clawmoney 0.13.15 → 0.14.0

package/dist/relay/provider.js

@@ -4,10 +4,29 @@ import { homedir } from "node:os";
 import YAML from "yaml";
 import { RelayWsClient } from "./ws-client.js";
 import { spawnCli, buildCliArgs, parseCliOutput, ensureEmptyMcpConfig, ensureSandboxDir, } from "./executor.js";
-import { callClaudeApi, preflightClaudeApi, getRateGuardSnapshot } from "./upstream/claude-api.js";
-import { callCodexApi, preflightCodexApi } from "./upstream/codex-api.js";
-import { callGeminiApi, preflightGeminiApi } from "./upstream/gemini-api.js";
-import { callAntigravityApi, preflightAntigravityApi, } from "./upstream/antigravity-api.js";
+import { callClaudeApi, preflightClaudeApi, getRateGuardSnapshot as getClaudeRateGuardSnapshot, } from "./upstream/claude-api.js";
+import { callCodexApi, preflightCodexApi, getRateGuardSnapshot as getCodexRateGuardSnapshot, } from "./upstream/codex-api.js";
+import { callGeminiApi, preflightGeminiApi, getGeminiRateGuardSnapshot, } from "./upstream/gemini-api.js";
+import { callAntigravityApi, preflightAntigravityApi, getAntigravityRateGuardSnapshot, } from "./upstream/antigravity-api.js";
+/**
+ * Pick the rate-guard snapshot matching this request's cli_type. Fixes a
+ * pre-existing bug where gemini/codex responses were piggy-backing Claude's
+ * session_window telemetry because provider.ts always called the claude-api
+ * snapshot regardless of upstream.
+ */
+function getRateGuardSnapshotForCli(cli) {
+    switch (cli) {
+        case "codex":
+            return getCodexRateGuardSnapshot();
+        case "gemini":
+            return getGeminiRateGuardSnapshot();
+        case "antigravity":
+            return getAntigravityRateGuardSnapshot();
+        case "claude":
+        default:
+            return getClaudeRateGuardSnapshot();
+    }
+}
 import { calculateCost } from "./pricing.js";
 import { relayLogger as logger } from "./logger.js";
 const CONFIG_DIR = join(homedir(), ".clawmoney");
@@ -222,7 +241,7 @@ async function executeRelayRequest(request, config) {
         // actually surfaced the headers this turn.
         let sessionWindowTelemetry;
         if (useApiMode) {
-            const snap = getRateGuardSnapshot();
+            const snap = getRateGuardSnapshotForCli(cliType);
             if (snap?.sessionWindow) {
                 sessionWindowTelemetry = {
                     reset_at_ms: snap.sessionWindow.endMs,

package/dist/relay/upstream/antigravity-api.js

@@ -225,7 +225,13 @@ export function loadAccounts() {
 }
 export function saveAccounts(file) {
     ensureClawmoneyDir();
-    writeFileSync(ACCOUNTS_FILE, JSON.stringify(file, null, 2), "utf-8");
+    // mode 0o600 so other local users / rogue processes can't read the
+    // refresh_token. Google's fraud detection treats a refresh_token seen
+    // from two machines / user-agents as account hijacking.
+    writeFileSync(ACCOUNTS_FILE, JSON.stringify(file, null, 2), {
+        encoding: "utf-8",
+        mode: 0o600,
+    });
 }
 function loadPrimaryAccount() {
     const file = loadAccounts();
@@ -240,17 +246,18 @@ function loadPrimaryAccount() {
     }
     return primary;
 }
+/**
+ * Persist a partial update to the primary account record. Throws on write
+ * failure — refresh callers must treat that as a reason to keep the old
+ * token (see the "two valid tokens in flight" rationale in claude-api.ts).
+ * Non-refresh callers (project_id cache) can swallow the error.
+ */
 function persistPrimaryAccount(patch) {
     const file = loadAccounts();
     if (file.accounts.length === 0)
         return;
     file.accounts[0] = { ...file.accounts[0], ...patch };
-    try {
-        saveAccounts(file);
-    }
-    catch (err) {
-        logger.warn(`[antigravity-api] could not persist account update: ${err.message}`);
-    }
+    saveAccounts(file);
 }
 async function refreshUpstreamToken(refreshToken) {
     const params = new URLSearchParams({
@@ -291,11 +298,19 @@ async function doRefreshAndPersist(current) {
         refresh_token: fresh.refresh_token,
         expiry_ms: fresh.expiry_ms,
     };
-    persistPrimaryAccount({
-        access_token: next.access_token,
-        refresh_token: next.refresh_token,
-        expiry_ms: next.expiry_ms,
-    });
+    // Persist FIRST. If writing to antigravity-accounts.json fails, keep
+    // using the old token — see claude-api.ts doRefreshAndPersist for why.
+    try {
+        persistPrimaryAccount({
+            access_token: next.access_token,
+            refresh_token: next.refresh_token,
+            expiry_ms: next.expiry_ms,
+        });
+    }
+    catch (err) {
+        logger.error(`[antigravity-api] CRITICAL: persist failed — keeping old token to avoid account-hijack detection signal: ${err.message}`);
+        return current;
+    }
     return next;
 }
 async function getFreshAccount() {
@@ -510,7 +525,14 @@ export async function preflightAntigravityApi(config) {
         logger.info("[antigravity-api] resolving project ID via loadCodeAssist...");
         const projectId = await resolveAntigravityProjectId(account.access_token);
         account.project_id = projectId;
-        persistPrimaryAccount({ project_id: projectId });
+        // Persist is non-critical here: failure just means we'll re-resolve on
+        // next daemon restart instead of hitting the cache.
+        try {
+            persistPrimaryAccount({ project_id: projectId });
+        }
+        catch (err) {
+            logger.warn(`[antigravity-api] failed to cache project_id: ${err.message}`);
+        }
         cachedAccount = account;
     }
     logger.info(`[antigravity-api] preflight OK (project=${account.project_id}, email=${account.email ?? "?"})`);

package/dist/relay/upstream/claude-api.js

@@ -149,26 +149,37 @@ function buildMetadataUserID(fingerprint, sessionId) {
         session_id: sessionId,
     });
 }
-// ── Masked session id (15-minute sliding window) ──
+// ── Masked session id (3-minute sliding window, jittered) ──
 //
 // Real Claude Code reuses the same session_id across many requests in the
 // same conversation. If we randomize a new UUID per request, from Anthropic's
 // side this account produces dozens of single-request "sessions" per hour,
 // which is a strong bot signal. sub2api (identity_service.go) solves this
-// with a 15-minute masked session id — every request within the window gets
-// the same id, sliding forward on each hit. We do the same in-process.
-const MASKED_SESSION_TTL_MS = 15 * 60 * 1000;
+// with a masked session id — every request within the window gets the same
+// id, sliding forward on each hit.
+//
+// We use a **3-minute** window (not 15) because that matches the median real
+// human coding rhythm better: a user types a prompt, reads the answer, types
+// a follow-up, reads, context-switches. 15 minutes of same-session traffic
+// at machine-paced intervals is itself suspicious for a human operator. We
+// also add ±30s jitter so multiple providers don't all roll their sessions
+// in lockstep at :00 / :03 / :06 etc — that kind of coordinated reset is an
+// obvious relay-farm signature.
+const MASKED_SESSION_TTL_MS = 3 * 60 * 1000; // 3 minutes
+const MASKED_SESSION_JITTER_MS = 30 * 1000; // ±30s
 let maskedSessionId = null;
-let maskedSessionLastUsedMs = 0;
+let maskedSessionExpiresAt = 0;
 function getMaskedSessionId() {
     const now = Date.now();
-    if (maskedSessionId && now - maskedSessionLastUsedMs < MASKED_SESSION_TTL_MS) {
-        maskedSessionLastUsedMs = now;
+    if (maskedSessionId && now < maskedSessionExpiresAt) {
         return maskedSessionId;
     }
     maskedSessionId = randomUUID();
-    maskedSessionLastUsedMs = now;
-    logger.info(`[claude-api] new masked session_id ${maskedSessionId.slice(0, 8)}... (previous expired)`);
+    // New window starts now, expires TTL + jitter from here.
+    const jitter = Math.floor((Math.random() * 2 - 1) * MASKED_SESSION_JITTER_MS);
+    maskedSessionExpiresAt = now + MASKED_SESSION_TTL_MS + jitter;
+    logger.info(`[claude-api] new masked session_id ${maskedSessionId.slice(0, 8)}... ` +
+        `(window=${Math.round((MASKED_SESSION_TTL_MS + jitter) / 1000)}s)`);
     return maskedSessionId;
 }
 // ── Prompt sanitization ──
@@ -275,12 +286,12 @@ function readCredentialsFromKeychain() {
         return null;
     }
 }
+const CLAUDE_CREDENTIALS_FILE_PATH = join(homedir(), ".claude", ".credentials.json");
 function readCredentialsFromFile() {
-    const path = join(homedir(), ".claude", ".credentials.json");
-    if (!existsSync(path))
+    if (!existsSync(CLAUDE_CREDENTIALS_FILE_PATH))
         return null;
     try {
-        return JSON.parse(readFileSync(path, "utf-8"));
+        return JSON.parse(readFileSync(CLAUDE_CREDENTIALS_FILE_PATH, "utf-8"));
     }
     catch {
         return null;
@@ -299,6 +310,7 @@ function loadClaudeOAuth() {
     }
     return {
         source: fromKeychain ? "keychain" : "file",
+        filePath: fromKeychain ? undefined : CLAUDE_CREDENTIALS_FILE_PATH,
         accessToken: oauth.accessToken,
         refreshToken: oauth.refreshToken,
         expiresAt: oauth.expiresAt,
@@ -368,13 +380,31 @@ async function doRefreshAndPersist(current) {
             ? fresh.scopes
             : wrapper.claudeAiOauth.scopes,
     };
+    // IMPORTANT: persist BEFORE advancing the in-memory state. If the keychain
+    // write silently fails we must NOT start using the new access/refresh token
+    // — doing so creates a "two valid tokens in flight" pattern that looks to
+    // Anthropic like account hijacking (same account_id, two access_tokens
+    // issued within the 3-minute refresh skew window). The correct fallback is
+    // to keep serving on the old token until the next refresh cycle retries
+    // the persist, so on-disk and in-memory state always agree.
     if (current.source === "keychain") {
         try {
             writeCredentialsToKeychain(wrapper);
             logger.info("[claude-api] keychain updated");
         }
         catch (err) {
-            logger.warn(`[claude-api] keychain write failed: ${err.message}`);
+            logger.error(`[claude-api] CRITICAL: keychain write failed — keeping old token to avoid account-hijack detection signal: ${err.message}`);
+            return current;
+        }
+    }
+    else if (current.source === "file" && current.filePath) {
+        try {
+            writeFileSync(current.filePath, JSON.stringify(wrapper, null, 2), { encoding: "utf-8", mode: 0o600 });
+            logger.info(`[claude-api] ${current.filePath} updated`);
+        }
+        catch (err) {
+            logger.error(`[claude-api] CRITICAL: credential file write failed — keeping old token to avoid account-hijack detection signal: ${err.message}`);
+            return current;
         }
     }
     const next = {

package/dist/relay/upstream/codex-api.js

@@ -62,7 +62,10 @@ const DEFAULT_USER_AGENT = "";
 // openai-beta header value for the 0.118+ WebSocket protocol.
 const OPENAI_BETA_WS_VALUE = "responses_websockets=2026-02-06";
 const REFRESH_SKEW_MS = 3 * 60 * 1000;
-const MASKED_SESSION_TTL_MS = 15 * 60 * 1000;
+// Matches claude-api.ts MASKED_SESSION_TTL_MS — 3 minutes with ±30s jitter
+// to mimic human coding rhythm and avoid all providers rolling in lockstep.
+const MASKED_SESSION_TTL_MS = 3 * 60 * 1000;
+const MASKED_SESSION_JITTER_MS = 30 * 1000;
 const MAX_TRANSIENT_RETRIES = 2;
 // Per-call upper bound on how long we wait for a terminal WS frame.
 // Codex responses on small prompts come back in <10s; we give a generous
@@ -213,12 +216,17 @@ async function doRefreshAndPersist(current) {
             refresh_token: fresh.refreshToken,
         },
     };
+    // Persist FIRST, then advance in-memory state. If the on-disk write fails
+    // we keep serving on the old token — see claude-api.ts doRefreshAndPersist
+    // for the full rationale (OpenAI/ChatGPT would see two valid access tokens
+    // in flight for the same account and mark it as hijacked otherwise).
     try {
         writeCodexAuth(updatedFile);
         logger.info("[codex-api] ~/.codex/auth.json updated");
     }
     catch (err) {
-        logger.warn(`[codex-api] failed to persist refreshed token: ${err.message}`);
+        logger.error(`[codex-api] CRITICAL: persist failed — keeping old token to avoid account-hijack detection signal: ${err.message}`);
+        return current;
     }
     return {
         accessToken: fresh.accessToken,
@@ -244,18 +252,22 @@ async function getFreshCreds() {
     cachedCreds = await refreshInflight;
     return cachedCreds;
 }
-// ── Masked session id (15-minute sliding window) ──
+// ── Masked session id (3-minute sliding window, jittered) ──
+// See the claude-api.ts copy of this block for the full rationale — real
+// Codex reuses the same id across consecutive requests in a conversation;
+// rolling one per request screams bot. Kept in sync with claude's TTL.
 let maskedSessionId = null;
-let maskedSessionLastUsedMs = 0;
+let maskedSessionExpiresAt = 0;
 function getMaskedSessionId() {
     const now = Date.now();
-    if (maskedSessionId && now - maskedSessionLastUsedMs < MASKED_SESSION_TTL_MS) {
-        maskedSessionLastUsedMs = now;
+    if (maskedSessionId && now < maskedSessionExpiresAt) {
         return maskedSessionId;
     }
     maskedSessionId = randomUUID();
-    maskedSessionLastUsedMs = now;
-    logger.info(`[codex-api] new masked session_id ${maskedSessionId.slice(0, 8)}... (previous expired)`);
+    const jitter = Math.floor((Math.random() * 2 - 1) * MASKED_SESSION_JITTER_MS);
+    maskedSessionExpiresAt = now + MASKED_SESSION_TTL_MS + jitter;
+    logger.info(`[codex-api] new masked session_id ${maskedSessionId.slice(0, 8)}... ` +
+        `(window=${Math.round((MASKED_SESSION_TTL_MS + jitter) / 1000)}s)`);
     return maskedSessionId;
 }
 // ── Rate-limit cooldown parsing ──

package/dist/relay/upstream/gemini-api.js

@@ -125,28 +125,33 @@ function loadGeminiOAuth() {
     }
     return raw;
 }
+/**
+ * Persist refreshed credentials to ~/.gemini/oauth_creds.json. Throws on
+ * failure — the caller (doRefreshAndPersist) must treat a failed write as
+ * a reason to keep the OLD token rather than advancing in-memory state, to
+ * avoid the "two valid access tokens for the same account" signal that
+ * Google's fraud detection interprets as account hijacking.
+ */
 function writeGeminiOAuth(creds) {
-    try {
-        const existing = existsSync(GEMINI_CREDS_FILE)
-            ? JSON.parse(readFileSync(GEMINI_CREDS_FILE, "utf-8"))
-            : {};
-        const merged = {
-            ...existing,
-            access_token: creds.access_token,
-            refresh_token: creds.refresh_token,
-            expiry_date: creds.expiry_date,
-            token_type: creds.token_type ?? existing["token_type"] ?? "Bearer",
-        };
-        if (creds.id_token)
-            merged["id_token"] = creds.id_token;
-        if (creds.scope)
-            merged["scope"] = creds.scope;
-        writeFileSync(GEMINI_CREDS_FILE, JSON.stringify(merged, null, 2), "utf-8");
-        logger.info("[gemini-api] ~/.gemini/oauth_creds.json updated");
-    }
-    catch (err) {
-        logger.warn(`[gemini-api] could not persist refreshed token: ${err.message}`);
-    }
+    const existing = existsSync(GEMINI_CREDS_FILE)
+        ? JSON.parse(readFileSync(GEMINI_CREDS_FILE, "utf-8"))
+        : {};
+    const merged = {
+        ...existing,
+        access_token: creds.access_token,
+        refresh_token: creds.refresh_token,
+        expiry_date: creds.expiry_date,
+        token_type: creds.token_type ?? existing["token_type"] ?? "Bearer",
+    };
+    if (creds.id_token)
+        merged["id_token"] = creds.id_token;
+    if (creds.scope)
+        merged["scope"] = creds.scope;
+    writeFileSync(GEMINI_CREDS_FILE, JSON.stringify(merged, null, 2), {
+        encoding: "utf-8",
+        mode: 0o600,
+    });
+    logger.info("[gemini-api] ~/.gemini/oauth_creds.json updated");
 }
 async function refreshUpstreamToken(refreshToken) {
     // Google OAuth2 uses application/x-www-form-urlencoded (not JSON like Claude's).
@@ -193,7 +198,15 @@ async function doRefreshAndPersist(current) {
         scope: fresh.scope ?? current.scope,
         token_type: fresh.token_type,
     };
-    writeGeminiOAuth(next);
+    // Persist FIRST. If writing to ~/.gemini/oauth_creds.json fails, keep the
+    // old token — see claude-api.ts doRefreshAndPersist for the rationale.
+    try {
+        writeGeminiOAuth(next);
+    }
+    catch (err) {
+        logger.error(`[gemini-api] CRITICAL: persist failed — keeping old token to avoid account-hijack detection signal: ${err.message}`);
+        return current;
+    }
     return next;
 }
 async function getFreshCreds() {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "clawmoney",
-  "version": "0.13.15",
+  "version": "0.14.0",
   "description": "ClawMoney CLI -- Earn rewards with your AI agent",
   "type": "module",
   "bin": {

package/scripts/install-daemon-launchd.sh

@@ -0,0 +1,128 @@
+#!/usr/bin/env bash
+# Install the ClawMoney relay daemon as a launchd user agent on macOS.
+#
+# Why: macOS Keychain is locked in non-interactive SSH sessions, so running
+# `clawmoney relay start` via `ssh host clawmoney relay start` silently fails
+# to read Claude Code's OAuth token. A launchd *user* agent (LaunchAgents)
+# runs in the user's GUI session context, where the Keychain is unlocked as
+# long as the user is logged in at the console.
+#
+# This script generates ~/Library/LaunchAgents/ai.clawmoney.relay.plist, wires
+# it up to the absolute path of the clawmoney binary, and loads it. After
+# running this once, the daemon will auto-start on login and auto-restart if
+# it crashes — no more "why did my daemon die overnight" pages.
+#
+# Usage:
+#   ./scripts/install-daemon-launchd.sh           # install + start
+#   ./scripts/install-daemon-launchd.sh uninstall # unload + remove plist
+#
+# Pre-reqs:
+#   - `clawmoney setup` has already written ~/.clawmoney/config.yaml
+#   - `clawmoney antigravity login` (if using antigravity)
+#   - You've installed clawmoney globally (npm i -g clawmoney)
+
+set -euo pipefail
+
+LABEL="ai.clawmoney.relay"
+PLIST_PATH="$HOME/Library/LaunchAgents/$LABEL.plist"
+LOG_DIR="$HOME/.clawmoney"
+STDOUT_LOG="$LOG_DIR/launchd.out.log"
+STDERR_LOG="$LOG_DIR/launchd.err.log"
+
+if [[ "$(uname)" != "Darwin" ]]; then
+  echo "error: this script is for macOS only (launchd)" >&2
+  exit 1
+fi
+
+if [[ "${1:-}" == "uninstall" ]]; then
+  echo "Unloading $LABEL..."
+  launchctl bootout "gui/$(id -u)/$LABEL" 2>/dev/null || true
+  rm -f "$PLIST_PATH"
+  echo "Removed $PLIST_PATH."
+  exit 0
+fi
+
+CLAWMONEY_BIN="$(command -v clawmoney || true)"
+if [[ -z "$CLAWMONEY_BIN" ]]; then
+  echo "error: clawmoney not found in PATH. Install with: npm i -g clawmoney" >&2
+  exit 1
+fi
+
+# launchd executes with a minimal PATH, so we resolve the real node too and
+# pass it through EnvironmentVariables. The clawmoney binary itself is a
+# Node shebang, so we need node on PATH at run time.
+NODE_BIN="$(command -v node || true)"
+if [[ -z "$NODE_BIN" ]]; then
+  echo "error: node not found in PATH" >&2
+  exit 1
+fi
+NODE_DIR="$(dirname "$NODE_BIN")"
+
+mkdir -p "$LOG_DIR"
+mkdir -p "$(dirname "$PLIST_PATH")"
+
+cat > "$PLIST_PATH" <<EOF
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>$LABEL</string>
+
+  <key>ProgramArguments</key>
+  <array>
+    <string>$CLAWMONEY_BIN</string>
+    <string>relay</string>
+    <string>start</string>
+  </array>
+
+  <key>RunAtLoad</key>
+  <true/>
+
+  <key>KeepAlive</key>
+  <true/>
+
+  <!-- Restart no more than once per 10 seconds if it crashes in a loop. -->
+  <key>ThrottleInterval</key>
+  <integer>10</integer>
+
+  <!-- Run inside the user's GUI login session so the Keychain is unlocked
+       and we can read Claude Code's OAuth token via `security`. -->
+  <key>ProcessType</key>
+  <string>Interactive</string>
+
+  <key>EnvironmentVariables</key>
+  <dict>
+    <!-- launchd's default PATH doesn't include Homebrew / nvm. Point at the
+         real node dir so the clawmoney shebang can find its interpreter. -->
+    <key>PATH</key>
+    <string>$NODE_DIR:/usr/local/bin:/opt/homebrew/bin:/usr/bin:/bin</string>
+    <key>HOME</key>
+    <string>$HOME</string>
+  </dict>
+
+  <key>WorkingDirectory</key>
+  <string>$HOME</string>
+
+  <key>StandardOutPath</key>
+  <string>$STDOUT_LOG</string>
+  <key>StandardErrorPath</key>
+  <string>$STDERR_LOG</string>
+</dict>
+</plist>
+EOF
+
+chmod 0644 "$PLIST_PATH"
+
+echo "Wrote $PLIST_PATH."
+echo "Loading into launchd..."
+
+# bootout first in case we're reinstalling.
+launchctl bootout "gui/$(id -u)/$LABEL" 2>/dev/null || true
+launchctl bootstrap "gui/$(id -u)" "$PLIST_PATH"
+
+echo ""
+echo "Daemon is running under launchd."
+echo "  logs: $STDOUT_LOG / $STDERR_LOG"
+echo "  check: clawmoney relay status"
+echo "  stop:  ./scripts/install-daemon-launchd.sh uninstall"