#21517: fix: preserve pi-ai default betas when context1m/anthropicBeta overrides anthropic-beta header

## Summary - Fixes #21011 - When `context1m: true` or `anthropicBeta` is configured, `createAnthropicBetaHeadersWrapper` sets `options.headers["anthropic-beta"]` which gets passed to pi-ai's `createClient`. Because the Anthropic SDK's `buildHeaders` uses `Object.assign` semantics where `options.headers` comes last, this **completely replaces** pi-ai's `defaultHeaders["anthropic-beta"]` — which contains `oauth-2025-04-20` for OAuth tokens (`sk-ant-oat01-*`). Without that beta, OAuth tokens get HTTP 401. - The fix detects OAuth tokens at stream time via `options.apiKey` (set by pi-agent-core's agent loop) and includes pi-ai's default betas (`oauth-2025-04-20`, `claude-code-20250219`, `fine-grained-tool-streaming-2025-05-14`, `interleaved-thinking-2025-05-14`) in the merged header so they are never dropped. ## Test plan - [x] `pnpm build` succeeds - [x] `pnpm check` (lint + format) passes - [x] New test: context1m + OAuth token preserves all OAuth betas alongside `context-1m-2025-08-07` - [x] New test: context1m + regular API key does NOT include OAuth-only betas - [x] New test: custom `anthropicBeta` + OAuth preserves OAuth betas alongside custom betas - [x] New test: no extra betas configured → wrapper is NOT applied (regression check) - [x] Updated existing beta header tests to expect pi-ai base betas in output - [ ] Manual: re-enable `context1m: true` locally, restart gateway, verify agent responds without 401 > This PR was authored with AI assistance. <!-- greptile_comment --> <h3>Greptile Summary</h3> Fixed OAuth token authentication by preserving pi-ai's default beta headers when `context1m` or custom `anthropicBeta` config overrides the `anthropic-beta` header. The fix detects OAuth tokens at stream time and ensures required betas (`oauth-2025-04-20`, `claude-code-20250219`) are never dropped, preventing HTTP 401 errors. - Detects OAuth tokens via `sk-ant-oat` prefix check at stream time - Merges pi-ai default betas with user-configured betas instead of replacing them - Comprehensive test coverage for OAuth and regular API key scenarios - Clean implementation with well-documented constants <h3>Confidence Score: 5/5</h3> - Safe to merge - fixes a critical OAuth authentication bug with comprehensive test coverage - The implementation correctly addresses the root cause (header replacement via Object.assign), includes thorough test coverage for all scenarios (OAuth/regular keys, context1m/custom betas), and follows the codebase patterns. No logical errors or edge cases identified. - No files require special attention _{Last reviewed commit: b8a8f60} <!-- greptile_other_comments_section --> _{(2/5) Greptile learns from your feedback when you react with thumbs up/down!} <!-- /greptile_comment -->