pi-multi-account 1.1.0 → 1.3.0

package/CHANGELOG.md

@@ -5,6 +5,49 @@ All notable changes to this project are documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [1.3.0] - 2026-06-10
+
+### Fixed
+
+- **Manual model/account selection is now respected.** Picking a model (e.g. Opus
+  on another account) no longer gets auto-yanked onto a different provider on the
+  next rate limit — the failover stays put and tells you, until you switch with
+  `/model` or `/multi-account next`. The pin auto-releases after a successful
+  response on that provider.
+- **No more self-resurrecting work.** All background resume timers were removed:
+  continuation now happens only synchronously inside an active turn, so Esc and
+  quitting always stop it. When every account is rate-limited the failover STOPS
+  and asks you to retry, instead of churning between exhausted accounts.
+- **No more "Agent is already processing" / "Cannot continue from message role:
+  assistant".** Continuations are sent only when the agent is idle and not aborting.
+
+### Added
+
+- Test suite (`npm test`) covering the failover edge cases: limit/401 failover,
+  all-accounts-exhausted stop, Esc/abort, manual-selection pinning, idle gating,
+  Anthropic OAuth shaping idempotency, and session shutdown. Wired into CI.
+
+## [1.2.0] - 2026-06-10
+
+### Added
+
+- **Anthropic (Claude Pro/Max) OAuth now works out of the box.** OAuth login is
+  enabled on the base `anthropic` provider and on every `anthropic-account-*`
+  alias, and outgoing Anthropic OAuth requests are shaped (billing header +
+  system-prompt normalization) directly by this package. A separate
+  `pi-anthropic-auth` install is no longer required.
+
+### Changed
+
+- Request shaping is idempotent and only touches OAuth-marked Anthropic requests,
+  so it coexists safely with `pi-anthropic-auth` if both are installed, and leaves
+  API-key Anthropic and OpenAI Codex / Qwen requests untouched.
+
+### Credits
+
+- Anthropic OAuth request-shaping logic vendored from
+  [`gotgenes/pi-anthropic-auth`](https://github.com/gotgenes/pi-anthropic-auth) (MIT).
+
 ## [1.1.0] - 2026-06-10
 
 ### Fixed
@@ -55,5 +98,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Plaintext-free credential handling (SHA-256 fingerprints only); `0600`
   config/state files.
 
+[1.3.0]: https://github.com/Sarrius/pi-multi-account/releases/tag/v1.3.0
+[1.2.0]: https://github.com/Sarrius/pi-multi-account/releases/tag/v1.2.0
 [1.1.0]: https://github.com/Sarrius/pi-multi-account/releases/tag/v1.1.0
 [1.0.0]: https://github.com/Sarrius/pi-multi-account/releases/tag/v1.0.0

package/README.md

@@ -21,7 +21,11 @@ pi install npm:pi-multi-account
 
 Restart Pi or run `/reload` after installation.
 
-> **Anthropic OAuth aliases** (`anthropic-account-2`, …) require [`@gotgenes/pi-anthropic-auth`](https://www.npmjs.com/package/@gotgenes/pi-anthropic-auth) for request shaping. The base `anthropic` provider and all OpenAI Codex / Qwen accounts work without it.
+> **Anthropic (Claude Pro/Max) works out of the box.** OAuth login and request
+> shaping for the base `anthropic` provider and every `anthropic-account-*` alias
+> are built in — no separate `pi-anthropic-auth` install is required. If you
+> already have `pi-anthropic-auth`, the two coexist safely (the shaping is
+> idempotent). OpenAI Codex / ChatGPT and Qwen accounts work as well.
 
 ### Recommended setting
 

package/index.ts

@@ -15,9 +15,11 @@
  *   transparently switches to the next available account/model, optionally
  *   queuing a safe continuation prompt.
  *
- * Anthropic OAuth aliases require `@gotgenes/pi-anthropic-auth` for request
- * shaping (its before_provider_request hook is provider-agnostic and covers
- * every Anthropic OAuth alias this package registers).
+ * Anthropic OAuth (Claude Pro/Max) works out of the box: this package enables
+ * OAuth login on the base `anthropic` provider and on every `anthropic-account-*`
+ * alias, and shapes the outgoing requests itself (billing header + system-prompt
+ * normalization, vendored from gotgenes/pi-anthropic-auth, MIT). No separate
+ * pi-anthropic-auth install is needed; if you have one, both coexist (idempotent).
  *
  * Config:  ~/.pi/agent/provider-failover.json
  * State:   ~/.pi/agent/provider-failover-state.json
@@ -455,7 +457,7 @@ function codexModelDef(id: string) {
 }
 
 function registerAnthropicSlot(pi: ExtensionAPI, id: string) {
-	if (id === ANTHROPIC_BASE) return; // base provider is native / shaped by pi-anthropic-auth
+	if (id === ANTHROPIC_BASE) return; // base provider: oauth + shaping registered in piMultiAccount()
 	const models = DEFAULT_ANTHROPIC_MODELS.map((m) => anthropicModelDef(m, id));
 	pi.registerProvider(id, {
 		name: `Claude Pro/Max (${id})`,
@@ -601,6 +603,193 @@ function getAssistantErrorText(messages: any[]) {
 	return "";
 }
 
+// ===========================================================================
+// Anthropic OAuth request shaping (vendored)
+//
+// Makes Claude Pro/Max (OAuth) accounts work out of the box — no separate
+// pi-anthropic-auth install required. Ported from gotgenes/pi-anthropic-auth
+// (MIT). The logic is idempotent: if pi-anthropic-auth is ALSO installed, both
+// before_provider_request hooks run, but the second sees the request already
+// shaped (billing header present, Pi preamble already replaced) and no-ops.
+//
+// CLAUDE_CODE_VERSION must track the current Claude Code release; if it drifts
+// too far Anthropic may reject or miscount OAuth requests. Check `claude
+// --version` or https://github.com/anthropics/claude-code.
+// ===========================================================================
+
+const PI_DEFAULT_PROMPT_PREFIX = "You are an expert coding assistant operating inside pi, a coding agent harness.";
+const PI_DEFAULT_PROMPT_TERMINATOR =
+	"- Always read pi .md files completely and follow links to related docs (e.g., tui.md for TUI API details)";
+const MINIMAL_ANTHROPIC_OAUTH_PROMPT_PREFIX = "You are an expert coding assistant.";
+const MINIMAL_ANTHROPIC_OAUTH_PROMPT = [
+	MINIMAL_ANTHROPIC_OAUTH_PROMPT_PREFIX,
+	"Be concise and helpful.",
+	"Use the available tools to answer the user's request.",
+	"Show file paths clearly when working with files.",
+].join("\n");
+const CLAUDE_CODE_IDENTITY_PREFIX = "You are Claude Code, Anthropic's official CLI";
+const CLAUDE_CODE_VERSION = "2.1.150";
+const BILLING_HEADER_SALT = "59cf53e54c78";
+const BILLING_HEADER_POSITIONS = [4, 7, 20] as const;
+const CLAUDE_CODE_ENTRYPOINT = "sdk-cli";
+const PARAGRAPH_REMOVAL_ANCHORS: readonly string[] = [
+	"operating inside pi, a coding agent harness",
+	"In addition to the tools above",
+	"Pi documentation (read only when the user asks about pi itself",
+];
+const TEXT_REPLACEMENTS: readonly { match: string; replacement: string }[] = [
+	{
+		match: "Here is some useful information about the environment you are running in:",
+		replacement: "Environment context you are running in:",
+	},
+];
+
+type ShapeTextBlock = { type: "text"; text: string; [key: string]: unknown };
+type ShapeMessageBlock = { type?: string; text?: string; [key: string]: unknown };
+type ShapeMessageParam = { role?: string; content?: string | ShapeMessageBlock[]; [key: string]: unknown };
+type ShapeAnthropicPayload = { model?: unknown; messages?: unknown; system?: unknown; stream?: unknown; [key: string]: unknown };
+
+function isRecord(value: unknown): value is Record<string, unknown> {
+	return value !== null && typeof value === "object" && !Array.isArray(value);
+}
+
+function isAnthropicMessagesPayload(payload: unknown): payload is ShapeAnthropicPayload {
+	return isRecord(payload) && typeof payload.model === "string" && Array.isArray(payload.messages) && typeof payload.stream === "boolean";
+}
+
+function hasOAuthAnthropicSystemMarker(block: unknown): boolean {
+	if (!isRecord(block) || block.type !== "text" || typeof block.text !== "string") return false;
+	return (
+		block.text.includes(CLAUDE_CODE_IDENTITY_PREFIX) ||
+		block.text.includes("x-anthropic-billing-header:") ||
+		block.text.startsWith(MINIMAL_ANTHROPIC_OAUTH_PROMPT_PREFIX)
+	);
+}
+
+// Only requests that Pi already marked as OAuth (Claude Code identity block, or
+// already-shaped) are touched — API-key Anthropic requests pass through untouched.
+function isOAuthAnthropicPayload(payload: ShapeAnthropicPayload): boolean {
+	if (!Array.isArray(payload.system)) return false;
+	return payload.system.some(hasOAuthAnthropicSystemMarker);
+}
+
+function getFirstUserText(messages: ShapeMessageParam[]): string {
+	const firstUserMessage = messages.find((message) => message.role === "user");
+	if (!firstUserMessage) return "";
+	if (typeof firstUserMessage.content === "string") return firstUserMessage.content;
+	if (!Array.isArray(firstUserMessage.content)) return "";
+	const firstTextBlock = firstUserMessage.content.find((block) => block.type === "text" && typeof block.text === "string");
+	return typeof firstTextBlock?.text === "string" ? firstTextBlock.text : "";
+}
+
+function buildBillingHeaderValue(messages: ShapeMessageParam[]): string | undefined {
+	const messageText = getFirstUserText(messages);
+	if (!messageText) return undefined;
+	const cch = createHash("sha256").update(messageText).digest("hex").slice(0, 5);
+	const sampledCharacters = BILLING_HEADER_POSITIONS.map((index) => messageText[index] || "0").join("");
+	const suffix = createHash("sha256")
+		.update(`${BILLING_HEADER_SALT}${sampledCharacters}${CLAUDE_CODE_VERSION}`)
+		.digest("hex")
+		.slice(0, 3);
+	return ["x-anthropic-billing-header:", `cc_version=${CLAUDE_CODE_VERSION}.${suffix};`, `cc_entrypoint=${CLAUDE_CODE_ENTRYPOINT};`, `cch=${cch};`].join(" ");
+}
+
+function normalizeSystemBlock(block: unknown): ShapeTextBlock {
+	if (typeof block === "string") return { type: "text", text: block };
+	if (isRecord(block) && typeof block.text === "string") return { ...block, type: "text", text: block.text };
+	return { type: "text", text: "" };
+}
+
+function prependBillingHeader(system: unknown, messages: ShapeMessageParam[]): unknown {
+	const billingHeader = buildBillingHeaderValue(messages);
+	if (!billingHeader) return system;
+	const systemBlocks = Array.isArray(system) ? system.map(normalizeSystemBlock) : system == null ? [] : [normalizeSystemBlock(system)];
+	// Idempotent: don't add a second billing header (e.g. pi-anthropic-auth also ran).
+	if (systemBlocks.some((block) => block.text.includes("x-anthropic-billing-header:"))) return systemBlocks;
+	const billingBlock: ShapeTextBlock = { type: "text", text: billingHeader };
+	return [billingBlock, ...systemBlocks];
+}
+
+// The Anthropic API rejects assistant turns where non-tool_use blocks follow a
+// tool_use block; Pi's serializer can produce that, so split into two turns.
+function splitAssistantToolUseTrailingContent(messages: ShapeMessageParam[]): ShapeMessageParam[] {
+	return messages.flatMap((message) => {
+		if (message.role !== "assistant" || !Array.isArray(message.content)) return [message];
+		const firstToolUseIndex = message.content.findIndex((block) => block.type === "tool_use");
+		if (firstToolUseIndex === -1) return [message];
+		const trailingBlocks = message.content.slice(firstToolUseIndex);
+		if (!trailingBlocks.some((block) => block.type !== "tool_use")) return [message];
+		const nonToolUseBlocks = message.content.filter((block) => block.type !== "tool_use");
+		const toolUseBlocks = message.content.filter((block) => block.type === "tool_use");
+		return [
+			{ ...message, content: nonToolUseBlocks },
+			{ ...message, content: toolUseBlocks },
+		];
+	});
+}
+
+function sanitizeSystemText(text: string): string {
+	const paragraphs = text.split(/\n\n+/);
+	const filtered = paragraphs.filter((paragraph) => !PARAGRAPH_REMOVAL_ANCHORS.some((anchor) => paragraph.includes(anchor)));
+	let result = filtered.join("\n\n");
+	for (const rule of TEXT_REPLACEMENTS) result = result.replaceAll(rule.match, rule.replacement);
+	return result.trim();
+}
+
+function findProjectContextStart(systemPrompt: string): number {
+	return systemPrompt.indexOf("\n\n# Project Context\n\n");
+}
+
+function shapeAnthropicOAuthSystemPrompt(systemPrompt: string): string {
+	const prefixIdx = systemPrompt.indexOf(PI_DEFAULT_PROMPT_PREFIX);
+	if (prefixIdx === -1) return systemPrompt;
+	const terminatorIdx = systemPrompt.indexOf(PI_DEFAULT_PROMPT_TERMINATOR, prefixIdx);
+	if (terminatorIdx !== -1) {
+		const terminatorEnd = terminatorIdx + PI_DEFAULT_PROMPT_TERMINATOR.length;
+		const preamble = systemPrompt.slice(prefixIdx, terminatorEnd);
+		const sanitized = sanitizeSystemText(preamble);
+		const shapedPreamble = sanitized ? `${MINIMAL_ANTHROPIC_OAUTH_PROMPT}\n\n${sanitized}` : MINIMAL_ANTHROPIC_OAUTH_PROMPT;
+		return systemPrompt.slice(0, prefixIdx) + shapedPreamble + systemPrompt.slice(terminatorEnd);
+	}
+	// Pi reworded its preamble terminator → fall back to slicing from project context.
+	const projectContextStart = findProjectContextStart(systemPrompt);
+	if (projectContextStart === -1) return MINIMAL_ANTHROPIC_OAUTH_PROMPT;
+	return `${MINIMAL_ANTHROPIC_OAUTH_PROMPT}${systemPrompt.slice(projectContextStart)}`;
+}
+
+function shapeSystemBlocks(blocks: ShapeTextBlock[]): ShapeTextBlock[] {
+	return blocks.map((block) => {
+		if (block.type !== "text" || !block.text.includes(PI_DEFAULT_PROMPT_PREFIX)) return block;
+		return { ...block, text: shapeAnthropicOAuthSystemPrompt(block.text) };
+	});
+}
+
+/** before_provider_request shaper: makes Claude Pro/Max OAuth requests acceptable. */
+function shapeAnthropicOAuthPayload(payload: unknown): unknown {
+	if (!isAnthropicMessagesPayload(payload)) return payload;
+	const messages = payload.messages as ShapeMessageParam[];
+	if (!isOAuthAnthropicPayload(payload)) return payload; // API-key / non-OAuth → untouched
+	const normalizedMessages = splitAssistantToolUseTrailingContent(messages);
+	const shapedSystem = Array.isArray(payload.system) ? shapeSystemBlocks(payload.system as ShapeTextBlock[]) : payload.system;
+	const finalSystem = prependBillingHeader(shapedSystem, normalizedMessages);
+	return { ...payload, messages: normalizedMessages, system: finalSystem };
+}
+
+/** OAuth override enabling Claude Pro/Max login on a provider (base or alias). */
+const anthropicOAuthOverride = {
+	name: "Anthropic (Claude Pro/Max)",
+	login: (callbacks: any) => loginAnthropic(callbacks),
+	async refreshToken(credentials: any) {
+		const refreshed = await refreshAnthropicToken(credentials.refresh);
+		return {
+			...credentials,
+			...refreshed,
+			refresh: typeof refreshed.refresh === "string" && refreshed.refresh.trim().length > 0 ? refreshed.refresh : credentials.refresh,
+		};
+	},
+	getApiKey: (credentials: any) => credentials.access,
+};
+
 // ===========================================================================
 // Extension entry point
 // ===========================================================================
@@ -635,6 +824,11 @@ export default function piMultiAccount(pi: ExtensionAPI) {
 	let autoContinueTimer: ReturnType<typeof setTimeout> | undefined; // pending spaced continuation
 	let lastLeftProvider: string | undefined; // account we just failed away from (anti-ping-pong)
 	let lastLeftAt = 0;
+	// When the USER manually picks a model/account, we respect it: auto-failover will not yank
+	// them off it (that's the "I selected opus and it flipped to chatgpt" bug). selfModelSwitch
+	// marks our OWN setModel calls so the model_select event isn't mistaken for a manual pick.
+	let userSelectedProvider: string | undefined;
+	let selfModelSwitch = false;
 	// The thinking level the user intended for this turn. pi.setModel() re-clamps and
 	// persists the thinking level on every model switch, so without this it drifts
 	// downward across failovers ("thinking level keeps dropping"). We capture it before
@@ -910,11 +1104,22 @@ export default function piMultiAccount(pi: ExtensionAPI) {
 		return pool.sort((a, b) => a.remaining - b.remaining || a.rotIndex - b.rotIndex).map((s) => s.model);
 	}
 
-	async function switchToFallback(ctx: any, reason: string, cooldownMs = config.cooldownMs) {
+	async function switchToFallback(ctx: any, reason: string, cooldownMs = config.cooldownMs, manual = false) {
 		if (!config.enabled) return false;
 		const currentModel = ctx.model;
 		if (!currentModel) return false;
 
+		// Respect a manual model choice: if the user just picked this provider, do NOT auto-yank
+		// them onto another one — show the error and let them decide. Manual /multi-account next
+		// bypasses this (manual=true).
+		if (!manual && userSelectedProvider && currentModel.provider === userSelectedProvider) {
+			ctx.ui.notify(
+				`Provider failover: you selected ${currentModel.provider}/${currentModel.id} manually — staying on it (${reason.slice(0, 90)}). Use /model or /multi-account next to switch.`,
+				"warning",
+			);
+			return false;
+		}
+
 		markExhausted(currentModel.provider, cooldownMs);
 		lastLeftProvider = currentModel.provider;
 		lastLeftAt = Date.now();
@@ -938,7 +1143,9 @@ export default function piMultiAccount(pi: ExtensionAPI) {
 		const from = ref(currentModel.provider, currentModel.id);
 		for (const fallback of candidates) {
 			const to = ref(fallback.provider, fallback.id);
+			selfModelSwitch = true; // our own switch — not a manual user pick
 			const ok = await pi.setModel(fallback);
+			selfModelSwitch = false;
 			if (!ok) {
 				// setModel failed → the account has no usable auth right now.
 				ctx.ui.notify(`Provider failover: ${to} has no usable auth, dropping from rotation`, "warning");
@@ -963,35 +1170,31 @@ export default function piMultiAccount(pi: ExtensionAPI) {
 		return config.continuationPrompt.replaceAll("{from}", record.from).replaceAll("{to}", record.to).replaceAll("{reason}", record.reason);
 	}
 
-	/** Mark that the next agent run is our own failover continuation, then send it. */
-	function dispatchSelfContinuation(ctx: any, prompt: string) {
+	/**
+	 * Send our failover continuation — but ONLY when it is genuinely safe:
+	 *   - the user has not aborted (Esc), and the current op isn't aborting, and
+	 *   - the agent is idle (sending mid-turn throws "Agent is already processing" /
+	 *     "Cannot continue from message role: assistant").
+	 * Returns whether it actually sent. No background timer is ever used, so a turn is
+	 * always active for Esc to cancel — Esc/quit therefore always stop the chain.
+	 */
+	function dispatchSelfContinuation(ctx: any, prompt: string): boolean {
+		if (userAbortedChain || ctx.signal?.aborted || !ctx.isIdle()) return false;
 		lastAutoContinueAt = Date.now();
 		lastSentContinuationPrompt = prompt;
 		expectingSelfContinuation = true;
-		pi.sendUserMessage(prompt, ctx.isIdle() ? undefined : { deliverAs: "followUp" });
+		pi.sendUserMessage(prompt);
+		return true;
 	}
 
 	/**
-	 * Send an auto-continuation, but never faster than MIN_AUTOCONTINUE_INTERVAL_MS.
-	 * The spacing keeps a fully rate-limited rotation from pegging CPU/network and gives
-	 * the user a real window in which Esc actually sticks.
+	 * Continue after a successful failover switch — SYNCHRONOUSLY only.
+	 * Deliberately NOT a setTimeout: a deferred timer fires sendUserMessage when there is no
+	 * active turn for Esc to cancel, which is exactly how the chain escaped the user's control
+	 * and resurrected work on its own. Returns whether it sent.
 	 */
-	function scheduleAutoContinue(ctx: any, prompt: string) {
-		if (autoContinueTimer) {
-			clearTimeout(autoContinueTimer);
-			autoContinueTimer = undefined;
-		}
-		const wait = Math.max(0, MIN_AUTOCONTINUE_INTERVAL_MS - (Date.now() - lastAutoContinueAt));
-		if (wait === 0) {
-			dispatchSelfContinuation(ctx, prompt);
-			return;
-		}
-		autoContinueTimer = setTimeout(() => {
-			autoContinueTimer = undefined;
-			if (userAbortedChain || ctx.signal?.aborted) return; // user took over while we waited
-			dispatchSelfContinuation(ctx, prompt);
-		}, wait);
-		ctx.ui.notify(`Provider failover: next auto-continue in ~${Math.ceil(wait / 1000)}s (press Esc to cancel).`, "info");
+	function scheduleAutoContinue(ctx: any, prompt: string): boolean {
+		return dispatchSelfContinuation(ctx, prompt);
 	}
 
 	function clearPendingContinuation() {
@@ -1003,96 +1206,21 @@ export default function piMultiAccount(pi: ExtensionAPI) {
 		persist();
 	}
 
-	function nextPendingWakeDelayMs() {
-		if (!persistedState.pendingContinuationPrompt) return undefined;
-		const now = Date.now();
-		const lastProbe = lastProbeMap();
-		let bestWakeAt = Number.POSITIVE_INFINITY;
-		for (const provider of configuredProviders()) {
-			if (isInvalidated(provider)) continue;
-			const exhaustedUntil = exhaustedUntilByProvider.get(provider) ?? 0;
-			if (exhaustedUntil <= now) return 1000;
-			const probeDueAt = (lastProbe[provider] ?? 0) + config.probeCooldownMs;
-			bestWakeAt = Math.min(bestWakeAt, exhaustedUntil, probeDueAt);
-		}
-		if (!Number.isFinite(bestWakeAt)) return config.probeCooldownMs;
-		return Math.max(1000, Math.min(bestWakeAt - now, 2_147_483_647));
-	}
-
-	function schedulePendingWake(ctx?: any) {
-		if (ctx) latestCtx = ctx;
-		if (pendingWakeTimer) clearTimeout(pendingWakeTimer);
-		const delayMs = nextPendingWakeDelayMs();
-		if (delayMs === undefined) return;
-		pendingWakeTimer = setTimeout(() => {
-			pendingWakeTimer = undefined;
-			void attemptPendingResume();
-		}, delayMs);
-	}
-
 	function setPendingContinuation(ctx: any, reason: string) {
-		// Don't re-arm or re-notify if a pending resume is already queued — switchToFallback
-		// and agent_end can both reach here for the same exhaustion, and the wake timer is
-		// already running.
-		const alreadyPending = !!persistedState.pendingContinuationPrompt;
-		const current = ctx.model ? ref(ctx.model.provider, ctx.model.id) : ("unknown/model" as ModelRef);
-		const record: SwitchRecord = { from: current, to: "next-available/account" as ModelRef, reason, at: Date.now() };
-		persistedState = {
-			...persistedState,
-			pendingContinuationPrompt: persistedState.pendingContinuationPrompt || continuationPrompt(record),
-			pendingSince: persistedState.pendingSince || Date.now(),
-			pendingReason: reason,
-		};
+		// Every available account is rate-limited or unavailable right now. We deliberately do
+		// NOT arm a background timer to auto-resume later: such a timer fires sendUserMessage with
+		// no active turn for Esc to cancel and resurrects work on its own. Instead we STOP cleanly
+		// and tell the user — they retry by sending a message when an account has recovered.
+		const alreadyStopped = persistedState.pendingReason === reason;
+		persistedState = { ...persistedState, pendingReason: reason, pendingContinuationPrompt: undefined, pendingSince: undefined };
 		persist();
-		schedulePendingWake(ctx);
-		if (alreadyPending) return;
-		const delayMs = nextPendingWakeDelayMs();
+		if (alreadyStopped) return;
 		ctx.ui.notify(
-			`Provider failover: all accounts appear exhausted. Will automatically probe/resume in ~${Math.ceil((delayMs ?? config.probeCooldownMs) / 1000)}s if this Pi session stays open.`,
+			`Provider failover: every account is rate-limited or unavailable right now — stopped here. Send a message to retry once one recovers (check /multi-account status).`,
 			"warning",
 		);
 	}
 
-	async function attemptPendingResume() {
-		const ctx = latestCtx;
-		const prompt = persistedState.pendingContinuationPrompt;
-		if (!ctx || !prompt || !config.enabled || !config.autoContinue) return;
-		if (userAbortedChain) {
-			clearPendingContinuation(); // user took over — abandon the background resurrection
-			return;
-		}
-		if (autoContinuesThisPrompt >= config.maxAutoContinuesPerPrompt) {
-			clearPendingContinuation(); // task-level cap reached — stop resurrecting
-			return;
-		}
-		refreshDiscovery();
-		pruneCooldowns();
-		const candidates = findFallbackModels(ctx, ctx.model);
-		if (candidates.length === 0) {
-			schedulePendingWake(ctx);
-			return;
-		}
-		for (const candidate of candidates) {
-			const to = ref(candidate.provider, candidate.id);
-			const ok = await pi.setModel(candidate);
-			if (!ok) {
-				markInvalid(candidate.provider, "setModel failed on resume");
-				continue;
-			}
-			restoreDesiredThinking(); // keep the user's thinking level across the switch
-			setLastProbe(candidate.provider);
-			clearPendingContinuation();
-			// A genuine recovery after a real wait earns a fresh continuation budget so the
-			// agent can keep going whenever an account recovers; rapid flapping (resume that
-			// immediately re-limits) does NOT reset, so the cap still bounds a tight loop.
-			if (Date.now() - lastAutoContinueAt >= config.probeCooldownMs) autoContinuesThisPrompt = 0;
-			ctx.ui.notify(`Provider failover: resuming pending work on ${to}`, "warning");
-			dispatchSelfContinuation(ctx, prompt);
-			return;
-		}
-		schedulePendingWake(ctx);
-	}
-
 	// ----- error classification --------------------------------------------
 
 	function isAuthError(text: string) {
@@ -1139,6 +1267,8 @@ export default function piMultiAccount(pi: ExtensionAPI) {
 			exhaustedUntilByProvider.clear();
 			currentPromptSwitch = undefined;
 			autoContinuesThisPrompt = 0;
+			userAbortedChain = false;
+			userSelectedProvider = undefined;
 			if (pendingWakeTimer) {
 				clearTimeout(pendingWakeTimer);
 				pendingWakeTimer = undefined;
@@ -1151,7 +1281,8 @@ export default function piMultiAccount(pi: ExtensionAPI) {
 			return;
 		}
 		if (command === "next") {
-			await switchToFallback(ctx, "manual /multi-account next", 5 * 60 * 1000);
+			userSelectedProvider = undefined; // explicit request to move — drop any manual pin
+			await switchToFallback(ctx, "manual /multi-account next", 5 * 60 * 1000, true);
 			return;
 		}
 		if (command === "enable" || command === "disable") {
@@ -1186,6 +1317,14 @@ export default function piMultiAccount(pi: ExtensionAPI) {
 		pi.registerCommand(name, { description: "Manage automatic multi-account failover & rotation", handler: handleCommand });
 	}
 
+	// ----- Anthropic OAuth out of the box -----------------------------------
+	// Enable Claude Pro/Max OAuth login on the base `anthropic` provider and shape
+	// every Anthropic OAuth request so subscription tokens are accepted — without
+	// requiring a separate pi-anthropic-auth install. Idempotent, so it coexists
+	// safely if pi-anthropic-auth is also present.
+	pi.registerProvider("anthropic", { oauth: anthropicOAuthOverride } as any);
+	pi.on("before_provider_request", (event: any) => shapeAnthropicOAuthPayload(event.payload));
+
 	// ----- lifecycle hooks --------------------------------------------------
 
 	refreshDiscovery(true);
@@ -1258,11 +1397,21 @@ export default function piMultiAccount(pi: ExtensionAPI) {
 		refreshDiscovery(); // cheap: only re-scans when auth.json changed (new /login)
 	});
 
+	// Detect a MANUAL model/account selection by the user (vs our own failover setModel) and
+	// pin it, so auto-failover won't immediately yank them off it.
+	pi.on("model_select", (event) => {
+		if (selfModelSwitch) return; // our own failover switch — not a manual pick
+		const model = (event as any).model;
+		if (model?.provider) userSelectedProvider = model.provider;
+	});
+
 	pi.on("after_provider_response", async (event, ctx) => {
 		latestCtx = ctx;
 		if (!config.enabled) return;
 		if (userAbortedChain || ctx.signal?.aborted) return; // user is cancelling — don't fail over
 		const status = (event as any).status;
+		// The user's manually-picked model just worked → resume normal auto-failover for it.
+		if (status < 400 && ctx.model && ctx.model.provider === userSelectedProvider) userSelectedProvider = undefined;
 		if (status === 401) {
 			// Authorization is dead → drop this account, then move on.
 			if (ctx.model) markInvalid(ctx.model.provider, `HTTP 401`);
@@ -1339,9 +1488,10 @@ export default function piMultiAccount(pi: ExtensionAPI) {
 		}
 
 		if (currentPromptSwitch) {
-			autoContinuesThisPrompt++;
 			const prompt = continuationPrompt(currentPromptSwitch);
-			scheduleAutoContinue(ctx, prompt); // spaced + Esc-cancellable, not a tight loop
+			// Continue synchronously and only if it actually sent (agent idle, not aborted).
+			// Count the attempt only when we really sent, so the cap reflects real tries.
+			if (scheduleAutoContinue(ctx, prompt)) autoContinuesThisPrompt++;
 		}
 	});
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pi-multi-account",
-  "version": "1.1.0",
+  "version": "1.3.0",
   "description": "Automatic multi-account failover & rotation for Pi Agent across Anthropic (Claude), OpenAI/ChatGPT Codex, and Qwen/Alibaba. Auto-discovers authenticated accounts, grows the rotation on login, and drops accounts on logout, expiry, or quota/rate-limit errors.",
   "type": "module",
   "license": "MIT",
@@ -42,6 +42,7 @@
   ],
   "scripts": {
     "check": "tsc --noEmit",
+    "test": "node --test test/*.test.ts",
     "pack:check": "npm pack --dry-run",
     "prepublishOnly": "npm run check"
   },