@rynfar/meridian 1.41.1 → 1.42.0

package/README.md

@@ -239,6 +239,20 @@ meridian profile add work
 
 > **⚠ Important:** Claude's OAuth reuses your browser session. Before adding a second account, sign out of claude.ai and sign into the other account first.
 
+#### Headless / CI: register an OAuth token
+
+When a browser isn't available (containers, CI runners, remote shells), generate a long-lived OAuth token with `claude setup-token` and register it as a profile:
+
+```bash
+# Prompt for the token (input is hidden — paste the value from `claude setup-token`)
+meridian profile add ci --oauth-token
+
+# Or pass it inline
+meridian profile add ci --oauth-token sk-ant-oat01-...
+```
+
+OAuth-token profiles store the token in `profiles.json` and feed it to the SDK via `CLAUDE_CODE_OAUTH_TOKEN` — no Keychain entry, no browser handshake. To prevent the SDK's 401-recovery from silently falling back to the host's `~/.claude` credentials, OAuth-token profiles also pin `CLAUDE_CONFIG_DIR` to an isolated per-profile directory under `~/.config/meridian/profiles/<name>/`. That directory holds only SDK state (sessions, settings) — never `.credentials.json`, since the token is delivered through the env.
+
 ### Switching profiles
 
 ```bash
@@ -256,14 +270,15 @@ You can also switch profiles from the web UI at `http://127.0.0.1:3456/profiles`
 | Command | Description |
 |---------|-------------|
 | `meridian profile add <name>` | Add a profile and authenticate via browser |
+| `meridian profile add <name> --oauth-token [TOKEN]` | Add a headless profile from a `claude setup-token` value (prompts when `TOKEN` is omitted) |
 | `meridian profile list` | List profiles and auth status |
 | `meridian profile switch <name>` | Switch the active profile (requires running proxy) |
-| `meridian profile login <name>` | Re-authenticate an expired profile |
+| `meridian profile login <name>` | Re-authenticate an expired profile (browser-login profiles only) |
 | `meridian profile remove <name>` | Remove a profile and its credentials |
 
 ### How it works
 
-Each profile stores its credentials in an isolated `CLAUDE_CONFIG_DIR` under `~/.config/meridian/profiles/<name>/`. When a request arrives, Meridian resolves the profile in priority order:
+Each profile stores its credentials in an isolated `CLAUDE_CONFIG_DIR` under `~/.config/meridian/profiles/<name>/`. OAuth-token profiles use the same isolated directory layout — but the token itself lives in `~/.config/meridian/profiles.json` and is fed to the SDK via `CLAUDE_CODE_OAUTH_TOKEN`, so the per-profile dir holds only SDK state (sessions, settings) and never the credential. When a request arrives, Meridian resolves the profile in priority order:
 
 1. `x-meridian-profile` request header (per-request override)
 2. Active profile (set via `meridian profile switch` or the web UI)
@@ -276,11 +291,21 @@ Session state is scoped per profile — switching accounts won't cross-contamina
 For advanced setups (CI, Docker), profiles can also be provided via environment variable:
 
 ```bash
-export MERIDIAN_PROFILES='[{"id":"personal","claudeConfigDir":"/path/to/config1"},{"id":"work","claudeConfigDir":"/path/to/config2"}]'
+export MERIDIAN_PROFILES='[
+  {"id":"personal","claudeConfigDir":"/path/to/config1"},
+  {"id":"work","claudeConfigDir":"/path/to/config2"},
+  {"id":"ci","oauthToken":"sk-ant-oat01-..."}
+]'
 export MERIDIAN_DEFAULT_PROFILE=personal
 meridian
 ```
 
+Profile shapes:
+
+- `claudeConfigDir` — points at a `~/.claude`-style directory; uses Claude Max OAuth from that dir
+- `apiKey` (with optional `baseUrl`) — direct Anthropic API access; sets `ANTHROPIC_API_KEY` / `ANTHROPIC_BASE_URL`
+- `oauthToken` — long-lived token from `claude setup-token`; sets `CLAUDE_CODE_OAUTH_TOKEN`, no config dir needed
+
 When `MERIDIAN_PROFILES` is set, it takes precedence over disk-configured profiles. When unset, Meridian auto-discovers profiles from `~/.config/meridian/profiles.json` on each request.
 
 ## Agent Setup
@@ -710,9 +735,10 @@ export default {
 | `meridian` | Start the proxy server |
 | `meridian setup` | Configure the OpenCode plugin in `~/.config/opencode/opencode.json` |
 | `meridian profile add <name>` | Add a profile and authenticate via browser |
+| `meridian profile add <name> --oauth-token [TOKEN]` | Add a headless profile from a `claude setup-token` value (prompts when `TOKEN` is omitted) |
 | `meridian profile list` | List all profiles and their auth status |
 | `meridian profile switch <name>` | Switch the active profile (requires running proxy) |
-| `meridian profile login <name>` | Re-authenticate an expired profile |
+| `meridian profile login <name>` | Re-authenticate an expired profile (browser-login profiles only) |
 | `meridian profile remove <name>` | Remove a profile and its credentials |
 | `meridian refresh-token` | Manually refresh the Claude OAuth token (exits 0/1) |
 
@@ -767,6 +793,19 @@ docker run \
 
 Switch profiles at runtime via the `x-meridian-profile` header or `meridian profile switch` (see [Multi-Profile Support](#multi-profile-support)).
 
+### OAuth-token profiles in Docker (no volume mount)
+
+If you'd rather not mount a credential directory, generate a long-lived OAuth token on the host with `claude setup-token` and pass it as a profile. There's nothing to mount — the token alone is the credential:
+
+```bash
+docker run \
+  -e 'MERIDIAN_PROFILES=[{"id":"ci","oauthToken":"sk-ant-oat01-..."}]' \
+  -e MERIDIAN_DEFAULT_PROFILE=ci \
+  -p 3456:3456 meridian
+```
+
+This is the recommended path for CI runners, ephemeral containers, and cross-host deployments where browser-based login isn't reachable. Treat the token like any other secret — inject it via your platform's secret store rather than committing it to your image or compose file.
+
 ## Testing
 
 ```bash

package/dist/{cli-e289rj3k.js → cli-7k1fcprd.js}

@@ -229,8 +229,71 @@ async function doRefresh(store) {
   claudeLog("token_refresh.success", { expiresAt });
   return true;
 }
+async function ensureFreshToken(store, bufferMs = 5 * 60 * 1000) {
+  const s = store ?? createPlatformCredentialStore();
+  const credentials = await s.read();
+  const expiresAt = credentials?.claudeAiOauth?.expiresAt;
+  if (!expiresAt)
+    return false;
+  if (expiresAt - Date.now() > bufferMs)
+    return true;
+  return refreshOAuthToken(s);
+}
+var scheduledRefreshTimer = null;
+var scheduledRefreshActive = false;
+var scheduledRefreshGeneration = 0;
+function startBackgroundRefresh(store, bufferMs = 5 * 60 * 1000, failureRetryMs = 5 * 60 * 1000) {
+  if (scheduledRefreshActive)
+    return;
+  scheduledRefreshActive = true;
+  const gen = ++scheduledRefreshGeneration;
+  scheduleNext(store ?? createPlatformCredentialStore(), bufferMs, failureRetryMs, gen);
+}
+function stopBackgroundRefresh() {
+  scheduledRefreshActive = false;
+  scheduledRefreshGeneration++;
+  if (scheduledRefreshTimer)
+    clearTimeout(scheduledRefreshTimer);
+  scheduledRefreshTimer = null;
+}
+async function scheduleNext(store, bufferMs, failureRetryMs, gen) {
+  if (!scheduledRefreshActive || gen !== scheduledRefreshGeneration)
+    return;
+  const credentials = await store.read().catch(() => null);
+  if (!scheduledRefreshActive || gen !== scheduledRefreshGeneration)
+    return;
+  const expiresAt = credentials?.claudeAiOauth?.expiresAt;
+  if (!expiresAt) {
+    armTimer(failureRetryMs, store, bufferMs, failureRetryMs, gen);
+    return;
+  }
+  const dueIn = expiresAt - Date.now() - bufferMs;
+  if (dueIn <= 0) {
+    const ok = await refreshOAuthToken(store);
+    if (!scheduledRefreshActive || gen !== scheduledRefreshGeneration)
+      return;
+    claudeLog("token_refresh.scheduled", { ok, immediate: true });
+    console.error(`[token_refresh] scheduled refresh (immediate) ok=${ok}`);
+    armTimer(ok ? 0 : failureRetryMs, store, bufferMs, failureRetryMs, gen);
+    return;
+  }
+  armTimer(dueIn, store, bufferMs, failureRetryMs, gen);
+}
+function armTimer(delayMs, store, bufferMs, failureRetryMs, gen) {
+  scheduledRefreshTimer = setTimeout(async () => {
+    if (!scheduledRefreshActive || gen !== scheduledRefreshGeneration)
+      return;
+    scheduleNext(store, bufferMs, failureRetryMs, gen);
+  }, delayMs);
+  if (scheduledRefreshTimer && scheduledRefreshTimer.unref) {
+    scheduledRefreshTimer.unref();
+  }
+}
+function isBackgroundRefreshActive() {
+  return scheduledRefreshActive;
+}
 function resetInflightRefresh() {
   inflightRefresh = null;
 }
 
-export { withClaudeLogContext, claudeLog, configDirToKeychainService, configDirToCredentialsFile, serializeCredentials, createPlatformCredentialStore, credentialsFilePathForProfile, refreshOAuthToken, resetInflightRefresh };
+export { withClaudeLogContext, claudeLog, configDirToKeychainService, configDirToCredentialsFile, serializeCredentials, createPlatformCredentialStore, credentialsFilePathForProfile, refreshOAuthToken, ensureFreshToken, startBackgroundRefresh, stopBackgroundRefresh, isBackgroundRefreshActive, resetInflightRefresh };

package/dist/{cli-vdp9s10c.js → cli-cx463q74.js}

@@ -86,6 +86,14 @@ function resolveProfile(profiles, defaultProfile, requestedId) {
   return buildResolvedProfile(profile);
 }
 function buildResolvedProfile(profile) {
+  if (profile.oauthToken || profile.type === "oauth-token") {
+    const env2 = {};
+    if (profile.oauthToken) {
+      env2.CLAUDE_CODE_OAUTH_TOKEN = profile.oauthToken;
+      env2.CLAUDE_CONFIG_DIR = join(homedir(), ".config", "meridian", "profiles", profile.id);
+    }
+    return { id: profile.id, type: "oauth-token", env: env2 };
+  }
   const type = profile.type ?? "claude-max";
   if (type === "api") {
     const env2 = {};

package/dist/{cli-51a9sav0.js → cli-kvwnarfk.js}

@@ -5,7 +5,7 @@ import {
   resolveProfile,
   restoreActiveProfile,
   setActiveProfile
-} from "./cli-vdp9s10c.js";
+} from "./cli-cx463q74.js";
 import {
   isTrackedPlugin,
   recordError,
@@ -26,9 +26,12 @@ import {
 import {
   claudeLog,
   createPlatformCredentialStore,
+  ensureFreshToken,
   refreshOAuthToken,
+  startBackgroundRefresh,
+  stopBackgroundRefresh,
   withClaudeLogContext
-} from "./cli-e289rj3k.js";
+} from "./cli-7k1fcprd.js";
 import {
   __commonJS,
   __esm,
@@ -1178,12 +1181,12 @@ __export(exports_sdkFeatures, {
   getFeaturesForAdapter: () => getFeaturesForAdapter,
   getAllFeatureConfigs: () => getAllFeatureConfigs
 });
-import { existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2, renameSync as renameSync2 } from "node:fs";
+import { existsSync as existsSync6, mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2, renameSync as renameSync2 } from "node:fs";
 import { join as join5 } from "node:path";
 import { homedir as homedir3 } from "node:os";
 function getConfigPath() {
   const dir = join5(homedir3(), ".config", "meridian");
-  if (!existsSync5(dir))
+  if (!existsSync6(dir))
     mkdirSync2(dir, { recursive: true });
   return join5(dir, "sdk-features.json");
 }
@@ -1193,7 +1196,7 @@ function readConfig() {
     return cachedConfig;
   const path3 = getConfigPath();
   try {
-    if (existsSync5(path3)) {
+    if (existsSync6(path3)) {
       cachedConfig = JSON.parse(readFileSync4(path3, "utf-8"));
     } else {
       cachedConfig = {};
@@ -3788,8 +3791,8 @@ async function readAccessToken(store) {
   const creds = await store.read();
   return creds?.claudeAiOauth?.accessToken ?? null;
 }
-async function callAnthropic(token, signal) {
-  const res = await fetch(OAUTH_USAGE_URL, {
+async function callAnthropic(token, fetchImpl, signal) {
+  const res = await fetchImpl(OAUTH_USAGE_URL, {
     headers: {
       Authorization: `Bearer ${token}`,
       "anthropic-beta": OAUTH_BETA_HEADER,
@@ -3801,9 +3804,17 @@ async function callAnthropic(token, signal) {
     return { __status: res.status };
   return await res.json();
 }
+var _testOverride = null;
 async function fetchOAuthUsage(opts) {
+  if (_testOverride && !opts?.fetchImpl && !opts?.store) {
+    return _testOverride(opts);
+  }
+  return fetchOAuthUsageImpl(opts);
+}
+async function fetchOAuthUsageImpl(opts) {
   const ttl = opts?.ttlMs ?? CACHE_TTL_MS_DEFAULT;
   const cacheKey2 = opts?.profileId ?? DEFAULT_KEY;
+  const fetchImpl = opts?.fetchImpl ?? globalThis.fetch;
   if (!opts?.force) {
     const cached = cacheByProfile.get(cacheKey2);
     if (cached && Date.now() - cached.fetchedAt < ttl)
@@ -3818,7 +3829,7 @@ async function fetchOAuthUsage(opts) {
       const token = await readAccessToken(store);
       if (!token)
         return null;
-      let result = await callAnthropic(token);
+      let result = await callAnthropic(token, fetchImpl);
       if ("__status" in result && result.__status === 401) {
         claudeLog("oauth_usage.token_refresh_attempt", { profile: cacheKey2 });
         const refreshed = await refreshOAuthToken(store);
@@ -3829,7 +3840,7 @@ async function fetchOAuthUsage(opts) {
         const newToken = await readAccessToken(store);
         if (!newToken)
           return null;
-        result = await callAnthropic(newToken);
+        result = await callAnthropic(newToken, fetchImpl);
       }
       if ("__status" in result) {
         claudeLog("oauth_usage.upstream_error", { profile: cacheKey2, status: result.__status });
@@ -3849,6 +3860,17 @@ async function fetchOAuthUsage(opts) {
   return promise;
 }
 
+// src/proxy/cwd.ts
+import { existsSync } from "node:fs";
+function resolveSdkWorkingDirectory(opts) {
+  const exists = opts.exists ?? existsSync;
+  const claimed = opts.envOverride || opts.adapterCwd || opts.fallback;
+  if (exists(claimed)) {
+    return { workingDirectory: claimed, claimedWorkingDirectory: claimed, fellBack: false };
+  }
+  return { workingDirectory: opts.fallback, claimedWorkingDirectory: claimed, fellBack: true };
+}
+
 // src/proxy/types.ts
 var DEFAULT_PROXY_CONFIG = {
   port: 3456,
@@ -8447,7 +8469,7 @@ class MemoryDiagnosticLogStore {
 }
 var diagnosticLog = new MemoryDiagnosticLogStore;
 // src/telemetry/routes.ts
-import { existsSync, readFileSync } from "node:fs";
+import { existsSync as existsSync2, readFileSync } from "node:fs";
 import { resolve, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 
@@ -8801,7 +8823,7 @@ timer = setInterval(refresh, 5000);
 
 // src/telemetry/routes.ts
 var _iconPath = resolve(dirname(fileURLToPath(import.meta.url)), "..", "..", "assets", "icon.svg");
-var _iconSvg = existsSync(_iconPath) ? readFileSync(_iconPath, "utf-8") : null;
+var _iconSvg = existsSync2(_iconPath) ? readFileSync(_iconPath, "utf-8") : null;
 function createTelemetryRoutes() {
   const routes = new Hono2;
   routes.get("/", (c) => {
@@ -9139,7 +9161,13 @@ function classifyError(errMsg) {
 }
 function isExpiredTokenError(errMsg) {
   const lower = errMsg.toLowerCase();
-  return lower.includes("oauth token has expired") || lower.includes("not logged in");
+  if (lower.includes("oauth token has expired") || lower.includes("not logged in"))
+    return true;
+  if (lower.includes("invalid_token") || lower.includes("token_expired"))
+    return true;
+  if (lower.includes("401") && (lower.includes("authentication") || lower.includes("unauthorized") || lower.includes("invalid")))
+    return true;
+  return false;
 }
 function isStaleSessionError(error) {
   if (!(error instanceof Error))
@@ -9234,7 +9262,7 @@ function formatSdkTermination(t, ctx) {
 
 // src/proxy/models.ts
 import { exec as execCallback } from "child_process";
-import { existsSync as existsSync2, statSync } from "fs";
+import { existsSync as existsSync3, statSync } from "fs";
 import { fileURLToPath as fileURLToPath2 } from "url";
 import { join as join2, dirname as dirname2 } from "path";
 import { promisify } from "util";
@@ -9243,11 +9271,11 @@ var STUB_SIZE_THRESHOLD = 4096;
 var CANONICAL_OPUS_MODEL = "claude-opus-4-7";
 var CANONICAL_SONNET_MODEL = "claude-sonnet-4-6";
 var CANONICAL_HAIKU_MODEL = "claude-haiku-4-5";
-function resolveSdkModelDefaults() {
+function resolveSdkModelDefaults(env2 = process.env) {
   return {
-    ANTHROPIC_DEFAULT_OPUS_MODEL: process.env.MERIDIAN_DEFAULT_OPUS_MODEL ?? CANONICAL_OPUS_MODEL,
-    ANTHROPIC_DEFAULT_SONNET_MODEL: process.env.MERIDIAN_DEFAULT_SONNET_MODEL ?? CANONICAL_SONNET_MODEL,
-    ANTHROPIC_DEFAULT_HAIKU_MODEL: process.env.MERIDIAN_DEFAULT_HAIKU_MODEL ?? CANONICAL_HAIKU_MODEL
+    ANTHROPIC_DEFAULT_OPUS_MODEL: env2.MERIDIAN_DEFAULT_OPUS_MODEL ?? CANONICAL_OPUS_MODEL,
+    ANTHROPIC_DEFAULT_SONNET_MODEL: env2.MERIDIAN_DEFAULT_SONNET_MODEL ?? CANONICAL_SONNET_MODEL,
+    ANTHROPIC_DEFAULT_HAIKU_MODEL: env2.MERIDIAN_DEFAULT_HAIKU_MODEL ?? CANONICAL_HAIKU_MODEL
   };
 }
 var AUTH_STATUS_CACHE_TTL_MS = 60000;
@@ -9377,10 +9405,10 @@ async function getClaudeAuthStatusAsync(profileId, envOverrides) {
       cachedAuthStatusPromise = null;
   }
 }
-var cachedClaudePath = null;
+var cachedClaudeInfo = null;
 var cachedClaudePathPromise = null;
 var DEFAULT_DEPS = {
-  existsSync: existsSync2,
+  existsSync: existsSync3,
   statSync: (p) => statSync(p),
   exec,
   resolvePackage: (specifier) => fileURLToPath2(import.meta.resolve(specifier)),
@@ -9450,19 +9478,37 @@ function tryLegacySdkCliJs(deps) {
     return null;
   }
 }
-async function resolveClaudeExecutable(deps = DEFAULT_DEPS) {
-  return tryEnvOverride(deps) ?? tryBundledBinary(deps) ?? tryPlatformPackage(deps) ?? await tryPathLookup(deps) ?? tryLegacySdkCliJs(deps);
+async function resolveClaudeExecutableWithSource(deps = DEFAULT_DEPS) {
+  const env2 = tryEnvOverride(deps);
+  if (env2)
+    return { path: env2, source: "env" };
+  const bundled = tryBundledBinary(deps);
+  if (bundled)
+    return { path: bundled, source: "bundled" };
+  const platformPkg = tryPlatformPackage(deps);
+  if (platformPkg)
+    return { path: platformPkg, source: "platform-package" };
+  const pathLookup = await tryPathLookup(deps);
+  if (pathLookup)
+    return { path: pathLookup, source: "path-lookup" };
+  const legacy = tryLegacySdkCliJs(deps);
+  if (legacy)
+    return { path: legacy, source: "legacy-cli-js" };
+  return null;
+}
+function getResolvedClaudeExecutableInfo() {
+  return cachedClaudeInfo;
 }
 async function resolveClaudeExecutableAsync() {
-  if (cachedClaudePath)
-    return cachedClaudePath;
+  if (cachedClaudeInfo)
+    return cachedClaudeInfo.path;
   if (cachedClaudePathPromise)
     return cachedClaudePathPromise;
   cachedClaudePathPromise = (async () => {
-    const resolved = await resolveClaudeExecutable();
+    const resolved = await resolveClaudeExecutableWithSource();
     if (resolved) {
-      cachedClaudePath = resolved;
-      return resolved;
+      cachedClaudeInfo = resolved;
+      return resolved.path;
     }
     throw new Error("Could not find Claude Code executable. Install via: npm install -g @anthropic-ai/claude-code, " + "or set MERIDIAN_CLAUDE_PATH=/path/to/claude to point at an existing binary.");
   })();
@@ -16686,6 +16732,8 @@ function createOpencodeMcpServer() {
 function stripConfigDir(env2) {
   if (!("CLAUDE_CONFIG_DIR" in env2))
     return env2;
+  if (env2.CLAUDE_CODE_OAUTH_TOKEN)
+    return env2;
   const out = { ...env2 };
   delete out.CLAUDE_CONFIG_DIR;
   return out;
@@ -16830,8 +16878,9 @@ function getAdapterTransforms(adapterName) {
 }
 
 // src/proxy/plugins/loader.ts
-import { readdirSync as readdirSync2, readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
+import { readdirSync as readdirSync2, readFileSync as readFileSync2, existsSync as existsSync4 } from "fs";
 import { join as join3, isAbsolute as isAbsolute2, extname } from "path";
+import { pathToFileURL } from "url";
 
 // src/proxy/plugins/validation.ts
 var KNOWN_ADAPTERS = ["opencode", "crush", "droid", "pi", "forgecode", "passthrough"];
@@ -16871,7 +16920,7 @@ function validateTransform(exported) {
 // src/proxy/plugins/loader.ts
 var loadCounter = 0;
 function parsePluginConfig(configPath) {
-  if (!existsSync3(configPath))
+  if (!existsSync4(configPath))
     return [];
   try {
     const raw2 = readFileSync2(configPath, "utf-8");
@@ -16884,7 +16933,7 @@ function parsePluginConfig(configPath) {
 async function loadPlugins(pluginDir, configPath) {
   resetAllPluginStats();
   const config = configPath ? parsePluginConfig(configPath) : [];
-  const pluginDirExists = existsSync3(pluginDir);
+  const pluginDirExists = existsSync4(pluginDir);
   let filenames = [];
   if (pluginDirExists) {
     try {
@@ -16928,7 +16977,8 @@ async function loadPlugins(pluginDir, configPath) {
     }
     try {
       const cacheBuster = `?t=${Date.now()}-${++loadCounter}`;
-      const mod = await import(filePath + cacheBuster);
+      const specifier = process.platform === "win32" ? pathToFileURL(filePath).href + cacheBuster : filePath + cacheBuster;
+      const mod = await import(specifier);
       const exported = mod.default ?? mod;
       const transforms = Array.isArray(exported) ? exported : [exported];
       for (const item of transforms) {
@@ -17286,7 +17336,7 @@ function verifyLineage(cached, messages, cacheKey2, cache) {
 // src/proxy/sessionStore.ts
 import {
   closeSync,
-  existsSync as existsSync4,
+  existsSync as existsSync5,
   mkdirSync,
   openSync,
   readFileSync as readFileSync3,
@@ -17344,7 +17394,7 @@ var sessionDirOverride = null;
 var skipLocking = false;
 function getStorePath() {
   const dir = sessionDirOverride || process.env.MERIDIAN_SESSION_DIR || process.env.CLAUDE_PROXY_SESSION_DIR || getDefaultCacheDir();
-  if (!existsSync4(dir)) {
+  if (!existsSync5(dir)) {
     mkdirSync(dir, { recursive: true });
   }
   return join4(dir, "sessions.json");
@@ -17352,9 +17402,9 @@ function getStorePath() {
 function getDefaultCacheDir() {
   const newDir = join4(homedir2(), ".cache", "meridian");
   const oldDir = join4(homedir2(), ".cache", "opencode-claude-max-proxy");
-  if (existsSync4(newDir))
+  if (existsSync5(newDir))
     return newDir;
-  if (existsSync4(oldDir)) {
+  if (existsSync5(oldDir)) {
     try {
       const { symlinkSync } = __require("fs");
       symlinkSync(oldDir, newDir);
@@ -17367,7 +17417,7 @@ function getDefaultCacheDir() {
 }
 function readStore() {
   const path3 = getStorePath();
-  if (!existsSync4(path3))
+  if (!existsSync5(path3))
     return {};
   try {
     const data = readFileSync3(path3, "utf-8");
@@ -17884,6 +17934,8 @@ function createProxyServer(config = {}) {
   app.use("/profiles", requireAuth);
   app.use("/plugins/*", requireAuth);
   app.use("/plugins", requireAuth);
+  app.use("/settings/*", requireAuth);
+  app.use("/settings", requireAuth);
   app.use("/auth/*", requireAuth);
   app.get("/", (c) => {
     const accept = c.req.header("accept") || "";
@@ -17944,8 +17996,19 @@ function createProxyServer(config = {}) {
         const agentMode = c.req.header("x-opencode-agent-mode") ?? null;
         const requestSource = c.req.header("x-meridian-source")?.slice(0, 64) || undefined;
         let model = mapModelToClaudeModel(body.model || "sonnet", authStatus?.subscriptionType, agentMode);
-        const workingDirectory = (process.env.MERIDIAN_WORKDIR ?? process.env.CLAUDE_PROXY_WORKDIR) || adapter.extractWorkingDirectory(body) || process.cwd();
-        const clientWorkingDirectory = adapter.extractClientWorkingDirectory?.(body) || workingDirectory;
+        const cwdResolution = resolveSdkWorkingDirectory({
+          envOverride: process.env.MERIDIAN_WORKDIR ?? process.env.CLAUDE_PROXY_WORKDIR,
+          adapterCwd: adapter.extractWorkingDirectory(body),
+          fallback: process.cwd()
+        });
+        const workingDirectory = cwdResolution.workingDirectory;
+        if (cwdResolution.fellBack) {
+          claudeLog("cwd_fallback", {
+            claimed: cwdResolution.claimedWorkingDirectory,
+            usedInstead: workingDirectory
+          });
+        }
+        const clientWorkingDirectory = adapter.extractClientWorkingDirectory?.(body) || cwdResolution.claimedWorkingDirectory;
         const {
           ANTHROPIC_API_KEY: _dropApiKey,
           ANTHROPIC_BASE_URL: _dropBaseUrl,
@@ -18224,6 +18287,7 @@ function createProxyServer(config = {}) {
             const RATE_LIMIT_BASE_DELAY_MS = 1000;
             const response = async function* () {
               let rateLimitRetries = 0;
+              await ensureFreshToken().catch(() => {});
               let tokenRefreshed = false;
               while (true) {
                 let didYieldContent = false;
@@ -18625,6 +18689,7 @@ Subprocess stderr: ${stderrOutput}`;
               const RATE_LIMIT_BASE_DELAY_MS = 1000;
               const response = async function* () {
                 let rateLimitRetries = 0;
+                await ensureFreshToken().catch(() => {});
                 let tokenRefreshed = false;
                 while (true) {
                   let didYieldClientEvent = false;
@@ -19442,6 +19507,7 @@ data: ${JSON.stringify({
           auth: { loggedIn: false }
         }, 503);
       }
+      const claudeExecutableInfo = getResolvedClaudeExecutableInfo();
       return c.json({
         status: "healthy",
         version: serverVersion,
@@ -19451,6 +19517,7 @@ data: ${JSON.stringify({
           subscriptionType: auth.subscriptionType
         },
         mode: envBool("PASSTHROUGH") ? "passthrough" : "internal",
+        ...claudeExecutableInfo ? { claudeExecutable: claudeExecutableInfo } : {},
         plugin: { opencode: checkPluginConfigured() ? "configured" : "not-configured" }
       });
     } catch {
@@ -19563,9 +19630,16 @@ data: ${JSON.stringify({
     if (!anthropicBody) {
       return c.json({ type: "error", error: { type: "invalid_request_error", message: "messages: Field required" } }, 400);
     }
+    const internalHeaders = { "Content-Type": "application/json" };
+    const xApiKey = c.req.header("x-api-key");
+    if (xApiKey)
+      internalHeaders["x-api-key"] = xApiKey;
+    const authz = c.req.header("authorization");
+    if (authz)
+      internalHeaders["authorization"] = authz;
     const internalReq = new Request("http://internal/v1/messages", {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: internalHeaders,
       body: JSON.stringify(anthropicBody)
     });
     const internalRes = await app.fetch(internalReq);
@@ -19844,6 +19918,10 @@ async function startProxyServer(config = {}) {
       console.log(`Telemetry dashboard: http://${finalConfig.host}:${info.port}/telemetry`);
       const pins = resolveSdkModelDefaults();
       console.log(`Model pins: opus=${pins.ANTHROPIC_DEFAULT_OPUS_MODEL} sonnet=${pins.ANTHROPIC_DEFAULT_SONNET_MODEL} haiku=${pins.ANTHROPIC_DEFAULT_HAIKU_MODEL}`);
+      const claudeInfo = getResolvedClaudeExecutableInfo();
+      if (claudeInfo) {
+        console.log(`Claude executable: ${claudeInfo.path} (resolved via ${claudeInfo.source})`);
+      }
       console.log(`
 Point any Anthropic-compatible tool at this endpoint:`);
       console.log(`  ANTHROPIC_API_KEY=x ANTHROPIC_BASE_URL=http://${finalConfig.host}:${info.port}`);
@@ -19865,6 +19943,7 @@ Or use a different port:`);
       console.error(`  MERIDIAN_PORT=4567 meridian`);
     }
   });
+  startBackgroundRefresh();
   let authKeepaliveInterval;
   const effectiveProfiles = getEffectiveProfiles(finalConfig.profiles);
   if (effectiveProfiles.length > 0) {
@@ -19888,6 +19967,7 @@ Or use a different port:`);
     async close() {
       if (authKeepaliveInterval)
         clearInterval(authKeepaliveInterval);
+      stopBackgroundRefresh();
       await new Promise((resolve3, reject) => {
         server.close((err) => err ? reject(err) : resolve3());
       });

package/dist/cli.js

@@ -1,13 +1,13 @@
 #!/usr/bin/env node
 import {
   startProxyServer
-} from "./cli-51a9sav0.js";
-import"./cli-vdp9s10c.js";
+} from "./cli-kvwnarfk.js";
+import"./cli-cx463q74.js";
 import"./cli-sry5aqdj.js";
 import"./cli-4rqtm83g.js";
 import"./cli-340h1chz.js";
 import"./cli-rtab0qa6.js";
-import"./cli-e289rj3k.js";
+import"./cli-7k1fcprd.js";
 import {
   __require
 } from "./cli-p9swy5t3.js";
@@ -50,12 +50,18 @@ See https://github.com/rynfar/meridian for full documentation.`);
   process.exit(0);
 }
 if (args[0] === "profile") {
-  const { profileAdd, profileList, profileRemove, profileSwitch, profileLogin, profileHelp } = await import("./profileCli-5f15dx7k.js");
+  const { profileAdd, profileAddOauthToken, profileList, profileRemove, profileSwitch, profileLogin, profileHelp } = await import("./profileCli-wpb4qbjn.js");
   const subcommand = args[1];
   const profileId = args[2];
-  if (subcommand === "add" && profileId)
-    profileAdd(profileId);
-  else if (subcommand === "list" || subcommand === "ls")
+  if (subcommand === "add" && profileId) {
+    const oauthFlagIdx = args.indexOf("--oauth-token", 3);
+    if (oauthFlagIdx >= 0) {
+      const tokenArg = args[oauthFlagIdx + 1];
+      await profileAddOauthToken(profileId, tokenArg);
+    } else {
+      profileAdd(profileId);
+    }
+  } else if (subcommand === "list" || subcommand === "ls")
     profileList();
   else if (subcommand === "remove" && profileId)
     profileRemove(profileId);
@@ -89,7 +95,7 @@ Restart OpenCode for the plugin to take effect.`);
   process.exit(0);
 }
 if (args[0] === "refresh-token") {
-  const { refreshOAuthToken } = await import("./tokenRefresh-psq94r54.js");
+  const { refreshOAuthToken } = await import("./tokenRefresh-swetnf89.js");
   const success = await refreshOAuthToken();
   if (success) {
     console.log("Token refreshed successfully");
@@ -147,7 +153,7 @@ async function runCli(start = startProxyServer, runExec = exec) {
     console.error("\x1B[33m⚠ Could not verify Claude auth status. If requests fail, run: claude login\x1B[0m");
   }
   if (!profiles) {
-    const { enableDiskProfileDiscovery } = await import("./profiles-edzz1ffd.js");
+    const { enableDiskProfileDiscovery } = await import("./profiles-rdd84b45.js");
     enableDiskProfileDiscovery();
   }
   const proxy = await start({ port, host, idleTimeoutSeconds, profiles, defaultProfile, version });

package/dist/{profileCli-5f15dx7k.js → profileCli-wpb4qbjn.js}

@@ -116,6 +116,33 @@ function profileAdd(id) {
   saveProfileConfig(profiles);
   printEnvHint(profiles);
 }
+async function profileAddOauthToken(id, tokenArg) {
+  if (!id || /[^a-zA-Z0-9_-]/.test(id)) {
+    console.error("\x1B[31m✗ Invalid profile ID.\x1B[0m Use only letters, numbers, hyphens, underscores.");
+    process.exit(1);
+  }
+  const profiles = loadProfileConfig();
+  if (profiles.find((p) => p.id === id)) {
+    console.error(`\x1B[31m✗ Profile "${id}" already exists.\x1B[0m`);
+    console.error(`  Run: meridian profile list`);
+    process.exit(1);
+  }
+  let token = tokenArg?.trim() ?? "";
+  if (!token) {
+    console.log(`\x1B[36mAdding profile: ${id} (OAuth token)\x1B[0m`);
+    console.log(`  Generate a token with: \x1B[1mclaude setup-token\x1B[0m`);
+    console.log();
+    token = promptToken(`Paste OAuth token for "${id}" (input hidden):`);
+  }
+  if (!token) {
+    console.error("\x1B[31m✗ Empty token. Aborted.\x1B[0m");
+    process.exit(1);
+  }
+  profiles.push({ id, type: "oauth-token", oauthToken: token });
+  saveProfileConfig(profiles);
+  console.log(`\x1B[32m✓ Profile "${id}" added (OAuth token).\x1B[0m`);
+  printEnvHint(profiles);
+}
 function profileList() {
   const profiles = loadProfileConfig();
   if (profiles.length === 0) {
@@ -126,6 +153,10 @@ function profileList() {
   console.log(`Profiles:
 `);
   for (const p of profiles) {
+    if (p.oauthToken || p.type === "oauth-token") {
+      console.log(`  ${p.id.padEnd(20)} \x1B[32m✓ OAuth token\x1B[0m`);
+      continue;
+    }
     const auth = getAuthStatus(p.claudeConfigDir ?? "");
     const status = auth.loggedIn ? `\x1B[32m✓ ${auth.email} (${auth.subscriptionType || "unknown"})\x1B[0m` : "\x1B[31m✗ not logged in\x1B[0m";
     console.log(`  ${p.id.padEnd(20)} ${status}`);
@@ -133,6 +164,18 @@ function profileList() {
   console.log();
   printEnvHint(profiles);
 }
+function dirsToRemoveOnProfileRemove(profile, profilesDir) {
+  const dirs = [];
+  if (profile.claudeConfigDir && profile.claudeConfigDir.startsWith(profilesDir)) {
+    dirs.push(profile.claudeConfigDir);
+  }
+  if (profile.oauthToken || profile.type === "oauth-token") {
+    const isolationDir = join(profilesDir, profile.id);
+    if (!dirs.includes(isolationDir))
+      dirs.push(isolationDir);
+  }
+  return dirs;
+}
 function profileRemove(id) {
   const profiles = loadProfileConfig();
   const idx = profiles.findIndex((p) => p.id === id);
@@ -140,11 +183,13 @@ function profileRemove(id) {
     console.error(`\x1B[31m✗ Profile "${id}" not found.\x1B[0m`);
     process.exit(1);
   }
-  const configDir = profiles[idx].claudeConfigDir ?? "";
+  const removed = profiles[idx];
+  const dirsToRemove = dirsToRemoveOnProfileRemove(removed, PROFILES_DIR);
   profiles.splice(idx, 1);
   saveProfileConfig(profiles);
-  if (configDir && existsSync(configDir) && configDir.startsWith(PROFILES_DIR)) {
-    rmSync(configDir, { recursive: true, force: true });
+  for (const dir of dirsToRemove) {
+    if (existsSync(dir))
+      rmSync(dir, { recursive: true, force: true });
   }
   console.log(`\x1B[32m✓ Profile "${id}" removed.\x1B[0m`);
   if (profiles.length > 0) {
@@ -181,6 +226,11 @@ function profileLogin(id) {
     console.error(`\x1B[31m✗ Profile "${id}" not found.\x1B[0m Run: meridian profile add ${id}`);
     process.exit(1);
   }
+  if (profile.oauthToken || profile.type === "oauth-token") {
+    console.error(`\x1B[31m✗ Profile "${id}" uses an OAuth token; \`claude auth login\` does not apply.\x1B[0m`);
+    console.error(`  To replace the token: meridian profile remove ${id} && meridian profile add ${id} --oauth-token`);
+    process.exit(1);
+  }
   console.log(`\x1B[36mRe-authenticating profile: ${id}\x1B[0m`);
   console.log();
   console.log("\x1B[33m⚠ Make sure you're signed into the correct Claude account in your browser.\x1B[0m");
@@ -209,6 +259,41 @@ function promptYesNo(question) {
   const answer = (result.stdout?.toString().trim() ?? "").toLowerCase();
   return answer !== "n" && answer !== "no";
 }
+function promptToken(question) {
+  process.stderr.write(`${question}
+> `);
+  const script = [
+    `const stdin = process.stdin;`,
+    `if (!stdin.isTTY) {`,
+    `  let buf = "";`,
+    `  stdin.setEncoding("utf8");`,
+    `  stdin.on("data", (c) => { buf += c; });`,
+    `  stdin.on("end", () => { process.stdout.write(buf.split(/\\r?\\n/)[0] || ""); process.exit(0); });`,
+    `} else {`,
+    `  stdin.setRawMode(true); stdin.resume(); stdin.setEncoding("utf8");`,
+    `  let input = "";`,
+    `  stdin.on("data", (key) => {`,
+    `    if (key === "\\u0003") { process.stderr.write("\\n"); process.exit(1); }`,
+    `    else if (key === "\\r" || key === "\\n") {`,
+    `      stdin.setRawMode(false); process.stderr.write("\\n");`,
+    `      process.stdout.write(input); process.exit(0);`,
+    `    }`,
+    `    else if (key === "\\u007f" || key === "\\b") {`,
+    `      if (input.length > 0) input = input.slice(0, -1);`,
+    `    }`,
+    `    else { input += key; }`,
+    `  });`,
+    `}`
+  ].join(`
+`);
+  const result = spawnSync("node", ["-e", script], { stdio: ["inherit", "pipe", "inherit"] });
+  if (result.status !== 0) {
+    process.stderr.write(`
+`);
+    process.exit(1);
+  }
+  return (result.stdout?.toString() ?? "").trim();
+}
 function printEnvHint(_profiles) {
   console.log(`\x1B[90mConfig: ${CONFIG_FILE}\x1B[0m`);
   console.log("\x1B[90mProfiles are picked up automatically — no restart needed.\x1B[0m");
@@ -217,17 +302,22 @@ function profileHelp() {
   console.log(`meridian profile — manage Claude account profiles
 
 Commands:
-  meridian profile add <name>       Add a profile and authenticate
-  meridian profile list             List profiles and auth status
-  meridian profile remove <name>    Remove a profile
-  meridian profile switch <name>    Switch the active profile (requires running proxy)
-  meridian profile login <name>     Re-authenticate an existing profile
+  meridian profile add <name>                       Add a profile via browser login
+  meridian profile add <name> --oauth-token [TOKEN] Add a profile from a \`claude setup-token\` value
+                                                    (if TOKEN is omitted, you will be prompted; input is hidden)
+  meridian profile list                             List profiles and auth status
+  meridian profile remove <name>                    Remove a profile
+  meridian profile switch <name>                    Switch the active profile (requires running proxy)
+  meridian profile login <name>                     Re-authenticate an existing profile (claude-max only)
 
 Examples:
-  meridian profile add personal     # Add personal account
-  meridian profile add work         # Add work account
-  meridian profile switch work      # Switch to work account
-  meridian profile list             # Show all profiles`);
+  meridian profile add personal                     # Add personal account (browser login)
+  meridian profile add work                         # Add work account
+  meridian profile add ci --oauth-token             # Add headless CI profile (prompted, no echo)
+  meridian profile add ci --oauth-token sk-ant-oat01-...
+                                                    # Add headless CI profile (token from CLI argument)
+  meridian profile switch work                      # Switch to work account
+  meridian profile list                             # Show all profiles`);
 }
 export {
   profileSwitch,
@@ -235,5 +325,7 @@ export {
   profileLogin,
   profileList,
   profileHelp,
-  profileAdd
+  profileAddOauthToken,
+  profileAdd,
+  dirsToRemoveOnProfileRemove
 };

package/dist/{profiles-edzz1ffd.js → profiles-rdd84b45.js}

@@ -9,7 +9,7 @@ import {
   resolveProfile,
   restoreActiveProfile,
   setActiveProfile
-} from "./cli-vdp9s10c.js";
+} from "./cli-cx463q74.js";
 import"./cli-340h1chz.js";
 import"./cli-p9swy5t3.js";
 export {

package/dist/proxy/cwd.d.ts

@@ -0,0 +1,42 @@
+/**
+ * Resolve the SDK subprocess `cwd:` option, falling back to a known-valid
+ * path on the proxy host when the resolved working directory doesn't exist.
+ *
+ * Background — issue #381:
+ *   When meridian runs on a remote machine (e.g. accessed over Tailscale)
+ *   and the client (OpenCode/Crush/etc.) runs on a different machine, the
+ *   adapter extracts the client's reported working directory and passes it
+ *   to the SDK as `cwd:`. That path doesn't exist on the proxy host, so
+ *   `child_process.spawn(claude, { cwd })` fails with ENOENT — which the
+ *   SDK then reports as the misleading "Claude Code native binary not
+ *   found at ..." error.
+ *
+ *   Falling back to the proxy's own `process.cwd()` lets the SDK spawn
+ *   succeed; `clientWorkingDirectory` is tracked separately (and emitted
+ *   into the model's context via buildCwdNote) so the model still hears
+ *   about the user's real working directory.
+ */
+export interface CwdResolution {
+    /** Path passed to the SDK as `cwd:`. Always exists on the proxy host. */
+    workingDirectory: string;
+    /**
+     * The originally-resolved path before existence validation. May not
+     * exist on the proxy host. Used as `clientWorkingDirectory` for
+     * fingerprint bucketing and the system-prompt cwdNote.
+     */
+    claimedWorkingDirectory: string;
+    /** True if `workingDirectory` differs from `claimedWorkingDirectory`. */
+    fellBack: boolean;
+}
+export interface ResolveCwdOpts {
+    /** MERIDIAN_WORKDIR / CLAUDE_PROXY_WORKDIR (highest precedence). */
+    envOverride: string | undefined;
+    /** Adapter's extracted client working directory. */
+    adapterCwd: string | undefined;
+    /** Last-resort fallback. Must exist; typically `process.cwd()`. */
+    fallback: string;
+    /** Injection point for tests. Defaults to `node:fs`'s existsSync. */
+    exists?: (path: string) => boolean;
+}
+export declare function resolveSdkWorkingDirectory(opts: ResolveCwdOpts): CwdResolution;
+//# sourceMappingURL=cwd.d.ts.map

package/dist/proxy/cwd.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cwd.d.ts","sourceRoot":"","sources":["../../src/proxy/cwd.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAIH,MAAM,WAAW,aAAa;IAC5B,yEAAyE;IACzE,gBAAgB,EAAE,MAAM,CAAA;IACxB;;;;OAIG;IACH,uBAAuB,EAAE,MAAM,CAAA;IAC/B,yEAAyE;IACzE,QAAQ,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,WAAW,cAAc;IAC7B,oEAAoE;IACpE,WAAW,EAAE,MAAM,GAAG,SAAS,CAAA;IAC/B,oDAAoD;IACpD,UAAU,EAAE,MAAM,GAAG,SAAS,CAAA;IAC9B,mEAAmE;IACnE,QAAQ,EAAE,MAAM,CAAA;IAChB,qEAAqE;IACrE,MAAM,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAA;CACnC;AAED,wBAAgB,0BAA0B,CAAC,IAAI,EAAE,cAAc,GAAG,aAAa,CAO9E"}

package/dist/proxy/errors.d.ts

@@ -15,10 +15,20 @@ export declare function classifyError(errMsg: string): ClassifiedError;
  * Detect errors caused by an expired or missing OAuth access token.
  * Triggers an inline token refresh + retry in server.ts.
  *
- * Two distinct messages from the Claude Code CLI:
- *   - "OAuth token has expired" — CLI sent the token, Anthropic API rejected it
- *   - "Not logged in"           — CLI checked expiresAt locally and refused to try
- * Both are resolved by refreshing the token.
+ * Patterns, in order of specificity:
+ *   - "OAuth token has expired" / "Not logged in" — CLI-emitted (subprocess
+ *     either got 401 with this wording from Anthropic or detected expiry
+ *     locally before sending).
+ *   - "invalid_token" / "token_expired" — RFC 6750 resource-server errors that
+ *     can appear in the API response body.
+ *   - "401" + ("authentication" | "unauthorized" | "invalid") — generic 401
+ *     wrapping. Anthropic's API does not always echo the CLI-specific wording,
+ *     so without this branch a stale access token returns a generic 401 to the
+ *     proxy and refresh-and-retry never fires (caller sees the 401).
+ *
+ * False positives only cost one OAuth round-trip — the refresh is single-shot
+ * per request (gated by `tokenRefreshed` in server.ts) and surfaces the
+ * original error if it doesn't help.
  */
 export declare function isExpiredTokenError(errMsg: string): boolean;
 /**

package/dist/proxy/errors.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/proxy/errors.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,CA+G7D;AAED;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAG3D;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAO3D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAGxD;AAED;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAGjE;AAED;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,WAAW,GAAG,cAAc,GAAG,SAAS,GAAG,SAAS,CAAA;IAC5D,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,wDAAwD;IACxD,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;wCAEoC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAuBD;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,cAAc,CAuCpE;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,CAAC,EAAE,cAAc,EACjB,GAAG,EAAE;IACH,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,gBAAgB,CAAC,EAAE,OAAO,CAAA;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB,GACA,MAAM,CAYR"}
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/proxy/errors.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,MAAM,CAAA;IACZ,OAAO,EAAE,MAAM,CAAA;CAChB;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,MAAM,GAAG,eAAe,CA+G7D;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAM3D;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAO3D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAGxD;AAED;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAGjE;AAED;;;;;GAKG;AACH,MAAM,WAAW,cAAc;IAC7B,MAAM,EAAE,WAAW,GAAG,cAAc,GAAG,SAAS,GAAG,SAAS,CAAA;IAC5D,sDAAsD;IACtD,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,wDAAwD;IACxD,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,wDAAwD;IACxD,UAAU,CAAC,EAAE,MAAM,CAAA;IACnB;;wCAEoC;IACpC,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAuBD;;;;;;GAMG;AACH,wBAAgB,qBAAqB,CAAC,MAAM,EAAE,MAAM,GAAG,cAAc,CAuCpE;AAED;;;;;;;GAOG;AACH,wBAAgB,oBAAoB,CAClC,CAAC,EAAE,cAAc,EACjB,GAAG,EAAE;IACH,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,gBAAgB,CAAC,EAAE,OAAO,CAAA;IAC1B,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB,GACA,MAAM,CAYR"}

package/dist/proxy/models.d.ts

@@ -25,8 +25,12 @@ export declare const CANONICAL_HAIKU_MODEL = "claude-haiku-4-5";
  * Build the ANTHROPIC_DEFAULT_{TYPE}_MODEL env record to apply before the
  * inherited process env, so user-set shell values still win but unset
  * variables get Meridian's canonical pins.
+ *
+ * Accepts an optional `env` arg so unit tests can pass a synthetic env
+ * map instead of mutating process.env (which leaks between parallel
+ * test files).
  */
-export declare function resolveSdkModelDefaults(): Record<string, string>;
+export declare function resolveSdkModelDefaults(env?: NodeJS.ProcessEnv): Record<string, string>;
 export interface ClaudeAuthStatus {
     loggedIn?: boolean;
     subscriptionType?: string;
@@ -71,6 +75,18 @@ export declare function getAuthCacheInfo(profileId?: string): {
  * @param envOverrides - Optional env vars for per-profile auth (e.g. CLAUDE_CONFIG_DIR).
  */
 export declare function getClaudeAuthStatusAsync(profileId?: string, envOverrides?: Record<string, string>): Promise<ClaudeAuthStatus | null>;
+/**
+ * Tag identifying which resolver step produced the path. Surfaced at startup
+ * and in `/health` so users can self-diagnose "wrong claude got picked"
+ * without having to inspect their PATH manually (closes the diagnostic gap
+ * from #478, where a Bun-shimmed `claude` on PATH led to silent failures
+ * that looked indistinguishable from any other SDK error).
+ */
+export type ClaudeExecutableSource = "env" | "bundled" | "platform-package" | "path-lookup" | "legacy-cli-js";
+export interface ClaudeExecutableInfo {
+    path: string;
+    source: ClaudeExecutableSource;
+}
 /**
  * Resolve the Claude executable path asynchronously (non-blocking).
  *
@@ -102,11 +118,29 @@ type ResolverDeps = {
     isBun: boolean;
 };
 /**
- * Pure resolver — runs each step and returns the first hit, or null when
- * all steps miss. Exported for unit tests; production callers use
- * resolveClaudeExecutableAsync, which adds caching on top.
+ * Pure resolver, source-aware variant — runs each step and returns the
+ * first hit (path + source tag), or null when all steps miss.
+ *
+ * Order matters: `env` wins unconditionally (operator escape hatch), then
+ * `bundled` (the path the SDK expects), then `platform-package` (postinstall
+ * fallback), then `path-lookup` (system PATH — most likely to surface
+ * unintended shims, see #478), then `legacy-cli-js` (only matters on stale
+ * Bun installs of SDK < 0.2.98).
+ */
+export declare function resolveClaudeExecutableWithSource(deps?: ResolverDeps): Promise<ClaudeExecutableInfo | null>;
+/**
+ * Pure resolver — returns the path string only. Kept for callers that
+ * don't need the source tag (existing behavior; preserves the existing
+ * test surface in claude-executable-resolver.test.ts).
  */
 export declare function resolveClaudeExecutable(deps?: ResolverDeps): Promise<string | null>;
+/**
+ * Returns the cached resolved-executable info — `null` if
+ * `resolveClaudeExecutableAsync` hasn't run yet. Used by `/health` and the
+ * startup log so the resolver only runs once and both surfaces see the
+ * same answer.
+ */
+export declare function getResolvedClaudeExecutableInfo(): ClaudeExecutableInfo | null;
 export declare function resolveClaudeExecutableAsync(): Promise<string>;
 /** Reset cached path — for testing only */
 export declare function resetCachedClaudePath(): void;

package/dist/proxy/models.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"models.d.ts","sourceRoot":"","sources":["../../src/proxy/models.ts"],"names":[],"mappings":"AAAA;;GAEG;AAoBH,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,YAAY,GAAG,MAAM,GAAG,UAAU,GAAG,OAAO,CAAA;AAEjF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,oBAAoB,oBAAoB,CAAA;AACrD,eAAO,MAAM,sBAAsB,sBAAsB,CAAA;AACzD,eAAO,MAAM,qBAAqB,qBAAqB,CAAA;AAEvD;;;;GAIG;AACH,wBAAgB,uBAAuB,IAAI,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAMhE;AACD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AA0BD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,WAAW,CA8B7H;AAWD;;;;;;GAMG;AACH,wBAAgB,gCAAgC,IAAI,IAAI,CAEvD;AAED;;;;GAIG;AACH,wBAAgB,iCAAiC,IAAI,OAAO,CAG3D;AAED,0EAA0E;AAC1E,wBAAgB,+BAA+B,IAAI,IAAI,CAEtD;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,WAAW,GAAG,WAAW,CAIpE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAE9D;AAaD;gFACgF;AAChF,wBAAgB,gBAAgB,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,OAAO,CAAA;CAAE,CAOzH;AAWD;;;;GAIG;AACH,wBAAsB,wBAAwB,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAuD1I;AAOD;;;;;;;;;;GAUG;AACH;;;;GAIG;AACH,KAAK,YAAY,GAAG;IAClB,UAAU,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,OAAO,CAAA;IAClC,QAAQ,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;IACzC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAClD,cAAc,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,MAAM,CAAA;IAC7C,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAA;IAC5C,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAA;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE,OAAO,CAAA;CACf,CAAA;AA4HD;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,IAAI,GAAE,YAA2B,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAQvG;AAED,wBAAsB,4BAA4B,IAAI,OAAO,CAAC,MAAM,CAAC,CAqBpE;AAED,2CAA2C;AAC3C,wBAAgB,qBAAqB,IAAI,IAAI,CAG5C;AAED,kDAAkD;AAClD,wBAAgB,2BAA2B,IAAI,IAAI,CAOlD;AAED;;6DAE6D;AAC7D,wBAAgB,qBAAqB,IAAI,IAAI,CAO5C;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAG/D"}
+{"version":3,"file":"models.d.ts","sourceRoot":"","sources":["../../src/proxy/models.ts"],"names":[],"mappings":"AAAA;;GAEG;AAoBH,MAAM,MAAM,WAAW,GAAG,QAAQ,GAAG,YAAY,GAAG,MAAM,GAAG,UAAU,GAAG,OAAO,CAAA;AAEjF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,oBAAoB,oBAAoB,CAAA;AACrD,eAAO,MAAM,sBAAsB,sBAAsB,CAAA;AACzD,eAAO,MAAM,qBAAqB,qBAAqB,CAAA;AAEvD;;;;;;;;GAQG;AACH,wBAAgB,uBAAuB,CACrC,GAAG,GAAE,MAAM,CAAC,UAAwB,GACnC,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAMxB;AACD,MAAM,WAAW,gBAAgB;IAC/B,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,KAAK,CAAC,EAAE,MAAM,CAAA;CACf;AA0BD,wBAAgB,qBAAqB,CAAC,KAAK,EAAE,MAAM,EAAE,gBAAgB,CAAC,EAAE,MAAM,GAAG,IAAI,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,WAAW,CA8B7H;AAWD;;;;;;GAMG;AACH,wBAAgB,gCAAgC,IAAI,IAAI,CAEvD;AAED;;;;GAIG;AACH,wBAAgB,iCAAiC,IAAI,OAAO,CAG3D;AAED,0EAA0E;AAC1E,wBAAgB,+BAA+B,IAAI,IAAI,CAEtD;AAED;;;GAGG;AACH,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,WAAW,GAAG,WAAW,CAIpE;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,KAAK,EAAE,WAAW,GAAG,OAAO,CAE9D;AAaD;gFACgF;AAChF,wBAAgB,gBAAgB,CAAC,SAAS,CAAC,EAAE,MAAM,GAAG;IAAE,aAAa,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,SAAS,EAAE,OAAO,CAAA;CAAE,CAOzH;AAWD;;;;GAIG;AACH,wBAAsB,wBAAwB,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,OAAO,CAAC,gBAAgB,GAAG,IAAI,CAAC,CAuD1I;AAID;;;;;;GAMG;AACH,MAAM,MAAM,sBAAsB,GAC9B,KAAK,GACL,SAAS,GACT,kBAAkB,GAClB,aAAa,GACb,eAAe,CAAA;AAEnB,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAA;IACZ,MAAM,EAAE,sBAAsB,CAAA;CAC/B;AAKD;;;;;;;;;;GAUG;AACH;;;;GAIG;AACH,KAAK,YAAY,GAAG;IAClB,UAAU,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK,OAAO,CAAA;IAClC,QAAQ,EAAE,CAAC,CAAC,EAAE,MAAM,KAAK;QAAE,IAAI,EAAE,MAAM,CAAA;KAAE,CAAA;IACzC,IAAI,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,CAAC;QAAE,MAAM,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;IAClD,cAAc,EAAE,CAAC,SAAS,EAAE,MAAM,KAAK,MAAM,CAAA;IAC7C,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,SAAS,CAAA;IAC5C,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAA;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,KAAK,EAAE,OAAO,CAAA;CACf,CAAA;AA4HD;;;;;;;;;GASG;AACH,wBAAsB,iCAAiC,CACrD,IAAI,GAAE,YAA2B,GAChC,OAAO,CAAC,oBAAoB,GAAG,IAAI,CAAC,CAYtC;AAED;;;;GAIG;AACH,wBAAsB,uBAAuB,CAAC,IAAI,GAAE,YAA2B,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAGvG;AAED;;;;;GAKG;AACH,wBAAgB,+BAA+B,IAAI,oBAAoB,GAAG,IAAI,CAE7E;AAED,wBAAsB,4BAA4B,IAAI,OAAO,CAAC,MAAM,CAAC,CAqBpE;AAED,2CAA2C;AAC3C,wBAAgB,qBAAqB,IAAI,IAAI,CAG5C;AAED,kDAAkD;AAClD,wBAAgB,2BAA2B,IAAI,IAAI,CAOlD;AAED;;6DAE6D;AAC7D,wBAAgB,qBAAqB,IAAI,IAAI,CAO5C;AAED;;;GAGG;AACH,wBAAgB,uBAAuB,CAAC,KAAK,EAAE,OAAO,GAAG,OAAO,CAG/D"}

package/dist/proxy/oauthUsage.d.ts

@@ -37,6 +37,19 @@ export interface OAuthUsageSnapshot {
     extraUsage: OAuthExtraUsageInfo | null;
     fetchedAt: number;
 }
+/** Minimal fetch shape used by callAnthropic. Avoids `typeof fetch`'s
+ *  `preconnect` property, which makes test casts unwieldy. */
+type FetchLike = (input: string, init?: RequestInit) => Promise<Response>;
+export interface FetchOAuthUsageOpts {
+    ttlMs?: number;
+    force?: boolean;
+    store?: CredentialStore;
+    profileId?: string | null;
+    claudeConfigDir?: string;
+    fetchImpl?: FetchLike;
+}
+/** Test-only setter. Pass `null` to clear. */
+export declare function __setFetchOAuthUsageOverride(fn: ((opts?: FetchOAuthUsageOpts) => Promise<OAuthUsageSnapshot | null>) | null): void;
 /**
  * Fetch latest OAuth usage for a specific profile (or the default OAuth
  * account if none specified). Returns null if no OAuth token is available
@@ -54,14 +67,11 @@ export interface OAuthUsageSnapshot {
  * @param claudeConfigDir When provided, reads credentials from this dir's
  *                        keychain entry (macOS) or `.credentials.json`
  *                        (Linux) instead of the platform default.
+ * @param fetchImpl       Override the fetch implementation (for testing).
+ *                        Defaults to globalThis.fetch.
  */
-export declare function fetchOAuthUsage(opts?: {
-    ttlMs?: number;
-    force?: boolean;
-    store?: CredentialStore;
-    profileId?: string | null;
-    claudeConfigDir?: string;
-}): Promise<OAuthUsageSnapshot | null>;
+export declare function fetchOAuthUsage(opts?: FetchOAuthUsageOpts): Promise<OAuthUsageSnapshot | null>;
 /** Test-only / shutdown helper — clears all cached snapshots and pending fetches. */
 export declare function resetOAuthUsageCache(): void;
+export {};
 //# sourceMappingURL=oauthUsage.d.ts.map

package/dist/proxy/oauthUsage.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauthUsage.d.ts","sourceRoot":"","sources":["../../src/proxy/oauthUsage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EAAoD,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAgCvG,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,OAAO,CAAA;IAClB,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,gBAAgB,EAAE,CAAA;IAC3B,UAAU,EAAE,mBAAmB,GAAG,IAAI,CAAA;IACtC,SAAS,EAAE,MAAM,CAAA;CAClB;AA0ED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAsB,eAAe,CAAC,IAAI,CAAC,EAAE;IAC3C,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,KAAK,CAAC,EAAE,eAAe,CAAA;IACvB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACzB,eAAe,CAAC,EAAE,MAAM,CAAA;CACzB,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAgDrC;AAED,qFAAqF;AACrF,wBAAgB,oBAAoB,IAAI,IAAI,CAG3C"}
+{"version":3,"file":"oauthUsage.d.ts","sourceRoot":"","sources":["../../src/proxy/oauthUsage.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAGH,OAAO,EAAoD,KAAK,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAgCvG,MAAM,WAAW,gBAAgB;IAC/B,IAAI,EAAE,MAAM,CAAA;IACZ,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CACxB;AAED,MAAM,WAAW,mBAAmB;IAClC,SAAS,EAAE,OAAO,CAAA;IAClB,YAAY,EAAE,MAAM,CAAA;IACpB,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAA;IAC1B,QAAQ,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,kBAAkB;IACjC,OAAO,EAAE,gBAAgB,EAAE,CAAA;IAC3B,UAAU,EAAE,mBAAmB,GAAG,IAAI,CAAA;IACtC,SAAS,EAAE,MAAM,CAAA;CAClB;AA6DD;8DAC8D;AAC9D,KAAK,SAAS,GAAG,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,QAAQ,CAAC,CAAA;AAmBzE,MAAM,WAAW,mBAAmB;IAClC,KAAK,CAAC,EAAE,MAAM,CAAA;IACd,KAAK,CAAC,EAAE,OAAO,CAAA;IACf,KAAK,CAAC,EAAE,eAAe,CAAA;IACvB,SAAS,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;IACzB,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,SAAS,CAAC,EAAE,SAAS,CAAA;CACtB;AAcD,8CAA8C;AAC9C,wBAAgB,4BAA4B,CAC1C,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,mBAAmB,KAAK,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAAC,GAAG,IAAI,GAC9E,IAAI,CAEN;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,eAAe,CAAC,IAAI,CAAC,EAAE,mBAAmB,GAAG,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAOpG;AAqDD,qFAAqF;AACrF,wBAAgB,oBAAoB,IAAI,IAAI,CAG3C"}

package/dist/proxy/plugins/loader.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../../src/proxy/plugins/loader.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAA;AAC7C,OAAO,KAAK,EAAE,WAAW,EAAgB,YAAY,EAAE,MAAM,SAAS,CAAA;AAStE,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,WAAW,EAAE,CASnE;AAED,wBAAsB,WAAW,CAC/B,SAAS,EAAE,MAAM,EACjB,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,YAAY,EAAE,CAAC,CAiIzB;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,SAAS,EAAE,CAIxE"}
+{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../../src/proxy/plugins/loader.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,SAAS,EAAE,MAAM,cAAc,CAAA;AAC7C,OAAO,KAAK,EAAE,WAAW,EAAgB,YAAY,EAAE,MAAM,SAAS,CAAA;AAStE,wBAAgB,iBAAiB,CAAC,UAAU,EAAE,MAAM,GAAG,WAAW,EAAE,CASnE;AAED,wBAAsB,WAAW,CAC/B,SAAS,EAAE,MAAM,EACjB,UAAU,CAAC,EAAE,MAAM,GAClB,OAAO,CAAC,YAAY,EAAE,CAAC,CA+IzB;AAED,wBAAgB,mBAAmB,CAAC,OAAO,EAAE,YAAY,EAAE,GAAG,SAAS,EAAE,CAIxE"}

package/dist/proxy/profiles.d.ts

@@ -2,8 +2,9 @@
  * Multi-profile support.
  *
  * Allows a single Meridian instance to route requests to different Claude
- * accounts. Each profile is a named auth context (a CLAUDE_CONFIG_DIR for
- * Max subscriptions, or an API key for direct API access).
+ * accounts. Each profile is a named auth context — a CLAUDE_CONFIG_DIR for
+ * Max subscriptions, an Anthropic API key for direct API access, or a
+ * long-lived OAuth token minted by `claude setup-token`.
  *
  * Profile selection priority:
  *   1. x-meridian-profile request header (per-request override)
@@ -18,11 +19,16 @@
  * while avoiding synchronous disk I/O on every request.
  */
 export declare function loadProfilesFromDisk(): ProfileConfig[];
-export type ProfileType = "claude-max" | "api";
+export type ProfileType = "claude-max" | "api" | "oauth-token";
 export interface ProfileConfig {
     /** Unique profile identifier (e.g. "personal", "work") */
     id: string;
-    /** Auth type — "claude-max" uses CLAUDE_CONFIG_DIR, "api" uses ANTHROPIC_API_KEY */
+    /**
+     * Auth type. Inferred from the populated credential field when omitted:
+     *   - `oauthToken`        → "oauth-token" (CLAUDE_CODE_OAUTH_TOKEN)
+     *   - `apiKey`/`baseUrl`  → must be combined with explicit `type: "api"`
+     *   - `claudeConfigDir`   → "claude-max" (CLAUDE_CONFIG_DIR)
+     */
     type?: ProfileType;
     /** Path to .claude config directory (claude-max profiles) */
     claudeConfigDir?: string;
@@ -30,6 +36,8 @@ export interface ProfileConfig {
     apiKey?: string;
     /** Anthropic base URL override (api profiles) */
     baseUrl?: string;
+    /** Long-lived OAuth token from `claude setup-token` (oauth-token profiles) */
+    oauthToken?: string;
 }
 export interface ResolvedProfile {
     id: string;

package/dist/proxy/profiles.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"profiles.d.ts","sourceRoot":"","sources":["../../src/proxy/profiles.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAcH;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,aAAa,EAAE,CAkBtD;AAED,MAAM,MAAM,WAAW,GAAG,YAAY,GAAG,KAAK,CAAA;AAE9C,MAAM,WAAW,aAAa;IAC5B,0DAA0D;IAC1D,EAAE,EAAE,MAAM,CAAA;IACV,oFAAoF;IACpF,IAAI,CAAC,EAAE,WAAW,CAAA;IAClB,6DAA6D;IAC7D,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,uCAAuC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,iDAAiD;IACjD,OAAO,CAAC,EAAE,MAAM,CAAA;CACjB;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,WAAW,CAAA;IACjB,4DAA4D;IAC5D,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAC5B;AAOD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAGxD;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,SAAS,CAEvD;AAED,+CAA+C;AAC/C,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,GAAG,IAAI,CAY3E;AAUD;;kEAEkE;AAClE,wBAAgB,0BAA0B,IAAI,IAAI,CAEjD;AAED,wBAAgB,oBAAoB,CAAC,cAAc,EAAE,aAAa,EAAE,GAAG,SAAS,GAAG,aAAa,EAAE,CAOjG;AAED,0DAA0D;AAC1D,wBAAgB,WAAW,CAAC,cAAc,EAAE,aAAa,EAAE,GAAG,SAAS,GAAG,OAAO,CAEhF;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,aAAa,EAAE,GAAG,SAAS,EACrC,cAAc,EAAE,MAAM,GAAG,SAAS,EAClC,WAAW,CAAC,EAAE,MAAM,GACnB,eAAe,CAkBjB;AAqBD;;GAEG;AACH,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,aAAa,EAAE,GAAG,SAAS,EACrC,cAAc,EAAE,MAAM,GAAG,SAAS,GACjC,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,WAAW,CAAC;IAAC,QAAQ,EAAE,OAAO,CAAA;CAAE,CAAC,CAU7D"}
+{"version":3,"file":"profiles.d.ts","sourceRoot":"","sources":["../../src/proxy/profiles.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAcH;;;;GAIG;AACH,wBAAgB,oBAAoB,IAAI,aAAa,EAAE,CAkBtD;AAED,MAAM,MAAM,WAAW,GAAG,YAAY,GAAG,KAAK,GAAG,aAAa,CAAA;AAE9D,MAAM,WAAW,aAAa;IAC5B,0DAA0D;IAC1D,EAAE,EAAE,MAAM,CAAA;IACV;;;;;OAKG;IACH,IAAI,CAAC,EAAE,WAAW,CAAA;IAClB,6DAA6D;IAC7D,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,uCAAuC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAA;IACf,iDAAiD;IACjD,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,8EAA8E;IAC9E,UAAU,CAAC,EAAE,MAAM,CAAA;CACpB;AAED,MAAM,WAAW,eAAe;IAC9B,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,WAAW,CAAA;IACjB,4DAA4D;IAC5D,GAAG,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAC5B;AAOD;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,SAAS,EAAE,MAAM,GAAG,IAAI,CAGxD;AAED;;GAEG;AACH,wBAAgB,kBAAkB,IAAI,MAAM,GAAG,SAAS,CAEvD;AAED,+CAA+C;AAC/C,wBAAgB,kBAAkB,IAAI,IAAI,CAEzC;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,cAAc,CAAC,EAAE,aAAa,EAAE,GAAG,IAAI,CAY3E;AAUD;;kEAEkE;AAClE,wBAAgB,0BAA0B,IAAI,IAAI,CAEjD;AAED,wBAAgB,oBAAoB,CAAC,cAAc,EAAE,aAAa,EAAE,GAAG,SAAS,GAAG,aAAa,EAAE,CAOjG;AAED,0DAA0D;AAC1D,wBAAgB,WAAW,CAAC,cAAc,EAAE,aAAa,EAAE,GAAG,SAAS,GAAG,OAAO,CAEhF;AAED;;;;;;GAMG;AACH,wBAAgB,cAAc,CAC5B,QAAQ,EAAE,aAAa,EAAE,GAAG,SAAS,EACrC,cAAc,EAAE,MAAM,GAAG,SAAS,EAClC,WAAW,CAAC,EAAE,MAAM,GACnB,eAAe,CAkBjB;AAkCD;;GAEG;AACH,wBAAgB,YAAY,CAC1B,QAAQ,EAAE,aAAa,EAAE,GAAG,SAAS,EACrC,cAAc,EAAE,MAAM,GAAG,SAAS,GACjC,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,WAAW,CAAC;IAAC,QAAQ,EAAE,OAAO,CAAA;CAAE,CAAC,CAU7D"}

package/dist/proxy/query.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"query.d.ts","sourceRoot":"","sources":["../../src/proxy/query.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAW,aAAa,EAAE,MAAM,gCAAgC,CAAA;AAErF,OAAO,EAAE,0BAA0B,EAAwB,MAAM,oBAAoB,CAAA;AAerF,MAAM,WAAW,YAAY;IAC3B,iEAAiE;IACjE,MAAM,EAAE,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAA;IACnC,iCAAiC;IACjC,KAAK,EAAE,MAAM,CAAA;IACb,uEAAuE;IACvE,gBAAgB,EAAE,MAAM,CAAA;IACxB;;;;;OAKG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAA;IAC/B,yCAAyC;IACzC,aAAa,EAAE,MAAM,CAAA;IACrB,gCAAgC;IAChC,gBAAgB,EAAE,MAAM,CAAA;IACxB,0CAA0C;IAC1C,WAAW,EAAE,OAAO,CAAA;IACpB,0CAA0C;IAC1C,MAAM,EAAE,OAAO,CAAA;IACf,6DAA6D;IAC7D,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAC9B,mEAAmE;IACnE,cAAc,CAAC,EAAE,UAAU,CAAC,OAAO,0BAA0B,CAAC,CAAA;IAC9D,wDAAwD;IACxD,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAA;IAC5C,yDAAyD;IACzD,gBAAgB,EAAE,OAAO,CAAA;IACzB,0DAA0D;IAC1D,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,wCAAwC;IACxC,MAAM,EAAE,OAAO,CAAA;IACf,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,kCAAkC;IAClC,QAAQ,CAAC,EAAE,GAAG,CAAA;IACd,iDAAiD;IACjD,YAAY,EAAE,SAAS,MAAM,EAAE,CAAA;IAC/B,+CAA+C;IAC/C,iBAAiB,EAAE,SAAS,MAAM,EAAE,CAAA;IACpC,uCAAuC;IACvC,aAAa,EAAE,MAAM,CAAA;IACrB,wCAAwC;IACxC,eAAe,EAAE,SAAS,MAAM,EAAE,CAAA;IAClC,kEAAkE;IAClE,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAA;IACjC,mEAAmE;IACnE,MAAM,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,CAAA;IAC1C,0EAA0E;IAC1E,QAAQ,CAAC,EAAE;QAAE,IAAI,EAAE,UAAU,CAAA;KAAE,GAAG;QAAE,IAAI,EAAE,SAAS,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG;QAAE,IAAI,EAAE,UAAU,CAAA;KAAE,CAAA;IACnG,8EAA8E;IAC9E,UAAU,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAA;IAC9B,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;IAChB,yEAAyE;IACzE,cAAc,CAAC,EAAE,aAAa,EAAE,CAAA;IAChC,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,OAAO,CAAA;IAC1B,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAC5B,wDAAwD;IACxD,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,wDAAwD;IACxD,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,0DAA0D;IAC1D,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,kCAAkC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,wCAAwC;IACxC,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,+CAA+C;IAC/C,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAA;IAChC,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAA;IAC9B,OAAO,EAAE,OAAO,CAAA;CACjB;AA+BD;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAkBvE;AAyBD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,YAAY,GAAG,gBAAgB,CAuFrE"}
+{"version":3,"file":"query.d.ts","sourceRoot":"","sources":["../../src/proxy/query.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAGH,OAAO,KAAK,EAAE,OAAO,EAAW,aAAa,EAAE,MAAM,gCAAgC,CAAA;AAErF,OAAO,EAAE,0BAA0B,EAAwB,MAAM,oBAAoB,CAAA;AAsBrF,MAAM,WAAW,YAAY;IAC3B,iEAAiE;IACjE,MAAM,EAAE,MAAM,GAAG,aAAa,CAAC,GAAG,CAAC,CAAA;IACnC,iCAAiC;IACjC,KAAK,EAAE,MAAM,CAAA;IACb,uEAAuE;IACvE,gBAAgB,EAAE,MAAM,CAAA;IACxB;;;;;OAKG;IACH,sBAAsB,CAAC,EAAE,MAAM,CAAA;IAC/B,yCAAyC;IACzC,aAAa,EAAE,MAAM,CAAA;IACrB,gCAAgC;IAChC,gBAAgB,EAAE,MAAM,CAAA;IACxB,0CAA0C;IAC1C,WAAW,EAAE,OAAO,CAAA;IACpB,0CAA0C;IAC1C,MAAM,EAAE,OAAO,CAAA;IACf,6DAA6D;IAC7D,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAC,CAAA;IAC9B,mEAAmE;IACnE,cAAc,CAAC,EAAE,UAAU,CAAC,OAAO,0BAA0B,CAAC,CAAA;IAC9D,wDAAwD;IACxD,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,CAAA;IAC5C,yDAAyD;IACzD,gBAAgB,EAAE,OAAO,CAAA;IACzB,0DAA0D;IAC1D,eAAe,CAAC,EAAE,MAAM,CAAA;IACxB,wCAAwC;IACxC,MAAM,EAAE,OAAO,CAAA;IACf,8CAA8C;IAC9C,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,kCAAkC;IAClC,QAAQ,CAAC,EAAE,GAAG,CAAA;IACd,iDAAiD;IACjD,YAAY,EAAE,SAAS,MAAM,EAAE,CAAA;IAC/B,+CAA+C;IAC/C,iBAAiB,EAAE,SAAS,MAAM,EAAE,CAAA;IACpC,uCAAuC;IACvC,aAAa,EAAE,MAAM,CAAA;IACrB,wCAAwC;IACxC,eAAe,EAAE,SAAS,MAAM,EAAE,CAAA;IAClC,kEAAkE;IAClE,QAAQ,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,IAAI,CAAA;IACjC,mEAAmE;IACnE,MAAM,CAAC,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,KAAK,CAAA;IAC1C,0EAA0E;IAC1E,QAAQ,CAAC,EAAE;QAAE,IAAI,EAAE,UAAU,CAAA;KAAE,GAAG;QAAE,IAAI,EAAE,SAAS,CAAC;QAAC,YAAY,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG;QAAE,IAAI,EAAE,UAAU,CAAA;KAAE,CAAA;IACnG,8EAA8E;IAC9E,UAAU,CAAC,EAAE;QAAE,KAAK,EAAE,MAAM,CAAA;KAAE,CAAA;IAC9B,8BAA8B;IAC9B,KAAK,CAAC,EAAE,MAAM,EAAE,CAAA;IAChB,yEAAyE;IACzE,cAAc,CAAC,EAAE,aAAa,EAAE,CAAA;IAChC,+CAA+C;IAC/C,gBAAgB,CAAC,EAAE,OAAO,CAAA;IAC1B,+CAA+C;IAC/C,kBAAkB,CAAC,EAAE,OAAO,CAAA;IAC5B,wDAAwD;IACxD,MAAM,CAAC,EAAE,OAAO,CAAA;IAChB,wDAAwD;IACxD,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,0DAA0D;IAC1D,YAAY,CAAC,EAAE,OAAO,CAAA;IACtB,kCAAkC;IAClC,YAAY,CAAC,EAAE,MAAM,CAAA;IACrB,wCAAwC;IACxC,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,+BAA+B;IAC/B,QAAQ,CAAC,EAAE,OAAO,CAAA;IAClB,+CAA+C;IAC/C,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAA;IAChC,yDAAyD;IACzD,YAAY,CAAC,EAAE,MAAM,CAAA;CACtB;AAED;;;;GAIG;AACH,MAAM,WAAW,gBAAgB;IAC/B,MAAM,EAAE,YAAY,CAAC,QAAQ,CAAC,CAAA;IAC9B,OAAO,EAAE,OAAO,CAAA;CACjB;AA+BD;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,MAAM,GAAG,MAAM,CAkBvE;AAyBD,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,YAAY,GAAG,gBAAgB,CAuFrE"}

package/dist/proxy/server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/proxy/server.ts"],"names":[],"mappings":"AAYA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AACtE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,CAAA;AAGvD,YAAY,EACV,SAAS,EACT,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,YAAY,EACZ,aAAa,EACb,WAAW,GACZ,MAAM,aAAa,CAAA;AAKpB,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AAgCnG,OAAO,EACL,kBAAkB,EAClB,WAAW,EACX,oBAAoB,EAEpB,KAAK,aAAa,EAGnB,MAAM,mBAAmB,CAAA;AAG1B,OAAO,EAA+B,iBAAiB,EAAE,mBAAmB,EAAsC,MAAM,iBAAiB,CAAA;AAGzI,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,oBAAoB,EAAE,CAAA;AAChE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,CAAA;AACjD,YAAY,EAAE,aAAa,EAAE,CAAA;AA+N7B,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,OAAO,CAAC,WAAW,CAAM,GAAG,WAAW,CA2gFhF;AAED,wBAAsB,gBAAgB,CAAC,MAAM,GAAE,OAAO,CAAC,WAAW,CAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAoEhG"}
+{"version":3,"file":"server.d.ts","sourceRoot":"","sources":["../../src/proxy/server.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,MAAM,SAAS,CAAA;AACtE,YAAY,EAAE,WAAW,EAAE,aAAa,EAAE,WAAW,EAAE,CAAA;AAGvD,YAAY,EACV,SAAS,EACT,cAAc,EACd,eAAe,EACf,gBAAgB,EAChB,cAAc,EACd,cAAc,EACd,iBAAiB,EACjB,YAAY,EACZ,aAAa,EACb,WAAW,GACZ,MAAM,aAAa,CAAA;AAKpB,OAAO,EAAE,gBAAgB,EAAE,cAAc,EAAE,aAAa,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAA;AAgCnG,OAAO,EACL,kBAAkB,EAClB,WAAW,EACX,oBAAoB,EAEpB,KAAK,aAAa,EAGnB,MAAM,mBAAmB,CAAA;AAG1B,OAAO,EAA+B,iBAAiB,EAAE,mBAAmB,EAAsC,MAAM,iBAAiB,CAAA;AAGzI,OAAO,EAAE,kBAAkB,EAAE,WAAW,EAAE,oBAAoB,EAAE,CAAA;AAChE,OAAO,EAAE,iBAAiB,EAAE,mBAAmB,EAAE,CAAA;AACjD,YAAY,EAAE,aAAa,EAAE,CAAA;AA+N7B,wBAAgB,iBAAiB,CAAC,MAAM,GAAE,OAAO,CAAC,WAAW,CAAM,GAAG,WAAW,CA6jFhF;AAED,wBAAsB,gBAAgB,CAAC,MAAM,GAAE,OAAO,CAAC,WAAW,CAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAmFhG"}

package/dist/proxy/tokenRefresh.d.ts

@@ -77,6 +77,47 @@ export declare function credentialsFilePathForProfile(claudeConfigDir?: string):
  * @param store  Override the credential store (for testing).
  */
 export declare function refreshOAuthToken(store?: CredentialStore): Promise<boolean>;
+/**
+ * Refresh the access token if it is within `bufferMs` of expiry.
+ *
+ * Cheap to call before every SDK request: when the token isn't due yet this
+ * is just one credential-store read. When it is due, the underlying
+ * `refreshOAuthToken()` call is in-flight-deduplicated so concurrent callers
+ * share one network round-trip.
+ *
+ * Returns true when the token is fresh after the call (already valid OR
+ * successfully refreshed), false on any failure (no credentials, no
+ * expiresAt, refresh request failed). False is non-fatal — the caller
+ * proceeds with whatever token is on disk and falls back to the reactive
+ * refresh-on-401 path if Anthropic rejects it.
+ */
+export declare function ensureFreshToken(store?: CredentialStore, bufferMs?: number): Promise<boolean>;
+/**
+ * Start a self-rescheduling timer that refreshes the access token shortly
+ * before each expiry — regardless of incoming traffic.
+ *
+ * Idempotent: a second call while one is already running is a no-op. Safe to
+ * call from any code path; returns synchronously and schedules in the
+ * background.
+ *
+ * Why traffic-independent matters: without this, an idle proxy never fires
+ * either the proactive (`ensureFreshToken`) or reactive (401-retry) refresh
+ * path. Anthropic's OAuth refresh tokens appear to be invalidated server-side
+ * after sitting unused for an extended period (observed 2026-05-03: two NAS
+ * instances idle past expiry both got `400 invalid_grant` on a manual refresh
+ * attempt; only fix was OAuth-flow re-login). Running a refresh every ~8h
+ * keeps the refresh chain warm.
+ *
+ * On `refreshOAuthToken()` failure (network, transient API error, refresh
+ * token rejected) we retry every `failureRetryMs` — gives operators a window
+ * to `claude login` and have the new tokens picked up automatically on the
+ * next tick.
+ */
+export declare function startBackgroundRefresh(store?: CredentialStore, bufferMs?: number, failureRetryMs?: number): void;
+/** Stop the background scheduler. Idempotent. */
+export declare function stopBackgroundRefresh(): void;
+/** For testing only. */
+export declare function isBackgroundRefreshActive(): boolean;
 /** Reset in-flight state — for testing only. */
 export declare function resetInflightRefresh(): void;
 export {};

package/dist/proxy/tokenRefresh.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"tokenRefresh.d.ts","sourceRoot":"","sources":["../../src/proxy/tokenRefresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAkBH;;;;;;;;GAQG;AACH,wBAAgB,0BAA0B,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,CAK1E;AAED,gEAAgE;AAChE,wBAAgB,0BAA0B,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,CAE1E;AAED,UAAU,gBAAgB;IACxB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,UAAU,eAAe;IACvB,aAAa,EAAE,gBAAgB,CAAA;IAC/B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB;AAMD,MAAM,WAAW,eAAe;IAC9B,IAAI,IAAI,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAA;IACvC,KAAK,CAAC,WAAW,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CACtD;AAED;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,eAAe,GAAG,MAAM,CAEzE;AAuGD;;;;;;;GAOG;AACH,wBAAgB,6BAA6B,CAAC,IAAI,CAAC,EAAE;IAAE,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,eAAe,CAQlG;AAED,uGAAuG;AACvG,wBAAgB,6BAA6B,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,MAAM,CAE9E;AASD;;;;;;;;;;GAUG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CAQjF;AAiED,gDAAgD;AAChD,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C"}
+{"version":3,"file":"tokenRefresh.d.ts","sourceRoot":"","sources":["../../src/proxy/tokenRefresh.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAkBH;;;;;;;;GAQG;AACH,wBAAgB,0BAA0B,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,CAK1E;AAED,gEAAgE;AAChE,wBAAgB,0BAA0B,CAAC,eAAe,EAAE,MAAM,GAAG,MAAM,CAE1E;AAED,UAAU,gBAAgB;IACxB,WAAW,EAAE,MAAM,CAAA;IACnB,YAAY,EAAE,MAAM,CAAA;IACpB,SAAS,EAAE,MAAM,CAAA;IACjB,MAAM,CAAC,EAAE,MAAM,EAAE,CAAA;IACjB,gBAAgB,CAAC,EAAE,MAAM,CAAA;IACzB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,UAAU,eAAe;IACvB,aAAa,EAAE,gBAAgB,CAAA;IAC/B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAA;CACvB;AAMD,MAAM,WAAW,eAAe;IAC9B,IAAI,IAAI,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC,CAAA;IACvC,KAAK,CAAC,WAAW,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CAAA;CACtD;AAED;;;;;;;;;GASG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,eAAe,GAAG,MAAM,CAEzE;AAuGD;;;;;;;GAOG;AACH,wBAAgB,6BAA6B,CAAC,IAAI,CAAC,EAAE;IAAE,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,GAAG,eAAe,CAQlG;AAED,uGAAuG;AACvG,wBAAgB,6BAA6B,CAAC,eAAe,CAAC,EAAE,MAAM,GAAG,MAAM,CAE9E;AASD;;;;;;;;;;GAUG;AACH,wBAAsB,iBAAiB,CAAC,KAAK,CAAC,EAAE,eAAe,GAAG,OAAO,CAAC,OAAO,CAAC,CAQjF;AAiED;;;;;;;;;;;;;GAaG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,CAAC,EAAE,eAAe,EACvB,QAAQ,SAAgB,GACvB,OAAO,CAAC,OAAO,CAAC,CAOlB;AAiBD;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,wBAAgB,sBAAsB,CACpC,KAAK,CAAC,EAAE,eAAe,EACvB,QAAQ,SAAgB,EACxB,cAAc,SAAgB,GAC7B,IAAI,CAKN;AAED,iDAAiD;AACjD,wBAAgB,qBAAqB,IAAI,IAAI,CAK5C;AA0DD,wBAAwB;AACxB,wBAAgB,yBAAyB,IAAI,OAAO,CAEnD;AAED,gDAAgD;AAChD,wBAAgB,oBAAoB,IAAI,IAAI,CAE3C"}

package/dist/server.js

@@ -10,13 +10,13 @@ import {
   runObserveHook,
   runTransformHook,
   startProxyServer
-} from "./cli-51a9sav0.js";
-import"./cli-vdp9s10c.js";
+} from "./cli-kvwnarfk.js";
+import"./cli-cx463q74.js";
 import"./cli-sry5aqdj.js";
 import"./cli-4rqtm83g.js";
 import"./cli-340h1chz.js";
 import"./cli-rtab0qa6.js";
-import"./cli-e289rj3k.js";
+import"./cli-7k1fcprd.js";
 import"./cli-p9swy5t3.js";
 export {
   startProxyServer,

package/dist/{tokenRefresh-psq94r54.js → tokenRefresh-swetnf89.js}

@@ -3,15 +3,23 @@ import {
   configDirToKeychainService,
   createPlatformCredentialStore,
   credentialsFilePathForProfile,
+  ensureFreshToken,
+  isBackgroundRefreshActive,
   refreshOAuthToken,
   resetInflightRefresh,
-  serializeCredentials
-} from "./cli-e289rj3k.js";
+  serializeCredentials,
+  startBackgroundRefresh,
+  stopBackgroundRefresh
+} from "./cli-7k1fcprd.js";
 import"./cli-p9swy5t3.js";
 export {
+  stopBackgroundRefresh,
+  startBackgroundRefresh,
   serializeCredentials,
   resetInflightRefresh,
   refreshOAuthToken,
+  isBackgroundRefreshActive,
+  ensureFreshToken,
   credentialsFilePathForProfile,
   createPlatformCredentialStore,
   configDirToKeychainService,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rynfar/meridian",
-  "version": "1.41.1",
+  "version": "1.42.0",
   "description": "Local Anthropic API powered by your Claude Max subscription. One subscription, every agent.",
   "type": "module",
   "main": "./dist/server.js",
@@ -25,7 +25,7 @@
     "postbuild": "node scripts/fix-bun-exports.mjs && node --check dist/cli.js && node --check dist/server.js && test -f dist/proxy/server.d.ts",
     "postinstall": "node ./node_modules/@anthropic-ai/claude-code/install.cjs 2>/dev/null || true",
     "prepublishOnly": "bun run build",
-    "test": "bun test --path-ignore-patterns '**/*session-store*' --path-ignore-patterns '**/*proxy-async-ops*' --path-ignore-patterns '**/*proxy-extra-usage-fallback*' --path-ignore-patterns '**/*models-auth-status*' --path-ignore-patterns '**/*proxy-context-usage-store*' --path-ignore-patterns '**/*proxy-passthrough-thinking*' --path-ignore-patterns '**/*profile-switch-integration*' --path-ignore-patterns '**/*session-recovery*' --path-ignore-patterns '**/*models.test*' --path-ignore-patterns '**/*proxy-health-degraded*' --path-ignore-patterns '**/*proxy-subagent-model-selection*' --path-ignore-patterns '**/*oauth-usage*' && bun test src/__tests__/profile-switch-integration.test.ts && bun test src/__tests__/proxy-extra-usage-fallback.test.ts && bun test src/__tests__/proxy-async-ops.test.ts && bun test src/__tests__/proxy-session-store.test.ts && bun test src/__tests__/session-store-pruning.test.ts && bun test src/__tests__/proxy-session-store-locking.test.ts && bun test src/__tests__/proxy-context-usage-store.test.ts && bun test src/__tests__/models-auth-status.test.ts && bun test src/__tests__/proxy-passthrough-thinking.test.ts && bun test src/__tests__/proxy-session-recovery.test.ts && bun test src/__tests__/models.test.ts && bun test src/__tests__/proxy-health-degraded.test.ts && bun test src/__tests__/proxy-subagent-model-selection.test.ts && bun test src/__tests__/oauth-usage.test.ts",
+    "test": "bun test --path-ignore-patterns '**/*session-store*' --path-ignore-patterns '**/*proxy-async-ops*' --path-ignore-patterns '**/*models-auth-status*' --path-ignore-patterns '**/*proxy-context-usage-store*' --path-ignore-patterns '**/*proxy-passthrough-thinking*' --path-ignore-patterns '**/*session-recovery*' --path-ignore-patterns '**/*models.test*' && bun test src/__tests__/proxy-async-ops.test.ts && bun test src/__tests__/proxy-session-store.test.ts && bun test src/__tests__/session-store-pruning.test.ts && bun test src/__tests__/proxy-session-store-locking.test.ts && bun test src/__tests__/proxy-context-usage-store.test.ts && bun test src/__tests__/models-auth-status.test.ts && bun test src/__tests__/proxy-passthrough-thinking.test.ts && bun test src/__tests__/proxy-session-recovery.test.ts && bun test src/__tests__/models.test.ts",
     "nix:lock": "bun2nix -o bun.nix",
     "typecheck": "tsc --noEmit",
     "proxy:direct": "bun run ./bin/cli.ts"