teleton 0.7.2 → 0.7.4

package/README.md

@@ -21,7 +21,7 @@
 
 - **Full Telegram access** - Operates as a real user via MTProto (GramJS), not a limited bot
 - **Agentic loop** - Up to 5 iterations of tool calling per message, the agent thinks, acts, observes, and repeats
-- **Multi-Provider LLM** - Anthropic, OpenAI, Google Gemini, xAI Grok, Groq, OpenRouter, Moonshot, Mistral, Cocoon, Local
+- **Multi-Provider LLM** - Anthropic, Claude Code, OpenAI, Google Gemini, xAI Grok, Groq, OpenRouter, Moonshot, Mistral, Cocoon, Local (11 providers)
 - **TON Blockchain** - Built-in W5R1 wallet, send/receive TON & jettons, swap on STON.fi and DeDust, NFTs, DNS domains
 - **Persistent memory** - Hybrid RAG (sqlite-vec + FTS5), auto-compaction with AI summarization, daily logs
 - **100+ built-in tools** - Messaging, media, blockchain, DEX trading, deals, DNS, journaling, and more
@@ -37,7 +37,7 @@
 
 | Category      | Tools | Description                                                                                                        |
 | ------------- | ----- | ------------------------------------------------------------------------------------------------------------------ |
-| Telegram      | 66    | Messaging, media, chats, groups, polls, stickers, gifts, stars, stories, contacts, folders, profile, memory, tasks |
+| Telegram      | 73    | Messaging, media, chats, groups, polls, stickers, gifts, stars, stories, contacts, folders, profile, memory, tasks, voice transcription, scheduled messages |
 | TON & Jettons | 15    | W5R1 wallet, send/receive TON & jettons, balances, prices, holders, history, charts, NFTs, smart DEX router        |
 | STON.fi DEX   | 5     | Swap, quote, search, trending tokens, liquidity pools                                                              |
 | DeDust DEX    | 5     | Swap, quote, pools, prices, token analytics (holders, top traders, buy/sell tax)                                   |
@@ -51,7 +51,7 @@
 
 | Capability              | Description                                                                                                                 |
 | ----------------------- | --------------------------------------------------------------------------------------------------------------------------- |
-| **Multi-Provider LLM**  | Switch between Anthropic, OpenAI, Google, xAI, Groq, OpenRouter, Moonshot, Mistral, Cocoon, or Local with one config change  |
+| **Multi-Provider LLM**  | Switch between Anthropic, Claude Code, OpenAI, Google, xAI, Groq, OpenRouter, Moonshot, Mistral, Cocoon, or Local — Dashboard validates API key before switching |
 | **RAG + Hybrid Search** | Local ONNX embeddings (384d) or Voyage AI (512d/1024d) with FTS5 keyword + sqlite-vec cosine similarity, fused via RRF      |
 | **Auto-Compaction**     | AI-summarized context management prevents overflow, preserves key information in `memory/*.md` files                        |
 | **Observation Masking** | Compresses old tool results to one-line summaries, saving ~90% context window                                               |
@@ -71,7 +71,7 @@
 ## Prerequisites
 
 - **Node.js 20.0.0+** - [Download](https://nodejs.org/)
-- **LLM API Key** - One of: [Anthropic](https://console.anthropic.com/) (recommended), [OpenAI](https://platform.openai.com/), [Google](https://aistudio.google.com/), [xAI](https://console.x.ai/), [Groq](https://console.groq.com/), [OpenRouter](https://openrouter.ai/)
+- **LLM API Key** - One of: [Anthropic](https://console.anthropic.com/) (recommended), [OpenAI](https://platform.openai.com/), [Google](https://aistudio.google.com/), [xAI](https://console.x.ai/), [Groq](https://console.groq.com/), [OpenRouter](https://openrouter.ai/), [Moonshot](https://platform.moonshot.ai/), [Mistral](https://console.mistral.ai/) — or keyless: Claude Code (auto-detect), Cocoon (TON), Local (Ollama/vLLM)
 - **Telegram Account** - Dedicated account recommended for security
 - **Telegram API Credentials** - From [my.telegram.org/apps](https://my.telegram.org/apps)
 - **Your Telegram User ID** - Message [@userinfobot](https://t.me/userinfobot)
@@ -109,7 +109,7 @@ teleton setup
 ```
 
 The wizard will configure:
-- LLM provider selection (Anthropic, OpenAI, Google, xAI, Groq, OpenRouter)
+- LLM provider selection (11 providers: Anthropic, Claude Code, OpenAI, Google, xAI, Groq, OpenRouter, Moonshot, Mistral, Cocoon, Local)
 - Telegram authentication (API credentials, phone, login code)
 - Access policies (DM/group response rules)
 - Admin user ID
@@ -152,10 +152,10 @@ The `teleton setup` wizard generates a fully configured `~/.teleton/config.yaml`
 
 ```yaml
 agent:
-  provider: "anthropic"              # anthropic | openai | google | xai | groq | openrouter
+  provider: "anthropic"              # anthropic | claude-code | openai | google | xai | groq | openrouter | moonshot | mistral | cocoon | local
   api_key: "sk-ant-api03-..."
-  model: "claude-opus-4-5-20251101"
-  utility_model: "claude-3-5-haiku-20241022"  # for summarization, compaction, vision
+  model: "claude-opus-4-6"
+  utility_model: "claude-haiku-4-5-20251001"  # for summarization, compaction, vision
   max_agentic_iterations: 5
 
 telegram:
@@ -183,6 +183,24 @@ webui:                       # Optional: Web dashboard
   # auth_token: "..."        # Auto-generated if omitted
 ```
 
+### Supported Models
+
+All models are defined in `src/config/model-catalog.ts` and shared across the CLI setup, WebUI setup wizard, and Dashboard. To add a model, add it there — it will appear everywhere automatically.
+
+| Provider | Models |
+|----------|--------|
+| **Anthropic** | Claude Opus 4.6, Claude Opus 4.5, Claude Sonnet 4.6, Claude Haiku 4.5 |
+| **Claude Code** | Same as Anthropic (auto-detected credentials) |
+| **OpenAI** | GPT-5, GPT-5 Pro, GPT-5 Mini, GPT-5.1, GPT-4o, GPT-4.1, GPT-4.1 Mini, o4 Mini, o3, Codex Mini |
+| **Google** | Gemini 3 Pro (preview), Gemini 3 Flash (preview), Gemini 2.5 Pro, Gemini 2.5 Flash, Gemini 2.5 Flash Lite, Gemini 2.0 Flash |
+| **xAI** | Grok 4.1 Fast, Grok 4 Fast, Grok 4, Grok Code, Grok 3 |
+| **Groq** | Llama 4 Maverick, Qwen3 32B, DeepSeek R1 70B, Llama 3.3 70B |
+| **OpenRouter** | Claude Opus/Sonnet, GPT-5, Gemini, DeepSeek R1/V3, Qwen3 Coder/Max/235B, Nemotron, Sonar Pro, MiniMax, Grok 4 |
+| **Moonshot** | Kimi K2.5, Kimi K2 Thinking |
+| **Mistral** | Devstral Small/Medium, Mistral Large, Magistral Small |
+| **Cocoon** | Qwen/Qwen3-32B (decentralized, pays in TON) |
+| **Local** | Auto-detected (Ollama, vLLM, LM Studio) |
+
 ### MCP Servers
 
 Connect external tool servers via the [Model Context Protocol](https://modelcontextprotocol.io/). No code needed - tools are auto-discovered and registered at startup.
@@ -283,7 +301,7 @@ Teleton includes an **optional web dashboard** for monitoring and configuration.
 
 ### Features
 
-- **Dashboard**: System status, uptime, model info, session count, memory stats
+- **Dashboard**: System status, uptime, model info, session count, memory stats, provider switching with API key validation
 - **Tools Management**: View all tools grouped by module, toggle enable/disable, change scope per tool
 - **Plugin Marketplace**: Install, update, and manage plugins from registry with secrets management
 - **Soul Editor**: Edit SOUL.md, SECURITY.md, STRATEGY.md, MEMORY.md with unsaved changes warning
@@ -386,7 +404,7 @@ All admin commands support `/`, `!`, or `.` prefix:
 
 | Layer | Technology |
 |-------|------------|
-| LLM | Multi-provider via [pi-ai](https://github.com/mariozechner/pi-ai) (Anthropic, OpenAI, Google, xAI, Groq, OpenRouter) |
+| LLM | Multi-provider via [pi-ai](https://github.com/mariozechner/pi-ai) (11 providers: Anthropic, Claude Code, OpenAI, Google, xAI, Groq, OpenRouter, Moonshot, Mistral, Cocoon, Local) |
 | Telegram Userbot | [GramJS](https://gram.js.org/) (MTProto) |
 | Inline Bot | [Grammy](https://grammy.dev/) (Bot API, for deals) |
 | Blockchain | [TON SDK](https://github.com/ton-org/ton) (W5R1 wallet) |
@@ -414,7 +432,7 @@ src/
 │       ├── module-loader.ts    # Built-in module loading (deals → +5 tools)
 │       ├── plugin-loader.ts    # External plugin discovery, validation, hot-reload
 │       ├── mcp-loader.ts       # MCP client (stdio/SSE), tool discovery, lifecycle
-│       ├── telegram/       # Telegram operations (66 tools)
+│       ├── telegram/       # Telegram operations (73 tools)
 │       ├── ton/            # TON blockchain + jettons + DEX router (15 tools)
 │       ├── stonfi/         # STON.fi DEX (5 tools)
 │       ├── dedust/         # DeDust DEX (5 tools)
@@ -463,7 +481,8 @@ src/
 │   └── loader.ts           # 10 sections: soul + security + strategy + memory + context + ...
 ├── config/                 # Configuration
 │   ├── schema.ts           # Zod schemas + validation
-│   └── providers.ts        # Multi-provider LLM registry (10 providers)
+│   ├── providers.ts        # Multi-provider LLM registry (11 providers)
+│   └── model-catalog.ts    # Shared model catalog (60+ models across all providers)
 ├── webui/                  # Optional web dashboard
 │   ├── server.ts           # Hono server, auth middleware, static serving
 │   └── routes/             # 11 API route groups (status, tools, logs, memory, soul, plugins, mcp, tasks, workspace, config, marketplace)

package/dist/{chunk-ND2X5FWB.js → chunk-5PLZ3KSO.js}

@@ -1,6 +1,10 @@
+import {
+  getClaudeCodeApiKey,
+  refreshClaudeCodeApiKey
+} from "./chunk-JQDLW7IE.js";
 import {
   getProviderMetadata
-} from "./chunk-LRCPA7SC.js";
+} from "./chunk-RMLQS3X6.js";
 import {
   appendToTranscript,
   readTranscript
@@ -92,12 +96,13 @@ function sanitizeToolsForGemini(tools) {
 // src/agent/client.ts
 var log = createLogger("LLM");
 function isOAuthToken(apiKey, provider) {
-  if (provider && provider !== "anthropic") return false;
+  if (provider && provider !== "anthropic" && provider !== "claude-code") return false;
   return apiKey.startsWith("sk-ant-oat01-");
 }
 function getEffectiveApiKey(provider, rawKey) {
   if (provider === "local") return "local";
   if (provider === "cocoon") return "";
+  if (provider === "claude-code") return getClaudeCodeApiKey(rawKey);
   return rawKey;
 }
 var modelCache = /* @__PURE__ */ new Map();
@@ -307,7 +312,15 @@ async function chatWithContext(config, options) {
     const { stripCocoonPayload } = await import("./tool-adapter-Y3TCEQOC.js");
     completeOptions.onPayload = stripCocoonPayload;
   }
-  const response = await complete(model, context, completeOptions);
+  let response = await complete(model, context, completeOptions);
+  if (provider === "claude-code" && response.stopReason === "error" && response.errorMessage && (response.errorMessage.includes("401") || response.errorMessage.toLowerCase().includes("unauthorized"))) {
+    log.warn("Claude Code token rejected (401), refreshing credentials and retrying...");
+    const refreshedKey = refreshClaudeCodeApiKey();
+    if (refreshedKey) {
+      completeOptions.apiKey = refreshedKey;
+      response = await complete(model, context, completeOptions);
+    }
+  }
   if (isCocoon) {
     const textBlock = response.content.find((b) => b.type === "text");
     if (textBlock?.type === "text" && textBlock.text.includes("<tool_call>")) {

package/dist/{chunk-NERLQY2H.js → chunk-BGC2IUM5.js}

@@ -1,6 +1,3 @@
-import {
-  getCachedHttpEndpoint
-} from "./chunk-QUAPFI2N.js";
 import {
   COINGECKO_API_URL,
   tonapiFetch
@@ -25,10 +22,55 @@ import { mnemonicNew, mnemonicToPrivateKey, mnemonicValidate } from "@ton/crypto
 import { WalletContractV5R1, TonClient, fromNano } from "@ton/ton";
 import { readFileSync, writeFileSync, existsSync, mkdirSync } from "fs";
 import { join, dirname } from "path";
+
+// src/ton/endpoint.ts
+var ENDPOINT_CACHE_TTL_MS = 6e4;
+var ORBS_HOST = "ton.access.orbs.network";
+var ORBS_TOPOLOGY_URL = `https://${ORBS_HOST}/mngr/nodes?npm_version=2.3.3`;
+var TONCENTER_FALLBACK = `https://toncenter.com/api/v2/jsonRPC`;
+var _cache = null;
+async function discoverOrbsEndpoint() {
+  const res = await fetch(ORBS_TOPOLOGY_URL);
+  const nodes = await res.json();
+  const healthy = nodes.filter(
+    (n) => n.Healthy === "1" && n.Weight > 0 && n.Mngr?.health?.["v2-mainnet"]
+  );
+  if (healthy.length === 0) throw new Error("no healthy orbs nodes");
+  const totalWeight = healthy.reduce((sum, n) => sum + n.Weight, 0);
+  let r = Math.floor(Math.random() * totalWeight);
+  let chosen = healthy[0];
+  for (const node of healthy) {
+    r -= node.Weight;
+    if (r < 0) {
+      chosen = node;
+      break;
+    }
+  }
+  return `https://${ORBS_HOST}/${chosen.NodeId}/1/mainnet/toncenter-api-v2/jsonRPC`;
+}
+async function getCachedHttpEndpoint() {
+  if (_cache && Date.now() - _cache.ts < ENDPOINT_CACHE_TTL_MS) {
+    return _cache.url;
+  }
+  let url;
+  try {
+    url = await discoverOrbsEndpoint();
+  } catch {
+    url = TONCENTER_FALLBACK;
+  }
+  _cache = { url, ts: Date.now() };
+  return url;
+}
+function invalidateEndpointCache() {
+  _cache = null;
+}
+
+// src/ton/wallet-service.ts
 var log = createLogger("TON");
 var WALLET_FILE = join(TELETON_ROOT, "wallet.json");
 var _walletCache;
 var _keyPairCache = null;
+var _tonClientCache = null;
 async function generateWallet() {
   const mnemonic = await mnemonicNew(24);
   const keyPair = await mnemonicToPrivateKey(mnemonic);
@@ -100,6 +142,19 @@ function getWalletAddress() {
   const wallet = loadWallet();
   return wallet?.address || null;
 }
+async function getCachedTonClient() {
+  const endpoint = await getCachedHttpEndpoint();
+  if (_tonClientCache && _tonClientCache.endpoint === endpoint) {
+    return _tonClientCache.client;
+  }
+  const client = new TonClient({ endpoint });
+  _tonClientCache = { client, endpoint };
+  return client;
+}
+function invalidateTonClientCache() {
+  _tonClientCache = null;
+  invalidateEndpointCache();
+}
 async function getKeyPair() {
   if (_keyPairCache) return _keyPairCache;
   const wallet = loadWallet();
@@ -109,8 +164,7 @@ async function getKeyPair() {
 }
 async function getWalletBalance(address) {
   try {
-    const endpoint = await getCachedHttpEndpoint();
-    const client = new TonClient({ endpoint });
+    const client = await getCachedTonClient();
     const { Address } = await import("@ton/core");
     const addressObj = Address.parse(address);
     const balance = await client.getBalance(addressObj);
@@ -163,7 +217,7 @@ async function getTonPrice() {
 
 // src/config/schema.ts
 import { z } from "zod";
-var DMPolicy = z.enum(["pairing", "allowlist", "open", "disabled"]);
+var DMPolicy = z.enum(["allowlist", "open", "disabled"]);
 var GroupPolicy = z.enum(["open", "allowlist", "disabled"]);
 var SessionResetPolicySchema = z.object({
   daily_reset_enabled: z.boolean().default(true).describe("Enable daily session reset"),
@@ -174,6 +228,7 @@ var SessionResetPolicySchema = z.object({
 var AgentConfigSchema = z.object({
   provider: z.enum([
     "anthropic",
+    "claude-code",
     "openai",
     "google",
     "xai",
@@ -186,7 +241,7 @@ var AgentConfigSchema = z.object({
   ]).default("anthropic"),
   api_key: z.string().default(""),
   base_url: z.string().url().optional().describe("Base URL for local LLM server (e.g. http://localhost:11434/v1)"),
-  model: z.string().default("claude-opus-4-5-20251101"),
+  model: z.string().default("claude-opus-4-6"),
   utility_model: z.string().optional().describe("Cheap model for summarization (auto-detected if omitted)"),
   max_tokens: z.number().default(4096),
   temperature: z.number().default(0.7),
@@ -200,7 +255,7 @@ var TelegramConfigSchema = z.object({
   phone: z.string(),
   session_name: z.string().default("teleton_session"),
   session_path: z.string().default("~/.teleton"),
-  dm_policy: DMPolicy.default("pairing"),
+  dm_policy: DMPolicy.default("allowlist"),
   allow_from: z.array(z.number()).default([]),
   group_policy: GroupPolicy.default("open"),
   group_allow_from: z.array(z.number()).default([]),
@@ -220,7 +275,6 @@ var TelegramConfigSchema = z.object({
 });
 var StorageConfigSchema = z.object({
   sessions_file: z.string().default("~/.teleton/sessions.json"),
-  pairing_file: z.string().default("~/.teleton/pairing.json"),
   memory_file: z.string().default("~/.teleton/memory.json"),
   history_limit: z.number().default(100)
 });
@@ -233,7 +287,7 @@ var MetaConfigSchema = z.object({
 var _DealsObject = z.object({
   enabled: z.boolean().default(true),
   expiry_seconds: z.number().default(120),
-  buy_max_floor_percent: z.number().default(100),
+  buy_max_floor_percent: z.number().default(95),
   sell_min_floor_percent: z.number().default(105),
   poll_interval_ms: z.number().default(5e3),
   max_verification_retries: z.number().default(12),
@@ -327,13 +381,14 @@ function findPackageRoot() {
 }
 var TEMPLATES_DIR = join2(findPackageRoot(), "src", "templates");
 async function ensureWorkspace(config) {
+  const silent = config?.silent ?? false;
   if (!existsSync2(TELETON_ROOT)) {
     mkdirSync2(TELETON_ROOT, { recursive: true });
-    log2.info(`Created Teleton root at ${TELETON_ROOT}`);
+    if (!silent) log2.info(`Created Teleton root at ${TELETON_ROOT}`);
   }
   if (!existsSync2(WORKSPACE_ROOT)) {
     mkdirSync2(WORKSPACE_ROOT, { recursive: true });
-    log2.info(`Created workspace at ${WORKSPACE_ROOT}`);
+    if (!silent) log2.info(`Created workspace at ${WORKSPACE_ROOT}`);
   }
   const directories = [
     WORKSPACE_PATHS.MEMORY_DIR,
@@ -369,11 +424,11 @@ async function ensureWorkspace(config) {
     walletPath: join2(TELETON_ROOT, "wallet.json")
   };
   if (config?.ensureTemplates) {
-    await bootstrapTemplates(workspace);
+    await bootstrapTemplates(workspace, silent);
   }
   return workspace;
 }
-async function bootstrapTemplates(workspace) {
+async function bootstrapTemplates(workspace, silent = false) {
   const templates = [
     { name: "SOUL.md", path: workspace.soulPath },
     { name: "MEMORY.md", path: workspace.memoryPath },
@@ -387,7 +442,7 @@ async function bootstrapTemplates(workspace) {
       const templateSource = join2(TEMPLATES_DIR, template.name);
       if (existsSync2(templateSource)) {
         copyFileSync(templateSource, template.path);
-        log2.info(`Created ${template.name}`);
+        if (!silent) log2.info(`Created ${template.name}`);
       }
     }
   }
@@ -409,12 +464,15 @@ export {
   ensureWorkspace,
   isNewWorkspace,
   loadTemplate,
+  getCachedHttpEndpoint,
   generateWallet,
   saveWallet,
   loadWallet,
   walletExists,
   importWallet,
   getWalletAddress,
+  getCachedTonClient,
+  invalidateTonClientCache,
   getKeyPair,
   getWalletBalance,
   getTonPrice

package/dist/{chunk-FNV5FF35.js → chunk-EK7M5K26.js}

@@ -91,14 +91,22 @@ var AnthropicEmbeddingProvider = class {
 // src/memory/embeddings/local.ts
 import { pipeline, env } from "@huggingface/transformers";
 import { join } from "path";
+import { mkdirSync } from "fs";
 var log = createLogger("Memory");
-env.cacheDir = join(TELETON_ROOT, "models");
+var modelCacheDir = join(TELETON_ROOT, "models");
+try {
+  mkdirSync(modelCacheDir, { recursive: true });
+} catch {
+}
+env.cacheDir = modelCacheDir;
 var extractorPromise = null;
 function getExtractor(model) {
   if (!extractorPromise) {
-    log.info(`Loading local embedding model: ${model} (cache: ${env.cacheDir})`);
+    log.info(`Loading local embedding model: ${model} (cache: ${modelCacheDir})`);
     extractorPromise = pipeline("feature-extraction", model, {
-      dtype: "fp32"
+      dtype: "fp32",
+      // Explicit cache_dir to avoid any env race condition
+      cache_dir: modelCacheDir
     }).then((ext) => {
       log.info(`Local embedding model ready`);
       return ext;
@@ -121,21 +129,29 @@ var LocalEmbeddingProvider = class {
   }
   /**
    * Pre-download and load the model at startup.
-   * If loading fails, marks this provider as disabled (returns empty embeddings).
+   * If loading fails, retries once then marks provider as disabled (FTS5-only).
    * Call this once during app init — avoids retry spam on every message.
    * @returns true if model loaded successfully, false if fallback to noop
    */
   async warmup() {
-    try {
-      await getExtractor(this.model);
-      return true;
-    } catch (err) {
-      log.warn(
-        `Local embedding model unavailable \u2014 falling back to FTS5-only search (no vector embeddings)`
-      );
-      this._disabled = true;
-      return false;
+    for (let attempt = 1; attempt <= 2; attempt++) {
+      try {
+        await getExtractor(this.model);
+        return true;
+      } catch (err) {
+        if (attempt === 1) {
+          log.warn(`Embedding model load failed (attempt 1), retrying...`);
+          await new Promise((r) => setTimeout(r, 1e3));
+        } else {
+          log.warn(
+            `Local embedding model unavailable \u2014 falling back to FTS5-only search (no vector embeddings)`
+          );
+          this._disabled = true;
+          return false;
+        }
+      }
     }
+    return false;
   }
   async embedQuery(text) {
     if (this._disabled) return [];

package/dist/chunk-JQDLW7IE.js

@@ -0,0 +1,107 @@
+import {
+  createLogger
+} from "./chunk-RCMD3U65.js";
+
+// src/providers/claude-code-credentials.ts
+import { readFileSync, existsSync } from "fs";
+import { execSync } from "child_process";
+import { homedir } from "os";
+import { join } from "path";
+var log = createLogger("ClaudeCodeCreds");
+var cachedToken = null;
+var cachedExpiresAt = 0;
+function getClaudeConfigDir() {
+  return process.env.CLAUDE_CONFIG_DIR || join(homedir(), ".claude");
+}
+function getCredentialsFilePath() {
+  return join(getClaudeConfigDir(), ".credentials.json");
+}
+function readCredentialsFile() {
+  const filePath = getCredentialsFilePath();
+  if (!existsSync(filePath)) return null;
+  try {
+    const raw = readFileSync(filePath, "utf-8");
+    return JSON.parse(raw);
+  } catch (e) {
+    log.warn({ err: e, path: filePath }, "Failed to parse Claude Code credentials file");
+    return null;
+  }
+}
+function readKeychainCredentials() {
+  const serviceNames = ["Claude Code-credentials", "Claude Code"];
+  for (const service of serviceNames) {
+    try {
+      const raw = execSync(`security find-generic-password -s "${service}" -w`, {
+        encoding: "utf-8",
+        stdio: ["pipe", "pipe", "pipe"]
+      }).trim();
+      return JSON.parse(raw);
+    } catch {
+    }
+  }
+  return null;
+}
+function readCredentials() {
+  if (process.platform === "darwin") {
+    const keychainCreds = readKeychainCredentials();
+    if (keychainCreds) return keychainCreds;
+    log.debug("Keychain read failed, falling back to credentials file");
+  }
+  return readCredentialsFile();
+}
+function extractToken(creds) {
+  const oauth = creds.claudeAiOauth;
+  if (!oauth?.accessToken) {
+    log.warn("Claude Code credentials found but missing accessToken");
+    return null;
+  }
+  return {
+    token: oauth.accessToken,
+    expiresAt: oauth.expiresAt ?? 0
+  };
+}
+function getClaudeCodeApiKey(fallbackKey) {
+  if (cachedToken && Date.now() < cachedExpiresAt) {
+    return cachedToken;
+  }
+  const creds = readCredentials();
+  if (creds) {
+    const extracted = extractToken(creds);
+    if (extracted) {
+      cachedToken = extracted.token;
+      cachedExpiresAt = extracted.expiresAt;
+      log.debug("Claude Code credentials loaded successfully");
+      return cachedToken;
+    }
+  }
+  if (fallbackKey && fallbackKey.length > 0) {
+    log.warn("Claude Code credentials not found, using fallback api_key from config");
+    return fallbackKey;
+  }
+  throw new Error("No Claude Code credentials found. Run 'claude login' or set api_key in config.");
+}
+function refreshClaudeCodeApiKey() {
+  cachedToken = null;
+  cachedExpiresAt = 0;
+  const creds = readCredentials();
+  if (creds) {
+    const extracted = extractToken(creds);
+    if (extracted) {
+      cachedToken = extracted.token;
+      cachedExpiresAt = extracted.expiresAt;
+      log.info("Claude Code credentials refreshed from disk");
+      return cachedToken;
+    }
+  }
+  log.warn("Failed to refresh Claude Code credentials from disk");
+  return null;
+}
+function isClaudeCodeTokenValid() {
+  return cachedToken !== null && Date.now() < cachedExpiresAt;
+}
+
+export {
+  getClaudeCodeApiKey,
+  refreshClaudeCodeApiKey,
+  isClaudeCodeTokenValid
+};