@suncreation/crush-auth-proxy 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 suncreation
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,95 @@
+# @suncreation/crush-auth-proxy
+
+Use your **Claude Max subscription** (OAuth) with [Crush CLI](https://github.com/charmbracelet/crush) — no separate Anthropic API key needed.
+
+This proxy sits between Crush and Anthropic's API, injecting Claude Code OAuth credentials so you can use your existing Claude Max plan.
+
+## Quick Start
+
+```bash
+# 1. Login with your Claude account (one-time)
+npx @suncreation/crush-auth-proxy setup-token
+
+# 2. Start the proxy daemon
+npx @suncreation/crush-auth-proxy start
+
+# 3. Configure Crush (see below)
+
+# 4. Use Crush normally
+crush run --model anthropic/claude-opus-4-6 "Hello!"
+```
+
+## Commands
+
+| Command | Description |
+|---------|-------------|
+| `setup-token` | OAuth login — opens browser, saves token locally |
+| `start` | Start proxy as background daemon (port 18080) |
+| `stop` | Stop the daemon |
+| `restart` | Restart the daemon |
+| `status` | Check if proxy is running + token validity |
+| `logs` | Tail daemon logs |
+
+### Options
+
+| Option | Description |
+|--------|-------------|
+| `--port <n>` | Custom port (default: 18080) |
+| `--foreground` | Run in foreground instead of daemon |
+
+## Crush Configuration
+
+Create or edit `~/.config/crush/crush.json`:
+
+```json
+{
+  "providers": {
+    "anthropic": {
+      "id": "anthropic",
+      "type": "anthropic",
+      "base_url": "http://127.0.0.1:18080",
+      "api_key": "proxy-handled"
+    }
+  }
+}
+```
+
+## How It Works
+
+The proxy replicates Claude Code's authentication mechanism:
+
+1. **OAuth PKCE Flow** — Authenticates via `claude.ai` using the same client credentials as Claude Code
+2. **Request Transformation** — Rewrites headers (User-Agent, auth), adds required beta flags, prefixes tool names with `mcp_`
+3. **System Prompt Injection** — Prepends the Claude Code system prompt identifier
+4. **Response Streaming** — Strips `mcp_` prefixes from streamed responses
+5. **Token Auto-Refresh** — Automatically refreshes expired OAuth tokens
+
+## Per-User Storage
+
+All config is stored in `~/.config/crush-auth-proxy/`:
+
+```
+~/.config/crush-auth-proxy/
+  ├── claude-oauth-token.json   # Your OAuth tokens (chmod 0600)
+  ├── proxy.pid                 # Daemon PID
+  └── proxy.log                 # Daemon logs
+```
+
+## Requirements
+
+- Node.js >= 18
+- A Claude Max subscription (claude.ai account)
+- [Crush CLI](https://github.com/charmbracelet/crush) installed
+
+## Supported Models
+
+All Anthropic models available through your Claude Max subscription, including:
+
+- `anthropic/claude-opus-4-6`
+- `anthropic/claude-sonnet-4-5-20250514`
+- `anthropic/claude-haiku-3-5-20241022`
+- And more
+
+## License
+
+MIT

package/bin/crush-auth-proxy.mjs

@@ -0,0 +1,735 @@
+#!/usr/bin/env node
+// ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+// crush-auth-proxy — Claude Code Auth Proxy for Crush CLI
+//
+// Uses your Claude Max subscription via OAuth (same as Claude Code)
+// so you don't need a separate Anthropic API key.
+//
+// Usage:
+//   crush-auth-proxy setup-token        # OAuth login (first time)
+//   crush-auth-proxy start              # start as background daemon
+//   crush-auth-proxy stop               # stop daemon
+//   crush-auth-proxy status             # check if running
+//   crush-auth-proxy restart            # restart daemon
+//   crush-auth-proxy logs               # tail daemon logs
+//   crush-auth-proxy start --port 9090  # custom port
+//   crush-auth-proxy --foreground       # run in foreground (no daemon)
+// ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+import http from "node:http";
+import https from "node:https";
+import crypto from "node:crypto";
+import fs from "node:fs";
+import { execSync, spawn } from "node:child_process";
+import path from "node:path";
+import os from "node:os";
+import { URL, URLSearchParams } from "node:url";
+import { fileURLToPath } from "node:url";
+
+const __filename = fileURLToPath(import.meta.url);
+
+// ── CLI Args ───────────────────────────────────────────────────
+
+const args = process.argv.slice(2);
+const command = args[0];
+
+// ── Constants ──────────────────────────────────────────────────
+
+const CONFIG_DIR = path.join(os.homedir(), ".config", "crush-auth-proxy");
+const TOKEN_FILE = path.join(CONFIG_DIR, "claude-oauth-token.json");
+const PID_FILE = path.join(CONFIG_DIR, "proxy.pid");
+const LOG_FILE = path.join(CONFIG_DIR, "proxy.log");
+
+const ANTHROPIC_API = "api.anthropic.com";
+const OAUTH_HOST = "claude.ai";
+const TOKEN_HOST = "console.anthropic.com";
+const CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+const SPOOFED_UA = "claude-cli/2.1.2 (external, cli)";
+const SYSTEM_PREFIX =
+  "You are Claude Code, Anthropic's official CLI for Claude.";
+
+// Port: --port flag > PORT env > 18080
+let DEFAULT_PORT = 18080;
+const portIdx = args.indexOf("--port");
+if (portIdx !== -1 && args[portIdx + 1]) {
+  DEFAULT_PORT = parseInt(args[portIdx + 1], 10);
+} else if (process.env.PORT) {
+  DEFAULT_PORT = parseInt(process.env.PORT, 10);
+}
+
+// Ensure config directory exists
+fs.mkdirSync(CONFIG_DIR, { recursive: true });
+
+// ── Help ───────────────────────────────────────────────────────
+
+if (args.includes("--help") || args.includes("-h")) {
+  console.log(`
+crush-auth-proxy — Claude Code Auth Proxy for Crush CLI
+
+Uses your Claude Max subscription via OAuth so you don't need
+a separate Anthropic API key with Crush.
+
+COMMANDS:
+  setup-token              OAuth login (run this first!)
+  start                    Start proxy as background daemon
+  stop                     Stop the background daemon
+  restart                  Restart the daemon
+  status                   Check if proxy is running
+  logs                     Tail the proxy log
+
+OPTIONS:
+  --port <port>            Custom port (default: 18080)
+  --foreground             Run in foreground (no daemon)
+  --help, -h               Show this help
+
+ENVIRONMENT:
+  PORT                     Override default port (18080)
+
+QUICK START:
+  1. npx @suncreation/crush-auth-proxy setup-token
+  2. Add to ~/.config/crush/crush.json:
+     {
+       "providers": {
+         "anthropic": {
+           "id": "anthropic",
+           "type": "anthropic",
+           "base_url": "http://127.0.0.1:18080",
+           "api_key": "proxy-handled"
+         }
+       }
+     }
+  3. npx @suncreation/crush-auth-proxy start
+  4. crush run --model anthropic/claude-opus-4-6 "hello"
+
+CONFIG DIR: ~/.config/crush-auth-proxy/
+  `);
+  process.exit(0);
+}
+
+// ── PID Helpers ────────────────────────────────────────────────
+
+function readPid() {
+  try {
+    return parseInt(fs.readFileSync(PID_FILE, "utf8").trim(), 10);
+  } catch {
+    return null;
+  }
+}
+
+function isProcessRunning(pid) {
+  try {
+    process.kill(pid, 0);
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function getRunningPid() {
+  const pid = readPid();
+  if (pid && isProcessRunning(pid)) return pid;
+  if (pid) try { fs.unlinkSync(PID_FILE); } catch {}
+  return null;
+}
+
+function sleepMs(ms) {
+  return new Promise((r) => setTimeout(r, ms));
+}
+
+// ── Token Storage ──────────────────────────────────────────────
+
+function loadToken() {
+  try {
+    return JSON.parse(fs.readFileSync(TOKEN_FILE, "utf8"));
+  } catch {
+    return null;
+  }
+}
+
+function saveToken(token) {
+  fs.mkdirSync(path.dirname(TOKEN_FILE), { recursive: true });
+  fs.writeFileSync(TOKEN_FILE, JSON.stringify(token, null, 2), {
+    mode: 0o600,
+  });
+}
+
+// ── OAuth PKCE Flow ────────────────────────────────────────────
+
+function base64url(buf) {
+  return buf.toString("base64url");
+}
+
+function generatePKCE() {
+  const verifier = base64url(crypto.randomBytes(32));
+  const challenge = base64url(
+    crypto.createHash("sha256").update(verifier).digest()
+  );
+  return { verifier, challenge };
+}
+
+async function httpsRequest(options, body) {
+  return new Promise((resolve, reject) => {
+    const req = https.request(options, (res) => {
+      let data = "";
+      res.on("data", (c) => (data += c));
+      res.on("end", () =>
+        resolve({ status: res.statusCode, body: data, headers: res.headers })
+      );
+    });
+    req.on("error", reject);
+    if (body) req.write(body);
+    req.end();
+  });
+}
+
+async function refreshToken(token) {
+  const params = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: token.refresh_token,
+    client_id: CLIENT_ID,
+  });
+  const body = params.toString();
+  const res = await httpsRequest(
+    {
+      hostname: TOKEN_HOST,
+      path: "/v1/oauth/token",
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+        "Content-Length": Buffer.byteLength(body),
+        "User-Agent": SPOOFED_UA,
+      },
+    },
+    body
+  );
+  if (res.status !== 200) {
+    console.error("[proxy] Token refresh failed:", res.status, res.body);
+    return null;
+  }
+  const data = JSON.parse(res.body);
+  const newToken = {
+    access_token: data.access_token,
+    refresh_token: data.refresh_token || token.refresh_token,
+    expires_at: Date.now() + (data.expires_in || 28800) * 1000,
+  };
+  saveToken(newToken);
+  return newToken;
+}
+
+async function doOAuthLogin() {
+  const { verifier, challenge } = generatePKCE();
+  const state = base64url(crypto.randomBytes(16));
+
+  return new Promise((resolve, reject) => {
+    const callbackServer = http.createServer(async (req, res) => {
+      const url = new URL(req.url, "http://localhost");
+      if (!url.pathname.startsWith("/oauth/callback")) {
+        res.writeHead(404);
+        res.end("Not found");
+        return;
+      }
+      const code = url.searchParams.get("code");
+      const returnedState = url.searchParams.get("state");
+      if (returnedState !== state) {
+        res.writeHead(400);
+        res.end("State mismatch");
+        return;
+      }
+
+      const params = new URLSearchParams({
+        grant_type: "authorization_code",
+        code,
+        redirect_uri: `http://localhost:${callbackPort}/oauth/callback`,
+        client_id: CLIENT_ID,
+        code_verifier: verifier,
+      });
+      const body = params.toString();
+
+      try {
+        const tokenRes = await httpsRequest(
+          {
+            hostname: TOKEN_HOST,
+            path: "/v1/oauth/token",
+            method: "POST",
+            headers: {
+              "Content-Type": "application/x-www-form-urlencoded",
+              "Content-Length": Buffer.byteLength(body),
+              "User-Agent": SPOOFED_UA,
+            },
+          },
+          body
+        );
+
+        if (tokenRes.status !== 200) {
+          res.writeHead(500);
+          res.end("Token exchange failed: " + tokenRes.body);
+          callbackServer.close();
+          reject(new Error("Token exchange failed"));
+          return;
+        }
+
+        const data = JSON.parse(tokenRes.body);
+        const token = {
+          access_token: data.access_token,
+          refresh_token: data.refresh_token,
+          expires_at: Date.now() + (data.expires_in || 28800) * 1000,
+        };
+        saveToken(token);
+
+        res.writeHead(200, { "Content-Type": "text/html" });
+        res.end(
+          "<html><body><h2>Login successful! You can close this tab.</h2></body></html>"
+        );
+        callbackServer.close();
+        resolve(token);
+      } catch (e) {
+        res.writeHead(500);
+        res.end("Error: " + e.message);
+        callbackServer.close();
+        reject(e);
+      }
+    });
+
+    let callbackPort;
+    callbackServer.listen(0, () => {
+      callbackPort = callbackServer.address().port;
+      const authUrl =
+        `https://${OAUTH_HOST}/oauth/authorize?` +
+        new URLSearchParams({
+          response_type: "code",
+          client_id: CLIENT_ID,
+          redirect_uri: `http://localhost:${callbackPort}/oauth/callback`,
+          scope: "user:inference",
+          state,
+          code_challenge: challenge,
+          code_challenge_method: "S256",
+        }).toString();
+
+      console.log("[proxy] Opening browser for OAuth login...");
+      console.log("[proxy] If browser doesn't open, visit:", authUrl);
+      try {
+        const platform = os.platform();
+        if (platform === "darwin") {
+          execSync(`open "${authUrl}"`);
+        } else if (platform === "win32") {
+          execSync(`start "${authUrl}"`);
+        } else {
+          execSync(`xdg-open "${authUrl}"`);
+        }
+      } catch {
+        console.log("[proxy] Could not open browser automatically.");
+      }
+    });
+
+    setTimeout(() => {
+      callbackServer.close();
+      reject(new Error("OAuth login timed out after 120s"));
+    }, 120000);
+  });
+}
+
+// ── Get Valid Token ────────────────────────────────────────────
+
+async function getValidToken() {
+  let token = loadToken();
+
+  if (!token) {
+    console.log("[proxy] No saved token found. Starting OAuth login...");
+    token = await doOAuthLogin();
+  }
+
+  if (token.expires_at - Date.now() < 5 * 60 * 1000) {
+    console.log("[proxy] Token expiring soon, refreshing...");
+    const refreshed = await refreshToken(token);
+    if (refreshed) return refreshed;
+    console.log("[proxy] Refresh failed, starting fresh login...");
+    return doOAuthLogin();
+  }
+
+  return token;
+}
+
+// ── Command: setup-token ───────────────────────────────────────
+
+if (command === "setup-token") {
+  console.log("[setup] Starting OAuth login for Claude Max...");
+  console.log(`[setup] Tokens will be saved to: ${TOKEN_FILE}`);
+  try {
+    const token = await doOAuthLogin();
+    console.log("[setup] Login successful!");
+    console.log(`[setup] Token saved to: ${TOKEN_FILE}`);
+    console.log(`[setup] Expires: ${new Date(token.expires_at).toLocaleString()}`);
+    console.log("\n[setup] Now start the proxy:");
+    console.log("  npx @suncreation/crush-auth-proxy start\n");
+  } catch (e) {
+    console.error("[setup] Login failed:", e.message);
+    process.exit(1);
+  }
+  process.exit(0);
+}
+
+// ── Command: status ────────────────────────────────────────────
+
+if (command === "status") {
+  const pid = getRunningPid();
+  if (pid) {
+    console.log(`[proxy] Running (PID ${pid}) on port ${DEFAULT_PORT}`);
+    try {
+      const res = execSync(`curl -s http://127.0.0.1:${DEFAULT_PORT}/health`, {
+        timeout: 3000,
+      }).toString();
+      console.log(`[proxy] Health: ${res}`);
+    } catch {
+      console.log("[proxy] Warning: PID exists but health check failed");
+    }
+  } else {
+    console.log("[proxy] Not running");
+  }
+  const token = loadToken();
+  if (token) {
+    const remaining = token.expires_at - Date.now();
+    if (remaining > 0) {
+      console.log(`[proxy] Token valid (expires: ${new Date(token.expires_at).toLocaleString()})`);
+    } else {
+      console.log(`[proxy] Token expired — will auto-refresh on next request`);
+    }
+  } else {
+    console.log("[proxy] No token — run: crush-auth-proxy setup-token");
+  }
+  process.exit(0);
+}
+
+// ── Command: stop ──────────────────────────────────────────────
+
+if (command === "stop") {
+  const pid = getRunningPid();
+  if (!pid) {
+    console.log("[proxy] Not running");
+    process.exit(0);
+  }
+  try {
+    process.kill(pid, "SIGTERM");
+    for (let i = 0; i < 50; i++) {
+      if (!isProcessRunning(pid)) break;
+      await sleepMs(100);
+    }
+    if (isProcessRunning(pid)) process.kill(pid, "SIGKILL");
+    try { fs.unlinkSync(PID_FILE); } catch {}
+    console.log(`[proxy] Stopped (PID ${pid})`);
+  } catch (e) {
+    console.error(`[proxy] Failed to stop PID ${pid}:`, e.message);
+    try { fs.unlinkSync(PID_FILE); } catch {}
+  }
+  process.exit(0);
+}
+
+// ── Command: restart ───────────────────────────────────────────
+
+if (command === "restart") {
+  const pid = getRunningPid();
+  if (pid) {
+    try {
+      process.kill(pid, "SIGTERM");
+      for (let i = 0; i < 50; i++) {
+        if (!isProcessRunning(pid)) break;
+        await sleepMs(100);
+      }
+      if (isProcessRunning(pid)) process.kill(pid, "SIGKILL");
+      try { fs.unlinkSync(PID_FILE); } catch {}
+      console.log(`[proxy] Stopped old process (PID ${pid})`);
+    } catch {}
+  }
+  // Fall through to start logic below
+}
+
+// ── Command: logs ──────────────────────────────────────────────
+
+if (command === "logs") {
+  if (!fs.existsSync(LOG_FILE)) {
+    console.log("[proxy] No log file yet:", LOG_FILE);
+    process.exit(0);
+  }
+  try {
+    execSync(`tail -f "${LOG_FILE}"`, { stdio: "inherit" });
+  } catch {}
+  process.exit(0);
+}
+
+// ── Command: start (daemon mode) ──────────────────────────────
+
+if (command === "start" || command === "restart") {
+  const existingPid = getRunningPid();
+  if (existingPid && command === "start") {
+    console.log(`[proxy] Already running (PID ${existingPid})`);
+    console.log("[proxy] Use 'restart' to restart, or 'stop' to stop");
+    process.exit(0);
+  }
+
+  const token = loadToken();
+  if (!token) {
+    console.log("[proxy] No token found. Run setup first:");
+    console.log("  npx @suncreation/crush-auth-proxy setup-token");
+    process.exit(1);
+  }
+
+  // Spawn detached child with --foreground
+  const portArgs = portIdx !== -1 ? ["--port", String(DEFAULT_PORT)] : [];
+  const logStream = fs.openSync(LOG_FILE, "a");
+
+  const child = spawn(process.execPath, [__filename, "--foreground", ...portArgs], {
+    detached: true,
+    stdio: ["ignore", logStream, logStream],
+    env: { ...process.env },
+  });
+
+  fs.writeFileSync(PID_FILE, String(child.pid));
+  child.unref();
+
+  await sleepMs(1000);
+
+  if (isProcessRunning(child.pid)) {
+    console.log(`[proxy] Started as daemon (PID ${child.pid})`);
+    console.log(`[proxy] Listening on http://127.0.0.1:${DEFAULT_PORT}`);
+    console.log(`[proxy] Logs: ${LOG_FILE}`);
+    console.log(`[proxy] Token expires: ${new Date(token.expires_at).toLocaleString()}`);
+  } else {
+    console.error("[proxy] Failed to start. Check logs:");
+    console.error(`  tail ${LOG_FILE}`);
+    try { fs.unlinkSync(PID_FILE); } catch {}
+    process.exit(1);
+  }
+  process.exit(0);
+}
+
+// ── Default (no command) — show usage ──────────────────────────
+
+if (!command || (command !== "--foreground" && !args.includes("--foreground"))) {
+  console.log(`crush-auth-proxy — Claude Code Auth Proxy for Crush CLI
+
+COMMANDS:
+  setup-token    OAuth login (run this first!)
+  start          Start proxy as background daemon
+  stop           Stop the daemon
+  restart        Restart the daemon
+  status         Check if running
+  logs           Tail proxy logs
+  --help         Full help
+
+QUICK START:
+  npx @suncreation/crush-auth-proxy setup-token
+  npx @suncreation/crush-auth-proxy start
+`);
+  process.exit(0);
+}
+
+// ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+// FOREGROUND SERVER — used by daemon spawn or --foreground flag
+// ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
+
+function readBody(req) {
+  return new Promise((resolve) => {
+    const chunks = [];
+    req.on("data", (c) => chunks.push(c));
+    req.on("end", () => resolve(Buffer.concat(chunks)));
+  });
+}
+
+// Write PID for foreground mode
+fs.writeFileSync(PID_FILE, String(process.pid));
+
+// Clean up on exit
+function cleanup() {
+  try { fs.unlinkSync(PID_FILE); } catch {}
+  process.exit(0);
+}
+process.on("SIGTERM", cleanup);
+process.on("SIGINT", cleanup);
+
+const server = http.createServer(async (req, res) => {
+  // Health check
+  if (req.method === "GET" && req.url === "/health") {
+    res.writeHead(200);
+    res.end("ok");
+    return;
+  }
+
+  const bodyBuf = await readBody(req);
+  let token;
+  try {
+    token = await getValidToken();
+  } catch (e) {
+    console.error("[proxy] Auth error:", e.message);
+    res.writeHead(401, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: { type: "auth_error", message: e.message } }));
+    return;
+  }
+
+  // Parse and modify request body — match OpenCode's exact spoofing logic
+  const TOOL_PREFIX = "mcp_";
+  let bodyStr = bodyBuf.toString("utf8");
+  if (req.url?.includes("/messages") && bodyStr) {
+    try {
+      const parsed = JSON.parse(bodyStr);
+
+      // 1. System prompt: prepend Claude Code prefix
+      if (parsed.system) {
+        if (typeof parsed.system === "string") {
+          if (!parsed.system.includes(SYSTEM_PREFIX)) {
+            parsed.system = SYSTEM_PREFIX + "\n\n" + parsed.system;
+          }
+        } else if (Array.isArray(parsed.system)) {
+          const hasPrefix = parsed.system.some(
+            (b) => b.type === "text" && b.text?.includes(SYSTEM_PREFIX)
+          );
+          if (!hasPrefix) {
+            parsed.system.unshift({ type: "text", text: SYSTEM_PREFIX });
+          }
+        }
+      } else {
+        parsed.system = SYSTEM_PREFIX;
+      }
+
+      // 2. System prompt sanitization — replace app name references
+      if (parsed.system && Array.isArray(parsed.system)) {
+        parsed.system = parsed.system.map((item) => {
+          if (item.type === "text" && item.text) {
+            return {
+              ...item,
+              text: item.text
+                .replace(/Crush/g, "Claude Code")
+                .replace(/(?<!\/)crush/gi, "Claude"),
+            };
+          }
+          return item;
+        });
+      } else if (typeof parsed.system === "string") {
+        parsed.system = parsed.system
+          .replace(/Crush/g, "Claude Code")
+          .replace(/(?<!\/)crush/gi, "Claude");
+      }
+
+      // 3. Tool name mcp_ prefixing
+      if (parsed.tools && Array.isArray(parsed.tools)) {
+        parsed.tools = parsed.tools.map((tool) => ({
+          ...tool,
+          name: tool.name ? `${TOOL_PREFIX}${tool.name}` : tool.name,
+        }));
+      }
+
+      // 4. Prefix tool_use blocks in messages
+      if (parsed.messages && Array.isArray(parsed.messages)) {
+        parsed.messages = parsed.messages.map((msg) => {
+          if (msg.content && Array.isArray(msg.content)) {
+            msg.content = msg.content.map((block) => {
+              if (block.type === "tool_use" && block.name) {
+                return { ...block, name: `${TOOL_PREFIX}${block.name}` };
+              }
+              return block;
+            });
+          }
+          return msg;
+        });
+      }
+
+      bodyStr = JSON.stringify(parsed);
+    } catch {}
+  }
+
+  // Build upstream request
+  const upstreamPath = req.url?.includes("?")
+    ? req.url + "&beta=true"
+    : req.url + "?beta=true";
+
+  const upstreamHeaders = {
+    "Content-Type": "application/json",
+    "Content-Length": Buffer.byteLength(bodyStr),
+    Authorization: `Bearer ${token.access_token}`,
+    "anthropic-version": "2023-06-01",
+    "anthropic-beta": "oauth-2025-04-20,interleaved-thinking-2025-05-14",
+    "User-Agent": SPOOFED_UA,
+  };
+
+  const proxyReq = https.request(
+    {
+      hostname: ANTHROPIC_API,
+      port: 443,
+      path: upstreamPath,
+      method: req.method,
+      headers: upstreamHeaders,
+    },
+    (proxyRes) => {
+      if (proxyRes.statusCode === 401) {
+        let errBody = "";
+        proxyRes.on("data", (c) => (errBody += c));
+        proxyRes.on("end", async () => {
+          console.log("[proxy] Got 401, attempting token refresh...");
+          const refreshed = await refreshToken(token);
+          if (refreshed) {
+            console.log("[proxy] Token refreshed, retrying...");
+            upstreamHeaders.Authorization = `Bearer ${refreshed.access_token}`;
+            upstreamHeaders["Content-Length"] = Buffer.byteLength(bodyStr);
+            const retryReq = https.request(
+              {
+                hostname: ANTHROPIC_API,
+                port: 443,
+                path: upstreamPath,
+                method: req.method,
+                headers: upstreamHeaders,
+              },
+              (retryRes) => {
+                res.writeHead(retryRes.statusCode, retryRes.headers);
+                retryRes.on("data", (chunk) => {
+                  let text = chunk.toString("utf8");
+                  text = text.replace(/"name"\s*:\s*"mcp_([^"]+)"/g, '"name": "$1"');
+                  res.write(text);
+                });
+                retryRes.on("end", () => res.end());
+              }
+            );
+            retryReq.on("error", (e) => {
+              res.writeHead(502);
+              res.end(JSON.stringify({ error: { message: e.message } }));
+            });
+            retryReq.write(bodyStr);
+            retryReq.end();
+          } else {
+            res.writeHead(401, { "Content-Type": "application/json" });
+            res.end(errBody);
+          }
+        });
+        return;
+      }
+
+      res.writeHead(proxyRes.statusCode, proxyRes.headers);
+      proxyRes.on("data", (chunk) => {
+        let text = chunk.toString("utf8");
+        text = text.replace(/"name"\s*:\s*"mcp_([^"]+)"/g, '"name": "$1"');
+        res.write(text);
+      });
+      proxyRes.on("end", () => res.end());
+    }
+  );
+
+  proxyReq.on("error", (e) => {
+    console.error("[proxy] Upstream error:", e.message);
+    res.writeHead(502, { "Content-Type": "application/json" });
+    res.end(JSON.stringify({ error: { type: "proxy_error", message: e.message } }));
+  });
+
+  proxyReq.write(bodyStr);
+  proxyReq.end();
+
+  console.log(`[proxy] ${req.method} ${req.url} → ${ANTHROPIC_API}${upstreamPath}`);
+});
+
+server.listen(DEFAULT_PORT, "127.0.0.1", () => {
+  console.log(`[proxy] Claude Code Auth Proxy listening on http://127.0.0.1:${DEFAULT_PORT}`);
+  console.log(`[proxy] PID: ${process.pid} | Config: ${CONFIG_DIR}`);
+
+  const token = loadToken();
+  if (token) {
+    console.log(`[proxy] Token loaded (expires: ${new Date(token.expires_at).toLocaleString()})`);
+  } else {
+    console.log("[proxy] No token — will prompt OAuth on first request");
+  }
+});

package/package.json

@@ -0,0 +1,32 @@
+{
+  "name": "@suncreation/crush-auth-proxy",
+  "version": "1.0.0",
+  "description": "Claude Code Auth Proxy for Crush CLI — Use your Claude Max subscription (OAuth) instead of API keys",
+  "type": "module",
+  "bin": {
+    "crush-auth-proxy": "bin/crush-auth-proxy.mjs"
+  },
+  "keywords": [
+    "crush",
+    "claude",
+    "anthropic",
+    "oauth",
+    "proxy",
+    "claude-code",
+    "claude-max"
+  ],
+  "author": "suncreation",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/suncreation/crush-auth-proxy.git"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "files": [
+    "bin/",
+    "README.md",
+    "LICENSE"
+  ]
+}