Commit Graph
1031 Commits
Author SHA1 Message Date
Kai (Tam Nhu) TranandGitHub 65c2964050 Merge pull request #1519 from itzrnvr/fix/openai-compat-preserve-user-agent
fix(proxy): add Anthropic passthrough mode for coding-agent-only endpoints
2026-06-14 11:22:39 -04:00
Tam Nhu Tran bb9d23ad6a fix(proxy): route Anthropic passthrough by upstream profile 2026-06-14 11:19:58 -04:00
Sanskar Singh b98b0df084 fix(proxy): add Anthropic passthrough mode for coding-agent-only endpoints
Some providers (e.g. Kimi, Anthropic-API mirrors) reject OpenAI-format
chat-completions requests and/or only accept requests from a recognized
coding-agent User-Agent (e.g. Claude Code, Roo Code, Kilo Code). The
OpenAI-compat proxy previously translated every profile's request to
OpenAI format and overwrote the User-Agent with a fixed sentinel,
which made these providers unreachable.

This change adds an opt-in Anthropic passthrough mode:

- New CCS_OPENAI_PROXY_PASSTHROUGH=1 env var on a profile opts it in.
- The base URL is auto-detected as Anthropic-style for known hosts
  (api.kimi.com, api.minimax.com, api.anthropic.com) or any base URL
  ending in /v1.
- In passthrough mode the proxy forwards the incoming Anthropic body
  verbatim to the upstream /v1/messages endpoint, preserving the
  original User-Agent (or x-stainless-user-agent) so coding-agent
  provider checks pass.
- The Anthropic-format response is streamed back unchanged.

Adds:
- isAnthropicPassthroughProfile() + passthrough option on
  resolveOpenAIChatCompletionsUrl/resolveOpenAIModelsUrl
- CCS_OPENAI_PROXY_PASSTHROUGH env var on OpenAICompatProfileConfig
- readRawBody() helper for the passthrough path
- Preserved User-Agent (or x-stainless-user-agent) on the upstream
  request, falling back to CCS-OpenAI-Compat-Proxy/1.0
- Skip SSE response transformation in passthrough mode (upstream
  already returns Anthropic-format bytes)

Tests:
- 9 new tests in upstream-url.test.ts covering auto-detection and the
  passthrough URL contract
- 2 new tests in profile-router.test.ts covering the env var

Verified end-to-end against api.kimi.com: a request through the
modified proxy returned a real Kimi response (model kimi-k2p7-coding)
with the original claude-cli/2.1.170 User-Agent preserved.
2026-06-13 01:39:49 +05:30
Tam Nhu Tran 22d4c72717 test(ci): allow temporary epic branch in PR trigger assertion
The ci-workflow meta-test pinned the literal branch list [main, dev];
the account-pools epic adds its integration branch to pull_request
triggers so phase PRs get full CI. Assert main+dev coverage via
pattern instead of exact list.
2026-06-11 00:18:00 -04:00
Tam Nhu Tran 3aab14ca85 fix(bar): correct the already-running reinstall hint
'open -a' only activates a running app, so suggesting 'ccs bar' as an
alternative to quitting could not load the new binary. The hint now
says to quit from the menu bar first, then run 'ccs bar' to relaunch
the updated app.
2026-06-10 15:25:55 -04:00
Tam Nhu Tran cf3bd8a5ef fix(bar): stage downloads and swap so reinstall never strands the user
The reinstall guard deleted the existing bundle before download, so a
transient download or extraction failure left no app on disk. The
archive now extracts into a hidden staging directory inside the
Applications folder; the old bundle is removed only after the new one
is verified in staging, then renamed into place. Every failure before
the swap leaves the previous install untouched, and staging is cleaned
up on all paths.
2026-06-10 14:09:28 -04:00
Tam Nhu Tran f68c08ede3 fix(bar): verify server compat before Gatekeeper steps and harden reinstall
Three review/CI corrections to the install flow:

The compat handshake now runs before the quarantine-clear and launch
block. It is a server-side check unrelated to Gatekeeper, and the
previous ordering let a failed quarantine clear (always the case where
xattr is absent, e.g. Linux CI) skip the handshake entirely.

Reinstalls remove the existing bundle before extraction so the
post-extraction existence check actually proves the fresh bundle
landed; an unremovable bundle aborts install instead of extracting
over it.

Declining the launch prompt now prints the same run-ccs-bar hint as
the non-TTY path instead of ending silently. Install tests inject the
newer deps (clearQuarantine, isBarRunning, promptLaunch) everywhere
the defaults could touch host binaries, keeping results identical on
macOS and Linux runners.
2026-06-10 13:59:08 -04:00
Tam Nhu Tran 015cc4dd32 fix(bar): stop install at the manual step when quarantine clearing fails
A failed quarantine clear previously fell through to the launch
handoff, so a default-yes prompt (or --launch) opened the still
quarantined app straight into the Gatekeeper block. Install now ends
after printing the manual xattr guidance, with a hint to run 'ccs bar'
once quarantine is cleared; --launch does not override a failed clear.
2026-06-10 13:42:52 -04:00
Tam Nhu Tran dfc8b7d1dc fix(bar): harden install handoff per review
Pin xattr and pgrep to absolute /usr/bin paths so quarantine clearing
and process detection cannot be hijacked through a caller-controlled
PATH. Gate the launch prompt on stdin being a TTY instead of stdout, so
piping install output through tee no longer silently skips the
handoff. Detect an already-running CCS Bar via pgrep before prompting:
a running instance gets a quit-and-reopen hint instead of a redundant
launch prompt, while --launch still proceeds explicitly.
2026-06-10 13:36:35 -04:00
Tam Nhu Tran 4eef3f77a4 feat(bar): one-flow install with quarantine automation and launch handoff
'ccs bar install' previously ended with two manual steps: clearing the
Gatekeeper quarantine by hand and running 'ccs bar' separately.

Install now detects an existing installation and says so before
reinstalling, clears the quarantine attribute itself via execFile with
a graceful fallback to the printed hint when xattr fails, and ends with
a TTY-aware 'Launch CCS Bar now?' prompt (default yes) that hands off
to the existing launch flow. --launch forces the handoff and
--no-launch suppresses it for scripted installs; non-TTY runs skip the
prompt and print the manual command instead.

Closes #1504
2026-06-10 13:25:07 -04:00
Kai (Tam Nhu) TranandGitHub f743677d5d Merge pull request #1501 from kaitranntt/kai/fix/1500-bar-launch-reuse
fix(bar): reuse a running CCS web-server instead of failing to bind
2026-06-10 13:17:18 -04:00
SergeyandGitHub 298c89f2c3 feat(catalog): add Claude Fable 5 to Anthropic model registry 2026-06-10 13:03:38 -04:00
walker1211andGitHub cf90f48240 fix(mcp): retry Claude user config locks 2026-06-10 13:03:25 -04:00
Tam Nhu Tran 2fd90fff9b perf(bar): probe reuse candidates concurrently to avoid launch stalls
Sequential probing of up to 10 loopback targets at 1.5s timeout each
could stall 'ccs bar' for ~15s when a non-CCS service occupied a
candidate port without answering. All probes now run concurrently and
the first success in priority order (bar.json port first, IPv4 before
IPv6 per port) is selected, bounding detection at roughly one probe
timeout.
2026-06-10 12:57:39 -04:00
Tam Nhu Tran 3569297b6d fix(bar): probe IPv6 loopback when detecting a running CCS server
'ccs config' starts the web-server on host 'localhost', which macOS
resolves to ::1, so a reuse probe limited to 127.0.0.1 missed the most
common already-running server and launch started a redundant second
instance. Each candidate port is now probed on 127.0.0.1 first and then
[::1]; an IPv6 hit writes the bracketed-literal baseUrl into bar.json,
which URLSession in the Swift app resolves correctly.
2026-06-10 12:04:10 -04:00
Tam Nhu Tran af1a2a0f5d fix(bar): reuse a running CCS web-server and probe ports on the bind host
'ccs bar' always tried to start its own web-server. With a CCS server
already listening on 127.0.0.1:3000, get-port (probing the unspecified
address, which macOS allows to bind alongside a specific loopback
listener) reported 3000 as free, and the subsequent 127.0.0.1 bind
failed with EADDRINUSE, aborting launch.

Launch now probes candidate ports (bar.json port first, then the
default list) with a short-timeout GET /api/bar/summary and reuses the
first live CCS server it finds; only when none responds does it start a
new server. The get-port probe also passes host 127.0.0.1 so the
availability check matches the actual bind target. Probe failures are
treated as no-server-found and never break launch.

Closes #1500
2026-06-10 11:09:41 -04:00
Tam Nhu Tran c572d9f860 fix(bar): read app version from Info.plist and verify bar API instead of version majors
The floating ccs-bar-latest release tag carries no version, so deriving the
app version from tag_name printed 'vccs-bar-latest' and pinned that literal
string. The version now comes from CFBundleShortVersionString in the
extracted bundle's Info.plist; an unreadable plist skips pinning and clears
any stale pin.

The post-install check compared app semver major against the CCS server
major, but the app is versioned independently of the CLI, so the mismatch
warning fired on every install. It is now a capability handshake against
GET /api/bar/summary: 200 confirms the server serves the bar API, 404 warns
the server predates CCS Bar, and anything else keeps the soft warning.
Install never hard-fails on the handshake.

Closes #1497
2026-06-10 00:11:29 -04:00
Tam Nhu Tran ad9bdd5794 fix(test): restore real account modules in tier-lock to fully stop mock leak
The prior fix only corrected PROVIDERS_WITHOUT_EMAIL, but the mock still stubbed
validateNickname -> null, hasAccountNameConflict -> false, and registry paths -> '',
which leak to cliproxy-auth-routes (same bun worker) and broke nickname validation
+ registry ops (9 CI failures). Now every mock factory spreads the REAL
account-manager and overrides only the account-DATA reads + IO; afterAll restores
the real account-manager/account-safety modules. tier-lock 8/0, combined ordering
39/0, tsc clean.
2026-06-09 21:25:21 -04:00
Tam Nhu Tran 0770b89037 fix(test): stop tier-lock mock.module leaking an empty PROVIDERS_WITHOUT_EMAIL
bun's mock.module is global and sticky; this test mocked account-manager with
PROVIDERS_WITHOUT_EMAIL: [] at top level and in beforeEach, poisoning the module
registry for later files in the same bun worker. cliproxy-auth-routes imports
PROVIDERS_WITHOUT_EMAIL at load time, got [], and getStartAuthNicknameError's
guard returned null for all providers -> 9 flaky CI failures (ordering-dependent).
Use the real ['kiro','ghcp'] in every mock factory and re-register safe defaults
in afterAll. Verified: worst-case ordering 39/39, full fast bucket 2500/0.
2026-06-09 21:11:10 -04:00
Tam Nhu Tran 7d3a11a452 fix(bar): resolve pre-dev review findings (security gate, honesty, correctness)
Gate /api/bar/* behind the localhost-when-auth-disabled guard (single DRY
choke point) so native quota/tier/cost can't leak on a non-loopback bind with
auth disabled; add a guard test. Delete the dishonest maxRedirections test that
asserted the opposite of the production redirect hardening. Key per-account
today-cost on the local day (matching analytics) instead of UTC. Stop the
inner 429 retry in the Claude usage fetch so the outer cache + circuit breaker
honor Retry-After. Narrow the usage-transformer map type and fix stale
doc-comments; clarify the one-alert-per-reset-window quota rule; gitignore the
local demo scaffolding.
2026-06-09 18:04:31 -04:00
Tam Nhu Tran e96967c224 feat(bar): per-window subscription quota detail + codex multi-session scan
Expose per-window detail (5h / weekly / Opus / Sonnet) on native subscription
rows instead of collapsing to a single percentage, so the bar can show the
binding window, resets, and a burn-rate pace line. Fix the Codex collector to
scan recent session rollouts newest-first for the latest non-null rate_limits
(today's exec-mode session is null) and mark the result stale with its source
time, so Codex quota appears instead of silently vanishing.
2026-06-09 14:39:41 -04:00
Tam Nhu Tran dbeb0c543a feat(bar): native Claude Code + Codex subscription quota (safe, server-side)
Surface the logged-in Claude Code and Codex subscription quota as first-class
summary rows so the existing gauge and alert engine render them with no new UI.

Claude Code: read the native token (~/.claude/.credentials.json, macOS Keychain
fallback) and reuse the existing Anthropic usage fetch+normalize via a new
token-fed entry point. The /oauth/usage endpoint is hostile to polling, so the
fetch is server-side only behind a 10-minute on-demand cache, in-flight
coalescing, Retry-After + exponential backoff with jitter, a 3-strike circuit
breaker with a 15-minute cooldown, and serve-stale-on-failure; logged-out or
unsupported subscriptions never spend a token call. Codex: zero-network read of
the latest rate_limits from local session rollouts, omitted when absent.
Native rows side-load bounded so a slow or failed fetch degrades to CLIProxy
rows, never an error.
2026-06-09 13:37:38 -04:00
Tam Nhu Tran 68f0231f48 feat(bar): add calendar month-to-date spend to analytics
monthToDate (calendar 1st-of-month to now, local) on BarAnalytics in both
compute paths, kept distinct from the rolling last30d so a fresh month resets
toward zero. Feeds the monthly-spend alert and the month-spend glance without
a rolling-window false breach.
2026-06-09 13:03:25 -04:00
Tam Nhu Tran 5f850c4899 feat(bar): honest quota state and merged multi-source analytics
Derive a tri-state quotaStatus (ok|unsupported|error) per account so a
provider with no quota API renders as 'no quota' with a healthy dot instead
of an alarming bare dash, and treat unsupported as healthy in deriveHealth.

Switch the analytics endpoint off the CLIProxy snapshot, which freezes
whenever the proxy restarts (usage is in-memory only), and onto the merged
daily/hourly usage the dashboard uses. Recent activity from Claude Code,
Codex, and Droid now shows, and a per-surface breakdown answers where usage
goes. Add lastActivityAt, daysSinceLastActivity, hasRecentData and a 30-day
series; per-account today_cost reads null (unknown) rather than a misleading 0.
2026-06-09 11:49:36 -04:00
Tam Nhu Tran 78f9fc7c0b feat(bar): harden summary against provider hangs and add analytics endpoint
Summary aggregator could block indefinitely: it ran the full system health
audit (a synchronous execSync) on every request and had no per-account or
request-level timeout. Now:
- per-account fetch is bounded; whole response is raced against a deadline
- health is derived per-account from each quota result (no blocking audit)
- stale-while-revalidate keeps the last value when a refresh is slow/fails

Adds GET /api/bar/analytics plus a pure, tested aggregator rolling up
today/7d/30d/all-time spend, a 7-day sparkline, and top models.
2026-06-08 09:31:18 -04:00
Tam Nhu Tran b9a1084bd4 fix(quota): reject tier-lock for non-managed providers
Only managed-quota providers (agy/claude/codex/gemini/ghcp) enforce tier_lock;
validate the provider against that set so locking a non-managed provider returns
400 instead of persisting a silently-unenforced config entry.
2026-06-07 16:38:18 -04:00
Tam Nhu Tran 63d10cb2d0 fix(cli): harden ccs bar install + align launch path
Resolve the app path via os.homedir() in launch to match install/uninstall;
validate the host on every redirect hop (manual follow, not blind
maxRedirections); reject zip-slip entries before extracting into ~/Applications.
2026-06-07 16:38:08 -04:00
Tam Nhu Tran cc7ac553e3 fix(usage): correct per-account cost attribution
Drop the detail.source fallback and dead numeric-key lookup in the usage
transformer so unmapped auth_index rows go to the 'unknown' bucket instead of
mis-keying cost; null out today_cost when an email cost-key is shared by more
than one account (duplicate-email providers) instead of double-displaying the
combined spend.
2026-06-07 16:37:59 -04:00
Tam Nhu Tran 205c2f3cd6 feat(cli): add ccs bar command for the macOS menu bar app
Add ccs bar (install/launch/uninstall/version) and the ~/.ccs/bar.json
discovery handshake the app reads. install resolves a floating release asset,
follows redirects, validates the download host over HTTPS, checks status,
verifies the extracted app, and runs a real version-compat handshake against
/api/overview.
2026-06-07 15:32:51 -04:00
Tam Nhu Tran 40f32ebbf0 feat(quota): add per-provider tier-lock account selection
Make tier_lock a per-provider map and honor it in findHealthyAccount and
preflightCheck for the selected provider only, so locking one provider never
disables failover for others. Add POST /api/accounts/tier-lock with tier
validation against known tiers, and serialize quota_management on config write
so the lock persists.
2026-06-07 15:32:40 -04:00
Tam Nhu Tran 6d3fde9ed3 feat(web-server): add /api/bar/summary aggregator with force-fresh
Single endpoint merging per-account quota, tier, paused, health and today cost
for the menu bar. Cached by default; ?refresh=true invalidates the quota cache
and pulls live server-side, debounced ~15s. Per-account errors degrade one row
without failing the payload; force-fresh skips paused accounts and caps fetch
concurrency.
2026-06-07 15:32:29 -04:00
Tam Nhu Tran 1867116472 feat(usage): attribute CLIProxy usage to accounts for per-account cost
Carry the CLIProxy auth_index through the usage transformer and aggregator,
build an auth_index->account map from the auth files, and wire it into the
usage syncer so persisted snapshots stamp accountId. Adds getTodayCostByAccount
and a snapshot detail reader. Backward-compatible: accountId is optional and
profile-based aggregation is unchanged.
2026-06-07 15:32:19 -04:00
Tam Nhu Tran 8282ff68a1 fix(proxy): support opt-in OpenAI reasoning shaping 2026-06-03 11:08:41 -04:00
Sergey Galuza 1fc595f10c docs(pricing): document legacy 4-7-thinking entry; cover tier metadata
Final review polish:

- Add an inline comment on the claude-opus-4-7-thinking registry entry
  explaining it is a pricing-only id kept for historical analytics data
  (no catalog model after Opus 4.7 moved to adaptive thinking levels),
  and why it carries no fast tier.
- Add a test asserting applyServiceTier preserves the serviceTiers map on
  its result, guarding against a future simplification dropping it.

Built [OnSteroids](https://onsteroids.ai)
2026-05-31 20:23:14 +02:00
Sergey Galuza 5a79b47506 fix(pricing): restore opus version order; cover 4.6/4.7 fast-tier rates
Address presto review on the fast-tier work:

- Move the claude-opus-4-8 entry after claude-opus-4-7-thinking so the
  registry keeps chronological 4.6 -> 4.7 -> 4.8 ordering (the 4.8 insert
  had split the 4-7 / 4-7-thinking pair).
- Drop the fast serviceTier from claude-opus-4-7-thinking: that id is a
  legacy pricing-only entry with no catalog model, so a fast premium on it
  is meaningless. The active 4.6-thinking variant (agy provider) keeps its
  fast tier.
- Extend the 4.7 fast-tier test with cache-rate assertions and add an
  equivalent 4.6 fast-tier test so the derived buildRates math is covered
  for every premium-tier model.

Built [OnSteroids](https://onsteroids.ai)
2026-05-31 18:52:54 +02:00
Sergey Galuza 254fc88f71 refactor(pricing): derive fast-tier cache rates via buildRates helper
Address review feedback on the per-service-tier pricing:

- Extract `buildRates(input, output)` plus named CACHE_5M_WRITE_MULTIPLIER
  / CACHE_READ_MULTIPLIER constants so fast-tier cache rates are derived
  from Anthropic's documented multipliers instead of hand-computed numbers.
  This removes the inconsistency where Opus 4.6 fast-tier lacked the
  explanatory inline comments that 4.7/4.8 carried (presto suggestion #3).
- Document in `applyServiceTier` that no production caller passes
  `serviceTier` yet (Anthropic's service_tier is not captured on
  CliproxyRequestDetail), so fast-mode usage is currently billed at the
  standard rate until the usage pipeline records the tier.
- Add a combined date-suffix + fast-tier lookup test to prove the two
  resolution stages compose.

Built [OnSteroids](https://onsteroids.ai)
2026-05-31 10:34:50 +02:00
Sergey Galuza c74ad22bd4 Merge remote-tracking branch 'upstream/dev' into feat/claude-opus-4-8 2026-05-30 22:31:55 +02:00
Sergey Galuza 878775f5b6 feat(pricing): support per-service-tier rates; wire Opus fast mode
Extend `ModelPricing` with an optional `serviceTiers` map keyed by
Anthropic's `service_tier` request parameter. `getModelPricing(model,
{ serviceTier })` returns the matching tier rates when present and
transparently falls through to base rates otherwise — existing call
sites keep current behavior.

Registry entries added (per Anthropic Fast mode pricing docs):
- claude-opus-4-8 fast: $10/$50 input/output (2x premium)
- claude-opus-4-7 fast: $30/$150 (6x premium)
- claude-opus-4-6 fast: $30/$150 (6x premium)

Cache rates derived from the documented Prompt caching multipliers
(1.25x for 5-min cache write, 0.1x for cache read).

Note: tier tracking through CliproxyRequestDetail is not wired yet —
that's a follow-up so usage transformers can pass `serviceTier` when
Anthropic returns it on the response. Schema is in place; integration
can land independently.

Also adds a defensive `claude-opus-4-8-20260530` pricing test to exercise
`stripDateSuffix` even though Anthropic no longer issues date-stamped IDs
for the 4.6+ generation (addresses presto-review suggestion #1).

Built [OnSteroids](https://onsteroids.ai)
2026-05-30 22:17:21 +02:00
Tam Nhu Tran ced9317565 Merge remote-tracking branch 'origin/dev' into codex/fix-cliproxy-v3-snapshot-migration-issue
# Conflicts:
#	src/web-server/usage/cliproxy-usage-transformer.ts
#	tests/unit/web-server/cliproxy-usage-transformer.test.ts
2026-05-30 16:13:49 -04:00
Kai (Tam Nhu) TranandGitHub dce968fdf7 Merge pull request #1425 from kaitranntt/codex/fix-unvalidated-codex-quota-labels
fix(cliproxy): sanitize Codex quota labels
2026-05-30 16:12:22 -04:00
Kai (Tam Nhu) TranandGitHub e2d487883f Merge pull request #1430 from kaitranntt/codex/fix-vulnerability-in-shell-completion-scripts
fix: avoid relative completion backend execution
2026-05-30 16:12:15 -04:00
Kai (Tam Nhu) TranandGitHub e7db1d65f5 Merge pull request #1452 from kaitranntt/codex/propose-fix-for-codex-target-rejection
Mark Codex as a persisted target and align UI/validation
2026-05-30 16:12:03 -04:00
Kai (Tam Nhu) TranandGitHub 5ca9b7b1e2 Merge pull request #1448 from kaitranntt/codex/fix-browser-page-open/close-handlers
fix(browser): handle DevTools close endpoint response
2026-05-30 16:09:17 -04:00
Kai (Tam Nhu) TranandGitHub d028329d2c Merge pull request #1426 from kaitranntt/codex/fix-cliproxy-usage-cache-vulnerability
fix(cliproxy): avoid persisting account identifiers and harden usage cache permissions
2026-05-30 16:08:26 -04:00
Kai (Tam Nhu) TranandGitHub bbb717ff2f Merge pull request #1441 from kaitranntt/codex/propose-fix-for-provider-alias-crash
fix: harden provider alias normalization
2026-05-30 16:07:28 -04:00
Kai (Tam Nhu) TranandGitHub 1d1b9fbe6d Merge pull request #1443 from kaitranntt/codex/fix-ccsxp-codex-config-check
fix(codex): gate ccsxp config overrides
2026-05-30 16:07:21 -04:00
Kai (Tam Nhu) TranandGitHub 41e550e92f Merge pull request #1428 from kaitranntt/codex/propose-fix-for-symlinked-cleanup-issue
fix: reject symlinked cleanup directories
2026-05-30 16:05:05 -04:00
Kai (Tam Nhu) TranandGitHub 43046f3047 Merge pull request #1455 from kaitranntt/codex/propose-fix-for-overbroad-issue-parsing
fix(ci): narrow issue reference parsing
2026-05-30 16:04:57 -04:00
Kai (Tam Nhu) TranandGitHub 5ac0e808b4 Merge pull request #1432 from kaitranntt/codex/fix-ccsxp-argument-parsing-bug
fix: stop ccsxp model alias parsing at option terminator
2026-05-30 16:01:55 -04:00
Kai (Tam Nhu) TranandGitHub ee50c0c59a Merge pull request #1422 from kaitranntt/codex/fix-codex-usage-cache-permissions
fix: restrict Codex usage cache permissions
2026-05-30 16:01:00 -04:00