npm - agent-control-plane - Versions diffs - 0.1.1 → 0.1.3 - Mend

agent-control-plane 0.1.1 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (184) hide show

package/tools/vendor/codex-quota/lib/claude-usage.js CHANGED Viewed

@@ -1,31 +1,19 @@
 /**
- * Claude usage API fetch (session + OAuth).
+ * Claude usage API fetch (OAuth only).
  * Depends on: lib/constants.js, lib/paths.js, lib/claude-accounts.js, lib/claude-tokens.js
  */
-import { existsSync, readFileSync, copyFileSync, unlinkSync } from "node:fs";
-import { spawnSync } from "node:child_process";
-import { randomBytes, pbkdf2Sync, createDecipheriv } from "node:crypto";
-import { homedir, tmpdir } from "node:os";
-import { join } from "node:path";
+import { existsSync, readFileSync } from "node:fs";
 import {
-	CLAUDE_CREDENTIALS_PATH,
 	CLAUDE_MULTI_ACCOUNT_PATHS,
-	CLAUDE_API_BASE,
-	CLAUDE_ORIGIN,
-	CLAUDE_ORGS_URL,
-	CLAUDE_ACCOUNT_URL,
 	CLAUDE_TIMEOUT_MS,
-	CLAUDE_USER_AGENT,
 	CLAUDE_OAUTH_USAGE_URL,
 	CLAUDE_OAUTH_VERSION,
 	CLAUDE_OAUTH_BETA,
 } from "./constants.js";
 import { getOpencodeAuthPath } from "./paths.js";
 import {
-	findClaudeSessionKey,
 	loadClaudeAccountsFromFile,
-	loadClaudeSessionFromCredentials,
 	loadClaudeOAuthToken,
 } from "./claude-accounts.js";
 import { ensureFreshClaudeOAuthToken } from "./claude-tokens.js";
@@ -40,39 +28,46 @@ export function normalizeClaudeOrgId(orgId) {
 export function isClaudeAuthError(error) {
 	if (!error) return false;
-	return /account_session_invalid|invalid authorization|http 401|http 403/i.test(String(error));
+	return /invalid authorization|http 401|http 403/i.test(String(error));
 }
 export function loadClaudeOAuthFromClaudeCode() {
-	const credentialsPath = process.env.CLAUDE_CREDENTIALS_PATH || CLAUDE_CREDENTIALS_PATH;
-	if (!existsSync(credentialsPath)) return [];
+	const credentials = loadClaudeOAuthToken();
+	if (!credentials.token) return [];
+	let scopes = [];
+	let refreshToken = null;
+	let expiresAt = null;
+	let subscriptionType = null;
+	let rateLimitTier = null;
 	try {
-		const raw = readFileSync(credentialsPath, "utf-8");
+		const raw = readFileSync(credentials.source, "utf-8");
 		const parsed = JSON.parse(raw);
-		const oauth = parsed?.claudeAiOauth ?? parsed?.claude_ai_oauth;
-		if (!oauth?.accessToken) return [];
-		// Check if token has user:profile scope (required for usage API)
-		const scopes = oauth.scopes ?? [];
-		if (!scopes.includes("user:profile")) {
-			return [];
-		}
-		return [{
-			label: "claude-code",
-			accessToken: oauth.accessToken,
-			refreshToken: oauth.refreshToken,
-			expiresAt: oauth.expiresAt,
-			subscriptionType: oauth.subscriptionType,
-			rateLimitTier: oauth.rateLimitTier,
-			scopes,
-			source: credentialsPath,
-		}];
+		const oauth = parsed?.claudeAiOauth ?? parsed?.claude_ai_oauth ?? null;
+		scopes = Array.isArray(oauth?.scopes) ? oauth.scopes : [];
+		refreshToken = oauth?.refreshToken ?? null;
+		expiresAt = oauth?.expiresAt ?? null;
+		subscriptionType = oauth?.subscriptionType ?? null;
+		rateLimitTier = oauth?.rateLimitTier ?? null;
 	} catch {
+		// Ignore parse failures and return the token-only shape.
+	}
+	if (!scopes.includes("user:profile")) {
 		return [];
 	}
+	return [{
+		label: "claude-code",
+		accessToken: credentials.token,
+		refreshToken,
+		expiresAt,
+		subscriptionType,
+		rateLimitTier,
+		scopes,
+		source: credentials.source,
+	}];
 }
 /**
@@ -124,21 +119,13 @@ export function loadClaudeOAuthFromEnv() {
 /**
  * Deduplicate Claude OAuth accounts by refresh token
- * This handles the case where the same Claude account is sourced from multiple files
- * (e.g., claude-code and opencode both storing the same credentials)
- *
- * We use refreshToken because:
- * - Access tokens change on refresh, but refresh tokens stay constant
- * - Two entries with same refresh token are the same underlying account
- * @param {Array<{accessToken: string, refreshToken?: string, ...}>} accounts - Array of accounts
- * @returns {Array<{accessToken: string, ...}>} Deduplicated accounts
+ * This handles the case where the same Claude account is sourced from multiple files.
  */
 export function deduplicateClaudeOAuthAccounts(accounts) {
 	const seenTokens = new Set();
 	return accounts.filter(account => {
-		if (!account.accessToken) return true; // Keep accounts without token (shouldn't happen)
-		// Use refresh token if available (stays constant), otherwise fall back to access token
-		const tokenKey = account.refreshToken
+		if (!account.accessToken) return true;
+		const tokenKey = account.refreshToken
 			? account.refreshToken.substring(0, 50)
 			: account.accessToken.substring(0, 50);
 		if (seenTokens.has(tokenKey)) return false;
@@ -148,32 +135,20 @@ export function deduplicateClaudeOAuthAccounts(accounts) {
 }
 /**
- * Deduplicate Claude usage results by comparing usage fingerprints
- * This catches cases where the same account has different OAuth tokens
- * (e.g., claude-code and opencode both logged into the same Claude account)
- *
- * We consider two results identical if they have the same utilization values.
- * Reset times are NOT included since they can differ by milliseconds between calls.
- *
- * @param {Array<{usage: object, ...}>} results - Array of fetched usage results
- * @returns {Array<{usage: object, ...}>} Deduplicated results
+ * Deduplicate Claude usage results by comparing usage fingerprints.
  */
 export function deduplicateClaudeResultsByUsage(results) {
 	const seen = new Set();
 	return results.filter(result => {
-		if (!result.success || !result.usage) return true; // Keep errors/failures
-		// Create a fingerprint from utilization values only (not reset times)
+		if (!result.success || !result.usage) return true;
 		const usage = result.usage;
 		const fiveHour = usage.five_hour?.utilization ?? "null";
 		const sevenDay = usage.seven_day?.utilization ?? "null";
 		const sevenDayOpus = usage.seven_day_opus?.utilization ?? "null";
 		const sevenDaySonnet = usage.seven_day_sonnet?.utilization ?? "null";
-		// Fingerprint: all utilization values concatenated
-		// Same account will have identical utilization regardless of which OAuth token is used
 		const fingerprint = `${fiveHour}|${sevenDay}|${sevenDayOpus}|${sevenDaySonnet}`;
 		if (seen.has(fingerprint)) return false;
 		seen.add(fingerprint);
 		return true;
@@ -181,21 +156,12 @@ export function deduplicateClaudeResultsByUsage(results) {
 }
 /**
- * Load all Claude OAuth accounts from all sources
- * Sources (in priority order):
- *   1. CLAUDE_OAUTH_ACCOUNTS env var
- *   2. ~/.claude-accounts.json (accounts with oauthToken field)
- *   3. ~/.claude/.credentials.json (Claude Code)       [skipped when local=true]
- *   4. ~/.local/share/opencode/auth.json (OpenCode)    [skipped when local=true]
- * Deduplicates by accessToken to prevent showing same account twice
- * @param {{ local?: boolean }} [options] - When local=true, skip harness auth files
- * @returns {Array<{ label: string, accessToken: string, refreshToken?: string, expiresAt?: number, subscriptionType?: string, rateLimitTier?: string, source: string }>}
+ * Load all Claude OAuth accounts from all supported sources.
  */
 export function loadAllClaudeOAuthAccounts(options = {}) {
 	const all = [];
 	const seenLabels = new Set();
-	// 1. Environment variable
 	for (const account of loadClaudeOAuthFromEnv()) {
 		if (!seenLabels.has(account.label)) {
 			seenLabels.add(account.label);
@@ -203,7 +169,6 @@ export function loadAllClaudeOAuthAccounts(options = {}) {
 		}
 	}
-	// 2. Multi-account file (accounts with oauthToken)
 	for (const path of CLAUDE_MULTI_ACCOUNT_PATHS) {
 		const accounts = loadClaudeAccountsFromFile(path);
 		for (const account of accounts) {
@@ -212,7 +177,6 @@ export function loadAllClaudeOAuthAccounts(options = {}) {
 				all.push({
 					label: account.label,
 					accessToken: account.oauthToken,
-					// Pass through new OAuth metadata fields (optional, may be null for legacy accounts)
 					refreshToken: account.oauthRefreshToken || null,
 					expiresAt: account.oauthExpiresAt || null,
 					scopes: account.oauthScopes || null,
@@ -222,7 +186,6 @@ export function loadAllClaudeOAuthAccounts(options = {}) {
 		}
 	}
-	// 3. Claude Code credentials (skip in local mode)
 	if (!options.local) {
 		for (const account of loadClaudeOAuthFromClaudeCode()) {
 			if (!seenLabels.has(account.label)) {
@@ -230,10 +193,6 @@ export function loadAllClaudeOAuthAccounts(options = {}) {
 				all.push(account);
 			}
 		}
-	}
-	// 4. OpenCode credentials (skip in local mode)
-	if (!options.local) {
 		for (const account of loadClaudeOAuthFromOpenCode()) {
 			if (!seenLabels.has(account.label)) {
 				seenLabels.add(account.label);
@@ -242,19 +201,11 @@ export function loadAllClaudeOAuthAccounts(options = {}) {
 		}
 	}
-	// 5. Deduplicate by accessToken (same account from multiple sources with different labels)
 	return deduplicateClaudeOAuthAccounts(all);
 }
 /**
- * Fetch Claude usage via OAuth API (new official endpoint)
- * Endpoint: GET https://api.anthropic.com/api/oauth/usage
- * Required headers:
- *   - Authorization: Bearer <access_token>
- *   - anthropic-version: 2023-06-01
- *   - anthropic-beta: oauth-2025-04-20
- * @param {string} accessToken - OAuth access token with user:profile scope
- * @returns {Promise<{ success: boolean, data?: object, error?: string }>}
+ * Fetch Claude usage via OAuth API.
  */
 export async function fetchClaudeOAuthUsage(accessToken) {
 	const controller = new AbortController();
@@ -290,9 +241,7 @@ export async function fetchClaudeOAuthUsage(accessToken) {
 }
 /**
- * Fetch usage for a Claude OAuth account
- * @param {{ label: string, accessToken: string, ... }} account - OAuth account
- * @returns {Promise<{ success: boolean, label: string, source: string, usage?: object, ... }>}
+ * Fetch usage for a Claude OAuth account.
  */
 export async function fetchClaudeOAuthUsageForAccount(account) {
 	const refreshed = await ensureFreshClaudeOAuthToken(account);
@@ -311,7 +260,6 @@ export async function fetchClaudeOAuthUsageForAccount(account) {
 	}
 	const result = await fetchClaudeOAuthUsage(account.accessToken);
 	if (!result.success) {
 		return {
 			success: false,
@@ -333,597 +281,58 @@ export async function fetchClaudeOAuthUsageForAccount(account) {
 	};
 }
-export function getChromeSafeStoragePassword() {
-	const candidates = ["chromium", "chrome", "google-chrome", "google-chrome-canary"];
-	for (const app of candidates) {
-		try {
-			const result = spawnSync("secret-tool", ["lookup", "application", app], {
-				encoding: "utf-8",
-			});
-			if (result.status === 0) {
-				const value = (result.stdout || "").trim();
-				if (value) return value;
-			}
-		} catch {
-			// ignore
-		}
-	}
-	return "peanuts";
-}
-export function decryptChromeCookie(encryptedValue, password) {
-	if (!encryptedValue || encryptedValue.length < 4) return null;
-	const prefix = encryptedValue.slice(0, 3).toString("utf-8");
-	if (prefix !== "v10" && prefix !== "v11") {
-		try {
-			return encryptedValue.toString("utf-8");
-		} catch {
-			return null;
-		}
-	}
-	try {
-		const ciphertext = encryptedValue.slice(3);
-		const key = pbkdf2Sync(password, "saltysalt", 1, 16, "sha1");
-		const iv = Buffer.alloc(16, " ");
-		const decipher = createDecipheriv("aes-128-cbc", key, iv);
-		let decrypted = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
-		const pad = decrypted[decrypted.length - 1];
-		if (pad > 0 && pad <= 16) {
-			decrypted = decrypted.slice(0, -pad);
-		}
-		return decrypted.toString("utf-8");
-	} catch {
-		return null;
-	}
-}
-export function stripNonPrintable(value) {
-	if (!value) return value;
-	return value.replace(/^[^\x20-\x7E]+/, "").replace(/[^\x20-\x7E]+$/, "");
-}
-export function extractClaudeCookieValue(value, name = null) {
-	const cleaned = stripNonPrintable(value);
-	if (!cleaned) return null;
-	const asciiOnly = cleaned.replace(/[^\x20-\x7E]/g, "");
-	if (!asciiOnly) return null;
-	if (name === "sessionKey") {
-		const match = asciiOnly.match(/sk-ant-[a-z0-9_-]+/i);
-		return match ? match[0] : null;
-	}
-	if (name === "cf_clearance") {
-		const match = asciiOnly.match(/[A-Za-z0-9._-]{20,}/);
-		return match ? match[0] : null;
-	}
-	if (name === "lastActiveOrg") {
-		const match = asciiOnly.match(/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i);
-		return match ? match[0] : null;
-	}
-	return asciiOnly;
-}
-export function readClaudeCookiesFromDb(cookiePath) {
-	const tempPath = join(tmpdir(), `cq-claude-cookies-${randomBytes(6).toString("hex")}.db`);
-	try {
-		copyFileSync(cookiePath, tempPath);
-		const query = [
-			"select name, value, hex(encrypted_value)",
-			"from cookies",
-			"where host_key like '%claude.ai%'",
-			";",
-		].join(" ");
-		const result = spawnSync("sqlite3", ["-readonly", "-separator", "\t", tempPath, query], {
-			encoding: "utf-8",
-		});
-		if (result.status !== 0) {
-			return { error: result.stderr?.trim() || "Failed to read cookie DB" };
-		}
-		const lines = (result.stdout || "").trim().split("\n").filter(Boolean);
-		if (!lines.length) {
-			return { error: "No Claude cookies found in DB" };
-		}
-		const password = getChromeSafeStoragePassword();
-		const cookies = {};
-		for (const line of lines) {
-			const [name, plainValue, hexValue] = line.split("\t");
-			if (!name) continue;
-			if (plainValue) {
-				const value = extractClaudeCookieValue(plainValue, name);
-				if (value) cookies[name] = value;
-				continue;
-			}
-			if (hexValue) {
-				const buffer = Buffer.from(hexValue, "hex");
-				const decrypted = decryptChromeCookie(buffer, password);
-				const value = extractClaudeCookieValue(decrypted, name);
-				if (value) cookies[name] = value;
-			}
-		}
-		return {
-			sessionKey: cookies.sessionKey ?? null,
-			cfClearance: cookies.cf_clearance ?? null,
-			cookies,
-		};
-	} catch (err) {
-		return { error: err?.message ?? String(err) };
-	} finally {
-		try {
-			unlinkSync(tempPath);
-		} catch {
-			// ignore
-		}
-	}
-}
-export function loadClaudeCookieCandidates() {
-	const overridePath = process.env.CLAUDE_COOKIE_DB_PATH;
-	const candidates = overridePath
-		? [overridePath]
-		: [
-			join(homedir(), ".config", "chromium", "Default", "Cookies"),
-			join(homedir(), ".config", "google-chrome", "Default", "Cookies"),
-			join(homedir(), ".config", "google-chrome-canary", "Default", "Cookies"),
-			join(homedir(), ".config", "google-chrome-for-testing", "Default", "Cookies"),
-		];
-	const sessions = [];
-	for (const cookiePath of candidates) {
-		if (!existsSync(cookiePath)) continue;
-		const result = readClaudeCookiesFromDb(cookiePath);
-		if (result.sessionKey) {
-			sessions.push({
-				sessionKey: result.sessionKey,
-				cfClearance: result.cfClearance ?? null,
-				cookies: result.cookies ?? null,
-				source: cookiePath,
-			});
-		}
-	}
-	return sessions;
-}
-export function loadClaudeSessionCandidates() {
-	const sessions = [];
-	const cookieSessions = loadClaudeCookieCandidates();
-	const oauth = loadClaudeOAuthToken();
-	for (const session of cookieSessions) {
-		sessions.push({
-			...session,
-			oauthToken: oauth.token ?? null,
-		});
-	}
-	const credentialsSession = loadClaudeSessionFromCredentials();
-	if (credentialsSession.sessionKey) {
-		sessions.push({
-			...credentialsSession,
-			oauthToken: oauth.token ?? credentialsSession.sessionKey,
-		});
-	}
-	return sessions;
-}
-export function buildClaudeHeaders(sessionKey, cfClearance, bearerToken, mode, cookies) {
-	const headers = {
-		accept: "application/json, text/plain, */*",
-		"accept-language": "en-US,en;q=0.9",
-		"cache-control": "no-cache",
-		pragma: "no-cache",
-		origin: CLAUDE_ORIGIN,
-		referer: `${CLAUDE_ORIGIN}/`,
-		"user-agent": CLAUDE_USER_AGENT,
-		"sec-fetch-dest": "empty",
-		"sec-fetch-mode": "cors",
-		"sec-fetch-site": "same-origin",
-		"x-requested-with": "XMLHttpRequest",
-	};
-	if (mode.includes("cookie")) {
-		if (!sessionKey && !(cookies && typeof cookies === "object")) {
-			return headers;
-		}
-		let parts = [];
-		if (cookies && typeof cookies === "object") {
-			parts = Object.entries(cookies)
-				.filter(([, value]) => typeof value === "string" && value.length)
-				.map(([name, value]) => `${name}=${value}`);
-		} else {
-			parts = [`sessionKey=${sessionKey}`];
-			if (cfClearance) {
-				parts.push(`cf_clearance=${cfClearance}`);
-			}
-		}
-		headers.Cookie = parts.join("; ");
-	}
-	if (mode.includes("bearer")) {
-		if (bearerToken) {
-			headers.Authorization = `Bearer ${bearerToken}`;
-		}
-	}
-	return headers;
-}
-export async function fetchClaudeJson(url, sessionKey, cfClearance, oauthToken, cookies) {
-	const controller = new AbortController();
-	const timeout = setTimeout(() => controller.abort(), CLAUDE_TIMEOUT_MS);
-	try {
-		const attempts = [];
-		const hasCookie = Boolean(sessionKey || (cookies && typeof cookies === "object"));
-		const hasSessionBearer = Boolean(sessionKey);
-		const hasOauthBearer = Boolean(oauthToken);
-		if (hasCookie) attempts.push({ mode: "cookie", bearer: null });
-		if (hasSessionBearer) attempts.push({ mode: "bearer", bearer: sessionKey });
-		if (hasOauthBearer) attempts.push({ mode: "bearer", bearer: oauthToken });
-		if (hasCookie && hasSessionBearer) attempts.push({ mode: "cookie+bearer", bearer: sessionKey });
-		if (hasCookie && hasOauthBearer) attempts.push({ mode: "cookie+bearer", bearer: oauthToken });
-		let lastError = null;
-		for (const attempt of attempts) {
-			const res = await fetch(url, {
-				method: "GET",
-				headers: buildClaudeHeaders(
-					sessionKey,
-					cfClearance,
-					attempt.bearer,
-					attempt.mode,
-					cookies
-				),
-				signal: controller.signal,
-			});
-			if (res.ok) {
-				const text = await res.text();
-				if (!text) {
-					return { data: null };
-				}
-				try {
-					return { data: JSON.parse(text) };
-				} catch {
-					return { error: "Invalid JSON response" };
-				}
-			}
-			let detail = "";
-			try {
-				const text = await res.text();
-				if (text) {
-					detail = text.trim().slice(0, 200);
-				}
-			} catch {
-				// ignore body parse errors
-			}
-			const error = {
-				status: res.status,
-				error: detail ? `HTTP ${res.status}: ${detail}` : `HTTP ${res.status}`,
-			};
-			lastError = error;
-			if (res.status !== 401 && res.status !== 403) {
-				return error;
-			}
-		}
-		return lastError ?? { error: "HTTP 403" };
-	} catch (err) {
-		const message = err?.name === "AbortError" ? "Request timed out" : err?.message ?? String(err);
-		return { error: message };
-	} finally {
-		clearTimeout(timeout);
-	}
-}
-export function extractClaudeOrgId(payload) {
-	if (!payload) return null;
-	if (typeof payload === "string") return payload;
-	const isUuidLike = (value) => {
-		if (typeof value !== "string") return false;
-		if (/^[0-9a-f]{32}$/i.test(value)) return true;
-		if (/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i.test(value)) {
-			return true;
-		}
-		return false;
-	};
-	const searchUuid = (root) => {
-		const stack = [root];
-		const seen = new Set();
-		while (stack.length) {
-			const current = stack.pop();
-			if (!current || typeof current !== "object") continue;
-			if (seen.has(current)) continue;
-			seen.add(current);
-			if (Array.isArray(current)) {
-				for (const item of current) {
-					if (isUuidLike(item)) return item;
-					if (item && typeof item === "object") stack.push(item);
-				}
-			} else {
-				for (const value of Object.values(current)) {
-					if (isUuidLike(value)) return value;
-					if (value && typeof value === "object") stack.push(value);
-				}
-			}
-		}
-		return null;
-	};
-	const uuidCandidate = searchUuid(payload);
-	if (uuidCandidate) return uuidCandidate;
-	const direct = payload.id ?? payload.uuid ?? payload.organizationId ?? payload.orgId ?? payload.org_id;
-	if (direct) return direct;
-	if (payload.current_organization_uuid) return payload.current_organization_uuid;
-	const orgs = Array.isArray(payload)
-		? payload
-		: payload.organizations ?? payload.orgs ?? payload.items ?? payload.data;
-	if (!Array.isArray(orgs) || orgs.length === 0) return null;
-	const first = orgs[0];
-	if (typeof first === "string") return first;
-	return first?.id ?? first?.uuid ?? first?.organizationId ?? first?.orgId ?? first?.org_id ?? null;
-}
+/**
+ * Backward-compatible wrapper for stored Claude credentials.
+ * Only OAuth-backed credentials are supported.
+ */
 export async function fetchClaudeUsageForCredentials(credentials) {
-	const sessionKey = credentials.sessionKey ?? findClaudeSessionKey(credentials.cookies);
-	const oauthToken = credentials.oauthToken ?? null;
-	const cfClearance = credentials.cfClearance ?? credentials.cookies?.cf_clearance ?? credentials.cookies?.cfClearance ?? null;
-	const cookies = credentials.cookies ?? null;
-	if (!sessionKey && !oauthToken && !cookies) {
-		return {
-			success: false,
-			label: credentials.label ?? null,
-			source: credentials.source ?? null,
-			error: "Missing Claude session key or OAuth token",
-		};
-	}
-	let lastAuthError = null;
-	const tryUsageForOrg = async (orgId) => {
-		const normalizedOrgId = normalizeClaudeOrgId(orgId);
-		const usageUrl = `${CLAUDE_API_BASE}/organizations/${normalizedOrgId}/usage`;
-		const overageUrl = `${CLAUDE_API_BASE}/organizations/${normalizedOrgId}/overage_spend_limit`;
-		const [usageResponse, overageResponse, accountResponse] = await Promise.all([
-			fetchClaudeJson(
-				usageUrl,
-				sessionKey,
-				cfClearance,
-				oauthToken,
-				cookies
-			),
-			fetchClaudeJson(
-				overageUrl,
-				sessionKey,
-				cfClearance,
-				oauthToken,
-				cookies
-			),
-			fetchClaudeJson(
-				CLAUDE_ACCOUNT_URL,
-				sessionKey,
-				cfClearance,
-				oauthToken,
-				cookies
-			),
-		]);
-		const errors = {};
-		if (usageResponse.error) errors.usage = usageResponse.error;
-		if (overageResponse.error) errors.overage = overageResponse.error;
-		if (accountResponse.error) errors.account = accountResponse.error;
-		return { usageResponse, overageResponse, accountResponse, errors, orgId };
-	};
-	const cookieOrg = credentials.cookies?.lastActiveOrg;
-	const configuredOrg = credentials.orgId ?? null;
-	if (configuredOrg || cookieOrg) {
-		const orgAttempt = await tryUsageForOrg(configuredOrg ?? cookieOrg);
-		const authErrors = Object.values(orgAttempt.errors).some(isClaudeAuthError);
-		if (!authErrors) {
-			return {
-				success: true,
-				label: credentials.label ?? null,
-				source: credentials.source ?? null,
-				orgId: orgAttempt.orgId,
-				usage: orgAttempt.usageResponse.data ?? null,
-				overage: orgAttempt.overageResponse.data ?? null,
-				account: orgAttempt.accountResponse.data ?? null,
-				errors: Object.keys(orgAttempt.errors).length ? orgAttempt.errors : null,
-			};
-		}
-		lastAuthError = orgAttempt.errors.usage || orgAttempt.errors.overage || lastAuthError;
-	}
-	const orgsResponse = await fetchClaudeJson(
-		CLAUDE_ORGS_URL,
-		sessionKey,
-		cfClearance,
-		oauthToken,
-		cookies
-	);
-	if (orgsResponse.error) {
-		const errorText = String(orgsResponse.error);
-		const isAuthError = /account_session_invalid|invalid authorization|http 401|http 403/i.test(errorText);
-		if (isAuthError) {
-			lastAuthError = orgsResponse.error;
-			return {
-				success: false,
-				label: credentials.label ?? null,
-				source: credentials.source ?? null,
-				error: `Organizations request failed: ${lastAuthError}`,
-			};
-		}
+	if (!credentials?.oauthToken) {
 		return {
 			success: false,
-			label: credentials.label ?? null,
-			source: credentials.source ?? null,
-			error: `Organizations request failed: ${orgsResponse.error}`,
-		};
-	}
-	const orgId = extractClaudeOrgId(orgsResponse.data);
-	if (!orgId) {
-		return {
-			success: false,
-			label: credentials.label ?? null,
-			source: credentials.source ?? null,
-			error: "No Claude organization ID found",
-		};
-	}
-	const orgAttempt = await tryUsageForOrg(orgId);
-	const authErrors = Object.values(orgAttempt.errors).some(isClaudeAuthError);
-	if (!authErrors) {
-		return {
-			success: true,
-			label: credentials.label ?? null,
-			source: credentials.source ?? null,
-			orgId,
-			usage: orgAttempt.usageResponse.data ?? null,
-			overage: orgAttempt.overageResponse.data ?? null,
-			account: orgAttempt.accountResponse.data ?? null,
-			errors: Object.keys(orgAttempt.errors).length ? orgAttempt.errors : null,
+			label: credentials?.label ?? null,
+			source: credentials?.source ?? null,
+			error: "Claude OAuth token required",
 		};
 	}
-	return {
-		success: false,
+	return fetchClaudeOAuthUsageForAccount({
 		label: credentials.label ?? null,
 		source: credentials.source ?? null,
-		error: `Organizations request failed: ${lastAuthError || "Invalid authorization"}`,
-	};
+		accessToken: credentials.oauthToken,
+		refreshToken: credentials.oauthRefreshToken ?? null,
+		expiresAt: credentials.oauthExpiresAt ?? null,
+		scopes: credentials.oauthScopes ?? null,
+		subscriptionType: credentials.subscriptionType,
+		rateLimitTier: credentials.rateLimitTier,
+	});
 }
+/**
+ * Backward-compatible wrapper for Claude Code credentials.
+ * Only OAuth-backed credentials are supported.
+ */
 export async function fetchClaudeUsage() {
-	const candidates = loadClaudeSessionCandidates();
-	if (!candidates.length) {
-		const credentials = loadClaudeSessionFromCredentials();
+	const oauth = loadClaudeOAuthToken();
+	if (!oauth.token) {
 		return {
 			success: false,
-			source: credentials.source,
-			error: credentials.error ?? "Missing Claude session key",
+			source: oauth.source,
+			error: oauth.error ?? "Claude OAuth token required",
 		};
 	}
-	let lastAuthError = null;
-	for (const credentials of candidates) {
-		const tryUsageForOrg = async (orgId) => {
-			const normalizedOrgId = normalizeClaudeOrgId(orgId);
-			const usageUrl = `${CLAUDE_API_BASE}/organizations/${normalizedOrgId}/usage`;
-			const overageUrl = `${CLAUDE_API_BASE}/organizations/${normalizedOrgId}/overage_spend_limit`;
-			const [usageResponse, overageResponse, accountResponse] = await Promise.all([
-				fetchClaudeJson(
-					usageUrl,
-					credentials.sessionKey,
-					credentials.cfClearance,
-					credentials.oauthToken,
-					credentials.cookies
-				),
-				fetchClaudeJson(
-					overageUrl,
-					credentials.sessionKey,
-					credentials.cfClearance,
-					credentials.oauthToken,
-					credentials.cookies
-				),
-				fetchClaudeJson(
-					CLAUDE_ACCOUNT_URL,
-					credentials.sessionKey,
-					credentials.cfClearance,
-					credentials.oauthToken,
-					credentials.cookies
-				),
-			]);
-			const errors = {};
-			if (usageResponse.error) errors.usage = usageResponse.error;
-			if (overageResponse.error) errors.overage = overageResponse.error;
-			if (accountResponse.error) errors.account = accountResponse.error;
-			return { usageResponse, overageResponse, accountResponse, errors, orgId };
+	const result = await fetchClaudeOAuthUsage(oauth.token);
+	if (!result.success) {
+		return {
+			success: false,
+			source: oauth.source,
+			error: result.error,
 		};
-		const cookieOrg = credentials.cookies?.lastActiveOrg;
-		if (cookieOrg) {
-			const cookieAttempt = await tryUsageForOrg(cookieOrg);
-			const authErrors = Object.values(cookieAttempt.errors).some(isClaudeAuthError);
-			if (!authErrors) {
-				return {
-					success: true,
-					source: credentials.source,
-					orgId: cookieAttempt.orgId,
-					usage: cookieAttempt.usageResponse.data ?? null,
-					overage: cookieAttempt.overageResponse.data ?? null,
-					account: cookieAttempt.accountResponse.data ?? null,
-					errors: Object.keys(cookieAttempt.errors).length ? cookieAttempt.errors : null,
-				};
-			}
-			lastAuthError = cookieAttempt.errors.usage || cookieAttempt.errors.overage || lastAuthError;
-		}
-		const orgsResponse = await fetchClaudeJson(
-			CLAUDE_ORGS_URL,
-			credentials.sessionKey,
-			credentials.cfClearance,
-			credentials.oauthToken,
-		credentials.cookies
-	);
-		if (orgsResponse.error) {
-			const errorText = String(orgsResponse.error);
-			const isAuthError = /account_session_invalid|invalid authorization|http 401|http 403/i.test(errorText);
-			if (isAuthError) {
-				lastAuthError = orgsResponse.error;
-				continue;
-			}
-			return {
-				success: false,
-				source: credentials.source,
-				error: `Organizations request failed: ${orgsResponse.error}`,
-			};
-		}
-		const orgId = extractClaudeOrgId(orgsResponse.data);
-		if (!orgId) {
-			return {
-				success: false,
-				source: credentials.source,
-				error: "No Claude organization ID found",
-			};
-		}
-		const orgAttempt = await tryUsageForOrg(orgId);
-		const authErrors = Object.values(orgAttempt.errors).some(isClaudeAuthError);
-		if (!authErrors) {
-			return {
-				success: true,
-				source: credentials.source,
-				orgId,
-				usage: orgAttempt.usageResponse.data ?? null,
-				overage: orgAttempt.overageResponse.data ?? null,
-				account: orgAttempt.accountResponse.data ?? null,
-				errors: Object.keys(orgAttempt.errors).length ? orgAttempt.errors : null,
-			};
-		}
-		lastAuthError = orgAttempt.errors.usage || orgAttempt.errors.overage || lastAuthError;
 	}
 	return {
-		success: false,
-		source: candidates[0]?.source ?? null,
-		error: `Organizations request failed: ${lastAuthError || "Invalid authorization"}`,
+		success: true,
+		source: oauth.source,
+		usage: result.data,
 	};
 }