feat(auth): add Claude Code OAuth support for Anthropic provider

[sunipan]

Summary

Adds Claude Code OAuth support for ForgeCode’s Anthropic provider.

This is a ForgeCode port of the Claude/Anthropic auth behavior from:

https://github.com/ex-machina-co/opencode-anthropic-auth

I’m opening this as a draft/community PR because it helps users who want to authenticate ForgeCode with Claude subscription-style OAuth rather than a normal Anthropic API key, but it includes provider-specific behavior that maintainers should explicitly review before deciding whether it belongs upstream.

Context

This PR was prepared with AI assistance.

I’ve mirrored the relevant changes from opencode-anthropic-auth for ForgeCode’s Rust provider stack. I want to stress that using this provider for Claude Code may carry potential account or policy risks, although I personally have not had any issues.

Changes

• Add Claude Code OAuth provider config updates:

  • Claude platform token URL
  • Claude platform callback URL
  • additional Claude Code scopes
  • provider-level anthropic-client custom header

• Extend Anthropic OAuth code exchange parsing:

  • full callback URL
  • code#state
  • query-string code=...&state=...
  • raw code fallback

• Update Anthropic request headers for OAuth:

  • use Authorization: Bearer ... for OAuth credentials
  • include OAuth beta flag
  • include Claude Code user-agent
  • preserve provider-level custom headers

• Add Claude Code request transforms for OAuth-backed Anthropic requests:

  • billing metadata system block
  • Claude Code auth system message
  • MCP tool name conversion
  • tool name capitalization

• Cap Anthropic cache_control blocks at Anthropic’s 4-block limit.

Source / Provenance

The Claude Code OAuth-specific behavior is ported from:

https://github.com/ex-machina-co/opencode-anthropic-auth

The current branch was reconciled against the source repo’s current mainline behavior, including Claude Code version/user-agent and billing metadata constants.

Risk / Maintainer Decision Points

This PR intentionally does not hide that the feature may have product, policy, or provider-relationship implications.

Things maintainers should decide before merging:

• Whether ForgeCode wants first-class Claude subscription OAuth support in-tree.
• Whether this should instead live behind a provider/plugin/proxy architecture.
• Whether the Claude Code billing metadata/request-shaping behavior is acceptable for upstream.
• Whether additional docs, user opt-in, or maintainership boundaries are needed.

If maintainers prefer not to carry this behavior, I’m happy to close this PR and keep it as a fork-only patch or move toward an external proxy/plugin-style approach.

Testing

Ran:

cargo fmt -p forge_app -p forge_repo -p forge_infra -- --check
cargo test -p forge_app billing_header
cargo test -p forge_app set_cache
cargo test -p forge_infra auth::http::anthropic
cargo check -p forge_app -p forge_repo -p forge_infra

Results:

• billing_header: 4 passed
• set_cache: 20 passed
• auth::http::anthropic: 1 passed
• cargo check: passed for changed packages