feat(sse): refresh Claude OAuth wire image to claude-cli/2.1.131

[Tentoxa]

Summary

Refresh the native Claude OAuth wire image to match claude-cli/2.1.131, and
extend the cloak so it fires on any sk-ant-oat token regardless of upstream
client. This resolves the upstream 429s seen when routing Claude Max OAuth
credentials through non-CLI clients (ForgeCode, Cursor, Cline).

Highlights:

• Per-OAuth-account cliUserID / accountUUID / sessionId generated and
  persisted via mapTokens; preserved across token refresh.
• postExchange calls /api/claude_cli/bootstrap to capture real account
  metadata at provisioning time (best-effort — failure does not block OAuth).
• Adaptive anthropic-beta selection per request shape (probe / structured
  / full-agent) replaces the previous static set.
• Per-request behavior overrides via x-omniroute-effort and
  x-omniroute-thinking headers; auto-mirror context_management whenever
  thinking is set.
• Migrate deprecated top-level output_format → output_config.format in
  chatCore to fix the 400 some clients trigger.
• Dashboard "Test Model" for OAuth Claude now routes through the executor
  instead of duplicating cloak logic — single source of truth.

Related Issues

• Closes #
• Related to All Claude accounts returning 429 Upstream on every model. Accounts have full quota #1995

Validation

• npm run lint
• npm run test:unit
• npm run test:coverage
• Coverage is still >= 60% for statements, lines, functions, and branches
• SonarQube PR analysis is green or any remaining issues are explicitly documented below

Tests Added Or Updated

No new test files. Existing Claude unit suites all pass (69 tests, 12 suites).

Coverage Notes

Touched files in open-sse/ and src/lib/ are covered by existing
claude-* suites. The new helper module open-sse/executors/claudeIdentity.ts
is exercised transitively by claude-code-parity and
anthropic-cache-fingerprint. Happy to add focused unit tests for
selectBetaFlags / parseUpstreamMetadataUserId / resolveCliUserID if
reviewers want them.

Reviewer Notes

• Cloak gate widened: now fires on sk-ant-oat token detection in
  addition to isClaudeCodeClient. API-key Claude (sk-ant-api) and all
  other providers are unaffected.
• Existing OAuth connections keep working but only get persistent
  accountUUID / cliUserID after re-auth. Pre-existing accounts use a
  background bootstrap fetch + in-memory cache as a stopgap.
• New opt-in headers x-omniroute-effort and x-omniroute-thinking documented
  inline in base.ts; default is pure passthrough.

[gemini-code-assist]

Code Review

This pull request implements a comprehensive "cloak" for Claude OAuth traffic to ensure it mimics the official Anthropic CLI, addressing issues with rate limiting and prompt cache affinity. Key changes include the introduction of claudeIdentity.ts for session and device ID management, updating the pinned CLI version to 2.1.131, and refining header and body field ordering to match official fingerprints. Feedback focuses on ensuring fingerprinting is applied to all OAuth requests, managing memory for identity caches, adding timeouts to background fetch operations, and centralizing version constants for better maintainability.

[gemini-code-assist]

The fingerprinting logic (which controls header and body field ordering) should be applied to all Claude OAuth requests to ensure they are indistinguishable from official CLI traffic. Currently, this is only triggered if isClaudeCodeClient is true, but the 'cloak' logic earlier in this method (lines 519-718) correctly applies to any hasClaudeOAuthToken. Missing this ordering on non-CLI clients using OAuth tokens increases the risk of 429 errors on the claude_code scope.

Suggested change

	const shouldFingerprint =
	isCliCompatEnabled(this.provider) ||
	(this.provider === "claude" && isClaudeCodeClient);
	const shouldFingerprint =
	isCliCompatEnabled(this.provider) ||
	(this.provider === "claude" && (isClaudeCodeClient || hasClaudeOAuthToken));

[gemini-code-assist]

The sessionCache, lazyCliUserIDCache, and accountUuidCache maps are unbounded and will grow indefinitely as new OAuth tokens or seeds are processed. In a long-running server environment, this constitutes a memory leak. Consider using an LRU cache or a Map with a maximum size limit to prune old entries.

[gemini-code-assist]

The fetch call to the bootstrap endpoint lacks a timeout. While this is a background operation, a hanging network request can indefinitely consume a socket and memory. It is recommended to use an AbortSignal with a reasonable timeout (e.g., 10 seconds).

[gemini-code-assist]

The fetch call to the bootstrap endpoint lacks a timeout. Network issues or slow upstream responses could cause this call to hang, potentially delaying the completion of the OAuth flow. Consider adding a timeout via AbortController.

[gemini-code-assist]

The User-Agent string is hardcoded here. To ensure consistency across the codebase and simplify future version bumps, consider importing CLAUDE_CODE_VERSION from @omniroute/open-sse/executors/claudeIdentity.ts and using it in a template literal.

[Tentoxa]

Addressed all issues found by Gemini in a07657b

[diegosouzapw]

Thank you @Tentoxa for your contribution! This has been reviewed and is now merged into release/v3.8.0 for the upcoming release. Amazing work!