@vacbo/opencode-anthropic-fix 0.1.7 → 0.1.9

package/src/accounts/repair.ts

@@ -0,0 +1,407 @@
+// ---------------------------------------------------------------------------
+// Load-time repair pass for corrupted CC account records.
+//
+// Historical context
+// ------------------
+// An older version of the plugin (or a partial write outside the current
+// mutation sites) could leave a CC-imported row with `source="oauth"`,
+// `identity={kind:"legacy",…}`, and missing `label`/`email`. The row's `id`
+// still starts with `cc-cc-keychain-…` / `cc-cc-file-…` because the id
+// prefix is set once at CC-import time (see accounts.ts createManagedAccount
+// call for the import branch) and never rewritten by any current code path.
+//
+// When the loader sees that corrupted row it computes its identity as
+// `{kind:"legacy", refreshToken}`. After CC rotates the refresh token
+// through `claude -p . --model haiku`, the row can no longer dedupe
+// against the current CC credential — the identity kinds differ (`legacy`
+// vs `cc`) and the refresh tokens differ — so a second CC row gets
+// created, producing two rows for the same upstream Anthropic account.
+//
+// What this pass does
+// -------------------
+// 1. Detect rows whose `id` proves they were born as CC imports.
+// 2. If the row looks corrupted (wrong source, legacy identity, or
+//    missing label/identity), try to rehydrate from the live CC
+//    credentials. If that fails, at least restore `source` from the
+//    id prefix and clear the bogus legacy identity so the existing
+//    unlabeled fallback in AccountManager.load() can finish the heal.
+// 3. Collapse any duplicates that now share a `{kind:"cc",…}` identity.
+//    When merging, keep the freshest auth by `tokenUpdatedAt`, keep
+//    `max(lastUsed)`, OR-enable, and preserve the richer identity.
+//    Stats are NOT summed — both rows represent the same upstream
+//    account and summation would double-count local counters.
+// ---------------------------------------------------------------------------
+
+import type { CCCredential } from "../cc-credentials.js";
+import { readCCCredentials } from "../cc-credentials.js";
+import { identitiesMatch, resolveIdentity, type AccountIdentity } from "../account-identity.js";
+import type { ManagedAccount } from "../accounts.js";
+import type { AccountMetadata, AccountStorage } from "../storage.js";
+import { loadAccounts, saveAccounts } from "../storage.js";
+
+type CCAccountSource = "cc-keychain" | "cc-file";
+
+const CC_ID_PATTERN = /^cc-(cc-keychain|cc-file)-\d+:/;
+
+export interface RepairResult {
+    repaired: number;
+    collapsed: number;
+}
+
+/**
+ * Infer the intended CC source from an account id generated by the CC
+ * auto-import path. Returns null for ids that were not born as CC imports.
+ */
+export function inferCCSourceFromId(id: string): CCAccountSource | null {
+    const match = CC_ID_PATTERN.exec(id);
+    if (!match) return null;
+    const source = match[1];
+    return source === "cc-keychain" || source === "cc-file" ? source : null;
+}
+
+function isCCIdentity(identity: AccountIdentity | undefined): identity is Extract<AccountIdentity, { kind: "cc" }> {
+    return identity?.kind === "cc";
+}
+
+function looksCorrupted(account: ManagedAccount, inferredSource: CCAccountSource): boolean {
+    if (account.source !== inferredSource) return true;
+    if (!isCCIdentity(account.identity)) return true;
+    if (!account.label) return true;
+    return false;
+}
+
+function findMatchingCredential(
+    account: ManagedAccount,
+    inferredSource: CCAccountSource,
+    ccCredentials: CCCredential[],
+): CCCredential | null {
+    const sameSource = ccCredentials.filter((credential) => credential.source === inferredSource);
+    if (sameSource.length === 0) return null;
+
+    const byRefresh = sameSource.find((credential) => credential.refreshToken === account.refreshToken);
+    if (byRefresh) return byRefresh;
+
+    if (account.access) {
+        const byAccess = sameSource.find((credential) => credential.accessToken === account.access);
+        if (byAccess) return byAccess;
+    }
+
+    // Last-resort: when there's exactly one live credential of the inferred
+    // source, the row must be that credential — CC's keychain holds at most
+    // one credential per service name, so a single-source match is unique.
+    // This mirrors the unlabeled-fallback in AccountManager.load() at the
+    // CC auto-import loop and is what enables collapse against a healthy
+    // sibling row that was already promoted by auto-import.
+    if (sameSource.length === 1) return sameSource[0]!;
+
+    return null;
+}
+
+function repairAccount(
+    account: ManagedAccount,
+    inferredSource: CCAccountSource,
+    ccCredentials: CCCredential[],
+): boolean {
+    const matched = findMatchingCredential(account, inferredSource, ccCredentials);
+
+    if (matched) {
+        account.source = matched.source;
+        account.label = matched.label;
+        account.identity = {
+            kind: "cc",
+            source: matched.source,
+            label: matched.label,
+        };
+        return true;
+    }
+
+    // Partial heal: restore the source from the id prefix and drop the bogus
+    // legacy identity. The unlabeled-CC fallback in AccountManager.load() at
+    // the CC auto-detect step can then reclaim the row on the same load pass.
+    let mutated = false;
+    if (account.source !== inferredSource) {
+        account.source = inferredSource;
+        mutated = true;
+    }
+    if (account.identity?.kind === "legacy") {
+        account.identity = undefined;
+        mutated = true;
+    }
+    return mutated;
+}
+
+function mergeDuplicate(keep: ManagedAccount, loser: ManagedAccount): void {
+    const keepTokenTs = keep.tokenUpdatedAt ?? 0;
+    const loserTokenTs = loser.tokenUpdatedAt ?? 0;
+    const loserHasFresherAuth = loserTokenTs > keepTokenTs;
+
+    if (loserHasFresherAuth) {
+        keep.refreshToken = loser.refreshToken;
+        keep.access = loser.access;
+        keep.expires = loser.expires;
+        keep.tokenUpdatedAt = loserTokenTs;
+    }
+
+    keep.lastUsed = Math.max(keep.lastUsed, loser.lastUsed);
+    keep.enabled = keep.enabled || loser.enabled;
+    keep.addedAt = Math.min(keep.addedAt, loser.addedAt);
+
+    // Prefer a non-legacy identity. If keep is legacy and loser is richer,
+    // adopt loser's identity metadata. This preserves the best representation
+    // of the underlying account.
+    const keepIsLegacy = keep.identity?.kind === "legacy" || keep.identity === undefined;
+    const loserIsRicher = loser.identity !== undefined && loser.identity.kind !== "legacy";
+    if (keepIsLegacy && loserIsRicher) {
+        keep.identity = loser.identity;
+        if (loser.source) keep.source = loser.source;
+        if (loser.label !== undefined) keep.label = loser.label;
+        if (loser.email !== undefined) keep.email = loser.email;
+    }
+}
+
+function collapseDuplicates(accounts: ManagedAccount[]): { kept: ManagedAccount[]; collapsed: number } {
+    const kept: ManagedAccount[] = [];
+    let collapsed = 0;
+
+    for (const account of accounts) {
+        const identity = resolveIdentity(account);
+        // Never collapse rows whose identity is `legacy` — those are not
+        // confidently the same account, and collapsing them could destroy
+        // a legitimately distinct user's record.
+        if (identity.kind === "legacy") {
+            kept.push(account);
+            continue;
+        }
+
+        const duplicate = kept.find((existing) => identitiesMatch(resolveIdentity(existing), identity));
+        if (duplicate) {
+            mergeDuplicate(duplicate, account);
+            collapsed += 1;
+            continue;
+        }
+
+        kept.push(account);
+    }
+
+    return { kept, collapsed };
+}
+
+/**
+ * Apply the full repair pass to a list of managed accounts. Mutates rows in
+ * place for healing; returns a possibly-shorter array when duplicates are
+ * collapsed. Call from AccountManager.load() after records are loaded into
+ * memory but before the CC auto-import loop.
+ */
+export function repairCorruptedCCAccounts(
+    accounts: ManagedAccount[],
+    ccCredentials: CCCredential[],
+): { accounts: ManagedAccount[]; result: RepairResult } {
+    let repaired = 0;
+
+    for (const account of accounts) {
+        const inferredSource = inferCCSourceFromId(account.id);
+        if (!inferredSource) continue;
+        if (!looksCorrupted(account, inferredSource)) continue;
+        if (repairAccount(account, inferredSource, ccCredentials)) {
+            repaired += 1;
+        }
+    }
+
+    const { kept, collapsed } = collapseDuplicates(accounts);
+    return {
+        accounts: kept,
+        result: { repaired, collapsed },
+    };
+}
+
+// ---------------------------------------------------------------------------
+// Storage-level variant — operates on AccountMetadata so the standalone CLI
+// commands (which use raw loadAccounts) get the same heal that AccountManager
+// already gets in-memory. Field shapes are nearly identical to ManagedAccount
+// except for `token_updated_at` (snake_case) instead of `tokenUpdatedAt`.
+// ---------------------------------------------------------------------------
+
+function looksCorruptedStored(account: AccountMetadata, inferredSource: CCAccountSource): boolean {
+    if (account.source !== inferredSource) return true;
+    if (!isCCIdentity(account.identity)) return true;
+    if (!account.label) return true;
+    return false;
+}
+
+function findMatchingCredentialStored(
+    account: AccountMetadata,
+    inferredSource: CCAccountSource,
+    ccCredentials: CCCredential[],
+): CCCredential | null {
+    const sameSource = ccCredentials.filter((credential) => credential.source === inferredSource);
+    if (sameSource.length === 0) return null;
+
+    const byRefresh = sameSource.find((credential) => credential.refreshToken === account.refreshToken);
+    if (byRefresh) return byRefresh;
+
+    if (account.access) {
+        const byAccess = sameSource.find((credential) => credential.accessToken === account.access);
+        if (byAccess) return byAccess;
+    }
+
+    if (sameSource.length === 1) return sameSource[0]!;
+
+    return null;
+}
+
+function repairStoredAccount(
+    account: AccountMetadata,
+    inferredSource: CCAccountSource,
+    ccCredentials: CCCredential[],
+): boolean {
+    const matched = findMatchingCredentialStored(account, inferredSource, ccCredentials);
+
+    if (matched) {
+        account.source = matched.source;
+        account.label = matched.label;
+        account.identity = {
+            kind: "cc",
+            source: matched.source,
+            label: matched.label,
+        };
+        return true;
+    }
+
+    let mutated = false;
+    if (account.source !== inferredSource) {
+        account.source = inferredSource;
+        mutated = true;
+    }
+    if (account.identity?.kind === "legacy") {
+        account.identity = undefined;
+        mutated = true;
+    }
+    return mutated;
+}
+
+function mergeStoredDuplicate(keep: AccountMetadata, loser: AccountMetadata): void {
+    const keepTokenTs = keep.token_updated_at ?? 0;
+    const loserTokenTs = loser.token_updated_at ?? 0;
+
+    if (loserTokenTs > keepTokenTs) {
+        keep.refreshToken = loser.refreshToken;
+        keep.access = loser.access;
+        keep.expires = loser.expires;
+        keep.token_updated_at = loserTokenTs;
+    }
+
+    keep.lastUsed = Math.max(keep.lastUsed, loser.lastUsed);
+    keep.enabled = keep.enabled || loser.enabled;
+    keep.addedAt = Math.min(keep.addedAt, loser.addedAt);
+
+    const keepIsLegacy = keep.identity?.kind === "legacy" || keep.identity === undefined;
+    const loserIsRicher = loser.identity !== undefined && loser.identity.kind !== "legacy";
+    if (keepIsLegacy && loserIsRicher) {
+        keep.identity = loser.identity;
+        if (loser.source) keep.source = loser.source;
+        if (loser.label !== undefined) keep.label = loser.label;
+        if (loser.email !== undefined) keep.email = loser.email;
+    }
+}
+
+function collapseStoredDuplicates(accounts: AccountMetadata[]): {
+    kept: AccountMetadata[];
+    collapsed: number;
+    droppedIds: string[];
+} {
+    const kept: AccountMetadata[] = [];
+    const droppedIds: string[] = [];
+    let collapsed = 0;
+
+    for (const account of accounts) {
+        const identity = resolveIdentity(account);
+        if (identity.kind === "legacy") {
+            kept.push(account);
+            continue;
+        }
+
+        const duplicate = kept.find((existing) => identitiesMatch(resolveIdentity(existing), identity));
+        if (duplicate) {
+            mergeStoredDuplicate(duplicate, account);
+            droppedIds.push(account.id);
+            collapsed += 1;
+            continue;
+        }
+
+        kept.push(account);
+    }
+
+    return { kept, collapsed, droppedIds };
+}
+
+/**
+ * Storage-level variant of `repairCorruptedCCAccounts` that operates on raw
+ * `AccountMetadata` rows. Used by `loadAccountsWithRepair` so the standalone
+ * CLI commands and any other consumer of `loadAccounts()` get the same heal
+ * that `AccountManager.load()` already provides in-memory. The returned
+ * `droppedIds` must be forwarded to `saveAccounts` so the disk-only union
+ * does not restore the collapsed rows.
+ */
+export function repairStoredCCAccounts(
+    accounts: AccountMetadata[],
+    ccCredentials: CCCredential[],
+): { accounts: AccountMetadata[]; result: RepairResult; droppedIds: string[] } {
+    let repaired = 0;
+
+    for (const account of accounts) {
+        const inferredSource = inferCCSourceFromId(account.id);
+        if (!inferredSource) continue;
+        if (!looksCorruptedStored(account, inferredSource)) continue;
+        if (repairStoredAccount(account, inferredSource, ccCredentials)) {
+            repaired += 1;
+        }
+    }
+
+    const { kept, collapsed, droppedIds } = collapseStoredDuplicates(accounts);
+    return {
+        accounts: kept,
+        result: { repaired, collapsed },
+        droppedIds,
+    };
+}
+
+/**
+ * Drop-in replacement for `loadAccounts()` that runs the load-time repair
+ * pass and persists the healed state when something changed. Returns the
+ * healed storage object, or null if the file does not exist.
+ */
+export async function loadAccountsWithRepair(): Promise<AccountStorage | null> {
+    const stored = await loadAccounts();
+    if (!stored) return stored;
+
+    let ccCredentials: CCCredential[];
+    try {
+        ccCredentials = readCCCredentials();
+    } catch {
+        ccCredentials = [];
+    }
+
+    const { accounts, result, droppedIds } = repairStoredCCAccounts(stored.accounts, ccCredentials);
+
+    if (result.repaired === 0 && result.collapsed === 0) {
+        return stored;
+    }
+
+    const healed: AccountStorage = {
+        ...stored,
+        accounts,
+        activeIndex: accounts.length === 0 ? 0 : Math.max(0, Math.min(stored.activeIndex, accounts.length - 1)),
+    };
+
+    try {
+        await saveAccounts(healed, { droppedIds: new Set(droppedIds) });
+    } catch (err) {
+        // Best-effort persistence: the in-memory healed state is still correct
+        // for this call's caller even if writing back failed. Surface the error
+        // on stderr so misconfigurations don't fail silently.
+        // eslint-disable-next-line no-console -- diagnostic for an unexpected save failure
+        console.error("[opencode-anthropic-auth] loadAccountsWithRepair: save failed:", (err as Error).message);
+    }
+
+    return healed;
+}