fix(auth): add oauth-2025-04-20 beta header + debug logging

Ensure anthropic-beta includes oauth-2025-04-20 when using OAuth tokens,
fixing 401 "OAuth authentication is currently not supported" errors.
Add debug-level logging for upstream requests/responses, sniffed headers,
and token refresh operations.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/auth/refresh.go

@@ -64,6 +64,13 @@ func RefreshToken(ctx context.Context, cred *Credential) error {
 	}
 	req.Header.Set("Content-Type", "application/json")
 
+	log.Debug().
+		Str("url", tokenEndpoint).
+		Str("grant_type", "refresh_token").
+		Str("client_id", clientID).
+		Str("scope", oauthScopes).
+		Msg("token refresh request")
+
 	resp, err := utlsClient.Do(req)
 	if err != nil {
 		return fmt.Errorf("execute request: %w", err)
@@ -71,6 +78,12 @@ func RefreshToken(ctx context.Context, cred *Credential) error {
 	defer resp.Body.Close()
 
 	body, _ := io.ReadAll(resp.Body)
+
+	log.Debug().
+		Int("status", resp.StatusCode).
+		Int("response_size", len(body)).
+		Msg("token refresh response")
+
 	if resp.StatusCode != http.StatusOK {
 		return fmt.Errorf("refresh returned %d: %s", resp.StatusCode, string(body))
 	}

internal/proxy/sniff.go

@@ -122,6 +122,11 @@ func SniffClaudeCode(claudeBinary string) (*SniffedProfile, error) {
 		Int("headers", len(profile.Headers)).
 		Int("body_size", len(profile.Body)).
 		Msg("sniffed claude-code profile")
+
+	for _, h := range profile.Headers {
+		log.Debug().Str("header", h[0]).Str("value", h[1]).Msg("sniffed header")
+	}
+
 	return profile, nil
 }
 

internal/proxy/upstream.go

@@ -9,8 +9,10 @@ import (
 	"strings"
 
 	"github.com/google/uuid"
+	"github.com/rs/zerolog/log"
 
 	"github.com/fujin/anthropic-proxy/internal/auth"
+	"github.com/fujin/anthropic-proxy/internal/logging"
 )
 
 const messagesURL = "https://api.anthropic.com/v1/messages?beta=true"
@@ -84,6 +86,12 @@ func (u *UpstreamClient) Execute(ctx context.Context, cred *auth.Credential, bod
 	}
 	u.applyHeaders(req, cred.Token(), false)
 
+	log.Debug().
+		Str("url", messagesURL).
+		Str("upstream_headers", logging.RedactHeaders(req.Header)).
+		Int("body_size", len(body)).
+		Msg("upstream request")
+
 	resp, err := u.client.Do(req)
 	if err != nil {
 		return nil, nil, 0, fmt.Errorf("upstream request: %w", err)
@@ -94,6 +102,12 @@ func (u *UpstreamClient) Execute(ctx context.Context, cred *auth.Credential, bod
 	if err != nil {
 		return nil, nil, resp.StatusCode, fmt.Errorf("read upstream response: %w", err)
 	}
+	log.Debug().
+		Int("status", resp.StatusCode).
+		Str("response_headers", logging.RedactHeaders(resp.Header)).
+		Int("response_size", len(respBody)).
+		Msg("upstream response")
+
 	return respBody, resp.Header, resp.StatusCode, nil
 }
 
@@ -106,9 +120,21 @@ func (u *UpstreamClient) ExecuteStream(ctx context.Context, cred *auth.Credentia
 	}
 	u.applyHeaders(req, cred.Token(), true)
 
+	log.Debug().
+		Str("url", messagesURL).
+		Str("upstream_headers", logging.RedactHeaders(req.Header)).
+		Int("body_size", len(body)).
+		Msg("upstream stream request")
+
 	resp, err := u.client.Do(req)
 	if err != nil {
 		return nil, fmt.Errorf("upstream stream request: %w", err)
 	}
+
+	log.Debug().
+		Int("status", resp.StatusCode).
+		Str("response_headers", logging.RedactHeaders(resp.Header)).
+		Msg("upstream stream response")
+
 	return resp, nil
 }