@rynfar/meridian 1.43.0 → 1.44.1

package/README.md

@@ -197,7 +197,7 @@ The system prompt controls are independent — any combination works:
 
 The core question is **who executes the tools** — the SDK or the client?
 
-- **Passthrough mode** (default for OpenCode) — Claude generates tool calls, but Meridian captures them and sends them back to the client for execution. The client runs the tool using its own implementation, with its own sandboxing, file tracking, and UI, then sends the result in the next request. This is how OpenCode, oh-my-opencagent (OMO), and most coding agents work — they have their own read/write/bash tools and need to stay in control of what runs on the user's machine.
+- **Passthrough mode** (default for OpenCode and Pi) — Claude generates tool calls, but Meridian captures them and sends them back to the client for execution. The client runs the tool using its own implementation, with its own sandboxing, file tracking, and UI, then sends the result in the next request. This is how OpenCode, oh-my-opencagent (OMO), and most coding agents work — they have their own read/write/bash tools and need to stay in control of what runs on the user's machine.
 - **Internal mode** — Claude Code handles everything. The SDK executes tools directly on the host, runs its full agent loop, and returns the final result. This is for clients that are purely chat interfaces (Open WebUI, simple API consumers) with no tool execution of their own.
 
 Most users don't need to configure anything — the adapter sets the right mode automatically. To override:
@@ -239,6 +239,20 @@ meridian profile add work
 
 > **⚠ Important:** Claude's OAuth reuses your browser session. Before adding a second account, sign out of claude.ai and sign into the other account first.
 
+#### Headless / SSH: complete Claude OAuth with a pasted code
+
+When you still want a normal Claude Max browser-login profile but the Meridian host cannot open a browser (SSH, WSL, containers, remote servers), use `--headless`. Meridian prints a Claude OAuth URL, prompts for the returned code, exchanges it with PKCE, and saves the resulting credentials into the profile's isolated `CLAUDE_CONFIG_DIR`:
+
+```bash
+meridian profile add work --headless
+```
+
+Open the printed URL in a browser, sign in to the target Claude account, then paste the returned code at Meridian's `Paste code:` prompt. For an existing browser-login profile:
+
+```bash
+meridian profile login work --headless
+```
+
 #### Headless / CI: register an OAuth token
 
 When a browser isn't available (containers, CI runners, remote shells), generate a long-lived OAuth token with `claude setup-token` and register it as a profile:
@@ -269,11 +283,11 @@ You can also switch profiles from the web UI at `http://127.0.0.1:3456/profiles`
 
 | Command | Description |
 |---------|-------------|
-| `meridian profile add <name>` | Add a profile and authenticate via browser |
+| `meridian profile add <name> [--headless]` | Add a profile and authenticate via Claude OAuth; `--headless` prints a URL, prompts for the returned code, and stores the exchanged credentials |
 | `meridian profile add <name> --oauth-token [TOKEN]` | Add a headless profile from a `claude setup-token` value (prompts when `TOKEN` is omitted) |
 | `meridian profile list` | List profiles and auth status |
 | `meridian profile switch <name>` | Switch the active profile (requires running proxy) |
-| `meridian profile login <name>` | Re-authenticate an expired profile (browser-login profiles only) |
+| `meridian profile login <name> [--headless]` | Re-authenticate an expired profile (browser-login profiles only); `--headless` uses the URL/code flow |
 | `meridian profile remove <name>` | Remove a profile and its credentials |
 
 ### How it works
@@ -361,9 +375,11 @@ Add a provider to `~/.config/crush/crush.json`:
       "base_url": "http://127.0.0.1:3456",
       "api_key": "dummy",
       "models": [
-        { "id": "claude-sonnet-4-6", "name": "Claude Sonnet 4.6 (1M)", "context_window": 1000000, "default_max_tokens": 64000, "can_reason": true, "supports_attachments": true },
-        { "id": "claude-opus-4-6",   "name": "Claude Opus 4.6 (1M)",   "context_window": 1000000, "default_max_tokens": 32768, "can_reason": true, "supports_attachments": true },
-        { "id": "claude-haiku-4-5-20251001", "name": "Claude Haiku 4.5", "context_window": 200000, "default_max_tokens": 16384, "can_reason": true, "supports_attachments": true }
+        { "id": "claude-opus-4-8",   "name": "Claude Opus 4.8 (1M)",    "context_window": 1000000, "default_max_tokens": 32768, "can_reason": true, "supports_attachments": true },
+        { "id": "claude-opus-4-7",   "name": "Claude Opus 4.7 (1M)",    "context_window": 1000000, "default_max_tokens": 32768, "can_reason": true, "supports_attachments": true },
+        { "id": "claude-sonnet-4-6", "name": "Claude Sonnet 4.6 (1M)",  "context_window": 1000000, "default_max_tokens": 64000, "can_reason": true, "supports_attachments": true },
+        { "id": "claude-opus-4-6",   "name": "Claude Opus 4.6 (1M)",    "context_window": 1000000, "default_max_tokens": 32768, "can_reason": true, "supports_attachments": true },
+        { "id": "claude-haiku-4-5-20251001", "name": "Claude Haiku 4.5", "context_window": 200000,  "default_max_tokens": 16384, "can_reason": true, "supports_attachments": true }
       ]
     }
   }
@@ -384,6 +400,8 @@ Add Meridian as a custom model provider in `~/.factory/settings.json`:
 ```json
 {
   "customModels": [
+    { "model": "claude-opus-4-8",         "name": "Opus 4.8 (Meridian)",   "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
+    { "model": "claude-opus-4-7",         "name": "Opus 4.7 (Meridian)",   "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
     { "model": "claude-sonnet-4-6",       "name": "Sonnet 4.6 (Meridian)", "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
     { "model": "claude-opus-4-6",         "name": "Opus 4.6 (Meridian)",   "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
     { "model": "claude-haiku-4-5-20251001", "name": "Haiku 4.5 (Meridian)", "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" }
@@ -508,6 +526,8 @@ Pi uses the `@mariozechner/pi-ai` library which supports a configurable `baseUrl
 
 Pi mimics Claude Code's User-Agent, so automatic detection isn't possible. The `x-meridian-agent: pi` header in the config above tells Meridian to use the Pi adapter. Alternatively, if Pi is your only agent, you can set `MERIDIAN_DEFAULT_AGENT=pi` as an env var instead.
 
+Pi runs in passthrough mode by default — it executes its own tools and Meridian just forwards the `tool_use` blocks. Opt out with `MERIDIAN_PASSTHROUGH=0`.
+
 ### Claude Code
 
 Claude Code can point at Meridian like any other Anthropic API client. The
@@ -555,7 +575,7 @@ export ANTHROPIC_BASE_URL=http://127.0.0.1:3456
 | [Cline](https://github.com/cline/cline) | ✅ Verified | Config (see above) — full tool support, file read/write/edit, bash, session resume |
 | [Aider](https://github.com/paul-gauthier/aider) | ✅ Verified | Env vars — file editing, streaming; `--no-stream` broken (litellm bug) |
 | [Open WebUI](https://github.com/open-webui/open-webui) | ✅ Verified | OpenAI-compatible endpoints — set base URL to `http://127.0.0.1:3456` |
-| [Pi](https://github.com/mariozechner/pi-coding-agent) | ✅ Verified | models.json config (see above) — requires `MERIDIAN_DEFAULT_AGENT=pi` |
+| [Pi](https://github.com/mariozechner/pi-coding-agent) | ✅ Verified | models.json config (see above) — full tool support via passthrough; detected via `x-meridian-agent: pi` header |
 | [Claude Code](https://docs.anthropic.com/en/docs/claude-code) | ✅ Verified | `ANTHROPIC_BASE_URL` — remote clients share a Max subscription over the network; client CWD preserved in system prompt |
 | [Continue](https://github.com/continuedev/continue) | 🔲 Untested | OpenAI-compatible endpoints should work — set `apiBase` to `http://127.0.0.1:3456` |
 
@@ -734,11 +754,11 @@ export default {
 |---------|-------------|
 | `meridian` | Start the proxy server |
 | `meridian setup` | Configure the OpenCode plugin in `~/.config/opencode/opencode.json` |
-| `meridian profile add <name>` | Add a profile and authenticate via browser |
+| `meridian profile add <name> [--headless]` | Add a profile and authenticate via Claude OAuth; `--headless` prints a URL, prompts for the returned code, and stores the exchanged credentials |
 | `meridian profile add <name> --oauth-token [TOKEN]` | Add a headless profile from a `claude setup-token` value (prompts when `TOKEN` is omitted) |
 | `meridian profile list` | List all profiles and their auth status |
 | `meridian profile switch <name>` | Switch the active profile (requires running proxy) |
-| `meridian profile login <name>` | Re-authenticate an expired profile (browser-login profiles only) |
+| `meridian profile login <name> [--headless]` | Re-authenticate an expired profile (browser-login profiles only); `--headless` uses the URL/code flow |
 | `meridian profile remove <name>` | Remove a profile and its credentials |
 | `meridian refresh-token` | Manually refresh the Claude OAuth token (exits 0/1) |
 
@@ -840,6 +860,21 @@ meridian refresh-token
 curl -X POST http://127.0.0.1:3456/auth/refresh
 ```
 
+**I'm getting `400 You're out of extra usage` only when tools are present. What do I do?**
+First confirm the failure pattern: a tiny no-tool request succeeds, but the same client fails once it sends tool definitions. If that is the case, beta-header stripping and model fallback usually will not help because the request body still contains agentic tool context.
+
+For the affected adapter, try disabling the connecting client's system prompt while keeping the Claude Code prompt enabled:
+
+```bash
+curl -X PATCH http://127.0.0.1:3456/settings/api/features/pi \
+  -H 'Content-Type: application/json' \
+  -d '{"clientSystemPrompt":false,"codeSystemPrompt":true}'
+```
+
+Replace `pi` with the adapter you use (`opencode`, `crush`, `forgecode`, `droid`, `passthrough`, or `openai`). You can make the same change in the `/settings` UI under **SDK Feature Toggles**. (The `openai` adapter — used by the `/v1/chat/completions` endpoint — already defaults `codeSystemPrompt` to off, so on that one you typically only need `clientSystemPrompt:false`.)
+
+This keeps the SDK's preset prompt and tool bridge, but removes the external client's large agent prompt from the request. That may help when the error is triggered by the combination of tool definitions plus client prompt context. The tradeoff is that the connected agent may behave more like vanilla Claude Code because its own persona and workflow instructions are no longer included. If it still fails, the remaining options are to use fewer/no tools for that client, enable Extra Usage/API billing, or switch to a local/provider-backed model for that workflow. See [#516](https://github.com/rynfar/meridian/issues/516) for the current debugging thread.
+
 **I'm hitting rate limits on 1M context. What do I do?**
 Meridian defaults Sonnet to 200k context because Sonnet 1M is always billed as Extra Usage on Max plans — even when regular usage isn't exhausted. This is [Anthropic's intended billing model](https://code.claude.com/docs/en/model-config#extended-context), not a bug. Set `MERIDIAN_SONNET_MODEL=sonnet[1m]` to opt in if you have Extra Usage enabled and understand the billing implications. Opus defaults to 1M context, which is included with Max/Team/Enterprise subscriptions at no extra cost. Note: there is a [known upstream bug](https://github.com/anthropics/claude-code/issues/39841) where Claude Code incorrectly gates Opus 1M behind Extra Usage on Max — this is Anthropic's to fix.
 

package/dist/{cli-7k1fcprd.js → cli-1kbcm3yn.js}

@@ -1,10 +1,10 @@
 // src/proxy/tokenRefresh.ts
-import { execFile as execFileCb } from "child_process";
-import { existsSync, readFileSync, writeFileSync, mkdirSync } from "fs";
-import { homedir, platform, userInfo } from "os";
-import { join, dirname, resolve } from "path";
-import { createHash } from "crypto";
-import { promisify } from "util";
+import { execFile as execFileCb } from "node:child_process";
+import { createHash } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from "node:fs";
+import { homedir, platform, userInfo } from "node:os";
+import { dirname, join, resolve } from "node:path";
+import { promisify } from "node:util";
 
 // src/logger.ts
 import { AsyncLocalStorage } from "node:async_hooks";
@@ -102,6 +102,7 @@ function parseKeychainValue(raw) {
 var keychainWasHexByService = new Map;
 function buildMacosStore(serviceName) {
   return {
+    refreshKey: `keychain:${serviceName}`,
     async read() {
       try {
         const { stdout } = await execFile("/usr/bin/security", ["find-generic-password", "-s", serviceName, "-a", userInfo().username, "-w"], { timeout: 5000 });
@@ -131,24 +132,26 @@ function buildMacosStore(serviceName) {
 }
 var macosStore = buildMacosStore(KEYCHAIN_SERVICE);
 function buildFileStore(filePath) {
+  const absPath = resolve(filePath);
   return {
+    refreshKey: `file:${absPath}`,
     async read() {
       try {
-        if (!existsSync(filePath))
+        if (!existsSync(absPath))
           return null;
-        return JSON.parse(readFileSync(filePath, "utf-8"));
+        return JSON.parse(readFileSync(absPath, "utf-8"));
       } catch (err) {
-        claudeLog("token_refresh.file_read_failed", { path: filePath, error: String(err) });
+        claudeLog("token_refresh.file_read_failed", { path: absPath, error: String(err) });
         return null;
       }
     },
     async write(credentials) {
       try {
-        mkdirSync(dirname(filePath), { recursive: true });
-        writeFileSync(filePath, serializeCredentials(credentials), "utf-8");
+        mkdirSync(dirname(absPath), { recursive: true });
+        writeFileSync(absPath, serializeCredentials(credentials), "utf-8");
         return true;
       } catch (err) {
-        claudeLog("token_refresh.file_write_failed", { path: filePath, error: String(err) });
+        claudeLog("token_refresh.file_write_failed", { path: absPath, error: String(err) });
         return false;
       }
     }
@@ -167,14 +170,29 @@ function createPlatformCredentialStore(opts) {
 function credentialsFilePathForProfile(claudeConfigDir) {
   return claudeConfigDir ? configDirToCredentialsFile(claudeConfigDir) : CREDENTIALS_FILE;
 }
-var inflightRefresh = null;
+var inflightRefreshByKey = new Map;
+var inflightRefreshByStore = new WeakMap;
 async function refreshOAuthToken(store) {
-  if (inflightRefresh)
-    return inflightRefresh;
-  inflightRefresh = doRefresh(store ?? createPlatformCredentialStore()).finally(() => {
-    inflightRefresh = null;
+  const s = store ?? createPlatformCredentialStore();
+  const refreshKey = s.refreshKey;
+  if (refreshKey) {
+    const inflight2 = inflightRefreshByKey.get(refreshKey);
+    if (inflight2)
+      return inflight2;
+    const refresh2 = doRefresh(s).finally(() => {
+      inflightRefreshByKey.delete(refreshKey);
+    });
+    inflightRefreshByKey.set(refreshKey, refresh2);
+    return refresh2;
+  }
+  const inflight = inflightRefreshByStore.get(s);
+  if (inflight)
+    return inflight;
+  const refresh = doRefresh(s).finally(() => {
+    inflightRefreshByStore.delete(s);
   });
-  return inflightRefresh;
+  inflightRefreshByStore.set(s, refresh);
+  return refresh;
 }
 async function doRefresh(store) {
   const credentials = await store.read();
@@ -273,7 +291,6 @@ async function scheduleNext(store, bufferMs, failureRetryMs, gen) {
     if (!scheduledRefreshActive || gen !== scheduledRefreshGeneration)
       return;
     claudeLog("token_refresh.scheduled", { ok, immediate: true });
-    console.error(`[token_refresh] scheduled refresh (immediate) ok=${ok}`);
     armTimer(ok ? 0 : failureRetryMs, store, bufferMs, failureRetryMs, gen);
     return;
   }
@@ -293,7 +310,7 @@ function isBackgroundRefreshActive() {
   return scheduledRefreshActive;
 }
 function resetInflightRefresh() {
-  inflightRefresh = null;
+  inflightRefreshByKey.clear();
 }
 
 export { withClaudeLogContext, claudeLog, configDirToKeychainService, configDirToCredentialsFile, serializeCredentials, createPlatformCredentialStore, credentialsFilePathForProfile, refreshOAuthToken, ensureFreshToken, startBackgroundRefresh, stopBackgroundRefresh, isBackgroundRefreshActive, resetInflightRefresh };