fix: send_animation metadata, MarkdownV2 inline code splitting, tirith cosign-free install (#1626)

* fix: Anthropic OAuth compatibility — Claude Code identity fingerprinting

Anthropic routes OAuth/subscription requests based on Claude Code's
identity markers. Without them, requests get intermittent 500 errors
(~25% failure rate observed). This matches what pi-ai (clawdbot) and
OpenCode both implement for OAuth compatibility.

Changes (OAuth tokens only — API key users unaffected):

1. Headers: user-agent 'claude-cli/2.1.2 (external, cli)' + x-app 'cli'
2. System prompt: prepend 'You are Claude Code, Anthropic's official CLI'
3. System prompt sanitization: replace Hermes/Nous references
4. Tool names: prefix with 'mcp_' (Claude Code convention for non-native tools)
5. Tool name stripping: remove 'mcp_' prefix from response tool calls

Before: 9/12 OK, 1 hard fail, 4 needed retries (~25% error rate)
After: 16/16 OK, 0 failures, 0 retries (0% error rate)

* fix: three gateway issues from user error logs

1. send_animation missing metadata kwarg (base.py)
   - Base class send_animation lacked the metadata parameter that the
     call site in base.py line 917 passes. Telegram's override accepted
     it, but any platform without an override (Discord, Slack, etc.)
     hit TypeError. Added metadata to base class signature.

2. MarkdownV2 split-inside-inline-code (base.py truncate_message)
   - truncate_message could split at a space inside an inline code span
     (e.g. `function(arg1, arg2)`), leaving an unpaired backtick and
     unescaped parentheses in the chunk. Telegram rejects with
     'character ( is reserved'. Added inline code awareness to the
     split-point finder — detects odd backtick counts and moves the
     split before the code span.

3. tirith auto-install without cosign (tirith_security.py)
   - Previously required cosign on PATH for auto-install, blocking
     install entirely with a warning if missing. Now proceeds with
     SHA-256 checksum verification only when cosign is unavailable.
     Cosign is still used for full supply chain verification when
     present. If cosign IS present but verification explicitly fails,
     install is still aborted (tampered release).

tests/tools/test_tirith_security.py

@@ -522,50 +522,59 @@ class TestCosignVerification:
         assert path is None
         assert reason == "cosign_verification_failed"
 
+    @patch("tools.tirith_security.tarfile.open")
+    @patch("tools.tirith_security._verify_checksum", return_value=True)
     @patch("tools.tirith_security.shutil.which", return_value=None)
     @patch("tools.tirith_security._download_file")
     @patch("tools.tirith_security._detect_target", return_value="aarch64-apple-darwin")
-    def test_install_aborts_when_cosign_missing(self, mock_target, mock_dl,
-                                                 mock_which):
-        """_install_tirith returns cosign_missing when cosign is not on PATH."""
+    def test_install_proceeds_without_cosign(self, mock_target, mock_dl,
+                                              mock_which, mock_checksum,
+                                              mock_tarfile):
+        """_install_tirith proceeds with SHA-256 only when cosign is not on PATH."""
         from tools.tirith_security import _install_tirith
+        mock_tar = MagicMock()
+        mock_tar.__enter__ = MagicMock(return_value=mock_tar)
+        mock_tar.__exit__ = MagicMock(return_value=False)
+        mock_tar.getmembers.return_value = []
+        mock_tarfile.return_value = mock_tar
+
         path, reason = _install_tirith()
+        # Reaches extraction (no binary in mock archive), but got past cosign
         assert path is None
-        assert reason == "cosign_missing"
-
-    @patch("tools.tirith_security.logger.debug")
-    @patch("tools.tirith_security.logger.warning")
-    @patch("tools.tirith_security.shutil.which", return_value=None)
-    @patch("tools.tirith_security._download_file")
-    @patch("tools.tirith_security._detect_target", return_value="aarch64-apple-darwin")
-    def test_install_quiet_mode_downgrades_cosign_missing_log(self, mock_target, mock_dl,
-                                                              mock_which, mock_warning,
-                                                              mock_debug):
-        """Startup prefetch should not surface cosign-missing as a warning."""
-        from tools.tirith_security import _install_tirith
-        path, reason = _install_tirith(log_failures=False)
-        assert path is None
-        assert reason == "cosign_missing"
-        mock_warning.assert_not_called()
-        mock_debug.assert_called()
+        assert reason == "binary_not_in_archive"
+        assert mock_checksum.called  # SHA-256 verification ran
 
+    @patch("tools.tirith_security.tarfile.open")
+    @patch("tools.tirith_security._verify_checksum", return_value=True)
     @patch("tools.tirith_security._verify_cosign", return_value=None)
     @patch("tools.tirith_security.shutil.which", return_value="/usr/local/bin/cosign")
     @patch("tools.tirith_security._download_file")
     @patch("tools.tirith_security._detect_target", return_value="aarch64-apple-darwin")
-    def test_install_aborts_when_cosign_exec_fails(self, mock_target, mock_dl,
-                                                     mock_which, mock_cosign):
-        """_install_tirith returns cosign_exec_failed when cosign exists but fails."""
+    def test_install_proceeds_when_cosign_exec_fails(self, mock_target, mock_dl,
+                                                       mock_which, mock_cosign,
+                                                       mock_checksum, mock_tarfile):
+        """_install_tirith falls back to SHA-256 when cosign exists but fails to execute."""
         from tools.tirith_security import _install_tirith
+        mock_tar = MagicMock()
+        mock_tar.__enter__ = MagicMock(return_value=mock_tar)
+        mock_tar.__exit__ = MagicMock(return_value=False)
+        mock_tar.getmembers.return_value = []
+        mock_tarfile.return_value = mock_tar
+
         path, reason = _install_tirith()
         assert path is None
-        assert reason == "cosign_exec_failed"
+        assert reason == "binary_not_in_archive"  # got past cosign
+        assert mock_checksum.called
 
+    @patch("tools.tirith_security.tarfile.open")
+    @patch("tools.tirith_security._verify_checksum", return_value=True)
+    @patch("tools.tirith_security.shutil.which", return_value="/usr/local/bin/cosign")
     @patch("tools.tirith_security._download_file")
     @patch("tools.tirith_security._detect_target", return_value="aarch64-apple-darwin")
-    def test_install_aborts_when_cosign_artifacts_missing(self, mock_target,
-                                                           mock_dl):
-        """_install_tirith returns None when .sig/.pem downloads fail (404)."""
+    def test_install_proceeds_when_cosign_artifacts_missing(self, mock_target,
+                                                              mock_dl, mock_which,
+                                                              mock_checksum, mock_tarfile):
+        """_install_tirith proceeds with SHA-256 when .sig/.pem downloads fail."""
         from tools.tirith_security import _install_tirith
         import urllib.request
 
@@ -574,10 +583,16 @@ class TestCosignVerification:
                 raise urllib.request.URLError("404 Not Found")
 
         mock_dl.side_effect = _dl_side_effect
+        mock_tar = MagicMock()
+        mock_tar.__enter__ = MagicMock(return_value=mock_tar)
+        mock_tar.__exit__ = MagicMock(return_value=False)
+        mock_tar.getmembers.return_value = []
+        mock_tarfile.return_value = mock_tar
 
         path, reason = _install_tirith()
         assert path is None
-        assert reason == "cosign_artifacts_unavailable"
+        assert reason == "binary_not_in_archive"  # got past cosign
+        assert mock_checksum.called
 
     @patch("tools.tirith_security.tarfile.open")
     @patch("tools.tirith_security._verify_checksum", return_value=True)