait for the same promise rather than
+ * issuing a second network request and racing on the write.
+ */
+interface OAuthCredentials {
+    accessToken: string;
+    refreshToken: string;
+    expiresAt: number;
+    scopes?: string[];
+    subscriptionType?: string;
+    rateLimitTier?: string;
+}
+interface CredentialsFile {
+    claudeAiOauth: OAuthCredentials;
+    [key: string]: unknown;
+}
+export interface CredentialStore {
+    read(): Promise<CredentialsFile | null>;
+    write(credentials: CredentialsFile): Promise<boolean>;
+}
+/**
+ * Returns the appropriate credential store for the current platform.
+ */
+export declare function createPlatformCredentialStore(): CredentialStore;
+/**
+ * Refresh the Claude Code OAuth access token.
+ *
+ * Reads the stored refresh token, exchanges it for a new access token via
+ * Anthropic's OAuth endpoint, and writes the updated credentials back.
+ *
+ * Returns true on success, false on any failure. Concurrent calls share one
+ * in-flight request so only one network round-trip is made.
+ *
+ * @param store  Override the credential store (for testing).
+ */
+export declare function refreshOAuthToken(store?: CredentialStore): Promise<boolean>;
+/** Reset in-flight state — for testing only. */
+export declare function resetInflightRefresh(): void;
+export {};
+//# sourceMappingURL=tokenRefresh.d.ts.map

package/dist/proxy/tokenRefresh.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tokenRefresh.d.ts","sourceRoot":"","sources":["../../src/proxy/tokenRefresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAeH,UAAU,gBAAgB;IACxB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,UAAU,eAAe;IACvB,aAAa,EAAE,gBAAgB,CAAA;IAC/B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB;AAMD,MAAM,WAAW,eAAe;IAC9B,IAAI,IAAI,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAA;IACvC,KAAK,CAAC,WAAW,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CACtD;AA2FD;;GAEG;AACH,wBAAgB,6BAA6B,IAAI,eAAe,CAE/D;AASD;;;;;;;;;;GAUG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CAQjF;AAiED,gDAAgD;AAChD,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C"}

package/dist/server.js

@@ -6,7 +6,8 @@ import {
   getMaxSessionsLimit,
   hashMessage,
   startProxyServer
-} from "./cli-bjpad5x9.js";
+} from "./cli-9pc43rfa.js";
+import"./cli-jd4atcxs.js";
 export {
   startProxyServer,
   hashMessage,

package/dist/tokenRefresh-wzn2bvrq.js

@@ -0,0 +1,10 @@
+import {
+  createPlatformCredentialStore,
+  refreshOAuthToken,
+  resetInflightRefresh
+} from "./cli-jd4atcxs.js";
+export {
+  resetInflightRefresh,
+  refreshOAuthToken,
+  createPlatformCredentialStore
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rynfar/meridian",
-  "version": "1.24.1",
+  "version": "1.24.5",
   "description": "Local Anthropic API powered by your Claude Max subscription. One subscription, every agent.",
   "type": "module",
   "main": "./dist/server.js",
@@ -24,7 +24,7 @@
     "build": "rm -rf dist && bun build bin/cli.ts src/proxy/server.ts --outdir dist --target node --splitting --external @anthropic-ai/claude-agent-sdk --entry-naming '[name].js' && tsc -p tsconfig.build.json",
     "postbuild": "node --check dist/cli.js && node --check dist/server.js && test -f dist/proxy/server.d.ts",
     "prepublishOnly": "bun run build",
-    "test": "bun test --path-ignore-patterns '**/*session-store*' && bun test src/__tests__/proxy-session-store.test.ts && bun test src/__tests__/session-store-pruning.test.ts && bun test src/__tests__/proxy-session-store-locking.test.ts",
+    "test": "bun test --path-ignore-patterns '**/*session-store*' --path-ignore-patterns '**/*proxy-async-ops*' --path-ignore-patterns '**/*proxy-extra-usage-fallback*' && bun test src/__tests__/proxy-extra-usage-fallback.test.ts && bun test src/__tests__/proxy-async-ops.test.ts && bun test src/__tests__/proxy-session-store.test.ts && bun test src/__tests__/session-store-pruning.test.ts && bun test src/__tests__/proxy-session-store-locking.test.ts",
     "typecheck": "tsc --noEmit",
     "proxy:direct": "bun run ./bin/cli.ts"
   },