- Fixed malformed url_for() calls with extra quotes in providers.html
- Corrected uploadCodexFile function JavaScript syntax
- Fixed remaining hardcoded OAuth2 URLs
- All JavaScript template syntax errors resolved
- Updated version in setup.py, pyproject.toml, aisbf/__init__.py, and PYPI.md
- Added changelog entry for 0.99.5

- Fixed malformed url_for() calls in uploadCodexFile function (extra quotes)
- Fixed hardcoded /dashboard/claude/auth/complete URL to use url_for()
- All JavaScript syntax errors resolved for proper template rendering

- Fixed OAuth2 authentication endpoints not respecting reverse proxy subpaths
- Updated all OAuth2 JavaScript fetch calls to use url_for() instead of hardcoded /dashboard/ paths
- Fixed Claude, Kilo, Codex, and Qwen OAuth2 authentication flows for reverse proxy deployments
- Fixed file upload endpoints, rate limits data endpoint, user management endpoints, and autoselect save endpoint
- OAuth2 authentication buttons now work correctly behind nginx reverse proxy with /aisbf/ location
- Updated version in setup.py, pyproject.toml, aisbf/__init__.py, and PYPI.md
- Added changelog entry for 0.99.4

- Fixed malformed Jinja2 template syntax in user_providers.html causing download link issues
- Corrected URL generation for authentication file download links
- Fixed extension download link in providers.html template
- All template syntax errors resolved for proper dashboard rendering
- Updated version in setup.py, pyproject.toml, aisbf/__init__.py, and PYPI.md
- Added changelog entry for 0.99.3

- Fixed Jinja2 template syntax errors in dashboard templates
- Updated version in pyproject.toml, setup.py, and aisbf/__init__.py
- Updated PYPI.md and CHANGELOG.md with new version

- Corrected nested template tags in dashboard templates
- All fetch() calls and URL generations now use proper url_for syntax
- Templates should render correctly now

- Fix login redirect after authentication not respecting proxy subpaths
- Modified url_for function to return relative URLs when behind reverse proxy
- Updated login form action and template URLs to use url_for
- Fixed JavaScript fetch calls in providers and rotations templates
- Bumped version to 0.99.1 in all configuration files
- Updated CHANGELOG.md and PYPI.md with new version

- Implemented complete OAuth2 Device Authorization Grant with PKCE (S256)
- Added aisbf/auth/qwen.py for OAuth2 authentication
- Added aisbf/providers/qwen.py for OpenAI-compatible DashScope API
- Cross-process token synchronization with file locking
- Automatic token refresh with 30-second expiry buffer
- Optional API key mode (bypass OAuth2)
- Dashboard integration ready
- Free tier: 1,000 requests/day, 60 requests/minute
- Available models: qwen-plus, qwen-turbo, qwen-max, coder-model
- Updated documentation in AI.PROMPT, README.md, and CHANGELOG.md
- Version bumped to 0.99.0

v0.9.9: User-based configuration routing for providers, rotations, autoselects, and OAuth2 credentials

- Config admin (from aisbf.json, user_id=None) saves configurations to JSON files
- Database users save configurations to the database (user_providers, user_rotations, user_autoselects tables)
- Dashboard endpoints check user type and route accordingly
- File upload endpoint supports both config admin (files) and database users (database)
- MCP server tools accept user_id parameter and route to appropriate storage
- OAuth2 credential handling already implemented this pattern (Claude, Kilo, Codex)
- Updated CHANGELOG.md, setup.py, and pyproject.toml

- Added find_config_file() to check config locations in correct order
- Added get_host() to read server.host from config (defaults to 127.0.0.1)
- Fixed get_port() to read from server.port instead of top-level port
- Updated start_server() and start_daemon() to use config-based host
- Updated CHANGELOG.md with the fix

- Changed authenticate_with_device_flow() to request_device_code_flow() + poll_device_code_completion()
- /dashboard/codex/auth/start now returns immediately with verification URI and user code
- /dashboard/codex/auth/poll checks for completion status
- Fixed poll_device_code_token to raise exception for 403/404 (pending state)
- Dashboard JavaScript opens popup window with verification URI immediately

- New codex provider type using OpenAI-compatible protocol
- OAuth2 authentication via Device Authorization Grant flow
- Provider handler in aisbf/providers/codex.py
- OAuth2 handler in aisbf/auth/codex.py
- Dashboard integration with authentication UI
- Token refresh with automatic retry
- API key exchange from ID token
- Updated version to 0.9.8 in setup.py and pyproject.toml
- Updated CHANGELOG.md, README.md, PYPI.md with Codex documentation
- Added codex provider configuration to config/providers.json

- Trigger: Press ArrowUp, ArrowDown, ArrowUp in sequence within 10 seconds
- Opens a Snake game in a popup window
- Classic Snake gameplay with difficulty selection
- Retro arcade-style with Press Start 2P font

- Fixed ImportError: count_messages_tokens missing by correcting setup.py data_files structure
- Split data_files into separate entries to preserve subdirectory structure (aisbf/, aisbf/providers/, aisbf/providers/kiro/, aisbf/auth/)
- Added 6 missing dashboard templates (user_index.html, user_providers.html, etc.)
- Removed install_requires from setup.py (dependencies managed via venv)
- Updated aisbf.sh to only install requirements on first venv creation
- Added Kiro-cli and Kilocode OAuth2 provider support documentation
- Removed duplicate entries in documentation (Token Usage Analytics, Claude OAuth2)
- Provider module refactoring documentation updates
- Version bumped to 0.9.4

- Updated README.md with comprehensive documentation for new features:
  * User-Specific API Endpoints with Bearer token authentication
  * Adaptive Rate Limiting with learning from 429 responses
  * Model Metadata Extraction with automatic pricing/rate limit detection
  * Enhanced Analytics Filtering by provider/model/rotation
  * Updated Web Dashboard feature list

- Updated DOCUMENTATION.md with detailed sections:
  * Adaptive Rate Limiting configuration and benefits
  * Model Metadata Extraction features and dashboard integration

- Updated CHANGELOG.md:
  * Moved Unreleased section to version 0.9.2 (2026-04-03)
  * Added comprehensive list of new features and changes

- Version bump to 0.9.2:
  * Updated pyproject.toml version
  * Updated aisbf/__init__.py version

This release focuses on improving documentation coverage for recently
added features including user-specific API endpoints, adaptive rate
limiting, model metadata extraction, and analytics filtering.

Your theory was correct! Claude Code uses the Anthropic SDK with the
authToken parameter (not apiKey) for OAuth2 authentication.

From vendors/claude/src/services/api/client.ts lines 300-315:
    const clientConfig = {
      apiKey: isClaudeAISubscriber() ? null : apiKey || getAnthropicApiKey(),
      authToken: isClaudeAISubscriber()
        ? getClaudeAIOAuthTokens()?.accessToken
        : undefined,
    }
    return new Anthropic(clientConfig)

Changes:
- providers.py: Use auth_token=access_token (not api_key) for SDK client
- claude_auth.py: Remove create_api_key() and get_api_key() methods
  (not needed - OAuth2 token is used directly with SDK auth_token)

The create_api_key endpoint is only for creating API keys for use in
other contexts (CI/CD, IDEs), not for the main CLI.

Claude Code doesn't use the OAuth2 access token directly for API requests.
Instead, it exchanges the OAuth2 token for an API key via:
  POST https://api.anthropic.com/api/oauth/claude_cli/create_api_key
  Authorization: Bearer {oauth_access_token}

This returns a 'raw_key' which is the actual API key used for API requests.

Changes:
- claude_auth.py: Add create_api_key() and get_api_key() methods
  - create_api_key(): Exchanges OAuth2 token for API key
  - get_api_key(): Gets stored API key or creates one if needed
- providers.py: Update _get_sdk_client() to use API key instead of OAuth2 token

This matches the Claude Code flow in vendors/claude/src/services/oauth/client.ts

The Anthropic SDK's messages.stream() is a synchronous context manager,
not async. For async streaming, we need to use messages.create(..., stream=True)
which returns an async iterator of ServerSentEvent objects.

Changed from:
    async with client.messages.stream(**request_kwargs) as stream:
To:
    stream = await client.messages.create(**request_kwargs, stream=True)
    async for event in stream:

Major rewrite to use the official Anthropic Python SDK instead of direct
HTTP calls, while maintaining our OAuth2 authentication flow.

Key changes:
- Use Anthropic SDK client with OAuth2 token as api_key
- SDK handles proper message format conversion
- SDK handles automatic retries (max_retries=3)
- SDK handles proper streaming event parsing
- SDK handles correct headers and beta features
- Better error handling and rate limit management

This should fix the rate limiting issues we were seeing with direct HTTP
calls, as the SDK implements proper retry logic and request formatting.

New methods:
- _get_sdk_client(): Creates SDK client with OAuth2 token
- _handle_streaming_request_sdk(): SDK-based streaming handler
- get_cache_stats(): Returns cache usage statistics

Removed methods:
- _request_with_retry(): No longer needed (SDK handles retries)
- _handle_streaming_request_with_retry(): Replaced by SDK streaming
- _handle_streaming_request(): Replaced by SDK streaming

Phase 1.2 - Automatic retry with exponential backoff:
- Add _request_with_retry() method for non-streaming requests
- Retries on 429 (with x-should-retry header), 529, 503 errors
- Exponential backoff with jitter (1s, 2s, 4s max 30s)
- Handles timeouts and HTTP errors gracefully

Phase 1.3 - Streaming idle watchdog:
- Add 90s idle timeout detection (matches vendors/claude)
- Tracks last_event_time and raises TimeoutError on idle
- Prevents indefinite hangs on dropped connections

Phase 2.3 - Cache token tracking:
- Add cache_stats dict to track cache hits/misses
- Track cache_tokens_read and cache_tokens_created
- Add get_cache_stats() method for analytics
- Updates stats during streaming message_delta events

Also includes:
- Temperature fix (skip 0.0 when thinking beta active)
- Rate limit config update (5s default for Claude)

- Comprehensive analysis of potential improvements
- Recommended improvements without SDK migration:
  1. Message validation pipeline (HIGH priority)
  2. Automatic retry with exponential backoff (HIGH)
  3. Streaming idle watchdog (MEDIUM)
  4. Token counting and context management (MEDIUM)
  5. Cache token tracking (LOW)
- SDK migration analysis with pros/cons
- Recommendation: Don't migrate yet, implement quick wins first
- Hybrid approach evaluation for future consideration

- Claude API requires temperature: 1.0 when thinking is enabled
- Our Anthropic-Beta header includes interleaved-thinking-2025-05-14
- Sending temperature: 0.0 with thinking beta causes API errors
- Now only add temperature to payload if > 0

- Changed rate_limit from 0 to 5 seconds for Claude provider
- Changed rate_limit from 0 to 5 seconds for all Claude models
- This adds a minimum 5-second delay between requests to avoid
  hitting Anthropic's OAuth2 API rate limits

- Handle 'thinking' and 'redacted_thinking' in content_block_start events
- Handle 'thinking_delta' events to accumulate thinking content during streaming
- Handle 'signature_delta' events for thinking block signatures
- Log thinking block completion with character count
- Thinking content is accumulated but not emitted to client (stored for final response)
- Matches original Claude Code streaming thinking implementation

- Added detailed analysis of 3419-line claude.ts implementation
- Expanded streaming comparison with 30+ features from original source
- Updated message conversion comparison with normalizeMessagesForAPI details
- Added comprehensive feature comparison table for streaming implementations
- Documented advanced features: idle watchdog, stall detection, VCR support,
  cache break detection, cost tracking, memory cleanup, request ID tracking

Analysis of debug.log showed 429 rate limit errors during streaming
were not being caught by the retry logic because:
1. Streaming generators don't raise exceptions until consumed
2. Error message 'Claude API error (429): Error' didn't contain retry keywords

Changes:
1. Added _handle_streaming_request_with_retry() wrapper that catches
   rate limit errors and re-raises with proper keywords
2. Added _wrap_streaming_with_retry() method that consumes streaming
   generator and retries with fallback models on rate limit errors
3. Updated retry logic to check for '429' keyword in error messages
4. Added exponential backoff with jitter before retry attempts
5. Improved error messages to include rate limit context

This ensures that when streaming hits a 429 rate limit, the system
will automatically retry with fallback models instead of failing.

Add image content block handling to ClaudeProviderHandler:

1. Image Extraction (_extract_images_from_content):
   - Extract images from OpenAI message content format
   - Handle base64 data URLs (data:image/jpeg;base64,...)
   - Handle HTTP/HTTPS URL-based images
   - Convert to Anthropic image source format
   - Validate image size (5MB limit for base64)
   - Pass through existing Anthropic-format image blocks

2. Image Integration in Message Conversion:
   - Extract images from user message content blocks
   - Convert image_url blocks to Anthropic image source format
   - Add image blocks to anthropic_messages content array
   - Preserve text content alongside images

Reference: vendors/kilocode image handling + vendors/claude multimodal support

Add three robustness improvements to ClaudeProviderHandler:

1. Message Role Validation (_validate_messages):
   - Validate roles are one of: user, assistant, system, tool
   - Auto-fix unknown roles to 'user'
   - Ensure system messages only appear at start
   - Insert synthetic assistant messages between consecutive user messages
   - Merge consecutive assistant messages
   - Validate tool messages have tool_call_id
   - Reference: vendors/kilocode normalizeMessages() + ensure_alternating_roles()

2. Tool Result Size Validation (_truncate_tool_result):
   - Truncate oversized tool results with configurable limit (default 100k chars)
   - Add truncation notice with original length info
   - Reference: vendors/claude applyToolResultBudget

3. Model Fallback Support (handle_request refactoring):
   - Add _get_fallback_models() to read fallback list from config
   - Retry with fallback models on retryable errors (rate limit, overloaded)
   - Split into handle_request() (with retry) and _handle_request_with_model() (actual logic)
   - Log fallback attempts for debugging

All methods integrated into handle_request() for automatic application.