@vacbo/opencode-anthropic-fix 0.1.4 → 0.1.6

package/dist/opencode-anthropic-auth-plugin.js

@@ -3370,13 +3370,28 @@ var init_cli = __esm({
 });
 
 // src/index.ts
-import { randomUUID as randomUUID2 } from "node:crypto";
+import { randomUUID as randomUUID3 } from "node:crypto";
 
 // src/backoff.ts
 var QUOTA_EXHAUSTED_BACKOFFS = [6e4, 3e5, 18e5, 72e5];
 var AUTH_FAILED_BACKOFF = 5e3;
 var RATE_LIMIT_EXCEEDED_BACKOFF = 3e4;
 var MIN_BACKOFF_MS = 2e3;
+var RETRIABLE_NETWORK_ERROR_CODES = /* @__PURE__ */ new Set(["ECONNRESET", "ECONNREFUSED", "EPIPE", "ETIMEDOUT", "UND_ERR_SOCKET"]);
+var NON_RETRIABLE_ERROR_NAMES = /* @__PURE__ */ new Set(["AbortError", "TimeoutError", "APIUserAbortError"]);
+var RETRIABLE_NETWORK_ERROR_MESSAGES = [
+  "bun proxy upstream error",
+  "connection reset by peer",
+  "connection reset by server",
+  "econnreset",
+  "econnrefused",
+  "epipe",
+  "etimedout",
+  "fetch failed",
+  "network connection lost",
+  "socket hang up",
+  "und_err_socket"
+];
 function parseRetryAfterHeader(response) {
   const header = response.headers.get("retry-after");
   if (!header) return null;
@@ -3463,6 +3478,54 @@ function bodyHasAccountError(body) {
   ];
   return typeSignals.some((signal) => errorType.includes(signal)) || messageSignals.some((signal) => message.includes(signal)) || messageSignals.some((signal) => text.includes(signal));
 }
+function collectErrorChain(error) {
+  const queue = [error];
+  const visited = /* @__PURE__ */ new Set();
+  const chain = [];
+  while (queue.length > 0) {
+    const candidate = queue.shift();
+    if (candidate == null || visited.has(candidate)) {
+      continue;
+    }
+    visited.add(candidate);
+    if (candidate instanceof Error) {
+      const typedCandidate = candidate;
+      chain.push(typedCandidate);
+      if (typedCandidate.cause !== void 0) {
+        queue.push(typedCandidate.cause);
+      }
+      continue;
+    }
+    if (typeof candidate === "object" && "cause" in candidate) {
+      queue.push(candidate.cause);
+    }
+  }
+  return chain;
+}
+function isRetriableNetworkError(error) {
+  if (typeof error === "string") {
+    const text = error.toLowerCase();
+    return RETRIABLE_NETWORK_ERROR_MESSAGES.some((signal) => text.includes(signal));
+  }
+  const chain = collectErrorChain(error);
+  if (chain.length === 0) {
+    return false;
+  }
+  for (const candidate of chain) {
+    if (NON_RETRIABLE_ERROR_NAMES.has(candidate.name)) {
+      return false;
+    }
+    const code = candidate.code?.toUpperCase();
+    if (code && RETRIABLE_NETWORK_ERROR_CODES.has(code)) {
+      return true;
+    }
+    const message = candidate.message.toLowerCase();
+    if (RETRIABLE_NETWORK_ERROR_MESSAGES.some((signal) => message.includes(signal))) {
+      return true;
+    }
+  }
+  return false;
+}
 function isAccountSpecificError(status, body) {
   if (status === 429) return true;
   if (status === 401) return true;
@@ -5947,6 +6010,107 @@ function buildRequestHeaders(input, requestInit, accessToken, requestBody, reque
 // src/index.ts
 init_oauth();
 
+// src/headers/cch.ts
+var MASK64 = 0xffffffffffffffffn;
+var CCH_MASK = 0x0fffffn;
+var PRIME1 = 0x9e3779b185ebca87n;
+var PRIME2 = 0xc2b2ae3d27d4eb4fn;
+var PRIME3 = 0x165667b19e3779f9n;
+var PRIME4 = 0x85ebca77c2b2ae63n;
+var PRIME5 = 0x27d4eb2f165667c5n;
+var CCH_FIELD_PREFIX = "cch=";
+var CCH_PLACEHOLDER = "00000";
+var CCH_SEED = 0x6e52736ac806831en;
+var encoder = new TextEncoder();
+function toUint64(value) {
+  return value & MASK64;
+}
+function rotateLeft64(value, bits) {
+  const shift = BigInt(bits);
+  return toUint64(value << shift | value >> 64n - shift);
+}
+function readUint32LE(view, offset) {
+  return BigInt(view.getUint32(offset, true));
+}
+function readUint64LE(view, offset) {
+  return view.getBigUint64(offset, true);
+}
+function round64(acc, input) {
+  const mixed = toUint64(acc + toUint64(input * PRIME2));
+  return toUint64(rotateLeft64(mixed, 31) * PRIME1);
+}
+function mergeRound64(acc, value) {
+  const mixed = acc ^ round64(0n, value);
+  return toUint64(toUint64(mixed) * PRIME1 + PRIME4);
+}
+function avalanche64(hash) {
+  let mixed = hash ^ hash >> 33n;
+  mixed = toUint64(mixed * PRIME2);
+  mixed ^= mixed >> 29n;
+  mixed = toUint64(mixed * PRIME3);
+  mixed ^= mixed >> 32n;
+  return toUint64(mixed);
+}
+function xxHash64(input, seed = CCH_SEED) {
+  const view = new DataView(input.buffer, input.byteOffset, input.byteLength);
+  const length = input.byteLength;
+  let offset = 0;
+  let hash;
+  if (length >= 32) {
+    let v1 = toUint64(seed + PRIME1 + PRIME2);
+    let v2 = toUint64(seed + PRIME2);
+    let v3 = toUint64(seed);
+    let v4 = toUint64(seed - PRIME1);
+    while (offset <= length - 32) {
+      v1 = round64(v1, readUint64LE(view, offset));
+      v2 = round64(v2, readUint64LE(view, offset + 8));
+      v3 = round64(v3, readUint64LE(view, offset + 16));
+      v4 = round64(v4, readUint64LE(view, offset + 24));
+      offset += 32;
+    }
+    hash = toUint64(rotateLeft64(v1, 1) + rotateLeft64(v2, 7) + rotateLeft64(v3, 12) + rotateLeft64(v4, 18));
+    hash = mergeRound64(hash, v1);
+    hash = mergeRound64(hash, v2);
+    hash = mergeRound64(hash, v3);
+    hash = mergeRound64(hash, v4);
+  } else {
+    hash = toUint64(seed + PRIME5);
+  }
+  hash = toUint64(hash + BigInt(length));
+  while (offset <= length - 8) {
+    const lane = round64(0n, readUint64LE(view, offset));
+    hash ^= lane;
+    hash = toUint64(rotateLeft64(hash, 27) * PRIME1 + PRIME4);
+    offset += 8;
+  }
+  if (offset <= length - 4) {
+    hash ^= toUint64(readUint32LE(view, offset) * PRIME1);
+    hash = toUint64(rotateLeft64(hash, 23) * PRIME2 + PRIME3);
+    offset += 4;
+  }
+  while (offset < length) {
+    hash ^= toUint64(BigInt(view.getUint8(offset)) * PRIME5);
+    hash = toUint64(rotateLeft64(hash, 11) * PRIME1);
+    offset += 1;
+  }
+  return avalanche64(hash);
+}
+function computeNativeStyleCch(serializedBody) {
+  const hash = xxHash64(encoder.encode(serializedBody), CCH_SEED);
+  return (hash & CCH_MASK).toString(16).padStart(5, "0");
+}
+function replaceNativeStyleCch(serializedBody) {
+  const sentinel = `${CCH_FIELD_PREFIX}${CCH_PLACEHOLDER}`;
+  const fieldIndex = serializedBody.indexOf(sentinel);
+  if (fieldIndex === -1) {
+    return serializedBody;
+  }
+  const valueStart = fieldIndex + CCH_FIELD_PREFIX.length;
+  const valueEnd = valueStart + CCH_PLACEHOLDER.length;
+  const cch = computeNativeStyleCch(serializedBody);
+  return `${serializedBody.slice(0, valueStart)}${cch}${serializedBody.slice(valueEnd)}`;
+}
+
 // src/headers/billing.ts
 import { createHash as createHash2 } from "node:crypto";
 function buildAnthropicBillingHeader(claudeCliVersion, messages) {
@@ -5976,16 +6140,7 @@ function buildAnthropicBillingHeader(claudeCliVersion, messages) {
     }
   }
   const entrypoint = process.env.CLAUDE_CODE_ENTRYPOINT ?? "cli";
-  let cchValue;
-  if (Array.isArray(messages) && messages.length > 0) {
-    const bodyHint = JSON.stringify(messages).slice(0, 512);
-    const cchHash = createHash2("sha256").update(bodyHint + claudeCliVersion + Date.now().toString(36)).digest("hex");
-    cchValue = cchHash.slice(0, 5);
-  } else {
-    const buf = createHash2("sha256").update(Date.now().toString(36) + Math.random().toString(36)).digest("hex");
-    cchValue = buf.slice(0, 5);
-  }
-  return `x-anthropic-billing-header: cc_version=${claudeCliVersion}${versionSuffix}; cc_entrypoint=${entrypoint}; cch=${cchValue};`;
+  return `x-anthropic-billing-header: cc_version=${claudeCliVersion}${versionSuffix}; cc_entrypoint=${entrypoint}; cch=${CCH_PLACEHOLDER};`;
 }
 
 // src/system-prompt/normalize.ts
@@ -6352,7 +6507,7 @@ function transformRequestBody(body, signature, runtime, relocateThirdPartyPrompt
         return msg;
       });
     }
-    return JSON.stringify(parsed);
+    return replaceNativeStyleCch(JSON.stringify(parsed));
   } catch (err) {
     if (err instanceof SyntaxError) {
       debugLog?.("body parse failed:", err.message);
@@ -6382,20 +6537,36 @@ function shouldRetryStatus(status, shouldRetryHeader) {
   if (shouldRetryHeader === false) return false;
   return status === 408 || status === 409 || status === 429 || status >= 500;
 }
-async function fetchWithRetry(doFetch, config = {}) {
-  const resolvedConfig = { ...DEFAULT_RETRY_CONFIG, ...config };
+async function fetchWithRetry(doFetch, options = {}) {
+  const resolvedConfig = { ...DEFAULT_RETRY_CONFIG, ...options };
+  const shouldRetryError = options.shouldRetryError ?? isRetriableNetworkError;
+  const shouldRetryResponse = options.shouldRetryResponse ?? ((response) => {
+    const shouldRetryHeader = parseShouldRetryHeader(response);
+    return shouldRetryStatus(response.status, shouldRetryHeader);
+  });
+  let forceFreshConnection = false;
   for (let attempt = 0; ; attempt++) {
-    const response = await doFetch();
+    let response;
+    try {
+      response = await doFetch({ attempt, forceFreshConnection });
+    } catch (error) {
+      if (!shouldRetryError(error) || attempt >= resolvedConfig.maxRetries) {
+        throw error;
+      }
+      const delayMs2 = calculateRetryDelay(attempt, resolvedConfig);
+      await waitFor(delayMs2);
+      forceFreshConnection = true;
+      continue;
+    }
     if (response.ok) {
       return response;
     }
-    const shouldRetryHeader = parseShouldRetryHeader(response);
-    const shouldRetry = shouldRetryStatus(response.status, shouldRetryHeader);
-    if (!shouldRetry || attempt >= resolvedConfig.maxRetries) {
+    if (!shouldRetryResponse(response) || attempt >= resolvedConfig.maxRetries) {
       return response;
     }
     const delayMs = parseRetryAfterMsHeader(response) ?? parseRetryAfterHeader(response) ?? calculateRetryDelay(attempt, resolvedConfig);
     await waitFor(delayMs);
+    forceFreshConnection = false;
   }
 }
 
@@ -6730,7 +6901,7 @@ function transformResponse(response, onUsage, onAccountError, onStreamError) {
   if (!response.body || !isEventStreamResponse(response)) return response;
   const reader = response.body.getReader();
   const decoder = new TextDecoder("utf-8", { fatal: true });
-  const encoder = new TextEncoder();
+  const encoder2 = new TextEncoder();
   const stats = {
     inputTokens: 0,
     outputTokens: 0,
@@ -6788,7 +6959,7 @@ function transformResponse(response, onUsage, onAccountError, onStreamError) {
     if (eventType === "error") {
       hasSeenError = true;
     }
-    controller.enqueue(encoder.encode(formatSSEEventBlock(eventType, parsedRecord, strictEventValidation)));
+    controller.enqueue(encoder2.encode(formatSSEEventBlock(eventType, parsedRecord, strictEventValidation)));
     if (eventType === "error" && strictEventValidation) {
       throw new Error(getErrorMessage(parsedRecord));
     }
@@ -6927,7 +7098,7 @@ async function acquireRefreshLock(accountId, options = {}) {
       const handle = await fs2.open(lockPath, "wx", 384);
       try {
         await handle.writeFile(JSON.stringify({ pid: process.pid, createdAt: Date.now(), owner }), "utf-8");
-        const stat = await handle.stat();
+        const stat = await handle.stat({ bigint: true });
         return { acquired: true, lockPath, owner, lockInode: stat.ino };
       } finally {
         await handle.close();
@@ -6938,8 +7109,8 @@ async function acquireRefreshLock(accountId, options = {}) {
         throw error;
       }
       try {
-        const stat = await fs2.stat(lockPath);
-        if (Date.now() - stat.mtimeMs > staleMs) {
+        const stat = await fs2.stat(lockPath, { bigint: true });
+        if (Date.now() - Number(stat.mtimeMs) > staleMs) {
           await fs2.unlink(lockPath);
           continue;
         }
@@ -6956,7 +7127,7 @@ async function acquireRefreshLock(accountId, options = {}) {
 async function releaseRefreshLock(lock) {
   const lockPath = typeof lock === "string" || lock === null ? lock : lock.lockPath;
   const owner = typeof lock === "object" && lock ? lock.owner || null : null;
-  const lockInode = typeof lock === "object" && lock ? lock.lockInode || null : null;
+  const lockInode = typeof lock === "object" && lock ? lock.lockInode ?? null : null;
   if (!lockPath) return;
   if (owner) {
     try {
@@ -6966,7 +7137,7 @@ async function releaseRefreshLock(lock) {
         return;
       }
       if (lockInode) {
-        const stat = await fs2.stat(lockPath);
+        const stat = await fs2.stat(lockPath, { bigint: true });
         if (stat.ino !== lockInode) {
           return;
         }
@@ -7178,6 +7349,7 @@ function formatSwitchReason(status, reason) {
 
 // src/bun-fetch.ts
 import { execFileSync, spawn } from "node:child_process";
+import { randomUUID as randomUUID2 } from "node:crypto";
 import { existsSync as existsSync5 } from "node:fs";
 import { dirname as dirname4, join as join6 } from "node:path";
 import * as readline from "node:readline";
@@ -7397,20 +7569,38 @@ function buildProxyRequestInit(input, init) {
     ...signal ? { signal } : {}
   };
 }
+var DEBUG_DUMP_DIR = "/tmp";
+var DEBUG_LATEST_REQUEST_PATH = `${DEBUG_DUMP_DIR}/opencode-last-request.json`;
+var DEBUG_LATEST_HEADERS_PATH = `${DEBUG_DUMP_DIR}/opencode-last-headers.json`;
+function makeDebugDumpId() {
+  const filesystemSafeTimestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+  const subMillisecondCollisionGuard = randomUUID2().slice(0, 8);
+  return `${filesystemSafeTimestamp}-${subMillisecondCollisionGuard}`;
+}
 async function writeDebugArtifacts(url, init) {
   if (!init.body || !url.includes("/v1/messages") || url.includes("count_tokens")) {
-    return;
+    return null;
   }
   const { writeFileSync: writeFileSync5 } = await import("node:fs");
-  writeFileSync5(
-    "/tmp/opencode-last-request.json",
-    typeof init.body === "string" ? init.body : JSON.stringify(init.body)
-  );
+  const id = makeDebugDumpId();
+  const requestPath = `${DEBUG_DUMP_DIR}/opencode-request-${id}.json`;
+  const headersPath = `${DEBUG_DUMP_DIR}/opencode-headers-${id}.json`;
+  const bodyText = typeof init.body === "string" ? init.body : JSON.stringify(init.body);
   const logHeaders = {};
   toHeaders(init.headers).forEach((value, key) => {
     logHeaders[key] = key === "authorization" ? "Bearer ***" : value;
   });
-  writeFileSync5("/tmp/opencode-last-headers.json", JSON.stringify(logHeaders, null, 2));
+  const headersText = JSON.stringify(logHeaders, null, 2);
+  writeFileSync5(requestPath, bodyText);
+  writeFileSync5(headersPath, headersText);
+  writeFileSync5(DEBUG_LATEST_REQUEST_PATH, bodyText);
+  writeFileSync5(DEBUG_LATEST_HEADERS_PATH, headersText);
+  return {
+    requestPath,
+    headersPath,
+    latestRequestPath: DEBUG_LATEST_REQUEST_PATH,
+    latestHeadersPath: DEBUG_LATEST_HEADERS_PATH
+  };
 }
 function createBunFetch(options = {}) {
   const breaker = createCircuitBreaker({
@@ -7624,9 +7814,11 @@ function createBunFetch(options = {}) {
       }
       if (resolveDebug(debugOverride)) {
         try {
-          await writeDebugArtifacts(url, init ?? {});
-          if ((init?.body ?? null) !== null && url.includes("/v1/messages") && !url.includes("count_tokens")) {
-            console.error("[opencode-anthropic-auth] Dumped request to /tmp/opencode-last-request.json");
+          const dumped = await writeDebugArtifacts(url, init ?? {});
+          if (dumped) {
+            console.error(
+              `[opencode-anthropic-auth] Dumped request to ${dumped.requestPath} (latest alias: ${dumped.latestRequestPath})`
+            );
           }
         } catch (error) {
           console.error("[opencode-anthropic-auth] Failed to dump request:", error);
@@ -7944,7 +8136,7 @@ async function AnthropicAuthPlugin({
     return bunFetchInstance.fetch(input, init);
   };
   let claudeCliVersion = FALLBACK_CLAUDE_CLI_VERSION;
-  const signatureSessionId = randomUUID2();
+  const signatureSessionId = randomUUID3();
   const signatureUserId = getOrCreateSignatureUserId();
   if (shouldFetchClaudeCodeVersion) {
     fetchLatestClaudeCodeVersion().then((version) => {
@@ -8250,12 +8442,33 @@ ${message}`);
                 }
                 let response;
                 const fetchInput = requestInput;
-                try {
-                  response = await fetchWithTransport(fetchInput, {
+                const buildTransportRequestInit = (headers, requestBody, forceFreshConnection) => {
+                  const requestHeadersForTransport = new Headers(headers);
+                  if (forceFreshConnection) {
+                    requestHeadersForTransport.set("connection", "close");
+                    requestHeadersForTransport.set("x-proxy-disable-keepalive", "true");
+                  } else {
+                    requestHeadersForTransport.delete("connection");
+                    requestHeadersForTransport.delete("x-proxy-disable-keepalive");
+                  }
+                  return {
                     ...requestInit,
-                    body,
-                    headers: requestHeaders
-                  });
+                    body: requestBody,
+                    headers: requestHeadersForTransport,
+                    ...forceFreshConnection ? { keepalive: false } : {}
+                  };
+                };
+                try {
+                  response = await fetchWithRetry(
+                    async ({ forceFreshConnection }) => fetchWithTransport(
+                      fetchInput,
+                      buildTransportRequestInit(requestHeaders, body, forceFreshConnection)
+                    ),
+                    {
+                      maxRetries: 2,
+                      shouldRetryResponse: () => false
+                    }
+                  );
                 } catch (err) {
                   const fetchError = err instanceof Error ? err : new Error(String(err));
                   if (accountManager && account) {
@@ -8308,7 +8521,7 @@ ${message}`);
                     });
                     let retryCount = 0;
                     const retried = await fetchWithRetry(
-                      async () => {
+                      async ({ forceFreshConnection }) => {
                         if (retryCount === 0) {
                           retryCount += 1;
                           return response;
@@ -8318,11 +8531,10 @@ ${message}`);
                         retryCount += 1;
                         const retryUrl = fetchInput instanceof Request ? fetchInput.url : fetchInput.toString();
                         const retryBody = requestContext.preparedBody === void 0 ? void 0 : cloneBodyForRetry(requestContext.preparedBody);
-                        return fetchWithTransport(retryUrl, {
-                          ...requestInit,
-                          body: retryBody,
-                          headers: headersForRetry
-                        });
+                        return fetchWithTransport(
+                          retryUrl,
+                          buildTransportRequestInit(headersForRetry, retryBody, forceFreshConnection)
+                        );
                       },
                       { maxRetries: 2 }
                     );

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vacbo/opencode-anthropic-fix",
-  "version": "0.1.4",
+  "version": "0.1.6",
   "main": "dist/opencode-anthropic-auth-plugin.js",
   "bin": {
     "opencode-anthropic-auth": "dist/opencode-anthropic-auth-cli.mjs",
@@ -20,6 +20,8 @@
     "build": "bun scripts/build.ts",
     "prepublishOnly": "npm run build && npm test",
     "test": "vitest run",
+    "check:cch-drift": "bun scripts/drift-checker/check-cch-constants.ts --fail-on-drift",
+    "check:cch-drift:npm": "bun scripts/drift-checker/check-cch-constants.ts --npm-version latest --fail-on-drift",
     "test:watch": "vitest",
     "lint": "eslint .",
     "lint:fix": "eslint --fix .",

package/src/__tests__/cc-comparison.test.ts

@@ -57,7 +57,7 @@ describe("CC 2.1.98 — Full request fingerprint comparison", () => {
     console.log(`║ Axios version:   1.13.6 (token endpoint UA)`);
     console.log(`║ anthropic-ver:   2023-06-01`);
     console.log(`║ x-app:           cli`);
-    console.log(`║ cch:             00000 (placeholder, not attested on Node.js)`);
+    console.log(`║ cch:             00000 placeholder → xxHash64(serialized body, seed 0x6E52736AC806831E)`);
     console.log(`║ Identity:        You are Claude Code, Anthropic's official CLI for Claude.`);
     console.log(`║ Identity cache:  {"type":"ephemeral","scope":"global","ttl":"1h"}`);
     console.log(`║ Client ID:       9d1c250a-e61b-44d9-88ed-5944d1962f5e`);

package/src/__tests__/cch-drift-checker.test.ts

@@ -0,0 +1,61 @@
+import { describe, expect, it } from "vitest";
+
+import {
+  EXPECTED_CCH_PLACEHOLDER,
+  EXPECTED_CCH_SALT,
+  EXPECTED_CCH_SEED,
+  EXPECTED_XXHASH64_PRIMES,
+  bigintToLittleEndianBytes,
+  findAllOccurrences,
+  scanCchConstants,
+} from "../drift/cch-constants.js";
+
+describe("cch drift checker helpers", () => {
+  it("encodes bigint constants as little-endian bytes", () => {
+    expect(Array.from(bigintToLittleEndianBytes(EXPECTED_CCH_SEED))).toEqual([
+      0x1e, 0x83, 0x06, 0xc8, 0x6a, 0x73, 0x52, 0x6e,
+    ]);
+  });
+
+  it("finds all occurrences of a byte pattern", () => {
+    const haystack = new Uint8Array([1, 2, 3, 1, 2, 3, 4]);
+    const needle = new Uint8Array([1, 2, 3]);
+    expect(findAllOccurrences(haystack, needle)).toEqual([0, 3]);
+  });
+});
+
+describe("scanCchConstants", () => {
+  it("passes when all standalone constants are present", () => {
+    const bytes = new Uint8Array([
+      ...new TextEncoder().encode(`xx cch=${EXPECTED_CCH_PLACEHOLDER} yy ${EXPECTED_CCH_SALT} zz`),
+      ...bigintToLittleEndianBytes(EXPECTED_CCH_SEED),
+      ...EXPECTED_XXHASH64_PRIMES.flatMap((prime) => Array.from(bigintToLittleEndianBytes(prime))),
+    ]);
+
+    const report = scanCchConstants(bytes, "synthetic-standalone", "standalone");
+    expect(report.passed).toBe(true);
+    expect(report.findings).toEqual([]);
+    expect(report.checked.placeholder).toBeGreaterThan(0);
+    expect(report.checked.salt).toBeGreaterThan(0);
+    expect(report.checked.seed).toBeGreaterThan(0);
+    expect(report.checked.primes.every((count) => count > 0)).toBe(true);
+  });
+
+  it("fails critically when placeholder and seed are missing", () => {
+    const bytes = new TextEncoder().encode(`missing ${EXPECTED_CCH_SALT}`);
+    const report = scanCchConstants(bytes, "broken-standalone", "standalone");
+
+    expect(report.passed).toBe(false);
+    expect(report.findings.map((finding) => finding.name)).toContain("cch placeholder");
+    expect(report.findings.map((finding) => finding.name)).toContain("native cch seed");
+  });
+
+  it("only requires placeholder and salt for npm cli bundles", () => {
+    const bytes = new TextEncoder().encode(`prefix cch=${EXPECTED_CCH_PLACEHOLDER}; ${EXPECTED_CCH_SALT} suffix`);
+    const report = scanCchConstants(bytes, "synthetic-bundle", "bundle");
+
+    expect(report.passed).toBe(true);
+    expect(report.checked.seed).toBe(0);
+    expect(report.findings).toEqual([]);
+  });
+});

package/src/__tests__/cch-native-style.test.ts

@@ -0,0 +1,76 @@
+import { describe, expect, it } from "vitest";
+
+import { buildAnthropicBillingHeader } from "../headers/billing.js";
+import { CCH_PLACEHOLDER, computeNativeStyleCch, replaceNativeStyleCch, xxHash64 } from "../headers/cch.js";
+import { transformRequestBody } from "../request/body.js";
+
+describe("native-style cch", () => {
+  it("matches independently verified xxHash64 reference values", () => {
+    expect(xxHash64(new TextEncoder().encode(""))).toBe(0x6e798575d82647edn);
+    expect(xxHash64(new TextEncoder().encode("a"))).toBe(0x8404a7f0a8a6bcaen);
+    expect(xxHash64(new TextEncoder().encode("hello"))).toBe(0x95ab2f66e009922an);
+  });
+
+  it("derives the expected 5-char cch from independently verified vectors", () => {
+    expect(computeNativeStyleCch("")).toBe("647ed");
+    expect(computeNativeStyleCch("cch=00000")).toBe("1d7f8");
+    expect(
+      computeNativeStyleCch("x-anthropic-billing-header: cc_version=2.1.101.0e7; cc_entrypoint=cli; cch=00000;"),
+    ).toBe("101fb");
+  });
+
+  it("replaces the placeholder in a serialized body", () => {
+    const serialized =
+      '{"system":[{"type":"text","text":"x-anthropic-billing-header: cc_version=2.1.101.0e7; cc_entrypoint=cli; cch=00000;"}],"messages":[{"role":"user","content":"Reply with the single word: OK"}]}';
+
+    expect(replaceNativeStyleCch(serialized)).toContain("cch=0ca30");
+    expect(replaceNativeStyleCch(serialized)).not.toContain(`cch=${CCH_PLACEHOLDER}`);
+  });
+
+  it("leaves strings without the placeholder unchanged", () => {
+    const serialized = '{"system":[{"type":"text","text":"no billing block here"}]}';
+    expect(replaceNativeStyleCch(serialized)).toBe(serialized);
+  });
+});
+
+describe("billing header placeholder + transformRequestBody replacement", () => {
+  const signature = {
+    enabled: true,
+    claudeCliVersion: "2.1.101",
+    promptCompactionMode: "minimal" as const,
+    sanitizeSystemPrompt: false,
+  };
+  const runtime = {
+    persistentUserId: "0".repeat(64),
+    accountId: "acct-1",
+    sessionId: "session-1",
+  };
+
+  it("buildAnthropicBillingHeader emits the native placeholder", () => {
+    process.env.CLAUDE_CODE_ATTRIBUTION_HEADER = "true";
+    const header = buildAnthropicBillingHeader("2.1.101", [{ role: "user", content: "Hello world from a test" }]);
+    expect(header).toContain(`cch=${CCH_PLACEHOLDER};`);
+  });
+
+  it("transformRequestBody replaces the placeholder after serialization", () => {
+    const body = JSON.stringify({
+      model: "claude-sonnet-4-5",
+      max_tokens: 1024,
+      stream: false,
+      messages: [{ role: "user", content: "Reply with the single word: OK" }],
+      system: "You are a helpful assistant.",
+    });
+
+    const transformed = transformRequestBody(body, signature, runtime);
+    expect(transformed).toBeDefined();
+    expect(transformed).not.toContain(`cch=${CCH_PLACEHOLDER}`);
+
+    const actualCch = transformed?.match(/cch=([0-9a-f]{5})/)?.[1];
+    const placeholderBody = transformed?.replace(/cch=[0-9a-f]{5}/, `cch=${CCH_PLACEHOLDER}`);
+
+    expect(actualCch).toBeDefined();
+    expect(placeholderBody).toBeDefined();
+    expect(actualCch).toBe(computeNativeStyleCch(placeholderBody!));
+    expect(transformed).toBe(replaceNativeStyleCch(placeholderBody!));
+  });
+});

package/src/__tests__/fingerprint-regression.test.ts

@@ -176,10 +176,9 @@ describe("CC 2.1.98 — Billing header", () => {
     restoreEnv(originalEnv);
   });
 
-  it("contains a 5-char hex cch value (not the literal 00000 placeholder)", () => {
+  it("contains the native placeholder cch before post-serialization replacement", () => {
     const header = buildAnthropicBillingHeader(CC_VERSION, []);
-    expect(header).toMatch(/cch=[0-9a-f]{5};/);
-    expect(header).not.toContain("cch=00000;");
+    expect(header).toContain("cch=00000;");
   });
 
   it("contains the correct cc_version", () => {

package/src/backoff.test.ts

@@ -2,6 +2,7 @@ import { describe, expect, it } from "vitest";
 import {
   calculateBackoffMs,
   isAccountSpecificError,
+  isRetriableNetworkError,
   parseRateLimitReason,
   parseRetryAfterHeader,
   parseRetryAfterMsHeader,
@@ -235,6 +236,30 @@ describe("parseRateLimitReason", () => {
   });
 });
 
+// ---------------------------------------------------------------------------
+// isRetriableNetworkError
+// ---------------------------------------------------------------------------
+
+describe("isRetriableNetworkError", () => {
+  it("returns true for retryable connection reset codes", () => {
+    const error = Object.assign(new Error("socket died"), {
+      code: "ECONNRESET",
+    });
+
+    expect(isRetriableNetworkError(error)).toBe(true);
+  });
+
+  it("returns true for Bun proxy upstream reset messages", () => {
+    expect(isRetriableNetworkError(new Error("Bun proxy upstream error: Connection reset by server"))).toBe(true);
+  });
+
+  it("returns false for user abort errors", () => {
+    const error = new DOMException("The operation was aborted", "AbortError");
+
+    expect(isRetriableNetworkError(error)).toBe(false);
+  });
+});
+
 // ---------------------------------------------------------------------------
 // calculateBackoffMs
 // ---------------------------------------------------------------------------