feat: selective tool proxying, session isolation, MCP bridging, and streaming fixes

[khalilgharbaoui]

Summary

This PR brings 18 commits that address the three known limitations listed in the original README and add significant new functionality. The changes fall into four areas:

1. Selective Tool Proxy — route dangerous tools through opencode's permission system

The headline feature. Claude CLI normally executes tools (Bash, Edit, Write, WebFetch) internally, bypassing opencode's permission UI entirely. This PR adds a proxyTools option that selectively disables Claude's built-in tools and replaces them with equivalent MCP proxy tools hosted by an in-process HTTP server.

How it works:

• An embedded MCP server starts on 127.0.0.1 (random port) when proxyTools is configured.
• For each proxied tool, --disallowedTools <ToolName> is passed to the CLI.
• Claude calls the MCP proxy tool instead → the plugin emits a client-executed tool-call to opencode → opencode runs the real tool with its native permission checks → the result flows back to Claude.
• Non-proxied tools (Read, Glob, Grep, etc.) remain fully native to Claude CLI for performance.

New files: src/proxy-mcp.ts (MCP server), src/proxy-broker.ts (pause/resume broker).

Supported proxy tools: Bash, Edit, Write, WebFetch.

Config:

{
  "options": {
    "proxyTools": ["Bash", "Edit", "Write", "WebFetch"]
  }
}

2. Session isolation — no more cross-chat interference

Sessions are now keyed by (cwd, model, x-session-affinity) instead of just (cwd, model). The x-session-affinity header is set by opencode on LLM calls to third-party providers, so two simultaneous chats in the same project get separate CLI processes. An LRU cap (16 processes) prevents subprocess accumulation.

3. MCP config auto-bridging — one config, not two

The plugin now auto-discovers opencode.json / opencode.jsonc (via cwd, OPENCODE_CONFIG, OPENCODE_CONFIG_DIR, $XDG_CONFIG_HOME/opencode) and translates its mcp block into Claude CLI's --mcp-config format. Local servers get type: \"stdio\", remote servers get type: \"http\", disabled servers are skipped. This means MCP servers configured in opencode are automatically available to Claude CLI without maintaining a separate ~/.claude/settings.json.

New file: src/mcp-bridge.ts.

Config overrides: bridgeOpencodeMcp (default true), mcpConfig (extra paths), strictMcpConfig.

4. Streaming correctness fixes

• Empty content sentinel (0736306, 5def53c): replaced \"(continue)\" with \"(empty)\" so the model doesn't interpret the sentinel as an instruction to resume the previous turn.
• Tool-execution semantics (33cb03a): TodoWrite and WebSearch are now forwarded as client-executed (not provider-executed), so opencode's todo UI and search results populate correctly.
• Object-shaped tools (c665524): opencode sometimes passes tools as an object map rather than an array; the scope classifier now handles both.
• CLI error surfacing (09db874): if Claude returns only a result message with error text (rate limit, auth failure), it's now emitted as visible text instead of a blank turn.
• Control request handling (70badf9): can_use_tool control requests get immediate control_response replies with configurable allow/deny policy, preventing stream deadlocks.
• Per-iteration usage (6d126c3, refined in 4af2a96): uses usage.iterations[-1] instead of cumulative totals and computes inputTokens.total = noCache + cacheRead + cacheWrite, preventing inflated context estimates and fixing cache-aware token accounting.
• Per-block text emission (6d126c3, refined in 4af2a96): each text content block gets its own text-start/delta/text-end lifecycle so partial text is preserved on stream abort.
• Result fallback timing (6d126c3, refined in 4af2a96, tightened in ce5701c): a 5-second timeout closes the stream gracefully if the CLI emits content but never sends a result event. The timer is now only armed on assistant text without tool use, abort starts a grace period instead of closing immediately, and the non-streaming path now honors proxied tools consistently.
• Anthropic cache metadata (4af2a96): emits providerMetadata.anthropic.cacheCreationInputTokens so OpenCode can display cache write tokens correctly.
• Lazy cwd resolution (ce3eb26): provider init no longer freezes process.cwd(), so each request resolves cwd at call time.

Other improvements

• AI SDK v3 compatibility (0ae354c)
• Reasoning effort levels (93d610c): --thinking-effort passthrough for low/medium/high/xhigh/max
• Image input support (93d610c, hardened in 4af2a96): base64 image parts forwarded to Claude CLI, plus MIME allowlist, robust data URI parsing, and early rejection of unsupported remote URL images
• --permission-mode passthrough (ea27f17)
• Windows compatibility (6d126c3): shell: process.platform === \"win32\" on both spawn sites so claude.cmd works on Windows
• Comprehensive README rewrite with architecture diagrams, config reference, and proxy documentation

---

Relationship to other open PRs

This PR subsumes or addresses the core concerns of several other open PRs. We developed these independently and discovered many of the same issues:

Open PR	Author	What it does	How this PR addresses it
#6	@simonseo	Stream finish handling + effort passthrough + session scoping by effort	We fix stream finish (result fallback timer, per-block text), pass --thinking-effort, and scope sessions by x-session-affinity header. We intentionally keep our variant-based effort approach rather than model-suffix ergonomics.
#9	@nbalzotti	Windows shell:true for .cmd spawn	Included in 6d126c3 — same fix on both spawn sites.
#12	@Aptul9	AI SDK V3 migration, per-iteration usage, per-block text, result fallback timer, providerExecuted flag, empty content	We independently implemented all of these and then tightened the last details in 4af2a96: V3 spec (0ae354c), lastIterationUsage via iterations[-1] (6d126c3), cache-aware totals + noCache (4af2a96), per-block text emission (6d126c3), smarter fallback timing + abort grace (4af2a96), providerExecuted (33cb03a, refined in 4af2a96), empty content sentinel (0736306, 5def53c).
#13	@Aptul9	Image support in user messages	Included in 93d610c; hardened in 4af2a96 with supported MIME allowlist, robust data URI parsing, and remote URL rejection.
#15	@waveywaves	--effort flag via provider option	Included in 93d610c — reasoning effort passthrough.

PR #4 is only partially addressed here. Commit ce3eb26 adopts the safe cross-platform piece by resolving cwd lazily per request instead of freezing process.cwd() at provider initialization. We intentionally did not adopt the desktop-specific SQLite/session lookup fallback, request-option sessionID/cwd plumbing, or hard-coded path logic from #4, so #4 remains distinct draft work for desktop-specific cwd recovery.

PR #14 is independent and useful, but it's a standalone migration utility rather than a runtime plugin improvement.

Issues addressed

• Error: undefined is not an object (evaluating 'Z.inputTokens.total') #11 (inputTokens.total crash): fixed by AI SDK v3 usage rewrite in 0ae354c and the cache-aware usage refinements in 4af2a96.
• Doesn't work - Anthropic API breaking change #7 (blank responses / API breaking change): fixed by commits 0736306, 5def53c, 09db874, c665524, a663266, and 6d126c3/4af2a96.

---

Commits (chronological)

1. 0ae354c fix: make claude-code provider compatible with AI SDK v3
2. 93d610c feat: add reasoning effort levels and image input support
3. 0736306 fix: use neutral sentinel instead of "(continue)" for empty user content
4. 33cb03a fix: correct tool-execution semantics for opencode-hosted tools
5. 5def53c fix: use "(empty)" sentinel matching provider's parenthetical meta-note convention
6. ea27f17 feat: expose --mcp-config passthrough and fix known-limitations wording
7. 1941685 feat: fix session sharing and auto-bridge opencode MCP config to Claude CLI
8. 70badf9 feat: handle Claude control-request permissions in stream-json mode
9. 09db874 fix: surface CLI error text from stream-json result messages
10. c665524 fix: detect object-shaped tools when choosing stream scope
11. a663266 fix: emit Claude-compatible MCP transport types in bridge
12. 4145493 feat: proxy Bash through opencode tools and permissions
13. 9230421 feat: proxy Edit and Write through opencode tools
14. 820cc22 feat: proxy WebFetch through opencode tools and permissions
15. 6d126c3 fix: per-iteration usage, per-block text emission, result fallback timer, Windows spawn
16. 4af2a96 fix: refine usage accounting, text emission, fallback timing, and image handling
17. ce5701c fix: honor proxied tools in doGenerate and tighten fallback handling
18. ce3eb26 fix: resolve cwd lazily per request

Test plan

• tsc --noEmit passes
• tsup build passes
• opencode run \"hi\" -m claude-code/claude-sonnet-4-6 returns visible output (or explicit rate-limit text, not blank)
• Proxy Bash: Claude calls mcp__opencode_proxy__bash, opencode executes, result flows back
• Proxy Edit: Claude calls mcp__opencode_proxy__edit, opencode executes file diff
• Proxy Write: Claude calls mcp__opencode_proxy__write, opencode writes file
• Proxy WebFetch: proxied MCP tool is exposed and wired through the same selective proxy path
• Proxy with bash: ask permission rule: opencode's permission.asked fires, auto-rejected in headless mode
• MCP bridge: opencode MCP config translated to Claude CLI format (local → stdio, remote → http, disabled → skipped)
• Session isolation: two chats with different x-session-affinity headers get separate CLI processes
• Empty content: whitespace-only messages produce \"(empty)\" sentinel, not blank or \"(continue)\"
• Rate-limit: 429 responses surface visible error text instead of blank turn
• Per-iteration usage: usage.iterations[-1] used when present, falls back to cumulative
• Cache-aware input totals: inputTokens.total includes cache read/write, noCache is populated
• Windows: shell: true gated on process.platform === \"win32\"
• Image handling: supported MIME types accepted, malformed data URIs and remote URLs rejected early
• Lazy cwd resolution: provider no longer freezes init-time process.cwd()

Breaking changes

None. All new features are opt-in via config. Default behavior is unchanged from upstream.

Known limitations

• Proxy tool set: only Bash, Edit, Write, and WebFetch are supported. More can be added when opencode gains matching built-in executors.
• Non-proxied tools bypass opencode permissions: Read, Glob, Grep, etc. remain native to Claude CLI for performance.
• Claude upstream bug #34046: Claude CLI does not emit can_use_tool control requests for built-in tools. The selective proxy approach works around this entirely.

[emreycolakoglu]

@khalilgharbaoui would you consider publishing to npm yourself? this repo is likely dead. I'm looking forward to use your fixes but I couldn't use it locally (clone + build).

[khalilgharbaoui]

@emreycolakoglu yep — I went ahead and published a maintained fork. It is on npm now, no clone/build needed:

• Package: https://www.npmjs.com/package/@khalilgharbaoui/opencode-claude-code-plugin
• Repo: https://github.com/khalilgharbaoui/opencode-claude-code-plugin

Just add it to the plugin array in your opencode.json — the README has the up-to-date install/config and a few quirks worth knowing about (selective tool proxying, MCP bridge discovery order, MultiEdit pass-through, plan mode handling). Worth a quick read before wiring it up.

Includes the fixes from this PR plus a couple of regressions I hit afterwards (empty-text-block 400s, variant selection on model pick, lazy cwd resolution). Issues / PRs welcome over on the fork.