@vacbo/opencode-anthropic-fix 0.1.5 → 0.1.6

package/dist/opencode-anthropic-auth-plugin.js

@@ -3370,7 +3370,7 @@ var init_cli = __esm({
 });
 
 // src/index.ts
-import { randomUUID as randomUUID2 } from "node:crypto";
+import { randomUUID as randomUUID3 } from "node:crypto";
 
 // src/backoff.ts
 var QUOTA_EXHAUSTED_BACKOFFS = [6e4, 3e5, 18e5, 72e5];
@@ -6010,6 +6010,107 @@ function buildRequestHeaders(input, requestInit, accessToken, requestBody, reque
 // src/index.ts
 init_oauth();
 
+// src/headers/cch.ts
+var MASK64 = 0xffffffffffffffffn;
+var CCH_MASK = 0x0fffffn;
+var PRIME1 = 0x9e3779b185ebca87n;
+var PRIME2 = 0xc2b2ae3d27d4eb4fn;
+var PRIME3 = 0x165667b19e3779f9n;
+var PRIME4 = 0x85ebca77c2b2ae63n;
+var PRIME5 = 0x27d4eb2f165667c5n;
+var CCH_FIELD_PREFIX = "cch=";
+var CCH_PLACEHOLDER = "00000";
+var CCH_SEED = 0x6e52736ac806831en;
+var encoder = new TextEncoder();
+function toUint64(value) {
+  return value & MASK64;
+}
+function rotateLeft64(value, bits) {
+  const shift = BigInt(bits);
+  return toUint64(value << shift | value >> 64n - shift);
+}
+function readUint32LE(view, offset) {
+  return BigInt(view.getUint32(offset, true));
+}
+function readUint64LE(view, offset) {
+  return view.getBigUint64(offset, true);
+}
+function round64(acc, input) {
+  const mixed = toUint64(acc + toUint64(input * PRIME2));
+  return toUint64(rotateLeft64(mixed, 31) * PRIME1);
+}
+function mergeRound64(acc, value) {
+  const mixed = acc ^ round64(0n, value);
+  return toUint64(toUint64(mixed) * PRIME1 + PRIME4);
+}
+function avalanche64(hash) {
+  let mixed = hash ^ hash >> 33n;
+  mixed = toUint64(mixed * PRIME2);
+  mixed ^= mixed >> 29n;
+  mixed = toUint64(mixed * PRIME3);
+  mixed ^= mixed >> 32n;
+  return toUint64(mixed);
+}
+function xxHash64(input, seed = CCH_SEED) {
+  const view = new DataView(input.buffer, input.byteOffset, input.byteLength);
+  const length = input.byteLength;
+  let offset = 0;
+  let hash;
+  if (length >= 32) {
+    let v1 = toUint64(seed + PRIME1 + PRIME2);
+    let v2 = toUint64(seed + PRIME2);
+    let v3 = toUint64(seed);
+    let v4 = toUint64(seed - PRIME1);
+    while (offset <= length - 32) {
+      v1 = round64(v1, readUint64LE(view, offset));
+      v2 = round64(v2, readUint64LE(view, offset + 8));
+      v3 = round64(v3, readUint64LE(view, offset + 16));
+      v4 = round64(v4, readUint64LE(view, offset + 24));
+      offset += 32;
+    }
+    hash = toUint64(rotateLeft64(v1, 1) + rotateLeft64(v2, 7) + rotateLeft64(v3, 12) + rotateLeft64(v4, 18));
+    hash = mergeRound64(hash, v1);
+    hash = mergeRound64(hash, v2);
+    hash = mergeRound64(hash, v3);
+    hash = mergeRound64(hash, v4);
+  } else {
+    hash = toUint64(seed + PRIME5);
+  }
+  hash = toUint64(hash + BigInt(length));
+  while (offset <= length - 8) {
+    const lane = round64(0n, readUint64LE(view, offset));
+    hash ^= lane;
+    hash = toUint64(rotateLeft64(hash, 27) * PRIME1 + PRIME4);
+    offset += 8;
+  }
+  if (offset <= length - 4) {
+    hash ^= toUint64(readUint32LE(view, offset) * PRIME1);
+    hash = toUint64(rotateLeft64(hash, 23) * PRIME2 + PRIME3);
+    offset += 4;
+  }
+  while (offset < length) {
+    hash ^= toUint64(BigInt(view.getUint8(offset)) * PRIME5);
+    hash = toUint64(rotateLeft64(hash, 11) * PRIME1);
+    offset += 1;
+  }
+  return avalanche64(hash);
+}
+function computeNativeStyleCch(serializedBody) {
+  const hash = xxHash64(encoder.encode(serializedBody), CCH_SEED);
+  return (hash & CCH_MASK).toString(16).padStart(5, "0");
+}
+function replaceNativeStyleCch(serializedBody) {
+  const sentinel = `${CCH_FIELD_PREFIX}${CCH_PLACEHOLDER}`;
+  const fieldIndex = serializedBody.indexOf(sentinel);
+  if (fieldIndex === -1) {
+    return serializedBody;
+  }
+  const valueStart = fieldIndex + CCH_FIELD_PREFIX.length;
+  const valueEnd = valueStart + CCH_PLACEHOLDER.length;
+  const cch = computeNativeStyleCch(serializedBody);
+  return `${serializedBody.slice(0, valueStart)}${cch}${serializedBody.slice(valueEnd)}`;
+}
+
 // src/headers/billing.ts
 import { createHash as createHash2 } from "node:crypto";
 function buildAnthropicBillingHeader(claudeCliVersion, messages) {
@@ -6039,16 +6140,7 @@ function buildAnthropicBillingHeader(claudeCliVersion, messages) {
     }
   }
   const entrypoint = process.env.CLAUDE_CODE_ENTRYPOINT ?? "cli";
-  let cchValue;
-  if (Array.isArray(messages) && messages.length > 0) {
-    const bodyHint = JSON.stringify(messages).slice(0, 512);
-    const cchHash = createHash2("sha256").update(bodyHint + claudeCliVersion + Date.now().toString(36)).digest("hex");
-    cchValue = cchHash.slice(0, 5);
-  } else {
-    const buf = createHash2("sha256").update(Date.now().toString(36) + Math.random().toString(36)).digest("hex");
-    cchValue = buf.slice(0, 5);
-  }
-  return `x-anthropic-billing-header: cc_version=${claudeCliVersion}${versionSuffix}; cc_entrypoint=${entrypoint}; cch=${cchValue};`;
+  return `x-anthropic-billing-header: cc_version=${claudeCliVersion}${versionSuffix}; cc_entrypoint=${entrypoint}; cch=${CCH_PLACEHOLDER};`;
 }
 
 // src/system-prompt/normalize.ts
@@ -6415,7 +6507,7 @@ function transformRequestBody(body, signature, runtime, relocateThirdPartyPrompt
         return msg;
       });
     }
-    return JSON.stringify(parsed);
+    return replaceNativeStyleCch(JSON.stringify(parsed));
   } catch (err) {
     if (err instanceof SyntaxError) {
       debugLog?.("body parse failed:", err.message);
@@ -6809,7 +6901,7 @@ function transformResponse(response, onUsage, onAccountError, onStreamError) {
   if (!response.body || !isEventStreamResponse(response)) return response;
   const reader = response.body.getReader();
   const decoder = new TextDecoder("utf-8", { fatal: true });
-  const encoder = new TextEncoder();
+  const encoder2 = new TextEncoder();
   const stats = {
     inputTokens: 0,
     outputTokens: 0,
@@ -6867,7 +6959,7 @@ function transformResponse(response, onUsage, onAccountError, onStreamError) {
     if (eventType === "error") {
       hasSeenError = true;
     }
-    controller.enqueue(encoder.encode(formatSSEEventBlock(eventType, parsedRecord, strictEventValidation)));
+    controller.enqueue(encoder2.encode(formatSSEEventBlock(eventType, parsedRecord, strictEventValidation)));
     if (eventType === "error" && strictEventValidation) {
       throw new Error(getErrorMessage(parsedRecord));
     }
@@ -7006,7 +7098,7 @@ async function acquireRefreshLock(accountId, options = {}) {
       const handle = await fs2.open(lockPath, "wx", 384);
       try {
         await handle.writeFile(JSON.stringify({ pid: process.pid, createdAt: Date.now(), owner }), "utf-8");
-        const stat = await handle.stat();
+        const stat = await handle.stat({ bigint: true });
         return { acquired: true, lockPath, owner, lockInode: stat.ino };
       } finally {
         await handle.close();
@@ -7017,8 +7109,8 @@ async function acquireRefreshLock(accountId, options = {}) {
         throw error;
       }
       try {
-        const stat = await fs2.stat(lockPath);
-        if (Date.now() - stat.mtimeMs > staleMs) {
+        const stat = await fs2.stat(lockPath, { bigint: true });
+        if (Date.now() - Number(stat.mtimeMs) > staleMs) {
           await fs2.unlink(lockPath);
           continue;
         }
@@ -7035,7 +7127,7 @@ async function acquireRefreshLock(accountId, options = {}) {
 async function releaseRefreshLock(lock) {
   const lockPath = typeof lock === "string" || lock === null ? lock : lock.lockPath;
   const owner = typeof lock === "object" && lock ? lock.owner || null : null;
-  const lockInode = typeof lock === "object" && lock ? lock.lockInode || null : null;
+  const lockInode = typeof lock === "object" && lock ? lock.lockInode ?? null : null;
   if (!lockPath) return;
   if (owner) {
     try {
@@ -7045,7 +7137,7 @@ async function releaseRefreshLock(lock) {
         return;
       }
       if (lockInode) {
-        const stat = await fs2.stat(lockPath);
+        const stat = await fs2.stat(lockPath, { bigint: true });
         if (stat.ino !== lockInode) {
           return;
         }
@@ -7257,6 +7349,7 @@ function formatSwitchReason(status, reason) {
 
 // src/bun-fetch.ts
 import { execFileSync, spawn } from "node:child_process";
+import { randomUUID as randomUUID2 } from "node:crypto";
 import { existsSync as existsSync5 } from "node:fs";
 import { dirname as dirname4, join as join6 } from "node:path";
 import * as readline from "node:readline";
@@ -7476,20 +7569,38 @@ function buildProxyRequestInit(input, init) {
     ...signal ? { signal } : {}
   };
 }
+var DEBUG_DUMP_DIR = "/tmp";
+var DEBUG_LATEST_REQUEST_PATH = `${DEBUG_DUMP_DIR}/opencode-last-request.json`;
+var DEBUG_LATEST_HEADERS_PATH = `${DEBUG_DUMP_DIR}/opencode-last-headers.json`;
+function makeDebugDumpId() {
+  const filesystemSafeTimestamp = (/* @__PURE__ */ new Date()).toISOString().replace(/[:.]/g, "-");
+  const subMillisecondCollisionGuard = randomUUID2().slice(0, 8);
+  return `${filesystemSafeTimestamp}-${subMillisecondCollisionGuard}`;
+}
 async function writeDebugArtifacts(url, init) {
   if (!init.body || !url.includes("/v1/messages") || url.includes("count_tokens")) {
-    return;
+    return null;
   }
   const { writeFileSync: writeFileSync5 } = await import("node:fs");
-  writeFileSync5(
-    "/tmp/opencode-last-request.json",
-    typeof init.body === "string" ? init.body : JSON.stringify(init.body)
-  );
+  const id = makeDebugDumpId();
+  const requestPath = `${DEBUG_DUMP_DIR}/opencode-request-${id}.json`;
+  const headersPath = `${DEBUG_DUMP_DIR}/opencode-headers-${id}.json`;
+  const bodyText = typeof init.body === "string" ? init.body : JSON.stringify(init.body);
   const logHeaders = {};
   toHeaders(init.headers).forEach((value, key) => {
     logHeaders[key] = key === "authorization" ? "Bearer ***" : value;
   });
-  writeFileSync5("/tmp/opencode-last-headers.json", JSON.stringify(logHeaders, null, 2));
+  const headersText = JSON.stringify(logHeaders, null, 2);
+  writeFileSync5(requestPath, bodyText);
+  writeFileSync5(headersPath, headersText);
+  writeFileSync5(DEBUG_LATEST_REQUEST_PATH, bodyText);
+  writeFileSync5(DEBUG_LATEST_HEADERS_PATH, headersText);
+  return {
+    requestPath,
+    headersPath,
+    latestRequestPath: DEBUG_LATEST_REQUEST_PATH,
+    latestHeadersPath: DEBUG_LATEST_HEADERS_PATH
+  };
 }
 function createBunFetch(options = {}) {
   const breaker = createCircuitBreaker({
@@ -7703,9 +7814,11 @@ function createBunFetch(options = {}) {
       }
       if (resolveDebug(debugOverride)) {
         try {
-          await writeDebugArtifacts(url, init ?? {});
-          if ((init?.body ?? null) !== null && url.includes("/v1/messages") && !url.includes("count_tokens")) {
-            console.error("[opencode-anthropic-auth] Dumped request to /tmp/opencode-last-request.json");
+          const dumped = await writeDebugArtifacts(url, init ?? {});
+          if (dumped) {
+            console.error(
+              `[opencode-anthropic-auth] Dumped request to ${dumped.requestPath} (latest alias: ${dumped.latestRequestPath})`
+            );
           }
         } catch (error) {
           console.error("[opencode-anthropic-auth] Failed to dump request:", error);
@@ -8023,7 +8136,7 @@ async function AnthropicAuthPlugin({
     return bunFetchInstance.fetch(input, init);
   };
   let claudeCliVersion = FALLBACK_CLAUDE_CLI_VERSION;
-  const signatureSessionId = randomUUID2();
+  const signatureSessionId = randomUUID3();
   const signatureUserId = getOrCreateSignatureUserId();
   if (shouldFetchClaudeCodeVersion) {
     fetchLatestClaudeCodeVersion().then((version) => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vacbo/opencode-anthropic-fix",
-  "version": "0.1.5",
+  "version": "0.1.6",
   "main": "dist/opencode-anthropic-auth-plugin.js",
   "bin": {
     "opencode-anthropic-auth": "dist/opencode-anthropic-auth-cli.mjs",
@@ -20,6 +20,8 @@
     "build": "bun scripts/build.ts",
     "prepublishOnly": "npm run build && npm test",
     "test": "vitest run",
+    "check:cch-drift": "bun scripts/drift-checker/check-cch-constants.ts --fail-on-drift",
+    "check:cch-drift:npm": "bun scripts/drift-checker/check-cch-constants.ts --npm-version latest --fail-on-drift",
     "test:watch": "vitest",
     "lint": "eslint .",
     "lint:fix": "eslint --fix .",

package/src/__tests__/cc-comparison.test.ts

@@ -57,7 +57,7 @@ describe("CC 2.1.98 — Full request fingerprint comparison", () => {
     console.log(`║ Axios version:   1.13.6 (token endpoint UA)`);
     console.log(`║ anthropic-ver:   2023-06-01`);
     console.log(`║ x-app:           cli`);
-    console.log(`║ cch:             00000 (placeholder, not attested on Node.js)`);
+    console.log(`║ cch:             00000 placeholder → xxHash64(serialized body, seed 0x6E52736AC806831E)`);
     console.log(`║ Identity:        You are Claude Code, Anthropic's official CLI for Claude.`);
     console.log(`║ Identity cache:  {"type":"ephemeral","scope":"global","ttl":"1h"}`);
     console.log(`║ Client ID:       9d1c250a-e61b-44d9-88ed-5944d1962f5e`);

package/src/__tests__/cch-drift-checker.test.ts

@@ -0,0 +1,61 @@
+import { describe, expect, it } from "vitest";
+
+import {
+  EXPECTED_CCH_PLACEHOLDER,
+  EXPECTED_CCH_SALT,
+  EXPECTED_CCH_SEED,
+  EXPECTED_XXHASH64_PRIMES,
+  bigintToLittleEndianBytes,
+  findAllOccurrences,
+  scanCchConstants,
+} from "../drift/cch-constants.js";
+
+describe("cch drift checker helpers", () => {
+  it("encodes bigint constants as little-endian bytes", () => {
+    expect(Array.from(bigintToLittleEndianBytes(EXPECTED_CCH_SEED))).toEqual([
+      0x1e, 0x83, 0x06, 0xc8, 0x6a, 0x73, 0x52, 0x6e,
+    ]);
+  });
+
+  it("finds all occurrences of a byte pattern", () => {
+    const haystack = new Uint8Array([1, 2, 3, 1, 2, 3, 4]);
+    const needle = new Uint8Array([1, 2, 3]);
+    expect(findAllOccurrences(haystack, needle)).toEqual([0, 3]);
+  });
+});
+
+describe("scanCchConstants", () => {
+  it("passes when all standalone constants are present", () => {
+    const bytes = new Uint8Array([
+      ...new TextEncoder().encode(`xx cch=${EXPECTED_CCH_PLACEHOLDER} yy ${EXPECTED_CCH_SALT} zz`),
+      ...bigintToLittleEndianBytes(EXPECTED_CCH_SEED),
+      ...EXPECTED_XXHASH64_PRIMES.flatMap((prime) => Array.from(bigintToLittleEndianBytes(prime))),
+    ]);
+
+    const report = scanCchConstants(bytes, "synthetic-standalone", "standalone");
+    expect(report.passed).toBe(true);
+    expect(report.findings).toEqual([]);
+    expect(report.checked.placeholder).toBeGreaterThan(0);
+    expect(report.checked.salt).toBeGreaterThan(0);
+    expect(report.checked.seed).toBeGreaterThan(0);
+    expect(report.checked.primes.every((count) => count > 0)).toBe(true);
+  });
+
+  it("fails critically when placeholder and seed are missing", () => {
+    const bytes = new TextEncoder().encode(`missing ${EXPECTED_CCH_SALT}`);
+    const report = scanCchConstants(bytes, "broken-standalone", "standalone");
+
+    expect(report.passed).toBe(false);
+    expect(report.findings.map((finding) => finding.name)).toContain("cch placeholder");
+    expect(report.findings.map((finding) => finding.name)).toContain("native cch seed");
+  });
+
+  it("only requires placeholder and salt for npm cli bundles", () => {
+    const bytes = new TextEncoder().encode(`prefix cch=${EXPECTED_CCH_PLACEHOLDER}; ${EXPECTED_CCH_SALT} suffix`);
+    const report = scanCchConstants(bytes, "synthetic-bundle", "bundle");
+
+    expect(report.passed).toBe(true);
+    expect(report.checked.seed).toBe(0);
+    expect(report.findings).toEqual([]);
+  });
+});

package/src/__tests__/cch-native-style.test.ts

@@ -0,0 +1,76 @@
+import { describe, expect, it } from "vitest";
+
+import { buildAnthropicBillingHeader } from "../headers/billing.js";
+import { CCH_PLACEHOLDER, computeNativeStyleCch, replaceNativeStyleCch, xxHash64 } from "../headers/cch.js";
+import { transformRequestBody } from "../request/body.js";
+
+describe("native-style cch", () => {
+  it("matches independently verified xxHash64 reference values", () => {
+    expect(xxHash64(new TextEncoder().encode(""))).toBe(0x6e798575d82647edn);
+    expect(xxHash64(new TextEncoder().encode("a"))).toBe(0x8404a7f0a8a6bcaen);
+    expect(xxHash64(new TextEncoder().encode("hello"))).toBe(0x95ab2f66e009922an);
+  });
+
+  it("derives the expected 5-char cch from independently verified vectors", () => {
+    expect(computeNativeStyleCch("")).toBe("647ed");
+    expect(computeNativeStyleCch("cch=00000")).toBe("1d7f8");
+    expect(
+      computeNativeStyleCch("x-anthropic-billing-header: cc_version=2.1.101.0e7; cc_entrypoint=cli; cch=00000;"),
+    ).toBe("101fb");
+  });
+
+  it("replaces the placeholder in a serialized body", () => {
+    const serialized =
+      '{"system":[{"type":"text","text":"x-anthropic-billing-header: cc_version=2.1.101.0e7; cc_entrypoint=cli; cch=00000;"}],"messages":[{"role":"user","content":"Reply with the single word: OK"}]}';
+
+    expect(replaceNativeStyleCch(serialized)).toContain("cch=0ca30");
+    expect(replaceNativeStyleCch(serialized)).not.toContain(`cch=${CCH_PLACEHOLDER}`);
+  });
+
+  it("leaves strings without the placeholder unchanged", () => {
+    const serialized = '{"system":[{"type":"text","text":"no billing block here"}]}';
+    expect(replaceNativeStyleCch(serialized)).toBe(serialized);
+  });
+});
+
+describe("billing header placeholder + transformRequestBody replacement", () => {
+  const signature = {
+    enabled: true,
+    claudeCliVersion: "2.1.101",
+    promptCompactionMode: "minimal" as const,
+    sanitizeSystemPrompt: false,
+  };
+  const runtime = {
+    persistentUserId: "0".repeat(64),
+    accountId: "acct-1",
+    sessionId: "session-1",
+  };
+
+  it("buildAnthropicBillingHeader emits the native placeholder", () => {
+    process.env.CLAUDE_CODE_ATTRIBUTION_HEADER = "true";
+    const header = buildAnthropicBillingHeader("2.1.101", [{ role: "user", content: "Hello world from a test" }]);
+    expect(header).toContain(`cch=${CCH_PLACEHOLDER};`);
+  });
+
+  it("transformRequestBody replaces the placeholder after serialization", () => {
+    const body = JSON.stringify({
+      model: "claude-sonnet-4-5",
+      max_tokens: 1024,
+      stream: false,
+      messages: [{ role: "user", content: "Reply with the single word: OK" }],
+      system: "You are a helpful assistant.",
+    });
+
+    const transformed = transformRequestBody(body, signature, runtime);
+    expect(transformed).toBeDefined();
+    expect(transformed).not.toContain(`cch=${CCH_PLACEHOLDER}`);
+
+    const actualCch = transformed?.match(/cch=([0-9a-f]{5})/)?.[1];
+    const placeholderBody = transformed?.replace(/cch=[0-9a-f]{5}/, `cch=${CCH_PLACEHOLDER}`);
+
+    expect(actualCch).toBeDefined();
+    expect(placeholderBody).toBeDefined();
+    expect(actualCch).toBe(computeNativeStyleCch(placeholderBody!));
+    expect(transformed).toBe(replaceNativeStyleCch(placeholderBody!));
+  });
+});

package/src/__tests__/fingerprint-regression.test.ts

@@ -176,10 +176,9 @@ describe("CC 2.1.98 — Billing header", () => {
     restoreEnv(originalEnv);
   });
 
-  it("contains a 5-char hex cch value (not the literal 00000 placeholder)", () => {
+  it("contains the native placeholder cch before post-serialization replacement", () => {
     const header = buildAnthropicBillingHeader(CC_VERSION, []);
-    expect(header).toMatch(/cch=[0-9a-f]{5};/);
-    expect(header).not.toContain("cch=00000;");
+    expect(header).toContain("cch=00000;");
   });
 
   it("contains the correct cc_version", () => {

package/src/bun-fetch.test.ts

@@ -379,3 +379,106 @@ describe("createBunFetch runtime lifecycle (RED until T20)", () => {
     expect(proxyA.child.killSignals).toEqual([]);
   });
 });
+
+describe("createBunFetch debug request dumping", () => {
+  const UNIQUE_REQUEST_PATTERN =
+    /^\/tmp\/opencode-request-\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}-\d{3}Z-[0-9a-f]{8}\.json$/;
+  const UNIQUE_HEADERS_PATTERN =
+    /^\/tmp\/opencode-headers-\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}-\d{3}Z-[0-9a-f]{8}\.json$/;
+  const LATEST_REQUEST_PATH = "/tmp/opencode-last-request.json";
+  const LATEST_HEADERS_PATH = "/tmp/opencode-last-headers.json";
+
+  function writtenPaths(): string[] {
+    return writeFileSyncMock.mock.calls.map((call) => String(call[0]));
+  }
+
+  it("writes a uniquely-named request file AND a latest-alias file when debug=true", async () => {
+    const proxy = createMockBunProxy();
+    spawnMock.mockImplementation(proxy.mockSpawn);
+    installMockFetch();
+
+    const moduleNs = await loadBunFetchModule();
+    const createBunFetch = getCreateBunFetch(moduleNs);
+    const instance = createBunFetch({ debug: true });
+
+    proxy.simulateStdoutBanner(42001);
+
+    await instance.fetch("https://api.anthropic.com/v1/messages?beta=true", {
+      method: "POST",
+      body: JSON.stringify({ hello: "world" }),
+    });
+
+    const paths = writtenPaths();
+    const uniqueRequest = paths.find((path) => UNIQUE_REQUEST_PATTERN.test(path));
+    const uniqueHeaders = paths.find((path) => UNIQUE_HEADERS_PATTERN.test(path));
+
+    expect(uniqueRequest, "expected a uniquely-named request dump").toBeDefined();
+    expect(uniqueHeaders, "expected a uniquely-named headers dump").toBeDefined();
+    expect(paths).toContain(LATEST_REQUEST_PATH);
+    expect(paths).toContain(LATEST_HEADERS_PATH);
+  });
+
+  it("produces a different unique path for each sequential debug request", async () => {
+    const proxy = createMockBunProxy();
+    spawnMock.mockImplementation(proxy.mockSpawn);
+    installMockFetch();
+
+    const moduleNs = await loadBunFetchModule();
+    const createBunFetch = getCreateBunFetch(moduleNs);
+    const instance = createBunFetch({ debug: true });
+
+    proxy.simulateStdoutBanner(42002);
+
+    await instance.fetch("https://api.anthropic.com/v1/messages?beta=true", {
+      method: "POST",
+      body: JSON.stringify({ n: 1 }),
+    });
+    await instance.fetch("https://api.anthropic.com/v1/messages?beta=true", {
+      method: "POST",
+      body: JSON.stringify({ n: 2 }),
+    });
+
+    const uniquePaths = writtenPaths().filter((path) => UNIQUE_REQUEST_PATTERN.test(path));
+
+    expect(uniquePaths).toHaveLength(2);
+    expect(uniquePaths[0]).not.toBe(uniquePaths[1]);
+  });
+
+  it("does not dump any artifact for count_tokens requests even when debug=true", async () => {
+    const proxy = createMockBunProxy();
+    spawnMock.mockImplementation(proxy.mockSpawn);
+    installMockFetch();
+
+    const moduleNs = await loadBunFetchModule();
+    const createBunFetch = getCreateBunFetch(moduleNs);
+    const instance = createBunFetch({ debug: true });
+
+    proxy.simulateStdoutBanner(42003);
+
+    await instance.fetch("https://api.anthropic.com/v1/messages/count_tokens", {
+      method: "POST",
+      body: JSON.stringify({ hello: "world" }),
+    });
+
+    expect(writeFileSyncMock).not.toHaveBeenCalled();
+  });
+
+  it("does not dump any artifact when debug=false", async () => {
+    const proxy = createMockBunProxy();
+    spawnMock.mockImplementation(proxy.mockSpawn);
+    installMockFetch();
+
+    const moduleNs = await loadBunFetchModule();
+    const createBunFetch = getCreateBunFetch(moduleNs);
+    const instance = createBunFetch({ debug: false });
+
+    proxy.simulateStdoutBanner(42004);
+
+    await instance.fetch("https://api.anthropic.com/v1/messages?beta=true", {
+      method: "POST",
+      body: JSON.stringify({ hello: "world" }),
+    });
+
+    expect(writeFileSyncMock).not.toHaveBeenCalled();
+  });
+});

package/src/bun-fetch.ts

@@ -1,4 +1,5 @@
 import { execFileSync, spawn, type ChildProcess } from "node:child_process";
+import { randomUUID } from "node:crypto";
 import { existsSync } from "node:fs";
 import { dirname, join } from "node:path";
 import * as readline from "node:readline";
@@ -119,23 +120,52 @@ function buildProxyRequestInit(input: FetchInput, init?: RequestInit): RequestIn
   };
 }
 
-async function writeDebugArtifacts(url: string, init: RequestInit): Promise<void> {
+const DEBUG_DUMP_DIR = "/tmp";
+const DEBUG_LATEST_REQUEST_PATH = `${DEBUG_DUMP_DIR}/opencode-last-request.json`;
+const DEBUG_LATEST_HEADERS_PATH = `${DEBUG_DUMP_DIR}/opencode-last-headers.json`;
+
+interface DebugDumpPaths {
+  requestPath: string;
+  headersPath: string;
+  latestRequestPath: string;
+  latestHeadersPath: string;
+}
+
+function makeDebugDumpId(): string {
+  const filesystemSafeTimestamp = new Date().toISOString().replace(/[:.]/g, "-");
+  const subMillisecondCollisionGuard = randomUUID().slice(0, 8);
+  return `${filesystemSafeTimestamp}-${subMillisecondCollisionGuard}`;
+}
+
+async function writeDebugArtifacts(url: string, init: RequestInit): Promise<DebugDumpPaths | null> {
   if (!init.body || !url.includes("/v1/messages") || url.includes("count_tokens")) {
-    return;
+    return null;
   }
 
   const { writeFileSync } = await import("node:fs");
-  writeFileSync(
-    "/tmp/opencode-last-request.json",
-    typeof init.body === "string" ? init.body : JSON.stringify(init.body),
-  );
+  const id = makeDebugDumpId();
+  const requestPath = `${DEBUG_DUMP_DIR}/opencode-request-${id}.json`;
+  const headersPath = `${DEBUG_DUMP_DIR}/opencode-headers-${id}.json`;
+
+  const bodyText = typeof init.body === "string" ? init.body : JSON.stringify(init.body);
 
   const logHeaders: Record<string, string> = {};
   toHeaders(init.headers).forEach((value, key) => {
     logHeaders[key] = key === "authorization" ? "Bearer ***" : value;
   });
+  const headersText = JSON.stringify(logHeaders, null, 2);
+
+  writeFileSync(requestPath, bodyText);
+  writeFileSync(headersPath, headersText);
+  writeFileSync(DEBUG_LATEST_REQUEST_PATH, bodyText);
+  writeFileSync(DEBUG_LATEST_HEADERS_PATH, headersText);
 
-  writeFileSync("/tmp/opencode-last-headers.json", JSON.stringify(logHeaders, null, 2));
+  return {
+    requestPath,
+    headersPath,
+    latestRequestPath: DEBUG_LATEST_REQUEST_PATH,
+    latestHeadersPath: DEBUG_LATEST_HEADERS_PATH,
+  };
 }
 
 export function createBunFetch(options: BunFetchOptions = {}): BunFetchInstance {
@@ -400,10 +430,12 @@ export function createBunFetch(options: BunFetchOptions = {}): BunFetchInstance
 
       if (resolveDebug(debugOverride)) {
         try {
-          await writeDebugArtifacts(url, init ?? {});
-          if ((init?.body ?? null) !== null && url.includes("/v1/messages") && !url.includes("count_tokens")) {
+          const dumped = await writeDebugArtifacts(url, init ?? {});
+          if (dumped) {
             // eslint-disable-next-line no-console -- debug-gated diagnostic; confirms request artifact dump location
-            console.error("[opencode-anthropic-auth] Dumped request to /tmp/opencode-last-request.json");
+            console.error(
+              `[opencode-anthropic-auth] Dumped request to ${dumped.requestPath} (latest alias: ${dumped.latestRequestPath})`,
+            );
           }
         } catch (error) {
           // eslint-disable-next-line no-console -- error-path diagnostic surfaced to stderr for operator visibility

package/src/drift/cch-constants.ts

@@ -0,0 +1,133 @@
+export const EXPECTED_CCH_PLACEHOLDER = "00000";
+export const EXPECTED_CCH_SALT = "59cf53e54c78";
+export const EXPECTED_CCH_SEED = 0x6e52_736a_c806_831en;
+
+export const EXPECTED_XXHASH64_PRIMES = [
+  0x9e37_79b1_85eb_ca87n,
+  0xc2b2_ae3d_27d4_eb4fn,
+  0x1656_67b1_9e37_79f9n,
+  0x85eb_ca77_c2b2_ae63n,
+  0x27d4_eb2f_1656_67c5n,
+] as const;
+
+export type DriftSeverity = "critical" | "warning";
+
+export interface DriftFinding {
+  name: string;
+  severity: DriftSeverity;
+  expected: string;
+  actual: string;
+  count: number;
+}
+
+export interface DriftScanReport {
+  target: string;
+  mode: "standalone" | "bundle";
+  findings: DriftFinding[];
+  checked: {
+    placeholder: number;
+    salt: number;
+    seed: number;
+    primes: number[];
+  };
+  passed: boolean;
+}
+
+function encodeAscii(value: string): Uint8Array {
+  return new TextEncoder().encode(value);
+}
+
+export function bigintToLittleEndianBytes(value: bigint): Uint8Array {
+  const bytes = new Uint8Array(8);
+  let remaining = value;
+  for (let index = 0; index < bytes.length; index += 1) {
+    bytes[index] = Number(remaining & 0xffn);
+    remaining >>= 8n;
+  }
+  return bytes;
+}
+
+export function findAllOccurrences(haystack: Uint8Array, needle: Uint8Array): number[] {
+  if (needle.length === 0 || haystack.length < needle.length) {
+    return [];
+  }
+
+  const matches: number[] = [];
+  outer: for (let start = 0; start <= haystack.length - needle.length; start += 1) {
+    for (let offset = 0; offset < needle.length; offset += 1) {
+      if (haystack[start + offset] !== needle[offset]) {
+        continue outer;
+      }
+    }
+    matches.push(start);
+  }
+  return matches;
+}
+
+function addFinding(
+  findings: DriftFinding[],
+  count: number,
+  name: string,
+  severity: DriftSeverity,
+  expected: string,
+  actual: string,
+): void {
+  if (count > 0) {
+    return;
+  }
+  findings.push({ name, severity, expected, actual, count });
+}
+
+export function scanCchConstants(bytes: Uint8Array, target: string, mode: "standalone" | "bundle"): DriftScanReport {
+  const placeholderMatches = findAllOccurrences(bytes, encodeAscii(`cch=${EXPECTED_CCH_PLACEHOLDER}`));
+  const saltMatches = findAllOccurrences(bytes, encodeAscii(EXPECTED_CCH_SALT));
+  const seedMatches = findAllOccurrences(bytes, bigintToLittleEndianBytes(EXPECTED_CCH_SEED));
+  const primeMatches = EXPECTED_XXHASH64_PRIMES.map(
+    (prime) => findAllOccurrences(bytes, bigintToLittleEndianBytes(prime)).length,
+  );
+
+  const findings: DriftFinding[] = [];
+  addFinding(
+    findings,
+    placeholderMatches.length,
+    "cch placeholder",
+    "critical",
+    `cch=${EXPECTED_CCH_PLACEHOLDER}`,
+    "not found",
+  );
+  addFinding(findings, saltMatches.length, "cc_version salt", "critical", EXPECTED_CCH_SALT, "not found");
+
+  if (mode === "standalone") {
+    addFinding(
+      findings,
+      seedMatches.length,
+      "native cch seed",
+      "critical",
+      `0x${EXPECTED_CCH_SEED.toString(16)}`,
+      "not found",
+    );
+    for (const [index, count] of primeMatches.entries()) {
+      addFinding(
+        findings,
+        count,
+        `xxHash64 prime ${index + 1}`,
+        "warning",
+        `0x${EXPECTED_XXHASH64_PRIMES[index].toString(16)}`,
+        "not found",
+      );
+    }
+  }
+
+  return {
+    target,
+    mode,
+    findings,
+    checked: {
+      placeholder: placeholderMatches.length,
+      salt: saltMatches.length,
+      seed: seedMatches.length,
+      primes: primeMatches,
+    },
+    passed: findings.length === 0,
+  };
+}

package/src/headers/billing.ts

@@ -1,12 +1,14 @@
 import { createHash } from "node:crypto";
+import { CCH_PLACEHOLDER } from "./cch.js";
 import { isFalsyEnv } from "../env.js";
 
 export function buildAnthropicBillingHeader(claudeCliVersion: string, messages: unknown[]): string {
   if (isFalsyEnv(process.env.CLAUDE_CODE_ATTRIBUTION_HEADER)) return "";
 
-  // CC derives a 3-char hash from the first user message content using SHA-256
-  // with salt "59cf53e54c78", extracting chars at positions [4,7,20] and appending
-  // the CLI version, then taking the first 3 hex chars of that combined string.
+  // CC derives the 3-char cc_version suffix from the first user message using
+  // SHA-256 with salt "59cf53e54c78" and positions [4,7,20]. The cch field is
+  // emitted here as the literal placeholder "00000" and replaced later, after
+  // full-body serialization, by replaceNativeStyleCch() in src/headers/cch.ts.
   let versionSuffix = "";
   if (Array.isArray(messages)) {
     // Find first user message (CC uses first non-meta user turn)
@@ -38,34 +40,5 @@ export function buildAnthropicBillingHeader(claudeCliVersion: string, messages:
 
   const entrypoint = process.env.CLAUDE_CODE_ENTRYPOINT ?? "cli";
 
-  // ---------------------------------------------------------------------------
-  // Billing header construction — mimics CC's mk_() function with two deliberate gaps:
-  // 1. cc_workload field: CC tracks this via AsyncLocalStorage for session-level
-  //    workload attribution. Not applicable to the plugin (no workload tracking).
-  //    See .omc/research/cch-source-analysis.md:124-131
-  // 2. cch value: CC uses placeholder "00000". Plugin computes a deterministic hash
-  //    from prompt content for consistent routing. See cch-source-analysis.md:28-39
-  // ---------------------------------------------------------------------------
-
-  // CC's Bun binary computes a 5-char hex attestation hash via Attestation.zig
-  // and overwrites the "00000" placeholder before sending. On Node.js (npm CC)
-  // the placeholder is sent as-is. The server may reject literal "00000" and
-  // route to extra usage. Generate a body-derived 5-char hex hash to mimic
-  // the attestation without the Zig layer.
-  let cchValue: string;
-  if (Array.isArray(messages) && messages.length > 0) {
-    const bodyHint = JSON.stringify(messages).slice(0, 512);
-    const cchHash = createHash("sha256")
-      .update(bodyHint + claudeCliVersion + Date.now().toString(36))
-      .digest("hex");
-    cchValue = cchHash.slice(0, 5);
-  } else {
-    // Fallback: random 5-char hex
-    const buf = createHash("sha256")
-      .update(Date.now().toString(36) + Math.random().toString(36))
-      .digest("hex");
-    cchValue = buf.slice(0, 5);
-  }
-
-  return `x-anthropic-billing-header: cc_version=${claudeCliVersion}${versionSuffix}; cc_entrypoint=${entrypoint}; cch=${cchValue};`;
+  return `x-anthropic-billing-header: cc_version=${claudeCliVersion}${versionSuffix}; cc_entrypoint=${entrypoint}; cch=${CCH_PLACEHOLDER};`;
 }

package/src/headers/cch.ts

@@ -0,0 +1,120 @@
+const MASK64 = 0xffff_ffff_ffff_ffffn;
+const CCH_MASK = 0x0f_ffffn;
+const PRIME1 = 0x9e37_79b1_85eb_ca87n;
+const PRIME2 = 0xc2b2_ae3d_27d4_eb4fn;
+const PRIME3 = 0x1656_67b1_9e37_79f9n;
+const PRIME4 = 0x85eb_ca77_c2b2_ae63n;
+const PRIME5 = 0x27d4_eb2f_1656_67c5n;
+const CCH_FIELD_PREFIX = "cch=";
+
+export const CCH_PLACEHOLDER = "00000";
+export const CCH_SEED = 0x6e52_736a_c806_831en;
+
+const encoder = new TextEncoder();
+
+function toUint64(value: bigint): bigint {
+  return value & MASK64;
+}
+
+function rotateLeft64(value: bigint, bits: number): bigint {
+  const shift = BigInt(bits);
+  return toUint64((value << shift) | (value >> (64n - shift)));
+}
+
+function readUint32LE(view: DataView, offset: number): bigint {
+  return BigInt(view.getUint32(offset, true));
+}
+
+function readUint64LE(view: DataView, offset: number): bigint {
+  return view.getBigUint64(offset, true);
+}
+
+function round64(acc: bigint, input: bigint): bigint {
+  const mixed = toUint64(acc + toUint64(input * PRIME2));
+  return toUint64(rotateLeft64(mixed, 31) * PRIME1);
+}
+
+function mergeRound64(acc: bigint, value: bigint): bigint {
+  const mixed = acc ^ round64(0n, value);
+  return toUint64(toUint64(mixed) * PRIME1 + PRIME4);
+}
+
+function avalanche64(hash: bigint): bigint {
+  let mixed = hash ^ (hash >> 33n);
+  mixed = toUint64(mixed * PRIME2);
+  mixed ^= mixed >> 29n;
+  mixed = toUint64(mixed * PRIME3);
+  mixed ^= mixed >> 32n;
+  return toUint64(mixed);
+}
+
+export function xxHash64(input: Uint8Array, seed: bigint = CCH_SEED): bigint {
+  const view = new DataView(input.buffer, input.byteOffset, input.byteLength);
+  const length = input.byteLength;
+  let offset = 0;
+  let hash: bigint;
+
+  if (length >= 32) {
+    let v1 = toUint64(seed + PRIME1 + PRIME2);
+    let v2 = toUint64(seed + PRIME2);
+    let v3 = toUint64(seed);
+    let v4 = toUint64(seed - PRIME1);
+
+    while (offset <= length - 32) {
+      v1 = round64(v1, readUint64LE(view, offset));
+      v2 = round64(v2, readUint64LE(view, offset + 8));
+      v3 = round64(v3, readUint64LE(view, offset + 16));
+      v4 = round64(v4, readUint64LE(view, offset + 24));
+      offset += 32;
+    }
+
+    hash = toUint64(rotateLeft64(v1, 1) + rotateLeft64(v2, 7) + rotateLeft64(v3, 12) + rotateLeft64(v4, 18));
+    hash = mergeRound64(hash, v1);
+    hash = mergeRound64(hash, v2);
+    hash = mergeRound64(hash, v3);
+    hash = mergeRound64(hash, v4);
+  } else {
+    hash = toUint64(seed + PRIME5);
+  }
+
+  hash = toUint64(hash + BigInt(length));
+
+  while (offset <= length - 8) {
+    const lane = round64(0n, readUint64LE(view, offset));
+    hash ^= lane;
+    hash = toUint64(rotateLeft64(hash, 27) * PRIME1 + PRIME4);
+    offset += 8;
+  }
+
+  if (offset <= length - 4) {
+    hash ^= toUint64(readUint32LE(view, offset) * PRIME1);
+    hash = toUint64(rotateLeft64(hash, 23) * PRIME2 + PRIME3);
+    offset += 4;
+  }
+
+  while (offset < length) {
+    hash ^= toUint64(BigInt(view.getUint8(offset)) * PRIME5);
+    hash = toUint64(rotateLeft64(hash, 11) * PRIME1);
+    offset += 1;
+  }
+
+  return avalanche64(hash);
+}
+
+export function computeNativeStyleCch(serializedBody: string): string {
+  const hash = xxHash64(encoder.encode(serializedBody), CCH_SEED);
+  return (hash & CCH_MASK).toString(16).padStart(5, "0");
+}
+
+export function replaceNativeStyleCch(serializedBody: string): string {
+  const sentinel = `${CCH_FIELD_PREFIX}${CCH_PLACEHOLDER}`;
+  const fieldIndex = serializedBody.indexOf(sentinel);
+  if (fieldIndex === -1) {
+    return serializedBody;
+  }
+
+  const valueStart = fieldIndex + CCH_FIELD_PREFIX.length;
+  const valueEnd = valueStart + CCH_PLACEHOLDER.length;
+  const cch = computeNativeStyleCch(serializedBody);
+  return `${serializedBody.slice(0, valueStart)}${cch}${serializedBody.slice(valueEnd)}`;
+}

package/src/refresh-lock.test.ts

@@ -102,15 +102,23 @@ describe("refresh-lock", () => {
     const first = await acquireRefreshLock("acc-4");
     expect(first.acquired).toBe(true);
     const firstLockPath = first.lockPath!;
+    const originalLockInode = first.lockInode;
+    expect(originalLockInode).not.toBeNull();
 
-    // Replace lock file with a new inode that reuses owner text.
-    await fs.unlink(firstLockPath);
+    // Keep the same owner text but pass a deliberately mismatched inode. This
+    // tests the safety check directly without relying on filesystem-specific
+    // inode allocation behavior, which can aggressively recycle inode numbers
+    // on Linux CI runners.
     await fs.writeFile(firstLockPath, JSON.stringify({ owner: first.owner, createdAt: Date.now() }), {
       encoding: "utf-8",
       mode: 0o600,
     });
 
-    await releaseRefreshLock(first);
+    await releaseRefreshLock({
+      lockPath: firstLockPath,
+      owner: first.owner,
+      lockInode: originalLockInode! + 1n,
+    });
 
     await expect(fs.stat(firstLockPath)).resolves.toBeTruthy();
 

package/src/refresh-lock.ts

@@ -20,7 +20,7 @@ export interface RefreshLockResult {
   acquired: boolean;
   lockPath: string | null;
   owner: string | null;
-  lockInode: number | null;
+  lockInode: bigint | null;
 }
 
 export interface AcquireLockOptions {
@@ -51,7 +51,7 @@ export async function acquireRefreshLock(
       const handle = await fs.open(lockPath, "wx", 0o600);
       try {
         await handle.writeFile(JSON.stringify({ pid: process.pid, createdAt: Date.now(), owner }), "utf-8");
-        const stat = await handle.stat();
+        const stat = await handle.stat({ bigint: true });
         return { acquired: true, lockPath, owner, lockInode: stat.ino };
       } finally {
         await handle.close();
@@ -63,8 +63,8 @@ export async function acquireRefreshLock(
       }
 
       try {
-        const stat = await fs.stat(lockPath);
-        if (Date.now() - stat.mtimeMs > staleMs) {
+        const stat = await fs.stat(lockPath, { bigint: true });
+        if (Date.now() - Number(stat.mtimeMs) > staleMs) {
           await fs.unlink(lockPath);
           continue;
         }
@@ -86,7 +86,7 @@ export type ReleaseLockInput =
   | {
       lockPath: string | null;
       owner?: string | null;
-      lockInode?: number | null;
+      lockInode?: bigint | null;
     }
   | string
   | null;
@@ -97,7 +97,7 @@ export type ReleaseLockInput =
 export async function releaseRefreshLock(lock: ReleaseLockInput): Promise<void> {
   const lockPath = typeof lock === "string" || lock === null ? lock : lock.lockPath;
   const owner = typeof lock === "object" && lock ? lock.owner || null : null;
-  const lockInode = typeof lock === "object" && lock ? lock.lockInode || null : null;
+  const lockInode = typeof lock === "object" && lock ? (lock.lockInode ?? null) : null;
 
   if (!lockPath) return;
 
@@ -112,7 +112,7 @@ export async function releaseRefreshLock(lock: ReleaseLockInput): Promise<void>
       }
 
       if (lockInode) {
-        const stat = await fs.stat(lockPath);
+        const stat = await fs.stat(lockPath, { bigint: true });
         if (stat.ino !== lockInode) {
           return;
         }

package/src/request/body.history.test.ts

@@ -126,21 +126,9 @@ describe("transformRequestBody - body cloning for retries", () => {
       tools: [{ name: "read_file", description: "Read a file" }],
     });
 
-    // The cch billing hash mixes Date.now() into its input (src/headers/billing.ts)
-    // to mimic CC's per-request attestation. Freeze the clock so the two calls
-    // produce byte-identical output and this test stays about clone-safety, not
-    // about an accidental millisecond collision. Without this, the idempotency
-    // assertion flakes whenever the two calls cross a millisecond boundary under
-    // load (husky pre-push, CI workers, etc.).
-    vi.useFakeTimers();
-    vi.setSystemTime(new Date("2026-01-01T00:00:00.000Z"));
-    try {
-      const result1 = transformRequestBody(originalBody, mockSignature, mockRuntime);
-      const result2 = transformRequestBody(originalBody, mockSignature, mockRuntime);
-      expect(result1).toBe(result2);
-    } finally {
-      vi.useRealTimers();
-    }
+    const result1 = transformRequestBody(originalBody, mockSignature, mockRuntime);
+    const result2 = transformRequestBody(originalBody, mockSignature, mockRuntime);
+    expect(result1).toBe(result2);
 
     const parsedOriginal = JSON.parse(originalBody);
     expect(parsedOriginal.tools[0].name).toBe("read_file");
@@ -156,22 +144,12 @@ describe("transformRequestBody - body cloning for retries", () => {
       messages: [{ role: "user", content: "test" }],
     });
 
-    // Same Date.now()-in-cch flake as the clone-safety test above. Freeze the
-    // clock so two transformRequestBody calls on the same body produce
-    // byte-identical output. See src/headers/billing.ts:59 for why the hash
-    // is time-mixed, and the clone-safety test above for the full rationale.
-    vi.useFakeTimers();
-    vi.setSystemTime(new Date("2026-01-01T00:00:00.000Z"));
-    try {
-      const result1 = transformRequestBody(body, mockSignature, mockRuntime);
-      expect(result1).toBeDefined();
-
-      const result2 = transformRequestBody(body, mockSignature, mockRuntime);
-      expect(result2).toBeDefined();
-      expect(result1).toBe(result2);
-    } finally {
-      vi.useRealTimers();
-    }
+    const result1 = transformRequestBody(body, mockSignature, mockRuntime);
+    expect(result1).toBeDefined();
+
+    const result2 = transformRequestBody(body, mockSignature, mockRuntime);
+    expect(result2).toBeDefined();
+    expect(result1).toBe(result2);
   });
 });
 

package/src/request/body.ts

@@ -3,6 +3,7 @@
 // ---------------------------------------------------------------------------
 
 import { CLAUDE_CODE_IDENTITY_STRING, KNOWN_IDENTITY_STRINGS } from "../constants.js";
+import { replaceNativeStyleCch } from "../headers/cch.js";
 import { buildSystemPromptBlocks } from "../system-prompt/builder.js";
 import { normalizeSystemTextBlocks } from "../system-prompt/normalize.js";
 import { normalizeThinkingBlock } from "../thinking.js";
@@ -319,7 +320,7 @@ export function transformRequestBody(
         return msg;
       });
     }
-    return JSON.stringify(parsed);
+    return replaceNativeStyleCch(JSON.stringify(parsed));
   } catch (err) {
     if (err instanceof SyntaxError) {
       debugLog?.("body parse failed:", err.message);

package/src/system-prompt/builder.ts

@@ -29,7 +29,8 @@
 // - CC tool naming conventions can evolve independently from this file. Current
 //   plugin-specific tool prefix notes live in body/request docs, not here.
 //
-// See src/headers/billing.ts for billing-specific gaps and attestation notes.
+// See src/headers/billing.ts for version-suffix derivation and src/headers/cch.ts
+// for placeholder replacement and native-style cch computation.
 // ===========================================================================
 
 import {