From f6877a300725a436856ad09d5c6633e7695c6c41 Mon Sep 17 00:00:00 2001
From: Sabir Foxx <sabirhfoux@gmail.com>
Date: Tue, 5 May 2026 21:48:02 -0400
Subject: [PATCH] Add Claude subscription OAuth provider

Add an optional third LLM provider for the admin and onscreen agents
that authenticates with Anthropic via the user's Claude subscription
instead of an API key. The browser owns the connect flow and a
reusable settings-dialog block; the server owns the OAuth state cache,
the encrypted token store under L2/<user>/meta/anthropic_oauth.json,
silent refresh, and a dedicated streaming completions endpoint that
translates between OpenAI chat-completions shape and Anthropic
Messages API shape so the existing browser fetch readers stay
unchanged.

- New `_core/anthropic_oauth/` browser module with a connect block,
  request hook, and per-surface extensions for the admin and onscreen
  prepareXxxApiRequest seams. Subscription mode redirects API-mode
  requests to /api/anthropic_subscription_completions and strips the
  Authorization header so the bearer token never reaches the browser.
- Five new server endpoints: oauth_anthropic_authorize, _callback (GET
  for redirect mode + POST for paste mode), _status, _disconnect, and
  anthropic_subscription_completions. Tokens are sealed with
  AES-256-GCM using a sub-key derived from the existing password seal
  key; refresh tokens are auto-rotated 60s before access-token expiry
  and on upstream 401.
- Provider enums extended with `subscription` for both admin and
  onscreen agents; existing api/local paths and validation are
  untouched. The settings dialog gains a third segmented tab with a
  curated Claude model dropdown (Opus 4.7, Sonnet 4.6, Haiku 4.5),
  hides the params field for subscription mode (Anthropic's
  subscription tier rejects user-supplied temperature on newer
  models), and embeds the connect block.
- Default flow mode is the manual code-paste flow because the public
  Claude Code OAuth client does not allowlist arbitrary localhost
  callbacks. Redirect mode is opt-in via ANTHROPIC_OAUTH_FLOW_MODE for
  deployments that ship their own registered Anthropic OAuth client.
- Six new runtime params (ANTHROPIC_OAUTH_ALLOWED, _CLIENT_ID,
  _AUTHORIZE_URL, _TOKEN_URL, _REDIRECT_URI, _FLOW_MODE,
  ANTHROPIC_API_BASE_URL) with safe public defaults so the feature
  works out of the box; existing user secret model is reused.
- meta/anthropic_oauth.json added to the L2 git-history ignore list so
  refresh-token rotation does not churn local-history commits.
- Shared visual primitive .field now styles `select` consistently with
  `input` and `textarea` so future dialog selects match without
  per-feature CSS.
- Documentation updated across AGENTS.md (root, app, server/api,
  server/lib/auth, admin/views/agent, onscreen_agent, visual) plus a
  new anthropic_oauth/AGENTS.md for the module contract. Ten focused
  unit tests cover endpoint defaults, runtime-param overrides, PKCE
  authorize URL composition, both flow modes, and the sealed-record
  status round trip.
---
 AGENTS.md                                     |   3 +-
 app/AGENTS.md                                 |   2 +
 .../mod/_core/admin/views/agent/AGENTS.md     |   6 +-
 .../_all/mod/_core/admin/views/agent/api.js   |  15 +-
 .../mod/_core/admin/views/agent/config.js     |  13 +-
 .../mod/_core/admin/views/agent/panel.html    |  31 +-
 .../_all/mod/_core/admin/views/agent/store.js |  54 ++
 .../_all/mod/_core/anthropic_oauth/AGENTS.md  |  45 ++
 .../_core/anthropic_oauth/anthropic-oauth.css | 138 ++++
 .../_all/mod/_core/anthropic_oauth/client.js  |  71 ++
 .../_core/anthropic_oauth/connect-block.html  | 115 +++
 .../_core/anthropic_oauth/connect-block.js    | 332 +++++++++
 .../end/anthropic-subscription.js             |  19 +
 .../end/anthropic-subscription.js             |  19 +
 .../_all/mod/_core/anthropic_oauth/request.js | 104 +++
 .../_all/mod/_core/onscreen_agent/AGENTS.md   |   3 +-
 app/L0/_all/mod/_core/onscreen_agent/api.js   |  15 +-
 .../_all/mod/_core/onscreen_agent/config.js   |  13 +-
 .../_all/mod/_core/onscreen_agent/panel.html  |  31 +-
 app/L0/_all/mod/_core/onscreen_agent/store.js |  54 ++
 app/L0/_all/mod/_core/visual/AGENTS.md        |   1 +
 app/L0/_all/mod/_core/visual/forms/dialog.css |  32 +-
 commands/params.yaml                          |  42 ++
 server/api/AGENTS.md                          |  20 +
 .../api/anthropic_subscription_completions.js | 473 +++++++++++++
 server/api/oauth_anthropic_authorize.js       |  91 +++
 server/api/oauth_anthropic_callback.js        | 234 ++++++
 server/api/oauth_anthropic_disconnect.js      |  46 ++
 server/api/oauth_anthropic_status.js          |  60 ++
 server/lib/auth/AGENTS.md                     |   4 +-
 server/lib/auth/anthropic_oauth.js            | 667 ++++++++++++++++++
 server/lib/auth/service.js                    |  41 +-
 server/lib/customware/git_history.js          |   3 +-
 server/runtime/state_areas.js                 |   2 +
 tests/anthropic_oauth_test.mjs                | 211 ++++++
 35 files changed, 2978 insertions(+), 32 deletions(-)
 create mode 100644 app/L0/_all/mod/_core/anthropic_oauth/AGENTS.md
 create mode 100644 app/L0/_all/mod/_core/anthropic_oauth/anthropic-oauth.css
 create mode 100644 app/L0/_all/mod/_core/anthropic_oauth/client.js
 create mode 100644 app/L0/_all/mod/_core/anthropic_oauth/connect-block.html
 create mode 100644 app/L0/_all/mod/_core/anthropic_oauth/connect-block.js
 create mode 100644 app/L0/_all/mod/_core/anthropic_oauth/ext/js/_core/admin/views/agent/api.js/prepareAdminAgentApiRequest/end/anthropic-subscription.js
 create mode 100644 app/L0/_all/mod/_core/anthropic_oauth/ext/js/_core/onscreen_agent/api.js/prepareOnscreenAgentApiRequest/end/anthropic-subscription.js
 create mode 100644 app/L0/_all/mod/_core/anthropic_oauth/request.js
 create mode 100644 server/api/anthropic_subscription_completions.js
 create mode 100644 server/api/oauth_anthropic_authorize.js
 create mode 100644 server/api/oauth_anthropic_callback.js
 create mode 100644 server/api/oauth_anthropic_disconnect.js
 create mode 100644 server/api/oauth_anthropic_status.js
 create mode 100644 server/lib/auth/anthropic_oauth.js
 create mode 100644 tests/anthropic_oauth_test.mjs

diff --git a/AGENTS.md b/AGENTS.md
index b7870f82..2b1fd3fd 100644
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -83,6 +83,7 @@ App docs:
 - `/app/L0/_all/mod/_core/agent/AGENTS.md`
 - `/app/L0/_all/mod/_core/agent-chat/AGENTS.md`
 - `/app/L0/_all/mod/_core/agent_prompt/AGENTS.md`
+- `/app/L0/_all/mod/_core/anthropic_oauth/AGENTS.md`
 - `/app/L0/_all/mod/_core/dashboard/AGENTS.md`
 - `/app/L0/_all/mod/_core/dashboard_welcome/AGENTS.md`
 - `/app/L0/_all/mod/_core/documentation/AGENTS.md`
@@ -197,7 +198,7 @@ Project concepts:
 - when `CUSTOMWARE_GIT_HISTORY` is enabled, writable `L1/<group>/` and `L2/<user>/` roots are treated as optional per-owner local Git repositories with adaptive-debounced server-side commits and rollback APIs
 - `USER_FOLDER_SIZE_LIMIT_BYTES` optionally caps each `L2/<user>/` folder on disk; app-file mutations are checked against a cached per-user size total and only size-reducing mutations are allowed once a user folder is already over the limit
 - runtime file discovery is backed by sharded `file_index` state; startup indexes `L0`, `L1`, and layer roots, auth first touch loads only the target user's auth files, and full `L2/<user>` shards are loaded only on demand for file/module access or active mutations rather than preloaded just because their folders exist on disk
-- runtime parameters are defined in `commands/params.yaml`; `node space serve` resolves them in this order: launch arguments, stored `.env` params written by `node space set`, then process environment variables, then schema defaults; `node space supervise` accepts the same runtime parameters, owns the public `HOST` and `PORT`, requires `CUSTOMWARE_PATH`, enables source auto-update by default, and passes the remaining resolved params to private `space serve` children; `WORKERS` controls clustered HTTP worker count for `serve` and `supervise`; `CUSTOMWARE_PATH` is the parent directory for writable backend `L1/` and `L2/` storage when configured and also hosts backend-owned cloud-share archives under `share/spaces/` when that feature is enabled; `CUSTOMWARE_WATCHDOG` defaults to `true` and controls live backend customware watching, config watching, and the periodic reconcile backstop without disabling L0/L1 startup indexing, on-demand L2 loading, or explicit clustered mutation sync; `GIT_BACKEND` defaults to `auto` and may force `native` or `isomorphic` for server-owned Git flows such as local history and Git-backed module operations; `LOGIN_ALLOWED` gates the password-login endpoints and login-shell form, `CLOUD_SHARE_ALLOWED` gates hosted cloud-share uploads, `CLOUD_SHARE_URL` tells browser clients which hosted share receiver to use, and page shells receive only `frontend_exposed` values as injected meta tags
+- runtime parameters are defined in `commands/params.yaml`; `node space serve` resolves them in this order: launch arguments, stored `.env` params written by `node space set`, then process environment variables, then schema defaults; `node space supervise` accepts the same runtime parameters, owns the public `HOST` and `PORT`, requires `CUSTOMWARE_PATH`, enables source auto-update by default, and passes the remaining resolved params to private `space serve` children; `WORKERS` controls clustered HTTP worker count for `serve` and `supervise`; `CUSTOMWARE_PATH` is the parent directory for writable backend `L1/` and `L2/` storage when configured and also hosts backend-owned cloud-share archives under `share/spaces/` when that feature is enabled; `CUSTOMWARE_WATCHDOG` defaults to `true` and controls live backend customware watching, config watching, and the periodic reconcile backstop without disabling L0/L1 startup indexing, on-demand L2 loading, or explicit clustered mutation sync; `GIT_BACKEND` defaults to `auto` and may force `native` or `isomorphic` for server-owned Git flows such as local history and Git-backed module operations; `LOGIN_ALLOWED` gates the password-login endpoints and login-shell form, `CLOUD_SHARE_ALLOWED` gates hosted cloud-share uploads, `CLOUD_SHARE_URL` tells browser clients which hosted share receiver to use, `ANTHROPIC_OAUTH_ALLOWED` gates the Claude subscription OAuth provider for the agent surfaces and `ANTHROPIC_OAUTH_CLIENT_ID`, `ANTHROPIC_OAUTH_AUTHORIZE_URL`, `ANTHROPIC_OAUTH_TOKEN_URL`, `ANTHROPIC_OAUTH_REDIRECT_URI`, `ANTHROPIC_OAUTH_FLOW_MODE`, and `ANTHROPIC_API_BASE_URL` configure that flow with sane public defaults that work without a per-deployment Anthropic OAuth registration; `ANTHROPIC_OAUTH_FLOW_MODE` defaults to `auto` and selects a button-only redirect flow on `localhost` hosts and the manual code-paste flow elsewhere, and page shells receive only `frontend_exposed` values as injected meta tags
 - app file APIs use logical app-rooted paths such as `L2/alice/user.yaml` or `/app/L2/alice/user.yaml`, and supported endpoints may also accept `~` or `~/...` for the authenticated user's `L2/<username>/...`; those logical paths do not change when `CUSTOMWARE_PATH` relocates the writable backend roots
 - non-`/api` and non-`/mod` browser entry routes are served from `server/pages/`; `/login` and `/enter` are public and the protected page shells live behind the router-side session gate
 - detailed browser-runtime rules live in `/app/AGENTS.md`
diff --git a/app/AGENTS.md b/app/AGENTS.md
index 2930cdfe..8e9ef92f 100644
--- a/app/AGENTS.md
+++ b/app/AGENTS.md
@@ -53,6 +53,7 @@ Current module-local docs in the app tree:
 - `app/L0/_all/mod/_core/onscreen_agent/AGENTS.md`
 - `app/L0/_all/mod/_core/onscreen_menu/AGENTS.md`
 - `app/L0/_all/mod/_core/open_router/AGENTS.md`
+- `app/L0/_all/mod/_core/anthropic_oauth/AGENTS.md`
 - `app/L1/_all/mod/metrics/posthog/AGENTS.md`
 - `app/L0/_admin/mod/_core/overlay_agent/AGENTS.md`
 
@@ -133,6 +134,7 @@ Current major first-party modules under `app/L0/_all/mod/_core/`:
 - `onscreen_agent/`: floating routed overlay agent and the first-party user-facing chat runtime
 - `onscreen_menu/`: reserved routed shell header bar, Home shortcut to the empty default route, left and right shell-control seams, and `_core/onscreen_menu/items` dropdown action seam
 - `open_router/`: headless OpenRouter request-policy module that extends the admin and onscreen API transport seams instead of hardcoding provider-specific headers into the chat runtimes
+- `anthropic_oauth/`: optional Claude subscription LLM provider; small headless helper plus a reusable connect block embedded under a third tab in the admin and onscreen settings dialogs, plus the per-surface request hooks that redirect API-mode requests to the authenticated `/api/anthropic_subscription_completions` endpoint when the user opted into subscription mode
 - `web_browsing/`: browser-surface module that contributes a Browser dropdown action, mounts draggable, minimizable, resizable popup browser windows, and defines placement-generic `<x-browser>` elements that can also live inside widgets or other screen DOM; the same element uses an iframe fallback in browser sessions and a DOM-backed desktop `<webview>` in the packaged host, supports optional `controls="true"` address-bar chrome, registers every surface under a unique `browser-N` id exposed through the numeric-id `space.browser` runtime, includes in-app interception of `_blank` or `window.open(...)` requests back into new modals, persists only popup-window geometry across reloads, tracks direct surface focus for prompt-time browser content, and gates app-side browser diagnostics through a shared browser log level that defaults to `error`
 - `skillset/`: first-party shared skill packs plus browser helper scripts and shared browser-side skill discovery helpers used by the onscreen and admin agents
 - `webllm/`: unlisted routed browser-only WebLLM test surface with a module-local worker, vendored browser runtime, compact searchable prebuilt model loading, expert-only compiled custom model loading, and simple throughput reporting
diff --git a/app/L0/_all/mod/_core/admin/views/agent/AGENTS.md b/app/L0/_all/mod/_core/admin/views/agent/AGENTS.md
index 705608d2..77dda2d1 100644
--- a/app/L0/_all/mod/_core/admin/views/agent/AGENTS.md
+++ b/app/L0/_all/mod/_core/admin/views/agent/AGENTS.md
@@ -29,7 +29,7 @@ Current persistence paths:
 
 Current stored config fields are written in YAML as:
 
-- `llm_provider`
+- `llm_provider` (currently `api`, `subscription`, or `local`)
 - `local_provider`
 - `api_endpoint`
 - `api_key`
@@ -76,7 +76,9 @@ Prompt rules:
 
 Current behavior:
 
-- the LLM settings modal keeps one provider switch at the top with tabs named `API` and `Local`, and shows either the API settings fields or one `Local` section
+- the LLM settings modal keeps one provider switch at the top with three tabs named `API key`, `Claude subscription`, and `Local`, and shows the API settings fields, the subscription connect block, or the `Local` section based on the active tab
+- the `Claude subscription` tab is owned by `_core/anthropic_oauth/`; it mounts `connect-block.html` through `<x-component>` and shows a Claude model name input alongside it
+- when the active provider is `subscription`, `api.js` validation skips the `apiEndpoint` and `apiKey` checks and the `_core/anthropic_oauth/` request hook redirects the prepared fetch URL to the authenticated `/api/anthropic_subscription_completions` endpoint while stripping any `Authorization` header so the browser never sees the OAuth bearer token
 - the `Local` section only supports the Hugging Face browser runtime
 - the toolbar LLM settings button summarizes the current selection with the configured model name only; it does not prepend provider labels such as `API`, `Local`, or `Hugging Face`
 - the local section mounts the standalone Hugging Face config sidebar component through `<x-component>`, so the admin modal and the routed testing harness share the same component file instead of maintaining duplicated local-provider markup
diff --git a/app/L0/_all/mod/_core/admin/views/agent/api.js b/app/L0/_all/mod/_core/admin/views/agent/api.js
index e36a2f31..ef2ad1d9 100644
--- a/app/L0/_all/mod/_core/admin/views/agent/api.js
+++ b/app/L0/_all/mod/_core/admin/views/agent/api.js
@@ -457,12 +457,17 @@ export const prepareAdminAgentApiRequest = globalThis.space.extend(
 );
 
 async function streamAdminAgentApiCompletion({ promptContext, settings, systemPrompt, messages, onDelta, signal }) {
-  if (!settings.apiEndpoint.trim()) {
-    throw new Error("Set an API endpoint before sending a message.");
-  }
+  const provider = config.normalizeAdminChatLlmProvider(settings?.provider);
+  const isSubscription = provider === config.ADMIN_CHAT_LLM_PROVIDER.SUBSCRIPTION;
 
-  if (!settings.apiKey.trim()) {
-    throw new Error("Set an API key before sending a message.");
+  if (!isSubscription) {
+    if (!settings.apiEndpoint.trim()) {
+      throw new Error("Set an API endpoint before sending a message.");
+    }
+
+    if (!settings.apiKey.trim()) {
+      throw new Error("Set an API key before sending a message.");
+    }
   }
 
   if (!settings.model.trim()) {
diff --git a/app/L0/_all/mod/_core/admin/views/agent/config.js b/app/L0/_all/mod/_core/admin/views/agent/config.js
index 2a00ef4a..e413e89c 100644
--- a/app/L0/_all/mod/_core/admin/views/agent/config.js
+++ b/app/L0/_all/mod/_core/admin/views/agent/config.js
@@ -5,7 +5,8 @@ export const ADMIN_CHAT_HISTORY_PATH = "~/hist/admin-chat.json";
 export const DEFAULT_ADMIN_CHAT_MAX_TOKENS = 120_000;
 export const ADMIN_CHAT_LLM_PROVIDER = {
   API: "api",
-  LOCAL: "local"
+  LOCAL: "local",
+  SUBSCRIPTION: "subscription"
 };
 
 export const ADMIN_CHAT_LOCAL_PROVIDER = {
@@ -26,9 +27,13 @@ export const DEFAULT_ADMIN_CHAT_SETTINGS = {
 };
 
 export function normalizeAdminChatLlmProvider(value) {
-  return value === ADMIN_CHAT_LLM_PROVIDER.LOCAL
-    ? ADMIN_CHAT_LLM_PROVIDER.LOCAL
-    : ADMIN_CHAT_LLM_PROVIDER.API;
+  if (value === ADMIN_CHAT_LLM_PROVIDER.LOCAL) {
+    return ADMIN_CHAT_LLM_PROVIDER.LOCAL;
+  }
+  if (value === ADMIN_CHAT_LLM_PROVIDER.SUBSCRIPTION) {
+    return ADMIN_CHAT_LLM_PROVIDER.SUBSCRIPTION;
+  }
+  return ADMIN_CHAT_LLM_PROVIDER.API;
 }
 
 export function normalizeAdminChatLocalProvider(value) {
diff --git a/app/L0/_all/mod/_core/admin/views/agent/panel.html b/app/L0/_all/mod/_core/admin/views/agent/panel.html
index bf67faaa..ac7a26ed 100644
--- a/app/L0/_all/mod/_core/admin/views/agent/panel.html
+++ b/app/L0/_all/mod/_core/admin/views/agent/panel.html
@@ -3,7 +3,9 @@
     <link rel="stylesheet" href="/mod/_core/visual/index.css" />
     <link rel="stylesheet" href="/mod/_core/admin/views/agent/agent.css" />
     <link rel="stylesheet" href="/mod/_core/huggingface/huggingface.css" />
+    <link rel="stylesheet" href="/mod/_core/anthropic_oauth/anthropic-oauth.css" />
     <script type="module" src="/mod/_core/admin/views/agent/store.js"></script>
+    <script type="module" src="/mod/_core/anthropic_oauth/connect-block.js"></script>
   </head>
   <body>
     <div x-data class="admin-agent-root agent-thread-surface">
@@ -186,7 +188,15 @@ <h2>Provider and model configuration</h2>
                       :class="{ 'is-active': $store.adminAgent.isSettingsDraftUsingApiProvider }"
                       @click="$store.adminAgent.setSettingsProvider('api')"
                     >
-                      <span>API</span>
+                      <span>API key</span>
+                    </button>
+                    <button
+                      type="button"
+                      class="secondary-button dialog-segmented-button"
+                      :class="{ 'is-active': $store.adminAgent.isSettingsDraftUsingSubscriptionProvider }"
+                      @click="$store.adminAgent.setSettingsProvider('subscription')"
+                    >
+                      <span>Claude subscription</span>
                     </button>
                     <button
                       type="button"
@@ -211,6 +221,23 @@ <h2>Provider and model configuration</h2>
                       <input type="password" x-model="$store.adminAgent.settingsDraft.apiKey" />
                     </label>
                   </div>
+                  <div x-show="$store.adminAgent.isSettingsDraftUsingSubscriptionProvider" x-cloak class="admin-agent-subscription-settings">
+                    <label class="field">
+                      <span>Claude Model</span>
+                      <select
+                        :value="$store.adminAgent.subscriptionModelChoice"
+                        @change="$store.adminAgent.setSubscriptionModelChoice($event.target.value)"
+                      >
+                        <template x-for="entry in $store.adminAgent.subscriptionCuratedModels" :key="entry.value">
+                          <option :value="entry.value" x-text="entry.label"></option>
+                        </template>
+                      </select>
+                      <p class="field-note">
+                        Pick a Claude model. Anthropic resolves the alias to the latest dated release, so newer models work without a Space Agent update. Effort, thinking, and other Claude defaults are handled by the subscription.
+                      </p>
+                    </label>
+                    <x-component path="/mod/_core/anthropic_oauth/connect-block.html" mode="admin"></x-component>
+                  </div>
                   <div x-show="$store.adminAgent.isSettingsDraftUsingLocalProvider" x-cloak class="admin-agent-local-settings">
                     <div class="admin-agent-local-provider-panel">
                       <x-component path="/mod/_core/huggingface/config-sidebar.html" mode="admin"></x-component>
@@ -284,7 +311,7 @@ <h2>Provider and model configuration</h2>
                       System, history, and transient rebalance to 100% of <code>max tokens</code>. Single history message is a percentage of the history budget.
                     </p>
                   </div>
-                  <label class="field">
+                  <label class="field" x-show="!$store.adminAgent.isSettingsDraftUsingSubscriptionProvider" x-cloak>
                     <span>Params</span>
                     <textarea
                       rows="6"
diff --git a/app/L0/_all/mod/_core/admin/views/agent/store.js b/app/L0/_all/mod/_core/admin/views/agent/store.js
index 4aacf7b4..9402e5a5 100644
--- a/app/L0/_all/mod/_core/admin/views/agent/store.js
+++ b/app/L0/_all/mod/_core/admin/views/agent/store.js
@@ -4,6 +4,12 @@ import {
   installPromptItemAccess,
   rebalancePromptBudgetRatios
 } from "/mod/_core/agent_prompt/prompt-items.js";
+import {
+  ANTHROPIC_SUBSCRIPTION_CURATED_MODELS,
+  ANTHROPIC_SUBSCRIPTION_DEFAULT_MODEL,
+  isAnthropicSubscriptionCuratedModel,
+  normalizeSubscriptionModelId
+} from "/mod/_core/anthropic_oauth/request.js";
 import * as execution from "/mod/_core/admin/views/agent/execution.js";
 import * as llmParams from "/mod/_core/admin/views/agent/llm-params.js";
 import * as prompt from "/mod/_core/admin/views/agent/prompt.js";
@@ -484,6 +490,32 @@ const model = {
     return config.normalizeAdminChatLlmProvider(this.settingsDraft.provider) === config.ADMIN_CHAT_LLM_PROVIDER.LOCAL;
   },
 
+  get isSettingsDraftUsingSubscriptionProvider() {
+    return (
+      config.normalizeAdminChatLlmProvider(this.settingsDraft.provider) ===
+      config.ADMIN_CHAT_LLM_PROVIDER.SUBSCRIPTION
+    );
+  },
+
+  get isUsingSubscriptionProvider() {
+    return (
+      config.normalizeAdminChatLlmProvider(this.settings.provider) ===
+      config.ADMIN_CHAT_LLM_PROVIDER.SUBSCRIPTION
+    );
+  },
+
+  get subscriptionCuratedModels() {
+    return ANTHROPIC_SUBSCRIPTION_CURATED_MODELS.map((entry) => ({ ...entry }));
+  },
+
+  get subscriptionModelChoice() {
+    const normalized = normalizeSubscriptionModelId(this.settingsDraft.model);
+    if (!normalized || !isAnthropicSubscriptionCuratedModel(normalized)) {
+      return ANTHROPIC_SUBSCRIPTION_DEFAULT_MODEL;
+    }
+    return normalized;
+  },
+
   get huggingfaceSavedModels() {
     return Array.isArray(this.huggingface.savedModels) ? this.huggingface.savedModels : [];
   },
@@ -1667,6 +1699,28 @@ const model = {
         this.reportError("warming the local-provider settings draft", error);
       });
     }
+
+    if (this.isSettingsDraftUsingSubscriptionProvider) {
+      const currentModel = String(this.settingsDraft.model || "").trim().toLowerCase();
+      const looksClaude = currentModel.includes("claude") || currentModel.startsWith("anthropic/");
+      if (!looksClaude) {
+        this.settingsDraft = {
+          ...this.settingsDraft,
+          model: ANTHROPIC_SUBSCRIPTION_DEFAULT_MODEL
+        };
+      }
+    }
+  },
+
+  setSubscriptionModelChoice(value) {
+    const choice = String(value || "").trim();
+    if (!choice) {
+      return;
+    }
+    this.settingsDraft = {
+      ...this.settingsDraft,
+      model: choice
+    };
   },
 
   setSettingsPromptBudgetRatio(key, value) {
diff --git a/app/L0/_all/mod/_core/anthropic_oauth/AGENTS.md b/app/L0/_all/mod/_core/anthropic_oauth/AGENTS.md
new file mode 100644
index 00000000..7e2cec0a
--- /dev/null
+++ b/app/L0/_all/mod/_core/anthropic_oauth/AGENTS.md
@@ -0,0 +1,45 @@
+# AGENTS
+
+## Purpose
+
+`_core/anthropic_oauth/` owns the optional "Claude subscription" LLM provider for the first-party agent surfaces.
+
+It is a headless helper module plus a small UI primitive. It does not own chat UI or prompt assembly. It owns:
+
+- the browser-side connect, status, and disconnect helpers around the `/api/oauth_anthropic_*` server endpoints
+- the request-redirect extension hooks that route admin and onscreen API-mode chat traffic through the dedicated authenticated server endpoint when the user opted into subscription mode
+- a reusable connect-status block that the admin and onscreen settings dialogs embed under a "Subscription" tab in the existing provider segmented control
+- the Claude wordmark icon used by the connect button and status badge
+
+Documentation is top priority for this module. After any change under this subtree, update this file and any affected parent or consumer docs in the same session.
+
+## Ownership
+
+This module owns:
+
+- `client.js`: shared API client around `/api/oauth_anthropic_authorize`, `/api/oauth_anthropic_callback`, `/api/oauth_anthropic_status`, and `/api/oauth_anthropic_disconnect`
+- `request.js`: shared helpers used by the per-surface request hooks to redirect API-mode requests to `/api/anthropic_subscription_completions` when the active provider is `subscription`
+- `connect-block.js` plus `connect-block.html`: the reusable "Connect with Claude" status block, popup-window helper, and code-paste input embedded into both settings dialogs through `<x-component path="...">`
+- `anthropic-oauth.css`: scoped status-badge, button, and icon styling
+- `res/claude.svg`: shared Claude wordmark used by the connect button and badge
+- `ext/js/_core/admin/views/agent/api.js/prepareAdminAgentApiRequest/end/anthropic-subscription.js`: admin-chat request redirect for subscription mode
+- `ext/js/_core/onscreen_agent/api.js/prepareOnscreenAgentApiRequest/end/anthropic-subscription.js`: overlay-chat request redirect for subscription mode
+
+## Local Contracts
+
+- the subscription provider is the third value of the existing chat provider enum used by the admin and onscreen agent surfaces; this module never invents a new chat surface
+- when the active settings provider is `subscription`, the per-surface request hooks must rewrite the prepared request URL to `/api/anthropic_subscription_completions`, strip any `Authorization` header (the server injects the bearer token), and force the request body model field if a Claude model is not already selected so the request is acceptable to Anthropic Messages API
+- token plaintext must never reach the browser; the connect block reads only `/api/oauth_anthropic_status` metadata
+- the connect flow uses Anthropic's hosted code-paste page as the OAuth redirect URI: the browser opens the authorize URL in a popup window, the user authorizes on Claude, Anthropic shows them an authorization code, the user pastes that code back into the connect block, and the block POSTs the code plus the previously issued state token to `/api/oauth_anthropic_callback`
+- the connect block shows three states: disconnected (with the connect button and code-paste field), connecting (while the authorize popup is open and after submit is pending), and connected (with account email plus "Disconnect" button)
+- the connect block must respect `ANTHROPIC_OAUTH_ALLOWED`; when disabled it surfaces a short notice instead of a connect button
+- this module does not duplicate streaming response parsing; the server endpoint emits OpenAI-compatible SSE so the existing browser fetch readers in `_core/admin/views/agent/api.js` and `_core/onscreen_agent/api.js` keep working unchanged
+- visual primitives from `_core/visual/` are required for buttons, dialog scoping, and toasts; new visual primitives belong in `_core/visual/`, not here
+- the Claude wordmark is the only artwork this module ships; everything else reuses existing primitives and shared conversation chrome
+
+## Development Guidance
+
+- keep provider detection small and explicit, just like `_core/open_router/`
+- if Anthropic adds new OAuth scopes, request shape, or stream events, prefer extending the server endpoint rather than the browser hooks
+- if Space Agent later registers its own Anthropic OAuth client, override the `ANTHROPIC_OAUTH_CLIENT_ID` runtime param; do not hard-code a different default in this module
+- if the agent or onscreen-agent provider enum signature changes, update both extension hooks here and re-check the per-surface settings dialog
diff --git a/app/L0/_all/mod/_core/anthropic_oauth/anthropic-oauth.css b/app/L0/_all/mod/_core/anthropic_oauth/anthropic-oauth.css
new file mode 100644
index 00000000..13b221cd
--- /dev/null
+++ b/app/L0/_all/mod/_core/anthropic_oauth/anthropic-oauth.css
@@ -0,0 +1,138 @@
+.anthropic-oauth-connect-block {
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+}
+
+.anthropic-oauth-disabled-note {
+  margin: 0;
+}
+
+.anthropic-oauth-status-block {
+  display: flex;
+  flex-direction: column;
+  gap: 0.5rem;
+  padding: 1rem;
+  border-radius: 12px;
+  border: 1px solid color-mix(in srgb, var(--color-fg, #ffffff) 12%, transparent);
+  background: color-mix(in srgb, var(--color-fg, #ffffff) 4%, transparent);
+}
+
+.anthropic-oauth-status-header {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 0.75rem;
+}
+
+.anthropic-oauth-status-label {
+  margin: 0;
+  font-weight: 600;
+  font-size: 0.95rem;
+}
+
+.anthropic-oauth-status-badge {
+  font-size: 0.72rem;
+  font-weight: 600;
+  letter-spacing: 0.04em;
+  text-transform: uppercase;
+  padding: 0.125rem 0.5rem;
+  border-radius: 999px;
+  background: color-mix(in srgb, currentColor 12%, transparent);
+}
+
+.anthropic-oauth-status-badge.color-status-success {
+  color: var(--color-status-success, #4ade80);
+}
+
+.anthropic-oauth-status-badge.color-status-danger {
+  color: var(--color-status-danger, #f87171);
+}
+
+.anthropic-oauth-status-account {
+  margin: 0;
+  font-size: 0.875rem;
+  color: var(--color-fg-muted, color-mix(in srgb, currentColor 70%, transparent));
+}
+
+.anthropic-oauth-status-note {
+  margin: 0;
+}
+
+.anthropic-oauth-status-org {
+  margin: 0;
+  font-size: 0.75rem;
+  color: var(--color-fg-muted, color-mix(in srgb, currentColor 60%, transparent));
+  letter-spacing: 0.02em;
+}
+
+.anthropic-oauth-status-actions {
+  display: flex;
+  justify-content: flex-end;
+  gap: 0.5rem;
+}
+
+.anthropic-oauth-connect-flow {
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+}
+
+.anthropic-oauth-connect-intro {
+  margin: 0;
+}
+
+.anthropic-oauth-connect-step {
+  display: flex;
+  flex-direction: column;
+  gap: 0.5rem;
+  padding: 0.75rem 1rem;
+  border-radius: 12px;
+  border: 1px solid color-mix(in srgb, var(--color-fg, #ffffff) 10%, transparent);
+}
+
+.anthropic-oauth-step-label {
+  margin: 0;
+  font-weight: 600;
+  font-size: 0.875rem;
+}
+
+.anthropic-oauth-connect-button {
+  align-self: flex-start;
+}
+
+.anthropic-oauth-code-field {
+  margin: 0;
+}
+
+.anthropic-oauth-code-label {
+  font-size: 0.8rem;
+  font-weight: 500;
+}
+
+.anthropic-oauth-submit-row {
+  display: flex;
+  justify-content: flex-end;
+}
+
+
+.anthropic-oauth-error-copy {
+  margin: 0;
+  color: var(--color-status-danger, #f87171);
+}
+
+.anthropic-oauth-status-pill {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.25rem;
+  margin-left: 0.4rem;
+  padding: 0 0.45rem;
+  height: 1.1rem;
+  border-radius: 999px;
+  font-size: 0.65rem;
+  font-weight: 600;
+  letter-spacing: 0.04em;
+  text-transform: uppercase;
+  color: var(--color-status-success, #4ade80);
+  background: color-mix(in srgb, var(--color-status-success, #4ade80) 12%, transparent);
+}
diff --git a/app/L0/_all/mod/_core/anthropic_oauth/client.js b/app/L0/_all/mod/_core/anthropic_oauth/client.js
new file mode 100644
index 00000000..b81c8915
--- /dev/null
+++ b/app/L0/_all/mod/_core/anthropic_oauth/client.js
@@ -0,0 +1,71 @@
+// Browser client for the Claude subscription OAuth flow.
+//
+// All token plaintext lives server-side. This client only surfaces:
+//
+//   - status (connected, accountEmail, expiresAt, allowed)
+//   - the authorize URL plus state token returned when starting a connect
+//   - completion of a connect by POSTing the user-pasted authorization code
+//   - disconnect
+//
+// Calls go through the shared `space.api.call(...)` helper from
+// `_core/framework/js/api-client.js`, which already handles cookie auth,
+// JSON serialization, and error normalization.
+
+function getApi() {
+  const runtime = globalThis.space;
+  if (!runtime || typeof runtime !== "object") {
+    throw new Error("Space runtime is not available.");
+  }
+  if (!runtime.api || typeof runtime.api.call !== "function") {
+    throw new Error("space.api.call is not available.");
+  }
+  return runtime.api;
+}
+
+async function fetchAnthropicOauthStatus() {
+  const api = getApi();
+  return api.call("oauth_anthropic_status", { method: "GET" });
+}
+
+async function startAnthropicOauthAuthorize() {
+  const api = getApi();
+  return api.call("oauth_anthropic_authorize", {
+    method: "POST",
+    body: {}
+  });
+}
+
+async function completeAnthropicOauthCallback({ code, state }) {
+  const api = getApi();
+  return api.call("oauth_anthropic_callback", {
+    method: "POST",
+    body: {
+      code: String(code || "").trim(),
+      state: String(state || "").trim()
+    }
+  });
+}
+
+async function disconnectAnthropicOauth() {
+  const api = getApi();
+  return api.call("oauth_anthropic_disconnect", {
+    method: "POST",
+    body: {}
+  });
+}
+
+function openAuthorizePopup(authorizeUrl) {
+  if (typeof window === "undefined" || typeof window.open !== "function") {
+    return null;
+  }
+  const features = "popup=yes,noopener=no,noreferrer=no,width=540,height=720";
+  return window.open(authorizeUrl, "space-anthropic-oauth-connect", features);
+}
+
+export {
+  completeAnthropicOauthCallback,
+  disconnectAnthropicOauth,
+  fetchAnthropicOauthStatus,
+  openAuthorizePopup,
+  startAnthropicOauthAuthorize
+};
diff --git a/app/L0/_all/mod/_core/anthropic_oauth/connect-block.html b/app/L0/_all/mod/_core/anthropic_oauth/connect-block.html
new file mode 100644
index 00000000..422cef19
--- /dev/null
+++ b/app/L0/_all/mod/_core/anthropic_oauth/connect-block.html
@@ -0,0 +1,115 @@
+<div
+  class="anthropic-oauth-connect-block"
+  x-data="anthropicOauthConnectBlock()"
+  x-init="init()"
+>
+  <template x-if="!allowed">
+    <p class="field-note anthropic-oauth-disabled-note">
+      Claude subscription OAuth is disabled in this system. Use an API key instead.
+    </p>
+  </template>
+
+  <template x-if="allowed && connected">
+    <div class="anthropic-oauth-status-block">
+      <div class="anthropic-oauth-status-header">
+        <p class="anthropic-oauth-status-label">Connected to Claude</p>
+        <span class="anthropic-oauth-status-badge" :class="statusBadgeTone">
+          active
+        </span>
+      </div>
+      <p class="anthropic-oauth-status-account">
+        <span x-text="accountLabel || 'subscription account'"></span>
+      </p>
+      <template x-if="status.organizationName">
+        <p class="anthropic-oauth-status-org" x-text="status.organizationName"></p>
+      </template>
+      <p class="field-note anthropic-oauth-status-note">
+        Stays connected until you disconnect or change your Anthropic password. Space Agent refreshes the access token automatically in the background.
+      </p>
+      <div class="anthropic-oauth-status-actions">
+        <button
+          type="button"
+          class="secondary-button"
+          :disabled="isDisconnecting"
+          @click="disconnect()"
+          x-text="isDisconnecting ? 'Disconnecting...' : 'Disconnect'"
+        ></button>
+      </div>
+    </div>
+  </template>
+
+  <template x-if="allowed && !connected">
+    <div class="anthropic-oauth-connect-flow">
+      <p class="field-note anthropic-oauth-connect-intro">
+        Sign in with your Claude subscription to use it for chat without an API key.
+      </p>
+
+      <div class="anthropic-oauth-connect-step">
+        <p class="anthropic-oauth-step-label">
+          <template x-if="shouldShowPasteField">
+            <span>1. Authorize on Claude</span>
+          </template>
+          <template x-if="!shouldShowPasteField">
+            <span>Authorize on Claude</span>
+          </template>
+        </p>
+        <button
+          type="button"
+          class="primary-button anthropic-oauth-connect-button"
+          :disabled="isConnecting || isSubmittingCode"
+          @click="startConnect()"
+          x-text="connectButtonLabel"
+        ></button>
+        <template x-if="isRedirectMode && !shouldShowPasteField">
+          <p class="field-note">
+            A new window opens on claude.ai. Approve there and Space Agent finishes the connect automatically.
+          </p>
+        </template>
+        <template x-if="isPasteMode && !shouldShowPasteField">
+          <p class="field-note">
+            A new window opens on claude.ai. After you approve, Claude shows you a one-time authorization code.
+          </p>
+        </template>
+        <template x-if="isRedirectMode && shouldShowPasteField">
+          <p class="field-note">
+            The popup closed without finishing the connect. You can either click the button above to try again or paste the code Claude showed you below.
+          </p>
+        </template>
+      </div>
+
+      <template x-if="shouldShowPasteField">
+        <div class="anthropic-oauth-connect-step">
+          <p class="anthropic-oauth-step-label">2. Paste the code Claude showed you</p>
+          <label class="field anthropic-oauth-code-field">
+            <span class="anthropic-oauth-code-label">Authorization code</span>
+            <input
+              type="text"
+              autocomplete="off"
+              spellcheck="false"
+              placeholder="Paste the code Claude showed you"
+              :value="codeInput"
+              :disabled="!isCodePending || isSubmittingCode"
+              @input="setCodeInput($event.target.value)"
+            />
+            <p class="field-note">
+              Anthropic shows the code on its hosted page after you approve. Copy it, paste it here, then click <strong>Finish connecting</strong>.
+            </p>
+          </label>
+          <div class="anthropic-oauth-submit-row">
+            <button
+              type="button"
+              class="confirm-button"
+              :disabled="!isCodePending || isSubmittingCode || !codeInput.trim()"
+              @click="submitCode()"
+              x-text="isSubmittingCode ? 'Connecting...' : 'Finish connecting'"
+            ></button>
+          </div>
+        </div>
+      </template>
+    </div>
+  </template>
+
+  <template x-if="lastError">
+    <p class="field-note anthropic-oauth-error-copy" x-text="lastError"></p>
+  </template>
+</div>
diff --git a/app/L0/_all/mod/_core/anthropic_oauth/connect-block.js b/app/L0/_all/mod/_core/anthropic_oauth/connect-block.js
new file mode 100644
index 00000000..716731bc
--- /dev/null
+++ b/app/L0/_all/mod/_core/anthropic_oauth/connect-block.js
@@ -0,0 +1,332 @@
+// Self-contained Alpine factory used by the admin and onscreen settings
+// dialogs to render the "Connect with Claude" / status / "Disconnect" UI.
+//
+// Exposed on globalThis so the template can use the standard Space Agent
+// inline x-data pattern: `x-data="anthropicOauthConnectBlock()"`.
+//
+// All token plaintext stays server-side; this module only talks to the
+// dedicated authenticated endpoints under /api/oauth_anthropic_*.
+
+import {
+  completeAnthropicOauthCallback,
+  disconnectAnthropicOauth,
+  fetchAnthropicOauthStatus,
+  openAuthorizePopup,
+  startAnthropicOauthAuthorize
+} from "/mod/_core/anthropic_oauth/client.js";
+
+function safeShowToast(message, options = {}) {
+  const showToast = globalThis?.space?.visual?.showToast;
+  if (typeof showToast === "function") {
+    try {
+      showToast(message, options);
+    } catch {
+      // toast failures should never break the connect flow
+    }
+  }
+}
+
+// `expires_at` reflects only the short-lived OAuth access token, not the
+// connection itself. Space Agent silently refreshes the access token
+// before it lapses, so the connection effectively persists until the user
+// disconnects or invalidates the refresh token at Anthropic. The UI no
+// longer surfaces the access-token expiry because it confused users into
+// thinking their connection would lapse.
+
+const POPUP_FALLBACK_PROBE_MS = 750;
+
+function createAnthropicOauthConnectBlockData() {
+  // Closure-scoped non-reactive holders for things Alpine should never
+  // try to proxy. Window references (the popup) and registered event
+  // listeners are not safe to put on the reactive state object: Alpine's
+  // reactivity wrapper introspects every value with `__v_raw` and other
+  // proxy probes, and cross-origin Window objects throw on those reads
+  // ("Failed to read a named property '__v_raw' from 'Window': An attempt
+  // was made to break through the security policy of the user agent").
+  let pendingPopup = null;
+  let messageHandler = null;
+  let popupWatcher = null;
+
+  return {
+    isLoading: false,
+    isConnecting: false,
+    isSubmittingCode: false,
+    isDisconnecting: false,
+    codeInput: "",
+    lastError: "",
+    pendingState: "",
+    flowMode: "paste",
+    showPasteFallback: false,
+    status: {
+      allowed: true,
+      connected: false,
+      accountEmail: "",
+      organizationName: "",
+      expiresAt: "",
+      scope: "",
+      obtainedAt: ""
+    },
+    init() {
+      void this.refresh();
+    },
+    destroy() {
+      this.stopWaitingForPopup();
+    },
+    get connected() {
+      return Boolean(this.status?.connected);
+    },
+    get allowed() {
+      return this.status?.allowed !== false;
+    },
+    get accountLabel() {
+      return String(this.status?.accountEmail || "").trim();
+    },
+    get isCodePending() {
+      return Boolean(this.pendingState);
+    },
+    get isRedirectMode() {
+      return this.flowMode === "redirect";
+    },
+    get isPasteMode() {
+      return this.flowMode === "paste";
+    },
+    get shouldShowPasteField() {
+      return this.isPasteMode || this.showPasteFallback;
+    },
+    get connectButtonLabel() {
+      if (this.isConnecting) {
+        return "Opening Claude...";
+      }
+      if (this.isCodePending) {
+        return this.isRedirectMode ? "Reopen Claude window" : "Reopen Claude authorize page";
+      }
+      return "Connect with Claude";
+    },
+    get statusBadgeTone() {
+      if (this.lastError) {
+        return "color-status-danger";
+      }
+      if (this.connected) {
+        return "color-status-success";
+      }
+      return "";
+    },
+    async refresh() {
+      this.isLoading = true;
+      try {
+        const result = await fetchAnthropicOauthStatus();
+        this.status = {
+          allowed: result?.allowed !== false,
+          connected: Boolean(result?.connected),
+          accountEmail: String(result?.accountEmail || ""),
+          organizationName: String(result?.organizationName || ""),
+          expiresAt: String(result?.expiresAt || ""),
+          scope: String(result?.scope || ""),
+          obtainedAt: String(result?.obtainedAt || "")
+        };
+        if (this.connected) {
+          // Once connected we no longer need the in-flight state token.
+          this.pendingState = "";
+          this.codeInput = "";
+          this.showPasteFallback = false;
+          this.stopWaitingForPopup();
+        }
+        this.lastError = "";
+      } catch (error) {
+        this.lastError = String(error?.message || "Could not load Claude subscription status.");
+      } finally {
+        this.isLoading = false;
+      }
+    },
+    installMessageListener() {
+      if (messageHandler || typeof window === "undefined") {
+        return;
+      }
+      const self = this;
+      const handler = (event) => {
+        const data = event?.data;
+        if (!data || typeof data !== "object" || data.type !== "space-anthropic-oauth-complete") {
+          return;
+        }
+        if (data.success) {
+          void self.handleRedirectSuccess();
+        } else {
+          self.lastError =
+            String(data.error || "Claude rejected the connect. Try again or paste the code below.");
+          self.showPasteFallback = true;
+          self.isConnecting = false;
+        }
+      };
+      window.addEventListener("message", handler);
+      messageHandler = handler;
+    },
+    removeMessageListener() {
+      if (messageHandler && typeof window !== "undefined") {
+        window.removeEventListener("message", messageHandler);
+      }
+      messageHandler = null;
+    },
+    watchPopupClosed() {
+      this.clearPopupWatcher();
+      if (typeof window === "undefined" || !pendingPopup) {
+        return;
+      }
+      const popup = pendingPopup;
+      const self = this;
+      popupWatcher = window.setInterval(() => {
+        let closed = false;
+        try {
+          closed = !popup || popup.closed;
+        } catch {
+          // Cross-origin access can throw; treat as closed and stop probing.
+          closed = true;
+        }
+        if (closed) {
+          self.clearPopupWatcher();
+          if (self.isRedirectMode && !self.connected && self.pendingState) {
+            self.showPasteFallback = true;
+            self.isConnecting = false;
+          }
+        }
+      }, POPUP_FALLBACK_PROBE_MS);
+    },
+    clearPopupWatcher() {
+      if (popupWatcher && typeof window !== "undefined") {
+        window.clearInterval(popupWatcher);
+      }
+      popupWatcher = null;
+    },
+    stopWaitingForPopup() {
+      this.removeMessageListener();
+      this.clearPopupWatcher();
+      try {
+        pendingPopup?.close?.();
+      } catch {
+        // ignore popup cleanup failures
+      }
+      pendingPopup = null;
+    },
+    async handleRedirectSuccess() {
+      this.stopWaitingForPopup();
+      this.pendingState = "";
+      this.codeInput = "";
+      this.showPasteFallback = false;
+      this.isConnecting = false;
+      await this.refresh();
+      safeShowToast("Claude subscription connected.", { tone: "success" });
+    },
+    async startConnect() {
+      if (this.isConnecting || this.isSubmittingCode) {
+        return;
+      }
+      if (!this.allowed) {
+        this.lastError = "Claude subscription OAuth is disabled in this system.";
+        return;
+      }
+      this.lastError = "";
+      this.isConnecting = true;
+      this.showPasteFallback = false;
+      try {
+        const result = await startAnthropicOauthAuthorize();
+        const authorizeUrl = String(result?.authorizeUrl || "").trim();
+        const state = String(result?.state || "").trim();
+        const flowMode = String(result?.flowMode || "paste").trim().toLowerCase();
+        if (!authorizeUrl || !state) {
+          throw new Error("The server did not return a Claude authorize URL.");
+        }
+        this.pendingState = state;
+        this.flowMode = flowMode === "redirect" ? "redirect" : "paste";
+        this.stopWaitingForPopup();
+        if (this.isRedirectMode) {
+          this.installMessageListener();
+        }
+        pendingPopup = openAuthorizePopup(authorizeUrl);
+        if (!pendingPopup) {
+          // Popup blocker fired. Open in a new tab and surface paste as
+          // a fallback path because postMessage won't fire from a
+          // top-level tab navigation.
+          if (typeof window !== "undefined" && typeof window.open === "function") {
+            window.open(authorizeUrl, "_blank", "noopener,noreferrer");
+          }
+          this.showPasteFallback = true;
+        } else if (this.isRedirectMode) {
+          this.watchPopupClosed();
+        }
+      } catch (error) {
+        this.lastError = String(error?.message || "Could not start the Claude connect flow.");
+      } finally {
+        this.isConnecting = false;
+      }
+    },
+    setCodeInput(value) {
+      this.codeInput = String(value || "");
+    },
+    async submitCode() {
+      let code = String(this.codeInput || "").trim();
+      let state = String(this.pendingState || "").trim();
+      // Anthropic's hosted code page shows `<code>#<state>` joined by `#`.
+      // If the user pasted the whole thing, accept it and split here so
+      // the user doesn't have to.
+      const hashIndex = code.indexOf("#");
+      if (hashIndex !== -1) {
+        const tail = code.slice(hashIndex + 1).trim();
+        code = code.slice(0, hashIndex).trim();
+        if (tail) {
+          state = tail;
+        }
+      }
+      if (!code) {
+        this.lastError = "Paste the code Claude showed you.";
+        return;
+      }
+      if (!state) {
+        this.lastError = "Start a Claude connect first, then paste the code.";
+        return;
+      }
+      this.isSubmittingCode = true;
+      this.lastError = "";
+      try {
+        await completeAnthropicOauthCallback({ code, state });
+        this.codeInput = "";
+        this.pendingState = "";
+        this.showPasteFallback = false;
+        this.stopWaitingForPopup();
+        await this.refresh();
+        safeShowToast("Claude subscription connected.", { tone: "success" });
+      } catch (error) {
+        this.lastError = String(
+          error?.message || "Could not finish the Claude connect. Try again or click Connect with Claude to start fresh."
+        );
+      } finally {
+        this.isSubmittingCode = false;
+      }
+    },
+    async disconnect() {
+      if (this.isDisconnecting) {
+        return;
+      }
+      this.isDisconnecting = true;
+      this.lastError = "";
+      try {
+        await disconnectAnthropicOauth();
+        this.stopWaitingForPopup();
+        await this.refresh();
+        safeShowToast("Claude subscription disconnected.", { tone: "neutral" });
+      } catch (error) {
+        this.lastError = String(error?.message || "Could not disconnect Claude.");
+      } finally {
+        this.isDisconnecting = false;
+      }
+    }
+  };
+}
+
+if (typeof globalThis !== "undefined") {
+  globalThis.anthropicOauthConnectBlock = function anthropicOauthConnectBlock() {
+    return createAnthropicOauthConnectBlockData();
+  };
+}
+
+export {
+  createAnthropicOauthConnectBlockData
+};
diff --git a/app/L0/_all/mod/_core/anthropic_oauth/ext/js/_core/admin/views/agent/api.js/prepareAdminAgentApiRequest/end/anthropic-subscription.js b/app/L0/_all/mod/_core/anthropic_oauth/ext/js/_core/admin/views/agent/api.js/prepareAdminAgentApiRequest/end/anthropic-subscription.js
new file mode 100644
index 00000000..6bda6870
--- /dev/null
+++ b/app/L0/_all/mod/_core/anthropic_oauth/ext/js/_core/admin/views/agent/api.js/prepareAdminAgentApiRequest/end/anthropic-subscription.js
@@ -0,0 +1,19 @@
+import {
+  applyAnthropicSubscriptionRequest,
+  isAnthropicSubscriptionProvider
+} from "/mod/_core/anthropic_oauth/request.js";
+
+export default async function anthropicSubscriptionAdminRequestHook(hookContext) {
+  const apiRequest = hookContext?.result;
+
+  if (!apiRequest || typeof apiRequest !== "object") {
+    return;
+  }
+
+  const provider = apiRequest.settings?.provider;
+  if (!isAnthropicSubscriptionProvider(provider)) {
+    return;
+  }
+
+  hookContext.result = applyAnthropicSubscriptionRequest(apiRequest);
+}
diff --git a/app/L0/_all/mod/_core/anthropic_oauth/ext/js/_core/onscreen_agent/api.js/prepareOnscreenAgentApiRequest/end/anthropic-subscription.js b/app/L0/_all/mod/_core/anthropic_oauth/ext/js/_core/onscreen_agent/api.js/prepareOnscreenAgentApiRequest/end/anthropic-subscription.js
new file mode 100644
index 00000000..deeb0afa
--- /dev/null
+++ b/app/L0/_all/mod/_core/anthropic_oauth/ext/js/_core/onscreen_agent/api.js/prepareOnscreenAgentApiRequest/end/anthropic-subscription.js
@@ -0,0 +1,19 @@
+import {
+  applyAnthropicSubscriptionRequest,
+  isAnthropicSubscriptionProvider
+} from "/mod/_core/anthropic_oauth/request.js";
+
+export default async function anthropicSubscriptionOnscreenRequestHook(hookContext) {
+  const apiRequest = hookContext?.result;
+
+  if (!apiRequest || typeof apiRequest !== "object") {
+    return;
+  }
+
+  const provider = apiRequest.settings?.provider;
+  if (!isAnthropicSubscriptionProvider(provider)) {
+    return;
+  }
+
+  hookContext.result = applyAnthropicSubscriptionRequest(apiRequest);
+}
diff --git a/app/L0/_all/mod/_core/anthropic_oauth/request.js b/app/L0/_all/mod/_core/anthropic_oauth/request.js
new file mode 100644
index 00000000..08e25102
--- /dev/null
+++ b/app/L0/_all/mod/_core/anthropic_oauth/request.js
@@ -0,0 +1,104 @@
+// Shared helpers for redirecting an API-mode chat request to the
+// authenticated `/api/anthropic_subscription_completions` endpoint when
+// the user opted into the Claude subscription provider. The per-surface
+// extension hooks call into these so behavior stays in lockstep across
+// the admin and onscreen agent surfaces.
+
+const ANTHROPIC_SUBSCRIPTION_ENDPOINT_PATH = "/api/anthropic_subscription_completions";
+const ANTHROPIC_SUBSCRIPTION_DEFAULT_MODEL = "claude-sonnet-4-6";
+
+// Friendly aliases users can pick from in the settings dialog. The alias
+// strings are forwarded verbatim to Anthropic so the upstream resolves
+// them to the latest dated release; when Anthropic introduces a newer
+// model, users can keep using the same alias without a Space Agent
+// update, or switch to the "Custom..." option to type a dated id.
+const ANTHROPIC_SUBSCRIPTION_CURATED_MODELS = Object.freeze([
+  Object.freeze({ value: "claude-opus-4-7", label: "Claude Opus 4.7" }),
+  Object.freeze({ value: "claude-sonnet-4-6", label: "Claude Sonnet 4.6" }),
+  Object.freeze({ value: "claude-haiku-4-5", label: "Claude Haiku 4.5" })
+]);
+
+function isAnthropicSubscriptionCuratedModel(value) {
+  const normalized = String(value || "").trim();
+  return ANTHROPIC_SUBSCRIPTION_CURATED_MODELS.some((entry) => entry.value === normalized);
+}
+
+function normalizeSubscriptionModelId(value) {
+  let model = String(value || "").trim();
+  if (!model) {
+    return "";
+  }
+  // Strip "<provider>/" prefixes such as "anthropic/" or "openai/"
+  const slashIndex = model.indexOf("/");
+  if (slashIndex !== -1) {
+    model = model.slice(slashIndex + 1);
+  }
+  // OpenRouter aliases use dotted version separators ("4.5"); Anthropic
+  // expects dashes ("4-5"). Normalize so a copy-paste from another
+  // provider just works.
+  return model.replace(/\./g, "-");
+}
+
+function isAnthropicSubscriptionProvider(value) {
+  return String(value || "").trim().toLowerCase() === "subscription";
+}
+
+function buildAnthropicSubscriptionUrl(origin = "") {
+  if (typeof origin === "string" && origin) {
+    return `${origin.replace(/\/+$/u, "")}${ANTHROPIC_SUBSCRIPTION_ENDPOINT_PATH}`;
+  }
+  if (typeof globalThis.location?.origin === "string") {
+    return `${globalThis.location.origin}${ANTHROPIC_SUBSCRIPTION_ENDPOINT_PATH}`;
+  }
+  return ANTHROPIC_SUBSCRIPTION_ENDPOINT_PATH;
+}
+
+function applyAnthropicSubscriptionRequest(apiRequest = {}) {
+  if (!apiRequest || typeof apiRequest !== "object") {
+    return apiRequest;
+  }
+
+  const headers =
+    apiRequest.headers && typeof apiRequest.headers === "object"
+      ? { ...apiRequest.headers }
+      : {};
+
+  // The server injects the bearer token. Strip any client-supplied
+  // Authorization so it never leaks through the proxy and so a stale
+  // user-entered API key cannot accidentally override the OAuth path.
+  delete headers.Authorization;
+  delete headers.authorization;
+
+  const requestBody =
+    apiRequest.requestBody && typeof apiRequest.requestBody === "object"
+      ? { ...apiRequest.requestBody }
+      : null;
+
+  if (requestBody) {
+    const normalized = normalizeSubscriptionModelId(requestBody.model);
+    if (!normalized || normalized.startsWith("gpt-") || normalized.startsWith("o1") || normalized.startsWith("o3")) {
+      requestBody.model = ANTHROPIC_SUBSCRIPTION_DEFAULT_MODEL;
+    } else {
+      requestBody.model = normalized;
+    }
+  }
+
+  return {
+    ...apiRequest,
+    apiEndpoint: buildAnthropicSubscriptionUrl(),
+    headers,
+    requestBody: requestBody || apiRequest.requestBody,
+    requestUrl: buildAnthropicSubscriptionUrl()
+  };
+}
+
+export {
+  ANTHROPIC_SUBSCRIPTION_CURATED_MODELS,
+  ANTHROPIC_SUBSCRIPTION_DEFAULT_MODEL,
+  ANTHROPIC_SUBSCRIPTION_ENDPOINT_PATH,
+  applyAnthropicSubscriptionRequest,
+  buildAnthropicSubscriptionUrl,
+  isAnthropicSubscriptionCuratedModel,
+  isAnthropicSubscriptionProvider,
+  normalizeSubscriptionModelId
+};
diff --git a/app/L0/_all/mod/_core/onscreen_agent/AGENTS.md b/app/L0/_all/mod/_core/onscreen_agent/AGENTS.md
index e8dc5099..9377d5fe 100644
--- a/app/L0/_all/mod/_core/onscreen_agent/AGENTS.md
+++ b/app/L0/_all/mod/_core/onscreen_agent/AGENTS.md
@@ -280,7 +280,8 @@ Current overlay behavior:
 - `store.js` should hold one prompt-instance object per chat surface, rebuild full prompt input when the overlay boots or the thread is reset or a new LLM turn is about to start, and reuse the cached system or examples or transient sections without recomputing the full prepared payload or token counts on every streamed delta
 - prompt-history previews and token counts are derived from the prepared outbound request payload so request-prep extensions stay visible in the context window instead of only affecting the final fetch call, but exact recomputation should happen only at stable boundaries such as request preparation, stop handling, or settled assistant completion, never on every streamed delta
 - the settings modal and prompt-history modal must both use the shared fixed-chrome dialog shell from `_core/visual/forms/dialog.css` so their header and footer rows stay static while only the settings form body or prompt-history frame scrolls
-- the settings modal keeps a provider switch with exactly two tabs named `API` and `Local`; API settings show endpoint, model, and API key fields, while local settings mount the shared `_core/huggingface/config-sidebar.html` component in `onscreen` mode
+- the settings modal keeps a provider switch with three tabs named `API key`, `Claude subscription`, and `Local`; API settings show endpoint, model, and API key fields, the subscription tab mounts the shared `_core/anthropic_oauth/connect-block.html` plus a Claude model name input, and local settings mount the shared `_core/huggingface/config-sidebar.html` component in `onscreen` mode
+- when the active provider is `subscription`, `OnscreenAgentApiLlmClient.validateSettings` skips the `apiEndpoint` and `apiKey` checks and the `_core/anthropic_oauth/` request hook redirects the prepared fetch URL to the authenticated `/api/anthropic_subscription_completions` endpoint while stripping any `Authorization` header so the browser never sees the OAuth bearer token
 - local provider settings are limited to the shared Hugging Face browser runtime for now; the overlay subscribes to `_core/huggingface/manager.js`, reads the same saved-model list and live worker state as the routed Local LLM page, and should not boot the worker just because the modal opened
 - when no Hugging Face model is selected and the shared saved-model list has entries, the overlay local-provider panel should preselect the browser-wide last successfully loaded saved model from `_core/huggingface/manager.js`, falling back to the first saved entry if that last-used entry was discarded
 - when no Hugging Face model is selected, no model is loaded, and the shared saved-model list is empty, the overlay local-provider panel should prefill the model field with the same default used by the routed testing page: `onnx-community/gemma-4-E4B-it-ONNX`
diff --git a/app/L0/_all/mod/_core/onscreen_agent/api.js b/app/L0/_all/mod/_core/onscreen_agent/api.js
index 510d23a6..519c335c 100644
--- a/app/L0/_all/mod/_core/onscreen_agent/api.js
+++ b/app/L0/_all/mod/_core/onscreen_agent/api.js
@@ -299,12 +299,17 @@ export class OnscreenAgentLlmClient {
 
 export class OnscreenAgentApiLlmClient extends OnscreenAgentLlmClient {
   validateSettings(settings = this.settings) {
-    if (!settings?.apiEndpoint?.trim()) {
-      throw new Error("Set an API endpoint before sending a message.");
-    }
+    const provider = config.normalizeOnscreenAgentLlmProvider(settings?.provider);
+    const isSubscription = provider === config.ONSCREEN_AGENT_LLM_PROVIDER.SUBSCRIPTION;
+
+    if (!isSubscription) {
+      if (!settings?.apiEndpoint?.trim()) {
+        throw new Error("Set an API endpoint before sending a message.");
+      }
 
-    if (!settings.apiKey.trim()) {
-      throw new Error("Set an API key before sending a message.");
+      if (!settings.apiKey.trim()) {
+        throw new Error("Set an API key before sending a message.");
+      }
     }
 
     if (!settings.model.trim()) {
diff --git a/app/L0/_all/mod/_core/onscreen_agent/config.js b/app/L0/_all/mod/_core/onscreen_agent/config.js
index bcca393a..30bf39a0 100644
--- a/app/L0/_all/mod/_core/onscreen_agent/config.js
+++ b/app/L0/_all/mod/_core/onscreen_agent/config.js
@@ -6,7 +6,8 @@ export const ONSCREEN_AGENT_UI_STATE_STORAGE_KEY = "space.onscreenAgent.uiState"
 export const DEFAULT_ONSCREEN_AGENT_MAX_TOKENS = 120_000;
 export const ONSCREEN_AGENT_LLM_PROVIDER = Object.freeze({
   API: "api",
-  LOCAL: "local"
+  LOCAL: "local",
+  SUBSCRIPTION: "subscription"
 });
 export const ONSCREEN_AGENT_LOCAL_PROVIDER = Object.freeze({
   HUGGINGFACE: "huggingface"
@@ -36,9 +37,13 @@ function normalizeOnscreenAgentSettingText(value) {
 }
 
 export function normalizeOnscreenAgentLlmProvider(value) {
-  return value === ONSCREEN_AGENT_LLM_PROVIDER.LOCAL
-    ? ONSCREEN_AGENT_LLM_PROVIDER.LOCAL
-    : ONSCREEN_AGENT_LLM_PROVIDER.API;
+  if (value === ONSCREEN_AGENT_LLM_PROVIDER.LOCAL) {
+    return ONSCREEN_AGENT_LLM_PROVIDER.LOCAL;
+  }
+  if (value === ONSCREEN_AGENT_LLM_PROVIDER.SUBSCRIPTION) {
+    return ONSCREEN_AGENT_LLM_PROVIDER.SUBSCRIPTION;
+  }
+  return ONSCREEN_AGENT_LLM_PROVIDER.API;
 }
 
 export function normalizeOnscreenAgentLocalProvider(value) {
diff --git a/app/L0/_all/mod/_core/onscreen_agent/panel.html b/app/L0/_all/mod/_core/onscreen_agent/panel.html
index a4510bdc..52538512 100644
--- a/app/L0/_all/mod/_core/onscreen_agent/panel.html
+++ b/app/L0/_all/mod/_core/onscreen_agent/panel.html
@@ -4,7 +4,9 @@
     <link rel="stylesheet" href="/mod/_core/onscreen_agent/onscreen-agent.css" />
     <link rel="stylesheet" href="/mod/_core/onscreen_agent/response-markdown.css" />
     <link rel="stylesheet" href="/mod/_core/huggingface/huggingface.css" />
+    <link rel="stylesheet" href="/mod/_core/anthropic_oauth/anthropic-oauth.css" />
     <script type="module" src="/mod/_core/onscreen_agent/store.js"></script>
+    <script type="module" src="/mod/_core/anthropic_oauth/connect-block.js"></script>
   </head>
   <body>
     <div x-data class="onscreen-agent-root agent-thread-surface" x-init="$nextTick(() => $store.onscreenAgent.init())">
@@ -336,7 +338,15 @@ <h2>Model, credentials, params, and instructions</h2>
                         :class="{ 'is-active': $store.onscreenAgent.isSettingsDraftUsingApiProvider }"
                         @click="$store.onscreenAgent.setSettingsProvider('api')"
                       >
-                        <span>API</span>
+                        <span>API key</span>
+                      </button>
+                      <button
+                        type="button"
+                        class="secondary-button dialog-segmented-button"
+                        :class="{ 'is-active': $store.onscreenAgent.isSettingsDraftUsingSubscriptionProvider }"
+                        @click="$store.onscreenAgent.setSettingsProvider('subscription')"
+                      >
+                        <span>Claude subscription</span>
                       </button>
                       <button
                         type="button"
@@ -361,6 +371,23 @@ <h2>Model, credentials, params, and instructions</h2>
                         <input type="password" x-model="$store.onscreenAgent.settingsDraft.apiKey" />
                       </label>
                     </div>
+                    <div x-show="$store.onscreenAgent.isSettingsDraftUsingSubscriptionProvider" x-cloak class="onscreen-agent-subscription-settings">
+                      <label class="field">
+                        <span>Claude Model</span>
+                        <select
+                          :value="$store.onscreenAgent.subscriptionModelChoice"
+                          @change="$store.onscreenAgent.setSubscriptionModelChoice($event.target.value)"
+                        >
+                          <template x-for="entry in $store.onscreenAgent.subscriptionCuratedModels" :key="entry.value">
+                            <option :value="entry.value" x-text="entry.label"></option>
+                          </template>
+                        </select>
+                        <p class="field-note">
+                          Pick a Claude model. Anthropic resolves the alias to the latest dated release, so newer models work without a Space Agent update. Effort, thinking, and other Claude defaults are handled by the subscription.
+                        </p>
+                      </label>
+                      <x-component path="/mod/_core/anthropic_oauth/connect-block.html" mode="onscreen"></x-component>
+                    </div>
                     <div x-show="$store.onscreenAgent.isSettingsDraftUsingLocalProvider" x-cloak class="onscreen-agent-local-settings">
                       <div class="onscreen-agent-local-provider-panel">
                         <x-component path="/mod/_core/huggingface/config-sidebar.html" mode="onscreen"></x-component>
@@ -434,7 +461,7 @@ <h2>Model, credentials, params, and instructions</h2>
                         System, history, and transient rebalance to 100% of <code>max tokens</code>. Single history message is a percentage of the history budget.
                       </p>
                     </div>
-                    <label class="field">
+                    <label class="field" x-show="!$store.onscreenAgent.isSettingsDraftUsingSubscriptionProvider" x-cloak>
                       <span>Params</span>
                       <textarea
                         rows="6"
diff --git a/app/L0/_all/mod/_core/onscreen_agent/store.js b/app/L0/_all/mod/_core/onscreen_agent/store.js
index ae4fba33..f32e9ab5 100644
--- a/app/L0/_all/mod/_core/onscreen_agent/store.js
+++ b/app/L0/_all/mod/_core/onscreen_agent/store.js
@@ -1,4 +1,10 @@
 import * as config from "/mod/_core/onscreen_agent/config.js";
+import {
+  ANTHROPIC_SUBSCRIPTION_CURATED_MODELS,
+  ANTHROPIC_SUBSCRIPTION_DEFAULT_MODEL,
+  isAnthropicSubscriptionCuratedModel,
+  normalizeSubscriptionModelId
+} from "/mod/_core/anthropic_oauth/request.js";
 import * as agentApi from "/mod/_core/onscreen_agent/api.js";
 import {
   installPromptItemAccess,
@@ -1624,6 +1630,32 @@ const model = {
     return config.normalizeOnscreenAgentLlmProvider(this.settingsDraft.provider) === config.ONSCREEN_AGENT_LLM_PROVIDER.LOCAL;
   },
 
+  get isSettingsDraftUsingSubscriptionProvider() {
+    return (
+      config.normalizeOnscreenAgentLlmProvider(this.settingsDraft.provider) ===
+      config.ONSCREEN_AGENT_LLM_PROVIDER.SUBSCRIPTION
+    );
+  },
+
+  get isUsingSubscriptionProvider() {
+    return (
+      config.normalizeOnscreenAgentLlmProvider(this.settings.provider) ===
+      config.ONSCREEN_AGENT_LLM_PROVIDER.SUBSCRIPTION
+    );
+  },
+
+  get subscriptionCuratedModels() {
+    return ANTHROPIC_SUBSCRIPTION_CURATED_MODELS.map((entry) => ({ ...entry }));
+  },
+
+  get subscriptionModelChoice() {
+    const normalized = normalizeSubscriptionModelId(this.settingsDraft.model);
+    if (!normalized || !isAnthropicSubscriptionCuratedModel(normalized)) {
+      return ANTHROPIC_SUBSCRIPTION_DEFAULT_MODEL;
+    }
+    return normalized;
+  },
+
   get huggingfaceSavedModels() {
     return Array.isArray(this.huggingface.savedModels) ? this.huggingface.savedModels : [];
   },
@@ -4433,6 +4465,28 @@ const model = {
         });
       });
     }
+
+    if (this.isSettingsDraftUsingSubscriptionProvider) {
+      const currentModel = String(this.settingsDraft.model || "").trim().toLowerCase();
+      const looksClaude = currentModel.includes("claude") || currentModel.startsWith("anthropic/");
+      if (!looksClaude) {
+        this.settingsDraft = {
+          ...this.settingsDraft,
+          model: ANTHROPIC_SUBSCRIPTION_DEFAULT_MODEL
+        };
+      }
+    }
+  },
+
+  setSubscriptionModelChoice(value) {
+    const choice = String(value || "").trim();
+    if (!choice) {
+      return;
+    }
+    this.settingsDraft = {
+      ...this.settingsDraft,
+      model: choice
+    };
   },
 
   setSettingsPromptBudgetRatio(key, value) {
diff --git a/app/L0/_all/mod/_core/visual/AGENTS.md b/app/L0/_all/mod/_core/visual/AGENTS.md
index 0e2505b4..c967a217 100644
--- a/app/L0/_all/mod/_core/visual/AGENTS.md
+++ b/app/L0/_all/mod/_core/visual/AGENTS.md
@@ -51,6 +51,7 @@ Actions and forms:
 
 - `actions/buttons.css` owns shared `primary-button`, `secondary-button`, and `confirm-button` treatments plus composer-attachment chip styling
 - `forms/dialog.css` plus `forms/dialog.js` own the shared native `<dialog>` presentation and open or close helpers
+- `forms/dialog.css` owns the shared `.field` form-row primitive used by every dialog: it styles `.field input`, `.field textarea`, and `.field select` with the same border, radius, padding, and focus ring so dialog form rows stay visually consistent without each feature module re-implementing input chrome
 - `forms/dialog.css` also owns reusable prompt-budget field styling for dialog-based model settings, including the segmented preview bar plus the multi-slider control grid used by the first-party agent surfaces
 - authenticated app feature dialogs are standardized on feature-owned native `<dialog class="chat-dialog">` markup that lives in the owning feature HTML, opens through `forms/dialog.js`, and composes `dialog-card` or `dialog-card-shell` content wrappers from `forms/dialog.css`
 - `forms/dialog.css` also owns the reusable fixed-chrome dialog shell classes for long modals: `dialog-card-shell` keeps the header and footer static, `dialog-scroll-body` and `dialog-scroll-frame` own the interior scrolling region, and `dialog-actions-split` plus `dialog-actions-group` and `dialog-action-button-fixed` cover compact split footer rows without feature-local inline layout
diff --git a/app/L0/_all/mod/_core/visual/forms/dialog.css b/app/L0/_all/mod/_core/visual/forms/dialog.css
index 4367d538..f83c1b47 100644
--- a/app/L0/_all/mod/_core/visual/forms/dialog.css
+++ b/app/L0/_all/mod/_core/visual/forms/dialog.css
@@ -299,7 +299,8 @@
 }
 
 .field input,
-.field textarea {
+.field textarea,
+.field select {
   display: block;
   width: 100%;
   max-width: 100%;
@@ -318,8 +319,35 @@
   resize: vertical;
 }
 
+.field select {
+  -webkit-appearance: none;
+  -moz-appearance: none;
+  appearance: none;
+  cursor: pointer;
+  padding-right: 2.5rem;
+  background-image: linear-gradient(45deg, transparent 50%, currentColor 50%),
+    linear-gradient(135deg, currentColor 50%, transparent 50%);
+  background-position:
+    calc(100% - 1.15rem) calc(50% - 0.16rem),
+    calc(100% - 0.7rem) calc(50% - 0.16rem);
+  background-size: 0.45rem 0.45rem, 0.45rem 0.45rem;
+  background-repeat: no-repeat;
+}
+
+.field select::-ms-expand {
+  display: none;
+}
+
+.field select option {
+  /* Native option dropdown is OS-rendered, so the panel itself can't be
+     restyled, but we can at least keep the surrounding tone aligned. */
+  background: var(--space-field-bg);
+  color: var(--color-text);
+}
+
 .field input:focus,
-.field textarea:focus {
+.field textarea:focus,
+.field select:focus {
   border-color: var(--space-field-focus-border);
   box-shadow: 0 0 0 3px var(--space-field-focus-ring);
 }
diff --git a/commands/params.yaml b/commands/params.yaml
index ce5ef7bb..c7e8e4cb 100644
--- a/commands/params.yaml
+++ b/commands/params.yaml
@@ -84,3 +84,45 @@ USER_FOLDER_SIZE_LIMIT_BYTES:
   allowed: [0..9007199254740991]
   default: 0
   frontend_exposed: false
+ANTHROPIC_OAUTH_ALLOWED:
+  description: Allow the Claude subscription OAuth provider for the agent surfaces. When false the connect endpoints reject and the UI hides the subscription option.
+  type: boolean
+  allowed: [true, false]
+  default: true
+  frontend_exposed: true
+ANTHROPIC_OAUTH_CLIENT_ID:
+  description: OAuth client_id used when starting a Claude subscription connect. Defaults to the published Claude Code public client. Override only if this deployment has registered its own Anthropic OAuth client.
+  type: text
+  allowed: ["*"]
+  default: 9d1c250a-e61b-44d9-88ed-5944d1962f5e
+  frontend_exposed: false
+ANTHROPIC_OAUTH_AUTHORIZE_URL:
+  description: Anthropic OAuth authorize endpoint used to start the connect flow.
+  type: text
+  allowed: ["*"]
+  default: https://claude.ai/oauth/authorize
+  frontend_exposed: false
+ANTHROPIC_OAUTH_TOKEN_URL:
+  description: Anthropic OAuth token exchange endpoint used to swap an authorization code for tokens and to refresh access tokens.
+  type: text
+  allowed: ["*"]
+  default: https://console.anthropic.com/v1/oauth/token
+  frontend_exposed: false
+ANTHROPIC_OAUTH_REDIRECT_URI:
+  description: Redirect URI sent during the Claude subscription OAuth flow when using paste-mode. Defaults to the Anthropic-hosted code-paste page so deployments do not need to register their own redirect URI.
+  type: text
+  allowed: ["*"]
+  default: https://console.anthropic.com/oauth/code/callback
+  frontend_exposed: false
+ANTHROPIC_OAUTH_FLOW_MODE:
+  description: Choose how Claude OAuth completes. auto resolves to paste (the public Claude Code OAuth client does not allowlist arbitrary localhost callbacks). redirect points Anthropic back at /api/oauth_anthropic_callback for a button-only flow but only works when ANTHROPIC_OAUTH_CLIENT_ID is overridden with a deployment-specific Anthropic OAuth application that has registered this Space Agent host as a redirect URI. paste explicitly forces the manual code-paste flow.
+  type: text
+  allowed: [auto, redirect, paste]
+  default: auto
+  frontend_exposed: false
+ANTHROPIC_API_BASE_URL:
+  description: Base URL for the Anthropic Messages API used by the subscription provider. Override only when proxying through a private Anthropic-compatible endpoint.
+  type: text
+  allowed: ["*"]
+  default: https://api.anthropic.com
+  frontend_exposed: false
diff --git a/server/api/AGENTS.md b/server/api/AGENTS.md
index 9299ccb3..5907f214 100644
--- a/server/api/AGENTS.md
+++ b/server/api/AGENTS.md
@@ -127,6 +127,26 @@ Runtime and identity endpoints:
 - `user_crypto_session_key`
 - `user_self_info`
 
+Claude subscription OAuth endpoints:
+
+- `oauth_anthropic_authorize`
+- `oauth_anthropic_callback`
+- `oauth_anthropic_status`
+- `oauth_anthropic_disconnect`
+- `anthropic_subscription_completions`
+
+Current rules:
+
+- these endpoints back the optional Claude subscription LLM provider for the first-party agent surfaces; they are gated by `ANTHROPIC_OAUTH_ALLOWED` (default `true`) and refuse with `403` when disabled
+- all five endpoints require an authenticated session and operate on the current user only; they never accept a `username` parameter
+- `oauth_anthropic_authorize` is `POST` only; it generates a PKCE verifier plus opaque state token, resolves the active flow mode (`redirect` or `paste`) from `ANTHROPIC_OAUTH_FLOW_MODE` plus the request's host, stores everything under the `anthropic_oauth_state` shared-state area through `auth.storeAnthropicOauthState(...)` with a short TTL, and returns the authorize URL plus state token plus resolved `flowMode` and `redirectUri` so the browser knows whether to wait for a popup `postMessage` or to surface the paste field
+- `oauth_anthropic_callback` exposes both `GET` and `POST` and shares one exchange path; `GET` is used by the redirect-mode popup (Anthropic redirects back with `?code=...&state=...`) and returns a small HTML page that posts a result message to `window.opener` and closes itself, while `POST` is used by the paste-mode dialog (the browser submits `{ code, state }` JSON) and returns the new connection status; both paths consume the state token through `auth.consumeAnthropicOauthState(...)`, validate the cached username against the current session, exchange the authorization code at the configured Anthropic token endpoint, seal the access and refresh tokens with the shared password seal key, and write the encrypted record to `/app/L2/<username>/meta/anthropic_oauth.json` through the shared mutation flow
+- `oauth_anthropic_status` is `GET` only; it returns `{ allowed, connected, accountEmail, expiresAt, scope, organizationId, organizationName, obtainedAt }` and never includes plaintext tokens
+- `oauth_anthropic_disconnect` is `POST` only; it deletes the encrypted record and publishes the changed logical path through the shared mutation flow
+- `anthropic_subscription_completions` is `POST` only; it accepts an OpenAI chat-completions body, refreshes the user's access token if needed, calls Anthropic Messages API at `${ANTHROPIC_API_BASE_URL}/v1/messages` with the OAuth bearer plus `anthropic-beta: oauth-2025-04-20` and `anthropic-version: 2023-06-01`, translates the Anthropic event stream back into OpenAI-compatible `chat.completion.chunk` SSE events, and streams the result so the existing browser fetch readers in `_core/admin/views/agent/api.js` and `_core/onscreen_agent/api.js` keep working
+- token refresh logic and at-rest sealing live in `server/lib/auth/anthropic_oauth.js`; endpoints must not roll their own crypto or HTTP exchange against Anthropic
+- the streaming endpoint must not modify or duplicate the shared fetch proxy at `server/router/proxy.js`; injecting the bearer token through a generic proxy would widen its trust boundary unnecessarily
+
 Important notes:
 
 - `extensions_load` resolves module-owned `ext/...` request paths through the shared layered override system and supports grouped request batches
diff --git a/server/api/anthropic_subscription_completions.js b/server/api/anthropic_subscription_completions.js
new file mode 100644
index 00000000..01b03c5d
--- /dev/null
+++ b/server/api/anthropic_subscription_completions.js
@@ -0,0 +1,473 @@
+// POST /api/anthropic_subscription_completions
+//
+// Authenticated chat-completion endpoint backed by the user's Claude
+// subscription OAuth tokens. The frontend sends an OpenAI chat-completions
+// shape; this handler:
+//
+//   - validates the session
+//   - loads (and refreshes if needed) the user's encrypted Anthropic
+//     access token
+//   - translates the OpenAI request body into the Anthropic Messages API
+//     shape
+//   - calls https://api.anthropic.com/v1/messages with the OAuth bearer
+//     token and the required `anthropic-beta` and `anthropic-version`
+//     headers
+//   - translates the Anthropic event-stream back into OpenAI
+//     chat-completion stream chunks so the existing browser fetch reader
+//     in admin/views/agent/api.js and onscreen_agent/api.js does not need
+//     to change
+//
+// All OAuth-specific concerns are isolated here. The shared fetch proxy
+// is intentionally not modified, so its public contract stays narrow.
+
+import { getActiveAccessToken } from "../lib/auth/anthropic_oauth.js";
+import { applyApiCorsHeaders } from "../router/cors.js";
+
+const ANTHROPIC_BETA_HEADER = "oauth-2025-04-20";
+const ANTHROPIC_VERSION_HEADER = "2023-06-01";
+const ANTHROPIC_DEFAULT_MAX_TOKENS = 8192;
+
+// The Claude subscription OAuth beta requires the system prompt to begin
+// with the Claude Code identifier so the upstream can verify requests are
+// coming from a Claude Code-shaped client. We inject the required prefix
+// as the first element of the Anthropic `system` array and keep the
+// caller's actual system prompt as a separate text block, so user-authored
+// system instructions remain visible to the model.
+const ANTHROPIC_OAUTH_CLAUDE_CODE_PREFIX = "You are Claude Code, Anthropic's official CLI for Claude.";
+
+function createHttpError(message, statusCode) {
+  const error = new Error(message);
+  error.statusCode = statusCode;
+  return error;
+}
+
+function isAnthropicOauthAllowed(runtimeParams) {
+  return Boolean(
+    runtimeParams && typeof runtimeParams.get === "function" && runtimeParams.get("ANTHROPIC_OAUTH_ALLOWED", true)
+  );
+}
+
+function getAnthropicApiBaseUrl(runtimeParams) {
+  if (!runtimeParams || typeof runtimeParams.get !== "function") {
+    return "https://api.anthropic.com";
+  }
+  const value = String(runtimeParams.get("ANTHROPIC_API_BASE_URL") || "").trim();
+  return value || "https://api.anthropic.com";
+}
+
+function extractTextContent(value) {
+  if (typeof value === "string") {
+    return value;
+  }
+  if (!Array.isArray(value)) {
+    return "";
+  }
+  return value
+    .map((part) => {
+      if (typeof part === "string") {
+        return part;
+      }
+      if (part && typeof part.text === "string") {
+        return part.text;
+      }
+      return "";
+    })
+    .join("");
+}
+
+function buildAnthropicMessages(openaiMessages = []) {
+  const systemTexts = [];
+  const messages = [];
+
+  for (const raw of Array.isArray(openaiMessages) ? openaiMessages : []) {
+    if (!raw || typeof raw !== "object") {
+      continue;
+    }
+    const role = raw.role;
+    const text = extractTextContent(raw.content || "");
+    if (role === "system") {
+      if (text.trim()) {
+        systemTexts.push(text);
+      }
+      continue;
+    }
+    if (role !== "user" && role !== "assistant") {
+      continue;
+    }
+    if (!text.trim() && role === "user") {
+      continue;
+    }
+    messages.push({
+      role,
+      content: [
+        {
+          type: "text",
+          text
+        }
+      ]
+    });
+  }
+
+  // Anthropic requires the conversation to start with a user turn. If the
+  // first turn is an assistant message (e.g. resuming a saved thread),
+  // prepend an empty user turn so the upstream accepts the request.
+  if (messages.length === 0) {
+    messages.push({
+      role: "user",
+      content: [{ type: "text", text: "" }]
+    });
+  } else if (messages[0].role !== "user") {
+    messages.unshift({
+      role: "user",
+      content: [{ type: "text", text: "" }]
+    });
+  }
+
+  return {
+    messages,
+    systemTexts
+  };
+}
+
+function buildAnthropicRequestBody({ openaiBody, settings }) {
+  const { messages, systemTexts } = buildAnthropicMessages(openaiBody?.messages);
+
+  const anthropicBody = {
+    model: String(openaiBody?.model || "").trim() || "claude-sonnet-4-6",
+    max_tokens:
+      Number.isFinite(Number(openaiBody?.max_tokens)) && Number(openaiBody.max_tokens) > 0
+        ? Number(openaiBody.max_tokens)
+        : ANTHROPIC_DEFAULT_MAX_TOKENS,
+    messages,
+    stream: true,
+    system: [
+      { type: "text", text: ANTHROPIC_OAUTH_CLAUDE_CODE_PREFIX },
+      ...systemTexts.map((text) => ({ type: "text", text }))
+    ]
+  };
+
+  // Note on sampling parameters: the Claude subscription OAuth endpoint
+  // is intentionally opinionated about sampling. Newer models (e.g. Opus
+  // 4.7 onward) reject `temperature` and `top_p` outright with
+  // "`temperature` is deprecated for this model". Older models still
+  // accept them but the subscription tier picks tuned defaults that the
+  // user's settings would only override when they have an opinion. Since
+  // the subscription UI deliberately hides the params field, never
+  // forward `temperature`, `top_p`, or `stop_sequences` on this code
+  // path — the API-key provider remains the place to tune sampling.
+
+  return anthropicBody;
+}
+
+function mapAnthropicStopReason(stopReason) {
+  if (typeof stopReason !== "string") {
+    return null;
+  }
+  switch (stopReason) {
+    case "end_turn":
+    case "stop_sequence":
+      return "stop";
+    case "max_tokens":
+      return "length";
+    case "tool_use":
+      return "tool_calls";
+    default:
+      return stopReason;
+  }
+}
+
+function encodeOpenaiSseChunk(payload) {
+  return `data: ${JSON.stringify(payload)}\n\n`;
+}
+
+function buildOpenaiTextChunk({ id, model, text }) {
+  return {
+    id,
+    object: "chat.completion.chunk",
+    created: Math.floor(Date.now() / 1000),
+    model,
+    choices: [
+      {
+        index: 0,
+        delta: { content: text },
+        finish_reason: null
+      }
+    ]
+  };
+}
+
+function buildOpenaiFinishChunk({ id, model, finishReason }) {
+  return {
+    id,
+    object: "chat.completion.chunk",
+    created: Math.floor(Date.now() / 1000),
+    model,
+    choices: [
+      {
+        index: 0,
+        delta: {},
+        finish_reason: finishReason || "stop"
+      }
+    ]
+  };
+}
+
+function readSseEventBlocks(reader, decoder, buffer) {
+  const events = [];
+  let updatedBuffer = buffer;
+  let boundary = updatedBuffer.indexOf("\n\n");
+  while (boundary !== -1) {
+    const eventBlock = updatedBuffer.slice(0, boundary).trim();
+    updatedBuffer = updatedBuffer.slice(boundary + 2);
+    if (eventBlock) {
+      events.push(eventBlock);
+    }
+    boundary = updatedBuffer.indexOf("\n\n");
+  }
+  return { events, updatedBuffer };
+}
+
+function parseAnthropicEventBlock(eventBlock) {
+  const lines = eventBlock.split(/\r?\n/u);
+  let dataText = "";
+  for (const line of lines) {
+    if (line.startsWith("data:")) {
+      const value = line.slice(5).trim();
+      if (value) {
+        dataText += dataText ? `\n${value}` : value;
+      }
+    }
+  }
+  if (!dataText) {
+    return null;
+  }
+  try {
+    return JSON.parse(dataText);
+  } catch {
+    return null;
+  }
+}
+
+async function pipeAnthropicStreamAsOpenai({ res, upstreamResponse, model }) {
+  const id = `chatcmpl-${Date.now()}-${Math.random().toString(16).slice(2, 8)}`;
+  const decoder = new TextDecoder();
+  let buffer = "";
+  let finishReason = "stop";
+
+  res.write(encodeOpenaiSseChunk({
+    id,
+    object: "chat.completion.chunk",
+    created: Math.floor(Date.now() / 1000),
+    model,
+    choices: [{ index: 0, delta: { role: "assistant", content: "" }, finish_reason: null }]
+  }));
+
+  const reader = upstreamResponse.body.getReader();
+  let done = false;
+  while (!done) {
+    const { value, done: readerDone } = await reader.read();
+    done = readerDone;
+    buffer += decoder.decode(value || new Uint8Array(), { stream: !done });
+    const { events, updatedBuffer } = readSseEventBlocks(reader, decoder, buffer);
+    buffer = updatedBuffer;
+
+    for (const eventBlock of events) {
+      const payload = parseAnthropicEventBlock(eventBlock);
+      if (!payload || typeof payload !== "object") {
+        continue;
+      }
+      if (payload.type === "content_block_delta") {
+        const deltaText =
+          payload?.delta?.type === "text_delta" && typeof payload.delta.text === "string"
+            ? payload.delta.text
+            : "";
+        if (deltaText) {
+          res.write(encodeOpenaiSseChunk(buildOpenaiTextChunk({ id, model, text: deltaText })));
+        }
+      } else if (payload.type === "message_delta") {
+        const mapped = mapAnthropicStopReason(payload?.delta?.stop_reason);
+        if (mapped) {
+          finishReason = mapped;
+        }
+      } else if (payload.type === "message_stop") {
+        // emitted below as a single finish chunk plus [DONE]
+      } else if (payload.type === "error") {
+        const message =
+          payload?.error?.message || payload?.message || "Anthropic stream error.";
+        res.write(encodeOpenaiSseChunk({
+          id,
+          object: "chat.completion.chunk",
+          created: Math.floor(Date.now() / 1000),
+          model,
+          choices: [
+            {
+              index: 0,
+              delta: { content: `\n[anthropic-stream-error] ${message}` },
+              finish_reason: "stop"
+            }
+          ]
+        }));
+      }
+    }
+  }
+
+  res.write(encodeOpenaiSseChunk(buildOpenaiFinishChunk({ id, model, finishReason })));
+  res.write("data: [DONE]\n\n");
+  res.end();
+}
+
+async function callAnthropicMessages({ accessToken, runtimeParams, requestBody }) {
+  const baseUrl = getAnthropicApiBaseUrl(runtimeParams).replace(/\/+$/u, "");
+  const upstreamUrl = `${baseUrl}/v1/messages`;
+
+  return fetch(upstreamUrl, {
+    method: "POST",
+    headers: {
+      "Authorization": `Bearer ${accessToken}`,
+      "anthropic-beta": ANTHROPIC_BETA_HEADER,
+      "anthropic-version": ANTHROPIC_VERSION_HEADER,
+      "content-type": "application/json",
+      "accept": "text/event-stream"
+    },
+    body: JSON.stringify(requestBody)
+  });
+}
+
+async function readJsonError(response) {
+  try {
+    const payload = await response.json();
+    return payload && typeof payload === "object"
+      ? payload?.error?.message || payload?.error || JSON.stringify(payload)
+      : `HTTP ${response.status}`;
+  } catch {
+    return `HTTP ${response.status}`;
+  }
+}
+
+async function streamAnthropicSubscriptionCompletion({ context, requestBody, accessToken }) {
+  const upstreamResponse = await callAnthropicMessages({
+    accessToken,
+    runtimeParams: context.runtimeParams,
+    requestBody
+  });
+
+  if (!upstreamResponse.ok) {
+    const detail = await readJsonError(upstreamResponse);
+    if (upstreamResponse.status === 401) {
+      // try one refresh + retry
+      const refreshed = await getActiveAccessToken({
+        force: true,
+        projectRoot: context.projectRoot,
+        runtimeParams: context.runtimeParams,
+        username: context.user.username
+      });
+      if (refreshed.accessToken) {
+        const retryResponse = await callAnthropicMessages({
+          accessToken: refreshed.accessToken,
+          runtimeParams: context.runtimeParams,
+          requestBody
+        });
+        if (retryResponse.ok) {
+          return retryResponse;
+        }
+        const retryDetail = await readJsonError(retryResponse);
+        throw createHttpError(`Claude subscription request failed: ${retryDetail}`, retryResponse.status);
+      }
+    }
+    throw createHttpError(`Claude subscription request failed: ${detail}`, upstreamResponse.status);
+  }
+
+  return upstreamResponse;
+}
+
+export async function post(context) {
+  if (!context?.user?.isAuthenticated) {
+    throw createHttpError("Authentication required.", 401);
+  }
+  if (!isAnthropicOauthAllowed(context.runtimeParams)) {
+    throw createHttpError("Claude subscription provider is disabled in this system.", 403);
+  }
+
+  const username = String(context.user.username || "").trim();
+  if (!username) {
+    throw createHttpError("Authentication required.", 401);
+  }
+
+  const { accessToken, record } = await getActiveAccessToken({
+    projectRoot: context.projectRoot,
+    runtimeParams: context.runtimeParams,
+    username
+  });
+
+  if (!accessToken) {
+    throw createHttpError(
+      record
+        ? "Claude subscription token could not be refreshed. Reconnect your Claude account."
+        : "Connect your Claude subscription before sending a message.",
+      401
+    );
+  }
+
+  const openaiBody =
+    context.body && typeof context.body === "object" && !Buffer.isBuffer(context.body)
+      ? context.body
+      : {};
+  const requestBody = buildAnthropicRequestBody({
+    openaiBody,
+    settings: openaiBody
+  });
+
+  const res = context.res;
+  if (!res || typeof res.writeHead !== "function") {
+    throw createHttpError("Streaming response is not supported on this transport.", 500);
+  }
+
+  let upstreamResponse;
+  try {
+    upstreamResponse = await streamAnthropicSubscriptionCompletion({
+      context,
+      requestBody,
+      accessToken
+    });
+  } catch (error) {
+    if (Number.isFinite(error?.statusCode)) {
+      throw error;
+    }
+    throw createHttpError(error?.message || "Claude subscription request failed.", 502);
+  }
+
+  applyApiCorsHeaders(res);
+  res.writeHead(200, {
+    "Cache-Control": "no-store",
+    "Connection": "keep-alive",
+    "Content-Type": "text/event-stream; charset=utf-8"
+  });
+
+  try {
+    await pipeAnthropicStreamAsOpenai({
+      res,
+      upstreamResponse,
+      model: requestBody.model
+    });
+  } catch (error) {
+    if (!res.writableEnded) {
+      try {
+        res.write(`data: ${JSON.stringify({
+          choices: [
+            {
+              index: 0,
+              delta: { content: `\n[anthropic-stream-error] ${error?.message || "stream failed"}` },
+              finish_reason: "stop"
+            }
+          ]
+        })}\n\n`);
+        res.write("data: [DONE]\n\n");
+      } catch {
+        // fall through to end()
+      }
+      res.end();
+    }
+  }
+
+  return undefined;
+}
diff --git a/server/api/oauth_anthropic_authorize.js b/server/api/oauth_anthropic_authorize.js
new file mode 100644
index 00000000..8eb7c5e2
--- /dev/null
+++ b/server/api/oauth_anthropic_authorize.js
@@ -0,0 +1,91 @@
+// POST /api/oauth_anthropic_authorize
+//
+// Starts a Claude subscription OAuth flow for the authenticated user.
+// Generates a PKCE verifier plus opaque state token, caches them in the
+// shared state system under the per-user OAuth state area, and returns
+// the authorize URL plus the state token plus the resolved flow mode.
+//
+// Flow modes:
+//   - "redirect": the popup is sent back to /api/oauth_anthropic_callback
+//     directly with ?code=...&state=...; the server completes the
+//     exchange and posts a message back to the opener window. No
+//     copy-paste required. Used by default on localhost.
+//   - "paste": the popup ends on Anthropic's hosted code page; the user
+//     copies the displayed code into the Space Agent dialog. Used as a
+//     fallback when the deployment's host is not localhost so Anthropic
+//     does not need to allowlist arbitrary URLs.
+
+import { buildAuthorizeContext } from "../lib/auth/anthropic_oauth.js";
+
+function createHttpError(message, statusCode) {
+  const error = new Error(message);
+  error.statusCode = statusCode;
+  return error;
+}
+
+function isAnthropicOauthAllowed(runtimeParams) {
+  return Boolean(
+    runtimeParams && typeof runtimeParams.get === "function" && runtimeParams.get("ANTHROPIC_OAUTH_ALLOWED", true)
+  );
+}
+
+function resolveRequestProtocol(req) {
+  if (req?.socket?.encrypted) {
+    return "https";
+  }
+  const forwarded = String(req?.headers?.["x-forwarded-proto"] || "").split(",")[0].trim().toLowerCase();
+  return forwarded === "https" ? "https" : "http";
+}
+
+function resolveRequestHost(req) {
+  const forwarded = String(req?.headers?.["x-forwarded-host"] || "").split(",")[0].trim();
+  if (forwarded) {
+    return forwarded;
+  }
+  return String(req?.headers?.host || "").trim() || "localhost";
+}
+
+export async function post(context) {
+  if (!context?.user?.isAuthenticated) {
+    throw createHttpError("Authentication required.", 401);
+  }
+  if (!isAnthropicOauthAllowed(context.runtimeParams)) {
+    throw createHttpError("Claude subscription OAuth is disabled in this system.", 403);
+  }
+
+  const username = String(context.user.username || "").trim();
+  if (!username) {
+    throw createHttpError("Authentication required.", 401);
+  }
+
+  const requestHost = resolveRequestHost(context.req);
+  const requestProtocol = resolveRequestProtocol(context.req);
+
+  const { authorizeUrl, codeVerifier, state, endpoints, flowMode, redirectUri } = buildAuthorizeContext(
+    context.runtimeParams,
+    {
+      requestHost,
+      requestProtocol
+    }
+  );
+
+  await context.auth.storeAnthropicOauthState(state, {
+    codeVerifier,
+    flowMode,
+    redirectUri,
+    username
+  });
+
+  return {
+    status: 200,
+    headers: {
+      "Cache-Control": "no-store"
+    },
+    body: {
+      authorizeUrl,
+      flowMode,
+      redirectUri,
+      state
+    }
+  };
+}
diff --git a/server/api/oauth_anthropic_callback.js b/server/api/oauth_anthropic_callback.js
new file mode 100644
index 00000000..2986eed4
--- /dev/null
+++ b/server/api/oauth_anthropic_callback.js
@@ -0,0 +1,234 @@
+// Two-mode callback endpoint for the Claude subscription OAuth flow.
+//
+//   GET  /api/oauth_anthropic_callback?code=...&state=[&error=...]
+//     Used by the redirect-mode popup. Anthropic redirects the popup
+//     here directly. The handler exchanges the code, stores the sealed
+//     tokens, and returns a tiny HTML page that posts a result message
+//     to the opener window and closes itself.
+//
+//   POST /api/oauth_anthropic_callback {code, state}
+//     Used by the paste-mode dialog. The browser POSTs the
+//     user-entered code plus state from the connect block as JSON.
+//
+// Both code paths share the same exchange + persist logic.
+
+import {
+  ANTHROPIC_OAUTH_FLOW_MODE_REDIRECT,
+  connectWithAuthorizationCode,
+  getStatusForUser
+} from "../lib/auth/anthropic_oauth.js";
+import { runTrackedMutation } from "../runtime/request_mutations.js";
+
+function createHttpError(message, statusCode) {
+  const error = new Error(message);
+  error.statusCode = statusCode;
+  return error;
+}
+
+function isAnthropicOauthAllowed(runtimeParams) {
+  return Boolean(
+    runtimeParams && typeof runtimeParams.get === "function" && runtimeParams.get("ANTHROPIC_OAUTH_ALLOWED", true)
+  );
+}
+
+function escapeHtml(value) {
+  return String(value || "")
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#39;");
+}
+
+function renderCallbackHtml({ success, error }) {
+  const safeError = escapeHtml(error || "");
+  const messagePayload = JSON.stringify({
+    type: "space-anthropic-oauth-complete",
+    success: Boolean(success),
+    error: success ? null : String(error || "Unknown error")
+  });
+  const closeScript = success
+    ? "setTimeout(function(){ try { window.close(); } catch (e) {} }, 600);"
+    : "";
+
+  const body = `<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <title>${success ? "Connected to Claude" : "Could not connect"}</title>
+    <style>
+      :root { color-scheme: light dark; }
+      body {
+        font-family: ui-sans-serif, system-ui, -apple-system, "Segoe UI", Roboto, sans-serif;
+        max-width: 32rem;
+        margin: 0 auto;
+        padding: 3rem 1.5rem;
+        line-height: 1.5;
+      }
+      h1 { font-size: 1.25rem; margin: 0 0 0.5rem; }
+      p { margin: 0.25rem 0; color: #555; }
+      .ok { color: #15803d; }
+      .err { color: #b91c1c; }
+      .hint { font-size: 0.85rem; color: #666; margin-top: 1rem; }
+      @media (prefers-color-scheme: dark) {
+        body { color: #e5e5e5; }
+        p { color: #c5c5c5; }
+        .ok { color: #4ade80; }
+        .err { color: #f87171; }
+        .hint { color: #a3a3a3; }
+      }
+    </style>
+  </head>
+  <body>
+    <h1 class="${success ? "ok" : "err"}">${success ? "Connected to Claude" : "Could not connect"}</h1>
+    <p>${
+      success
+        ? "Your Claude subscription is now linked to Space Agent."
+        : `Space Agent couldn't finish the connect: ${safeError}`
+    }</p>
+    <p class="hint">${
+      success
+        ? "This window will close automatically. If it doesn't, you can close it yourself."
+        : "Close this window and click Connect with Claude again from the Space Agent settings dialog."
+    }</p>
+    <script>
+(function(){
+  try {
+    if (window.opener && !window.opener.closed) {
+      window.opener.postMessage(${messagePayload}, "*");
+    }
+  } catch (e) {}
+  ${closeScript}
+})();
+    </script>
+  </body>
+</html>`;
+
+  return {
+    status: 200,
+    headers: {
+      "Cache-Control": "no-store",
+      "Content-Type": "text/html; charset=utf-8"
+    },
+    body
+  };
+}
+
+async function exchangeAndPersist(context, { code, state }) {
+  if (!context?.user?.isAuthenticated) {
+    throw createHttpError("You must sign in to Space Agent before connecting Claude.", 401);
+  }
+  if (!isAnthropicOauthAllowed(context.runtimeParams)) {
+    throw createHttpError("Claude subscription OAuth is disabled in this system.", 403);
+  }
+
+  const username = String(context.user.username || "").trim();
+  if (!username) {
+    throw createHttpError("You must sign in to Space Agent before connecting Claude.", 401);
+  }
+
+  const normalizedCode = String(code || "").trim();
+  const normalizedState = String(state || "").trim();
+  if (!normalizedCode || !normalizedState) {
+    throw createHttpError("The Claude connect was missing its authorization code or state token. Try connecting again.", 400);
+  }
+
+  const cached = await context.auth.consumeAnthropicOauthState(normalizedState);
+  if (!cached) {
+    throw createHttpError(
+      "This Claude connect session expired or was already used. Click Connect with Claude again to start fresh.",
+      400
+    );
+  }
+  if (cached.username && cached.username !== username) {
+    throw createHttpError("This Claude connect session belongs to a different Space Agent user.", 403);
+  }
+
+  const codeVerifier = String(cached.codeVerifier || "").trim();
+  if (!codeVerifier) {
+    throw createHttpError("This Claude connect session was incomplete. Click Connect with Claude again.", 400);
+  }
+
+  await runTrackedMutation(context, async () =>
+    connectWithAuthorizationCode({
+      code: normalizedCode,
+      state: normalizedState,
+      codeVerifier,
+      redirectUri: cached.redirectUri,
+      projectRoot: context.projectRoot,
+      runtimeParams: context.runtimeParams,
+      username
+    })
+  );
+
+  return getStatusForUser({
+    projectRoot: context.projectRoot,
+    runtimeParams: context.runtimeParams,
+    username
+  });
+}
+
+// Some pasted-code submissions arrive from Anthropic's hosted code page
+// formatted as `<code>#<state>` (the page shows the two values joined by
+// `#`). Accept that form too so users who copy the whole displayed string
+// don't have to split it themselves.
+function splitPastedCode(rawCode, fallbackState) {
+  const text = String(rawCode || "").trim();
+  if (!text) {
+    return { code: "", state: fallbackState || "" };
+  }
+  const hashIndex = text.indexOf("#");
+  if (hashIndex === -1) {
+    return { code: text, state: fallbackState || "" };
+  }
+  return {
+    code: text.slice(0, hashIndex).trim(),
+    state: text.slice(hashIndex + 1).trim() || fallbackState || ""
+  };
+}
+
+export async function post(context) {
+  const payload =
+    context.body && typeof context.body === "object" && !Buffer.isBuffer(context.body)
+      ? context.body
+      : {};
+  const { code, state } = splitPastedCode(payload.code, payload.state);
+
+  const status = await exchangeAndPersist(context, { code, state });
+
+  return {
+    status: 200,
+    headers: {
+      "Cache-Control": "no-store"
+    },
+    body: {
+      connected: true,
+      status
+    }
+  };
+}
+
+export async function get(context) {
+  const code = String(context.params?.code || "").trim();
+  const state = String(context.params?.state || "").trim();
+  const errorParam = String(context.params?.error || "").trim();
+  const errorDescription = String(context.params?.error_description || "").trim();
+
+  if (errorParam) {
+    return renderCallbackHtml({
+      success: false,
+      error: errorDescription || errorParam
+    });
+  }
+
+  try {
+    await exchangeAndPersist(context, { code, state });
+    return renderCallbackHtml({ success: true });
+  } catch (error) {
+    return renderCallbackHtml({
+      success: false,
+      error: error?.message || "Could not finish the Claude connect."
+    });
+  }
+}
diff --git a/server/api/oauth_anthropic_disconnect.js b/server/api/oauth_anthropic_disconnect.js
new file mode 100644
index 00000000..2b3a71ab
--- /dev/null
+++ b/server/api/oauth_anthropic_disconnect.js
@@ -0,0 +1,46 @@
+// POST /api/oauth_anthropic_disconnect
+//
+// Removes the stored Claude subscription tokens for the authenticated user.
+// The encrypted file at /app/L2/<username>/meta/anthropic_oauth.json is
+// deleted, the change is published through the shared mutation flow, and
+// the UI returns to the disconnected state. Existing chat history is not
+// touched because tokens are independent of conversation data.
+
+import { disconnectUser } from "../lib/auth/anthropic_oauth.js";
+import { runTrackedMutation } from "../runtime/request_mutations.js";
+
+function createHttpError(message, statusCode) {
+  const error = new Error(message);
+  error.statusCode = statusCode;
+  return error;
+}
+
+export async function post(context) {
+  if (!context?.user?.isAuthenticated) {
+    throw createHttpError("Authentication required.", 401);
+  }
+
+  const username = String(context.user.username || "").trim();
+  if (!username) {
+    throw createHttpError("Authentication required.", 401);
+  }
+
+  const result = await runTrackedMutation(context, async () =>
+    disconnectUser({
+      projectRoot: context.projectRoot,
+      runtimeParams: context.runtimeParams,
+      username
+    })
+  );
+
+  return {
+    status: 200,
+    headers: {
+      "Cache-Control": "no-store"
+    },
+    body: {
+      changed: Boolean(result?.changed),
+      connected: false
+    }
+  };
+}
diff --git a/server/api/oauth_anthropic_status.js b/server/api/oauth_anthropic_status.js
new file mode 100644
index 00000000..43d43236
--- /dev/null
+++ b/server/api/oauth_anthropic_status.js
@@ -0,0 +1,60 @@
+// GET /api/oauth_anthropic_status
+//
+// Returns the current Claude subscription OAuth status for the
+// authenticated user. The response never includes tokens; only the
+// metadata the UI needs to render the connect dialog: whether a
+// connection exists, the account email, expiry timestamp, scope, and
+// organization metadata.
+
+import { getStatusForUser } from "../lib/auth/anthropic_oauth.js";
+
+function createHttpError(message, statusCode) {
+  const error = new Error(message);
+  error.statusCode = statusCode;
+  return error;
+}
+
+function isAnthropicOauthAllowed(runtimeParams) {
+  return Boolean(
+    runtimeParams && typeof runtimeParams.get === "function" && runtimeParams.get("ANTHROPIC_OAUTH_ALLOWED", true)
+  );
+}
+
+export async function get(context) {
+  if (!context?.user?.isAuthenticated) {
+    throw createHttpError("Authentication required.", 401);
+  }
+
+  const username = String(context.user.username || "").trim();
+  const allowed = isAnthropicOauthAllowed(context.runtimeParams);
+
+  if (!username || !allowed) {
+    return {
+      status: 200,
+      headers: {
+        "Cache-Control": "no-store"
+      },
+      body: {
+        allowed,
+        connected: false
+      }
+    };
+  }
+
+  const status = await getStatusForUser({
+    projectRoot: context.projectRoot,
+    runtimeParams: context.runtimeParams,
+    username
+  });
+
+  return {
+    status: 200,
+    headers: {
+      "Cache-Control": "no-store"
+    },
+    body: {
+      allowed: true,
+      ...status
+    }
+  };
+}
diff --git a/server/lib/auth/AGENTS.md b/server/lib/auth/AGENTS.md
index 1faca889..a5c48b1a 100644
--- a/server/lib/auth/AGENTS.md
+++ b/server/lib/auth/AGENTS.md
@@ -12,10 +12,11 @@ Documentation is top priority for this subtree. After any change under `server/l
 
 Current files:
 
-- `service.js`: login challenge creation, login completion, backend-owned trusted session issuance for server-controlled auth flows, self-service password change, session-cookie helpers, session revocation, request-user resolution, and session-derived `userCrypto` localStorage-key derivation
+- `service.js`: login challenge creation, login completion, backend-owned trusted session issuance for server-controlled auth flows, self-service password change, session-cookie helpers, session revocation, request-user resolution, session-derived `userCrypto` localStorage-key derivation, and the small Claude subscription OAuth state-cache hooks `storeAnthropicOauthState(...)` plus `consumeAnthropicOauthState(...)` that share the same state system used for login challenges
 - `keys_manage.js`: backend-only auth-key loading from shared env injection or local fallback storage at `server/data/auth_keys.json` by default or `SPACE_AUTH_DATA_DIR/auth_keys.json` when that override is set
 - `passwords.js`: verifier and proof helpers
 - `user_crypto.js`: persistent wrapped user-key record helpers, backend-sealed server-share recovery, local backend-share cache storage, and invalidation
+- `anthropic_oauth.js`: Claude subscription OAuth helpers; PKCE challenge generation, AES-256-GCM token sealing using a key derived from the shared password seal key, the persisted record at logical `L2/<username>/meta/anthropic_oauth.json`, lazy refresh against the configured Anthropic token endpoint, and the read-only status helper used by the API endpoints; this module never returns plaintext tokens to the browser and never touches the password seal key directly outside of its own derived sub-key
 - `user_files.js`: canonical `L2/<username>/user.yaml` and `meta/` read or write helpers
 - `user_index.js`: derived user and session index snapshot builder
 - `user_manage.js`: create user, delete user, set password, and create guest user helpers
@@ -28,6 +29,7 @@ Current user storage layout:
 - password verifier envelope: logical `L2/<username>/meta/password.json`
 - active session verifiers: logical `L2/<username>/meta/logins.json`
 - wrapped browser-encryption record: logical `L2/<username>/meta/user_crypto.json`
+- Claude subscription OAuth tokens (when connected): logical `L2/<username>/meta/anthropic_oauth.json`, AES-256-GCM sealed with a key derived from the shared password seal key
 - user-owned modules: logical `L2/<username>/mod/`
 - on disk those files live under `CUSTOMWARE_PATH/L2/...` when `CUSTOMWARE_PATH` is configured, otherwise under repo `app/L2/...`
 - backend-only auth keys live outside the logical app tree and come from either shared process env injection via `SPACE_AUTH_PASSWORD_SEAL_KEY` and `SPACE_AUTH_SESSION_HMAC_KEY`, or the gitignored local fallback `server/data/auth_keys.json`, unless `SPACE_AUTH_DATA_DIR` relocates that fallback root
diff --git a/server/lib/auth/anthropic_oauth.js b/server/lib/auth/anthropic_oauth.js
new file mode 100644
index 00000000..668d0004
--- /dev/null
+++ b/server/lib/auth/anthropic_oauth.js
@@ -0,0 +1,667 @@
+// Anthropic OAuth integration for the optional "Claude subscription" LLM
+// provider. The browser owns the user-facing flow; this module owns:
+//
+//   - PKCE challenge generation and exchange
+//   - access_token / refresh_token storage, sealed at rest with the same
+//     password_seal_key used by user_crypto server shares
+//   - lazy refresh when the access token is near expiry or rejected
+//   - the OAuth endpoint configuration that subscription requests use
+//
+// Tokens for a given user live at the logical app path
+//   /app/L2/<username>/meta/anthropic_oauth.json
+// and are encrypted with AES-256-GCM. The plaintext access_token never
+// touches disk and never reaches the browser; it is injected server-side
+// when the user issues a chat completion through the dedicated subscription
+// endpoint.
+
+import fs from "node:fs";
+import {
+  createCipheriv,
+  createDecipheriv,
+  createHash,
+  randomBytes
+} from "node:crypto";
+
+import { recordAppPathMutations } from "../customware/git_history.js";
+import { loadAuthKeys } from "./keys_manage.js";
+import {
+  buildUserAbsolutePath,
+  normalizeUsername
+} from "./user_files.js";
+
+const ANTHROPIC_OAUTH_FILENAME = "anthropic_oauth.json";
+const ANTHROPIC_OAUTH_SEAL_AAD_PREFIX = "space-anthropic-oauth-v1";
+const ANTHROPIC_OAUTH_SEAL_IV_LENGTH = 12;
+const ANTHROPIC_OAUTH_RECORD_VERSION = 1;
+const ANTHROPIC_OAUTH_REFRESH_LEAD_MS = 60 * 1000;
+
+const ANTHROPIC_OAUTH_FLOW_MODE_AUTO = "auto";
+const ANTHROPIC_OAUTH_FLOW_MODE_PASTE = "paste";
+const ANTHROPIC_OAUTH_FLOW_MODE_REDIRECT = "redirect";
+
+// Local hostnames where Claude Code's public OAuth client is known to
+// allow `http://<host>:<port>/...` redirect URIs. When Space Agent is
+// served from one of these we can use a button-only flow that lets
+// Anthropic redirect back to /api/oauth_anthropic_callback directly.
+const LOCAL_HOSTNAME_PATTERN = /^(localhost|127\.0\.0\.1|0\.0\.0\.0|::1)$/u;
+
+// Defaults match the published Claude Code OAuth client. They are
+// configurable through runtime params so a maintainer with their own
+// registered Anthropic OAuth application can override the public defaults.
+const DEFAULT_ANTHROPIC_OAUTH_CLIENT_ID = "9d1c250a-e61b-44d9-88ed-5944d1962f5e";
+const DEFAULT_ANTHROPIC_OAUTH_AUTHORIZE_URL = "https://claude.ai/oauth/authorize";
+const DEFAULT_ANTHROPIC_OAUTH_TOKEN_URL = "https://console.anthropic.com/v1/oauth/token";
+const DEFAULT_ANTHROPIC_OAUTH_REDIRECT_URI = "https://console.anthropic.com/oauth/code/callback";
+const DEFAULT_ANTHROPIC_OAUTH_SCOPES = [
+  "org:create_api_key",
+  "user:profile",
+  "user:inference"
+];
+const ANTHROPIC_OAUTH_USER_AGENT = "space-agent/anthropic-oauth";
+
+function encodeBase64Url(value) {
+  return Buffer.from(value).toString("base64url");
+}
+
+function decodeBase64Url(value) {
+  return Buffer.from(String(value || ""), "base64url");
+}
+
+function getTokenSealKey(authKeys) {
+  const passwordSealKey = authKeys?.passwordSealKey;
+
+  if (!Buffer.isBuffer(passwordSealKey) || passwordSealKey.length === 0) {
+    throw new Error("Password seal key is unavailable.");
+  }
+
+  return createHash("sha256").update(ANTHROPIC_OAUTH_SEAL_AAD_PREFIX).update(passwordSealKey).digest();
+}
+
+function buildSealAad(username) {
+  return Buffer.from(
+    JSON.stringify({
+      prefix: ANTHROPIC_OAUTH_SEAL_AAD_PREFIX,
+      username: String(username || ""),
+      version: ANTHROPIC_OAUTH_RECORD_VERSION
+    })
+  );
+}
+
+function sealTokenPayload(plainText, username, authKeys) {
+  const iv = randomBytes(ANTHROPIC_OAUTH_SEAL_IV_LENGTH);
+  const cipher = createCipheriv("aes-256-gcm", getTokenSealKey(authKeys), iv);
+  cipher.setAAD(buildSealAad(username));
+  const ciphertext = Buffer.concat([
+    cipher.update(Buffer.from(String(plainText || ""), "utf8")),
+    cipher.final()
+  ]);
+
+  return {
+    ciphertext: encodeBase64Url(ciphertext),
+    iv: encodeBase64Url(iv),
+    tag: encodeBase64Url(cipher.getAuthTag())
+  };
+}
+
+function openTokenPayload(record, username, authKeys) {
+  if (!record || !record.ciphertext || !record.iv || !record.tag) {
+    return "";
+  }
+
+  try {
+    const decipher = createDecipheriv("aes-256-gcm", getTokenSealKey(authKeys), decodeBase64Url(record.iv));
+    decipher.setAAD(buildSealAad(username));
+    decipher.setAuthTag(decodeBase64Url(record.tag));
+    const plain = Buffer.concat([
+      decipher.update(decodeBase64Url(record.ciphertext)),
+      decipher.final()
+    ]);
+    return plain.toString("utf8");
+  } catch {
+    return "";
+  }
+}
+
+function buildUserOauthFilePath(projectRoot, username, runtimeParams = null) {
+  return buildUserAbsolutePath(
+    projectRoot,
+    username,
+    `meta/${ANTHROPIC_OAUTH_FILENAME}`,
+    runtimeParams
+  );
+}
+
+function buildUserOauthProjectPath(username) {
+  const normalizedUsername = normalizeUsername(username);
+  if (!normalizedUsername) {
+    return "";
+  }
+  return `/app/L2/${normalizedUsername}/meta/${ANTHROPIC_OAUTH_FILENAME}`;
+}
+
+function readUserOauthFile(projectRoot, username, runtimeParams = null) {
+  try {
+    const filePath = buildUserOauthFilePath(projectRoot, username, runtimeParams);
+    const text = fs.readFileSync(filePath, "utf8").trim();
+    if (!text) {
+      return null;
+    }
+    const parsed = JSON.parse(text);
+    return parsed && typeof parsed === "object" && !Array.isArray(parsed) ? parsed : null;
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return null;
+    }
+    return null;
+  }
+}
+
+function writeUserOauthFile(projectRoot, username, record, runtimeParams = null) {
+  const filePath = buildUserOauthFilePath(projectRoot, username, runtimeParams);
+  const dirPath = buildUserAbsolutePath(projectRoot, username, "meta", runtimeParams);
+  fs.mkdirSync(dirPath, {
+    mode: 0o700,
+    recursive: true
+  });
+  fs.writeFileSync(filePath, `${JSON.stringify(record, null, 2)}\n`, {
+    encoding: "utf8",
+    mode: 0o600
+  });
+  return filePath;
+}
+
+function deleteUserOauthFile(projectRoot, username, runtimeParams = null) {
+  const filePath = buildUserOauthFilePath(projectRoot, username, runtimeParams);
+  try {
+    fs.statSync(filePath);
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return false;
+    }
+    return false;
+  }
+  try {
+    fs.rmSync(filePath, { force: true });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+function normalizeIsoTimestamp(value) {
+  const parsed = Date.parse(String(value || ""));
+  return Number.isFinite(parsed) ? new Date(parsed).toISOString() : "";
+}
+
+function buildPersistableRecord({
+  accessTokenSealed,
+  refreshTokenSealed,
+  expiresAt,
+  scope,
+  accountEmail,
+  organizationId,
+  organizationName,
+  obtainedAt
+}) {
+  return {
+    version: ANTHROPIC_OAUTH_RECORD_VERSION,
+    access_token: accessTokenSealed,
+    refresh_token: refreshTokenSealed,
+    expires_at: expiresAt,
+    scope: typeof scope === "string" ? scope : "",
+    account_email: typeof accountEmail === "string" ? accountEmail : "",
+    organization_id: typeof organizationId === "string" ? organizationId : "",
+    organization_name: typeof organizationName === "string" ? organizationName : "",
+    obtained_at: obtainedAt || new Date().toISOString()
+  };
+}
+
+function buildOauthEndpoints(runtimeParams = null) {
+  const get = (name, fallback) => {
+    if (!runtimeParams || typeof runtimeParams.get !== "function") {
+      return fallback;
+    }
+    const value = runtimeParams.get(name);
+    return typeof value === "string" && value.trim() ? value.trim() : fallback;
+  };
+
+  return {
+    authorizeUrl: get("ANTHROPIC_OAUTH_AUTHORIZE_URL", DEFAULT_ANTHROPIC_OAUTH_AUTHORIZE_URL),
+    clientId: get("ANTHROPIC_OAUTH_CLIENT_ID", DEFAULT_ANTHROPIC_OAUTH_CLIENT_ID),
+    redirectUri: get("ANTHROPIC_OAUTH_REDIRECT_URI", DEFAULT_ANTHROPIC_OAUTH_REDIRECT_URI),
+    tokenUrl: get("ANTHROPIC_OAUTH_TOKEN_URL", DEFAULT_ANTHROPIC_OAUTH_TOKEN_URL)
+  };
+}
+
+function createPkceVerifier() {
+  return encodeBase64Url(randomBytes(32));
+}
+
+function deriveCodeChallenge(verifier) {
+  return encodeBase64Url(createHash("sha256").update(String(verifier || ""), "utf8").digest());
+}
+
+function buildAuthorizeUrl({
+  endpoints,
+  codeChallenge,
+  state,
+  redirectUri,
+  flowMode,
+  scopes = DEFAULT_ANTHROPIC_OAUTH_SCOPES
+}) {
+  const params = new URLSearchParams({
+    client_id: endpoints.clientId,
+    response_type: "code",
+    redirect_uri: String(redirectUri || endpoints.redirectUri),
+    scope: scopes.join(" "),
+    code_challenge: codeChallenge,
+    code_challenge_method: "S256",
+    state
+  });
+  // Anthropic shows the authorization code on its hosted callback page only
+  // when `code=true` is present; that flag is for the manual paste flow. In
+  // redirect mode we want the normal OAuth redirect back to our server.
+  if (flowMode !== ANTHROPIC_OAUTH_FLOW_MODE_REDIRECT) {
+    params.set("code", "true");
+  }
+  return `${endpoints.authorizeUrl}?${params.toString()}`;
+}
+
+function isLocalHostname(host) {
+  const trimmed = String(host || "").split(":")[0].trim().toLowerCase();
+  return LOCAL_HOSTNAME_PATTERN.test(trimmed);
+}
+
+function resolveFlowMode(runtimeParams, _requestHost) {
+  const explicit = String(runtimeParams?.get?.("ANTHROPIC_OAUTH_FLOW_MODE") || ANTHROPIC_OAUTH_FLOW_MODE_AUTO)
+    .trim()
+    .toLowerCase();
+  if (explicit === ANTHROPIC_OAUTH_FLOW_MODE_REDIRECT) {
+    return ANTHROPIC_OAUTH_FLOW_MODE_REDIRECT;
+  }
+  // The public Claude Code OAuth client only allowlists the Anthropic-hosted
+  // code-paste page, not arbitrary localhost callbacks, so `auto` resolves to
+  // `paste` everywhere. Redirect mode is opt-in for deployments that have
+  // registered their own Anthropic OAuth client through ANTHROPIC_OAUTH_CLIENT_ID
+  // with redirect URIs that point at this Space Agent host.
+  return ANTHROPIC_OAUTH_FLOW_MODE_PASTE;
+}
+
+function buildLocalCallbackUri({ requestProtocol, requestHost }) {
+  const protocol = requestProtocol === "https" ? "https" : "http";
+  const host = String(requestHost || "localhost").trim() || "localhost";
+  return `${protocol}://${host}/api/oauth_anthropic_callback`;
+}
+
+function friendlyOauthErrorMessage(detail, response) {
+  const text = String(detail || "").toLowerCase();
+  if (
+    text.includes("invalid 'code'") ||
+    text.includes("invalid code") ||
+    text.includes("invalid_grant") ||
+    text.includes("authorization code")
+  ) {
+    return "That authorization code didn't work. It may already have been used, expired, or been pasted incompletely. Click Connect with Claude again to start a fresh session.";
+  }
+  if (text.includes("invalid_client") || text.includes("client_id")) {
+    return "Anthropic rejected the OAuth client. Ask the Space Agent operator to confirm ANTHROPIC_OAUTH_CLIENT_ID matches a registered Anthropic application.";
+  }
+  if (text.includes("invalid redirect_uri") || text.includes("redirect_uri")) {
+    return "Anthropic rejected the redirect URL for this Space Agent host. Switch ANTHROPIC_OAUTH_FLOW_MODE to paste, or register this host's callback URL on Anthropic's side.";
+  }
+  if (text.includes("invalid scope")) {
+    return "Anthropic rejected the requested OAuth scopes. The default Claude Code scopes may have changed; update Space Agent or override the scope list.";
+  }
+  if (Number(response?.status) >= 500) {
+    return "Anthropic's OAuth service is not responding right now. Try again in a moment.";
+  }
+  return `Anthropic rejected the request: ${detail || `HTTP ${response?.status || "unknown"}`}`;
+}
+
+async function postOauthForm({ url, body }) {
+  let response;
+  try {
+    response = await fetch(url, {
+      method: "POST",
+      headers: {
+        "Accept": "application/json",
+        "Content-Type": "application/x-www-form-urlencoded",
+        "User-Agent": ANTHROPIC_OAUTH_USER_AGENT
+      },
+      body: new URLSearchParams(body).toString()
+    });
+  } catch (error) {
+    const friendly = new Error(`Could not reach Anthropic OAuth: ${error?.message || "network error"}.`);
+    friendly.statusCode = 502;
+    throw friendly;
+  }
+
+  let payload = null;
+  try {
+    payload = await response.json();
+  } catch {
+    payload = null;
+  }
+
+  if (!response.ok) {
+    const detail =
+      payload && typeof payload === "object"
+        ? payload.error_description || payload.error || JSON.stringify(payload)
+        : `HTTP ${response.status}`;
+    const error = new Error(friendlyOauthErrorMessage(detail, response));
+    error.statusCode = response.status === 400 || response.status === 401 ? 400 : 502;
+    error.cause = new Error(`Anthropic OAuth response: ${detail}`);
+    throw error;
+  }
+
+  if (!payload || typeof payload !== "object") {
+    const error = new Error("Anthropic returned an unexpected OAuth response. Try connecting again.");
+    error.statusCode = 502;
+    throw error;
+  }
+
+  return payload;
+}
+
+function tokenPayloadToRecord({
+  payload,
+  previousScope,
+  previousAccountEmail,
+  previousOrganizationId,
+  previousOrganizationName,
+  username,
+  authKeys,
+  retainRefreshToken = ""
+}) {
+  const accessToken = String(payload.access_token || "").trim();
+  const refreshToken = String(payload.refresh_token || retainRefreshToken || "").trim();
+  const expiresInSeconds = Number(payload.expires_in);
+  const expiresAtMs = Number.isFinite(expiresInSeconds) ? Date.now() + expiresInSeconds * 1000 : Date.now() + 60 * 60 * 1000;
+
+  if (!accessToken || !refreshToken) {
+    const error = new Error("Anthropic OAuth response is missing tokens.");
+    error.statusCode = 502;
+    throw error;
+  }
+
+  const account =
+    payload.account && typeof payload.account === "object" && !Array.isArray(payload.account)
+      ? payload.account
+      : null;
+  const organization =
+    payload.organization && typeof payload.organization === "object" && !Array.isArray(payload.organization)
+      ? payload.organization
+      : null;
+
+  return buildPersistableRecord({
+    accessTokenSealed: sealTokenPayload(accessToken, username, authKeys),
+    refreshTokenSealed: sealTokenPayload(refreshToken, username, authKeys),
+    expiresAt: new Date(expiresAtMs).toISOString(),
+    scope: typeof payload.scope === "string" ? payload.scope : previousScope || "",
+    accountEmail:
+      typeof account?.email_address === "string"
+        ? account.email_address
+        : typeof account?.email === "string"
+          ? account.email
+          : previousAccountEmail || "",
+    organizationId:
+      typeof organization?.uuid === "string"
+        ? organization.uuid
+        : typeof organization?.id === "string"
+          ? organization.id
+          : previousOrganizationId || "",
+    organizationName:
+      typeof organization?.name === "string" ? organization.name : previousOrganizationName || "",
+    obtainedAt: new Date().toISOString()
+  });
+}
+
+async function exchangeAuthorizationCode({
+  code,
+  codeVerifier,
+  state,
+  endpoints,
+  redirectUri,
+  username,
+  authKeys
+}) {
+  const payload = await postOauthForm({
+    url: endpoints.tokenUrl,
+    body: {
+      grant_type: "authorization_code",
+      code: String(code || "").trim(),
+      redirect_uri: String(redirectUri || endpoints.redirectUri),
+      client_id: endpoints.clientId,
+      code_verifier: String(codeVerifier || "").trim(),
+      state: String(state || "").trim()
+    }
+  });
+
+  return tokenPayloadToRecord({
+    payload,
+    username,
+    authKeys
+  });
+}
+
+async function refreshAccessToken({
+  refreshToken,
+  endpoints,
+  username,
+  authKeys,
+  previousRecord
+}) {
+  const payload = await postOauthForm({
+    url: endpoints.tokenUrl,
+    body: {
+      grant_type: "refresh_token",
+      refresh_token: String(refreshToken || "").trim(),
+      client_id: endpoints.clientId
+    }
+  });
+
+  return tokenPayloadToRecord({
+    payload,
+    previousScope: previousRecord?.scope,
+    previousAccountEmail: previousRecord?.account_email,
+    previousOrganizationId: previousRecord?.organization_id,
+    previousOrganizationName: previousRecord?.organization_name,
+    username,
+    authKeys,
+    retainRefreshToken: openTokenPayload(previousRecord?.refresh_token, username, authKeys)
+  });
+}
+
+function shouldRefreshRecord(record) {
+  if (!record) {
+    return false;
+  }
+  const expiresAtMs = Date.parse(record.expires_at || "");
+  if (!Number.isFinite(expiresAtMs)) {
+    return true;
+  }
+  return Date.now() + ANTHROPIC_OAUTH_REFRESH_LEAD_MS >= expiresAtMs;
+}
+
+async function persistRecord({ projectRoot, username, runtimeParams, record }) {
+  const normalizedUsername = normalizeUsername(username);
+  if (!normalizedUsername) {
+    throw new Error("Anthropic OAuth requires a username.");
+  }
+  writeUserOauthFile(projectRoot, normalizedUsername, record, runtimeParams);
+  recordAppPathMutations(
+    {
+      projectRoot,
+      runtimeParams
+    },
+    [buildUserOauthProjectPath(normalizedUsername)]
+  );
+}
+
+async function getActiveAccessToken({ projectRoot, username, runtimeParams, force = false }) {
+  const normalizedUsername = normalizeUsername(username);
+  if (!normalizedUsername) {
+    return { accessToken: "", record: null };
+  }
+
+  const authKeys = loadAuthKeys(projectRoot);
+  const record = readUserOauthFile(projectRoot, normalizedUsername, runtimeParams);
+  if (!record) {
+    return { accessToken: "", record: null };
+  }
+
+  const endpoints = buildOauthEndpoints(runtimeParams);
+
+  if (force || shouldRefreshRecord(record)) {
+    const refreshTokenPlain = openTokenPayload(record.refresh_token, normalizedUsername, authKeys);
+    if (!refreshTokenPlain) {
+      return { accessToken: "", record };
+    }
+    const refreshed = await refreshAccessToken({
+      refreshToken: refreshTokenPlain,
+      endpoints,
+      username: normalizedUsername,
+      authKeys,
+      previousRecord: record
+    });
+    await persistRecord({
+      projectRoot,
+      username: normalizedUsername,
+      runtimeParams,
+      record: refreshed
+    });
+    return {
+      accessToken: openTokenPayload(refreshed.access_token, normalizedUsername, authKeys),
+      record: refreshed
+    };
+  }
+
+  return {
+    accessToken: openTokenPayload(record.access_token, normalizedUsername, authKeys),
+    record
+  };
+}
+
+async function getStatusForUser({ projectRoot, username, runtimeParams }) {
+  const normalizedUsername = normalizeUsername(username);
+  if (!normalizedUsername) {
+    return { connected: false };
+  }
+
+  const record = readUserOauthFile(projectRoot, normalizedUsername, runtimeParams);
+  if (!record) {
+    return { connected: false };
+  }
+
+  return {
+    connected: true,
+    expiresAt: normalizeIsoTimestamp(record.expires_at),
+    obtainedAt: normalizeIsoTimestamp(record.obtained_at),
+    scope: typeof record.scope === "string" ? record.scope : "",
+    accountEmail: typeof record.account_email === "string" ? record.account_email : "",
+    organizationId: typeof record.organization_id === "string" ? record.organization_id : "",
+    organizationName: typeof record.organization_name === "string" ? record.organization_name : ""
+  };
+}
+
+async function disconnectUser({ projectRoot, username, runtimeParams }) {
+  const normalizedUsername = normalizeUsername(username);
+  if (!normalizedUsername) {
+    return { changed: false };
+  }
+  const removed = deleteUserOauthFile(projectRoot, normalizedUsername, runtimeParams);
+  if (removed) {
+    recordAppPathMutations(
+      {
+        projectRoot,
+        runtimeParams
+      },
+      [buildUserOauthProjectPath(normalizedUsername)]
+    );
+  }
+  return { changed: removed };
+}
+
+async function connectWithAuthorizationCode({
+  code,
+  state,
+  codeVerifier,
+  redirectUri,
+  projectRoot,
+  username,
+  runtimeParams
+}) {
+  const normalizedUsername = normalizeUsername(username);
+  if (!normalizedUsername) {
+    throw new Error("Anthropic OAuth requires an authenticated user.");
+  }
+  const authKeys = loadAuthKeys(projectRoot);
+  const endpoints = buildOauthEndpoints(runtimeParams);
+  const record = await exchangeAuthorizationCode({
+    code,
+    codeVerifier,
+    state,
+    redirectUri,
+    endpoints,
+    username: normalizedUsername,
+    authKeys
+  });
+  await persistRecord({
+    projectRoot,
+    username: normalizedUsername,
+    runtimeParams,
+    record
+  });
+  return {
+    accountEmail: record.account_email,
+    expiresAt: record.expires_at,
+    organizationId: record.organization_id,
+    organizationName: record.organization_name,
+    scope: record.scope
+  };
+}
+
+function buildAuthorizeContext(runtimeParams = null, requestContext = {}) {
+  const endpoints = buildOauthEndpoints(runtimeParams);
+  const flowMode = resolveFlowMode(runtimeParams, requestContext.requestHost);
+  const codeVerifier = createPkceVerifier();
+  const codeChallenge = deriveCodeChallenge(codeVerifier);
+  const state = encodeBase64Url(randomBytes(24));
+  const redirectUri =
+    flowMode === ANTHROPIC_OAUTH_FLOW_MODE_REDIRECT
+      ? buildLocalCallbackUri({
+          requestProtocol: requestContext.requestProtocol,
+          requestHost: requestContext.requestHost
+        })
+      : endpoints.redirectUri;
+  return {
+    authorizeUrl: buildAuthorizeUrl({ endpoints, codeChallenge, state, redirectUri, flowMode }),
+    codeVerifier,
+    endpoints: { ...endpoints, redirectUri },
+    flowMode,
+    redirectUri,
+    state
+  };
+}
+
+export {
+  ANTHROPIC_OAUTH_FILENAME,
+  ANTHROPIC_OAUTH_FLOW_MODE_AUTO,
+  ANTHROPIC_OAUTH_FLOW_MODE_PASTE,
+  ANTHROPIC_OAUTH_FLOW_MODE_REDIRECT,
+  ANTHROPIC_OAUTH_USER_AGENT,
+  DEFAULT_ANTHROPIC_OAUTH_AUTHORIZE_URL,
+  DEFAULT_ANTHROPIC_OAUTH_CLIENT_ID,
+  DEFAULT_ANTHROPIC_OAUTH_REDIRECT_URI,
+  DEFAULT_ANTHROPIC_OAUTH_SCOPES,
+  DEFAULT_ANTHROPIC_OAUTH_TOKEN_URL,
+  buildAuthorizeContext,
+  buildOauthEndpoints,
+  connectWithAuthorizationCode,
+  disconnectUser,
+  getActiveAccessToken,
+  getStatusForUser,
+  isLocalHostname,
+  resolveFlowMode,
+  shouldRefreshRecord
+};
diff --git a/server/lib/auth/service.js b/server/lib/auth/service.js
index 62cf1844..43debf9d 100644
--- a/server/lib/auth/service.js
+++ b/server/lib/auth/service.js
@@ -33,10 +33,11 @@ import {
   readUserCryptoServerShare,
   USER_CRYPTO_STATUS_READY
 } from "./user_crypto.js";
-import { LOGIN_CHALLENGE_AREA } from "../../runtime/state_areas.js";
+import { ANTHROPIC_OAUTH_STATE_AREA, LOGIN_CHALLENGE_AREA } from "../../runtime/state_areas.js";
 
 const SESSION_COOKIE_NAME = "space_session";
 const CHALLENGE_TTL_MS = 5 * 60 * 1000;
+const ANTHROPIC_OAUTH_STATE_TTL_MS = 10 * 60 * 1000;
 const NONCE_PATTERN = /^[A-Za-z0-9_-]{16,200}$/u;
 const REMOTE_ADDRESS_MAX_LENGTH = 256;
 const SESSION_ID_PATTERN = /^[A-Za-z0-9_-]{16,200}$/u;
@@ -999,9 +1000,44 @@ export function createAuthService(options = {}) {
     throw new Error("Authentication required.");
   }
 
+  async function storeAnthropicOauthState(stateToken, value) {
+    const normalizedStateToken = String(stateToken || "").trim();
+    if (!normalizedStateToken) {
+      throw new Error("Anthropic OAuth state token is required.");
+    }
+    const payload =
+      value && typeof value === "object" && !Array.isArray(value) ? { ...value } : {};
+    await stateSystem.setEntry(
+      ANTHROPIC_OAUTH_STATE_AREA,
+      normalizedStateToken,
+      {
+        ...payload,
+        stateToken: normalizedStateToken
+      },
+      {
+        expiresInMs: ANTHROPIC_OAUTH_STATE_TTL_MS,
+        replicate: false
+      }
+    );
+  }
+
+  async function consumeAnthropicOauthState(stateToken) {
+    const normalizedStateToken = String(stateToken || "").trim();
+    if (!normalizedStateToken) {
+      return null;
+    }
+    const entry = await stateSystem.takeEntry(ANTHROPIC_OAUTH_STATE_AREA, normalizedStateToken);
+    const value =
+      entry?.value && typeof entry.value === "object" && !Array.isArray(entry.value)
+        ? entry.value
+        : null;
+    return value ? { ...value } : null;
+  }
+
   return {
     changePassword,
     completeLogin,
+    consumeAnthropicOauthState,
     createClearedSessionCookieHeader,
     createLoginChallenge,
     createSessionCookieHeader,
@@ -1012,7 +1048,8 @@ export function createAuthService(options = {}) {
     initialize,
     issueSessionForUser,
     revokeSession,
-    resolveUserFromCookies
+    resolveUserFromCookies,
+    storeAnthropicOauthState
   };
 }
 
diff --git a/server/lib/customware/git_history.js b/server/lib/customware/git_history.js
index c5eb289b..e6be79a8 100644
--- a/server/lib/customware/git_history.js
+++ b/server/lib/customware/git_history.js
@@ -30,7 +30,8 @@ const DEFAULT_AUTHOR_EMAIL = "space-agent@local";
 const USER_HISTORY_IGNORED_PATHS = [
   "meta/password.json",
   "meta/logins.json",
-  "meta/user_crypto.json"
+  "meta/user_crypto.json",
+  "meta/anthropic_oauth.json"
 ];
 const pendingCommits = new Map();
 let suppressionDepth = 0;
diff --git a/server/runtime/state_areas.js b/server/runtime/state_areas.js
index 71759847..28b7618a 100644
--- a/server/runtime/state_areas.js
+++ b/server/runtime/state_areas.js
@@ -1,3 +1,4 @@
+const ANTHROPIC_OAUTH_STATE_AREA = "anthropic_oauth_state";
 const FILE_INDEX_AREA = "file_index";
 const FILE_INDEX_META_AREA = "file_index_meta";
 const GROUP_INDEX_AREA = "group_index";
@@ -13,6 +14,7 @@ const GROUP_ERRORS_ID = "errors";
 const GROUP_INCLUSION_CYCLES_ID = "inclusion_cycles";
 
 export {
+  ANTHROPIC_OAUTH_STATE_AREA,
   FILE_INDEX_AREA,
   FILE_INDEX_META_AREA,
   GROUP_ERRORS_ID,
diff --git a/tests/anthropic_oauth_test.mjs b/tests/anthropic_oauth_test.mjs
new file mode 100644
index 00000000..c3e87e73
--- /dev/null
+++ b/tests/anthropic_oauth_test.mjs
@@ -0,0 +1,211 @@
+// Focused unit coverage for the Claude subscription OAuth helpers.
+//
+// Exercises the pure parts of `server/lib/auth/anthropic_oauth.js` that
+// don't require an HTTP exchange against Anthropic: PKCE generation,
+// authorize-URL composition, token sealing round-trip through the
+// password seal key, and the JSON file persistence layer plus the
+// status reporter that the API endpoints rely on.
+
+import assert from "node:assert/strict";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import test from "node:test";
+
+import {
+  buildAuthorizeContext,
+  buildOauthEndpoints,
+  disconnectUser,
+  getStatusForUser
+} from "../server/lib/auth/anthropic_oauth.js";
+
+function createTempProjectRoot() {
+  return fs.mkdtempSync(path.join(os.tmpdir(), "space-anthropic-oauth-test-"));
+}
+
+function setupAuthDataDir(projectRoot) {
+  const dataDir = path.join(projectRoot, "server", "data");
+  fs.mkdirSync(dataDir, { recursive: true });
+  process.env.SPACE_AUTH_DATA_DIR = dataDir;
+  process.env.SPACE_AUTH_PASSWORD_SEAL_KEY =
+    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcde";
+  process.env.SPACE_AUTH_SESSION_HMAC_KEY =
+    "fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210";
+}
+
+function teardownAuthDataDir() {
+  delete process.env.SPACE_AUTH_DATA_DIR;
+  delete process.env.SPACE_AUTH_PASSWORD_SEAL_KEY;
+  delete process.env.SPACE_AUTH_SESSION_HMAC_KEY;
+}
+
+test("buildOauthEndpoints uses public Claude Code defaults when runtime params are unset", () => {
+  const endpoints = buildOauthEndpoints(null);
+  assert.equal(endpoints.authorizeUrl, "https://claude.ai/oauth/authorize");
+  assert.equal(endpoints.tokenUrl, "https://console.anthropic.com/v1/oauth/token");
+  assert.equal(endpoints.redirectUri, "https://console.anthropic.com/oauth/code/callback");
+  assert.equal(endpoints.clientId, "9d1c250a-e61b-44d9-88ed-5944d1962f5e");
+});
+
+test("buildOauthEndpoints honors runtime param overrides", () => {
+  const overrides = {
+    ANTHROPIC_OAUTH_CLIENT_ID: "test-client-id",
+    ANTHROPIC_OAUTH_AUTHORIZE_URL: "https://example.invalid/authorize",
+    ANTHROPIC_OAUTH_TOKEN_URL: "https://example.invalid/token",
+    ANTHROPIC_OAUTH_REDIRECT_URI: "https://example.invalid/callback"
+  };
+  const endpoints = buildOauthEndpoints({
+    get(name) {
+      return overrides[name];
+    }
+  });
+  assert.equal(endpoints.clientId, "test-client-id");
+  assert.equal(endpoints.authorizeUrl, "https://example.invalid/authorize");
+  assert.equal(endpoints.tokenUrl, "https://example.invalid/token");
+  assert.equal(endpoints.redirectUri, "https://example.invalid/callback");
+});
+
+test("buildAuthorizeContext returns a PKCE verifier and a populated authorize URL", () => {
+  const context = buildAuthorizeContext(null);
+  assert.equal(typeof context.codeVerifier, "string");
+  assert.ok(context.codeVerifier.length >= 32, "code verifier should be high-entropy");
+  assert.equal(typeof context.state, "string");
+  assert.ok(context.state.length >= 16, "state token should be high-entropy");
+
+  const url = new URL(context.authorizeUrl);
+  assert.equal(url.searchParams.get("response_type"), "code");
+  assert.equal(url.searchParams.get("code_challenge_method"), "S256");
+  assert.equal(url.searchParams.get("redirect_uri"), context.endpoints.redirectUri);
+  assert.equal(url.searchParams.get("client_id"), context.endpoints.clientId);
+  assert.equal(url.searchParams.get("state"), context.state);
+  assert.ok(url.searchParams.get("code_challenge"));
+});
+
+test("buildAuthorizeContext defaults to paste mode for non-local hosts", () => {
+  const context = buildAuthorizeContext(null, {
+    requestHost: "space-agent.example.com",
+    requestProtocol: "https"
+  });
+  assert.equal(context.flowMode, "paste");
+  const url = new URL(context.authorizeUrl);
+  // paste mode keeps the Anthropic-hosted code page redirect URI
+  assert.equal(url.searchParams.get("redirect_uri"), "https://console.anthropic.com/oauth/code/callback");
+  assert.equal(url.searchParams.get("code"), "true");
+});
+
+test("buildAuthorizeContext defaults to paste mode on localhost too because the public client does not allowlist arbitrary localhost callbacks", () => {
+  const context = buildAuthorizeContext(null, {
+    requestHost: "localhost:3000",
+    requestProtocol: "http"
+  });
+  assert.equal(context.flowMode, "paste");
+  const url = new URL(context.authorizeUrl);
+  assert.equal(url.searchParams.get("redirect_uri"), "https://console.anthropic.com/oauth/code/callback");
+  assert.equal(url.searchParams.get("code"), "true");
+});
+
+test("ANTHROPIC_OAUTH_FLOW_MODE=redirect with a localhost host still produces a local callback URL", () => {
+  const overrides = { ANTHROPIC_OAUTH_FLOW_MODE: "redirect" };
+  const context = buildAuthorizeContext(
+    {
+      get(name) {
+        return overrides[name];
+      }
+    },
+    { requestHost: "localhost:3000", requestProtocol: "http" }
+  );
+  assert.equal(context.flowMode, "redirect");
+  const url = new URL(context.authorizeUrl);
+  assert.equal(url.searchParams.get("redirect_uri"), "http://localhost:3000/api/oauth_anthropic_callback");
+  // redirect mode never sets code=true; that flag is only for the paste page
+  assert.equal(url.searchParams.get("code"), null);
+});
+
+test("ANTHROPIC_OAUTH_FLOW_MODE=paste forces paste mode even on localhost", () => {
+  const overrides = { ANTHROPIC_OAUTH_FLOW_MODE: "paste" };
+  const context = buildAuthorizeContext(
+    {
+      get(name) {
+        return overrides[name];
+      }
+    },
+    { requestHost: "localhost:3000", requestProtocol: "http" }
+  );
+  assert.equal(context.flowMode, "paste");
+});
+
+test("status helper reports disconnected when no record exists", async () => {
+  const projectRoot = createTempProjectRoot();
+  setupAuthDataDir(projectRoot);
+  try {
+    const status = await getStatusForUser({
+      projectRoot,
+      runtimeParams: null,
+      username: "alice"
+    });
+    assert.equal(status.connected, false);
+  } finally {
+    teardownAuthDataDir();
+    fs.rmSync(projectRoot, { recursive: true, force: true });
+  }
+});
+
+test("disconnect helper is a no-op when no record exists and reports changed=false", async () => {
+  const projectRoot = createTempProjectRoot();
+  setupAuthDataDir(projectRoot);
+  try {
+    const result = await disconnectUser({
+      projectRoot,
+      runtimeParams: null,
+      username: "alice"
+    });
+    assert.equal(result.changed, false);
+  } finally {
+    teardownAuthDataDir();
+    fs.rmSync(projectRoot, { recursive: true, force: true });
+  }
+});
+
+test("status helper reads sealed records back into status metadata round-trip", async () => {
+  const projectRoot = createTempProjectRoot();
+  setupAuthDataDir(projectRoot);
+  try {
+    // Hand-write a synthetic sealed-shape record. We only validate that the
+    // status helper surfaces the metadata fields without touching tokens.
+    const userMetaDir = path.join(projectRoot, "app", "L2", "alice", "meta");
+    fs.mkdirSync(userMetaDir, { recursive: true });
+    fs.writeFileSync(
+      path.join(userMetaDir, "anthropic_oauth.json"),
+      JSON.stringify(
+        {
+          version: 1,
+          access_token: { ciphertext: "AA", iv: "BB", tag: "CC" },
+          refresh_token: { ciphertext: "DD", iv: "EE", tag: "FF" },
+          expires_at: new Date(Date.now() + 60 * 60 * 1000).toISOString(),
+          scope: "user:inference user:profile",
+          account_email: "tester@example.invalid",
+          organization_id: "org_test",
+          organization_name: "Test Org",
+          obtained_at: new Date().toISOString()
+        },
+        null,
+        2
+      )
+    );
+
+    const status = await getStatusForUser({
+      projectRoot,
+      runtimeParams: null,
+      username: "alice"
+    });
+
+    assert.equal(status.connected, true);
+    assert.equal(status.accountEmail, "tester@example.invalid");
+    assert.equal(status.organizationName, "Test Org");
+    assert.equal(status.scope, "user:inference user:profile");
+    assert.ok(status.expiresAt, "expiresAt should normalize to ISO string");
+  } finally {
+    teardownAuthDataDir();
+    fs.rmSync(projectRoot, { recursive: true, force: true });
+  }
+});