Fix Kilo OAuth2 device auth for remote servers:
- Changed from data={} to explicit content=b'' with Content-Type header
- This ensures proper form-urlencoded POST request format
- Fixes 500 error when calling from remote servers behind nginx

- Added version number to debug startup message
- Fixed Kilo OAuth2 device auth endpoint (form encoding)
- Fixed dashboard save endpoints (rotations/autoselect)
- Fixed analytics page template syntax error
- Fixed Kilo provider model prefetch at startup
- Added favicon to PyPI package

Fixes:
- Kilo OAuth2 device auth endpoint now uses form encoding instead of JSON
- Final fix for Kilo device auth 500 Internal Server Error

Fixes:
- Kilo OAuth2 device auth initiation 500 error (missing empty json payload)
- Kilo provider model prefetch at startup for OAuth2 credentials
- Rotations save endpoint 500 error
- Autoselect save endpoint config shadowing bug
- Analytics page Jinja2 TemplateSyntaxError

Fixes:
- Kilo provider model prefetch at startup for OAuth2 credentials
- Rotations save endpoint 500 error (form parameter mismatch, config shadowing)
- Autoselect save endpoint config shadowing bug
- Analytics page Jinja2 TemplateSyntaxError (missing closing parenthesis)
- FormData JSON serialization in validation error handler

v0.99.7 - Fixed undefined provider_key variable bug in OAuth2 handlers, fixed config shadowing bug in rotations save handler

- Remove automatic model detection during provider save operations
- OAuth2 providers now only show models when 'Get Models from Provider' is clicked
- Users have full control over when models are fetched and saved
- Bump version to 0.99.6

- Fixed malformed url_for() calls with extra quotes in providers.html
- Corrected uploadCodexFile function JavaScript syntax
- Fixed remaining hardcoded OAuth2 URLs
- All JavaScript template syntax errors resolved
- Updated version in setup.py, pyproject.toml, aisbf/__init__.py, and PYPI.md
- Added changelog entry for 0.99.5

- Fixed malformed url_for() calls in uploadCodexFile function (extra quotes)
- Fixed hardcoded /dashboard/claude/auth/complete URL to use url_for()
- All JavaScript syntax errors resolved for proper template rendering

- Fixed OAuth2 authentication endpoints not respecting reverse proxy subpaths
- Updated all OAuth2 JavaScript fetch calls to use url_for() instead of hardcoded /dashboard/ paths
- Fixed Claude, Kilo, Codex, and Qwen OAuth2 authentication flows for reverse proxy deployments
- Fixed file upload endpoints, rate limits data endpoint, user management endpoints, and autoselect save endpoint
- OAuth2 authentication buttons now work correctly behind nginx reverse proxy with /aisbf/ location
- Updated version in setup.py, pyproject.toml, aisbf/__init__.py, and PYPI.md
- Added changelog entry for 0.99.4

- Fixed malformed Jinja2 template syntax in user_providers.html causing download link issues
- Corrected URL generation for authentication file download links
- Fixed extension download link in providers.html template
- All template syntax errors resolved for proper dashboard rendering
- Updated version in setup.py, pyproject.toml, aisbf/__init__.py, and PYPI.md
- Added changelog entry for 0.99.3

- Fixed Jinja2 template syntax errors in dashboard templates
- Updated version in pyproject.toml, setup.py, and aisbf/__init__.py
- Updated PYPI.md and CHANGELOG.md with new version

- Corrected nested template tags in dashboard templates
- All fetch() calls and URL generations now use proper url_for syntax
- Templates should render correctly now

- Fix login redirect after authentication not respecting proxy subpaths
- Modified url_for function to return relative URLs when behind reverse proxy
- Updated login form action and template URLs to use url_for
- Fixed JavaScript fetch calls in providers and rotations templates
- Bumped version to 0.99.1 in all configuration files
- Updated CHANGELOG.md and PYPI.md with new version

- Implemented complete OAuth2 Device Authorization Grant with PKCE (S256)
- Added aisbf/auth/qwen.py for OAuth2 authentication
- Added aisbf/providers/qwen.py for OpenAI-compatible DashScope API
- Cross-process token synchronization with file locking
- Automatic token refresh with 30-second expiry buffer
- Optional API key mode (bypass OAuth2)
- Dashboard integration ready
- Free tier: 1,000 requests/day, 60 requests/minute
- Available models: qwen-plus, qwen-turbo, qwen-max, coder-model
- Updated documentation in AI.PROMPT, README.md, and CHANGELOG.md
- Version bumped to 0.99.0

v0.9.9: User-based configuration routing for providers, rotations, autoselects, and OAuth2 credentials

- Config admin (from aisbf.json, user_id=None) saves configurations to JSON files
- Database users save configurations to the database (user_providers, user_rotations, user_autoselects tables)
- Dashboard endpoints check user type and route accordingly
- File upload endpoint supports both config admin (files) and database users (database)
- MCP server tools accept user_id parameter and route to appropriate storage
- OAuth2 credential handling already implemented this pattern (Claude, Kilo, Codex)
- Updated CHANGELOG.md, setup.py, and pyproject.toml

- Added find_config_file() to check config locations in correct order
- Added get_host() to read server.host from config (defaults to 127.0.0.1)
- Fixed get_port() to read from server.port instead of top-level port
- Updated start_server() and start_daemon() to use config-based host
- Updated CHANGELOG.md with the fix

- Changed authenticate_with_device_flow() to request_device_code_flow() + poll_device_code_completion()
- /dashboard/codex/auth/start now returns immediately with verification URI and user code
- /dashboard/codex/auth/poll checks for completion status
- Fixed poll_device_code_token to raise exception for 403/404 (pending state)
- Dashboard JavaScript opens popup window with verification URI immediately

- New codex provider type using OpenAI-compatible protocol
- OAuth2 authentication via Device Authorization Grant flow
- Provider handler in aisbf/providers/codex.py
- OAuth2 handler in aisbf/auth/codex.py
- Dashboard integration with authentication UI
- Token refresh with automatic retry
- API key exchange from ID token
- Updated version to 0.9.8 in setup.py and pyproject.toml
- Updated CHANGELOG.md, README.md, PYPI.md with Codex documentation
- Added codex provider configuration to config/providers.json

- Trigger: Press ArrowUp, ArrowDown, ArrowUp in sequence within 10 seconds
- Opens a Snake game in a popup window
- Classic Snake gameplay with difficulty selection
- Retro arcade-style with Press Start 2P font

- Fixed ImportError: count_messages_tokens missing by correcting setup.py data_files structure
- Split data_files into separate entries to preserve subdirectory structure (aisbf/, aisbf/providers/, aisbf/providers/kiro/, aisbf/auth/)
- Added 6 missing dashboard templates (user_index.html, user_providers.html, etc.)
- Removed install_requires from setup.py (dependencies managed via venv)
- Updated aisbf.sh to only install requirements on first venv creation
- Added Kiro-cli and Kilocode OAuth2 provider support documentation
- Removed duplicate entries in documentation (Token Usage Analytics, Claude OAuth2)
- Provider module refactoring documentation updates
- Version bumped to 0.9.4

- Updated README.md with comprehensive documentation for new features:
  * User-Specific API Endpoints with Bearer token authentication
  * Adaptive Rate Limiting with learning from 429 responses
  * Model Metadata Extraction with automatic pricing/rate limit detection
  * Enhanced Analytics Filtering by provider/model/rotation
  * Updated Web Dashboard feature list

- Updated DOCUMENTATION.md with detailed sections:
  * Adaptive Rate Limiting configuration and benefits
  * Model Metadata Extraction features and dashboard integration

- Updated CHANGELOG.md:
  * Moved Unreleased section to version 0.9.2 (2026-04-03)
  * Added comprehensive list of new features and changes

- Version bump to 0.9.2:
  * Updated pyproject.toml version
  * Updated aisbf/__init__.py version

This release focuses on improving documentation coverage for recently
added features including user-specific API endpoints, adaptive rate
limiting, model metadata extraction, and analytics filtering.

Your theory was correct! Claude Code uses the Anthropic SDK with the
authToken parameter (not apiKey) for OAuth2 authentication.

From vendors/claude/src/services/api/client.ts lines 300-315:
    const clientConfig = {
      apiKey: isClaudeAISubscriber() ? null : apiKey || getAnthropicApiKey(),
      authToken: isClaudeAISubscriber()
        ? getClaudeAIOAuthTokens()?.accessToken
        : undefined,
    }
    return new Anthropic(clientConfig)

Changes:
- providers.py: Use auth_token=access_token (not api_key) for SDK client
- claude_auth.py: Remove create_api_key() and get_api_key() methods
  (not needed - OAuth2 token is used directly with SDK auth_token)

The create_api_key endpoint is only for creating API keys for use in
other contexts (CI/CD, IDEs), not for the main CLI.

Claude Code doesn't use the OAuth2 access token directly for API requests.
Instead, it exchanges the OAuth2 token for an API key via:
  POST https://api.anthropic.com/api/oauth/claude_cli/create_api_key
  Authorization: Bearer {oauth_access_token}

This returns a 'raw_key' which is the actual API key used for API requests.

Changes:
- claude_auth.py: Add create_api_key() and get_api_key() methods
  - create_api_key(): Exchanges OAuth2 token for API key
  - get_api_key(): Gets stored API key or creates one if needed
- providers.py: Update _get_sdk_client() to use API key instead of OAuth2 token

This matches the Claude Code flow in vendors/claude/src/services/oauth/client.ts

The Anthropic SDK's messages.stream() is a synchronous context manager,
not async. For async streaming, we need to use messages.create(..., stream=True)
which returns an async iterator of ServerSentEvent objects.

Changed from:
    async with client.messages.stream(**request_kwargs) as stream:
To:
    stream = await client.messages.create(**request_kwargs, stream=True)
    async for event in stream:

Major rewrite to use the official Anthropic Python SDK instead of direct
HTTP calls, while maintaining our OAuth2 authentication flow.

Key changes:
- Use Anthropic SDK client with OAuth2 token as api_key
- SDK handles proper message format conversion
- SDK handles automatic retries (max_retries=3)
- SDK handles proper streaming event parsing
- SDK handles correct headers and beta features
- Better error handling and rate limit management

This should fix the rate limiting issues we were seeing with direct HTTP
calls, as the SDK implements proper retry logic and request formatting.

New methods:
- _get_sdk_client(): Creates SDK client with OAuth2 token
- _handle_streaming_request_sdk(): SDK-based streaming handler
- get_cache_stats(): Returns cache usage statistics

Removed methods:
- _request_with_retry(): No longer needed (SDK handles retries)
- _handle_streaming_request_with_retry(): Replaced by SDK streaming
- _handle_streaming_request(): Replaced by SDK streaming

Phase 1.2 - Automatic retry with exponential backoff:
- Add _request_with_retry() method for non-streaming requests
- Retries on 429 (with x-should-retry header), 529, 503 errors
- Exponential backoff with jitter (1s, 2s, 4s max 30s)
- Handles timeouts and HTTP errors gracefully

Phase 1.3 - Streaming idle watchdog:
- Add 90s idle timeout detection (matches vendors/claude)
- Tracks last_event_time and raises TimeoutError on idle
- Prevents indefinite hangs on dropped connections

Phase 2.3 - Cache token tracking:
- Add cache_stats dict to track cache hits/misses
- Track cache_tokens_read and cache_tokens_created
- Add get_cache_stats() method for analytics
- Updates stats during streaming message_delta events

Also includes:
- Temperature fix (skip 0.0 when thinking beta active)
- Rate limit config update (5s default for Claude)