ccs bar now spawns the web-server as a detached background process and
exits immediately instead of hosting it in the foreground, so closing the
terminal no longer takes the bar offline. Adds 'bar serve' (the long-lived
host), 'bar stop', and 'bar status', and records ~/.ccs/bar/launch.json at
install so the app can start the server without a shell PATH.
Refs #1526
Use version-aware CLIProxy Plus asset names so current
no-plugin releases install without breaking older fallback releases.
Tag latest-version caches with their GitHub repo and ignore
legacy or cross-repo cache entries.
Closes#1522
Some providers (e.g. Kimi, Anthropic-API mirrors) reject OpenAI-format
chat-completions requests and/or only accept requests from a recognized
coding-agent User-Agent (e.g. Claude Code, Roo Code, Kilo Code). The
OpenAI-compat proxy previously translated every profile's request to
OpenAI format and overwrote the User-Agent with a fixed sentinel,
which made these providers unreachable.
This change adds an opt-in Anthropic passthrough mode:
- New CCS_OPENAI_PROXY_PASSTHROUGH=1 env var on a profile opts it in.
- The base URL is auto-detected as Anthropic-style for known hosts
(api.kimi.com, api.minimax.com, api.anthropic.com) or any base URL
ending in /v1.
- In passthrough mode the proxy forwards the incoming Anthropic body
verbatim to the upstream /v1/messages endpoint, preserving the
original User-Agent (or x-stainless-user-agent) so coding-agent
provider checks pass.
- The Anthropic-format response is streamed back unchanged.
Adds:
- isAnthropicPassthroughProfile() + passthrough option on
resolveOpenAIChatCompletionsUrl/resolveOpenAIModelsUrl
- CCS_OPENAI_PROXY_PASSTHROUGH env var on OpenAICompatProfileConfig
- readRawBody() helper for the passthrough path
- Preserved User-Agent (or x-stainless-user-agent) on the upstream
request, falling back to CCS-OpenAI-Compat-Proxy/1.0
- Skip SSE response transformation in passthrough mode (upstream
already returns Anthropic-format bytes)
Tests:
- 9 new tests in upstream-url.test.ts covering auto-detection and the
passthrough URL contract
- 2 new tests in profile-router.test.ts covering the env var
Verified end-to-end against api.kimi.com: a request through the
modified proxy returned a real Kimi response (model kimi-k2p7-coding)
with the original claude-cli/2.1.170 User-Agent preserved.
- create-command: show the pool onboarding hint only after profile
creation fully succeeds; the pre-create placement burned the
once-per-install dismissal when creation failed or rolled back
- remote env (claude): skip the read-level stale-pin filter once the
migration marker exists - a post-migration pin is user-intentional
(e.g. an explicit --config pick equal to a historical default)
- unified-config loader: document that loadOrCreateUnifiedConfig never
writes to disk, so read paths on legacy installs stay side-effect free
Legacy profiles.json-only installs get pool guidance exclusively from
ccs doctor (once-per-install semantics); printing a migrate notice on
every account add nagged with no dismissal available. Also document why
type === 'account' profiles are Claude by schema in the onboarding
counter, so the filter is not misread as over-counting.
- pool --enable/--disable: refuse remote targets with manual config
guidance; resolve the lifecycle port instead of assuming 8317
- enablePoolRouting: roll back the pool flag when config regeneration
fails; already-enabled path re-runs regeneration (repairable state)
- pool opt-in prompt: gate on hasUnifiedConfig (legacy installs skip);
never auto-accept consent under --yes/CCS_YES
- order show (file mode): render selector pick order incl. residual
on-disk priorities and surface drift instead of alphabetical order
- order --reset: clear residual priority fields via management-API
PATCH when proxy runs, atomic direct write when stopped
- quota pool section: classify in-proxy 429 cooldowns as cooling with
reset times (graceful degradation when proxy or endpoint is absent);
honest paused label plus resume hint
- routing state: remote targets report pool as not manageable instead
of echoing the local flag; strategy/affinity apply warns when pool
routing overrides the change (CLI, API message, and dashboard)
- claude model-neutral: --config explicit pins survive the stale-pin
migration; remote env path filters historical default pins read from
claude.settings.json without mutating the file
- cross-lane guard: also checks account-profile CLAUDE_CONFIG_DIR lanes
for email overlap, not only the ambient ~/.claude login
- onboarding hint: opt-in copy naming ccs cliproxy pool --enable
- dashboard card: pool-ON shows drain-order pointer, pool-OFF shows the
enable command, local-only note for remote proxies (i18n x5)
- ccs cliproxy quota: per-provider Pool context section with routing
mode (pool on/off, strategy, affinity, effective retry cap), drain
order resolved exactly as the selector picks (incl. residual on-disk
priorities reordering display + drift warning), and per-account state
named distinctly: available / cooling-until-<time> / paused - these
produce different client errors so they read differently
- cooling visibility degrades honestly when pool cooling is disabled
(no cooldown data exists; renderer says so)
- dashboard routing card: pool badge + retry cap + drain-order hint in
compact and full variants via additive poolRouting state block
- no Bar summary fields, no per-session pin introspection (cut per
plan); policy_quota_unsupported semantics untouched
Part of #1464 account pools (phase 6).
- ccs doctor, native account launch, and ccs auth create now surface a
one-line pool suggestion when >=2 native Claude profiles exist and no
pool is enabled; shared once-per-install dismissal; TTY-gated; hint
failures can never break a launch (guarded, single config read)
- credential import from native profiles evaluated and REJECTED:
refresh tokens are client_id-bound and not replayable cross-client;
pool setup requires fresh OAuth per account (verdict report in plan)
Part of #1464 account pools (phase 5).
- ccs cliproxy accounts order <provider>: show effective drain order
exactly as the selector resolves it (priority bucket desc, then
file-name tie-break, Windows-only case folding to match upstream)
- --by-tier derives priorities from tier metadata where present;
claude pools state tier-unknown and fall back to file order
- --set for manual order; duplicate IDs rejected; priority always >= 1
- dual write path: management-API PATCH when proxy running (avoids
MarkResult persist clobber), atomic direct write when stopped
- drift warning when stored order no longer matches auth files;
usage-attribution stability covered by regression test
Part of #1464 account pools (phase 4).
- pool opt-in writes disable-cooling: false, routing.strategy fill-first,
session-affinity on (1h TTL), max-retry-credentials 3; all emissions
pool-gated so non-pool generated config stays content-identical
- cooling re-enable is safe on current CLIProxy binaries: the v5
disable-cooling workaround targeted upstream cooldown bugs fixed by
Apr 2026 (see plan archaeology report)
- informed-consent prompt at the 1->2 account-add transition enumerates
every provider with multiple accounts (instance-global effect) and is
gated per provider on spike-verified limit signals
- disablePoolRouting restores the non-pool config including
disable-cooling: true and prints single-account rollback guidance
- cross-lane guard warns when a pool account email is also active in a
native Claude profile (concurrency is the documented ban vector)
- routing strategy and affinity subcommands warn when pool routing
manages those keys
Part of #1464 account pools (phase 3).
- claude provider launch env no longer pins ANTHROPIC_MODEL/tier defaults;
one-shot migration strips CCS-written stale pins across all historically
shipped default generations while preserving explicit user pins
- TTY-gated once-per-install warning when a user profile named claude or
anthropic is shadowed by the built-in provider, with rename guidance
- account-safety ban messaging parameterized by provider; Anthropic
patterns gated to claude accounts only
- first-run notice that ccs claude routes through the local CLIProxy
instance
Part of #1464 account pools (phase 2).
'open -a' only activates a running app, so suggesting 'ccs bar' as an
alternative to quitting could not load the new binary. The hint now
says to quit from the menu bar first, then run 'ccs bar' to relaunch
the updated app.
The reinstall guard deleted the existing bundle before download, so a
transient download or extraction failure left no app on disk. The
archive now extracts into a hidden staging directory inside the
Applications folder; the old bundle is removed only after the new one
is verified in staging, then renamed into place. Every failure before
the swap leaves the previous install untouched, and staging is cleaned
up on all paths.
Three review/CI corrections to the install flow:
The compat handshake now runs before the quarantine-clear and launch
block. It is a server-side check unrelated to Gatekeeper, and the
previous ordering let a failed quarantine clear (always the case where
xattr is absent, e.g. Linux CI) skip the handshake entirely.
Reinstalls remove the existing bundle before extraction so the
post-extraction existence check actually proves the fresh bundle
landed; an unremovable bundle aborts install instead of extracting
over it.
Declining the launch prompt now prints the same run-ccs-bar hint as
the non-TTY path instead of ending silently. Install tests inject the
newer deps (clearQuarantine, isBarRunning, promptLaunch) everywhere
the defaults could touch host binaries, keeping results identical on
macOS and Linux runners.
A failed quarantine clear previously fell through to the launch
handoff, so a default-yes prompt (or --launch) opened the still
quarantined app straight into the Gatekeeper block. Install now ends
after printing the manual xattr guidance, with a hint to run 'ccs bar'
once quarantine is cleared; --launch does not override a failed clear.
Pin xattr and pgrep to absolute /usr/bin paths so quarantine clearing
and process detection cannot be hijacked through a caller-controlled
PATH. Gate the launch prompt on stdin being a TTY instead of stdout, so
piping install output through tee no longer silently skips the
handoff. Detect an already-running CCS Bar via pgrep before prompting:
a running instance gets a quit-and-reopen hint instead of a redundant
launch prompt, while --launch still proceeds explicitly.
'ccs bar install' previously ended with two manual steps: clearing the
Gatekeeper quarantine by hand and running 'ccs bar' separately.
Install now detects an existing installation and says so before
reinstalling, clears the quarantine attribute itself via execFile with
a graceful fallback to the printed hint when xattr fails, and ends with
a TTY-aware 'Launch CCS Bar now?' prompt (default yes) that hands off
to the existing launch flow. --launch forces the handoff and
--no-launch suppresses it for scripted installs; non-TTY runs skip the
prompt and print the manual command instead.
Closes#1504
Sequential probing of up to 10 loopback targets at 1.5s timeout each
could stall 'ccs bar' for ~15s when a non-CCS service occupied a
candidate port without answering. All probes now run concurrently and
the first success in priority order (bar.json port first, IPv4 before
IPv6 per port) is selected, bounding detection at roughly one probe
timeout.
'ccs config' starts the web-server on host 'localhost', which macOS
resolves to ::1, so a reuse probe limited to 127.0.0.1 missed the most
common already-running server and launch started a redundant second
instance. Each candidate port is now probed on 127.0.0.1 first and then
[::1]; an IPv6 hit writes the bracketed-literal baseUrl into bar.json,
which URLSession in the Swift app resolves correctly.
'ccs bar' always tried to start its own web-server. With a CCS server
already listening on 127.0.0.1:3000, get-port (probing the unspecified
address, which macOS allows to bind alongside a specific loopback
listener) reported 3000 as free, and the subsequent 127.0.0.1 bind
failed with EADDRINUSE, aborting launch.
Launch now probes candidate ports (bar.json port first, then the
default list) with a short-timeout GET /api/bar/summary and reuses the
first live CCS server it finds; only when none responds does it start a
new server. The get-port probe also passes host 127.0.0.1 so the
availability check matches the actual bind target. Probe failures are
treated as no-server-found and never break launch.
Closes#1500
The floating ccs-bar-latest release tag carries no version, so deriving the
app version from tag_name printed 'vccs-bar-latest' and pinned that literal
string. The version now comes from CFBundleShortVersionString in the
extracted bundle's Info.plist; an unreadable plist skips pinning and clears
any stale pin.
The post-install check compared app semver major against the CCS server
major, but the app is versioned independently of the CLI, so the mismatch
warning fired on every install. It is now a capability handshake against
GET /api/bar/summary: 200 confirms the server serves the bar API, 404 warns
the server predates CCS Bar, and anything else keeps the soft warning.
Install never hard-fails on the handshake.
Closes#1497
--help and -h are honored anywhere in the args so 'ccs bar install --help'
shows help instead of running the installer. Also wires the 'ccs help bar'
topic, shell-completion flag suggestions, and a more-help table entry.
defaultTailLines used Bun.spawn(['tail',...]), but the ccs server (and
'ccs bar launch') runs under node where Bun is undefined — it threw, the
per-path catch swallowed it, and Codex quota silently never appeared in real
deployments (it only worked under the bun-run dev harness). Replace with a
pure fs read: runtime- and OS-agnostic, no subprocess. Verified under node:
surfaces a live rollout's rate_limits (primary/secondary).
startServer was called without a host, defaulting to 'localhost' which
resolves to ::1 (IPv6) on macOS, while bar.json's baseUrl and the menu-bar
app use 127.0.0.1 — so the app could not reach its own server (connection
refused) and showed offline. Pass host 127.0.0.1 explicitly to match.
Gate /api/bar/* behind the localhost-when-auth-disabled guard (single DRY
choke point) so native quota/tier/cost can't leak on a non-loopback bind with
auth disabled; add a guard test. Delete the dishonest maxRedirections test that
asserted the opposite of the production redirect hardening. Key per-account
today-cost on the local day (matching analytics) instead of UTC. Stop the
inner 429 retry in the Claude usage fetch so the outer cache + circuit breaker
honor Retry-After. Narrow the usage-transformer map type and fix stale
doc-comments; clarify the one-alert-per-reset-window quota rule; gitignore the
local demo scaffolding.
Expose per-window detail (5h / weekly / Opus / Sonnet) on native subscription
rows instead of collapsing to a single percentage, so the bar can show the
binding window, resets, and a burn-rate pace line. Fix the Codex collector to
scan recent session rollouts newest-first for the latest non-null rate_limits
(today's exec-mode session is null) and mark the result stale with its source
time, so Codex quota appears instead of silently vanishing.
Surface the logged-in Claude Code and Codex subscription quota as first-class
summary rows so the existing gauge and alert engine render them with no new UI.
Claude Code: read the native token (~/.claude/.credentials.json, macOS Keychain
fallback) and reuse the existing Anthropic usage fetch+normalize via a new
token-fed entry point. The /oauth/usage endpoint is hostile to polling, so the
fetch is server-side only behind a 10-minute on-demand cache, in-flight
coalescing, Retry-After + exponential backoff with jitter, a 3-strike circuit
breaker with a 15-minute cooldown, and serve-stale-on-failure; logged-out or
unsupported subscriptions never spend a token call. Codex: zero-network read of
the latest rate_limits from local session rollouts, omitted when absent.
Native rows side-load bounded so a slow or failed fetch degrades to CLIProxy
rows, never an error.
monthToDate (calendar 1st-of-month to now, local) on BarAnalytics in both
compute paths, kept distinct from the rolling last30d so a fresh month resets
toward zero. Feeds the monthly-spend alert and the month-spend glance without
a rolling-window false breach.
Derive a tri-state quotaStatus (ok|unsupported|error) per account so a
provider with no quota API renders as 'no quota' with a healthy dot instead
of an alarming bare dash, and treat unsupported as healthy in deriveHealth.
Switch the analytics endpoint off the CLIProxy snapshot, which freezes
whenever the proxy restarts (usage is in-memory only), and onto the merged
daily/hourly usage the dashboard uses. Recent activity from Claude Code,
Codex, and Droid now shows, and a per-surface breakdown answers where usage
goes. Add lastActivityAt, daysSinceLastActivity, hasRecentData and a 30-day
series; per-account today_cost reads null (unknown) rather than a misleading 0.
Summary aggregator could block indefinitely: it ran the full system health
audit (a synchronous execSync) on every request and had no per-account or
request-level timeout. Now:
- per-account fetch is bounded; whole response is raced against a deadline
- health is derived per-account from each quota result (no blocking audit)
- stale-while-revalidate keeps the last value when a refresh is slow/fails
Adds GET /api/bar/analytics plus a pure, tested aggregator rolling up
today/7d/30d/all-time spend, a 7-day sparkline, and top models.
normalizeCliproxyUsageHistoryDetail passed calculateHistoryDetailCost (a
~6ms model-pricing lookup) as an eager default argument to
normalizePersistedNumber, so it ran for every record even when a persisted
cost was already present. A few thousand records turned into a multi-second
synchronous stall that wedged the bar summary aggregator and the dashboard
startup prewarm. Compute the fallback only when cost is actually missing.
Only managed-quota providers (agy/claude/codex/gemini/ghcp) enforce tier_lock;
validate the provider against that set so locking a non-managed provider returns
400 instead of persisting a silently-unenforced config entry.
Resolve the app path via os.homedir() in launch to match install/uninstall;
validate the host on every redirect hop (manual follow, not blind
maxRedirections); reject zip-slip entries before extracting into ~/Applications.
Drop the detail.source fallback and dead numeric-key lookup in the usage
transformer so unmapped auth_index rows go to the 'unknown' bucket instead of
mis-keying cost; null out today_cost when an email cost-key is shared by more
than one account (duplicate-email providers) instead of double-displaying the
combined spend.
Add ccs bar (install/launch/uninstall/version) and the ~/.ccs/bar.json
discovery handshake the app reads. install resolves a floating release asset,
follows redirects, validates the download host over HTTPS, checks status,
verifies the extracted app, and runs a real version-compat handshake against
/api/overview.
Make tier_lock a per-provider map and honor it in findHealthyAccount and
preflightCheck for the selected provider only, so locking one provider never
disables failover for others. Add POST /api/accounts/tier-lock with tier
validation against known tiers, and serialize quota_management on config write
so the lock persists.
Single endpoint merging per-account quota, tier, paused, health and today cost
for the menu bar. Cached by default; ?refresh=true invalidates the quota cache
and pulls live server-side, debounced ~15s. Per-account errors degrade one row
without failing the payload; force-fresh skips paused accounts and caps fetch
concurrency.
Carry the CLIProxy auth_index through the usage transformer and aggregator,
build an auth_index->account map from the auth files, and wire it into the
usage syncer so persisted snapshots stamp accountId. Adds getTodayCostByAccount
and a snapshot detail reader. Backward-compatible: accountId is optional and
profile-based aggregation is unchanged.
Final review polish:
- Add an inline comment on the claude-opus-4-7-thinking registry entry
explaining it is a pricing-only id kept for historical analytics data
(no catalog model after Opus 4.7 moved to adaptive thinking levels),
and why it carries no fast tier.
- Add a test asserting applyServiceTier preserves the serviceTiers map on
its result, guarding against a future simplification dropping it.
Built [OnSteroids](https://onsteroids.ai)
Address presto review on the fast-tier work:
- Move the claude-opus-4-8 entry after claude-opus-4-7-thinking so the
registry keeps chronological 4.6 -> 4.7 -> 4.8 ordering (the 4.8 insert
had split the 4-7 / 4-7-thinking pair).
- Drop the fast serviceTier from claude-opus-4-7-thinking: that id is a
legacy pricing-only entry with no catalog model, so a fast premium on it
is meaningless. The active 4.6-thinking variant (agy provider) keeps its
fast tier.
- Extend the 4.7 fast-tier test with cache-rate assertions and add an
equivalent 4.6 fast-tier test so the derived buildRates math is covered
for every premium-tier model.
Built [OnSteroids](https://onsteroids.ai)