@vacbo/opencode-anthropic-fix 0.0.44 → 0.1.1

package/src/__tests__/sanitization-regex.test.ts

@@ -0,0 +1,65 @@
+/**
+ * Regex word-boundary regression tests (Task 9 from quality-refactor plan)
+ *
+ * Verifies that sanitization regexes use \b word boundaries so they don't
+ * create false positive matches inside compound words.
+ */
+
+import { describe, it, expect } from "vitest";
+
+import { sanitizeSystemText } from "../system-prompt/sanitize.js";
+
+describe("sanitizeSystemText word boundaries", () => {
+  it("replaces the PascalCase word 'OpenCode' with 'Claude Code'", () => {
+    const result = sanitizeSystemText("Run OpenCode first", true);
+    expect(result).not.toContain("OpenCode");
+    expect(result).toContain("Claude Code");
+  });
+
+  it("replaces the lowercase word 'opencode' with 'Claude'", () => {
+    // Per sanitize.ts, /\bopencode\b/gi → "Claude" (not "Claude Code")
+    const result = sanitizeSystemText("use opencode here", true);
+    expect(result).not.toContain("opencode");
+    expect(result).toContain("Claude");
+  });
+
+  it("does NOT replace 'myopencode' (word boundary on left)", () => {
+    const result = sanitizeSystemText("the myopencode binary", true);
+    expect(result).toContain("myopencode");
+  });
+
+  it("does NOT replace 'opencoder' (word boundary on right)", () => {
+    const result = sanitizeSystemText("known as opencoder", true);
+    expect(result).toContain("opencoder");
+  });
+
+  it("does NOT replace 'preopencode' (word boundary on both sides)", () => {
+    const result = sanitizeSystemText("run preopencode first", true);
+    expect(result).toContain("preopencode");
+  });
+
+  it("handles mixed content correctly", () => {
+    const result = sanitizeSystemText("use opencode inside myopencode directory", true);
+    // Standalone "opencode" becomes "Claude"
+    expect(result).toContain("Claude");
+    // "myopencode" is preserved because of word boundary
+    expect(result).toContain("myopencode");
+  });
+
+  it("preserves text when enabled=false", () => {
+    const result = sanitizeSystemText("use opencode here", false);
+    expect(result).toContain("opencode");
+  });
+
+  it("replaces 'Sisyphus' with 'Claude Code Agent'", () => {
+    const result = sanitizeSystemText("from the Sisyphus agent", true);
+    expect(result).not.toContain("Sisyphus");
+    expect(result).toContain("Claude Code Agent");
+  });
+
+  it("replaces 'morph_edit' with 'edit' at word boundaries", () => {
+    const result = sanitizeSystemText("call morph_edit tool", true);
+    expect(result).not.toContain("morph_edit");
+    expect(result).toContain("edit");
+  });
+});

package/src/__tests__/state-bounds.test.ts

@@ -0,0 +1,110 @@
+/**
+ * Unbounded state bounds tests (Task 13 from quality-refactor plan)
+ *
+ * Verifies cap helpers enforce FIFO eviction and TTL cleanup for
+ * long-lived in-memory collections.
+ */
+
+import { describe, it, expect } from "vitest";
+
+import { capFileAccountMap, FILE_ACCOUNT_MAP_MAX_SIZE } from "../commands/router.js";
+import { pruneExpiredPendingOAuth, PENDING_OAUTH_TTL_MS, type PendingOAuthEntry } from "../commands/oauth-flow.js";
+
+function makePendingEntry(createdAt: number): PendingOAuthEntry {
+  return {
+    mode: "login",
+    verifier: "test-verifier",
+    createdAt,
+  };
+}
+
+describe("capFileAccountMap FIFO eviction", () => {
+  it("exports FILE_ACCOUNT_MAP_MAX_SIZE = 1000", () => {
+    expect(FILE_ACCOUNT_MAP_MAX_SIZE).toBe(1000);
+  });
+
+  it("caps the map at FILE_ACCOUNT_MAP_MAX_SIZE entries", () => {
+    const map = new Map<string, number>();
+    for (let i = 0; i < FILE_ACCOUNT_MAP_MAX_SIZE + 100; i++) {
+      capFileAccountMap(map, `file_${i}`, i % 5);
+    }
+    expect(map.size).toBeLessThanOrEqual(FILE_ACCOUNT_MAP_MAX_SIZE);
+  });
+
+  it("evicts oldest entries first (FIFO)", () => {
+    const map = new Map<string, number>();
+    for (let i = 0; i < FILE_ACCOUNT_MAP_MAX_SIZE; i++) {
+      capFileAccountMap(map, `file_${i}`, 0);
+    }
+    capFileAccountMap(map, "file_overflow", 1);
+    expect(map.has("file_0")).toBe(false);
+    expect(map.has("file_overflow")).toBe(true);
+    expect(map.size).toBe(FILE_ACCOUNT_MAP_MAX_SIZE);
+  });
+
+  it("updates value of existing key when below cap", () => {
+    const map = new Map<string, number>();
+    capFileAccountMap(map, "file_a", 1);
+    capFileAccountMap(map, "file_a", 2);
+    expect(map.get("file_a")).toBe(2);
+    expect(map.size).toBe(1);
+  });
+
+  it("handles rapid insertion under cap without eviction", () => {
+    const map = new Map<string, number>();
+    for (let i = 0; i < 500; i++) {
+      capFileAccountMap(map, `file_${i}`, 0);
+    }
+    expect(map.size).toBe(500);
+    expect(map.has("file_0")).toBe(true);
+    expect(map.has("file_499")).toBe(true);
+  });
+});
+
+describe("pruneExpiredPendingOAuth TTL cleanup", () => {
+  it("exports PENDING_OAUTH_TTL_MS = 10 minutes", () => {
+    expect(PENDING_OAUTH_TTL_MS).toBe(10 * 60 * 1000);
+  });
+
+  it("removes entries older than TTL", () => {
+    const map = new Map<string, PendingOAuthEntry>();
+    const now = Date.now();
+    map.set("expired", makePendingEntry(now - PENDING_OAUTH_TTL_MS - 1000));
+    map.set("fresh", makePendingEntry(now));
+
+    pruneExpiredPendingOAuth(map);
+
+    expect(map.has("expired")).toBe(false);
+    expect(map.has("fresh")).toBe(true);
+  });
+
+  it("does not remove entries just inside the TTL boundary", () => {
+    const map = new Map<string, PendingOAuthEntry>();
+    const now = Date.now();
+    map.set("boundary", makePendingEntry(now - PENDING_OAUTH_TTL_MS + 1000));
+
+    pruneExpiredPendingOAuth(map);
+
+    expect(map.has("boundary")).toBe(true);
+  });
+
+  it("handles empty map without error", () => {
+    const map = new Map<string, PendingOAuthEntry>();
+    expect(() => pruneExpiredPendingOAuth(map)).not.toThrow();
+  });
+
+  it("removes only expired entries, leaves fresh ones", () => {
+    const map = new Map<string, PendingOAuthEntry>();
+    const now = Date.now();
+    map.set("old1", makePendingEntry(now - PENDING_OAUTH_TTL_MS - 5000));
+    map.set("old2", makePendingEntry(now - PENDING_OAUTH_TTL_MS - 2000));
+    map.set("new1", makePendingEntry(now - 1000));
+    map.set("new2", makePendingEntry(now));
+
+    pruneExpiredPendingOAuth(map);
+
+    expect(map.size).toBe(2);
+    expect(map.has("new1")).toBe(true);
+    expect(map.has("new2")).toBe(true);
+  });
+});

package/src/account-identity.test.ts

@@ -0,0 +1,213 @@
+import { describe, expect, it } from "vitest";
+import type { CCCredential } from "./cc-credentials.js";
+import type { ManagedAccount } from "./accounts.js";
+import {
+  findByIdentity,
+  identitiesMatch,
+  resolveIdentity,
+  resolveIdentityFromCCCredential,
+  resolveIdentityFromOAuthExchange,
+  serializeIdentity,
+  type AccountIdentity,
+} from "./account-identity.js";
+
+describe("account-identity", () => {
+  const oauthAccount: ManagedAccount = {
+    id: "oauth-1",
+    index: 0,
+    email: "alice@example.com",
+    refreshToken: "rt_oauth_123",
+    access: "at_oauth_123",
+    expires: Date.now() + 3600000,
+    tokenUpdatedAt: Date.now(),
+    addedAt: Date.now(),
+    lastUsed: 0,
+    enabled: true,
+    rateLimitResetTimes: {},
+    consecutiveFailures: 0,
+    lastFailureTime: null,
+    stats: {
+      requests: 0,
+      inputTokens: 0,
+      outputTokens: 0,
+      cacheReadTokens: 0,
+      cacheWriteTokens: 0,
+      lastReset: Date.now(),
+    },
+    source: "oauth",
+  };
+
+  const ccAccount: ManagedAccount = {
+    id: "cc-1",
+    index: 1,
+    email: undefined,
+    label: "Claude Code-credentials:alice@example.com",
+    refreshToken: "rt_cc_456",
+    access: "at_cc_456",
+    expires: Date.now() + 3600000,
+    tokenUpdatedAt: Date.now(),
+    addedAt: Date.now(),
+    lastUsed: 0,
+    enabled: true,
+    rateLimitResetTimes: {},
+    consecutiveFailures: 0,
+    lastFailureTime: null,
+    stats: {
+      requests: 0,
+      inputTokens: 0,
+      outputTokens: 0,
+      cacheReadTokens: 0,
+      cacheWriteTokens: 0,
+      lastReset: Date.now(),
+    },
+    source: "cc-keychain",
+  };
+
+  const legacyAccount: ManagedAccount = {
+    id: "legacy-1",
+    index: 2,
+    email: undefined,
+    refreshToken: "rt_legacy_789",
+    access: "at_legacy_789",
+    expires: Date.now() + 3600000,
+    tokenUpdatedAt: Date.now(),
+    addedAt: Date.now(),
+    lastUsed: 0,
+    enabled: true,
+    rateLimitResetTimes: {},
+    consecutiveFailures: 0,
+    lastFailureTime: null,
+    stats: {
+      requests: 0,
+      inputTokens: 0,
+      outputTokens: 0,
+      cacheReadTokens: 0,
+      cacheWriteTokens: 0,
+      lastReset: Date.now(),
+    },
+    source: undefined,
+  };
+
+  const ccCredential: CCCredential = {
+    accessToken: "at_cc_456",
+    refreshToken: "rt_cc_456",
+    expiresAt: Date.now() + 3600000,
+    source: "cc-keychain",
+    label: "Claude Code-credentials:alice@example.com",
+  };
+
+  describe("resolveIdentity", () => {
+    it("should resolve OAuth account identity from email", () => {
+      const identity = resolveIdentity(oauthAccount);
+
+      expect(identity).toEqual({
+        kind: "oauth",
+        email: "alice@example.com",
+      });
+    });
+
+    it("should resolve CC account identity from source+label", () => {
+      const identity = resolveIdentity(ccAccount);
+
+      expect(identity).toEqual({
+        kind: "cc",
+        source: "cc-keychain",
+        label: "Claude Code-credentials:alice@example.com",
+      });
+    });
+
+    it("should resolve legacy identity from refreshToken when no email or source", () => {
+      const identity = resolveIdentity(legacyAccount);
+
+      expect(identity).toEqual({
+        kind: "legacy",
+        refreshToken: "rt_legacy_789",
+      });
+    });
+  });
+
+  describe("exchange helpers", () => {
+    it("should resolve CC identity from a Claude Code credential", () => {
+      expect(resolveIdentityFromCCCredential(ccCredential)).toEqual({
+        kind: "cc",
+        source: "cc-keychain",
+        label: "Claude Code-credentials:alice@example.com",
+      });
+    });
+
+    it("should resolve OAuth exchange results with email as OAuth identity", () => {
+      expect(resolveIdentityFromOAuthExchange({ email: "alice@example.com", refresh: "rt_oauth_123" })).toEqual({
+        kind: "oauth",
+        email: "alice@example.com",
+      });
+    });
+
+    it("should resolve OAuth exchange results without email as legacy identity", () => {
+      expect(resolveIdentityFromOAuthExchange({ refresh: "rt_legacy_789" })).toEqual({
+        kind: "legacy",
+        refreshToken: "rt_legacy_789",
+      });
+    });
+  });
+
+  describe("identitiesMatch", () => {
+    it("should match OAuth accounts with same email", () => {
+      const identity1: AccountIdentity = { kind: "oauth", email: "alice@example.com" };
+      const identity2: AccountIdentity = { kind: "oauth", email: "alice@example.com" };
+
+      expect(identitiesMatch(identity1, identity2)).toBe(true);
+    });
+
+    it("should match CC accounts with same source+label", () => {
+      const identity1: AccountIdentity = { kind: "cc", source: "cc-keychain", label: "label1" };
+      const identity2: AccountIdentity = { kind: "cc", source: "cc-keychain", label: "label1" };
+
+      expect(identitiesMatch(identity1, identity2)).toBe(true);
+    });
+
+    it("should not match different identity types", () => {
+      const oauthIdentity: AccountIdentity = { kind: "oauth", email: "alice@example.com" };
+      const ccIdentity: AccountIdentity = { kind: "cc", source: "cc-keychain", label: "label" };
+      const legacyIdentity: AccountIdentity = { kind: "legacy", refreshToken: "rt" };
+
+      expect(identitiesMatch(oauthIdentity, ccIdentity)).toBe(false);
+      expect(identitiesMatch(oauthIdentity, legacyIdentity)).toBe(false);
+      expect(identitiesMatch(ccIdentity, legacyIdentity)).toBe(false);
+    });
+
+    it("should not match different stable key fields", () => {
+      expect(
+        identitiesMatch({ kind: "oauth", email: "alice@example.com" }, { kind: "oauth", email: "bob@example.com" }),
+      ).toBe(false);
+      expect(
+        identitiesMatch(
+          { kind: "cc", source: "cc-keychain", label: "label1" },
+          { kind: "cc", source: "cc-keychain", label: "label2" },
+        ),
+      ).toBe(false);
+    });
+  });
+
+  describe("findByIdentity", () => {
+    const accounts: ManagedAccount[] = [oauthAccount, ccAccount, legacyAccount];
+
+    it("should find matching accounts by stable identity", () => {
+      expect(findByIdentity(accounts, { kind: "oauth", email: "alice@example.com" })).toBe(oauthAccount);
+      expect(
+        findByIdentity(accounts, {
+          kind: "cc",
+          source: "cc-keychain",
+          label: "Claude Code-credentials:alice@example.com",
+        }),
+      ).toBe(ccAccount);
+      expect(findByIdentity(accounts, { kind: "legacy", refreshToken: "rt_legacy_789" })).toBe(legacyAccount);
+      expect(findByIdentity(accounts, { kind: "oauth", email: "unknown@example.com" })).toBeNull();
+    });
+
+    it("should serialize identities without leaking secrets", () => {
+      expect(serializeIdentity({ kind: "oauth", email: "alice@example.com" })).toBe("oauth:alice@example.com");
+      expect(serializeIdentity({ kind: "cc", source: "cc-keychain", label: "label1" })).toBe("cc:cc-keychain:label1");
+      expect(serializeIdentity({ kind: "legacy", refreshToken: "secret-refresh-token" })).toBe("legacy:redacted");
+    });
+  });
+});

package/src/account-identity.ts

@@ -0,0 +1,108 @@
+import type { CCCredential } from "./cc-credentials.js";
+import type { ManagedAccount } from "./accounts.js";
+import type { AccountMetadata } from "./storage.js";
+
+type CCAccountSource = "cc-keychain" | "cc-file";
+
+export type AccountIdentity =
+  | { kind: "oauth"; email: string }
+  | { kind: "cc"; source: CCAccountSource; label: string }
+  | { kind: "legacy"; refreshToken: string };
+
+type IdentityAccount = ManagedAccount | AccountMetadata;
+
+function isCCAccountSource(source: IdentityAccount["source"]): source is CCAccountSource {
+  return source === "cc-keychain" || source === "cc-file";
+}
+
+function isAccountIdentity(value: unknown): value is AccountIdentity {
+  if (!value || typeof value !== "object") return false;
+
+  const candidate = value as Record<string, unknown>;
+  switch (candidate.kind) {
+    case "oauth":
+      return typeof candidate.email === "string" && candidate.email.length > 0;
+    case "cc":
+      return isCCAccountSource(candidate.source as IdentityAccount["source"]) && typeof candidate.label === "string";
+    case "legacy":
+      return typeof candidate.refreshToken === "string" && candidate.refreshToken.length > 0;
+    default:
+      return false;
+  }
+}
+
+export function resolveIdentity(account: IdentityAccount): AccountIdentity {
+  if (isAccountIdentity(account.identity)) {
+    return account.identity;
+  }
+
+  if (account.source === "oauth" && account.email) {
+    return { kind: "oauth", email: account.email };
+  }
+
+  if (isCCAccountSource(account.source) && account.label) {
+    return { kind: "cc", source: account.source, label: account.label };
+  }
+
+  return { kind: "legacy", refreshToken: account.refreshToken };
+}
+
+export function resolveIdentityFromCCCredential(cred: CCCredential): AccountIdentity {
+  return {
+    kind: "cc",
+    source: cred.source,
+    label: cred.label,
+  };
+}
+
+export function resolveIdentityFromOAuthExchange(result: { email?: string; refresh: string }): AccountIdentity {
+  if (result.email) {
+    return {
+      kind: "oauth",
+      email: result.email,
+    };
+  }
+
+  return {
+    kind: "legacy",
+    refreshToken: result.refresh,
+  };
+}
+
+export function identitiesMatch(a: AccountIdentity, b: AccountIdentity): boolean {
+  if (a.kind !== b.kind) return false;
+
+  switch (a.kind) {
+    case "oauth": {
+      return a.email === (b as Extract<AccountIdentity, { kind: "oauth" }>).email;
+    }
+    case "cc": {
+      const ccIdentity = b as Extract<AccountIdentity, { kind: "cc" }>;
+      return a.source === ccIdentity.source && a.label === ccIdentity.label;
+    }
+    case "legacy": {
+      return a.refreshToken === (b as Extract<AccountIdentity, { kind: "legacy" }>).refreshToken;
+    }
+  }
+}
+
+export function findByIdentity<T extends IdentityAccount>(accounts: T[], id: AccountIdentity): T | null {
+  for (const account of accounts) {
+    if (identitiesMatch(resolveIdentity(account), id)) {
+      return account;
+    }
+  }
+
+  return null;
+}
+
+export function serializeIdentity(id: AccountIdentity): string {
+  switch (id.kind) {
+    case "oauth":
+      return `oauth:${id.email}`;
+    case "cc":
+      return `cc:${id.source}:${id.label}`;
+    case "legacy":
+      return "legacy:redacted";
+  }
+}