@vacbo/opencode-anthropic-fix 0.0.44 → 0.1.1

package/src/storage.ts

@@ -1,6 +1,8 @@
 import { randomBytes } from "node:crypto";
 import { appendFileSync, existsSync, promises as fs, readFileSync, writeFileSync } from "node:fs";
 import { dirname, join } from "node:path";
+import type { AccountIdentity } from "./account-identity.js";
+import { findByIdentity } from "./account-identity.js";
 import { getConfigDir } from "./config.js";
 
 export interface AccountStats {
@@ -15,6 +17,8 @@ export interface AccountStats {
 export interface AccountMetadata {
   id: string;
   email?: string;
+  identity?: AccountIdentity;
+  label?: string;
   refreshToken: string;
   access?: string;
   expires?: number;
@@ -36,6 +40,11 @@ export interface AccountStorage {
   activeIndex: number;
 }
 
+export type StoredAccountMatchCandidate = Pick<
+  AccountMetadata,
+  "id" | "email" | "identity" | "label" | "refreshToken" | "addedAt" | "source"
+>;
+
 const CURRENT_VERSION = 1;
 
 /**
@@ -134,6 +143,8 @@ function validateAccount(raw: unknown, now: number): AccountMetadata | null {
   return {
     id,
     email: typeof acc.email === "string" ? acc.email : undefined,
+    identity: isAccountIdentity(acc.identity) ? acc.identity : undefined,
+    label: typeof acc.label === "string" ? acc.label : undefined,
     refreshToken: acc.refreshToken as string,
     access: typeof acc.access === "string" ? acc.access : undefined,
     expires: typeof acc.expires === "number" && Number.isFinite(acc.expires) ? acc.expires : undefined,
@@ -155,10 +166,139 @@ function validateAccount(raw: unknown, now: number): AccountMetadata | null {
     lastFailureTime: typeof acc.lastFailureTime === "number" ? acc.lastFailureTime : null,
     lastSwitchReason: typeof acc.lastSwitchReason === "string" ? acc.lastSwitchReason : undefined,
     stats: validateStats(acc.stats, now),
-    source:
-      acc.source === "cc-keychain" || acc.source === "cc-file" || acc.source === "oauth"
-        ? (acc.source as "cc-keychain" | "cc-file" | "oauth")
-        : undefined,
+    source: acc.source === "cc-keychain" || acc.source === "cc-file" || acc.source === "oauth" ? acc.source : undefined,
+  };
+}
+
+function isAccountIdentity(value: unknown): value is AccountIdentity {
+  if (!value || typeof value !== "object") return false;
+
+  const candidate = value as Record<string, unknown>;
+  switch (candidate.kind) {
+    case "oauth":
+      return typeof candidate.email === "string" && candidate.email.length > 0;
+    case "cc":
+      return (
+        (candidate.source === "cc-keychain" || candidate.source === "cc-file") && typeof candidate.label === "string"
+      );
+    case "legacy":
+      return typeof candidate.refreshToken === "string" && candidate.refreshToken.length > 0;
+    default:
+      return false;
+  }
+}
+
+function resolveStoredIdentity(candidate: StoredAccountMatchCandidate): AccountIdentity {
+  if (isAccountIdentity(candidate.identity)) {
+    return candidate.identity;
+  }
+
+  if (candidate.source === "oauth" && candidate.email) {
+    return { kind: "oauth", email: candidate.email };
+  }
+
+  if ((candidate.source === "cc-keychain" || candidate.source === "cc-file") && candidate.label) {
+    return {
+      kind: "cc",
+      source: candidate.source,
+      label: candidate.label,
+    };
+  }
+
+  return { kind: "legacy", refreshToken: candidate.refreshToken };
+}
+
+function resolveTokenUpdatedAt(account: Pick<AccountMetadata, "token_updated_at" | "addedAt">): number {
+  return typeof account.token_updated_at === "number" && Number.isFinite(account.token_updated_at)
+    ? account.token_updated_at
+    : account.addedAt;
+}
+
+function clampActiveIndex(accounts: AccountMetadata[], activeIndex: number): number {
+  if (accounts.length === 0) {
+    return 0;
+  }
+
+  return Math.max(0, Math.min(activeIndex, accounts.length - 1));
+}
+
+export function findStoredAccountMatch(
+  accounts: AccountMetadata[],
+  candidate: StoredAccountMatchCandidate,
+): AccountMetadata | null {
+  const byId = accounts.find((account) => account.id === candidate.id);
+  if (byId) {
+    return byId;
+  }
+
+  const byIdentity = findByIdentity(accounts, resolveStoredIdentity(candidate));
+  if (byIdentity) {
+    return byIdentity;
+  }
+
+  const byAddedAt = accounts.filter((account) => account.addedAt === candidate.addedAt);
+  if (byAddedAt.length === 1) {
+    return byAddedAt[0]!;
+  }
+
+  const byRefreshToken = accounts.find((account) => account.refreshToken === candidate.refreshToken);
+  if (byRefreshToken) {
+    return byRefreshToken;
+  }
+
+  return byAddedAt[0] ?? null;
+}
+
+export function mergeAccountWithFresherAuth(
+  account: AccountMetadata,
+  diskMatch: AccountMetadata | null,
+): AccountMetadata {
+  const memoryTokenUpdatedAt = resolveTokenUpdatedAt(account);
+  const diskTokenUpdatedAt = diskMatch ? resolveTokenUpdatedAt(diskMatch) : 0;
+
+  if (!diskMatch || diskTokenUpdatedAt <= memoryTokenUpdatedAt) {
+    return {
+      ...account,
+      token_updated_at: memoryTokenUpdatedAt,
+    };
+  }
+
+  return {
+    ...account,
+    refreshToken: diskMatch.refreshToken,
+    access: diskMatch.access,
+    expires: diskMatch.expires,
+    token_updated_at: diskTokenUpdatedAt,
+  };
+}
+
+export function unionAccountsWithDisk(storage: AccountStorage, disk: AccountStorage | null): AccountStorage {
+  if (!disk || storage.accounts.length === 0) {
+    return {
+      ...storage,
+      activeIndex: clampActiveIndex(storage.accounts, storage.activeIndex),
+    };
+  }
+
+  const activeAccountId = storage.accounts[storage.activeIndex]?.id ?? null;
+  const matchedDiskAccounts = new Set<AccountMetadata>();
+  const mergedAccounts = storage.accounts.map((account) => {
+    const diskMatch = findStoredAccountMatch(disk.accounts, account);
+    if (diskMatch) {
+      matchedDiskAccounts.add(diskMatch);
+    }
+
+    return mergeAccountWithFresherAuth(account, diskMatch);
+  });
+
+  const diskOnlyAccounts = disk.accounts.filter((account) => !matchedDiskAccounts.has(account));
+  const accounts = [...mergedAccounts, ...diskOnlyAccounts];
+  const activeIndex = activeAccountId ? accounts.findIndex((account) => account.id === activeAccountId) : -1;
+
+  return {
+    ...storage,
+    accounts,
+    activeIndex: activeIndex >= 0 ? activeIndex : clampActiveIndex(accounts, storage.activeIndex),
   };
 }
 
@@ -177,8 +317,9 @@ export async function loadAccounts(): Promise<AccountStorage | null> {
     }
 
     if (data.version !== CURRENT_VERSION) {
-      // Future: handle migrations here
-      return null;
+      console.warn(
+        `Storage version mismatch: ${String(data.version)} vs ${CURRENT_VERSION}. Attempting best-effort migration.`,
+      );
     }
 
     const now = Date.now();
@@ -218,66 +359,15 @@ export async function saveAccounts(storage: AccountStorage): Promise<void> {
   await fs.mkdir(configDir, { recursive: true });
   ensureGitignore(configDir);
 
-  let storageToWrite = storage;
+  let storageToWrite = {
+    ...storage,
+    activeIndex: clampActiveIndex(storage.accounts, storage.activeIndex),
+  };
 
   // Merge auth fields against disk by freshness to avoid stale-process clobber.
   try {
     const disk = await loadAccounts();
-    if (disk && storage.accounts.length > 0) {
-      const diskById = new Map(disk.accounts.map((a) => [a.id, a]));
-      const diskByAddedAt = new Map<number, AccountMetadata[]>();
-      const diskByToken = new Map(disk.accounts.map((a) => [a.refreshToken, a]));
-      for (const d of disk.accounts) {
-        const bucket = diskByAddedAt.get(d.addedAt) || [];
-        bucket.push(d);
-        diskByAddedAt.set(d.addedAt, bucket);
-      }
-
-      const findDiskMatch = (acc: AccountMetadata): AccountMetadata | null => {
-        const byId = diskById.get(acc.id);
-        if (byId) return byId;
-
-        const byAddedAt = diskByAddedAt.get(acc.addedAt);
-        if (byAddedAt?.length === 1) return byAddedAt[0]!;
-
-        const byToken = diskByToken.get(acc.refreshToken);
-        if (byToken) return byToken;
-
-        if (byAddedAt && byAddedAt.length > 0) return byAddedAt[0]!;
-        return null;
-      };
-
-      const mergedAccounts = storage.accounts.map((acc) => {
-        const diskAcc = findDiskMatch(acc);
-        const memTs =
-          typeof acc.token_updated_at === "number" && Number.isFinite(acc.token_updated_at)
-            ? acc.token_updated_at
-            : acc.addedAt;
-        const diskTs = diskAcc?.token_updated_at || 0;
-        const useDiskAuth = !!diskAcc && diskTs > memTs;
-
-        return {
-          ...acc,
-          refreshToken: useDiskAuth ? diskAcc!.refreshToken : acc.refreshToken,
-          access: useDiskAuth ? diskAcc!.access : acc.access,
-          expires: useDiskAuth ? diskAcc!.expires : acc.expires,
-          token_updated_at: useDiskAuth ? diskTs : memTs,
-        };
-      });
-
-      let activeIndex = storage.activeIndex;
-      if (mergedAccounts.length > 0) {
-        activeIndex = Math.max(0, Math.min(activeIndex, mergedAccounts.length - 1));
-      } else {
-        activeIndex = 0;
-      }
-
-      storageToWrite = {
-        ...storage,
-        accounts: mergedAccounts,
-        activeIndex,
-      };
-    }
+    storageToWrite = unionAccountsWithDisk(storageToWrite, disk);
   } catch {
     // If merge read fails, continue with caller-provided storage payload.
   }

package/src/system-prompt/builder.ts

@@ -1,6 +1,36 @@
-// ---------------------------------------------------------------------------
-// System prompt block builder
-// ---------------------------------------------------------------------------
+// ===========================================================================
+// System Prompt Structure — CC Alignment Audit
+// ===========================================================================
+//
+// Audit date: 2026-04-10
+// Reference: .omc/research/cch-source-analysis.md,
+//   .omc/research/cc-vs-plugin-comparison.md
+//
+// VERIFIED ALIGNMENT:
+// [x] Billing block placement: inserted first in the system array, with no
+//     cache_control on the emitted block.
+// [x] Identity string text matches CC exactly:
+//     "You are Claude Code, Anthropic's official CLI for Claude."
+// [x] Identity cache_control matches CC's request shape:
+//     { type: "ephemeral" }.
+// [x] Block ordering remains billing → identity → remaining sanitized blocks.
+// [x] Sanitization rewrites OpenCode-specific references toward Claude/Claude
+//     Code phrasing before final prompt assembly.
+//
+// FUTURE HARDENING NOTES:
+// - CC's full system prompt is much larger (tool instructions, permissions,
+//   internal workflow text). This builder intentionally preserves only the
+//   routing-critical structure documented in the source analysis.
+// - CC records billing cache behavior internally as cacheScope: null. The
+//   plugin emits no cache_control field on the billing block, which is the
+//   equivalent wire representation.
+// - CC can append cc_workload when AsyncLocalStorage workload tracking is
+//   present. That field is not applicable to this plugin.
+// - CC tool naming conventions can evolve independently from this file. Current
+//   plugin-specific tool prefix notes live in body/request docs, not here.
+//
+// See src/headers/billing.ts for billing-specific gaps and attestation notes.
+// ===========================================================================
 
 import {
   CLAUDE_CODE_IDENTITY_STRING,

package/src/system-prompt/sanitize.ts

@@ -5,8 +5,18 @@
 import { CLAUDE_CODE_IDENTITY_STRING } from "../constants.js";
 import type { PromptCompactionMode } from "../types.js";
 
-export function sanitizeSystemText(text: string): string {
-  return text.replace(/OpenCode/g, "Claude Code").replace(/opencode/gi, "Claude");
+export function sanitizeSystemText(text: string, enabled = true): string {
+  if (!enabled) return text;
+  return text
+    .replace(/\bOpenCode\b/g, "Claude Code")
+    .replace(/\bopencode\b/gi, "Claude")
+    .replace(/OhMyClaude\s*Code/gi, "Claude Code")
+    .replace(/OhMyClaudeCode/gi, "Claude Code")
+    .replace(/\bSisyphus\b/g, "Claude Code Agent")
+    .replace(/\bMorph\s+plugin\b/gi, "edit plugin")
+    .replace(/\bmorph_edit\b/g, "edit")
+    .replace(/\bmorph_/g, "")
+    .replace(/\bOhMyClaude\b/gi, "Claude");
 }
 
 export function compactSystemText(text: string, mode: PromptCompactionMode): string {

package/src/token-refresh.test.ts

@@ -1,5 +1,7 @@
 import { execSync } from "node:child_process";
 import { beforeEach, describe, expect, it, vi, type Mock } from "vitest";
+import { createDeferred, nextTick } from "./__tests__/helpers/deferred.js";
+import { createRefreshHelpers } from "./refresh-helpers.js";
 
 vi.mock("node:child_process", () => ({
   execSync: vi.fn(),
@@ -32,7 +34,7 @@ import type { ManagedAccount } from "./accounts.js";
 import type { CCCredential } from "./cc-credentials.js";
 import { readCCCredentials, readCCCredentialsFromFile } from "./cc-credentials.js";
 import { refreshToken } from "./oauth.js";
-import { refreshAccountToken } from "./token-refresh.js";
+import { applyDiskAuthIfFresher, refreshAccountToken } from "./token-refresh.js";
 
 const mockExecSync = execSync as Mock;
 const mockReadCCCredentials = readCCCredentials as Mock;
@@ -231,4 +233,85 @@ describe("refreshAccountToken", () => {
       timeout: 5000,
     });
   });
+
+  it("reuses the first foreground retry after an idle refresh rejection", async () => {
+    const idleRefresh = createDeferred<{
+      access_token: string;
+      expires_in: number;
+      refresh_token?: string;
+    }>();
+    const foregroundRefresh = createDeferred<{
+      access_token: string;
+      expires_in: number;
+      refresh_token?: string;
+    }>();
+    const idleFailure = new Error("idle refresh failed");
+    const foregroundFailure = new Error("foreground refresh failed");
+    mockRefreshToken
+      .mockImplementationOnce(() => idleRefresh.promise)
+      .mockImplementationOnce(() => foregroundRefresh.promise)
+      .mockRejectedValueOnce(new Error("duplicate foreground refresh"));
+    const accountManager = {
+      saveToDisk: vi.fn().mockResolvedValue(undefined),
+      requestSaveToDisk: vi.fn(),
+      getEnabledAccounts: vi.fn().mockReturnValue([]),
+    };
+    const account = makeAccount();
+    const helpers = createRefreshHelpers({
+      client: {},
+      config: {
+        idle_refresh: {
+          enabled: true,
+          window_minutes: 10,
+          min_interval_minutes: 1,
+        },
+      } as never,
+      getAccountManager: () => accountManager as never,
+      debugLog: vi.fn(),
+    });
+    const idleCall = helpers.refreshAccountTokenSingleFlight(account, "idle").catch((error) => error);
+    await nextTick();
+    await nextTick();
+
+    const foregroundCallA = helpers.refreshAccountTokenSingleFlight(account, "foreground").catch((error) => error);
+    const foregroundCallB = helpers.refreshAccountTokenSingleFlight(account, "foreground").catch((error) => error);
+    await nextTick();
+
+    idleRefresh.reject(idleFailure);
+    await expect(idleCall).resolves.toBe(idleFailure);
+    await nextTick();
+
+    expect(mockRefreshToken).toHaveBeenCalledTimes(2);
+
+    foregroundRefresh.reject(foregroundFailure);
+
+    await expect(foregroundCallA).resolves.toBe(foregroundFailure);
+    await expect(foregroundCallB).resolves.toBe(foregroundFailure);
+  });
+
+  it("does not adopt older expired-fallback disk auth when only access differs", () => {
+    const currentTime = Date.now();
+    const account = makeAccount({
+      refreshToken: "refresh-current",
+      access: "access-current",
+      expires: currentTime - 1_000,
+      tokenUpdatedAt: currentTime,
+    });
+
+    const adopted = applyDiskAuthIfFresher(
+      account,
+      {
+        refreshToken: "refresh-current",
+        access: "access-stale",
+        expires: currentTime + 60_000,
+        tokenUpdatedAt: currentTime - 60_000,
+      },
+      { allowExpiredFallback: true },
+    );
+
+    expect(adopted).toBe(false);
+    expect(account.refreshToken).toBe("refresh-current");
+    expect(account.access).toBe("access-current");
+    expect(account.tokenUpdatedAt).toBe(currentTime);
+  });
 });

package/src/token-refresh.ts

@@ -61,21 +61,25 @@ export function applyDiskAuthIfFresher(
   if (!diskAuth) return false;
   const diskTokenUpdatedAt = diskAuth.tokenUpdatedAt || 0;
   const memTokenUpdatedAt = account.tokenUpdatedAt || 0;
-  const diskHasDifferentAuth = diskAuth.refreshToken !== account.refreshToken || diskAuth.access !== account.access;
+  const diskIsNewer = diskTokenUpdatedAt > memTokenUpdatedAt;
+  const diskHasDifferentRefreshToken = diskAuth.refreshToken !== account.refreshToken;
   const memAuthExpired = !account.expires || account.expires <= Date.now();
   const allowExpiredFallback = options.allowExpiredFallback === true;
-  if (diskTokenUpdatedAt <= memTokenUpdatedAt && !(allowExpiredFallback && diskHasDifferentAuth && memAuthExpired)) {
+  if (!diskIsNewer && !(allowExpiredFallback && diskHasDifferentRefreshToken && memAuthExpired)) {
     return false;
   }
   account.refreshToken = diskAuth.refreshToken;
   account.access = diskAuth.access;
   account.expires = diskAuth.expires;
-  account.tokenUpdatedAt = Math.max(memTokenUpdatedAt, diskTokenUpdatedAt);
+  if (diskIsNewer) {
+    account.tokenUpdatedAt = diskTokenUpdatedAt;
+  }
   return true;
 }
 
 export interface RefreshAccountTokenOptions {
   onTokensUpdated?: () => Promise<void>;
+  debugLog?: (...args: unknown[]) => void;
 }
 
 export interface OpenCodeClient {
@@ -188,12 +192,10 @@ export async function refreshAccountToken(
   account: ManagedAccount,
   client: OpenCodeClient,
   source: "foreground" | "idle" = "foreground",
-  { onTokensUpdated }: RefreshAccountTokenOptions = {},
+  { onTokensUpdated, debugLog }: RefreshAccountTokenOptions = {},
 ): Promise<string> {
   const lockResult = await acquireRefreshLock(account.id, {
-    timeoutMs: 2_000,
     backoffMs: 60,
-    staleMs: 20_000,
   });
   const lock =
     lockResult && typeof lockResult === "object"
@@ -233,7 +235,9 @@ export async function refreshAccountToken(
       const accessToken = await refreshCCAccount(account);
       if (accessToken) {
         if (onTokensUpdated) {
-          await onTokensUpdated().catch(() => undefined);
+          await onTokensUpdated().catch((err) => {
+            debugLog?.("onTokensUpdated failed:", (err as Error).message);
+          });
         }
 
         await client.auth
@@ -246,7 +250,9 @@ export async function refreshAccountToken(
               expires: account.expires,
             },
           })
-          .catch(() => undefined);
+          .catch((err) => {
+            debugLog?.("auth.set failed:", (err as Error).message);
+          });
         return accessToken;
       }
       throw new Error("CC credential refresh failed");