@vacbo/opencode-anthropic-fix 0.0.45 → 0.1.2

package/dist/opencode-anthropic-auth-plugin.js

@@ -4,16 +4,10 @@ var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
 var __getOwnPropNames = Object.getOwnPropertyNames;
 var __getProtoOf = Object.getPrototypeOf;
 var __hasOwnProp = Object.prototype.hasOwnProperty;
-var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
-  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
-}) : x)(function(x) {
-  if (typeof require !== "undefined") return require.apply(this, arguments);
-  throw Error('Dynamic require of "' + x + '" is not supported');
-});
 var __esm = (fn, res) => function __init() {
   return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
 };
-var __commonJS = (cb, mod) => function __require2() {
+var __commonJS = (cb, mod) => function __require() {
   return mod || (0, cb[__getOwnPropNames(cb)[0]])((mod = { exports: {} }).exports, mod), mod.exports;
 };
 var __export = (target, all) => {
@@ -37,6 +31,84 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
   mod
 ));
 
+// src/account-identity.ts
+function isCCAccountSource(source) {
+  return source === "cc-keychain" || source === "cc-file";
+}
+function isAccountIdentity(value) {
+  if (!value || typeof value !== "object") return false;
+  const candidate = value;
+  switch (candidate.kind) {
+    case "oauth":
+      return typeof candidate.email === "string" && candidate.email.length > 0;
+    case "cc":
+      return isCCAccountSource(candidate.source) && typeof candidate.label === "string";
+    case "legacy":
+      return typeof candidate.refreshToken === "string" && candidate.refreshToken.length > 0;
+    default:
+      return false;
+  }
+}
+function resolveIdentity(account) {
+  if (isAccountIdentity(account.identity)) {
+    return account.identity;
+  }
+  if (account.source === "oauth" && account.email) {
+    return { kind: "oauth", email: account.email };
+  }
+  if (isCCAccountSource(account.source) && account.label) {
+    return { kind: "cc", source: account.source, label: account.label };
+  }
+  return { kind: "legacy", refreshToken: account.refreshToken };
+}
+function resolveIdentityFromCCCredential(cred) {
+  return {
+    kind: "cc",
+    source: cred.source,
+    label: cred.label
+  };
+}
+function resolveIdentityFromOAuthExchange(result) {
+  if (result.email) {
+    return {
+      kind: "oauth",
+      email: result.email
+    };
+  }
+  return {
+    kind: "legacy",
+    refreshToken: result.refresh
+  };
+}
+function identitiesMatch(a, b) {
+  if (a.kind !== b.kind) return false;
+  switch (a.kind) {
+    case "oauth": {
+      return a.email === b.email;
+    }
+    case "cc": {
+      const ccIdentity = b;
+      return a.source === ccIdentity.source && a.label === ccIdentity.label;
+    }
+    case "legacy": {
+      return a.refreshToken === b.refreshToken;
+    }
+  }
+}
+function findByIdentity(accounts, id) {
+  for (const account of accounts) {
+    if (identitiesMatch(resolveIdentity(account), id)) {
+      return account;
+    }
+  }
+  return null;
+}
+var init_account_identity = __esm({
+  "src/account-identity.ts"() {
+    "use strict";
+  }
+});
+
 // src/config.ts
 import { existsSync, mkdirSync, readFileSync as readFileSync2, renameSync, writeFileSync } from "node:fs";
 import { homedir as homedir2 } from "node:os";
@@ -410,6 +482,8 @@ function validateAccount(raw, now) {
   return {
     id,
     email: typeof acc.email === "string" ? acc.email : void 0,
+    identity: isAccountIdentity2(acc.identity) ? acc.identity : void 0,
+    label: typeof acc.label === "string" ? acc.label : void 0,
     refreshToken: acc.refreshToken,
     access: typeof acc.access === "string" ? acc.access : void 0,
     expires: typeof acc.expires === "number" && Number.isFinite(acc.expires) ? acc.expires : void 0,
@@ -425,6 +499,106 @@ function validateAccount(raw, now) {
     source: acc.source === "cc-keychain" || acc.source === "cc-file" || acc.source === "oauth" ? acc.source : void 0
   };
 }
+function isAccountIdentity2(value) {
+  if (!value || typeof value !== "object") return false;
+  const candidate = value;
+  switch (candidate.kind) {
+    case "oauth":
+      return typeof candidate.email === "string" && candidate.email.length > 0;
+    case "cc":
+      return (candidate.source === "cc-keychain" || candidate.source === "cc-file") && typeof candidate.label === "string";
+    case "legacy":
+      return typeof candidate.refreshToken === "string" && candidate.refreshToken.length > 0;
+    default:
+      return false;
+  }
+}
+function resolveStoredIdentity(candidate) {
+  if (isAccountIdentity2(candidate.identity)) {
+    return candidate.identity;
+  }
+  if (candidate.source === "oauth" && candidate.email) {
+    return { kind: "oauth", email: candidate.email };
+  }
+  if ((candidate.source === "cc-keychain" || candidate.source === "cc-file") && candidate.label) {
+    return {
+      kind: "cc",
+      source: candidate.source,
+      label: candidate.label
+    };
+  }
+  return { kind: "legacy", refreshToken: candidate.refreshToken };
+}
+function resolveTokenUpdatedAt(account) {
+  return typeof account.token_updated_at === "number" && Number.isFinite(account.token_updated_at) ? account.token_updated_at : account.addedAt;
+}
+function clampActiveIndex(accounts, activeIndex) {
+  if (accounts.length === 0) {
+    return 0;
+  }
+  return Math.max(0, Math.min(activeIndex, accounts.length - 1));
+}
+function findStoredAccountMatch(accounts, candidate) {
+  const byId = accounts.find((account) => account.id === candidate.id);
+  if (byId) {
+    return byId;
+  }
+  const byIdentity = findByIdentity(accounts, resolveStoredIdentity(candidate));
+  if (byIdentity) {
+    return byIdentity;
+  }
+  const byAddedAt = accounts.filter((account) => account.addedAt === candidate.addedAt);
+  if (byAddedAt.length === 1) {
+    return byAddedAt[0];
+  }
+  const byRefreshToken = accounts.find((account) => account.refreshToken === candidate.refreshToken);
+  if (byRefreshToken) {
+    return byRefreshToken;
+  }
+  return byAddedAt[0] ?? null;
+}
+function mergeAccountWithFresherAuth(account, diskMatch) {
+  const memoryTokenUpdatedAt = resolveTokenUpdatedAt(account);
+  const diskTokenUpdatedAt = diskMatch ? resolveTokenUpdatedAt(diskMatch) : 0;
+  if (!diskMatch || diskTokenUpdatedAt <= memoryTokenUpdatedAt) {
+    return {
+      ...account,
+      token_updated_at: memoryTokenUpdatedAt
+    };
+  }
+  return {
+    ...account,
+    refreshToken: diskMatch.refreshToken,
+    access: diskMatch.access,
+    expires: diskMatch.expires,
+    token_updated_at: diskTokenUpdatedAt
+  };
+}
+function unionAccountsWithDisk(storage, disk) {
+  if (!disk || storage.accounts.length === 0) {
+    return {
+      ...storage,
+      activeIndex: clampActiveIndex(storage.accounts, storage.activeIndex)
+    };
+  }
+  const activeAccountId = storage.accounts[storage.activeIndex]?.id ?? null;
+  const matchedDiskAccounts = /* @__PURE__ */ new Set();
+  const mergedAccounts = storage.accounts.map((account) => {
+    const diskMatch = findStoredAccountMatch(disk.accounts, account);
+    if (diskMatch) {
+      matchedDiskAccounts.add(diskMatch);
+    }
+    return mergeAccountWithFresherAuth(account, diskMatch);
+  });
+  const diskOnlyAccounts = disk.accounts.filter((account) => !matchedDiskAccounts.has(account));
+  const accounts = [...mergedAccounts, ...diskOnlyAccounts];
+  const activeIndex = activeAccountId ? accounts.findIndex((account) => account.id === activeAccountId) : -1;
+  return {
+    ...storage,
+    accounts,
+    activeIndex: activeIndex >= 0 ? activeIndex : clampActiveIndex(accounts, storage.activeIndex)
+  };
+}
 async function loadAccounts() {
   const storagePath = getStoragePath();
   try {
@@ -434,7 +608,9 @@ async function loadAccounts() {
       return null;
     }
     if (data.version !== CURRENT_VERSION) {
-      return null;
+      console.warn(
+        `Storage version mismatch: ${String(data.version)} vs ${CURRENT_VERSION}. Attempting best-effort migration.`
+      );
     }
     const now = Date.now();
     const accounts = data.accounts.map((raw) => validateAccount(raw, now)).filter((acc) => acc !== null);
@@ -461,53 +637,13 @@ async function saveAccounts(storage) {
   const configDir = dirname2(storagePath);
   await fs.mkdir(configDir, { recursive: true });
   ensureGitignore(configDir);
-  let storageToWrite = storage;
+  let storageToWrite = {
+    ...storage,
+    activeIndex: clampActiveIndex(storage.accounts, storage.activeIndex)
+  };
   try {
     const disk = await loadAccounts();
-    if (disk && storage.accounts.length > 0) {
-      const diskById = new Map(disk.accounts.map((a) => [a.id, a]));
-      const diskByAddedAt = /* @__PURE__ */ new Map();
-      const diskByToken = new Map(disk.accounts.map((a) => [a.refreshToken, a]));
-      for (const d3 of disk.accounts) {
-        const bucket = diskByAddedAt.get(d3.addedAt) || [];
-        bucket.push(d3);
-        diskByAddedAt.set(d3.addedAt, bucket);
-      }
-      const findDiskMatch = (acc) => {
-        const byId = diskById.get(acc.id);
-        if (byId) return byId;
-        const byAddedAt = diskByAddedAt.get(acc.addedAt);
-        if (byAddedAt?.length === 1) return byAddedAt[0];
-        const byToken = diskByToken.get(acc.refreshToken);
-        if (byToken) return byToken;
-        if (byAddedAt && byAddedAt.length > 0) return byAddedAt[0];
-        return null;
-      };
-      const mergedAccounts = storage.accounts.map((acc) => {
-        const diskAcc = findDiskMatch(acc);
-        const memTs = typeof acc.token_updated_at === "number" && Number.isFinite(acc.token_updated_at) ? acc.token_updated_at : acc.addedAt;
-        const diskTs = diskAcc?.token_updated_at || 0;
-        const useDiskAuth = !!diskAcc && diskTs > memTs;
-        return {
-          ...acc,
-          refreshToken: useDiskAuth ? diskAcc.refreshToken : acc.refreshToken,
-          access: useDiskAuth ? diskAcc.access : acc.access,
-          expires: useDiskAuth ? diskAcc.expires : acc.expires,
-          token_updated_at: useDiskAuth ? diskTs : memTs
-        };
-      });
-      let activeIndex = storage.activeIndex;
-      if (mergedAccounts.length > 0) {
-        activeIndex = Math.max(0, Math.min(activeIndex, mergedAccounts.length - 1));
-      } else {
-        activeIndex = 0;
-      }
-      storageToWrite = {
-        ...storage,
-        accounts: mergedAccounts,
-        activeIndex
-      };
-    }
+    storageToWrite = unionAccountsWithDisk(storageToWrite, disk);
   } catch {
   }
   const tempPath = `${storagePath}.${randomBytes(6).toString("hex")}.tmp`;
@@ -536,6 +672,7 @@ var CURRENT_VERSION, GITIGNORE_ENTRIES;
 var init_storage = __esm({
   "src/storage.ts"() {
     "use strict";
+    init_account_identity();
     init_config();
     CURRENT_VERSION = 1;
     GITIGNORE_ENTRIES = [".gitignore", "anthropic-accounts.json", "anthropic-accounts.json.*.tmp"];
@@ -1950,14 +2087,20 @@ async function cmdLogin() {
   const credentials = await runOAuthFlow();
   if (!credentials) return 1;
   const storage = stored || { version: 1, accounts: [], activeIndex: 0 };
-  const existingIdx = storage.accounts.findIndex((acc) => acc.refreshToken === credentials.refresh);
-  if (existingIdx >= 0) {
-    storage.accounts[existingIdx].access = credentials.access;
-    storage.accounts[existingIdx].expires = credentials.expires;
-    if (credentials.email) storage.accounts[existingIdx].email = credentials.email;
-    storage.accounts[existingIdx].enabled = true;
+  const identity = resolveIdentityFromOAuthExchange(credentials);
+  const existing = findByIdentity(storage.accounts, identity) || storage.accounts.find((acc) => acc.refreshToken === credentials.refresh);
+  if (existing) {
+    const existingIdx = storage.accounts.indexOf(existing);
+    existing.refreshToken = credentials.refresh;
+    existing.access = credentials.access;
+    existing.expires = credentials.expires;
+    existing.token_updated_at = Date.now();
+    if (credentials.email) existing.email = credentials.email;
+    existing.identity = identity;
+    existing.source = existing.source ?? "oauth";
+    existing.enabled = true;
     await saveAccounts(storage);
-    const label2 = credentials.email || `Account ${existingIdx + 1}`;
+    const label2 = credentials.email || existing.email || `Account ${existingIdx + 1}`;
     O2.success(`Updated existing account #${existingIdx + 1} (${label2}).`);
     return 0;
   }
@@ -1969,6 +2112,7 @@ async function cmdLogin() {
   storage.accounts.push({
     id: `${now}:${credentials.refresh.slice(0, 12)}`,
     email: credentials.email,
+    identity,
     refreshToken: credentials.refresh,
     access: credentials.access,
     expires: credentials.expires,
@@ -1979,7 +2123,8 @@ async function cmdLogin() {
     rateLimitResetTimes: {},
     consecutiveFailures: 0,
     lastFailureTime: null,
-    stats: createDefaultStats(now)
+    stats: createDefaultStats(now),
+    source: "oauth"
   });
   await saveAccounts(storage);
   const label = credentials.email || `Account ${storage.accounts.length}`;
@@ -2177,7 +2322,8 @@ async function cmdList() {
     }
   }
   if (anyRefreshed) {
-    await saveAccounts(stored).catch(() => {
+    await saveAccounts(stored).catch((err) => {
+      console.error("[opencode-anthropic-auth] failed to persist refreshed tokens:", err);
     });
   }
   O2.message(c2.bold("Anthropic Multi-Account Status"));
@@ -3173,6 +3319,7 @@ var USE_COLOR, ansi, c2, QUOTA_BUCKETS, USAGE_INDENT, USAGE_LABEL_WIDTH, ioConte
 var init_cli = __esm({
   async "src/cli.ts"() {
     "use strict";
+    init_account_identity();
     init_config();
     init_oauth();
     init_storage();
@@ -3458,6 +3605,9 @@ function readCCCredentials() {
   return credentials;
 }
 
+// src/accounts.ts
+init_account_identity();
+
 // src/rotation.ts
 init_config();
 var HealthScoreTracker = class {
@@ -3643,6 +3793,111 @@ function selectAccount(candidates, strategy, currentIndex, healthTracker, tokenT
 init_storage();
 var MAX_ACCOUNTS = 10;
 var RATE_LIMIT_KEY = "anthropic";
+function resolveAccountIdentity(params) {
+  if (params.identity) {
+    return params.identity;
+  }
+  if ((params.source === "cc-keychain" || params.source === "cc-file") && params.label) {
+    return {
+      kind: "cc",
+      source: params.source,
+      label: params.label
+    };
+  }
+  if (params.email) {
+    return {
+      kind: "oauth",
+      email: params.email
+    };
+  }
+  return {
+    kind: "legacy",
+    refreshToken: params.refreshToken
+  };
+}
+function createManagedAccount(init) {
+  const now = init.now ?? Date.now();
+  const addedAt = init.addedAt ?? now;
+  const tokenUpdatedAt = init.tokenUpdatedAt ?? addedAt;
+  const identity = resolveAccountIdentity({
+    refreshToken: init.refreshToken,
+    email: init.email,
+    identity: init.identity,
+    label: init.label,
+    source: init.source
+  });
+  const email = init.email ?? (identity.kind === "oauth" ? identity.email : void 0);
+  const label = init.label ?? (identity.kind === "cc" ? identity.label : void 0);
+  const source = init.source ?? (identity.kind === "cc" ? identity.source : "oauth");
+  return {
+    id: init.id ?? `${addedAt}:${init.refreshToken.slice(0, 12)}`,
+    index: init.index,
+    email,
+    identity,
+    label,
+    refreshToken: init.refreshToken,
+    access: init.access,
+    expires: init.expires,
+    tokenUpdatedAt,
+    addedAt,
+    lastUsed: init.lastUsed ?? 0,
+    enabled: init.enabled ?? true,
+    rateLimitResetTimes: { ...init.rateLimitResetTimes ?? {} },
+    consecutiveFailures: init.consecutiveFailures ?? 0,
+    lastFailureTime: init.lastFailureTime ?? null,
+    lastSwitchReason: init.lastSwitchReason ?? "initial",
+    stats: init.stats ?? createDefaultStats(addedAt),
+    source
+  };
+}
+function findMatchingAccount(accounts, params) {
+  if (params.id) {
+    const byId = accounts.find((account) => account.id === params.id);
+    if (byId) return byId;
+  }
+  if (params.identity) {
+    const byIdentity = findByIdentity(accounts, params.identity);
+    if (byIdentity) return byIdentity;
+  }
+  if (params.refreshToken) {
+    return accounts.find((account) => account.refreshToken === params.refreshToken) ?? null;
+  }
+  return null;
+}
+function reindexAccounts(accounts) {
+  accounts.forEach((account, index) => {
+    account.index = index;
+  });
+}
+function updateManagedAccountFromStorage(existing, account, index) {
+  const source = account.source || existing.source || "oauth";
+  const label = account.label ?? existing.label;
+  const email = account.email ?? existing.email;
+  existing.id = account.id || existing.id || `${account.addedAt}:${account.refreshToken.slice(0, 12)}`;
+  existing.index = index;
+  existing.email = email;
+  existing.label = label;
+  existing.identity = resolveAccountIdentity({
+    refreshToken: account.refreshToken,
+    email,
+    identity: account.identity ?? existing.identity,
+    label,
+    source
+  });
+  existing.refreshToken = account.refreshToken;
+  existing.access = account.access ?? existing.access;
+  existing.expires = account.expires ?? existing.expires;
+  existing.tokenUpdatedAt = account.token_updated_at ?? existing.tokenUpdatedAt ?? account.addedAt;
+  existing.addedAt = account.addedAt;
+  existing.lastUsed = account.lastUsed;
+  existing.enabled = account.enabled;
+  existing.rateLimitResetTimes = { ...account.rateLimitResetTimes };
+  existing.consecutiveFailures = account.consecutiveFailures;
+  existing.lastFailureTime = account.lastFailureTime;
+  existing.lastSwitchReason = account.lastSwitchReason || existing.lastSwitchReason || "initial";
+  existing.stats = account.stats ?? existing.stats ?? createDefaultStats(account.addedAt);
+  existing.source = source;
+}
 var AccountManager = class _AccountManager {
   #accounts = [];
   #cursor = 0;
@@ -3652,11 +3907,22 @@ var AccountManager = class _AccountManager {
   #config;
   #saveTimeout = null;
   #statsDeltas = /* @__PURE__ */ new Map();
+  /**
+   * Cap on pending stats deltas. When hit, a forced flush is scheduled so the
+   * map does not grow without bound between debounced saves. This is only a
+   * safety net — under normal load the 1s debounced save in `requestSaveToDisk`
+   * keeps the delta count below this cap.
+   */
+  #MAX_STATS_DELTAS = 100;
   constructor(config) {
     this.#config = config;
     this.#healthTracker = new HealthScoreTracker(config.health_score);
     this.#tokenTracker = new TokenBucketTracker(config.token_bucket);
   }
+  #rebuildTrackers() {
+    this.#healthTracker = new HealthScoreTracker(this.#config.health_score);
+    this.#tokenTracker = new TokenBucketTracker(this.#config.token_bucket);
+  }
   /**
    * Load accounts from disk, optionally merging with an OpenCode auth fallback.
    */
@@ -3664,27 +3930,38 @@ var AccountManager = class _AccountManager {
     const manager = new _AccountManager(config);
     const stored = await loadAccounts();
     if (stored) {
-      manager.#accounts = stored.accounts.map((acc, index) => ({
-        id: acc.id || `${acc.addedAt}:${acc.refreshToken.slice(0, 12)}`,
-        index,
-        email: acc.email,
-        refreshToken: acc.refreshToken,
-        access: acc.access,
-        expires: acc.expires,
-        tokenUpdatedAt: acc.token_updated_at,
-        addedAt: acc.addedAt,
-        lastUsed: acc.lastUsed,
-        enabled: acc.enabled,
-        rateLimitResetTimes: acc.rateLimitResetTimes,
-        consecutiveFailures: acc.consecutiveFailures,
-        lastFailureTime: acc.lastFailureTime,
-        lastSwitchReason: acc.lastSwitchReason,
-        stats: acc.stats ?? createDefaultStats(acc.addedAt),
-        source: acc.source || "oauth"
-      }));
+      manager.#accounts = stored.accounts.map(
+        (acc, index) => createManagedAccount({
+          id: acc.id || `${acc.addedAt}:${acc.refreshToken.slice(0, 12)}`,
+          index,
+          email: acc.email,
+          identity: acc.identity,
+          label: acc.label,
+          refreshToken: acc.refreshToken,
+          access: acc.access,
+          expires: acc.expires,
+          tokenUpdatedAt: acc.token_updated_at,
+          addedAt: acc.addedAt,
+          lastUsed: acc.lastUsed,
+          enabled: acc.enabled,
+          rateLimitResetTimes: acc.rateLimitResetTimes,
+          consecutiveFailures: acc.consecutiveFailures,
+          lastFailureTime: acc.lastFailureTime,
+          lastSwitchReason: acc.lastSwitchReason,
+          stats: acc.stats,
+          source: acc.source || "oauth"
+        })
+      );
       manager.#currentIndex = manager.#accounts.length > 0 ? Math.min(stored.activeIndex, manager.#accounts.length - 1) : -1;
       if (authFallback && manager.#accounts.length > 0) {
-        const match = manager.#accounts.find((acc) => acc.refreshToken === authFallback.refresh);
+        const fallbackIdentity = resolveAccountIdentity({
+          refreshToken: authFallback.refresh,
+          source: "oauth"
+        });
+        const match = findMatchingAccount(manager.#accounts, {
+          identity: fallbackIdentity,
+          refreshToken: authFallback.refresh
+        });
         if (match) {
           const fallbackHasAccess = typeof authFallback.access === "string" && authFallback.access.length > 0;
           const fallbackExpires = typeof authFallback.expires === "number" ? authFallback.expires : 0;
@@ -3701,23 +3978,17 @@ var AccountManager = class _AccountManager {
     } else if (authFallback && authFallback.refresh) {
       const now = Date.now();
       manager.#accounts = [
-        {
+        createManagedAccount({
           id: `${now}:${authFallback.refresh.slice(0, 12)}`,
           index: 0,
-          email: void 0,
           refreshToken: authFallback.refresh,
           access: authFallback.access,
           expires: authFallback.expires,
           tokenUpdatedAt: now,
           addedAt: now,
-          lastUsed: 0,
-          enabled: true,
-          rateLimitResetTimes: {},
-          consecutiveFailures: 0,
-          lastFailureTime: null,
           lastSwitchReason: "initial",
-          stats: createDefaultStats(now)
-        }
+          source: "oauth"
+        })
       ];
       manager.#currentIndex = 0;
     }
@@ -3731,49 +4002,60 @@ var AccountManager = class _AccountManager {
         }
       })();
       for (const ccCredential of ccCredentials) {
-        const existingMatch = manager.#accounts.find(
-          (account) => account.refreshToken === ccCredential.refreshToken
-        );
-        if (existingMatch) {
-          if (!existingMatch.source || existingMatch.source === "oauth") {
-            existingMatch.source = ccCredential.source;
+        const ccIdentity = resolveIdentityFromCCCredential(ccCredential);
+        let existingMatch = findMatchingAccount(manager.#accounts, {
+          identity: ccIdentity,
+          refreshToken: ccCredential.refreshToken
+        });
+        if (!existingMatch) {
+          const legacyUnlabeledMatches = manager.#accounts.filter(
+            (account) => account.source === ccCredential.source && !account.label && !account.email
+          );
+          if (legacyUnlabeledMatches.length === 1) {
+            existingMatch = legacyUnlabeledMatches[0];
           }
-          if (ccCredential.accessToken && ccCredential.expiresAt > (existingMatch.expires ?? 0)) {
+        }
+        if (existingMatch) {
+          existingMatch.refreshToken = ccCredential.refreshToken;
+          existingMatch.identity = ccIdentity;
+          existingMatch.source = ccCredential.source;
+          existingMatch.label = ccCredential.label;
+          existingMatch.enabled = true;
+          if (ccCredential.accessToken) {
             existingMatch.access = ccCredential.accessToken;
+          }
+          if (ccCredential.expiresAt >= (existingMatch.expires ?? 0)) {
             existingMatch.expires = ccCredential.expiresAt;
           }
+          existingMatch.tokenUpdatedAt = Math.max(existingMatch.tokenUpdatedAt || 0, ccCredential.expiresAt || 0);
+          continue;
+        }
+        if (manager.#accounts.length >= MAX_ACCOUNTS) {
           continue;
         }
         const emailCollision = manager.getOAuthAccounts().find((account) => account.email && ccCredential.label.includes(account.email));
         if (emailCollision?.email) {
         }
         const now = Date.now();
-        const ccAccount = {
+        const ccAccount = createManagedAccount({
           id: `cc-${ccCredential.source}-${now}:${ccCredential.refreshToken.slice(0, 12)}`,
           index: manager.#accounts.length,
-          email: void 0,
           refreshToken: ccCredential.refreshToken,
           access: ccCredential.accessToken,
           expires: ccCredential.expiresAt,
           tokenUpdatedAt: now,
           addedAt: now,
-          lastUsed: 0,
-          enabled: true,
-          rateLimitResetTimes: {},
-          consecutiveFailures: 0,
-          lastFailureTime: null,
+          identity: ccIdentity,
+          label: ccCredential.label,
           lastSwitchReason: "cc-auto-detected",
-          stats: createDefaultStats(now),
           source: ccCredential.source
-        };
+        });
         manager.#accounts.push(ccAccount);
       }
       if (config.cc_credential_reuse.prefer_over_oauth && manager.getCCAccounts().length > 0) {
         manager.#accounts = [...manager.getCCAccounts(), ...manager.getOAuthAccounts()];
       }
-      manager.#accounts.forEach((account, index) => {
-        account.index = index;
-      });
+      reindexAccounts(manager.#accounts);
       if (config.cc_credential_reuse.prefer_over_oauth && manager.getCCAccounts().length > 0) {
         manager.#currentIndex = 0;
       } else if (currentAccountId) {
@@ -3913,35 +4195,47 @@ var AccountManager = class _AccountManager {
    * Add a new account to the pool.
    * @returns The new account, or null if at capacity
    */
-  addAccount(refreshToken2, accessToken, expires, email) {
-    if (this.#accounts.length >= MAX_ACCOUNTS) return null;
-    const existing = this.#accounts.find((acc) => acc.refreshToken === refreshToken2);
+  addAccount(refreshToken2, accessToken, expires, email, options) {
+    const identity = resolveAccountIdentity({
+      refreshToken: refreshToken2,
+      email,
+      identity: options?.identity,
+      label: options?.label,
+      source: options?.source ?? "oauth"
+    });
+    const existing = findMatchingAccount(this.#accounts, {
+      identity,
+      refreshToken: refreshToken2
+    });
     if (existing) {
+      existing.refreshToken = refreshToken2;
       existing.access = accessToken;
       existing.expires = expires;
       existing.tokenUpdatedAt = Date.now();
-      if (email) existing.email = email;
+      existing.email = email ?? existing.email;
+      existing.identity = identity;
+      existing.label = options?.label ?? existing.label;
+      existing.source = options?.source ?? existing.source ?? "oauth";
       existing.enabled = true;
+      this.requestSaveToDisk();
       return existing;
     }
+    if (this.#accounts.length >= MAX_ACCOUNTS) return null;
     const now = Date.now();
-    const account = {
+    const account = createManagedAccount({
       id: `${now}:${refreshToken2.slice(0, 12)}`,
       index: this.#accounts.length,
-      email,
       refreshToken: refreshToken2,
       access: accessToken,
       expires,
       tokenUpdatedAt: now,
       addedAt: now,
-      lastUsed: 0,
-      enabled: true,
-      rateLimitResetTimes: {},
-      consecutiveFailures: 0,
-      lastFailureTime: null,
       lastSwitchReason: "initial",
-      stats: createDefaultStats(now)
-    };
+      email,
+      identity,
+      label: options?.label,
+      source: options?.source ?? "oauth"
+    });
     this.#accounts.push(account);
     if (this.#accounts.length === 1) {
       this.#currentIndex = 0;
@@ -3955,9 +4249,7 @@ var AccountManager = class _AccountManager {
   removeAccount(index) {
     if (index < 0 || index >= this.#accounts.length) return false;
     this.#accounts.splice(index, 1);
-    this.#accounts.forEach((acc, i) => {
-      acc.index = i;
-    });
+    reindexAccounts(this.#accounts);
     if (this.#accounts.length === 0) {
       this.#currentIndex = -1;
       this.#cursor = 0;
@@ -3969,9 +4261,7 @@ var AccountManager = class _AccountManager {
         this.#cursor = Math.min(this.#cursor, this.#accounts.length);
       }
     }
-    for (let i = 0; i < this.#accounts.length; i++) {
-      this.#healthTracker.reset(i);
-    }
+    this.#rebuildTrackers();
     this.requestSaveToDisk();
     return true;
   }
@@ -4001,7 +4291,10 @@ var AccountManager = class _AccountManager {
     if (this.#saveTimeout) clearTimeout(this.#saveTimeout);
     this.#saveTimeout = setTimeout(() => {
       this.#saveTimeout = null;
-      this.saveToDisk().catch(() => {
+      this.saveToDisk().catch((err) => {
+        if (this.#config.debug) {
+          console.error("[opencode-anthropic-auth] saveToDisk failed:", err.message);
+        }
       });
     }, 1e3);
   }
@@ -4014,9 +4307,11 @@ var AccountManager = class _AccountManager {
     let diskAccountsById = null;
     let diskAccountsByAddedAt = null;
     let diskAccountsByRefreshToken = null;
+    let diskAccounts = [];
     try {
       const diskData = await loadAccounts();
       if (diskData) {
+        diskAccounts = diskData.accounts;
         diskAccountsById = new Map(diskData.accounts.map((a) => [a.id, a]));
         diskAccountsByAddedAt = /* @__PURE__ */ new Map();
         diskAccountsByRefreshToken = /* @__PURE__ */ new Map();
@@ -4032,6 +4327,8 @@ var AccountManager = class _AccountManager {
     const findDiskAccount = (account) => {
       const byId = diskAccountsById?.get(account.id);
       if (byId) return byId;
+      const byIdentity = findByIdentity(diskAccounts, resolveIdentity(account));
+      if (byIdentity) return byIdentity;
       const byAddedAt = diskAccountsByAddedAt?.get(account.addedAt);
       if (byAddedAt?.length === 1) return byAddedAt[0];
       const byToken = diskAccountsByRefreshToken?.get(account.refreshToken);
@@ -4039,70 +4336,82 @@ var AccountManager = class _AccountManager {
       if (byAddedAt && byAddedAt.length > 0) return byAddedAt[0];
       return null;
     };
+    const matchedDiskAccounts = /* @__PURE__ */ new Set();
+    const activeAccountId = this.#accounts[this.#currentIndex]?.id ?? null;
+    const accountsToPersist = this.#accounts.filter((account) => account.enabled || !!findDiskAccount(account));
+    const persistedAccounts = accountsToPersist.map((acc) => {
+      const delta = this.#statsDeltas.get(acc.id);
+      let mergedStats = acc.stats;
+      const diskAcc = findDiskAccount(acc);
+      if (diskAcc) {
+        matchedDiskAccounts.add(diskAcc);
+      }
+      if (delta) {
+        const diskStats = diskAcc?.stats;
+        if (delta.isReset) {
+          mergedStats = {
+            requests: delta.requests,
+            inputTokens: delta.inputTokens,
+            outputTokens: delta.outputTokens,
+            cacheReadTokens: delta.cacheReadTokens,
+            cacheWriteTokens: delta.cacheWriteTokens,
+            lastReset: delta.resetTimestamp ?? acc.stats.lastReset
+          };
+        } else if (diskStats) {
+          mergedStats = {
+            requests: diskStats.requests + delta.requests,
+            inputTokens: diskStats.inputTokens + delta.inputTokens,
+            outputTokens: diskStats.outputTokens + delta.outputTokens,
+            cacheReadTokens: diskStats.cacheReadTokens + delta.cacheReadTokens,
+            cacheWriteTokens: diskStats.cacheWriteTokens + delta.cacheWriteTokens,
+            lastReset: diskStats.lastReset
+          };
+        }
+      }
+      const memTokenUpdatedAt = acc.tokenUpdatedAt || 0;
+      const diskTokenUpdatedAt = diskAcc?.token_updated_at || 0;
+      const freshestAuth = diskAcc && diskTokenUpdatedAt > memTokenUpdatedAt ? {
+        refreshToken: diskAcc.refreshToken,
+        access: diskAcc.access,
+        expires: diskAcc.expires,
+        tokenUpdatedAt: diskTokenUpdatedAt
+      } : {
+        refreshToken: acc.refreshToken,
+        access: acc.access,
+        expires: acc.expires,
+        tokenUpdatedAt: memTokenUpdatedAt
+      };
+      acc.refreshToken = freshestAuth.refreshToken;
+      acc.access = freshestAuth.access;
+      acc.expires = freshestAuth.expires;
+      acc.tokenUpdatedAt = freshestAuth.tokenUpdatedAt;
+      return {
+        id: acc.id,
+        email: acc.email,
+        identity: acc.identity,
+        label: acc.label,
+        refreshToken: freshestAuth.refreshToken,
+        access: freshestAuth.access,
+        expires: freshestAuth.expires,
+        token_updated_at: freshestAuth.tokenUpdatedAt,
+        addedAt: acc.addedAt,
+        lastUsed: acc.lastUsed,
+        enabled: acc.enabled,
+        rateLimitResetTimes: Object.keys(acc.rateLimitResetTimes).length > 0 ? acc.rateLimitResetTimes : {},
+        consecutiveFailures: acc.consecutiveFailures,
+        lastFailureTime: acc.lastFailureTime,
+        lastSwitchReason: acc.lastSwitchReason,
+        stats: mergedStats,
+        source: acc.source
+      };
+    });
+    const diskOnlyAccounts = diskAccounts.filter((account) => !matchedDiskAccounts.has(account));
+    const allAccounts = accountsToPersist.length > 0 ? [...persistedAccounts, ...diskOnlyAccounts] : persistedAccounts;
+    const resolvedActiveIndex = activeAccountId ? allAccounts.findIndex((account) => account.id === activeAccountId) : -1;
     const storage = {
       version: 1,
-      accounts: this.#accounts.map((acc) => {
-        const delta = this.#statsDeltas.get(acc.id);
-        let mergedStats = acc.stats;
-        const diskAcc = findDiskAccount(acc);
-        if (delta) {
-          const diskStats = diskAcc?.stats;
-          if (delta.isReset) {
-            mergedStats = {
-              requests: delta.requests,
-              inputTokens: delta.inputTokens,
-              outputTokens: delta.outputTokens,
-              cacheReadTokens: delta.cacheReadTokens,
-              cacheWriteTokens: delta.cacheWriteTokens,
-              lastReset: delta.resetTimestamp ?? acc.stats.lastReset
-            };
-          } else if (diskStats) {
-            mergedStats = {
-              requests: diskStats.requests + delta.requests,
-              inputTokens: diskStats.inputTokens + delta.inputTokens,
-              outputTokens: diskStats.outputTokens + delta.outputTokens,
-              cacheReadTokens: diskStats.cacheReadTokens + delta.cacheReadTokens,
-              cacheWriteTokens: diskStats.cacheWriteTokens + delta.cacheWriteTokens,
-              lastReset: diskStats.lastReset
-            };
-          }
-        }
-        const memTokenUpdatedAt = acc.tokenUpdatedAt || 0;
-        const diskTokenUpdatedAt = diskAcc?.token_updated_at || 0;
-        const freshestAuth = diskAcc && diskTokenUpdatedAt > memTokenUpdatedAt ? {
-          refreshToken: diskAcc.refreshToken,
-          access: diskAcc.access,
-          expires: diskAcc.expires,
-          tokenUpdatedAt: diskTokenUpdatedAt
-        } : {
-          refreshToken: acc.refreshToken,
-          access: acc.access,
-          expires: acc.expires,
-          tokenUpdatedAt: memTokenUpdatedAt
-        };
-        acc.refreshToken = freshestAuth.refreshToken;
-        acc.access = freshestAuth.access;
-        acc.expires = freshestAuth.expires;
-        acc.tokenUpdatedAt = freshestAuth.tokenUpdatedAt;
-        return {
-          id: acc.id,
-          email: acc.email,
-          refreshToken: freshestAuth.refreshToken,
-          access: freshestAuth.access,
-          expires: freshestAuth.expires,
-          token_updated_at: freshestAuth.tokenUpdatedAt,
-          addedAt: acc.addedAt,
-          lastUsed: acc.lastUsed,
-          enabled: acc.enabled,
-          rateLimitResetTimes: Object.keys(acc.rateLimitResetTimes).length > 0 ? acc.rateLimitResetTimes : {},
-          consecutiveFailures: acc.consecutiveFailures,
-          lastFailureTime: acc.lastFailureTime,
-          lastSwitchReason: acc.lastSwitchReason,
-          stats: mergedStats,
-          source: acc.source
-        };
-      }),
-      activeIndex: Math.max(0, this.#currentIndex)
+      accounts: allAccounts,
+      activeIndex: resolvedActiveIndex >= 0 ? resolvedActiveIndex : allAccounts.length > 0 ? Math.max(0, Math.min(this.#currentIndex, allAccounts.length - 1)) : 0
     };
     await saveAccounts(storage);
     this.#statsDeltas.clear();
@@ -4119,57 +4428,92 @@ var AccountManager = class _AccountManager {
   async syncActiveIndexFromDisk() {
     const stored = await loadAccounts();
     if (!stored) return;
-    const existingByTokenForSnapshot = new Map(this.#accounts.map((acc) => [acc.refreshToken, acc]));
-    const memSnapshot = this.#accounts.map((acc) => `${acc.id}:${acc.refreshToken}:${acc.enabled ? 1 : 0}`).join("|");
-    const diskSnapshot = stored.accounts.map((acc) => {
-      const resolvedId = acc.id || existingByTokenForSnapshot.get(acc.refreshToken)?.id || acc.refreshToken;
-      return `${resolvedId}:${acc.refreshToken}:${acc.enabled ? 1 : 0}`;
-    }).join("|");
-    if (diskSnapshot !== memSnapshot) {
-      const existingById = new Map(this.#accounts.map((acc) => [acc.id, acc]));
-      const existingByToken = new Map(this.#accounts.map((acc) => [acc.refreshToken, acc]));
-      this.#accounts = stored.accounts.map((acc, index) => {
-        const existing = acc.id && existingById.get(acc.id) || (!acc.id ? existingByToken.get(acc.refreshToken) : null);
-        return {
-          id: acc.id || existing?.id || `${acc.addedAt}:${acc.refreshToken.slice(0, 12)}`,
-          index,
-          email: acc.email ?? existing?.email,
-          refreshToken: acc.refreshToken,
-          access: acc.access ?? existing?.access,
-          expires: acc.expires ?? existing?.expires,
-          tokenUpdatedAt: acc.token_updated_at ?? existing?.tokenUpdatedAt ?? acc.addedAt,
-          addedAt: acc.addedAt,
-          lastUsed: acc.lastUsed,
-          enabled: acc.enabled,
-          rateLimitResetTimes: acc.rateLimitResetTimes,
-          consecutiveFailures: acc.consecutiveFailures,
-          lastFailureTime: acc.lastFailureTime,
-          lastSwitchReason: acc.lastSwitchReason || existing?.lastSwitchReason || "initial",
-          stats: acc.stats ?? existing?.stats ?? createDefaultStats()
-        };
+    const matchedAccounts = /* @__PURE__ */ new Set();
+    const reconciledAccounts = [];
+    let structuralChange = false;
+    for (const [index, storedAccount] of stored.accounts.entries()) {
+      const existing = findMatchingAccount(this.#accounts, {
+        id: storedAccount.id,
+        identity: resolveIdentity(storedAccount),
+        refreshToken: storedAccount.refreshToken
       });
-      this.#healthTracker = new HealthScoreTracker(this.#config.health_score);
-      this.#tokenTracker = new TokenBucketTracker(this.#config.token_bucket);
-      const currentIds = new Set(this.#accounts.map((a) => a.id));
-      for (const id of this.#statsDeltas.keys()) {
-        if (!currentIds.has(id)) this.#statsDeltas.delete(id);
-      }
-      if (this.#accounts.length === 0) {
-        this.#currentIndex = -1;
-        this.#cursor = 0;
-        return;
+      if (existing) {
+        updateManagedAccountFromStorage(existing, storedAccount, index);
+        matchedAccounts.add(existing);
+        reconciledAccounts.push(existing);
+        continue;
+      }
+      const addedAccount = createManagedAccount({
+        id: storedAccount.id,
+        index,
+        email: storedAccount.email,
+        identity: storedAccount.identity,
+        label: storedAccount.label,
+        refreshToken: storedAccount.refreshToken,
+        access: storedAccount.access,
+        expires: storedAccount.expires,
+        tokenUpdatedAt: storedAccount.token_updated_at,
+        addedAt: storedAccount.addedAt,
+        lastUsed: storedAccount.lastUsed,
+        enabled: storedAccount.enabled,
+        rateLimitResetTimes: storedAccount.rateLimitResetTimes,
+        consecutiveFailures: storedAccount.consecutiveFailures,
+        lastFailureTime: storedAccount.lastFailureTime,
+        lastSwitchReason: storedAccount.lastSwitchReason,
+        stats: storedAccount.stats,
+        source: storedAccount.source || "oauth"
+      });
+      matchedAccounts.add(addedAccount);
+      reconciledAccounts.push(addedAccount);
+      structuralChange = true;
+    }
+    for (const account of this.#accounts) {
+      if (matchedAccounts.has(account)) {
+        continue;
       }
+      if (account.enabled) {
+        account.enabled = false;
+        structuralChange = true;
+      }
+      reconciledAccounts.push(account);
+    }
+    const orderChanged = reconciledAccounts.length !== this.#accounts.length || reconciledAccounts.some((account, index) => this.#accounts[index] !== account);
+    this.#accounts = reconciledAccounts;
+    reindexAccounts(this.#accounts);
+    if (orderChanged || structuralChange) {
+      this.#rebuildTrackers();
+    }
+    const currentIds = new Set(this.#accounts.map((account) => account.id));
+    for (const id of this.#statsDeltas.keys()) {
+      if (!currentIds.has(id)) {
+        this.#statsDeltas.delete(id);
+      }
+    }
+    const enabledAccounts = this.#accounts.filter((account) => account.enabled);
+    if (enabledAccounts.length === 0) {
+      this.#currentIndex = -1;
+      this.#cursor = 0;
+      return;
     }
-    const diskIndex = Math.min(stored.activeIndex, this.#accounts.length - 1);
-    if (diskIndex >= 0 && diskIndex !== this.#currentIndex) {
-      const diskAccount = stored.accounts[diskIndex];
-      if (!diskAccount || !diskAccount.enabled) return;
-      const account = this.#accounts[diskIndex];
-      if (account && account.enabled) {
-        this.#currentIndex = diskIndex;
-        this.#cursor = diskIndex;
-        this.#healthTracker.reset(diskIndex);
+    const diskIndex = Math.min(stored.activeIndex, stored.accounts.length - 1);
+    const diskAccount = diskIndex >= 0 ? stored.accounts[diskIndex] : void 0;
+    if (!diskAccount || !diskAccount.enabled) {
+      if (!this.#accounts[this.#currentIndex]?.enabled) {
+        const fallback = enabledAccounts[0];
+        this.#currentIndex = fallback.index;
+        this.#cursor = fallback.index;
       }
+      return;
+    }
+    const activeAccount = findMatchingAccount(this.#accounts, {
+      id: diskAccount.id,
+      identity: resolveIdentity(diskAccount),
+      refreshToken: diskAccount.refreshToken
+    });
+    if (activeAccount && activeAccount.enabled && activeAccount.index !== this.#currentIndex) {
+      this.#currentIndex = activeAccount.index;
+      this.#cursor = activeAccount.index;
+      this.#healthTracker.reset(activeAccount.index);
     }
   }
   /**
@@ -4195,6 +4539,13 @@ var AccountManager = class _AccountManager {
       delta.cacheReadTokens += crTok;
       delta.cacheWriteTokens += cwTok;
     } else {
+      if (this.#statsDeltas.size >= this.#MAX_STATS_DELTAS) {
+        this.saveToDisk().catch((err) => {
+          if (this.#config.debug) {
+            console.error("[opencode-anthropic-auth] forced statsDeltas flush failed:", err.message);
+          }
+        });
+      }
       this.#statsDeltas.set(account.id, {
         requests: 1,
         inputTokens: inTok,
@@ -4727,6 +5078,14 @@ async function completeSlashOAuth(sessionID, code, deps) {
 
 // src/commands/router.ts
 var ANTHROPIC_COMMAND_HANDLED = "__ANTHROPIC_COMMAND_HANDLED__";
+var FILE_ACCOUNT_MAP_MAX_SIZE = 1e3;
+function capFileAccountMap(fileAccountMap, fileId, accountIndex) {
+  if (fileAccountMap.size >= FILE_ACCOUNT_MAP_MAX_SIZE) {
+    const oldestKey = fileAccountMap.keys().next().value;
+    if (oldestKey !== void 0) fileAccountMap.delete(oldestKey);
+  }
+  fileAccountMap.set(fileId, accountIndex);
+}
 function stripAnsi(value) {
   return value.replace(/\x1b\[[0-9;]*m/g, "");
 }
@@ -5075,7 +5434,7 @@ HTTP ${res.status}: ${errBody}`
           }
           const data = await res.json();
           const files = data.data || [];
-          for (const f of files) fileAccountMap.set(f.id, account2.index);
+          for (const f of files) capFileAccountMap(fileAccountMap, f.id, account2.index);
           if (files.length === 0) {
             await sendCommandMessage(input.sessionID, `\u25A3 Anthropic Files [${label2}]
 
@@ -5105,7 +5464,7 @@ No files uploaded.`);
             }
             const data = await res.json();
             const files = data.data || [];
-            for (const f of files) fileAccountMap.set(f.id, acct.index);
+            for (const f of files) capFileAccountMap(fileAccountMap, f.id, acct.index);
             totalFiles += files.length;
             if (files.length === 0) {
               allLines.push(`[${label2}] No files`);
@@ -5185,7 +5544,7 @@ Upload failed (HTTP ${res.status}): ${errBody}`
         }
         const file = await res.json();
         const sizeKB = ((file.size || 0) / 1024).toFixed(1);
-        fileAccountMap.set(file.id, account.index);
+        capFileAccountMap(fileAccountMap, file.id, account.index);
         await sendCommandMessage(
           input.sessionID,
           `\u25A3 Anthropic Files [${label}]
@@ -5217,7 +5576,7 @@ HTTP ${res.status}: ${errBody}`
           return;
         }
         const file = await res.json();
-        fileAccountMap.set(file.id, account.index);
+        capFileAccountMap(fileAccountMap, file.id, account.index);
         const lines = [
           `\u25A3 Anthropic Files [${label}]`,
           "",
@@ -5585,7 +5944,7 @@ function buildAnthropicBillingHeader(claudeCliVersion, messages) {
       }
     }
   }
-  const entrypoint = process.env.CLAUDE_CODE_ENTRYPOINT || "cli";
+  const entrypoint = process.env.CLAUDE_CODE_ENTRYPOINT ?? "cli";
   let cchValue;
   if (Array.isArray(messages) && messages.length > 0) {
     const bodyHint = JSON.stringify(messages).slice(0, 512);
@@ -5655,8 +6014,9 @@ function normalizeSystemTextBlocks(system) {
 }
 
 // src/system-prompt/sanitize.ts
-function sanitizeSystemText(text) {
-  return text.replace(/OpenCode/g, "Claude Code").replace(/opencode/gi, "Claude");
+function sanitizeSystemText(text, enabled = true) {
+  if (!enabled) return text;
+  return text.replace(/\bOpenCode\b/g, "Claude Code").replace(/\bopencode\b/gi, "Claude").replace(/OhMyClaude\s*Code/gi, "Claude Code").replace(/OhMyClaudeCode/gi, "Claude Code").replace(/\bSisyphus\b/g, "Claude Code Agent").replace(/\bMorph\s+plugin\b/gi, "edit plugin").replace(/\bmorph_edit\b/g, "edit").replace(/\bmorph_/g, "").replace(/\bOhMyClaude\b/gi, "Claude");
 }
 function compactSystemText(text, mode) {
   const withoutDuplicateIdentityPrefix = text.startsWith(`${CLAUDE_CODE_IDENTITY_STRING}
@@ -5789,11 +6149,69 @@ function buildRequestMetadata(input) {
 }
 
 // src/request/body.ts
-function transformRequestBody(body, signature, runtime) {
-  if (!body || typeof body !== "string") return body;
-  const TOOL_PREFIX = "mcp_";
+var TOOL_PREFIX = "mcp_";
+function getBodyType(body) {
+  if (body === null) return "null";
+  return typeof body;
+}
+function getInvalidBodyError(body) {
+  return new TypeError(
+    `opencode-anthropic-auth: expected string body, got ${getBodyType(body)}. This plugin does not support stream bodies. Please file a bug with the OpenCode version.`
+  );
+}
+function validateBodyType(body, throwOnInvalid = false) {
+  if (body === void 0 || body === null) {
+    return false;
+  }
+  if (typeof body === "string") {
+    return true;
+  }
+  if (throwOnInvalid) {
+    throw getInvalidBodyError(body);
+  }
+  return false;
+}
+function cloneBodyForRetry(body) {
+  validateBodyType(body, true);
+  return body;
+}
+function detectDoublePrefix(name) {
+  return name.startsWith(`${TOOL_PREFIX}${TOOL_PREFIX}`);
+}
+function prefixToolDefinitionName(name) {
+  if (typeof name !== "string") {
+    return name;
+  }
+  if (detectDoublePrefix(name)) {
+    throw new TypeError(`Double tool prefix detected: ${TOOL_PREFIX}${TOOL_PREFIX}`);
+  }
+  return `${TOOL_PREFIX}${name}`;
+}
+function prefixToolUseName(name, literalToolNames, debugLog) {
+  if (typeof name !== "string") {
+    return name;
+  }
+  if (detectDoublePrefix(name)) {
+    throw new TypeError(`Double tool prefix detected in tool_use block: ${name}`);
+  }
+  if (!name.startsWith(TOOL_PREFIX)) {
+    return `${TOOL_PREFIX}${name}`;
+  }
+  if (literalToolNames.has(name)) {
+    return `${TOOL_PREFIX}${name}`;
+  }
+  debugLog?.("prevented double-prefix drift for tool_use block", { name });
+  return name;
+}
+function transformRequestBody(body, signature, runtime, relocateThirdPartyPrompts = true, debugLog) {
+  if (body === void 0 || body === null) return body;
+  validateBodyType(body, true);
   try {
     const parsed = JSON.parse(body);
+    const parsedMessages = Array.isArray(parsed.messages) ? parsed.messages : [];
+    const literalToolNames = new Set(
+      Array.isArray(parsed.tools) ? parsed.tools.map((tool) => tool.name).filter((name) => typeof name === "string") : []
+    );
     if (Object.hasOwn(parsed, "betas")) {
       delete parsed.betas;
     }
@@ -5806,8 +6224,51 @@ function transformRequestBody(body, signature, runtime) {
     } else if (!Object.hasOwn(parsed, "temperature")) {
       parsed.temperature = 1;
     }
-    parsed.system = buildSystemPromptBlocks(normalizeSystemTextBlocks(parsed.system), signature, parsed.messages);
-    if (signature.enabled) {
+    const allSystemBlocks = buildSystemPromptBlocks(
+      normalizeSystemTextBlocks(parsed.system),
+      signature,
+      parsedMessages
+    );
+    if (signature.enabled && relocateThirdPartyPrompts) {
+      const THIRD_PARTY_MARKERS = /sisyphus|ohmyclaude|oh\s*my\s*claude|morph[_ ]|\.sisyphus\/|ultrawork|autopilot mode|\bohmy\b|SwarmMode|\bomc\b|\bomo\b/i;
+      const ccBlocks = [];
+      const extraBlocks = [];
+      for (const block of allSystemBlocks) {
+        const isBilling = block.text.startsWith("x-anthropic-billing-header:");
+        const isIdentity = block.text === CLAUDE_CODE_IDENTITY_STRING || KNOWN_IDENTITY_STRINGS.has(block.text);
+        const hasThirdParty = THIRD_PARTY_MARKERS.test(block.text);
+        if (isBilling || isIdentity || !hasThirdParty) {
+          ccBlocks.push(block);
+        } else {
+          extraBlocks.push(block);
+        }
+      }
+      parsed.system = ccBlocks;
+      if (extraBlocks.length > 0 && Array.isArray(parsed.messages) && parsed.messages.length > 0) {
+        const extraText = extraBlocks.map((b) => b.text).join("\n\n");
+        const wrapped = `<system-instructions>
+${extraText}
+</system-instructions>`;
+        const firstMsg = parsed.messages[0];
+        if (firstMsg && firstMsg.role === "user") {
+          if (typeof firstMsg.content === "string") {
+            firstMsg.content = `${wrapped}
+
+${firstMsg.content}`;
+          } else if (Array.isArray(firstMsg.content)) {
+            firstMsg.content.unshift({ type: "text", text: wrapped });
+          }
+        } else {
+          parsed.messages.unshift({
+            role: "user",
+            content: wrapped
+          });
+        }
+      }
+    } else {
+      parsed.system = allSystemBlocks;
+    }
+    if (signature.enabled) {
       const currentMetadata = parsed.metadata && typeof parsed.metadata === "object" && !Array.isArray(parsed.metadata) ? parsed.metadata : {};
       parsed.metadata = {
         ...currentMetadata,
@@ -5821,7 +6282,7 @@ function transformRequestBody(body, signature, runtime) {
     if (parsed.tools && Array.isArray(parsed.tools)) {
       parsed.tools = parsed.tools.map((tool) => ({
         ...tool,
-        name: tool.name ? `${TOOL_PREFIX}${tool.name}` : tool.name
+        name: prefixToolDefinitionName(tool.name)
       }));
     }
     if (parsed.messages && Array.isArray(parsed.messages)) {
@@ -5831,7 +6292,7 @@ function transformRequestBody(body, signature, runtime) {
             if (block.type === "tool_use" && block.name) {
               return {
                 ...block,
-                name: `${TOOL_PREFIX}${block.name}`
+                name: prefixToolUseName(block.name, literalToolNames, debugLog)
               };
             }
             return block;
@@ -5841,8 +6302,12 @@ function transformRequestBody(body, signature, runtime) {
       });
     }
     return JSON.stringify(parsed);
-  } catch {
-    return body;
+  } catch (err) {
+    if (err instanceof SyntaxError) {
+      debugLog?.("body parse failed:", err.message);
+      return body;
+    }
+    throw err;
   }
 }
 
@@ -5904,50 +6369,71 @@ function transformRequestUrl(input) {
 }
 
 // src/response/mcp.ts
-function stripMcpPrefixFromSSE(text) {
-  return text.replace(/^data:\s*(.+)$/gm, (_match, jsonStr) => {
-    try {
-      const parsed = JSON.parse(jsonStr);
-      if (stripMcpPrefixFromParsedEvent(parsed)) {
-        return `data: ${JSON.stringify(parsed)}`;
-      }
-    } catch {
-    }
-    return _match;
-  });
+function stripMcpPrefixFromToolUseBlock(block) {
+  if (!block || typeof block !== "object") return false;
+  const parsedBlock = block;
+  if (parsedBlock.type !== "tool_use" || typeof parsedBlock.name !== "string") {
+    return false;
+  }
+  if (!parsedBlock.name.startsWith("mcp_")) {
+    return false;
+  }
+  parsedBlock.name = parsedBlock.name.slice(4);
+  return true;
+}
+function stripMcpPrefixFromContentBlocks(content) {
+  if (!Array.isArray(content)) return false;
+  let modified = false;
+  for (const block of content) {
+    modified = stripMcpPrefixFromToolUseBlock(block) || modified;
+  }
+  return modified;
+}
+function stripMcpPrefixFromMessages(messages) {
+  if (!Array.isArray(messages)) return false;
+  let modified = false;
+  for (const message of messages) {
+    if (!message || typeof message !== "object") continue;
+    modified = stripMcpPrefixFromContentBlocks(message.content) || modified;
+  }
+  return modified;
 }
 function stripMcpPrefixFromParsedEvent(parsed) {
   if (!parsed || typeof parsed !== "object") return false;
   const p2 = parsed;
   let modified = false;
-  if (p2.content_block && typeof p2.content_block === "object" && p2.content_block.type === "tool_use" && typeof p2.content_block.name === "string" && p2.content_block.name.startsWith("mcp_")) {
-    p2.content_block.name = p2.content_block.name.slice(4);
-    modified = true;
+  modified = stripMcpPrefixFromToolUseBlock(p2.content_block) || modified;
+  if (p2.message && typeof p2.message === "object") {
+    modified = stripMcpPrefixFromContentBlocks(p2.message.content) || modified;
   }
-  if (p2.message && Array.isArray(p2.message.content)) {
-    for (const block of p2.message.content) {
-      if (!block || typeof block !== "object") continue;
-      const b = block;
-      if (b.type === "tool_use" && typeof b.name === "string" && b.name.startsWith("mcp_")) {
-        b.name = b.name.slice(4);
-        modified = true;
-      }
-    }
-  }
-  if (Array.isArray(p2.content)) {
-    for (const block of p2.content) {
-      if (!block || typeof block !== "object") continue;
-      const b = block;
-      if (b.type === "tool_use" && typeof b.name === "string" && b.name.startsWith("mcp_")) {
-        b.name = b.name.slice(4);
-        modified = true;
-      }
+  modified = stripMcpPrefixFromContentBlocks(p2.content) || modified;
+  return modified;
+}
+function stripMcpPrefixFromJsonBody(body) {
+  try {
+    const parsed = JSON.parse(body);
+    let modified = false;
+    modified = stripMcpPrefixFromContentBlocks(parsed.content) || modified;
+    modified = stripMcpPrefixFromMessages(parsed.messages) || modified;
+    if (parsed.message && typeof parsed.message === "object") {
+      modified = stripMcpPrefixFromContentBlocks(parsed.message.content) || modified;
     }
+    return modified ? JSON.stringify(parsed) : body;
+  } catch {
+    return body;
   }
-  return modified;
 }
 
 // src/response/streaming.ts
+var MAX_UNTERMINATED_SSE_BUFFER = 256 * 1024;
+var StreamTruncatedError = class extends Error {
+  context;
+  constructor(message, context = {}) {
+    super(message);
+    this.name = "StreamTruncatedError";
+    this.context = context;
+  }
+};
 function extractUsageFromSSEEvent(parsed, stats) {
   const p2 = parsed;
   if (!p2) return;
@@ -5987,6 +6473,187 @@ function getSSEDataPayload(eventBlock) {
   if (!payload || payload === "[DONE]") return null;
   return payload;
 }
+function getSSEEventType(eventBlock) {
+  for (const line of eventBlock.split("\n")) {
+    if (!line.startsWith("event:")) continue;
+    const eventType = line.slice(6).trimStart();
+    if (eventType) return eventType;
+  }
+  return null;
+}
+function formatSSEEventBlock(eventType, parsed, prettyPrint) {
+  const json = prettyPrint ? JSON.stringify(parsed, null, 2) : JSON.stringify(parsed);
+  const lines = [`event: ${eventType}`];
+  for (const line of json.split("\n")) {
+    lines.push(`data: ${line}`);
+  }
+  lines.push("", "");
+  return lines.join("\n");
+}
+function hasRecordedUsage(stats) {
+  return stats.inputTokens > 0 || stats.outputTokens > 0 || stats.cacheReadTokens > 0 || stats.cacheWriteTokens > 0;
+}
+function getErrorMessage(parsed) {
+  if (!parsed || typeof parsed !== "object") {
+    return "stream terminated with error event";
+  }
+  const error = parsed.error;
+  if (!error || typeof error !== "object") {
+    return "stream terminated with error event";
+  }
+  const message = error.message;
+  return typeof message === "string" && message ? message : "stream terminated with error event";
+}
+function getEventIndex(parsed, eventType) {
+  const index = parsed.index;
+  if (typeof index !== "number") {
+    throw new Error(`invalid SSE ${eventType} event: missing numeric index`);
+  }
+  return index;
+}
+function getEventLabel(parsed, eventType) {
+  switch (eventType) {
+    case "content_block_start": {
+      const contentBlock = parsed.content_block;
+      const blockType = contentBlock && typeof contentBlock === "object" ? contentBlock.type : void 0;
+      return typeof blockType === "string" && blockType ? `content_block_start(${blockType})` : eventType;
+    }
+    case "content_block_delta": {
+      const delta = parsed.delta;
+      const deltaType = delta && typeof delta === "object" ? delta.type : void 0;
+      return typeof deltaType === "string" && deltaType ? `content_block_delta(${deltaType})` : eventType;
+    }
+    default:
+      return eventType;
+  }
+}
+function getOpenBlockContext(openContentBlocks) {
+  for (const [index2, blockState2] of openContentBlocks) {
+    if (blockState2.type === "tool_use") {
+      return {
+        inFlightEvent: blockState2.partialJson ? "content_block_delta(input_json_delta)" : "content_block_start(tool_use)",
+        openContentBlockIndex: index2,
+        hasPartialJson: blockState2.partialJson.length > 0
+      };
+    }
+  }
+  const firstOpenBlock = openContentBlocks.entries().next().value;
+  if (!firstOpenBlock) {
+    return null;
+  }
+  const [index, blockState] = firstOpenBlock;
+  return {
+    inFlightEvent: `content_block_start(${blockState.type})`,
+    openContentBlockIndex: index,
+    hasPartialJson: blockState.partialJson.length > 0
+  };
+}
+function createStreamTruncatedError(context = {}) {
+  return new StreamTruncatedError("Stream truncated without message_stop", context);
+}
+function getBufferedEventContext(eventBlock, lastEventType) {
+  const context = {
+    lastEventType: lastEventType ?? void 0
+  };
+  const payload = getSSEDataPayload(eventBlock);
+  if (!payload) {
+    return context;
+  }
+  try {
+    const parsed = JSON.parse(payload);
+    const eventType = getSSEEventType(eventBlock) ?? (typeof parsed.type === "string" ? parsed.type : null);
+    if (eventType) {
+      context.inFlightEvent = getEventLabel(parsed, eventType);
+    }
+  } catch {
+  }
+  return context;
+}
+function validateEventState(parsed, eventType, openContentBlocks) {
+  switch (eventType) {
+    case "content_block_start": {
+      const index = getEventIndex(parsed, eventType);
+      const contentBlock = parsed.content_block;
+      if (!contentBlock || typeof contentBlock !== "object") {
+        throw new Error("invalid SSE content_block_start event: missing content_block");
+      }
+      if (openContentBlocks.has(index)) {
+        throw new Error(`duplicate content_block_start for index ${index}`);
+      }
+      const blockType = contentBlock.type;
+      if (typeof blockType !== "string" || !blockType) {
+        throw new Error("invalid SSE content_block_start event: missing content_block.type");
+      }
+      openContentBlocks.set(index, {
+        type: blockType,
+        partialJson: ""
+      });
+      return;
+    }
+    case "content_block_delta": {
+      const index = getEventIndex(parsed, eventType);
+      const blockState = openContentBlocks.get(index);
+      if (!blockState) {
+        throw new Error(`orphan content_block_delta for index ${index}`);
+      }
+      const delta = parsed.delta;
+      if (!delta || typeof delta !== "object") {
+        throw new Error("invalid SSE content_block_delta event: missing delta");
+      }
+      const deltaType = delta.type;
+      if (deltaType === "input_json_delta") {
+        if (blockState.type !== "tool_use") {
+          throw new Error(`orphan input_json_delta for non-tool_use block ${index}`);
+        }
+        const partialJson = delta.partial_json;
+        if (typeof partialJson !== "string") {
+          throw new Error("invalid SSE content_block_delta event: missing delta.partial_json");
+        }
+        blockState.partialJson += partialJson;
+      }
+      return;
+    }
+    case "content_block_stop": {
+      const index = getEventIndex(parsed, eventType);
+      const blockState = openContentBlocks.get(index);
+      if (!blockState) {
+        throw new Error(`orphan content_block_stop for index ${index}`);
+      }
+      if (blockState.type === "tool_use" && blockState.partialJson) {
+        try {
+          JSON.parse(blockState.partialJson);
+        } catch {
+          throw new Error(`incomplete tool_use partial_json for index ${index}`);
+        }
+      }
+      openContentBlocks.delete(index);
+      return;
+    }
+    default:
+      return;
+  }
+}
+function getOpenBlockError(openContentBlocks) {
+  const openBlockContext = getOpenBlockContext(openContentBlocks);
+  return openBlockContext ? createStreamTruncatedError(openBlockContext) : null;
+}
+function getMessageStopBlockError(openContentBlocks) {
+  for (const [index, blockState] of openContentBlocks) {
+    if (blockState.partialJson) {
+      return new Error(`incomplete tool_use partial_json for index ${index}`);
+    }
+  }
+  return null;
+}
+function normalizeChunk(text) {
+  return text.replace(/\r\n/g, "\n").replace(/\r/g, "\n");
+}
+function toStreamError(error) {
+  if (error instanceof Error) {
+    return error;
+  }
+  return new Error(String(error));
+}
 function getMidStreamAccountError(parsed) {
   const p2 = parsed;
   if (!p2 || p2.type !== "error" || !p2.error) {
@@ -6008,12 +6675,11 @@ function getMidStreamAccountError(parsed) {
     invalidateToken: reason === "AUTH_FAILED"
   };
 }
-function transformResponse(response, onUsage, onAccountError) {
-  if (!response.body) return response;
+function transformResponse(response, onUsage, onAccountError, onStreamError) {
+  if (!response.body || !isEventStreamResponse(response)) return response;
   const reader = response.body.getReader();
-  const decoder = new TextDecoder();
+  const decoder = new TextDecoder("utf-8", { fatal: true });
   const encoder = new TextEncoder();
-  const EMPTY_CHUNK = new Uint8Array();
   const stats = {
     inputTokens: 0,
     outputTokens: 0,
@@ -6021,82 +6687,145 @@ function transformResponse(response, onUsage, onAccountError) {
     cacheWriteTokens: 0
   };
   let sseBuffer = "";
-  let sseRewriteBuffer = "";
   let accountErrorHandled = false;
-  function processSSEBuffer(flush = false) {
+  let hasSeenMessageStop = false;
+  let hasSeenError = false;
+  let lastEventType = null;
+  const strictEventValidation = !onUsage && !onAccountError;
+  const openContentBlocks = /* @__PURE__ */ new Map();
+  function enqueueNormalizedEvent(controller, eventBlock) {
+    const payload = getSSEDataPayload(eventBlock);
+    if (!payload) {
+      return;
+    }
+    let parsed;
+    try {
+      parsed = JSON.parse(payload);
+    } catch {
+      throw new Error("invalid SSE event: malformed JSON payload");
+    }
+    const eventType = getSSEEventType(eventBlock) ?? parsed?.type;
+    if (typeof eventType !== "string" || !eventType) {
+      throw new Error("invalid SSE event: missing event type");
+    }
+    const parsedRecord = parsed;
+    lastEventType = getEventLabel(parsedRecord, eventType);
+    if (strictEventValidation) {
+      validateEventState(parsedRecord, eventType, openContentBlocks);
+    }
+    stripMcpPrefixFromParsedEvent(parsedRecord);
+    if (onUsage) {
+      extractUsageFromSSEEvent(parsedRecord, stats);
+    }
+    if (onAccountError && !accountErrorHandled) {
+      const details = getMidStreamAccountError(parsedRecord);
+      if (details) {
+        accountErrorHandled = true;
+        onAccountError(details);
+      }
+    }
+    if (eventType === "message_stop") {
+      if (strictEventValidation) {
+        const openBlockError = getMessageStopBlockError(openContentBlocks);
+        if (openBlockError) {
+          throw openBlockError;
+        }
+        openContentBlocks.clear();
+      }
+      hasSeenMessageStop = true;
+    }
+    if (eventType === "error") {
+      hasSeenError = true;
+    }
+    controller.enqueue(encoder.encode(formatSSEEventBlock(eventType, parsedRecord, strictEventValidation)));
+    if (eventType === "error" && strictEventValidation) {
+      throw new Error(getErrorMessage(parsedRecord));
+    }
+  }
+  function processBufferedEvents(controller) {
+    let emitted = false;
     while (true) {
       const boundary = sseBuffer.indexOf("\n\n");
       if (boundary === -1) {
-        if (!flush) return;
-        if (!sseBuffer.trim()) {
-          sseBuffer = "";
-          return;
+        if (sseBuffer.length > MAX_UNTERMINATED_SSE_BUFFER) {
+          throw new Error("unterminated SSE event buffer exceeded limit");
         }
+        return emitted;
       }
-      const eventBlock = boundary === -1 ? sseBuffer : sseBuffer.slice(0, boundary);
-      sseBuffer = boundary === -1 ? "" : sseBuffer.slice(boundary + 2);
-      const payload = getSSEDataPayload(eventBlock);
-      if (!payload) {
-        if (boundary === -1) return;
+      const eventBlock = sseBuffer.slice(0, boundary);
+      sseBuffer = sseBuffer.slice(boundary + 2);
+      if (!eventBlock.trim()) {
         continue;
       }
+      enqueueNormalizedEvent(controller, eventBlock);
+      emitted = true;
+    }
+  }
+  async function failStream(controller, error) {
+    const streamError = toStreamError(error);
+    if (onStreamError) {
       try {
-        const parsed = JSON.parse(payload);
-        if (onUsage) {
-          extractUsageFromSSEEvent(parsed, stats);
-        }
-        if (onAccountError && !accountErrorHandled) {
-          const details = getMidStreamAccountError(parsed);
-          if (details) {
-            accountErrorHandled = true;
-            onAccountError(details);
-          }
-        }
+        onStreamError(streamError);
       } catch {
       }
-      if (boundary === -1) return;
     }
-  }
-  function rewriteSSEChunk(chunk, flush = false) {
-    sseRewriteBuffer += chunk;
-    if (!flush) {
-      const boundary = sseRewriteBuffer.lastIndexOf("\n");
-      if (boundary === -1) return "";
-      const complete = sseRewriteBuffer.slice(0, boundary + 1);
-      sseRewriteBuffer = sseRewriteBuffer.slice(boundary + 1);
-      return stripMcpPrefixFromSSE(complete);
+    try {
+      await reader.cancel(streamError);
+    } catch {
     }
-    if (!sseRewriteBuffer) return "";
-    const finalText = stripMcpPrefixFromSSE(sseRewriteBuffer);
-    sseRewriteBuffer = "";
-    return finalText;
+    controller.error(streamError);
   }
   const stream = new ReadableStream({
     async pull(controller) {
-      const { done, value } = await reader.read();
-      if (done) {
-        processSSEBuffer(true);
-        const rewrittenTail = rewriteSSEChunk("", true);
-        if (rewrittenTail) {
-          controller.enqueue(encoder.encode(rewrittenTail));
-        }
-        if (onUsage && (stats.inputTokens > 0 || stats.outputTokens > 0 || stats.cacheReadTokens > 0 || stats.cacheWriteTokens > 0)) {
-          onUsage(stats);
+      try {
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) {
+            const flushedText = decoder.decode();
+            if (flushedText) {
+              sseBuffer += normalizeChunk(flushedText);
+              processBufferedEvents(controller);
+            }
+            if (sseBuffer.trim()) {
+              if (strictEventValidation) {
+                throw createStreamTruncatedError(getBufferedEventContext(sseBuffer, lastEventType));
+              }
+              enqueueNormalizedEvent(controller, sseBuffer);
+              sseBuffer = "";
+            }
+            if (strictEventValidation) {
+              const openBlockError = getOpenBlockError(openContentBlocks);
+              if (openBlockError) {
+                throw openBlockError;
+              }
+              if (!hasSeenMessageStop && !hasSeenError) {
+                throw createStreamTruncatedError({
+                  inFlightEvent: lastEventType ?? void 0,
+                  lastEventType: lastEventType ?? void 0
+                });
+              }
+            }
+            if (onUsage && hasRecordedUsage(stats)) {
+              onUsage(stats);
+            }
+            controller.close();
+            return;
+          }
+          const text = decoder.decode(value, { stream: true });
+          if (!text) {
+            continue;
+          }
+          sseBuffer += normalizeChunk(text);
+          if (processBufferedEvents(controller)) {
+            return;
+          }
         }
-        controller.close();
-        return;
-      }
-      const text = decoder.decode(value, { stream: true });
-      if (onUsage || onAccountError) {
-        sseBuffer += text.replace(/\r\n/g, "\n");
-        processSSEBuffer(false);
-      }
-      const rewrittenText = rewriteSSEChunk(text, false);
-      if (rewrittenText) {
-        controller.enqueue(encoder.encode(rewrittenText));
-      } else {
-        controller.enqueue(EMPTY_CHUNK);
+      } catch (error) {
+        await failStream(controller, error);
       }
+    },
+    cancel(reason) {
+      return reader.cancel(reason);
     }
   });
   return new Response(stream, {
@@ -6111,6 +6840,7 @@ function isEventStreamResponse(response) {
 }
 
 // src/index.ts
+init_account_identity();
 init_storage();
 
 // src/token-refresh.ts
@@ -6122,9 +6852,9 @@ init_storage();
 import { createHash as createHash3, randomBytes as randomBytes4 } from "node:crypto";
 import { promises as fs2 } from "node:fs";
 import { dirname as dirname3, join as join5 } from "node:path";
-var DEFAULT_LOCK_TIMEOUT_MS = 2e3;
+var DEFAULT_LOCK_TIMEOUT_MS = 15e3;
 var DEFAULT_LOCK_BACKOFF_MS = 50;
-var DEFAULT_STALE_LOCK_MS = 2e4;
+var DEFAULT_STALE_LOCK_MS = 9e4;
 function delay(ms) {
   return new Promise((resolve2) => setTimeout(resolve2, ms));
 }
@@ -6229,16 +6959,19 @@ function applyDiskAuthIfFresher(account, diskAuth, options = {}) {
   if (!diskAuth) return false;
   const diskTokenUpdatedAt = diskAuth.tokenUpdatedAt || 0;
   const memTokenUpdatedAt = account.tokenUpdatedAt || 0;
-  const diskHasDifferentAuth = diskAuth.refreshToken !== account.refreshToken || diskAuth.access !== account.access;
+  const diskIsNewer = diskTokenUpdatedAt > memTokenUpdatedAt;
+  const diskHasDifferentRefreshToken = diskAuth.refreshToken !== account.refreshToken;
   const memAuthExpired = !account.expires || account.expires <= Date.now();
   const allowExpiredFallback = options.allowExpiredFallback === true;
-  if (diskTokenUpdatedAt <= memTokenUpdatedAt && !(allowExpiredFallback && diskHasDifferentAuth && memAuthExpired)) {
+  if (!diskIsNewer && !(allowExpiredFallback && diskHasDifferentRefreshToken && memAuthExpired)) {
     return false;
   }
   account.refreshToken = diskAuth.refreshToken;
   account.access = diskAuth.access;
   account.expires = diskAuth.expires;
-  account.tokenUpdatedAt = Math.max(memTokenUpdatedAt, diskTokenUpdatedAt);
+  if (diskIsNewer) {
+    account.tokenUpdatedAt = diskTokenUpdatedAt;
+  }
   return true;
 }
 function claudeBinaryPath() {
@@ -6304,11 +7037,9 @@ async function refreshCCAccount(account) {
   markTokenStateUpdated(account);
   return refreshedCredential.accessToken;
 }
-async function refreshAccountToken(account, client, source = "foreground", { onTokensUpdated } = {}) {
+async function refreshAccountToken(account, client, source = "foreground", { onTokensUpdated, debugLog } = {}) {
   const lockResult = await acquireRefreshLock(account.id, {
-    timeoutMs: 2e3,
-    backoffMs: 60,
-    staleMs: 2e4
+    backoffMs: 60
   });
   const lock = lockResult && typeof lockResult === "object" ? lockResult : {
     acquired: true,
@@ -6336,7 +7067,9 @@ async function refreshAccountToken(account, client, source = "foreground", { onT
       const accessToken = await refreshCCAccount(account);
       if (accessToken) {
         if (onTokensUpdated) {
-          await onTokensUpdated().catch(() => void 0);
+          await onTokensUpdated().catch((err) => {
+            debugLog?.("onTokensUpdated failed:", err.message);
+          });
         }
         await client.auth?.set({
           path: { id: "anthropic" },
@@ -6346,7 +7079,9 @@ async function refreshAccountToken(account, client, source = "foreground", { onT
             access: account.access,
             expires: account.expires
           }
-        }).catch(() => void 0);
+        }).catch((err) => {
+          debugLog?.("auth.set failed:", err.message);
+        });
         return accessToken;
       }
       throw new Error("CC credential refresh failed");
@@ -6392,28 +7127,181 @@ function formatSwitchReason(status, reason) {
 
 // src/bun-fetch.ts
 import { execFileSync, spawn } from "node:child_process";
-import { existsSync as existsSync5, readFileSync as readFileSync6, writeFileSync as writeFileSync5, unlinkSync } from "node:fs";
+import { existsSync as existsSync5 } from "node:fs";
 import { dirname as dirname4, join as join6 } from "node:path";
-import { tmpdir } from "node:os";
+import * as readline from "node:readline";
 import { fileURLToPath } from "node:url";
-var proxyPort = null;
-var proxyProcess = null;
-var starting = null;
-var healthCheckFails = 0;
-var FIXED_PORT = 48372;
-var PID_FILE = join6(tmpdir(), "opencode-bun-proxy.pid");
-var MAX_HEALTH_FAILS = 2;
-var exitHandlerRegistered = false;
-function registerExitHandler() {
-  if (exitHandlerRegistered) return;
-  exitHandlerRegistered = true;
-  const cleanup = () => {
-    stopBunProxy();
+
+// src/circuit-breaker.ts
+var DEFAULT_FAILURE_THRESHOLD = 5;
+var DEFAULT_RESET_TIMEOUT_MS = 3e4;
+var pendingClientBreakers = /* @__PURE__ */ new Map();
+function normalizeConfig(options = {}) {
+  return {
+    clientId: options.clientId,
+    failureThreshold: Math.max(1, Math.trunc(options.failureThreshold ?? DEFAULT_FAILURE_THRESHOLD)),
+    resetTimeoutMs: Math.max(0, Math.trunc(options.resetTimeoutMs ?? DEFAULT_RESET_TIMEOUT_MS))
   };
-  process.on("exit", cleanup);
-  process.on("SIGINT", cleanup);
-  process.on("SIGTERM", cleanup);
 }
+function getErrorMessage2(error) {
+  if (error instanceof Error && error.message) {
+    return error.message;
+  }
+  if (typeof error === "string" && error) {
+    return error;
+  }
+  return "Unknown error";
+}
+function isPromiseLike(value) {
+  return typeof value === "object" && value !== null && "then" in value;
+}
+function releasePendingClientBreaker(clientId, breaker) {
+  queueMicrotask(() => {
+    if (pendingClientBreakers.get(clientId) === breaker) {
+      pendingClientBreakers.delete(clientId);
+    }
+  });
+}
+var CircuitBreaker = class {
+  config;
+  state = "CLOSED" /* CLOSED */;
+  failureCount = 0;
+  openedAt = null;
+  resetTimer = null;
+  constructor(options = {}) {
+    this.config = normalizeConfig(options);
+  }
+  getState() {
+    return this.state;
+  }
+  getFailureCount() {
+    return this.failureCount;
+  }
+  getOpenedAt() {
+    return this.openedAt;
+  }
+  getConfig() {
+    return { ...this.config };
+  }
+  canExecute() {
+    return this.state !== "OPEN" /* OPEN */;
+  }
+  recordSuccess() {
+    if (this.state === "HALF_OPEN" /* HALF_OPEN */) {
+      this.transitionToClosed();
+      return;
+    }
+    if (this.state === "CLOSED" /* CLOSED */) {
+      this.failureCount = 0;
+    }
+  }
+  recordFailure() {
+    if (this.state === "HALF_OPEN" /* HALF_OPEN */) {
+      this.transitionToOpen();
+      return;
+    }
+    if (this.state === "OPEN" /* OPEN */) {
+      return;
+    }
+    this.failureCount += 1;
+    if (this.failureCount >= this.config.failureThreshold) {
+      this.transitionToOpen();
+    }
+  }
+  transitionToHalfOpen() {
+    this.clearResetTimer();
+    this.state = "HALF_OPEN" /* HALF_OPEN */;
+    this.openedAt = null;
+    this.failureCount = 0;
+  }
+  execute(operation) {
+    if (!this.canExecute()) {
+      return {
+        success: false,
+        error: "Circuit breaker is OPEN"
+      };
+    }
+    try {
+      const result = operation();
+      if (isPromiseLike(result)) {
+        return result.then((data) => {
+          this.recordSuccess();
+          return {
+            success: true,
+            data
+          };
+        }).catch((error) => {
+          this.recordFailure();
+          return {
+            success: false,
+            error: getErrorMessage2(error)
+          };
+        });
+      }
+      this.recordSuccess();
+      return {
+        success: true,
+        data: result
+      };
+    } catch (error) {
+      this.recordFailure();
+      return {
+        success: false,
+        error: getErrorMessage2(error)
+      };
+    }
+  }
+  dispose() {
+    this.clearResetTimer();
+  }
+  transitionToClosed() {
+    this.clearResetTimer();
+    this.state = "CLOSED" /* CLOSED */;
+    this.failureCount = 0;
+    this.openedAt = null;
+  }
+  transitionToOpen() {
+    this.clearResetTimer();
+    this.state = "OPEN" /* OPEN */;
+    this.openedAt = Date.now();
+    this.scheduleHalfOpenTransition();
+  }
+  scheduleHalfOpenTransition() {
+    this.resetTimer = setTimeout(() => {
+      this.resetTimer = null;
+      if (this.state === "OPEN" /* OPEN */) {
+        this.transitionToHalfOpen();
+      }
+    }, this.config.resetTimeoutMs);
+    this.resetTimer.unref?.();
+  }
+  clearResetTimer() {
+    if (!this.resetTimer) {
+      return;
+    }
+    clearTimeout(this.resetTimer);
+    this.resetTimer = null;
+  }
+};
+function createCircuitBreaker(options = {}) {
+  if (!options.clientId) {
+    return new CircuitBreaker(options);
+  }
+  const existingBreaker = pendingClientBreakers.get(options.clientId);
+  if (existingBreaker) {
+    return existingBreaker;
+  }
+  const breaker = new CircuitBreaker(options);
+  pendingClientBreakers.set(options.clientId, breaker);
+  releasePendingClientBreaker(options.clientId, breaker);
+  return breaker;
+}
+
+// src/bun-fetch.ts
+var DEFAULT_PROXY_HOST = "127.0.0.1";
+var DEFAULT_STARTUP_TIMEOUT_MS = 5e3;
+var DEFAULT_BREAKER_FAILURE_THRESHOLD = 2;
+var DEFAULT_BREAKER_RESET_TIMEOUT_MS = 1e4;
 function findProxyScript() {
   const dir = typeof __dirname !== "undefined" ? __dirname : dirname4(fileURLToPath(import.meta.url));
   for (const candidate of [
@@ -6421,206 +7309,337 @@ function findProxyScript() {
     join6(dir, "..", "dist", "bun-proxy.mjs"),
     join6(dir, "bun-proxy.ts")
   ]) {
-    if (existsSync5(candidate)) return candidate;
+    if (existsSync5(candidate)) {
+      return candidate;
+    }
   }
   return null;
 }
-var _hasBun = null;
-function hasBun() {
-  if (_hasBun !== null) return _hasBun;
+function detectBunAvailability() {
   try {
-    execFileSync("which", ["bun"], { stdio: "ignore" });
-    _hasBun = true;
+    execFileSync("bun", ["--version"], { stdio: "ignore" });
+    return true;
   } catch {
-    _hasBun = false;
+    return false;
   }
-  return _hasBun;
 }
-function killStaleProxy() {
-  try {
-    const raw = readFileSync6(PID_FILE, "utf-8").trim();
-    const pid = parseInt(raw, 10);
-    if (pid > 0) {
-      try {
-        process.kill(pid, "SIGTERM");
-      } catch {
-      }
-    }
-    unlinkSync(PID_FILE);
-  } catch {
+function toHeaders(headersInit) {
+  return new Headers(headersInit ?? void 0);
+}
+function toRequestUrl(input) {
+  return typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
+}
+function resolveProxySignal(input, init) {
+  if (init?.signal) {
+    return init.signal;
   }
+  return input instanceof Request ? input.signal : void 0;
 }
-async function isProxyHealthy(port) {
-  try {
-    const resp = await fetch(`http://127.0.0.1:${port}/__health`, {
-      signal: AbortSignal.timeout(2e3)
-    });
-    return resp.ok;
-  } catch {
-    return false;
+function buildProxyRequestInit(input, init) {
+  const targetUrl = toRequestUrl(input);
+  const headers = toHeaders(init?.headers);
+  const signal = resolveProxySignal(input, init);
+  headers.set("x-proxy-url", targetUrl);
+  return {
+    ...init,
+    headers,
+    ...signal ? { signal } : {}
+  };
+}
+async function writeDebugArtifacts(url, init) {
+  if (!init.body || !url.includes("/v1/messages") || url.includes("count_tokens")) {
+    return;
   }
+  const { writeFileSync: writeFileSync5 } = await import("node:fs");
+  writeFileSync5(
+    "/tmp/opencode-last-request.json",
+    typeof init.body === "string" ? init.body : JSON.stringify(init.body)
+  );
+  const logHeaders = {};
+  toHeaders(init.headers).forEach((value, key) => {
+    logHeaders[key] = key === "authorization" ? "Bearer ***" : value;
+  });
+  writeFileSync5("/tmp/opencode-last-headers.json", JSON.stringify(logHeaders, null, 2));
 }
-function spawnProxy() {
-  return new Promise((resolve2) => {
+function createBunFetch(options = {}) {
+  const breaker = createCircuitBreaker({
+    failureThreshold: DEFAULT_BREAKER_FAILURE_THRESHOLD,
+    resetTimeoutMs: DEFAULT_BREAKER_RESET_TIMEOUT_MS
+  });
+  const closingChildren = /* @__PURE__ */ new WeakSet();
+  const defaultDebug = options.debug ?? false;
+  const onProxyStatus = options.onProxyStatus;
+  const state = {
+    activeChild: null,
+    activePort: null,
+    startingChild: null,
+    startPromise: null,
+    bunAvailable: null,
+    pendingFetches: []
+  };
+  const getStatus = (reason = "idle", status = "state") => ({
+    status,
+    mode: state.activePort !== null ? "proxy" : state.startPromise ? "starting" : "native",
+    port: state.activePort,
+    bunAvailable: state.bunAvailable,
+    childPid: state.activeChild?.pid ?? state.startingChild?.pid ?? null,
+    circuitState: breaker.getState(),
+    circuitFailureCount: breaker.getFailureCount(),
+    reason
+  });
+  const reportStatus = (reason) => {
+    onProxyStatus?.(getStatus(reason));
+  };
+  const reportFallback = (reason, _debugOverride) => {
+    onProxyStatus?.(getStatus(reason, "fallback"));
+    console.error(
+      `[opencode-anthropic-auth] Native fetch fallback engaged (${reason}); Bun proxy fingerprint mimicry disabled for this request`
+    );
+  };
+  const resolveDebug = (debugOverride) => debugOverride ?? defaultDebug;
+  const clearActiveProxy = (child) => {
+    if (child && state.activeChild === child) {
+      state.activeChild = null;
+      state.activePort = null;
+    }
+    if (child && state.startingChild === child) {
+      state.startingChild = null;
+    }
+  };
+  const flushPendingFetches = (mode, reason = "proxy-unavailable") => {
+    const pendingFetches = state.pendingFetches.splice(0, state.pendingFetches.length);
+    const useForwardFetch = pendingFetches.length <= 2;
+    for (const pendingFetch of pendingFetches) {
+      if (mode === "proxy") {
+        pendingFetch.runProxy(useForwardFetch);
+        continue;
+      }
+      pendingFetch.runNative(reason);
+    }
+  };
+  const startProxy = async (debugOverride) => {
+    if (state.activeChild && state.activePort !== null && !state.activeChild.killed) {
+      return state.activePort;
+    }
+    if (state.startPromise) {
+      return state.startPromise;
+    }
+    if (!breaker.canExecute()) {
+      reportStatus("breaker-open");
+      flushPendingFetches("native", "breaker-open");
+      return null;
+    }
+    if (state.bunAvailable === false) {
+      reportStatus("bun-unavailable");
+      flushPendingFetches("native", "bun-unavailable");
+      return null;
+    }
     const script = findProxyScript();
-    if (!script || !hasBun()) {
-      resolve2(null);
-      return;
+    state.bunAvailable = detectBunAvailability();
+    if (!script || !state.bunAvailable) {
+      breaker.recordFailure();
+      reportStatus(script ? "bun-unavailable" : "proxy-script-missing");
+      flushPendingFetches("native", script ? "bun-unavailable" : "proxy-script-missing");
+      return null;
     }
-    killStaleProxy();
-    try {
-      const child = spawn("bun", ["run", script, String(FIXED_PORT)], {
-        stdio: ["ignore", "pipe", "pipe"],
-        detached: false
-      });
-      proxyProcess = child;
-      registerExitHandler();
-      let done = false;
-      const finish = (port) => {
-        if (done) return;
-        done = true;
-        if (port && child.pid) {
-          try {
-            writeFileSync5(PID_FILE, String(child.pid));
-          } catch {
+    state.startPromise = new Promise((resolve2) => {
+      const debugEnabled = resolveDebug(debugOverride);
+      let child;
+      try {
+        child = spawn("bun", ["run", script, "--parent-pid", String(process.pid)], {
+          stdio: ["ignore", "pipe", "pipe"],
+          env: {
+            ...process.env,
+            OPENCODE_ANTHROPIC_DEBUG: debugEnabled ? "1" : "0"
           }
+        });
+      } catch {
+        breaker.recordFailure();
+        reportStatus("spawn-failed");
+        flushPendingFetches("native", "spawn-failed");
+        resolve2(null);
+        return;
+      }
+      state.startingChild = child;
+      reportStatus("starting");
+      const stdout2 = child.stdout;
+      if (!stdout2) {
+        clearActiveProxy(child);
+        breaker.recordFailure();
+        reportStatus("stdout-missing");
+        flushPendingFetches("native", "stdout-missing");
+        resolve2(null);
+        return;
+      }
+      let settled = false;
+      const stdoutLines = readline.createInterface({ input: stdout2 });
+      const startupTimeout = setTimeout(() => {
+        finalize(null, "startup-timeout");
+      }, DEFAULT_STARTUP_TIMEOUT_MS);
+      startupTimeout.unref?.();
+      const cleanupStartupResources = () => {
+        clearTimeout(startupTimeout);
+        stdoutLines.close();
+      };
+      const finalize = (result, reason) => {
+        if (settled) {
+          return;
         }
-        resolve2(port);
+        settled = true;
+        cleanupStartupResources();
+        if (result) {
+          state.startingChild = null;
+          state.activeChild = result.child;
+          state.activePort = result.port;
+          breaker.recordSuccess();
+          reportStatus(reason);
+          flushPendingFetches("proxy");
+          resolve2(result.port);
+          return;
+        }
+        clearActiveProxy(child);
+        breaker.recordFailure();
+        reportStatus(reason);
+        flushPendingFetches("native", reason);
+        resolve2(null);
       };
-      child.stdout?.on("data", (chunk) => {
-        const m = chunk.toString().match(/BUN_PROXY_PORT=(\d+)/);
-        if (m) {
-          proxyPort = parseInt(m[1], 10);
-          healthCheckFails = 0;
-          finish(proxyPort);
+      stdoutLines.on("line", (line) => {
+        const match = line.match(/^BUN_PROXY_PORT=(\d+)$/);
+        if (!match) {
+          return;
         }
+        finalize(
+          {
+            child,
+            port: Number.parseInt(match[1], 10)
+          },
+          "proxy-ready"
+        );
       });
-      child.on("error", () => {
-        finish(null);
-        proxyPort = null;
-        proxyProcess = null;
-        starting = null;
-      });
-      child.on("exit", () => {
-        proxyPort = null;
-        proxyProcess = null;
-        starting = null;
-        finish(null);
+      child.once("error", () => {
+        finalize(null, "child-error");
       });
-      setTimeout(() => finish(null), 5e3);
-    } catch {
-      resolve2(null);
-    }
-  });
-}
-async function ensureBunProxy() {
-  if (process.env.VITEST || process.env.NODE_ENV === "test") return null;
-  if (proxyPort && proxyProcess && !proxyProcess.killed) {
-    return proxyPort;
-  }
-  if (!proxyPort && await isProxyHealthy(FIXED_PORT)) {
-    proxyPort = FIXED_PORT;
-    console.error("[bun-fetch] Reusing existing Bun proxy on port", FIXED_PORT);
-    return proxyPort;
-  }
-  if (proxyPort && (!proxyProcess || proxyProcess.killed)) {
-    proxyPort = null;
-    proxyProcess = null;
-    starting = null;
-  }
-  if (starting) return starting;
-  starting = spawnProxy();
-  const port = await starting;
-  starting = null;
-  if (port) console.error("[bun-fetch] Bun proxy started on port", port);
-  else console.error("[bun-fetch] Failed to start Bun proxy, falling back to Node.js fetch");
-  return port;
-}
-function stopBunProxy() {
-  if (proxyProcess) {
-    try {
-      proxyProcess.kill();
-    } catch {
-    }
-    proxyProcess = null;
-  }
-  proxyPort = null;
-  starting = null;
-  killStaleProxy();
-}
-async function fetchViaBun(input, init) {
-  const port = await ensureBunProxy();
-  const url = typeof input === "string" ? input : input instanceof URL ? input.toString() : input.url;
-  if (!port) {
-    console.error("[bun-fetch] WARNING: No proxy available, using Node.js fetch (will route to extra usage!)");
-    return fetch(input, init);
-  }
-  console.error(`[bun-fetch] Routing through Bun proxy at :${port} \u2192 ${url}`);
-  if (init.body && url.includes("/v1/messages") && !url.includes("count_tokens")) {
-    try {
-      const { writeFileSync: writeFileSync6 } = __require("node:fs");
-      writeFileSync6("/tmp/opencode-last-request.json", typeof init.body === "string" ? init.body : JSON.stringify(init.body));
-      const hdrs = {};
-      init.headers.forEach((v, k) => {
-        hdrs[k] = k === "authorization" ? "Bearer ***" : v;
+      child.once("exit", () => {
+        const shutdownOwned = closingChildren.has(child);
+        const isCurrentChild = state.activeChild === child || state.startingChild === child;
+        clearActiveProxy(child);
+        if (!settled) {
+          finalize(null, shutdownOwned ? "shutdown-complete" : "child-exit-before-ready");
+          return;
+        }
+        if (!shutdownOwned && isCurrentChild) {
+          breaker.recordFailure();
+          reportStatus("child-exited");
+        }
       });
-      writeFileSync6("/tmp/opencode-last-headers.json", JSON.stringify(hdrs, null, 2));
-      console.error("[bun-fetch] Dumped request to /tmp/opencode-last-request.json");
-    } catch {
-    }
-  }
-  const headers = new Headers(init.headers);
-  headers.set("x-proxy-url", url);
-  try {
-    const resp = await fetch(`http://127.0.0.1:${port}/`, {
-      method: init.method || "POST",
-      headers,
-      body: init.body
+    }).finally(() => {
+      state.startPromise = null;
     });
-    if (resp.status === 502) {
-      const errText = await resp.text();
-      throw new Error(`Bun proxy upstream error: ${errText}`);
-    }
-    healthCheckFails = 0;
-    return resp;
-  } catch (err) {
-    healthCheckFails++;
-    if (healthCheckFails >= MAX_HEALTH_FAILS) {
-      stopBunProxy();
-      const newPort = await ensureBunProxy();
-      if (newPort) {
-        healthCheckFails = 0;
-        const retryHeaders = new Headers(init.headers);
-        retryHeaders.set("x-proxy-url", url);
-        return fetch(`http://127.0.0.1:${newPort}/`, {
-          method: init.method || "POST",
-          headers: retryHeaders,
-          body: init.body
-        });
+    return state.startPromise;
+  };
+  const shutdown = async () => {
+    const children = [state.startingChild, state.activeChild].filter(
+      (child) => child !== null
+    );
+    state.startPromise = null;
+    state.startingChild = null;
+    state.activeChild = null;
+    state.activePort = null;
+    for (const child of children) {
+      closingChildren.add(child);
+      if (!child.killed) {
+        try {
+          child.kill("SIGTERM");
+        } catch {
+        }
       }
     }
-    throw err;
-  }
+    breaker.dispose();
+    reportStatus("shutdown-requested");
+  };
+  const fetchThroughProxy = async (input, init, debugOverride) => {
+    const url = toRequestUrl(input);
+    const fetchNative = async (reason) => {
+      reportFallback(reason, debugOverride);
+      return globalThis.fetch(input, init);
+    };
+    const fetchFromActiveProxy = async (useForwardFetch) => {
+      const port = state.activePort;
+      if (port === null) {
+        return fetchNative("proxy-port-missing");
+      }
+      if (resolveDebug(debugOverride)) {
+        console.error(`[opencode-anthropic-auth] Routing through Bun proxy at :${port} \u2192 ${url}`);
+      }
+      if (resolveDebug(debugOverride)) {
+        try {
+          await writeDebugArtifacts(url, init ?? {});
+          if ((init?.body ?? null) !== null && url.includes("/v1/messages") && !url.includes("count_tokens")) {
+            console.error("[opencode-anthropic-auth] Dumped request to /tmp/opencode-last-request.json");
+          }
+        } catch (error) {
+          console.error("[opencode-anthropic-auth] Failed to dump request:", error);
+        }
+      }
+      const proxyInit = buildProxyRequestInit(input, init);
+      const forwardFetch = state.activeChild?.forwardFetch;
+      const response = await (useForwardFetch && typeof forwardFetch === "function" ? forwardFetch(`http://${DEFAULT_PROXY_HOST}:${port}/`, proxyInit) : fetch(`http://${DEFAULT_PROXY_HOST}:${port}/`, proxyInit));
+      if (response.status === 502) {
+        const errorText = await response.text();
+        throw new Error(`Bun proxy upstream error: ${errorText}`);
+      }
+      return response;
+    };
+    if (state.activeChild && state.activePort !== null && !state.activeChild.killed) {
+      return fetchFromActiveProxy(true);
+    }
+    return new Promise((resolve2, reject) => {
+      let settled = false;
+      const pendingFetch = {
+        runProxy: (useForwardFetch) => {
+          if (settled) {
+            return;
+          }
+          settled = true;
+          void fetchFromActiveProxy(useForwardFetch).then(resolve2, reject);
+        },
+        runNative: (reason) => {
+          if (settled) {
+            return;
+          }
+          settled = true;
+          void fetchNative(reason).then(resolve2, reject);
+        }
+      };
+      state.pendingFetches.push(pendingFetch);
+      void startProxy(debugOverride).catch(() => {
+        state.pendingFetches = state.pendingFetches.filter((candidate) => candidate !== pendingFetch);
+        pendingFetch.runNative("proxy-start-error");
+      });
+    });
+  };
+  const instance = {
+    fetch(input, init) {
+      return fetchThroughProxy(input, init);
+    },
+    ensureProxy: startProxy,
+    fetchWithDebug: fetchThroughProxy,
+    shutdown,
+    getStatus: () => getStatus()
+  };
+  return instance;
 }
 
-// src/index.ts
-async function AnthropicAuthPlugin({ client }) {
-  const config = loadConfig();
-  const signatureEmulationEnabled = config.signature_emulation.enabled;
-  const promptCompactionMode = config.signature_emulation.prompt_compaction === "off" ? "off" : "minimal";
-  const shouldFetchClaudeCodeVersion = signatureEmulationEnabled && config.signature_emulation.fetch_claude_code_version_on_startup;
-  let accountManager = null;
-  let lastToastedIndex = -1;
+// src/plugin-helpers.ts
+var DEBOUNCE_TOAST_MAP_MAX_SIZE = 50;
+function createPluginHelpers({
+  client,
+  config,
+  debugLog,
+  getAccountManager,
+  setAccountManager
+}) {
   const debouncedToastTimestamps = /* @__PURE__ */ new Map();
-  const refreshInFlight = /* @__PURE__ */ new Map();
-  const idleRefreshLastAttempt = /* @__PURE__ */ new Map();
-  const idleRefreshInFlight = /* @__PURE__ */ new Set();
-  const IDLE_REFRESH_ENABLED = config.idle_refresh.enabled;
-  const IDLE_REFRESH_WINDOW_MS = config.idle_refresh.window_minutes * 60 * 1e3;
-  const IDLE_REFRESH_MIN_INTERVAL_MS = config.idle_refresh.min_interval_minutes * 60 * 1e3;
-  let initialAccountPinned = false;
-  const pendingSlashOAuth = /* @__PURE__ */ new Map();
-  const fileAccountMap = /* @__PURE__ */ new Map();
   async function sendCommandMessage(sessionID, text) {
     await client.session?.prompt({
       path: { id: sessionID },
@@ -6628,8 +7647,8 @@ async function AnthropicAuthPlugin({ client }) {
     });
   }
   async function reloadAccountManagerFromDisk() {
-    if (!accountManager) return;
-    accountManager = await AccountManager.load(config, null);
+    if (!getAccountManager()) return;
+    setAccountManager(await AccountManager.load(config, null));
   }
   async function persistOpenCodeAuth(refresh, access, expires) {
     await client.auth?.set({
@@ -6666,29 +7685,36 @@ async function AnthropicAuthPlugin({ client }) {
         const now = Date.now();
         const lastAt = debouncedToastTimestamps.get(options.debounceKey) ?? 0;
         if (now - lastAt < minGapMs) return;
+        if (!debouncedToastTimestamps.has(options.debounceKey) && debouncedToastTimestamps.size >= DEBOUNCE_TOAST_MAP_MAX_SIZE) {
+          const oldestKey = debouncedToastTimestamps.keys().next().value;
+          if (oldestKey !== void 0) debouncedToastTimestamps.delete(oldestKey);
+        }
         debouncedToastTimestamps.set(options.debounceKey, now);
       }
     }
     try {
       await client.tui?.showToast({ body: { message, variant } });
-    } catch {
+    } catch (err) {
+      if (!(err instanceof TypeError)) debugLog("toast failed:", err);
     }
   }
-  function debugLog(...args) {
-    if (!config.debug) return;
-    console.error("[opencode-anthropic-auth]", ...args);
-  }
-  let claudeCliVersion = FALLBACK_CLAUDE_CLI_VERSION;
-  const signatureSessionId = randomUUID2();
-  const signatureUserId = getOrCreateSignatureUserId();
-  if (shouldFetchClaudeCodeVersion) {
-    fetchLatestClaudeCodeVersion().then((version) => {
-      if (!version) return;
-      claudeCliVersion = version;
-      debugLog("resolved claude-code version from npm", version);
-    }).catch(() => {
-    });
-  }
+  return {
+    toast,
+    sendCommandMessage,
+    runCliCommand,
+    reloadAccountManagerFromDisk,
+    persistOpenCodeAuth
+  };
+}
+
+// src/refresh-helpers.ts
+function createRefreshHelpers({ client, config, getAccountManager, debugLog }) {
+  const refreshInFlight = /* @__PURE__ */ new Map();
+  const idleRefreshLastAttempt = /* @__PURE__ */ new Map();
+  const idleRefreshInFlight = /* @__PURE__ */ new Set();
+  const IDLE_REFRESH_ENABLED = config.idle_refresh.enabled;
+  const IDLE_REFRESH_WINDOW_MS = config.idle_refresh.window_minutes * 60 * 1e3;
+  const IDLE_REFRESH_MIN_INTERVAL_MS = config.idle_refresh.min_interval_minutes * 60 * 1e3;
   function parseRefreshFailure(refreshError) {
     const message = refreshError instanceof Error ? refreshError.message : String(refreshError);
     const status = typeof refreshError === "object" && refreshError && "status" in refreshError ? Number(refreshError.status) : NaN;
@@ -6707,9 +7733,14 @@ async function AnthropicAuthPlugin({ client }) {
       if (source === "foreground" && existing.source === "idle") {
         try {
           await existing.promise;
-        } catch {
+        } catch (err) {
+          void err;
         }
         if (account.access && account.expires && account.expires > Date.now()) return account.access;
+        const retried = refreshInFlight.get(key);
+        if (retried && retried !== existing) {
+          return retried.promise;
+        }
       } else {
         return existing.promise;
       }
@@ -6723,12 +7754,13 @@ async function AnthropicAuthPlugin({ client }) {
         return await refreshAccountToken(account, client, source, {
           onTokensUpdated: async () => {
             try {
-              await accountManager.saveToDisk();
+              await getAccountManager().saveToDisk();
             } catch {
-              accountManager.requestSaveToDisk();
+              getAccountManager().requestSaveToDisk();
               throw new Error("save failed, debounced retry scheduled");
             }
-          }
+          },
+          debugLog
         });
       } finally {
         if (refreshInFlight.get(key) === entry) refreshInFlight.delete(key);
@@ -6739,7 +7771,7 @@ async function AnthropicAuthPlugin({ client }) {
     return p2;
   }
   async function refreshIdleAccount(account) {
-    if (!accountManager) return;
+    if (!getAccountManager()) return;
     if (idleRefreshInFlight.has(account.id)) return;
     idleRefreshInFlight.add(account.id);
     const attemptedRefreshToken = account.refreshToken;
@@ -6782,6 +7814,7 @@ async function AnthropicAuthPlugin({ client }) {
     }
   }
   function maybeRefreshIdleAccounts(activeAccount) {
+    const accountManager = getAccountManager();
     if (!IDLE_REFRESH_ENABLED || !accountManager) return;
     const now = Date.now();
     const excluded = /* @__PURE__ */ new Set([activeAccount.index]);
@@ -6794,6 +7827,80 @@ async function AnthropicAuthPlugin({ client }) {
     idleRefreshLastAttempt.set(target.id, now);
     void refreshIdleAccount(target);
   }
+  return {
+    parseRefreshFailure,
+    refreshAccountTokenSingleFlight,
+    refreshIdleAccount,
+    maybeRefreshIdleAccounts
+  };
+}
+
+// src/index.ts
+async function finalizeResponse(response, onUsage, onAccountError, onStreamError) {
+  if (!isEventStreamResponse(response)) {
+    const body = stripMcpPrefixFromJsonBody(await response.text());
+    return new Response(body, {
+      status: response.status,
+      statusText: response.statusText,
+      headers: new Headers(response.headers)
+    });
+  }
+  return transformResponse(response, onUsage, onAccountError, onStreamError);
+}
+async function AnthropicAuthPlugin({
+  client
+}) {
+  const config = loadConfig();
+  const signatureEmulationEnabled = config.signature_emulation.enabled;
+  const promptCompactionMode = config.signature_emulation.prompt_compaction === "off" ? "off" : "minimal";
+  const shouldFetchClaudeCodeVersion = signatureEmulationEnabled && config.signature_emulation.fetch_claude_code_version_on_startup;
+  let accountManager = null;
+  let lastToastedIndex = -1;
+  let initialAccountPinned = false;
+  const pendingSlashOAuth = /* @__PURE__ */ new Map();
+  const fileAccountMap = /* @__PURE__ */ new Map();
+  function debugLog(...args) {
+    if (!config.debug) return;
+    console.error("[opencode-anthropic-auth]", ...args);
+  }
+  const { toast, sendCommandMessage, runCliCommand, reloadAccountManagerFromDisk, persistOpenCodeAuth } = createPluginHelpers({
+    client,
+    config,
+    debugLog,
+    getAccountManager: () => accountManager,
+    setAccountManager: (nextAccountManager) => {
+      accountManager = nextAccountManager;
+    }
+  });
+  const { parseRefreshFailure, refreshAccountTokenSingleFlight, maybeRefreshIdleAccounts } = createRefreshHelpers({
+    client,
+    config,
+    getAccountManager: () => accountManager,
+    debugLog
+  });
+  const bunFetchInstance = createBunFetch({
+    debug: config.debug,
+    onProxyStatus: (status) => {
+      debugLog("bun fetch status", status);
+    }
+  });
+  const fetchWithTransport = async (input, init) => {
+    const activeFetch = globalThis.fetch;
+    if (typeof activeFetch === "function" && activeFetch.mock) {
+      return activeFetch(input, init);
+    }
+    return bunFetchInstance.fetch(input, init);
+  };
+  let claudeCliVersion = FALLBACK_CLAUDE_CLI_VERSION;
+  const signatureSessionId = randomUUID2();
+  const signatureUserId = getOrCreateSignatureUserId();
+  if (shouldFetchClaudeCodeVersion) {
+    fetchLatestClaudeCodeVersion().then((version) => {
+      if (!version) return;
+      claudeCliVersion = version;
+      debugLog("resolved claude-code version from npm", version);
+    }).catch((err) => debugLog("CC version fetch failed:", err.message));
+  }
   const commandDeps = {
     sendCommandMessage,
     get accountManager() {
@@ -6811,6 +7918,10 @@ async function AnthropicAuthPlugin({ client }) {
     refreshAccountTokenSingleFlight
   };
   return {
+    dispose: async () => {
+      await bunFetchInstance.shutdown();
+    },
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- OpenCode plugin hook API boundary
     "experimental.chat.system.transform": (input, output) => {
       const prefix = CLAUDE_CODE_IDENTITY_STRING;
       if (!signatureEmulationEnabled && input.model?.providerID === "anthropic") {
@@ -6818,6 +7929,7 @@ async function AnthropicAuthPlugin({ client }) {
         if (output.system[1]) output.system[1] = prefix + "\n\n" + output.system[1];
       }
     },
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- OpenCode plugin hook API boundary
     config: async (input) => {
       input.command ??= {};
       input.command["anthropic"] = {
@@ -6825,6 +7937,7 @@ async function AnthropicAuthPlugin({ client }) {
         description: "Manage Anthropic auth, config, and betas (usage, login, config, set, betas, switch)"
       };
     },
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any -- OpenCode plugin hook API boundary
     "command.execute.before": async (input) => {
       if (input.command !== "anthropic") return;
       try {
@@ -6864,8 +7977,6 @@ ${message}`);
             const ccCount = accountManager.getCCAccounts().length;
             if (ccCount > 0) {
               await toast(`Using Claude Code credentials (${ccCount} found)`, "success");
-            } else {
-              await toast("No Claude Code credentials \u2014 using OAuth", "info");
             }
           }
           const initialAccountEnv = process.env.OPENCODE_ANTHROPIC_INITIAL_ACCOUNT?.trim();
@@ -6896,8 +8007,17 @@ ${message}`);
             async fetch(input, init) {
               const currentAuth = await getAuth();
               if (currentAuth.type !== "oauth") return fetch(input, init);
-              const requestInit = init ?? {};
+              const requestInit = { ...init ?? {} };
               const { requestInput, requestUrl } = transformRequestUrl(input);
+              const resolvedBody = requestInit.body !== void 0 ? requestInit.body : requestInput instanceof Request && requestInput.body ? await requestInput.clone().text() : void 0;
+              if (resolvedBody !== void 0) {
+                requestInit.body = resolvedBody;
+              }
+              const requestContext = {
+                attempt: 0,
+                cloneBody: typeof resolvedBody === "string" ? cloneBodyForRetry(resolvedBody) : void 0,
+                preparedBody: void 0
+              };
               const requestMethod = String(
                 requestInit.method || (requestInput instanceof Request ? requestInput.method : "POST")
               ).toUpperCase();
@@ -6937,6 +8057,7 @@ ${message}`);
                 }
               }
               for (let attempt = 0; attempt < maxAttempts; attempt++) {
+                requestContext.attempt = attempt + 1;
                 const account = attempt === 0 && pinnedAccount && !transientRefreshSkips.has(pinnedAccount.index) ? pinnedAccount : accountManager.getCurrentAccount(transientRefreshSkips);
                 if (showUsageToast && account && accountManager) {
                   const currentIndex = accountManager.getCurrentIndex();
@@ -7021,19 +8142,26 @@ ${message}`);
                   accessToken = account.access;
                 }
                 maybeRefreshIdleAccounts(account);
-                const body = transformRequestBody(
-                  requestInit.body,
-                  {
-                    enabled: signatureEmulationEnabled,
-                    claudeCliVersion,
-                    promptCompactionMode
-                  },
-                  {
-                    persistentUserId: signatureUserId,
-                    sessionId: signatureSessionId,
-                    accountId: getAccountIdentifier(account)
-                  }
-                );
+                const buildAttemptBody = () => {
+                  const transformedBody = transformRequestBody(
+                    requestContext.cloneBody === void 0 ? void 0 : cloneBodyForRetry(requestContext.cloneBody),
+                    {
+                      enabled: signatureEmulationEnabled,
+                      claudeCliVersion,
+                      promptCompactionMode
+                    },
+                    {
+                      persistentUserId: signatureUserId,
+                      sessionId: signatureSessionId,
+                      accountId: getAccountIdentifier(account)
+                    },
+                    config.relocate_third_party_prompts,
+                    debugLog
+                  );
+                  requestContext.preparedBody = typeof transformedBody === "string" ? cloneBodyForRetry(transformedBody) : void 0;
+                  return transformedBody;
+                };
+                const body = buildAttemptBody();
                 logTransformedSystemPrompt(body);
                 const requestHeaders = buildRequestHeaders(input, requestInit, accessToken, body, requestUrl, {
                   enabled: signatureEmulationEnabled,
@@ -7069,7 +8197,7 @@ ${message}`);
                 let response;
                 const fetchInput = requestInput;
                 try {
-                  response = await fetchViaBun(fetchInput, {
+                  response = await fetchWithTransport(fetchInput, {
                     ...requestInit,
                     body,
                     headers: requestHeaders
@@ -7109,6 +8237,7 @@ ${message}`);
                       reason
                     });
                     accountManager.markRateLimited(account, reason, authOrPermissionIssue ? null : retryAfterMs);
+                    transientRefreshSkips.add(account.index);
                     const name = account.email || `Account ${accountManager.getCurrentIndex() + 1}`;
                     const total = accountManager.getAccountCount();
                     if (total > 1) {
@@ -7134,23 +8263,24 @@ ${message}`);
                         headersForRetry.set("x-stainless-retry-count", String(retryCount));
                         retryCount += 1;
                         const retryUrl = fetchInput instanceof Request ? fetchInput.url : fetchInput.toString();
-                        return fetchViaBun(retryUrl, {
+                        const retryBody = requestContext.preparedBody === void 0 ? void 0 : cloneBodyForRetry(requestContext.preparedBody);
+                        return fetchWithTransport(retryUrl, {
                           ...requestInit,
-                          body,
+                          body: retryBody,
                           headers: headersForRetry
                         });
                       },
                       { maxRetries: 2 }
                     );
                     if (!retried.ok) {
-                      return transformResponse(retried);
+                      return finalizeResponse(retried);
                     }
                     response = retried;
                   } else {
                     debugLog("non-account-specific response error, returning directly", {
                       status: response.status
                     });
-                    return transformResponse(response);
+                    return finalizeResponse(response);
                   }
                 }
                 if (account && accountManager && response.ok) {
@@ -7160,15 +8290,28 @@ ${message}`);
                 const usageCallback = shouldInspectStream ? (usage) => {
                   accountManager.recordUsage(account.index, usage);
                 } : null;
-                const accountErrorCallback = shouldInspectStream ? (details) => {
-                  if (details.invalidateToken) {
-                    account.access = void 0;
-                    account.expires = void 0;
-                    markTokenStateUpdated(account);
+                const accountErrorCallback = shouldInspectStream ? (
+                  // eslint-disable-next-line @typescript-eslint/no-explicit-any -- reason carries opaque rate-limit metadata; shape stabilized at callsite
+                  (details) => {
+                    if (details.invalidateToken) {
+                      account.access = void 0;
+                      account.expires = void 0;
+                      markTokenStateUpdated(account);
+                    }
+                    accountManager.markRateLimited(account, details.reason, null);
+                  }
+                ) : null;
+                const streamErrorCallback = response.ok && isEventStreamResponse(response) ? (error) => {
+                  if (!(error instanceof StreamTruncatedError)) {
+                    return;
                   }
-                  accountManager.markRateLimited(account, details.reason, null);
+                  debugLog("stream truncated during response consumption", {
+                    accountIndex: account?.index,
+                    message: error.message,
+                    context: error.context
+                  });
                 } : null;
-                return transformResponse(response, usageCallback, accountErrorCallback);
+                return finalizeResponse(response, usageCallback, accountErrorCallback, streamErrorCallback);
               }
               if (lastError) throw lastError;
               throw new Error("All accounts exhausted \u2014 no account could serve this request");
@@ -7198,11 +8341,38 @@ ${message}`);
             if (!accountManager) {
               accountManager = await AccountManager.load(config, null);
             }
-            const exists = accountManager.getAccountsSnapshot().some((acc) => acc.refreshToken === ccCred.refreshToken);
-            if (!exists) {
-              const added = accountManager.addAccount(ccCred.refreshToken, ccCred.accessToken, ccCred.expiresAt);
+            const identity = resolveIdentityFromCCCredential(ccCred);
+            const existing = findByIdentity(accountManager.getCCAccounts(), identity);
+            if (existing) {
+              existing.refreshToken = ccCred.refreshToken;
+              existing.identity = identity;
+              existing.source = ccCred.source;
+              existing.label = ccCred.label;
+              existing.enabled = true;
+              if (ccCred.accessToken) {
+                existing.access = ccCred.accessToken;
+              }
+              if (ccCred.expiresAt >= (existing.expires ?? 0)) {
+                existing.expires = ccCred.expiresAt;
+              }
+              existing.tokenUpdatedAt = Math.max(existing.tokenUpdatedAt || 0, ccCred.expiresAt || 0);
+              await accountManager.saveToDisk();
+            } else {
+              const added = accountManager.addAccount(
+                ccCred.refreshToken,
+                ccCred.accessToken,
+                ccCred.expiresAt,
+                void 0,
+                {
+                  identity,
+                  label: ccCred.label,
+                  source: ccCred.source
+                }
+              );
               if (added) {
                 added.source = ccCred.source;
+                added.label = ccCred.label;
+                added.identity = identity;
               }
               await accountManager.saveToDisk();
               await toast("Added Claude Code credentials", "success");
@@ -7263,17 +8433,35 @@ ${message}`);
                 if (!accountManager) {
                   accountManager = await AccountManager.load(config, null);
                 }
+                const identity = resolveIdentityFromOAuthExchange(credentials);
                 const countBefore = accountManager.getAccountCount();
-                accountManager.addAccount(
-                  credentials.refresh,
-                  credentials.access,
-                  credentials.expires,
-                  credentials.email
-                );
+                const existing = identity.kind === "oauth" ? findByIdentity(accountManager.getOAuthAccounts(), identity) : null;
+                if (existing) {
+                  existing.refreshToken = credentials.refresh;
+                  existing.access = credentials.access;
+                  existing.expires = credentials.expires;
+                  existing.email = credentials.email ?? existing.email;
+                  existing.identity = identity;
+                  existing.source = "oauth";
+                  existing.enabled = true;
+                  existing.tokenUpdatedAt = Date.now();
+                } else {
+                  accountManager.addAccount(
+                    credentials.refresh,
+                    credentials.access,
+                    credentials.expires,
+                    credentials.email,
+                    {
+                      identity,
+                      source: "oauth"
+                    }
+                  );
+                }
                 await accountManager.saveToDisk();
                 const total = accountManager.getAccountCount();
                 const name = credentials.email || "account";
-                if (countBefore > 0) await toast(`Added ${name} \u2014 ${total} accounts`, "success");
+                if (existing) await toast(`Re-authenticated (${name})`, "success");
+                else if (countBefore > 0) await toast(`Added ${name} \u2014 ${total} accounts`, "success");
                 else await toast(`Authenticated (${name})`, "success");
                 return credentials;
               }