@vacbo/opencode-anthropic-fix 0.0.45 → 0.1.2

package/README.md

@@ -33,6 +33,8 @@ opencode
 
 That's it. OpenCode will now use your Claude subscription directly. All model costs show as $0.00.
 
+Manual parallel QA: `bash scripts/qa-parallel.sh`
+
 ## What This Fork Adds
 
 The [original plugin](https://github.com/anomalyco/opencode-anthropic-auth) provided basic OAuth support. This fork adds:
@@ -555,6 +557,17 @@ Configuration is stored at `~/.config/opencode/anthropic-auth.json`. All setting
 - In OAuth mode, the plugin always includes `oauth-2025-04-20` in `anthropic-beta`.
 - This applies to all models, including Haiku.
 
+## Per-instance Proxy Lifecycle
+
+The plugin uses a dedicated HTTP proxy per OpenCode instance to handle TLS fingerprint mimicry. This architecture provides isolation and graceful degradation:
+
+- **Each OpenCode instance owns its own proxy** — when you open multiple OpenCode tabs or windows, each gets an independent proxy process
+- **Proxy dies with parent process** — the proxy monitors its parent PID and exits automatically if the parent dies, preventing orphaned processes
+- **Ephemeral port allocation** — each proxy binds to an available ephemeral port (port 0) to avoid conflicts between instances
+- **Graceful fallback to native fetch** — if Bun is unavailable or the proxy fails to start, requests fall back to native Node.js fetch without TLS mimicry
+
+This design ensures that proxy failures are isolated to a single OpenCode instance and never affect other running instances.
+
 ## How It Works
 
 When you make a request through OpenCode:
@@ -666,6 +679,12 @@ Make sure `~/.local/bin` is on your PATH:
 export PATH="$HOME/.local/bin:$PATH"
 ```
 
+## Known Limitations
+
+- **Windows native fetch fallback** — On Windows, the Bun-based TLS mimicry proxy is not available. Requests fall back to native Node.js fetch without fingerprint mimicry. This is a platform limitation; the plugin still functions but with reduced request signature parity.
+
+- **Claude Code refresh blocking** — When reusing Claude Code credentials, token refresh can block for up to 60 seconds while invoking the `claude` CLI. This is a known latent issue in the credential reuse flow and is outside the scope of this plugin's control.
+
 ## License
 
 Same as upstream. See [anomalyco/opencode-anthropic-auth](https://github.com/anomalyco/opencode-anthropic-auth).

package/dist/bun-proxy.mjs

@@ -1,64 +1,291 @@
 // src/bun-proxy.ts
-var PORT = parseInt(process.argv[2] || "48372", 10);
-var server = Bun.serve({
-  port: PORT,
-  async fetch(req) {
-    if (new URL(req.url).pathname === "/__health") {
-      return new Response("ok");
+import { resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+
+// src/parent-pid-watcher.ts
+var DEFAULT_POLL_INTERVAL_MS = 5e3;
+function assertValidParentPid(parentPid) {
+  if (!Number.isInteger(parentPid) || parentPid <= 0) {
+    throw new Error("Parent PID must be a positive integer.");
+  }
+}
+function assertValidPollInterval(pollIntervalMs) {
+  if (!Number.isFinite(pollIntervalMs) || pollIntervalMs <= 0) {
+    throw new Error("Poll interval must be a positive number.");
+  }
+}
+function isParentAlive(parentPid) {
+  try {
+    process.kill(parentPid, 0);
+    return true;
+  } catch (error) {
+    const code = error.code;
+    if (code === "ESRCH") {
+      return false;
     }
-    const targetUrl = req.headers.get("x-proxy-url");
-    if (!targetUrl) {
-      return new Response("Missing x-proxy-url", { status: 400 });
+    if (code === "EPERM") {
+      return true;
     }
-    const headers = new Headers(req.headers);
-    headers.delete("x-proxy-url");
-    headers.delete("host");
-    headers.delete("connection");
-    const body = req.method !== "GET" && req.method !== "HEAD" ? await req.arrayBuffer() : void 0;
-    if (targetUrl.includes("/v1/messages") && !targetUrl.includes("count_tokens")) {
-      const logHeaders = {};
-      headers.forEach((v, k) => {
-        logHeaders[k] = k === "authorization" ? "Bearer ***" : v;
-      });
-      let systemPreview = "";
-      if (body) {
-        try {
-          const parsed = JSON.parse(new TextDecoder().decode(body));
-          if (Array.isArray(parsed.system)) {
-            systemPreview = JSON.stringify(parsed.system.slice(0, 3).map((b) => ({
-              text: typeof b.text === "string" ? b.text.slice(0, 200) : "(non-text)",
-              cache_control: b.cache_control
-            })), null, 2);
-          }
-        } catch {
-        }
+    return true;
+  }
+}
+var ParentPidWatcher = class {
+  parentPid;
+  pollIntervalMs;
+  onParentGone;
+  interval = null;
+  shouldMonitorPpidDrift = false;
+  constructor(options) {
+    this.parentPid = options.parentPid;
+    this.pollIntervalMs = options.pollIntervalMs ?? DEFAULT_POLL_INTERVAL_MS;
+    this.onParentGone = options.onParentGone;
+  }
+  start() {
+    if (this.interval) {
+      return;
+    }
+    assertValidParentPid(this.parentPid);
+    assertValidPollInterval(this.pollIntervalMs);
+    this.shouldMonitorPpidDrift = process.ppid === this.parentPid;
+    this.interval = setInterval(() => {
+      if (this.shouldMonitorPpidDrift && process.ppid !== this.parentPid) {
+        this.handleParentGone();
+        return;
       }
-      console.error(`
-[bun-proxy] === /v1/messages REQUEST ===`);
-      console.error(`[bun-proxy] URL: ${targetUrl}`);
-      console.error(`[bun-proxy] Headers: ${JSON.stringify(logHeaders, null, 2)}`);
-      if (systemPreview) console.error(`[bun-proxy] System blocks (first 3): ${systemPreview}`);
-      console.error(`[bun-proxy] ===========================
-`);
+      if (!isParentAlive(this.parentPid)) {
+        this.handleParentGone();
+      }
+    }, this.pollIntervalMs);
+  }
+  stop() {
+    if (!this.interval) {
+      return;
+    }
+    clearInterval(this.interval);
+    this.interval = null;
+    this.shouldMonitorPpidDrift = false;
+  }
+  handleParentGone() {
+    this.stop();
+    this.onParentGone();
+  }
+};
+
+// src/bun-proxy.ts
+var DEFAULT_ALLOWED_HOSTS = ["api.anthropic.com", "platform.claude.com"];
+var DEFAULT_REQUEST_TIMEOUT_MS = 6e5;
+var DEFAULT_PARENT_EXIT_CODE = 1;
+var DEFAULT_PARENT_POLL_INTERVAL_MS = 5e3;
+var HEALTH_PATH = "/__health";
+var DEBUG_ENABLED = process.env.OPENCODE_ANTHROPIC_DEBUG === "1";
+function isMainModule(argv = process.argv) {
+  return Boolean(argv[1]) && resolve(argv[1]) === fileURLToPath(import.meta.url);
+}
+function parseInteger(value) {
+  const parsed = Number.parseInt(value ?? "", 10);
+  return Number.isInteger(parsed) && parsed > 0 ? parsed : null;
+}
+function parseParentPid(argv) {
+  const inlineValue = argv.map((argument) => argument.match(/^--parent-pid=(\d+)$/)?.[1] ?? null).find((value) => value !== null);
+  if (inlineValue) {
+    return parseInteger(inlineValue);
+  }
+  const flagIndex = argv.indexOf("--parent-pid");
+  return flagIndex >= 0 ? parseInteger(argv[flagIndex + 1]) : null;
+}
+function createNoopWatcher() {
+  return {
+    start() {
+    },
+    stop() {
+    }
+  };
+}
+function createDefaultParentWatcherFactory() {
+  return ({ parentPid, onParentExit, pollIntervalMs, exitCode }) => new ParentPidWatcher({
+    parentPid,
+    pollIntervalMs,
+    onParentGone: () => {
+      onParentExit(exitCode);
     }
+  });
+}
+function sanitizeForwardHeaders(source) {
+  const headers = new Headers(source);
+  ["x-proxy-url", "host", "connection", "content-length"].forEach((headerName) => {
+    headers.delete(headerName);
+  });
+  return headers;
+}
+function copyResponseHeaders(source) {
+  const headers = new Headers(source);
+  ["transfer-encoding", "content-encoding"].forEach((headerName) => {
+    headers.delete(headerName);
+  });
+  return headers;
+}
+function resolveTargetUrl(req, allowedHosts) {
+  const targetUrl = req.headers.get("x-proxy-url");
+  if (!targetUrl) {
+    return new Response("Missing x-proxy-url", { status: 400 });
+  }
+  try {
+    const parsedUrl = new URL(targetUrl);
+    if (allowedHosts.size > 0 && !allowedHosts.has(parsedUrl.hostname)) {
+      return new Response(`Host not allowed: ${parsedUrl.hostname}`, { status: 403 });
+    }
+    return parsedUrl;
+  } catch {
+    return new Response("Invalid x-proxy-url", { status: 400 });
+  }
+}
+function createAbortContext(requestTimeoutMs) {
+  const timeoutController = new AbortController();
+  const timer = setTimeout(() => {
+    timeoutController.abort(new DOMException("Upstream request timed out", "TimeoutError"));
+  }, requestTimeoutMs);
+  timer.unref?.();
+  return {
+    timeoutSignal: timeoutController.signal,
+    cancelTimeout() {
+      clearTimeout(timer);
+    }
+  };
+}
+function isAbortError(error) {
+  return error instanceof DOMException ? error.name === "AbortError" || error.name === "TimeoutError" : error instanceof Error && (error.name === "AbortError" || error.name === "TimeoutError");
+}
+function isTimeoutAbort(signal) {
+  const reason = signal.reason;
+  return reason instanceof DOMException ? reason.name === "TimeoutError" : reason instanceof Error && reason.name === "TimeoutError";
+}
+function createAbortResponse(req, timeoutSignal) {
+  return req.signal.aborted ? new Response("Client disconnected", { status: 499 }) : isTimeoutAbort(timeoutSignal) ? new Response("Upstream request timed out", { status: 504 }) : new Response("Upstream request aborted", { status: 499 });
+}
+async function createUpstreamInit(req, signal) {
+  const method = req.method || "GET";
+  const hasBody = method !== "GET" && method !== "HEAD";
+  const bodyText = hasBody ? await req.text() : "";
+  return {
+    method,
+    headers: sanitizeForwardHeaders(req.headers),
+    signal,
+    ...hasBody && bodyText.length > 0 ? { body: bodyText } : {}
+  };
+}
+function logRequest(targetUrl, req) {
+  if (!DEBUG_ENABLED) {
+    return;
+  }
+  const logHeaders = Object.fromEntries(
+    [...sanitizeForwardHeaders(req.headers).entries()].map(([key, value]) => [
+      key,
+      key === "authorization" ? "Bearer ***" : value
+    ])
+  );
+  console.error("\n[bun-proxy] === FORWARDED REQUEST ===");
+  console.error(`[bun-proxy] ${req.method} ${targetUrl.toString()}`);
+  console.error(`[bun-proxy] Headers: ${JSON.stringify(logHeaders, null, 2)}`);
+  console.error("[bun-proxy] =========================\n");
+}
+function createProxyRequestHandler(options) {
+  const allowedHosts = new Set(options.allowHosts ?? DEFAULT_ALLOWED_HOSTS);
+  const requestTimeoutMs = options.requestTimeoutMs ?? DEFAULT_REQUEST_TIMEOUT_MS;
+  return async function handleProxyRequest(req) {
+    if (new URL(req.url).pathname === HEALTH_PATH) {
+      return new Response("ok");
+    }
+    const targetUrl = resolveTargetUrl(req, allowedHosts);
+    if (targetUrl instanceof Response) {
+      return targetUrl;
+    }
+    const abortContext = createAbortContext(requestTimeoutMs);
+    const upstreamSignal = AbortSignal.any([req.signal, abortContext.timeoutSignal]);
+    const upstreamInit = await createUpstreamInit(req, upstreamSignal);
+    logRequest(targetUrl, req);
     try {
-      const resp = await fetch(targetUrl, {
-        method: req.method,
-        headers,
-        body
+      const upstreamResponse = await options.fetchImpl(targetUrl.toString(), upstreamInit);
+      return new Response(upstreamResponse.body, {
+        status: upstreamResponse.status,
+        statusText: upstreamResponse.statusText,
+        headers: copyResponseHeaders(upstreamResponse.headers)
       });
-      const respHeaders = new Headers(resp.headers);
-      respHeaders.delete("transfer-encoding");
-      respHeaders.delete("content-encoding");
-      return new Response(resp.body, {
-        status: resp.status,
-        statusText: resp.statusText,
-        headers: respHeaders
-      });
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : String(err);
-      return new Response(msg, { status: 502 });
+    } catch (error) {
+      if (upstreamSignal.aborted && isAbortError(error)) {
+        return createAbortResponse(req, abortContext.timeoutSignal);
+      }
+      const message = error instanceof Error ? error.message : String(error);
+      return new Response(message, { status: 502 });
+    } finally {
+      abortContext.cancelTimeout();
+    }
+  };
+}
+function createProxyProcessRuntime(options = {}) {
+  const argv = options.argv ?? process.argv;
+  const parentPid = parseParentPid(argv);
+  if (!parentPid) {
+    return createNoopWatcher();
+  }
+  const exit = options.exit ?? process.exit;
+  const parentWatcherFactory = options.parentWatcherFactory ?? createDefaultParentWatcherFactory();
+  return parentWatcherFactory({
+    parentPid,
+    pollIntervalMs: DEFAULT_PARENT_POLL_INTERVAL_MS,
+    exitCode: DEFAULT_PARENT_EXIT_CODE,
+    onParentExit: (exitCode) => {
+      exit(exitCode ?? DEFAULT_PARENT_EXIT_CODE);
     }
+  });
+}
+function assertBunRuntime() {
+  if (typeof Bun === "undefined") {
+    throw new Error("bun-proxy.ts must be executed with Bun.");
   }
-});
-console.log(`BUN_PROXY_PORT=${server.port}`);
+  return Bun;
+}
+async function runProxyProcess() {
+  const bun = assertBunRuntime();
+  const watcher = createProxyProcessRuntime();
+  const server = bun.serve({
+    port: 0,
+    fetch: createProxyRequestHandler({
+      fetchImpl: fetch,
+      allowHosts: DEFAULT_ALLOWED_HOSTS,
+      requestTimeoutMs: DEFAULT_REQUEST_TIMEOUT_MS
+    })
+  });
+  const lifecycle = {
+    closed: false
+  };
+  const shutdown = (exitCode = 0) => {
+    if (lifecycle.closed) {
+      return;
+    }
+    lifecycle.closed = true;
+    watcher.stop();
+    server.stop(true);
+    process.exit(exitCode);
+  };
+  process.on("SIGTERM", () => {
+    shutdown(0);
+  });
+  process.on("SIGINT", () => {
+    shutdown(0);
+  });
+  watcher.start();
+  process.stdout.write(`BUN_PROXY_PORT=${server.port}
+`);
+}
+if (isMainModule()) {
+  void runProxyProcess().catch((error) => {
+    const message = error instanceof Error ? error.stack ?? error.message : String(error);
+    process.stderr.write(`${message}
+`);
+    process.exit(1);
+  });
+}
+export {
+  createProxyProcessRuntime,
+  createProxyRequestHandler
+};