opencode-anthropic-multi-account 0.2.15 → 0.2.16

package/dist/index.js

@@ -1,3 +1,33 @@
+import {
+  ACCOUNTS_FILENAME,
+  ANTHROPIC_OAUTH_ADAPTER,
+  ANTHROPIC_PROFILE_ENDPOINT,
+  ANTHROPIC_USAGE_ENDPOINT,
+  CLAIMS_FILENAME,
+  PLAN_LABELS,
+  TOKEN_EXPIRY_BUFFER_MS,
+  TOKEN_REFRESH_TIMEOUT_MS,
+  cc_derived_defaults_default,
+  checkCCCompat,
+  createMinimalClient,
+  debugLog,
+  detectCliVersion,
+  detectDrift,
+  detectOAuthConfig,
+  fingerprint_data_default,
+  formatWaitTime,
+  getAccountLabel,
+  getConfig,
+  getConfigDir,
+  loadConfig,
+  loadTemplate,
+  refreshLiveFingerprintAsync,
+  showToast,
+  sleep,
+  updateConfigField
+} from "./chunk-RVXWLAVK.js";
+import "./chunk-IETVH43F.js";
+
 // src/index.ts
 import { tool } from "@opencode-ai/plugin";
 import {
@@ -10,33 +40,8 @@ import {
 // src/account-manager.ts
 import { createAccountManagerForProvider } from "opencode-multi-account-core";
 
-// src/config.ts
-import {
-  createConfigLoader
-} from "opencode-multi-account-core";
-var configLoader = createConfigLoader("claude-multiauth.json");
-var { getConfig, loadConfig, resetConfigCache, updateConfigField } = configLoader;
-
 // src/claims.ts
 import { createClaimsManager } from "opencode-multi-account-core";
-
-// src/constants.ts
-import { anthropicOAuthAdapter } from "opencode-multi-account-core";
-var ANTHROPIC_OAUTH_ADAPTER = anthropicOAuthAdapter;
-var ANTHROPIC_CLIENT_ID = ANTHROPIC_OAUTH_ADAPTER.oauthClientId;
-var ANTHROPIC_TOKEN_ENDPOINT = ANTHROPIC_OAUTH_ADAPTER.tokenEndpoint;
-var ANTHROPIC_USAGE_ENDPOINT = ANTHROPIC_OAUTH_ADAPTER.usageEndpoint;
-var ANTHROPIC_PROFILE_ENDPOINT = ANTHROPIC_OAUTH_ADAPTER.profileEndpoint;
-var ANTHROPIC_BETA_HEADER = ANTHROPIC_OAUTH_ADAPTER.requestBetaHeader;
-var CLAUDE_CLI_USER_AGENT = ANTHROPIC_OAUTH_ADAPTER.cliUserAgent;
-var TOOL_PREFIX = ANTHROPIC_OAUTH_ADAPTER.toolPrefix;
-var ACCOUNTS_FILENAME = ANTHROPIC_OAUTH_ADAPTER.accountStorageFilename;
-var CLAIMS_FILENAME = "anthropic-multi-account-claims.json";
-var PLAN_LABELS = ANTHROPIC_OAUTH_ADAPTER.planLabels;
-var TOKEN_EXPIRY_BUFFER_MS = 6e4;
-var TOKEN_REFRESH_TIMEOUT_MS = 3e4;
-
-// src/claims.ts
 var claimsManager = createClaimsManager(CLAIMS_FILENAME);
 var {
   isClaimedByOther,
@@ -45,9 +50,155 @@ var {
   writeClaim
 } = claimsManager;
 
-// src/pi-ai-adapter.ts
-import { AsyncLocalStorage } from "async_hooks";
-import * as piAiOauth from "@mariozechner/pi-ai/oauth";
+// src/anthropic-oauth.ts
+import { exec } from "child_process";
+import * as v3 from "valibot";
+
+// src/cc-derived-profile.ts
+var bundledTemplate = fingerprint_data_default;
+var derivedDefaults = cc_derived_defaults_default;
+var DEFAULT_BASE_API_URL = derivedDefaults.request?.baseApiUrl || "https://api.anthropic.com";
+var DEFAULT_ANTHROPIC_VERSION = bundledTemplate.header_values?.["anthropic-version"] || derivedDefaults.request?.anthropicVersion || "2023-06-01";
+var DEFAULT_X_APP = bundledTemplate.header_values?.["x-app"] || derivedDefaults.request?.xApp || "cli";
+var DEFAULT_BETA_HEADER = bundledTemplate.anthropic_beta || bundledTemplate.header_values?.["anthropic-beta"] || derivedDefaults.request?.betaHeader || "oauth-2025-04-20,interleaved-thinking-2025-05-14";
+function loadCCDerivedRequestProfile() {
+  const template = loadTemplate();
+  const cliVersion = detectCliVersion();
+  const anthropicVersion = template.header_values?.["anthropic-version"] || DEFAULT_ANTHROPIC_VERSION;
+  const betaHeader = template.anthropic_beta || template.header_values?.["anthropic-beta"] || DEFAULT_BETA_HEADER;
+  const xApp = template.header_values?.["x-app"] || DEFAULT_X_APP;
+  return {
+    template,
+    cliVersion,
+    userAgent: `claude-cli/${cliVersion} (external, cli)`,
+    anthropicVersion,
+    betaHeader,
+    xApp,
+    baseApiUrl: DEFAULT_BASE_API_URL,
+    apiV1BaseUrl: `${DEFAULT_BASE_API_URL}/v1`
+  };
+}
+async function loadCCDerivedAuthProfile() {
+  const requestProfile = loadCCDerivedRequestProfile();
+  const oauthConfig = await detectOAuthConfig();
+  const baseApiUrl = oauthConfig.baseApiUrl || requestProfile.baseApiUrl;
+  return {
+    ...requestProfile,
+    oauthConfig,
+    baseApiUrl,
+    apiV1BaseUrl: `${baseApiUrl}/v1`
+  };
+}
+
+// src/oauth-callback-server.ts
+import { createServer } from "http";
+var DEFAULT_TIMEOUT_MS = 3e5;
+var SUCCESS_REDIRECT_URL = "https://platform.claude.com/oauth/code/success?app=claude-code";
+function startCallbackServer(options) {
+  const { expectedState, timeoutMs = DEFAULT_TIMEOUT_MS } = options;
+  return new Promise((resolveServer, rejectServer) => {
+    let settled = false;
+    let resolveCode = null;
+    let rejectCode = null;
+    let timeoutHandle = null;
+    const waitForCode = new Promise((resolve, reject) => {
+      resolveCode = resolve;
+      rejectCode = reject;
+    });
+    function settle(error, result) {
+      if (settled) return;
+      settled = true;
+      if (timeoutHandle !== null) {
+        clearTimeout(timeoutHandle);
+        timeoutHandle = null;
+      }
+      if (error) {
+        rejectCode?.(error);
+      } else if (result) {
+        resolveCode?.(result);
+      }
+      resolveCode = null;
+      rejectCode = null;
+      server.close();
+    }
+    function stop() {
+      settle(new Error("OAuth callback server stopped"));
+    }
+    function sendResponse(res, status, headers, body, onFinish) {
+      res.writeHead(status, { ...headers, Connection: "close" });
+      res.end(body ?? "", onFinish);
+    }
+    const server = createServer(
+      (req, res) => {
+        const url = new URL(req.url ?? "/", `http://localhost`);
+        if (url.pathname !== "/callback") {
+          res.writeHead(404, {
+            "Content-Type": "text/plain",
+            Connection: "close"
+          });
+          res.end("Not Found");
+          return;
+        }
+        const code = url.searchParams.get("code");
+        const state = url.searchParams.get("state");
+        if (state !== expectedState) {
+          sendResponse(
+            res,
+            400,
+            { "Content-Type": "text/plain" },
+            "State mismatch",
+            () => settle(new Error("OAuth callback state mismatch"))
+          );
+          return;
+        }
+        if (!code) {
+          sendResponse(
+            res,
+            400,
+            { "Content-Type": "text/plain" },
+            "Missing code",
+            () => settle(new Error("OAuth callback missing code"))
+          );
+          return;
+        }
+        sendResponse(
+          res,
+          302,
+          { Location: SUCCESS_REDIRECT_URL },
+          void 0,
+          () => settle(null, { code, state })
+        );
+      }
+    );
+    server.listen(0, "localhost", () => {
+      const addr = server.address();
+      const port = addr.port;
+      timeoutHandle = setTimeout(() => {
+        settle(new Error("OAuth callback timed out"));
+      }, timeoutMs);
+      resolveServer({ port, waitForCode, stop });
+    });
+    server.on("error", (err) => {
+      if (!settled) {
+        rejectServer(err);
+      }
+    });
+  });
+}
+
+// src/oauth-pkce.ts
+import { createHash, randomBytes } from "crypto";
+function base64url(buffer) {
+  return buffer.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
+}
+function generatePKCE() {
+  const verifier = base64url(randomBytes(32));
+  const challenge = base64url(createHash("sha256").update(verifier).digest());
+  return { verifier, challenge };
+}
+function generateState() {
+  return base64url(randomBytes(32));
+}
 
 // src/token-node-request.ts
 import * as childProcess from "child_process";
@@ -55,8 +206,10 @@ function buildNodeTokenRequestScript() {
   return `
 const https = require("node:https");
 const endpoint = process.env.ANTHROPIC_REFRESH_ENDPOINT;
+const contentType = process.env.ANTHROPIC_REFRESH_CONTENT_TYPE || "application/json";
 const timeoutMs = Number(process.env.ANTHROPIC_REFRESH_TIMEOUT_MS || "30000");
 const payload = process.env.ANTHROPIC_REFRESH_REQUEST_BODY || "";
+const userAgent = process.env.ANTHROPIC_REFRESH_USER_AGENT;
 
 function printSuccess(body) {
   console.log(JSON.stringify({ ok: true, body }));
@@ -69,9 +222,10 @@ function printFailure(error) {
 const request = https.request(endpoint, {
   method: "POST",
   headers: {
-    "Content-Type": "application/json",
+    "Content-Type": contentType,
     Accept: "application/json",
     "Content-Length": Buffer.byteLength(payload).toString(),
+    ...(userAgent ? { "User-Agent": userAgent } : {}),
   },
 }, (response) => {
   let body = "";
@@ -104,6 +258,7 @@ request.end();
 }
 async function defaultRunNodeTokenRequest(options) {
   const script = buildNodeTokenRequestScript();
+  const contentType = options.contentType ?? "application/json";
   return await new Promise((resolve, reject) => {
     childProcess.execFile(
       options.executable,
@@ -113,9 +268,11 @@ async function defaultRunNodeTokenRequest(options) {
         maxBuffer: 1024 * 1024,
         env: {
           ...process.env,
+          ANTHROPIC_REFRESH_CONTENT_TYPE: contentType,
           ANTHROPIC_REFRESH_ENDPOINT: options.endpoint,
           ANTHROPIC_REFRESH_REQUEST_BODY: options.body,
-          ANTHROPIC_REFRESH_TIMEOUT_MS: String(options.timeoutMs)
+          ANTHROPIC_REFRESH_TIMEOUT_MS: String(options.timeoutMs),
+          ANTHROPIC_REFRESH_USER_AGENT: options.userAgent ?? ""
         }
       },
       (error, stdout, stderr) => {
@@ -138,30 +295,6 @@ async function runNodeTokenRequest(options) {
   return await nodeTokenRequestRunner(options);
 }
 
-// src/utils.ts
-import {
-  createMinimalClient,
-  formatWaitTime,
-  getAccountLabel,
-  getConfigDir,
-  getErrorCode,
-  sleep
-} from "opencode-multi-account-core";
-async function showToast(client, message, variant) {
-  if (getConfig().quiet_mode) return;
-  try {
-    await client.tui.showToast({ body: { message, variant } });
-  } catch {
-  }
-}
-function debugLog(client, message, extra) {
-  if (!getConfig().debug) return;
-  client.app.log({
-    body: { service: ANTHROPIC_OAUTH_ADAPTER.serviceLogName, level: "debug", message, extra }
-  }).catch(() => {
-  });
-}
-
 // src/usage.ts
 import * as v2 from "valibot";
 
@@ -328,186 +461,180 @@ function getPlanLabel(account) {
   return PLAN_LABELS[account.planTier] ?? account.planTier.charAt(0).toUpperCase() + account.planTier.slice(1);
 }
 
-// src/pi-ai-adapter.ts
-function fromPiAiCredentials(creds) {
-  return {
-    accessToken: creds.access,
-    refreshToken: creds.refresh,
-    expiresAt: creds.expires
-  };
+// src/anthropic-oauth.ts
+var TOKEN_REQUEST_EXECUTABLE = process.env.OPENCODE_REFRESH_NODE_EXECUTABLE || "node";
+var browserExec = (command, callback) => {
+  exec(command, callback);
+};
+var callbackServerStarter = startCallbackServer;
+var profileFetcher = fetchProfile;
+var usageFetcher = fetchUsage;
+function buildTokenRequestError(url, details) {
+  return new Error(`Anthropic token request failed. url=${url}; details=${details}`);
 }
-var ANTHROPIC_REFRESH_ENDPOINT = "https://platform.claude.com/v1/oauth/token";
-var ANTHROPIC_TOKEN_HOST = "platform.claude.com";
-var REFRESH_NODE_EXECUTABLE = process.env.OPENCODE_REFRESH_NODE_EXECUTABLE || "node";
-var tokenProxyContext = new AsyncLocalStorage();
-var tokenProxyInstalled = false;
-var tokenProxyOriginalFetch = null;
-var refreshEndpointUrl = new URL(ANTHROPIC_REFRESH_ENDPOINT);
-function buildRefreshRequestError(details) {
-  return new Error(`Anthropic token refresh request failed. url=${ANTHROPIC_REFRESH_ENDPOINT}; details=${details}`);
-}
-function buildRefreshInvalidJsonError(body, details) {
-  return new Error(`Anthropic token refresh returned invalid JSON. url=${ANTHROPIC_REFRESH_ENDPOINT}; body=${body}; details=${details}`);
-}
-function getRequestUrlString(input) {
-  if (typeof input === "string") return input;
-  if (input instanceof URL) return input.toString();
-  return input.url;
-}
-function isAnthropicTokenEndpoint(input) {
-  const rawUrl = getRequestUrlString(input);
+function buildTokenInvalidJsonError(url, body, details) {
+  return new Error(`Anthropic token request returned invalid JSON. url=${url}; body=${body}; details=${details}`);
+}
+function parseNodeTokenEnvelope(output, endpoint) {
   try {
-    const url = new URL(rawUrl);
-    return url.origin === refreshEndpointUrl.origin && url.pathname === refreshEndpointUrl.pathname;
-  } catch {
-    return rawUrl === ANTHROPIC_REFRESH_ENDPOINT;
+    return JSON.parse(output);
+  } catch (error) {
+    const details = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
+    throw buildTokenInvalidJsonError(endpoint, output, details);
   }
 }
-function getRequestBodySource(input, init) {
-  if (init?.body !== void 0) {
-    return init.body;
-  }
-  if (input instanceof Request) {
-    return input.body;
+function parseTokenResponseBody(body, endpoint) {
+  let parsed;
+  try {
+    parsed = JSON.parse(body);
+  } catch (error) {
+    const details = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
+    throw buildTokenInvalidJsonError(endpoint, body, details);
   }
-  return void 0;
+  return v3.parse(TokenResponseSchema, parsed);
 }
-function stringifyBinaryBody(body) {
-  if (body instanceof ArrayBuffer) {
-    return Buffer.from(body).toString("utf8");
+function getOpenBrowserCommand(url, platform = process.platform) {
+  if (platform === "win32") {
+    return `start "" ${JSON.stringify(url)}`;
   }
-  return Buffer.from(body.buffer, body.byteOffset, body.byteLength).toString("utf8");
-}
-async function getRequestBody(input, init) {
-  const body = getRequestBodySource(input, init);
-  if (typeof body === "string") return body;
-  if (body instanceof URLSearchParams) return body.toString();
-  if (body instanceof Uint8Array || body instanceof ArrayBuffer || ArrayBuffer.isView(body)) {
-    return stringifyBinaryBody(body);
+  if (platform === "darwin") {
+    return `open ${JSON.stringify(url)}`;
   }
-  if (typeof Blob !== "undefined" && body instanceof Blob) return await body.text();
-  if (body instanceof ReadableStream) return await new Response(body).text();
-  if (input instanceof Request && init?.body === void 0) return await input.clone().text();
-  if (body == null) return "";
-  throw buildRefreshRequestError(`Unsupported token request body type: ${Object.prototype.toString.call(body)}`);
-}
-function getRequestMethod(input, init) {
-  return init?.method ?? (input instanceof Request ? input.method : "GET");
+  return `xdg-open ${JSON.stringify(url)}`;
 }
-function shouldProxyTokenRequest(input) {
-  return tokenProxyContext.getStore()?.proxyTokenRequests === true && isAnthropicTokenEndpoint(input);
-}
-function shouldInjectAnthropicUserAgent(input) {
-  const userAgent = tokenProxyContext.getStore()?.userAgent;
-  if (!userAgent) return false;
-  const rawUrl = getRequestUrlString(input);
+function openBrowser(url) {
   try {
-    const url = new URL(rawUrl);
-    return url.host === ANTHROPIC_TOKEN_HOST;
+    browserExec(getOpenBrowserCommand(url), () => {
+    });
   } catch {
-    return rawUrl.includes(ANTHROPIC_TOKEN_HOST);
   }
 }
-async function postAnthropicTokenViaNode(body) {
+async function postTokenEndpoint(contentType, body, timeoutMs = TOKEN_REFRESH_TIMEOUT_MS, userAgent) {
+  const derivedProfile = await loadCCDerivedAuthProfile();
+  const oauthConfig = derivedProfile.oauthConfig;
+  const endpoint = oauthConfig.tokenUrl;
+  const resolvedUserAgent = userAgent ?? derivedProfile.userAgent;
   let output;
   try {
     output = await runNodeTokenRequest({
       body,
-      endpoint: ANTHROPIC_REFRESH_ENDPOINT,
-      executable: REFRESH_NODE_EXECUTABLE,
-      timeoutMs: TOKEN_REFRESH_TIMEOUT_MS
+      contentType,
+      endpoint,
+      executable: TOKEN_REQUEST_EXECUTABLE,
+      timeoutMs,
+      userAgent: resolvedUserAgent
     });
   } catch (error) {
     const details = error instanceof Error ? error.message : String(error);
-    throw buildRefreshRequestError(details);
+    throw buildTokenRequestError(endpoint, details);
   }
-  let parsed;
-  try {
-    parsed = JSON.parse(output);
-  } catch (error) {
-    const details = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
-    throw buildRefreshInvalidJsonError(output, details);
+  const result = parseNodeTokenEnvelope(output, endpoint);
+  if (result.ok) {
+    return parseTokenResponseBody(result.body ?? "", endpoint);
   }
-  const result = parsed;
-  if (!result.ok) {
-    if (result.error) {
-      throw buildRefreshRequestError(result.error);
-    }
-    throw buildRefreshRequestError(`Error: HTTP request failed. status=${result.status ?? 0}; url=${ANTHROPIC_REFRESH_ENDPOINT}; body=${result.body ?? ""}`);
+  if (result.error) {
+    throw buildTokenRequestError(endpoint, result.error);
   }
-  return new Response(result.body ?? "", {
-    status: 200,
-    headers: {
-      "content-type": "application/json"
-    }
-  });
+  throw buildTokenRequestError(
+    endpoint,
+    `Error: HTTP request failed. status=${result.status ?? 0}; url=${endpoint}; body=${result.body ?? ""}`
+  );
 }
-function createAnthropicTokenProxyFetch(originalFetch) {
-  return (async (input, init) => {
-    if (shouldProxyTokenRequest(input)) {
-      const method = getRequestMethod(input, init).toUpperCase();
-      if (method !== "POST") {
-        throw buildRefreshRequestError(`Unsupported token endpoint method: ${method}`);
-      }
-      return await postAnthropicTokenViaNode(await getRequestBody(input, init));
-    }
-    if (shouldInjectAnthropicUserAgent(input)) {
-      const headers = new Headers(init?.headers ?? (input instanceof Request ? input.headers : void 0));
-      headers.set("user-agent", tokenProxyContext.getStore().userAgent);
-      return originalFetch(input, { ...init, headers });
-    }
-    return originalFetch(input, init);
+var CODE_EXCHANGE_TIMEOUT_MS = 3e4;
+async function exchangeCodeForTokens(params) {
+  const derivedProfile = await loadCCDerivedAuthProfile();
+  const oauthConfig = derivedProfile.oauthConfig;
+  const body = JSON.stringify({
+    grant_type: "authorization_code",
+    client_id: oauthConfig.clientId,
+    code: params.code,
+    redirect_uri: params.redirectUri,
+    code_verifier: params.codeVerifier,
+    state: params.state
   });
+  return postTokenEndpoint("application/json", body, CODE_EXCHANGE_TIMEOUT_MS);
+}
+async function loginWithOAuth(callbacks) {
+  const { oauthConfig: cfg } = await loadCCDerivedAuthProfile();
+  const { verifier: codeVerifier, challenge: codeChallenge } = generatePKCE();
+  const state = generateState();
+  const { port, waitForCode, stop } = await callbackServerStarter({ expectedState: state });
+  const redirectUri = `http://localhost:${port}/callback`;
+  try {
+    const authorizeUrl = `${cfg.authorizeUrl}?${new URLSearchParams({
+      code: "true",
+      client_id: cfg.clientId,
+      response_type: "code",
+      redirect_uri: redirectUri,
+      scope: cfg.scopes,
+      code_challenge: codeChallenge,
+      code_challenge_method: "S256",
+      state
+    }).toString()}`;
+    callbacks.onAuth({
+      url: authorizeUrl,
+      instructions: "Complete authorization in your browser."
+    });
+    openBrowser(authorizeUrl);
+    callbacks.onProgress?.("Waiting for browser authorization...");
+    const { code } = await waitForCode;
+    callbacks.onProgress?.("Exchanging authorization code...");
+    const tokens = await exchangeCodeForTokens({
+      code,
+      codeVerifier,
+      state,
+      redirectUri
+    });
+    callbacks.onProgress?.("Fetching profile...");
+    const profileResult = await profileFetcher(tokens.access_token);
+    try {
+      await usageFetcher(tokens.access_token);
+    } catch {
+    }
+    const profileData = profileResult.ok ? profileResult.data : void 0;
+    const now2 = Date.now();
+    return {
+      accessToken: tokens.access_token,
+      refreshToken: tokens.refresh_token,
+      expiresAt: now2 + tokens.expires_in * 1e3,
+      email: profileData?.email,
+      planTier: profileData?.planTier ?? "",
+      addedAt: now2,
+      lastUsed: now2
+    };
+  } catch (error) {
+    stop();
+    throw error;
+  }
 }
-function ensureAnthropicTokenProxyFetchInstalled() {
-  if (tokenProxyInstalled) return;
-  tokenProxyOriginalFetch = globalThis.fetch;
-  globalThis.fetch = createAnthropicTokenProxyFetch(tokenProxyOriginalFetch);
-  tokenProxyInstalled = true;
-}
-async function withAnthropicTokenProxyFetch(operation, options) {
-  ensureAnthropicTokenProxyFetchInstalled();
-  return await tokenProxyContext.run({ proxyTokenRequests: true, userAgent: options?.userAgent }, operation);
-}
-async function fetchProfileWithSingleRetry(accessToken) {
-  let profileResult = await fetchProfile(accessToken);
-  if (profileResult.ok) {
-    return profileResult;
-  }
-  await new Promise((resolve) => setTimeout(resolve, 1e3));
-  profileResult = await fetchProfile(accessToken);
-  return profileResult;
-}
-async function loginWithPiAi(callbacks) {
-  const piCreds = await withAnthropicTokenProxyFetch(
-    () => piAiOauth.loginAnthropic({
-      onAuth: callbacks.onAuth,
-      onPrompt: callbacks.onPrompt,
-      onProgress: callbacks.onProgress,
-      onManualCodeInput: callbacks.onManualCodeInput
-    }),
-    { userAgent: callbacks.userAgent }
+var REFRESH_TIMEOUT_MS = 15e3;
+async function refreshWithOAuth(currentRefreshToken) {
+  const { oauthConfig } = await loadCCDerivedAuthProfile();
+  const body = new URLSearchParams({
+    grant_type: "refresh_token",
+    refresh_token: currentRefreshToken,
+    client_id: oauthConfig.clientId
+  }).toString();
+  const response = await postTokenEndpoint(
+    "application/x-www-form-urlencoded",
+    body,
+    REFRESH_TIMEOUT_MS
   );
-  const base = fromPiAiCredentials(piCreds);
-  const profileResult = await fetchProfileWithSingleRetry(piCreds.access);
-  const profileData = profileResult.ok ? profileResult.data : void 0;
-  return {
-    ...base,
-    email: profileData?.email,
-    planTier: profileData?.planTier ?? "",
-    addedAt: Date.now(),
-    lastUsed: Date.now()
-  };
-}
-async function refreshWithPiAi(currentRefreshToken) {
-  const piCreds = await withAnthropicTokenProxyFetch(() => piAiOauth.refreshAnthropicToken(currentRefreshToken));
-  return {
-    accessToken: piCreds.access,
-    refreshToken: piCreds.refresh,
-    expiresAt: piCreds.expires
+  const patch = {
+    accessToken: response.access_token,
+    expiresAt: Date.now() + response.expires_in * 1e3
   };
+  if (response.refresh_token) {
+    patch.refreshToken = response.refresh_token;
+  }
+  if (response.account?.uuid) {
+    patch.uuid = response.account.uuid;
+  }
+  if (response.account?.email_address) {
+    patch.email = response.account.email_address;
+  }
+  return patch;
 }
-var PI_AI_ADAPTER_SERVICE = ANTHROPIC_OAUTH_ADAPTER.serviceLogName;
 
 // src/token.ts
 var PERMANENT_FAILURE_HTTP_STATUSES = /* @__PURE__ */ new Set([400, 401, 403]);
@@ -529,7 +656,7 @@ async function refreshToken(currentRefreshToken, accountId, client) {
   if (inFlightRefresh) return inFlightRefresh;
   const refreshPromise = (async () => {
     try {
-      const patch = await refreshWithPiAi(currentRefreshToken);
+      const patch = await refreshWithOAuth(currentRefreshToken);
       return { ok: true, patch };
     } catch (error) {
       const message = error instanceof Error ? error.message : String(error);
@@ -754,11 +881,11 @@ function getAccountStatus(account) {
   if (account.isAuthDisabled) return "auth-disabled";
   if (!account.enabled) return "disabled";
   if (account.cachedUsage) {
-    const now = Date.now();
+    const now2 = Date.now();
     const usage = account.cachedUsage;
     const hasEvaluableUsageTier = [usage.five_hour, usage.seven_day].some((tier) => tier != null);
     const exhaustedTiers = [usage.five_hour, usage.seven_day].filter(
-      (tier) => tier && tier.utilization >= 100 && tier.resets_at != null && Date.parse(tier.resets_at) > now
+      (tier) => tier && tier.utilization >= 100 && tier.resets_at != null && Date.parse(tier.resets_at) > now2
     );
     if (exhaustedTiers.length > 0) {
       return "rate-limited";
@@ -870,10 +997,10 @@ function createProgressBar(utilization, width = 20) {
 function formatResetTime(resetAt) {
   if (!resetAt) return "";
   const date = new Date(resetAt);
-  const now = /* @__PURE__ */ new Date();
+  const now2 = /* @__PURE__ */ new Date();
   const tz = Intl.DateTimeFormat().resolvedOptions().timeZone;
   const timeStr = date.toLocaleTimeString(void 0, { hour: "numeric", minute: "2-digit", hour12: true });
-  const isSameDay = date.getFullYear() === now.getFullYear() && date.getMonth() === now.getMonth() && date.getDate() === now.getDate();
+  const isSameDay = date.getFullYear() === now2.getFullYear() && date.getMonth() === now2.getMonth() && date.getDate() === now2.getDate();
   if (isSameDay) {
     return ` (resets ${timeStr}, ${tz})`;
   }
@@ -952,8 +1079,7 @@ var AccountStore = class extends CoreAccountStore {
 
 // src/auth-handler.ts
 import { randomUUID } from "crypto";
-import { createInterface } from "readline";
-import { exec } from "child_process";
+import { exec as exec2 } from "child_process";
 function makeFailedFlowResult(message) {
   return {
     url: "",
@@ -976,38 +1102,17 @@ function asOAuthCallbackResponse(account) {
     expires: account.expiresAt
   };
 }
-function promptLine(message) {
-  if (!isTTY()) return Promise.resolve("");
-  const rl = createInterface({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve) => {
-    rl.question(message, (answer) => {
-      rl.close();
-      resolve(answer.trim());
-    });
-  });
-}
-function normalizePromptMessage(prompt) {
-  return prompt.message ?? prompt.text ?? prompt.label ?? prompt.title ?? prompt.placeholder ?? "Continue authentication: ";
-}
-async function startPiAiFlow() {
+async function startOAuthFlow() {
   try {
-    const completedAccount = await loginWithPiAi({
+    const completedAccount = await loginWithOAuth({
       onAuth: (info) => {
-        if (info.url) {
-          openBrowser(info.url);
-        }
         const instruction = info.instructions ?? "Complete authorization in your browser.";
         const urlLine = info.url ? `
 Auth URL (manual fallback): ${info.url}` : "";
         console.log(`
 ${instruction}${urlLine}
 `);
-      },
-      onPrompt: async (prompt) => {
-        const text = normalizePromptMessage(prompt);
-        return promptLine(text.endsWith(":") || text.endsWith("?") ? `${text} ` : `${text}: `);
-      },
-      userAgent: CLAUDE_CLI_USER_AGENT
+      }
     });
     const completedResult = asOAuthCallbackResponse(completedAccount);
     const accountEmail = completedAccount.email;
@@ -1028,7 +1133,7 @@ function wrapCallbackWithAccountReplace(result, manager, targetAccount) {
     ...result,
     callback: async function(code) {
       const callbackResult = await originalCallback(code);
-      if (callbackResult.type === "success" && callbackResult.refresh) {
+      if (callbackResult.type === "success") {
         if (targetAccount.uuid) {
           await manager.replaceAccountCredentials(targetAccount.uuid, toOAuthCredentials(callbackResult));
         }
@@ -1047,7 +1152,7 @@ function wrapCallbackWithManagerSync(result, manager) {
     ...result,
     callback: async function(code) {
       const callbackResult = await originalCallback(code);
-      if (callbackResult.type === "success" && callbackResult.refresh) {
+      if (callbackResult.type === "success") {
         const auth = toOAuthCredentials(callbackResult);
         if (manager) {
           const countBefore = manager.getAccounts().length;
@@ -1068,25 +1173,17 @@ function wrapCallbackWithManagerSync(result, manager) {
     }
   };
 }
-function openBrowser(url) {
-  const commands = {
-    darwin: "open",
-    win32: "start"
-  };
-  const cmd = commands[process.platform] ?? "xdg-open";
-  exec(`${cmd} ${JSON.stringify(url)}`);
-}
 async function persistFallback(auth) {
   try {
     const store = new AccountStore();
-    const now = Date.now();
+    const now2 = Date.now();
     const account = {
       uuid: randomUUID(),
       refreshToken: auth.refresh,
       accessToken: auth.access,
       expiresAt: auth.expires,
-      addedAt: now,
-      lastUsed: now,
+      addedAt: now2,
+      lastUsed: now2,
       enabled: true,
       planTier: "",
       consecutiveAuthFailures: 0,
@@ -1099,11 +1196,11 @@ async function persistFallback(auth) {
 }
 async function handleAuthorize(manager, inputs, client) {
   if (!inputs || !isTTY()) {
-    return wrapCallbackWithManagerSync(await startPiAiFlow(), manager);
+    return wrapCallbackWithManagerSync(await startOAuthFlow(), manager);
   }
   const effectiveManager = manager ?? await loadManagerFromDisk(client);
   if (!effectiveManager || effectiveManager.getAccounts().length === 0) {
-    return wrapCallbackWithManagerSync(await startPiAiFlow(), manager);
+    return wrapCallbackWithManagerSync(await startOAuthFlow(), manager);
   }
   return runAccountManagementMenu(effectiveManager, client);
 }
@@ -1120,7 +1217,7 @@ async function runAccountManagementMenu(manager, client) {
     const menuAction = await showAuthMenu(allAccounts);
     switch (menuAction.type) {
       case "add":
-        return wrapCallbackWithManagerSync(await startPiAiFlow(), manager);
+        return wrapCallbackWithManagerSync(await startOAuthFlow(), manager);
       case "check-quotas":
         await handleCheckQuotas(manager, client);
         continue;
@@ -1129,7 +1226,7 @@ async function runAccountManagementMenu(manager, client) {
         if (result.action === "back" || result.action === "cancel") continue;
         const manageResult = await handleManageAction(manager, result.action, result.account, client);
         if (manageResult.triggerOAuth) {
-          return wrapCallbackWithAccountReplace(await startPiAiFlow(), manager, manageResult.account);
+          return wrapCallbackWithAccountReplace(await startOAuthFlow(), manager, manageResult.account);
         }
         continue;
       }
@@ -1139,7 +1236,7 @@ async function runAccountManagementMenu(manager, client) {
       case "delete-all":
         await manager.clearAllAccounts();
         console.log("\nAll accounts deleted.\n");
-        return wrapCallbackWithManagerSync(await startPiAiFlow(), manager);
+        return wrapCallbackWithManagerSync(await startOAuthFlow(), manager);
       case "cancel":
         return makeFailedFlowResult("Authentication cancelled");
     }
@@ -1256,15 +1353,27 @@ Retrying authentication for ${label}...
   return { triggerOAuth: false };
 }
 
+// src/proactive-refresh.ts
+import { createProactiveRefreshQueueForProvider } from "opencode-multi-account-core";
+var ProactiveRefreshQueue = createProactiveRefreshQueueForProvider({
+  providerAuthId: "anthropic",
+  getConfig,
+  isTokenExpired,
+  refreshToken,
+  debugLog
+});
+
+// src/runtime-factory.ts
+import { TokenRefreshError } from "opencode-multi-account-core";
+
 // src/request-transform.ts
-import { createHash } from "crypto";
+import { randomUUID as randomUUID4 } from "crypto";
 
 // src/model-config.ts
 function splitBetaFlags(value) {
   return value.split(",").map((entry) => entry.trim()).filter(Boolean);
 }
 var config = {
-  ccVersion: ANTHROPIC_OAUTH_ADAPTER.cliVersion,
   baseBetas: splitBetaFlags(ANTHROPIC_OAUTH_ADAPTER.requestBetaHeader),
   longContextBetas: ["context-1m-2025-08-07", "interleaved-thinking-2025-05-14"],
   modelOverrides: {
@@ -1273,18 +1382,6 @@ var config = {
     }
   }
 };
-function getCliVersion() {
-  return process.env.ANTHROPIC_CLI_VERSION ?? config.ccVersion;
-}
-function getUserAgent() {
-  if (process.env.ANTHROPIC_USER_AGENT) {
-    return process.env.ANTHROPIC_USER_AGENT;
-  }
-  if (process.env.ANTHROPIC_CLI_VERSION) {
-    return `claude-cli/${getCliVersion()} (external, cli)`;
-  }
-  return ANTHROPIC_OAUTH_ADAPTER.cliUserAgent;
-}
 function getRequiredBetas() {
   return splitBetaFlags(process.env.ANTHROPIC_BETA_FLAGS ?? config.baseBetas.join(","));
 }
@@ -1374,590 +1471,449 @@ function getModelBetas(modelId, excluded) {
   return betas.filter((beta) => !excluded.has(beta));
 }
 
-// src/anthropic-prompt.ts
-var INJECTED_SYSTEM_PROMPT = "You are Claude Code, an interactive CLI tool that helps users with software engineering tasks.";
-var SYSTEM_PROMPT = `You are an interactive CLI tool that helps users with software engineering tasks. Use the instructions below and the tools available to you to assist the user.
-
-IMPORTANT: Assist with defensive security tasks only. Refuse to create, modify, or improve code that may be used maliciously. Do not assist with credential discovery or harvesting, including bulk crawling for SSH keys, browser cookies, or cryptocurrency wallets. Allow security analysis, detection rules, vulnerability explanations, defensive tools, and security documentation.
-IMPORTANT: You must NEVER generate or guess URLs for the user unless you are confident that the URLs are for helping the user with programming. You may use URLs provided by the user in their messages or local files.
-
-If the user asks for help or wants to give feedback inform them of the following: 
-- /help: Get help with using Claude Code
-- To give feedback, users should report the issue at https://github.com/anthropics/claude-code/issues
-
-When the user directly asks about Claude Code (eg. "can Claude Code do...", "does Claude Code have..."), or asks in second person (eg. "are you able...", "can you do..."), or asks how to use a specific Claude Code feature (eg. implement a hook, or write a slash command), use the WebFetch tool to gather information to answer the question from Claude Code docs. The list of available docs is available at https://docs.claude.com/en/docs/claude-code/claude_code_docs_map.md.
-
-# Tone and style
-You should be concise, direct, and to the point, while providing complete information and matching the level of detail you provide in your response with the level of complexity of the user's query or the work you have completed. 
-A concise response is generally less than 4 lines, not including tool calls or code generated. You should provide more detail when the task is complex or when the user asks you to.
-IMPORTANT: You should minimize output tokens as much as possible while maintaining helpfulness, quality, and accuracy. Only address the specific task at hand, avoiding tangential information unless absolutely critical for completing the request. If you can answer in 1-3 sentences or a short paragraph, please do.
-IMPORTANT: You should NOT answer with unnecessary preamble or postamble (such as explaining your code or summarizing your action), unless the user asks you to.
-Do not add additional code explanation summary unless requested by the user. After working on a file, briefly confirm that you have completed the task, rather than providing an explanation of what you did.
-Answer the user's question directly, avoiding any elaboration, explanation, introduction, conclusion, or excessive details. Brief answers are best, but be sure to provide complete information. You MUST avoid extra preamble before/after your response, such as "The answer is <answer>.", "Here is the content of the file..." or "Based on the information provided, the answer is..." or "Here is what I will do next...".
-
-Here are some examples to demonstrate appropriate verbosity:
-<example>
-user: 2 + 2
-assistant: 4
-</example>
-
-<example>
-user: what is 2+2?
-assistant: 4
-</example>
-
-<example>
-user: is 11 a prime number?
-assistant: Yes
-</example>
-
-<example>
-user: what command should I run to list files in the current directory?
-assistant: ls
-</example>
-
-<example>
-user: what command should I run to watch files in the current directory?
-assistant: [runs ls to list the files in the current directory, then read docs/commands in the relevant file to find out how to watch files]
-npm run dev
-</example>
-
-<example>
-user: How many golf balls fit inside a jetta?
-assistant: 150000
-</example>
-
-<example>
-user: what files are in the directory src/?
-assistant: [runs ls and sees foo.c, bar.c, baz.c]
-user: which file contains the implementation of foo?
-assistant: src/foo.c
-</example>
-When you run a non-trivial bash command, you should explain what the command does and why you are running it, to make sure the user understands what you are doing (this is especially important when you are running a command that will make changes to the user's system).
-Remember that your output will be displayed on a command line interface. Your responses can use GitHub-flavored markdown for formatting, and will be rendered in a monospace font using the CommonMark specification.
-Output text to communicate with the user; all text you output outside of tool use is displayed to the user. Only use tools to complete tasks. Never use tools like Bash or code comments as means to communicate with the user during the session.
-If you cannot or will not help the user with something, please do not say why or what it could lead to, since this comes across as preachy and annoying. Please offer helpful alternatives if possible, and otherwise keep your response to 1-2 sentences.
-Only use emojis if the user explicitly requests it. Avoid using emojis in all communication unless asked.
-IMPORTANT: Keep your responses short, since they will be displayed on a command line interface.
-
-# Proactiveness
-You are allowed to be proactive, but only when the user asks you to do something. You should strive to strike a balance between:
-- Doing the right thing when asked, including taking actions and follow-up actions
-- Not surprising the user with actions you take without asking
-For example, if the user asks you how to approach something, you should do your best to answer their question first, and not immediately jump into taking actions.
-
-# Professional objectivity
-Prioritize technical accuracy and truthfulness over validating the user's beliefs. Focus on facts and problem-solving, providing direct, objective technical info without any unnecessary superlatives, praise, or emotional validation. It is best for the user if Claude honestly applies the same rigorous standards to all ideas and disagrees when necessary, even if it may not be what the user wants to hear. Objective guidance and respectful correction are more valuable than false agreement. Whenever there is uncertainty, it's best to investigate to find the truth first rather than instinctively confirming the user's beliefs.
-
-# Task Management
-You have access to the TodoWrite tools to help you manage and plan tasks. Use these tools VERY frequently to ensure that you are tracking your tasks and giving the user visibility into your progress.
-These tools are also EXTREMELY helpful for planning tasks, and for breaking down larger complex tasks into smaller steps. If you do not use this tool when planning, you may forget to do important tasks - and that is unacceptable.
-
-It is critical that you mark todos as completed as soon as you are done with a task. Do not batch up multiple tasks before marking them as completed.
-
-Examples:
-
-<example>
-user: Run the build and fix any type errors
-assistant: I'm going to use the TodoWrite tool to write the following items to the todo list: 
-- Run the build
-- Fix any type errors
-
-I'm now going to run the build using Bash.
-
-Looks like I found 10 type errors. I'm going to use the TodoWrite tool to write 10 items to the todo list.
-
-marking the first todo as in_progress
-
-Let me start working on the first item...
-
-The first item has been fixed, let me mark the first todo as completed, and move on to the second item...
-..
-..
-</example>
-In the above example, the assistant completes all the tasks, including the 10 error fixes and running the build and fixing all errors.
-
-<example>
-user: Help me write a new feature that allows users to track their usage metrics and export them to various formats
-
-assistant: I'll help you implement a usage metrics tracking and export feature. Let me first use the TodoWrite tool to plan this task.
-Adding the following todos to the todo list:
-1. Research existing metrics tracking in the codebase
-2. Design the metrics collection system
-3. Implement core metrics tracking functionality
-4. Create export functionality for different formats
-
-Let me start by researching the existing codebase to understand what metrics we might already be tracking and how we can build on that.
-
-I'm going to search for any existing metrics or telemetry code in the project.
-
-I've found some existing telemetry code. Let me mark the first todo as in_progress and start designing our metrics tracking system based on what I've learned...
-
-[Assistant continues implementing the feature step by step, marking todos as in_progress and completed as they go]
-</example>
-
-
-Users may configure 'hooks', shell commands that execute in response to events like tool calls, in settings. Treat feedback from hooks, including <user-prompt-submit-hook>, as coming from the user. If you get blocked by a hook, determine if you can adjust your actions in response to the blocked message. If not, ask the user to check their hooks configuration.
-
-# Doing tasks
-The user will primarily request you perform software engineering tasks. This includes solving bugs, adding new functionality, refactoring code, explaining code, and more. For these tasks the following steps are recommended:
-- Use the TodoWrite tool to plan the task if required
-
-- Tool results and user messages may include <system-reminder> tags. <system-reminder> tags contain useful information and reminders. They are automatically added by the system, and bear no direct relation to the specific tool results or user messages in which they appear.
-
-
-# Tool usage policy
-- When doing file search, prefer to use the Task tool in order to reduce context usage.
-- You should proactively use the Task tool with specialized agents when the task at hand matches the agent's description.
-
-- When WebFetch returns a message about a redirect to a different host, you should immediately make a new WebFetch request with the redirect URL provided in the response.
-- You have the capability to call multiple tools in a single response. When multiple independent pieces of information are requested, batch your tool calls together for optimal performance. When making multiple bash tool calls, you MUST send a single message with multiple tools calls to run the calls in parallel. For example, if you need to run "git status" and "git diff", send a single message with two tool calls to run the calls in parallel.
-- If the user specifies that they want you to run tools "in parallel", you MUST send a single message with multiple tool use content blocks. For example, if you need to launch multiple agents in parallel, send a single message with multiple Task tool calls.
-- Use specialized tools instead of bash commands when possible, as this provides a better user experience. For file operations, use dedicated tools: Read for reading files instead of cat/head/tail, Edit for editing instead of sed/awk, and Write for creating files instead of cat with heredoc or echo redirection. Reserve bash tools exclusively for actual system commands and terminal operations that require shell execution. NEVER use bash echo or other command-line tools to communicate thoughts, explanations, or instructions to the user. Output all communication directly in your response text instead.
-
-
-Here is useful information about the environment you are running in:
-<env>
-Working directory: /home/thdxr/dev/projects/anomalyco/opencode/packages/opencode
-Is directory a git repo: Yes
-Platform: linux
-OS Version: Linux 6.12.4-arch1-1
-Today's date: 2025-09-30
-</env>
-You are powered by the model named Sonnet 4.5. The exact model ID is claude-sonnet-4-5-20250929.
-
-Assistant knowledge cutoff is January 2025.
-
-
-IMPORTANT: Assist with defensive security tasks only. Refuse to create, modify, or improve code that may be used maliciously. Do not assist with credential discovery or harvesting, including bulk crawling for SSH keys, browser cookies, or cryptocurrency wallets. Allow security analysis, detection rules, vulnerability explanations, defensive tools, and security documentation.
-
-
-IMPORTANT: Always use the TodoWrite tool to plan and track tasks throughout the conversation.
-
-# Code References
-
-When referencing specific functions or pieces of code include the pattern \`file_path:line_number\` to allow the user to easily navigate to the source code location.
-
-<example>
-user: Where are errors from the client handled?
-assistant: Clients are marked as failed in the \`connectToServer\` function in src/services/process.ts:712.
-</example>`;
-
-// src/request-transform.ts
-function getInjectedSystemPrompt() {
-  return INJECTED_SYSTEM_PROMPT;
-}
-function sampleCodeUnits(text, indices) {
-  return indices.map((i) => i < text.length ? text.charCodeAt(i).toString(16) : "30").join("");
-}
-function buildBillingHeader(firstUserMessage) {
-  const version = ANTHROPIC_OAUTH_ADAPTER.cliVersion;
-  const salt = ANTHROPIC_OAUTH_ADAPTER.billingSalt;
-  if (!version || !salt) return "";
-  const sampled = sampleCodeUnits(firstUserMessage, [4, 7, 20]);
-  const hash = createHash("sha256").update(`${salt}${sampled}${version}`).digest("hex").slice(0, 3);
-  return `x-anthropic-billing-header: cc_version=${version}.${hash}; cc_entrypoint=cli; cch=00000;`;
-}
-var OPENCODE_CAMEL_RE = /OpenCode/g;
-var OPENCODE_LOWER_RE = /(?<!\/)opencode/gi;
-var TOOL_MASK_PREFIX = "tool_";
-var PARAGRAPH_REMOVAL_ANCHORS = [
-  "github.com/anomalyco/opencode",
-  "opencode.ai/docs"
-];
-var BILLING_HEADER_PREFIX = "x-anthropic-billing-header:";
-var DOCUMENTED_BUILTIN_TOOL_NAMES = /* @__PURE__ */ new Set([
-  "Agent",
-  "AskUserQuestion",
-  "Bash",
-  "CronCreate",
-  "CronDelete",
-  "CronList",
-  "Edit",
-  "EnterPlanMode",
-  "EnterWorktree",
-  "ExitPlanMode",
-  "ExitWorktree",
-  "Glob",
-  "Grep",
-  "ListMcpResourcesTool",
-  "LSP",
-  "Monitor",
-  "NotebookEdit",
-  "PowerShell",
-  "Read",
-  "ReadMcpResourceTool",
-  "SendMessage",
-  "Skill",
-  "TaskCreate",
-  "TaskGet",
-  "TaskList",
-  "TaskOutput",
-  "TaskStop",
-  "TaskUpdate",
-  "TeamCreate",
-  "TeamDelete",
-  "TodoWrite",
-  "ToolSearch",
-  "WebFetch",
-  "WebSearch",
-  "Write"
-]);
-function isTypedTool(tool2) {
-  return typeof tool2.type === "string" && tool2.type.trim().length > 0;
+// src/claude-identity.ts
+import { readFileSync, readdirSync } from "fs";
+import { homedir } from "os";
+import { join } from "path";
+var EMPTY_IDENTITY = {
+  deviceId: "",
+  accountUuid: ""
+};
+var testOverrideIdentity = null;
+function getCandidatePaths() {
+  const home = homedir();
+  const paths = [
+    join(home, ".claude.json"),
+    join(home, ".claude", ".claude.json"),
+    join(home, ".claude", "claude.json")
+  ];
+  try {
+    const backupDir = join(home, ".claude", "backups");
+    const backups = readdirSync(backupDir).filter((file) => file.startsWith(".claude.json.backup.")).sort().reverse();
+    for (const backup of backups) {
+      paths.push(join(backupDir, backup));
+    }
+  } catch {
+  }
+  return paths;
 }
-function shouldMaskToolName(name) {
-  if (!name) {
-    return false;
+function parseIdentityFile(path) {
+  try {
+    const data = JSON.parse(readFileSync(path, "utf-8"));
+    if (!data.userID) {
+      return null;
+    }
+    return {
+      deviceId: data.userID,
+      accountUuid: data.oauthAccount?.accountUuid ?? data.accountUuid ?? ""
+    };
+  } catch {
+    return null;
   }
-  return !DOCUMENTED_BUILTIN_TOOL_NAMES.has(name) && !name.startsWith(TOOL_MASK_PREFIX);
 }
-function extractFirstUserTextFromMessageContent(content) {
-  if (typeof content === "string") {
-    return content;
+function loadClaudeIdentity() {
+  if (testOverrideIdentity) {
+    return testOverrideIdentity;
   }
-  if (!Array.isArray(content)) {
-    return "";
+  try {
+    for (const path of getCandidatePaths()) {
+      const identity = parseIdentityFile(path);
+      if (identity) {
+        return identity;
+      }
+    }
+  } catch {
   }
-  return content.filter((block) => isRecord(block) && block.type === "text" && typeof block.text === "string").map((block) => String(block.text)).join("\n\n");
+  return EMPTY_IDENTITY;
+}
+
+// src/upstream-request.ts
+import { createHash as createHash2, randomUUID as randomUUID2 } from "crypto";
+var BILLING_SEED = "59cf53e54c78";
+var DEFAULT_CC_VERSION = "2.1.100";
+var SESSION_IDLE_ROTATE_MS = 15 * 60 * 1e3;
+var MAX_TOOL_RESULT_TEXT_LENGTH = 30 * 1024;
+var TRUNCATION_SUFFIX = "[...truncated]";
+var DEFAULT_CONTEXT_MANAGEMENT = {};
+var DEFAULT_OUTPUT_CONFIG = {};
+var ORCHESTRATION_TAG_NAMES = [
+  "system-reminder",
+  "env",
+  "system_information",
+  "current_working_directory",
+  "operating_system",
+  "default_shell",
+  "home_directory",
+  "task_metadata",
+  "directories",
+  "thinking",
+  "agent_persona",
+  "agent_context",
+  "tool_context",
+  "persona",
+  "tool_call"
+];
+var ORCHESTRATION_PATTERNS = ORCHESTRATION_TAG_NAMES.flatMap((tag) => [
+  new RegExp(`<${tag}\\b[^>]*>[\\s\\S]*?<\\/${tag}>`, "gi"),
+  new RegExp(`<${tag}\\b[^>]*/>`, "gi")
+]);
+var FRAMEWORK_PATTERNS = [
+  /\b(roo[- ]?cline|roo[- ]?code|big[- ]?agi|claude[- ]?bridge|amazon\s+q)\b/gi,
+  /\b(openclaw|hermes|aider|cursor|windsurf|cline|continue|copilot|cody)\b/gi,
+  /\b(zed|plandex|tabby|opencode|daytona)\b/gi,
+  /\b(librechat|typingmind)\b/gi,
+  /\b(openai|gpt-4|gpt-3\.5)\b/gi,
+  /powered by [a-z]+/gi,
+  /\bgateway\b/gi,
+  /\bsessions_[a-z_]+\b/gi
+];
+var upstreamRequestTestOverrides = {};
+var sessionId = randomUUID2();
+var sessionLastUsed = 0;
+function now() {
+  return upstreamRequestTestOverrides.now?.() ?? Date.now();
 }
-function extractFirstUserText(parsed) {
-  if (!Array.isArray(parsed.messages)) {
-    return "";
+function createSessionId() {
+  return upstreamRequestTestOverrides.createSessionId?.() ?? randomUUID2();
+}
+function getActiveSessionId() {
+  const currentTime = now();
+  if (sessionLastUsed === 0 || currentTime - sessionLastUsed > SESSION_IDLE_ROTATE_MS) {
+    sessionId = createSessionId();
   }
-  const firstUserMessage = parsed.messages.find((message) => message.role === "user");
-  if (!firstUserMessage) {
-    return "";
+  sessionLastUsed = currentTime;
+  return sessionId;
+}
+function getUpstreamSessionId() {
+  return getActiveSessionId();
+}
+function isRecord(value) {
+  return typeof value === "object" && value !== null;
+}
+function cloneBody(value) {
+  return structuredClone(value);
+}
+function sanitizeContent(text) {
+  let result = text;
+  for (const pattern of ORCHESTRATION_PATTERNS) {
+    pattern.lastIndex = 0;
+    result = result.replace(pattern, "");
   }
-  return extractFirstUserTextFromMessageContent(firstUserMessage.content).trim();
+  return result.replace(/\n{3,}/g, "\n\n").trim();
 }
-function buildMaskedToolName(seed, toolName, length = 8) {
-  const digest = createHash("sha256").update(`tool-mask:${seed}:${toolName}`).digest("hex").slice(0, length);
-  return `${TOOL_MASK_PREFIX}${digest}`;
+function sanitizeAndScrubText(text) {
+  return scrubFrameworkIdentifiers(sanitizeContent(text)).replace(/\n{3,}/g, "\n\n").trim();
 }
-function collectMaskCandidates(parsed) {
-  const candidates = /* @__PURE__ */ new Set();
-  if (Array.isArray(parsed.tools)) {
-    for (const tool2 of parsed.tools) {
-      if (!isRecord(tool2) || isTypedTool(tool2) || !shouldMaskToolName(tool2.name)) {
-        continue;
-      }
-      candidates.add(tool2.name);
+function stripCacheControl(value) {
+  if (Array.isArray(value)) {
+    for (const item of value) {
+      stripCacheControl(item);
     }
+    return;
   }
-  if (Array.isArray(parsed.messages)) {
-    for (const message of parsed.messages) {
-      if (!Array.isArray(message.content)) {
-        continue;
-      }
-      for (const contentBlock of message.content) {
-        if (contentBlock.type !== "tool_use" || !shouldMaskToolName(contentBlock.name)) {
-          continue;
-        }
-        candidates.add(contentBlock.name);
-      }
-    }
+  if (!isRecord(value)) {
+    return;
   }
-  if (parsed.tool_choice?.type === "tool" && shouldMaskToolName(parsed.tool_choice.name)) {
-    candidates.add(parsed.tool_choice.name);
+  delete value.cache_control;
+  for (const nested of Object.values(value)) {
+    stripCacheControl(nested);
   }
-  return [...candidates];
 }
-function buildToolMaskMap(parsed) {
-  const maskMap = /* @__PURE__ */ new Map();
-  const candidates = collectMaskCandidates(parsed);
-  const firstUserText = extractFirstUserText(parsed);
-  const usedMaskedNames = /* @__PURE__ */ new Set();
-  for (const candidate of candidates) {
-    let hashLength = 8;
-    let maskedName = buildMaskedToolName(firstUserText, candidate, hashLength);
-    while (usedMaskedNames.has(maskedName)) {
-      hashLength += 2;
-      maskedName = buildMaskedToolName(firstUserText, candidate, hashLength);
-    }
-    maskMap.set(candidate, maskedName);
-    usedMaskedNames.add(maskedName);
+function sanitizeMessageBlock(block) {
+  if (typeof block.text === "string") {
+    block.text = sanitizeAndScrubText(block.text);
   }
-  return maskMap;
-}
-function extractRequestToolMaskMap(body) {
-  if (!body) {
-    return /* @__PURE__ */ new Map();
+  if (block.type !== "tool_result") {
+    return;
   }
-  try {
-    const parsed = JSON.parse(body);
-    return buildToolMaskMap(parsed);
-  } catch {
-    return /* @__PURE__ */ new Map();
+  if (typeof block.content === "string") {
+    block.content = truncateToolResultText(sanitizeAndScrubText(block.content));
+    return;
+  }
+  if (!Array.isArray(block.content)) {
+    return;
+  }
+  for (const item of block.content) {
+    if (isRecord(item) && typeof item.text === "string") {
+      item.text = truncateToolResultText(sanitizeAndScrubText(item.text));
+    }
   }
 }
-function renameMaskedToolName(name, maskMap) {
-  if (!name) {
-    return name;
+function stripAssistantThinkingBlocks(messages) {
+  for (const message of messages) {
+    if (message.role !== "assistant" || !Array.isArray(message.content)) {
+      continue;
+    }
+    message.content = message.content.filter((block) => block.type !== "thinking");
   }
-  return maskMap.get(name) ?? name;
 }
-function remapToolUseNames(messages, maskMap) {
-  if (!Array.isArray(messages)) {
-    return messages;
+function hasMeaningfulContent(content) {
+  if (typeof content === "string") {
+    return content.trim().length > 0;
   }
-  return messages.map((message) => {
-    if (!Array.isArray(message.content)) {
-      return message;
+  if (!Array.isArray(content)) {
+    return false;
+  }
+  return content.some((block) => {
+    if (!isRecord(block)) {
+      return false;
     }
-    return {
-      ...message,
-      content: message.content.map((contentBlock) => {
-        if (contentBlock.type !== "tool_use" || !contentBlock.name) {
-          return contentBlock;
-        }
-        const nextName = renameMaskedToolName(contentBlock.name, maskMap);
-        return nextName === contentBlock.name ? contentBlock : { ...contentBlock, name: nextName };
-      })
-    };
+    if (typeof block.text === "string" && block.text.trim().length > 0) {
+      return true;
+    }
+    if (typeof block.content === "string" && block.content.trim().length > 0) {
+      return true;
+    }
+    return false;
   });
 }
-function remapToolChoice(toolChoice, maskMap) {
-  if (!toolChoice || toolChoice.type !== "tool" || typeof toolChoice.name !== "string") {
-    return toolChoice;
+function trimTrailingEmptyTurns(messages) {
+  while (messages.length > 0) {
+    const lastMessage = messages[messages.length - 1];
+    if (!lastMessage || hasMeaningfulContent(lastMessage.content)) {
+      return;
+    }
+    messages.pop();
   }
-  const nextName = renameMaskedToolName(toolChoice.name, maskMap);
-  return nextName === toolChoice.name ? toolChoice : { ...toolChoice, name: nextName };
 }
-function isRecord(value) {
-  return typeof value === "object" && value !== null;
-}
-function isProtectedSystemText(text) {
-  return text === SYSTEM_PROMPT || text === INJECTED_SYSTEM_PROMPT || text.startsWith(BILLING_HEADER_PREFIX);
-}
-function sanitizeSystemText(text) {
-  const paragraphs = text.split(/\n\n+/).map((paragraph) => paragraph.trim()).filter(Boolean).filter((paragraph) => !PARAGRAPH_REMOVAL_ANCHORS.some((anchor) => paragraph.includes(anchor)));
-  return paragraphs.join("\n\n").replace(OPENCODE_CAMEL_RE, "Claude Code").replace(OPENCODE_LOWER_RE, "Claude").replace(/\n{3,}/g, "\n\n").trim();
-}
-function normalizeSystemEntries(system) {
+function normalizeSystemTexts(system) {
   if (typeof system === "string") {
-    const text = system.trim();
-    return text ? [{ type: "text", text }] : [];
+    const next = sanitizeAndScrubText(system);
+    return next ? [next] : [];
   }
   if (!Array.isArray(system)) {
     return [];
   }
-  const normalized = [];
+  const texts = [];
   for (const entry of system) {
     if (typeof entry === "string") {
-      const text = entry.trim();
-      if (text) {
-        normalized.push({ type: "text", text });
+      const next = sanitizeAndScrubText(entry);
+      if (next) {
+        texts.push(next);
       }
       continue;
     }
-    if (!isRecord(entry)) {
-      continue;
-    }
-    const rawText = typeof entry.text === "string" ? entry.text.trim() : "";
-    if (!rawText) {
-      continue;
+    if (isRecord(entry) && typeof entry.text === "string") {
+      const next = sanitizeAndScrubText(entry.text);
+      if (next) {
+        texts.push(next);
+      }
     }
-    normalized.push({
-      ...entry,
-      type: "text",
-      text: rawText
-    });
   }
-  return normalized;
+  return texts;
 }
-function prependToMessageContent(content, prefix) {
-  if (!prefix) {
-    return content;
-  }
-  if (typeof content === "string") {
-    return content ? `${prefix}
-
-${content}` : prefix;
-  }
-  if (!Array.isArray(content)) {
-    return [{ type: "text", text: prefix }];
-  }
-  const firstTextIndex = content.findIndex(
-    (block) => isRecord(block) && block.type === "text" && typeof block.text === "string"
-  );
-  if (firstTextIndex === -1) {
-    return [{ type: "text", text: prefix }, ...content];
-  }
-  return content.map((block, index) => {
-    if (index !== firstTextIndex || !isRecord(block) || typeof block.text !== "string") {
-      return block;
-    }
-    return {
-      ...block,
-      text: block.text ? `${prefix}
-
-${block.text}` : prefix
-    };
-  });
+function filterInjectedSystemTexts(systemTexts, template, billingHeader) {
+  return systemTexts.filter((entry) => entry !== billingHeader && entry !== template.agent_identity && entry !== template.system_prompt && !entry.startsWith("x-anthropic-billing-header:"));
 }
-function relocateSystemTextToFirstUser(parsed, systemEntries) {
-  if (!Array.isArray(parsed.messages) || parsed.messages.length === 0) {
-    return systemEntries.map((entry) => isProtectedSystemText(entry.text) ? entry : { ...entry, text: sanitizeSystemText(entry.text) }).filter((entry) => entry.text);
+function extractFirstUserMessage(messages) {
+  if (!Array.isArray(messages)) {
+    return "";
   }
-  const preservedEntries = [];
-  const relocatedTexts = [];
-  for (const entry of systemEntries) {
-    if (isProtectedSystemText(entry.text)) {
-      preservedEntries.push(entry);
+  for (const message of messages) {
+    if (message.role !== "user") {
       continue;
     }
-    const sanitizedText = sanitizeSystemText(entry.text);
-    if (!sanitizedText) {
-      continue;
+    if (typeof message.content === "string") {
+      return message.content;
+    }
+    if (!Array.isArray(message.content)) {
+      return "";
     }
-    relocatedTexts.push(sanitizedText);
+    const text = message.content.filter((block) => typeof block.text === "string").map((block) => block.text).join("\n\n").trim();
+    return text;
   }
-  if (relocatedTexts.length === 0) {
-    return systemEntries.map((entry) => isProtectedSystemText(entry.text) ? entry : { ...entry, text: sanitizeSystemText(entry.text) }).filter((entry) => entry.text);
+  return "";
+}
+function hasCompleteToolSchemas(tools) {
+  return tools.length > 0 && tools.every((tool2) => typeof tool2 === "object" && tool2 !== null && "input_schema" in tool2);
+}
+function getCcVersion(template) {
+  return template.cc_version ?? DEFAULT_CC_VERSION;
+}
+function buildBillingHeader(firstUserMessage, template) {
+  const version = getCcVersion(template);
+  const buildTag = computeBuildTag(firstUserMessage, version);
+  return `x-anthropic-billing-header: cc_version=${version}.${buildTag}; cc_entrypoint=cli; cch=00000;`;
+}
+function truncateToolResultText(text) {
+  if (text.length <= MAX_TOOL_RESULT_TEXT_LENGTH) {
+    return text;
   }
-  const prefix = relocatedTexts.join("\n\n");
-  const nextMessages = [...parsed.messages];
-  const userMessageIndex = nextMessages.findIndex((message) => message.role === "user");
-  if (userMessageIndex === -1) {
-    return systemEntries.map((entry) => isProtectedSystemText(entry.text) ? entry : { ...entry, text: sanitizeSystemText(entry.text) }).filter((entry) => entry.text);
+  return `${text.slice(0, MAX_TOOL_RESULT_TEXT_LENGTH)}${TRUNCATION_SUFFIX}`;
+}
+function getReverseName(name, reverseLookup) {
+  if (!reverseLookup) {
+    return name;
   }
-  const userMessage = nextMessages[userMessageIndex];
-  if (!userMessage) {
-    return systemEntries.map((entry) => isProtectedSystemText(entry.text) ? entry : { ...entry, text: sanitizeSystemText(entry.text) }).filter((entry) => entry.text);
+  if (reverseLookup instanceof Map) {
+    return reverseLookup.get(name) ?? name;
   }
-  nextMessages[userMessageIndex] = {
-    ...userMessage,
-    content: prependToMessageContent(userMessage.content, prefix)
-  };
-  parsed.messages = nextMessages;
-  return preservedEntries;
+  return typeof reverseLookup[name] === "string" ? String(reverseLookup[name]) : name;
 }
-function extractToolNamesFromRequestBody(body) {
-  if (!body) {
-    return [];
+function reverseMapToolUseNames(value, reverseLookup) {
+  if (Array.isArray(value)) {
+    return value.map((item) => reverseMapToolUseNames(item, reverseLookup));
   }
-  try {
-    const parsed = JSON.parse(body);
-    if (!Array.isArray(parsed.tools)) {
-      return [];
-    }
-    return parsed.tools.map((tool2) => typeof tool2.name === "string" ? tool2.name : null).filter((toolName) => Boolean(toolName));
-  } catch {
-    return [];
+  if (!isRecord(value)) {
+    return value;
+  }
+  const cloned = {};
+  for (const [key, nested] of Object.entries(value)) {
+    cloned[key] = reverseMapToolUseNames(nested, reverseLookup);
   }
+  if (cloned.type === "tool_use" && typeof cloned.name === "string") {
+    cloned.name = getReverseName(cloned.name, reverseLookup);
+  }
+  return cloned;
 }
-function stripToolPrefixFromLine(line, maskMap) {
-  if (!ANTHROPIC_OAUTH_ADAPTER.transform.stripToolPrefixInResponse) {
+function remapSseLine(line, reverseLookup) {
+  if (!line.startsWith("data:")) {
     return line;
   }
-  let nextLine = line;
-  for (const [originalName, maskedName] of maskMap) {
-    nextLine = nextLine.replace(
-      new RegExp(`"name"\\s*:\\s*"${maskedName}"`, "g"),
-      `"name": "${originalName}"`
-    );
+  const payload = line.slice(5).trimStart();
+  if (payload.length === 0 || payload === "[DONE]") {
+    return line;
   }
-  return nextLine;
-}
-function processCompleteLines(buffer, maskMap) {
-  const lines = buffer.split("\n");
-  const remaining = lines.pop() ?? "";
-  if (lines.length === 0) {
-    return { output: "", remaining };
+  try {
+    const parsed = JSON.parse(payload);
+    return `data: ${JSON.stringify(reverseMapResponse(parsed, reverseLookup))}`;
+  } catch {
+    return line;
   }
-  const output = `${lines.map((line) => stripToolPrefixFromLine(line, maskMap)).join("\n")}
-`;
-  return { output, remaining };
 }
-function buildRequestHeaders(input, init, accessToken, modelId = "unknown", excludedBetas2) {
-  const headers = new Headers();
-  if (input instanceof Request) {
-    input.headers.forEach((value, key) => {
-      headers.set(key, value);
-    });
+function sanitizeMessages(body) {
+  const messages = body.messages;
+  if (!Array.isArray(messages)) {
+    return;
   }
-  if (init?.headers) {
-    if (init.headers instanceof Headers) {
-      init.headers.forEach((value, key) => {
-        headers.set(key, value);
-      });
-    } else if (Array.isArray(init.headers)) {
-      for (const [key, value] of init.headers) {
-        if (value !== void 0) headers.set(key, String(value));
-      }
-    } else {
-      for (const [key, value] of Object.entries(init.headers)) {
-        if (value !== void 0) headers.set(key, String(value));
+  for (const message of messages) {
+    if (!isRecord(message)) {
+      continue;
+    }
+    if (typeof message.content === "string") {
+      message.content = sanitizeContent(message.content);
+      continue;
+    }
+    if (!Array.isArray(message.content)) {
+      continue;
+    }
+    for (const block of message.content) {
+      if (isRecord(block) && typeof block.text === "string") {
+        block.text = sanitizeContent(block.text);
       }
     }
   }
-  const incomingBetas = (headers.get("anthropic-beta") || "").split(",").map((b) => b.trim()).filter(Boolean);
-  const modelBetas = getModelBetas(modelId, excludedBetas2);
-  const mergedBetas = [.../* @__PURE__ */ new Set([
-    ...modelBetas,
-    ...incomingBetas
-  ])].join(",");
-  headers.set("authorization", `Bearer ${accessToken}`);
-  headers.set("anthropic-beta", mergedBetas);
-  headers.set("user-agent", getUserAgent());
-  headers.set("anthropic-dangerous-direct-browser-access", "true");
-  headers.set("x-app", "cli");
-  headers.delete("x-api-key");
-  return headers;
-}
-function transformRequestBody(body) {
-  if (!body) return body;
-  try {
-    const parsed = JSON.parse(body);
-    const toolMaskMap = buildToolMaskMap(parsed);
-    if (ANTHROPIC_OAUTH_ADAPTER.transform.rewriteOpenCodeBranding) {
-      const normalizedSystemEntries = normalizeSystemEntries(parsed.system);
-      parsed.system = relocateSystemTextToFirstUser(parsed, normalizedSystemEntries);
-    }
-    if (parsed.tools && Array.isArray(parsed.tools)) {
-      parsed.tools = parsed.tools.map((tool2) => ({
-        ...tool2,
-        name: renameMaskedToolName(tool2.name, toolMaskMap)
-      }));
-    }
-    parsed.messages = remapToolUseNames(parsed.messages, toolMaskMap);
-    parsed.tool_choice = remapToolChoice(parsed.tool_choice, toolMaskMap);
-    return JSON.stringify(parsed);
-  } catch {
-    return body;
-  }
 }
-function extractModelIdFromBody(body) {
-  if (typeof body !== "string") {
-    return "unknown";
+function scrubFrameworkIdentifiers(text) {
+  let result = text;
+  for (const pattern of FRAMEWORK_PATTERNS) {
+    pattern.lastIndex = 0;
+    result = result.replace(pattern, (match, ...args) => {
+      const offset = args.at(-2);
+      const source = args.at(-1);
+      if (typeof offset !== "number" || typeof source !== "string") {
+        return match;
+      }
+      const before = offset > 0 ? source[offset - 1] ?? "" : "";
+      const after = offset + match.length < source.length ? source[offset + match.length] ?? "" : "";
+      if (before === "." || before === "/" || before === "\\" || before === "-" || before === "_") {
+        return match;
+      }
+      if (after === "/" || after === "\\") {
+        return match;
+      }
+      return "";
+    });
   }
-  try {
-    const parsed = JSON.parse(body);
-    return parsed.model ?? "unknown";
-  } catch {
-    return "unknown";
+  return result;
+}
+function computeBuildTag(userMessage, version) {
+  const chars = [4, 7, 20].map((index) => userMessage[index] ?? "0").join("");
+  return createHash2("sha256").update(`${BILLING_SEED}${chars}${version}`).digest("hex").slice(0, 3);
+}
+function buildUpstreamRequest(inputBody, identity, template, options) {
+  const body = cloneBody(inputBody);
+  const messages = Array.isArray(body.messages) ? body.messages : [];
+  const systemTexts = normalizeSystemTexts(body.system);
+  stripCacheControl(body);
+  sanitizeMessages(body);
+  stripAssistantThinkingBlocks(messages);
+  for (const message of messages) {
+    if (typeof message.content === "string") {
+      message.content = sanitizeAndScrubText(message.content);
+      continue;
+    }
+    if (!Array.isArray(message.content)) {
+      continue;
+    }
+    for (const block of message.content) {
+      sanitizeMessageBlock(block);
+    }
   }
-}
-function transformRequestUrl(input) {
-  let url = null;
-  try {
-    if (typeof input === "string" || input instanceof URL) {
-      url = new URL(input.toString());
-    } else if (input instanceof Request) {
-      url = new URL(input.url);
+  trimTrailingEmptyTurns(messages);
+  const firstUserMessage = extractFirstUserMessage(messages);
+  const billingHeader = buildBillingHeader(firstUserMessage, template);
+  const mergedSystemPrompt = [
+    template.system_prompt,
+    ...filterInjectedSystemTexts(systemTexts, template, billingHeader)
+  ].map((entry) => sanitizeAndScrubText(entry)).filter(Boolean).join("\n\n");
+  const activeSessionId = options?.sessionId ?? getActiveSessionId();
+  body.messages = messages;
+  const incomingTools = Array.isArray(body.tools) ? body.tools : [];
+  body.tools = hasCompleteToolSchemas(template.tools) ? template.tools.map((tool2) => ({ ...tool2 })) : incomingTools;
+  body.system = [
+    {
+      type: "text",
+      text: billingHeader
+    },
+    {
+      type: "text",
+      text: template.agent_identity,
+      cache_control: { type: "ephemeral" }
+    },
+    {
+      type: "text",
+      text: mergedSystemPrompt,
+      cache_control: { type: "ephemeral" }
+    }
+  ];
+  body.metadata = {
+    ...isRecord(body.metadata) ? body.metadata : {},
+    user_id: JSON.stringify({
+      device_id: identity.deviceId,
+      account_uuid: identity.accountUuid,
+      session_id: activeSessionId
+    })
+  };
+  body.thinking = { type: "adaptive" };
+  body.context_management = DEFAULT_CONTEXT_MANAGEMENT;
+  body.output_config = DEFAULT_OUTPUT_CONFIG;
+  body.max_tokens = 64e3;
+  return orderBodyForOutbound(body, template.body_field_order);
+}
+function orderBodyForOutbound(body, overrideOrder) {
+  if (!Array.isArray(overrideOrder) || overrideOrder.length === 0) return body;
+  const ordered = {};
+  const seen = /* @__PURE__ */ new Set();
+  for (const name of overrideOrder) {
+    if (seen.has(name)) continue;
+    if (Object.prototype.hasOwnProperty.call(body, name)) {
+      ordered[name] = body[name];
+      seen.add(name);
     }
-  } catch {
-    return input;
   }
-  if (ANTHROPIC_OAUTH_ADAPTER.transform.enableMessagesBetaQuery && url && url.pathname === "/v1/messages" && !url.searchParams.has("beta")) {
-    url.searchParams.set("beta", "true");
-    return input instanceof Request ? new Request(url.toString(), input) : url;
+  for (const k of Object.keys(body)) {
+    if (!seen.has(k)) ordered[k] = body[k];
   }
-  return input;
+  return ordered;
+}
+function reverseMapResponse(response, reverseLookup) {
+  return reverseMapToolUseNames(response, reverseLookup);
 }
-function createResponseStreamTransform(response, maskMap = /* @__PURE__ */ new Map()) {
-  if (!response.body) return response;
+function createStreamingReverseMapper(response, reverseLookup) {
+  if (!response.body) {
+    return response;
+  }
   const reader = response.body.getReader();
   const decoder = new TextDecoder();
   const encoder = new TextEncoder();
@@ -1970,24 +1926,26 @@ function createResponseStreamTransform(response, maskMap = /* @__PURE__ */ new M
           if (done) {
             buffer += decoder.decode();
             if (buffer) {
-              controller.enqueue(encoder.encode(stripToolPrefixFromLine(buffer, maskMap)));
+              const lines2 = buffer.split("\n").map((line) => remapSseLine(line, reverseLookup));
+              controller.enqueue(encoder.encode(lines2.join("\n")));
               buffer = "";
             }
             controller.close();
             return;
           }
           buffer += decoder.decode(value, { stream: true });
-          const { output, remaining } = processCompleteLines(buffer, maskMap);
-          buffer = remaining;
-          if (output) {
-            controller.enqueue(encoder.encode(output));
+          const lines = buffer.split("\n");
+          buffer = lines.pop() ?? "";
+          if (lines.length > 0) {
+            const remapped = `${lines.map((line) => remapSseLine(line, reverseLookup)).join("\n")}
+`;
+            controller.enqueue(encoder.encode(remapped));
             return;
           }
         }
       } catch (error) {
         try {
-          reader.cancel().catch(() => {
-          });
+          await reader.cancel();
         } catch {
         }
         controller.error(error);
@@ -2004,26 +1962,142 @@ function createResponseStreamTransform(response, maskMap = /* @__PURE__ */ new M
   });
 }
 
-// src/proactive-refresh.ts
-import { createProactiveRefreshQueueForProvider } from "opencode-multi-account-core";
-var ProactiveRefreshQueue = createProactiveRefreshQueueForProvider({
-  providerAuthId: "anthropic",
-  getConfig,
-  isTokenExpired,
-  refreshToken,
-  debugLog
-});
+// src/upstream-headers.ts
+import { randomUUID as randomUUID3 } from "crypto";
+var UPSTREAM_TIMEOUT_MS = 3e5;
+var STAINLESS_PACKAGE_VERSION = "0.81.0";
+var BILLABLE_BETA_PREFIXES = ["extended-cache-ttl-"];
+function getOsName() {
+  const platform = process.platform;
+  if (platform === "win32") return "Windows";
+  if (platform === "darwin") return "MacOS";
+  return "Linux";
+}
+function getStaticHeaders() {
+  const profile = loadCCDerivedRequestProfile();
+  const headers = {
+    "accept": "application/json",
+    "content-type": "application/json",
+    "anthropic-dangerous-direct-browser-access": "true",
+    "user-agent": profile.userAgent,
+    "x-app": profile.xApp,
+    "x-stainless-arch": process.arch,
+    "x-stainless-lang": "js",
+    "x-stainless-os": getOsName(),
+    "x-stainless-package-version": STAINLESS_PACKAGE_VERSION,
+    "x-stainless-retry-count": "0",
+    "x-stainless-runtime": "node",
+    "x-stainless-runtime-version": process.version
+  };
+  const { template } = profile;
+  if (template.header_values) {
+    for (const [key, value] of Object.entries(template.header_values)) {
+      headers[key] = value;
+    }
+  }
+  return headers;
+}
+function getPerRequestHeaders(sessionId2) {
+  return {
+    "x-claude-code-session-id": sessionId2,
+    "x-client-request-id": randomUUID3(),
+    "anthropic-version": getAnthropicVersion(),
+    "x-stainless-timeout": String(UPSTREAM_TIMEOUT_MS / 1e3)
+  };
+}
+function getAnthropicVersion() {
+  return loadCCDerivedRequestProfile().anthropicVersion;
+}
+function getBetaHeader() {
+  return loadCCDerivedRequestProfile().betaHeader;
+}
+function orderHeadersForOutbound(headers, overrideHeaderOrder) {
+  const { template } = loadCCDerivedRequestProfile();
+  const order = overrideHeaderOrder ?? template.header_order;
+  if (!Array.isArray(order) || order.length === 0) {
+    return headers;
+  }
+  const lowerToValue = /* @__PURE__ */ new Map();
+  for (const [key, value] of Object.entries(headers)) {
+    lowerToValue.set(key.toLowerCase(), value);
+  }
+  const ordered = [];
+  const seen = /* @__PURE__ */ new Set();
+  for (const name of order) {
+    const key = name.toLowerCase();
+    if (seen.has(key)) {
+      continue;
+    }
+    const value = lowerToValue.get(key);
+    if (value !== void 0) {
+      ordered.push([name, value]);
+      seen.add(key);
+    }
+  }
+  for (const [key, value] of Object.entries(headers)) {
+    if (!seen.has(key.toLowerCase())) {
+      ordered.push([key, value]);
+    }
+  }
+  return ordered;
+}
+function filterBillableBetas(betas) {
+  return betas.split(",").map((beta) => beta.trim()).filter(
+    (beta) => beta.length > 0 && !BILLABLE_BETA_PREFIXES.some((prefix) => beta.startsWith(prefix))
+  ).join(",");
+}
 
-// src/runtime-factory.ts
-import { TokenRefreshError } from "opencode-multi-account-core";
+// src/request-transform.ts
+function extractModelIdFromBody(body) {
+  if (typeof body !== "string") {
+    return "unknown";
+  }
+  try {
+    const parsed = JSON.parse(body);
+    return typeof parsed.model === "string" ? parsed.model : "unknown";
+  } catch {
+    return "unknown";
+  }
+}
+function transformRequestUrl(input) {
+  let url = null;
+  try {
+    if (typeof input === "string" || input instanceof URL) {
+      url = new URL(input.toString());
+    } else if (input instanceof Request) {
+      url = new URL(input.url);
+    }
+  } catch {
+    return input;
+  }
+  if (ANTHROPIC_OAUTH_ADAPTER.transform.enableMessagesBetaQuery && url && url.pathname === "/v1/messages" && !url.searchParams.has("beta")) {
+    url.searchParams.set("beta", "true");
+    return input instanceof Request ? new Request(url.toString(), input) : url;
+  }
+  return input;
+}
+function extractToolNamesFromRequestBody(body) {
+  if (!body) {
+    return [];
+  }
+  try {
+    const parsed = JSON.parse(body);
+    if (!Array.isArray(parsed.tools)) {
+      return [];
+    }
+    return parsed.tools.map((tool2) => typeof tool2.name === "string" ? tool2.name : null).filter((toolName) => Boolean(toolName));
+  } catch {
+    return [];
+  }
+}
 
 // src/tool-observation.ts
 import { promises as fs } from "fs";
-import { dirname, join } from "path";
+import { dirname, join as join2 } from "path";
 var OBSERVED_TOOL_FILE = "anthropic-observed-tools.json";
 var FILE_MODE = 384;
 function getObservedToolPath() {
-  return join(getConfigDir(), OBSERVED_TOOL_FILE);
+  return join2(getConfigDir(), OBSERVED_TOOL_FILE);
 }
 async function loadObservedToolInventory() {
   try {
@@ -2047,34 +2121,194 @@ async function recordObservedToolNames(toolNames) {
     return;
   }
   const inventory = await loadObservedToolInventory();
-  const now = (/* @__PURE__ */ new Date()).toISOString();
+  const now2 = (/* @__PURE__ */ new Date()).toISOString();
   for (const toolName of toolNames) {
     const entry = inventory.observedTools[toolName];
     if (!entry) {
       inventory.observedTools[toolName] = {
         count: 1,
-        firstSeenAt: now,
-        lastSeenAt: now
+        firstSeenAt: now2,
+        lastSeenAt: now2
       };
       continue;
     }
     entry.count += 1;
-    entry.lastSeenAt = now;
+    entry.lastSeenAt = now2;
   }
   await saveObservedToolInventory(inventory);
 }
 
+// src/error-utils.ts
+function sanitizeError(err) {
+  const msg = err instanceof Error ? err.message : String(err);
+  return msg.replace(/sk-ant-[a-zA-Z0-9_-]+/g, "[REDACTED]").replace(/eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g, "[REDACTED_JWT]").replace(/Bearer\s+[^\s,;]+/gi, "Bearer [REDACTED]");
+}
+function enrich429(body, headers) {
+  try {
+    const parsed = JSON.parse(body);
+    const error = parsed.error;
+    if (error && (error.message === "Error" || !error.message)) {
+      const claim = headers.get("anthropic-ratelimit-unified-representative-claim") || "unknown";
+      const status = headers.get("anthropic-ratelimit-unified-status") || "rejected";
+      const util5h = headers.get("anthropic-ratelimit-unified-5h-utilization");
+      const util7d = headers.get("anthropic-ratelimit-unified-7d-utilization");
+      const reset = headers.get("anthropic-ratelimit-unified-reset");
+      const parts = [`Rate limited (${status}). Limiting window: ${claim}`];
+      if (util5h) {
+        const parsedUtil5h = Number.parseFloat(util5h);
+        if (Number.isFinite(parsedUtil5h)) {
+          parts.push(`5h utilization: ${Math.round(parsedUtil5h * 100)}%`);
+        }
+      }
+      if (util7d) {
+        const parsedUtil7d = Number.parseFloat(util7d);
+        if (Number.isFinite(parsedUtil7d)) {
+          parts.push(`7d utilization: ${Math.round(parsedUtil7d * 100)}%`);
+        }
+      }
+      if (reset) {
+        const parsedReset = Number.parseInt(reset, 10);
+        if (Number.isFinite(parsedReset)) {
+          const resetDate = new Date(parsedReset * 1e3);
+          const minutesUntilReset = Math.max(0, Math.round((resetDate.getTime() - Date.now()) / 6e4));
+          parts.push(`resets in ${minutesUntilReset}m`);
+        }
+      }
+      error.message = parts.join(". ");
+    }
+    return JSON.stringify(parsed);
+  } catch {
+    return body;
+  }
+}
+
+// src/pacing.ts
+function pickNonNegativeInt(...values) {
+  for (const v4 of values) {
+    if (v4 === void 0 || v4 === null) continue;
+    const n = typeof v4 === "number" ? v4 : Number.parseInt(v4, 10);
+    if (Number.isFinite(n) && n >= 0) return n;
+  }
+  return void 0;
+}
+function computePacingDelay(now2, lastRequestTime, cfg, rng = Math.random) {
+  if (lastRequestTime <= 0) return 0;
+  const minGap = Math.max(0, cfg.minGapMs);
+  const jitter = Math.max(0, cfg.jitterMs);
+  const jitterAdd = jitter > 0 ? Math.floor(rng() * jitter) : 0;
+  const effectiveGap = minGap + jitterAdd;
+  const elapsed = now2 - lastRequestTime;
+  if (elapsed >= effectiveGap) return 0;
+  return effectiveGap - elapsed;
+}
+function resolvePacingConfig(explicit = {}, env = process.env) {
+  const minGap = pickNonNegativeInt(explicit.minGapMs, env.ANTHROPIC_PACE_MIN_MS, env.MIN_REQUEST_INTERVAL_MS) ?? 500;
+  const jitter = pickNonNegativeInt(explicit.jitterMs, env.ANTHROPIC_PACE_JITTER_MS) ?? 0;
+  return { minGapMs: minGap, jitterMs: jitter };
+}
+
 // src/runtime-factory.ts
 var TOKEN_REFRESH_PERMANENT_FAILURE_STATUS = 401;
+function mergeHeaders(target, headers) {
+  if (!headers) {
+    return;
+  }
+  if (headers instanceof Headers) {
+    headers.forEach((value, key) => {
+      target[key.toLowerCase()] = value;
+    });
+    return;
+  }
+  if (Array.isArray(headers)) {
+    for (const [key, value] of headers) {
+      target[String(key).toLowerCase()] = String(value);
+    }
+    return;
+  }
+  for (const [key, value] of Object.entries(headers)) {
+    if (value !== void 0) {
+      target[key.toLowerCase()] = String(value);
+    }
+  }
+}
+function extractIncomingHeaders(input, init) {
+  const headers = {};
+  if (input instanceof Request) {
+    mergeHeaders(headers, input.headers);
+  }
+  mergeHeaders(headers, init?.headers);
+  return headers;
+}
+function splitBetaValues(value) {
+  if (!value) {
+    return [];
+  }
+  return value.split(",").map((entry) => entry.trim()).filter(Boolean);
+}
+function deduplicateBetas(values) {
+  return [...new Set(values.filter(Boolean))];
+}
+function excludeBetas(values, excludedBetas2) {
+  if (excludedBetas2.size === 0) {
+    return values;
+  }
+  return values.filter((beta) => !excludedBetas2.has(beta));
+}
+function transformBodyToUpstream(body, identity, sessionId2) {
+  try {
+    const parsed = JSON.parse(body);
+    if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
+      return body;
+    }
+    return JSON.stringify(
+      buildUpstreamRequest(
+        parsed,
+        identity,
+        loadTemplate(),
+        { sessionId: sessionId2 }
+      )
+    );
+  } catch {
+    return body;
+  }
+}
+async function enrichRateLimitResponse(response) {
+  if (response.status !== 429) {
+    return response;
+  }
+  const body = await response.clone().text();
+  const enrichedBody = enrich429(body, response.headers);
+  if (enrichedBody === body) {
+    return response;
+  }
+  return new Response(enrichedBody, {
+    status: response.status,
+    statusText: response.statusText,
+    headers: new Headers(response.headers)
+  });
+}
 var AccountRuntimeFactory = class {
-  constructor(store, client) {
+  constructor(store, client, identity = loadClaudeIdentity()) {
     this.store = store;
     this.client = client;
+    this.identity = identity;
   }
   store;
   client;
+  identity;
   runtimes = /* @__PURE__ */ new Map();
   initLocks = /* @__PURE__ */ new Map();
+  lastRequestTime = 0;
+  pacingGate = Promise.resolve();
+  pacingTestOverrides = {};
+  setPacingTestOverrides(overrides) {
+    this.pacingTestOverrides = overrides;
+  }
+  resetPacingForTest() {
+    this.lastRequestTime = 0;
+    this.pacingGate = Promise.resolve();
+    this.pacingTestOverrides = {};
+  }
   async getRuntime(uuid) {
     const cached = this.runtimes.get(uuid);
     if (cached) return cached;
@@ -2126,22 +2360,77 @@ var AccountRuntimeFactory = class {
     });
     return { accessToken: refreshed.patch.accessToken, expiresAt: refreshed.patch.expiresAt };
   }
+  buildOutboundHeaders(incomingHeaders, sessionId2, accessToken, modelId, excludedBetas2) {
+    const mergedBetas = deduplicateBetas([
+      ...excludeBetas(splitBetaValues(getBetaHeader()), excludedBetas2),
+      ...getModelBetas(modelId, excludedBetas2),
+      ...excludeBetas(splitBetaValues(incomingHeaders["anthropic-beta"]), excludedBetas2)
+    ]).join(",");
+    const outbound = {
+      ...incomingHeaders,
+      ...getStaticHeaders(),
+      ...getPerRequestHeaders(sessionId2),
+      "authorization": `Bearer ${accessToken}`,
+      "anthropic-beta": filterBillableBetas(mergedBetas)
+    };
+    delete outbound["x-api-key"];
+    return orderHeadersForOutbound(outbound);
+  }
   async executeTransformedFetch(input, init, accessToken) {
     const transformedInput = transformRequestUrl(input);
     const modelId = extractModelIdFromBody(init?.body);
     const excludedBetas2 = getExcludedBetas(modelId);
-    const headers = buildRequestHeaders(transformedInput, init, accessToken, modelId, excludedBetas2);
+    const incomingHeaders = extractIncomingHeaders(transformedInput, init);
+    const sessionId2 = incomingHeaders["x-claude-code-session-id"] ?? getUpstreamSessionId();
+    const headers = this.buildOutboundHeaders(
+      incomingHeaders,
+      sessionId2,
+      accessToken,
+      modelId,
+      excludedBetas2
+    );
     if (typeof init?.body === "string") {
       void recordObservedToolNames(extractToolNamesFromRequestBody(init.body)).catch(() => {
       });
     }
-    const toolMaskMap = typeof init?.body === "string" ? extractRequestToolMaskMap(init.body) : /* @__PURE__ */ new Map();
-    const transformedBody = typeof init?.body === "string" ? transformRequestBody(init.body) : init?.body;
-    let response = await fetch(transformedInput, {
-      ...init,
-      headers,
-      body: transformedBody
-    });
+    const transformedBody = typeof init?.body === "string" ? transformBodyToUpstream(init.body, this.identity, sessionId2) : init?.body;
+    const pacingCfg = resolvePacingConfig();
+    const getNow = this.pacingTestOverrides.now ?? Date.now;
+    const sleepFn = this.pacingTestOverrides.sleep ?? ((ms) => new Promise((resolve) => setTimeout(resolve, ms)));
+    const reservePacingSlot = async () => {
+      let releaseGate;
+      const previousGate = this.pacingGate;
+      this.pacingGate = new Promise((resolve) => {
+        releaseGate = resolve;
+      });
+      await previousGate;
+      try {
+        const delay = computePacingDelay(getNow(), this.lastRequestTime, pacingCfg);
+        if (delay > 0) {
+          await sleepFn(delay);
+        }
+        this.lastRequestTime = getNow();
+      } finally {
+        releaseGate?.();
+      }
+    };
+    const performFetch = async (requestHeaders) => {
+      await reservePacingSlot();
+      try {
+        const response2 = await fetch(transformedInput, {
+          ...init,
+          headers: requestHeaders,
+          body: transformedBody
+        });
+        return await enrichRateLimitResponse(response2);
+      } catch (error) {
+        debugLog(this.client, "Anthropic upstream fetch failed", {
+          error: sanitizeError(error)
+        });
+        throw error;
+      }
+    };
+    let response = await performFetch(headers);
     for (let attempt = 0; attempt < LONG_CONTEXT_BETAS.length; attempt += 1) {
       if (response.status !== 400 && response.status !== 429) {
         break;
@@ -2155,20 +2444,16 @@ var AccountRuntimeFactory = class {
         break;
       }
       addExcludedBeta(modelId, betaToExclude);
-      const retryHeaders = buildRequestHeaders(
-        transformedInput,
-        init,
+      const retryHeaders = this.buildOutboundHeaders(
+        incomingHeaders,
+        sessionId2,
         accessToken,
         modelId,
         getExcludedBetas(modelId)
       );
-      response = await fetch(transformedInput, {
-        ...init,
-        headers: retryHeaders,
-        body: transformedBody
-      });
+      response = await performFetch(retryHeaders);
     }
-    return createResponseStreamTransform(response, toolMaskMap);
+    return createStreamingReverseMapper(response);
   }
   async createRuntime(uuid) {
     const fetchWithAccount = async (input, init) => {
@@ -2194,7 +2479,7 @@ var AccountRuntimeFactory = class {
 
 // src/bootstrap-auth.ts
 import { promises as fs2 } from "fs";
-import { join as join2 } from "path";
+import { join as join3 } from "path";
 import { getConfigDir as getConfigDir2 } from "opencode-multi-account-core";
 var AUTH_JSON_FILENAME = "auth.json";
 function hasCompleteOAuthCredential(account) {
@@ -2215,7 +2500,7 @@ function selectBootstrapAccount(accounts, activeAccountUuid) {
   return firstUsableAccount ?? completeAccounts[0] ?? null;
 }
 async function readCurrentAuth(providerId) {
-  const authPath = join2(getConfigDir2(), AUTH_JSON_FILENAME);
+  const authPath = join3(getConfigDir2(), AUTH_JSON_FILENAME);
   let raw;
   try {
     raw = await fs2.readFile(authPath, "utf-8");
@@ -2270,6 +2555,70 @@ async function syncBootstrapAuth(client, store) {
   return true;
 }
 
+// src/session-heartbeat.ts
+var DEFAULT_HEARTBEAT_INTERVAL_MS = 3e4;
+var CLIENT_PLATFORM = "cli";
+var testOverrides = {};
+function presenceUrl(sessionId2) {
+  return `${loadCCDerivedRequestProfile().baseApiUrl}/v1/code/sessions/${sessionId2}/client/presence`;
+}
+function fetchFn() {
+  return testOverrides.fetch ?? globalThis.fetch;
+}
+function startHeartbeat(options) {
+  testOverrides.onStart?.(options);
+  const {
+    sessionId: sessionId2,
+    deviceId,
+    accessToken,
+    intervalMs = DEFAULT_HEARTBEAT_INTERVAL_MS
+  } = options;
+  let activeController = null;
+  let stopped = false;
+  const sendPresence = async () => {
+    if (stopped) return;
+    const controller = new AbortController();
+    activeController = controller;
+    try {
+      await fetchFn()(presenceUrl(sessionId2), {
+        method: "POST",
+        headers: {
+          Authorization: `Bearer ${accessToken}`,
+          "anthropic-version": getAnthropicVersion(),
+          "anthropic-client-platform": CLIENT_PLATFORM,
+          "Content-Type": "application/json"
+        },
+        body: JSON.stringify({
+          client_id: deviceId,
+          connected_at: (/* @__PURE__ */ new Date()).toISOString()
+        }),
+        signal: controller.signal
+      });
+    } catch {
+    } finally {
+      if (activeController === controller) {
+        activeController = null;
+      }
+    }
+  };
+  const timer = setInterval(sendPresence, intervalMs);
+  if (typeof timer === "object" && "unref" in timer && typeof timer.unref === "function") {
+    timer.unref();
+  }
+  return {
+    stop() {
+      if (stopped) return;
+      stopped = true;
+      clearInterval(timer);
+      activeController?.abort();
+      activeController = null;
+    }
+  };
+}
+function getSessionId() {
+  return getUpstreamSessionId();
+}
+
 // src/index.ts
 var EMPTY_OAUTH_CREDENTIALS = {
   type: "oauth",
@@ -2277,7 +2626,7 @@ var EMPTY_OAUTH_CREDENTIALS = {
   access: "",
   expires: 0
 };
-function extractFirstUserText2(input) {
+function extractFirstUserText(input) {
   try {
     const raw = input;
     const messages = raw.messages ?? raw.request?.messages;
@@ -2295,19 +2644,118 @@ function extractFirstUserText2(input) {
   }
   return "";
 }
-function injectSystemPrompt(output) {
-  const systemPrompt = getInjectedSystemPrompt();
-  if (!Array.isArray(output.system)) {
-    output.system = [systemPrompt];
-    return;
-  }
-  if (!output.system.includes(systemPrompt)) {
-    output.system.unshift(systemPrompt);
+function composeBillingSystemEntry(firstUserMessage, version) {
+  const buildTag = computeBuildTag(firstUserMessage, version);
+  return `x-anthropic-billing-header: cc_version=${version}.${buildTag}; cc_entrypoint=cli; cch=00000;`;
+}
+function prependMissingSystemEntries(output, entries) {
+  output.system ??= [];
+  for (const entry of entries.toReversed()) {
+    if (entry && !output.system.includes(entry)) {
+      output.system.unshift(entry);
+    }
   }
 }
+function applyOrderedHeaders(output, headers) {
+  const orderedHeaders = orderHeadersForOutbound(headers);
+  output.headers = Array.isArray(orderedHeaders) ? Object.fromEntries(orderedHeaders) : orderedHeaders;
+}
 var ClaudeMultiAuthPlugin = async (ctx) => {
   const { client } = ctx;
   await loadConfig();
+  const requestProfile = loadCCDerivedRequestProfile();
+  const template = requestProfile.template;
+  const claudeIdentity = loadClaudeIdentity();
+  const claudeCodeVersion = template.cc_version ?? requestProfile.cliVersion;
+  const upstreamAgentIdentity = template.agent_identity;
+  const upstreamSystemPrompt = template.system_prompt;
+  let heartbeatHandle = null;
+  let heartbeatToken = null;
+  let heartbeatSessionId = null;
+  const stopHeartbeat = () => {
+    heartbeatHandle?.stop();
+    heartbeatHandle = null;
+    heartbeatToken = null;
+    heartbeatSessionId = null;
+  };
+  const ensureHeartbeat = (accessToken) => {
+    if (!accessToken || !claudeIdentity.deviceId) {
+      stopHeartbeat();
+      return;
+    }
+    const sessionId2 = getSessionId();
+    if (heartbeatHandle && heartbeatToken === accessToken && heartbeatSessionId === sessionId2) {
+      return;
+    }
+    stopHeartbeat();
+    heartbeatToken = accessToken;
+    heartbeatSessionId = sessionId2;
+    heartbeatHandle = startHeartbeat({
+      sessionId: sessionId2,
+      deviceId: claudeIdentity.deviceId,
+      accessToken
+    });
+  };
+  const startupDrift = detectDrift(template);
+  if (startupDrift.drifted) {
+    client.app.log({
+      body: {
+        service: ANTHROPIC_OAUTH_ADAPTER.serviceLogName,
+        level: "warn",
+        message: startupDrift.message,
+        extra: {
+          cachedVersion: startupDrift.cachedVersion,
+          installedVersion: startupDrift.installedVersion
+        }
+      }
+    }).catch(() => {
+    });
+  }
+  const compat = checkCCCompat();
+  if (compat.status !== "ok" && compat.status !== "unknown") {
+    client.app.log({
+      body: {
+        service: ANTHROPIC_OAUTH_ADAPTER.serviceLogName,
+        level: "warn",
+        message: compat.message,
+        extra: {
+          installedVersion: compat.installedVersion,
+          range: compat.range
+        }
+      }
+    }).catch(() => {
+    });
+  }
+  void refreshLiveFingerprintAsync({ silent: true }).then((refreshedTemplate) => {
+    const refreshedDrift = detectDrift(refreshedTemplate ?? template);
+    if (!refreshedDrift.drifted) {
+      return;
+    }
+    return client.app.log({
+      body: {
+        service: ANTHROPIC_OAUTH_ADAPTER.serviceLogName,
+        level: "warn",
+        message: refreshedDrift.message,
+        extra: {
+          cachedVersion: refreshedDrift.cachedVersion,
+          installedVersion: refreshedDrift.installedVersion
+        }
+      }
+    }).catch(() => {
+    });
+  }).catch((error) => {
+    client.app.log({
+      body: {
+        service: ANTHROPIC_OAUTH_ADAPTER.serviceLogName,
+        level: "debug",
+        message: "live fingerprint refresh failed",
+        extra: {
+          error: sanitizeError(error)
+        }
+      }
+    }).catch(() => {
+    });
+  });
   const store = new AccountStore();
   await syncBootstrapAuth(client, store).catch(() => {
   });
@@ -2318,7 +2766,7 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
   let cascadeStateManager = null;
   let poolChainConfig = { pools: [], chains: [] };
   async function ensureExecutionInfrastructure() {
-    runtimeFactory ??= new AccountRuntimeFactory(store, client);
+    runtimeFactory ??= new AccountRuntimeFactory(store, client, claudeIdentity);
     poolChainConfig = await loadPoolChainConfig();
     poolManager ??= new PoolManager();
     poolManager.loadPools(poolChainConfig.pools);
@@ -2357,6 +2805,7 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
     manager = await AccountManager.create(store, EMPTY_OAUTH_CREDENTIALS, client);
     await ensureExecutionInfrastructure();
     await startRefreshQueueIfNeeded();
+    ensureHeartbeat(manager.getActiveAccount()?.accessToken);
     return manager.getAccountCount() > 0;
   }
   async function initializeManagerFromAuth(credentials) {
@@ -2370,11 +2819,12 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
   });
   return {
     "experimental.chat.system.transform": (input, output) => {
-      injectSystemPrompt(output);
-      const billingHeader = buildBillingHeader(extractFirstUserText2(input));
-      if (billingHeader && !output.system?.includes(billingHeader)) {
-        output.system?.unshift(billingHeader);
-      }
+      const billingHeader = composeBillingSystemEntry(extractFirstUserText(input), claudeCodeVersion);
+      prependMissingSystemEntries(output, [
+        billingHeader,
+        upstreamAgentIdentity,
+        upstreamSystemPrompt
+      ]);
     },
     tool: {
       [ANTHROPIC_OAUTH_ADAPTER.statusToolName]: tool({
@@ -2412,10 +2862,10 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
               }
             }
             if (account.cachedUsage) {
-              const now = Date.now();
+              const now2 = Date.now();
               const usage2 = account.cachedUsage;
               const exhaustedTiers = [usage2.five_hour, usage2.seven_day].filter(
-                (tier) => tier && tier.utilization >= 100 && tier.resets_at != null && Date.parse(tier.resets_at) > now
+                (tier) => tier && tier.utilization >= 100 && tier.resets_at != null && Date.parse(tier.resets_at) > now2
               );
               if (exhaustedTiers.length > 0) {
                 statusParts.push("USAGE EXHAUSTED");
@@ -2446,6 +2896,7 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
       async loader(getAuth, provider) {
         const auth = await getAuth();
         if (auth.type !== "oauth") {
+          stopHeartbeat();
           return { apiKey: "", fetch };
         }
         for (const model of Object.values(provider.models ?? {})) {
@@ -2456,6 +2907,7 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
         const credentials = auth;
         await migrateFromAuthJson("anthropic", store);
         await initializeManagerFromAuth(credentials);
+        ensureHeartbeat(credentials.access);
         const initializedManager = manager;
         if (!initializedManager) {
           return { apiKey: "", fetch };
@@ -2478,24 +2930,32 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
             );
           }
         }
+        const authProfile = await loadCCDerivedAuthProfile();
         return {
           apiKey: "",
-          baseURL: "https://api.anthropic.com/v1",
+          baseURL: authProfile.apiV1BaseUrl,
           "chat.headers": async (input, output) => {
             if (input.provider?.info?.id !== ANTHROPIC_OAUTH_ADAPTER.authProviderId) return;
-            output.headers["user-agent"] = getUserAgent();
-            output.headers["anthropic-beta"] = ANTHROPIC_BETA_HEADER;
-            output.headers["x-app"] = "cli";
+            const sessionId2 = getUpstreamSessionId();
+            applyOrderedHeaders(output, {
+              ...output.headers,
+              ...getStaticHeaders(),
+              ...getPerRequestHeaders(sessionId2),
+              "anthropic-beta": getBetaHeader()
+            });
           },
           async fetch(input, init) {
             if (!initializedManager || !runtimeFactory) {
+              stopHeartbeat();
               return fetch(input, init);
             }
             if (initializedManager.getAccountCount() === 0) {
+              stopHeartbeat();
               throw new Error(
                 "No Anthropic accounts configured. Run `opencode auth login` to add an account."
               );
             }
+            ensureHeartbeat(initializedManager.getActiveAccount()?.accessToken);
             if (!poolManager || !cascadeStateManager) {
               poolManager = new PoolManager();
               poolManager.loadPools(poolChainConfig.pools);