github-router 0.3.20 → 0.3.21

package/dist/main.js

@@ -1,10 +1,10 @@
 #!/usr/bin/env node
 import { defineCommand, runMain } from "citty";
 import consola from "consola";
+import { randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import fs from "node:fs/promises";
 import os from "node:os";
 import path from "node:path";
-import { randomBytes, randomUUID, timingSafeEqual } from "node:crypto";
 import process$1 from "node:process";
 import { execFile, execFileSync, spawn } from "node:child_process";
 import { promisify } from "node:util";
@@ -38,6 +38,9 @@ const PATHS = {
 	},
 	get CLAUDE_RUNTIME_DIR() {
 		return path.join(appDir(), "runtime");
+	},
+	get CLAUDE_CONFIG_DIR() {
+		return path.join(appDir(), "claude-config");
 	}
 };
 async function ensurePaths() {
@@ -53,6 +56,318 @@ async function ensurePaths() {
 		consola.debug("Peer-agent .md sweep skipped:", err);
 	});
 }
+const CLAUDE_HOME_POLICY = new Map([
+	[".credentials.json", "ISOLATED"],
+	[".credentials.json.lock", "ISOLATED"],
+	[".oauth_refresh.lock", "ISOLATED"],
+	[".github-router-managed", "ISOLATED"],
+	["statsig", "ISOLATED"],
+	["cache", "ISOLATED"],
+	["logs", "ISOLATED"],
+	["paste-cache", "ISOLATED"],
+	["projects", "SHARED"],
+	["sessions", "SHARED"],
+	["tasks", "SHARED"],
+	["todos", "SHARED"],
+	["transcripts", "SHARED"],
+	["shell-snapshots", "SHARED"],
+	["shell_snapshots", "SHARED"],
+	["plans", "SHARED"],
+	["file-history", "SHARED"],
+	["backups", "SHARED"]
+]);
+function policyFor(name$1) {
+	return CLAUDE_HOME_POLICY.get(name$1) ?? "MIRRORED";
+}
+/**
+* Names with `SHARED` policy, materialized once for iteration in
+* `ensureClaudeConfigMirror`'s post-copy phase.
+*/
+const SHARED_TOPLEVEL_NAMES = Array.from(CLAUDE_HOME_POLICY.entries()).filter(([, kind]) => kind === "SHARED").map(([name$1]) => name$1);
+/**
+* Marker file written into the router-owned CLAUDE_CONFIG_DIR so users
+* (and our own future sweeps) can identify that the dir is managed by
+* github-router. Content is informational only; no logic depends on
+* its presence.
+*/
+const MANAGED_MARKER_FILENAME = ".github-router-managed";
+/**
+* Synthetic Console OAuth credential the router writes into its own
+* `CLAUDE_CONFIG_DIR/.credentials.json` so spawned Claude Code (and
+* any teammates it spawns) can authenticate without a real user
+* `/login`.
+*
+* Schema verified verbatim from `claude` v2.1.140 binary, function
+* `guH` (the credentials-save mutation). Fields:
+*   - `accessToken` — sent as `Authorization: Bearer ...` to the
+*     proxy. Proxy accepts any bearer (per CLAUDE.md "doesn't enforce
+*     auth").
+*   - `refreshToken` — only used by Claude Code's reactive refresh
+*     path (function `nH8`), which fires on 401 from upstream. The
+*     proxy maintains the no-401 invariant on the Anthropic-shape
+*     boundary, so this is never invoked. Synthetic value is fine.
+*   - `expiresAt` — far-future (2099-01-01 ms epoch). Sidesteps the
+*     proactive refresh path (`R8H(expiresAt)` returns false).
+*   - `scopes` — claude-ai-shaped so `tB(scopes)` returns true,
+*     making `Hq()` true (full feature surface, not "inference only").
+*   - `subscriptionType` — `"max"`. Pure client-side label
+*     (`e7()` / `Zc_()` / `CZ1()`); no server validation since
+*     `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1` suppresses
+*     subscription-validation calls. Picks the most-permissive gating.
+*/
+const SYNTHETIC_CREDENTIAL = { claudeAiOauth: {
+	accessToken: "github-router-synthetic",
+	refreshToken: "github-router-synthetic",
+	expiresAt: 40709088e5,
+	scopes: ["user:inference", "user:profile"],
+	subscriptionType: "max",
+	rateLimitTier: null,
+	clientId: "github-router"
+} };
+/**
+* Snapshot-copy the user's `~/.claude/` into the router-owned
+* CLAUDE_CONFIG_DIR (real files, not symlinks — symlinks don't isolate
+* writes), classifying each top-level entry per `CLAUDE_HOME_POLICY`:
+* ISOLATED entries are skipped, MIRRORED entries are copied, and
+* SHARED entries become directory symlinks back to `~/.claude/<X>` so
+* chat history (in `projects/<cwd-hash>/<session-uuid>.jsonl`) and
+* other durable user state flow between proxy and plain-`claude`
+* sessions. Then writes the synthetic `.credentials.json` so spawned
+* Claude Code (and teammates that inherit `CLAUDE_CONFIG_DIR`)
+* authenticate.
+*
+* Idempotent: only re-copies files whose source `mtime` is newer than
+* target; SHARED-symlink creation no-ops when the symlink already
+* points at the right target. Concurrent-safe: `mkdir({recursive:true})`
+* is idempotent; symlinks are created via atomic temp+rename so two
+* parallel github-router-claude startups can't race to EEXIST; the
+* credentials write uses temp-file + atomic rename so Claude Code's
+* `EZ1()` mtime watcher never sees a partial write.
+*
+* Walks with `lstat` (does NOT follow symlinks during traversal — a
+* symlink-into-`/` would otherwise let the walk escape). Symlink leaves
+* in the source tree are skipped during the MIRRORED copy walk (per the
+* symlink-confused-deputy security finding); SHARED symlinks are
+* created on the mirror side only, pointing at predetermined targets
+* inside the user's real `~/.claude/`.
+*
+* Caller is expected to invoke this after `ensurePaths()` and before
+* spawning Claude Code (`launchChild`). The mirror must exist before
+* the child reads it. Currently called from the `claude` subcommand
+* entry point only; `start` and `codex` subcommands don't need it.
+*/
+async function ensureClaudeConfigMirror(opts = {}) {
+	const realHome = opts.realHome ?? os.homedir();
+	const sourceDir = path.join(realHome, ".claude");
+	const targetDir = PATHS.CLAUDE_CONFIG_DIR;
+	await fs.mkdir(targetDir, {
+		recursive: true,
+		mode: 448
+	});
+	await chmodIfPossible(targetDir, 448);
+	let sourceExists = false;
+	try {
+		sourceExists = (await fs.stat(sourceDir)).isDirectory();
+	} catch (err) {
+		if (err.code !== "ENOENT") consola.debug(`ensureClaudeConfigMirror: cannot stat ${sourceDir}:`, err);
+	}
+	if (sourceExists) await mirrorDirRecursive(sourceDir, targetDir, "");
+	await fs.mkdir(path.join(targetDir, "agents"), { recursive: true });
+	for (const name$1 of SHARED_TOPLEVEL_NAMES) await ensureSharedSymlink(name$1, sourceDir, targetDir).catch((err) => {
+		consola.debug(`ensureClaudeConfigMirror: SHARED symlink for ${name$1} skipped:`, err);
+	});
+	const credentialsPath = path.join(targetDir, ".credentials.json");
+	const desiredJson = JSON.stringify(SYNTHETIC_CREDENTIAL, null, 2);
+	let needsWrite = true;
+	try {
+		needsWrite = (await fs.readFile(credentialsPath, "utf8")).trim() !== desiredJson.trim();
+	} catch (err) {
+		if (err.code !== "ENOENT") consola.debug(`ensureClaudeConfigMirror: cannot read existing credentials:`, err);
+	}
+	if (needsWrite) {
+		const tempPath = `${credentialsPath}.${process.pid}.tmp`;
+		try {
+			await fs.writeFile(tempPath, desiredJson + "\n", {
+				mode: 384,
+				flag: "wx"
+			});
+			await fs.rename(tempPath, credentialsPath);
+		} catch (err) {
+			if (err.code === "EEXIST") consola.debug("ensureClaudeConfigMirror: concurrent credentials-write detected, skipping");
+			else {
+				await fs.unlink(tempPath).catch(() => {});
+				throw err;
+			}
+		}
+	}
+	await chmodIfPossible(credentialsPath, 384);
+	const markerPath = path.join(targetDir, MANAGED_MARKER_FILENAME);
+	let markerExists = false;
+	try {
+		const markerStat = await fs.lstat(markerPath);
+		if (markerStat.isFile()) markerExists = true;
+		else {
+			consola.warn(`ensureClaudeConfigMirror: ${markerPath} exists but is not a regular file (mode=${markerStat.mode.toString(8)}); refusing to overwrite. Inspect and remove manually if safe.`);
+			markerExists = true;
+		}
+	} catch (err) {
+		if (err.code !== "ENOENT") {
+			consola.debug(`ensureClaudeConfigMirror: cannot lstat marker:`, err);
+			markerExists = true;
+		}
+	}
+	if (!markerExists) {
+		const body = `Managed by github-router. Created ${(/* @__PURE__ */ new Date()).toISOString()}. Safe to delete (will be recreated).\n`;
+		await fs.writeFile(markerPath, body, {
+			mode: 384,
+			flag: "wx"
+		}).catch((err) => {
+			consola.debug(`ensureClaudeConfigMirror: marker write skipped:`, err);
+		});
+	}
+}
+/**
+* Recursive snapshot-copy helper for `ensureClaudeConfigMirror`. Walks
+* `sourceDir/relPath` and mirrors each entry into `targetDir/relPath`.
+* - Top-level entries are dispatched on `policyFor(name)`:
+*     - `ISOLATED` → skipped entirely (no presence in mirror).
+*     - `SHARED`   → skipped from the copy walk; handled by
+*                    `ensureSharedSymlink` in the post-copy phase.
+*     - `MIRRORED` → copied as today.
+* - Symlinks are skipped (not recreated) so the walk never follows out
+*   of `sourceDir` and we don't reintroduce a confused-deputy vector.
+* - Files copy only if source mtime > target mtime (idempotent).
+*/
+async function mirrorDirRecursive(sourceDir, targetDir, relPath) {
+	const sourcePath = path.join(sourceDir, relPath);
+	let entries;
+	try {
+		entries = await fs.readdir(sourcePath);
+	} catch (err) {
+		if (err.code === "ENOENT") return;
+		consola.debug(`mirrorDirRecursive: cannot readdir ${sourcePath}:`, err);
+		return;
+	}
+	for (const name$1 of entries) {
+		if (relPath === "") {
+			const policy = policyFor(name$1);
+			if (policy === "ISOLATED" || policy === "SHARED") continue;
+		}
+		const childRel = relPath === "" ? name$1 : path.join(relPath, name$1);
+		const childSource = path.join(sourceDir, childRel);
+		const childTarget = path.join(targetDir, childRel);
+		let stats;
+		try {
+			stats = await fs.lstat(childSource);
+		} catch (err) {
+			consola.debug(`mirrorDirRecursive: cannot lstat ${childSource}:`, err);
+			continue;
+		}
+		if (stats.isSymbolicLink()) {
+			consola.debug(`mirrorDirRecursive: skipping symlink ${childSource} (security policy)`);
+			continue;
+		}
+		if (stats.isDirectory()) {
+			await fs.mkdir(childTarget, { recursive: true });
+			await mirrorDirRecursive(sourceDir, targetDir, childRel);
+			continue;
+		}
+		if (stats.isFile()) {
+			let needsCopy = true;
+			try {
+				const targetStat = await fs.lstat(childTarget);
+				if (targetStat.isFile() && targetStat.mtimeMs >= stats.mtimeMs) needsCopy = false;
+			} catch (err) {
+				if (err.code !== "ENOENT") consola.debug(`mirrorDirRecursive: lstat target ${childTarget}:`, err);
+			}
+			if (!needsCopy) continue;
+			try {
+				await fs.copyFile(childSource, childTarget, fs.constants.COPYFILE_FICLONE);
+			} catch (err) {
+				consola.debug(`mirrorDirRecursive: copy ${childSource} → ${childTarget}:`, err);
+			}
+			continue;
+		}
+	}
+}
+/**
+* Create or refresh a directory symlink `<mirrorDir>/<name>` →
+* `<sourceDir>/<name>` (i.e. `~/.local/share/github-router/claude-config/<X>`
+* → `~/.claude/<X>`). Idempotent and concurrent-safe.
+*
+* Behavior depending on what's already at `<mirrorDir>/<name>`:
+*   - Symlink with the correct target → no-op.
+*   - Symlink with the wrong target → replace atomically.
+*   - Empty real directory (legacy mirror leftover with no proxy-session
+*     writes accumulated yet) → `rmdir` and replace with the symlink.
+*     Safe by definition: `fs.rmdir` only succeeds on empty dirs (POSIX),
+*     so there is nothing to lose. Smooths the upgrade path for users
+*     whose legacy mirror dirs were never written to.
+*   - Non-empty real directory or regular file → loud-warn and skip.
+*     Auto-deleting would destroy proxy-session writes from the prior
+*     version. The user is told the exact path and remediation.
+*   - ENOENT → create symlink atomically.
+*
+* Atomic-creation: symlinks are first written at a unique side-path
+* (`<mirrorDir>/<name>.tmp.<pid>.<8 hex>`) and then `fs.rename()`d into
+* place. POSIX `rename` is atomic and replaces an existing symlink in
+* a single step, so two concurrent `github-router claude` startups can't
+* race to `EEXIST` — the loser's rename just overwrites the winner's
+* symlink with an identical one. Gemini-critic 3-lab-review finding.
+*
+* Pre-creates `~/.claude/<name>/` as a real directory if missing so
+* Claude Code's writes through the symlink don't fail with ENOENT.
+*/
+async function ensureSharedSymlink(name$1, sourceDir, mirrorDir) {
+	const sourcePath = path.join(sourceDir, name$1);
+	const mirrorPath = path.join(mirrorDir, name$1);
+	try {
+		await fs.mkdir(sourcePath, { recursive: true });
+	} catch (err) {
+		consola.debug(`ensureSharedSymlink(${name$1}): cannot mkdir source ${sourcePath}:`, err);
+		return;
+	}
+	let existing = null;
+	try {
+		existing = await fs.lstat(mirrorPath);
+	} catch (err) {
+		if (err.code !== "ENOENT") {
+			consola.debug(`ensureSharedSymlink(${name$1}): cannot lstat ${mirrorPath}:`, err);
+			return;
+		}
+	}
+	if (existing?.isSymbolicLink()) {
+		let currentTarget = null;
+		try {
+			currentTarget = await fs.readlink(mirrorPath);
+		} catch (err) {
+			consola.debug(`ensureSharedSymlink(${name$1}): cannot readlink ${mirrorPath}:`, err);
+		}
+		if (currentTarget === sourcePath) return;
+	} else if (existing?.isDirectory()) try {
+		await fs.rmdir(mirrorPath);
+	} catch (err) {
+		consola.warn(`ensureClaudeConfigMirror: ${mirrorPath} is a non-empty real directory from an older github-router version; refusing to clobber. If you want chat-history continuity for "${name$1}", move its contents into ${sourcePath}/ then delete ${mirrorPath}; the mirror will create a symlink on next launch. (rmdir error: ${err.code ?? "unknown"})`);
+		return;
+	}
+	else if (existing) {
+		consola.warn(`ensureClaudeConfigMirror: ${mirrorPath} is a regular file at a SHARED symlink slot; refusing to clobber. Inspect and remove manually if safe; the mirror will create a symlink on next launch.`);
+		return;
+	}
+	const tempPath = `${mirrorPath}.tmp.${process.pid}.${randomBytes(4).toString("hex")}`;
+	try {
+		await fs.symlink(sourcePath, tempPath);
+	} catch (err) {
+		consola.debug(`ensureSharedSymlink(${name$1}): symlink ${tempPath} failed:`, err);
+		return;
+	}
+	try {
+		await fs.rename(tempPath, mirrorPath);
+	} catch (err) {
+		consola.debug(`ensureSharedSymlink(${name$1}): rename ${tempPath} → ${mirrorPath} failed:`, err);
+		await fs.unlink(tempPath).catch(() => {});
+	}
+}
 async function ensureFile(filePath) {
 	try {
 		await fs.access(filePath, fs.constants.W_OK);
@@ -139,12 +454,15 @@ function isPidAlive(pid) {
 	}
 }
 /**
-* Sweep stale peer-* subagent .md files from `~/.claude/agents/`. Phase
-* 2.5 writes one .md per peer agent into the canonical agents directory
-* so they appear in Claude Code's Task `subagent_type` enum. Files are
-* named `peer-<pid>-<rand>-<agentName>.md` so this sweep can drop
-* orphans from crashed prior proxy sessions without touching the user's
-* own .md files.
+* Sweep stale peer-* subagent .md files from the router-owned
+* `CLAUDE_CONFIG_DIR/agents/`. Phase 2.5 writes one .md per peer agent
+* into Claude Code's agents directory (now our config dir's `agents/`
+* subdir, since `getClaudeCodeEnvVars` points `CLAUDE_CONFIG_DIR` at
+* `PATHS.CLAUDE_CONFIG_DIR`) so they appear in Claude Code's Task
+* `subagent_type` enum. Files are named `peer-<pid>-<rand>-<agentName>.md`
+* so this sweep can drop orphans from crashed prior proxy sessions
+* without touching the user's own .md files (which were copied into
+* the same dir during `ensureClaudeConfigMirror`).
 *
 * Same liveness rule as `sweepStaleRuntimeFiles`: only delete when the
 * file's embedded PID is no longer alive. Live PIDs keep their files —
@@ -160,7 +478,7 @@ function isPidAlive(pid) {
 * realistic user filename.
 */
 async function sweepStalePeerAgentMdFiles() {
-	const dir = path.join(os.homedir(), ".claude", "agents");
+	const dir = path.join(PATHS.CLAUDE_CONFIG_DIR, "agents");
 	let entries;
 	try {
 		entries = await fs.readdir(dir);
@@ -273,19 +591,20 @@ async function forwardError(c, error) {
 				}
 			}, 400);
 		}
+		const responseStatus = error.response.status === 401 ? 503 : error.response.status;
 		if (isAnthropicError(errorJson)) {
 			consola.error("HTTP error:", errorJson);
-			return c.json(errorJson, error.response.status);
+			return c.json(errorJson, responseStatus);
 		}
 		const message = resolveErrorMessage(errorJson, errorText);
 		consola.error("HTTP error:", errorJson ?? errorText);
 		return c.json({
 			type: "error",
 			error: {
-				type: resolveErrorType(error.response.status),
+				type: resolveErrorType(responseStatus),
 				message
 			}
-		}, error.response.status);
+		}, responseStatus);
 	}
 	return c.json({
 		type: "error",
@@ -342,6 +661,12 @@ function isContextOverflow(status, errorJson, errorText) {
 }
 /**
 * Map HTTP status to Anthropic error type.
+*
+* Note: a 401 from upstream is remapped to 503 in `forwardError` BEFORE
+* this function is called (no-401 invariant — see comment there). The
+* 401 → "authentication_error" mapping below is preserved for
+* defensive coverage in case any code path calls `resolveErrorType`
+* directly with an unsanitized status.
 */
 function resolveErrorType(status) {
 	if (status === 400) return "invalid_request_error";
@@ -349,6 +674,7 @@ function resolveErrorType(status) {
 	if (status === 403) return "permission_error";
 	if (status === 404) return "not_found_error";
 	if (status === 429) return "rate_limit_error";
+	if (status === 503) return "overloaded_error";
 	if (status === 529) return "overloaded_error";
 	return "api_error";
 }
@@ -1136,6 +1462,7 @@ const STRIPPED_PARENT_ENV_KEYS = [
 	"ANTHROPIC_CUSTOM_HEADERS",
 	"ANTHROPIC_MODEL",
 	"CLAUDE_CODE_OAUTH_TOKEN",
+	"CLAUDE_CODE_OAUTH_TOKEN_FILE_DESCRIPTOR",
 	"CLAUDE_CODE_USE_BEDROCK",
 	"CLAUDE_CODE_USE_VERTEX",
 	"CLAUDE_CODE_USE_FOUNDRY",
@@ -1671,12 +1998,16 @@ function buildPeerAgentDefinitions(opts) {
 * Default location Claude Code reads subagent .md files from at session
 * startup. Files placed here populate the Task `subagent_type` enum.
 *
-* We pin to the user's `~/.claude/agents/` because `getClaudeCodeEnvVars`
-* sets `CLAUDE_CONFIG_DIR=$HOME/.claude` (the Spawned-CLI auth isolation
-* trick) — the spawned child reads from this exact path.
+* We point at the router-owned `PATHS.CLAUDE_CONFIG_DIR/agents/` because
+* `getClaudeCodeEnvVars` sets `CLAUDE_CONFIG_DIR=PATHS.CLAUDE_CONFIG_DIR`
+* (the snapshot-mirror substrate fix that gives spawned teammates an
+* authenticatable on-disk credential). The user's own custom-agent .md
+* files were copied into this same dir by `ensureClaudeConfigMirror`,
+* so writing peer-* files here doesn't conflict — and the boot-time
+* sweep is scoped to peer-* names only via the persona-name allowlist.
 */
 function defaultAgentsDir() {
-	return path.join(os.homedir(), ".claude", "agents");
+	return path.join(PATHS.CLAUDE_CONFIG_DIR, "agents");
 }
 /**
 * YAML frontmatter string-escape — sufficient for our use case where
@@ -2013,7 +2344,7 @@ function initProxyFromEnv() {
 //#endregion
 //#region package.json
 var name = "github-router";
-var version = "0.3.20";
+var version = "0.3.21";
 
 //#endregion
 //#region src/lib/approval.ts
@@ -5519,48 +5850,50 @@ function parseSharedArgs(args) {
 * (see `src/lib/launch.ts`) BEFORE these overrides are merged in, so we
 * only need to provide the positive values.
 *
-* Auth precedence in Claude Code (https://code.claude.com/docs/en/iam):
+* Auth precedence in Claude Code (https://code.claude.com/docs/en/iam),
+* after the github-router substrate fix:
 *   1. Cloud provider (CLAUDE_CODE_USE_BEDROCK / VERTEX / FOUNDRY) — stripped at parent.
-*   2. ANTHROPIC_AUTH_TOKEN — set here to "dummy"; wins over #4–#6.
-*   3. ANTHROPIC_API_KEY — stripped at parent, intentionally NOT re-set
-*      (Claude Code emits an Auth conflict warning when both AUTH_TOKEN
-*      and API_KEY are present, even with dummy values).
-*   4. apiKeyHelper in settings.json — beaten by #2.
+*   2. ANTHROPIC_AUTH_TOKEN — NOT set by the proxy. Stripped at parent
+*      (no env-source auth in the spawned child at all).
+*   3. ANTHROPIC_API_KEY — stripped at parent.
+*   4. apiKeyHelper in settings.json — copied into our config dir as
+*      part of the mirror; if the user defined one, it still fires
+*      and may mint an `x-api-key` header. Copilot ignores `x-api-key`,
+*      so behavior is unchanged from before this fix.
 *   5. CLAUDE_CODE_OAUTH_TOKEN — stripped at parent.
-*   6. Subscription OAuth (Keychain / ~/.claude/.credentials.json) —
-*      INVISIBLE to the spawned child via the CLAUDE_CONFIG_DIR trick
-*      below. The credential file is left in place so `claude /logout`
-*      still works outside the proxy.
+*   6. Subscription OAuth (Keychain / `<CLAUDE_CONFIG_DIR>/.credentials.json`)
+*      — the credentials file is OURS (synthetic blob, written by
+*      `ensureClaudeConfigMirror`). Claude Code reads accessToken from
+*      it and sends as `Authorization: Bearer <accessToken>`. The
+*      teammate-spawn allowlist propagates `CLAUDE_CONFIG_DIR` to
+*      children, so spawned teammates find the same synthetic credential
+*      and authenticate (the bug this whole fix addresses).
 *
 * `CLAUDE_CONFIG_DIR` activates Claude Code's per-config-dir keychain
-* isolation. Per binary-grep of Claude Code 2.1.126's `iN()` function:
-*
-*   function iN(H = "") {
-*     let _ = B6(),  // resolved config-dir path
-*         K = !process.env.CLAUDE_CONFIG_DIR ? "" : `-${sha256(_).slice(0, 8)}`;
-*     return `Claude Code${OAUTH_FILE_SUFFIX}${H}${K}`
-*   }
+* isolation (per binary-grep of v2.1.126's `iN()` function: when set,
+* the keychain service name becomes `Claude Code-<sha256(path)[0..8]>`,
+* missing the user's real `Claude Code` entry). Pointing it at our
+* snapshot-copied `PATHS.CLAUDE_CONFIG_DIR` preserves user customization
+* (mirrored settings.json, skills, MCP, hooks, CLAUDE.md, custom
+* agents) while giving teammates a credential they can find on disk.
 *
-* The conditional is on PRESENCE, not value. When CLAUDE_CONFIG_DIR is
-* unset (the user's normal `claude` usage), the keychain service name is
-* "Claude Code" and their `/login` credential is found there. When set
-* (the proxy session), the service name becomes "Claude Code-<hash>" —
-* the user's credential is invisible, `iCH()` returns null, and all
-* three auth-conflict warnings fire `false`. The path resolves to the
-* default config-dir, so settings.json/skills/MCP/plugins/hooks/CLAUDE.md
-* still load from `~/.claude` as normal.
+* No-401 invariant: Claude Code's reactive refresh path (`SZ1` →
+* `D3(0,true,...)`) fires on any 401 from upstream. The synthetic
+* refreshToken would fail any real refresh attempt, so the proxy
+* MUST NOT return 401 on the Anthropic-shape boundary even when
+* upstream Copilot returns 401. See `src/routes/messages/handler.ts`.
 */
 function getClaudeCodeEnvVars(serverUrl, model) {
 	const vars = {
 		ANTHROPIC_BASE_URL: serverUrl,
-		ANTHROPIC_AUTH_TOKEN: "dummy",
-		CLAUDE_CONFIG_DIR: path.join(os.homedir(), ".claude"),
+		CLAUDE_CONFIG_DIR: PATHS.CLAUDE_CONFIG_DIR,
 		MCP_TIMEOUT: "600000",
 		DISABLE_NON_ESSENTIAL_MODEL_CALLS: "1",
 		CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC: "1",
 		DISABLE_TELEMETRY: "1"
 	};
 	if (model) vars.ANTHROPIC_MODEL = model;
+	if (process.env.ANTHROPIC_SMALL_FAST_MODEL === void 0) vars.ANTHROPIC_SMALL_FAST_MODEL = "claude-haiku-4-5";
 	for (const key of [
 		"CLAUDE_CODE_ENABLE_EXPERIMENTAL_ADVISOR_TOOL",
 		"CLAUDE_CODE_FORK_SUBAGENT",
@@ -5673,6 +6006,12 @@ const claude = defineCommand({
 			consola.error("Failed to start server:", error instanceof Error ? error.message : error);
 			process$1.exit(1);
 		}
+		try {
+			await ensureClaudeConfigMirror();
+		} catch (err) {
+			consola.error(`Failed to provision CLAUDE_CONFIG_DIR mirror: ${err instanceof Error ? err.message : String(err)}. Spawned Claude Code would not be able to authenticate.`);
+			process$1.exit(1);
+		}
 		enableFileLogging();
 		const usingDefault = !args.model;
 		let chosenSlug = args.model ?? DEFAULT_CLAUDE_MODEL;