opencode-anthropic-multi-account 0.2.24 → 0.2.26

package/dist/{chunk-2SN3UVSM.js → chunk-5PQ3VP24.js}

@@ -1,8 +1,8 @@
 import {
   scrubTemplate
-} from "./chunk-RAX4SFCO.js";
+} from "./chunk-3CTML5AX.js";
 
-// src/fingerprint-capture.ts
+// src/claude-code/fingerprint/capture.ts
 import { spawn } from "child_process";
 import { createServer } from "http";
 import { basename, dirname as dirname2, join as join2 } from "path";
@@ -17,11 +17,11 @@ import {
   writeFile as writeFile2
 } from "fs/promises";
 
-// src/fingerprint-data.json
-var fingerprint_data_default = {
+// src/claude-code/fingerprint/data.json
+var data_default = {
   _version: 1,
   _schemaVersion: 1,
-  _captured: "2026-04-19T12:56:25.330Z",
+  _captured: "2026-04-28T13:59:47.421Z",
   _source: "bundled",
   agent_identity: "You are a Claude agent, built on Anthropic's Claude Agent SDK.",
   system_prompt: `You are an interactive agent that helps users with software engineering tasks. Use the instructions below and the tools available to you to assist the user.
@@ -93,15 +93,16 @@ In code: default to writing no comments. Never write multi-paragraph docstrings
  - Use the Agent tool with specialized agents when the task at hand matches the agent's description. Subagents are valuable for parallelizing independent queries or for protecting the main context window from excessive results, but they should not be used excessively when not needed. Importantly, avoid duplicating work that subagents are already doing - if you delegate research to a subagent, do not also perform the same searches yourself.
  - For broad codebase exploration or research that'll take more than 3 queries, spawn Agent with subagent_type=Explore. Otherwise use the Glob or Grep directly.
  - When the user types \`/<skill-name>\`, invoke it via Skill. Only use skills listed in the user-invocable skills section \u2014 don't guess.
+ - When work you just finished has a natural future follow-up, end your reply with a one-line offer to \`/schedule\` a background agent to do it \u2014 name the concrete action and cadence ("Want me to /schedule an agent in 2 weeks to open a cleanup PR for the flag?"). One-time signals: a feature flag/gate/experiment/staged rollout (clean it up or ramp it), a soak window or metric to verify (query it and post results), a long-running job with an ETA (check status and report), a temp workaround/instrumentation/.skip left in (open a removal PR), a "remove once X" TODO. Recurring signals: a sweep/triage/report/queue-drain the user just did by hand, or anything "weekly"/"again"/"piling up" \u2014 offer to run it as a routine. The bar is 70%+ odds the user says yes \u2014 skip it for refactors, bug fixes with tests, docs, renames, routine dep bumps, plain feature merges, or when the user signals closure ("nothing else to do", "should be fine now"). Don't stack offers on back-to-back turns; let most tasks just be tasks.
+ - If the user asks about "ultrareview" or how to run it, explain that /ultrareview launches a multi-agent cloud review of the current branch (or /ultrareview <PR#> for a GitHub PR). It is user-triggered and billed; you cannot launch it yourself, so do not attempt to via Bash or otherwise. It needs a git repository (offer to "git init" if not in one); the no-arg form bundles the local branch and does not need a GitHub remote.
 
 # Language
 Always respond in Korean. Use Korean for all explanations, comments, and communications with the user. Technical terms and code identifiers should remain in their original form.
 Maintain full orthographic correctness for Korean, including all required diacritical marks, accents, and special characters. Never substitute accented characters with their ASCII equivalents (e.g., never write "nao" for "n\xE3o", "fur" for "f\xFCr", or "loeschen" for "l\xF6schen").
 
+# Context management
 When working with tool results, write down any important information you might need later in your response, as the original tool result may be cleared later.
 
-Length limits: keep text between tool calls to \u226425 words. Keep final responses to \u2264100 words unless the task requires more detail.
-
 gitStatus: This is the git status at the start of the conversation. Note that this status is a snapshot in time, and will not update during the conversation.
 
 Current branch: main
@@ -121,7 +122,7 @@ Recent commits:
       description: `Launch a new agent to handle complex, multi-step tasks. Each agent type has specific capabilities and tools available to it.
 
 Available agent types and the tools they have access to:
-- Explore: Fast agent specialized for exploring codebases. Use this when you need to quickly find files by patterns (eg. "src/components/**/*.tsx"), search code for keywords (eg. "API endpoints"), or answer questions about the codebase (eg. "how do API endpoints work?"). When calling this agent, specify the desired thoroughness level: "quick" for basic searches, "medium" for moderate exploration, or "very thorough" for comprehensive analysis across multiple locations and naming conventions. (Tools: All tools except Agent, ExitPlanMode, Edit, Write, NotebookEdit)
+- Explore: Fast read-only search agent for locating code. Use it to find files by pattern (eg. "src/components/**/*.tsx"), grep for symbols or keywords (eg. "API endpoints"), or answer "where is X defined / which files reference Y." Do NOT use it for code review, design-doc auditing, cross-file consistency checks, or open-ended analysis \u2014 it reads excerpts rather than whole files and will miss content past its read window. When calling, specify search breadth: "quick" for a single targeted lookup, "medium" for moderate exploration, or "very thorough" to search across multiple locations and naming conventions. (Tools: All tools except Agent, ExitPlanMode, Edit, Write, NotebookEdit)
 - general-purpose: General-purpose agent for researching complex questions, searching for code, and executing multi-step tasks. When you are searching for a keyword or file and are not confident that you will find the right match in the first few tries use this agent to perform the search for you. (Tools: *)
 - Plan: Software architect agent for designing implementation plans. Use this when you need to plan the implementation strategy for a task. Returns step-by-step plans, identifies critical files, and considers architectural trade-offs. (Tools: All tools except Agent, ExitPlanMode, Edit, Write, NotebookEdit)
 - statusline-setup: Use this agent to configure the user's Claude Code status line setting. (Tools: Read, Edit)
@@ -347,7 +348,7 @@ The agent starts with no context from this conversation, so the prompt briefs it
     },
     {
       name: "Bash",
-      description: 'Executes a given bash command and returns its output.\n\nThe working directory persists between commands, but shell state does not. The shell environment is initialized from the user\'s profile (bash or zsh).\n\nIMPORTANT: Avoid using this tool to run `find`, `grep`, `cat`, `head`, `tail`, `sed`, `awk`, or `echo` commands, unless explicitly instructed or after you have verified that a dedicated tool cannot accomplish your task. Instead, use the appropriate dedicated tool as this will provide a much better experience for the user:\n\n - File search: Use Glob (NOT find or ls)\n - Content search: Use Grep (NOT grep or rg)\n - Read files: Use Read (NOT cat/head/tail)\n - Edit files: Use Edit (NOT sed/awk)\n - Write files: Use Write (NOT echo >/cat <<EOF)\n - Communication: Output text directly (NOT echo/printf)\nWhile the Bash tool can do similar things, it\u2019s better to use the built-in tools as they provide a better user experience and make it easier to review tool calls and give permission.\n\n# Instructions\n - If your command will create new directories or files, first use this tool to run `ls` to verify the parent directory exists and is the correct location.\n - Always quote file paths that contain spaces with double quotes in your command (e.g., cd "path with spaces/file.txt")\n - Try to maintain your current working directory throughout the session by using absolute paths and avoiding usage of `cd`. You may use `cd` if the User explicitly requests it. In particular, never prepend `cd <current-directory>` to a `git` command \u2014 `git` already operates on the current working tree, and the compound triggers a permission prompt.\n - You may specify an optional timeout in milliseconds (up to 600000ms / 10 minutes). By default, your command will timeout after 120000ms (2 minutes).\n - You can use the `run_in_background` parameter to run the command in the background. Only use this if you don\'t need the result immediately and are OK being notified when the command completes later. You do not need to check the output right away - you\'ll be notified when it finishes. You do not need to use \'&\' at the end of the command when using this parameter.\n - When issuing multiple commands:\n  - If the commands are independent and can run in parallel, make multiple Bash tool calls in a single message. Example: if you need to run "git status" and "git diff", send a single message with two Bash tool calls in parallel.\n  - If the commands depend on each other and must run sequentially, use a single Bash call with \'&&\' to chain them together.\n  - Use \';\' only when you need to run commands sequentially but don\'t care if earlier commands fail.\n  - DO NOT use newlines to separate commands (newlines are ok in quoted strings).\n - For git commands:\n  - Prefer to create a new commit rather than amending an existing commit.\n  - Before running destructive operations (e.g., git reset --hard, git push --force, git checkout --), consider whether there is a safer alternative that achieves the same goal. Only use destructive operations when they are truly the best approach.\n  - Never skip hooks (--no-verify) or bypass signing (--no-gpg-sign, -c commit.gpgsign=false) unless the user has explicitly asked for it. If a hook fails, investigate and fix the underlying issue.\n - Avoid unnecessary `sleep` commands:\n  - Do not sleep between commands that can run immediately \u2014 just run them.\n  - Use the Monitor tool to stream events from a background process (each stdout line is a notification). For one-shot "wait until done," use Bash with run_in_background instead.\n  - If your command is long running and you would like to be notified when it finishes \u2014 use `run_in_background`. No sleep needed.\n  - Do not retry failing commands in a sleep loop \u2014 diagnose the root cause.\n  - If waiting for a background task you started with `run_in_background`, you will be notified when it completes \u2014 do not poll.\n  - Long leading `sleep` commands are blocked. To poll until a condition is met, use Monitor with an until-loop (e.g. `until <check>; do sleep 2; done`) \u2014 you get a notification when the loop exits. Do not chain shorter sleeps to work around the block.\n\n\n# Committing changes with git\n\nOnly create commits when requested by the user. If unclear, ask first. When the user asks you to create a new git commit, follow these steps carefully:\n\nYou can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. The numbered steps below indicate which commands should be batched in parallel.\n\nGit Safety Protocol:\n- NEVER update the git config\n- NEVER run destructive git commands (push --force, reset --hard, checkout ., restore ., clean -f, branch -D) unless the user explicitly requests these actions. Taking unauthorized destructive actions is unhelpful and can result in lost work, so it\'s best to ONLY run these commands when given direct instructions \n- NEVER skip hooks (--no-verify, --no-gpg-sign, etc) unless the user explicitly requests it\n- NEVER run force push to main/master, warn the user if they request it\n- CRITICAL: Always create NEW commits rather than amending, unless the user explicitly requests a git amend. When a pre-commit hook fails, the commit did NOT happen \u2014 so --amend would modify the PREVIOUS commit, which may result in destroying work or losing previous changes. Instead, after hook failure, fix the issue, re-stage, and create a NEW commit\n- When staging files, prefer adding specific files by name rather than using "git add -A" or "git add .", which can accidentally include sensitive files (.env, credentials) or large binaries\n- NEVER commit changes unless the user explicitly asks you to. It is VERY IMPORTANT to only commit when explicitly asked, otherwise the user will feel that you are being too proactive\n\n1. Run the following bash commands in parallel, each using the Bash tool:\n  - Run a git status command to see all untracked files. IMPORTANT: Never use the -uall flag as it can cause memory issues on large repos.\n  - Run a git diff command to see both staged and unstaged changes that will be committed.\n  - Run a git log command to see recent commit messages, so that you can follow this repository\'s commit message style.\n2. Analyze all staged changes (both previously staged and newly added) and draft a commit message:\n  - Summarize the nature of the changes (eg. new feature, enhancement to an existing feature, bug fix, refactoring, test, docs, etc.). Ensure the message accurately reflects the changes and their purpose (i.e. "add" means a wholly new feature, "update" means an enhancement to an existing feature, "fix" means a bug fix, etc.).\n  - Do not commit files that likely contain secrets (.env, credentials.json, etc). Warn the user if they specifically request to commit those files\n  - Draft a concise (1-2 sentences) commit message that focuses on the "why" rather than the "what"\n  - Ensure it accurately reflects the changes and their purpose\n3. Run the following commands in parallel:\n   - Add relevant untracked files to the staging area.\n   - Create the commit with a message ending with:\n   Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>\n   - Run git status after the commit completes to verify success.\n   Note: git status depends on the commit completing, so run it sequentially after the commit.\n4. If the commit fails due to pre-commit hook: fix the issue and create a NEW commit\n\nImportant notes:\n- NEVER run additional commands to read or explore code, besides git bash commands\n- NEVER use the TodoWrite or Agent tools\n- DO NOT push to the remote repository unless the user explicitly asks you to do so\n- IMPORTANT: Never use git commands with the -i flag (like git rebase -i or git add -i) since they require interactive input which is not supported.\n- IMPORTANT: Do not use --no-edit with git rebase commands, as the --no-edit flag is not a valid option for git rebase.\n- If there are no changes to commit (i.e., no untracked files and no modifications), do not create an empty commit\n- In order to ensure good formatting, ALWAYS pass the commit message via a HEREDOC, a la this example:\n<example>\ngit commit -m "$(cat <<\'EOF\'\n   Commit message here.\n\n   Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>\n   EOF\n   )"\n</example>\n\n# Creating pull requests\nUse the gh command via the Bash tool for ALL GitHub-related tasks including working with issues, pull requests, checks, and releases. If given a Github URL use the gh command to get the information needed.\n\nIMPORTANT: When the user asks you to create a pull request, follow these steps carefully:\n\n1. Run the following bash commands in parallel using the Bash tool, in order to understand the current state of the branch since it diverged from the main branch:\n   - Run a git status command to see all untracked files (never use -uall flag)\n   - Run a git diff command to see both staged and unstaged changes that will be committed\n   - Check if the current branch tracks a remote branch and is up to date with the remote, so you know if you need to push to the remote\n   - Run a git log command and `git diff [base-branch]...HEAD` to understand the full commit history for the current branch (from the time it diverged from the base branch)\n2. Analyze all changes that will be included in the pull request, making sure to look at all relevant commits (NOT just the latest commit, but ALL commits that will be included in the pull request!!!), and draft a pull request title and summary:\n   - Keep the PR title short (under 70 characters)\n   - Use the description/body for details, not the title\n3. Run the following commands in parallel:\n   - Create new branch if needed\n   - Push to remote with -u flag if needed\n   - Create PR using gh pr create with the format below. Use a HEREDOC to pass the body to ensure correct formatting.\n<example>\ngh pr create --title "the pr title" --body "$(cat <<\'EOF\'\n## Summary\n<1-3 bullet points>\n\n## Test plan\n[Bulleted markdown checklist of TODOs for testing the pull request...]\n\n\u{1F916} Generated with [Claude Code](https://claude.com/claude-code)\nEOF\n)"\n</example>\n\nImportant:\n- DO NOT use the TodoWrite or Agent tools\n- Return the PR URL when you\'re done, so the user can see it\n\n# Other common operations\n- View comments on a Github PR: gh api repos/foo/bar/pulls/123/comments',
+      description: 'Executes a given bash command and returns its output.\n\nThe working directory persists between commands, but shell state does not. The shell environment is initialized from the user\'s profile (bash or zsh).\n\nIMPORTANT: Avoid using this tool to run `find`, `grep`, `cat`, `head`, `tail`, `sed`, `awk`, or `echo` commands, unless explicitly instructed or after you have verified that a dedicated tool cannot accomplish your task. Instead, use the appropriate dedicated tool as this will provide a much better experience for the user:\n\n - File search: Use Glob (NOT find or ls)\n - Content search: Use Grep (NOT grep or rg)\n - Read files: Use Read (NOT cat/head/tail)\n - Edit files: Use Edit (NOT sed/awk)\n - Write files: Use Write (NOT echo >/cat <<EOF)\n - Communication: Output text directly (NOT echo/printf)\nWhile the Bash tool can do similar things, it\u2019s better to use the built-in tools as they provide a better user experience and make it easier to review tool calls and give permission.\n\n# Instructions\n - If your command will create new directories or files, first use this tool to run `ls` to verify the parent directory exists and is the correct location.\n - Always quote file paths that contain spaces with double quotes in your command (e.g., cd "path with spaces/file.txt")\n - Try to maintain your current working directory throughout the session by using absolute paths and avoiding usage of `cd`. You may use `cd` if the User explicitly requests it. In particular, never prepend `cd <current-directory>` to a `git` command \u2014 `git` already operates on the current working tree, and the compound triggers a permission prompt.\n - You may specify an optional timeout in milliseconds (up to 600000ms / 10 minutes). By default, your command will timeout after 120000ms (2 minutes).\n - You can use the `run_in_background` parameter to run the command in the background. Only use this if you don\'t need the result immediately and are OK being notified when the command completes later. You do not need to check the output right away - you\'ll be notified when it finishes. You do not need to use \'&\' at the end of the command when using this parameter.\n - For git commands:\n  - Prefer to create a new commit rather than amending an existing commit.\n  - Before running destructive operations (e.g., git reset --hard, git push --force, git checkout --), consider whether there is a safer alternative that achieves the same goal. Only use destructive operations when they are truly the best approach.\n  - Never skip hooks (--no-verify) or bypass signing (--no-gpg-sign, -c commit.gpgsign=false) unless the user has explicitly asked for it. If a hook fails, investigate and fix the underlying issue.\n - Avoid unnecessary `sleep` commands:\n  - Do not sleep between commands that can run immediately \u2014 just run them.\n  - Use the Monitor tool to stream events from a background process (each stdout line is a notification). For one-shot "wait until done," use Bash with run_in_background instead.\n  - If your command is long running and you would like to be notified when it finishes \u2014 use `run_in_background`. No sleep needed.\n  - Do not retry failing commands in a sleep loop \u2014 diagnose the root cause.\n  - If waiting for a background task you started with `run_in_background`, you will be notified when it completes \u2014 do not poll.\n  - Long leading `sleep` commands are blocked. To poll until a condition is met, use Monitor with an until-loop (e.g. `until <check>; do sleep 2; done`) \u2014 you get a notification when the loop exits. Do not chain shorter sleeps to work around the block.\n\n\n# Committing changes with git\n\nOnly create commits when requested by the user. If unclear, ask first. When the user asks you to create a new git commit, follow these steps carefully:\n\nYou can call multiple tools in a single response. When multiple independent pieces of information are requested and all commands are likely to succeed, run multiple tool calls in parallel for optimal performance. The numbered steps below indicate which commands should be batched in parallel.\n\nGit Safety Protocol:\n- NEVER update the git config\n- NEVER run destructive git commands (push --force, reset --hard, checkout ., restore ., clean -f, branch -D) unless the user explicitly requests these actions. Taking unauthorized destructive actions is unhelpful and can result in lost work, so it\'s best to ONLY run these commands when given direct instructions \n- NEVER skip hooks (--no-verify, --no-gpg-sign, etc) unless the user explicitly requests it\n- NEVER run force push to main/master, warn the user if they request it\n- CRITICAL: Always create NEW commits rather than amending, unless the user explicitly requests a git amend. When a pre-commit hook fails, the commit did NOT happen \u2014 so --amend would modify the PREVIOUS commit, which may result in destroying work or losing previous changes. Instead, after hook failure, fix the issue, re-stage, and create a NEW commit\n- When staging files, prefer adding specific files by name rather than using "git add -A" or "git add .", which can accidentally include sensitive files (.env, credentials) or large binaries\n- NEVER commit changes unless the user explicitly asks you to. It is VERY IMPORTANT to only commit when explicitly asked, otherwise the user will feel that you are being too proactive\n\n1. Run the following bash commands in parallel, each using the Bash tool:\n  - Run a git status command to see all untracked files. IMPORTANT: Never use the -uall flag as it can cause memory issues on large repos.\n  - Run a git diff command to see both staged and unstaged changes that will be committed.\n  - Run a git log command to see recent commit messages, so that you can follow this repository\'s commit message style.\n2. Analyze all staged changes (both previously staged and newly added) and draft a commit message:\n  - Summarize the nature of the changes (eg. new feature, enhancement to an existing feature, bug fix, refactoring, test, docs, etc.). Ensure the message accurately reflects the changes and their purpose (i.e. "add" means a wholly new feature, "update" means an enhancement to an existing feature, "fix" means a bug fix, etc.).\n  - Do not commit files that likely contain secrets (.env, credentials.json, etc). Warn the user if they specifically request to commit those files\n  - Draft a concise (1-2 sentences) commit message that focuses on the "why" rather than the "what"\n  - Ensure it accurately reflects the changes and their purpose\n3. Run the following commands in parallel:\n   - Add relevant untracked files to the staging area.\n   - Create the commit with a message ending with:\n   Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>\n   - Run git status after the commit completes to verify success.\n   Note: git status depends on the commit completing, so run it sequentially after the commit.\n4. If the commit fails due to pre-commit hook: fix the issue and create a NEW commit\n\nImportant notes:\n- NEVER run additional commands to read or explore code, besides git bash commands\n- NEVER use the TodoWrite or Agent tools\n- DO NOT push to the remote repository unless the user explicitly asks you to do so\n- IMPORTANT: Never use git commands with the -i flag (like git rebase -i or git add -i) since they require interactive input which is not supported.\n- IMPORTANT: Do not use --no-edit with git rebase commands, as the --no-edit flag is not a valid option for git rebase.\n- If there are no changes to commit (i.e., no untracked files and no modifications), do not create an empty commit\n- In order to ensure good formatting, ALWAYS pass the commit message via a HEREDOC, a la this example:\n<example>\ngit commit -m "$(cat <<\'EOF\'\n   Commit message here.\n\n   Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>\n   EOF\n   )"\n</example>\n\n# Creating pull requests\nUse the gh command via the Bash tool for ALL GitHub-related tasks including working with issues, pull requests, checks, and releases. If given a Github URL use the gh command to get the information needed.\n\nIMPORTANT: When the user asks you to create a pull request, follow these steps carefully:\n\n1. Run the following bash commands in parallel using the Bash tool, in order to understand the current state of the branch since it diverged from the main branch:\n   - Run a git status command to see all untracked files (never use -uall flag)\n   - Run a git diff command to see both staged and unstaged changes that will be committed\n   - Check if the current branch tracks a remote branch and is up to date with the remote, so you know if you need to push to the remote\n   - Run a git log command and `git diff [base-branch]...HEAD` to understand the full commit history for the current branch (from the time it diverged from the base branch)\n2. Analyze all changes that will be included in the pull request, making sure to look at all relevant commits (NOT just the latest commit, but ALL commits that will be included in the pull request!!!), and draft a pull request title and summary:\n   - Keep the PR title short (under 70 characters)\n   - Use the description/body for details, not the title\n3. Run the following commands in parallel:\n   - Create new branch if needed\n   - Push to remote with -u flag if needed\n   - Create PR using gh pr create with the format below. Use a HEREDOC to pass the body to ensure correct formatting.\n<example>\ngh pr create --title "the pr title" --body "$(cat <<\'EOF\'\n## Summary\n<1-3 bullet points>\n\n## Test plan\n[Bulleted markdown checklist of TODOs for testing the pull request...]\n\n\u{1F916} Generated with [Claude Code](https://claude.com/claude-code)\nEOF\n)"\n</example>\n\nImportant:\n- DO NOT use the TodoWrite or Agent tools\n- Return the PR URL when you\'re done, so the user can see it\n\n# Other common operations\n- View comments on a Github PR: gh api repos/foo/bar/pulls/123/comments',
       input_schema: {
         $schema: "https://json-schema.org/draft/2020-12/schema",
         type: "object",
@@ -779,7 +780,7 @@ Ensure your plan is complete and unambiguous:
     },
     {
       name: "Monitor",
-      description: 'Start a background monitor that streams events from a long-running script. Each stdout line is an event \u2014 you keep working and notifications arrive in the chat. Events arrive on their own schedule and are not replies from the user, even if one lands while you\'re waiting for the user to answer a question.\n\nMonitor is for the **streaming** case: "tell me every time X happens." For one-shot "wait until X is done," use Bash with run_in_background instead \u2014 you\'ll get a completion notification when it exits.\n\nYour script\'s stdout is the event stream. Each line becomes a notification. Exit ends the watch.\n\n  # Each matching log line is an event\n  tail -f /var/log/app.log | grep --line-buffered "ERROR"\n\n  # Each file change is an event\n  inotifywait -m --format \'%e %f\' /watched/dir\n\n  # Poll GitHub for new PR comments and emit one line per new comment\n  last=$(date -u +%Y-%m-%dT%H:%M:%SZ)\n  while true; do\n    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)\n    gh api "repos/owner/repo/issues/123/comments?since=$last" --jq \'.[] | "\\(.user.login): \\(.body)"\'\n    last=$now; sleep 30\n  done\n\n  # Node script that emits events as they arrive (e.g. WebSocket listener)\n  node watch-for-events.js\n\n**Script quality:**\n- Always use `grep --line-buffered` in pipes \u2014 without it, pipe buffering delays events by minutes.\n- In poll loops, handle transient failures (`curl ... || true`) \u2014 one failed request shouldn\'t kill the monitor.\n- Poll intervals: 30s+ for remote APIs (rate limits), 0.5-1s for local checks.\n- Write a specific `description` \u2014 it appears in every notification ("errors in deploy.log" not "watching logs").\n- Only stdout is the event stream. Stderr goes to the output file (readable via Read) but does not trigger notifications \u2014 for a command you run directly (e.g. `python train.py 2>&1 | grep --line-buffered ...`), merge stderr with `2>&1` so its failures reach your filter. (No effect on `tail -f` of an existing log \u2014 that file only contains what its writer redirected.)\n\n**Coverage \u2014 silence is not success.** When watching a job or process for an outcome, your filter must match every terminal state, not just the happy path. A monitor that greps only for the success marker stays silent through a crashloop, a hung process, or an unexpected exit \u2014 and silence looks identical to "still running." Before arming, ask: *if this process crashed right now, would my filter emit anything?* If not, widen it.\n\n  # Wrong \u2014 silent on crash, hang, or any non-success exit\n  tail -f run.log | grep --line-buffered "elapsed_steps="\n\n  # Right \u2014 one alternation covering progress + the failure signatures you\'d act on\n  tail -f run.log | grep -E --line-buffered "elapsed_steps=|Traceback|Error|FAILED|assert|Killed|OOM"\n\nFor poll loops checking job state, emit on every terminal status (`succeeded|failed|cancelled|timeout`), not just success. If you cannot confidently enumerate the failure signatures, broaden the grep alternation rather than narrow it \u2014 some extra noise is better than missing a crashloop.\n\n**Output volume**: Every stdout line is a conversation message, so the filter should be selective \u2014 but selective means "the lines you\'d act on," not "only good news." Never pipe raw logs; use `grep --line-buffered`, `awk`, or a wrapper that emits exactly the success and failure signals you care about. Monitors that produce too many events are automatically stopped; restart with a tighter filter if this happens.\n\nStdout lines within 200ms are batched into a single notification, so multiline output from a single event groups naturally.\n\nThe script runs in the same shell environment as Bash. Exit ends the watch (exit code is reported). Timeout \u2192 killed. Set `persistent: true` for session-length watches (PR monitoring, log tails) \u2014 the monitor runs until you call TaskStop or the session ends. Use TaskStop to cancel early.',
+      description: 'Start a background monitor that streams events from a long-running script. Each stdout line is an event \u2014 you keep working and notifications arrive in the chat. Events arrive on their own schedule and are not replies from the user, even if one lands while you\'re waiting for the user to answer a question.\n\nPick by how many notifications you need:\n- **One** ("tell me when the server is ready / the build finishes") \u2192 use **Bash with `run_in_background`** and a command that exits when the condition is true, e.g. `until grep -q "Ready in" dev.log; do sleep 0.5; done`. You get a single completion notification when it exits.\n- **One per occurrence, indefinitely** ("tell me every time an ERROR line appears") \u2192 Monitor with an unbounded command (`tail -f`, `inotifywait -m`, `while true`).\n- **One per occurrence, until a known end** ("emit each CI step result, stop when the run completes") \u2192 Monitor with a command that emits lines and then exits.\n\nYour script\'s stdout is the event stream. Each line becomes a notification. Exit ends the watch.\n\n  # Each matching log line is an event\n  tail -f /var/log/app.log | grep --line-buffered "ERROR"\n\n  # Each file change is an event\n  inotifywait -m --format \'%e %f\' /watched/dir\n\n  # Poll GitHub for new PR comments and emit one line per new comment\n  last=$(date -u +%Y-%m-%dT%H:%M:%SZ)\n  while true; do\n    now=$(date -u +%Y-%m-%dT%H:%M:%SZ)\n    gh api "repos/owner/repo/issues/123/comments?since=$last" --jq \'.[] | "\\(.user.login): \\(.body)"\'\n    last=$now; sleep 30\n  done\n\n  # Node script that emits events as they arrive (e.g. WebSocket listener)\n  node watch-for-events.js\n\n  # Per-occurrence with a natural end: emit each CI check as it lands, exit when the run completes\n  prev=""\n  while true; do\n    s=$(gh pr checks 123 --json name,bucket)\n    cur=$(jq -r \'.[] | select(.bucket!="pending") | "\\(.name): \\(.bucket)"\' <<<"$s" | sort)\n    comm -13 <(echo "$prev") <(echo "$cur")\n    prev=$cur\n    jq -e \'all(.bucket!="pending")\' <<<"$s" >/dev/null && break\n    sleep 30\n  done\n\n**Don\'t use an unbounded command for a single notification.** `tail -f`, `inotifywait -m`, and `while true` never exit on their own, so the monitor stays armed until timeout even after the event has fired. For "tell me when X is ready," use Bash `run_in_background` with an `until` loop instead (one notification, ends in seconds). Note that `tail -f log | grep -m 1 ...` does *not* fix this: if the log goes quiet after the match, `tail` never receives SIGPIPE and the pipeline hangs anyway.\n\n**Script quality:**\n- Always use `grep --line-buffered` in pipes \u2014 without it, pipe buffering delays events by minutes.\n- In poll loops, handle transient failures (`curl ... || true`) \u2014 one failed request shouldn\'t kill the monitor.\n- Poll intervals: 30s+ for remote APIs (rate limits), 0.5-1s for local checks.\n- Write a specific `description` \u2014 it appears in every notification ("errors in deploy.log" not "watching logs").\n- Only stdout is the event stream. Stderr goes to the output file (readable via Read) but does not trigger notifications \u2014 for a command you run directly (e.g. `python train.py 2>&1 | grep --line-buffered ...`), merge stderr with `2>&1` so its failures reach your filter. (No effect on `tail -f` of an existing log \u2014 that file only contains what its writer redirected.)\n\n**Coverage \u2014 silence is not success.** When watching a job or process for an outcome, your filter must match every terminal state, not just the happy path. A monitor that greps only for the success marker stays silent through a crashloop, a hung process, or an unexpected exit \u2014 and silence looks identical to "still running." Before arming, ask: *if this process crashed right now, would my filter emit anything?* If not, widen it.\n\n  # Wrong \u2014 silent on crash, hang, or any non-success exit\n  tail -f run.log | grep --line-buffered "elapsed_steps="\n\n  # Right \u2014 one alternation covering progress + the failure signatures you\'d act on\n  tail -f run.log | grep -E --line-buffered "elapsed_steps=|Traceback|Error|FAILED|assert|Killed|OOM"\n\nFor poll loops checking job state, emit on every terminal status (`succeeded|failed|cancelled|timeout`), not just success. If you cannot confidently enumerate the failure signatures, broaden the grep alternation rather than narrow it \u2014 some extra noise is better than missing a crashloop.\n\n**Output volume**: Every stdout line is a conversation message, so the filter should be selective \u2014 but selective means "the lines you\'d act on," not "only good news." Never pipe raw logs; use `grep --line-buffered`, `awk`, or a wrapper that emits exactly the success and failure signals you care about. Monitors that produce too many events are automatically stopped; restart with a tighter filter if this happens.\n\nStdout lines within 200ms are batched into a single notification, so multiline output from a single event groups naturally.\n\nThe script runs in the same shell environment as Bash. Exit ends the watch (exit code is reported). Timeout \u2192 killed. Set `persistent: true` for session-length watches (PR monitoring, log tails) \u2014 the monitor runs until you call TaskStop or the session ends. Use TaskStop to cancel early.',
       input_schema: {
         $schema: "https://json-schema.org/draft/2020-12/schema",
         type: "object",
@@ -889,7 +890,7 @@ If the result says the push wasn't sent, that's expected \u2014 no action needed
     },
     {
       name: "Read",
-      description: 'Reads a file from the local filesystem. You can access any file directly by using this tool.\nAssume this tool is able to read all files on the machine. If the User provides a path to a file assume that path is valid. It is okay to read a file that does not exist; an error will be returned.\n\nUsage:\n- The file_path parameter must be an absolute path, not a relative path\n- By default, it reads up to 2000 lines starting from the beginning of the file\n- When you already know which part of the file you need, only read that part. This can be important for larger files.\n- Results are returned using cat -n format, with line numbers starting at 1\n- This tool allows Claude Code to read images (eg PNG, JPG, etc). When reading an image file the contents are presented visually as Claude Code is a multimodal LLM.\n- This tool can read PDF files (.pdf). For large PDFs (more than 10 pages), you MUST provide the pages parameter to read specific page ranges (e.g., pages: "1-5"). Reading a large PDF without the pages parameter will fail. Maximum 20 pages per request.\n- This tool can read Jupyter notebooks (.ipynb files) and returns all cells with their outputs, combining code, text, and visualizations.\n- This tool can only read files, not directories. To read a directory, use an ls command via the Bash tool.\n- You will regularly be asked to read screenshots. If the user provides a path to a screenshot, ALWAYS use this tool to view the file at the path. This tool will work with all temporary file paths.\n- If you read a file that exists but has empty contents you will receive a system reminder warning in place of file contents.\n- Do NOT re-read a file you just edited to verify \u2014 Edit/Write would have errored if the change failed, and the harness tracks file state for you.',
+      description: 'Reads a file from the local filesystem. You can access any file directly by using this tool.\nAssume this tool is able to read all files on the machine. If the User provides a path to a file assume that path is valid. It is okay to read a file that does not exist; an error will be returned.\n\nUsage:\n- The file_path parameter must be an absolute path, not a relative path\n- By default, it reads up to 2000 lines starting from the beginning of the file\n- When you already know which part of the file you need, only read that part. This can be important for larger files.\n- Results are returned using cat -n format, with line numbers starting at 1\n- This tool allows Claude Code to read images (eg PNG, JPG, etc). When reading an image file the contents are presented visually as Claude Code is a multimodal LLM.\n- This tool can read PDF files (.pdf). For large PDFs (more than 10 pages), you MUST provide the pages parameter to read specific page ranges (e.g., pages: "1-5"). Reading a large PDF without the pages parameter will fail. Maximum 20 pages per request.\n- This tool can read Jupyter notebooks (.ipynb files) and returns all cells with their outputs, combining code, text, and visualizations.\n- This tool can only read files, not directories. To list files in a directory, use the registered shell tool.\n- You will regularly be asked to read screenshots. If the user provides a path to a screenshot, ALWAYS use this tool to view the file at the path. This tool will work with all temporary file paths.\n- If you read a file that exists but has empty contents you will receive a system reminder warning in place of file contents.\n- Do NOT re-read a file you just edited to verify \u2014 Edit/Write would have errored if the change failed, and the harness tracks file state for you.',
       input_schema: {
         $schema: "https://json-schema.org/draft/2020-12/schema",
         type: "object",
@@ -1418,7 +1419,7 @@ IMPORTANT - Use the correct year in search queries:
     "Write"
   ],
   anthropic_beta: "claude-code-20250219,oauth-2025-04-20,context-1m-2025-08-07,interleaved-thinking-2025-05-14,context-management-2025-06-27,prompt-caching-scope-2026-01-05,advisor-tool-2026-03-01,effort-2025-11-24",
-  cc_version: "2.1.114",
+  cc_version: "2.1.121",
   header_order: [
     "Accept",
     "Authorization",
@@ -1448,7 +1449,7 @@ IMPORTANT - Use the correct year in search queries:
     "anthropic-dangerous-direct-browser-access": "true",
     "anthropic-version": "2023-06-01",
     "content-type": "application/json",
-    "user-agent": "claude-cli/2.1.114 (external, sdk-cli)",
+    "user-agent": "claude-cli/2.1.121 (external, sdk-cli)",
     "x-app": "cli",
     "x-stainless-timeout": "600"
   },
@@ -1466,15 +1467,22 @@ IMPORTANT - Use the correct year in search queries:
   ]
 };
 
-// src/cli-version.ts
-import { execFileSync } from "child_process";
-var DEFAULT_CLI_VERSION = "2.1.100";
+// src/claude-code/cli-version.ts
+import { execFileSync as defaultExecFileSync } from "child_process";
+var DEFAULT_CLI_VERSION = data_default.cc_version;
 var CLI_VERSION_PATTERN = /(\d+\.\d+\.\d+)/;
 var CLAUDE_VERSION_TIMEOUT_MS = 3e3;
 var detectedVersion = null;
+var cliVersionProbe = defaultExecFileSync;
 function parseCliVersion(output) {
   return output.match(CLI_VERSION_PATTERN)?.[1] ?? null;
 }
+function probeCliVersion() {
+  return cliVersionProbe("claude", ["--version"], {
+    encoding: "utf8",
+    timeout: CLAUDE_VERSION_TIMEOUT_MS
+  });
+}
 function detectCliVersion() {
   if (detectedVersion !== null) {
     return detectedVersion;
@@ -1485,10 +1493,7 @@ function detectCliVersion() {
     return detectedVersion;
   }
   try {
-    const output = execFileSync("claude", ["--version"], {
-      encoding: "utf8",
-      timeout: CLAUDE_VERSION_TIMEOUT_MS
-    });
+    const output = probeCliVersion();
     detectedVersion = parseCliVersion(output) ?? DEFAULT_CLI_VERSION;
   } catch {
     detectedVersion = DEFAULT_CLI_VERSION;
@@ -1496,8 +1501,9 @@ function detectCliVersion() {
   return detectedVersion;
 }
 
-// src/oauth-config-detect.ts
+// src/claude-code/oauth-config/detect.ts
 import { createHash } from "crypto";
+import { execFileSync as defaultExecFileSync2 } from "child_process";
 import { existsSync } from "fs";
 import { mkdir, readFile, writeFile } from "fs/promises";
 import { homedir, platform } from "os";
@@ -1513,14 +1519,14 @@ var cc_derived_defaults_default = {
   },
   oauth: {
     clientId: "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
-    authorizeUrl: "https://claude.com/cai/oauth/authorize",
+    authorizeUrl: "https://claude.ai/oauth/authorize",
     tokenUrl: "https://platform.claude.com/v1/oauth/token",
-    scopes: "user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload",
+    scopes: "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload",
     baseApiUrl: "https://api.anthropic.com"
   }
 };
 
-// src/utils.ts
+// src/shared/utils.ts
 import {
   createMinimalClient,
   formatWaitTime,
@@ -1530,7 +1536,7 @@ import {
   sleep
 } from "opencode-multi-account-core";
 
-// src/constants.ts
+// src/shared/constants.ts
 import { anthropicOAuthAdapter } from "opencode-multi-account-core";
 var ANTHROPIC_OAUTH_ADAPTER = anthropicOAuthAdapter;
 var ANTHROPIC_CLIENT_ID = ANTHROPIC_OAUTH_ADAPTER.oauthClientId;
@@ -1543,14 +1549,14 @@ var PLAN_LABELS = ANTHROPIC_OAUTH_ADAPTER.planLabels;
 var TOKEN_EXPIRY_BUFFER_MS = 6e4;
 var TOKEN_REFRESH_TIMEOUT_MS = 3e4;
 
-// src/config.ts
+// src/shared/config.ts
 import {
   createConfigLoader
 } from "opencode-multi-account-core";
 var configLoader = createConfigLoader("claude-multiauth.json");
 var { getConfig, loadConfig, resetConfigCache, updateConfigField } = configLoader;
 
-// src/utils.ts
+// src/shared/utils.ts
 async function showToast(client, message, variant) {
   if (getConfig().quiet_mode) return;
   try {
@@ -1566,28 +1572,57 @@ function debugLog(client, message, extra) {
   });
 }
 
-// src/oauth-config-detect.ts
+// src/claude-code/oauth-config/detect.ts
 var CONFIG_SCAN_WINDOW_CHARS = 4096;
 var CONFIG_SCAN_LOOKBACK_CHARS = 512;
-var REJECTED_SCOPE = ["org", "create_api_key"].join(":");
-var SAFE_FALLBACK_SCOPES = "user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
+var KNOWN_PROD_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+var POLLUTED_CACHED_SCOPE = "https://www.googleapis.com/auth/cloud-platform";
+var SAFE_FALLBACK_SCOPES = "org:create_api_key user:profile user:inference user:sessions:claude_code user:mcp_servers user:file_upload";
 var UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
 var CACHE_FILE_NAME = "anthropic-oauth-config-cache.json";
 var DEFAULT_OVERRIDE_FILE_NAME = "oauth-config.override.json";
 var derivedDefaults = cc_derived_defaults_default;
-var FALLBACK = {
-  clientId: derivedDefaults.oauth?.clientId || "9d1c250a-e61b-44d9-88ed-5944d1962f5e",
-  authorizeUrl: derivedDefaults.oauth?.authorizeUrl || "https://claude.com/cai/oauth/authorize",
+var fallbackPayload = normalizeDetectedOAuthConfigPayload({
+  clientId: derivedDefaults.oauth?.clientId || KNOWN_PROD_CLIENT_ID,
+  authorizeUrl: derivedDefaults.oauth?.authorizeUrl || "https://claude.ai/oauth/authorize",
   tokenUrl: derivedDefaults.oauth?.tokenUrl || "https://platform.claude.com/v1/oauth/token",
-  scopes: sanitizeScopes(derivedDefaults.oauth?.scopes),
-  baseApiUrl: derivedDefaults.oauth?.baseApiUrl || "https://api.anthropic.com",
+  scopes: derivedDefaults.oauth?.scopes || SAFE_FALLBACK_SCOPES,
+  baseApiUrl: derivedDefaults.oauth?.baseApiUrl || "https://api.anthropic.com"
+});
+var FALLBACK = {
+  ...fallbackPayload,
   source: "fallback"
 };
-function sanitizeScopes(scopes) {
-  if (!scopes || scopes.includes(REJECTED_SCOPE)) {
-    return SAFE_FALLBACK_SCOPES;
+function hasPollutedCachedScope(scopes) {
+  const parsedScopes = scopes.split(/\s+/).filter(Boolean);
+  return parsedScopes.includes(POLLUTED_CACHED_SCOPE) || !parsedScopes.includes("org:create_api_key");
+}
+function filterScopesByBinaryPresence(buf, expected) {
+  const verified = [];
+  for (const scope of expected) {
+    const needle = Buffer.from(`"${scope}"`);
+    if (buf.includes(needle)) {
+      verified.push(scope);
+    }
+  }
+  return verified;
+}
+function getVerifiedCanonicalScopes(buf, fallbackScopes) {
+  const expectedScopes = fallbackScopes.split(/\s+/).filter(Boolean);
+  const verifiedScopes = filterScopesByBinaryPresence(buf, expectedScopes);
+  return verifiedScopes.length === expectedScopes.length ? verifiedScopes.join(" ") : null;
+}
+function normalizeAuthorizeUrl(url) {
+  if (url === "https://claude.com/cai/oauth/authorize") {
+    return "https://claude.ai/oauth/authorize";
   }
-  return scopes;
+  return url;
+}
+function normalizeDetectedOAuthConfigPayload(payload) {
+  return {
+    ...payload,
+    authorizeUrl: normalizeAuthorizeUrl(payload.authorizeUrl)
+  };
 }
 function pickNearestScopes(block, centerIndex) {
   return pickNearestValue(block, centerIndex, /SCOPES\s*:\s*"([^"]+)"/gi) || pickNearestValue(block, centerIndex, /scope[s]?\s*:\s*"([^"]+)"/gi) || null;
@@ -1611,10 +1646,12 @@ function extractCandidateBlocks(binaryText) {
     const currentIndex = currentMatch.index ?? 0;
     const previousClientIdIndex = clientIdMatches[index - 1]?.index;
     const nextClientIdIndex = clientIdMatches[index + 1]?.index;
-    const leftBoundary = previousClientIdIndex === void 0 ? Math.max(0, currentIndex - CONFIG_SCAN_LOOKBACK_CHARS) : Math.floor((previousClientIdIndex + currentIndex) / 2);
-    const rightBoundary = nextClientIdIndex === void 0 ? Math.min(binaryText.length, currentIndex + CONFIG_SCAN_WINDOW_CHARS) : Math.floor((currentIndex + nextClientIdIndex) / 2);
-    const start = Math.max(0, leftBoundary);
-    const end = Math.min(binaryText.length, Math.max(currentIndex + 1, rightBoundary));
+    const { start, end } = getCandidateBlockRange(
+      currentIndex,
+      previousClientIdIndex,
+      nextClientIdIndex,
+      binaryText.length
+    );
     const key = `${start}:${end}`;
     if (seenRanges.has(key)) {
       continue;
@@ -1627,6 +1664,19 @@ function extractCandidateBlocks(binaryText) {
   }
   return blocks;
 }
+function midpoint(left, right) {
+  return Math.floor((left + right) / 2);
+}
+function getCandidateBlockRange(currentIndex, previousClientIdIndex, nextClientIdIndex, textLength) {
+  const boundedLeftEdge = currentIndex - CONFIG_SCAN_LOOKBACK_CHARS;
+  const boundedRightEdge = currentIndex + CONFIG_SCAN_WINDOW_CHARS;
+  const leftBoundary = previousClientIdIndex === void 0 ? boundedLeftEdge : Math.max(boundedLeftEdge, midpoint(previousClientIdIndex, currentIndex));
+  const rightBoundary = nextClientIdIndex === void 0 ? boundedRightEdge : Math.min(boundedRightEdge, midpoint(currentIndex, nextClientIdIndex));
+  return {
+    start: Math.max(0, leftBoundary),
+    end: Math.min(textLength, Math.max(currentIndex + 1, rightBoundary))
+  };
+}
 function pickNearestValue(block, centerIndex, pattern) {
   let nearestValue;
   let nearestDistance = Number.POSITIVE_INFINITY;
@@ -1665,7 +1715,7 @@ function extractCandidateFromBlock(block) {
     clientId: clientIdMatch[1],
     authorizeUrl: authorizeUrl || FALLBACK.authorizeUrl,
     tokenUrl: tokenUrl || FALLBACK.tokenUrl,
-    scopes: sanitizeScopes(extractedScopes),
+    scopes: extractedScopes || FALLBACK.scopes,
     baseApiUrl: baseApiUrl || FALLBACK.baseApiUrl
   };
   if (!isDetectedOAuthConfigPayload(payload)) {
@@ -1678,9 +1728,15 @@ function extractCandidateFromBlock(block) {
 }
 var memoizedConfig = null;
 var detectorTestOverrides = {};
+function getPlatform() {
+  return detectorTestOverrides.platform?.() ?? platform();
+}
+function fileExists(path) {
+  return (detectorTestOverrides.existsSync ?? existsSync)(path);
+}
 function candidatePaths() {
   const home = homedir();
-  if (platform() === "win32") {
+  if (getPlatform() === "win32") {
     return [
       join(home, ".local", "bin", "claude.exe"),
       join(home, "AppData", "Roaming", "npm", "node_modules", "@anthropic-ai", "claude-code", "cli.js"),
@@ -1700,6 +1756,49 @@ function candidatePaths() {
     join(home, ".claude", "local", "node_modules", "@anthropic-ai", "claude-code", "cli.mjs")
   ];
 }
+function enumerateCCCandidates() {
+  const seen = /* @__PURE__ */ new Set();
+  const candidates = [];
+  const currentPlatform = getPlatform();
+  const pathDelimiter = currentPlatform === "win32" ? ";" : ":";
+  const pathDirs = (detectorTestOverrides.pathEnv ?? process.env.PATH ?? "").split(pathDelimiter).filter(Boolean);
+  const pathCandidateNames = currentPlatform === "win32" ? ["claude.exe", "claude.cmd", "claude"] : ["claude"];
+  const addCandidate = (candidatePath) => {
+    const key = currentPlatform === "win32" ? candidatePath.toLowerCase() : candidatePath;
+    if (seen.has(key) || !fileExists(candidatePath)) {
+      return;
+    }
+    seen.add(key);
+    candidates.push(candidatePath);
+  };
+  for (const dir of pathDirs) {
+    for (const fileName of pathCandidateNames) {
+      addCandidate(join(dir, fileName));
+    }
+  }
+  for (const candidatePath of candidatePaths()) {
+    addCandidate(candidatePath);
+  }
+  return candidates;
+}
+function probeOneVersion(binPath) {
+  const currentPlatform = getPlatform();
+  if (currentPlatform === "win32" && /\.(cmd|bat)$/i.test(binPath) && /[&|><^"'%\r\n`$;(){}\[\]]/.test(binPath)) {
+    return null;
+  }
+  try {
+    const output = (detectorTestOverrides.execFileSync ?? defaultExecFileSync2)(binPath, ["--version"], {
+      timeout: 2e3,
+      encoding: "utf-8",
+      windowsHide: true,
+      stdio: ["ignore", "pipe", "ignore"],
+      shell: currentPlatform === "win32" && /\.(cmd|bat)$/i.test(binPath)
+    });
+    return output.match(/(\d+\.\d+\.\d+(?:[.\-][\w.\-]+)?)/)?.[1] ?? null;
+  } catch {
+    return null;
+  }
+}
 function getCachePath() {
   return join(getConfigDir(), CACHE_FILE_NAME);
 }
@@ -1721,13 +1820,17 @@ function isDetectedOAuthConfigPayload(value) {
   const candidate = value;
   return typeof candidate.clientId === "string" && UUID_PATTERN.test(candidate.clientId) && typeof candidate.authorizeUrl === "string" && isValidUrl(candidate.authorizeUrl) && typeof candidate.tokenUrl === "string" && isValidUrl(candidate.tokenUrl) && typeof candidate.scopes === "string" && candidate.scopes.length > 0;
 }
-function toFallbackConfig(ccPath, ccHash) {
+function buildResolvedConfig(payload, source, ccPath, ccHash) {
   return {
-    ...FALLBACK,
+    ...payload,
+    source,
     ...ccPath ? { ccPath } : {},
     ...ccHash ? { ccHash } : {}
   };
 }
+function toFallbackConfig(ccPath, ccHash) {
+  return buildResolvedConfig(FALLBACK, "fallback", ccPath, ccHash);
+}
 function isOverrideDisabled() {
   return process.env.ANTHROPIC_MULTI_ACCOUNT_OAUTH_DISABLE_OVERRIDE === "1";
 }
@@ -1741,30 +1844,44 @@ function readOverrideString(value) {
 function getOverridePath() {
   return readOverrideString(process.env.ANTHROPIC_MULTI_ACCOUNT_OAUTH_OVERRIDE_PATH) ?? getDefaultOverridePath();
 }
-function normalizeOverride(value) {
+function readOverrideRecord(value) {
   if (typeof value !== "object" || value === null) {
+    return null;
+  }
+  return value;
+}
+function readOverrideField(candidate, key) {
+  const value = candidate[key];
+  return typeof value === "string" ? readOverrideString(value) : void 0;
+}
+function readOverrideUrl(candidate, key) {
+  const value = readOverrideField(candidate, key);
+  return value && isValidUrl(value) ? value : void 0;
+}
+function normalizeOverride(value) {
+  const candidate = readOverrideRecord(value);
+  if (!candidate) {
     return {};
   }
-  const candidate = value;
   const normalized = {};
-  const clientId = readOverrideString(typeof candidate.clientId === "string" ? candidate.clientId : void 0);
+  const clientId = readOverrideField(candidate, "clientId");
   if (clientId && UUID_PATTERN.test(clientId)) {
     normalized.clientId = clientId;
   }
-  const authorizeUrl = readOverrideString(typeof candidate.authorizeUrl === "string" ? candidate.authorizeUrl : void 0);
-  if (authorizeUrl && isValidUrl(authorizeUrl)) {
-    normalized.authorizeUrl = authorizeUrl;
+  const authorizeUrl = readOverrideUrl(candidate, "authorizeUrl");
+  if (authorizeUrl) {
+    normalized.authorizeUrl = normalizeAuthorizeUrl(authorizeUrl);
   }
-  const tokenUrl = readOverrideString(typeof candidate.tokenUrl === "string" ? candidate.tokenUrl : void 0);
-  if (tokenUrl && isValidUrl(tokenUrl)) {
+  const tokenUrl = readOverrideUrl(candidate, "tokenUrl");
+  if (tokenUrl) {
     normalized.tokenUrl = tokenUrl;
   }
-  const scopes = readOverrideString(typeof candidate.scopes === "string" ? candidate.scopes : void 0);
+  const scopes = readOverrideField(candidate, "scopes");
   if (scopes) {
-    normalized.scopes = sanitizeScopes(scopes);
+    normalized.scopes = scopes;
   }
-  const baseApiUrl = readOverrideString(typeof candidate.baseApiUrl === "string" ? candidate.baseApiUrl : void 0);
-  if (baseApiUrl && isValidUrl(baseApiUrl)) {
+  const baseApiUrl = readOverrideUrl(candidate, "baseApiUrl");
+  if (baseApiUrl) {
     normalized.baseApiUrl = baseApiUrl;
   }
   return normalized;
@@ -1801,16 +1918,22 @@ async function applyManualOverride(baseConfig) {
   };
 }
 function findCCBinary() {
-  const override = process.env.DARIO_CC_PATH;
-  if (override && existsSync(override)) {
+  const override = process.env.ANTHROPIC_CC_PATH;
+  if (override && fileExists(override)) {
     return override;
   }
-  for (const candidatePath of candidatePaths()) {
-    if (existsSync(candidatePath)) {
-      return candidatePath;
-    }
+  const candidates = enumerateCCCandidates();
+  if (candidates.length === 0) {
+    return null;
   }
-  return null;
+  if (candidates.length === 1) {
+    return candidates[0] ?? null;
+  }
+  const probedCandidates = candidates.map((candidatePath) => {
+    const version = probeOneVersion(candidatePath);
+    return version ? { path: candidatePath, version } : null;
+  }).filter((candidate) => candidate !== null).sort((left, right) => compareVersions(right.version, left.version) ?? 0);
+  return probedCandidates[0]?.path ?? candidates[0] ?? null;
 }
 async function fingerprintBinary(path) {
   const binaryContents = await readFile(path);
@@ -1819,19 +1942,24 @@ async function fingerprintBinary(path) {
 function scanBinaryForOAuthConfig(buf) {
   const binaryText = buf.toString("latin1");
   const candidates = extractCandidateBlocks(binaryText).map(extractCandidateFromBlock).filter((candidate) => candidate !== null).sort((left, right) => right.score - left.score);
-  return candidates[0]?.payload ?? null;
+  const preferredCandidate = candidates.find((candidate) => candidate.payload.clientId === KNOWN_PROD_CLIENT_ID);
+  return preferredCandidate?.payload ?? candidates[0]?.payload ?? null;
+}
+async function readRawCacheEntries() {
+  const raw = await readFile(getCachePath(), "utf-8");
+  const parsed = JSON.parse(raw);
+  if (typeof parsed !== "object" || parsed === null || typeof parsed.entries !== "object" || parsed.entries === null) {
+    return {};
+  }
+  return parsed.entries;
 }
 async function loadCache() {
   try {
-    const raw = await readFile(getCachePath(), "utf-8");
-    const parsed = JSON.parse(raw);
-    if (typeof parsed !== "object" || parsed === null || typeof parsed.entries !== "object" || parsed.entries === null) {
-      return {};
-    }
+    const rawEntries = await readRawCacheEntries();
     const validEntries = {};
-    for (const [hash, value] of Object.entries(parsed.entries)) {
-      if (isDetectedOAuthConfigPayload(value)) {
-        validEntries[hash] = value;
+    for (const [hash, value] of Object.entries(rawEntries)) {
+      if (isDetectedOAuthConfigPayload(value) && !hasPollutedCachedScope(value.scopes)) {
+        validEntries[hash] = normalizeDetectedOAuthConfigPayload(value);
       }
     }
     return validEntries;
@@ -1842,7 +1970,11 @@ async function loadCache() {
 async function saveCache(hash, config) {
   try {
     const cachePath = getCachePath();
-    const currentEntries = await loadCache();
+    const currentEntries = {};
+    try {
+      Object.assign(currentEntries, await readRawCacheEntries());
+    } catch {
+    }
     currentEntries[hash] = config;
     await mkdir(dirname(cachePath), { recursive: true });
     await writeFile(
@@ -1867,27 +1999,23 @@ async function detectOAuthConfig() {
     const cachedEntries = await loadCache();
     const cachedConfig = cachedEntries[ccHash];
     if (cachedConfig) {
-      memoizedConfig = await applyManualOverride({
-        ...cachedConfig,
-        source: "cached",
-        ccPath,
-        ccHash
-      });
+      memoizedConfig = await applyManualOverride(buildResolvedConfig(cachedConfig, "cached", ccPath, ccHash));
       return memoizedConfig;
     }
     const readBinaryFile = detectorTestOverrides.readBinaryFile || readFile;
-    const scannedConfig = scanBinaryForOAuthConfig(await readBinaryFile(ccPath));
+    const binaryBuffer = await readBinaryFile(ccPath);
+    const scannedConfig = scanBinaryForOAuthConfig(binaryBuffer);
     if (!scannedConfig) {
       memoizedConfig = await applyManualOverride(toFallbackConfig(ccPath, ccHash));
       return memoizedConfig;
     }
-    await saveCache(ccHash, scannedConfig);
-    memoizedConfig = await applyManualOverride({
-      ...scannedConfig,
-      source: "detected",
-      ccPath,
-      ccHash
-    });
+    const verifiedCanonicalScopes = getVerifiedCanonicalScopes(binaryBuffer, FALLBACK.scopes);
+    if (verifiedCanonicalScopes) {
+      scannedConfig.scopes = verifiedCanonicalScopes;
+    }
+    const runtimeDetectedConfig = normalizeDetectedOAuthConfigPayload(scannedConfig);
+    await saveCache(ccHash, runtimeDetectedConfig);
+    memoizedConfig = await applyManualOverride(buildResolvedConfig(runtimeDetectedConfig, "detected", ccPath, ccHash));
     return memoizedConfig;
   } catch {
     memoizedConfig = await applyManualOverride(FALLBACK);
@@ -1895,7 +2023,7 @@ async function detectOAuthConfig() {
   }
 }
 
-// src/fingerprint-capture.ts
+// src/claude-code/fingerprint/capture.ts
 var CURRENT_SCHEMA_VERSION = 1;
 var LIVE_TTL_MS = 24 * 60 * 60 * 1e3;
 var DEFAULT_CAPTURE_TIMEOUT_MS = 1e4;
@@ -1914,15 +2042,15 @@ var STATIC_HEADER_NAMES = [
 ];
 var SUPPORTED_CC_RANGE = {
   min: "1.0.0",
-  maxTested: "2.1.114"
+  maxTested: "2.1.121"
 };
-var bundledTemplate = fingerprint_data_default;
+var bundledTemplate = data_default;
 var fingerprintCaptureTestOverrides = {};
 function now() {
   return fingerprintCaptureTestOverrides.now?.() ?? Date.now();
 }
 function getCachePath2() {
-  return join2(getConfigDir(), CACHE_FILE_NAME2);
+  return join2(fingerprintCaptureTestOverrides.getConfigDir?.() ?? getConfigDir(), CACHE_FILE_NAME2);
 }
 function isRecord(value) {
   return typeof value === "object" && value !== null;
@@ -2298,23 +2426,26 @@ function parseVersion(version) {
   if (!match) {
     return null;
   }
-  return [Number(match[1]), Number(match[2]), Number(match[3])];
+  const [, major, minor, patch] = match;
+  return [Number(major), Number(minor), Number(patch)];
 }
 function compareVersions(left, right) {
-  const leftVersion = parseVersion(left);
-  const rightVersion = parseVersion(right);
-  if (!leftVersion || !rightVersion) {
+  const leftParts = parseVersion(left);
+  const rightParts = parseVersion(right);
+  if (!leftParts || !rightParts) {
     return null;
   }
-  for (let index = 0; index < leftVersion.length; index += 1) {
-    const leftPart = leftVersion[index] ?? 0;
-    const rightPart = rightVersion[index] ?? 0;
-    const diff = leftPart - rightPart;
-    if (diff !== 0) {
-      return diff;
-    }
+  const [leftMajor, leftMinor, leftPatch] = leftParts;
+  const [rightMajor, rightMinor, rightPatch] = rightParts;
+  const majorDiff = leftMajor - rightMajor;
+  if (majorDiff !== 0) {
+    return majorDiff;
   }
-  return 0;
+  const minorDiff = leftMinor - rightMinor;
+  if (minorDiff !== 0) {
+    return minorDiff;
+  }
+  return leftPatch - rightPatch;
 }
 function detectDrift(template, installedOverride) {
   const cachedVersion = template.cc_version ?? null;
@@ -2401,9 +2532,9 @@ function resetFingerprintCaptureForTest() {
 }
 
 export {
-  fingerprint_data_default,
-  detectCliVersion,
-  cc_derived_defaults_default,
+  getConfig,
+  loadConfig,
+  updateConfigField,
   ANTHROPIC_OAUTH_ADAPTER,
   ANTHROPIC_USAGE_ENDPOINT,
   ANTHROPIC_PROFILE_ENDPOINT,
@@ -2412,9 +2543,9 @@ export {
   PLAN_LABELS,
   TOKEN_EXPIRY_BUFFER_MS,
   TOKEN_REFRESH_TIMEOUT_MS,
-  getConfig,
-  loadConfig,
-  updateConfigField,
+  cc_derived_defaults_default,
+  data_default,
+  detectCliVersion,
   showToast,
   debugLog,
   createMinimalClient,
@@ -2431,9 +2562,10 @@ export {
   extractTemplate,
   captureLiveTemplateAsync,
   refreshLiveFingerprintAsync,
+  compareVersions,
   detectDrift,
   checkCCCompat,
   setFingerprintCaptureTestOverridesForTest,
   resetFingerprintCaptureForTest
 };
-//# sourceMappingURL=chunk-2SN3UVSM.js.map
+//# sourceMappingURL=chunk-5PQ3VP24.js.map