fix: scrub blocked URLs from system[] instead of relocating all content #198

Open
s2bomb wants to merge 1 commit into griffinmartin:main from s2bomb:fix/system-prompt-url-blocklist

s2bomb commented Apr 15, 2026

Problem

v1.4.8 moved ALL non-core system content to the first user message to avoid Anthropic's 400 rejection. This regresses instruction priority and prompt-cache efficiency — AGENTS.md, env blocks, skills all lose system[] attention priority.

Root cause

Server-side blocklist. One URL triggers rejection: github.com/anomalyco/opencode.

Reproduces with Claude Code itself:

claude -p --append-system-prompt "https://github.com/anomalyco/opencode" "Reply OK."
# → 400 "You're out of extra usage"

Not a client fingerprint. Not an auth issue. Server-side content filter.

Probe results

15 targeted requests varying system[] content. Same OAuth, same billing, same model.

| system[] contains | result |
|---|---|
| billing + identity only | 200 |
| + full OpenCode prompt (no anomalyco URL) | 200 |
| + env block | 200 |
| + AGENTS.md | 200 |
| + skills block | 200 |
| + all three combined | 200 |
| + github.com/anomalyco/opencode | 400 |
| word "anomalyco" alone | 200 |
| word "opencode" alone | 200 |
| opencode.ai URL | 200 |
| same path on gitlab | 200 |

Single URL. Nothing else.

Fix

Scrub blocked URL substring in-place. Entry stays in system[]. No content relocation.

OpenCode concatenates the full prompt (identity + agent prompt + env + AGENTS + skills) into one system[] entry. Old approach relocated the whole entry on match → frontloaded everything into user message. This fix removes only the URL string.

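// Substrings that trigger the server-side 400 when present in system[]
const BLOCKED_SYSTEM_STRINGS = ["github.com/anomalyco/opencode"]

// Excerpt: `parsed` and `isBlocked` come from the surrounding plugin code (not shown here)
for (const entry of parsed.system) {
  if (isBlocked(entry.text)) {
    // Remove every occurrence of each blocked substring; the entry stays in system[]
    for (const blocked of BLOCKED_SYSTEM_STRINGS)
      entry.text = entry.text.split(blocked).join("")
  }
}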

Wire dump verification

Before (v1.4.10):

  • systemCount: 2 (billing + identity)
  • userPreview: "You are OpenCode, the best coding agent..." ← frontloaded

After:

  • systemCount: 3 (billing + identity + full prompt)
  • userPreview: "What tools do you have? List 3." ← clean
  • API: 200

Tests

214 pass. No new deps.

bvironn left a comment

Tested locally — 214/214 tests pass. The empirical probe table in the PR body is excellent: it isolates the server-side trigger to one substring.

Two follow-ups worth considering:

  1. Empty replacement leaves text artifacts: replacing github.com/anomalyco/opencode with "" can produce dangling phrases like "Visit for help" in the prompt. Consider replacing with opencode.ai (functionally equivalent project URL — passes the validator per your probe row 11) to keep the prompt grammatically intact.

  2. Blocklist extensibility: a single hardcoded string is fine today, but future Anthropic additions would force another release cycle. An optional OPENCODE_CLAUDE_AUTH_BLOCKED_STRINGS (comma-separated) merged with the built-in list would let users self-mitigate. Not blocking.

Strict improvement over v1.4.8 either way. Resolves #154 and #210.

griffinmartin added a commit to s2bomb/opencode-claude-auth-pr that referenced this pull request Apr 30, 2026
…list

- Replace 'github.com/anomalyco/opencode' with 'opencode.ai' instead of
  empty string so surrounding prose stays grammatical (no double spaces
  or dangling phrases).
- Add OPENCODE_CLAUDE_AUTH_BLOCKED_STRINGS env var (comma-separated,
  optional 'pattern=replacement' form) so users can self-mitigate
  future server-side additions without a release cycle.
- Restate scrub-in-place comment for clarity.
- Add tests for grammatical replacement, realistic concatenated prompt,
  and env-var parser. Fix lint formatting flagged by oxfmt --check.

Addresses review feedback from @bvironn on griffinmartin#198.

griffinmartin force-pushed the fix/system-prompt-url-blocklist branch from 9b897cb to a10b2b6 on April 30, 2026 02:41

griffinmartin (Owner) commented Apr 30, 2026

@s2bomb

Getting "You're out of extra usage. Add more at claude.ai/settings/usage and keep going." I can debug later unless you're able to.

Force pushed your original commit, can bring mine back in if this is resolved.
