skalpel 2.0.23 → 3.0.0

package/dist/cli/proxy-runner.js

@@ -1,1649 +0,0 @@
-#!/usr/bin/env node
-var __defProp = Object.defineProperty;
-var __getOwnPropNames = Object.getOwnPropertyNames;
-var __esm = (fn, res) => function __init() {
-  return fn && (res = (0, fn[__getOwnPropNames(fn)[0]])(fn = 0)), res;
-};
-var __export = (target, all) => {
-  for (var name in all)
-    __defProp(target, name, { get: all[name], enumerable: true });
-};
-
-// src/proxy/dispatcher.ts
-import { Agent } from "undici";
-var skalpelDispatcher;
-var init_dispatcher = __esm({
-  "src/proxy/dispatcher.ts"() {
-    "use strict";
-    skalpelDispatcher = new Agent({
-      keepAliveTimeout: 1e4,
-      keepAliveMaxTimeout: 6e4,
-      connections: 100,
-      pipelining: 1,
-      allowH2: false
-      // Force HTTP/1.1 to prevent GCP LB WebSocket downgrade
-    });
-  }
-});
-
-// src/proxy/envelope.ts
-function isAnthropicShaped(body) {
-  if (typeof body !== "object" || body === null) return false;
-  const b = body;
-  if (b.type !== "error") return false;
-  if (typeof b.error !== "object" || b.error === null) return false;
-  return true;
-}
-function defaultErrorTypeFor(status) {
-  if (status === 400) return "invalid_request_error";
-  if (status === 401 || status === 403) return "authentication_error";
-  if (status === 404) return "not_found_error";
-  if (status === 408) return "timeout_error";
-  if (status === 429) return "rate_limit_error";
-  if (status >= 500) return "api_error";
-  if (status >= 400) return "invalid_request_error";
-  return "api_error";
-}
-function buildErrorEnvelope(status, upstreamBody, origin, hint, retryAfter) {
-  let parsed = upstreamBody;
-  if (typeof upstreamBody === "string" && upstreamBody.length > 0) {
-    try {
-      parsed = JSON.parse(upstreamBody);
-    } catch {
-      parsed = upstreamBody;
-    }
-  }
-  let type = defaultErrorTypeFor(status);
-  let message;
-  if (isAnthropicShaped(parsed)) {
-    const inner = parsed.error;
-    if (typeof inner.type === "string" && inner.type.length > 0) {
-      type = inner.type;
-    }
-    message = typeof inner.message === "string" && inner.message.length > 0 ? inner.message : defaultMessageForStatus(status);
-  } else if (typeof parsed === "string" && parsed.length > 0) {
-    message = parsed;
-  } else {
-    message = defaultMessageForStatus(status);
-  }
-  const envelope = {
-    type: "error",
-    error: {
-      type,
-      message,
-      status_code: status,
-      origin
-    }
-  };
-  if (hint !== void 0) envelope.error.hint = hint;
-  if (retryAfter !== void 0) envelope.error.retry_after = retryAfter;
-  return envelope;
-}
-function defaultMessageForStatus(status) {
-  if (status === 401) return "Authentication failed";
-  if (status === 403) return "Forbidden";
-  if (status === 404) return "Not found";
-  if (status === 408) return "Request timed out";
-  if (status === 429) return "Rate limit exceeded";
-  if (status === 502) return "Bad gateway";
-  if (status === 503) return "Service unavailable";
-  if (status === 504) return "Gateway timeout";
-  if (status >= 500) return "Upstream error";
-  if (status >= 400) return "Client error";
-  return "Error";
-}
-var init_envelope = __esm({
-  "src/proxy/envelope.ts"() {
-    "use strict";
-  }
-});
-
-// src/proxy/recovery.ts
-import { createHash } from "crypto";
-function parseRetryAfterHeader(header) {
-  if (!header) return void 0;
-  const trimmed = header.trim();
-  if (!trimmed) return void 0;
-  const n = Number(trimmed);
-  if (Number.isFinite(n) && n >= 0) return Math.floor(n);
-  const dateMs = Date.parse(trimmed);
-  if (Number.isFinite(dateMs)) {
-    return Math.max(0, Math.ceil((dateMs - Date.now()) / 1e3));
-  }
-  return void 0;
-}
-function sleep(ms) {
-  return new Promise((resolve) => setTimeout(resolve, ms));
-}
-async function handle429WithRetryAfter(response, retryFn, logger) {
-  const headerVal = response.headers.get("retry-after");
-  const parsed = parseRetryAfterHeader(headerVal);
-  logger.debug(`429 recovery retryAfterHeader=${headerVal ?? "none"} parsed=${parsed ?? "none"}`);
-  if (parsed === void 0) {
-    await sleep(DEFAULT_BACKOFF_SECONDS * 1e3);
-    const retried2 = await retryFn();
-    logger.info("proxy.recovery.429_retry_count increment");
-    return retried2;
-  }
-  if (parsed > MAX_RETRY_AFTER_SECONDS) {
-    logger.warn(`429 recovery capped: retryAfter=${parsed}s exceeds max=${MAX_RETRY_AFTER_SECONDS}s, passing 429 through`);
-    return response;
-  }
-  await sleep(parsed * 1e3);
-  const retried = await retryFn();
-  logger.info("proxy.recovery.429_retry_count increment");
-  return retried;
-}
-async function handleTimeoutWithRetry(err, retryFn, logger) {
-  const code = err.code;
-  if (!code || !TIMEOUT_CODES.has(code)) {
-    throw err;
-  }
-  logger.warn(`timeout recovery code=${code}`);
-  await sleep(DEFAULT_BACKOFF_SECONDS * 1e3);
-  const retried = await retryFn();
-  logger.info("proxy.recovery.timeout_retry_count increment");
-  return retried;
-}
-function tokenFingerprint(authHeader) {
-  if (authHeader === void 0) return "none";
-  return createHash("sha256").update(authHeader).digest("hex").slice(0, 12);
-}
-var MAX_RETRY_AFTER_SECONDS, DEFAULT_BACKOFF_SECONDS, TIMEOUT_CODES, MUTEX_MAX_ENTRIES, LruMutexMap, refreshMutex;
-var init_recovery = __esm({
-  "src/proxy/recovery.ts"() {
-    "use strict";
-    MAX_RETRY_AFTER_SECONDS = 60;
-    DEFAULT_BACKOFF_SECONDS = 2;
-    TIMEOUT_CODES = /* @__PURE__ */ new Set(["ETIMEDOUT", "TIMEOUT", "UND_ERR_HEADERS_TIMEOUT"]);
-    MUTEX_MAX_ENTRIES = 1024;
-    LruMutexMap = class extends Map {
-      set(key, value) {
-        if (this.has(key)) {
-          super.delete(key);
-        } else if (this.size >= MUTEX_MAX_ENTRIES) {
-          const oldest = this.keys().next().value;
-          if (oldest !== void 0) super.delete(oldest);
-        }
-        return super.set(key, value);
-      }
-    };
-    refreshMutex = new LruMutexMap();
-  }
-});
-
-// src/proxy/fetch-error.ts
-function formatFetchErrorForLog(err, url) {
-  const parts = [];
-  const top = err;
-  if (top && typeof top === "object") {
-    if (top.name) parts.push(`name=${top.name}`);
-    if (top.code) parts.push(`code=${top.code}`);
-    if (top.message) parts.push(`msg=${top.message}`);
-    let cause = top.cause;
-    let depth = 0;
-    while (cause && depth < 4) {
-      const c = cause;
-      const causeBits = [];
-      if (c.name) causeBits.push(`name=${c.name}`);
-      if (c.code) causeBits.push(`code=${c.code}`);
-      if (c.message) causeBits.push(`msg=${c.message}`);
-      if (causeBits.length > 0) parts.push(`cause[${causeBits.join(",")}]`);
-      cause = c.cause;
-      depth += 1;
-    }
-  } else if (err !== void 0 && err !== null) {
-    parts.push(String(err));
-  }
-  parts.push(`url=${url}`);
-  return parts.join(" ");
-}
-var init_fetch_error = __esm({
-  "src/proxy/fetch-error.ts"() {
-    "use strict";
-  }
-});
-
-// src/proxy/trace-context.ts
-import { randomBytes } from "crypto";
-function parseTraceparent(header) {
-  if (!header) return null;
-  const trimmed = header.trim().toLowerCase();
-  const match = trimmed.match(TRACEPARENT_REGEX);
-  if (!match) return null;
-  const [, traceId, spanId, traceFlags] = match;
-  if (traceId === "00000000000000000000000000000000") return null;
-  if (spanId === "0000000000000000") return null;
-  return { traceId, spanId, traceFlags };
-}
-function generateTraceContext() {
-  return {
-    traceId: randomBytes(16).toString("hex"),
-    spanId: randomBytes(8).toString("hex"),
-    traceFlags: "01"
-    // sampled
-  };
-}
-function formatTraceparent(ctx) {
-  return `00-${ctx.traceId}-${ctx.spanId}-${ctx.traceFlags}`;
-}
-var TRACEPARENT_REGEX;
-var init_trace_context = __esm({
-  "src/proxy/trace-context.ts"() {
-    "use strict";
-    TRACEPARENT_REGEX = /^00-([0-9a-f]{32})-([0-9a-f]{16})-([0-9a-f]{2})$/;
-  }
-});
-
-// src/proxy/streaming.ts
-function parseRetryAfter(header) {
-  if (!header) return void 0;
-  const trimmed = header.trim();
-  if (!trimmed) return void 0;
-  const n = Number(trimmed);
-  if (Number.isFinite(n) && n >= 0) return Math.floor(n);
-  const dateMs = Date.parse(trimmed);
-  if (Number.isFinite(dateMs)) {
-    const delta = Math.max(0, Math.ceil((dateMs - Date.now()) / 1e3));
-    return delta;
-  }
-  return void 0;
-}
-function stripSkalpelHeaders(headers) {
-  const cleaned = { ...headers };
-  delete cleaned["X-Skalpel-API-Key"];
-  delete cleaned["X-Skalpel-Source"];
-  delete cleaned["X-Skalpel-Agent-Type"];
-  delete cleaned["X-Skalpel-SDK-Version"];
-  delete cleaned["X-Skalpel-Auth-Mode"];
-  return cleaned;
-}
-async function doStreamingFetch(url, body, headers) {
-  return fetch(url, { method: "POST", headers, body, dispatcher: skalpelDispatcher });
-}
-async function handleStreamingRequest(_req, res, _config, _source, body, skalpelUrl, directUrl, useSkalpel, forwardHeaders, logger, traceCtx) {
-  let response = null;
-  let fetchError = null;
-  let usedFallback = false;
-  if (useSkalpel) {
-    logger.info(`streaming fetch sending url=${skalpelUrl}`);
-    try {
-      response = await doStreamingFetch(skalpelUrl, body, forwardHeaders);
-    } catch (err) {
-      fetchError = err;
-    }
-    if (response && !fetchError) logger.info(`streaming fetch received status=${response.status} url=${skalpelUrl}`);
-    if (await isSkalpelBackendFailure(response, fetchError, logger)) {
-      logger.warn(`streaming: Skalpel backend failed (${fetchError ? formatFetchErrorForLog(fetchError, skalpelUrl) : `status ${response?.status}`}), falling back to direct Anthropic API`);
-      usedFallback = true;
-      response = null;
-      fetchError = null;
-      const directHeaders = stripSkalpelHeaders(forwardHeaders);
-      logger.info(`streaming fetch sending url=${directUrl} fallback=true`);
-      try {
-        response = await doStreamingFetch(directUrl, body, directHeaders);
-      } catch (err) {
-        fetchError = err;
-      }
-      if (response && !fetchError) logger.info(`streaming fetch received status=${response.status} url=${directUrl} fallback=true`);
-    }
-  } else {
-    logger.info(`streaming fetch sending url=${directUrl}`);
-    try {
-      response = await doStreamingFetch(directUrl, body, forwardHeaders);
-    } catch (err) {
-      fetchError = err;
-    }
-    if (response && !fetchError) logger.info(`streaming fetch received status=${response.status} url=${directUrl}`);
-  }
-  const finalUrl = usedFallback || !useSkalpel ? directUrl : skalpelUrl;
-  const finalHeaders = usedFallback ? stripSkalpelHeaders(forwardHeaders) : forwardHeaders;
-  if (fetchError) {
-    const code = fetchError.code;
-    if (code && TIMEOUT_CODES2.has(code)) {
-      try {
-        response = await handleTimeoutWithRetry(
-          fetchError,
-          () => doStreamingFetch(finalUrl, body, finalHeaders),
-          logger
-        );
-        fetchError = null;
-      } catch (retryErr) {
-        fetchError = retryErr;
-      }
-    }
-  }
-  if (response && response.status === 429) {
-    response = await handle429WithRetryAfter(
-      response,
-      () => doStreamingFetch(finalUrl, body, finalHeaders),
-      logger
-    );
-  }
-  if (!response || fetchError) {
-    const errMsg = fetchError ? formatFetchErrorForLog(fetchError, finalUrl) : "no response from upstream";
-    logger.error(`streaming fetch failed: ${errMsg}`);
-    res.writeHead(HTTP_BAD_GATEWAY, {
-      "Content-Type": "text/event-stream",
-      "Cache-Control": "no-cache"
-    });
-    const envelope = buildErrorEnvelope(HTTP_BAD_GATEWAY, errMsg, "skalpel-proxy");
-    res.write(`event: error
-data: ${JSON.stringify(envelope)}
-
-`);
-    res.end();
-    return;
-  }
-  if (usedFallback) {
-    logger.info("streaming: using direct Anthropic API fallback");
-  }
-  if (response.status >= 300) {
-    const retryAfter = parseRetryAfter(response.headers.get("retry-after"));
-    const originHeader = response.headers.get("x-skalpel-origin");
-    let origin;
-    if (originHeader === "backend") origin = "skalpel-backend";
-    else if (originHeader === "provider") origin = "provider";
-    else origin = "provider";
-    let rawBody = "";
-    let bodyReadFailed = false;
-    try {
-      rawBody = Buffer.from(await response.arrayBuffer()).toString();
-    } catch (readErr) {
-      bodyReadFailed = true;
-      logger.error(`streaming body-read failed after upstream status: ${readErr.message}`);
-    }
-    if (!bodyReadFailed) {
-      logger.error(`streaming upstream error: status=${response.status} body=${rawBody.slice(0, 500)}`);
-    }
-    const envelope = bodyReadFailed ? buildErrorEnvelope(
-      response.status,
-      "",
-      "skalpel-proxy",
-      "mid-stream abort",
-      retryAfter
-    ) : buildErrorEnvelope(response.status, rawBody, origin, void 0, retryAfter);
-    res.writeHead(response.status, {
-      "Content-Type": "text/event-stream",
-      "Cache-Control": "no-cache"
-    });
-    res.write(`event: error
-data: ${JSON.stringify(envelope)}
-
-`);
-    res.end();
-    return;
-  }
-  const sseHeaders = {};
-  for (const [key, value] of response.headers.entries()) {
-    if (!STRIP_HEADERS.has(key) && key !== "content-type") {
-      sseHeaders[key] = value;
-    }
-  }
-  sseHeaders["Content-Type"] = "text/event-stream";
-  sseHeaders["Cache-Control"] = "no-cache";
-  if (traceCtx) {
-    sseHeaders["traceparent"] = formatTraceparent(traceCtx);
-  }
-  res.writeHead(response.status, sseHeaders);
-  if (!response.body) {
-    res.write(`event: error
-data: ${JSON.stringify({ error: "no response body" })}
-
-`);
-    res.end();
-    return;
-  }
-  try {
-    const reader = response.body.getReader();
-    const decoder = new TextDecoder();
-    let chunkCount = 0;
-    let totalBytes = 0;
-    logger.info("streaming started");
-    while (true) {
-      const { done, value } = await reader.read();
-      if (done) break;
-      chunkCount++;
-      totalBytes += value.byteLength;
-      logger.debug(`streaming chunk #${chunkCount} bytes=${value.byteLength} totalBytes=${totalBytes}`);
-      const chunk = decoder.decode(value, { stream: true });
-      res.write(chunk);
-    }
-    logger.info(`streaming completed chunks=${chunkCount} totalBytes=${totalBytes}`);
-  } catch (err) {
-    logger.error(`streaming error: ${err.message}`);
-    const retryAfter = parseRetryAfter(response.headers.get("retry-after"));
-    const envelope = buildErrorEnvelope(
-      response.status,
-      err.message,
-      "skalpel-proxy",
-      "mid-stream abort",
-      retryAfter
-    );
-    res.write(`event: error
-data: ${JSON.stringify(envelope)}
-
-`);
-  }
-  res.end();
-}
-var TIMEOUT_CODES2, HTTP_BAD_GATEWAY, HOP_BY_HOP, STRIP_HEADERS;
-var init_streaming = __esm({
-  "src/proxy/streaming.ts"() {
-    "use strict";
-    init_dispatcher();
-    init_handler();
-    init_envelope();
-    init_recovery();
-    init_fetch_error();
-    init_trace_context();
-    TIMEOUT_CODES2 = /* @__PURE__ */ new Set(["ETIMEDOUT", "TIMEOUT", "UND_ERR_HEADERS_TIMEOUT"]);
-    HTTP_BAD_GATEWAY = 502;
-    HOP_BY_HOP = /* @__PURE__ */ new Set([
-      "connection",
-      "keep-alive",
-      "proxy-authenticate",
-      "proxy-authorization",
-      "te",
-      "trailer",
-      "transfer-encoding",
-      "upgrade"
-    ]);
-    STRIP_HEADERS = /* @__PURE__ */ new Set([
-      ...HOP_BY_HOP,
-      "content-encoding",
-      "content-length"
-    ]);
-  }
-});
-
-// src/proxy/codex-oauth.ts
-import { readFileSync } from "fs";
-import { homedir } from "os";
-import { join } from "path";
-function authFilePath() {
-  return join(homedir(), ".codex", "auth.json");
-}
-function readCodexAuth() {
-  const path4 = authFilePath();
-  let raw;
-  try {
-    raw = readFileSync(path4, "utf-8");
-  } catch (err) {
-    const code = err?.code;
-    if (code !== "ENOENT") {
-      process.stderr.write(`skalpel: codex-oauth: cannot read auth file (${code ?? "unknown"})
-`);
-    }
-    return null;
-  }
-  let parsed;
-  try {
-    parsed = JSON.parse(raw);
-  } catch {
-    process.stderr.write("skalpel: codex-oauth: auth file is not valid JSON\n");
-    return null;
-  }
-  if (parsed === null || typeof parsed !== "object" || typeof parsed.access_token !== "string" || typeof parsed.refresh_token !== "string" || typeof parsed.expires_at !== "string") {
-    process.stderr.write("skalpel: codex-oauth: auth file missing required fields\n");
-    return null;
-  }
-  const obj = parsed;
-  const auth = {
-    access_token: obj.access_token,
-    refresh_token: obj.refresh_token,
-    expires_at: obj.expires_at
-  };
-  if (typeof obj.account_id === "string") {
-    auth.account_id = obj.account_id;
-  }
-  return auth;
-}
-function isTokenFresh(auth) {
-  const expiresAtMs = Date.parse(auth.expires_at);
-  if (!Number.isFinite(expiresAtMs)) return false;
-  return expiresAtMs > Date.now() + TOKEN_FRESHNESS_BUFFER_MS;
-}
-function getFreshAccessToken() {
-  const auth = readCodexAuth();
-  if (auth === null) return null;
-  if (!isTokenFresh(auth)) return null;
-  return auth.access_token;
-}
-var TOKEN_FRESHNESS_BUFFER_MS;
-var init_codex_oauth = __esm({
-  "src/proxy/codex-oauth.ts"() {
-    "use strict";
-    TOKEN_FRESHNESS_BUFFER_MS = 1e4;
-  }
-});
-
-// src/proxy/ws-client.ts
-import { EventEmitter } from "events";
-import https from "https";
-import http from "http";
-import WebSocket from "ws";
-function pickAgent(url) {
-  return url.startsWith("wss://") ? H1_HTTPS_AGENT : H1_HTTP_AGENT;
-}
-function defaultBackoffBaseMs() {
-  const raw = process.env.SKALPEL_WS_BACKOFF_BASE_MS;
-  const parsed = raw === void 0 ? NaN : parseInt(raw, 10);
-  return Number.isFinite(parsed) && parsed > 0 ? parsed : 1e3;
-}
-function computeBackoff(attempt, baseMs) {
-  const exp = Math.min(MAX_BACKOFF_MS, baseMs * Math.pow(2, attempt));
-  const jitter = exp * (0.2 * (Math.random() * 2 - 1));
-  return Math.max(0, Math.floor(exp + jitter));
-}
-var WS_SUBPROTOCOL, MAX_RECONNECTS, MAX_BACKOFF_MS, NON_TRANSIENT_CLOSE_CODES, H1_HTTPS_AGENT, H1_HTTP_AGENT, BackendWsClient;
-var init_ws_client = __esm({
-  "src/proxy/ws-client.ts"() {
-    "use strict";
-    init_codex_oauth();
-    init_trace_context();
-    WS_SUBPROTOCOL = "skalpel-codex-v1";
-    MAX_RECONNECTS = 5;
-    MAX_BACKOFF_MS = 6e4;
-    NON_TRANSIENT_CLOSE_CODES = /* @__PURE__ */ new Set([4e3, 4001, 4002, 4004]);
-    H1_HTTPS_AGENT = new https.Agent({
-      ALPNProtocols: ["http/1.1"],
-      keepAlive: true
-    });
-    H1_HTTP_AGENT = new http.Agent({ keepAlive: true });
-    BackendWsClient = class extends EventEmitter {
-      opts;
-      ws = null;
-      reconnectAttempts = 0;
-      closedByUser = false;
-      pendingReconnect = null;
-      constructor(opts) {
-        super();
-        this.opts = opts;
-      }
-      async connect() {
-        const freshToken = getFreshAccessToken();
-        const bearer = freshToken ?? this.opts.oauthToken;
-        return new Promise((resolve, reject) => {
-          const headers = {
-            "X-Skalpel-API-Key": this.opts.apiKey,
-            Authorization: `Bearer ${bearer}`,
-            "x-skalpel-source": this.opts.source
-          };
-          if (this.opts.traceCtx) {
-            headers["traceparent"] = formatTraceparent(this.opts.traceCtx);
-          }
-          const ws = new WebSocket(this.opts.url, [WS_SUBPROTOCOL], {
-            agent: pickAgent(this.opts.url),
-            headers
-          });
-          this.ws = ws;
-          ws.once("unexpected-response", (_req, res) => {
-            const status = res.statusCode ?? 0;
-            this.opts.logger.warn(
-              `ws-client handshake rejected status=${status} \u2014 no retry, falling back to HTTP`
-            );
-            this.closedByUser = true;
-            this.emit("fallback", `handshake_${status}`);
-            try {
-              res.destroy?.();
-            } catch {
-            }
-            this.ws = null;
-            reject(new Error(`ws handshake status ${status}`));
-          });
-          ws.once("open", () => {
-            this.emit("open");
-            resolve();
-          });
-          ws.on("message", (data) => {
-            const text = data.toString("utf-8");
-            let parsed = null;
-            try {
-              parsed = JSON.parse(text);
-            } catch {
-              this.emit("error", new Error(`invalid frame: ${text.slice(0, 100)}`));
-              return;
-            }
-            this.emit("frame", parsed);
-          });
-          ws.on("error", (err) => {
-            this.opts.logger.debug(`ws-client error: ${err.message}`);
-            this.emit("error", err);
-          });
-          ws.once("close", (code, reasonBuf) => {
-            const reason = reasonBuf.toString("utf-8");
-            this.opts.logger.info(`ws-client close code=${code} reason=${reason}`);
-            this.ws = null;
-            if (this.closedByUser || code === 1e3) {
-              this.emit("close", code, reason);
-              return;
-            }
-            if (NON_TRANSIENT_CLOSE_CODES.has(code)) {
-              this.emit("close", code, reason);
-              this.emit("fallback", `close_${code}:${reason}`);
-              return;
-            }
-            this.scheduleReconnect(resolve, reject);
-            this.emit("close", code, reason);
-          });
-        });
-      }
-      scheduleReconnect(initialResolve, initialReject) {
-        if (this.reconnectAttempts >= MAX_RECONNECTS) {
-          this.emit("fallback", "reconnect_exhausted");
-          return;
-        }
-        this.reconnectAttempts += 1;
-        const delay = computeBackoff(this.reconnectAttempts, defaultBackoffBaseMs());
-        this.opts.logger.info(
-          `ws-client reconnect attempt=${this.reconnectAttempts} delay=${delay}ms`
-        );
-        this.pendingReconnect = setTimeout(() => {
-          this.pendingReconnect = null;
-          this.connect().catch((err) => {
-            this.opts.logger.debug(`reconnect failed: ${err.message}`);
-          });
-        }, delay);
-        void initialResolve;
-        void initialReject;
-      }
-      send(frame) {
-        if (this.ws === null || this.ws.readyState !== WebSocket.OPEN) {
-          throw new Error("ws-client send: socket not open");
-        }
-        this.ws.send(JSON.stringify(frame));
-      }
-      close(code = 1e3, reason = "client close") {
-        this.closedByUser = true;
-        if (this.pendingReconnect !== null) {
-          clearTimeout(this.pendingReconnect);
-          this.pendingReconnect = null;
-        }
-        if (this.ws !== null) {
-          try {
-            this.ws.close(code, reason);
-          } catch {
-          }
-          this.ws = null;
-        }
-      }
-    };
-  }
-});
-
-// src/proxy/handler.ts
-var handler_exports = {};
-__export(handler_exports, {
-  buildForwardHeaders: () => buildForwardHeaders,
-  handleRequest: () => handleRequest,
-  handleWebSocketBridge: () => handleWebSocketBridge,
-  isSkalpelBackendFailure: () => isSkalpelBackendFailure,
-  shouldRouteToSkalpel: () => shouldRouteToSkalpel
-});
-function validateCodexAuth(oauthToken, inboundAuth) {
-  if (!oauthToken && !inboundAuth) {
-    return { valid: false, error: "no_credentials" };
-  }
-  return { valid: true };
-}
-function collectBody(req) {
-  return new Promise((resolve, reject) => {
-    const chunks = [];
-    req.on("data", (chunk) => chunks.push(chunk));
-    req.on("end", () => resolve(Buffer.concat(chunks).toString()));
-    req.on("error", reject);
-  });
-}
-function shouldRouteToSkalpel(path4, source) {
-  if (source !== "claude-code") return true;
-  const pathname = path4.split("?")[0];
-  return SKALPEL_EXACT_PATHS.has(pathname);
-}
-async function isSkalpelBackendFailure(response, err, logger) {
-  if (err) return true;
-  if (!response) return true;
-  if (response.status < 500) return false;
-  const origin = response.headers?.get("x-skalpel-origin");
-  if (origin === "provider") return false;
-  if (origin === "backend") return true;
-  try {
-    const text = await response.clone().text();
-    if (!text) {
-      logger?.debug(`isSkalpelBackendFailure heuristic: status=${response.status} result=true shape=non-anthropic`);
-      return true;
-    }
-    let shape = "non-anthropic";
-    try {
-      const parsed = JSON.parse(text);
-      if (parsed && typeof parsed === "object" && parsed.type === "error" && parsed.error && typeof parsed.error === "object" && typeof parsed.error.type === "string" && typeof parsed.error.message === "string") {
-        shape = "anthropic";
-        logger?.debug(`isSkalpelBackendFailure heuristic: status=${response.status} result=false shape=${shape}`);
-        return false;
-      }
-    } catch {
-    }
-    logger?.debug(`isSkalpelBackendFailure heuristic: status=${response.status} result=true shape=${shape}`);
-    return true;
-  } catch {
-    logger?.debug(`isSkalpelBackendFailure heuristic: status=${response?.status ?? "null"} result=true shape=non-anthropic`);
-    return true;
-  }
-}
-function buildForwardHeaders(req, config2, source, useSkalpel, traceCtx) {
-  const forwardHeaders = {};
-  for (const [key, value] of Object.entries(req.headers)) {
-    if (value === void 0) continue;
-    if (FORWARD_HEADER_STRIP.has(key.toLowerCase())) continue;
-    forwardHeaders[key] = Array.isArray(value) ? value.join(", ") : value;
-  }
-  if (traceCtx) {
-    forwardHeaders["traceparent"] = formatTraceparent(traceCtx);
-  }
-  if (useSkalpel) {
-    forwardHeaders["X-Skalpel-API-Key"] = config2.apiKey;
-    forwardHeaders["X-Skalpel-Source"] = source;
-    forwardHeaders["X-Skalpel-Agent-Type"] = source;
-    forwardHeaders["X-Skalpel-SDK-Version"] = "proxy-1.0.0";
-    forwardHeaders["X-Skalpel-Auth-Mode"] = "passthrough";
-    if (source === "claude-code" && !forwardHeaders["x-api-key"]) {
-      const authHeader = forwardHeaders["authorization"] ?? "";
-      if (authHeader.toLowerCase().startsWith("bearer ")) {
-        const token = authHeader.slice(7).trim();
-        if (token.startsWith("sk-ant-")) {
-          forwardHeaders["x-api-key"] = token;
-          delete forwardHeaders["authorization"];
-        }
-      }
-    }
-    if (source === "codex") {
-      const oauthToken = getFreshAccessToken();
-      if (oauthToken !== null) {
-        forwardHeaders["authorization"] = `Bearer ${oauthToken}`;
-        delete forwardHeaders["Authorization"];
-      }
-    }
-  }
-  return forwardHeaders;
-}
-function stripSkalpelHeaders2(headers) {
-  const cleaned = { ...headers };
-  delete cleaned["X-Skalpel-API-Key"];
-  delete cleaned["X-Skalpel-Source"];
-  delete cleaned["X-Skalpel-Agent-Type"];
-  delete cleaned["X-Skalpel-SDK-Version"];
-  delete cleaned["X-Skalpel-Auth-Mode"];
-  return cleaned;
-}
-function extractResponseHeaders(response) {
-  const headers = {};
-  for (const [key, value] of response.headers.entries()) {
-    if (!STRIP_RESPONSE_HEADERS.has(key)) {
-      headers[key] = value;
-    }
-  }
-  return headers;
-}
-async function handleRequest(req, res, config2, source, logger) {
-  const start = Date.now();
-  const method = req.method ?? "GET";
-  const path4 = req.url ?? "/";
-  const fp = tokenFingerprint(
-    typeof req.headers.authorization === "string" ? req.headers.authorization : void 0
-  );
-  logger.info(`${source} ${method} ${path4} token=${fp}`);
-  if (source === "codex") {
-    const ua = req.headers["user-agent"] ?? "";
-    const authScheme = typeof req.headers.authorization === "string" ? req.headers.authorization.split(" ")[0] ?? "none" : "none";
-    const upgrade = req.headers.upgrade ?? "";
-    const connection = req.headers.connection ?? "";
-    const contentType = req.headers["content-type"] ?? "";
-    logger.debug(`codex-diag method=${method} path=${path4} ua=${ua} authScheme=${authScheme} upgrade=${upgrade} connection=${connection} contentType=${contentType} hasBody=${method !== "GET" && method !== "HEAD"}`);
-  }
-  let response = null;
-  try {
-    const body = await collectBody(req);
-    logger.info(`body collected bytes=${body.length}`);
-    const inboundTraceparent = req.headers["traceparent"];
-    const traceCtx = parseTraceparent(
-      typeof inboundTraceparent === "string" ? inboundTraceparent : null
-    ) ?? generateTraceContext();
-    const useSkalpel = shouldRouteToSkalpel(path4, source);
-    logger.info(`routing useSkalpel=${useSkalpel} traceId=${traceCtx.traceId}`);
-    const forwardHeaders = buildForwardHeaders(req, config2, source, useSkalpel, traceCtx);
-    logger.debug(`headers built skalpelHeaders=${useSkalpel} authConverted=${!forwardHeaders["authorization"] && !!forwardHeaders["x-api-key"]}`);
-    let isStreaming = false;
-    if (body) {
-      try {
-        const parsed = JSON.parse(body);
-        isStreaming = parsed.stream === true;
-      } catch {
-      }
-    }
-    logger.info(`stream detection isStreaming=${isStreaming}`);
-    if (isStreaming) {
-      const skalpelUrl2 = `${config2.remoteBaseUrl}${path4}`;
-      const directUrl2 = source === "claude-code" ? `${config2.anthropicDirectUrl}${path4}` : source === "cursor" ? `${config2.cursorDirectUrl}${path4}` : `${config2.openaiDirectUrl}${path4}`;
-      await handleStreamingRequest(req, res, config2, source, body, skalpelUrl2, directUrl2, useSkalpel, forwardHeaders, logger, traceCtx);
-      logger.info(`${method} ${path4} source=${source} streaming latency=${Date.now() - start}ms`);
-      return;
-    }
-    const skalpelUrl = `${config2.remoteBaseUrl}${path4}`;
-    const directUrl = source === "claude-code" ? `${config2.anthropicDirectUrl}${path4}` : source === "cursor" ? `${config2.cursorDirectUrl}${path4}` : `${config2.openaiDirectUrl}${path4}`;
-    const fetchBody = method !== "GET" && method !== "HEAD" ? body : void 0;
-    let fetchError = null;
-    let usedFallback = false;
-    if (useSkalpel) {
-      logger.info(`fetch sending url=${skalpelUrl} method=${method}`);
-      try {
-        response = await fetch(skalpelUrl, { method, headers: forwardHeaders, body: fetchBody, dispatcher: skalpelDispatcher });
-      } catch (err) {
-        fetchError = err;
-      }
-      if (response && !fetchError) logger.info(`fetch received status=${response.status} url=${skalpelUrl}`);
-      if (await isSkalpelBackendFailure(response, fetchError, logger)) {
-        logger.warn(`${method} ${path4} Skalpel backend failed (${fetchError ? formatFetchErrorForLog(fetchError, skalpelUrl) : `status ${response?.status}`}), falling back to direct Anthropic API`);
-        usedFallback = true;
-        response = null;
-        fetchError = null;
-        const directHeaders = stripSkalpelHeaders2(forwardHeaders);
-        logger.info(`fetch sending url=${directUrl} method=${method} fallback=true`);
-        try {
-          response = await fetch(directUrl, { method, headers: directHeaders, body: fetchBody, dispatcher: skalpelDispatcher });
-        } catch (err) {
-          fetchError = err;
-        }
-        if (response && !fetchError) logger.info(`fetch received status=${response.status} url=${directUrl} fallback=true`);
-      }
-    } else {
-      logger.info(`fetch sending url=${directUrl} method=${method}`);
-      try {
-        response = await fetch(directUrl, { method, headers: forwardHeaders, body: fetchBody, dispatcher: skalpelDispatcher });
-      } catch (err) {
-        fetchError = err;
-      }
-      if (response && !fetchError) logger.info(`fetch received status=${response.status} url=${directUrl}`);
-    }
-    const fetchUrl = usedFallback || !useSkalpel ? directUrl : skalpelUrl;
-    const fetchHeaders = usedFallback ? stripSkalpelHeaders2(forwardHeaders) : forwardHeaders;
-    if (fetchError) {
-      const code = fetchError.code;
-      if (code && TIMEOUT_CODES3.has(code)) {
-        logger.warn(`timeout detected code=${code} url=${fetchUrl}`);
-        try {
-          response = await handleTimeoutWithRetry(
-            fetchError,
-            () => fetch(fetchUrl, {
-              method,
-              headers: fetchHeaders,
-              body: fetchBody,
-              dispatcher: skalpelDispatcher
-            }),
-            logger
-          );
-          fetchError = null;
-        } catch (retryErr) {
-          fetchError = retryErr;
-        }
-      }
-    }
-    if (!response || fetchError) {
-      response = null;
-      throw fetchError ?? new Error("no response from upstream");
-    }
-    if (response.status === 429) {
-      logger.info(`429 received url=${fetchUrl}`);
-      response = await handle429WithRetryAfter(
-        response,
-        () => fetch(fetchUrl, {
-          method,
-          headers: fetchHeaders,
-          body: fetchBody,
-          dispatcher: skalpelDispatcher
-        }),
-        logger
-      );
-    }
-    if (response.status === 401 && (source === "claude-code" || source === "codex")) {
-      const fp2 = tokenFingerprint(
-        typeof req.headers.authorization === "string" ? req.headers.authorization : void 0
-      );
-      logger.debug(`handler: upstream 401 origin=provider token=${fp2} passthrough`);
-      const body401 = Buffer.from(await response.arrayBuffer());
-      const envelope = buildErrorEnvelope(401, body401.toString(), "provider");
-      res.writeHead(401, { "Content-Type": "application/json" });
-      res.end(JSON.stringify(envelope));
-      logger.info(`${method} ${path4} source=${source} status=401 (passthrough) latency=${Date.now() - start}ms`);
-      return;
-    }
-    const responseHeaders = extractResponseHeaders(response);
-    const responseBody = Buffer.from(await response.arrayBuffer());
-    responseHeaders["content-length"] = String(responseBody.length);
-    responseHeaders["traceparent"] = formatTraceparent(traceCtx);
-    logger.info(`response forwarding status=${response.status} bodyBytes=${responseBody.length}`);
-    res.writeHead(response.status, responseHeaders);
-    res.end(responseBody);
-    logger.info(`${method} ${path4} source=${source} status=${response.status}${usedFallback ? " (fallback)" : ""} latency=${Date.now() - start}ms`);
-  } catch (err) {
-    logger.error(`${method} ${path4} source=${source} error=${formatFetchErrorForLog(err, path4)}`);
-    if (!res.headersSent) {
-      if (response !== null) {
-        const upstreamStatus = response.status;
-        const envelope = buildErrorEnvelope(
-          upstreamStatus,
-          "",
-          "skalpel-proxy",
-          "body read failed after upstream status"
-        );
-        res.writeHead(upstreamStatus, { "Content-Type": "application/json" });
-        res.end(JSON.stringify(envelope));
-      } else {
-        const envelope = buildErrorEnvelope(
-          HTTP_BAD_GATEWAY2,
-          err.message,
-          "skalpel-proxy"
-        );
-        res.writeHead(HTTP_BAD_GATEWAY2, { "Content-Type": "application/json" });
-        res.end(JSON.stringify(envelope));
-      }
-    }
-  }
-}
-async function handleWebSocketBridge(clientWs, req, config2, source, logger) {
-  const backendUrl = buildBackendWsUrl(config2);
-  const freshOauthToken = getFreshAccessToken();
-  let oauthToken;
-  if (freshOauthToken !== null) {
-    oauthToken = freshOauthToken;
-  } else {
-    const oauthHeader = req.headers["authorization"] ?? "";
-    oauthToken = oauthHeader.toLowerCase().startsWith("bearer ") ? oauthHeader.slice(7).trim() : "";
-  }
-  const authResult = validateCodexAuth(freshOauthToken, oauthToken);
-  if (!authResult.valid) {
-    clientWs.send(JSON.stringify({
-      type: "error",
-      error: {
-        code: "no_credentials",
-        message: "Codex requires OAuth login. Run: codex login"
-      }
-    }));
-    clientWs.close(4e3, "no credentials");
-    return;
-  }
-  const backend = new BackendWsClient({
-    url: backendUrl,
-    apiKey: config2.apiKey,
-    oauthToken,
-    source,
-    logger
-  });
-  let fallbackActive = false;
-  let backendOpen = false;
-  const pendingClientText = [];
-  let firstClientFrameBody = null;
-  const flushPending = () => {
-    if (!backendOpen || fallbackActive) return;
-    while (pendingClientText.length > 0) {
-      const text = pendingClientText.shift();
-      if (text === void 0) break;
-      try {
-        const parsed = JSON.parse(text);
-        backend.send(parsed);
-      } catch (err) {
-        logger.warn(`bridge: flush backend.send failed: ${err.message}`);
-        pendingClientText.unshift(text);
-        return;
-      }
-    }
-  };
-  clientWs.on("message", (data) => {
-    const text = data.toString("utf-8");
-    if (firstClientFrameBody === null) {
-      firstClientFrameBody = text;
-    }
-    pendingClientText.push(text);
-    flushPending();
-  });
-  clientWs.on("close", (code, reason) => {
-    logger.info(`bridge: client closed code=${code} reason=${String(reason)}`);
-    backend.close(1e3, "client closed");
-  });
-  backend.on("open", () => {
-    backendOpen = true;
-    flushPending();
-  });
-  backend.on("frame", (frame) => {
-    try {
-      clientWs.send(JSON.stringify(frame));
-    } catch (err) {
-      logger.debug(`bridge: client.send failed: ${err.message}`);
-    }
-  });
-  backend.on("close", (code, reason) => {
-    logger.info(`bridge: backend closed code=${code} reason=${reason}`);
-    backendOpen = false;
-  });
-  backend.on("error", (err) => {
-    logger.debug(`bridge: backend error: ${err.message}`);
-  });
-  backend.on("fallback", (reason) => {
-    if (fallbackActive) return;
-    fallbackActive = true;
-    backendOpen = false;
-    logger.warn(`bridge: backend fallback reason=${reason} \u2014 switching to HTTP POST`);
-    const body = firstClientFrameBody ?? (pendingClientText.length > 0 ? pendingClientText[0] : null);
-    if (body === null) {
-      logger.warn("bridge: no request body cached for HTTP fallback");
-      return;
-    }
-    const inboundAuth = req.headers["authorization"] ?? "";
-    fallbackToHttp(clientWs, config2, source, logger, body, inboundAuth).catch((httpErr) => {
-      logger.error(`bridge HTTP drain failed: ${httpErr.message}`);
-      try {
-        clientWs.close(4003, "fallback drain failed");
-      } catch {
-      }
-    });
-  });
-  try {
-    await backend.connect();
-  } catch (err) {
-    logger.error(`bridge: initial connect failed: ${err.message}`);
-  }
-}
-function buildBackendWsUrl(config2) {
-  const base = config2.remoteBaseUrl.replace(/^http/, "ws");
-  return `${base}/v1/responses`;
-}
-function parseSseEvents(buffer) {
-  const events = [];
-  let rest = buffer.replace(/\r\n/g, "\n");
-  while (rest.includes("\n\n")) {
-    const idx = rest.indexOf("\n\n");
-    const block = rest.slice(0, idx);
-    rest = rest.slice(idx + 2);
-    const dataLines = [];
-    for (const line of block.split("\n")) {
-      const trimmed = line.replace(/^\s+/, "");
-      if (trimmed.startsWith("data:")) {
-        dataLines.push(trimmed.slice(5).replace(/^\s+/, ""));
-      }
-    }
-    if (dataLines.length === 0) continue;
-    const joined = dataLines.join("\n").trim();
-    if (joined.length === 0 || joined === "[DONE]") continue;
-    events.push(joined);
-  }
-  return { events, rest };
-}
-async function fallbackToHttp(clientWs, config2, source, logger, requestBody, inboundAuth) {
-  const preflightAuth = validateCodexAuth(getFreshAccessToken(), inboundAuth);
-  if (!preflightAuth.valid) {
-    clientWs.send(JSON.stringify({
-      type: "error",
-      error: {
-        code: "no_credentials",
-        message: "Codex requires OAuth login. Run: codex login"
-      }
-    }));
-    clientWs.close(4e3, "no credentials");
-    return;
-  }
-  try {
-    const freshToken = getFreshAccessToken();
-    const authHeader = freshToken !== null ? `Bearer ${freshToken}` : inboundAuth;
-    if (!authHeader) {
-      logger.error("http fallback aborted: no Authorization available");
-      try {
-        clientWs.send(
-          JSON.stringify({
-            type: "error",
-            error: { code: 401, message: "no credentials available for fallback" }
-          })
-        );
-        clientWs.close(1011, "no credentials");
-      } catch {
-      }
-      return;
-    }
-    const resp = await fetch(`${config2.remoteBaseUrl}/v1/responses`, {
-      method: "POST",
-      headers: {
-        "Content-Type": "application/json",
-        "X-Skalpel-API-Key": config2.apiKey,
-        "X-Skalpel-Source": source,
-        "X-Skalpel-Auth-Mode": "passthrough",
-        Authorization: authHeader,
-        Accept: "text/event-stream"
-      },
-      body: requestBody,
-      dispatcher: skalpelDispatcher
-    });
-    if (!resp.ok) {
-      let errorBody = "";
-      try {
-        const bodyPromise = resp.text();
-        const timeoutPromise = new Promise(
-          (_, reject) => setTimeout(() => reject(new Error("body read timeout")), 5e3)
-        );
-        errorBody = await Promise.race([bodyPromise, timeoutPromise]);
-      } catch (e) {
-        errorBody = `status ${resp.status}`;
-      }
-      let errorMessage = `Backend error: ${resp.status}`;
-      try {
-        const parsed = JSON.parse(errorBody);
-        errorMessage = parsed?.error?.message || parsed?.detail || errorMessage;
-      } catch {
-        if (errorBody.length < 200) errorMessage = errorBody;
-      }
-      clientWs.send(JSON.stringify({
-        type: "error",
-        error: { code: resp.status, message: errorMessage }
-      }));
-      clientWs.close(1011, "backend error");
-      return;
-    }
-    if (resp.body === null) {
-      clientWs.send(JSON.stringify({
-        type: "error",
-        error: { code: resp.status, message: "empty response body" }
-      }));
-      clientWs.close(1011, "empty body");
-      return;
-    }
-    const reader = resp.body.getReader();
-    const decoder = new TextDecoder("utf-8");
-    let buf = "";
-    while (true) {
-      const { done, value } = await reader.read();
-      if (done) break;
-      if (value === void 0) continue;
-      buf += decoder.decode(value, { stream: true });
-      const { events: events2, rest } = parseSseEvents(buf);
-      buf = rest;
-      for (const evt of events2) {
-        try {
-          clientWs.send(evt);
-        } catch {
-        }
-      }
-    }
-    const { events } = parseSseEvents(buf + "\n\n");
-    for (const evt of events) {
-      try {
-        clientWs.send(evt);
-      } catch {
-      }
-    }
-    try {
-      clientWs.close(1e3, "fallback complete");
-    } catch {
-    }
-  } catch (err) {
-    logger.warn(`http fallback failed: ${err.message}`);
-    try {
-      clientWs.send(
-        JSON.stringify({
-          type: "error",
-          error: { code: 502, message: err.message }
-        })
-      );
-      clientWs.close(1011, "http fallback error");
-    } catch {
-    }
-  }
-}
-var TIMEOUT_CODES3, HTTP_BAD_GATEWAY2, SKALPEL_EXACT_PATHS, FORWARD_HEADER_STRIP, STRIP_RESPONSE_HEADERS;
-var init_handler = __esm({
-  "src/proxy/handler.ts"() {
-    "use strict";
-    init_streaming();
-    init_dispatcher();
-    init_envelope();
-    init_ws_client();
-    init_codex_oauth();
-    init_recovery();
-    init_fetch_error();
-    init_trace_context();
-    TIMEOUT_CODES3 = /* @__PURE__ */ new Set(["ETIMEDOUT", "TIMEOUT", "UND_ERR_HEADERS_TIMEOUT"]);
-    HTTP_BAD_GATEWAY2 = 502;
-    SKALPEL_EXACT_PATHS = /* @__PURE__ */ new Set(["/v1/messages"]);
-    FORWARD_HEADER_STRIP = /* @__PURE__ */ new Set([
-      "host",
-      "connection",
-      "keep-alive",
-      "proxy-authenticate",
-      "proxy-authorization",
-      "te",
-      "trailer",
-      "transfer-encoding",
-      "upgrade"
-    ]);
-    STRIP_RESPONSE_HEADERS = /* @__PURE__ */ new Set([
-      "connection",
-      "keep-alive",
-      "proxy-authenticate",
-      "proxy-authorization",
-      "te",
-      "trailer",
-      "transfer-encoding",
-      "upgrade",
-      "content-encoding",
-      "content-length"
-    ]);
-  }
-});
-
-// src/proxy/server.ts
-init_handler();
-import http2 from "http";
-
-// src/proxy/health.ts
-function handleHealthRequest(res, config2, startTime, logger) {
-  logger?.debug("health check served");
-  const body = JSON.stringify({
-    status: "ok",
-    uptime: Date.now() - startTime,
-    ports: {
-      anthropic: config2.anthropicPort,
-      openai: config2.openaiPort,
-      cursor: config2.cursorPort
-    },
-    version: "proxy-1.0.0"
-  });
-  res.writeHead(200, { "Content-Type": "application/json" });
-  res.end(body);
-}
-
-// src/proxy/pid.ts
-import fs from "fs";
-import path from "path";
-import { execSync } from "child_process";
-function writePid(pidFile) {
-  fs.mkdirSync(path.dirname(pidFile), { recursive: true });
-  const record = {
-    pid: process.pid,
-    startTime: getStartTime(process.pid)
-  };
-  fs.writeFileSync(pidFile, JSON.stringify(record));
-}
-function getStartTime(pid) {
-  try {
-    if (process.platform === "linux") {
-      const stat = fs.readFileSync(`/proc/${pid}/stat`, "utf-8");
-      const rparen = stat.lastIndexOf(")");
-      if (rparen < 0) return null;
-      const fields = stat.slice(rparen + 2).split(" ");
-      return fields[19] ?? null;
-    }
-    if (process.platform === "darwin") {
-      const out = execSync(`ps -p ${pid} -o lstart=`, { timeout: 2e3, stdio: ["ignore", "pipe", "ignore"] });
-      const text = out.toString().trim();
-      return text || null;
-    }
-    return null;
-  } catch {
-    return null;
-  }
-}
-function removePid(pidFile) {
-  try {
-    fs.unlinkSync(pidFile);
-  } catch {
-  }
-}
-
-// src/proxy/logger.ts
-import fs2 from "fs";
-import path2 from "path";
-var MAX_SIZE = 5 * 1024 * 1024;
-var MAX_ROTATIONS = 3;
-var LEVELS = { debug: 0, info: 1, warn: 2, error: 3 };
-var Logger = class _Logger {
-  logFile;
-  level;
-  prefix;
-  constructor(logFile, level = "info", prefix = "") {
-    this.logFile = logFile;
-    this.level = level;
-    this.prefix = prefix;
-    fs2.mkdirSync(path2.dirname(logFile), { recursive: true });
-  }
-  debug(msg) {
-    this.log("debug", msg);
-  }
-  info(msg) {
-    this.log("info", msg);
-  }
-  warn(msg) {
-    this.log("warn", msg);
-  }
-  error(msg) {
-    this.log("error", msg);
-  }
-  /** Returns a new Logger that writes to the same file but prefixes every
-   *  emitted line with `[conn=<connId>] ` or `[conn=<connId> trace=<traceId>] `.
-   *  The parent logger continues to work unchanged. IPv6 colons should already
-   *  be sanitized by the caller. */
-  child(connId, traceId) {
-    const prefix = traceId ? `[conn=${connId} trace=${traceId}] ` : `[conn=${connId}] `;
-    const child = new _Logger(this.logFile, this.level, prefix);
-    return child;
-  }
-  log(level, msg) {
-    if (LEVELS[level] < LEVELS[this.level]) return;
-    const line = `${(/* @__PURE__ */ new Date()).toISOString()} [${level.toUpperCase()}] ${this.prefix}${msg}
-`;
-    if (level === "debug" || level === "error") {
-      process.stderr.write(line);
-    }
-    try {
-      this.rotate();
-      fs2.appendFileSync(this.logFile, line);
-    } catch {
-    }
-  }
-  rotate() {
-    try {
-      const stat = fs2.statSync(this.logFile);
-      if (stat.size < MAX_SIZE) return;
-    } catch {
-      return;
-    }
-    for (let i = MAX_ROTATIONS; i >= 1; i--) {
-      const src = i === 1 ? this.logFile : `${this.logFile}.${i - 1}`;
-      const dst = `${this.logFile}.${i}`;
-      try {
-        fs2.renameSync(src, dst);
-      } catch {
-      }
-    }
-  }
-};
-
-// src/proxy/ws-server.ts
-import { WebSocketServer } from "ws";
-var WS_SUBPROTOCOL2 = "skalpel-codex-v1";
-var wss = new WebSocketServer({
-  noServer: true,
-  handleProtocols: (protocols) => protocols.has(WS_SUBPROTOCOL2) ? WS_SUBPROTOCOL2 : false
-});
-function reject426(socket, payload) {
-  const body = JSON.stringify(payload);
-  socket.write(
-    `HTTP/1.1 426 Upgrade Required\r
-Content-Type: application/json\r
-Content-Length: ${Buffer.byteLength(body)}\r
-Connection: close\r
-\r
-` + body
-  );
-  socket.destroy();
-}
-function handleCodexUpgrade(req, socket, head, config2, logger) {
-  const wsFlag = process.env.SKALPEL_CODEX_WS ?? "1";
-  if (wsFlag === "0") {
-    logger.warn("ws-upgrade rejected: feature flag SKALPEL_CODEX_WS=0");
-    reject426(socket, { error: "ws_disabled" });
-    return;
-  }
-  wss.handleUpgrade(req, socket, head, (clientWs) => {
-    logger.info(`ws-upgrade accepted path=${req.url ?? ""} subproto=${WS_SUBPROTOCOL2}`);
-    Promise.resolve().then(() => (init_handler(), handler_exports)).then((mod) => {
-      const bridge = mod.handleWebSocketBridge;
-      if (typeof bridge !== "function") {
-        clientWs.send(
-          JSON.stringify({
-            type: "error",
-            payload: { code: "not_implemented" }
-          })
-        );
-        clientWs.close(4003, "bridge pending");
-        return;
-      }
-      void bridge(clientWs, req, config2, "codex", logger);
-    }).catch((err) => {
-      logger.error(`ws bridge import failed: ${err?.message ?? String(err)}`);
-      try {
-        clientWs.send(
-          JSON.stringify({
-            type: "error",
-            payload: { code: "bridge_import_failed" }
-          })
-        );
-      } catch {
-      }
-      clientWs.close(4003, "bridge import failed");
-    });
-  });
-}
-
-// src/proxy/server.ts
-init_codex_oauth();
-var proxyStartTime = 0;
-var connCounter = 0;
-function computeConnId(req) {
-  const addr = req.socket.remoteAddress ?? "unknown";
-  const port = req.socket.remotePort ?? 0;
-  const counter = (++connCounter).toString(36);
-  const raw = addr + "|" + port + "|" + Date.now().toString(36) + "|" + counter + "|" + Math.floor(Math.random() * 4096).toString(16);
-  return raw.replace(/:/g, "_");
-}
-function startProxy(config2) {
-  const logger = new Logger(config2.logFile, config2.logLevel);
-  const startTime = Date.now();
-  proxyStartTime = Date.now();
-  const anthropicServer = http2.createServer((req, res) => {
-    if (req.url === "/health" && req.method === "GET") {
-      handleHealthRequest(res, config2, startTime, logger.child("health"));
-      return;
-    }
-    const connId = computeConnId(req);
-    handleRequest(req, res, config2, "claude-code", logger.child(connId));
-  });
-  const openaiServer = http2.createServer((req, res) => {
-    if (req.url === "/health" && req.method === "GET") {
-      handleHealthRequest(res, config2, startTime, logger.child("health"));
-      return;
-    }
-    const connId = computeConnId(req);
-    handleRequest(req, res, config2, "codex", logger.child(connId));
-  });
-  const cursorServer = http2.createServer((req, res) => {
-    if (req.url === "/health" && req.method === "GET") {
-      handleHealthRequest(res, config2, startTime, logger.child("health"));
-      return;
-    }
-    const connId = computeConnId(req);
-    handleRequest(req, res, config2, "cursor", logger.child(connId));
-  });
-  anthropicServer.on("upgrade", (req, socket, _head) => {
-    const ua = req.headers["user-agent"] ?? "";
-    logger.warn(`upgrade-attempt port=${config2.anthropicPort} method=${req.method} url=${req.url} ua=${ua} origin=${req.headers.origin ?? ""}`);
-    const body = JSON.stringify({
-      error: "upgrade_required",
-      message: "Skalpel proxy is HTTP-only",
-      hint: 'Use wire_api="responses" over HTTP in your Codex config. See docs/codex-integration-fix.md.'
-    });
-    socket.write(
-      `HTTP/1.1 426 Upgrade Required\r
-Content-Type: application/json\r
-Content-Length: ${Buffer.byteLength(body)}\r
-Connection: close\r
-\r
-` + body
-    );
-    socket.destroy();
-  });
-  openaiServer.on("upgrade", (req, socket, head) => {
-    const ua = req.headers["user-agent"] ?? "";
-    logger.warn(`upgrade-attempt port=${config2.openaiPort} method=${req.method} url=${req.url} ua=${ua} origin=${req.headers.origin ?? ""}`);
-    const pathname = (req.url ?? "").split("?")[0];
-    if (pathname === "/v1/responses") {
-      const oauthPresent = getFreshAccessToken() !== null;
-      logger.info(`codex-upgrade oauth_present=${oauthPresent}`);
-      handleCodexUpgrade(req, socket, head, config2, logger);
-      return;
-    }
-    const body = JSON.stringify({
-      error: "upgrade_required",
-      message: "Skalpel proxy is HTTP-only",
-      hint: 'Use wire_api="responses" over HTTP in your Codex config. See docs/codex-integration-fix.md.'
-    });
-    socket.write(
-      `HTTP/1.1 426 Upgrade Required\r
-Content-Type: application/json\r
-Content-Length: ${Buffer.byteLength(body)}\r
-Connection: close\r
-\r
-` + body
-    );
-    socket.destroy();
-  });
-  cursorServer.on("upgrade", (req, socket, _head) => {
-    const ua = req.headers["user-agent"] ?? "";
-    logger.warn(`upgrade-attempt port=${config2.cursorPort} method=${req.method} url=${req.url} ua=${ua} origin=${req.headers.origin ?? ""}`);
-    const body = JSON.stringify({
-      error: "upgrade_required",
-      message: "Skalpel proxy is HTTP-only",
-      hint: 'Use wire_api="responses" over HTTP in your Codex config. See docs/codex-integration-fix.md.'
-    });
-    socket.write(
-      `HTTP/1.1 426 Upgrade Required\r
-Content-Type: application/json\r
-Content-Length: ${Buffer.byteLength(body)}\r
-Connection: close\r
-\r
-` + body
-    );
-    socket.destroy();
-  });
-  anthropicServer.on("error", (err) => {
-    if (err.code === "EADDRINUSE") {
-      logger.error(`Port ${config2.anthropicPort} is already in use. Another Skalpel proxy or process may be running.`);
-    } else {
-      logger.error(`Anthropic proxy failed to bind port ${config2.anthropicPort}: ${err.message}`);
-    }
-    removePid(config2.pidFile);
-    process.exit(1);
-  });
-  openaiServer.on("error", (err) => {
-    if (err.code === "EADDRINUSE") {
-      logger.error(`Port ${config2.openaiPort} is already in use. Another Skalpel proxy or process may be running.`);
-    } else {
-      logger.error(`OpenAI proxy failed to bind port ${config2.openaiPort}: ${err.message}`);
-    }
-    removePid(config2.pidFile);
-    process.exit(1);
-  });
-  cursorServer.on("error", (err) => {
-    if (err.code === "EADDRINUSE") {
-      logger.error(`Port ${config2.cursorPort} is already in use. Another Skalpel proxy or process may be running.`);
-    } else {
-      logger.error(`Cursor proxy failed to bind port ${config2.cursorPort}: ${err.message}`);
-    }
-    removePid(config2.pidFile);
-    process.exit(1);
-  });
-  let bound = 0;
-  const onBound = () => {
-    bound++;
-    if (bound === 3) {
-      writePid(config2.pidFile);
-      logger.info(`Proxy started (pid=${process.pid}) ports=${config2.anthropicPort},${config2.openaiPort},${config2.cursorPort}`);
-    }
-  };
-  anthropicServer.listen(config2.anthropicPort, () => {
-    logger.info(`Anthropic proxy listening on port ${config2.anthropicPort}`);
-    onBound();
-  });
-  openaiServer.listen(config2.openaiPort, () => {
-    logger.info(`OpenAI proxy listening on port ${config2.openaiPort}`);
-    onBound();
-  });
-  cursorServer.listen(config2.cursorPort, () => {
-    logger.info(`Cursor proxy listening on port ${config2.cursorPort}`);
-    onBound();
-  });
-  const cleanup = () => {
-    logger.info("Shutting down proxy...");
-    anthropicServer.close();
-    openaiServer.close();
-    cursorServer.close();
-    removePid(config2.pidFile);
-    process.exit(0);
-  };
-  process.on("SIGTERM", cleanup);
-  process.on("SIGINT", cleanup);
-  process.on("uncaughtException", (err) => {
-    logger.error(`Uncaught exception: ${err.message}`);
-    removePid(config2.pidFile);
-    process.exit(1);
-  });
-  process.on("unhandledRejection", (reason) => {
-    logger.error(`Unhandled rejection: ${reason}`);
-    removePid(config2.pidFile);
-    process.exit(1);
-  });
-  return { anthropicServer, openaiServer, cursorServer };
-}
-
-// src/proxy/config.ts
-import fs3 from "fs";
-import path3 from "path";
-import os from "os";
-function expandHome(filePath) {
-  if (filePath.startsWith("~")) {
-    return path3.join(os.homedir(), filePath.slice(1));
-  }
-  return filePath;
-}
-var DEFAULTS = {
-  apiKey: "",
-  remoteBaseUrl: "https://api.skalpel.ai",
-  anthropicDirectUrl: "https://api.anthropic.com",
-  openaiDirectUrl: "https://api.openai.com",
-  anthropicPort: 18100,
-  openaiPort: 18101,
-  cursorPort: 18102,
-  cursorDirectUrl: "https://api.openai.com",
-  logLevel: "info",
-  logFile: "~/.skalpel/logs/proxy.log",
-  pidFile: "~/.skalpel/proxy.pid",
-  configFile: "~/.skalpel/config.json",
-  mode: "proxy"
-};
-function coerceMode(value) {
-  return value === "direct" ? "direct" : "proxy";
-}
-function loadConfig(configPath) {
-  const filePath = expandHome(configPath ?? DEFAULTS.configFile);
-  let fileConfig = {};
-  try {
-    const raw = fs3.readFileSync(filePath, "utf-8");
-    fileConfig = JSON.parse(raw);
-  } catch {
-  }
-  return {
-    apiKey: fileConfig.apiKey ?? DEFAULTS.apiKey,
-    remoteBaseUrl: fileConfig.remoteBaseUrl ?? DEFAULTS.remoteBaseUrl,
-    anthropicDirectUrl: fileConfig.anthropicDirectUrl ?? DEFAULTS.anthropicDirectUrl,
-    openaiDirectUrl: fileConfig.openaiDirectUrl ?? DEFAULTS.openaiDirectUrl,
-    anthropicPort: fileConfig.anthropicPort ?? DEFAULTS.anthropicPort,
-    openaiPort: fileConfig.openaiPort ?? DEFAULTS.openaiPort,
-    cursorPort: fileConfig.cursorPort ?? DEFAULTS.cursorPort,
-    cursorDirectUrl: fileConfig.cursorDirectUrl ?? DEFAULTS.cursorDirectUrl,
-    logLevel: fileConfig.logLevel ?? DEFAULTS.logLevel,
-    logFile: expandHome(fileConfig.logFile ?? DEFAULTS.logFile),
-    pidFile: expandHome(fileConfig.pidFile ?? DEFAULTS.pidFile),
-    configFile: filePath,
-    mode: coerceMode(fileConfig.mode)
-  };
-}
-
-// src/cli/proxy-runner.ts
-var config = loadConfig();
-startProxy(config);
-//# sourceMappingURL=proxy-runner.js.map