npm - @rynfar/meridian - Versions diffs - 1.41.1 → 1.42.1 - Mend

@rynfar/meridian 1.41.1 → 1.42.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/README.md +43 -4
package/dist/cli-3jqvrake.js +279 -0
package/dist/{cli-e289rj3k.js → cli-7k1fcprd.js} +64 -1
package/dist/{cli-51a9sav0.js → cli-8xzxm1cq.js} +115 -283
package/dist/{cli-vdp9s10c.js → cli-cx463q74.js} +8 -0
package/dist/cli.js +25 -12
package/dist/{profileCli-5f15dx7k.js → profileCli-c7cvkv5q.js} +129 -17
package/dist/{profiles-edzz1ffd.js → profiles-rdd84b45.js} +1 -1
package/dist/proxy/cwd.d.ts +42 -0
package/dist/proxy/cwd.d.ts.map +1 -0
package/dist/proxy/errors.d.ts +14 -4
package/dist/proxy/errors.d.ts.map +1 -1
package/dist/proxy/models.d.ts +57 -4
package/dist/proxy/models.d.ts.map +1 -1
package/dist/proxy/oauthUsage.d.ts +17 -7
package/dist/proxy/oauthUsage.d.ts.map +1 -1
package/dist/proxy/plugins/loader.d.ts.map +1 -1
package/dist/proxy/profiles.d.ts +12 -4
package/dist/proxy/profiles.d.ts.map +1 -1
package/dist/proxy/query.d.ts.map +1 -1
package/dist/proxy/server.d.ts.map +1 -1
package/dist/proxy/tokenRefresh.d.ts +41 -0
package/dist/proxy/tokenRefresh.d.ts.map +1 -1
package/dist/server.js +4 -3
package/dist/{tokenRefresh-psq94r54.js → tokenRefresh-swetnf89.js} +10 -2
package/package.json +2 -2

package/README.md CHANGED Viewed

@@ -239,6 +239,20 @@ meridian profile add work
 > **⚠ Important:** Claude's OAuth reuses your browser session. Before adding a second account, sign out of claude.ai and sign into the other account first.
+#### Headless / CI: register an OAuth token
+When a browser isn't available (containers, CI runners, remote shells), generate a long-lived OAuth token with `claude setup-token` and register it as a profile:
+```bash
+# Prompt for the token (input is hidden — paste the value from `claude setup-token`)
+meridian profile add ci --oauth-token
+# Or pass it inline
+meridian profile add ci --oauth-token sk-ant-oat01-...
+```
+OAuth-token profiles store the token in `profiles.json` and feed it to the SDK via `CLAUDE_CODE_OAUTH_TOKEN` — no Keychain entry, no browser handshake. To prevent the SDK's 401-recovery from silently falling back to the host's `~/.claude` credentials, OAuth-token profiles also pin `CLAUDE_CONFIG_DIR` to an isolated per-profile directory under `~/.config/meridian/profiles/<name>/`. That directory holds only SDK state (sessions, settings) — never `.credentials.json`, since the token is delivered through the env.
 ### Switching profiles
 ```bash
@@ -256,14 +270,15 @@ You can also switch profiles from the web UI at `http://127.0.0.1:3456/profiles`
 | Command | Description |
 |---------|-------------|
 | `meridian profile add <name>` | Add a profile and authenticate via browser |
+| `meridian profile add <name> --oauth-token [TOKEN]` | Add a headless profile from a `claude setup-token` value (prompts when `TOKEN` is omitted) |
 | `meridian profile list` | List profiles and auth status |
 | `meridian profile switch <name>` | Switch the active profile (requires running proxy) |
-| `meridian profile login <name>` | Re-authenticate an expired profile |
+| `meridian profile login <name>` | Re-authenticate an expired profile (browser-login profiles only) |
 | `meridian profile remove <name>` | Remove a profile and its credentials |
 ### How it works
-Each profile stores its credentials in an isolated `CLAUDE_CONFIG_DIR` under `~/.config/meridian/profiles/<name>/`. When a request arrives, Meridian resolves the profile in priority order:
+Each profile stores its credentials in an isolated `CLAUDE_CONFIG_DIR` under `~/.config/meridian/profiles/<name>/`. OAuth-token profiles use the same isolated directory layout — but the token itself lives in `~/.config/meridian/profiles.json` and is fed to the SDK via `CLAUDE_CODE_OAUTH_TOKEN`, so the per-profile dir holds only SDK state (sessions, settings) and never the credential. When a request arrives, Meridian resolves the profile in priority order:
 1. `x-meridian-profile` request header (per-request override)
 2. Active profile (set via `meridian profile switch` or the web UI)
@@ -276,11 +291,21 @@ Session state is scoped per profile — switching accounts won't cross-contamina
 For advanced setups (CI, Docker), profiles can also be provided via environment variable:
 ```bash
-export MERIDIAN_PROFILES='[{"id":"personal","claudeConfigDir":"/path/to/config1"},{"id":"work","claudeConfigDir":"/path/to/config2"}]'
+export MERIDIAN_PROFILES='[
+  {"id":"personal","claudeConfigDir":"/path/to/config1"},
+  {"id":"work","claudeConfigDir":"/path/to/config2"},
+  {"id":"ci","oauthToken":"sk-ant-oat01-..."}
+]'
 export MERIDIAN_DEFAULT_PROFILE=personal
 meridian
 ```
+Profile shapes:
+- `claudeConfigDir` — points at a `~/.claude`-style directory; uses Claude Max OAuth from that dir
+- `apiKey` (with optional `baseUrl`) — direct Anthropic API access; sets `ANTHROPIC_API_KEY` / `ANTHROPIC_BASE_URL`
+- `oauthToken` — long-lived token from `claude setup-token`; sets `CLAUDE_CODE_OAUTH_TOKEN`, no config dir needed
 When `MERIDIAN_PROFILES` is set, it takes precedence over disk-configured profiles. When unset, Meridian auto-discovers profiles from `~/.config/meridian/profiles.json` on each request.
 ## Agent Setup
@@ -710,9 +735,10 @@ export default {
 | `meridian` | Start the proxy server |
 | `meridian setup` | Configure the OpenCode plugin in `~/.config/opencode/opencode.json` |
 | `meridian profile add <name>` | Add a profile and authenticate via browser |
+| `meridian profile add <name> --oauth-token [TOKEN]` | Add a headless profile from a `claude setup-token` value (prompts when `TOKEN` is omitted) |
 | `meridian profile list` | List all profiles and their auth status |
 | `meridian profile switch <name>` | Switch the active profile (requires running proxy) |
-| `meridian profile login <name>` | Re-authenticate an expired profile |
+| `meridian profile login <name>` | Re-authenticate an expired profile (browser-login profiles only) |
 | `meridian profile remove <name>` | Remove a profile and its credentials |
 | `meridian refresh-token` | Manually refresh the Claude OAuth token (exits 0/1) |
@@ -767,6 +793,19 @@ docker run \
 Switch profiles at runtime via the `x-meridian-profile` header or `meridian profile switch` (see [Multi-Profile Support](#multi-profile-support)).
+### OAuth-token profiles in Docker (no volume mount)
+If you'd rather not mount a credential directory, generate a long-lived OAuth token on the host with `claude setup-token` and pass it as a profile. There's nothing to mount — the token alone is the credential:
+```bash
+docker run \
+  -e 'MERIDIAN_PROFILES=[{"id":"ci","oauthToken":"sk-ant-oat01-..."}]' \
+  -e MERIDIAN_DEFAULT_PROFILE=ci \
+  -p 3456:3456 meridian
+```
+This is the recommended path for CI runners, ephemeral containers, and cross-host deployments where browser-based login isn't reachable. Treat the token like any other secret — inject it via your platform's secret store rather than committing it to your image or compose file.
 ## Testing
 ```bash

package/dist/cli-3jqvrake.js ADDED Viewed

@@ -0,0 +1,279 @@
+// src/proxy/models.ts
+import { exec as execCallback, execFile as execFileCallback } from "child_process";
+import { existsSync, statSync } from "fs";
+import { fileURLToPath } from "url";
+import { join, dirname } from "path";
+import { promisify } from "util";
+var exec = promisify(execCallback);
+var execFile = promisify(execFileCallback);
+var STUB_SIZE_THRESHOLD = 4096;
+var CANONICAL_OPUS_MODEL = "claude-opus-4-7";
+var CANONICAL_SONNET_MODEL = "claude-sonnet-4-6";
+var CANONICAL_HAIKU_MODEL = "claude-haiku-4-5";
+function resolveSdkModelDefaults(env = process.env) {
+  return {
+    ANTHROPIC_DEFAULT_OPUS_MODEL: env.MERIDIAN_DEFAULT_OPUS_MODEL ?? CANONICAL_OPUS_MODEL,
+    ANTHROPIC_DEFAULT_SONNET_MODEL: env.MERIDIAN_DEFAULT_SONNET_MODEL ?? CANONICAL_SONNET_MODEL,
+    ANTHROPIC_DEFAULT_HAIKU_MODEL: env.MERIDIAN_DEFAULT_HAIKU_MODEL ?? CANONICAL_HAIKU_MODEL
+  };
+}
+var AUTH_STATUS_CACHE_TTL_MS = 60000;
+var AUTH_STATUS_FAILURE_TTL_MS = 5000;
+var cachedAuthStatus = null;
+var lastKnownGoodAuthStatus = null;
+var cachedAuthStatusAt = 0;
+var cachedAuthStatusIsFailure = false;
+var cachedAuthStatusPromise = null;
+function supports1mContext(model) {
+  if (model.includes("4-5") || model.includes("4.5"))
+    return false;
+  return true;
+}
+function mapModelToClaudeModel(model, subscriptionType, agentMode) {
+  if (model.includes("haiku"))
+    return "haiku";
+  const use1m = supports1mContext(model);
+  const isSubagent = agentMode === "subagent";
+  if (model.includes("opus")) {
+    if (use1m && !isSubagent && !isExtendedContextKnownUnavailable())
+      return "opus[1m]";
+    return "opus";
+  }
+  const sonnetOverride = process.env.MERIDIAN_SONNET_MODEL ?? process.env.CLAUDE_PROXY_SONNET_MODEL;
+  if (sonnetOverride === "sonnet[1m]") {
+    if (!use1m || isSubagent || isExtendedContextKnownUnavailable())
+      return "sonnet";
+    return "sonnet[1m]";
+  }
+  return "sonnet";
+}
+var EXTRA_USAGE_RETRY_MS = 60 * 60 * 1000;
+var extraUsageUnavailableAt = 0;
+function recordExtendedContextUnavailable() {
+  extraUsageUnavailableAt = Date.now();
+}
+function isExtendedContextKnownUnavailable() {
+  return extraUsageUnavailableAt > 0 && Date.now() - extraUsageUnavailableAt < EXTRA_USAGE_RETRY_MS;
+}
+function stripExtendedContext(model) {
+  if (model === "opus[1m]")
+    return "opus";
+  if (model === "sonnet[1m]")
+    return "sonnet";
+  return model;
+}
+function hasExtendedContext(model) {
+  return model.endsWith("[1m]");
+}
+var profileAuthCaches = new Map;
+function getAuthCacheInfo(profileId) {
+  if (!profileId) {
+    return { lastCheckedAt: cachedAuthStatusAt, lastSuccessAt: cachedAuthStatusIsFailure ? 0 : cachedAuthStatusAt, isFailure: cachedAuthStatusIsFailure };
+  }
+  const cache = profileAuthCaches.get(profileId);
+  if (!cache)
+    return { lastCheckedAt: 0, lastSuccessAt: 0, isFailure: false };
+  return { lastCheckedAt: cache.at, lastSuccessAt: cache.lastSuccessAt, isFailure: cache.isFailure };
+}
+function getAuthCache(key) {
+  let cache = profileAuthCaches.get(key);
+  if (!cache) {
+    cache = { status: null, lastKnownGood: null, at: 0, isFailure: false, promise: null, lastSuccessAt: 0 };
+    profileAuthCaches.set(key, cache);
+  }
+  return cache;
+}
+async function getClaudeAuthStatusAsync(profileId, envOverrides) {
+  const isDefault = !profileId;
+  const cache = isDefault ? null : getAuthCache(profileId);
+  const c_status = cache ? cache.status : cachedAuthStatus;
+  const c_lastKnownGood = cache ? cache.lastKnownGood : lastKnownGoodAuthStatus;
+  const c_at = cache ? cache.at : cachedAuthStatusAt;
+  const c_isFailure = cache ? cache.isFailure : cachedAuthStatusIsFailure;
+  let c_promise = cache ? cache.promise : cachedAuthStatusPromise;
+  const ttl = c_isFailure ? AUTH_STATUS_FAILURE_TTL_MS : AUTH_STATUS_CACHE_TTL_MS;
+  if (c_at > 0 && Date.now() - c_at < ttl) {
+    return c_status ?? c_lastKnownGood;
+  }
+  if (c_promise)
+    return c_promise;
+  c_promise = (async () => {
+    try {
+      const claudePath = await resolveClaudeExecutableAsync();
+      const { stdout } = await execFile(claudePath, ["auth", "status"], {
+        timeout: 5000,
+        ...envOverrides ? { env: { ...process.env, ...envOverrides } } : {}
+      });
+      const parsed = JSON.parse(stdout);
+      if (cache) {
+        cache.status = parsed;
+        cache.lastKnownGood = parsed;
+        cache.at = Date.now();
+        cache.isFailure = false;
+        cache.lastSuccessAt = Date.now();
+      } else {
+        cachedAuthStatus = parsed;
+        lastKnownGoodAuthStatus = parsed;
+        cachedAuthStatusAt = Date.now();
+        cachedAuthStatusIsFailure = false;
+      }
+      return parsed;
+    } catch {
+      if (cache) {
+        cache.isFailure = true;
+        cache.at = Date.now();
+        cache.status = null;
+        return cache.lastKnownGood;
+      } else {
+        cachedAuthStatusIsFailure = true;
+        cachedAuthStatusAt = Date.now();
+        cachedAuthStatus = null;
+        return lastKnownGoodAuthStatus;
+      }
+    }
+  })();
+  if (cache)
+    cache.promise = c_promise;
+  else
+    cachedAuthStatusPromise = c_promise;
+  try {
+    return await c_promise;
+  } finally {
+    if (cache)
+      cache.promise = null;
+    else
+      cachedAuthStatusPromise = null;
+  }
+}
+var cachedClaudeInfo = null;
+var cachedClaudePathPromise = null;
+var DEFAULT_DEPS = {
+  existsSync,
+  statSync: (p) => statSync(p),
+  exec,
+  resolvePackage: (specifier) => fileURLToPath(import.meta.resolve(specifier)),
+  envGet: (name) => process.env[name],
+  platform: process.platform,
+  arch: process.arch,
+  isBun: typeof process.versions.bun !== "undefined"
+};
+function tryEnvOverride(deps) {
+  const explicit = deps.envGet("MERIDIAN_CLAUDE_PATH");
+  if (!explicit)
+    return null;
+  return deps.existsSync(explicit) ? explicit : null;
+}
+function tryBundledBinary(deps) {
+  try {
+    const pkgPath = deps.resolvePackage("@anthropic-ai/claude-code/package.json");
+    const bundled = join(dirname(pkgPath), "bin", "claude.exe");
+    if (!deps.existsSync(bundled))
+      return null;
+    const size = deps.statSync(bundled).size;
+    if (size <= STUB_SIZE_THRESHOLD)
+      return null;
+    return bundled;
+  } catch {
+    return null;
+  }
+}
+function tryPlatformPackage(deps) {
+  const binName = deps.platform === "win32" ? "claude.exe" : "claude";
+  const candidates = [`@anthropic-ai/claude-code-${deps.platform}-${deps.arch}`];
+  if (deps.platform === "linux") {
+    candidates.push(`@anthropic-ai/claude-code-${deps.platform}-${deps.arch}-musl`);
+  }
+  for (const pkg of candidates) {
+    try {
+      const pkgJson = deps.resolvePackage(`${pkg}/package.json`);
+      const candidate = join(dirname(pkgJson), binName);
+      if (deps.existsSync(candidate))
+        return candidate;
+    } catch {}
+  }
+  return null;
+}
+async function tryPathLookup(deps) {
+  const cmd = deps.platform === "win32" ? "where claude" : "which claude";
+  try {
+    const { stdout } = await deps.exec(cmd);
+    const candidates = stdout.split(/\r?\n/).map((s) => s.trim()).filter(Boolean);
+    for (const candidate of candidates) {
+      if (deps.platform === "win32" && candidate.startsWith("/"))
+        continue;
+      if (deps.existsSync(candidate))
+        return candidate;
+    }
+  } catch {}
+  return null;
+}
+function tryLegacySdkCliJs(deps) {
+  if (!deps.isBun)
+    return null;
+  try {
+    const sdkPath = deps.resolvePackage("@anthropic-ai/claude-agent-sdk");
+    const cliJs = join(dirname(sdkPath), "cli.js");
+    return deps.existsSync(cliJs) ? cliJs : null;
+  } catch {
+    return null;
+  }
+}
+async function resolveClaudeExecutableWithSource(deps = DEFAULT_DEPS) {
+  const env = tryEnvOverride(deps);
+  if (env)
+    return { path: env, source: "env" };
+  const bundled = tryBundledBinary(deps);
+  if (bundled)
+    return { path: bundled, source: "bundled" };
+  const platformPkg = tryPlatformPackage(deps);
+  if (platformPkg)
+    return { path: platformPkg, source: "platform-package" };
+  const pathLookup = await tryPathLookup(deps);
+  if (pathLookup)
+    return { path: pathLookup, source: "path-lookup" };
+  const legacy = tryLegacySdkCliJs(deps);
+  if (legacy)
+    return { path: legacy, source: "legacy-cli-js" };
+  return null;
+}
+function resolveClaudeExecutableSync(deps = DEFAULT_DEPS) {
+  const env = tryEnvOverride(deps);
+  if (env)
+    return { path: env, source: "env" };
+  const bundled = tryBundledBinary(deps);
+  if (bundled)
+    return { path: bundled, source: "bundled" };
+  const platformPkg = tryPlatformPackage(deps);
+  if (platformPkg)
+    return { path: platformPkg, source: "platform-package" };
+  return null;
+}
+function getResolvedClaudeExecutableInfo() {
+  return cachedClaudeInfo;
+}
+async function resolveClaudeExecutableAsync() {
+  if (cachedClaudeInfo)
+    return cachedClaudeInfo.path;
+  if (cachedClaudePathPromise)
+    return cachedClaudePathPromise;
+  cachedClaudePathPromise = (async () => {
+    const resolved = await resolveClaudeExecutableWithSource();
+    if (resolved) {
+      cachedClaudeInfo = resolved;
+      return resolved.path;
+    }
+    throw new Error("Could not find Claude Code executable. Install via: npm install -g @anthropic-ai/claude-code, " + "or set MERIDIAN_CLAUDE_PATH=/path/to/claude to point at an existing binary.");
+  })();
+  try {
+    return await cachedClaudePathPromise;
+  } finally {
+    cachedClaudePathPromise = null;
+  }
+}
+function isClosedControllerError(error) {
+  if (!(error instanceof Error))
+    return false;
+  return error.message.includes("Controller is already closed");
+}
+export { resolveSdkModelDefaults, mapModelToClaudeModel, recordExtendedContextUnavailable, stripExtendedContext, hasExtendedContext, getAuthCacheInfo, getClaudeAuthStatusAsync, resolveClaudeExecutableSync, getResolvedClaudeExecutableInfo, resolveClaudeExecutableAsync, isClosedControllerError };

package/dist/{cli-e289rj3k.js → cli-7k1fcprd.js} RENAMED Viewed

@@ -229,8 +229,71 @@ async function doRefresh(store) {
   claudeLog("token_refresh.success", { expiresAt });
   return true;
 }
+async function ensureFreshToken(store, bufferMs = 5 * 60 * 1000) {
+  const s = store ?? createPlatformCredentialStore();
+  const credentials = await s.read();
+  const expiresAt = credentials?.claudeAiOauth?.expiresAt;
+  if (!expiresAt)
+    return false;
+  if (expiresAt - Date.now() > bufferMs)
+    return true;
+  return refreshOAuthToken(s);
+}
+var scheduledRefreshTimer = null;
+var scheduledRefreshActive = false;
+var scheduledRefreshGeneration = 0;
+function startBackgroundRefresh(store, bufferMs = 5 * 60 * 1000, failureRetryMs = 5 * 60 * 1000) {
+  if (scheduledRefreshActive)
+    return;
+  scheduledRefreshActive = true;
+  const gen = ++scheduledRefreshGeneration;
+  scheduleNext(store ?? createPlatformCredentialStore(), bufferMs, failureRetryMs, gen);
+}
+function stopBackgroundRefresh() {
+  scheduledRefreshActive = false;
+  scheduledRefreshGeneration++;
+  if (scheduledRefreshTimer)
+    clearTimeout(scheduledRefreshTimer);
+  scheduledRefreshTimer = null;
+}
+async function scheduleNext(store, bufferMs, failureRetryMs, gen) {
+  if (!scheduledRefreshActive || gen !== scheduledRefreshGeneration)
+    return;
+  const credentials = await store.read().catch(() => null);
+  if (!scheduledRefreshActive || gen !== scheduledRefreshGeneration)
+    return;
+  const expiresAt = credentials?.claudeAiOauth?.expiresAt;
+  if (!expiresAt) {
+    armTimer(failureRetryMs, store, bufferMs, failureRetryMs, gen);
+    return;
+  }
+  const dueIn = expiresAt - Date.now() - bufferMs;
+  if (dueIn <= 0) {
+    const ok = await refreshOAuthToken(store);
+    if (!scheduledRefreshActive || gen !== scheduledRefreshGeneration)
+      return;
+    claudeLog("token_refresh.scheduled", { ok, immediate: true });
+    console.error(`[token_refresh] scheduled refresh (immediate) ok=${ok}`);
+    armTimer(ok ? 0 : failureRetryMs, store, bufferMs, failureRetryMs, gen);
+    return;
+  }
+  armTimer(dueIn, store, bufferMs, failureRetryMs, gen);
+}
+function armTimer(delayMs, store, bufferMs, failureRetryMs, gen) {
+  scheduledRefreshTimer = setTimeout(async () => {
+    if (!scheduledRefreshActive || gen !== scheduledRefreshGeneration)
+      return;
+    scheduleNext(store, bufferMs, failureRetryMs, gen);
+  }, delayMs);
+  if (scheduledRefreshTimer && scheduledRefreshTimer.unref) {
+    scheduledRefreshTimer.unref();
+  }
+}
+function isBackgroundRefreshActive() {
+  return scheduledRefreshActive;
+}
 function resetInflightRefresh() {
   inflightRefresh = null;
 }
-export { withClaudeLogContext, claudeLog, configDirToKeychainService, configDirToCredentialsFile, serializeCredentials, createPlatformCredentialStore, credentialsFilePathForProfile, refreshOAuthToken, resetInflightRefresh };
+export { withClaudeLogContext, claudeLog, configDirToKeychainService, configDirToCredentialsFile, serializeCredentials, createPlatformCredentialStore, credentialsFilePathForProfile, refreshOAuthToken, ensureFreshToken, startBackgroundRefresh, stopBackgroundRefresh, isBackgroundRefreshActive, resetInflightRefresh };