@vacbo/opencode-anthropic-fix 0.0.44 → 0.1.1

package/src/index.ts

@@ -9,7 +9,7 @@ import { isAccountSpecificError, parseRateLimitReason, parseRetryAfterHeader } f
 import type { PendingOAuthEntry } from "./commands/oauth-flow.js";
 import { promptAccountMenu, promptManageAccounts } from "./commands/prompts.js";
 import type { CommandDeps } from "./commands/router.js";
-import { ANTHROPIC_COMMAND_HANDLED, handleAnthropicSlashCommand, stripAnsi } from "./commands/router.js";
+import { ANTHROPIC_COMMAND_HANDLED, handleAnthropicSlashCommand } from "./commands/router.js";
 import type { AnthropicAuthConfig } from "./config.js";
 import { loadConfig } from "./config.js";
 import { CLAUDE_CODE_IDENTITY_STRING, FALLBACK_CLAUDE_CLI_VERSION, FOREGROUND_EXPIRY_BUFFER_MS } from "./constants.js";
@@ -18,28 +18,55 @@ import { buildRequestHeaders } from "./headers/builder.js";
 import { fetchLatestClaudeCodeVersion } from "./headers/user-agent.js";
 import { hasOneMillionContext, isOpus46Model } from "./models.js";
 import { authorize, exchange } from "./oauth.js";
-import { transformRequestBody } from "./request/body.js";
+import { cloneBodyForRetry, transformRequestBody } from "./request/body.js";
 import { extractFileIds, getAccountIdentifier } from "./request/metadata.js";
 import { fetchWithRetry } from "./request/retry.js";
 import { transformRequestUrl } from "./request/url.js";
-import { isEventStreamResponse, transformResponse } from "./response/streaming.js";
+import { isEventStreamResponse, stripMcpPrefixFromJsonBody, transformResponse } from "./response/index.js";
+import { StreamTruncatedError } from "./response/streaming.js";
 import { readCCCredentials } from "./cc-credentials.js";
+import {
+  findByIdentity,
+  resolveIdentityFromCCCredential,
+  resolveIdentityFromOAuthExchange,
+} from "./account-identity.js";
 import { clearAccounts, loadAccounts } from "./storage.js";
 import type { OpenCodeClient } from "./token-refresh.js";
-import {
-  formatSwitchReason,
-  markTokenStateUpdated,
-  readDiskAccountAuth,
-  refreshAccountToken,
-} from "./token-refresh.js";
+import { formatSwitchReason, markTokenStateUpdated, readDiskAccountAuth } from "./token-refresh.js";
 import type { UsageStats } from "./types.js";
-import { fetchViaBun } from "./bun-fetch.js";
+import { createBunFetch } from "./bun-fetch.js";
+import { createPluginHelpers } from "./plugin-helpers.js";
+import { createRefreshHelpers } from "./refresh-helpers.js";
+
+async function finalizeResponse(
+  response: Response,
+  onUsage?: ((stats: UsageStats) => void) | null,
+  onAccountError?: ((details: { reason: string; invalidateToken: boolean }) => void) | null,
+  onStreamError?: ((error: Error) => void) | null,
+): Promise<Response> {
+  if (!isEventStreamResponse(response)) {
+    const body = stripMcpPrefixFromJsonBody(await response.text());
+    return new Response(body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: new Headers(response.headers),
+    });
+  }
+
+  return transformResponse(response, onUsage, onAccountError, onStreamError);
+}
 
 // ---------------------------------------------------------------------------
 // Plugin factory
 // ---------------------------------------------------------------------------
 
-export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient & Record<string, any> }) {
+export async function AnthropicAuthPlugin({
+  client,
+}: {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- OpenCode plugin client API boundary; accepts arbitrary extension methods
+  client: OpenCodeClient & Record<string, any>;
+}) {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- plugin config accepts forward-compatible arbitrary keys
   const config: AnthropicAuthConfig & Record<string, any> = loadConfig();
   const signatureEmulationEnabled = config.signature_emulation.enabled;
   const promptCompactionMode =
@@ -51,16 +78,6 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
 
   // Track account usage toasts; show once per account change (including first use).
   let lastToastedIndex = -1;
-  const debouncedToastTimestamps = new Map<string, number>();
-
-  const refreshInFlight = new Map<string, { promise: Promise<string>; source: "foreground" | "idle" }>();
-
-  const idleRefreshLastAttempt = new Map<string, number>();
-  const idleRefreshInFlight = new Set<string>();
-
-  const IDLE_REFRESH_ENABLED = config.idle_refresh.enabled;
-  const IDLE_REFRESH_WINDOW_MS = config.idle_refresh.window_minutes * 60 * 1000;
-  const IDLE_REFRESH_MIN_INTERVAL_MS = config.idle_refresh.min_interval_minutes * 60 * 1000;
 
   let initialAccountPinned = false;
   const pendingSlashOAuth = new Map<string, PendingOAuthEntry>();
@@ -68,73 +85,44 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
 
   // -- Helpers ---------------------------------------------------------------
 
-  async function sendCommandMessage(sessionID: string, text: string) {
-    await client.session?.prompt({
-      path: { id: sessionID },
-      body: { noReply: true, parts: [{ type: "text", text, ignored: true }] },
-    });
-  }
-
-  async function reloadAccountManagerFromDisk() {
-    if (!accountManager) return;
-    accountManager = await AccountManager.load(config, null);
+  function debugLog(...args: unknown[]) {
+    if (!config.debug) return;
+    // eslint-disable-next-line no-console -- this IS the plugin's dedicated debug logger; gated on config.debug
+    console.error("[opencode-anthropic-auth]", ...args);
   }
 
-  async function persistOpenCodeAuth(refresh: string, access: string | undefined, expires: number | undefined) {
-    await client.auth?.set({
-      path: { id: "anthropic" },
-      body: { type: "oauth", refresh, access, expires },
+  const { toast, sendCommandMessage, runCliCommand, reloadAccountManagerFromDisk, persistOpenCodeAuth } =
+    createPluginHelpers({
+      client,
+      config,
+      debugLog,
+      getAccountManager: () => accountManager,
+      setAccountManager: (nextAccountManager) => {
+        accountManager = nextAccountManager;
+      },
     });
-  }
 
-  async function runCliCommand(argv: string[]): Promise<{ code: number; stdout: string; stderr: string }> {
-    const logs: string[] = [];
-    const errors: string[] = [];
-    let code = 1;
-    try {
-      const { main: cliMain } = await import("./cli.js");
-      code = await cliMain(argv, {
-        io: {
-          log: (...args: unknown[]) => logs.push(args.map(String).join(" ")),
-          error: (...args: unknown[]) => errors.push(args.map(String).join(" ")),
-        },
-      });
-    } catch (err) {
-      errors.push(err instanceof Error ? err.message : String(err));
-    }
-    return {
-      code,
-      stdout: stripAnsi(logs.join("\n")).trim(),
-      stderr: stripAnsi(errors.join("\n")).trim(),
-    };
-  }
+  const { parseRefreshFailure, refreshAccountTokenSingleFlight, maybeRefreshIdleAccounts } = createRefreshHelpers({
+    client,
+    config,
+    getAccountManager: () => accountManager,
+    debugLog,
+  });
+  const bunFetchInstance = createBunFetch({
+    debug: config.debug,
+    onProxyStatus: (status) => {
+      debugLog("bun fetch status", status);
+    },
+  });
 
-  async function toast(
-    message: string,
-    variant: "info" | "success" | "warning" | "error" = "info",
-    options: { debounceKey?: string } = {},
-  ) {
-    if (config.toasts.quiet && variant !== "error") return;
-    if (variant !== "error" && options.debounceKey) {
-      const minGapMs = Math.max(0, config.toasts.debounce_seconds) * 1000;
-      if (minGapMs > 0) {
-        const now = Date.now();
-        const lastAt = debouncedToastTimestamps.get(options.debounceKey) ?? 0;
-        if (now - lastAt < minGapMs) return;
-        debouncedToastTimestamps.set(options.debounceKey, now);
-      }
-    }
-    try {
-      await client.tui?.showToast({ body: { message, variant } });
-    } catch {
-      // TUI may not be available
+  const fetchWithTransport = async (input: string | URL | Request, init: RequestInit): Promise<Response> => {
+    const activeFetch = globalThis.fetch as typeof globalThis.fetch & { mock?: unknown };
+    if (typeof activeFetch === "function" && activeFetch.mock) {
+      return activeFetch(input, init);
     }
-  }
 
-  function debugLog(...args: unknown[]) {
-    if (!config.debug) return;
-    console.error("[opencode-anthropic-auth]", ...args);
-  }
+    return bunFetchInstance.fetch(input, init);
+  };
 
   // -- Version resolution ----------------------------------------------------
 
@@ -148,134 +136,7 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
         claudeCliVersion = version;
         debugLog("resolved claude-code version from npm", version);
       })
-      .catch(() => {});
-  }
-
-  // -- Refresh helpers -------------------------------------------------------
-
-  function parseRefreshFailure(refreshError: unknown) {
-    const message = refreshError instanceof Error ? refreshError.message : String(refreshError);
-    const status =
-      typeof refreshError === "object" && refreshError && "status" in refreshError
-        ? Number((refreshError as Record<string, unknown>).status)
-        : NaN;
-    const errorCode =
-      typeof refreshError === "object" && refreshError && ("errorCode" in refreshError || "code" in refreshError)
-        ? String(
-            (refreshError as Record<string, unknown>).errorCode || (refreshError as Record<string, unknown>).code || "",
-          )
-        : "";
-    const msgLower = message.toLowerCase();
-    const isInvalidGrant =
-      errorCode === "invalid_grant" || errorCode === "invalid_request" || msgLower.includes("invalid_grant");
-    const isTerminalStatus = status === 400 || status === 401 || status === 403;
-    return { message, status, errorCode, isInvalidGrant, isTerminalStatus };
-  }
-
-  async function refreshAccountTokenSingleFlight(
-    account: ManagedAccount,
-    source: "foreground" | "idle" = "foreground",
-  ): Promise<string> {
-    const key = account.id;
-    const existing = refreshInFlight.get(key);
-    if (existing) {
-      if (source === "foreground" && existing.source === "idle") {
-        try {
-          await existing.promise;
-        } catch {
-          /* ignore idle failure */
-        }
-        if (account.access && account.expires && account.expires > Date.now()) return account.access;
-      } else {
-        return existing.promise;
-      }
-    }
-
-    const entry: { promise: Promise<string>; source: "foreground" | "idle" } = {
-      source,
-      promise: Promise.resolve(""),
-    };
-    const p = (async () => {
-      try {
-        return await refreshAccountToken(account, client, source, {
-          onTokensUpdated: async () => {
-            try {
-              await accountManager!.saveToDisk();
-            } catch {
-              accountManager!.requestSaveToDisk();
-              throw new Error("save failed, debounced retry scheduled");
-            }
-          },
-        });
-      } finally {
-        if (refreshInFlight.get(key) === entry) refreshInFlight.delete(key);
-      }
-    })();
-    entry.promise = p;
-    refreshInFlight.set(key, entry);
-    return p;
-  }
-
-  async function refreshIdleAccount(account: ManagedAccount) {
-    if (!accountManager) return;
-    if (idleRefreshInFlight.has(account.id)) return;
-    idleRefreshInFlight.add(account.id);
-    const attemptedRefreshToken = account.refreshToken;
-    try {
-      try {
-        await refreshAccountTokenSingleFlight(account, "idle");
-        return;
-      } catch (err) {
-        let details = parseRefreshFailure(err);
-        if (!(details.isInvalidGrant || details.isTerminalStatus)) {
-          debugLog("idle refresh skipped after transient failure", {
-            accountIndex: account.index,
-            status: details.status,
-            errorCode: details.errorCode,
-            message: details.message,
-          });
-          return;
-        }
-        const diskAuth = await readDiskAccountAuth(account.id);
-        const retryToken = diskAuth?.refreshToken;
-        if (retryToken && retryToken !== attemptedRefreshToken && account.refreshToken === attemptedRefreshToken) {
-          account.refreshToken = retryToken;
-          if (diskAuth?.tokenUpdatedAt) account.tokenUpdatedAt = diskAuth.tokenUpdatedAt;
-          else markTokenStateUpdated(account);
-        }
-        try {
-          await refreshAccountTokenSingleFlight(account, "idle");
-        } catch (retryErr) {
-          details = parseRefreshFailure(retryErr);
-          debugLog("idle refresh retry failed", {
-            accountIndex: account.index,
-            status: details.status,
-            errorCode: details.errorCode,
-            message: details.message,
-          });
-        }
-      }
-    } finally {
-      idleRefreshInFlight.delete(account.id);
-    }
-  }
-
-  function maybeRefreshIdleAccounts(activeAccount: ManagedAccount) {
-    if (!IDLE_REFRESH_ENABLED || !accountManager) return;
-    const now = Date.now();
-    const excluded = new Set([activeAccount.index]);
-    const candidates = accountManager
-      .getEnabledAccounts(excluded)
-      .filter((acc) => !acc.expires || acc.expires <= now + IDLE_REFRESH_WINDOW_MS)
-      .filter((acc) => {
-        const last = idleRefreshLastAttempt.get(acc.id) ?? 0;
-        return now - last >= IDLE_REFRESH_MIN_INTERVAL_MS;
-      })
-      .sort((a, b) => (a.expires ?? 0) - (b.expires ?? 0));
-    const target = candidates[0];
-    if (!target) return;
-    idleRefreshLastAttempt.set(target.id, now);
-    void refreshIdleAccount(target);
+      .catch((err) => debugLog("CC version fetch failed:", (err as Error).message));
   }
 
   // -- Command deps ----------------------------------------------------------
@@ -300,6 +161,11 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
   // -- Plugin return ---------------------------------------------------------
 
   return {
+    dispose: async () => {
+      await bunFetchInstance.shutdown();
+    },
+
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- OpenCode plugin hook API boundary
     "experimental.chat.system.transform": (input: Record<string, any>, output: Record<string, any>) => {
       const prefix = CLAUDE_CODE_IDENTITY_STRING;
       if (!signatureEmulationEnabled && input.model?.providerID === "anthropic") {
@@ -308,6 +174,7 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
       }
     },
 
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- OpenCode plugin hook API boundary
     config: async (input: Record<string, any>) => {
       input.command ??= {};
       input.command["anthropic"] = {
@@ -316,9 +183,11 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
       };
     },
 
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- OpenCode plugin hook API boundary
     "command.execute.before": async (input: Record<string, any>) => {
       if (input.command !== "anthropic") return;
       try {
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- command router accepts the Record-shaped input from OpenCode
         await handleAnthropicSlashCommand(input as any, commandDeps);
       } catch (err) {
         const message = err instanceof Error ? err.message : String(err);
@@ -329,10 +198,16 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
 
     auth: {
       provider: "anthropic",
-      async loader(getAuth: () => Promise<Record<string, any>>, provider: Record<string, any>) {
+      async loader(
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- OpenCode auth loader API boundary
+        getAuth: () => Promise<Record<string, any>>,
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any -- OpenCode auth loader API boundary
+        provider: Record<string, any>,
+      ) {
         const auth = await getAuth();
         if (auth.type === "oauth") {
           // Zero out cost for max plan and optionally override context limits.
+          // eslint-disable-next-line @typescript-eslint/no-explicit-any -- model objects carry provider-specific metadata
           for (const model of Object.values(provider.models) as Record<string, any>[]) {
             model.cost = { input: 0, output: 0, cache: { read: 0, write: 0 } };
             if (
@@ -362,8 +237,6 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
             const ccCount = accountManager.getCCAccounts().length;
             if (ccCount > 0) {
               await toast(`Using Claude Code credentials (${ccCount} found)`, "success");
-            } else {
-              await toast("No Claude Code credentials — using OAuth", "info");
             }
           }
 
@@ -395,12 +268,37 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
 
           return {
             apiKey: "",
-            async fetch(input: any, init: any) {
+            async fetch(
+              // eslint-disable-next-line @typescript-eslint/no-explicit-any -- fetch input varies (string | URL | Request) across call sites
+              input: any,
+              // eslint-disable-next-line @typescript-eslint/no-explicit-any -- fetch init is OpenCode-shaped RequestInit-plus
+              init: any,
+            ) {
               const currentAuth = await getAuth();
               if (currentAuth.type !== "oauth") return fetch(input, init);
 
-              const requestInit = init ?? {};
+              const requestInit = { ...(init ?? {}) };
               const { requestInput, requestUrl } = transformRequestUrl(input);
+              const resolvedBody =
+                requestInit.body !== undefined
+                  ? requestInit.body
+                  : requestInput instanceof Request && requestInput.body
+                    ? await requestInput.clone().text()
+                    : undefined;
+              if (resolvedBody !== undefined) {
+                requestInit.body = resolvedBody;
+              }
+
+              const requestContext: {
+                attempt: number;
+                cloneBody: string | undefined;
+                preparedBody: string | undefined;
+              } = {
+                attempt: 0,
+                cloneBody: typeof resolvedBody === "string" ? cloneBodyForRetry(resolvedBody) : undefined,
+                preparedBody: undefined,
+              };
+
               const requestMethod = String(
                 requestInit.method || (requestInput instanceof Request ? requestInput.method : "POST"),
               ).toUpperCase();
@@ -447,6 +345,8 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
               }
 
               for (let attempt = 0; attempt < maxAttempts; attempt++) {
+                requestContext.attempt = attempt + 1;
+
                 const account =
                   attempt === 0 && pinnedAccount && !transientRefreshSkips.has(pinnedAccount.index)
                     ? pinnedAccount
@@ -549,19 +449,30 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
 
                 maybeRefreshIdleAccounts(account);
 
-                const body = transformRequestBody(
-                  requestInit.body,
-                  {
-                    enabled: signatureEmulationEnabled,
-                    claudeCliVersion,
-                    promptCompactionMode,
-                  },
-                  {
-                    persistentUserId: signatureUserId,
-                    sessionId: signatureSessionId,
-                    accountId: getAccountIdentifier(account),
-                  },
-                );
+                const buildAttemptBody = () => {
+                  const transformedBody = transformRequestBody(
+                    requestContext.cloneBody === undefined ? undefined : cloneBodyForRetry(requestContext.cloneBody),
+                    {
+                      enabled: signatureEmulationEnabled,
+                      claudeCliVersion,
+                      promptCompactionMode,
+                    },
+                    {
+                      persistentUserId: signatureUserId,
+                      sessionId: signatureSessionId,
+                      accountId: getAccountIdentifier(account),
+                    },
+                    config.relocate_third_party_prompts,
+                    debugLog,
+                  );
+
+                  requestContext.preparedBody =
+                    typeof transformedBody === "string" ? cloneBodyForRetry(transformedBody) : undefined;
+
+                  return transformedBody;
+                };
+
+                const body = buildAttemptBody();
                 logTransformedSystemPrompt(body);
 
                 const requestHeaders = buildRequestHeaders(input, requestInit, accessToken!, body, requestUrl, {
@@ -605,7 +516,7 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
                 let response: Response;
                 const fetchInput = requestInput as string | URL | Request;
                 try {
-                  response = await fetchViaBun(fetchInput, {
+                  response = await fetchWithTransport(fetchInput, {
                     ...requestInit,
                     body,
                     headers: requestHeaders,
@@ -649,6 +560,7 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
                       reason,
                     });
                     accountManager.markRateLimited(account, reason, authOrPermissionIssue ? null : retryAfterMs);
+                    transientRefreshSkips.add(account.index);
                     const name = account.email || `Account ${accountManager.getCurrentIndex() + 1}`;
                     const total = accountManager.getAccountCount();
                     if (total > 1) {
@@ -677,9 +589,13 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
                         headersForRetry.set("x-stainless-retry-count", String(retryCount));
                         retryCount += 1;
                         const retryUrl = fetchInput instanceof Request ? fetchInput.url : fetchInput.toString();
-                        return fetchViaBun(retryUrl, {
+                        const retryBody =
+                          requestContext.preparedBody === undefined
+                            ? undefined
+                            : cloneBodyForRetry(requestContext.preparedBody);
+                        return fetchWithTransport(retryUrl, {
                           ...requestInit,
-                          body,
+                          body: retryBody,
                           headers: headersForRetry,
                         });
                       },
@@ -687,7 +603,7 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
                     );
 
                     if (!retried.ok) {
-                      return transformResponse(retried);
+                      return finalizeResponse(retried);
                     }
 
                     response = retried;
@@ -695,7 +611,7 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
                     debugLog("non-account-specific response error, returning directly", {
                       status: response.status,
                     });
-                    return transformResponse(response);
+                    return finalizeResponse(response);
                   }
                 }
 
@@ -711,7 +627,8 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
                     }
                   : null;
                 const accountErrorCallback = shouldInspectStream
-                  ? (details: { reason: any; invalidateToken: boolean }) => {
+                  ? // eslint-disable-next-line @typescript-eslint/no-explicit-any -- reason carries opaque rate-limit metadata; shape stabilized at callsite
+                    (details: { reason: any; invalidateToken: boolean }) => {
                       if (details.invalidateToken) {
                         account.access = undefined;
                         account.expires = undefined;
@@ -720,8 +637,22 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
                       accountManager!.markRateLimited(account, details.reason, null);
                     }
                   : null;
+                const streamErrorCallback =
+                  response.ok && isEventStreamResponse(response)
+                    ? (error: Error) => {
+                        if (!(error instanceof StreamTruncatedError)) {
+                          return;
+                        }
 
-                return transformResponse(response, usageCallback, accountErrorCallback);
+                        debugLog("stream truncated during response consumption", {
+                          accountIndex: account?.index,
+                          message: error.message,
+                          context: error.context,
+                        });
+                      }
+                    : null;
+
+                return finalizeResponse(response, usageCallback, accountErrorCallback, streamErrorCallback);
               }
 
               if (lastError) throw lastError;
@@ -759,14 +690,39 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
               accountManager = await AccountManager.load(config, null);
             }
 
-            const exists = accountManager
-              .getAccountsSnapshot()
-              .some((acc: ManagedAccount) => acc.refreshToken === ccCred.refreshToken);
-
-            if (!exists) {
-              const added = accountManager.addAccount(ccCred.refreshToken, ccCred.accessToken, ccCred.expiresAt);
+            const identity = resolveIdentityFromCCCredential(ccCred);
+            const existing = findByIdentity(accountManager.getCCAccounts(), identity);
+
+            if (existing) {
+              existing.refreshToken = ccCred.refreshToken;
+              existing.identity = identity;
+              existing.source = ccCred.source;
+              existing.label = ccCred.label;
+              existing.enabled = true;
+              if (ccCred.accessToken) {
+                existing.access = ccCred.accessToken;
+              }
+              if (ccCred.expiresAt >= (existing.expires ?? 0)) {
+                existing.expires = ccCred.expiresAt;
+              }
+              existing.tokenUpdatedAt = Math.max(existing.tokenUpdatedAt || 0, ccCred.expiresAt || 0);
+              await accountManager.saveToDisk();
+            } else {
+              const added = accountManager.addAccount(
+                ccCred.refreshToken,
+                ccCred.accessToken,
+                ccCred.expiresAt,
+                undefined,
+                {
+                  identity,
+                  label: ccCred.label,
+                  source: ccCred.source,
+                },
+              );
               if (added) {
                 added.source = ccCred.source;
+                added.label = ccCred.label;
+                added.identity = identity;
               }
               await accountManager.saveToDisk();
               await toast("Added Claude Code credentials", "success");
@@ -829,17 +785,38 @@ export async function AnthropicAuthPlugin({ client }: { client: OpenCodeClient &
                 if (!accountManager) {
                   accountManager = await AccountManager.load(config, null);
                 }
+                const identity = resolveIdentityFromOAuthExchange(credentials);
                 const countBefore = accountManager.getAccountCount();
-                accountManager.addAccount(
-                  credentials.refresh,
-                  credentials.access,
-                  credentials.expires,
-                  credentials.email,
-                );
+                const existing =
+                  identity.kind === "oauth" ? findByIdentity(accountManager.getOAuthAccounts(), identity) : null;
+
+                if (existing) {
+                  existing.refreshToken = credentials.refresh;
+                  existing.access = credentials.access;
+                  existing.expires = credentials.expires;
+                  existing.email = credentials.email ?? existing.email;
+                  existing.identity = identity;
+                  existing.source = "oauth";
+                  existing.enabled = true;
+                  existing.tokenUpdatedAt = Date.now();
+                } else {
+                  accountManager.addAccount(
+                    credentials.refresh,
+                    credentials.access,
+                    credentials.expires,
+                    credentials.email,
+                    {
+                      identity,
+                      source: "oauth",
+                    },
+                  );
+                }
+
                 await accountManager.saveToDisk();
                 const total = accountManager.getAccountCount();
                 const name = credentials.email || "account";
-                if (countBefore > 0) await toast(`Added ${name} — ${total} accounts`, "success");
+                if (existing) await toast(`Re-authenticated (${name})`, "success");
+                else if (countBefore > 0) await toast(`Added ${name} — ${total} accounts`, "success");
                 else await toast(`Authenticated (${name})`, "success");
                 return credentials;
               },