@rynfar/meridian
v1.50.0
Published
Local Anthropic API powered by your Claude Max subscription. One subscription, every agent.
Maintainers
Readme
Meridian bridges the Claude Code SDK to the standard Anthropic API. No OAuth interception. No binary patches. No hacks. Just pure, documented SDK calls. Any tool that speaks the Anthropic or OpenAI protocol — OpenCode, ForgeCode, Crush, Cline, Aider, Pi, Droid, Open WebUI, Claude Code — connects to Meridian and gets Claude, with session management, streaming, and prompt caching handled natively by the SDK.
[!NOTE]
How Meridian works with Anthropic
Meridian is built entirely on the Claude Code SDK. Every request flows through
query()— the same documented function Anthropic provides for programmatic access. No OAuth tokens are extracted, no binaries are patched, nothing is reverse-engineered.Because we use the SDK, Anthropic remains in full control of prompt caching, context window management, compaction, rate limiting, and authentication. Meridian doesn't bypass these mechanisms — it depends on them. Max subscription tokens flow through the correct channel, governed by the same guardrails Anthropic built into Claude Code.
What Meridian adds is a presentation and interoperability layer. We translate Claude Code's output into the standard Anthropic API format so developers can connect the editors, terminals, and workflows they prefer. The SDK does the work; Meridian formats the result.
Our philosophy is simple: work within the SDK's constraints, not around them. The generous limits on Claude Max exist because Anthropic can optimize and manage usage through Claude Code. Meridian respects that by building only on the tools Anthropic provides — no shortcuts, no workarounds that create friction. We believe this is how developers keep the freedom to choose their own frontends while keeping the platform sustainable for everyone.
Quick Start
# 1. Install
npm install -g @rynfar/meridian
# 2. Authenticate (one time)
claude login
# 3. Configure OpenCode plugin (one time — OpenCode users only)
meridian setup
# 4. Start
meridianMeridian runs on http://127.0.0.1:3456. Point any Anthropic-compatible tool at it:
ANTHROPIC_API_KEY=x ANTHROPIC_BASE_URL=http://127.0.0.1:3456 opencodeThe API key value is a placeholder — Meridian authenticates through the Claude Code SDK, not API keys. Most Anthropic-compatible tools require this field to be set, but any value works.
NixOS / Nix Flake
Meridian provides a Nix flake for declarative installation.
Add to your flake inputs:
{
inputs.meridian.url = "github:rynfar/meridian";
}Install the package (via overlay or directly):
# Option A: overlay
nixpkgs.overlays = [ meridian.overlays.default ];
environment.systemPackages = [ pkgs.meridian ];
# Option B: direct reference
environment.systemPackages = [ meridian.packages.${system}.meridian ];OpenCode plugin -- the plugin file is included at ${pkgs.meridian}/lib/meridian/plugin/meridian.ts. Since this path lives in the Nix store, you need to make it available to OpenCode:
If you generate your OpenCode config from Nix (e.g. via Home Manager), interpolate the path directly:
# home-manager example
xdg.configFile."opencode/opencode.json".text = builtins.toJSON {
plugin = [ "${pkgs.meridian}/lib/meridian/plugin/meridian.ts" ];
};If you don't manage your OpenCode config through Nix, symlink the plugin to a stable path and reference that instead:
# configuration.nix or home-manager
environment.etc."meridian/plugin/meridian.ts".source =
"${pkgs.meridian}/lib/meridian/plugin/meridian.ts";Then in ~/.config/opencode/opencode.json:
{ "plugin": ["/etc/meridian/plugin/meridian.ts"] }Important: Do not use
meridian setupon NixOS. It writes an absolute Nix store path (e.g./nix/store/...-meridian-1.x.x/lib/...) into your OpenCode config, which will break on the nextnixos-rebuild switchorhome-manager switchwhen the store path changes. Use one of the approaches above instead.
Note: The bundled Claude Code binary (
claude.exe) is patched withautoPatchelfHookat build time, so it runs on NixOS out of the box. If you previously enabledprograms.nix-ld.enable = trueas a workaround forCould not start dynamically linked executable(#501), that is no longer required for Meridian.
Home Manager service -- run Meridian as a user systemd service:
# flake.nix
{
inputs.meridian.url = "github:rynfar/meridian";
}
# home-manager config
{
imports = [ meridian.homeModules.default ];
services.meridian = {
enable = true;
settings = {
port = 3456;
host = "127.0.0.1";
# passthrough = true;
# defaultAgent = "opencode";
# sonnetModel = "sonnet";
};
# Extra env vars not covered by settings
# environment = {
# MERIDIAN_MAX_CONCURRENT = "20";
# };
};
}The service starts automatically on login. Manage it with systemctl --user {start,stop,restart,status} meridian.
The module manages only the systemd user service — it does not put the meridian CLI on your $PATH. If you also want to run meridian from a shell, add the package yourself:
home.packages = [ config.services.meridian.package ];The plugin path is also available as config.services.meridian.opencode.pluginPath for use in your OpenCode config:
xdg.configFile."opencode/opencode.json".text = builtins.toJSON {
plugin = [ config.services.meridian.opencode.pluginPath ];
};Why Meridian?
The Claude Code SDK provides programmatic access to Claude. But your favorite coding tools expect an Anthropic API endpoint. Meridian bridges that gap — it runs locally, accepts standard API requests, and routes them through the SDK. Claude Code does the heavy lifting; Meridian translates the output.
Features
- Standard Anthropic API — drop-in compatible with any tool that supports a custom
base_url - OpenAI-compatible API —
/v1/chat/completionsand/v1/modelsfor tools that only speak the OpenAI protocol (Open WebUI, Continue, etc.) — no LiteLLM needed, includingimage_urlsupport for data URLs - Session management — conversations persist across requests, survive compaction and undo, resume after proxy restarts
- Streaming — full SSE streaming with MCP tool filtering
- Concurrent sessions — run parent and subagent requests in parallel
- Subagent model selection — primary agents get 1M context; subagents get 200k, preserving rate-limit budget
- Auto token refresh — expired OAuth tokens are refreshed automatically; requests continue without interruption
- Passthrough mode — forward tool calls to the client instead of executing internally
- Multimodal — images, documents, file attachments, and multimodal tool results pass through to Claude
- Multi-profile — switch between Claude accounts instantly, no restart needed; opt-in sticky session routing distributes sessions across accounts while keeping per-account prompt caches warm
- Adapter instances — run several configurations of the same adapter side by side (per-instance thinking, system prompt, passthrough) selected by header or match rules — see Adapter instances
- Telemetry dashboard — real-time performance metrics at
/telemetry, including token usage and prompt cache efficiency (MONITORING.md) - Telemetry persistence — opt-in SQLite storage for telemetry data that survives proxy restarts, with configurable retention
- Prometheus metrics —
GET /metricsendpoint for scraping request counters and duration histograms - SDK feature toggles (experimental) — unlock Claude Code features (memory, dreaming, CLAUDE.md) for any connected agent
SDK Feature Toggles (Experimental)
Meridian can expose Claude Code features to any connected agent. Capabilities like auto-memory, dreaming, and CLAUDE.md — normally exclusive to Claude Code — become available to OpenCode, Crush, Droid, and any other harness routed through Meridian. Each agent keeps its own toolchain while gaining access to these additional features.
Configure per-adapter at /settings in the Meridian web UI. Changes take effect on the next request — no restart needed. Config is persisted to ~/.config/meridian/sdk-features.json.
Available features
| Setting | Options | Description |
|---|---|---|
| Claude Code Prompt | on / off | Include the SDK's built-in system prompt (tool usage rules, safety guidelines, coding best practices) |
| Client Prompt | on / off | Include the system prompt sent by the connecting agent (e.g. OpenCode or Crush instructions) |
| CLAUDE.md | off / project / full | Load instruction files — off: none, project: ./CLAUDE.md only, full: ~/.claude/CLAUDE.md + ./CLAUDE.md |
| Memory | on / off | Auto-memory: read and write memories across sessions |
| Auto-Dream | on / off | Background memory consolidation between sessions |
| Thinking | disabled / adaptive / enabled | Extended thinking mode for complex reasoning |
| Thinking Passthrough | on / off | Forward thinking blocks to the client for display |
| Shared Memory | on / off | Share memory directory with Claude Code (~/.claude) instead of isolated storage |
System prompts
The system prompt controls are independent — any combination works:
- Both enabled (recommended): Claude Code instructions come first, followed by your agent's specific instructions. This gives Claude the full context it needs for features like memory and tool use to work correctly.
- Claude Code only: Just the base Claude Code prompt without agent-specific instructions.
- Client only: Just your agent's prompt, passed through as a raw string.
- Neither: No system prompt at all — Claude operates with just the user message.
Note: For features like memory and dreaming to work well, the Claude Code system prompt should be enabled — it contains the instructions Claude needs to read and write memories correctly.
Passthrough Mode and Tool Calling
The core question is who executes the tools — the SDK or the client?
- Passthrough mode (default for OpenCode and Pi) — Claude generates tool calls, but Meridian captures them and sends them back to the client for execution. The client runs the tool using its own implementation, with its own sandboxing, file tracking, and UI, then sends the result in the next request. This is how OpenCode, oh-my-opencagent (OMO), and most coding agents work — they have their own read/write/bash tools and need to stay in control of what runs on the user's machine.
- Internal mode — Claude Code handles everything. The SDK executes tools directly on the host, runs its full agent loop, and returns the final result. This is for clients that are purely chat interfaces (Open WebUI, simple API consumers) with no tool execution of their own.
Most users don't need to configure anything — the adapter sets the right mode automatically. To override:
MERIDIAN_PASSTHROUGH=1 meridian # force passthrough
MERIDIAN_PASSTHROUGH=0 meridian # force internalHow tool calling works in passthrough
- The client sends a request with tool definitions (read, write, edit, bash, glob, grep)
- Meridian registers these as MCP tools so the SDK can generate proper
tool_useblocks - The SDK produces a tool call → Meridian captures it and returns it to the client
- The client executes the tool locally and sends the result back
For large tool sets (>15 tools), non-core tools are automatically deferred via the SDK's ToolSearch mechanism. Core tools (read, write, edit, bash, glob, grep) are always loaded eagerly. The deferral threshold is configurable with MERIDIAN_DEFER_TOOL_THRESHOLD.
Digest-turn elimination — after a tool call is captured, the SDK would normally invoke the model one more time to "digest" the denial before ending the turn. That extra invocation is discarded by the proxy but fully billed — measured at ~400+ wasted output tokens and 2–3× extra latency per tool step (and on always-thinking models like Fable, a full thinking pass each time). Meridian now aborts the SDK query the moment every tool call's denial is persisted, so the digest turn never generates. Sessions remain resumable and tool-result attribution is unaffected. Kill switch: MERIDIAN_PASSTHROUGH_EARLY_STOP=0 restores the old behavior.
Known limitations
- Single tool round-trip per request — in passthrough mode, the SDK is configured with
maxTurns=2(or 3 for deferred tools). Multi-step agentic loops where Claude needs several consecutive tool calls require the client to re-send after each round. - Blocked tools — 13 built-in SDK tools (Read, Write, Bash, etc.) are blocked to prevent conflicts with the client's own tools. 15 additional Claude Code-only tools (CronCreate, EnterWorktree, Agent, etc.) are blocked because they require capabilities that external clients don't support.
- Subagent extraction — Meridian parses the client's Task tool description to extract subagent names and build SDK AgentDefinitions. If the client's agent framework uses a non-standard format, subagent routing may not work automatically.
- Scratchpad suppression (passthrough) — the Claude CLI advertises a proxy-host scratchpad directory that clients can't use; OpenCode 1.18+ permission-blocks writes to it. Meridian suppresses it in passthrough mode (
CLAUDE_CODE_SESSION_KIND=bgon the subprocess). Kill switch:MERIDIAN_SUPPRESS_SCRATCHPAD=0. - Anthropic server tools not supported — native server-side tools (
web_search_*,web_fetch_*) are a raw Anthropic API feature (billed to an API key) that emitsserver_tool_use/web_search_tool_resultblocks the Claude Max / Agent SDK path cannot produce. A request carrying one is rejected with a400explaining the fix. If a plugin needs server-side web search (e.g.opencode-websearch), give it its own provider pointed athttps://api.anthropic.comwith yourANTHROPIC_API_KEY— don't route that call through Meridian.
Multi-Profile Support
Meridian can route requests to different Claude accounts. Each profile is a named auth context — a separate Claude login with its own OAuth tokens. Switch between personal and work accounts, or share a single Meridian instance across teams.
Adding profiles
# Add your personal account
meridian profile add personal
# → Opens browser for Claude login
# Add your work account (sign out of claude.ai first, then sign into the work account)
meridian profile add work⚠ Important: Claude's OAuth reuses your browser session. Before adding a second account, sign out of claude.ai and sign into the other account first.
Headless / SSH: complete Claude OAuth with a pasted code
When you still want a normal Claude Max browser-login profile but the Meridian host cannot open a browser (SSH, WSL, containers, remote servers), use --headless. Meridian prints a Claude OAuth URL, prompts for the returned code, exchanges it with PKCE, and saves the resulting credentials into the profile's isolated CLAUDE_CONFIG_DIR:
meridian profile add work --headlessOpen the printed URL in a browser, sign in to the target Claude account, then paste the returned code at Meridian's Paste code: prompt. For an existing browser-login profile:
meridian profile login work --headlessHeadless / CI: register an OAuth token
When a browser isn't available (containers, CI runners, remote shells), generate a long-lived OAuth token with claude setup-token and register it as a profile:
# Prompt for the token (input is hidden — paste the value from `claude setup-token`)
meridian profile add ci --oauth-token
# Or pass it inline
meridian profile add ci --oauth-token sk-ant-oat01-...OAuth-token profiles store the token in profiles.json and feed it to the SDK via CLAUDE_CODE_OAUTH_TOKEN — no Keychain entry, no browser handshake. To prevent the SDK's 401-recovery from silently falling back to the host's ~/.claude credentials, OAuth-token profiles also pin CLAUDE_CONFIG_DIR to an isolated per-profile directory under ~/.config/meridian/profiles/<name>/. That directory holds only SDK state (sessions, settings) — never .credentials.json, since the token is delivered through the env.
Switching profiles
# CLI (while proxy is running)
meridian profile switch work
# Per-request header (any agent)
curl -H "x-meridian-profile: work" ...You can also switch profiles from the web UI at http://127.0.0.1:3456/profiles — a dropdown appears in the nav bar on all pages when profiles are configured.
Sticky session routing
With multiple profiles (e.g. two Claude Max subscriptions), Meridian can distribute sessions across profiles automatically while preserving session affinity — Anthropic's prompt caching is per-account, so a session must stay on one account to keep its ~99% cache hit rate:
MERIDIAN_ROUTING=sticky meridian # or set "routing": "sticky" in ~/.config/meridian/settings.json- Each session is assigned to a profile by rendezvous hashing of its session id — deterministic and stateless, so assignments survive proxy restarts with no state to lose
- Adding/removing a profile only reassigns the sessions belonging to the changed arm — everything else keeps its warm cache
- A session's subagent/fork requests share its assignment (same session id → same account)
- The
x-meridian-profileheader still overrides everything, per request - Default is
active(all traffic to the active profile — the pre-existing behavior); sticky is opt-in
Request logs show the assignment (profile=work(sticky)), and GET /profiles/list reports the current routing mode.
Profile commands
| Command | Description |
|---------|-------------|
| meridian profile add <name> [--headless] | Add a profile and authenticate via Claude OAuth; --headless prints a URL, prompts for the returned code, and stores the exchanged credentials |
| meridian profile add <name> --oauth-token [TOKEN] | Add a headless profile from a claude setup-token value (prompts when TOKEN is omitted) |
| meridian profile list | List profiles and auth status |
| meridian profile switch <name> | Switch the active profile (requires running proxy) |
| meridian profile login <name> [--headless] | Re-authenticate an expired profile (browser-login profiles only); --headless uses the URL/code flow |
| meridian profile remove <name> | Remove a profile and its credentials |
How it works
Each profile stores its credentials in an isolated CLAUDE_CONFIG_DIR under ~/.config/meridian/profiles/<name>/. OAuth-token profiles use the same isolated directory layout — but the token itself lives in ~/.config/meridian/profiles.json and is fed to the SDK via CLAUDE_CODE_OAUTH_TOKEN, so the per-profile dir holds only SDK state (sessions, settings) and never the credential. When a request arrives, Meridian resolves the profile in priority order:
x-meridian-profilerequest header (per-request override)- Active profile (set via
meridian profile switchor the web UI) - First configured profile
Session state is scoped per profile — switching accounts won't cross-contaminate conversation history.
Environment variable configuration
For advanced setups (CI, Docker), profiles can also be provided via environment variable:
export MERIDIAN_PROFILES='[
{"id":"personal","claudeConfigDir":"/path/to/config1"},
{"id":"work","claudeConfigDir":"/path/to/config2"},
{"id":"ci","oauthToken":"sk-ant-oat01-..."}
]'
export MERIDIAN_DEFAULT_PROFILE=personal
meridianProfile shapes:
claudeConfigDir— points at a~/.claude-style directory; uses Claude Max OAuth from that dirapiKey(with optionalbaseUrl) — direct Anthropic API access; setsANTHROPIC_API_KEY/ANTHROPIC_BASE_URLoauthToken— long-lived token fromclaude setup-token; setsCLAUDE_CODE_OAUTH_TOKEN, no config dir needed
When MERIDIAN_PROFILES is set, it takes precedence over disk-configured profiles. When unset, Meridian auto-discovers profiles from ~/.config/meridian/profiles.json on each request.
Related environment variables:
MERIDIAN_ROUTING=sticky— enable sticky session routing across profiles (defaultactive)MERIDIAN_ADAPTER_INSTANCES='{...}'— define adapter instances inline instead of via~/.config/meridian/adapter-instances.json
Agent Setup
OpenCode
Step 1: Run meridian setup (required, one time)
meridian setupThis adds the Meridian plugin to your OpenCode global config (~/.config/opencode/opencode.json). The plugin enables:
- Session tracking — reliable conversation continuity across requests
- Safe model defaults — Opus uses 1M context (included with Max subscription); Sonnet uses 200k to avoid Extra Usage charges (details)
- Subagent model selection — subagents automatically use
sonnet/opus(200k), preserving rate-limit budget
If the plugin is missing, Meridian warns at startup and reports "plugin": "not-configured" in the health endpoint.
Step 2: Start
ANTHROPIC_API_KEY=x ANTHROPIC_BASE_URL=http://127.0.0.1:3456 opencodeOr set these in your shell profile so they're always active:
export ANTHROPIC_API_KEY=x
export ANTHROPIC_BASE_URL=http://127.0.0.1:3456oh-my-opencagent (OMO)
oh-my-opencagent adds multi-agent orchestration on top of OpenCode. It works transparently through Meridian with no extra configuration — OMO uses the same OpenCode headers and tool format, so Meridian detects it automatically.
Meridian parses OMO's Task tool descriptions to extract subagent names (explore, code-review, etc.) and builds SDK AgentDefinitions so Claude can route to the correct agent. Internal orchestration markers (<!-- OMO_INTERNAL_INITIATOR -->, [SYSTEM DIRECTIVE: OH-MY-OPENCODE ...]) are stripped automatically to prevent context leakage.
OMO requires passthrough mode (the default for OpenCode) — subagent delegation flows through tool calls that must be forwarded back to the client.
Crush
Add a provider to ~/.config/crush/crush.json:
{
"providers": {
"meridian": {
"id": "meridian",
"name": "Meridian",
"type": "anthropic",
"base_url": "http://127.0.0.1:3456",
"api_key": "dummy",
"models": [
{ "id": "claude-opus-4-8", "name": "Claude Opus 4.8 (1M)", "context_window": 1000000, "default_max_tokens": 32768, "can_reason": true, "supports_attachments": true },
{ "id": "claude-opus-4-7", "name": "Claude Opus 4.7 (1M)", "context_window": 1000000, "default_max_tokens": 32768, "can_reason": true, "supports_attachments": true },
{ "id": "claude-sonnet-4-6", "name": "Claude Sonnet 4.6 (1M)", "context_window": 1000000, "default_max_tokens": 64000, "can_reason": true, "supports_attachments": true },
{ "id": "claude-opus-4-6", "name": "Claude Opus 4.6 (1M)", "context_window": 1000000, "default_max_tokens": 32768, "can_reason": true, "supports_attachments": true },
{ "id": "claude-haiku-4-5-20251001", "name": "Claude Haiku 4.5", "context_window": 200000, "default_max_tokens": 16384, "can_reason": true, "supports_attachments": true }
]
}
}
}crush run --model meridian/claude-sonnet-4-6 "refactor this function"
crush --model meridian/claude-opus-4-6 # interactive TUICrush is automatically detected from its Charm-Crush/ User-Agent — no plugin needed.
Droid (Factory AI)
Add Meridian as a custom model provider in ~/.factory/settings.json:
{
"customModels": [
{ "model": "claude-opus-4-8", "name": "Opus 4.8 (Meridian)", "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
{ "model": "claude-opus-4-7", "name": "Opus 4.7 (Meridian)", "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
{ "model": "claude-sonnet-4-6", "name": "Sonnet 4.6 (Meridian)", "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
{ "model": "claude-opus-4-6", "name": "Opus 4.6 (Meridian)", "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" },
{ "model": "claude-haiku-4-5-20251001", "name": "Haiku 4.5 (Meridian)", "provider": "anthropic", "baseUrl": "http://127.0.0.1:3456", "apiKey": "x" }
]
}Then pick any custom:claude-* model in the Droid TUI. No plugin needed — Droid is automatically detected.
Cline
1. Authenticate:
cline auth --provider anthropic --apikey "dummy" --modelid "claude-sonnet-4-6"2. Set the proxy URL in ~/.cline/data/globalState.json:
{
"anthropicBaseUrl": "http://127.0.0.1:3456",
"actModeApiProvider": "anthropic",
"actModeApiModelId": "claude-sonnet-4-6"
}3. Run:
cline --yolo "refactor the login function"No plugin needed — Cline uses the standard Anthropic SDK.
Aider
ANTHROPIC_API_KEY=x ANTHROPIC_BASE_URL=http://127.0.0.1:3456 \
aider --model anthropic/claude-sonnet-4-6Note:
--no-streamis incompatible due to a litellm parsing issue — use the default streaming mode.
OpenAI-compatible tools (Open WebUI, Continue, etc.)
Meridian speaks the OpenAI protocol natively — no LiteLLM or translation proxy needed.
POST /v1/chat/completions — accepts OpenAI chat format, returns OpenAI completion format (streaming and non-streaming)
image_urlparts are supported when provided as data URLs (data:image/...;base64,...)- multimodal tool flows where a tool returns
tool_result.content = [text, image]are preserved through the structured multimodal path instead of being flattened to text
GET /v1/models — returns available Claude models in OpenAI format
Point any OpenAI-compatible tool at http://127.0.0.1:3456 with any API key value:
# Open WebUI: set OpenAI API base to http://127.0.0.1:3456, API key to any value
# Continue: set apiBase to http://127.0.0.1:3456 with provider: openai
# Any OpenAI SDK: set base_url="http://127.0.0.1:3456", api_key="dummy"Note: Multi-turn conversations work by packing prior turns into the system prompt. Each request is a fresh SDK session — OpenAI clients replay full history themselves and don't use Meridian's session resumption.
Cherry Studio
Cherry Studio is a desktop chat client. Point it at Meridian by setting the Anthropic API base URL to http://127.0.0.1:3456 (any API key value works).
Because Cherry Studio is a chat client rather than a coding agent, select the cherry adapter so Claude's built-in web search is available (coding-agent adapters block it in favour of their own):
MERIDIAN_DEFAULT_AGENT=cherry meridianThe cherry adapter runs in internal mode: Claude executes WebSearch/WebFetch itself and Meridian returns the grounded answer — the internal tool calls are hidden from the client. This resolves the "no WebSearch/WebFetch tool exposed" error (#481).
Cherry Studio doesn't send a Meridian-specific header, so set
MERIDIAN_DEFAULT_AGENT=cherryon a Meridian dedicated to it, or sendx-meridian-agent: cherryif your setup allows custom headers.
ForgeCode
Add a custom provider to ~/forge/.forge.toml:
[[providers]]
id = "meridian"
url = "http://127.0.0.1:3456/v1/messages"
models = "http://127.0.0.1:3456/v1/models"
api_key_vars = "MERIDIAN_FORGE_KEY"
response_type = "Anthropic"
auth_methods = ["api_key"]
[session]
provider_id = "meridian"
model_id = "claude-opus-4-6"Set the API key env var. Any value works unless you've enabled authentication with MERIDIAN_API_KEY, in which case use your auth key here:
export MERIDIAN_FORGE_KEY=xThen log in and select the model:
forge provider login meridian # enter any value when prompted
forge config set provider meridian --model claude-opus-4-6Start Meridian with the ForgeCode adapter:
MERIDIAN_DEFAULT_AGENT=forgecode meridianForgeCode uses reqwest's default User-Agent, so automatic detection isn't possible. The MERIDIAN_DEFAULT_AGENT env var tells Meridian to use the ForgeCode adapter for all unrecognized requests. If you run other agents alongside ForgeCode, use the x-meridian-agent: forgecode header instead (add [providers.headers] to your .forge.toml).
Pi
Pi uses the @mariozechner/pi-ai library which supports a configurable baseUrl on the model. Add a provider-level override in ~/.pi/agent/models.json:
{
"providers": {
"anthropic": {
"baseUrl": "http://127.0.0.1:3456",
"apiKey": "x",
"headers": {
"x-meridian-agent": "pi"
}
}
}
}Pi mimics Claude Code's User-Agent, so automatic detection isn't possible. The x-meridian-agent: pi header in the config above tells Meridian to use the Pi adapter. Alternatively, if Pi is your only agent, you can set MERIDIAN_DEFAULT_AGENT=pi as an env var instead.
Pi runs in passthrough mode by default — it executes its own tools and Meridian just forwards the tool_use blocks. Opt out with MERIDIAN_PASSTHROUGH=0.
Claude Code
Claude Code can point at Meridian like any other Anthropic API client. The common use case is sharing a single Claude Max subscription from one host across other machines on your network — run Meridian on the box that is logged into Claude Max, then run Claude Code anywhere else against it.
# On another machine (or the same one)
ANTHROPIC_AUTH_TOKEN=x ANTHROPIC_BASE_URL=http://meridian-host:3456 claudeNote: Use
ANTHROPIC_AUTH_TOKEN(orANTHROPIC_API_KEY) — Claude Code treats both as bearer credentials. Set the value to yourMERIDIAN_API_KEYif you've enabled authentication, otherwise any string works.
⚠️ Security for multi-machine setups. If you expose Meridian beyond loopback (e.g. bind to
0.0.0.0or a LAN IP), setMERIDIAN_API_KEYto a strong secret and require it on clients. An unprotected network-accessible proxy is a Claude Max credential leak — anyone who can reach the port can burn your subscription.
Claude Code is detected automatically via its claude-cli/* User-Agent.
Requests flow through the Claude Code adapter which:
- Parses the client's real working directory from its
Primary working directory:system-prompt line so Claude answers path-related questions with your local path, not the proxy host's. - Leaves the SDK subprocess cwd on the proxy host (Claude Code's local paths don't exist there).
- Runs in passthrough mode by default — Claude Code executes its own tools on the machine it runs on; Meridian just forwards tool_use blocks.
Adapter instances
Run several configurations of the same adapter side by side — e.g. a passthrough variant with thinking enabled and one without, or a dedicated config for a specific client. Define instances in ~/.config/meridian/adapter-instances.json (or the MERIDIAN_ADAPTER_INSTANCES env var as a JSON string):
{
"oc-thinky": { "base": "opencode", "features": { "thinking": "enabled" } },
"lite-plain": { "base": "passthrough", "passthrough": true,
"match": { "userAgentPrefix": "litellm/" } },
"team-webui": { "base": "opencode", "features": { "codeSystemPrompt": false },
"match": { "header": { "x-team": "alpha" } } }
}base— which built-in adapter provides the behavior (tool handling, session tracking, transforms). Existing plugins and transforms scoped to the base adapter apply to its instances automatically.features— per-instance overrides of the SDK feature toggles (thinking, system prompts, memory, ...) layered over the base's settings. Same keys as the settings UI.passthrough— per-instance passthrough mode, overriding the adapter default andMERIDIAN_PASSTHROUGH.match— optional automatic selection: exact header values and/or a User-Agent prefix. Match rules outrank built-in User-Agent detection (that's their purpose). Withoutmatch, select the instance per request withx-meridian-agent: <instance-name>.
Built-in adapter names are reserved and can't be shadowed. With no instances configured, detection is exactly the built-in chain. Config file changes apply within ~5s, no restart needed.
Any Anthropic-compatible tool
export ANTHROPIC_API_KEY=x
export ANTHROPIC_BASE_URL=http://127.0.0.1:3456Tested Agents
| Agent | Status | Notes |
|-------|--------|-------|
| OpenCode | ✅ Verified | Requires meridian setup — full tool support, session resume, streaming, subagents |
| ForgeCode | ✅ Verified | Provider config (see above) — passthrough tool execution, session resume, streaming |
| Droid (Factory AI) | ✅ Verified | BYOK config (see above) — full tool support, session resume, streaming |
| Crush | ✅ Verified | Provider config (see above) — full tool support, session resume, headless crush run |
| Cline | ✅ Verified | Config (see above) — full tool support, file read/write/edit, bash, session resume |
| Aider | ✅ Verified | Env vars — file editing, streaming; --no-stream broken (litellm bug) |
| Open WebUI | ✅ Verified | OpenAI-compatible endpoints — set base URL to http://127.0.0.1:3456 |
| Pi | ✅ Verified | models.json config (see above) — full tool support via passthrough; detected via x-meridian-agent: pi header |
| Claude Code | ✅ Verified | ANTHROPIC_BASE_URL — remote clients share a Max subscription over the network; client CWD preserved in system prompt |
| Continue | 🔲 Untested | OpenAI-compatible endpoints should work — set apiBase to http://127.0.0.1:3456 |
Tested an agent or built a plugin? Open an issue and we'll add it.
Architecture
src/proxy/
├── server.ts ← HTTP orchestration (routes, SSE streaming, concurrency)
├── adapter.ts ← AgentAdapter interface
├── adapters/
│ ├── detect.ts ← Agent detection from request headers
│ ├── opencode.ts ← OpenCode adapter
│ ├── forgecode.ts ← ForgeCode adapter
│ ├── crush.ts ← Crush adapter
│ ├── droid.ts ← Droid adapter
│ ├── pi.ts ← Pi adapter
│ └── passthrough.ts ← LiteLLM passthrough adapter
├── query.ts ← SDK query options builder
├── errors.ts ← Error classification
├── models.ts ← Model mapping (sonnet/opus/haiku, agentMode)
├── tokenRefresh.ts ← Cross-platform OAuth token refresh
├── openai.ts ← OpenAI ↔ Anthropic format translation (pure)
├── setup.ts ← OpenCode plugin configuration
├── session/
│ ├── lineage.ts ← Per-message hashing, mutation classification (pure)
│ ├── fingerprint.ts ← Conversation fingerprinting
│ └── cache.ts ← LRU session caches
├── profiles.ts ← Multi-profile: resolve, list, switch auth contexts
├── profileCli.ts ← CLI commands for profile management
├── sessionStore.ts ← Cross-proxy file-based session persistence
└── passthroughTools.ts ← Tool forwarding mode
telemetry/
├── ...
├── profileBar.ts ← Shared profile switcher bar
└── profilePage.ts ← Profile management page
plugin/
└── meridian.ts ← OpenCode plugin (session headers + agent mode)Session Management
Every incoming request is classified:
| Classification | What Happened | Action | |---------------|---------------|--------| | Continuation | New messages appended | Resume SDK session | | Compaction | Agent summarized old messages | Resume (suffix preserved) | | Undo | User rolled back messages | Fork at rollback point | | Diverged | Completely different conversation | Start fresh |
Sessions are stored in-memory (LRU) and persisted to ~/.cache/meridian/sessions.json for cross-proxy resume.
Agent Detection
Agents are identified from request headers automatically:
| Signal | Adapter |
|---|---|
| x-meridian-agent header | Explicit override (any adapter) |
| x-opencode-session or x-session-affinity header | OpenCode |
| opencode/ User-Agent | OpenCode |
| factory-cli/ User-Agent | Droid |
| Charm-Crush/ User-Agent | Crush |
| litellm/ UA or x-litellm-* headers | LiteLLM passthrough |
| (anything else) | MERIDIAN_DEFAULT_AGENT env var, or OpenCode |
Adding a New Agent
Implement the AgentAdapter interface in src/proxy/adapters/. See adapters/opencode.ts for a reference.
API Key Authentication
By default, Meridian binds to 127.0.0.1 and requires no authentication — anyone on localhost can use it. If you expose Meridian over a network (Tailscale, LAN, Docker with port mapping), you can enable API key authentication to prevent unauthorized access.
MERIDIAN_API_KEY=your-secret-key meridianWhen set:
- All API routes (
/v1/messages,/v1/chat/completions, etc.) and admin routes (/telemetry,/metrics,/profiles) require a matching key /and/healthremain open (monitoring tools need unauthenticated health checks)- Keys are accepted via
x-api-keyheader orAuthorization: Bearerheader
Clients just set their ANTHROPIC_API_KEY to the shared secret — since most tools already send this header, no workflow changes are needed:
ANTHROPIC_API_KEY=your-secret-key ANTHROPIC_BASE_URL=http://meridian-host:3456 opencodeConfiguration
| Variable | Alias | Default | Description |
|----------|-------|---------|-------------|
| MERIDIAN_API_KEY | — | unset | Shared secret for API key authentication. When set, all API and admin routes require a matching x-api-key or Authorization: Bearer header. / and /health remain open. |
| MERIDIAN_PORT | CLAUDE_PROXY_PORT | 3456 | Port to listen on |
| MERIDIAN_HOST | CLAUDE_PROXY_HOST | 127.0.0.1 | Host to bind to |
| MERIDIAN_PASSTHROUGH | CLAUDE_PROXY_PASSTHROUGH | unset | Forward tool calls to client instead of executing |
| MERIDIAN_MAX_CONCURRENT | CLAUDE_PROXY_MAX_CONCURRENT | 10 | Maximum concurrent SDK sessions |
| MERIDIAN_MAX_SESSIONS | CLAUDE_PROXY_MAX_SESSIONS | 1000 | In-memory LRU session cache size |
| MERIDIAN_MAX_STORED_SESSIONS | CLAUDE_PROXY_MAX_STORED_SESSIONS | 10000 | File-based session store capacity |
| MERIDIAN_WORKDIR | CLAUDE_PROXY_WORKDIR | cwd() | Default working directory for SDK |
| MERIDIAN_IDLE_TIMEOUT_SECONDS | CLAUDE_PROXY_IDLE_TIMEOUT_SECONDS | 120 | HTTP keep-alive timeout |
| MERIDIAN_TELEMETRY_SIZE | CLAUDE_PROXY_TELEMETRY_SIZE | 1000 | Telemetry ring buffer size |
| MERIDIAN_NO_FILE_CHANGES | CLAUDE_PROXY_NO_FILE_CHANGES | unset | Disable "Files changed" summary in responses |
| MERIDIAN_SONNET_MODEL | CLAUDE_PROXY_SONNET_MODEL | sonnet | Sonnet context tier: sonnet (200k, default) or sonnet[1m] (1M, requires Extra Usage†) |
| MERIDIAN_1M_CONTEXT_SUPPORT | CLAUDE_PROXY_1M_CONTEXT_SUPPORT | unset | Set to 0/false/no to disable 1M context entirely — every model resolves to its 200k base variant, so Meridian never requests the extended window (avoids Extra Usage on 1M). |
| MERIDIAN_DEFAULT_AGENT | — | opencode | Default adapter for unrecognized agents: opencode, forgecode, pi, crush, droid, passthrough. Requires restart. |
| MERIDIAN_PROFILES | — | unset | JSON array of profile configs (overrides disk discovery). See Multi-Profile Support. |
| MERIDIAN_DEFER_TOOL_THRESHOLD | — | 15 | Number of tools before non-core tools are deferred via ToolSearch. Set to 0 to disable. |
| MERIDIAN_TELEMETRY_PERSIST | — | unset | Enable SQLite telemetry persistence. Data survives proxy restarts. |
| MERIDIAN_TELEMETRY_DB | — | ~/.config/meridian/telemetry.db | SQLite database path (when persistence is enabled) |
| MERIDIAN_TELEMETRY_RETENTION_DAYS | — | 7 | Days to retain telemetry data before cleanup |
| MERIDIAN_DEFAULT_PROFILE | — | (first profile) | Default profile ID when no header is sent |
†Sonnet 1M requires Extra Usage on all plans including Max (docs). Opus 1M is included with Max/Team/Enterprise at no extra cost.
Endpoints
| Endpoint | Description |
|----------|-------------|
| GET / | Landing page |
| POST /v1/messages | Anthropic Messages API |
| POST /messages | Alias for /v1/messages |
| POST /v1/chat/completions | OpenAI-compatible chat completions |
| GET /v1/models | OpenAI-compatible model list |
| GET /health | Auth status, mode, plugin status |
| POST /auth/refresh | Manually refresh the OAuth token |
| GET /telemetry | Performance dashboard |
| GET /telemetry/requests | Recent request metrics (JSON) |
| GET /telemetry/summary | Aggregate statistics (JSON) |
| GET /telemetry/logs | Diagnostic logs (JSON) |
| GET /metrics | Prometheus exposition format metrics |
| GET /profiles | Profile management page |
| GET /profiles/list | List profiles with auth status (JSON) |
| POST /profiles/active | Switch the active profile |
Health response example:
{
"status": "healthy",
"version": "1.34.1",
"auth": { "loggedIn": true, "email": "[email protected]", "subscriptionType": "max" },
"mode": "internal",
"plugin": { "opencode": "configured" }
}plugin.opencode is "configured" when meridian setup has been run, "not-configured" otherwise.
Plugins
Extend Meridian's behavior with composable plugins — no core modifications needed.
Quick start: Drop a .ts or .js file in ~/.config/meridian/plugins/ and restart.
// ~/.config/meridian/plugins/my-plugin.ts
export default {
name: "my-plugin",
onRequest(ctx) {
// modify request context
return { ...ctx, systemContext: ctx.systemContext + "\nBe concise." }
},
}- Manage plugins at
http://localhost:3456/plugins - Reload without restart:
POST /plugins/reload - Full guide: See PLUGINS.md
Official plugins
Content-scoped scrubbers maintained alongside Meridian. Core stays a clean proxy — anything that rewrites client prompt content ships as one of these opt-in plugins instead:
| Plugin | What it does |
|--------|--------------|
| @rynfar/meridian-plugin-hermes-scrub | Strips Hermes Agent's # Finishing the job harness block from the system prompt. Fixes empty-stream responses when proxying Hermes, and avoids its coding-harness fingerprint. |
| @rynfar/meridian-plugin-pi-scrub | Strips Pi's coding-agent-harness prompt line that Anthropic meters as Extra Usage. |
| @rynfar/meridian-plugin-opencode-scrub | Strips OpenCode harness boilerplate from the system prompt before it reaches Claude. |
Install into Meridian's config dir and register the built file in
~/.config/meridian/plugins.json:
cd ~/.config/meridian
npm install @rynfar/meridian-plugin-hermes-scrub{
"plugins": [
{ "path": "/Users/you/.config/meridian/node_modules/@rynfar/meridian-plugin-hermes-scrub/dist/index.js", "enabled": true }
]
}Paths must be absolute — the loader does not expand ~.
CLI Commands
| Command | Description |
|---------|-------------|
| meridian | Start the proxy server |
| meridian setup | Configure the OpenCode plugin in ~/.config/opencode/opencode.json |
| meridian profile add <name> [--headless] | Add a profile and authenticate via Claude OAuth; --headless prints a URL, prompts for the returned code, and stores the exchanged credentials |
| meridian profile add <name> --oauth-token [TOKEN] | Add a headless profile from a claude setup-token value (prompts when TOKEN is omitted) |
| meridian profile list | List all profiles and their auth status |
| meridian profile switch <name> | Switch the active profile (requires running proxy) |
| meridian profile login <name> [--headless] | Re-authenticate an expired profile (browser-login profiles only); --headless uses the URL/code flow |
| meridian profile remove <name> | Remove a profile and its credentials |
| meridian refresh-token | Manually refresh the Claude OAuth token (exits 0/1) |
Programmatic API
import { startProxyServer } from "@rynfar/meridian"
const instance = await startProxyServer({
port: 3456,
host: "127.0.0.1",
silent: true,
})
// instance.server — underlying http.Server
await instance.close()Docker
Claude Code authentication requires a browser, which isn't available inside containers. Authenticate on your local machine first, then mount the credentials into Docker.
Single account
# 1. Authenticate locally (one time)
claude login
# 2. Run with mounted credentials
docker run -v ~/.claude:/home/claude/.claude -p 3456:3456 meridianMeridian refreshes OAuth tokens automatically — once the credentials are mounted, no further browser access is needed.
Multiple profiles in Docker
Authenticate each profile locally, then pass them to Docker via the MERIDIAN_PROFILES environment variable:
# 1. Authenticate each account locally
meridian profile add personal
meridian profile add work # sign out of claude.ai first, sign into work account
# 2. Run Docker with profile configs pointing to mounted credential directories
docker run \
-v ~/.config/meridian/profiles/personal:/profiles/personal \
-v ~/.config/meridian/profiles/work:/profiles/work \
-e 'MERIDIAN_PROFILES=[{"id":"personal","claudeConfigDir":"/profiles/personal"},{"id":"work","claudeConfigDir":"/profiles/work"}]' \
-e MERIDIAN_DEFAULT_PROFILE=personal \
-p 3456:3456 meridianSwitch profiles at runtime via the x-meridian-profile header or meridian profile switch (see Multi-Profile Support).
OAuth-token profiles in Docker (no volume mount)
If you'd rather not mount a credential directory, generate a long-lived OAuth token on the host with claude setup-token and pass it as a profile. There's nothing to mount — the token alone is the credential:
docker run \
-e 'MERIDIAN_PROFILES=[{"id":"ci","oauthToken":"sk-ant-oat01-..."}]' \
-e MERIDIAN_DEFAULT_PROFILE=ci \
-p 3456:3456 meridianThis is the recommended path for CI runners, ephemeral containers, and cross-host deployments where browser-based login isn't reachable. Treat the token like any other secret — inject it via your platform's secret store rather than committing it to your image or compose file.
Testing
npm test # unit + integration tests
npm run build # build with bun + tsc| Tier | What | Speed |
|------|------|-------|
| Unit | Pure functions, no mocks | Fast |
| Integration | HTTP layer with mocked SDK | Fast |
| E2E | Real proxy + real Claude Max (E2E.md) | Manual |
FAQ
Is this allowed by Anthropic's terms? Meridian uses the official Claude Code SDK — the same SDK Anthropic publishes and documents for programmatic access. It does not intercept credentials, modify binaries, or bypass any authentication. All requests flow through the SDK's own authentication and rate-limiting mechanisms.
How is this different from using an API key? API keys provide direct API access billed per token. Claude Max includes programmatic access through the Claude Code SDK. Meridian translates SDK responses into the standard Anthropic API format, allowing compatible tools to connect through Claude Code.
What happens if my OAuth token expires?
Tokens expire roughly every 8 hours. Meridian detects the expiry, refreshes the token automatically, and retries the request — so requests continue transparently. If the refresh fails (e.g. the refresh token has expired after weeks of inactivity), Meridian returns a clear error telling you to run claude login.
Can I trigger a token refresh manually?
# CLI — works whether the proxy is running or not
meridian refresh-token
# HTTP — while the proxy is running
curl -X POST http://127.0.0.1:3456/auth/refreshI'm getting 400 You're out of extra usage only when tools are present. What do I do?
First confirm the failure pattern: a tiny no-tool request succeeds, but the same client fails once it sends tool definitions. If that is the case, beta-header stripping and model fallback usually will not help because the request body still contains agentic tool context.
For the affected adapter, try disabling the connecting client's system prompt while keeping the Claude Code prompt enabled:
curl -X PATCH http://127.0.0.1:3456/settings/api/features/pi \
-H 'Content-Type: application/json' \
-d '{"clientSystemPrompt":false,"codeSystemPrompt":true}'Replace pi with the adapter you use (opencode, crush, forgecode, droid, passthrough, or openai). You can make the same change in the /settings UI under SDK Feature Toggles. (The openai adapter — used by the /v1/chat/completions endpoint — already defaults codeSystemPrompt to off, so on that one you typically only need clientSystemPrompt:false.)
This keeps the SDK's preset prompt and tool bridge, but removes the external client's large agent prompt from the request. That may help when the error is triggered by the combination of tool definitions plus client prompt context. The tradeoff is that the connected agent may behave more like vanilla Claude Code because its own persona and workflow instructions are no longer included. If it still fails, the remaining options are to use fewer/no tools for that client, enable Extra Usage/API billing, or switch to a local/provider-backed model for that workflow. See #516 for the current debugging thread.
I'm hitting rate limits on 1M context. What do I do?
Meridian defaults Sonnet to 200k context because Sonnet 1M is always billed as Extra Usage on Max plans — even when regular usage isn't exhausted. This is Anthropic's intended billing model, not a bug. Set MERIDIAN_SONNET_MODEL=sonnet[1m] to opt in if you have Extra Usage enabled and understand the billing implications. Opus defaults to 1M context, which is included with Max/Team/Enterprise subscriptions at no extra cost. Note: there is a known upstream bug where Claude Code incorrectly gates Opus 1M behind Extra Usage on Max — this is Anthropic's to fix.
To turn off 1M context entirely for every model (so Meridian never requests the extended window), set MERIDIAN_1M_CONTEXT_SUPPORT=0. Meridian also auto-detects the "out of extra usage" error, falls back to the 200k model, and skips 1M for an hour — so it self-heals after the first occurrence even without the env var.
Why does the health endpoint show "plugin": "not-configured"?
You haven't run meridian setup. Without the plugin, OpenCode requests won't have session tracking or subagent model selection. Run meridian setup and restart OpenCode.
Contributing
Issues and PRs welcome. Join the Discord to discuss ideas before opening issues. See ARCHITECTURE.md for module structure and dependency rules, CLAUDE.md for coding guidelines, E2E.md for end-to-end test procedures, and MONITORING.md for understanding token usage and prompt cache health.
License
MIT
