@rynfar/meridian 1.43.0 → 1.44.0

package/README.md

@@ -239,6 +239,20 @@ meridian profile add work
 
 > **⚠ Important:** Claude's OAuth reuses your browser session. Before adding a second account, sign out of claude.ai and sign into the other account first.
 
+#### Headless / SSH: complete Claude OAuth with a pasted code
+
+When you still want a normal Claude Max browser-login profile but the Meridian host cannot open a browser (SSH, WSL, containers, remote servers), use `--headless`. Meridian prints a Claude OAuth URL, prompts for the returned code, exchanges it with PKCE, and saves the resulting credentials into the profile's isolated `CLAUDE_CONFIG_DIR`:
+
+```bash
+meridian profile add work --headless
+```
+
+Open the printed URL in a browser, sign in to the target Claude account, then paste the returned code at Meridian's `Paste code:` prompt. For an existing browser-login profile:
+
+```bash
+meridian profile login work --headless
+```
+
 #### Headless / CI: register an OAuth token
 
 When a browser isn't available (containers, CI runners, remote shells), generate a long-lived OAuth token with `claude setup-token` and register it as a profile:
@@ -269,11 +283,11 @@ You can also switch profiles from the web UI at `http://127.0.0.1:3456/profiles`
 
 | Command | Description |
 |---------|-------------|
-| `meridian profile add <name>` | Add a profile and authenticate via browser |
+| `meridian profile add <name> [--headless]` | Add a profile and authenticate via Claude OAuth; `--headless` prints a URL, prompts for the returned code, and stores the exchanged credentials |
 | `meridian profile add <name> --oauth-token [TOKEN]` | Add a headless profile from a `claude setup-token` value (prompts when `TOKEN` is omitted) |
 | `meridian profile list` | List profiles and auth status |
 | `meridian profile switch <name>` | Switch the active profile (requires running proxy) |
-| `meridian profile login <name>` | Re-authenticate an expired profile (browser-login profiles only) |
+| `meridian profile login <name> [--headless]` | Re-authenticate an expired profile (browser-login profiles only); `--headless` uses the URL/code flow |
 | `meridian profile remove <name>` | Remove a profile and its credentials |
 
 ### How it works
@@ -361,9 +375,11 @@ Add a provider to `~/.config/crush/crush.json`:
       "base_url": "http://127.0.0.1:3456",
       "api_key": "dummy",
       "models": [
-        { "id": "claude-sonnet-4-6", "name": "Claude Sonnet 4.6 (1M)", "context_window": 1000000, "default_max_tokens": 64000, "can_reason": true, "supports_attachments": true },
-        { "id": "claude-opus-4-6",   "name": "Claude Opus 4.6 (1M)",   "context_window": 1000000, "default_max_tokens": 32768, "can_reason": true, "supports_attachments": true },
-        { "id": "claude-haiku-4-5-20251001", "name": "Claude Haiku 4.5", "context_window": 200000, "default_max_tokens": 16384, "can_reason": true, "supports_attachments": true }
+        { "id": "claude-opus-4-8",   "name": "Claude Opus 4.8 (1M)",    "context_window": 1000000, "default_max_tokens": 32768, "can_reason": true, "supports_attachments": true },
+        { "id": "claude-opus-4-7",   "name": "Claude Opus 4.7 (1M)",    "context_window": 1000000, "default_max_tokens": 32768, "can_reason": true, "supports_attachments": true },
+        { "id": "claude-sonnet-4-6", "name": "Claude Sonnet 4.6 (1M)",  "context_window": 1000000, "default_max_tokens": 64000, "can_reason": true, "supports_attachments": true },
+        { "id": "claude-opus-4-6",   "name": "Claude Opus 4.6 (1M)",    "context_window": 1000000, "default_max_tokens": 32768, "can_reason": true, "supports_attachments": true },
+        { "id": "claude-haiku-4-5-20251001", "name": "Claude Haiku 4.5", "context_window": 200000,  "default_max_tokens": 16384, "can_reason": true, "supports_attachments": true }
       ]
     }
   }
@@ -384,6 +400,8 @@ Add Meridian as a custom model provider in `~/.factory/settings.json`:
 ```json
 {
   "customModels": [
+    { "model": "claude-opus-4-8",         "name": "Opus 4.8 (Meridian)",   "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
+    { "model": "claude-opus-4-7",         "name": "Opus 4.7 (Meridian)",   "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
     { "model": "claude-sonnet-4-6",       "name": "Sonnet 4.6 (Meridian)", "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
     { "model": "claude-opus-4-6",         "name": "Opus 4.6 (Meridian)",   "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
     { "model": "claude-haiku-4-5-20251001", "name": "Haiku 4.5 (Meridian)", "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" }
@@ -734,11 +752,11 @@ export default {
 |---------|-------------|
 | `meridian` | Start the proxy server |
 | `meridian setup` | Configure the OpenCode plugin in `~/.config/opencode/opencode.json` |
-| `meridian profile add <name>` | Add a profile and authenticate via browser |
+| `meridian profile add <name> [--headless]` | Add a profile and authenticate via Claude OAuth; `--headless` prints a URL, prompts for the returned code, and stores the exchanged credentials |
 | `meridian profile add <name> --oauth-token [TOKEN]` | Add a headless profile from a `claude setup-token` value (prompts when `TOKEN` is omitted) |
 | `meridian profile list` | List all profiles and their auth status |
 | `meridian profile switch <name>` | Switch the active profile (requires running proxy) |
-| `meridian profile login <name>` | Re-authenticate an expired profile (browser-login profiles only) |
+| `meridian profile login <name> [--headless]` | Re-authenticate an expired profile (browser-login profiles only); `--headless` uses the URL/code flow |
 | `meridian profile remove <name>` | Remove a profile and its credentials |
 | `meridian refresh-token` | Manually refresh the Claude OAuth token (exits 0/1) |
 
@@ -840,6 +858,21 @@ meridian refresh-token
 curl -X POST http://127.0.0.1:3456/auth/refresh
 ```
 
+**I'm getting `400 You're out of extra usage` only when tools are present. What do I do?**
+First confirm the failure pattern: a tiny no-tool request succeeds, but the same client fails once it sends tool definitions. If that is the case, beta-header stripping and model fallback usually will not help because the request body still contains agentic tool context.
+
+For the affected adapter, try disabling the connecting client's system prompt while keeping the Claude Code prompt enabled:
+
+```bash
+curl -X PATCH http://127.0.0.1:3456/settings/api/features/pi \
+  -H 'Content-Type: application/json' \
+  -d '{"clientSystemPrompt":false,"codeSystemPrompt":true}'
+```
+
+Replace `pi` with the adapter you use (`opencode`, `crush`, `forgecode`, `droid`, `passthrough`, or `openai`). You can make the same change in the `/settings` UI under **SDK Feature Toggles**. (The `openai` adapter — used by the `/v1/chat/completions` endpoint — already defaults `codeSystemPrompt` to off, so on that one you typically only need `clientSystemPrompt:false`.)
+
+This keeps the SDK's preset prompt and tool bridge, but removes the external client's large agent prompt from the request. That may help when the error is triggered by the combination of tool definitions plus client prompt context. The tradeoff is that the connected agent may behave more like vanilla Claude Code because its own persona and workflow instructions are no longer included. If it still fails, the remaining options are to use fewer/no tools for that client, enable Extra Usage/API billing, or switch to a local/provider-backed model for that workflow. See [#516](https://github.com/rynfar/meridian/issues/516) for the current debugging thread.
+
 **I'm hitting rate limits on 1M context. What do I do?**
 Meridian defaults Sonnet to 200k context because Sonnet 1M is always billed as Extra Usage on Max plans — even when regular usage isn't exhausted. This is [Anthropic's intended billing model](https://code.claude.com/docs/en/model-config#extended-context), not a bug. Set `MERIDIAN_SONNET_MODEL=sonnet[1m]` to opt in if you have Extra Usage enabled and understand the billing implications. Opus defaults to 1M context, which is included with Max/Team/Enterprise subscriptions at no extra cost. Note: there is a [known upstream bug](https://github.com/anthropics/claude-code/issues/39841) where Claude Code incorrectly gates Opus 1M behind Extra Usage on Max — this is Anthropic's to fix.
 

package/dist/{cli-7k1fcprd.js → cli-1kbcm3yn.js}

@@ -1,10 +1,10 @@
 // src/proxy/tokenRefresh.ts
-import { execFile as execFileCb } from "child_process";
-import { existsSync, readFileSync, writeFileSync, mkdirSync } from "fs";
-import { homedir, platform, userInfo } from "os";
-import { join, dirname, resolve } from "path";
-import { createHash } from "crypto";
-import { promisify } from "util";
+import { execFile as execFileCb } from "node:child_process";
+import { createHash } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir, platform, userInfo } from "node:os";
+import { dirname, join, resolve } from "node:path";
+import { promisify } from "node:util";
 
 // src/logger.ts
 import { AsyncLocalStorage } from "node:async_hooks";
@@ -102,6 +102,7 @@ function parseKeychainValue(raw) {
 var keychainWasHexByService = new Map;
 function buildMacosStore(serviceName) {
   return {
+    refreshKey: `keychain:${serviceName}`,
     async read() {
       try {
         const { stdout } = await execFile("/usr/bin/security", ["find-generic-password", "-s", serviceName, "-a", userInfo().username, "-w"], { timeout: 5000 });
@@ -131,24 +132,26 @@ function buildMacosStore(serviceName) {
 }
 var macosStore = buildMacosStore(KEYCHAIN_SERVICE);
 function buildFileStore(filePath) {
+  const absPath = resolve(filePath);
   return {
+    refreshKey: `file:${absPath}`,
     async read() {
       try {
-        if (!existsSync(filePath))
+        if (!existsSync(absPath))
           return null;
-        return JSON.parse(readFileSync(filePath, "utf-8"));
+        return JSON.parse(readFileSync(absPath, "utf-8"));
       } catch (err) {
-        claudeLog("token_refresh.file_read_failed", { path: filePath, error: String(err) });
+        claudeLog("token_refresh.file_read_failed", { path: absPath, error: String(err) });
         return null;
       }
     },
     async write(credentials) {
       try {
-        mkdirSync(dirname(filePath), { recursive: true });
-        writeFileSync(filePath, serializeCredentials(credentials), "utf-8");
+        mkdirSync(dirname(absPath), { recursive: true });
+        writeFileSync(absPath, serializeCredentials(credentials), "utf-8");
         return true;
       } catch (err) {
-        claudeLog("token_refresh.file_write_failed", { path: filePath, error: String(err) });
+        claudeLog("token_refresh.file_write_failed", { path: absPath, error: String(err) });
         return false;
       }
     }
@@ -167,14 +170,29 @@ function createPlatformCredentialStore(opts) {
 function credentialsFilePathForProfile(claudeConfigDir) {
   return claudeConfigDir ? configDirToCredentialsFile(claudeConfigDir) : CREDENTIALS_FILE;
 }
-var inflightRefresh = null;
+var inflightRefreshByKey = new Map;
+var inflightRefreshByStore = new WeakMap;
 async function refreshOAuthToken(store) {
-  if (inflightRefresh)
-    return inflightRefresh;
-  inflightRefresh = doRefresh(store ?? createPlatformCredentialStore()).finally(() => {
-    inflightRefresh = null;
+  const s = store ?? createPlatformCredentialStore();
+  const refreshKey = s.refreshKey;
+  if (refreshKey) {
+    const inflight2 = inflightRefreshByKey.get(refreshKey);
+    if (inflight2)
+      return inflight2;
+    const refresh2 = doRefresh(s).finally(() => {
+      inflightRefreshByKey.delete(refreshKey);
+    });
+    inflightRefreshByKey.set(refreshKey, refresh2);
+    return refresh2;
+  }
+  const inflight = inflightRefreshByStore.get(s);
+  if (inflight)
+    return inflight;
+  const refresh = doRefresh(s).finally(() => {
+    inflightRefreshByStore.delete(s);
   });
-  return inflightRefresh;
+  inflightRefreshByStore.set(s, refresh);
+  return refresh;
 }
 async function doRefresh(store) {
   const credentials = await store.read();
@@ -273,7 +291,6 @@ async function scheduleNext(store, bufferMs, failureRetryMs, gen) {
     if (!scheduledRefreshActive || gen !== scheduledRefreshGeneration)
       return;
     claudeLog("token_refresh.scheduled", { ok, immediate: true });
-    console.error(`[token_refresh] scheduled refresh (immediate) ok=${ok}`);
     armTimer(ok ? 0 : failureRetryMs, store, bufferMs, failureRetryMs, gen);
     return;
   }
@@ -293,7 +310,7 @@ function isBackgroundRefreshActive() {
   return scheduledRefreshActive;
 }
 function resetInflightRefresh() {
-  inflightRefresh = null;
+  inflightRefreshByKey.clear();
 }
 
 export { withClaudeLogContext, claudeLog, configDirToKeychainService, configDirToCredentialsFile, serializeCredentials, createPlatformCredentialStore, credentialsFilePathForProfile, refreshOAuthToken, ensureFreshToken, startBackgroundRefresh, stopBackgroundRefresh, isBackgroundRefreshActive, resetInflightRefresh };