@rynfar/meridian 1.42.1 → 1.44.0

package/dist/{cli-rtab0qa6.js → cli-je60fevk.js}

@@ -3,6 +3,24 @@ import { existsSync, mkdirSync, readFileSync, writeFileSync } from "fs";
 import { homedir, platform } from "os";
 import { dirname, join } from "path";
 import { fileURLToPath } from "url";
+import { applyEdits, modify, parse as parseJsonc } from "jsonc-parser";
+
+class UnparseableConfigError extends Error {
+  configPath;
+  constructor(configPath) {
+    super(`Could not parse ${configPath} — it may contain a syntax error.`);
+    this.configPath = configPath;
+    this.name = "UnparseableConfigError";
+  }
+}
+function parseOpencodeConfig(text) {
+  const errors = [];
+  const parsed = parseJsonc(text, errors, { allowTrailingComma: true });
+  if (errors.length > 0 || parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
+    return null;
+  }
+  return parsed;
+}
 function findOpencodeConfigPath() {
   if (process.env.OPENCODE_CONFIG_DIR) {
     return join(process.env.OPENCODE_CONFIG_DIR, "opencode.json");
@@ -31,37 +49,37 @@ function checkPluginConfigured(configPath) {
   const path = configPath ?? findOpencodeConfigPath();
   if (!existsSync(path))
     return false;
-  try {
-    const raw = readFileSync(path, "utf-8");
-    const config = JSON.parse(raw);
-    const plugins = Array.isArray(config.plugin) ? config.plugin : [];
-    return plugins.some((p) => typeof p === "string" && isMeridianEntry(p));
-  } catch {
+  const config = parseOpencodeConfig(readFileSync(path, "utf-8"));
+  if (config === null)
     return false;
-  }
+  const plugins = Array.isArray(config.plugin) ? config.plugin : [];
+  return plugins.some((p) => typeof p === "string" && isMeridianEntry(p));
 }
 function runSetup(pluginPath, configPath) {
   const path = configPath ?? findOpencodeConfigPath();
   const dir = dirname(path);
-  let config = {};
-  let created = false;
-  if (existsSync(path)) {
-    try {
-      config = JSON.parse(readFileSync(path, "utf-8"));
-    } catch {}
-  } else {
-    created = true;
+  if (!existsSync(path)) {
     if (!existsSync(dir))
       mkdirSync(dir, { recursive: true });
+    writeFileSync(path, `${JSON.stringify({ plugin: [pluginPath] }, null, 2)}
+`, "utf-8");
+    return { configPath: path, pluginPath, alreadyConfigured: false, removedStale: [], created: true };
+  }
+  const text = readFileSync(path, "utf-8");
+  const config = parseOpencodeConfig(text);
+  if (config === null) {
+    throw new UnparseableConfigError(path);
   }
   const existing = Array.isArray(config.plugin) ? config.plugin.filter((p) => typeof p === "string") : [];
   const removedStale = existing.filter(isMeridianEntry);
   const others = existing.filter((p) => !isMeridianEntry(p));
   const alreadyConfigured = removedStale.some((p) => p === pluginPath);
-  config.plugin = [...others, pluginPath];
-  writeFileSync(path, JSON.stringify(config, null, 2) + `
-`, "utf-8");
-  return { configPath: path, pluginPath, alreadyConfigured, removedStale, created };
+  const newPlugins = [...others, pluginPath];
+  const edits = modify(text, ["plugin"], newPlugins, {
+    formattingOptions: { insertSpaces: true, tabSize: 2 }
+  });
+  writeFileSync(path, applyEdits(text, edits), "utf-8");
+  return { configPath: path, pluginPath, alreadyConfigured, removedStale, created: false };
 }
 
-export { findOpencodeConfigPath, findPluginPath, checkPluginConfigured, runSetup };
+export { UnparseableConfigError, findOpencodeConfigPath, findPluginPath, checkPluginConfigured, runSetup };

package/dist/{cli-3jqvrake.js → cli-yeazzt32.js}

@@ -7,7 +7,7 @@ import { promisify } from "util";
 var exec = promisify(execCallback);
 var execFile = promisify(execFileCallback);
 var STUB_SIZE_THRESHOLD = 4096;
-var CANONICAL_OPUS_MODEL = "claude-opus-4-7";
+var CANONICAL_OPUS_MODEL = "claude-opus-4-8";
 var CANONICAL_SONNET_MODEL = "claude-sonnet-4-6";
 var CANONICAL_HAIKU_MODEL = "claude-haiku-4-5";
 function resolveSdkModelDefaults(env = process.env) {

package/dist/cli.js

@@ -1,16 +1,16 @@
 #!/usr/bin/env node
 import {
   startProxyServer
-} from "./cli-8xzxm1cq.js";
+} from "./cli-fc6mt326.js";
 import"./cli-cx463q74.js";
 import"./cli-sry5aqdj.js";
 import"./cli-4rqtm83g.js";
 import {
   resolveClaudeExecutableAsync
-} from "./cli-3jqvrake.js";
+} from "./cli-yeazzt32.js";
 import"./cli-340h1chz.js";
-import"./cli-rtab0qa6.js";
-import"./cli-7k1fcprd.js";
+import"./cli-je60fevk.js";
+import"./cli-1kbcm3yn.js";
 import {
   __require
 } from "./cli-p9swy5t3.js";
@@ -53,16 +53,17 @@ See https://github.com/rynfar/meridian for full documentation.`);
   process.exit(0);
 }
 if (args[0] === "profile") {
-  const { profileAdd, profileAddOauthToken, profileList, profileRemove, profileSwitch, profileLogin, profileHelp } = await import("./profileCli-c7cvkv5q.js");
+  const { profileAdd, profileAddOauthToken, profileList, profileRemove, profileSwitch, profileLogin, profileHelp } = await import("./profileCli-xcmmr5w4.js");
   const subcommand = args[1];
   const profileId = args[2];
+  const headless = args.includes("--headless");
   if (subcommand === "add" && profileId) {
     const oauthFlagIdx = args.indexOf("--oauth-token", 3);
     if (oauthFlagIdx >= 0) {
       const tokenArg = args[oauthFlagIdx + 1];
-      await profileAddOauthToken(profileId, tokenArg);
+      await profileAddOauthToken(profileId, tokenArg?.startsWith("--") ? undefined : tokenArg);
     } else {
-      profileAdd(profileId);
+      await profileAdd(profileId, { headless });
     }
   } else if (subcommand === "list" || subcommand === "ls")
     profileList();
@@ -71,15 +72,27 @@ if (args[0] === "profile") {
   else if (subcommand === "switch" && profileId)
     await profileSwitch(profileId);
   else if (subcommand === "login" && profileId)
-    profileLogin(profileId);
+    await profileLogin(profileId, { headless });
   else
     profileHelp();
   process.exit(0);
 }
 if (args[0] === "setup") {
-  const { findPluginPath, runSetup } = await import("./setup-v5pnqe04.js");
+  const { findPluginPath, runSetup, UnparseableConfigError } = await import("./setup-6c11e8d6.js");
   const pluginPath = findPluginPath(import.meta.url);
-  const result = runSetup(pluginPath);
+  let result;
+  try {
+    result = runSetup(pluginPath);
+  } catch (err) {
+    if (err instanceof UnparseableConfigError) {
+      console.error(`\x1B[31m✗ Could not parse ${err.configPath}\x1B[0m`);
+      console.error("  Your config was left untouched. Fix the syntax error, then re-run");
+      console.error(`  'meridian setup' — or add this plugin manually:`);
+      console.error(`    "plugin": ["${pluginPath}"]`);
+      process.exit(1);
+    }
+    throw err;
+  }
   if (result.alreadyConfigured) {
     console.log(`\x1B[32m✓ Meridian plugin already configured\x1B[0m`);
     console.log(`  ${result.configPath}`);
@@ -98,7 +111,7 @@ Restart OpenCode for the plugin to take effect.`);
   process.exit(0);
 }
 if (args[0] === "refresh-token") {
-  const { refreshOAuthToken } = await import("./tokenRefresh-swetnf89.js");
+  const { refreshOAuthToken } = await import("./tokenRefresh-pvc2q8ea.js");
   const success = await refreshOAuthToken();
   if (success) {
     console.log("Token refreshed successfully");
@@ -110,12 +123,6 @@ if (args[0] === "refresh-token") {
 }
 var exec = promisify(execCallback);
 var execFile = promisify(execFileCallback);
-process.on("uncaughtException", (err) => {
-  console.error(`[PROXY] Uncaught exception (recovered): ${err.message}`);
-});
-process.on("unhandledRejection", (reason) => {
-  console.error(`[PROXY] Unhandled rejection (recovered): ${reason instanceof Error ? reason.message : reason}`);
-});
 var port = parseInt(process.env.MERIDIAN_PORT ?? process.env.CLAUDE_PROXY_PORT ?? "3456", 10);
 var host = process.env.MERIDIAN_HOST ?? process.env.CLAUDE_PROXY_HOST ?? "127.0.0.1";
 var idleTimeoutSeconds = parseInt(process.env.MERIDIAN_IDLE_TIMEOUT_SECONDS ?? process.env.CLAUDE_PROXY_IDLE_TIMEOUT_SECONDS ?? "120", 10);
@@ -135,7 +142,7 @@ async function runCli(start = startProxyServer, runAuthCheck = async () => {
   return execFile(claudePath, ["auth", "status"], { timeout: 5000 });
 }) {
   try {
-    const { findOpencodeConfigPath, checkPluginConfigured, findPluginPath } = await import("./setup-v5pnqe04.js");
+    const { findOpencodeConfigPath, checkPluginConfigured, findPluginPath } = await import("./setup-6c11e8d6.js");
     const configPath = findOpencodeConfigPath();
     const { existsSync } = await import("fs");
     if (existsSync(configPath) && !checkPluginConfigured(configPath)) {
@@ -163,7 +170,7 @@ async function runCli(start = startProxyServer, runAuthCheck = async () => {
     const { enableDiskProfileDiscovery } = await import("./profiles-rdd84b45.js");
     enableDiskProfileDiscovery();
   }
-  const proxy = await start({ port, host, idleTimeoutSeconds, profiles, defaultProfile, version });
+  const proxy = await start({ port, host, idleTimeoutSeconds, profiles, defaultProfile, version, installProcessErrorHandlers: true });
   proxy.server.on("error", (error) => {
     if (error.code === "EADDRINUSE") {
       process.exit(1);

package/dist/{profileCli-c7cvkv5q.js → profileCli-xcmmr5w4.js}

@@ -1,24 +1,82 @@
 import {
   resolveClaudeExecutableSync
-} from "./cli-3jqvrake.js";
+} from "./cli-yeazzt32.js";
 import {
   setSetting
 } from "./cli-340h1chz.js";
+import {
+  createPlatformCredentialStore
+} from "./cli-1kbcm3yn.js";
 import"./cli-p9swy5t3.js";
 
 // src/proxy/profileCli.ts
-import { mkdirSync, existsSync, rmSync, readFileSync, writeFileSync } from "node:fs";
-import { join } from "node:path";
 import { execFileSync, spawnSync } from "node:child_process";
+import { createHash, randomBytes } from "node:crypto";
+import { mkdirSync, readFileSync, rmSync, writeFileSync, existsSync } from "node:fs";
 import { homedir } from "node:os";
+import { join } from "node:path";
 var PROFILES_DIR = join(homedir(), ".config", "meridian", "profiles");
 var CONFIG_FILE = join(homedir(), ".config", "meridian", "profiles.json");
+var OAUTH_AUTHORIZE_URL = "https://claude.com/cai/oauth/authorize";
+var OAUTH_TOKEN_URL = "https://platform.claude.com/v1/oauth/token";
+var OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+var OAUTH_REDIRECT_URI = "https://platform.claude.com/oauth/code/callback";
+var OAUTH_SCOPES = [
+  "org:create_api_key",
+  "user:profile",
+  "user:inference",
+  "user:sessions:claude_code",
+  "user:mcp_servers",
+  "user:file_upload"
+];
 function ensureProfilesDir() {
   mkdirSync(PROFILES_DIR, { recursive: true });
 }
 function getProfileDir(id) {
   return join(PROFILES_DIR, id);
 }
+function buildAuthLoginEnv(configDir, _options = {}, baseEnv = process.env) {
+  const env = { ...baseEnv };
+  if (configDir)
+    env.CLAUDE_CONFIG_DIR = configDir;
+  return env;
+}
+function base64Url(bytes) {
+  return bytes.toString("base64url");
+}
+function createManualOAuthSession() {
+  const codeVerifier = base64Url(randomBytes(32));
+  const state = base64Url(randomBytes(32));
+  const codeChallenge = createHash("sha256").update(codeVerifier).digest("base64url");
+  const url = new URL(OAUTH_AUTHORIZE_URL);
+  url.searchParams.set("code", "true");
+  url.searchParams.set("client_id", OAUTH_CLIENT_ID);
+  url.searchParams.set("response_type", "code");
+  url.searchParams.set("redirect_uri", OAUTH_REDIRECT_URI);
+  url.searchParams.set("scope", OAUTH_SCOPES.join(" "));
+  url.searchParams.set("code_challenge", codeChallenge);
+  url.searchParams.set("code_challenge_method", "S256");
+  url.searchParams.set("state", state);
+  return { authorizeUrl: url.toString(), codeVerifier, state };
+}
+function parseAuthorizationCodeInput(input) {
+  const trimmed = input.trim();
+  if (!trimmed)
+    return null;
+  try {
+    const url = new URL(trimmed);
+    const code2 = url.searchParams.get("code") ?? new URLSearchParams(url.hash.replace(/^#/, "")).get("code");
+    const state2 = url.searchParams.get("state") ?? new URLSearchParams(url.hash.replace(/^#/, "")).get("state") ?? undefined;
+    return code2 ? { code: code2, state: state2 } : null;
+  } catch {}
+  const [codePart, hashState] = trimmed.split("#", 2);
+  if (!codePart)
+    return null;
+  const ampersandParams = codePart.includes("&") ? new URLSearchParams(codePart.slice(codePart.indexOf("&") + 1)) : null;
+  const code = codePart.split("&", 1)[0]?.trim();
+  const state = ampersandParams?.get("state") ?? hashState?.trim() ?? undefined;
+  return code ? { code, state } : null;
+}
 function loadProfileConfig() {
   if (!existsSync(CONFIG_FILE))
     return [];
@@ -31,7 +89,7 @@ function loadProfileConfig() {
 }
 function saveProfileConfig(profiles) {
   ensureProfilesDir();
-  writeFileSync(CONFIG_FILE, JSON.stringify(profiles, null, 2) + `
+  writeFileSync(CONFIG_FILE, `${JSON.stringify(profiles, null, 2)}
 `, { mode: 384 });
 }
 function getAuthStatus(configDir) {
@@ -52,7 +110,72 @@ function getAuthStatus(configDir) {
     return { loggedIn: false };
   }
 }
-function profileAdd(id) {
+async function completeManualOAuthLogin(configDir) {
+  const session = createManualOAuthSession();
+  console.log("\x1B[33m⚠ Headless OAuth login: open this URL in a browser:\x1B[0m");
+  console.log();
+  console.log(session.authorizeUrl);
+  console.log();
+  console.log("After sign-in, paste the code shown by Claude below.");
+  const input = promptLine("Paste code:");
+  const parsed = parseAuthorizationCodeInput(input);
+  if (!parsed) {
+    console.error("\x1B[31m✗ No authorization code received.\x1B[0m");
+    return false;
+  }
+  if (parsed.state && parsed.state !== session.state) {
+    console.error("\x1B[31m✗ OAuth state mismatch. Please retry the login.\x1B[0m");
+    return false;
+  }
+  let response;
+  try {
+    response = await fetch(OAUTH_TOKEN_URL, {
+      method: "POST",
+      headers: { "Content-Type": "application/json" },
+      body: JSON.stringify({
+        grant_type: "authorization_code",
+        client_id: OAUTH_CLIENT_ID,
+        code: parsed.code,
+        redirect_uri: OAUTH_REDIRECT_URI,
+        code_verifier: session.codeVerifier,
+        state: parsed.state ?? session.state
+      }),
+      signal: AbortSignal.timeout(30000)
+    });
+  } catch (err) {
+    console.error(`\x1B[31m✗ OAuth token exchange failed: ${err instanceof Error ? err.message : err}\x1B[0m`);
+    return false;
+  }
+  if (!response.ok) {
+    const body = await response.text().catch(() => "");
+    console.error(`\x1B[31m✗ OAuth token exchange failed (${response.status}).\x1B[0m`);
+    if (body)
+      console.error(`  ${body.slice(0, 300)}`);
+    return false;
+  }
+  let tokenData;
+  try {
+    tokenData = await response.json();
+  } catch (err) {
+    console.error(`\x1B[31m✗ OAuth token response was invalid: ${err instanceof Error ? err.message : err}\x1B[0m`);
+    return false;
+  }
+  if (!tokenData.access_token || !tokenData.refresh_token) {
+    console.error("\x1B[31m✗ OAuth token response did not include the required tokens.\x1B[0m");
+    return false;
+  }
+  const expiresAt = tokenData.expires_at ?? Date.now() + (tokenData.expires_in ?? 8 * 60 * 60) * 1000;
+  const store = createPlatformCredentialStore({ claudeConfigDir: configDir });
+  return store.write({
+    claudeAiOauth: {
+      accessToken: tokenData.access_token,
+      refreshToken: tokenData.refresh_token,
+      expiresAt,
+      scopes: tokenData.scope?.split(" ").filter(Boolean) ?? OAUTH_SCOPES
+    }
+  });
+}
+async function profileAdd(id, options = {}) {
   if (!id || /[^a-zA-Z0-9_-]/.test(id)) {
     console.error("\x1B[31m✗ Invalid profile ID.\x1B[0m Use only letters, numbers, hyphens, underscores.");
     process.exit(1);
@@ -95,33 +218,43 @@ function profileAdd(id) {
     printEnvHint(profiles);
     return;
   }
-  console.log("\x1B[33m⚠ Important: Before logging in, make sure you're signed into the");
-  console.log(`  correct Claude account in your browser (the one for "${id}").\x1B[0m`);
-  console.log();
-  console.log("  If you're currently signed into a different account:");
-  console.log("    1. Go to https://claude.ai and sign out");
-  console.log("    2. Sign in with the account you want for this profile");
-  console.log("    3. Come back here — the login will open your browser");
-  console.log();
-  console.log("  Press Ctrl+C to cancel, or wait for the browser to open...");
-  console.log();
-  const resolvedAuth = resolveClaudeExecutableSync();
-  if (!resolvedAuth) {
-    console.error("\x1B[31m✗ Could not find a Claude executable to run auth login.\x1B[0m");
-    console.error("  Install via: npm install -g @anthropic-ai/claude-code, or set MERIDIAN_CLAUDE_PATH=/path/to/claude");
-    process.exit(1);
+  if (!options.headless) {
+    console.log("\x1B[33m⚠ Important: Before logging in, make sure you're signed into the");
+    console.log(`  correct Claude account in your browser (the one for "${id}").\x1B[0m`);
+    console.log();
+    console.log("  If you're currently signed into a different account:");
+    console.log("    1. Go to https://claude.ai and sign out");
+    console.log("    2. Sign in with the account you want for this profile");
+    console.log("    3. Come back here — the login will open your browser");
+    console.log();
+    console.log("  Press Ctrl+C to cancel, or wait for the browser to open...");
   }
-  const result = spawnSync(resolvedAuth.path, ["auth", "login"], {
-    env: { ...process.env, CLAUDE_CONFIG_DIR: configDir },
-    stdio: "inherit"
-  });
-  if (result.status !== 0) {
-    console.error("\x1B[31m✗ Login failed.\x1B[0m");
-    process.exit(1);
+  console.log();
+  if (options.headless) {
+    const success = await completeManualOAuthLogin(configDir);
+    if (!success) {
+      console.error("\x1B[31m✗ Login failed.\x1B[0m");
+      process.exit(1);
+    }
+  } else {
+    const resolvedAuth = resolveClaudeExecutableSync();
+    if (!resolvedAuth) {
+      console.error("\x1B[31m✗ Could not find a Claude executable to run auth login.\x1B[0m");
+      console.error("  Install via: npm install -g @anthropic-ai/claude-code, or set MERIDIAN_CLAUDE_PATH=/path/to/claude");
+      process.exit(1);
+    }
+    const result = spawnSync(resolvedAuth.path, ["auth", "login"], {
+      env: buildAuthLoginEnv(configDir, options),
+      stdio: "inherit"
+    });
+    if (result.status !== 0) {
+      console.error("\x1B[31m✗ Login failed.\x1B[0m");
+      process.exit(1);
+    }
   }
   const auth = getAuthStatus(configDir);
   if (!auth.loggedIn) {
-    console.error("\x1B[31m✗ Login did not complete. Try again: meridian profile add " + id + "\x1B[0m");
+    console.error(`\x1B[31m✗ Login did not complete. Try again: meridian profile add ${id}\x1B[0m`);
     process.exit(1);
   }
   console.log();
@@ -180,7 +313,7 @@ function profileList() {
 }
 function dirsToRemoveOnProfileRemove(profile, profilesDir) {
   const dirs = [];
-  if (profile.claudeConfigDir && profile.claudeConfigDir.startsWith(profilesDir)) {
+  if (profile.claudeConfigDir?.startsWith(profilesDir)) {
     dirs.push(profile.claudeConfigDir);
   }
   if (profile.oauthToken || profile.type === "oauth-token") {
@@ -198,6 +331,10 @@ function profileRemove(id) {
     process.exit(1);
   }
   const removed = profiles[idx];
+  if (!removed) {
+    console.error(`\x1B[31m✗ Profile "${id}" not found.\x1B[0m`);
+    process.exit(1);
+  }
   const dirsToRemove = dirsToRemoveOnProfileRemove(removed, PROFILES_DIR);
   profiles.splice(idx, 1);
   saveProfileConfig(profiles);
@@ -233,7 +370,7 @@ async function profileSwitch(id) {
     process.exit(1);
   }
 }
-function profileLogin(id) {
+async function profileLogin(id, options = {}) {
   const profiles = loadProfileConfig();
   const profile = profiles.find((p) => p.id === id);
   if (!profile) {
@@ -247,21 +384,31 @@ function profileLogin(id) {
   }
   console.log(`\x1B[36mRe-authenticating profile: ${id}\x1B[0m`);
   console.log();
-  console.log("\x1B[33m⚠ Make sure you're signed into the correct Claude account in your browser.\x1B[0m");
-  console.log();
-  const resolvedLogin = resolveClaudeExecutableSync();
-  if (!resolvedLogin) {
-    console.error("\x1B[31m✗ Could not find a Claude executable to run auth login.\x1B[0m");
-    console.error("  Install via: npm install -g @anthropic-ai/claude-code, or set MERIDIAN_CLAUDE_PATH=/path/to/claude");
-    process.exit(1);
+  if (!options.headless) {
+    console.log("\x1B[33m⚠ Make sure you're signed into the correct Claude account in your browser.\x1B[0m");
   }
-  const result = spawnSync(resolvedLogin.path, ["auth", "login"], {
-    env: { ...process.env, CLAUDE_CONFIG_DIR: profile.claudeConfigDir },
-    stdio: "inherit"
-  });
-  if (result.status !== 0) {
-    console.error("\x1B[31m✗ Login failed.\x1B[0m");
-    process.exit(1);
+  console.log();
+  if (options.headless) {
+    const success = await completeManualOAuthLogin(profile.claudeConfigDir ?? getProfileDir(id));
+    if (!success) {
+      console.error("\x1B[31m✗ Login failed.\x1B[0m");
+      process.exit(1);
+    }
+  } else {
+    const resolvedLogin = resolveClaudeExecutableSync();
+    if (!resolvedLogin) {
+      console.error("\x1B[31m✗ Could not find a Claude executable to run auth login.\x1B[0m");
+      console.error("  Install via: npm install -g @anthropic-ai/claude-code, or set MERIDIAN_CLAUDE_PATH=/path/to/claude");
+      process.exit(1);
+    }
+    const result = spawnSync(resolvedLogin.path, ["auth", "login"], {
+      env: buildAuthLoginEnv(profile.claudeConfigDir, options),
+      stdio: "inherit"
+    });
+    if (result.status !== 0) {
+      console.error("\x1B[31m✗ Login failed.\x1B[0m");
+      process.exit(1);
+    }
   }
   const auth = getAuthStatus(profile.claudeConfigDir ?? "");
   if (auth.loggedIn) {
@@ -279,6 +426,16 @@ function promptYesNo(question) {
   const answer = (result.stdout?.toString().trim() ?? "").toLowerCase();
   return answer !== "n" && answer !== "no";
 }
+function promptLine(question) {
+  process.stderr.write(`${question} `);
+  const result = spawnSync("node", ["-e", [
+    `const rl = require("readline").createInterface({ input: process.stdin });`,
+    `rl.once("line", (a) => { process.stdout.write(a); rl.close(); });`,
+    `rl.once("close", () => process.exit(0));`
+  ].join(`
+`)], { stdio: ["inherit", "pipe", "inherit"] });
+  return result.stdout?.toString().trim() ?? "";
+}
 function promptToken(question) {
   process.stderr.write(`${question}
 > `);
@@ -322,20 +479,22 @@ function profileHelp() {
   console.log(`meridian profile — manage Claude account profiles
 
 Commands:
-  meridian profile add <name>                       Add a profile via browser login
+  meridian profile add <name> [--headless]          Add a profile via Claude OAuth login
   meridian profile add <name> --oauth-token [TOKEN] Add a profile from a \`claude setup-token\` value
                                                     (if TOKEN is omitted, you will be prompted; input is hidden)
   meridian profile list                             List profiles and auth status
   meridian profile remove <name>                    Remove a profile
   meridian profile switch <name>                    Switch the active profile (requires running proxy)
-  meridian profile login <name>                     Re-authenticate an existing profile (claude-max only)
+  meridian profile login <name> [--headless]        Re-authenticate an existing profile (claude-max only)
 
 Examples:
   meridian profile add personal                     # Add personal account (browser login)
   meridian profile add work                         # Add work account
+  meridian profile add work --headless              # Print OAuth URL, prompt for returned code, store credentials
   meridian profile add ci --oauth-token             # Add headless CI profile (prompted, no echo)
   meridian profile add ci --oauth-token sk-ant-oat01-...
                                                     # Add headless CI profile (token from CLI argument)
+  meridian profile login work --headless            # Re-authenticate via OAuth URL/code prompt
   meridian profile switch work                      # Switch to work account
   meridian profile list                             # Show all profiles`);
 }
@@ -347,5 +506,8 @@ export {
   profileHelp,
   profileAddOauthToken,
   profileAdd,
-  dirsToRemoveOnProfileRemove
+  parseAuthorizationCodeInput,
+  dirsToRemoveOnProfileRemove,
+  createManualOAuthSession,
+  buildAuthLoginEnv
 };

package/dist/proxy/adapters/detect.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"detect.d.ts","sourceRoot":"","sources":["../../../src/proxy/adapters/detect.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AACnC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AA0C9C;;;;;;;;;;;;GAYG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,YAAY,CAgDtD"}
+{"version":3,"file":"detect.d.ts","sourceRoot":"","sources":["../../../src/proxy/adapters/detect.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,MAAM,CAAA;AACnC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AA8C9C;;;;;;;;;;;;GAYG;AACH,wBAAgB,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,YAAY,CAgDtD"}

package/dist/proxy/adapters/openai.d.ts

@@ -0,0 +1,23 @@
+/**
+ * OpenAI-compatible endpoint adapter.
+ *
+ * `/v1/chat/completions` serves generic OpenAI chat clients (Open WebUI,
+ * LibreChat, curl, any OpenAI-compatible tool). These are NOT coding agents:
+ * they bring their own system prompt and don't want the ~28KB claude_code
+ * preset injected on top of it (which would override their intent with the
+ * Claude Code persona — see the #526 investigation).
+ *
+ * The handler tags the internal hop with `x-meridian-agent: openai` so this
+ * adapter is selected deterministically instead of falling through to the
+ * default `opencode` adapter (whose preset defaults ON). Behaviour is
+ * otherwise identical to `opencode` — same tools, MCP server, passthrough,
+ * and transforms — the ONLY difference is the system-prompt preset default,
+ * which is set OFF in sdkFeatures.ADAPTER_DEFAULTS. This mirrors the
+ * `passthrough` adapter precedent (#190).
+ *
+ * NOTE: agent-specific. Keep this as a thin re-identification of the OpenCode
+ * adapter; do not fork behaviour here.
+ */
+import type { AgentAdapter } from "../adapter";
+export declare const openAiAdapter: AgentAdapter;
+//# sourceMappingURL=openai.d.ts.map

package/dist/proxy/adapters/openai.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"openai.d.ts","sourceRoot":"","sources":["../../../src/proxy/adapters/openai.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAA;AAG9C,eAAO,MAAM,aAAa,EAAE,YAG3B,CAAA"}

package/dist/proxy/effort.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Reasoning effort levels and normalization.
+ *
+ * The Claude Code SDK `--effort` flag accepts a fixed vocabulary. Clients send
+ * the effort under several keys (`effort`, `x-opencode-effort`, the standard
+ * OpenAI `reasoning_effort`, or an Anthropic-style `output_config.effort`), and
+ * not every value they send is valid for Claude — OpenAI notably offers
+ * `"minimal"`, which the SDK rejects. normalizeEffort gates the value so an
+ * unknown effort falls back to the model default (undefined) rather than
+ * erroring the whole request at the SDK boundary.
+ *
+ * Pure module — no I/O, no imports from server/session.
+ */
+export declare const VALID_EFFORTS: readonly ["low", "medium", "high", "xhigh", "max"];
+export type Effort = (typeof VALID_EFFORTS)[number];
+/**
+ * Return the value if it is a valid Claude effort level, else undefined.
+ * Case-sensitive: the SDK expects lowercase.
+ */
+export declare function normalizeEffort(value: unknown): Effort | undefined;
+//# sourceMappingURL=effort.d.ts.map

package/dist/proxy/effort.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"effort.d.ts","sourceRoot":"","sources":["../../src/proxy/effort.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,eAAO,MAAM,aAAa,oDAAqD,CAAA;AAE/E,MAAM,MAAM,MAAM,GAAG,CAAC,OAAO,aAAa,CAAC,CAAC,MAAM,CAAC,CAAA;AAEnD;;;GAGG;AACH,wBAAgB,eAAe,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS,CAIlE"}

package/dist/proxy/models.d.ts

@@ -18,7 +18,7 @@ export type ClaudeModel = "sonnet" | "sonnet[1m]" | "opus" | "opus[1m]" | "haiku
  * override via MERIDIAN_DEFAULT_{TYPE}_MODEL (proxy-side) or
  * ANTHROPIC_DEFAULT_{TYPE}_MODEL (shell env, wins over Meridian's pin).
  */
-export declare const CANONICAL_OPUS_MODEL = "claude-opus-4-7";
+export declare const CANONICAL_OPUS_MODEL = "claude-opus-4-8";
 export declare const CANONICAL_SONNET_MODEL = "claude-sonnet-4-6";
 export declare const CANONICAL_HAIKU_MODEL = "claude-haiku-4-5";
 /**

package/dist/proxy/openai.d.ts

@@ -61,6 +61,12 @@ export interface OpenAiChatRequest {
     temperature?: number;
     top_p?: number;
     tools?: OpenAiChatTool[];
+    /** Standard OpenAI reasoning level (low/medium/high/…). */
+    reasoning_effort?: string;
+    /** Anthropic-style nesting some clients use. */
+    output_config?: {
+        effort?: string;
+    };
 }
 export interface AnthropicTextBlock {
     type: "text";
@@ -93,6 +99,12 @@ export interface AnthropicRequestBody {
     temperature?: number;
     top_p?: number;
     tools?: AnthropicTool[];
+    /** Reasoning effort carried from the OpenAI request so the internal
+     *  /v1/messages hop forwards it to the SDK (value gated by normalizeEffort). */
+    reasoning_effort?: string;
+    output_config?: {
+        effort?: string;
+    };
 }
 export interface AnthropicUsage {
     input_tokens?: number;