github-router 0.3.19 → 0.3.21

package/dist/main.js

@@ -1,12 +1,13 @@
 #!/usr/bin/env node
 import { defineCommand, runMain } from "citty";
 import consola from "consola";
+import { randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
-import { randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import process$1 from "node:process";
-import { execFileSync, spawn } from "node:child_process";
+import { execFile, execFileSync, spawn } from "node:child_process";
+import { promisify } from "node:util";
 import fs$1 from "node:fs";
 import { Writable } from "node:stream";
 import { serve } from "srvx";
@@ -37,6 +38,9 @@ const PATHS = {
 	},
 	get CLAUDE_RUNTIME_DIR() {
 		return path.join(appDir(), "runtime");
+	},
+	get CLAUDE_CONFIG_DIR() {
+		return path.join(appDir(), "claude-config");
 	}
 };
 async function ensurePaths() {
@@ -52,6 +56,318 @@ async function ensurePaths() {
 		consola.debug("Peer-agent .md sweep skipped:", err);
 	});
 }
+const CLAUDE_HOME_POLICY = new Map([
+	[".credentials.json", "ISOLATED"],
+	[".credentials.json.lock", "ISOLATED"],
+	[".oauth_refresh.lock", "ISOLATED"],
+	[".github-router-managed", "ISOLATED"],
+	["statsig", "ISOLATED"],
+	["cache", "ISOLATED"],
+	["logs", "ISOLATED"],
+	["paste-cache", "ISOLATED"],
+	["projects", "SHARED"],
+	["sessions", "SHARED"],
+	["tasks", "SHARED"],
+	["todos", "SHARED"],
+	["transcripts", "SHARED"],
+	["shell-snapshots", "SHARED"],
+	["shell_snapshots", "SHARED"],
+	["plans", "SHARED"],
+	["file-history", "SHARED"],
+	["backups", "SHARED"]
+]);
+function policyFor(name$1) {
+	return CLAUDE_HOME_POLICY.get(name$1) ?? "MIRRORED";
+}
+/**
+* Names with `SHARED` policy, materialized once for iteration in
+* `ensureClaudeConfigMirror`'s post-copy phase.
+*/
+const SHARED_TOPLEVEL_NAMES = Array.from(CLAUDE_HOME_POLICY.entries()).filter(([, kind]) => kind === "SHARED").map(([name$1]) => name$1);
+/**
+* Marker file written into the router-owned CLAUDE_CONFIG_DIR so users
+* (and our own future sweeps) can identify that the dir is managed by
+* github-router. Content is informational only; no logic depends on
+* its presence.
+*/
+const MANAGED_MARKER_FILENAME = ".github-router-managed";
+/**
+* Synthetic Console OAuth credential the router writes into its own
+* `CLAUDE_CONFIG_DIR/.credentials.json` so spawned Claude Code (and
+* any teammates it spawns) can authenticate without a real user
+* `/login`.
+*
+* Schema verified verbatim from `claude` v2.1.140 binary, function
+* `guH` (the credentials-save mutation). Fields:
+*   - `accessToken` — sent as `Authorization: Bearer ...` to the
+*     proxy. Proxy accepts any bearer (per CLAUDE.md "doesn't enforce
+*     auth").
+*   - `refreshToken` — only used by Claude Code's reactive refresh
+*     path (function `nH8`), which fires on 401 from upstream. The
+*     proxy maintains the no-401 invariant on the Anthropic-shape
+*     boundary, so this is never invoked. Synthetic value is fine.
+*   - `expiresAt` — far-future (2099-01-01 ms epoch). Sidesteps the
+*     proactive refresh path (`R8H(expiresAt)` returns false).
+*   - `scopes` — claude-ai-shaped so `tB(scopes)` returns true,
+*     making `Hq()` true (full feature surface, not "inference only").
+*   - `subscriptionType` — `"max"`. Pure client-side label
+*     (`e7()` / `Zc_()` / `CZ1()`); no server validation since
+*     `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1` suppresses
+*     subscription-validation calls. Picks the most-permissive gating.
+*/
+const SYNTHETIC_CREDENTIAL = { claudeAiOauth: {
+	accessToken: "github-router-synthetic",
+	refreshToken: "github-router-synthetic",
+	expiresAt: 40709088e5,
+	scopes: ["user:inference", "user:profile"],
+	subscriptionType: "max",
+	rateLimitTier: null,
+	clientId: "github-router"
+} };
+/**
+* Snapshot-copy the user's `~/.claude/` into the router-owned
+* CLAUDE_CONFIG_DIR (real files, not symlinks — symlinks don't isolate
+* writes), classifying each top-level entry per `CLAUDE_HOME_POLICY`:
+* ISOLATED entries are skipped, MIRRORED entries are copied, and
+* SHARED entries become directory symlinks back to `~/.claude/<X>` so
+* chat history (in `projects/<cwd-hash>/<session-uuid>.jsonl`) and
+* other durable user state flow between proxy and plain-`claude`
+* sessions. Then writes the synthetic `.credentials.json` so spawned
+* Claude Code (and teammates that inherit `CLAUDE_CONFIG_DIR`)
+* authenticate.
+*
+* Idempotent: only re-copies files whose source `mtime` is newer than
+* target; SHARED-symlink creation no-ops when the symlink already
+* points at the right target. Concurrent-safe: `mkdir({recursive:true})`
+* is idempotent; symlinks are created via atomic temp+rename so two
+* parallel github-router-claude startups can't race to EEXIST; the
+* credentials write uses temp-file + atomic rename so Claude Code's
+* `EZ1()` mtime watcher never sees a partial write.
+*
+* Walks with `lstat` (does NOT follow symlinks during traversal — a
+* symlink-into-`/` would otherwise let the walk escape). Symlink leaves
+* in the source tree are skipped during the MIRRORED copy walk (per the
+* symlink-confused-deputy security finding); SHARED symlinks are
+* created on the mirror side only, pointing at predetermined targets
+* inside the user's real `~/.claude/`.
+*
+* Caller is expected to invoke this after `ensurePaths()` and before
+* spawning Claude Code (`launchChild`). The mirror must exist before
+* the child reads it. Currently called from the `claude` subcommand
+* entry point only; `start` and `codex` subcommands don't need it.
+*/
+async function ensureClaudeConfigMirror(opts = {}) {
+	const realHome = opts.realHome ?? os.homedir();
+	const sourceDir = path.join(realHome, ".claude");
+	const targetDir = PATHS.CLAUDE_CONFIG_DIR;
+	await fs.mkdir(targetDir, {
+		recursive: true,
+		mode: 448
+	});
+	await chmodIfPossible(targetDir, 448);
+	let sourceExists = false;
+	try {
+		sourceExists = (await fs.stat(sourceDir)).isDirectory();
+	} catch (err) {
+		if (err.code !== "ENOENT") consola.debug(`ensureClaudeConfigMirror: cannot stat ${sourceDir}:`, err);
+	}
+	if (sourceExists) await mirrorDirRecursive(sourceDir, targetDir, "");
+	await fs.mkdir(path.join(targetDir, "agents"), { recursive: true });
+	for (const name$1 of SHARED_TOPLEVEL_NAMES) await ensureSharedSymlink(name$1, sourceDir, targetDir).catch((err) => {
+		consola.debug(`ensureClaudeConfigMirror: SHARED symlink for ${name$1} skipped:`, err);
+	});
+	const credentialsPath = path.join(targetDir, ".credentials.json");
+	const desiredJson = JSON.stringify(SYNTHETIC_CREDENTIAL, null, 2);
+	let needsWrite = true;
+	try {
+		needsWrite = (await fs.readFile(credentialsPath, "utf8")).trim() !== desiredJson.trim();
+	} catch (err) {
+		if (err.code !== "ENOENT") consola.debug(`ensureClaudeConfigMirror: cannot read existing credentials:`, err);
+	}
+	if (needsWrite) {
+		const tempPath = `${credentialsPath}.${process.pid}.tmp`;
+		try {
+			await fs.writeFile(tempPath, desiredJson + "\n", {
+				mode: 384,
+				flag: "wx"
+			});
+			await fs.rename(tempPath, credentialsPath);
+		} catch (err) {
+			if (err.code === "EEXIST") consola.debug("ensureClaudeConfigMirror: concurrent credentials-write detected, skipping");
+			else {
+				await fs.unlink(tempPath).catch(() => {});
+				throw err;
+			}
+		}
+	}
+	await chmodIfPossible(credentialsPath, 384);
+	const markerPath = path.join(targetDir, MANAGED_MARKER_FILENAME);
+	let markerExists = false;
+	try {
+		const markerStat = await fs.lstat(markerPath);
+		if (markerStat.isFile()) markerExists = true;
+		else {
+			consola.warn(`ensureClaudeConfigMirror: ${markerPath} exists but is not a regular file (mode=${markerStat.mode.toString(8)}); refusing to overwrite. Inspect and remove manually if safe.`);
+			markerExists = true;
+		}
+	} catch (err) {
+		if (err.code !== "ENOENT") {
+			consola.debug(`ensureClaudeConfigMirror: cannot lstat marker:`, err);
+			markerExists = true;
+		}
+	}
+	if (!markerExists) {
+		const body = `Managed by github-router. Created ${(/* @__PURE__ */ new Date()).toISOString()}. Safe to delete (will be recreated).\n`;
+		await fs.writeFile(markerPath, body, {
+			mode: 384,
+			flag: "wx"
+		}).catch((err) => {
+			consola.debug(`ensureClaudeConfigMirror: marker write skipped:`, err);
+		});
+	}
+}
+/**
+* Recursive snapshot-copy helper for `ensureClaudeConfigMirror`. Walks
+* `sourceDir/relPath` and mirrors each entry into `targetDir/relPath`.
+* - Top-level entries are dispatched on `policyFor(name)`:
+*     - `ISOLATED` → skipped entirely (no presence in mirror).
+*     - `SHARED`   → skipped from the copy walk; handled by
+*                    `ensureSharedSymlink` in the post-copy phase.
+*     - `MIRRORED` → copied as today.
+* - Symlinks are skipped (not recreated) so the walk never follows out
+*   of `sourceDir` and we don't reintroduce a confused-deputy vector.
+* - Files copy only if source mtime > target mtime (idempotent).
+*/
+async function mirrorDirRecursive(sourceDir, targetDir, relPath) {
+	const sourcePath = path.join(sourceDir, relPath);
+	let entries;
+	try {
+		entries = await fs.readdir(sourcePath);
+	} catch (err) {
+		if (err.code === "ENOENT") return;
+		consola.debug(`mirrorDirRecursive: cannot readdir ${sourcePath}:`, err);
+		return;
+	}
+	for (const name$1 of entries) {
+		if (relPath === "") {
+			const policy = policyFor(name$1);
+			if (policy === "ISOLATED" || policy === "SHARED") continue;
+		}
+		const childRel = relPath === "" ? name$1 : path.join(relPath, name$1);
+		const childSource = path.join(sourceDir, childRel);
+		const childTarget = path.join(targetDir, childRel);
+		let stats;
+		try {
+			stats = await fs.lstat(childSource);
+		} catch (err) {
+			consola.debug(`mirrorDirRecursive: cannot lstat ${childSource}:`, err);
+			continue;
+		}
+		if (stats.isSymbolicLink()) {
+			consola.debug(`mirrorDirRecursive: skipping symlink ${childSource} (security policy)`);
+			continue;
+		}
+		if (stats.isDirectory()) {
+			await fs.mkdir(childTarget, { recursive: true });
+			await mirrorDirRecursive(sourceDir, targetDir, childRel);
+			continue;
+		}
+		if (stats.isFile()) {
+			let needsCopy = true;
+			try {
+				const targetStat = await fs.lstat(childTarget);
+				if (targetStat.isFile() && targetStat.mtimeMs >= stats.mtimeMs) needsCopy = false;
+			} catch (err) {
+				if (err.code !== "ENOENT") consola.debug(`mirrorDirRecursive: lstat target ${childTarget}:`, err);
+			}
+			if (!needsCopy) continue;
+			try {
+				await fs.copyFile(childSource, childTarget, fs.constants.COPYFILE_FICLONE);
+			} catch (err) {
+				consola.debug(`mirrorDirRecursive: copy ${childSource} → ${childTarget}:`, err);
+			}
+			continue;
+		}
+	}
+}
+/**
+* Create or refresh a directory symlink `<mirrorDir>/<name>` →
+* `<sourceDir>/<name>` (i.e. `~/.local/share/github-router/claude-config/<X>`
+* → `~/.claude/<X>`). Idempotent and concurrent-safe.
+*
+* Behavior depending on what's already at `<mirrorDir>/<name>`:
+*   - Symlink with the correct target → no-op.
+*   - Symlink with the wrong target → replace atomically.
+*   - Empty real directory (legacy mirror leftover with no proxy-session
+*     writes accumulated yet) → `rmdir` and replace with the symlink.
+*     Safe by definition: `fs.rmdir` only succeeds on empty dirs (POSIX),
+*     so there is nothing to lose. Smooths the upgrade path for users
+*     whose legacy mirror dirs were never written to.
+*   - Non-empty real directory or regular file → loud-warn and skip.
+*     Auto-deleting would destroy proxy-session writes from the prior
+*     version. The user is told the exact path and remediation.
+*   - ENOENT → create symlink atomically.
+*
+* Atomic-creation: symlinks are first written at a unique side-path
+* (`<mirrorDir>/<name>.tmp.<pid>.<8 hex>`) and then `fs.rename()`d into
+* place. POSIX `rename` is atomic and replaces an existing symlink in
+* a single step, so two concurrent `github-router claude` startups can't
+* race to `EEXIST` — the loser's rename just overwrites the winner's
+* symlink with an identical one. Gemini-critic 3-lab-review finding.
+*
+* Pre-creates `~/.claude/<name>/` as a real directory if missing so
+* Claude Code's writes through the symlink don't fail with ENOENT.
+*/
+async function ensureSharedSymlink(name$1, sourceDir, mirrorDir) {
+	const sourcePath = path.join(sourceDir, name$1);
+	const mirrorPath = path.join(mirrorDir, name$1);
+	try {
+		await fs.mkdir(sourcePath, { recursive: true });
+	} catch (err) {
+		consola.debug(`ensureSharedSymlink(${name$1}): cannot mkdir source ${sourcePath}:`, err);
+		return;
+	}
+	let existing = null;
+	try {
+		existing = await fs.lstat(mirrorPath);
+	} catch (err) {
+		if (err.code !== "ENOENT") {
+			consola.debug(`ensureSharedSymlink(${name$1}): cannot lstat ${mirrorPath}:`, err);
+			return;
+		}
+	}
+	if (existing?.isSymbolicLink()) {
+		let currentTarget = null;
+		try {
+			currentTarget = await fs.readlink(mirrorPath);
+		} catch (err) {
+			consola.debug(`ensureSharedSymlink(${name$1}): cannot readlink ${mirrorPath}:`, err);
+		}
+		if (currentTarget === sourcePath) return;
+	} else if (existing?.isDirectory()) try {
+		await fs.rmdir(mirrorPath);
+	} catch (err) {
+		consola.warn(`ensureClaudeConfigMirror: ${mirrorPath} is a non-empty real directory from an older github-router version; refusing to clobber. If you want chat-history continuity for "${name$1}", move its contents into ${sourcePath}/ then delete ${mirrorPath}; the mirror will create a symlink on next launch. (rmdir error: ${err.code ?? "unknown"})`);
+		return;
+	}
+	else if (existing) {
+		consola.warn(`ensureClaudeConfigMirror: ${mirrorPath} is a regular file at a SHARED symlink slot; refusing to clobber. Inspect and remove manually if safe; the mirror will create a symlink on next launch.`);
+		return;
+	}
+	const tempPath = `${mirrorPath}.tmp.${process.pid}.${randomBytes(4).toString("hex")}`;
+	try {
+		await fs.symlink(sourcePath, tempPath);
+	} catch (err) {
+		consola.debug(`ensureSharedSymlink(${name$1}): symlink ${tempPath} failed:`, err);
+		return;
+	}
+	try {
+		await fs.rename(tempPath, mirrorPath);
+	} catch (err) {
+		consola.debug(`ensureSharedSymlink(${name$1}): rename ${tempPath} → ${mirrorPath} failed:`, err);
+		await fs.unlink(tempPath).catch(() => {});
+	}
+}
 async function ensureFile(filePath) {
 	try {
 		await fs.access(filePath, fs.constants.W_OK);
@@ -138,12 +454,15 @@ function isPidAlive(pid) {
 	}
 }
 /**
-* Sweep stale peer-* subagent .md files from `~/.claude/agents/`. Phase
-* 2.5 writes one .md per peer agent into the canonical agents directory
-* so they appear in Claude Code's Task `subagent_type` enum. Files are
-* named `peer-<pid>-<rand>-<agentName>.md` so this sweep can drop
-* orphans from crashed prior proxy sessions without touching the user's
-* own .md files.
+* Sweep stale peer-* subagent .md files from the router-owned
+* `CLAUDE_CONFIG_DIR/agents/`. Phase 2.5 writes one .md per peer agent
+* into Claude Code's agents directory (now our config dir's `agents/`
+* subdir, since `getClaudeCodeEnvVars` points `CLAUDE_CONFIG_DIR` at
+* `PATHS.CLAUDE_CONFIG_DIR`) so they appear in Claude Code's Task
+* `subagent_type` enum. Files are named `peer-<pid>-<rand>-<agentName>.md`
+* so this sweep can drop orphans from crashed prior proxy sessions
+* without touching the user's own .md files (which were copied into
+* the same dir during `ensureClaudeConfigMirror`).
 *
 * Same liveness rule as `sweepStaleRuntimeFiles`: only delete when the
 * file's embedded PID is no longer alive. Live PIDs keep their files —
@@ -159,7 +478,7 @@ function isPidAlive(pid) {
 * realistic user filename.
 */
 async function sweepStalePeerAgentMdFiles() {
-	const dir = path.join(os.homedir(), ".claude", "agents");
+	const dir = path.join(PATHS.CLAUDE_CONFIG_DIR, "agents");
 	let entries;
 	try {
 		entries = await fs.readdir(dir);
@@ -272,19 +591,20 @@ async function forwardError(c, error) {
 				}
 			}, 400);
 		}
+		const responseStatus = error.response.status === 401 ? 503 : error.response.status;
 		if (isAnthropicError(errorJson)) {
 			consola.error("HTTP error:", errorJson);
-			return c.json(errorJson, error.response.status);
+			return c.json(errorJson, responseStatus);
 		}
 		const message = resolveErrorMessage(errorJson, errorText);
 		consola.error("HTTP error:", errorJson ?? errorText);
 		return c.json({
 			type: "error",
 			error: {
-				type: resolveErrorType(error.response.status),
+				type: resolveErrorType(responseStatus),
 				message
 			}
-		}, error.response.status);
+		}, responseStatus);
 	}
 	return c.json({
 		type: "error",
@@ -341,6 +661,12 @@ function isContextOverflow(status, errorJson, errorText) {
 }
 /**
 * Map HTTP status to Anthropic error type.
+*
+* Note: a 401 from upstream is remapped to 503 in `forwardError` BEFORE
+* this function is called (no-401 invariant — see comment there). The
+* 401 → "authentication_error" mapping below is preserved for
+* defensive coverage in case any code path calls `resolveErrorType`
+* directly with an unsanitized status.
 */
 function resolveErrorType(status) {
 	if (status === 400) return "invalid_request_error";
@@ -348,6 +674,7 @@ function resolveErrorType(status) {
 	if (status === 403) return "permission_error";
 	if (status === 404) return "not_found_error";
 	if (status === 429) return "rate_limit_error";
+	if (status === 503) return "overloaded_error";
 	if (status === 529) return "overloaded_error";
 	return "api_error";
 }
@@ -494,9 +821,22 @@ const VSCODE_BETA_PREFIXES = [
 * to work with the Copilot API.
 *
 * Notably absent (Copilot 400s on these — verified live):
-*   context-1m-, skills-, files-api-, code-execution-, output-128k-.
+*   context-1m-, skills-, files-api-, code-execution-, output-128k-,
+*   advisor-tool- (see EXPLICITLY_STRIPPED_BETA_PREFIXES below).
 * 1M context is unlocked by selecting `claude-opus-4.7-1m-internal`
 * as the model id, not via a beta header.
+*
+* Empirical verification (2026-05-11 against api.enterprise.githubcopilot.com):
+*   task-budgets-2026-03-13          → 200 ACCEPTED (cost-ceiling leverage)
+*   token-efficient-tools-2026-03-28 → 200 ACCEPTED (per-tool token saving)
+*   summarize-connector-text-2026-03-13 → 200 (Anthropic-internal feature flag,
+*     won't fire for non-ant users; allowlisted defensively for ant edge case)
+*   afk-mode-2026-01-31              → 200 (Anthropic-internal feature flag)
+*   cli-internal-2026-02-09          → 200 (USER_TYPE=ant only)
+*   oauth-2025-04-20                 → 200 (Files-API path; Files-API itself
+*     is not supportable via Copilot, but the header alone is harmless)
+*   prompt-caching-scope-2026-01-05  → 200 even with body cache_control.scope
+*     stripped (already covered by `prompt-caching-` prefix above)
 */
 const EXTENDED_BETA_PREFIXES = [
 	...VSCODE_BETA_PREFIXES,
@@ -513,17 +853,39 @@ const EXTENDED_BETA_PREFIXES = [
 	"mcp-client-",
 	"mcp-servers-",
 	"redact-thinking-",
-	"web-search-"
+	"web-search-",
+	"task-budgets-",
+	"token-efficient-tools-",
+	"summarize-connector-text-",
+	"afk-mode-",
+	"cli-internal-",
+	"oauth-"
 ];
 /**
+* Beta prefixes the proxy explicitly STRIPS even from the extended
+* allowlist (and even if a future leverage mode broadens the allowlist
+* further). Defensive layer: today's allowlist-only filter would already
+* drop these because they're not in any allowlist, but keeping an
+* explicit deny-list catches future changes that broaden allow rules
+* (e.g. a hypothetical pattern-based mode that lets `claude-*` through).
+*
+* Empirical (2026-05-11): Copilot returns HTTP 400
+*   `unsupported beta header(s): advisor-tool-2026-03-01`
+* on every request that includes `advisor-tool-`. Stripping it is the
+* difference between a working request (no ADVISOR semantics) and a
+* fully-failed request. Document upstream limitation in CLAUDE.md.
+*/
+const EXPLICITLY_STRIPPED_BETA_PREFIXES = ["advisor-tool-"];
+/**
 * Filter an `anthropic-beta` header value, keeping only beta flags
-* in the active whitelist. Uses extended prefixes when --extended-betas
-* is enabled, VS Code-only prefixes otherwise.
-* Returns the filtered comma-separated string, or undefined if nothing remains.
+* in the active whitelist AND not in the explicit-strip list.
+* Uses extended prefixes when --extended-betas is enabled, VS Code-only
+* prefixes otherwise. Returns the filtered comma-separated string,
+* or undefined if nothing remains.
 */
 function filterBetaHeader(value) {
 	const prefixes = state.extendedBetas ? EXTENDED_BETA_PREFIXES : VSCODE_BETA_PREFIXES;
-	return value.split(",").map((v) => v.trim()).filter((v) => v && prefixes.some((prefix) => v.startsWith(prefix))).join(",") || void 0;
+	return value.split(",").map((v) => v.trim()).filter((v) => v && prefixes.some((prefix) => v.startsWith(prefix)) && !EXPLICITLY_STRIPPED_BETA_PREFIXES.some((p) => v.startsWith(p))).join(",") || void 0;
 }
 /**
 * Normalize a model ID for fuzzy comparison: lowercase, replace dots with
@@ -579,6 +941,20 @@ function resolveModel(modelId) {
 			return retried;
 		}
 	}
+	if (lower.startsWith("claude-")) {
+		const matchSonnet = /(?:^|-)sonnet(?:-|$)/.test(lower);
+		const matchHaiku = /(?:^|-)haiku(?:-|$)/.test(lower);
+		if (matchSonnet || matchHaiku) {
+			const family = matchSonnet ? "sonnet" : "haiku";
+			const familyMembers = models.filter((m) => (/* @__PURE__ */ new RegExp(`(?:^|-)${family}(?:-|$|\\.)`)).test(m.id));
+			if (familyMembers.length > 0) {
+				familyMembers.sort((a, b) => b.id.localeCompare(a.id, void 0, { numeric: true }));
+				const best = familyMembers[0].id;
+				consola.info(`Model "${modelId}" not in Copilot catalog; falling back to highest available "${best}" (legacy ${family} slug). Pin a current catalog id to silence.`);
+				return best;
+			}
+		}
+	}
 	consola.warn(`Model "${modelId}" not found in Copilot model list. Available: ${models.map((m) => m.id).join(", ")}`);
 	return modelId;
 }
@@ -835,6 +1211,177 @@ const checkUsage = defineCommand({
 	}
 });
 
+//#endregion
+//#region src/lib/claude-version-check.ts
+const execFileAsync = promisify(execFile);
+const NPM_PACKAGE = "@anthropic-ai/claude-code";
+const THROTTLE_HOURS = 1;
+const NPM_VIEW_TIMEOUT_MS = 5e3;
+const NPM_INSTALL_TIMEOUT_MS = 12e4;
+/** Path to the throttle cache. Created on demand. */
+function cacheFilePath() {
+	return path.join(os.homedir(), ".local", "share", "github-router", "last-update-check");
+}
+/**
+* Read the throttle cache. Returns null on missing/corrupt file —
+* triggers a fresh check.
+*/
+async function readCache() {
+	try {
+		const raw = await fs.readFile(cacheFilePath(), "utf8");
+		const parsed = JSON.parse(raw);
+		if (typeof parsed.checkedAt !== "string" || parsed.installedVersion !== null && typeof parsed.installedVersion !== "string" || parsed.latestVersion !== null && typeof parsed.latestVersion !== "string") return null;
+		return parsed;
+	} catch {
+		return null;
+	}
+}
+async function writeCache(cache) {
+	try {
+		await fs.mkdir(path.dirname(cacheFilePath()), { recursive: true });
+		await fs.writeFile(cacheFilePath(), JSON.stringify(cache), { mode: 384 });
+	} catch (err) {
+		consola.debug("Failed to write claude version-check cache:", err);
+	}
+}
+/** Check if it's been more than THROTTLE_HOURS since the last check. */
+function shouldCheckNow(cache) {
+	if (!cache) return true;
+	const lastCheck = new Date(cache.checkedAt).getTime();
+	if (Number.isNaN(lastCheck)) return true;
+	return (Date.now() - lastCheck) / 1e3 / 3600 >= THROTTLE_HOURS;
+}
+/**
+* Read the installed `claude` version. Returns null if claude is not
+* on PATH or the version probe fails (e.g. older versions that don't
+* support `--version` cleanly).
+*/
+function getInstalledVersion() {
+	try {
+		const match = execFileSync("claude", ["--version"], {
+			stdio: [
+				"ignore",
+				"pipe",
+				"ignore"
+			],
+			timeout: 3e3,
+			encoding: "utf8"
+		}).match(/^(\d+\.\d+\.\d+)/);
+		return match ? match[1] : null;
+	} catch {
+		return null;
+	}
+}
+/**
+* Fetch the latest version of @anthropic-ai/claude-code from the npm
+* registry. Returns null on network failure / npm unavailable.
+*/
+async function getLatestVersion() {
+	try {
+		const { stdout } = await execFileAsync("npm", [
+			"view",
+			NPM_PACKAGE,
+			"version",
+			"--silent"
+		], { timeout: NPM_VIEW_TIMEOUT_MS });
+		const v = stdout.trim();
+		return /^\d+\.\d+\.\d+/.test(v) ? v : null;
+	} catch {
+		return null;
+	}
+}
+/**
+* Compare two semver-shaped strings (only the leading X.Y.Z, no
+* pre-release / metadata handling — sufficient for npm-published
+* stable releases). Returns true if `latest` is strictly higher than
+* `installed`.
+*/
+function isNewer(installed, latest) {
+	if (!installed || !latest) return false;
+	const a = installed.split(".").map((n) => parseInt(n, 10));
+	const b = latest.split(".").map((n) => parseInt(n, 10));
+	for (let i = 0; i < 3; i++) {
+		const av = a[i] ?? 0;
+		const bv = b[i] ?? 0;
+		if (av < bv) return true;
+		if (av > bv) return false;
+	}
+	return false;
+}
+/**
+* Run a version check (subject to throttle). Side-effect: updates the
+* throttle cache. Returns the comparison result.
+*/
+async function checkClaudeVersion(opts = {}) {
+	if (opts.noCheck) return {
+		installed: false,
+		installedVersion: null,
+		latestVersion: null,
+		needsUpdate: false,
+		skipped: true,
+		skipReason: "disabled"
+	};
+	const cache = await readCache();
+	if (!opts.force && !shouldCheckNow(cache)) return {
+		installed: cache?.installedVersion !== null,
+		installedVersion: cache?.installedVersion ?? null,
+		latestVersion: cache?.latestVersion ?? null,
+		needsUpdate: isNewer(cache?.installedVersion ?? null, cache?.latestVersion ?? null),
+		skipped: true,
+		skipReason: "throttled"
+	};
+	const installedVersion = getInstalledVersion();
+	if (installedVersion === null) return {
+		installed: false,
+		installedVersion: null,
+		latestVersion: null,
+		needsUpdate: false,
+		skipped: true,
+		skipReason: "no-claude"
+	};
+	const latestVersion = await getLatestVersion();
+	await writeCache({
+		checkedAt: (/* @__PURE__ */ new Date()).toISOString(),
+		installedVersion,
+		latestVersion
+	});
+	if (latestVersion === null) return {
+		installed: true,
+		installedVersion,
+		latestVersion: null,
+		needsUpdate: false,
+		skipped: true,
+		skipReason: "no-npm"
+	};
+	return {
+		installed: true,
+		installedVersion,
+		latestVersion,
+		needsUpdate: isNewer(installedVersion, latestVersion),
+		skipped: false
+	};
+}
+/**
+* Run `npm install -g @anthropic-ai/claude-code@latest` synchronously.
+* Throws on failure — the caller decides whether to abort the launch
+* or continue with the older version.
+*/
+async function autoUpdateClaude(latestVersion) {
+	consola.info(`Updating ${NPM_PACKAGE} to ${latestVersion} (this may take ~30s)...`);
+	try {
+		await execFileAsync("npm", [
+			"install",
+			"-g",
+			`${NPM_PACKAGE}@latest`,
+			"--silent"
+		], { timeout: NPM_INSTALL_TIMEOUT_MS });
+		consola.success(`${NPM_PACKAGE} updated to ${latestVersion}`);
+	} catch (err) {
+		const msg = err instanceof Error ? err.message : String(err);
+		throw new Error(`npm install failed: ${msg}`);
+	}
+}
+
 //#endregion
 //#region src/lib/port.ts
 const DEFAULT_PORT = 8787;
@@ -915,10 +1462,20 @@ const STRIPPED_PARENT_ENV_KEYS = [
 	"ANTHROPIC_CUSTOM_HEADERS",
 	"ANTHROPIC_MODEL",
 	"CLAUDE_CODE_OAUTH_TOKEN",
+	"CLAUDE_CODE_OAUTH_TOKEN_FILE_DESCRIPTOR",
 	"CLAUDE_CODE_USE_BEDROCK",
 	"CLAUDE_CODE_USE_VERTEX",
 	"CLAUDE_CODE_USE_FOUNDRY",
 	"CLAUDE_CONFIG_DIR",
+	"CLAUDE_BRIDGE_OAUTH_TOKEN",
+	"CLAUDE_BRIDGE_BASE_URL",
+	"CLAUDE_BRIDGE_SESSION_INGRESS_URL",
+	"SESSION_INGRESS_URL",
+	"CLAUDE_CODE_REMOTE",
+	"CLAUDE_CODE_CONTAINER_ID",
+	"CLAUDE_CODE_REMOTE_SESSION_ID",
+	"CLAUDE_CODE_SESSION_ID",
+	"CLAUDE_CODE_ADDITIONAL_PROTECTION",
 	"OPENAI_API_KEY",
 	"OPENAI_BASE_URL",
 	"CODEX_HOME"
@@ -1441,12 +1998,16 @@ function buildPeerAgentDefinitions(opts) {
 * Default location Claude Code reads subagent .md files from at session
 * startup. Files placed here populate the Task `subagent_type` enum.
 *
-* We pin to the user's `~/.claude/agents/` because `getClaudeCodeEnvVars`
-* sets `CLAUDE_CONFIG_DIR=$HOME/.claude` (the Spawned-CLI auth isolation
-* trick) — the spawned child reads from this exact path.
+* We point at the router-owned `PATHS.CLAUDE_CONFIG_DIR/agents/` because
+* `getClaudeCodeEnvVars` sets `CLAUDE_CONFIG_DIR=PATHS.CLAUDE_CONFIG_DIR`
+* (the snapshot-mirror substrate fix that gives spawned teammates an
+* authenticatable on-disk credential). The user's own custom-agent .md
+* files were copied into this same dir by `ensureClaudeConfigMirror`,
+* so writing peer-* files here doesn't conflict — and the boot-time
+* sweep is scoped to peer-* names only via the persona-name allowlist.
 */
 function defaultAgentsDir() {
-	return path.join(os.homedir(), ".claude", "agents");
+	return path.join(PATHS.CLAUDE_CONFIG_DIR, "agents");
 }
 /**
 * YAML frontmatter string-escape — sufficient for our use case where
@@ -1783,7 +2344,7 @@ function initProxyFromEnv() {
 //#endregion
 //#region package.json
 var name = "github-router";
-var version = "0.3.19";
+var version = "0.3.21";
 
 //#endregion
 //#region src/lib/approval.ts
@@ -1897,7 +2458,7 @@ function detectCapabilityMismatch(info, model) {
 
 //#endregion
 //#region src/lib/stream-relay.ts
-const ENCODER$2 = new TextEncoder();
+const ENCODER$3 = new TextEncoder();
 /**
 * Detect the family of "controller has already closed" errors that Bun and
 * the WHATWG streams runtime throw when an enqueue/close call races with
@@ -1987,7 +2548,7 @@ function relayAnthropicStream(body, opts) {
 				consola.error(`Upstream stream interrupted at ${opts.routePath}: bytes=${bytesRelayed} errType=${errName} message=${JSON.stringify(errMessage)}`);
 				const event = buildAnthropicErrorEvent(errName, errMessage);
 				try {
-					controller.enqueue(ENCODER$2.encode(event));
+					controller.enqueue(ENCODER$3.encode(event));
 				} catch (enqueueError) {
 					if (!isControllerClosedError(enqueueError)) consola.warn(`Could not deliver error event to consumer at ${opts.routePath}: ${enqueueError instanceof Error ? enqueueError.message : String(enqueueError)}`);
 				}
@@ -2471,7 +3032,7 @@ async function searchWeb(query) {
 
 //#endregion
 //#region src/routes/chat-completions/handler.ts
-const ENCODER$1 = new TextEncoder();
+const ENCODER$2 = new TextEncoder();
 function formatSSE$1(chunk) {
 	const parts = [];
 	if (chunk.event) parts.push(`event: ${chunk.event}`);
@@ -2570,7 +3131,7 @@ async function handleCompletion$1(c) {
 				const chunk = pendingFirstChunk;
 				pendingFirstChunk = void 0;
 				if (debugEnabled) consola.debug("Streaming chunk:", JSON.stringify(chunk));
-				safeEnqueue(controller, ENCODER$1.encode(formatSSE$1(chunk)));
+				safeEnqueue(controller, ENCODER$2.encode(formatSSE$1(chunk)));
 				return;
 			}
 			try {
@@ -2586,7 +3147,7 @@ async function handleCompletion$1(c) {
 				}
 				if (result.value === void 0 || result.value === null) return;
 				if (debugEnabled) consola.debug("Streaming chunk:", JSON.stringify(result.value));
-				safeEnqueue(controller, ENCODER$1.encode(formatSSE$1(result.value)));
+				safeEnqueue(controller, ENCODER$2.encode(formatSSE$1(result.value)));
 			} catch (error) {
 				upstreamFinished = true;
 				if (consumerCancelled) {
@@ -2595,7 +3156,7 @@ async function handleCompletion$1(c) {
 					return;
 				}
 				const { errName, errMessage } = logStreamError(c.req.path, error);
-				safeEnqueue(controller, ENCODER$1.encode(buildOpenAIErrorEvent(errName, errMessage)));
+				safeEnqueue(controller, ENCODER$2.encode(buildOpenAIErrorEvent(errName, errMessage)));
 				releaseUpstream(error);
 				safeClose(controller);
 			}
@@ -2720,7 +3281,13 @@ const createResponses = async (payload, modelHeaders, callerSignal) => {
 	};
 	const response = await tryRefreshAndRetry(doFetch, "/responses");
 	if (!response.ok) {
-		consola.error("Failed to create responses", response);
+		let bodyText;
+		try {
+			bodyText = await response.clone().text();
+		} catch {
+			bodyText = "(failed to read body)";
+		}
+		consola.error(`Failed to create responses: HTTP ${response.status} ${response.statusText} from ${url} — body: ${bodyText.slice(0, 2e3)}`);
 		throw new HTTPError("Failed to create responses", response);
 	}
 	if (payload.stream) return events(response);
@@ -2784,6 +3351,23 @@ function isEffort(v) {
 *  § "Concurrency cap investigation" for the full justification.  */
 const MAX_INFLIGHT_TOOLS_CALL = 8;
 let inFlightToolsCall = 0;
+/**
+* Per-request AbortController registry for `notifications/cancelled`
+* (Phase D P1.5). When a client times out a tools/call before the
+* upstream Copilot fetch completes, the JSON-RPC notification:
+*   { jsonrpc:"2.0", method:"notifications/cancelled",
+*     params:{ requestId: "<id>", reason?: "..." } }
+* arrives. Without handling, the upstream fetch keeps running until
+* natural completion, leaking the inFlightToolsCall slot for tens of
+* minutes. Tracking the AbortController lets us abort the fetch and
+* free the slot immediately.
+*
+* Important: per CLAUDE.md "Bun request-signal quirk", we use OUR own
+* AbortController (NOT c.req.raw.signal which fires after request body
+* is consumed). The signal is threaded into createResponses /
+* createChatCompletions's `callerSignal` parameter.
+*/
+const inflightAborts = /* @__PURE__ */ new Map();
 const RPC_PARSE_ERROR = -32700;
 const RPC_INVALID_REQUEST = -32600;
 const RPC_METHOD_NOT_FOUND = -32601;
@@ -2920,7 +3504,7 @@ function toolError(message) {
 		isError: true
 	};
 }
-async function callPersona(persona, prompt, context, effort) {
+async function callPersona(persona, prompt, context, effort, signal) {
 	const resolvedModel = resolveModel(persona.model);
 	const userText = buildUserText(prompt, context);
 	if (persona.endpoint === "/v1/responses") {
@@ -2936,7 +3520,7 @@ async function callPersona(persona, prompt, context, effort) {
 			}],
 			stream: false,
 			reasoning: { effort }
-		}));
+		}, void 0, signal));
 		if (!text$1) return toolError(`persona ${persona.agentName}: empty assistant output`);
 		return { content: [{
 			type: "text",
@@ -2954,7 +3538,7 @@ async function callPersona(persona, prompt, context, effort) {
 		}],
 		stream: false,
 		reasoning_effort: effort
-	}));
+	}, void 0, signal));
 	if (!text) return toolError(`persona ${persona.agentName}: empty assistant output`);
 	return { content: [{
 		type: "text",
@@ -2996,8 +3580,14 @@ async function handleToolsCall(body) {
 	});
 	inFlightToolsCall++;
 	const startedAt = Date.now();
+	const abortKey = body.id !== void 0 && body.id !== null ? body.id : void 0;
+	let aborter;
+	if (abortKey !== void 0) {
+		aborter = new AbortController();
+		inflightAborts.set(abortKey, aborter);
+	}
 	try {
-		const result = await callPersona(persona, prompt, context, effort);
+		const result = await callPersona(persona, prompt, context, effort, aborter?.signal);
 		logTelemetry({
 			name: persona.agentName,
 			model: persona.model,
@@ -3023,7 +3613,24 @@ async function handleToolsCall(body) {
 		});
 	} finally {
 		inFlightToolsCall--;
+		if (abortKey !== void 0) inflightAborts.delete(abortKey);
+	}
+}
+/**
+* Handle `notifications/cancelled` per JSON-RPC 2.0 + MCP spec.
+* params.requestId is the id of an in-flight tools/call to abort.
+* Notifications return no body (handled by isNotification path in
+* handleRpc); this side-effect frees the in-flight slot.
+*/
+function handleCancelledNotification(body) {
+	const requestId = (body.params ?? {}).requestId;
+	if (requestId === void 0 || typeof requestId !== "string" && typeof requestId !== "number") {
+		consola.debug(`[mcp] notifications/cancelled missing or invalid requestId: ${JSON.stringify(requestId)}`);
+		return;
 	}
+	const aborter = inflightAborts.get(requestId);
+	if (!aborter) return;
+	aborter.abort(/* @__PURE__ */ new Error("client requested cancellation"));
 }
 async function handleRpc(_c, body) {
 	if (body === null || typeof body !== "object" || Array.isArray(body)) return {
@@ -3045,7 +3652,11 @@ async function handleRpc(_c, body) {
 				status: 200,
 				body: rpcResult(body.id, {
 					protocolVersion: MCP_PROTOCOL_VERSION,
-					capabilities: { tools: { listChanged: false } },
+					capabilities: {
+						tools: { listChanged: false },
+						resources: {},
+						prompts: {}
+					},
 					serverInfo: {
 						name: SERVER_NAME,
 						version: SERVER_VERSION
@@ -3074,6 +3685,61 @@ async function handleRpc(_c, body) {
 				status: 200,
 				body: await handleToolsCall(body)
 			};
+		case "resources/list":
+			if (isNotification) return {
+				status: 202,
+				body: null
+			};
+			return {
+				status: 200,
+				body: rpcResult(body.id, { resources: [] })
+			};
+		case "resources/templates/list":
+			if (isNotification) return {
+				status: 202,
+				body: null
+			};
+			return {
+				status: 200,
+				body: rpcResult(body.id, { resourceTemplates: [] })
+			};
+		case "resources/read": {
+			if (isNotification) return {
+				status: 202,
+				body: null
+			};
+			const uri = body.params?.uri;
+			return {
+				status: 200,
+				body: rpcError(body.id, RPC_INVALID_PARAMS, `resources/read: resource URI not found: ${typeof uri === "string" ? uri : "(missing/invalid uri)"}`)
+			};
+		}
+		case "prompts/list":
+			if (isNotification) return {
+				status: 202,
+				body: null
+			};
+			return {
+				status: 200,
+				body: rpcResult(body.id, { prompts: [] })
+			};
+		case "prompts/get": {
+			if (isNotification) return {
+				status: 202,
+				body: null
+			};
+			const name$1 = body.params?.name;
+			return {
+				status: 200,
+				body: rpcError(body.id, RPC_INVALID_PARAMS, `prompts/get: prompt name not found: ${typeof name$1 === "string" ? name$1 : "(missing/invalid name)"}`)
+			};
+		}
+		case "notifications/cancelled":
+			handleCancelledNotification(body);
+			return {
+				status: 202,
+				body: null
+			};
 		case "ping":
 			if (isNotification) return {
 				status: 202,
@@ -3240,6 +3906,742 @@ async function countTokens(body, extraHeaders) {
 	return response;
 }
 
+//#endregion
+//#region src/services/advisor/advisor.ts
+const ENCODER$1 = new TextEncoder();
+/** The tool name we inject for Copilot. Double-underscore prefix
+*  avoids collision with any user MCP server's `advisor` tool. */
+const ADVISOR_INTERNAL_TOOL_NAME = "__anthropic_advisor";
+/** The Anthropic-spec name used in the translated server_tool_use
+*  block sent to the client. cc-backup AdvisorMessage.tsx requires
+*  this exact name to render the advisor spinner. */
+const ADVISOR_CLIENT_TOOL_NAME = "advisor";
+/** Hard cap on advisor calls per request to bound runaway behavior.
+*  Matches Phase G's loop bound; ADVISOR is typically called 1-3
+*  times per session per cc-backup ADVISOR_TOOL_INSTRUCTIONS. */
+const ADVISOR_MAX_TURNS = 16;
+/** Default advisor model + reasoning effort. Per gemini-critic + user
+*  direction: hardcode to a cross-lab model (gpt-5.5 — Copilot's
+*  /responses-only flagship) at xhigh effort. The cross-lab choice
+*  gives a true "second set of eyes" instead of the main model
+*  reviewing itself; xhigh effort buys the deep-dive reasoning that
+*  matches Anthropic's own ADVISOR (which uses a stronger reviewer
+*  model — Opus 4.6/Sonnet 4.6 typically). */
+const ADVISOR_DEFAULT_MODEL = "gpt-5.5";
+const ADVISOR_DEFAULT_EFFORT = "xhigh";
+/** ADVISOR_TOOL_INSTRUCTIONS verbatim from cc-backup
+*  src/utils/advisor.ts — describes when the model should invoke
+*  the advisor. Long-form prose; see source for justification. */
+const ADVISOR_TOOL_INSTRUCTIONS = `# Advisor Tool
+
+You have access to an \`advisor\` tool backed by a stronger reviewer model. It takes NO parameters -- when you call it, your entire conversation history is automatically forwarded. The advisor sees the task, every tool call you've made, every result you've seen.
+
+Call advisor BEFORE substantive work -- before writing code, before committing to an interpretation, before building on an assumption. If the task requires orientation first (finding files, reading code, seeing what's there), do that, then call advisor. Orientation is not substantive work. Writing, editing, and declaring an answer are.
+
+Also call advisor:
+- When you believe the task is complete. BEFORE this call, make your deliverable durable: write the file, stage the change, save the result. The advisor call takes time; if the session ends during it, a durable result persists and an unwritten one doesn't.
+- When stuck -- errors recurring, approach not converging, results that don't fit.
+- When considering a change of approach.
+
+On tasks longer than a few steps, call advisor at least once before committing to an approach and once before declaring done. On short reactive tasks where the next action is dictated by tool output you just read, you don't need to keep calling -- the advisor adds most of its value on the first call, before the approach crystallizes.
+
+Give the advice serious weight. If you follow a step and it fails empirically, or you have primary-source evidence that contradicts a specific claim (the file says X, the code does Y), adapt. A passing self-test is not evidence the advice is wrong -- it's evidence your test doesn't check what the advice is checking.
+
+If you've already retrieved data pointing one way and the advisor points another: don't silently switch. Surface the conflict in one more advisor call -- "I found X, you suggest Y, which constraint breaks the tie?" The advisor saw your evidence but may have underweighted it; a reconcile call is cheaper than committing to the wrong branch.`;
+const ADVISOR_OPT_OUT_ENV = "CLAUDE_CODE_DISABLE_ADVISOR_TOOL";
+/**
+* Detect whether the request asked for ADVISOR (incoming
+* `anthropic-beta` header contains an `advisor-tool-` prefix). Also
+* respects the `CLAUDE_CODE_DISABLE_ADVISOR_TOOL` opt-out env var
+* (set by the user to globally disable; matches cc-backup advisor.ts
+* line 61).
+*/
+function isAdvisorRequested(rawBetaHeader) {
+	if (!rawBetaHeader) return false;
+	if (process.env[ADVISOR_OPT_OUT_ENV]) return false;
+	return rawBetaHeader.split(",").map((s) => s.trim()).some((v) => v.startsWith("advisor-tool-"));
+}
+/**
+* Inject the __anthropic_advisor tool definition into the body's tools
+* array. Returns a new body string. Idempotent — if the tool is already
+* present (e.g. the user's MCP shadowed it) we leave the existing one
+* alone and return the body unchanged.
+*
+* Also strips any tool entry with `type: "advisor_*"` (Anthropic API's
+* native server-side advisor tool — `advisor_20260301` and future
+* variants). When `CLAUDE_CODE_ENABLE_EXPERIMENTAL_ADVISOR_TOOL=1` is
+* set, Claude Code injects its own advisor tool with this type into
+* `tools[]`. Copilot 400s on the unknown tool type ("Input tag
+* 'advisor_20260301' found using 'type' does not match any of the
+* expected tags"), so the proxy must strip it before forwarding while
+* still injecting our custom `__anthropic_advisor` tool that the model
+* can invoke. The proxy's intercept on the response stream then
+* translates the model's `tool_use{__anthropic_advisor}` to the
+* client-shape `server_tool_use{name:"advisor"}` + `advisor_tool_result`
+* blocks the client expects.
+*/
+function injectAdvisorTool(rawBody) {
+	let parsed;
+	try {
+		parsed = JSON.parse(rawBody);
+	} catch {
+		return rawBody;
+	}
+	const rawTools = Array.isArray(parsed.tools) ? parsed.tools : [];
+	const tools = rawTools.filter((t) => {
+		if (typeof t !== "object" || t === null) return true;
+		const type = t.type;
+		return typeof type !== "string" || !type.startsWith("advisor_");
+	});
+	const stripped = tools.length !== rawTools.length;
+	const alreadyInjected = tools.some((t) => t?.name === ADVISOR_INTERNAL_TOOL_NAME);
+	if (alreadyInjected && !stripped) return rawBody;
+	parsed.tools = alreadyInjected ? tools : [...tools, {
+		name: ADVISOR_INTERNAL_TOOL_NAME,
+		description: ADVISOR_TOOL_INSTRUCTIONS,
+		input_schema: {
+			type: "object",
+			properties: {},
+			required: []
+		}
+	}];
+	return JSON.stringify(parsed);
+}
+/** Character budget for rendered conversation text passed to the
+*  advisor model. gpt-5.5 (default advisor) caps prompt input at
+*  272,000 tokens. At a conservative ~3 chars/token (mixed prose +
+*  code + JSON), 720,000 chars renders to ≈240,000 tokens, leaving
+*  ~32,000 tokens of headroom for the system prompt and per-turn
+*  framing overhead. Without this cap, long Claude Code sessions
+*  produce 400 `model_max_prompt_tokens_exceeded` from /v1/responses
+*  and the advisor falls back silently. */
+const ADVISOR_MAX_CONVERSATION_CHARS = 72e4;
+/**
+* Render an Anthropic-shape conversation (messages array with
+* role/content blocks) as a single human-readable text blob. Used
+* as the input to the advisor model (gpt-5.5 via /v1/responses
+* doesn't have a 1:1 mapping for Anthropic's tool_use/tool_result
+* blocks; serializing to text preserves the semantics — the advisor
+* just needs to READ the conversation, not produce more of it).
+*
+* Front-truncates oldest turns when the rendered output would exceed
+* `maxChars`. The advisor cares more about current state (latest
+* tool calls, errors, in-flight task) than the original prompt —
+* mirrors Claude Code's own context-truncation strategy. When any
+* turns are dropped, prepends a `[TRUNCATED: N earlier turn(s)
+* omitted ...]` notice so the advisor knows the transcript is
+* partial and can flag if it needs the missing context.
+*/
+function renderConversationAsText(conversation, maxChars = ADVISOR_MAX_CONVERSATION_CHARS) {
+	const turnBlocks = [];
+	for (let i = 0; i < conversation.length; i++) {
+		const msg = conversation[i];
+		const role = msg.role ?? "unknown";
+		const block = [`### Turn ${i + 1} — ${role}`];
+		const content = msg.content;
+		if (typeof content === "string") block.push(content);
+		else if (Array.isArray(content)) for (const part of content) {
+			if (typeof part !== "object" || part === null) continue;
+			const b = part;
+			if (b.type === "text" && typeof b.text === "string") block.push(b.text);
+			else if (b.type === "tool_use") block.push(`[tool_use ${b.name ?? "?"}(${b.id ?? "?"}): ${JSON.stringify(b.input ?? {})}]`);
+			else if (b.type === "tool_result") {
+				const c = typeof b.content === "string" ? b.content : JSON.stringify(b.content);
+				block.push(`[tool_result ${b.tool_use_id ?? "?"}]:\n${c}`);
+			} else block.push(`[${b.type}: ${JSON.stringify(b).slice(0, 500)}]`);
+		}
+		block.push("");
+		turnBlocks.push(block.join("\n"));
+	}
+	let totalChars = 0;
+	let firstKeptIdx = turnBlocks.length;
+	for (let i = turnBlocks.length - 1; i >= 0; i--) {
+		const len = turnBlocks[i].length + 1;
+		if (totalChars + len > maxChars) break;
+		totalChars += len;
+		firstKeptIdx = i;
+	}
+	if (firstKeptIdx === turnBlocks.length && turnBlocks.length > 0) {
+		const tail = turnBlocks[turnBlocks.length - 1].slice(-(maxChars - 200));
+		return `[TRUNCATED: conversation too long for advisor model context; only the tail of the latest (turn ${turnBlocks.length}) is shown]\n\n` + tail;
+	}
+	const kept = turnBlocks.slice(firstKeptIdx);
+	if (firstKeptIdx > 0) kept.unshift(`[TRUNCATED: ${firstKeptIdx} earlier turn(s) omitted to fit advisor model context budget; ${turnBlocks.length - firstKeptIdx} most-recent turn(s) shown below]\n`);
+	return kept.join("\n");
+}
+/**
+* Run the advisor model with the full conversation context. Returns
+* the advisor's text response.
+*
+* Routes by model family:
+*   - gpt-5.x / codex / o-series (have `/responses` in supported_endpoints):
+*     use createResponses with `reasoning.effort` set. This is the
+*     default path — gpt-5.5 at xhigh effort.
+*   - claude-* (no `/responses`): fall back to createMessages.
+*
+* The conversation is serialized to text via renderConversationAsText
+* so the advisor model (which may not natively understand Anthropic's
+* tool_use/tool_result block shapes) sees a flat readable transcript.
+* This loses some structural fidelity but matches the spirit of
+* Anthropic's own ADVISOR ("see the whole task + every tool call +
+* every result").
+*/
+async function runAdvisor(conversation, advisorModel, advisorEffort) {
+	const advisorSystem = "You are an expert advisor reviewing an in-progress Claude Code session. The transcript below is the work-in-progress (turns numbered, with tool calls and results inlined). Read carefully and provide concrete, actionable advice on the next step or course-correction. Be specific — cite the parts of the transcript you're responding to. If the assistant is on the right track, say so explicitly. If they're stuck or off-track, name the specific assumption or step to revisit. Aim for 2-5 paragraphs of substantive guidance.";
+	const conversationText = renderConversationAsText(conversation);
+	const resolvedAdvisorModel = resolveModel(advisorModel);
+	if (/^(gpt-|o\d|.*codex)/i.test(resolvedAdvisorModel)) {
+		const response = await createResponses({
+			model: resolvedAdvisorModel,
+			instructions: advisorSystem,
+			input: [{
+				role: "user",
+				content: [{
+					type: "input_text",
+					text: conversationText
+				}]
+			}],
+			stream: false,
+			reasoning: { effort: advisorEffort }
+		});
+		const out = [];
+		for (const item of response.output) {
+			if (typeof item !== "object" || item === null) continue;
+			const obj = item;
+			if (obj.type !== "message" || obj.role !== "assistant") continue;
+			const content = obj.content;
+			if (!Array.isArray(content)) continue;
+			for (const part of content) {
+				if (typeof part !== "object" || part === null) continue;
+				const p = part;
+				if ((p.type === "output_text" || p.type === "text") && typeof p.text === "string") out.push(p.text);
+			}
+		}
+		const text$1 = out.join("");
+		if (!text$1) throw new Error(`Advisor model ${resolvedAdvisorModel} returned empty assistant output`);
+		return text$1;
+	}
+	const json = await (await createMessages(JSON.stringify({
+		model: resolvedAdvisorModel,
+		max_tokens: 4096,
+		system: advisorSystem,
+		messages: [{
+			role: "user",
+			content: conversationText
+		}],
+		stream: false
+	}), {})).json();
+	const text = (Array.isArray(json.content) ? json.content : []).filter((b) => b.type === "text" && typeof b.text === "string").map((b) => b.text).join("\n\n");
+	if (!text) throw new Error(`Advisor model ${resolvedAdvisorModel} returned empty response`);
+	return text;
+}
+/**
+* Derive a spec-compliant `srvtoolu_*` id for a client-facing
+* `server_tool_use` (and matching `advisor_tool_result.tool_use_id`)
+* from the upstream model's `toolu_*` id.
+*
+* Anthropic spec: `^srvtoolu_[a-zA-Z0-9_]+$`. If the upstream id
+* suffix contains chars outside that charset (e.g., a hyphenated id
+* from a non-Anthropic provider, or a corrupt id), fall back to a
+* synthesized stable id keyed by the SSE block index. Defensive
+* against edge cases that would otherwise emit a malformed block —
+* spec violation in either direction is a 400.
+*/
+function toClientServerToolUseId(id, fallbackIndex) {
+	const suffix = id.startsWith("toolu_") ? id.slice(6) : id;
+	if (/^[a-zA-Z0-9_]+$/.test(suffix)) return `srvtoolu_${suffix}`;
+	return `srvtoolu_advisor_${fallbackIndex}`;
+}
+/**
+* Build an SSE event line in the canonical Anthropic shape:
+*   event: <type>
+*   data: <json>
+*   <blank>
+*/
+function sseEvent(type, data) {
+	return `event: ${type}\ndata: ${JSON.stringify(data)}\n\n`;
+}
+/**
+* The streaming translate-loop. Returns a ReadableStream<Uint8Array>
+* suitable to wrap with Hono's c.body() / new Response().
+*
+* @param firstResponse The first Copilot streaming response
+* @param initialConversation The conversation messages from the
+*   incoming request (used as the starting context for advisor calls
+*   and continuation Copilot calls).
+* @param baseBody Parsed initial request body (model, max_tokens,
+*   system, etc.) — used as the template for continuation Copilot calls.
+* @param requestHeaders Extra headers (model-specific + filtered
+*   anthropic-beta) for downstream Copilot calls.
+* @param advisorModel Which model to route advisor calls to. Defaults
+*   to ADVISOR_DEFAULT_MODEL (cross-lab).
+*/
+function buildAdvisorStream(opts) {
+	const advisorModel = opts.advisorModel ?? ADVISOR_DEFAULT_MODEL;
+	const advisorEffort = opts.advisorEffort ?? ADVISOR_DEFAULT_EFFORT;
+	return new ReadableStream({ async start(controller) {
+		const conversation = [...opts.initialConversation];
+		let messageStartForwarded = false;
+		let nextSyntheticIndex = 0;
+		let turnsRun = 0;
+		const safeEnqueue = (bytes) => {
+			try {
+				controller.enqueue(bytes);
+				return true;
+			} catch (err) {
+				if (isControllerClosedError(err)) return false;
+				throw err;
+			}
+		};
+		const safeEnqueueEvent = (type, data) => safeEnqueue(ENCODER$1.encode(sseEvent(type, data)));
+		async function processOneTurn(response) {
+			const capturedBlocks = [];
+			let advisorToolUse = null;
+			const indexToBlock = /* @__PURE__ */ new Map();
+			for await (const ev of events(response)) {
+				if (!ev.event || !ev.data) continue;
+				let payload;
+				try {
+					payload = JSON.parse(ev.data);
+				} catch {
+					if (!safeEnqueue(ENCODER$1.encode(`event: ${ev.event}\ndata: ${ev.data}\n\n`))) return {
+						capturedBlocks,
+						advisorToolUse
+					};
+					continue;
+				}
+				switch (ev.event) {
+					case "message_start":
+						if (!messageStartForwarded) {
+							if (!safeEnqueueEvent(ev.event, payload)) return {
+								capturedBlocks,
+								advisorToolUse
+							};
+							messageStartForwarded = true;
+						}
+						continue;
+					case "content_block_start": {
+						const block = payload.content_block;
+						const upstreamIndex = payload.index;
+						if (block && upstreamIndex !== void 0) {
+							const myIndex = nextSyntheticIndex++;
+							if (block.type === "tool_use" && block.name === ADVISOR_INTERNAL_TOOL_NAME) {
+								const id = typeof block.id === "string" ? block.id : `toolu_advisor_${myIndex}`;
+								advisorToolUse = {
+									index: myIndex,
+									id,
+									clientId: toClientServerToolUseId(id, myIndex),
+									inputJson: ""
+								};
+								const translated = {
+									...payload,
+									index: myIndex,
+									content_block: {
+										type: "server_tool_use",
+										id: advisorToolUse.clientId,
+										name: ADVISOR_CLIENT_TOOL_NAME,
+										input: {}
+									}
+								};
+								if (!safeEnqueueEvent(ev.event, translated)) return {
+									capturedBlocks,
+									advisorToolUse
+								};
+								const captured = {
+									block: {
+										type: "tool_use",
+										id,
+										name: ADVISOR_INTERNAL_TOOL_NAME,
+										input: {}
+									},
+									partialJson: "",
+									advisorReplay: { id }
+								};
+								capturedBlocks.push(captured);
+								indexToBlock.set(upstreamIndex, captured);
+							} else {
+								const reindexed = {
+									...payload,
+									index: myIndex
+								};
+								if (!safeEnqueueEvent(ev.event, reindexed)) return {
+									capturedBlocks,
+									advisorToolUse
+								};
+								const captured = {
+									block: { ...block },
+									partialJson: ""
+								};
+								capturedBlocks.push(captured);
+								indexToBlock.set(upstreamIndex, captured);
+							}
+						}
+						continue;
+					}
+					case "content_block_delta": {
+						const upstreamIndex = payload.index;
+						const delta = payload.delta;
+						if (upstreamIndex !== void 0) {
+							const captured = upstreamIndex !== void 0 ? indexToBlock.get(upstreamIndex) : void 0;
+							const reindexed = {
+								...payload,
+								index: captured ? capturedBlocks.indexOf(captured) >= 0 ? nextSyntheticIndex - capturedBlocks.length + capturedBlocks.indexOf(captured) : upstreamIndex : upstreamIndex
+							};
+							if (!safeEnqueueEvent(ev.event, reindexed)) return {
+								capturedBlocks,
+								advisorToolUse
+							};
+							if (captured && delta) {
+								if (delta.type === "text_delta" && typeof delta.text === "string") captured.block.text = (captured.block.text ?? "") + delta.text;
+								else if (delta.type === "thinking_delta" && typeof delta.thinking === "string") captured.block.thinking = (captured.block.thinking ?? "") + delta.thinking;
+								else if (delta.type === "signature_delta" && typeof delta.signature === "string") captured.block.signature = (captured.block.signature ?? "") + delta.signature;
+								else if (delta.type === "input_json_delta" && typeof delta.partial_json === "string") captured.partialJson += delta.partial_json;
+								else if (delta.type === "citations_delta" && delta.citation) {
+									if (!Array.isArray(captured.block.citations)) captured.block.citations = [];
+									captured.block.citations.push(delta.citation);
+								}
+							}
+						} else if (!safeEnqueueEvent(ev.event, payload)) return {
+							capturedBlocks,
+							advisorToolUse
+						};
+						continue;
+					}
+					case "content_block_stop": {
+						const upstreamIndex = payload.index;
+						const captured = upstreamIndex !== void 0 ? indexToBlock.get(upstreamIndex) : void 0;
+						const reindexed = {
+							...payload,
+							index: captured ? nextSyntheticIndex - capturedBlocks.length + capturedBlocks.indexOf(captured) : upstreamIndex ?? 0
+						};
+						if (!safeEnqueueEvent(ev.event, reindexed)) return {
+							capturedBlocks,
+							advisorToolUse
+						};
+						if (captured) {
+							if (captured.block.type === "tool_use" && captured.partialJson.length > 0) try {
+								captured.block.input = JSON.parse(captured.partialJson);
+							} catch (err) {
+								consola.warn(`advisor: malformed input_json_delta for tool_use id=${captured.block.id ?? "?"} name=${captured.block.name ?? "?"} partialJson.length=${captured.partialJson.length} parseError=${err instanceof Error ? err.message : String(err)}`);
+								captured.block.input = {};
+							}
+							if (captured.block.type === "text" && (typeof captured.block.text !== "string" || captured.block.text.length === 0)) captured.dropFromReplay = true;
+						}
+						continue;
+					}
+					case "message_delta":
+						if (!safeEnqueueEvent(ev.event, payload)) return {
+							capturedBlocks,
+							advisorToolUse
+						};
+						continue;
+					case "message_stop":
+						if (advisorToolUse) return {
+							capturedBlocks,
+							advisorToolUse
+						};
+						if (!safeEnqueueEvent(ev.event, payload)) return {
+							capturedBlocks,
+							advisorToolUse
+						};
+						return {
+							capturedBlocks,
+							advisorToolUse
+						};
+					default: if (!safeEnqueueEvent(ev.event, payload)) return {
+						capturedBlocks,
+						advisorToolUse
+					};
+				}
+			}
+			return {
+				capturedBlocks,
+				advisorToolUse
+			};
+		}
+		try {
+			let response = opts.firstResponse;
+			for (turnsRun = 0; turnsRun < ADVISOR_MAX_TURNS; turnsRun++) {
+				const { capturedBlocks, advisorToolUse } = await processOneTurn(response);
+				if (!advisorToolUse) return;
+				const assistantTurn = {
+					role: "assistant",
+					content: capturedBlocks.filter((c) => !c.dropFromReplay).map((c) => {
+						if (c.advisorReplay) {
+							const input = typeof c.block.input === "object" && c.block.input !== null ? c.block.input : {};
+							return {
+								type: "tool_use",
+								id: c.advisorReplay.id,
+								name: ADVISOR_INTERNAL_TOOL_NAME,
+								input
+							};
+						}
+						return c.block;
+					})
+				};
+				conversation.push(assistantTurn);
+				let advisorText;
+				try {
+					advisorText = await runAdvisor(conversation, advisorModel, advisorEffort);
+				} catch (err) {
+					const msg = err instanceof Error ? err.message : String(err);
+					consola.warn(`Advisor model call failed: ${msg}`);
+					advisorText = `[Advisor unavailable: ${msg}. Continuing without external review — proceed with caution and consider self-checking against your primary-source evidence.]`;
+				}
+				const resultIndex = nextSyntheticIndex++;
+				if (!safeEnqueueEvent("content_block_start", {
+					type: "content_block_start",
+					index: resultIndex,
+					content_block: {
+						type: "advisor_tool_result",
+						tool_use_id: advisorToolUse.clientId,
+						content: {
+							type: "advisor_result",
+							text: advisorText
+						}
+					}
+				})) return;
+				if (!safeEnqueueEvent("content_block_stop", {
+					type: "content_block_stop",
+					index: resultIndex
+				})) return;
+				conversation.push({
+					role: "user",
+					content: [{
+						type: "tool_result",
+						tool_use_id: advisorToolUse.id,
+						content: advisorText
+					}]
+				});
+				response = await createMessages(JSON.stringify({
+					...opts.baseBody,
+					messages: conversation,
+					stream: true
+				}), opts.requestHeaders);
+			}
+			const finalIndex = nextSyntheticIndex++;
+			safeEnqueueEvent("content_block_start", {
+				type: "content_block_start",
+				index: finalIndex,
+				content_block: {
+					type: "text",
+					text: ""
+				}
+			});
+			safeEnqueueEvent("content_block_delta", {
+				type: "content_block_delta",
+				index: finalIndex,
+				delta: {
+					type: "text_delta",
+					text: `\n\n[Advisor loop exceeded ${ADVISOR_MAX_TURNS} turns; halting]`
+				}
+			});
+			safeEnqueueEvent("content_block_stop", {
+				type: "content_block_stop",
+				index: finalIndex
+			});
+			safeEnqueueEvent("message_stop", { type: "message_stop" });
+		} catch (err) {
+			const msg = err instanceof Error ? err.message : String(err);
+			consola.error(`Advisor stream error: ${msg}`);
+			safeEnqueueEvent("error", {
+				type: "error",
+				error: {
+					type: "api_error",
+					message: `advisor loop failed: ${msg}`
+				}
+			});
+		} finally {
+			try {
+				controller.close();
+			} catch {}
+		}
+	} });
+}
+
+//#endregion
+//#region src/lib/sanitize-anthropic-body.ts
+/**
+* Convert a `srvtoolu_*` id to the matching `toolu_*` id used in the
+* Copilot-replay shape (`tool_use.id` must match `^toolu_*$`). For
+* any other input shape, fall back to a synthesized `toolu_advisor_N`
+* id.
+*/
+function toCopilotToolUseId(srvId, fallbackIndex) {
+	if (srvId.startsWith("srvtoolu_")) {
+		const suffix = srvId.slice(9);
+		if (/^[a-zA-Z0-9_]+$/.test(suffix)) return `toolu_${suffix}`;
+	}
+	return `toolu_advisor_${fallbackIndex}`;
+}
+/**
+* Fast-path detector: returns true if the raw body has any chance of
+* needing sanitization. Avoids a full JSON parse for the common case
+* where the body is already spec-compliant.
+*
+* Looks for either an Anthropic-native advisor typed tool entry, or
+* any advisor-related block type that would need rewriting/
+* translating.
+*/
+function bodyMightNeedSanitize(rawBody) {
+	return rawBody.includes("\"server_tool_use\"") || rawBody.includes("\"advisor_tool_result\"") || /"type":"advisor_\d+"/.test(rawBody);
+}
+/**
+* Translate one assistant turn's content array, splitting at advisor
+* pairs into the multi-message structure Copilot accepts.
+*
+* Input shape (Claude Code stores everything in one assistant turn):
+*   [text*, server_tool_use{advisor}, advisor_tool_result, text*, ...]
+*
+* Output: array of {role, content[]} message objects, alternating
+* assistant→user→assistant for each advisor pair encountered.
+*/
+function splitAssistantTurnAtAdvisorPairs(originalContent, syntheticIndexRef) {
+	const messages = [];
+	let currentAssistantContent = [];
+	let translated = false;
+	let i = 0;
+	while (i < originalContent.length) {
+		const block = originalContent[i];
+		const b = typeof block === "object" && block !== null ? block : null;
+		if (b && b.type === "server_tool_use" && b.name === ADVISOR_INTERNAL_TOOL_NAME.replace(/^__anthropic_/, "")) {
+			const stuId = typeof b.id === "string" ? b.id : "";
+			const nextBlock = originalContent[i + 1];
+			const next = typeof nextBlock === "object" && nextBlock !== null ? nextBlock : null;
+			const copilotId = stuId.startsWith("srvtoolu_") ? toCopilotToolUseId(stuId, syntheticIndexRef.value++) : stuId.startsWith("toolu_") && /^toolu_[a-zA-Z0-9_]+$/.test(stuId) ? stuId : `toolu_advisor_${syntheticIndexRef.value++}`;
+			currentAssistantContent.push({
+				type: "tool_use",
+				id: copilotId,
+				name: ADVISOR_INTERNAL_TOOL_NAME,
+				input: {}
+			});
+			messages.push({
+				role: "assistant",
+				content: currentAssistantContent
+			});
+			translated = true;
+			let resultText = "";
+			if (next && next.type === "advisor_tool_result") {
+				const c = next.content;
+				if (typeof c === "string") resultText = c;
+				else if (typeof c === "object" && c !== null) {
+					const txt = c.text;
+					if (typeof txt === "string") resultText = txt;
+				}
+				i += 2;
+			} else {
+				resultText = "[Advisor result missing in conversation history.]";
+				i += 1;
+			}
+			messages.push({
+				role: "user",
+				content: [{
+					type: "tool_result",
+					tool_use_id: copilotId,
+					content: resultText
+				}]
+			});
+			currentAssistantContent = [];
+			continue;
+		}
+		if (b && b.type === "advisor_tool_result") {
+			translated = true;
+			i += 1;
+			continue;
+		}
+		currentAssistantContent.push(block);
+		i += 1;
+	}
+	if (currentAssistantContent.length > 0) messages.push({
+		role: "assistant",
+		content: currentAssistantContent
+	});
+	if (!translated) return {
+		messages: [{
+			role: "assistant",
+			content: originalContent
+		}],
+		translated: false
+	};
+	return {
+		messages,
+		translated: true
+	};
+}
+function sanitizeAnthropicBody(rawBody) {
+	if (!bodyMightNeedSanitize(rawBody)) return rawBody;
+	let parsed;
+	try {
+		parsed = JSON.parse(rawBody);
+	} catch {
+		return rawBody;
+	}
+	let mutated = false;
+	if (Array.isArray(parsed.tools)) {
+		const tools = parsed.tools;
+		const before = tools.length;
+		const filtered = tools.filter((t) => {
+			if (typeof t !== "object" || t === null) return true;
+			const type = t.type;
+			return typeof type !== "string" || !type.startsWith("advisor_");
+		});
+		if (filtered.length !== before) {
+			parsed.tools = filtered;
+			mutated = true;
+		}
+	}
+	if (Array.isArray(parsed.messages)) {
+		const original = parsed.messages;
+		const rebuilt = [];
+		let anyTranslated = false;
+		const syntheticIndexRef = { value: 0 };
+		for (const msg of original) {
+			if (typeof msg !== "object" || msg === null || msg.role !== "assistant") {
+				rebuilt.push(msg);
+				continue;
+			}
+			const content = msg.content;
+			if (!Array.isArray(content)) {
+				rebuilt.push(msg);
+				continue;
+			}
+			if (!content.some((b) => {
+				if (typeof b !== "object" || b === null) return false;
+				const type = b.type;
+				const name$1 = b.name;
+				return type === "server_tool_use" && name$1 === "advisor" || type === "advisor_tool_result";
+			})) {
+				rebuilt.push(msg);
+				continue;
+			}
+			const { messages: split, translated } = splitAssistantTurnAtAdvisorPairs(content, syntheticIndexRef);
+			if (translated) {
+				anyTranslated = true;
+				for (const m of split) rebuilt.push(m);
+			} else rebuilt.push(msg);
+		}
+		if (anyTranslated) {
+			parsed.messages = rebuilt;
+			mutated = true;
+			const existingTools = Array.isArray(parsed.tools) ? parsed.tools : [];
+			if (!existingTools.some((t) => {
+				if (typeof t !== "object" || t === null) return false;
+				return t.name === ADVISOR_INTERNAL_TOOL_NAME;
+			})) parsed.tools = [...existingTools, {
+				name: ADVISOR_INTERNAL_TOOL_NAME,
+				description: ADVISOR_TOOL_INSTRUCTIONS,
+				input_schema: {
+					type: "object",
+					properties: {},
+					required: []
+				}
+			}];
+		}
+	}
+	if (!mutated) return rawBody;
+	return JSON.stringify(parsed);
+}
+
 //#endregion
 //#region src/lib/diagnose-response.ts
 const PREVIEW_LIMIT = 200;
@@ -3290,7 +4692,18 @@ function stripWebSearchFromBody(rawBody) {
 */
 async function handleCountTokens(c) {
 	const startTime = Date.now();
-	const { body: finalBody, originalModel, resolvedModel } = resolveModelInBody$1(stripWebSearchFromBody(await c.req.text()));
+	const strippedBody = stripWebSearchFromBody(sanitizeAnthropicBody(await c.req.text()));
+	if (strippedBody.includes("\"mcp_servers\"")) try {
+		const probe = JSON.parse(strippedBody);
+		if (Array.isArray(probe.mcp_servers) && probe.mcp_servers.length > 0) return c.json({
+			type: "error",
+			error: {
+				type: "invalid_request_error",
+				message: "Inline `mcp_servers` body field is not supported by github-router. Configure remote MCP servers as local stdio entries in `~/.claude/mcp.json` instead."
+			}
+		}, 400);
+	} catch {}
+	const { body: finalBody, originalModel, resolvedModel } = resolveModelInBody$1(strippedBody);
 	const extraHeaders = {};
 	const anthropicBeta = c.req.header("anthropic-beta");
 	if (anthropicBeta) {
@@ -3334,6 +4747,7 @@ function resolveModelInBody$1(rawBody) {
 		}
 	}
 	if (rawBody.includes("\"scope\"") && sanitizeCacheControl$1(parsed)) modified = true;
+	if ((rawBody.includes("\"budget\"") || rawBody.includes("\"output_config\"") || rawBody.includes("\"betas\"")) && stripAnthropicOnlyFields$1(parsed)) modified = true;
 	const resolvedModel = typeof parsed.model === "string" ? parsed.model : originalModel;
 	return {
 		body: modified ? JSON.stringify(parsed) : rawBody,
@@ -3360,6 +4774,43 @@ function sanitizeCacheControl$1(body) {
 	if (Array.isArray(body.tools)) for (const tool of body.tools) stripScope(tool);
 	return stripped;
 }
+/**
+* Strip top-level body fields Copilot 400s on (budget, output_config.schema,
+* betas). Duplicated structurally from handler.ts because count_tokens uses
+* its own JSON-pass; the bodies are independent. Behavior must stay in lock-
+* step with handler.ts's stripAnthropicOnlyFields — covered by integration
+* tests (Phase F P2.4).
+*/
+function stripAnthropicOnlyFields$1(body) {
+	let stripped = false;
+	if (body.budget !== void 0) {
+		consola.warn("[count_tokens] Stripping body-level `budget` field (Copilot 400s)");
+		delete body.budget;
+		stripped = true;
+	}
+	if (body.output_config !== void 0) {
+		if (body.output_config && typeof body.output_config === "object") {
+			const oc = body.output_config;
+			const PROXY_OWNED_FIELDS = new Set(["effort"]);
+			let strippedAny = false;
+			for (const key of Object.keys(oc)) if (!PROXY_OWNED_FIELDS.has(key)) {
+				delete oc[key];
+				strippedAny = true;
+			}
+			if (strippedAny) {
+				consola.warn("[count_tokens] Stripping client-set `output_config` Structured-Outputs fields (Copilot 400s on `output_config.*` other than `effort`)");
+				if (Object.keys(oc).length === 0) delete body.output_config;
+				stripped = true;
+			}
+		}
+	}
+	if (Array.isArray(body.betas)) {
+		consola.warn("[count_tokens] Stripping body-level `betas` array (Copilot 400s; conveyed via header)");
+		delete body.betas;
+		stripped = true;
+	}
+	return stripped;
+}
 
 //#endregion
 //#region src/routes/messages/handler.ts
@@ -3470,7 +4921,24 @@ async function handleCompletion(c) {
 	if (debugEnabled) consola.debug("Anthropic request body:", rawBody.slice(0, 2e3));
 	if (state.manualApprove) await awaitApproval();
 	const betaHeaders = extractBetaHeaders(c);
-	const { body: resolvedBody, originalModel, resolvedModel, selectedModel } = resolveModelInBody(await processWebSearch(rawBody));
+	const advisorEnabled = isAdvisorRequested(c.req.header("anthropic-beta"));
+	let finalBody = await processWebSearch(rawBody);
+	finalBody = sanitizeAnthropicBody(finalBody);
+	if (advisorEnabled) {
+		finalBody = injectAdvisorTool(finalBody);
+		consola.info("ADVISOR enabled for this request — injecting __anthropic_advisor tool; will translate tool_use → server_tool_use{advisor} on the SSE stream");
+	}
+	if (finalBody.includes("\"mcp_servers\"")) try {
+		const probe = JSON.parse(finalBody);
+		if (Array.isArray(probe.mcp_servers) && probe.mcp_servers.length > 0) return c.json({
+			type: "error",
+			error: {
+				type: "invalid_request_error",
+				message: "Inline `mcp_servers` body field is not supported by github-router (Copilot returns 400 'Extra inputs are not permitted'; the proxy would need a multi-turn tool-loop translation that has unresolved design holes — see Phase G in the plan). Configure your remote MCP servers as local stdio entries in `~/.claude/mcp.json` instead — Claude Code will spawn them locally and the proxy passes their tool calls through transparently. (https://docs.claude.com/en/docs/claude-code/mcp)"
+			}
+		}, 400);
+	} catch {}
+	const { body: resolvedBody, originalModel, resolvedModel, selectedModel } = resolveModelInBody(finalBody);
 	const modelId = resolvedModel ?? originalModel;
 	if (modelId) logEndpointMismatch(modelId, "/v1/messages");
 	const effectiveBetas = applyDefaultBetas(betaHeaders, resolvedModel ?? originalModel);
@@ -3524,6 +4992,25 @@ async function handleCompletion(c) {
 		if (requestId) streamHeaders["x-request-id"] = requestId;
 		const reqId = response.headers.get("request-id");
 		if (reqId) streamHeaders["request-id"] = reqId;
+		if (advisorEnabled && response.body) {
+			let parsedBase = {};
+			try {
+				parsedBase = JSON.parse(resolvedBody);
+			} catch {}
+			const initialConversation = Array.isArray(parsedBase.messages) ? parsedBase.messages : [];
+			return new Response(buildAdvisorStream({
+				firstResponse: response,
+				initialConversation,
+				baseBody: parsedBase,
+				requestHeaders: {
+					...selectedModel?.requestHeaders,
+					...effectiveBetas
+				}
+			}), {
+				status: response.status,
+				headers: streamHeaders
+			});
+		}
 		return new Response(response.body ? relayAnthropicStream(response.body, { routePath: c.req.path }) : null, {
 			status: response.status,
 			headers: streamHeaders
@@ -3574,6 +5061,7 @@ function resolveModelInBody(rawBody) {
 	const selectedModel = resolvedModel ? state.models?.data.find((m) => m.id === resolvedModel) : void 0;
 	if (translateThinking(parsed, selectedModel)) modified = true;
 	if (rawBody.includes("\"scope\"") && sanitizeCacheControl(parsed)) modified = true;
+	if ((rawBody.includes("\"budget\"") || rawBody.includes("\"output_config\"") || rawBody.includes("\"betas\"")) && stripAnthropicOnlyFields(parsed)) modified = true;
 	return {
 		body: modified ? JSON.stringify(parsed) : rawBody,
 		originalModel,
@@ -3689,6 +5177,81 @@ function applyDefaultBetas(betaHeaders, modelId) {
 		"anthropic-beta": ["interleaved-thinking-2025-05-14", "context-management-2025-06-27"].join(",")
 	};
 }
+/**
+* Strip top-level body fields that Anthropic's Messages API accepts but
+* Copilot rejects with HTTP 400 "Extra inputs are not permitted". Mutates
+* `body` in place; returns true if anything was stripped.
+*
+* Empirical verification (2026-05-11):
+*   POST /v1/messages?beta=true { ..., budget: {total_tokens: 10000} } → 400
+*   POST /v1/messages?beta=true { ..., output_config: {schema: {...}} }  → 400
+*   POST /v1/messages?beta=true { ..., betas: ["..."] }                  → 400
+*
+* Each strip emits a one-line consola.warn so users running with these
+* features (e.g. `claude --max-budget-usd`, `--json-schema`) understand
+* the request succeeds with the *body field* dropped — semantics may
+* differ from upstream Anthropic. The corresponding `anthropic-beta`
+* header is preserved (Phase A allowlist) so the *intent* still flows
+* to Copilot, even if the per-request enforcement field is gone.
+*
+* NOT stripped here:
+*   - `mcp_servers` (Phase G translate path — silent strip causes LLM
+*     to hallucinate tools per gemini-critic finding)
+*   - `metadata` (Copilot 200s, ignores harmlessly)
+*/
+function stripAnthropicOnlyFields(body) {
+	let stripped = false;
+	if (body.budget !== void 0) {
+		consola.warn("Stripping body-level `budget` field (Copilot 400s; the `task-budgets-` beta header is preserved but cost ceiling is not enforced server-side)");
+		delete body.budget;
+		stripped = true;
+	}
+	if (body.output_config !== void 0) {
+		if (body.output_config && typeof body.output_config === "object") {
+			const oc = body.output_config;
+			const PROXY_OWNED_FIELDS = new Set(["effort"]);
+			const schema = oc.schema;
+			const ocType = oc.type;
+			let strippedAny = false;
+			for (const key of Object.keys(oc)) if (!PROXY_OWNED_FIELDS.has(key)) {
+				delete oc[key];
+				strippedAny = true;
+			}
+			if (strippedAny) {
+				consola.warn("Stripping client-set `output_config` Structured-Outputs fields (Copilot 400s on `output_config.*` other than `effort`; injecting schema as system-prompt instruction so the model still produces JSON conforming to the structured-outputs schema, since server-side enforcement is gone)");
+				if (Object.keys(oc).length === 0) delete body.output_config;
+				if (schema !== void 0 || ocType === "json_object") appendStructuredOutputInstruction(body, schema, ocType);
+				stripped = true;
+			}
+		}
+	}
+	if (Array.isArray(body.betas)) {
+		consola.warn("Stripping body-level `betas` array (Copilot 400s; the betas are conveyed via the `anthropic-beta` header instead)");
+		delete body.betas;
+		stripped = true;
+	}
+	return stripped;
+}
+/**
+* Append a system-prompt instruction telling the model to produce JSON
+* conforming to a Structured Outputs schema. Used after the proxy
+* strips `output_config` to preserve the schema enforcement intent
+* via prompt engineering instead of server-side validation.
+*
+* Mutates `body.system` in place. Handles both string and array shapes
+* (Anthropic spec allows either).
+*/
+function appendStructuredOutputInstruction(body, schema, ocType) {
+	let instruction = "\n\nIMPORTANT: Your response MUST be a single valid JSON object. Do not wrap it in markdown code fences. Do not include any text before or after the JSON object.";
+	if (schema !== void 0) instruction += ` The JSON object MUST conform to this JSON Schema:\n${JSON.stringify(schema)}`;
+	else if (typeof ocType === "string") instruction += ` Output type requested: ${ocType}.`;
+	if (typeof body.system === "string") body.system = body.system + instruction;
+	else if (Array.isArray(body.system)) body.system = [...body.system, {
+		type: "text",
+		text: instruction.trimStart()
+	}];
+	else body.system = instruction.trimStart();
+}
 
 //#endregion
 //#region src/routes/messages/route.ts
@@ -4108,6 +5671,13 @@ server.route("/v1/search", searchRoutes);
 server.route("/v1/messages", messageRoutes);
 server.route("/mcp", mcpRoutes);
 server.post("/api/event_logging/batch", (c) => c.body(null, 200));
+server.all("/v1/files/*", (c) => c.json({
+	type: "error",
+	error: {
+		type: "not_found_error",
+		message: "Files API is not supported by github-router (Copilot has no equivalent storage backend). Use the Anthropic API directly for file uploads/downloads."
+	}
+}, 404));
 server.notFound((c) => c.json({
 	type: "error",
 	error: {
@@ -4280,47 +5850,57 @@ function parseSharedArgs(args) {
 * (see `src/lib/launch.ts`) BEFORE these overrides are merged in, so we
 * only need to provide the positive values.
 *
-* Auth precedence in Claude Code (https://code.claude.com/docs/en/iam):
+* Auth precedence in Claude Code (https://code.claude.com/docs/en/iam),
+* after the github-router substrate fix:
 *   1. Cloud provider (CLAUDE_CODE_USE_BEDROCK / VERTEX / FOUNDRY) — stripped at parent.
-*   2. ANTHROPIC_AUTH_TOKEN — set here to "dummy"; wins over #4–#6.
-*   3. ANTHROPIC_API_KEY — stripped at parent, intentionally NOT re-set
-*      (Claude Code emits an Auth conflict warning when both AUTH_TOKEN
-*      and API_KEY are present, even with dummy values).
-*   4. apiKeyHelper in settings.json — beaten by #2.
+*   2. ANTHROPIC_AUTH_TOKEN — NOT set by the proxy. Stripped at parent
+*      (no env-source auth in the spawned child at all).
+*   3. ANTHROPIC_API_KEY — stripped at parent.
+*   4. apiKeyHelper in settings.json — copied into our config dir as
+*      part of the mirror; if the user defined one, it still fires
+*      and may mint an `x-api-key` header. Copilot ignores `x-api-key`,
+*      so behavior is unchanged from before this fix.
 *   5. CLAUDE_CODE_OAUTH_TOKEN — stripped at parent.
-*   6. Subscription OAuth (Keychain / ~/.claude/.credentials.json) —
-*      INVISIBLE to the spawned child via the CLAUDE_CONFIG_DIR trick
-*      below. The credential file is left in place so `claude /logout`
-*      still works outside the proxy.
+*   6. Subscription OAuth (Keychain / `<CLAUDE_CONFIG_DIR>/.credentials.json`)
+*      — the credentials file is OURS (synthetic blob, written by
+*      `ensureClaudeConfigMirror`). Claude Code reads accessToken from
+*      it and sends as `Authorization: Bearer <accessToken>`. The
+*      teammate-spawn allowlist propagates `CLAUDE_CONFIG_DIR` to
+*      children, so spawned teammates find the same synthetic credential
+*      and authenticate (the bug this whole fix addresses).
 *
 * `CLAUDE_CONFIG_DIR` activates Claude Code's per-config-dir keychain
-* isolation. Per binary-grep of Claude Code 2.1.126's `iN()` function:
-*
-*   function iN(H = "") {
-*     let _ = B6(),  // resolved config-dir path
-*         K = !process.env.CLAUDE_CONFIG_DIR ? "" : `-${sha256(_).slice(0, 8)}`;
-*     return `Claude Code${OAUTH_FILE_SUFFIX}${H}${K}`
-*   }
+* isolation (per binary-grep of v2.1.126's `iN()` function: when set,
+* the keychain service name becomes `Claude Code-<sha256(path)[0..8]>`,
+* missing the user's real `Claude Code` entry). Pointing it at our
+* snapshot-copied `PATHS.CLAUDE_CONFIG_DIR` preserves user customization
+* (mirrored settings.json, skills, MCP, hooks, CLAUDE.md, custom
+* agents) while giving teammates a credential they can find on disk.
 *
-* The conditional is on PRESENCE, not value. When CLAUDE_CONFIG_DIR is
-* unset (the user's normal `claude` usage), the keychain service name is
-* "Claude Code" and their `/login` credential is found there. When set
-* (the proxy session), the service name becomes "Claude Code-<hash>" —
-* the user's credential is invisible, `iCH()` returns null, and all
-* three auth-conflict warnings fire `false`. The path resolves to the
-* default config-dir, so settings.json/skills/MCP/plugins/hooks/CLAUDE.md
-* still load from `~/.claude` as normal.
+* No-401 invariant: Claude Code's reactive refresh path (`SZ1` →
+* `D3(0,true,...)`) fires on any 401 from upstream. The synthetic
+* refreshToken would fail any real refresh attempt, so the proxy
+* MUST NOT return 401 on the Anthropic-shape boundary even when
+* upstream Copilot returns 401. See `src/routes/messages/handler.ts`.
 */
 function getClaudeCodeEnvVars(serverUrl, model) {
 	const vars = {
 		ANTHROPIC_BASE_URL: serverUrl,
-		ANTHROPIC_AUTH_TOKEN: "dummy",
-		CLAUDE_CONFIG_DIR: path.join(os.homedir(), ".claude"),
+		CLAUDE_CONFIG_DIR: PATHS.CLAUDE_CONFIG_DIR,
 		MCP_TIMEOUT: "600000",
 		DISABLE_NON_ESSENTIAL_MODEL_CALLS: "1",
-		CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: "1"
+		CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: "1",
+		DISABLE_TELEMETRY: "1"
 	};
 	if (model) vars.ANTHROPIC_MODEL = model;
+	if (process.env.ANTHROPIC_SMALL_FAST_MODEL === void 0) vars.ANTHROPIC_SMALL_FAST_MODEL = "claude-haiku-4-5";
+	for (const key of [
+		"CLAUDE_CODE_ENABLE_EXPERIMENTAL_ADVISOR_TOOL",
+		"CLAUDE_CODE_FORK_SUBAGENT",
+		"CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS",
+		"CLAUDE_CODE_ENABLE_FINE_GRAINED_TOOL_STREAMING",
+		"CLAUDE_CODE_ENABLE_TASKS"
+	]) if (process.env[key] === void 0) vars[key] = "1";
 	return vars;
 }
 /**
@@ -4371,6 +5951,21 @@ const claude = defineCommand({
 			type: "boolean",
 			default: false,
 			description: "Pass --strict-mcp-config to claude code so only github-router's MCP servers are loaded (hides user's existing MCP servers)"
+		},
+		stealth: {
+			type: "boolean",
+			default: false,
+			description: "Opt back into VS Code-only beta header filtering. Loses leverage features (task budgets, token-efficient tools, prompt caching, etc.) but minimizes the wire-fingerprint difference from VS Code Copilot Chat. By default the `claude` subcommand enables extended/leverage betas because the spawned Claude Code already identifies itself via UA and other headers — partial stealth doesn't buy much."
+		},
+		"auto-update": {
+			type: "boolean",
+			default: true,
+			description: "Check for and install latest Claude Code on launch (throttled to once per hour via ~/.local/share/github-router/last-update-check). Set to false (--no-auto-update) to keep the current installed version. Falls back gracefully if npm/network unavailable."
+		},
+		"update-check": {
+			type: "boolean",
+			default: true,
+			description: "Check the npm registry for a newer Claude Code version on launch and warn if stale (non-blocking ~500ms cost). Set to false (--no-update-check) to skip the check entirely (useful for offline/CI). Independent from --auto-update: --no-update-check implies no auto-install (nothing to install since we never check)."
 		}
 	},
 	async run({ args }) {
@@ -4379,6 +5974,24 @@ const claude = defineCommand({
 			process$1.exit(1);
 		}
 		const parsed = parseSharedArgs(args);
+		if (args.stealth) {
+			parsed.extendedBetas = false;
+			consola.info("Stealth mode: VS Code-only beta filtering. Leverage features disabled.");
+		} else if (!args["extended-betas"]) parsed.extendedBetas = true;
+		if (args["update-check"] !== false) try {
+			const versionCheck = await checkClaudeVersion({ noCheck: false });
+			if (versionCheck.skipped && versionCheck.skipReason === "no-claude") consola.debug("claude --version probe failed; skipping auto-update.");
+			else if (versionCheck.skipped && versionCheck.skipReason === "no-npm") consola.debug("npm view @anthropic-ai/claude-code failed; skipping auto-update check (likely offline).");
+			else if (versionCheck.needsUpdate && versionCheck.installedVersion && versionCheck.latestVersion) if (args["auto-update"] !== false) try {
+				await autoUpdateClaude(versionCheck.latestVersion);
+			} catch (err) {
+				const msg = err instanceof Error ? err.message : String(err);
+				consola.warn(`Auto-update of Claude Code from ${versionCheck.installedVersion} to ${versionCheck.latestVersion} failed (${msg}); continuing with installed version. Run \`npm install -g @anthropic-ai/claude-code@latest\` manually to retry.`);
+			}
+			else consola.warn(`Claude Code v${versionCheck.installedVersion} is installed; v${versionCheck.latestVersion} is available. Run with --auto-update (the default) to install on launch, or \`npm install -g @anthropic-ai/claude-code@latest\` manually.`);
+		} catch (err) {
+			consola.debug("Claude version check failed:", err);
+		}
 		let server$1;
 		let serverUrl;
 		try {
@@ -4393,6 +6006,12 @@ const claude = defineCommand({
 			consola.error("Failed to start server:", error instanceof Error ? error.message : error);
 			process$1.exit(1);
 		}
+		try {
+			await ensureClaudeConfigMirror();
+		} catch (err) {
+			consola.error(`Failed to provision CLAUDE_CONFIG_DIR mirror: ${err instanceof Error ? err.message : String(err)}. Spawned Claude Code would not be able to authenticate.`);
+			process$1.exit(1);
+		}
 		enableFileLogging();
 		const usingDefault = !args.model;
 		let chosenSlug = args.model ?? DEFAULT_CLAUDE_MODEL;