mobygate 0.9.2 → 0.9.5

package/CHANGELOG.md

@@ -4,6 +4,114 @@ All notable changes to mobygate are documented here. Format loosely follows
 [Keep a Changelog](https://keepachangelog.com/en/1.1.0/); version numbers are
 [Semantic Versioning](https://semver.org/).
 
+## [0.9.5] — 2026-06-17
+
+Claude Agent SDK upgrade: `0.2.112` → `0.3.181`. Pure dependency bump —
+no mobygate behavior change. Closes a 58-release gap and re-aligns the
+SDK with the current `claude` CLI generation (CLI 2.1.181 ↔ SDK 0.3.181
+ship in lockstep).
+
+### Changed
+
+- **`@anthropic-ai/claude-agent-sdk` `^0.2.112` → `^0.3.181`.** Resolves
+  alongside `@anthropic-ai/sdk@0.104.2`. Lockfile regenerated.
+
+### Verification
+
+Vetted on an isolated worktree before merge:
+
+- **Static surface diff (0.2.112 vs 0.3.181):** every SDK API mobygate
+  depends on is identical — `query()` signature, the
+  `{ type:'preset', preset:'claude_code', append }` systemPrompt shape,
+  `permissionMode`, `allowDangerouslySkipPermissions`, `persistSession`,
+  `resume`, `betas`, `mcpServers`. Nothing removed or reshaped.
+- **Boot:** server starts, binds, `/health` 200, no import errors.
+- **Smoke suite 11/11** against the real API on 0.3.181 — including
+  every runtime path: `/v1/messages` and `/v1/chat/completions`
+  (non-streaming, streaming, tools), `/quiet` scrub, and the SQLite
+  capture index.
+
+### Notes
+
+- The SDK reads OAuth from the macOS Keychain (`Claude Code-credentials`),
+  not `~/.claude/.credentials.json` — the latter is a stale secondary
+  cache and can read "expired" even when auth is healthy. If mobygate
+  ever 401s with "proxy refresh failed", re-auth via `claude` → `/login`
+  (renews the Keychain credential); restarting mobygate alone won't fix
+  a genuinely expired token.
+
+## [0.9.4] — 2026-05-29
+
+Fable 5 support. Anthropic shipped the Fable 5 model family (parallel to
+the Opus 4.x line); this adds it to the model map so `claude-fable-5`
+(and the `fable` alias) resolve to the 1M-context variant instead of
+silently falling back to the default.
+
+### Added
+
+- **Fable 5 model map entries:** `claude-fable-5`, `claude-fable-5[1m]`,
+  `claude-fable-5-1m`, `claude-fable-5-200k`, plus the `fable` /
+  `fable-200k` short aliases. The bare `claude-fable-5` and `fable`
+  aliases route to `claude-fable-5[1m]` (1M context, verified
+  Max-included — the probe ran on Claude Max OAuth with no extra-usage
+  rejection). Use `claude-fable-5-200k` for the standard 200k variant.
+
+### Notes
+
+- Additive only. Opus 4.8 stays the default model; Fable resolves only
+  when explicitly requested. All Opus / Sonnet / Haiku entries unchanged.
+- Verified live 2026-05-29 against Anthropic via the `claude` CLI:
+  `claude-fable-5` accepted and self-identifies; `claude-fable-9`
+  (control) rejected as nonexistent.
+
+## [0.9.3] — 2026-05-29
+
+Opus 4.8 support + control-plane Host-header hardening.
+
+Two threads land together. (1) Anthropic shipped Opus 4.8; mobygate was
+silently downgrading every `claude-opus-4-8` request to `4-7[1m]` because
+the alias wasn't in the model map — so clients (including Taste, which
+already targets 4-8) were unknowingly running on the older model. (2) A
+batch of sensitive control-plane GET endpoints were reachable from
+non-local Host headers (DNS-rebinding / CSRF surface).
+
+### Added
+
+- **Opus 4.8 model map entries:** `claude-opus-4-8`,
+  `claude-opus-4-8[1m]`, `claude-opus-4-8-1m`, `claude-opus-4-8-200k`.
+  Bare `claude-opus-4-8`, the `opus` alias, and the catch-all
+  `claude-opus-4` now resolve to `claude-opus-4-8[1m]` (1M, Max-included
+  — verified live). All `claude-opus-4-7*` entries retained so explicit
+  4-7 requests still resolve correctly.
+- **`DEFAULT_MODEL` bumped** `claude-opus-4-7[1m]` → `claude-opus-4-8[1m]`.
+
+### Changed (security)
+
+- **`requireLocalOrigin` now guards** `/sessions`, `/sessions/:key`,
+  `/dashboard/recent`, `/dashboard/sessions`, `/auth/status`,
+  `/update/check`, `/update/status`. These previously answered requests
+  with hostile `Host` headers, exposing session IDs, dashboard event
+  metadata, auth state, and update logs to DNS-rebinding / CSRF.
+- **Extracted `serializeSession()`** — collapses the duplicated
+  session-JSON formatting that the `/sessions` routes and dashboard
+  shared into one helper (dashboard vs API shape via an option flag).
+
+### Added (dashboard)
+
+- **`GET /dashboard.css`** serves the bundled dashboard stylesheet
+  (extracted from inline `index.html`), with no-cache headers so edits
+  show on reload. Added `dashboard.css` to the published `files[]`.
+- **`test/smoke.test.mjs`** gains a raw-`node:http` case that spoofs
+  `Host: evil.example` to assert the guarded endpoints reject it. Full
+  suite: 11/11 passing.
+
+### Fixed
+
+- **Silent model downgrade.** A `claude-opus-4-8` request returned
+  `model: claude-opus-4-7[1m]` in the response body before this fix.
+  Confirmed in a real capture (requested 4-8, ran as 4-7) — the bug had
+  been quietly affecting live Claude Code and Taste traffic.
+
 ## [0.9.2] — 2026-05-03
 
 Return `405 Method Not Allowed` (with `Allow: POST` header) for `GET`

package/dashboard.css

@@ -0,0 +1 @@
+*,:after,:before{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgba(59,130,246,.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }::backdrop{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgba(59,130,246,.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }/*! tailwindcss v3.4.17 | MIT License | https://tailwindcss.com*/*,:after,:before{box-sizing:border-box;border:0 solid #e5e7eb}:after,:before{--tw-content:""}:host,html{line-height:1.5;-webkit-text-size-adjust:100%;-moz-tab-size:4;-o-tab-size:4;tab-size:4;font-family:ui-sans-serif,system-ui,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji;font-feature-settings:normal;font-variation-settings:normal;-webkit-tap-highlight-color:transparent}body{margin:0;line-height:inherit}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,pre,samp{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace;font-feature-settings:normal;font-variation-settings:normal;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}button,input,optgroup,select,textarea{font-family:inherit;font-feature-settings:inherit;font-variation-settings:inherit;font-size:100%;font-weight:inherit;line-height:inherit;letter-spacing:inherit;color:inherit;margin:0;padding:0}button,select{text-transform:none}button,input:where([type=button]),input:where([type=reset]),input:where([type=submit]){-webkit-appearance:button;background-color:transparent;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:baseline}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dd,dl,figure,h1,h2,h3,h4,h5,h6,hr,p,pre{margin:0}fieldset{margin:0}fieldset,legend{padding:0}menu,ol,ul{list-style:none;margin:0;padding:0}dialog{padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{opacity:1;color:#9ca3af}input::placeholder,textarea::placeholder{opacity:1;color:#9ca3af}[role=button],button{cursor:pointer}:disabled{cursor:default}audio,canvas,embed,iframe,img,object,svg,video{display:block;vertical-align:middle}img,video{max-width:100%;height:auto}[hidden]:where(:not([hidden=until-found])){display:none}.container{width:100%}@media (min-width:640px){.container{max-width:640px}}@media (min-width:768px){.container{max-width:768px}}@media (min-width:1024px){.container{max-width:1024px}}@media (min-width:1280px){.container{max-width:1280px}}@media (min-width:1536px){.container{max-width:1536px}}.visible{visibility:visible}.fixed{position:fixed}.relative{position:relative}.inset-0{inset:0}.z-50{z-index:50}.m-0{margin:0}.mx-auto{margin-left:auto;margin-right:auto}.-ml-3{margin-left:-.75rem}.mt-1{margin-top:.25rem}.mt-10{margin-top:2.5rem}.mt-auto{margin-top:auto}.inline-block{display:inline-block}.flex{display:flex}.grid{display:grid}.hidden{display:none}.h-1\.5{height:.375rem}.h-2{height:.5rem}.h-3{height:.75rem}.h-\[110px\]{height:110px}.h-\[22px\]{height:22px}.h-full{height:100%}.max-h-\[180px\]{max-height:180px}.max-h-\[240px\]{max-height:240px}.max-h-\[40vh\]{max-height:40vh}.max-h-\[52vh\]{max-height:52vh}.max-h-\[70vh\]{max-height:70vh}.min-h-screen{min-height:100vh}.w-1\.5{width:.375rem}.w-2{width:.5rem}.w-\[100px\]{width:100px}.w-\[110px\]{width:110px}.w-\[160px\]{width:160px}.w-\[180px\]{width:180px}.w-\[20\%\]{width:20%}.w-\[60px\]{width:60px}.w-\[6px\]{width:6px}.w-\[70px\]{width:70px}.w-\[72px\]{width:72px}.w-\[80px\]{width:80px}.w-full{width:100%}.w-px{width:1px}.min-w-0{min-width:0}.max-w-3xl{max-width:48rem}.max-w-\[1440px\]{max-width:1440px}.shrink{flex-shrink:1}.shrink-0{flex-shrink:0}.grow{flex-grow:1}.basis-0{flex-basis:0px}@keyframes pulse{50%{opacity:.5}}.animate-pulse{animation:pulse 2s cubic-bezier(.4,0,.6,1) infinite}.cursor-pointer{cursor:pointer}.grid-cols-3{grid-template-columns:repeat(3,minmax(0,1fr))}.grid-cols-4{grid-template-columns:repeat(4,minmax(0,1fr))}.flex-col{flex-direction:column}.items-start{align-items:flex-start}.items-end{align-items:flex-end}.items-center{align-items:center}.items-baseline{align-items:baseline}.justify-end{justify-content:flex-end}.justify-center{justify-content:center}.justify-between{justify-content:space-between}.gap-0\.5{gap:.125rem}.gap-1{gap:.25rem}.gap-1\.5{gap:.375rem}.gap-2{gap:.5rem}.gap-2\.5{gap:.625rem}.gap-3{gap:.75rem}.gap-4{gap:1rem}.gap-6{gap:1.5rem}.gap-\[22px\]{gap:22px}.gap-\[3px\]{gap:3px}.gap-\[5px\]{gap:5px}.overflow-auto{overflow:auto}.truncate{overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.whitespace-pre-wrap{white-space:pre-wrap}.rounded-full{border-radius:9999px}.rounded-md{border-radius:.375rem}.rounded-r-md{border-top-right-radius:.375rem;border-bottom-right-radius:.375rem}.border{border-width:1px}.border-b{border-bottom-width:1px}.border-l-2{border-left-width:2px}.border-r{border-right-width:1px}.border-t{border-top-width:1px}.border-\[\#1A1A15\]{--tw-border-opacity:1;border-color:rgb(26 26 21/var(--tw-border-opacity,1))}.border-\[\#2A2A1F\]{--tw-border-opacity:1;border-color:rgb(42 42 31/var(--tw-border-opacity,1))}.border-\[\#B7E56D\]{--tw-border-opacity:1;border-color:rgb(183 229 109/var(--tw-border-opacity,1))}.border-l-\[\#4EA4C4\]{--tw-border-opacity:1;border-left-color:rgb(78 164 196/var(--tw-border-opacity,1))}.border-l-\[\#B7E56D\]{--tw-border-opacity:1;border-left-color:rgb(183 229 109/var(--tw-border-opacity,1))}.border-l-\[\#E89B2E\]{--tw-border-opacity:1;border-left-color:rgb(232 155 46/var(--tw-border-opacity,1))}.bg-\[\#0B0B09\]{--tw-bg-opacity:1;background-color:rgb(11 11 9/var(--tw-bg-opacity,1))}.bg-\[\#121210\]{--tw-bg-opacity:1;background-color:rgb(18 18 16/var(--tw-bg-opacity,1))}.bg-\[\#1A1A15\]{--tw-bg-opacity:1;background-color:rgb(26 26 21/var(--tw-bg-opacity,1))}.bg-\[\#2A2A1F\]{--tw-bg-opacity:1;background-color:rgb(42 42 31/var(--tw-bg-opacity,1))}.bg-\[\#4EA4C4\]{--tw-bg-opacity:1;background-color:rgb(78 164 196/var(--tw-bg-opacity,1))}.bg-\[\#5A5F54\]{--tw-bg-opacity:1;background-color:rgb(90 95 84/var(--tw-bg-opacity,1))}.bg-\[\#B7E56D1A\]{background-color:#b7e56d1a}.bg-\[\#B7E56D\]{--tw-bg-opacity:1;background-color:rgb(183 229 109/var(--tw-bg-opacity,1))}.bg-\[\#E89B2E\]{--tw-bg-opacity:1;background-color:rgb(232 155 46/var(--tw-bg-opacity,1))}.bg-black\/70{background-color:rgba(0,0,0,.7)}.p-4{padding:1rem}.p-6{padding:1.5rem}.px-1\.5{padding-left:.375rem;padding-right:.375rem}.px-12{padding-left:3rem;padding-right:3rem}.px-2{padding-left:.5rem;padding-right:.5rem}.px-2\.5{padding-left:.625rem;padding-right:.625rem}.px-3{padding-left:.75rem;padding-right:.75rem}.px-3\.5{padding-left:.875rem;padding-right:.875rem}.px-4{padding-left:1rem;padding-right:1rem}.px-5{padding-left:1.25rem;padding-right:1.25rem}.px-6{padding-left:1.5rem;padding-right:1.5rem}.py-0\.5{padding-top:.125rem;padding-bottom:.125rem}.py-1{padding-top:.25rem;padding-bottom:.25rem}.py-1\.5{padding-top:.375rem;padding-bottom:.375rem}.py-10{padding-top:2.5rem;padding-bottom:2.5rem}.py-2{padding-top:.5rem;padding-bottom:.5rem}.py-2\.5{padding-top:.625rem;padding-bottom:.625rem}.py-3{padding-top:.75rem;padding-bottom:.75rem}.py-6{padding-top:1.5rem;padding-bottom:1.5rem}.py-\[14px\]{padding-top:14px;padding-bottom:14px}.py-\[18px\]{padding-top:18px;padding-bottom:18px}.py-\[22px\]{padding-top:22px;padding-bottom:22px}.py-\[3px\]{padding-top:3px;padding-bottom:3px}.pb-2{padding-bottom:.5rem}.pb-7{padding-bottom:1.75rem}.pr-1{padding-right:.25rem}.pt-2{padding-top:.5rem}.pt-8{padding-top:2rem}.text-center{text-align:center}.text-right{text-align:right}.text-4xl{font-size:2.25rem;line-height:2.5rem}.text-\[10px\]{font-size:10px}.text-\[11px\]{font-size:11px}.text-\[64px\]{font-size:64px}.text-\[9px\]{font-size:9px}.text-xs{font-size:.75rem;line-height:1rem}.font-bold{font-weight:700}.font-medium{font-weight:500}.uppercase{text-transform:uppercase}.leading-3{line-height:.75rem}.leading-4{line-height:1rem}.leading-8{line-height:2rem}.leading-\[14px\]{line-height:14px}.leading-\[15px\]{line-height:15px}.leading-\[16px\]{line-height:16px}.leading-\[18px\]{line-height:18px}.leading-\[56px\]{line-height:56px}.tracking-\[0\.04em\]{letter-spacing:.04em}.tracking-\[0\.06em\]{letter-spacing:.06em}.tracking-\[0\.08em\]{letter-spacing:.08em}.tracking-\[0\.12em\]{letter-spacing:.12em}.tracking-\[0\.14em\]{letter-spacing:.14em}.tracking-\[0\.18em\]{letter-spacing:.18em}.tracking-\[0\.22em\]{letter-spacing:.22em}.tracking-widest{letter-spacing:.1em}.text-\[\#0B0B09\]{--tw-text-opacity:1;color:rgb(11 11 9/var(--tw-text-opacity,1))}.text-\[\#4EA4C4\]{--tw-text-opacity:1;color:rgb(78 164 196/var(--tw-text-opacity,1))}.text-\[\#5A5F54\]{--tw-text-opacity:1;color:rgb(90 95 84/var(--tw-text-opacity,1))}.text-\[\#8A9A6A\]{--tw-text-opacity:1;color:rgb(138 154 106/var(--tw-text-opacity,1))}.text-\[\#B7E56D\]{--tw-text-opacity:1;color:rgb(183 229 109/var(--tw-text-opacity,1))}.text-\[\#C9D9A8\]{--tw-text-opacity:1;color:rgb(201 217 168/var(--tw-text-opacity,1))}.text-\[\#E89B2E\]{--tw-text-opacity:1;color:rgb(232 155 46/var(--tw-text-opacity,1))}.text-\[\#F3EFE4\]{--tw-text-opacity:1;color:rgb(243 239 228/var(--tw-text-opacity,1))}.underline{text-decoration-line:underline}.decoration-dotted{text-decoration-style:dotted}.antialiased{-webkit-font-smoothing:antialiased;-moz-osx-font-smoothing:grayscale}.accent-\[\#4EA4C4\]{accent-color:#4ea4c4}.opacity-50{opacity:.5}.filter{filter:var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow)}.transition{transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,-webkit-backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter,-webkit-backdrop-filter;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.hover\:border-\[\#5A5F54\]:hover{--tw-border-opacity:1;border-color:rgb(90 95 84/var(--tw-border-opacity,1))}.hover\:bg-\[\#1A1F12\]:hover{--tw-bg-opacity:1;background-color:rgb(26 31 18/var(--tw-bg-opacity,1))}.hover\:text-\[\#C9D9A8\]:hover{--tw-text-opacity:1;color:rgb(201 217 168/var(--tw-text-opacity,1))}.hover\:brightness-110:hover{--tw-brightness:brightness(1.1);filter:var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow)}

package/index.html

@@ -7,21 +7,7 @@
   <link rel="preconnect" href="https://fonts.googleapis.com">
   <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
   <link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;700&family=VT323&display=swap" rel="stylesheet">
-  <script src="https://cdn.tailwindcss.com"></script>
-  <script>
-    /* Design tokens transcribed from the Paper artboard C1-0.
-       Using arbitrary Tailwind values for exact fidelity with the design. */
-    tailwind.config = {
-      theme: {
-        extend: {
-          fontFamily: {
-            display: ['VT323', 'system-ui', 'monospace'],
-            mono: ['"JetBrains Mono"', 'ui-monospace', 'SFMono-Regular', 'Menlo', 'monospace'],
-          },
-        },
-      },
-    };
-  </script>
+  <link rel="stylesheet" href="/dashboard.css">
   <style>
     html, body { background: #0B0B09; color: #F3EFE4; font-family: 'JetBrains Mono', ui-monospace, Menlo, monospace; }
     .whale-ascii {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mobygate",
-  "version": "0.9.2",
+  "version": "0.9.5",
   "description": "OpenAI-compatible local proxy for Claude Max. The Möbius-strip gateway: OpenAI shape in, Claude Max out.",
   "type": "module",
   "main": "server.js",
@@ -18,7 +18,7 @@
     "postinstall": "node scripts/postinstall.js || true"
   },
   "dependencies": {
-    "@anthropic-ai/claude-agent-sdk": "^0.2.112",
+    "@anthropic-ai/claude-agent-sdk": "^0.3.181",
     "better-sqlite3": "^12.9.0",
     "express": "^5.1.0",
     "js-yaml": "^4.1.1",
@@ -60,6 +60,7 @@
     "launchd",
     "server.js",
     "index.html",
+    "dashboard.css",
     "inspector.html",
     "mcp-inspect.mjs",
     "README.md",

package/server.js

@@ -87,7 +87,7 @@ const PORT = parseInt(process.env.PORT || '3456', 10);
 // want to share the proxy on a network can set bind: 0.0.0.0 (or a specific
 // interface) in ~/.mobygate/config.yaml, but should add auth in front of it.
 const BIND = process.env.BIND || '127.0.0.1';
-const DEFAULT_MODEL = process.env.DEFAULT_MODEL || 'claude-opus-4-7[1m]';
+const DEFAULT_MODEL = process.env.DEFAULT_MODEL || 'claude-opus-4-8[1m]';
 // SESSION_TTL_MS: how long mobygate holds onto an idle SDK session before
 // expiring it from its in-memory + on-disk session store. v0.8.5 raises
 // the default from 1h → 4h based on real-world usage data: most multi-
@@ -203,7 +203,13 @@ for (const sig of ['SIGTERM', 'SIGINT', 'SIGHUP']) {
 // falling back to opus or returning a zero-billed response. Fixed in
 // v0.8.2 by routing 4-6 through directly.
 const MODEL_MAP = {
-  'claude-opus-4': 'claude-opus-4-7[1m]',
+  // Latest opus → 4-8 (1M, Max-included — verified live 2026-05-29).
+  // 4-7 entries kept so explicit 4-7 requests still resolve.
+  'claude-opus-4': 'claude-opus-4-8[1m]',
+  'claude-opus-4-8': 'claude-opus-4-8[1m]',
+  'claude-opus-4-8[1m]': 'claude-opus-4-8[1m]',
+  'claude-opus-4-8-1m': 'claude-opus-4-8[1m]',
+  'claude-opus-4-8-200k': 'claude-opus-4-8',
   'claude-opus-4-6': 'claude-opus-4-6',
   'claude-opus-4-7': 'claude-opus-4-7[1m]',
   'claude-opus-4-7[1m]': 'claude-opus-4-7[1m]',
@@ -222,7 +228,16 @@ const MODEL_MAP = {
   'claude-sonnet-4-6-200k': 'claude-sonnet-4-6',      // explicit 200k alias (redundant, kept for clarity)
   'claude-haiku-4': 'claude-haiku-4-5-20251001',
   'claude-haiku-4-5': 'claude-haiku-4-5-20251001',
-  'opus': 'claude-opus-4-7[1m]',                      // Opus 1M is Max-included
+  // Fable 5 — distinct recent model family (parallel to Opus 4.x).
+  // 1M variant Max-included (verified live 2026-05-29). Additive: opus
+  // stays the default; fable resolves only when explicitly requested.
+  'claude-fable-5': 'claude-fable-5[1m]',
+  'claude-fable-5[1m]': 'claude-fable-5[1m]',
+  'claude-fable-5-1m': 'claude-fable-5[1m]',
+  'claude-fable-5-200k': 'claude-fable-5',
+  'fable': 'claude-fable-5[1m]',
+  'fable-200k': 'claude-fable-5',
+  'opus': 'claude-opus-4-8[1m]',                      // latest opus, 1M Max-included
   'sonnet': 'claude-sonnet-4-6',                      // 200k default; use 'sonnet-1m' for explicit 1M
   'sonnet-1m': 'claude-sonnet-4-6[1m]',               // alias for 'sonnet' + explicit 1M opt-in
   'haiku': 'claude-haiku-4-5-20251001',
@@ -298,6 +313,36 @@ function requireLocalOrigin(req, res, next) {
   next();
 }
 
+function serializeSession(key, entry, { dashboard = false } = {}) {
+  const now = Date.now();
+  const idleMs = now - entry.lastUsed;
+  const ttlRemainingMs = Math.max(0, SESSION_TTL_MS - idleMs);
+
+  if (dashboard) {
+    return {
+      key,
+      sdkSessionId: entry.sdkSessionId,
+      model: entry.model,
+      messageCount: entry.messageCount,
+      createdAt: new Date(entry.createdAt).toISOString(),
+      lastUsedAt: new Date(entry.lastUsed).toISOString(),
+      idleSec: Math.floor(idleMs / 1000),
+      ttlRemainingSec: Math.floor(ttlRemainingMs / 1000),
+    };
+  }
+
+  return {
+    sessionKey: key,
+    sdkSessionId: entry.sdkSessionId,
+    model: entry.model,
+    messageCount: entry.messageCount,
+    createdAt: new Date(entry.createdAt).toISOString(),
+    lastUsed: new Date(entry.lastUsed).toISOString(),
+    idleSeconds: Math.round(idleMs / 1000),
+    ttlRemainingSeconds: Math.round(ttlRemainingMs / 1000),
+  };
+}
+
 // GET / — serve dashboard. No-cache headers so browsers always re-fetch
 // after a mobygate upgrade; otherwise they keep serving the old index.html
 // from cache and users see a stale dashboard long after the service updated.
@@ -330,6 +375,19 @@ app.get('/', async (_req, res) => {
   }
 });
 
+app.get('/dashboard.css', async (_req, res) => {
+  res.setHeader('Cache-Control', 'no-cache, no-store, must-revalidate');
+  res.setHeader('Pragma', 'no-cache');
+  res.setHeader('Expires', '0');
+  try {
+    const { readFile } = await import('fs/promises');
+    const css = await readFile(join(__dirname, 'dashboard.css'), 'utf8');
+    res.type('css').send(css);
+  } catch (e) {
+    res.status(404).type('text').send('dashboard.css not found at ' + join(__dirname, 'dashboard.css'));
+  }
+});
+
 // /inspector — session inspector UI for browsing captures.
 // Backed by /dashboard/captures and /dashboard/captures/:filename.
 app.get('/inspector', async (_req, res) => {
@@ -619,37 +677,19 @@ app.get('/v1/models', (_req, res) => {
 });
 
 // GET /sessions — list active sessions
-app.get('/sessions', (_req, res) => {
+app.get('/sessions', requireLocalOrigin, (_req, res) => {
   const list = [];
   for (const [key, entry] of sessions) {
-    list.push({
-      sessionKey: key,
-      sdkSessionId: entry.sdkSessionId,
-      model: entry.model,
-      messageCount: entry.messageCount,
-      createdAt: new Date(entry.createdAt).toISOString(),
-      lastUsed: new Date(entry.lastUsed).toISOString(),
-      idleSeconds: Math.round((Date.now() - entry.lastUsed) / 1000),
-      ttlRemainingSeconds: Math.max(0, Math.round((SESSION_TTL_MS - (Date.now() - entry.lastUsed)) / 1000)),
-    });
+    list.push(serializeSession(key, entry));
   }
   res.json({ active: list.length, sessions: list });
 });
 
 // GET /sessions/:key — get specific session
-app.get('/sessions/:key', (req, res) => {
+app.get('/sessions/:key', requireLocalOrigin, (req, res) => {
   const entry = sessions.get(req.params.key);
   if (!entry) return res.status(404).json({ error: 'Session not found' });
-  res.json({
-    sessionKey: req.params.key,
-    sdkSessionId: entry.sdkSessionId,
-    model: entry.model,
-    messageCount: entry.messageCount,
-    createdAt: new Date(entry.createdAt).toISOString(),
-    lastUsed: new Date(entry.lastUsed).toISOString(),
-    idleSeconds: Math.round((Date.now() - entry.lastUsed) / 1000),
-    ttlRemainingSeconds: Math.max(0, Math.round((SESSION_TTL_MS - (Date.now() - entry.lastUsed)) / 1000)),
-  });
+  res.json(serializeSession(req.params.key, entry));
 });
 
 // DELETE /sessions/:key — clear a session
@@ -686,7 +726,7 @@ app.get('/health', (_req, res) => {
 // GET /auth/status
 // Reports CLI-side auth state plus (optionally) a real probe against Anthropic.
 // Pass ?quick=1 to skip the probe (reads keychain only — cheap).
-app.get('/auth/status', async (req, res) => {
+app.get('/auth/status', requireLocalOrigin, async (req, res) => {
   const quick = req.query.quick === '1' || req.query.quick === 'true';
   const status = await getAuthStatus();
   if (!quick && status.ok && status.loggedIn) {
@@ -759,7 +799,7 @@ async function loadBuildMeta() {
 }
 
 // GET /dashboard/recent — ring-buffer snapshot for initial page load
-app.get('/dashboard/recent', async (req, res) => {
+app.get('/dashboard/recent', requireLocalOrigin, async (req, res) => {
   const limit = Math.min(500, parseInt(req.query.limit || '100', 10));
   res.json({
     recent: dashboardBus.getRecent({ limit }),
@@ -772,20 +812,10 @@ app.get('/dashboard/recent', async (req, res) => {
 });
 
 // GET /dashboard/sessions — active session detail for the dashboard
-app.get('/dashboard/sessions', (_req, res) => {
-  const now = Date.now();
+app.get('/dashboard/sessions', requireLocalOrigin, (_req, res) => {
   const list = [];
   for (const [key, entry] of sessions) {
-    list.push({
-      key,
-      sdkSessionId: entry.sdkSessionId,
-      model: entry.model,
-      messageCount: entry.messageCount,
-      createdAt: new Date(entry.createdAt).toISOString(),
-      lastUsedAt: new Date(entry.lastUsed).toISOString(),
-      idleSec: Math.floor((now - entry.lastUsed) / 1000),
-      ttlRemainingSec: Math.max(0, Math.floor((SESSION_TTL_MS - (now - entry.lastUsed)) / 1000)),
-    });
+    list.push(serializeSession(key, entry, { dashboard: true }));
   }
   // Most recently used first
   list.sort((a, b) => a.idleSec - b.idleSec);
@@ -1139,7 +1169,7 @@ app.get('/dashboard/session-costs', requireLocalOrigin, async (_req, res) => {
 // GET /update/check — is there a newer mobygate on npm?
 // Response: { current, latest, updateAvailable, installMode, canApply, cached, error }
 // Safe to poll: the npm registry call is cached for 15 min in-process.
-app.get('/update/check', async (req, res) => {
+app.get('/update/check', requireLocalOrigin, async (req, res) => {
   try {
     const force = req.query.force === '1' || req.query.force === 'true';
     const info = await getUpdateCheck({ force });
@@ -1171,7 +1201,7 @@ app.post('/update/apply', requireLocalOrigin, (_req, res) => {
 // The dashboard polls this during apply. `running` is determined by
 // PID liveness, so even if our process is the one getting restarted,
 // the new one answers correctly.
-app.get('/update/status', (req, res) => {
+app.get('/update/status', requireLocalOrigin, (req, res) => {
   const state = readUpdateState();
   let running = false;
   if (state.pid) {