@rynfar/meridian 1.41.1 → 1.42.1

package/dist/{cli-51a9sav0.js → cli-8xzxm1cq.js}

@@ -5,7 +5,7 @@ import {
   resolveProfile,
   restoreActiveProfile,
   setActiveProfile
-} from "./cli-vdp9s10c.js";
+} from "./cli-cx463q74.js";
 import {
   isTrackedPlugin,
   recordError,
@@ -20,15 +20,30 @@ import {
   profileBarJs,
   themeCss
 } from "./cli-4rqtm83g.js";
+import {
+  getAuthCacheInfo,
+  getClaudeAuthStatusAsync,
+  getResolvedClaudeExecutableInfo,
+  hasExtendedContext,
+  isClosedControllerError,
+  mapModelToClaudeModel,
+  recordExtendedContextUnavailable,
+  resolveClaudeExecutableAsync,
+  resolveSdkModelDefaults,
+  stripExtendedContext
+} from "./cli-3jqvrake.js";
 import {
   checkPluginConfigured
 } from "./cli-rtab0qa6.js";
 import {
   claudeLog,
   createPlatformCredentialStore,
+  ensureFreshToken,
   refreshOAuthToken,
+  startBackgroundRefresh,
+  stopBackgroundRefresh,
   withClaudeLogContext
-} from "./cli-e289rj3k.js";
+} from "./cli-7k1fcprd.js";
 import {
   __commonJS,
   __esm,
@@ -1179,13 +1194,13 @@ __export(exports_sdkFeatures, {
   getAllFeatureConfigs: () => getAllFeatureConfigs
 });
 import { existsSync as existsSync5, mkdirSync as mkdirSync2, readFileSync as readFileSync4, writeFileSync as writeFileSync2, renameSync as renameSync2 } from "node:fs";
-import { join as join5 } from "node:path";
+import { join as join4 } from "node:path";
 import { homedir as homedir3 } from "node:os";
 function getConfigPath() {
-  const dir = join5(homedir3(), ".config", "meridian");
+  const dir = join4(homedir3(), ".config", "meridian");
   if (!existsSync5(dir))
     mkdirSync2(dir, { recursive: true });
-  return join5(dir, "sdk-features.json");
+  return join4(dir, "sdk-features.json");
 }
 function readConfig() {
   const now = Date.now();
@@ -3708,7 +3723,7 @@ var serve = (options, listeningListener) => {
 
 // src/proxy/server.ts
 import { homedir as homedir4 } from "node:os";
-import { join as join6 } from "node:path";
+import { join as join5 } from "node:path";
 import { query } from "@anthropic-ai/claude-agent-sdk";
 
 // src/proxy/rateLimitStore.ts
@@ -3788,8 +3803,8 @@ async function readAccessToken(store) {
   const creds = await store.read();
   return creds?.claudeAiOauth?.accessToken ?? null;
 }
-async function callAnthropic(token, signal) {
-  const res = await fetch(OAUTH_USAGE_URL, {
+async function callAnthropic(token, fetchImpl, signal) {
+  const res = await fetchImpl(OAUTH_USAGE_URL, {
     headers: {
       Authorization: `Bearer ${token}`,
       "anthropic-beta": OAUTH_BETA_HEADER,
@@ -3801,9 +3816,17 @@ async function callAnthropic(token, signal) {
     return { __status: res.status };
   return await res.json();
 }
+var _testOverride = null;
 async function fetchOAuthUsage(opts) {
+  if (_testOverride && !opts?.fetchImpl && !opts?.store) {
+    return _testOverride(opts);
+  }
+  return fetchOAuthUsageImpl(opts);
+}
+async function fetchOAuthUsageImpl(opts) {
   const ttl = opts?.ttlMs ?? CACHE_TTL_MS_DEFAULT;
   const cacheKey2 = opts?.profileId ?? DEFAULT_KEY;
+  const fetchImpl = opts?.fetchImpl ?? globalThis.fetch;
   if (!opts?.force) {
     const cached = cacheByProfile.get(cacheKey2);
     if (cached && Date.now() - cached.fetchedAt < ttl)
@@ -3818,7 +3841,7 @@ async function fetchOAuthUsage(opts) {
       const token = await readAccessToken(store);
       if (!token)
         return null;
-      let result = await callAnthropic(token);
+      let result = await callAnthropic(token, fetchImpl);
       if ("__status" in result && result.__status === 401) {
         claudeLog("oauth_usage.token_refresh_attempt", { profile: cacheKey2 });
         const refreshed = await refreshOAuthToken(store);
@@ -3829,7 +3852,7 @@ async function fetchOAuthUsage(opts) {
         const newToken = await readAccessToken(store);
         if (!newToken)
           return null;
-        result = await callAnthropic(newToken);
+        result = await callAnthropic(newToken, fetchImpl);
       }
       if ("__status" in result) {
         claudeLog("oauth_usage.upstream_error", { profile: cacheKey2, status: result.__status });
@@ -3849,6 +3872,17 @@ async function fetchOAuthUsage(opts) {
   return promise;
 }
 
+// src/proxy/cwd.ts
+import { existsSync } from "node:fs";
+function resolveSdkWorkingDirectory(opts) {
+  const exists = opts.exists ?? existsSync;
+  const claimed = opts.envOverride || opts.adapterCwd || opts.fallback;
+  if (exists(claimed)) {
+    return { workingDirectory: claimed, claimedWorkingDirectory: claimed, fellBack: false };
+  }
+  return { workingDirectory: opts.fallback, claimedWorkingDirectory: claimed, fellBack: true };
+}
+
 // src/proxy/types.ts
 var DEFAULT_PROXY_CONFIG = {
   port: 3456,
@@ -3945,8 +3979,8 @@ function createRequestContext(params) {
   };
 }
 // src/proxy/server.ts
-import { exec as execCallback2 } from "child_process";
-import { promisify as promisify3 } from "util";
+import { exec as execCallback } from "child_process";
+import { promisify as promisify2 } from "util";
 import { randomUUID } from "crypto";
 
 // src/proxy/passthroughTools.ts
@@ -8447,7 +8481,7 @@ class MemoryDiagnosticLogStore {
 }
 var diagnosticLog = new MemoryDiagnosticLogStore;
 // src/telemetry/routes.ts
-import { existsSync, readFileSync } from "node:fs";
+import { existsSync as existsSync2, readFileSync } from "node:fs";
 import { resolve, dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 
@@ -8801,7 +8835,7 @@ timer = setInterval(refresh, 5000);
 
 // src/telemetry/routes.ts
 var _iconPath = resolve(dirname(fileURLToPath(import.meta.url)), "..", "..", "assets", "icon.svg");
-var _iconSvg = existsSync(_iconPath) ? readFileSync(_iconPath, "utf-8") : null;
+var _iconSvg = existsSync2(_iconPath) ? readFileSync(_iconPath, "utf-8") : null;
 function createTelemetryRoutes() {
   const routes = new Hono2;
   routes.get("/", (c) => {
@@ -9139,7 +9173,13 @@ function classifyError(errMsg) {
 }
 function isExpiredTokenError(errMsg) {
   const lower = errMsg.toLowerCase();
-  return lower.includes("oauth token has expired") || lower.includes("not logged in");
+  if (lower.includes("oauth token has expired") || lower.includes("not logged in"))
+    return true;
+  if (lower.includes("invalid_token") || lower.includes("token_expired"))
+    return true;
+  if (lower.includes("401") && (lower.includes("authentication") || lower.includes("unauthorized") || lower.includes("invalid")))
+    return true;
+  return false;
 }
 function isStaleSessionError(error) {
   if (!(error instanceof Error))
@@ -9232,252 +9272,6 @@ function formatSdkTermination(t, ctx) {
   return `sdk_termination ${parts.join(" ")}`;
 }
 
-// src/proxy/models.ts
-import { exec as execCallback } from "child_process";
-import { existsSync as existsSync2, statSync } from "fs";
-import { fileURLToPath as fileURLToPath2 } from "url";
-import { join as join2, dirname as dirname2 } from "path";
-import { promisify } from "util";
-var exec = promisify(execCallback);
-var STUB_SIZE_THRESHOLD = 4096;
-var CANONICAL_OPUS_MODEL = "claude-opus-4-7";
-var CANONICAL_SONNET_MODEL = "claude-sonnet-4-6";
-var CANONICAL_HAIKU_MODEL = "claude-haiku-4-5";
-function resolveSdkModelDefaults() {
-  return {
-    ANTHROPIC_DEFAULT_OPUS_MODEL: process.env.MERIDIAN_DEFAULT_OPUS_MODEL ?? CANONICAL_OPUS_MODEL,
-    ANTHROPIC_DEFAULT_SONNET_MODEL: process.env.MERIDIAN_DEFAULT_SONNET_MODEL ?? CANONICAL_SONNET_MODEL,
-    ANTHROPIC_DEFAULT_HAIKU_MODEL: process.env.MERIDIAN_DEFAULT_HAIKU_MODEL ?? CANONICAL_HAIKU_MODEL
-  };
-}
-var AUTH_STATUS_CACHE_TTL_MS = 60000;
-var AUTH_STATUS_FAILURE_TTL_MS = 5000;
-var cachedAuthStatus = null;
-var lastKnownGoodAuthStatus = null;
-var cachedAuthStatusAt = 0;
-var cachedAuthStatusIsFailure = false;
-var cachedAuthStatusPromise = null;
-function supports1mContext(model) {
-  if (model.includes("4-5") || model.includes("4.5"))
-    return false;
-  return true;
-}
-function mapModelToClaudeModel(model, subscriptionType, agentMode) {
-  if (model.includes("haiku"))
-    return "haiku";
-  const use1m = supports1mContext(model);
-  const isSubagent = agentMode === "subagent";
-  if (model.includes("opus")) {
-    if (use1m && !isSubagent && !isExtendedContextKnownUnavailable())
-      return "opus[1m]";
-    return "opus";
-  }
-  const sonnetOverride = process.env.MERIDIAN_SONNET_MODEL ?? process.env.CLAUDE_PROXY_SONNET_MODEL;
-  if (sonnetOverride === "sonnet[1m]") {
-    if (!use1m || isSubagent || isExtendedContextKnownUnavailable())
-      return "sonnet";
-    return "sonnet[1m]";
-  }
-  return "sonnet";
-}
-var EXTRA_USAGE_RETRY_MS = 60 * 60 * 1000;
-var extraUsageUnavailableAt = 0;
-function recordExtendedContextUnavailable() {
-  extraUsageUnavailableAt = Date.now();
-}
-function isExtendedContextKnownUnavailable() {
-  return extraUsageUnavailableAt > 0 && Date.now() - extraUsageUnavailableAt < EXTRA_USAGE_RETRY_MS;
-}
-function stripExtendedContext(model) {
-  if (model === "opus[1m]")
-    return "opus";
-  if (model === "sonnet[1m]")
-    return "sonnet";
-  return model;
-}
-function hasExtendedContext(model) {
-  return model.endsWith("[1m]");
-}
-var profileAuthCaches = new Map;
-function getAuthCacheInfo(profileId) {
-  if (!profileId) {
-    return { lastCheckedAt: cachedAuthStatusAt, lastSuccessAt: cachedAuthStatusIsFailure ? 0 : cachedAuthStatusAt, isFailure: cachedAuthStatusIsFailure };
-  }
-  const cache = profileAuthCaches.get(profileId);
-  if (!cache)
-    return { lastCheckedAt: 0, lastSuccessAt: 0, isFailure: false };
-  return { lastCheckedAt: cache.at, lastSuccessAt: cache.lastSuccessAt, isFailure: cache.isFailure };
-}
-function getAuthCache(key) {
-  let cache = profileAuthCaches.get(key);
-  if (!cache) {
-    cache = { status: null, lastKnownGood: null, at: 0, isFailure: false, promise: null, lastSuccessAt: 0 };
-    profileAuthCaches.set(key, cache);
-  }
-  return cache;
-}
-async function getClaudeAuthStatusAsync(profileId, envOverrides) {
-  const isDefault = !profileId;
-  const cache = isDefault ? null : getAuthCache(profileId);
-  const c_status = cache ? cache.status : cachedAuthStatus;
-  const c_lastKnownGood = cache ? cache.lastKnownGood : lastKnownGoodAuthStatus;
-  const c_at = cache ? cache.at : cachedAuthStatusAt;
-  const c_isFailure = cache ? cache.isFailure : cachedAuthStatusIsFailure;
-  let c_promise = cache ? cache.promise : cachedAuthStatusPromise;
-  const ttl = c_isFailure ? AUTH_STATUS_FAILURE_TTL_MS : AUTH_STATUS_CACHE_TTL_MS;
-  if (c_at > 0 && Date.now() - c_at < ttl) {
-    return c_status ?? c_lastKnownGood;
-  }
-  if (c_promise)
-    return c_promise;
-  c_promise = (async () => {
-    try {
-      const { stdout } = await exec("claude auth status", {
-        timeout: 5000,
-        ...envOverrides ? { env: { ...process.env, ...envOverrides } } : {}
-      });
-      const parsed = JSON.parse(stdout);
-      if (cache) {
-        cache.status = parsed;
-        cache.lastKnownGood = parsed;
-        cache.at = Date.now();
-        cache.isFailure = false;
-        cache.lastSuccessAt = Date.now();
-      } else {
-        cachedAuthStatus = parsed;
-        lastKnownGoodAuthStatus = parsed;
-        cachedAuthStatusAt = Date.now();
-        cachedAuthStatusIsFailure = false;
-      }
-      return parsed;
-    } catch {
-      if (cache) {
-        cache.isFailure = true;
-        cache.at = Date.now();
-        cache.status = null;
-        return cache.lastKnownGood;
-      } else {
-        cachedAuthStatusIsFailure = true;
-        cachedAuthStatusAt = Date.now();
-        cachedAuthStatus = null;
-        return lastKnownGoodAuthStatus;
-      }
-    }
-  })();
-  if (cache)
-    cache.promise = c_promise;
-  else
-    cachedAuthStatusPromise = c_promise;
-  try {
-    return await c_promise;
-  } finally {
-    if (cache)
-      cache.promise = null;
-    else
-      cachedAuthStatusPromise = null;
-  }
-}
-var cachedClaudePath = null;
-var cachedClaudePathPromise = null;
-var DEFAULT_DEPS = {
-  existsSync: existsSync2,
-  statSync: (p) => statSync(p),
-  exec,
-  resolvePackage: (specifier) => fileURLToPath2(import.meta.resolve(specifier)),
-  envGet: (name) => process.env[name],
-  platform: process.platform,
-  arch: process.arch,
-  isBun: typeof process.versions.bun !== "undefined"
-};
-function tryEnvOverride(deps) {
-  const explicit = deps.envGet("MERIDIAN_CLAUDE_PATH");
-  if (!explicit)
-    return null;
-  return deps.existsSync(explicit) ? explicit : null;
-}
-function tryBundledBinary(deps) {
-  try {
-    const pkgPath = deps.resolvePackage("@anthropic-ai/claude-code/package.json");
-    const bundled = join2(dirname2(pkgPath), "bin", "claude.exe");
-    if (!deps.existsSync(bundled))
-      return null;
-    const size = deps.statSync(bundled).size;
-    if (size <= STUB_SIZE_THRESHOLD)
-      return null;
-    return bundled;
-  } catch {
-    return null;
-  }
-}
-function tryPlatformPackage(deps) {
-  const binName = deps.platform === "win32" ? "claude.exe" : "claude";
-  const candidates = [`@anthropic-ai/claude-code-${deps.platform}-${deps.arch}`];
-  if (deps.platform === "linux") {
-    candidates.push(`@anthropic-ai/claude-code-${deps.platform}-${deps.arch}-musl`);
-  }
-  for (const pkg of candidates) {
-    try {
-      const pkgJson = deps.resolvePackage(`${pkg}/package.json`);
-      const candidate = join2(dirname2(pkgJson), binName);
-      if (deps.existsSync(candidate))
-        return candidate;
-    } catch {}
-  }
-  return null;
-}
-async function tryPathLookup(deps) {
-  const cmd = deps.platform === "win32" ? "where claude" : "which claude";
-  try {
-    const { stdout } = await deps.exec(cmd);
-    const candidates = stdout.split(/\r?\n/).map((s) => s.trim()).filter(Boolean);
-    for (const candidate of candidates) {
-      if (deps.platform === "win32" && candidate.startsWith("/"))
-        continue;
-      if (deps.existsSync(candidate))
-        return candidate;
-    }
-  } catch {}
-  return null;
-}
-function tryLegacySdkCliJs(deps) {
-  if (!deps.isBun)
-    return null;
-  try {
-    const sdkPath = deps.resolvePackage("@anthropic-ai/claude-agent-sdk");
-    const cliJs = join2(dirname2(sdkPath), "cli.js");
-    return deps.existsSync(cliJs) ? cliJs : null;
-  } catch {
-    return null;
-  }
-}
-async function resolveClaudeExecutable(deps = DEFAULT_DEPS) {
-  return tryEnvOverride(deps) ?? tryBundledBinary(deps) ?? tryPlatformPackage(deps) ?? await tryPathLookup(deps) ?? tryLegacySdkCliJs(deps);
-}
-async function resolveClaudeExecutableAsync() {
-  if (cachedClaudePath)
-    return cachedClaudePath;
-  if (cachedClaudePathPromise)
-    return cachedClaudePathPromise;
-  cachedClaudePathPromise = (async () => {
-    const resolved = await resolveClaudeExecutable();
-    if (resolved) {
-      cachedClaudePath = resolved;
-      return resolved;
-    }
-    throw new Error("Could not find Claude Code executable. Install via: npm install -g @anthropic-ai/claude-code, " + "or set MERIDIAN_CLAUDE_PATH=/path/to/claude to point at an existing binary.");
-  })();
-  try {
-    return await cachedClaudePathPromise;
-  } finally {
-    cachedClaudePathPromise = null;
-  }
-}
-function isClosedControllerError(error) {
-  if (!(error instanceof Error))
-    return false;
-  return error.message.includes("Controller is already closed");
-}
-
 // src/proxy/openai.ts
 function extractOpenAiContent(content) {
   if (typeof content === "string")
@@ -10995,8 +10789,8 @@ function detectAdapter(c) {
 import { createSdkMcpServer as createSdkMcpServer2, tool } from "@anthropic-ai/claude-agent-sdk";
 import * as fs from "node:fs/promises";
 import * as path2 from "node:path";
-import { exec as exec2 } from "node:child_process";
-import { promisify as promisify2 } from "node:util";
+import { exec } from "node:child_process";
+import { promisify } from "node:util";
 
 // node_modules/@isaacs/balanced-match/dist/esm/index.js
 var balanced = (a, b, str) => {
@@ -12433,7 +12227,7 @@ minimatch.escape = escape;
 minimatch.unescape = unescape;
 
 // node_modules/glob/dist/esm/glob.js
-import { fileURLToPath as fileURLToPath4 } from "node:url";
+import { fileURLToPath as fileURLToPath3 } from "node:url";
 
 // node_modules/lru-cache/dist/esm/index.js
 var defaultPerf = typeof performance === "object" && performance && typeof performance.now === "function" ? performance : Date;
@@ -13596,7 +13390,7 @@ class LRUCache {
 
 // node_modules/path-scurry/dist/esm/index.js
 import { posix, win32 } from "node:path";
-import { fileURLToPath as fileURLToPath3 } from "node:url";
+import { fileURLToPath as fileURLToPath2 } from "node:url";
 import { lstatSync, readdir as readdirCB, readdirSync, readlinkSync, realpathSync as rps } from "fs";
 import * as actualFS from "node:fs";
 import { lstat, readdir, readlink, realpath } from "node:fs/promises";
@@ -15051,7 +14845,7 @@ class PathScurryBase {
   constructor(cwd = process.cwd(), pathImpl, sep2, { nocase, childrenCacheSize = 16 * 1024, fs = defaultFS } = {}) {
     this.#fs = fsFromOption(fs);
     if (cwd instanceof URL || cwd.startsWith("file://")) {
-      cwd = fileURLToPath3(cwd);
+      cwd = fileURLToPath2(cwd);
     }
     const cwdPath = pathImpl.resolve(cwd);
     this.roots = Object.create(null);
@@ -16355,7 +16149,7 @@ class Glob {
     if (!opts.cwd) {
       this.cwd = "";
     } else if (opts.cwd instanceof URL || opts.cwd.startsWith("file://")) {
-      opts.cwd = fileURLToPath4(opts.cwd);
+      opts.cwd = fileURLToPath3(opts.cwd);
     }
     this.cwd = opts.cwd || "";
     this.root = opts.root;
@@ -16546,7 +16340,7 @@ var glob = Object.assign(glob_, {
 glob.glob = glob;
 
 // src/mcpTools.ts
-var execAsync = promisify2(exec2);
+var execAsync = promisify(exec);
 var getCwd = () => process.env.MERIDIAN_WORKDIR ?? process.env.CLAUDE_PROXY_WORKDIR ?? process.cwd();
 function createOpencodeMcpServer() {
   return createSdkMcpServer2({
@@ -16686,6 +16480,8 @@ function createOpencodeMcpServer() {
 function stripConfigDir(env2) {
   if (!("CLAUDE_CONFIG_DIR" in env2))
     return env2;
+  if (env2.CLAUDE_CODE_OAUTH_TOKEN)
+    return env2;
   const out = { ...env2 };
   delete out.CLAUDE_CONFIG_DIR;
   return out;
@@ -16719,6 +16515,8 @@ function resolveSystemPrompt(systemContext, passthrough, settingSources, codeSys
   }
   if (append)
     return { systemPrompt: append };
+  if (codeSystemPrompt === false)
+    return { systemPrompt: "" };
   return {};
 }
 function buildQueryOptions(ctx) {
@@ -16774,6 +16572,8 @@ function buildQueryOptions(ctx) {
       allowDangerouslySkipPermissions: true,
       ...resolveSystemPrompt(systemContext, passthrough, settingSources, codeSystemPrompt, clientSystemPrompt, cwdNote),
       ...passthrough ? {
+        tools: [],
+        settingSources: [],
         disallowedTools: [...allBlockedTools],
         ...passthroughMcp ? {
           allowedTools: [...passthroughMcp.toolNames],
@@ -16831,7 +16631,8 @@ function getAdapterTransforms(adapterName) {
 
 // src/proxy/plugins/loader.ts
 import { readdirSync as readdirSync2, readFileSync as readFileSync2, existsSync as existsSync3 } from "fs";
-import { join as join3, isAbsolute as isAbsolute2, extname } from "path";
+import { join as join2, isAbsolute as isAbsolute2, extname } from "path";
+import { pathToFileURL } from "url";
 
 // src/proxy/plugins/validation.ts
 var KNOWN_ADAPTERS = ["opencode", "crush", "droid", "pi", "forgecode", "passthrough"];
@@ -16915,7 +16716,7 @@ async function loadPlugins(pluginDir, configPath) {
   const loaded = [];
   const seenNames = new Set;
   for (const { filename, entry } of ordered) {
-    const filePath = isAbsolute2(filename) ? filename : join3(pluginDir, filename);
+    const filePath = isAbsolute2(filename) ? filename : join2(pluginDir, filename);
     if (entry && !entry.enabled) {
       loaded.push({
         name: filename,
@@ -16928,7 +16729,8 @@ async function loadPlugins(pluginDir, configPath) {
     }
     try {
       const cacheBuster = `?t=${Date.now()}-${++loadCounter}`;
-      const mod = await import(filePath + cacheBuster);
+      const specifier = process.platform === "win32" ? pathToFileURL(filePath).href + cacheBuster : filePath + cacheBuster;
+      const mod = await import(specifier);
       const exported = mod.default ?? mod;
       const transforms = Array.isArray(exported) ? exported : [exported];
       for (const item of transforms) {
@@ -17291,12 +17093,12 @@ import {
   openSync,
   readFileSync as readFileSync3,
   renameSync,
-  statSync as statSync2,
+  statSync,
   unlinkSync,
   writeFileSync
 } from "node:fs";
 import { homedir as homedir2 } from "node:os";
-import { join as join4 } from "node:path";
+import { join as join3 } from "node:path";
 var DEFAULT_MAX_STORED_SESSIONS = 1e4;
 var STALE_LOCK_THRESHOLD_MS = 30000;
 function getMaxStoredSessions() {
@@ -17320,7 +17122,7 @@ function acquireLock(lockPath) {
       return false;
     }
     try {
-      const stat = statSync2(lockPath);
+      const stat = statSync(lockPath);
       if (Date.now() - stat.mtimeMs > STALE_LOCK_THRESHOLD_MS) {
         unlinkSync(lockPath);
         const fd = openSync(lockPath, "wx");
@@ -17347,11 +17149,11 @@ function getStorePath() {
   if (!existsSync4(dir)) {
     mkdirSync(dir, { recursive: true });
   }
-  return join4(dir, "sessions.json");
+  return join3(dir, "sessions.json");
 }
 function getDefaultCacheDir() {
-  const newDir = join4(homedir2(), ".cache", "meridian");
-  const oldDir = join4(homedir2(), ".cache", "opencode-claude-max-proxy");
+  const newDir = join3(homedir2(), ".cache", "meridian");
+  const oldDir = join3(homedir2(), ".cache", "opencode-claude-max-proxy");
   if (existsSync4(newDir))
     return newDir;
   if (existsSync4(oldDir)) {
@@ -17691,7 +17493,7 @@ function storeSession(sessionId, messages, claudeSessionId, workingDirectory, sd
 }
 
 // src/proxy/server.ts
-var exec3 = promisify3(execCallback2);
+var exec2 = promisify2(execCallback);
 var claudeExecutable = "";
 var MULTIMODAL_TYPES = new Set(["image", "document", "file"]);
 function hasMultimodalContent(content) {
@@ -17869,8 +17671,8 @@ function createProxyServer(config = {}) {
   const sessionDiscoveredTools = new Map;
   const sessionToolCache = new Map;
   const sessionMcpCache = new LRUMap(getMaxSessionsLimit());
-  const pluginDir = finalConfig.pluginDir ?? join6(homedir4(), ".config", "meridian", "plugins");
-  const pluginConfigPath = finalConfig.pluginConfigPath ?? join6(homedir4(), ".config", "meridian", "plugins.json");
+  const pluginDir = finalConfig.pluginDir ?? join5(homedir4(), ".config", "meridian", "plugins");
+  const pluginConfigPath = finalConfig.pluginConfigPath ?? join5(homedir4(), ".config", "meridian", "plugins.json");
   let loadedPlugins = [];
   let pluginTransforms = [];
   const app = new Hono2;
@@ -17884,6 +17686,8 @@ function createProxyServer(config = {}) {
   app.use("/profiles", requireAuth);
   app.use("/plugins/*", requireAuth);
   app.use("/plugins", requireAuth);
+  app.use("/settings/*", requireAuth);
+  app.use("/settings", requireAuth);
   app.use("/auth/*", requireAuth);
   app.get("/", (c) => {
     const accept = c.req.header("accept") || "";
@@ -17944,8 +17748,19 @@ function createProxyServer(config = {}) {
         const agentMode = c.req.header("x-opencode-agent-mode") ?? null;
         const requestSource = c.req.header("x-meridian-source")?.slice(0, 64) || undefined;
         let model = mapModelToClaudeModel(body.model || "sonnet", authStatus?.subscriptionType, agentMode);
-        const workingDirectory = (process.env.MERIDIAN_WORKDIR ?? process.env.CLAUDE_PROXY_WORKDIR) || adapter.extractWorkingDirectory(body) || process.cwd();
-        const clientWorkingDirectory = adapter.extractClientWorkingDirectory?.(body) || workingDirectory;
+        const cwdResolution = resolveSdkWorkingDirectory({
+          envOverride: process.env.MERIDIAN_WORKDIR ?? process.env.CLAUDE_PROXY_WORKDIR,
+          adapterCwd: adapter.extractWorkingDirectory(body),
+          fallback: process.cwd()
+        });
+        const workingDirectory = cwdResolution.workingDirectory;
+        if (cwdResolution.fellBack) {
+          claudeLog("cwd_fallback", {
+            claimed: cwdResolution.claimedWorkingDirectory,
+            usedInstead: workingDirectory
+          });
+        }
+        const clientWorkingDirectory = adapter.extractClientWorkingDirectory?.(body) || cwdResolution.claimedWorkingDirectory;
         const {
           ANTHROPIC_API_KEY: _dropApiKey,
           ANTHROPIC_BASE_URL: _dropBaseUrl,
@@ -18224,6 +18039,7 @@ function createProxyServer(config = {}) {
             const RATE_LIMIT_BASE_DELAY_MS = 1000;
             const response = async function* () {
               let rateLimitRetries = 0;
+              await ensureFreshToken().catch(() => {});
               let tokenRefreshed = false;
               while (true) {
                 let didYieldContent = false;
@@ -18625,6 +18441,7 @@ Subprocess stderr: ${stderrOutput}`;
               const RATE_LIMIT_BASE_DELAY_MS = 1000;
               const response = async function* () {
                 let rateLimitRetries = 0;
+                await ensureFreshToken().catch(() => {});
                 let tokenRefreshed = false;
                 while (true) {
                   let didYieldClientEvent = false;
@@ -19442,6 +19259,7 @@ data: ${JSON.stringify({
           auth: { loggedIn: false }
         }, 503);
       }
+      const claudeExecutableInfo = getResolvedClaudeExecutableInfo();
       return c.json({
         status: "healthy",
         version: serverVersion,
@@ -19451,6 +19269,7 @@ data: ${JSON.stringify({
           subscriptionType: auth.subscriptionType
         },
         mode: envBool("PASSTHROUGH") ? "passthrough" : "internal",
+        ...claudeExecutableInfo ? { claudeExecutable: claudeExecutableInfo } : {},
         plugin: { opencode: checkPluginConfigured() ? "configured" : "not-configured" }
       });
     } catch {
@@ -19563,9 +19382,16 @@ data: ${JSON.stringify({
     if (!anthropicBody) {
       return c.json({ type: "error", error: { type: "invalid_request_error", message: "messages: Field required" } }, 400);
     }
+    const internalHeaders = { "Content-Type": "application/json" };
+    const xApiKey = c.req.header("x-api-key");
+    if (xApiKey)
+      internalHeaders["x-api-key"] = xApiKey;
+    const authz = c.req.header("authorization");
+    if (authz)
+      internalHeaders["authorization"] = authz;
     const internalReq = new Request("http://internal/v1/messages", {
       method: "POST",
-      headers: { "Content-Type": "application/json" },
+      headers: internalHeaders,
       body: JSON.stringify(anthropicBody)
     });
     const internalRes = await app.fetch(internalReq);
@@ -19844,6 +19670,10 @@ async function startProxyServer(config = {}) {
       console.log(`Telemetry dashboard: http://${finalConfig.host}:${info.port}/telemetry`);
       const pins = resolveSdkModelDefaults();
       console.log(`Model pins: opus=${pins.ANTHROPIC_DEFAULT_OPUS_MODEL} sonnet=${pins.ANTHROPIC_DEFAULT_SONNET_MODEL} haiku=${pins.ANTHROPIC_DEFAULT_HAIKU_MODEL}`);
+      const claudeInfo = getResolvedClaudeExecutableInfo();
+      if (claudeInfo) {
+        console.log(`Claude executable: ${claudeInfo.path} (resolved via ${claudeInfo.source})`);
+      }
       console.log(`
 Point any Anthropic-compatible tool at this endpoint:`);
       console.log(`  ANTHROPIC_API_KEY=x ANTHROPIC_BASE_URL=http://${finalConfig.host}:${info.port}`);
@@ -19865,6 +19695,7 @@ Or use a different port:`);
       console.error(`  MERIDIAN_PORT=4567 meridian`);
     }
   });
+  startBackgroundRefresh();
   let authKeepaliveInterval;
   const effectiveProfiles = getEffectiveProfiles(finalConfig.profiles);
   if (effectiveProfiles.length > 0) {
@@ -19888,6 +19719,7 @@ Or use a different port:`);
     async close() {
       if (authKeepaliveInterval)
         clearInterval(authKeepaliveInterval);
+      stopBackgroundRefresh();
       await new Promise((resolve3, reject) => {
         server.close((err) => err ? reject(err) : resolve3());
       });