kimaki 0.4.89 → 0.4.91

package/dist/anthropic-auth-plugin.js

@@ -6,12 +6,13 @@
  *
  *   cd ~/.config/opencode
  *   bun init -y
- *   bun add @openauthjs/openauth proper-lockfile
+ *   bun add proper-lockfile
  *
- * Handles two concerns:
+ * Handles three concerns:
  * 1. OAuth login + token refresh (PKCE flow against claude.ai)
  * 2. Request/response rewriting (tool names, system prompt, beta headers)
  *    so the Anthropic API treats requests as Claude Code CLI requests.
+ * 3. Multi-account OAuth rotation after Anthropic rate-limit/auth failures.
  *
  * Login mode is chosen from environment:
  * - `KIMAKI` set: remote-first pasted callback URL/raw code flow
@@ -21,53 +22,67 @@
  * - https://github.com/badlogic/pi-mono/blob/main/packages/ai/src/utils/oauth/anthropic.ts
  * - https://github.com/badlogic/pi-mono/blob/main/packages/ai/src/providers/anthropic.ts
  */
-import { generatePKCE } from "@openauthjs/openauth/pkce";
-import { spawn } from "node:child_process";
-import * as fs from "node:fs/promises";
-import { createServer } from "node:http";
-import { homedir } from "node:os";
-import path from "node:path";
-import lockfile from "proper-lockfile";
+import { loadAccountStore, rememberAnthropicOAuth, rotateAnthropicAccount, saveAccountStore, setAnthropicAuth, shouldRotateAuth, upsertAccount, withAuthStateLock, } from './anthropic-auth-state.js';
+// PKCE (Proof Key for Code Exchange) using Web Crypto API.
+// Reference: https://github.com/badlogic/pi-mono/blob/main/packages/ai/src/utils/oauth/pkce.ts
+function base64urlEncode(bytes) {
+    let binary = '';
+    for (const byte of bytes) {
+        binary += String.fromCharCode(byte);
+    }
+    return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
+}
+async function generatePKCE() {
+    const verifierBytes = new Uint8Array(32);
+    crypto.getRandomValues(verifierBytes);
+    const verifier = base64urlEncode(verifierBytes);
+    const data = new TextEncoder().encode(verifier);
+    const hashBuffer = await crypto.subtle.digest('SHA-256', data);
+    const challenge = base64urlEncode(new Uint8Array(hashBuffer));
+    return { verifier, challenge };
+}
+import { spawn } from 'node:child_process';
+import { createServer } from 'node:http';
 // --- Constants ---
 const CLIENT_ID = (() => {
-    const encoded = "OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl";
-    return typeof atob === "function"
+    const encoded = 'OWQxYzI1MGEtZTYxYi00NGQ5LTg4ZWQtNTk0NGQxOTYyZjVl';
+    return typeof atob === 'function'
         ? atob(encoded)
-        : Buffer.from(encoded, "base64").toString("utf8");
+        : Buffer.from(encoded, 'base64').toString('utf8');
 })();
-const TOKEN_URL = "https://platform.claude.com/v1/oauth/token";
-const CREATE_API_KEY_URL = "https://api.anthropic.com/api/oauth/claude_cli/create_api_key";
+const TOKEN_URL = 'https://platform.claude.com/v1/oauth/token';
+const CREATE_API_KEY_URL = 'https://api.anthropic.com/api/oauth/claude_cli/create_api_key';
 const CALLBACK_PORT = 53692;
-const CALLBACK_PATH = "/callback";
+const CALLBACK_PATH = '/callback';
 const REDIRECT_URI = `http://localhost:${CALLBACK_PORT}${CALLBACK_PATH}`;
-const SCOPES = "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
+const SCOPES = 'org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload';
 const OAUTH_TIMEOUT_MS = 5 * 60 * 1000;
-const CLAUDE_CODE_VERSION = "2.1.75";
+const CLAUDE_CODE_VERSION = '2.1.75';
 const CLAUDE_CODE_IDENTITY = "You are Claude Code, Anthropic's official CLI for Claude.";
-const OPENCODE_IDENTITY = "You are OpenCode, the best coding agent on the planet.";
-const CLAUDE_CODE_BETA = "claude-code-20250219";
-const OAUTH_BETA = "oauth-2025-04-20";
-const FINE_GRAINED_TOOL_STREAMING_BETA = "fine-grained-tool-streaming-2025-05-14";
-const INTERLEAVED_THINKING_BETA = "interleaved-thinking-2025-05-14";
+const OPENCODE_IDENTITY = 'You are OpenCode, the best coding agent on the planet.';
+const CLAUDE_CODE_BETA = 'claude-code-20250219';
+const OAUTH_BETA = 'oauth-2025-04-20';
+const FINE_GRAINED_TOOL_STREAMING_BETA = 'fine-grained-tool-streaming-2025-05-14';
+const INTERLEAVED_THINKING_BETA = 'interleaved-thinking-2025-05-14';
 const ANTHROPIC_HOSTS = new Set([
-    "api.anthropic.com",
-    "claude.ai",
-    "console.anthropic.com",
-    "platform.claude.com",
+    'api.anthropic.com',
+    'claude.ai',
+    'console.anthropic.com',
+    'platform.claude.com',
 ]);
 const OPENCODE_TO_CLAUDE_CODE_TOOL_NAME = {
-    bash: "Bash",
-    edit: "Edit",
-    glob: "Glob",
-    grep: "Grep",
-    question: "AskUserQuestion",
-    read: "Read",
-    skill: "Skill",
-    task: "Task",
-    todowrite: "TodoWrite",
-    webfetch: "WebFetch",
-    websearch: "WebSearch",
-    write: "Write",
+    bash: 'Bash',
+    edit: 'Edit',
+    glob: 'Glob',
+    grep: 'Grep',
+    question: 'AskUserQuestion',
+    read: 'Read',
+    skill: 'Skill',
+    task: 'Task',
+    todowrite: 'TodoWrite',
+    webfetch: 'WebFetch',
+    websearch: 'WebSearch',
+    write: 'Write',
 };
 // --- HTTP helpers ---
 // Claude OAuth token exchange can 429 when this runs inside the opencode auth
@@ -82,7 +97,9 @@ async function requestText(urlString, options) {
             method: options.method,
             url: urlString,
         });
-        const child = spawn("node", ["-e", `
+        const child = spawn('node', [
+            '-e',
+            `
 const input = JSON.parse(process.argv[1]);
 (async () => {
   const response = await fetch(input.url, {
@@ -100,33 +117,35 @@ const input = JSON.parse(process.argv[1]);
   console.error(error instanceof Error ? error.stack ?? error.message : String(error));
   process.exit(1);
 });
-    `.trim(), payload], {
-            stdio: ["ignore", "pipe", "pipe"],
+    `.trim(),
+            payload,
+        ], {
+            stdio: ['ignore', 'pipe', 'pipe'],
         });
-        let stdout = "";
-        let stderr = "";
+        let stdout = '';
+        let stderr = '';
         const timeout = setTimeout(() => {
             child.kill();
             reject(new Error(`Request timed out. url=${urlString}`));
         }, 30_000);
-        child.stdout.on("data", (chunk) => {
+        child.stdout.on('data', (chunk) => {
             stdout += String(chunk);
         });
-        child.stderr.on("data", (chunk) => {
+        child.stderr.on('data', (chunk) => {
             stderr += String(chunk);
         });
-        child.on("error", (error) => {
+        child.on('error', (error) => {
             clearTimeout(timeout);
             reject(error);
         });
-        child.on("close", (code) => {
+        child.on('close', (code) => {
             clearTimeout(timeout);
             if (code !== 0) {
                 let details = stderr.trim();
                 try {
                     const parsed = JSON.parse(details);
-                    if (typeof parsed.status === "number") {
-                        reject(new Error(`HTTP ${parsed.status} from ${urlString}: ${parsed.body ?? ""}`));
+                    if (typeof parsed.status === 'number') {
+                        reject(new Error(`HTTP ${parsed.status} from ${urlString}: ${parsed.body ?? ''}`));
                         return;
                     }
                 }
@@ -143,42 +162,17 @@ const input = JSON.parse(process.argv[1]);
 async function postJson(url, body) {
     const requestBody = JSON.stringify(body);
     const responseText = await requestText(url, {
-        method: "POST",
+        method: 'POST',
         headers: {
-            Accept: "application/json",
-            "Content-Length": String(Buffer.byteLength(requestBody)),
-            "Content-Type": "application/json",
+            Accept: 'application/json',
+            'Content-Length': String(Buffer.byteLength(requestBody)),
+            'Content-Type': 'application/json',
         },
         body: requestBody,
     });
     return JSON.parse(responseText);
 }
-// --- File lock for token refresh ---
-let pendingRefresh;
-function authFilePath() {
-    if (process.env.XDG_DATA_HOME) {
-        return path.join(process.env.XDG_DATA_HOME, "opencode", "auth.json");
-    }
-    return path.join(homedir(), ".local", "share", "opencode", "auth.json");
-}
-async function withAuthRefreshLock(fn) {
-    const file = authFilePath();
-    await fs.mkdir(path.dirname(file), { recursive: true });
-    await fs.appendFile(file, "");
-    const release = await lockfile.lock(file, {
-        realpath: false,
-        stale: 30_000,
-        update: 15_000,
-        retries: { factor: 1.3, forever: true, maxTimeout: 1_000, minTimeout: 100 },
-        onCompromised: () => { },
-    });
-    try {
-        return await fn();
-    }
-    finally {
-        await release().catch(() => { });
-    }
-}
+const pendingRefresh = new Map();
 // --- OAuth token exchange & refresh ---
 function parseTokenResponse(json) {
     const data = json;
@@ -192,7 +186,7 @@ function tokenExpiry(expiresIn) {
 }
 async function exchangeAuthorizationCode(code, state, verifier, redirectUri) {
     const json = await postJson(TOKEN_URL, {
-        grant_type: "authorization_code",
+        grant_type: 'authorization_code',
         client_id: CLIENT_ID,
         code,
         state,
@@ -201,7 +195,7 @@ async function exchangeAuthorizationCode(code, state, verifier, redirectUri) {
     });
     const data = parseTokenResponse(json);
     return {
-        type: "success",
+        type: 'success',
         refresh: data.refresh_token,
         access: data.access_token,
         expires: tokenExpiry(data.expires_in),
@@ -209,13 +203,13 @@ async function exchangeAuthorizationCode(code, state, verifier, redirectUri) {
 }
 async function refreshAnthropicToken(refreshToken) {
     const json = await postJson(TOKEN_URL, {
-        grant_type: "refresh_token",
+        grant_type: 'refresh_token',
         client_id: CLIENT_ID,
         refresh_token: refreshToken,
     });
     const data = parseTokenResponse(json);
     return {
-        type: "oauth",
+        type: 'oauth',
         refresh: data.refresh_token,
         access: data.access_token,
         expires: tokenExpiry(data.expires_in),
@@ -223,15 +217,15 @@ async function refreshAnthropicToken(refreshToken) {
 }
 async function createApiKey(accessToken) {
     const responseText = await requestText(CREATE_API_KEY_URL, {
-        method: "POST",
+        method: 'POST',
         headers: {
-            Accept: "application/json",
+            Accept: 'application/json',
             authorization: `Bearer ${accessToken}`,
-            "Content-Type": "application/json",
+            'Content-Type': 'application/json',
         },
     });
     const json = JSON.parse(responseText);
-    return { type: "success", key: json.raw_key };
+    return { type: 'success', key: json.raw_key };
 }
 async function startCallbackServer(expectedState) {
     return new Promise((resolve, reject) => {
@@ -247,37 +241,45 @@ async function startCallbackServer(expectedState) {
         });
         const server = createServer((req, res) => {
             try {
-                const url = new URL(req.url || "", "http://localhost");
+                const url = new URL(req.url || '', 'http://localhost');
                 if (url.pathname !== CALLBACK_PATH) {
-                    res.writeHead(404).end("Not found");
+                    res.writeHead(404).end('Not found');
                     return;
                 }
-                const code = url.searchParams.get("code");
-                const state = url.searchParams.get("state");
-                const error = url.searchParams.get("error");
+                const code = url.searchParams.get('code');
+                const state = url.searchParams.get('state');
+                const error = url.searchParams.get('error');
                 if (error || !code || !state || state !== expectedState) {
-                    res.writeHead(400).end("Authentication failed: " + (error || "missing code/state"));
+                    res.writeHead(400).end('Authentication failed: ' + (error || 'missing code/state'));
                     return;
                 }
-                res.writeHead(200, { "Content-Type": "text/plain" }).end("Authentication successful. You can close this window.");
+                res
+                    .writeHead(200, { 'Content-Type': 'text/plain' })
+                    .end('Authentication successful. You can close this window.');
                 settle?.({ code, state });
             }
             catch {
-                res.writeHead(500).end("Internal error");
+                res.writeHead(500).end('Internal error');
             }
         });
-        server.once("error", reject);
-        server.listen(CALLBACK_PORT, "127.0.0.1", () => {
+        server.once('error', reject);
+        server.listen(CALLBACK_PORT, '127.0.0.1', () => {
             resolve({
                 server,
-                cancelWait: () => { settle?.(null); },
+                cancelWait: () => {
+                    settle?.(null);
+                },
                 waitForCode: () => waitPromise,
             });
         });
     });
 }
 function closeServer(server) {
-    return new Promise((resolve) => { server.close(() => { resolve(); }); });
+    return new Promise((resolve) => {
+        server.close(() => {
+            resolve();
+        });
+    });
 }
 // --- Authorization flow ---
 // Unified flow: beginAuthorizationFlow starts PKCE + callback server,
@@ -286,13 +288,13 @@ async function beginAuthorizationFlow() {
     const pkce = await generatePKCE();
     const callbackServer = await startCallbackServer(pkce.verifier);
     const authParams = new URLSearchParams({
-        code: "true",
+        code: 'true',
         client_id: CLIENT_ID,
-        response_type: "code",
+        response_type: 'code',
         redirect_uri: REDIRECT_URI,
         scope: SCOPES,
         code_challenge: pkce.challenge,
-        code_challenge_method: "S256",
+        code_challenge_method: 'S256',
         state: pkce.verifier,
     });
     return {
@@ -306,7 +308,11 @@ async function waitForCallback(callbackServer, manualInput) {
         // Try localhost callback first (instant check)
         const quick = await Promise.race([
             callbackServer.waitForCode(),
-            new Promise((r) => { setTimeout(() => { r(null); }, 50); }),
+            new Promise((r) => {
+                setTimeout(() => {
+                    r(null);
+                }, 50);
+            }),
         ]);
         if (quick?.code)
             return quick;
@@ -318,10 +324,14 @@ async function waitForCallback(callbackServer, manualInput) {
         // Wait for localhost callback with timeout
         const result = await Promise.race([
             callbackServer.waitForCode(),
-            new Promise((r) => { setTimeout(() => { r(null); }, OAUTH_TIMEOUT_MS); }),
+            new Promise((r) => {
+                setTimeout(() => {
+                    r(null);
+                }, OAUTH_TIMEOUT_MS);
+            }),
         ]);
         if (!result?.code) {
-            throw new Error("Timed out waiting for OAuth callback");
+            throw new Error('Timed out waiting for OAuth callback');
         }
         return result;
     }
@@ -333,25 +343,25 @@ async function waitForCallback(callbackServer, manualInput) {
 function parseManualInput(input) {
     try {
         const url = new URL(input);
-        const code = url.searchParams.get("code");
-        const state = url.searchParams.get("state");
+        const code = url.searchParams.get('code');
+        const state = url.searchParams.get('state');
         if (code)
-            return { code, state: state || "" };
+            return { code, state: state || '' };
     }
     catch {
         // not a URL
     }
-    if (input.includes("#")) {
-        const [code = "", state = ""] = input.split("#", 2);
+    if (input.includes('#')) {
+        const [code = '', state = ''] = input.split('#', 2);
         return { code, state };
     }
-    if (input.includes("code=")) {
+    if (input.includes('code=')) {
         const params = new URLSearchParams(input);
-        const code = params.get("code");
+        const code = params.get('code');
         if (code)
-            return { code, state: params.get("state") || "" };
+            return { code, state: params.get('state') || '' };
     }
-    return { code: input, state: "" };
+    return { code: input, state: '' };
 }
 // Unified authorize handler: returns either OAuth tokens or an API key,
 // for both auto and remote-first modes.
@@ -363,16 +373,22 @@ function buildAuthorizeHandler(mode) {
         const finalize = async (result) => {
             const verifier = auth.verifier;
             const creds = await exchangeAuthorizationCode(result.code, result.state || verifier, verifier, REDIRECT_URI);
-            if (mode === "apikey") {
+            if (mode === 'apikey') {
                 return createApiKey(creds.access);
             }
+            await rememberAnthropicOAuth({
+                type: 'oauth',
+                refresh: creds.refresh,
+                access: creds.access,
+                expires: creds.expires,
+            });
             return creds;
         };
         if (!isRemote) {
             return {
                 url: auth.url,
-                instructions: "Complete login in your browser on this machine. OpenCode will catch the localhost callback automatically.",
-                method: "auto",
+                instructions: 'Complete login in your browser on this machine. OpenCode will catch the localhost callback automatically.',
+                method: 'auto',
                 callback: async () => {
                     pendingAuthResult ??= (async () => {
                         try {
@@ -381,7 +397,7 @@ function buildAuthorizeHandler(mode) {
                         }
                         catch (error) {
                             console.error(`[anthropic-auth] ${error}`);
-                            return { type: "failed" };
+                            return { type: 'failed' };
                         }
                     })();
                     return pendingAuthResult;
@@ -390,8 +406,8 @@ function buildAuthorizeHandler(mode) {
         }
         return {
             url: auth.url,
-            instructions: "Complete login in your browser, then paste the final redirect URL from the address bar here. Pasting just the authorization code also works.",
-            method: "code",
+            instructions: 'Complete login in your browser, then paste the final redirect URL from the address bar here. Pasting just the authorization code also works.',
+            method: 'code',
             callback: async (input) => {
                 pendingAuthResult ??= (async () => {
                     try {
@@ -400,7 +416,7 @@ function buildAuthorizeHandler(mode) {
                     }
                     catch (error) {
                         console.error(`[anthropic-auth] ${error}`);
-                        return { type: "failed" };
+                        return { type: 'failed' };
                     }
                 })();
                 return pendingAuthResult;
@@ -418,23 +434,23 @@ function sanitizeSystemText(text) {
     return text.replaceAll(OPENCODE_IDENTITY, CLAUDE_CODE_IDENTITY);
 }
 function prependClaudeCodeIdentity(system) {
-    const identityBlock = { type: "text", text: CLAUDE_CODE_IDENTITY };
-    if (typeof system === "undefined")
+    const identityBlock = { type: 'text', text: CLAUDE_CODE_IDENTITY };
+    if (typeof system === 'undefined')
         return [identityBlock];
-    if (typeof system === "string") {
+    if (typeof system === 'string') {
         const sanitized = sanitizeSystemText(system);
         if (sanitized === CLAUDE_CODE_IDENTITY)
             return [identityBlock];
-        return [identityBlock, { type: "text", text: sanitized }];
+        return [identityBlock, { type: 'text', text: sanitized }];
     }
     if (!Array.isArray(system))
         return [identityBlock, system];
     const sanitized = system.map((item) => {
-        if (typeof item === "string")
-            return { type: "text", text: sanitizeSystemText(item) };
-        if (item && typeof item === "object" && item.type === "text") {
+        if (typeof item === 'string')
+            return { type: 'text', text: sanitizeSystemText(item) };
+        if (item && typeof item === 'object' && item.type === 'text') {
             const text = item.text;
-            if (typeof text === "string") {
+            if (typeof text === 'string') {
                 return { ...item, text: sanitizeSystemText(text) };
             }
         }
@@ -442,8 +458,8 @@ function prependClaudeCodeIdentity(system) {
     });
     const first = sanitized[0];
     if (first &&
-        typeof first === "object" &&
-        first.type === "text" &&
+        typeof first === 'object' &&
+        first.type === 'text' &&
         first.text === CLAUDE_CODE_IDENTITY) {
         return sanitized;
     }
@@ -455,14 +471,14 @@ function rewriteRequestPayload(body) {
     try {
         const payload = JSON.parse(body);
         const reverseToolNameMap = new Map();
-        const modelId = typeof payload.model === "string" ? payload.model : undefined;
+        const modelId = typeof payload.model === 'string' ? payload.model : undefined;
         // Build reverse map and rename tools
         if (Array.isArray(payload.tools)) {
             payload.tools = payload.tools.map((tool) => {
-                if (!tool || typeof tool !== "object")
+                if (!tool || typeof tool !== 'object')
                     return tool;
                 const name = tool.name;
-                if (typeof name !== "string")
+                if (typeof name !== 'string')
                     return tool;
                 const mapped = toClaudeCodeToolName(name);
                 reverseToolNameMap.set(mapped, name);
@@ -473,10 +489,10 @@ function rewriteRequestPayload(body) {
         payload.system = prependClaudeCodeIdentity(payload.system);
         // Rename tool_choice
         if (payload.tool_choice &&
-            typeof payload.tool_choice === "object" &&
-            payload.tool_choice.type === "tool") {
+            typeof payload.tool_choice === 'object' &&
+            payload.tool_choice.type === 'tool') {
             const name = payload.tool_choice.name;
-            if (typeof name === "string") {
+            if (typeof name === 'string') {
                 payload.tool_choice = {
                     ...payload.tool_choice,
                     name: toClaudeCodeToolName(name),
@@ -486,7 +502,7 @@ function rewriteRequestPayload(body) {
         // Rename tool_use blocks in messages
         if (Array.isArray(payload.messages)) {
             payload.messages = payload.messages.map((message) => {
-                if (!message || typeof message !== "object")
+                if (!message || typeof message !== 'object')
                     return message;
                 const content = message.content;
                 if (!Array.isArray(content))
@@ -494,10 +510,10 @@ function rewriteRequestPayload(body) {
                 return {
                     ...message,
                     content: content.map((block) => {
-                        if (!block || typeof block !== "object")
+                        if (!block || typeof block !== 'object')
                             return block;
                         const b = block;
-                        if (b.type !== "tool_use" || typeof b.name !== "string")
+                        if (b.type !== 'tool_use' || typeof b.name !== 'string')
                             return block;
                         return { ...block, name: toClaudeCodeToolName(b.name) };
                     }),
@@ -516,7 +532,7 @@ function wrapResponseStream(response, reverseToolNameMap) {
     const reader = response.body.getReader();
     const decoder = new TextDecoder();
     const encoder = new TextEncoder();
-    let carry = "";
+    let carry = '';
     const transform = (text) => {
         return text.replace(/"name"\s*:\s*"([^"]+)"/g, (full, name) => {
             const original = reverseToolNameMap.get(name);
@@ -554,10 +570,10 @@ function wrapResponseStream(response, reverseToolNameMap) {
 // --- Beta headers ---
 function getRequiredBetas(modelId) {
     const betas = [CLAUDE_CODE_BETA, OAUTH_BETA, FINE_GRAINED_TOOL_STREAMING_BETA];
-    const isAdaptive = modelId?.includes("opus-4-6") ||
-        modelId?.includes("opus-4.6") ||
-        modelId?.includes("sonnet-4-6") ||
-        modelId?.includes("sonnet-4.6");
+    const isAdaptive = modelId?.includes('opus-4-6') ||
+        modelId?.includes('opus-4.6') ||
+        modelId?.includes('sonnet-4-6') ||
+        modelId?.includes('sonnet-4.6');
     if (!isAdaptive)
         betas.push(INTERLEAVED_THINKING_BETA);
     return betas;
@@ -566,13 +582,16 @@ function mergeBetas(existing, required) {
     return [
         ...new Set([
             ...required,
-            ...(existing || "").split(",").map((s) => s.trim()).filter(Boolean),
+            ...(existing || '')
+                .split(',')
+                .map((s) => s.trim())
+                .filter(Boolean),
         ]),
-    ].join(",");
+    ].join(',');
 }
 // --- Token refresh with dedup ---
 function isOAuthStored(auth) {
-    return auth.type === "oauth";
+    return auth.type === 'oauth';
 }
 async function getFreshOAuth(getAuth, client) {
     const auth = await getAuth();
@@ -580,38 +599,46 @@ async function getFreshOAuth(getAuth, client) {
         return undefined;
     if (auth.access && auth.expires > Date.now())
         return auth;
-    if (!pendingRefresh) {
-        pendingRefresh = withAuthRefreshLock(async () => {
-            const latest = await getAuth();
-            if (!isOAuthStored(latest)) {
-                throw new Error("Anthropic OAuth credentials disappeared during refresh");
-            }
-            if (latest.access && latest.expires > Date.now())
-                return latest;
-            const refreshed = await refreshAnthropicToken(latest.refresh);
-            await client.auth.set({ path: { id: "anthropic" }, body: refreshed });
-            return refreshed;
-        }).finally(() => {
-            pendingRefresh = undefined;
-        });
+    const pending = pendingRefresh.get(auth.refresh);
+    if (pending) {
+        return pending;
     }
-    return pendingRefresh;
+    const refreshPromise = withAuthStateLock(async () => {
+        const latest = await getAuth();
+        if (!isOAuthStored(latest)) {
+            throw new Error('Anthropic OAuth credentials disappeared during refresh');
+        }
+        if (latest.access && latest.expires > Date.now())
+            return latest;
+        const refreshed = await refreshAnthropicToken(latest.refresh);
+        await setAnthropicAuth(refreshed, client);
+        const store = await loadAccountStore();
+        if (store.accounts.length > 0) {
+            upsertAccount(store, refreshed);
+            await saveAccountStore(store);
+        }
+        return refreshed;
+    });
+    pendingRefresh.set(auth.refresh, refreshPromise);
+    return refreshPromise.finally(() => {
+        pendingRefresh.delete(auth.refresh);
+    });
 }
 // --- Plugin export ---
 const AnthropicAuthPlugin = async ({ client }) => {
     return {
         auth: {
-            provider: "anthropic",
+            provider: 'anthropic',
             async loader(getAuth, provider) {
                 const auth = await getAuth();
-                if (auth.type !== "oauth")
+                if (auth.type !== 'oauth')
                     return {};
                 // Zero out costs for OAuth users (Claude Pro/Max subscription)
                 for (const model of Object.values(provider.models)) {
                     model.cost = { input: 0, output: 0, cache: { read: 0, write: 0 } };
                 }
                 return {
-                    apiKey: "",
+                    apiKey: '',
                     async fetch(input, init) {
                         const url = (() => {
                             try {
@@ -623,55 +650,79 @@ const AnthropicAuthPlugin = async ({ client }) => {
                         })();
                         if (!url || !ANTHROPIC_HOSTS.has(url.hostname))
                             return fetch(input, init);
-                        const freshAuth = await getFreshOAuth(getAuth, client);
-                        if (!freshAuth)
-                            return fetch(input, init);
-                        const originalBody = typeof init?.body === "string"
+                        const originalBody = typeof init?.body === 'string'
                             ? init.body
                             : input instanceof Request
-                                ? await input.clone().text().catch(() => undefined)
+                                ? await input
+                                    .clone()
+                                    .text()
+                                    .catch(() => undefined)
                                 : undefined;
                         const rewritten = rewriteRequestPayload(originalBody);
                         const headers = new Headers(init?.headers);
                         if (input instanceof Request) {
-                            input.headers.forEach((v, k) => { if (!headers.has(k))
-                                headers.set(k, v); });
+                            input.headers.forEach((v, k) => {
+                                if (!headers.has(k))
+                                    headers.set(k, v);
+                            });
                         }
                         const betas = getRequiredBetas(rewritten.modelId);
-                        headers.set("accept", "application/json");
-                        headers.set("anthropic-beta", mergeBetas(headers.get("anthropic-beta"), betas));
-                        headers.set("anthropic-dangerous-direct-browser-access", "true");
-                        headers.set("authorization", `Bearer ${freshAuth.access}`);
-                        headers.set("user-agent", process.env.OPENCODE_ANTHROPIC_USER_AGENT || `claude-cli/${CLAUDE_CODE_VERSION}`);
-                        headers.set("x-app", "cli");
-                        headers.delete("x-api-key");
-                        const response = await fetch(input, {
-                            ...(init ?? {}),
-                            body: rewritten.body,
-                            headers,
-                        });
+                        const runRequest = async (auth) => {
+                            const requestHeaders = new Headers(headers);
+                            requestHeaders.set('accept', 'application/json');
+                            requestHeaders.set('anthropic-beta', mergeBetas(requestHeaders.get('anthropic-beta'), betas));
+                            requestHeaders.set('anthropic-dangerous-direct-browser-access', 'true');
+                            requestHeaders.set('authorization', `Bearer ${auth.access}`);
+                            requestHeaders.set('user-agent', process.env.OPENCODE_ANTHROPIC_USER_AGENT || `claude-cli/${CLAUDE_CODE_VERSION}`);
+                            requestHeaders.set('x-app', 'cli');
+                            requestHeaders.delete('x-api-key');
+                            return fetch(input, {
+                                ...(init ?? {}),
+                                body: rewritten.body,
+                                headers: requestHeaders,
+                            });
+                        };
+                        const freshAuth = await getFreshOAuth(getAuth, client);
+                        if (!freshAuth)
+                            return fetch(input, init);
+                        let response = await runRequest(freshAuth);
+                        if (!response.ok) {
+                            const bodyText = await response
+                                .clone()
+                                .text()
+                                .catch(() => '');
+                            if (shouldRotateAuth(response.status, bodyText)) {
+                                const rotated = await rotateAnthropicAccount(freshAuth, client);
+                                if (rotated) {
+                                    const retryAuth = await getFreshOAuth(getAuth, client);
+                                    if (retryAuth) {
+                                        response = await runRequest(retryAuth);
+                                    }
+                                }
+                            }
+                        }
                         return wrapResponseStream(response, rewritten.reverseToolNameMap);
                     },
                 };
             },
             methods: [
                 {
-                    label: "Claude Pro/Max",
-                    type: "oauth",
-                    authorize: buildAuthorizeHandler("oauth"),
+                    label: 'Claude Pro/Max',
+                    type: 'oauth',
+                    authorize: buildAuthorizeHandler('oauth'),
                 },
                 {
-                    label: "Create an API Key",
-                    type: "oauth",
-                    authorize: buildAuthorizeHandler("apikey"),
+                    label: 'Create an API Key',
+                    type: 'oauth',
+                    authorize: buildAuthorizeHandler('apikey'),
                 },
                 {
-                    provider: "anthropic",
-                    label: "Manually enter API Key",
-                    type: "api",
+                    provider: 'anthropic',
+                    label: 'Manually enter API Key',
+                    type: 'api',
                 },
             ],
         },
     };
 };
-export { AnthropicAuthPlugin as anthropicAuthPlugin };
+export { AnthropicAuthPlugin as anthropicAuthPlugin, };