opencode-anthropic-multi-account 0.2.23 → 0.2.25

package/dist/{chunk-2SN3UVSM.js → chunk-II7N6KHL.js}

@@ -1,8 +1,8 @@
 import {
   scrubTemplate
-} from "./chunk-RAX4SFCO.js";
+} from "./chunk-3CTML5AX.js";
 
-// src/fingerprint-capture.ts
+// src/claude-code/fingerprint/capture.ts
 import { spawn } from "child_process";
 import { createServer } from "http";
 import { basename, dirname as dirname2, join as join2 } from "path";
@@ -17,11 +17,11 @@ import {
   writeFile as writeFile2
 } from "fs/promises";
 
-// src/fingerprint-data.json
-var fingerprint_data_default = {
+// src/claude-code/fingerprint/data.json
+var data_default = {
   _version: 1,
   _schemaVersion: 1,
-  _captured: "2026-04-19T12:56:25.330Z",
+  _captured: "2026-04-24T13:28:12.469Z",
   _source: "bundled",
   agent_identity: "You are a Claude agent, built on Anthropic's Claude Agent SDK.",
   system_prompt: `You are an interactive agent that helps users with software engineering tasks. Use the instructions below and the tools available to you to assist the user.
@@ -93,6 +93,8 @@ In code: default to writing no comments. Never write multi-paragraph docstrings
  - Use the Agent tool with specialized agents when the task at hand matches the agent's description. Subagents are valuable for parallelizing independent queries or for protecting the main context window from excessive results, but they should not be used excessively when not needed. Importantly, avoid duplicating work that subagents are already doing - if you delegate research to a subagent, do not also perform the same searches yourself.
  - For broad codebase exploration or research that'll take more than 3 queries, spawn Agent with subagent_type=Explore. Otherwise use the Glob or Grep directly.
  - When the user types \`/<skill-name>\`, invoke it via Skill. Only use skills listed in the user-invocable skills section \u2014 don't guess.
+ - When work you just finished has a natural future follow-up, end your reply with a one-line offer to \`/schedule\` a background agent to do it \u2014 name the concrete action and cadence ("Want me to /schedule an agent in 2 weeks to open a cleanup PR for the flag?"). One-time signals: a feature flag/gate/experiment/staged rollout (clean it up or ramp it), a soak window or metric to verify (query it and post results), a long-running job with an ETA (check status and report), a temp workaround/instrumentation/.skip left in (open a removal PR), a "remove once X" TODO. Recurring signals: a sweep/triage/report/queue-drain the user just did by hand, or anything "weekly"/"again"/"piling up" \u2014 offer to run it as a routine. The bar is 70%+ odds the user says yes \u2014 skip it for refactors, bug fixes with tests, docs, renames, routine dep bumps, plain feature merges, or when the user signals closure ("nothing else to do", "should be fine now"). Don't stack offers on back-to-back turns; let most tasks just be tasks.
+ - If the user asks about "ultrareview" or how to run it, explain that /ultrareview launches a multi-agent cloud review of the current branch (or /ultrareview <PR#> for a GitHub PR). It is user-triggered and billed; you cannot launch it yourself, so do not attempt to via Bash or otherwise. It needs a git repository (offer to "git init" if not in one); the no-arg form bundles the local branch and does not need a GitHub remote.
 
 # Language
 Always respond in Korean. Use Korean for all explanations, comments, and communications with the user. Technical terms and code identifiers should remain in their original form.
@@ -100,8 +102,6 @@ Maintain full orthographic correctness for Korean, including all required diacri
 
 When working with tool results, write down any important information you might need later in your response, as the original tool result may be cleared later.
 
-Length limits: keep text between tool calls to \u226425 words. Keep final responses to \u2264100 words unless the task requires more detail.
-
 gitStatus: This is the git status at the start of the conversation. Note that this status is a snapshot in time, and will not update during the conversation.
 
 Current branch: main
@@ -779,7 +779,7 @@ Ensure your plan is complete and unambiguous:
     },
     {
       name: "Monitor",
-      description: 'Start a background monitor that streams events from a long-running script. Each stdout line is an event \u2014 you keep working and notifications arrive in the chat. Events arrive on their own schedule and are not replies from the user, even if one lands while you\'re waiting for the user to answer a question.\n\nMonitor is for the **streaming** case: "tell me every time X happens." For one-shot "wait until X is done," use Bash with run_in_background instead \u2014 you\'ll get a completion notification when it exits.\n\nYour script\'s stdout is the event stream. Each line becomes a notification. Exit ends the watch.\n\n  # Each matching log line is an event\n  tail -f /var/log/app.log | grep --line-buffered "ERROR"\n\n  # Each file change is an event\n  inotifywait -m --format \'%e %f\' /watched/dir\n\n  # Poll GitHub for new PR comments and emit one line per new comment\n  last=$(date -u +%Y-%m-%dT%H:%M:%SZ)\n  while true; do\n    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)\n    gh api "repos/owner/repo/issues/123/comments?since=$last" --jq \'.[] | "\\(.user.login): \\(.body)"\'\n    last=$now; sleep 30\n  done\n\n  # Node script that emits events as they arrive (e.g. WebSocket listener)\n  node watch-for-events.js\n\n**Script quality:**\n- Always use `grep --line-buffered` in pipes \u2014 without it, pipe buffering delays events by minutes.\n- In poll loops, handle transient failures (`curl ... || true`) \u2014 one failed request shouldn\'t kill the monitor.\n- Poll intervals: 30s+ for remote APIs (rate limits), 0.5-1s for local checks.\n- Write a specific `description` \u2014 it appears in every notification ("errors in deploy.log" not "watching logs").\n- Only stdout is the event stream. Stderr goes to the output file (readable via Read) but does not trigger notifications \u2014 for a command you run directly (e.g. `python train.py 2>&1 | grep --line-buffered ...`), merge stderr with `2>&1` so its failures reach your filter. (No effect on `tail -f` of an existing log \u2014 that file only contains what its writer redirected.)\n\n**Coverage \u2014 silence is not success.** When watching a job or process for an outcome, your filter must match every terminal state, not just the happy path. A monitor that greps only for the success marker stays silent through a crashloop, a hung process, or an unexpected exit \u2014 and silence looks identical to "still running." Before arming, ask: *if this process crashed right now, would my filter emit anything?* If not, widen it.\n\n  # Wrong \u2014 silent on crash, hang, or any non-success exit\n  tail -f run.log | grep --line-buffered "elapsed_steps="\n\n  # Right \u2014 one alternation covering progress + the failure signatures you\'d act on\n  tail -f run.log | grep -E --line-buffered "elapsed_steps=|Traceback|Error|FAILED|assert|Killed|OOM"\n\nFor poll loops checking job state, emit on every terminal status (`succeeded|failed|cancelled|timeout`), not just success. If you cannot confidently enumerate the failure signatures, broaden the grep alternation rather than narrow it \u2014 some extra noise is better than missing a crashloop.\n\n**Output volume**: Every stdout line is a conversation message, so the filter should be selective \u2014 but selective means "the lines you\'d act on," not "only good news." Never pipe raw logs; use `grep --line-buffered`, `awk`, or a wrapper that emits exactly the success and failure signals you care about. Monitors that produce too many events are automatically stopped; restart with a tighter filter if this happens.\n\nStdout lines within 200ms are batched into a single notification, so multiline output from a single event groups naturally.\n\nThe script runs in the same shell environment as Bash. Exit ends the watch (exit code is reported). Timeout \u2192 killed. Set `persistent: true` for session-length watches (PR monitoring, log tails) \u2014 the monitor runs until you call TaskStop or the session ends. Use TaskStop to cancel early.',
+      description: 'Start a background monitor that streams events from a long-running script. Each stdout line is an event \u2014 you keep working and notifications arrive in the chat. Events arrive on their own schedule and are not replies from the user, even if one lands while you\'re waiting for the user to answer a question.\n\nPick by how many notifications you need:\n- **One** ("tell me when the server is ready / the build finishes") \u2192 use **Bash with `run_in_background`** and a command that exits when the condition is true, e.g. `until grep -q "Ready in" dev.log; do sleep 0.5; done`. You get a single completion notification when it exits.\n- **One per occurrence, indefinitely** ("tell me every time an ERROR line appears") \u2192 Monitor with an unbounded command (`tail -f`, `inotifywait -m`, `while true`).\n- **One per occurrence, until a known end** ("emit each CI step result, stop when the run completes") \u2192 Monitor with a command that emits lines and then exits.\n\nYour script\'s stdout is the event stream. Each line becomes a notification. Exit ends the watch.\n\n  # Each matching log line is an event\n  tail -f /var/log/app.log | grep --line-buffered "ERROR"\n\n  # Each file change is an event\n  inotifywait -m --format \'%e %f\' /watched/dir\n\n  # Poll GitHub for new PR comments and emit one line per new comment\n  last=$(date -u +%Y-%m-%dT%H:%M:%SZ)\n  while true; do\n    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)\n    gh api "repos/owner/repo/issues/123/comments?since=$last" --jq \'.[] | "\\(.user.login): \\(.body)"\'\n    last=$now; sleep 30\n  done\n\n  # Node script that emits events as they arrive (e.g. WebSocket listener)\n  node watch-for-events.js\n\n  # Per-occurrence with a natural end: emit each CI check as it lands, exit when the run completes\n  prev=""\n  while true; do\n    s=$(gh pr checks 123 --json name,bucket)\n    cur=$(jq -r \'.[] | select(.bucket!="pending") | "\\(.name): \\(.bucket)"\' <<<"$s" | sort)\n    comm -13 <(echo "$prev") <(echo "$cur")\n    prev=$cur\n    jq -e \'all(.bucket!="pending")\' <<<"$s" >/dev/null && break\n    sleep 30\n  done\n\n**Don\'t use an unbounded command for a single notification.** `tail -f`, `inotifywait -m`, and `while true` never exit on their own, so the monitor stays armed until timeout even after the event has fired. For "tell me when X is ready," use Bash `run_in_background` with an `until` loop instead (one notification, ends in seconds). Note that `tail -f log | grep -m 1 ...` does *not* fix this: if the log goes quiet after the match, `tail` never receives SIGPIPE and the pipeline hangs anyway.\n\n**Script quality:**\n- Always use `grep --line-buffered` in pipes \u2014 without it, pipe buffering delays events by minutes.\n- In poll loops, handle transient failures (`curl ... || true`) \u2014 one failed request shouldn\'t kill the monitor.\n- Poll intervals: 30s+ for remote APIs (rate limits), 0.5-1s for local checks.\n- Write a specific `description` \u2014 it appears in every notification ("errors in deploy.log" not "watching logs").\n- Only stdout is the event stream. Stderr goes to the output file (readable via Read) but does not trigger notifications \u2014 for a command you run directly (e.g. `python train.py 2>&1 | grep --line-buffered ...`), merge stderr with `2>&1` so its failures reach your filter. (No effect on `tail -f` of an existing log \u2014 that file only contains what its writer redirected.)\n\n**Coverage \u2014 silence is not success.** When watching a job or process for an outcome, your filter must match every terminal state, not just the happy path. A monitor that greps only for the success marker stays silent through a crashloop, a hung process, or an unexpected exit \u2014 and silence looks identical to "still running." Before arming, ask: *if this process crashed right now, would my filter emit anything?* If not, widen it.\n\n  # Wrong \u2014 silent on crash, hang, or any non-success exit\n  tail -f run.log | grep --line-buffered "elapsed_steps="\n\n  # Right \u2014 one alternation covering progress + the failure signatures you\'d act on\n  tail -f run.log | grep -E --line-buffered "elapsed_steps=|Traceback|Error|FAILED|assert|Killed|OOM"\n\nFor poll loops checking job state, emit on every terminal status (`succeeded|failed|cancelled|timeout`), not just success. If you cannot confidently enumerate the failure signatures, broaden the grep alternation rather than narrow it \u2014 some extra noise is better than missing a crashloop.\n\n**Output volume**: Every stdout line is a conversation message, so the filter should be selective \u2014 but selective means "the lines you\'d act on," not "only good news." Never pipe raw logs; use `grep --line-buffered`, `awk`, or a wrapper that emits exactly the success and failure signals you care about. Monitors that produce too many events are automatically stopped; restart with a tighter filter if this happens.\n\nStdout lines within 200ms are batched into a single notification, so multiline output from a single event groups naturally.\n\nThe script runs in the same shell environment as Bash. Exit ends the watch (exit code is reported). Timeout \u2192 killed. Set `persistent: true` for session-length watches (PR monitoring, log tails) \u2014 the monitor runs until you call TaskStop or the session ends. Use TaskStop to cancel early.',
       input_schema: {
         $schema: "https://json-schema.org/draft/2020-12/schema",
         type: "object",
@@ -889,7 +889,7 @@ If the result says the push wasn't sent, that's expected \u2014 no action needed
     },
     {
       name: "Read",
-      description: 'Reads a file from the local filesystem. You can access any file directly by using this tool.\nAssume this tool is able to read all files on the machine. If the User provides a path to a file assume that path is valid. It is okay to read a file that does not exist; an error will be returned.\n\nUsage:\n- The file_path parameter must be an absolute path, not a relative path\n- By default, it reads up to 2000 lines starting from the beginning of the file\n- When you already know which part of the file you need, only read that part. This can be important for larger files.\n- Results are returned using cat -n format, with line numbers starting at 1\n- This tool allows Claude Code to read images (eg PNG, JPG, etc). When reading an image file the contents are presented visually as Claude Code is a multimodal LLM.\n- This tool can read PDF files (.pdf). For large PDFs (more than 10 pages), you MUST provide the pages parameter to read specific page ranges (e.g., pages: "1-5"). Reading a large PDF without the pages parameter will fail. Maximum 20 pages per request.\n- This tool can read Jupyter notebooks (.ipynb files) and returns all cells with their outputs, combining code, text, and visualizations.\n- This tool can only read files, not directories. To read a directory, use an ls command via the Bash tool.\n- You will regularly be asked to read screenshots. If the user provides a path to a screenshot, ALWAYS use this tool to view the file at the path. This tool will work with all temporary file paths.\n- If you read a file that exists but has empty contents you will receive a system reminder warning in place of file contents.\n- Do NOT re-read a file you just edited to verify \u2014 Edit/Write would have errored if the change failed, and the harness tracks file state for you.',
+      description: 'Reads a file from the local filesystem. You can access any file directly by using this tool.\nAssume this tool is able to read all files on the machine. If the User provides a path to a file assume that path is valid. It is okay to read a file that does not exist; an error will be returned.\n\nUsage:\n- The file_path parameter must be an absolute path, not a relative path\n- By default, it reads up to 2000 lines starting from the beginning of the file\n- When you already know which part of the file you need, only read that part. This can be important for larger files.\n- Results are returned using cat -n format, with line numbers starting at 1\n- This tool allows Claude Code to read images (eg PNG, JPG, etc). When reading an image file the contents are presented visually as Claude Code is a multimodal LLM.\n- This tool can read PDF files (.pdf). For large PDFs (more than 10 pages), you MUST provide the pages parameter to read specific page ranges (e.g., pages: "1-5"). Reading a large PDF without the pages parameter will fail. Maximum 20 pages per request.\n- This tool can read Jupyter notebooks (.ipynb files) and returns all cells with their outputs, combining code, text, and visualizations.\n- This tool can only read files, not directories. To list files in a directory, use the registered shell tool.\n- You will regularly be asked to read screenshots. If the user provides a path to a screenshot, ALWAYS use this tool to view the file at the path. This tool will work with all temporary file paths.\n- If you read a file that exists but has empty contents you will receive a system reminder warning in place of file contents.',
       input_schema: {
         $schema: "https://json-schema.org/draft/2020-12/schema",
         type: "object",
@@ -1417,8 +1417,8 @@ IMPORTANT - Use the correct year in search queries:
     "WebSearch",
     "Write"
   ],
-  anthropic_beta: "claude-code-20250219,oauth-2025-04-20,context-1m-2025-08-07,interleaved-thinking-2025-05-14,context-management-2025-06-27,prompt-caching-scope-2026-01-05,advisor-tool-2026-03-01,effort-2025-11-24",
-  cc_version: "2.1.114",
+  anthropic_beta: "claude-code-20250219,interleaved-thinking-2025-05-14,context-management-2025-06-27,prompt-caching-scope-2026-01-05,advisor-tool-2026-03-01,effort-2025-11-24,afk-mode-2026-01-31",
+  cc_version: "2.1.119",
   header_order: [
     "Accept",
     "Authorization",
@@ -1444,11 +1444,11 @@ IMPORTANT - Use the correct year in search queries:
   ],
   header_values: {
     accept: "application/json",
-    "anthropic-beta": "claude-code-20250219,oauth-2025-04-20,context-1m-2025-08-07,interleaved-thinking-2025-05-14,context-management-2025-06-27,prompt-caching-scope-2026-01-05,advisor-tool-2026-03-01,effort-2025-11-24",
+    "anthropic-beta": "claude-code-20250219,interleaved-thinking-2025-05-14,context-management-2025-06-27,prompt-caching-scope-2026-01-05,advisor-tool-2026-03-01,effort-2025-11-24,afk-mode-2026-01-31",
     "anthropic-dangerous-direct-browser-access": "true",
     "anthropic-version": "2023-06-01",
     "content-type": "application/json",
-    "user-agent": "claude-cli/2.1.114 (external, sdk-cli)",
+    "user-agent": "claude-cli/2.1.119 (external, sdk-cli)",
     "x-app": "cli",
     "x-stainless-timeout": "600"
   },
@@ -1466,15 +1466,22 @@ IMPORTANT - Use the correct year in search queries:
   ]
 };
 
-// src/cli-version.ts
-import { execFileSync } from "child_process";
-var DEFAULT_CLI_VERSION = "2.1.100";
+// src/claude-code/cli-version.ts
+import { execFileSync as defaultExecFileSync } from "child_process";
+var DEFAULT_CLI_VERSION = data_default.cc_version;
 var CLI_VERSION_PATTERN = /(\d+\.\d+\.\d+)/;
 var CLAUDE_VERSION_TIMEOUT_MS = 3e3;
 var detectedVersion = null;
+var cliVersionProbe = defaultExecFileSync;
 function parseCliVersion(output) {
   return output.match(CLI_VERSION_PATTERN)?.[1] ?? null;
 }
+function probeCliVersion() {
+  return cliVersionProbe("claude", ["--version"], {
+    encoding: "utf8",
+    timeout: CLAUDE_VERSION_TIMEOUT_MS
+  });
+}
 function detectCliVersion() {
   if (detectedVersion !== null) {
     return detectedVersion;
@@ -1485,10 +1492,7 @@ function detectCliVersion() {
     return detectedVersion;
   }
   try {
-    const output = execFileSync("claude", ["--version"], {
-      encoding: "utf8",
-      timeout: CLAUDE_VERSION_TIMEOUT_MS
-    });
+    const output = probeCliVersion();
     detectedVersion = parseCliVersion(output) ?? DEFAULT_CLI_VERSION;
   } catch {
     detectedVersion = DEFAULT_CLI_VERSION;
@@ -1496,8 +1500,9 @@ function detectCliVersion() {
   return detectedVersion;
 }
 
-// src/oauth-config-detect.ts
+// src/claude-code/oauth-config/detect.ts
 import { createHash } from "crypto";
+import { execFileSync as defaultExecFileSync2 } from "child_process";
 import { existsSync } from "fs";
 import { mkdir, readFile, writeFile } from "fs/promises";
 import { homedir, platform } from "os";
@@ -1513,14 +1518,14 @@ var cc_derived_defaults_default = {
   },
   oauth: {
     clientId: "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
-    authorizeUrl: "https://claude.com/cai/oauth/authorize",
+    authorizeUrl: "https://claude.ai/oauth/authorize",
     tokenUrl: "https://platform.claude.com/v1/oauth/token",
-    scopes: "user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload",
+    scopes: "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload",
     baseApiUrl: "https://api.anthropic.com"
   }
 };
 
-// src/utils.ts
+// src/shared/utils.ts
 import {
   createMinimalClient,
   formatWaitTime,
@@ -1530,7 +1535,7 @@ import {
   sleep
 } from "opencode-multi-account-core";
 
-// src/constants.ts
+// src/shared/constants.ts
 import { anthropicOAuthAdapter } from "opencode-multi-account-core";
 var ANTHROPIC_OAUTH_ADAPTER = anthropicOAuthAdapter;
 var ANTHROPIC_CLIENT_ID = ANTHROPIC_OAUTH_ADAPTER.oauthClientId;
@@ -1543,14 +1548,14 @@ var PLAN_LABELS = ANTHROPIC_OAUTH_ADAPTER.planLabels;
 var TOKEN_EXPIRY_BUFFER_MS = 6e4;
 var TOKEN_REFRESH_TIMEOUT_MS = 3e4;
 
-// src/config.ts
+// src/shared/config.ts
 import {
   createConfigLoader
 } from "opencode-multi-account-core";
 var configLoader = createConfigLoader("claude-multiauth.json");
 var { getConfig, loadConfig, resetConfigCache, updateConfigField } = configLoader;
 
-// src/utils.ts
+// src/shared/utils.ts
 async function showToast(client, message, variant) {
   if (getConfig().quiet_mode) return;
   try {
@@ -1566,28 +1571,57 @@ function debugLog(client, message, extra) {
   });
 }
 
-// src/oauth-config-detect.ts
+// src/claude-code/oauth-config/detect.ts
 var CONFIG_SCAN_WINDOW_CHARS = 4096;
 var CONFIG_SCAN_LOOKBACK_CHARS = 512;
-var REJECTED_SCOPE = ["org", "create_api_key"].join(":");
-var SAFE_FALLBACK_SCOPES = "user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
+var KNOWN_PROD_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+var POLLUTED_CACHED_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
+var SAFE_FALLBACK_SCOPES = "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
 var UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
 var CACHE_FILE_NAME = "anthropic-oauth-config-cache.json";
 var DEFAULT_OVERRIDE_FILE_NAME = "oauth-config.override.json";
 var derivedDefaults = cc_derived_defaults_default;
-var FALLBACK = {
-  clientId: derivedDefaults.oauth?.clientId || "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
-  authorizeUrl: derivedDefaults.oauth?.authorizeUrl || "https://claude.com/cai/oauth/authorize",
+var fallbackPayload = normalizeDetectedOAuthConfigPayload({
+  clientId: derivedDefaults.oauth?.clientId || KNOWN_PROD_CLIENT_ID,
+  authorizeUrl: derivedDefaults.oauth?.authorizeUrl || "https://claude.ai/oauth/authorize",
   tokenUrl: derivedDefaults.oauth?.tokenUrl || "https://platform.claude.com/v1/oauth/token",
-  scopes: sanitizeScopes(derivedDefaults.oauth?.scopes),
-  baseApiUrl: derivedDefaults.oauth?.baseApiUrl || "https://api.anthropic.com",
+  scopes: derivedDefaults.oauth?.scopes || SAFE_FALLBACK_SCOPES,
+  baseApiUrl: derivedDefaults.oauth?.baseApiUrl || "https://api.anthropic.com"
+});
+var FALLBACK = {
+  ...fallbackPayload,
   source: "fallback"
 };
-function sanitizeScopes(scopes) {
-  if (!scopes || scopes.includes(REJECTED_SCOPE)) {
-    return SAFE_FALLBACK_SCOPES;
+function hasPollutedCachedScope(scopes) {
+  const parsedScopes = scopes.split(/\s+/).filter(Boolean);
+  return parsedScopes.includes(POLLUTED_CACHED_SCOPE) || !parsedScopes.includes("org:create_api_key");
+}
+function filterScopesByBinaryPresence(buf, expected) {
+  const verified = [];
+  for (const scope of expected) {
+    const needle = Buffer.from(`"${scope}"`);
+    if (buf.includes(needle)) {
+      verified.push(scope);
+    }
+  }
+  return verified;
+}
+function getVerifiedCanonicalScopes(buf, fallbackScopes) {
+  const expectedScopes = fallbackScopes.split(/\s+/).filter(Boolean);
+  const verifiedScopes = filterScopesByBinaryPresence(buf, expectedScopes);
+  return verifiedScopes.length === expectedScopes.length ? verifiedScopes.join(" ") : null;
+}
+function normalizeAuthorizeUrl(url) {
+  if (url === "https://claude.com/cai/oauth/authorize") {
+    return "https://claude.ai/oauth/authorize";
   }
-  return scopes;
+  return url;
+}
+function normalizeDetectedOAuthConfigPayload(payload) {
+  return {
+    ...payload,
+    authorizeUrl: normalizeAuthorizeUrl(payload.authorizeUrl)
+  };
 }
 function pickNearestScopes(block, centerIndex) {
   return pickNearestValue(block, centerIndex, /SCOPES\s*:\s*"([^"]+)"/gi) || pickNearestValue(block, centerIndex, /scope[s]?\s*:\s*"([^"]+)"/gi) || null;
@@ -1611,10 +1645,12 @@ function extractCandidateBlocks(binaryText) {
     const currentIndex = currentMatch.index ?? 0;
     const previousClientIdIndex = clientIdMatches[index - 1]?.index;
     const nextClientIdIndex = clientIdMatches[index + 1]?.index;
-    const leftBoundary = previousClientIdIndex === void 0 ? Math.max(0, currentIndex - CONFIG_SCAN_LOOKBACK_CHARS) : Math.floor((previousClientIdIndex + currentIndex) / 2);
-    const rightBoundary = nextClientIdIndex === void 0 ? Math.min(binaryText.length, currentIndex + CONFIG_SCAN_WINDOW_CHARS) : Math.floor((currentIndex + nextClientIdIndex) / 2);
-    const start = Math.max(0, leftBoundary);
-    const end = Math.min(binaryText.length, Math.max(currentIndex + 1, rightBoundary));
+    const { start, end } = getCandidateBlockRange(
+      currentIndex,
+      previousClientIdIndex,
+      nextClientIdIndex,
+      binaryText.length
+    );
     const key = `${start}:${end}`;
     if (seenRanges.has(key)) {
       continue;
@@ -1627,6 +1663,19 @@ function extractCandidateBlocks(binaryText) {
   }
   return blocks;
 }
+function midpoint(left, right) {
+  return Math.floor((left + right) / 2);
+}
+function getCandidateBlockRange(currentIndex, previousClientIdIndex, nextClientIdIndex, textLength) {
+  const boundedLeftEdge = currentIndex - CONFIG_SCAN_LOOKBACK_CHARS;
+  const boundedRightEdge = currentIndex + CONFIG_SCAN_WINDOW_CHARS;
+  const leftBoundary = previousClientIdIndex === void 0 ? boundedLeftEdge : Math.max(boundedLeftEdge, midpoint(previousClientIdIndex, currentIndex));
+  const rightBoundary = nextClientIdIndex === void 0 ? boundedRightEdge : Math.min(boundedRightEdge, midpoint(currentIndex, nextClientIdIndex));
+  return {
+    start: Math.max(0, leftBoundary),
+    end: Math.min(textLength, Math.max(currentIndex + 1, rightBoundary))
+  };
+}
 function pickNearestValue(block, centerIndex, pattern) {
   let nearestValue;
   let nearestDistance = Number.POSITIVE_INFINITY;
@@ -1665,7 +1714,7 @@ function extractCandidateFromBlock(block) {
     clientId: clientIdMatch[1],
     authorizeUrl: authorizeUrl || FALLBACK.authorizeUrl,
     tokenUrl: tokenUrl || FALLBACK.tokenUrl,
-    scopes: sanitizeScopes(extractedScopes),
+    scopes: extractedScopes || FALLBACK.scopes,
     baseApiUrl: baseApiUrl || FALLBACK.baseApiUrl
   };
   if (!isDetectedOAuthConfigPayload(payload)) {
@@ -1678,9 +1727,15 @@ function extractCandidateFromBlock(block) {
 }
 var memoizedConfig = null;
 var detectorTestOverrides = {};
+function getPlatform() {
+  return detectorTestOverrides.platform?.() ?? platform();
+}
+function fileExists(path) {
+  return (detectorTestOverrides.existsSync ?? existsSync)(path);
+}
 function candidatePaths() {
   const home = homedir();
-  if (platform() === "win32") {
+  if (getPlatform() === "win32") {
     return [
       join(home, ".local", "bin", "claude.exe"),
       join(home, "AppData", "Roaming", "npm", "node_modules", "@anthropic-ai", "claude-code", "cli.js"),
@@ -1700,6 +1755,49 @@ function candidatePaths() {
     join(home, ".claude", "local", "node_modules", "@anthropic-ai", "claude-code", "cli.mjs")
   ];
 }
+function enumerateCCCandidates() {
+  const seen = /* @__PURE__ */ new Set();
+  const candidates = [];
+  const currentPlatform = getPlatform();
+  const pathDelimiter = currentPlatform === "win32" ? ";" : ":";
+  const pathDirs = (detectorTestOverrides.pathEnv ?? process.env.PATH ?? "").split(pathDelimiter).filter(Boolean);
+  const pathCandidateNames = currentPlatform === "win32" ? ["claude.exe", "claude.cmd", "claude"] : ["claude"];
+  const addCandidate = (candidatePath) => {
+    const key = currentPlatform === "win32" ? candidatePath.toLowerCase() : candidatePath;
+    if (seen.has(key) || !fileExists(candidatePath)) {
+      return;
+    }
+    seen.add(key);
+    candidates.push(candidatePath);
+  };
+  for (const dir of pathDirs) {
+    for (const fileName of pathCandidateNames) {
+      addCandidate(join(dir, fileName));
+    }
+  }
+  for (const candidatePath of candidatePaths()) {
+    addCandidate(candidatePath);
+  }
+  return candidates;
+}
+function probeOneVersion(binPath) {
+  const currentPlatform = getPlatform();
+  if (currentPlatform === "win32" && /\.(cmd|bat)$/i.test(binPath) && /[&|><^"'%\r\n`$;(){}\[\]]/.test(binPath)) {
+    return null;
+  }
+  try {
+    const output = (detectorTestOverrides.execFileSync ?? defaultExecFileSync2)(binPath, ["--version"], {
+      timeout: 2e3,
+      encoding: "utf-8",
+      windowsHide: true,
+      stdio: ["ignore", "pipe", "ignore"],
+      shell: currentPlatform === "win32" && /\.(cmd|bat)$/i.test(binPath)
+    });
+    return output.match(/(\d+\.\d+\.\d+(?:[.\-][\w.\-]+)?)/)?.[1] ?? null;
+  } catch {
+    return null;
+  }
+}
 function getCachePath() {
   return join(getConfigDir(), CACHE_FILE_NAME);
 }
@@ -1721,13 +1819,17 @@ function isDetectedOAuthConfigPayload(value) {
   const candidate = value;
   return typeof candidate.clientId === "string" && UUID_PATTERN.test(candidate.clientId) && typeof candidate.authorizeUrl === "string" && isValidUrl(candidate.authorizeUrl) && typeof candidate.tokenUrl === "string" && isValidUrl(candidate.tokenUrl) && typeof candidate.scopes === "string" && candidate.scopes.length > 0;
 }
-function toFallbackConfig(ccPath, ccHash) {
+function buildResolvedConfig(payload, source, ccPath, ccHash) {
   return {
-    ...FALLBACK,
+    ...payload,
+    source,
     ...ccPath ? { ccPath } : {},
     ...ccHash ? { ccHash } : {}
   };
 }
+function toFallbackConfig(ccPath, ccHash) {
+  return buildResolvedConfig(FALLBACK, "fallback", ccPath, ccHash);
+}
 function isOverrideDisabled() {
   return process.env.ANTHROPIC_MULTI_ACCOUNT_OAUTH_DISABLE_OVERRIDE === "1";
 }
@@ -1741,30 +1843,44 @@ function readOverrideString(value) {
 function getOverridePath() {
   return readOverrideString(process.env.ANTHROPIC_MULTI_ACCOUNT_OAUTH_OVERRIDE_PATH) ?? getDefaultOverridePath();
 }
-function normalizeOverride(value) {
+function readOverrideRecord(value) {
   if (typeof value !== "object" || value === null) {
+    return null;
+  }
+  return value;
+}
+function readOverrideField(candidate, key) {
+  const value = candidate[key];
+  return typeof value === "string" ? readOverrideString(value) : void 0;
+}
+function readOverrideUrl(candidate, key) {
+  const value = readOverrideField(candidate, key);
+  return value && isValidUrl(value) ? value : void 0;
+}
+function normalizeOverride(value) {
+  const candidate = readOverrideRecord(value);
+  if (!candidate) {
     return {};
   }
-  const candidate = value;
   const normalized = {};
-  const clientId = readOverrideString(typeof candidate.clientId === "string" ? candidate.clientId : void 0);
+  const clientId = readOverrideField(candidate, "clientId");
   if (clientId && UUID_PATTERN.test(clientId)) {
     normalized.clientId = clientId;
   }
-  const authorizeUrl = readOverrideString(typeof candidate.authorizeUrl === "string" ? candidate.authorizeUrl : void 0);
-  if (authorizeUrl && isValidUrl(authorizeUrl)) {
-    normalized.authorizeUrl = authorizeUrl;
+  const authorizeUrl = readOverrideUrl(candidate, "authorizeUrl");
+  if (authorizeUrl) {
+    normalized.authorizeUrl = normalizeAuthorizeUrl(authorizeUrl);
   }
-  const tokenUrl = readOverrideString(typeof candidate.tokenUrl === "string" ? candidate.tokenUrl : void 0);
-  if (tokenUrl && isValidUrl(tokenUrl)) {
+  const tokenUrl = readOverrideUrl(candidate, "tokenUrl");
+  if (tokenUrl) {
     normalized.tokenUrl = tokenUrl;
   }
-  const scopes = readOverrideString(typeof candidate.scopes === "string" ? candidate.scopes : void 0);
+  const scopes = readOverrideField(candidate, "scopes");
   if (scopes) {
-    normalized.scopes = sanitizeScopes(scopes);
+    normalized.scopes = scopes;
   }
-  const baseApiUrl = readOverrideString(typeof candidate.baseApiUrl === "string" ? candidate.baseApiUrl : void 0);
-  if (baseApiUrl && isValidUrl(baseApiUrl)) {
+  const baseApiUrl = readOverrideUrl(candidate, "baseApiUrl");
+  if (baseApiUrl) {
     normalized.baseApiUrl = baseApiUrl;
   }
   return normalized;
@@ -1801,16 +1917,22 @@ async function applyManualOverride(baseConfig) {
   };
 }
 function findCCBinary() {
-  const override = process.env.DARIO_CC_PATH;
-  if (override && existsSync(override)) {
+  const override = process.env.ANTHROPIC_CC_PATH;
+  if (override && fileExists(override)) {
     return override;
   }
-  for (const candidatePath of candidatePaths()) {
-    if (existsSync(candidatePath)) {
-      return candidatePath;
-    }
+  const candidates = enumerateCCCandidates();
+  if (candidates.length === 0) {
+    return null;
   }
-  return null;
+  if (candidates.length === 1) {
+    return candidates[0] ?? null;
+  }
+  const probedCandidates = candidates.map((candidatePath) => {
+    const version = probeOneVersion(candidatePath);
+    return version ? { path: candidatePath, version } : null;
+  }).filter((candidate) => candidate !== null).sort((left, right) => compareVersions(right.version, left.version) ?? 0);
+  return probedCandidates[0]?.path ?? candidates[0] ?? null;
 }
 async function fingerprintBinary(path) {
   const binaryContents = await readFile(path);
@@ -1819,19 +1941,24 @@ async function fingerprintBinary(path) {
 function scanBinaryForOAuthConfig(buf) {
   const binaryText = buf.toString("latin1");
   const candidates = extractCandidateBlocks(binaryText).map(extractCandidateFromBlock).filter((candidate) => candidate !== null).sort((left, right) => right.score - left.score);
-  return candidates[0]?.payload ?? null;
+  const preferredCandidate = candidates.find((candidate) => candidate.payload.clientId === KNOWN_PROD_CLIENT_ID);
+  return preferredCandidate?.payload ?? candidates[0]?.payload ?? null;
+}
+async function readRawCacheEntries() {
+  const raw = await readFile(getCachePath(), "utf-8");
+  const parsed = JSON.parse(raw);
+  if (typeof parsed !== "object" || parsed === null || typeof parsed.entries !== "object" || parsed.entries === null) {
+    return {};
+  }
+  return parsed.entries;
 }
 async function loadCache() {
   try {
-    const raw = await readFile(getCachePath(), "utf-8");
-    const parsed = JSON.parse(raw);
-    if (typeof parsed !== "object" || parsed === null || typeof parsed.entries !== "object" || parsed.entries === null) {
-      return {};
-    }
+    const rawEntries = await readRawCacheEntries();
     const validEntries = {};
-    for (const [hash, value] of Object.entries(parsed.entries)) {
-      if (isDetectedOAuthConfigPayload(value)) {
-        validEntries[hash] = value;
+    for (const [hash, value] of Object.entries(rawEntries)) {
+      if (isDetectedOAuthConfigPayload(value) && !hasPollutedCachedScope(value.scopes)) {
+        validEntries[hash] = normalizeDetectedOAuthConfigPayload(value);
       }
     }
     return validEntries;
@@ -1842,7 +1969,11 @@ async function loadCache() {
 async function saveCache(hash, config) {
   try {
     const cachePath = getCachePath();
-    const currentEntries = await loadCache();
+    const currentEntries = {};
+    try {
+      Object.assign(currentEntries, await readRawCacheEntries());
+    } catch {
+    }
     currentEntries[hash] = config;
     await mkdir(dirname(cachePath), { recursive: true });
     await writeFile(
@@ -1867,27 +1998,23 @@ async function detectOAuthConfig() {
     const cachedEntries = await loadCache();
     const cachedConfig = cachedEntries[ccHash];
     if (cachedConfig) {
-      memoizedConfig = await applyManualOverride({
-        ...cachedConfig,
-        source: "cached",
-        ccPath,
-        ccHash
-      });
+      memoizedConfig = await applyManualOverride(buildResolvedConfig(cachedConfig, "cached", ccPath, ccHash));
       return memoizedConfig;
     }
     const readBinaryFile = detectorTestOverrides.readBinaryFile || readFile;
-    const scannedConfig = scanBinaryForOAuthConfig(await readBinaryFile(ccPath));
+    const binaryBuffer = await readBinaryFile(ccPath);
+    const scannedConfig = scanBinaryForOAuthConfig(binaryBuffer);
     if (!scannedConfig) {
       memoizedConfig = await applyManualOverride(toFallbackConfig(ccPath, ccHash));
       return memoizedConfig;
     }
-    await saveCache(ccHash, scannedConfig);
-    memoizedConfig = await applyManualOverride({
-      ...scannedConfig,
-      source: "detected",
-      ccPath,
-      ccHash
-    });
+    const verifiedCanonicalScopes = getVerifiedCanonicalScopes(binaryBuffer, FALLBACK.scopes);
+    if (verifiedCanonicalScopes) {
+      scannedConfig.scopes = verifiedCanonicalScopes;
+    }
+    const runtimeDetectedConfig = normalizeDetectedOAuthConfigPayload(scannedConfig);
+    await saveCache(ccHash, runtimeDetectedConfig);
+    memoizedConfig = await applyManualOverride(buildResolvedConfig(runtimeDetectedConfig, "detected", ccPath, ccHash));
     return memoizedConfig;
   } catch {
     memoizedConfig = await applyManualOverride(FALLBACK);
@@ -1895,7 +2022,7 @@ async function detectOAuthConfig() {
   }
 }
 
-// src/fingerprint-capture.ts
+// src/claude-code/fingerprint/capture.ts
 var CURRENT_SCHEMA_VERSION = 1;
 var LIVE_TTL_MS = 24 * 60 * 60 * 1e3;
 var DEFAULT_CAPTURE_TIMEOUT_MS = 1e4;
@@ -1914,15 +2041,15 @@ var STATIC_HEADER_NAMES = [
 ];
 var SUPPORTED_CC_RANGE = {
   min: "1.0.0",
-  maxTested: "2.1.114"
+  maxTested: "2.1.119"
 };
-var bundledTemplate = fingerprint_data_default;
+var bundledTemplate = data_default;
 var fingerprintCaptureTestOverrides = {};
 function now() {
   return fingerprintCaptureTestOverrides.now?.() ?? Date.now();
 }
 function getCachePath2() {
-  return join2(getConfigDir(), CACHE_FILE_NAME2);
+  return join2(fingerprintCaptureTestOverrides.getConfigDir?.() ?? getConfigDir(), CACHE_FILE_NAME2);
 }
 function isRecord(value) {
   return typeof value === "object" && value !== null;
@@ -2298,23 +2425,26 @@ function parseVersion(version) {
   if (!match) {
     return null;
   }
-  return [Number(match[1]), Number(match[2]), Number(match[3])];
+  const [, major, minor, patch] = match;
+  return [Number(major), Number(minor), Number(patch)];
 }
 function compareVersions(left, right) {
-  const leftVersion = parseVersion(left);
-  const rightVersion = parseVersion(right);
-  if (!leftVersion || !rightVersion) {
+  const leftParts = parseVersion(left);
+  const rightParts = parseVersion(right);
+  if (!leftParts || !rightParts) {
     return null;
   }
-  for (let index = 0; index < leftVersion.length; index += 1) {
-    const leftPart = leftVersion[index] ?? 0;
-    const rightPart = rightVersion[index] ?? 0;
-    const diff = leftPart - rightPart;
-    if (diff !== 0) {
-      return diff;
-    }
+  const [leftMajor, leftMinor, leftPatch] = leftParts;
+  const [rightMajor, rightMinor, rightPatch] = rightParts;
+  const majorDiff = leftMajor - rightMajor;
+  if (majorDiff !== 0) {
+    return majorDiff;
   }
-  return 0;
+  const minorDiff = leftMinor - rightMinor;
+  if (minorDiff !== 0) {
+    return minorDiff;
+  }
+  return leftPatch - rightPatch;
 }
 function detectDrift(template, installedOverride) {
   const cachedVersion = template.cc_version ?? null;
@@ -2401,9 +2531,9 @@ function resetFingerprintCaptureForTest() {
 }
 
 export {
-  fingerprint_data_default,
-  detectCliVersion,
-  cc_derived_defaults_default,
+  getConfig,
+  loadConfig,
+  updateConfigField,
   ANTHROPIC_OAUTH_ADAPTER,
   ANTHROPIC_USAGE_ENDPOINT,
   ANTHROPIC_PROFILE_ENDPOINT,
@@ -2412,9 +2542,9 @@ export {
   PLAN_LABELS,
   TOKEN_EXPIRY_BUFFER_MS,
   TOKEN_REFRESH_TIMEOUT_MS,
-  getConfig,
-  loadConfig,
-  updateConfigField,
+  cc_derived_defaults_default,
+  data_default,
+  detectCliVersion,
   showToast,
   debugLog,
   createMinimalClient,
@@ -2431,9 +2561,10 @@ export {
   extractTemplate,
   captureLiveTemplateAsync,
   refreshLiveFingerprintAsync,
+  compareVersions,
   detectDrift,
   checkCCCompat,
   setFingerprintCaptureTestOverridesForTest,
   resetFingerprintCaptureForTest
 };
-//# sourceMappingURL=chunk-2SN3UVSM.js.map
+//# sourceMappingURL=chunk-II7N6KHL.js.map