opencode-anthropic-multi-account 0.2.3 → 0.2.5

package/dist/index.js

@@ -1,5 +1,4 @@
 // src/index.ts
-import { AnthropicAuthPlugin as AnthropicAuthPlugin2 } from "opencode-anthropic-auth";
 import { tool } from "@opencode-ai/plugin";
 
 // ../multi-account-core/src/account-manager.ts
@@ -85,6 +84,23 @@ var PluginConfigSchema = v.object({
   quiet_mode: v.optional(v.boolean(), false),
   debug: v.optional(v.boolean(), false)
 });
+var TokenRefreshError = class _TokenRefreshError extends Error {
+  status;
+  permanent;
+  constructor(permanent, status) {
+    super(status === void 0 ? "Token refresh failed" : `Token refresh failed: ${status}`);
+    this.name = "TokenRefreshError";
+    this.status = status;
+    this.permanent = permanent;
+    Object.setPrototypeOf(this, _TokenRefreshError.prototype);
+  }
+};
+function isTokenRefreshError(error) {
+  if (error instanceof TokenRefreshError) return true;
+  if (!(error instanceof Error)) return false;
+  const candidate = error;
+  return candidate.name === "TokenRefreshError" && typeof candidate.permanent === "boolean" && (candidate.status === void 0 || typeof candidate.status === "number");
+}
 
 // ../multi-account-core/src/config.ts
 var DEFAULT_CONFIG_FILENAME = "multiauth-config.json";
@@ -225,6 +241,14 @@ function createMinimalClient() {
     }
   };
 }
+function getClearedOAuthBody() {
+  return {
+    type: "oauth",
+    refresh: "",
+    access: "",
+    expires: 0
+  };
+}
 
 // ../multi-account-core/src/claims.ts
 var CLAIMS_FILENAME = "multiauth-claims.json";
@@ -648,13 +672,7 @@ function createAccountManagerForProvider(dependencies) {
       });
     }
     async markRevoked(uuid) {
-      await this.store.mutateAccount(uuid, (account) => {
-        account.isAuthDisabled = true;
-        account.authDisabledReason = "OAuth token revoked (403)";
-        account.accessToken = void 0;
-        account.expiresAt = void 0;
-      });
-      this.runtimeFactory?.invalidate(uuid);
+      await this.removeAccountByUuid(uuid);
     }
     async markSuccess(uuid) {
       this.last429Map.delete(uuid);
@@ -677,15 +695,32 @@ function createAccountManagerForProvider(dependencies) {
       }).catch(() => {
       });
     }
+    async clearOpenCodeAuthIfNoAccountsRemain() {
+      if (!this.client) return;
+      const storage = await this.store.load();
+      if (storage.accounts.length > 0) return;
+      await this.client.auth.set({
+        path: { id: providerAuthId },
+        body: getClearedOAuthBody()
+      }).catch(() => {
+      });
+    }
+    async removeAccountByUuid(uuid) {
+      const removed = await this.store.removeAccount(uuid);
+      if (!removed) return;
+      this.last429Map.delete(uuid);
+      this.runtimeFactory?.invalidate(uuid);
+      await this.refresh();
+      await this.clearOpenCodeAuthIfNoAccountsRemain();
+    }
     async markAuthFailure(uuid, result) {
+      if (!result.ok && result.permanent) {
+        await this.removeAccountByUuid(uuid);
+        return;
+      }
       await this.store.mutateStorage((storage) => {
         const account = storage.accounts.find((entry) => entry.uuid === uuid);
         if (!account) return;
-        if (!result.ok && result.permanent) {
-          account.isAuthDisabled = true;
-          account.authDisabledReason = "Token permanently rejected (400/401/403)";
-          return;
-        }
         account.consecutiveAuthFailures = (account.consecutiveAuthFailures ?? 0) + 1;
         const maxFailures = getConfig().max_consecutive_auth_failures;
         const usableCount = storage.accounts.filter(
@@ -782,11 +817,21 @@ function createAccountManagerForProvider(dependencies) {
       this.cached = [];
       this.activeAccountUuid = void 0;
     }
-    async addAccount(auth) {
+    async addAccount(auth, email) {
       if (!auth.refresh) return;
-      const existing = this.cached.find((account) => account.refreshToken === auth.refresh);
-      if (existing) return;
+      const existingByToken = this.cached.find((account) => account.refreshToken === auth.refresh);
+      if (existingByToken) return;
+      if (email) {
+        const existingByEmail = this.cached.find(
+          (account) => account.email && account.email === email
+        );
+        if (existingByEmail?.uuid) {
+          await this.replaceAccountCredentials(existingByEmail.uuid, auth);
+          return;
+        }
+      }
       const newAccount = this.createNewAccount(auth, Date.now());
+      if (email) newAccount.email = email;
       await this.store.addAccount(newAccount);
       this.activeAccountUuid = newAccount.uuid;
       await this.store.setActiveUuid(newAccount.uuid);
@@ -1112,7 +1157,6 @@ var MAX_SERVER_RETRIES_PER_ATTEMPT = 2;
 var MAX_RESOLVE_ATTEMPTS = 10;
 var SERVER_RETRY_BASE_MS = 1e3;
 var SERVER_RETRY_MAX_MS = 4e3;
-var PERMANENT_AUTH_FAILURE_STATUSES = /* @__PURE__ */ new Set([400, 401, 403]);
 function isAbortError(error) {
   return error instanceof Error && error.name === "AbortError";
 }
@@ -1126,80 +1170,49 @@ function createExecutorForProvider(providerName, dependencies) {
   } = dependencies;
   async function executeWithAccountRotation2(manager, runtimeFactory, client, input, init) {
     const maxRetries = Math.max(MIN_MAX_RETRIES, manager.getAccountCount() * RETRIES_PER_ACCOUNT);
-    let retries = 0;
     let previousAccountUuid;
-    while (true) {
-      if (++retries > maxRetries) {
-        throw new Error(
-          `Exhausted ${maxRetries} retries across all accounts. All attempts failed due to auth errors, rate limits, or token issues.`
-        );
-      }
-      await manager.refresh();
-      const account = await resolveAccount(manager, client);
-      const accountUuid = account.uuid;
-      if (!accountUuid) continue;
-      if (previousAccountUuid && accountUuid !== previousAccountUuid && manager.getAccountCount() > 1) {
-        void showToast2(client, `Switched to ${getAccountLabel2(account)}`, "info");
-      }
-      previousAccountUuid = accountUuid;
-      let runtime;
-      let response;
-      try {
-        runtime = await runtimeFactory.getRuntime(accountUuid);
-        response = await runtime.fetch(input, init);
-      } catch (error) {
-        if (isAbortError(error)) throw error;
-        if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
-          continue;
+    async function retryServerErrors(account, runtime) {
+      for (let attempt = 0; attempt < MAX_SERVER_RETRIES_PER_ATTEMPT; attempt++) {
+        const backoff = Math.min(SERVER_RETRY_BASE_MS * 2 ** attempt, SERVER_RETRY_MAX_MS);
+        const jitteredBackoff = backoff * (0.5 + Math.random() * 0.5);
+        await sleep2(jitteredBackoff);
+        let retryResponse;
+        try {
+          retryResponse = await runtime.fetch(input, init);
+        } catch (error) {
+          if (isAbortError(error)) throw error;
+          if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
+            return null;
+          }
+          void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
+          return null;
         }
-        void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
-        continue;
+        if (retryResponse.status < 500) return retryResponse;
       }
+      return null;
+    }
+    const dispatchResponseStatus = async (account, accountUuid, runtime, response, allow401Retry, from401RefreshRetry) => {
       if (response.status >= 500) {
-        let serverResponse = response;
-        let networkErrorDuringServerRetry = false;
-        let authFailureDuringServerRetry = false;
-        for (let attempt = 0; attempt < MAX_SERVER_RETRIES_PER_ATTEMPT; attempt++) {
-          const backoff = Math.min(SERVER_RETRY_BASE_MS * 2 ** attempt, SERVER_RETRY_MAX_MS);
-          const jitteredBackoff = backoff * (0.5 + Math.random() * 0.5);
-          await sleep2(jitteredBackoff);
+        const recovered = await retryServerErrors(account, runtime);
+        if (recovered === null) {
+          return { type: "retryOuter" };
+        }
+        response = recovered;
+      }
+      if (response.status === 401) {
+        if (allow401Retry) {
+          runtimeFactory.invalidate(accountUuid);
           try {
-            serverResponse = await runtime.fetch(input, init);
+            const retryRuntime = await runtimeFactory.getRuntime(accountUuid);
+            const retryResponse = await retryRuntime.fetch(input, init);
+            return dispatchResponseStatus(account, accountUuid, retryRuntime, retryResponse, false, true);
           } catch (error) {
             if (isAbortError(error)) throw error;
             if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
-              authFailureDuringServerRetry = true;
-              break;
+              return { type: "retryOuter" };
             }
-            networkErrorDuringServerRetry = true;
-            void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
-            break;
-          }
-          if (serverResponse.status < 500) break;
-        }
-        if (authFailureDuringServerRetry) {
-          continue;
-        }
-        if (networkErrorDuringServerRetry || serverResponse.status >= 500) {
-          continue;
-        }
-        response = serverResponse;
-      }
-      if (response.status === 401) {
-        runtimeFactory.invalidate(accountUuid);
-        try {
-          const retryRuntime = await runtimeFactory.getRuntime(accountUuid);
-          const retryResponse = await retryRuntime.fetch(input, init);
-          if (retryResponse.status !== 401) {
-            await manager.markSuccess(accountUuid);
-            return retryResponse;
-          }
-        } catch (error) {
-          if (isAbortError(error)) throw error;
-          if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
-            continue;
+            return { type: "retryOuter" };
           }
-          continue;
         }
         await manager.markAuthFailure(accountUuid, { ok: false, permanent: false });
         await manager.refresh();
@@ -1210,7 +1223,7 @@ function createExecutorForProvider(providerName, dependencies) {
           );
         }
         void showToast2(client, `${getAccountLabel2(account)} auth failed \u2014 switching to next account.`, "warning");
-        continue;
+        return { type: "retryOuter" };
       }
       if (response.status === 403) {
         const revoked = await isRevokedTokenResponse(response);
@@ -1227,26 +1240,62 @@ function createExecutorForProvider(providerName, dependencies) {
               `All ${providerName} accounts have been revoked or disabled. Re-authenticate with \`opencode auth login\`.`
             );
           }
-          continue;
+          return { type: "retryOuter" };
+        }
+        if (from401RefreshRetry) {
+          return { type: "handled", response };
         }
       }
       if (response.status === 429) {
         await handleRateLimitResponse2(manager, client, account, response);
+        return { type: "handled" };
+      }
+      return { type: "success", response };
+    };
+    for (let retries = 1; retries <= maxRetries; retries++) {
+      await manager.refresh();
+      const account = await resolveAccount(manager, client);
+      const accountUuid = account.uuid;
+      if (!accountUuid) continue;
+      if (previousAccountUuid && accountUuid !== previousAccountUuid && manager.getAccountCount() > 1) {
+        void showToast2(client, `Switched to ${getAccountLabel2(account)}`, "info");
+      }
+      previousAccountUuid = accountUuid;
+      let runtime;
+      let response;
+      try {
+        runtime = await runtimeFactory.getRuntime(accountUuid);
+        response = await runtime.fetch(input, init);
+      } catch (error) {
+        if (isAbortError(error)) throw error;
+        if (await handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error)) {
+          continue;
+        }
+        void showToast2(client, `${getAccountLabel2(account)} network error \u2014 switching`, "warning");
+        continue;
+      }
+      const transition = await dispatchResponseStatus(account, accountUuid, runtime, response, true, false);
+      if (transition.type === "retryOuter" || transition.type === "handled") {
+        if (transition.type === "handled" && transition.response) {
+          return transition.response;
+        }
         continue;
       }
       await manager.markSuccess(accountUuid);
-      return response;
+      return transition.response;
     }
+    throw new Error(
+      `Exhausted ${maxRetries} retries across all accounts. All attempts failed due to auth errors, rate limits, or token issues.`
+    );
   }
   async function handleRuntimeFetchFailure(manager, runtimeFactory, client, account, error) {
-    const refreshFailureStatus = getRefreshFailureStatus(error);
-    if (refreshFailureStatus === void 0) return false;
+    if (!isTokenRefreshError(error)) return false;
     if (!account.uuid) return false;
     const accountUuid = account.uuid;
     runtimeFactory.invalidate(accountUuid);
     await manager.markAuthFailure(accountUuid, {
       ok: false,
-      permanent: PERMANENT_AUTH_FAILURE_STATUSES.has(refreshFailureStatus)
+      permanent: error.permanent
     });
     await manager.refresh();
     if (!manager.hasAnyUsableAccount()) {
@@ -1291,13 +1340,6 @@ function createExecutorForProvider(providerName, dependencies) {
     executeWithAccountRotation: executeWithAccountRotation2
   };
 }
-function getRefreshFailureStatus(error) {
-  if (!(error instanceof Error)) return void 0;
-  const matched = error.message.match(/Token refresh failed:\s*(\d{3})/);
-  if (!matched) return void 0;
-  const status = Number(matched[1]);
-  return Number.isFinite(status) ? status : void 0;
-}
 async function isRevokedTokenResponse(response) {
   try {
     const cloned = response.clone();
@@ -1312,6 +1354,7 @@ async function isRevokedTokenResponse(response) {
 var INITIAL_DELAY_MS = 5e3;
 function createProactiveRefreshQueueForProvider(dependencies) {
   const {
+    providerAuthId,
     getConfig: getConfig2,
     refreshToken: refreshToken2,
     isTokenExpired: isTokenExpired2,
@@ -1330,6 +1373,10 @@ function createProactiveRefreshQueueForProvider(dependencies) {
       const config = getConfig2();
       if (!config.proactive_refresh) return;
       this.runToken++;
+      if (this.timeoutHandle) {
+        clearTimeout(this.timeoutHandle);
+        this.timeoutHandle = null;
+      }
       this.scheduleNext(this.runToken, INITIAL_DELAY_MS);
       debugLog2(this.client, "Proactive refresh started", {
         intervalSeconds: config.proactive_refresh_interval_seconds,
@@ -1404,23 +1451,41 @@ function createProactiveRefreshQueueForProvider(dependencies) {
     }
     async persistFailure(account, permanent) {
       try {
-        await this.store.mutateAccount(account.uuid, (target) => {
-          if (permanent) {
+        const accountUuid = account.uuid;
+        if (!accountUuid) return;
+        if (permanent) {
+          const removed = await this.store.removeAccount(accountUuid);
+          if (!removed) return;
+          this.onInvalidate?.(accountUuid);
+          await this.clearOpenCodeAuthIfNoAccountsRemain();
+          return;
+        }
+        await this.store.mutateStorage((storage) => {
+          const target = storage.accounts.find((entry) => entry.uuid === accountUuid);
+          if (!target) return;
+          target.consecutiveAuthFailures = (target.consecutiveAuthFailures ?? 0) + 1;
+          const maxFailures = getConfig2().max_consecutive_auth_failures;
+          const usableCount = storage.accounts.filter(
+            (entry) => entry.enabled && !entry.isAuthDisabled && entry.uuid !== accountUuid
+          ).length;
+          if (target.consecutiveAuthFailures >= maxFailures && usableCount > 0) {
             target.isAuthDisabled = true;
-            target.authDisabledReason = "Token permanently rejected (proactive refresh)";
-          } else {
-            target.consecutiveAuthFailures = (target.consecutiveAuthFailures ?? 0) + 1;
-            const maxFailures = getConfig2().max_consecutive_auth_failures;
-            if (target.consecutiveAuthFailures >= maxFailures) {
-              target.isAuthDisabled = true;
-              target.authDisabledReason = `${maxFailures} consecutive auth failures (proactive refresh)`;
-            }
+            target.authDisabledReason = `${maxFailures} consecutive auth failures (proactive refresh)`;
           }
         });
       } catch {
         debugLog2(this.client, `Failed to persist auth failure for ${account.uuid}`);
       }
     }
+    async clearOpenCodeAuthIfNoAccountsRemain() {
+      const storage = await this.store.load();
+      if (storage.accounts.length > 0) return;
+      await this.client.auth.set({
+        path: { id: providerAuthId },
+        body: getClearedOAuthBody()
+      }).catch(() => {
+      });
+    }
   };
 }
 
@@ -1769,6 +1834,8 @@ var anthropicOAuthAdapter = {
   oauthBetaHeader: "oauth-2025-04-20",
   requestBetaHeader: "oauth-2025-04-20,interleaved-thinking-2025-05-14",
   cliUserAgent: "claude-cli/2.1.2 (external, cli)",
+  cliVersion: "2.1.80",
+  billingSalt: "59cf53e54c78",
   toolPrefix: "mcp_",
   accountStorageFilename: "anthropic-multi-account-accounts.json",
   transform: {
@@ -1785,6 +1852,336 @@ var anthropicOAuthAdapter = {
   supported: true
 };
 
+// ../multi-account-core/src/pool-types.ts
+import * as v5 from "valibot";
+var PoolConfigSchema = v5.object({
+  name: v5.string(),
+  baseProvider: v5.string(),
+  members: v5.array(v5.string()),
+  enabled: v5.boolean()
+});
+var ChainEntryConfigSchema = v5.object({
+  pool: v5.string(),
+  model: v5.optional(v5.string()),
+  enabled: v5.boolean()
+});
+var ChainConfigSchema = v5.object({
+  name: v5.string(),
+  entries: v5.array(ChainEntryConfigSchema),
+  enabled: v5.boolean()
+});
+var PoolChainConfigSchema = v5.object({
+  pools: v5.optional(v5.array(PoolConfigSchema), []),
+  chains: v5.optional(v5.array(ChainConfigSchema), [])
+});
+
+// ../multi-account-core/src/pool-config-store.ts
+import { promises as fs6 } from "node:fs";
+import { dirname as dirname5, join as join7 } from "node:path";
+import lockfile2 from "proper-lockfile";
+import * as v6 from "valibot";
+var POOL_CONFIG_FILENAME = "multiauth-pools.json";
+function createEmptyConfig() {
+  return { pools: [], chains: [] };
+}
+function getGlobalConfigPath() {
+  return join7(getConfigDir2(), POOL_CONFIG_FILENAME);
+}
+async function resolveConfigPath() {
+  const projectPath = join7(process.cwd(), ".opencode", POOL_CONFIG_FILENAME);
+  try {
+    await fs6.access(projectPath);
+    return projectPath;
+  } catch {
+  }
+  return getGlobalConfigPath();
+}
+function parsePoolChainConfig(content) {
+  let parsed;
+  try {
+    parsed = JSON.parse(content);
+  } catch {
+    return null;
+  }
+  const validation = v6.safeParse(PoolChainConfigSchema, parsed);
+  return validation.success ? validation.output : null;
+}
+async function loadPoolChainConfig() {
+  const path = await resolveConfigPath();
+  try {
+    const content = await fs6.readFile(path, "utf-8");
+    return parsePoolChainConfig(content) ?? createEmptyConfig();
+  } catch {
+    return createEmptyConfig();
+  }
+}
+
+// ../multi-account-core/src/pool-manager.ts
+var DEFAULT_EXHAUSTED_COOLDOWN_MS = 5 * 60 * 1e3;
+var PoolManager = class {
+  poolsByName = /* @__PURE__ */ new Map();
+  exhaustedUntilByAccount = /* @__PURE__ */ new Map();
+  exhaustedCooldownMs;
+  constructor(options) {
+    this.exhaustedCooldownMs = options?.exhaustedCooldownMs ?? DEFAULT_EXHAUSTED_COOLDOWN_MS;
+  }
+  loadPools(configs) {
+    this.poolsByName.clear();
+    for (const pool of configs) {
+      this.poolsByName.set(pool.name, pool);
+    }
+  }
+  getPoolForAccount(accountUuid) {
+    for (const pool of this.poolsByName.values()) {
+      if (!pool.enabled) continue;
+      if (pool.members.includes(accountUuid)) return pool;
+    }
+    return null;
+  }
+  getAvailableMembers(pool, accountManager) {
+    if (!pool.enabled) return [];
+    this.clearExpiredExhausted();
+    const accountsByUuid = /* @__PURE__ */ new Map();
+    for (const account of accountManager.getAccounts()) {
+      if (!account.uuid) continue;
+      accountsByUuid.set(account.uuid, account);
+    }
+    return pool.members.filter((accountUuid) => {
+      const account = accountsByUuid.get(accountUuid);
+      if (!account) return false;
+      if (!account.enabled || account.isAuthDisabled) return false;
+      if (this.isExhausted(accountUuid)) return false;
+      if (accountManager.isRateLimited(account)) return false;
+      return true;
+    });
+  }
+  markExhausted(accountUuid) {
+    this.exhaustedUntilByAccount.set(accountUuid, Date.now() + this.exhaustedCooldownMs);
+  }
+  async getNextMember(pool, currentUuid, accountManager) {
+    const availableMembers = this.getAvailableMembers(pool, accountManager);
+    if (availableMembers.length === 0) return null;
+    const excluded = /* @__PURE__ */ new Set();
+    if (currentUuid) excluded.add(currentUuid);
+    const preferred = await this.selectPreferredMember(availableMembers, excluded, accountManager);
+    if (preferred) return preferred;
+    for (const candidate of availableMembers) {
+      if (candidate !== currentUuid) return candidate;
+    }
+    return null;
+  }
+  async buildFailoverPlan(currentAccount, config, accountManager, options) {
+    this.loadPools(config.pools ?? []);
+    if ((config.pools?.length ?? 0) === 0 && (config.chains?.length ?? 0) === 0) {
+      return { candidates: [], skips: [] };
+    }
+    const attemptedAccounts = options?.attemptedAccounts ?? /* @__PURE__ */ new Set();
+    const visitedChainIndexes = options?.visitedChainIndexes ?? /* @__PURE__ */ new Set();
+    const currentUuid = currentAccount?.uuid;
+    const candidates = [];
+    const skips = [];
+    const addedCandidateUuids = /* @__PURE__ */ new Set();
+    const appendPoolCandidates = async (poolName, source, chainIndex) => {
+      const pool = this.poolsByName.get(poolName);
+      if (!pool || !pool.enabled) {
+        skips.push({
+          type: "chain_disabled",
+          poolName,
+          reason: "Pool is missing or disabled"
+        });
+        return;
+      }
+      const available = this.getAvailableMembers(pool, accountManager);
+      if (available.length === 0) {
+        skips.push({
+          type: "pool_exhausted",
+          poolName,
+          reason: "No available members"
+        });
+        return;
+      }
+      const poolExclusions = /* @__PURE__ */ new Set();
+      if (currentUuid) poolExclusions.add(currentUuid);
+      while (poolExclusions.size < available.length + (currentUuid ? 1 : 0)) {
+        const nextMember = await this.selectPreferredMember(available, poolExclusions, accountManager);
+        if (!nextMember) break;
+        poolExclusions.add(nextMember);
+        if (attemptedAccounts.has(nextMember)) {
+          skips.push({
+            type: "account_attempted",
+            poolName,
+            reason: "Already attempted in this cascade",
+            detail: nextMember
+          });
+          continue;
+        }
+        if (addedCandidateUuids.has(nextMember)) continue;
+        candidates.push({
+          poolName,
+          accountUuid: nextMember,
+          source,
+          chainIndex
+        });
+        addedCandidateUuids.add(nextMember);
+      }
+      for (const memberUuid of available) {
+        if (poolExclusions.has(memberUuid)) continue;
+        if (attemptedAccounts.has(memberUuid)) {
+          skips.push({
+            type: "account_attempted",
+            poolName,
+            reason: "Already attempted in this cascade",
+            detail: memberUuid
+          });
+          continue;
+        }
+        if (addedCandidateUuids.has(memberUuid)) continue;
+        candidates.push({
+          poolName,
+          accountUuid: memberUuid,
+          source,
+          chainIndex
+        });
+        addedCandidateUuids.add(memberUuid);
+      }
+    };
+    if (currentUuid) {
+      const currentPool = this.getPoolForAccount(currentUuid);
+      if (currentPool) {
+        await appendPoolCandidates(currentPool.name, "pool");
+      }
+    }
+    let flattenedChainIndex = 0;
+    for (const chain of config.chains ?? []) {
+      if (!chain.enabled) {
+        for (let i = 0; i < chain.entries.length; i++) {
+          skips.push({
+            type: "chain_disabled",
+            poolName: chain.entries[i]?.pool ?? chain.name,
+            reason: `Chain '${chain.name}' is disabled`
+          });
+          flattenedChainIndex += 1;
+        }
+        continue;
+      }
+      for (const entry of chain.entries) {
+        if (visitedChainIndexes.has(flattenedChainIndex)) {
+          skips.push({
+            type: "chain_disabled",
+            poolName: entry.pool,
+            reason: "Chain entry already visited in this cascade",
+            detail: `${flattenedChainIndex}`
+          });
+          flattenedChainIndex += 1;
+          continue;
+        }
+        if (!entry.enabled) {
+          skips.push({
+            type: "chain_disabled",
+            poolName: entry.pool,
+            reason: "Chain entry is disabled",
+            detail: `${flattenedChainIndex}`
+          });
+          flattenedChainIndex += 1;
+          continue;
+        }
+        await appendPoolCandidates(entry.pool, "chain", flattenedChainIndex);
+        flattenedChainIndex += 1;
+      }
+    }
+    return { candidates, skips };
+  }
+  isExhausted(accountUuid) {
+    const exhaustedUntil = this.exhaustedUntilByAccount.get(accountUuid);
+    if (!exhaustedUntil) return false;
+    if (Date.now() >= exhaustedUntil) {
+      this.exhaustedUntilByAccount.delete(accountUuid);
+      return false;
+    }
+    return true;
+  }
+  clearExpiredExhausted() {
+    const now = Date.now();
+    for (const [accountUuid, exhaustedUntil] of this.exhaustedUntilByAccount.entries()) {
+      if (now >= exhaustedUntil) this.exhaustedUntilByAccount.delete(accountUuid);
+    }
+  }
+  async selectPreferredMember(availableMembers, excludedMembers, accountManager) {
+    const availableSet = new Set(availableMembers);
+    const maxAttempts = Math.max(availableMembers.length * 2, 6);
+    for (let attempt = 0; attempt < maxAttempts; attempt++) {
+      const selected = await accountManager.selectAccount();
+      if (!selected?.uuid) continue;
+      if (!availableSet.has(selected.uuid)) continue;
+      if (excludedMembers.has(selected.uuid)) continue;
+      return selected.uuid;
+    }
+    for (const memberUuid of availableMembers) {
+      if (!excludedMembers.has(memberUuid)) return memberUuid;
+    }
+    return null;
+  }
+};
+
+// ../multi-account-core/src/cascade-state.ts
+function createCascadeState(prompt, currentAccountUuid) {
+  const attemptedAccounts = /* @__PURE__ */ new Set();
+  if (currentAccountUuid) {
+    attemptedAccounts.add(currentAccountUuid);
+  }
+  return {
+    prompt,
+    attemptedAccounts,
+    visitedChainIndexes: /* @__PURE__ */ new Set()
+  };
+}
+var CascadeStateManager = class {
+  suppressNextStartTurn = false;
+  cascadeState = null;
+  startTurn(prompt, currentAccountUuid) {
+    if (this.suppressNextStartTurn) {
+      this.suppressNextStartTurn = false;
+      return this.ensureCascadeState(prompt, currentAccountUuid);
+    }
+    const shouldReset = !this.cascadeState || this.cascadeState.prompt !== prompt;
+    if (shouldReset) {
+      this.cascadeState = createCascadeState(prompt, currentAccountUuid);
+      return this.cascadeState;
+    }
+    return this.ensureCascadeState(prompt, currentAccountUuid);
+  }
+  ensureCascadeState(prompt, currentAccountUuid) {
+    if (!this.cascadeState || this.cascadeState.prompt !== prompt) {
+      this.cascadeState = createCascadeState(prompt, currentAccountUuid);
+      return this.cascadeState;
+    }
+    if (currentAccountUuid) {
+      this.cascadeState.attemptedAccounts.add(currentAccountUuid);
+    }
+    return this.cascadeState;
+  }
+  markAttempted(accountUuid) {
+    if (!this.cascadeState) return;
+    this.cascadeState.attemptedAccounts.add(accountUuid);
+  }
+  markVisitedChainIndex(index) {
+    if (!this.cascadeState) return;
+    this.cascadeState.visitedChainIndexes.add(index);
+  }
+  clearCascadeState() {
+    this.cascadeState = null;
+    this.suppressNextStartTurn = false;
+  }
+  getSnapshot() {
+    if (!this.cascadeState) return null;
+    return {
+      prompt: this.cascadeState.prompt,
+      attemptedAccounts: new Set(this.cascadeState.attemptedAccounts),
+      visitedChainIndexes: new Set(this.cascadeState.visitedChainIndexes)
+    };
+  }
+};
+
 // src/constants.ts
 var ANTHROPIC_OAUTH_ADAPTER = anthropicOAuthAdapter;
 var ANTHROPIC_CLIENT_ID = ANTHROPIC_OAUTH_ADAPTER.oauthClientId;
@@ -1799,182 +2196,199 @@ var PLAN_LABELS = ANTHROPIC_OAUTH_ADAPTER.planLabels;
 var TOKEN_EXPIRY_BUFFER_MS = 6e4;
 var TOKEN_REFRESH_TIMEOUT_MS = 3e4;
 
-// src/token.ts
-import * as v6 from "valibot";
+// src/pi-ai-adapter.ts
+import { AsyncLocalStorage } from "node:async_hooks";
+import * as piAiOauth from "@mariozechner/pi-ai/oauth";
 
-// src/types.ts
-import * as v5 from "valibot";
-var OAuthCredentialsSchema2 = v5.object({
-  type: v5.literal("oauth"),
-  refresh: v5.string(),
-  access: v5.string(),
-  expires: v5.number()
+// src/token-node-request.ts
+import * as childProcess from "node:child_process";
+function buildNodeTokenRequestScript() {
+  return `
+const https = require("node:https");
+const endpoint = process.env.ANTHROPIC_REFRESH_ENDPOINT;
+const timeoutMs = Number(process.env.ANTHROPIC_REFRESH_TIMEOUT_MS || "30000");
+const payload = process.env.ANTHROPIC_REFRESH_REQUEST_BODY || "";
+
+function printSuccess(body) {
+  console.log(JSON.stringify({ ok: true, body }));
+}
+
+function printFailure(error) {
+  console.log(JSON.stringify({ ok: false, ...error }));
+}
+
+const request = https.request(endpoint, {
+  method: "POST",
+  headers: {
+    "Content-Type": "application/json",
+    Accept: "application/json",
+    "Content-Length": Buffer.byteLength(payload).toString(),
+  },
+}, (response) => {
+  let body = "";
+  response.setEncoding("utf8");
+  response.on("data", (chunk) => {
+    body += chunk;
+  });
+  response.on("end", () => {
+    const status = response.statusCode ?? 0;
+    if (status < 200 || status >= 300) {
+      printFailure({ status, body });
+      return;
+    }
+
+    printSuccess(body);
+  });
 });
-var UsageLimitEntrySchema2 = v5.object({
-  utilization: v5.number(),
-  resets_at: v5.nullable(v5.string())
+
+request.setTimeout(timeoutMs, () => {
+  request.destroy(new Error("Request timed out after " + timeoutMs + "ms"));
 });
-var UsageLimitsSchema2 = v5.object({
-  five_hour: v5.optional(v5.nullable(UsageLimitEntrySchema2), null),
-  seven_day: v5.optional(v5.nullable(UsageLimitEntrySchema2), null),
-  seven_day_sonnet: v5.optional(v5.nullable(UsageLimitEntrySchema2), null)
+
+request.on("error", (error) => {
+  printFailure({ error: error instanceof Error ? error.name + ": " + error.message : String(error) });
 });
-var CredentialRefreshPatchSchema2 = v5.object({
-  accessToken: v5.string(),
-  expiresAt: v5.number(),
-  refreshToken: v5.optional(v5.string()),
-  uuid: v5.optional(v5.string()),
-  email: v5.optional(v5.string())
+
+request.write(payload);
+request.end();
+`;
+}
+async function defaultRunNodeTokenRequest(options) {
+  const script = buildNodeTokenRequestScript();
+  return await new Promise((resolve, reject) => {
+    childProcess.execFile(
+      options.executable,
+      ["-e", script],
+      {
+        timeout: options.timeoutMs + 1e3,
+        maxBuffer: 1024 * 1024,
+        env: {
+          ...process.env,
+          ANTHROPIC_REFRESH_ENDPOINT: options.endpoint,
+          ANTHROPIC_REFRESH_REQUEST_BODY: options.body,
+          ANTHROPIC_REFRESH_TIMEOUT_MS: String(options.timeoutMs)
+        }
+      },
+      (error, stdout, stderr) => {
+        const trimmedStdout = stdout.trim();
+        if (error) {
+          reject(new Error(stderr.trim() || error.message));
+          return;
+        }
+        if (!trimmedStdout) {
+          reject(new Error("Empty response from Node refresh helper"));
+          return;
+        }
+        resolve(trimmedStdout);
+      }
+    );
+  });
+}
+var nodeTokenRequestRunner = defaultRunNodeTokenRequest;
+async function runNodeTokenRequest(options) {
+  return await nodeTokenRequestRunner(options);
+}
+
+// src/config.ts
+initCoreConfig("claude-multiauth.json");
+
+// src/utils.ts
+setConfigGetter(getConfig);
+
+// src/usage.ts
+import * as v8 from "valibot";
+
+// src/types.ts
+import * as v7 from "valibot";
+var OAuthCredentialsSchema2 = v7.object({
+  type: v7.literal("oauth"),
+  refresh: v7.string(),
+  access: v7.string(),
+  expires: v7.number()
 });
-var StoredAccountSchema2 = v5.object({
-  uuid: v5.optional(v5.string()),
-  label: v5.optional(v5.string()),
-  email: v5.optional(v5.string()),
-  planTier: v5.optional(v5.string(), ""),
-  refreshToken: v5.string(),
-  accessToken: v5.optional(v5.string()),
-  expiresAt: v5.optional(v5.number()),
-  addedAt: v5.number(),
-  lastUsed: v5.number(),
-  enabled: v5.optional(v5.boolean(), true),
-  rateLimitResetAt: v5.optional(v5.number()),
-  cachedUsage: v5.optional(UsageLimitsSchema2),
-  cachedUsageAt: v5.optional(v5.number()),
-  consecutiveAuthFailures: v5.optional(v5.number(), 0),
-  isAuthDisabled: v5.optional(v5.boolean(), false),
-  authDisabledReason: v5.optional(v5.string())
+var UsageLimitEntrySchema2 = v7.object({
+  utilization: v7.number(),
+  resets_at: v7.nullable(v7.string())
 });
-var AccountStorageSchema2 = v5.object({
-  version: v5.literal(1),
-  accounts: v5.optional(v5.array(StoredAccountSchema2), []),
-  activeAccountUuid: v5.optional(v5.string())
+var UsageLimitsSchema2 = v7.object({
+  five_hour: v7.optional(v7.nullable(UsageLimitEntrySchema2), null),
+  seven_day: v7.optional(v7.nullable(UsageLimitEntrySchema2), null),
+  seven_day_sonnet: v7.optional(v7.nullable(UsageLimitEntrySchema2), null)
 });
-var TokenResponseSchema = v5.object({
-  access_token: v5.string(),
-  refresh_token: v5.optional(v5.string()),
-  expires_in: v5.number(),
-  account: v5.optional(v5.object({
-    uuid: v5.optional(v5.string()),
-    email_address: v5.optional(v5.string())
+var CredentialRefreshPatchSchema2 = v7.object({
+  accessToken: v7.string(),
+  expiresAt: v7.number(),
+  refreshToken: v7.optional(v7.string()),
+  uuid: v7.optional(v7.string()),
+  email: v7.optional(v7.string())
+});
+var StoredAccountSchema2 = v7.object({
+  uuid: v7.optional(v7.string()),
+  label: v7.optional(v7.string()),
+  email: v7.optional(v7.string()),
+  planTier: v7.optional(v7.string(), ""),
+  refreshToken: v7.string(),
+  accessToken: v7.optional(v7.string()),
+  expiresAt: v7.optional(v7.number()),
+  addedAt: v7.number(),
+  lastUsed: v7.number(),
+  enabled: v7.optional(v7.boolean(), true),
+  rateLimitResetAt: v7.optional(v7.number()),
+  cachedUsage: v7.optional(UsageLimitsSchema2),
+  cachedUsageAt: v7.optional(v7.number()),
+  consecutiveAuthFailures: v7.optional(v7.number(), 0),
+  isAuthDisabled: v7.optional(v7.boolean(), false),
+  authDisabledReason: v7.optional(v7.string())
+});
+var AccountStorageSchema2 = v7.object({
+  version: v7.literal(1),
+  accounts: v7.optional(v7.array(StoredAccountSchema2), []),
+  activeAccountUuid: v7.optional(v7.string())
+});
+var TokenResponseSchema = v7.object({
+  access_token: v7.string(),
+  refresh_token: v7.optional(v7.string()),
+  expires_in: v7.number(),
+  account: v7.optional(v7.object({
+    uuid: v7.optional(v7.string()),
+    email_address: v7.optional(v7.string())
   }))
 });
-var AccountSelectionStrategySchema2 = v5.picklist(["sticky", "round-robin", "hybrid"]);
-var PluginConfigSchema2 = v5.object({
+var AccountSelectionStrategySchema2 = v7.picklist(["sticky", "round-robin", "hybrid"]);
+var PluginConfigSchema2 = v7.object({
   /** sticky: same account until failure, round-robin: rotate every request, hybrid: health+usage scoring */
-  account_selection_strategy: v5.optional(AccountSelectionStrategySchema2, "sticky"),
+  account_selection_strategy: v7.optional(AccountSelectionStrategySchema2, "sticky"),
   /** Use cross-process claim file to distribute parallel sessions across accounts */
-  cross_process_claims: v5.optional(v5.boolean(), true),
+  cross_process_claims: v7.optional(v7.boolean(), true),
   /** Skip account when any usage tier utilization >= this % (100 = disabled) */
-  soft_quota_threshold_percent: v5.optional(v5.pipe(v5.number(), v5.minValue(0), v5.maxValue(100)), 100),
+  soft_quota_threshold_percent: v7.optional(v7.pipe(v7.number(), v7.minValue(0), v7.maxValue(100)), 100),
   /** Minimum backoff after rate limit (ms) */
-  rate_limit_min_backoff_ms: v5.optional(v5.pipe(v5.number(), v5.minValue(0)), 3e4),
+  rate_limit_min_backoff_ms: v7.optional(v7.pipe(v7.number(), v7.minValue(0)), 3e4),
   /** Default retry-after when header is missing (ms) */
-  default_retry_after_ms: v5.optional(v5.pipe(v5.number(), v5.minValue(0)), 6e4),
+  default_retry_after_ms: v7.optional(v7.pipe(v7.number(), v7.minValue(0)), 6e4),
   /** Consecutive auth failures before disabling account */
-  max_consecutive_auth_failures: v5.optional(v5.pipe(v5.number(), v5.integer(), v5.minValue(1)), 3),
+  max_consecutive_auth_failures: v7.optional(v7.pipe(v7.number(), v7.integer(), v7.minValue(1)), 3),
   /** Backoff after token refresh failure (ms) */
-  token_failure_backoff_ms: v5.optional(v5.pipe(v5.number(), v5.minValue(0)), 3e4),
+  token_failure_backoff_ms: v7.optional(v7.pipe(v7.number(), v7.minValue(0)), 3e4),
   /** Enable proactive background token refresh */
-  proactive_refresh: v5.optional(v5.boolean(), true),
+  proactive_refresh: v7.optional(v7.boolean(), true),
   /** Seconds before expiry to trigger proactive refresh (default 30 min) */
-  proactive_refresh_buffer_seconds: v5.optional(v5.pipe(v5.number(), v5.minValue(60)), 1800),
+  proactive_refresh_buffer_seconds: v7.optional(v7.pipe(v7.number(), v7.minValue(60)), 1800),
   /** Interval between background refresh checks in seconds (default 5 min) */
-  proactive_refresh_interval_seconds: v5.optional(v5.pipe(v5.number(), v5.minValue(30)), 300),
+  proactive_refresh_interval_seconds: v7.optional(v7.pipe(v7.number(), v7.minValue(30)), 300),
   /** Suppress toast notifications */
-  quiet_mode: v5.optional(v5.boolean(), false),
+  quiet_mode: v7.optional(v7.boolean(), false),
   /** Enable debug logging */
-  debug: v5.optional(v5.boolean(), false)
-});
-
-// src/token.ts
-var PERMANENT_FAILURE_STATUSES = /* @__PURE__ */ new Set([400, 401, 403]);
-var refreshMutexByAccountId = /* @__PURE__ */ new Map();
-function isTokenExpired(account) {
-  if (!account.accessToken || !account.expiresAt) return true;
-  return account.expiresAt <= Date.now() + TOKEN_EXPIRY_BUFFER_MS;
-}
-async function refreshToken(currentRefreshToken, accountId, client) {
-  if (!currentRefreshToken) return { ok: false, permanent: true };
-  const inFlightRefresh = refreshMutexByAccountId.get(accountId);
-  if (inFlightRefresh) return inFlightRefresh;
-  const refreshPromise = (async () => {
-    const controller = new AbortController();
-    const timeout = setTimeout(() => controller.abort(), TOKEN_REFRESH_TIMEOUT_MS);
-    try {
-      const startTime = Date.now();
-      const response = await fetch(ANTHROPIC_TOKEN_ENDPOINT, {
-        method: "POST",
-        headers: { "Content-Type": "application/json" },
-        body: JSON.stringify({
-          grant_type: "refresh_token",
-          refresh_token: currentRefreshToken,
-          client_id: ANTHROPIC_CLIENT_ID
-        }),
-        signal: controller.signal
-      });
-      if (!response.ok) {
-        const isPermanent = PERMANENT_FAILURE_STATUSES.has(response.status);
-        await client.app.log({
-          body: {
-            service: ANTHROPIC_OAUTH_ADAPTER.serviceLogName,
-            level: isPermanent ? "error" : "warn",
-            message: `Token refresh failed: ${response.status}${isPermanent ? " (permanent)" : ""}`,
-            extra: { accountId }
-          }
-        }).catch(() => {
-        });
-        return { ok: false, permanent: isPermanent };
-      }
-      const json = v6.parse(TokenResponseSchema, await response.json());
-      const patch = {
-        accessToken: json.access_token,
-        expiresAt: startTime + json.expires_in * 1e3,
-        refreshToken: json.refresh_token,
-        uuid: json.account?.uuid,
-        email: json.account?.email_address
-      };
-      return { ok: true, patch };
-    } catch (error) {
-      await client.app.log({
-        body: {
-          service: ANTHROPIC_OAUTH_ADAPTER.serviceLogName,
-          level: "warn",
-          message: `Token refresh network error: ${error instanceof Error ? error.message : String(error)}`,
-          extra: { accountId }
-        }
-      }).catch(() => {
-      });
-      return { ok: false, permanent: false };
-    } finally {
-      clearTimeout(timeout);
-      refreshMutexByAccountId.delete(accountId);
-    }
-  })();
-  refreshMutexByAccountId.set(accountId, refreshPromise);
-  return refreshPromise;
-}
-
-// src/account-manager.ts
-var AccountManager = createAccountManagerForProvider({
-  providerAuthId: "anthropic",
-  isTokenExpired,
-  refreshToken
+  debug: v7.optional(v7.boolean(), false)
 });
 
-// src/config.ts
-initCoreConfig("claude-multiauth.json");
-
-// src/utils.ts
-setConfigGetter(getConfig);
-
 // src/usage.ts
-import * as v7 from "valibot";
 var OAUTH_BETA_HEADER = ANTHROPIC_OAUTH_ADAPTER.oauthBetaHeader;
-var ProfileResponseSchema = v7.object({
-  account: v7.object({
-    email: v7.optional(v7.string()),
-    has_claude_pro: v7.optional(v7.boolean(), false),
-    has_claude_max: v7.optional(v7.boolean(), false)
+var ProfileResponseSchema = v8.object({
+  account: v8.object({
+    email: v8.optional(v8.string()),
+    has_claude_pro: v8.optional(v8.boolean(), false),
+    has_claude_max: v8.optional(v8.boolean(), false)
   })
 });
 async function fetchUsage(accessToken) {
@@ -1989,7 +2403,7 @@ async function fetchUsage(accessToken) {
     if (!response.ok) {
       return { ok: false, reason: `HTTP ${response.status} ${response.statusText}` };
     }
-    const result = v7.safeParse(UsageLimitsSchema2, await response.json());
+    const result = v8.safeParse(UsageLimitsSchema2, await response.json());
     if (!result.success) {
       return { ok: false, reason: `Invalid response: ${result.issues[0]?.message ?? "unknown"}` };
     }
@@ -2011,7 +2425,7 @@ async function fetchProfile(accessToken) {
     if (!response.ok) {
       return { ok: false, reason: `HTTP ${response.status} ${response.statusText}` };
     }
-    const result = v7.safeParse(ProfileResponseSchema, await response.json());
+    const result = v8.safeParse(ProfileResponseSchema, await response.json());
     if (!result.success) {
       return { ok: false, reason: `Invalid response: ${result.issues[0]?.message ?? "unknown"}` };
     }
@@ -2047,6 +2461,220 @@ function getPlanLabel(account) {
   return PLAN_LABELS[account.planTier] ?? account.planTier.charAt(0).toUpperCase() + account.planTier.slice(1);
 }
 
+// src/pi-ai-adapter.ts
+function fromPiAiCredentials(creds) {
+  return {
+    accessToken: creds.access,
+    refreshToken: creds.refresh,
+    expiresAt: creds.expires
+  };
+}
+var ANTHROPIC_REFRESH_ENDPOINT = "https://platform.claude.com/v1/oauth/token";
+var REFRESH_NODE_EXECUTABLE = process.env.OPENCODE_REFRESH_NODE_EXECUTABLE || "node";
+var tokenProxyContext = new AsyncLocalStorage();
+var tokenProxyInstalled = false;
+var tokenProxyOriginalFetch = null;
+var refreshEndpointUrl = new URL(ANTHROPIC_REFRESH_ENDPOINT);
+function buildRefreshRequestError(details) {
+  return new Error(`Anthropic token refresh request failed. url=${ANTHROPIC_REFRESH_ENDPOINT}; details=${details}`);
+}
+function buildRefreshInvalidJsonError(body, details) {
+  return new Error(`Anthropic token refresh returned invalid JSON. url=${ANTHROPIC_REFRESH_ENDPOINT}; body=${body}; details=${details}`);
+}
+function getRequestUrlString(input) {
+  if (typeof input === "string") return input;
+  if (input instanceof URL) return input.toString();
+  return input.url;
+}
+function isAnthropicTokenEndpoint(input) {
+  const rawUrl = getRequestUrlString(input);
+  try {
+    const url = new URL(rawUrl);
+    return url.origin === refreshEndpointUrl.origin && url.pathname === refreshEndpointUrl.pathname;
+  } catch {
+    return rawUrl === ANTHROPIC_REFRESH_ENDPOINT;
+  }
+}
+function getRequestBodySource(input, init) {
+  if (init?.body !== void 0) {
+    return init.body;
+  }
+  if (input instanceof Request) {
+    return input.body;
+  }
+  return void 0;
+}
+function stringifyBinaryBody(body) {
+  if (body instanceof ArrayBuffer) {
+    return Buffer.from(body).toString("utf8");
+  }
+  return Buffer.from(body.buffer, body.byteOffset, body.byteLength).toString("utf8");
+}
+async function getRequestBody(input, init) {
+  const body = getRequestBodySource(input, init);
+  if (typeof body === "string") return body;
+  if (body instanceof URLSearchParams) return body.toString();
+  if (body instanceof Uint8Array || body instanceof ArrayBuffer || ArrayBuffer.isView(body)) {
+    return stringifyBinaryBody(body);
+  }
+  if (typeof Blob !== "undefined" && body instanceof Blob) return await body.text();
+  if (body instanceof ReadableStream) return await new Response(body).text();
+  if (input instanceof Request && init?.body === void 0) return await input.clone().text();
+  if (body == null) return "";
+  throw buildRefreshRequestError(`Unsupported token request body type: ${Object.prototype.toString.call(body)}`);
+}
+function getRequestMethod(input, init) {
+  return init?.method ?? (input instanceof Request ? input.method : "GET");
+}
+function shouldProxyTokenRequest(input) {
+  return tokenProxyContext.getStore() === true && isAnthropicTokenEndpoint(input);
+}
+async function postAnthropicTokenViaNode(body) {
+  let output;
+  try {
+    output = await runNodeTokenRequest({
+      body,
+      endpoint: ANTHROPIC_REFRESH_ENDPOINT,
+      executable: REFRESH_NODE_EXECUTABLE,
+      timeoutMs: TOKEN_REFRESH_TIMEOUT_MS
+    });
+  } catch (error) {
+    const details = error instanceof Error ? error.message : String(error);
+    throw buildRefreshRequestError(details);
+  }
+  let parsed;
+  try {
+    parsed = JSON.parse(output);
+  } catch (error) {
+    const details = error instanceof Error ? `${error.name}: ${error.message}` : String(error);
+    throw buildRefreshInvalidJsonError(output, details);
+  }
+  const result = parsed;
+  if (!result.ok) {
+    if (result.error) {
+      throw buildRefreshRequestError(result.error);
+    }
+    throw buildRefreshRequestError(`Error: HTTP request failed. status=${result.status ?? 0}; url=${ANTHROPIC_REFRESH_ENDPOINT}; body=${result.body ?? ""}`);
+  }
+  return new Response(result.body ?? "", {
+    status: 200,
+    headers: {
+      "content-type": "application/json"
+    }
+  });
+}
+function createAnthropicTokenProxyFetch(originalFetch) {
+  return (async (input, init) => {
+    if (!shouldProxyTokenRequest(input)) {
+      return originalFetch(input, init);
+    }
+    const method = getRequestMethod(input, init).toUpperCase();
+    if (method !== "POST") {
+      throw buildRefreshRequestError(`Unsupported token endpoint method: ${method}`);
+    }
+    return await postAnthropicTokenViaNode(await getRequestBody(input, init));
+  });
+}
+function ensureAnthropicTokenProxyFetchInstalled() {
+  if (tokenProxyInstalled) return;
+  tokenProxyOriginalFetch = globalThis.fetch;
+  globalThis.fetch = createAnthropicTokenProxyFetch(tokenProxyOriginalFetch);
+  tokenProxyInstalled = true;
+}
+async function withAnthropicTokenProxyFetch(operation) {
+  ensureAnthropicTokenProxyFetchInstalled();
+  return await tokenProxyContext.run(true, operation);
+}
+async function fetchProfileWithSingleRetry(accessToken) {
+  let profileResult = await fetchProfile(accessToken);
+  if (profileResult.ok) {
+    return profileResult;
+  }
+  await new Promise((resolve) => setTimeout(resolve, 1e3));
+  profileResult = await fetchProfile(accessToken);
+  return profileResult;
+}
+async function loginWithPiAi(callbacks) {
+  const piCreds = await withAnthropicTokenProxyFetch(() => piAiOauth.loginAnthropic({
+    onAuth: callbacks.onAuth,
+    onPrompt: callbacks.onPrompt,
+    onProgress: callbacks.onProgress,
+    onManualCodeInput: callbacks.onManualCodeInput
+  }));
+  const base = fromPiAiCredentials(piCreds);
+  const profileResult = await fetchProfileWithSingleRetry(piCreds.access);
+  const profileData = profileResult.ok ? profileResult.data : void 0;
+  return {
+    ...base,
+    email: profileData?.email,
+    planTier: profileData?.planTier ?? "",
+    addedAt: Date.now(),
+    lastUsed: Date.now()
+  };
+}
+async function refreshWithPiAi(currentRefreshToken) {
+  const piCreds = await withAnthropicTokenProxyFetch(() => piAiOauth.refreshAnthropicToken(currentRefreshToken));
+  return {
+    accessToken: piCreds.access,
+    refreshToken: piCreds.refresh,
+    expiresAt: piCreds.expires
+  };
+}
+var PI_AI_ADAPTER_SERVICE = ANTHROPIC_OAUTH_ADAPTER.serviceLogName;
+
+// src/token.ts
+var PERMANENT_FAILURE_HTTP_STATUSES = /* @__PURE__ */ new Set([400, 401, 403]);
+var PERMANENT_FAILURE_MESSAGE_PATTERNS = [
+  /\binvalid_grant\b/i,
+  /\binvalid_scope\b/i,
+  /\bunauthorized_client\b/i,
+  /\brefresh token\b.*\b(invalid|expired|revoked|no longer valid)\b/i,
+  /\bauth(?:entication)?(?:[_\s-]+)?invalid\b/i
+];
+var refreshMutexByAccountId = /* @__PURE__ */ new Map();
+function isTokenExpired(account) {
+  if (!account.accessToken || !account.expiresAt) return true;
+  return account.expiresAt <= Date.now() + TOKEN_EXPIRY_BUFFER_MS;
+}
+async function refreshToken(currentRefreshToken, accountId, client) {
+  if (!currentRefreshToken) return { ok: false, permanent: true };
+  const inFlightRefresh = refreshMutexByAccountId.get(accountId);
+  if (inFlightRefresh) return inFlightRefresh;
+  const refreshPromise = (async () => {
+    try {
+      const patch = await refreshWithPiAi(currentRefreshToken);
+      return { ok: true, patch };
+    } catch (error) {
+      const message = error instanceof Error ? error.message : String(error);
+      const statusMatch = message.match(/\b(400|401|403)\b/);
+      const hasPermanentStatus = statusMatch !== null && PERMANENT_FAILURE_HTTP_STATUSES.has(Number(statusMatch[1]));
+      const hasPermanentMessage = PERMANENT_FAILURE_MESSAGE_PATTERNS.some((pattern) => pattern.test(message));
+      const isPermanent = hasPermanentStatus || hasPermanentMessage;
+      await client.app.log({
+        body: {
+          service: ANTHROPIC_OAUTH_ADAPTER.serviceLogName,
+          level: isPermanent ? "error" : "warn",
+          message: `Token refresh failed: ${message}${isPermanent ? " (permanent)" : ""}`,
+          extra: { accountId }
+        }
+      }).catch(() => {
+      });
+      return { ok: false, permanent: isPermanent };
+    } finally {
+      refreshMutexByAccountId.delete(accountId);
+    }
+  })();
+  refreshMutexByAccountId.set(accountId, refreshPromise);
+  return refreshPromise;
+}
+
+// src/account-manager.ts
+var AccountManager = createAccountManagerForProvider({
+  providerAuthId: "anthropic",
+  isTokenExpired,
+  refreshToken
+});
+
 // src/rate-limit.ts
 var {
   fetchUsageLimits,
@@ -2061,8 +2689,92 @@ var {
   showToast
 });
 
+// src/pool-chain-executor.ts
+function buildCascadePrompt(input, init) {
+  if (typeof init?.body === "string" && init.body.length > 0) {
+    return init.body;
+  }
+  const method = init?.method ?? "GET";
+  return `${method}:${String(input)}`;
+}
+function createQueueAwareManager(manager, queue, cascadeStateManager) {
+  return Object.create(manager, {
+    selectAccount: { value: async function selectAccount() {
+      await manager.refresh();
+      while (queue.length > 0) {
+        const next = queue.shift();
+        if (!next) break;
+        const account = manager.getAccounts().find((candidate) => candidate.uuid === next.accountUuid);
+        if (!account?.uuid) continue;
+        if (!account.enabled || account.isAuthDisabled) continue;
+        if (manager.isRateLimited(account)) continue;
+        cascadeStateManager.markAttempted(account.uuid);
+        if (next.chainIndex !== void 0) {
+          cascadeStateManager.markVisitedChainIndex(next.chainIndex);
+        }
+        return account;
+      }
+      return manager.selectAccount();
+    } }
+  });
+}
+async function executeWithPoolChainRotation(manager, runtimeFactory, poolManager, cascadeStateManager, poolChainConfig, client, input, init) {
+  const cascadePrompt = buildCascadePrompt(input, init);
+  const currentAccountUuid = manager.getActiveAccount()?.uuid;
+  cascadeStateManager.startTurn(cascadePrompt, currentAccountUuid);
+  const queue = [];
+  const queuedAccountUuids = /* @__PURE__ */ new Set();
+  const queueAwareManager = createQueueAwareManager(manager, queue, cascadeStateManager);
+  const { executeWithAccountRotation: executeWithAccountRotation2 } = createExecutorForProvider("Anthropic", {
+    handleRateLimitResponse: async (rawManager, rawClient, account, response) => {
+      await handleRateLimitResponse(
+        rawManager,
+        rawClient,
+        account,
+        response
+      );
+      if (!account.uuid) return;
+      poolManager.markExhausted(account.uuid);
+      cascadeStateManager.markAttempted(account.uuid);
+      const cascadeState = cascadeStateManager.ensureCascadeState(cascadePrompt, account.uuid);
+      const failoverPlan = await poolManager.buildFailoverPlan(
+        account,
+        poolChainConfig,
+        manager,
+        {
+          attemptedAccounts: cascadeState.attemptedAccounts,
+          visitedChainIndexes: cascadeState.visitedChainIndexes
+        }
+      );
+      for (const candidate of failoverPlan.candidates) {
+        if (queuedAccountUuids.has(candidate.accountUuid)) continue;
+        queue.push({
+          accountUuid: candidate.accountUuid,
+          chainIndex: candidate.chainIndex
+        });
+        queuedAccountUuids.add(candidate.accountUuid);
+      }
+    },
+    formatWaitTime,
+    sleep,
+    showToast,
+    getAccountLabel
+  });
+  try {
+    return await executeWithAccountRotation2(
+      queueAwareManager,
+      runtimeFactory,
+      client,
+      input,
+      init
+    );
+  } finally {
+    cascadeStateManager.clearCascadeState();
+  }
+}
+
 // src/executor.ts
-var { executeWithAccountRotation } = createExecutorForProvider("Anthropic", {
+var { executeWithAccountRotation: executeWithCoreAccountRotation } = createExecutorForProvider("Anthropic", {
   handleRateLimitResponse: async (manager, client, account, response) => handleRateLimitResponse(
     manager,
     client,
@@ -2074,6 +2786,44 @@ var { executeWithAccountRotation } = createExecutorForProvider("Anthropic", {
   showToast,
   getAccountLabel
 });
+function isAllAccountsTerminalError(error) {
+  if (!(error instanceof Error)) return false;
+  return error.message.includes("All Anthropic accounts");
+}
+async function clearAuthIfNoUsableAccount(manager, client) {
+  await manager.refresh();
+  if (manager.hasAnyUsableAccount()) return;
+  await client.auth.set({
+    path: { id: ANTHROPIC_OAUTH_ADAPTER.authProviderId },
+    body: getClearedOAuthBody()
+  }).catch(() => {
+  });
+}
+function hasPoolChainEntries(config) {
+  return (config.pools?.length ?? 0) > 0 || (config.chains?.length ?? 0) > 0;
+}
+async function executeWithAccountRotation(manager, runtimeFactory, client, input, init, options) {
+  try {
+    if (!options || !hasPoolChainEntries(options.poolChainConfig)) {
+      return await executeWithCoreAccountRotation(manager, runtimeFactory, client, input, init);
+    }
+    return await executeWithPoolChainRotation(
+      manager,
+      runtimeFactory,
+      options.poolManager,
+      options.cascadeStateManager,
+      options.poolChainConfig,
+      client,
+      input,
+      init
+    );
+  } catch (error) {
+    if (isAllAccountsTerminalError(error)) {
+      await clearAuthIfNoUsableAccount(manager, client);
+    }
+    throw error;
+  }
+}
 
 // src/ui/auth-menu.ts
 function formatRelativeTime(timestamp) {
@@ -2294,23 +3044,77 @@ function makeFailedFlowResult(message) {
     callback: async () => ({ type: "failed" })
   };
 }
-function delegateToOriginalAuth(originalAuth, manager, inputs) {
-  const originalMethod = originalAuth.methods?.[0];
-  if (!originalMethod?.authorize) {
-    return Promise.resolve(makeFailedFlowResult("Original OAuth method not available"));
+function toOAuthCredentials(result) {
+  return { type: "oauth", refresh: result.refresh, access: result.access, expires: result.expires };
+}
+function asOAuthCallbackResponse(account) {
+  if (!account.refreshToken || !account.accessToken || typeof account.expiresAt !== "number") {
+    return { type: "failed" };
   }
-  return originalMethod.authorize(inputs).then(
-    (result) => wrapCallbackWithManagerSync(result, manager, originalAuth, inputs)
-  );
+  return {
+    type: "success",
+    refresh: account.refreshToken,
+    access: account.accessToken,
+    expires: account.expiresAt
+  };
 }
-function delegateReauthForAccount(originalAuth, manager, targetAccount, inputs) {
-  const originalMethod = originalAuth.methods?.[0];
-  if (!originalMethod?.authorize) {
-    return Promise.resolve(makeFailedFlowResult("Original OAuth method not available"));
+function promptLine(message) {
+  if (!isTTY()) return Promise.resolve("");
+  const rl = createInterface({ input: process.stdin, output: process.stdout });
+  return new Promise((resolve) => {
+    rl.question(message, (answer) => {
+      rl.close();
+      resolve(answer.trim());
+    });
+  });
+}
+function normalizePromptMessage(prompt) {
+  return prompt.message ?? prompt.text ?? prompt.label ?? prompt.title ?? prompt.placeholder ?? "Continue authentication: ";
+}
+var ANTHROPIC_TOKEN_HOST = "platform.claude.com";
+async function startPiAiFlow() {
+  const originalFetch = globalThis.fetch;
+  globalThis.fetch = ((input, init) => {
+    const url = typeof input === "string" ? input : input instanceof URL ? input.href : input.url;
+    if (url.includes(ANTHROPIC_TOKEN_HOST)) {
+      const headers = new Headers(init?.headers);
+      headers.set("user-agent", CLAUDE_CLI_USER_AGENT);
+      return originalFetch(input, { ...init, headers });
+    }
+    return originalFetch(input, init);
+  });
+  try {
+    const completedAccount = await loginWithPiAi({
+      onAuth: (info) => {
+        if (info.url) {
+          openBrowser(info.url);
+        }
+        const instruction = info.instructions ?? "Complete authorization in your browser.";
+        const urlLine = info.url ? `
+Auth URL (manual fallback): ${info.url}` : "";
+        console.log(`
+${instruction}${urlLine}
+`);
+      },
+      onPrompt: async (prompt) => {
+        const text = normalizePromptMessage(prompt);
+        return promptLine(text.endsWith(":") || text.endsWith("?") ? `${text} ` : `${text}: `);
+      }
+    });
+    const completedResult = asOAuthCallbackResponse(completedAccount);
+    const accountEmail = completedAccount.email;
+    return {
+      url: "",
+      instructions: "",
+      method: "auto",
+      callback: async () => completedResult,
+      _email: accountEmail
+    };
+  } catch {
+    return makeFailedFlowResult("Failed to start OAuth flow");
+  } finally {
+    globalThis.fetch = originalFetch;
   }
-  return originalMethod.authorize(inputs).then(
-    (result) => wrapCallbackWithAccountReplace(result, manager, targetAccount)
-  );
 }
 function wrapCallbackWithAccountReplace(result, manager, targetAccount) {
   const originalCallback = result.callback;
@@ -2319,126 +3123,53 @@ function wrapCallbackWithAccountReplace(result, manager, targetAccount) {
     callback: async function(code) {
       const callbackResult = await originalCallback(code);
       if (callbackResult?.type === "success" && callbackResult.refresh) {
-        const auth = {
-          type: "oauth",
-          refresh: callbackResult.refresh,
-          access: callbackResult.access,
-          expires: callbackResult.expires
-        };
         if (targetAccount.uuid) {
-          await manager.replaceAccountCredentials(targetAccount.uuid, auth);
+          await manager.replaceAccountCredentials(targetAccount.uuid, toOAuthCredentials(callbackResult));
         }
-        const label = getAccountLabel(targetAccount);
         console.log(`
-\u2705 ${label} re-authenticated successfully.
+\u2705 ${getAccountLabel(targetAccount)} re-authenticated successfully.
 `);
       }
       return callbackResult;
     }
   };
 }
-function wrapCallbackWithManagerSync(result, manager, originalAuth, inputs) {
+function wrapCallbackWithManagerSync(result, manager) {
   const originalCallback = result.callback;
+  const email = result._email;
   return {
     ...result,
     callback: async function(code) {
       const callbackResult = await originalCallback(code);
       if (callbackResult?.type === "success" && callbackResult.refresh) {
-        const auth = {
-          type: "oauth",
-          refresh: callbackResult.refresh,
-          access: callbackResult.access,
-          expires: callbackResult.expires
-        };
+        const auth = toOAuthCredentials(callbackResult);
         if (manager) {
           const countBefore = manager.getAccounts().length;
-          await manager.addAccount(auth);
+          await manager.addAccount(auth, email);
           const countAfter = manager.getAccounts().length;
-          if (countAfter > countBefore) {
-            console.log(`
+          const added = countAfter > countBefore;
+          console.log(added ? `
 \u2705 Account added to multi-auth pool (${countAfter} total).
-`);
-          } else {
-            console.log(`
+` : `
 \u2139\uFE0F  Account already exists in multi-auth pool (${countAfter} total).
 `);
-          }
-          if (originalAuth && inputs && isTTY()) {
-            await addMoreAccountsLoop(manager, originalAuth, inputs);
-          }
         } else {
           await persistFallback(auth);
-          console.log(`
-\u2705 Account saved.
-`);
+          console.log("\n\u2705 Account saved.\n");
         }
       }
       return callbackResult;
     }
   };
 }
-function promptYesNo(message) {
-  if (!isTTY()) return Promise.resolve(false);
-  const rl = createInterface({ input: process.stdin, output: process.stdout });
-  return new Promise((resolve) => {
-    rl.question(message, (answer) => {
-      rl.close();
-      resolve(answer.trim().toLowerCase() === "y");
-    });
-  });
-}
 function openBrowser(url) {
-  const cmd = process.platform === "darwin" ? "open" : process.platform === "win32" ? "start" : "xdg-open";
+  const commands = {
+    darwin: "open",
+    win32: "start"
+  };
+  const cmd = commands[process.platform] ?? "xdg-open";
   exec(`${cmd} ${JSON.stringify(url)}`);
 }
-async function addMoreAccountsLoop(manager, originalAuth, inputs) {
-  const originalMethod = originalAuth.methods?.[0];
-  if (!originalMethod?.authorize) return;
-  while (true) {
-    const currentCount = manager.getAccounts().length;
-    const shouldAdd = await promptYesNo(`Add another account? (${currentCount} added) (y/n): `);
-    if (!shouldAdd) break;
-    let flow;
-    try {
-      flow = await originalMethod.authorize(inputs);
-    } catch {
-      console.log("\n\u274C Failed to start OAuth flow.\n");
-      break;
-    }
-    if (flow.url) {
-      openBrowser(flow.url);
-    }
-    let callbackResult;
-    try {
-      callbackResult = await flow.callback();
-    } catch {
-      console.log("\n\u274C Authentication failed.\n");
-      break;
-    }
-    if (callbackResult?.type !== "success" || !("refresh" in callbackResult)) {
-      console.log("\n\u274C Authentication failed.\n");
-      break;
-    }
-    const auth = {
-      type: "oauth",
-      refresh: callbackResult.refresh,
-      access: callbackResult.access,
-      expires: callbackResult.expires
-    };
-    const countBefore = manager.getAccounts().length;
-    await manager.addAccount(auth);
-    const countAfter = manager.getAccounts().length;
-    if (countAfter > countBefore) {
-      console.log(`
-\u2705 Account added to multi-auth pool (${countAfter} total).
-`);
-    } else {
-      console.log(`
-\u2139\uFE0F  Account already exists in multi-auth pool (${countAfter} total).
-`);
-    }
-  }
-}
 async function persistFallback(auth) {
   try {
     const store = new AccountStore();
@@ -2460,15 +3191,15 @@ async function persistFallback(auth) {
   } catch {
   }
 }
-async function handleAuthorize(originalAuth, manager, inputs, client) {
+async function handleAuthorize(manager, inputs, client) {
   if (!inputs || !isTTY()) {
-    return delegateToOriginalAuth(originalAuth, manager, inputs);
+    return wrapCallbackWithManagerSync(await startPiAiFlow(), manager);
   }
   const effectiveManager = manager ?? await loadManagerFromDisk(client);
   if (!effectiveManager || effectiveManager.getAccounts().length === 0) {
-    return delegateToOriginalAuth(originalAuth, manager, inputs);
+    return wrapCallbackWithManagerSync(await startPiAiFlow(), manager);
   }
-  return runAccountManagementMenu(originalAuth, effectiveManager, inputs, client);
+  return runAccountManagementMenu(effectiveManager, client);
 }
 async function loadManagerFromDisk(client) {
   const store = new AccountStore();
@@ -2478,13 +3209,13 @@ async function loadManagerFromDisk(client) {
   const mgr = await AccountManager.create(store, emptyAuth, client);
   return mgr;
 }
-async function runAccountManagementMenu(originalAuth, manager, inputs, client) {
+async function runAccountManagementMenu(manager, client) {
   while (true) {
     const allAccounts = manager.getAccounts();
     const menuAction = await showAuthMenu(allAccounts);
     switch (menuAction.type) {
       case "add":
-        return delegateToOriginalAuth(originalAuth, manager, inputs);
+        return wrapCallbackWithManagerSync(await startPiAiFlow(), manager);
       case "check-quotas":
         await handleCheckQuotas(manager, client);
         continue;
@@ -2493,7 +3224,7 @@ async function runAccountManagementMenu(originalAuth, manager, inputs, client) {
         if (result.action === "back" || result.action === "cancel") continue;
         const manageResult = await handleManageAction(manager, result.action, result.account, client);
         if (manageResult.triggerOAuth) {
-          return delegateReauthForAccount(originalAuth, manager, manageResult.account, inputs);
+          return wrapCallbackWithAccountReplace(await startPiAiFlow(), manager, manageResult.account);
         }
         continue;
       }
@@ -2503,7 +3234,7 @@ async function runAccountManagementMenu(originalAuth, manager, inputs, client) {
       case "delete-all":
         await manager.clearAllAccounts();
         console.log("\nAll accounts deleted.\n");
-        return delegateToOriginalAuth(originalAuth, manager, inputs);
+        return wrapCallbackWithManagerSync(await startPiAiFlow(), manager);
       case "cancel":
         return makeFailedFlowResult("Authentication cancelled");
     }
@@ -2518,46 +3249,56 @@ async function handleCheckQuotas(manager, client) {
 \u{1F4CA} Checking quotas for ${accounts.length} account(s)...
 `);
   for (const account of accounts) {
-    if (account.isAuthDisabled || !account.accessToken || isTokenExpired(account)) {
-      if (!account.uuid) {
-        printQuotaError(account, "Missing account UUID");
-        continue;
-      }
-      const result = await manager.ensureValidToken(account.uuid, effectiveClient);
-      if (!result.ok) {
-        printQuotaError(account, account.isAuthDisabled ? `${account.authDisabledReason ?? "Auth disabled"} (refresh failed)` : "Failed to refresh token");
-        continue;
-      }
-      await manager.refresh();
-    }
-    const freshAccounts = manager.getAccounts();
-    const freshAccount = freshAccounts.find((candidate) => candidate.uuid === account.uuid);
-    if (!freshAccount?.accessToken) {
-      printQuotaError(account, "No access token available");
-      continue;
+    await checkAccountQuota(manager, account, effectiveClient);
+  }
+}
+async function checkAccountQuota(manager, account, client) {
+  if (account.isAuthDisabled || !account.accessToken || isTokenExpired(account)) {
+    if (!account.uuid) {
+      printQuotaError(account, "Missing account UUID");
+      return;
     }
-    const usageResult = await fetchUsage(freshAccount.accessToken);
-    if (!usageResult.ok) {
-      printQuotaError(freshAccount, `Failed to fetch usage: ${usageResult.reason}`);
-      continue;
+    const refreshResult = await manager.ensureValidToken(account.uuid, client);
+    if (!refreshResult.ok) {
+      await manager.markAuthFailure(account.uuid, refreshResult);
+      await manager.refresh();
+      const updatedAccount = manager.getAccounts().find((candidate) => candidate.uuid === account.uuid);
+      if (!updatedAccount) {
+        printQuotaError(account, refreshResult.permanent ? "Refresh failed permanently; account removed" : "Failed to refresh token");
+        return;
+      }
+      printQuotaError(updatedAccount, updatedAccount.isAuthDisabled ? `${updatedAccount.authDisabledReason ?? "Auth disabled"} (refresh failed)` : "Failed to refresh token");
+      return;
     }
+    await manager.refresh();
+  }
+  const freshAccounts = manager.getAccounts();
+  const freshAccount = freshAccounts.find((candidate) => candidate.uuid === account.uuid);
+  if (!freshAccount?.accessToken) {
+    printQuotaError(account, "No access token available");
+    return;
+  }
+  const usageResult = await fetchUsage(freshAccount.accessToken);
+  if (!usageResult.ok) {
+    printQuotaError(freshAccount, `Failed to fetch usage: ${usageResult.reason}`);
+    return;
+  }
+  if (freshAccount.uuid) {
+    await manager.applyUsageCache(freshAccount.uuid, usageResult.data);
+  }
+  let reportAccount = freshAccount;
+  const profileResult = await fetchProfile(freshAccount.accessToken);
+  if (profileResult.ok) {
     if (freshAccount.uuid) {
-      await manager.applyUsageCache(freshAccount.uuid, usageResult.data);
-    }
-    let reportAccount = freshAccount;
-    const profileResult = await fetchProfile(freshAccount.accessToken);
-    if (profileResult.ok) {
-      if (freshAccount.uuid) {
-        await manager.applyProfileCache(freshAccount.uuid, profileResult.data);
-      }
-      reportAccount = {
-        ...freshAccount,
-        email: profileResult.data.email ?? freshAccount.email,
-        planTier: profileResult.data.planTier
-      };
+      await manager.applyProfileCache(freshAccount.uuid, profileResult.data);
     }
-    printQuotaReport(reportAccount, usageResult.data);
+    reportAccount = {
+      ...freshAccount,
+      email: profileResult.data.email ?? freshAccount.email,
+      planTier: profileResult.data.planTier
+    };
   }
+  printQuotaReport(reportAccount, usageResult.data);
 }
 async function handleLoadBalancing() {
   const current = getConfig().account_selection_strategy;
@@ -2601,8 +3342,7 @@ Retrying authentication for ${label}...
         console.log(`\u2705 ${label} re-authenticated successfully.
 `);
       } else {
-        console.log(`Token refresh failed \u2014 starting OAuth flow...
-`);
+        console.log("Token refresh failed \u2014 starting OAuth flow...\n");
         return { triggerOAuth: true, account };
       }
       break;
@@ -2611,8 +3351,362 @@ Retrying authentication for ${label}...
   return { triggerOAuth: false };
 }
 
+// src/request-transform.ts
+import { createHash } from "node:crypto";
+
+// src/anthropic-prompt.ts
+var SYSTEM_PROMPT = `You are an interactive CLI tool that helps users with software engineering tasks. Use the instructions below and the tools available to you to assist the user.
+
+IMPORTANT: Assist with defensive security tasks only. Refuse to create, modify, or improve code that may be used maliciously. Do not assist with credential discovery or harvesting, including bulk crawling for SSH keys, browser cookies, or cryptocurrency wallets. Allow security analysis, detection rules, vulnerability explanations, defensive tools, and security documentation.
+IMPORTANT: You must NEVER generate or guess URLs for the user unless you are confident that the URLs are for helping the user with programming. You may use URLs provided by the user in their messages or local files.
+
+If the user asks for help or wants to give feedback inform them of the following: 
+- /help: Get help with using Claude Code
+- To give feedback, users should report the issue at https://github.com/anthropics/claude-code/issues
+
+When the user directly asks about Claude Code (eg. "can Claude Code do...", "does Claude Code have..."), or asks in second person (eg. "are you able...", "can you do..."), or asks how to use a specific Claude Code feature (eg. implement a hook, or write a slash command), use the WebFetch tool to gather information to answer the question from Claude Code docs. The list of available docs is available at https://docs.claude.com/en/docs/claude-code/claude_code_docs_map.md.
+
+# Tone and style
+You should be concise, direct, and to the point, while providing complete information and matching the level of detail you provide in your response with the level of complexity of the user's query or the work you have completed. 
+A concise response is generally less than 4 lines, not including tool calls or code generated. You should provide more detail when the task is complex or when the user asks you to.
+IMPORTANT: You should minimize output tokens as much as possible while maintaining helpfulness, quality, and accuracy. Only address the specific task at hand, avoiding tangential information unless absolutely critical for completing the request. If you can answer in 1-3 sentences or a short paragraph, please do.
+IMPORTANT: You should NOT answer with unnecessary preamble or postamble (such as explaining your code or summarizing your action), unless the user asks you to.
+Do not add additional code explanation summary unless requested by the user. After working on a file, briefly confirm that you have completed the task, rather than providing an explanation of what you did.
+Answer the user's question directly, avoiding any elaboration, explanation, introduction, conclusion, or excessive details. Brief answers are best, but be sure to provide complete information. You MUST avoid extra preamble before/after your response, such as "The answer is <answer>.", "Here is the content of the file..." or "Based on the information provided, the answer is..." or "Here is what I will do next...".
+
+Here are some examples to demonstrate appropriate verbosity:
+<example>
+user: 2 + 2
+assistant: 4
+</example>
+
+<example>
+user: what is 2+2?
+assistant: 4
+</example>
+
+<example>
+user: is 11 a prime number?
+assistant: Yes
+</example>
+
+<example>
+user: what command should I run to list files in the current directory?
+assistant: ls
+</example>
+
+<example>
+user: what command should I run to watch files in the current directory?
+assistant: [runs ls to list the files in the current directory, then read docs/commands in the relevant file to find out how to watch files]
+npm run dev
+</example>
+
+<example>
+user: How many golf balls fit inside a jetta?
+assistant: 150000
+</example>
+
+<example>
+user: what files are in the directory src/?
+assistant: [runs ls and sees foo.c, bar.c, baz.c]
+user: which file contains the implementation of foo?
+assistant: src/foo.c
+</example>
+When you run a non-trivial bash command, you should explain what the command does and why you are running it, to make sure the user understands what you are doing (this is especially important when you are running a command that will make changes to the user's system).
+Remember that your output will be displayed on a command line interface. Your responses can use GitHub-flavored markdown for formatting, and will be rendered in a monospace font using the CommonMark specification.
+Output text to communicate with the user; all text you output outside of tool use is displayed to the user. Only use tools to complete tasks. Never use tools like Bash or code comments as means to communicate with the user during the session.
+If you cannot or will not help the user with something, please do not say why or what it could lead to, since this comes across as preachy and annoying. Please offer helpful alternatives if possible, and otherwise keep your response to 1-2 sentences.
+Only use emojis if the user explicitly requests it. Avoid using emojis in all communication unless asked.
+IMPORTANT: Keep your responses short, since they will be displayed on a command line interface.
+
+# Proactiveness
+You are allowed to be proactive, but only when the user asks you to do something. You should strive to strike a balance between:
+- Doing the right thing when asked, including taking actions and follow-up actions
+- Not surprising the user with actions you take without asking
+For example, if the user asks you how to approach something, you should do your best to answer their question first, and not immediately jump into taking actions.
+
+# Professional objectivity
+Prioritize technical accuracy and truthfulness over validating the user's beliefs. Focus on facts and problem-solving, providing direct, objective technical info without any unnecessary superlatives, praise, or emotional validation. It is best for the user if Claude honestly applies the same rigorous standards to all ideas and disagrees when necessary, even if it may not be what the user wants to hear. Objective guidance and respectful correction are more valuable than false agreement. Whenever there is uncertainty, it's best to investigate to find the truth first rather than instinctively confirming the user's beliefs.
+
+# Task Management
+You have access to the TodoWrite tools to help you manage and plan tasks. Use these tools VERY frequently to ensure that you are tracking your tasks and giving the user visibility into your progress.
+These tools are also EXTREMELY helpful for planning tasks, and for breaking down larger complex tasks into smaller steps. If you do not use this tool when planning, you may forget to do important tasks - and that is unacceptable.
+
+It is critical that you mark todos as completed as soon as you are done with a task. Do not batch up multiple tasks before marking them as completed.
+
+Examples:
+
+<example>
+user: Run the build and fix any type errors
+assistant: I'm going to use the TodoWrite tool to write the following items to the todo list: 
+- Run the build
+- Fix any type errors
+
+I'm now going to run the build using Bash.
+
+Looks like I found 10 type errors. I'm going to use the TodoWrite tool to write 10 items to the todo list.
+
+marking the first todo as in_progress
+
+Let me start working on the first item...
+
+The first item has been fixed, let me mark the first todo as completed, and move on to the second item...
+..
+..
+</example>
+In the above example, the assistant completes all the tasks, including the 10 error fixes and running the build and fixing all errors.
+
+<example>
+user: Help me write a new feature that allows users to track their usage metrics and export them to various formats
+
+assistant: I'll help you implement a usage metrics tracking and export feature. Let me first use the TodoWrite tool to plan this task.
+Adding the following todos to the todo list:
+1. Research existing metrics tracking in the codebase
+2. Design the metrics collection system
+3. Implement core metrics tracking functionality
+4. Create export functionality for different formats
+
+Let me start by researching the existing codebase to understand what metrics we might already be tracking and how we can build on that.
+
+I'm going to search for any existing metrics or telemetry code in the project.
+
+I've found some existing telemetry code. Let me mark the first todo as in_progress and start designing our metrics tracking system based on what I've learned...
+
+[Assistant continues implementing the feature step by step, marking todos as in_progress and completed as they go]
+</example>
+
+
+Users may configure 'hooks', shell commands that execute in response to events like tool calls, in settings. Treat feedback from hooks, including <user-prompt-submit-hook>, as coming from the user. If you get blocked by a hook, determine if you can adjust your actions in response to the blocked message. If not, ask the user to check their hooks configuration.
+
+# Doing tasks
+The user will primarily request you perform software engineering tasks. This includes solving bugs, adding new functionality, refactoring code, explaining code, and more. For these tasks the following steps are recommended:
+- Use the TodoWrite tool to plan the task if required
+
+- Tool results and user messages may include <system-reminder> tags. <system-reminder> tags contain useful information and reminders. They are automatically added by the system, and bear no direct relation to the specific tool results or user messages in which they appear.
+
+
+# Tool usage policy
+- When doing file search, prefer to use the Task tool in order to reduce context usage.
+- You should proactively use the Task tool with specialized agents when the task at hand matches the agent's description.
+
+- When WebFetch returns a message about a redirect to a different host, you should immediately make a new WebFetch request with the redirect URL provided in the response.
+- You have the capability to call multiple tools in a single response. When multiple independent pieces of information are requested, batch your tool calls together for optimal performance. When making multiple bash tool calls, you MUST send a single message with multiple tools calls to run the calls in parallel. For example, if you need to run "git status" and "git diff", send a single message with two tool calls to run the calls in parallel.
+- If the user specifies that they want you to run tools "in parallel", you MUST send a single message with multiple tool use content blocks. For example, if you need to launch multiple agents in parallel, send a single message with multiple Task tool calls.
+- Use specialized tools instead of bash commands when possible, as this provides a better user experience. For file operations, use dedicated tools: Read for reading files instead of cat/head/tail, Edit for editing instead of sed/awk, and Write for creating files instead of cat with heredoc or echo redirection. Reserve bash tools exclusively for actual system commands and terminal operations that require shell execution. NEVER use bash echo or other command-line tools to communicate thoughts, explanations, or instructions to the user. Output all communication directly in your response text instead.
+
+
+Here is useful information about the environment you are running in:
+<env>
+Working directory: /home/thdxr/dev/projects/anomalyco/opencode/packages/opencode
+Is directory a git repo: Yes
+Platform: linux
+OS Version: Linux 6.12.4-arch1-1
+Today's date: 2025-09-30
+</env>
+You are powered by the model named Sonnet 4.5. The exact model ID is claude-sonnet-4-5-20250929.
+
+Assistant knowledge cutoff is January 2025.
+
+
+IMPORTANT: Assist with defensive security tasks only. Refuse to create, modify, or improve code that may be used maliciously. Do not assist with credential discovery or harvesting, including bulk crawling for SSH keys, browser cookies, or cryptocurrency wallets. Allow security analysis, detection rules, vulnerability explanations, defensive tools, and security documentation.
+
+
+IMPORTANT: Always use the TodoWrite tool to plan and track tasks throughout the conversation.
+
+# Code References
+
+When referencing specific functions or pieces of code include the pattern \`file_path:line_number\` to allow the user to easily navigate to the source code location.
+
+<example>
+user: Where are errors from the client handled?
+assistant: Clients are marked as failed in the \`connectToServer\` function in src/services/process.ts:712.
+</example>`;
+
+// src/request-transform.ts
+function getSystemPrompt() {
+  return SYSTEM_PROMPT;
+}
+function sampleCodeUnits(text, indices) {
+  return indices.map((i) => i < text.length ? text.charCodeAt(i).toString(16) : "30").join("");
+}
+function buildBillingHeader(firstUserMessage) {
+  const version = ANTHROPIC_OAUTH_ADAPTER.cliVersion;
+  const salt = ANTHROPIC_OAUTH_ADAPTER.billingSalt;
+  if (!version || !salt) return "";
+  const sampled = sampleCodeUnits(firstUserMessage, [4, 7, 20]);
+  const hash = createHash("sha256").update(`${salt}${sampled}${version}`).digest("hex").slice(0, 3);
+  return `x-anthropic-billing-header: cc_version=${version}.${hash}; cc_entrypoint=cli; cch=00000;`;
+}
+var OPENCODE_CAMEL_RE = /OpenCode/g;
+var OPENCODE_LOWER_RE = /(?<!\/)opencode/gi;
+var TOOL_PREFIX_RESPONSE_RE = /"name"\s*:\s*"mcp_([^"]+)"/g;
+function addToolPrefix(name) {
+  if (!ANTHROPIC_OAUTH_ADAPTER.transform.addToolPrefix) {
+    return name;
+  }
+  if (!name || name.startsWith(TOOL_PREFIX)) {
+    return name;
+  }
+  return `${TOOL_PREFIX}${name}`;
+}
+function stripToolPrefixFromLine(line) {
+  if (!ANTHROPIC_OAUTH_ADAPTER.transform.stripToolPrefixInResponse) {
+    return line;
+  }
+  return line.replace(TOOL_PREFIX_RESPONSE_RE, '"name": "$1"');
+}
+function processCompleteLines(buffer) {
+  const lines = buffer.split("\n");
+  const remaining = lines.pop() ?? "";
+  if (lines.length === 0) {
+    return { output: "", remaining };
+  }
+  const output = `${lines.map(stripToolPrefixFromLine).join("\n")}
+`;
+  return { output, remaining };
+}
+function buildRequestHeaders(input, init, accessToken) {
+  const headers = new Headers();
+  if (input instanceof Request) {
+    input.headers.forEach((value, key) => {
+      headers.set(key, value);
+    });
+  }
+  if (init?.headers) {
+    if (init.headers instanceof Headers) {
+      init.headers.forEach((value, key) => {
+        headers.set(key, value);
+      });
+    } else if (Array.isArray(init.headers)) {
+      for (const [key, value] of init.headers) {
+        if (value !== void 0) headers.set(key, String(value));
+      }
+    } else {
+      for (const [key, value] of Object.entries(init.headers)) {
+        if (value !== void 0) headers.set(key, String(value));
+      }
+    }
+  }
+  const incomingBetas = (headers.get("anthropic-beta") || "").split(",").map((b) => b.trim()).filter(Boolean);
+  const mergedBetas = [.../* @__PURE__ */ new Set([
+    ...ANTHROPIC_BETA_HEADER.split(","),
+    ...incomingBetas
+  ])].join(",");
+  headers.set("authorization", `Bearer ${accessToken}`);
+  headers.set("anthropic-beta", mergedBetas);
+  headers.set("user-agent", CLAUDE_CLI_USER_AGENT);
+  headers.set("anthropic-dangerous-direct-browser-access", "true");
+  headers.set("x-app", "cli");
+  headers.delete("x-api-key");
+  return headers;
+}
+function transformRequestBody(body) {
+  if (!body) return body;
+  try {
+    const parsed = JSON.parse(body);
+    if (parsed.system && Array.isArray(parsed.system)) {
+      parsed.system = parsed.system.map((systemEntry) => {
+        if (ANTHROPIC_OAUTH_ADAPTER.transform.rewriteOpenCodeBranding && systemEntry.type === "text" && systemEntry.text) {
+          return {
+            ...systemEntry,
+            text: systemEntry.text.replace(OPENCODE_CAMEL_RE, "Claude Code").replace(OPENCODE_LOWER_RE, "Claude")
+          };
+        }
+        return systemEntry;
+      });
+    }
+    if (parsed.tools && Array.isArray(parsed.tools)) {
+      parsed.tools = parsed.tools.map((tool2) => ({
+        ...tool2,
+        name: addToolPrefix(tool2.name)
+      }));
+    }
+    if (parsed.messages && Array.isArray(parsed.messages)) {
+      parsed.messages = parsed.messages.map((message) => {
+        if (message.content && Array.isArray(message.content)) {
+          message.content = message.content.map((contentBlock) => {
+            if (contentBlock.type === "tool_use" && contentBlock.name) {
+              return { ...contentBlock, name: addToolPrefix(contentBlock.name) };
+            }
+            return contentBlock;
+          });
+        }
+        return message;
+      });
+    }
+    return JSON.stringify(parsed);
+  } catch {
+    return body;
+  }
+}
+function transformRequestUrl(input) {
+  let url = null;
+  try {
+    if (typeof input === "string" || input instanceof URL) {
+      url = new URL(input.toString());
+    } else if (input instanceof Request) {
+      url = new URL(input.url);
+    }
+  } catch {
+    return input;
+  }
+  if (ANTHROPIC_OAUTH_ADAPTER.transform.enableMessagesBetaQuery && url && url.pathname === "/v1/messages" && !url.searchParams.has("beta")) {
+    url.searchParams.set("beta", "true");
+    return input instanceof Request ? new Request(url.toString(), input) : url;
+  }
+  return input;
+}
+function createResponseStreamTransform(response) {
+  if (!response.body) return response;
+  const reader = response.body.getReader();
+  const decoder = new TextDecoder();
+  const encoder = new TextEncoder();
+  let buffer = "";
+  const stream = new ReadableStream({
+    async pull(controller) {
+      try {
+        while (true) {
+          const { done, value } = await reader.read();
+          if (done) {
+            buffer += decoder.decode();
+            if (buffer) {
+              controller.enqueue(encoder.encode(stripToolPrefixFromLine(buffer)));
+              buffer = "";
+            }
+            controller.close();
+            return;
+          }
+          buffer += decoder.decode(value, { stream: true });
+          const { output, remaining } = processCompleteLines(buffer);
+          buffer = remaining;
+          if (output) {
+            controller.enqueue(encoder.encode(output));
+            return;
+          }
+        }
+      } catch (error) {
+        try {
+          reader.cancel().catch(() => {
+          });
+        } catch {
+        }
+        controller.error(error);
+      }
+    },
+    async cancel(reason) {
+      await reader.cancel(reason);
+    }
+  });
+  return new Response(stream, {
+    status: response.status,
+    statusText: response.statusText,
+    headers: response.headers
+  });
+}
+
 // src/proactive-refresh.ts
 var ProactiveRefreshQueue = createProactiveRefreshQueueForProvider({
+  providerAuthId: "anthropic",
   getConfig,
   isTokenExpired,
   refreshToken,
@@ -2620,13 +3714,11 @@ var ProactiveRefreshQueue = createProactiveRefreshQueueForProvider({
 });
 
 // src/runtime-factory.ts
-import { AnthropicAuthPlugin } from "opencode-anthropic-auth";
+var TOKEN_REFRESH_PERMANENT_FAILURE_STATUS = 401;
 var AccountRuntimeFactory = class {
-  constructor(pluginCtx, store, client, provider) {
-    this.pluginCtx = pluginCtx;
+  constructor(store, client) {
     this.store = store;
     this.client = client;
-    this.provider = provider;
   }
   runtimes = /* @__PURE__ */ new Map();
   initLocks = /* @__PURE__ */ new Map();
@@ -2651,77 +3743,116 @@ var AccountRuntimeFactory = class {
   invalidateAll() {
     this.runtimes.clear();
   }
-  async createRuntime(uuid) {
-    const scopedClient = this.createScopedClient(uuid);
-    const scopedCtx = {
-      ...this.pluginCtx,
-      client: scopedClient
-    };
-    const hooks = await AnthropicAuthPlugin(scopedCtx);
-    const auth = hooks.auth;
-    if (!auth?.loader) {
-      throw new Error(`Base plugin loader unavailable for account ${uuid}`);
-    }
-    const scopedGetAuth = this.createScopedGetAuth(uuid);
-    const result = await auth.loader(scopedGetAuth, this.provider);
-    if (!result?.fetch) {
-      throw new Error(`Base plugin returned no fetch for account ${uuid}`);
+  async ensureFreshToken(storedAccount, uuid) {
+    const refreshed = await refreshToken(storedAccount.refreshToken, uuid, this.client);
+    if (!refreshed.ok) {
+      throw new TokenRefreshError(
+        refreshed.permanent,
+        refreshed.permanent ? TOKEN_REFRESH_PERMANENT_FAILURE_STATUS : void 0
+      );
     }
-    debugLog(this.client, `Runtime created for account ${uuid.slice(0, 8)}`);
-    return { fetch: result.fetch };
-  }
-  createScopedGetAuth(uuid) {
-    const store = this.store;
-    return async () => {
-      const credentials = await store.readCredentials(uuid);
-      if (!credentials) {
-        return { type: "oauth", refresh: "", access: "", expires: 0 };
-      }
-      return {
+    await this.store.mutateAccount(uuid, (account) => {
+      account.accessToken = refreshed.patch.accessToken;
+      account.expiresAt = refreshed.patch.expiresAt;
+      if (refreshed.patch.refreshToken) account.refreshToken = refreshed.patch.refreshToken;
+      if (refreshed.patch.uuid) account.uuid = refreshed.patch.uuid;
+      if (refreshed.patch.email) account.email = refreshed.patch.email;
+      account.consecutiveAuthFailures = 0;
+      account.isAuthDisabled = false;
+      account.authDisabledReason = void 0;
+    });
+    this.client.auth.set({
+      path: { id: ANTHROPIC_OAUTH_ADAPTER.authProviderId },
+      body: {
         type: "oauth",
-        refresh: credentials.refreshToken,
-        access: credentials.accessToken ?? "",
-        expires: credentials.expiresAt ?? 0
-      };
-    };
+        refresh: refreshed.patch.refreshToken ?? storedAccount.refreshToken,
+        access: refreshed.patch.accessToken,
+        expires: refreshed.patch.expiresAt
+      }
+    }).catch(() => {
+    });
+    return { accessToken: refreshed.patch.accessToken, expiresAt: refreshed.patch.expiresAt };
+  }
+  async executeTransformedFetch(input, init, accessToken) {
+    const transformedInput = transformRequestUrl(input);
+    const headers = buildRequestHeaders(transformedInput, init, accessToken);
+    const transformedBody = typeof init?.body === "string" ? transformRequestBody(init.body) : init?.body;
+    const response = await fetch(transformedInput, {
+      ...init,
+      headers,
+      body: transformedBody
+    });
+    return createResponseStreamTransform(response);
   }
-  createScopedClient(uuid) {
-    const store = this.store;
-    const originalClient = this.client;
-    return {
-      auth: {
-        async set(params) {
-          const { body } = params;
-          await store.mutateAccount(uuid, (account) => {
-            account.accessToken = body.access;
-            account.expiresAt = body.expires;
-            if (body.refresh) account.refreshToken = body.refresh;
-            account.consecutiveAuthFailures = 0;
-            account.isAuthDisabled = false;
-            account.authDisabledReason = void 0;
-          });
-          originalClient.auth.set(params).catch(() => {
-          });
-        }
-      },
-      tui: originalClient.tui,
-      app: originalClient.app
+  async createRuntime(uuid) {
+    const fetchWithAccount = async (input, init) => {
+      const storage = await this.store.load();
+      const storedAccount = storage.accounts.find((account) => account.uuid === uuid);
+      if (!storedAccount) {
+        throw new Error(`No credentials found for account ${uuid}`);
+      }
+      let accessToken = storedAccount.accessToken;
+      let expiresAt = storedAccount.expiresAt;
+      if (!accessToken || !expiresAt || isTokenExpired({ accessToken, expiresAt })) {
+        ({ accessToken, expiresAt } = await this.ensureFreshToken(storedAccount, uuid));
+      }
+      if (!accessToken) {
+        throw new Error(`No access token available for account ${uuid}`);
+      }
+      return this.executeTransformedFetch(input, init, accessToken);
     };
+    debugLog(this.client, `Runtime created for account ${uuid.slice(0, 8)}`);
+    return { fetch: fetchWithAccount };
   }
 };
 
 // src/index.ts
+function extractFirstUserText(input) {
+  try {
+    const raw = input;
+    const messages = raw.messages ?? raw.request?.messages;
+    if (!Array.isArray(messages)) return "";
+    for (const msg of messages) {
+      if (msg.role !== "user") continue;
+      if (typeof msg.content === "string") return msg.content;
+      if (Array.isArray(msg.content)) {
+        for (const block of msg.content) {
+          if (block.type === "text" && block.text) return block.text;
+        }
+      }
+    }
+  } catch {
+  }
+  return "";
+}
+function injectSystemPrompt(output) {
+  const systemPrompt = getSystemPrompt();
+  if (!Array.isArray(output.system)) {
+    output.system = [systemPrompt];
+    return;
+  }
+  if (!output.system.includes(systemPrompt)) {
+    output.system.unshift(systemPrompt);
+  }
+}
 var ClaudeMultiAuthPlugin = async (ctx) => {
   const { client } = ctx;
   await loadConfig();
-  const originalHooks = await AnthropicAuthPlugin2(ctx);
-  const originalAuth = originalHooks.auth;
   const store = new AccountStore();
   let manager = null;
   let runtimeFactory = null;
   let refreshQueue = null;
+  let poolManager = null;
+  let cascadeStateManager = null;
+  let poolChainConfig = { pools: [], chains: [] };
   return {
-    "experimental.chat.system.transform": originalHooks["experimental.chat.system.transform"],
+    "experimental.chat.system.transform": (input, output) => {
+      injectSystemPrompt(output);
+      const billingHeader = buildBillingHeader(extractFirstUserText(input));
+      if (billingHeader && !output.system?.includes(billingHeader)) {
+        output.system?.unshift(billingHeader);
+      }
+    },
     tool: {
       [ANTHROPIC_OAUTH_ADAPTER.statusToolName]: tool({
         description: "Show status of all multi-auth accounts including rate limits and usage.",
@@ -2749,9 +3880,13 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
             if (account.isAuthDisabled) statusParts.push(`AUTH DISABLED: ${account.authDisabledReason}`);
             else if (!account.enabled) statusParts.push("disabled");
             else statusParts.push("enabled");
-            if (account.rateLimitResetAt && account.rateLimitResetAt > Date.now()) {
-              const remaining = formatWaitTime(account.rateLimitResetAt - Date.now());
-              statusParts.push(`RATE LIMITED (resets in ${remaining})`);
+            if (account.rateLimitResetAt) {
+              if (account.rateLimitResetAt > Date.now()) {
+                const remaining = formatWaitTime(account.rateLimitResetAt - Date.now());
+                statusParts.push(`RATE LIMITED (resets in ${remaining})`);
+              } else {
+                statusParts.push("RATE LIMIT RESET");
+              }
             }
             if (account.cachedUsage) {
               const now = Date.now();
@@ -2779,7 +3914,7 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
           type: "oauth",
           async authorize() {
             const inputs = arguments.length > 0 ? arguments[0] : void 0;
-            return handleAuthorize(originalAuth, manager, inputs, client);
+            return handleAuthorize(manager, inputs, client);
           }
         },
         { type: "api", label: "Create an API Key" },
@@ -2788,7 +3923,7 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
       async loader(getAuth, provider) {
         const auth = await getAuth();
         if (auth.type !== "oauth") {
-          return originalAuth.loader(getAuth, provider);
+          return { apiKey: "", fetch };
         }
         for (const model of Object.values(provider.models ?? {})) {
           if (model) {
@@ -2798,8 +3933,12 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
         const credentials = auth;
         await migrateFromAuthJson("anthropic", store);
         manager = await AccountManager.create(store, credentials, client);
-        runtimeFactory = new AccountRuntimeFactory(ctx, store, client, provider);
+        runtimeFactory = new AccountRuntimeFactory(store, client);
         manager.setRuntimeFactory(runtimeFactory);
+        poolChainConfig = await loadPoolChainConfig();
+        poolManager = new PoolManager();
+        poolManager.loadPools(poolChainConfig.pools);
+        cascadeStateManager = new CascadeStateManager();
         if (manager.getAccountCount() > 0) {
           const activeLabel = manager.getActiveAccount() ? getAccountLabel(manager.getActiveAccount()) : "none";
           void showToast(
@@ -2822,12 +3961,21 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
           refreshQueue = new ProactiveRefreshQueue(
             client,
             store,
-            (uuid) => runtimeFactory?.invalidate(uuid)
+            (uuid) => {
+              runtimeFactory?.invalidate(uuid);
+              void manager?.refresh();
+            }
           );
           refreshQueue.start();
         }
         return {
           apiKey: "",
+          "chat.headers": async (input, output) => {
+            if (input.provider?.info?.id !== ANTHROPIC_OAUTH_ADAPTER.authProviderId) return;
+            output.headers["user-agent"] = CLAUDE_CLI_USER_AGENT;
+            output.headers["anthropic-beta"] = ANTHROPIC_BETA_HEADER;
+            output.headers["x-app"] = "cli";
+          },
           async fetch(input, init) {
             if (!manager || !runtimeFactory) {
               return fetch(input, init);
@@ -2837,7 +3985,23 @@ var ClaudeMultiAuthPlugin = async (ctx) => {
                 "No Anthropic accounts configured. Run `opencode auth login` to add an account."
               );
             }
-            return executeWithAccountRotation(manager, runtimeFactory, client, input, init);
+            if (!poolManager || !cascadeStateManager) {
+              poolManager = new PoolManager();
+              poolManager.loadPools(poolChainConfig.pools);
+              cascadeStateManager = new CascadeStateManager();
+            }
+            return executeWithAccountRotation(
+              manager,
+              runtimeFactory,
+              client,
+              input,
+              init,
+              {
+                poolManager,
+                cascadeStateManager,
+                poolChainConfig
+              }
+            );
           }
         };
       }