fix(models): avoid externalizing Claude CLI auth

2026-05-06 13:10:43 +00:00 · 2026-04-24 21:40:07 -04:00
parent 911fcb47f1
commit ad27e0069d
7 changed files with 82 additions and 65 deletions
--- a/extensions/anthropic/index.test.ts
+++ b/extensions/anthropic/index.test.ts
@@ -332,33 +332,6 @@ describe("anthropic provider replay hooks", () => {
    });
  });

-  it("exposes Claude CLI auth as a runtime-only external profile", async () => {
-    readClaudeCliCredentialsForRuntimeMock.mockReset();
-    readClaudeCliCredentialsForRuntimeMock.mockReturnValue({
-      type: "oauth",
-      provider: "anthropic",
-      access: "fresh-cli-access",
-      refresh: "fresh-cli-refresh",
-      expires: 123,
-    });
-
-    const provider = await registerSingleProviderPlugin(anthropicPlugin);
-
-    expect(provider.resolveExternalAuthProfiles?.({} as never)).toEqual([
-      {
-        profileId: "anthropic:claude-cli",
-        credential: {
-          type: "oauth",
-          provider: "claude-cli",
-          access: "fresh-cli-access",
-          refresh: "fresh-cli-refresh",
-          expires: 123,
-        },
-        persistence: "runtime-only",
-      },
-    ]);
-  });
-
  it("stores a claude-cli auth profile during anthropic cli migration", async () => {
    readClaudeCliCredentialsForSetupMock.mockReset();
    readClaudeCliCredentialsForSetupMock.mockReturnValue({
--- a/extensions/anthropic/openclaw.plugin.json
+++ b/extensions/anthropic/openclaw.plugin.json
@@ -49,7 +49,6 @@
    }
  ],
  "contracts": {
-    "externalAuthProviders": ["claude-cli"],
    "mediaUnderstandingProviders": ["anthropic"]
  },
  "mediaUnderstandingProviderMetadata": {
--- a/extensions/anthropic/register.runtime.ts
+++ b/extensions/anthropic/register.runtime.ts
@@ -422,26 +422,6 @@ function resolveClaudeCliSyntheticAuth() {
      };
 }

-function resolveClaudeCliExternalAuthProfiles() {
-  const credential = claudeCliAuth.readClaudeCliCredentialsForRuntime();
-  if (!credential || credential.type !== "oauth") {
-    return [];
-  }
-  return [
-    {
-      profileId: "anthropic:claude-cli",
-      credential: {
-        type: "oauth" as const,
-        provider: CLAUDE_CLI_BACKEND_ID,
-        access: credential.access,
-        refresh: credential.refresh,
-        expires: credential.expires,
-      },
-      persistence: "runtime-only" as const,
-    },
-  ];
-}
-
 async function runAnthropicCliMigration(ctx: ProviderAuthContext): Promise<ProviderAuthResult> {
  const credential = claudeCliAuth.readClaudeCliCredentialsForSetup();
  if (!credential) {
@@ -607,7 +587,6 @@ export function buildAnthropicProvider(): ProviderPlugin {
      normalizeLowercaseStringOrEmpty(provider) === CLAUDE_CLI_BACKEND_ID
        ? resolveClaudeCliSyntheticAuth()
        : undefined,
-    resolveExternalAuthProfiles: () => resolveClaudeCliExternalAuthProfiles(),
    buildReplayPolicy: buildAnthropicReplayPolicy,
    isModernModelRef: ({ modelId }) => matchesAnthropicModernModel(modelId),
    resolveReasoningOutputMode: () => "native",
--- a/src/agents/auth-health.test.ts
+++ b/src/agents/auth-health.test.ts
@@ -1,12 +1,16 @@
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import type { OAuthCredential } from "./auth-profiles/types.js";
+import type { ClaudeCliCredential } from "./cli-credentials.js";

-const { readCodexCliCredentialsCachedMock } = vi.hoisted(() => ({
-  readCodexCliCredentialsCachedMock: vi.fn<() => OAuthCredential | null>(() => null),
-}));
+const { readClaudeCliCredentialsCachedMock, readCodexCliCredentialsCachedMock } = vi.hoisted(
+  () => ({
+    readClaudeCliCredentialsCachedMock: vi.fn<() => ClaudeCliCredential | null>(() => null),
+    readCodexCliCredentialsCachedMock: vi.fn<() => OAuthCredential | null>(() => null),
+  }),
+);

 vi.mock("./cli-credentials.js", () => ({
-  readClaudeCliCredentialsCached: () => null,
+  readClaudeCliCredentialsCached: readClaudeCliCredentialsCachedMock,
  readCodexCliCredentialsCached: readCodexCliCredentialsCachedMock,
  readMiniMaxCliCredentialsCached: () => null,
  resetCliCredentialCachesForTest: () => undefined,
@@ -59,6 +63,8 @@ describe("buildAuthHealthSummary", () => {
  });

  beforeEach(() => {
+    readClaudeCliCredentialsCachedMock.mockReset();
+    readClaudeCliCredentialsCachedMock.mockReturnValue(null);
    readCodexCliCredentialsCachedMock.mockReset();
    readCodexCliCredentialsCachedMock.mockReturnValue(null);
  });
@@ -138,6 +144,38 @@ describe("buildAuthHealthSummary", () => {
    expect(statuses["google:no-refresh"]).toBe("expired");
  });

+  it("uses fresh Claude CLI OAuth credentials for claude-cli profile health", () => {
+    vi.spyOn(Date, "now").mockReturnValue(now);
+    readClaudeCliCredentialsCachedMock.mockReturnValue({
+      type: "oauth",
+      provider: "anthropic",
+      access: "fresh-cli-access",
+      refresh: "fresh-cli-refresh",
+      expires: now + DEFAULT_OAUTH_WARN_MS + 60_000,
+    });
+    const store = {
+      version: 1,
+      profiles: {
+        "anthropic:claude-cli": {
+          type: "oauth" as const,
+          provider: "claude-cli",
+          access: "stale-access",
+          refresh: "stale-refresh",
+          expires: now - 10_000,
+        },
+      },
+    };
+
+    const summary = buildAuthHealthSummary({
+      store,
+      warnAfterMs: DEFAULT_OAUTH_WARN_MS,
+    });
+
+    const profile = summary.profiles.find((entry) => entry.profileId === "anthropic:claude-cli");
+    expect(profile?.status).toBe("ok");
+    expect(profile?.expiresAt).toBe(now + DEFAULT_OAUTH_WARN_MS + 60_000);
+  });
+
  it("does not let fresh .codex state override expired canonical health", () => {
    vi.spyOn(Date, "now").mockReturnValue(now);
    mockFreshCodexCliCredentials();
--- a/src/agents/auth-health.ts
+++ b/src/agents/auth-health.ts
@@ -1,4 +1,5 @@
 import type { OpenClawConfig } from "../config/types.openclaw.js";
+import { CLAUDE_CLI_PROFILE_ID } from "./auth-profiles/constants.js";
 import {
  DEFAULT_OAUTH_REFRESH_MARGIN_MS,
  type AuthCredentialReasonCode,
@@ -8,6 +9,7 @@ import {
 import { resolveAuthProfileDisplayLabel } from "./auth-profiles/display.js";
 import { resolveEffectiveOAuthCredential } from "./auth-profiles/effective-oauth.js";
 import type { AuthProfileCredential, AuthProfileStore } from "./auth-profiles/types.js";
+import { readClaudeCliCredentialsCached } from "./cli-credentials.js";
 import { normalizeProviderId } from "./provider-id.js";

 export type AuthProfileSource = "store";
@@ -101,6 +103,34 @@ function resolveOAuthStatus(
  return { status: "ok", remainingMs };
 }

+function resolveClaudeCliStatusCredential(params: {
+  profileId: string;
+  credential: AuthProfileCredential;
+}): AuthProfileCredential {
+  if (params.profileId !== CLAUDE_CLI_PROFILE_ID) {
+    return params.credential;
+  }
+  const cliCredential = readClaudeCliCredentialsCached({ allowKeychainPrompt: false });
+  if (!cliCredential) {
+    return params.credential;
+  }
+  if (cliCredential.type === "oauth") {
+    return {
+      type: "oauth",
+      provider: params.credential.provider,
+      access: cliCredential.access,
+      refresh: cliCredential.refresh,
+      expires: cliCredential.expires,
+    };
+  }
+  return {
+    type: "token",
+    provider: params.credential.provider,
+    token: cliCredential.token,
+    expires: cliCredential.expires,
+  };
+}
+
 function buildProfileHealth(params: {
  profileId: string;
  credential: AuthProfileCredential;
@@ -112,9 +142,10 @@ function buildProfileHealth(params: {
  const { profileId, credential, store, cfg, now, warnAfterMs } = params;
  const label = resolveAuthProfileDisplayLabel({ cfg, store, profileId });
  const source = resolveAuthProfileSource(profileId);
-  const provider = normalizeProviderId(credential.provider);
+  const healthCredential = resolveClaudeCliStatusCredential({ profileId, credential });
+  const provider = normalizeProviderId(healthCredential.provider);

-  if (credential.type === "api_key") {
+  if (healthCredential.type === "api_key") {
    return {
      profileId,
      provider,
@@ -125,9 +156,9 @@ function buildProfileHealth(params: {
    };
  }

-  if (credential.type === "token") {
+  if (healthCredential.type === "token") {
    const eligibility = evaluateStoredCredentialEligibility({
-      credential,
+      credential: healthCredential,
      now,
    });
    if (!eligibility.eligible) {
@@ -143,8 +174,8 @@ function buildProfileHealth(params: {
        label,
      };
    }
-    const expiryState = resolveTokenExpiryState(credential.expires, now);
-    const expiresAt = expiryState === "valid" ? credential.expires : undefined;
+    const expiryState = resolveTokenExpiryState(healthCredential.expires, now);
+    const expiresAt = expiryState === "valid" ? healthCredential.expires : undefined;
    if (!expiresAt) {
      return {
        profileId,
@@ -171,7 +202,7 @@ function buildProfileHealth(params: {

  const effectiveCredential = resolveEffectiveOAuthCredential({
    profileId,
-    credential,
+    credential: healthCredential,
  });
  const oauthWarnAfterMs = Math.max(warnAfterMs, DEFAULT_OAUTH_REFRESH_MARGIN_MS);
  const { status: rawStatus, remainingMs } = resolveOAuthStatus(
--- a/src/commands/models/list.status-command.ts
+++ b/src/commands/models/list.status-command.ts
@@ -11,7 +11,7 @@ import {
  formatRemainingShort,
 } from "../../agents/auth-health.js";
 import { resolveAuthStorePathForDisplay } from "../../agents/auth-profiles/paths.js";
-import { ensureAuthProfileStore } from "../../agents/auth-profiles/store.js";
+import { ensureAuthProfileStoreWithoutExternalProfiles as ensureAuthProfileStore } from "../../agents/auth-profiles/store.js";
 import { resolveProfileUnusableUntilForDisplay } from "../../agents/auth-profiles/usage.js";
 import { resolveProviderEnvApiKeyCandidates } from "../../agents/model-auth-env-vars.js";
 import { resolveEnvApiKey } from "../../agents/model-auth.js";
--- a/src/commands/models/list.status.test.ts
+++ b/src/commands/models/list.status.test.ts
@@ -43,7 +43,6 @@ const mocks = vi.hoisted(() => {
    resolveAgentModelFallbacksOverride: vi.fn().mockReturnValue(undefined),
    listAgentIds: vi.fn().mockReturnValue(["main", "jeremiah"]),
    ensureAuthProfileStore: vi.fn().mockReturnValue(store),
-    ensureAuthProfileStoreWithoutExternalProfiles: vi.fn().mockReturnValue(store),
    listProfilesForProvider: vi.fn((s: typeof store, provider: string) => {
      return Object.entries(s.profiles)
        .filter(([, cred]) => cred.provider === provider)
@@ -147,8 +146,7 @@ vi.mock("../../agents/auth-profiles/profiles.js", () => ({
 }));
 vi.mock("../../agents/auth-profiles/store.js", () => ({
  ensureAuthProfileStore: mocks.ensureAuthProfileStore,
-  ensureAuthProfileStoreWithoutExternalProfiles:
-    mocks.ensureAuthProfileStoreWithoutExternalProfiles,
+  ensureAuthProfileStoreWithoutExternalProfiles: mocks.ensureAuthProfileStore,
 }));
 vi.mock("../../agents/auth-profiles/usage.js", () => ({
  resolveProfileUnusableUntilForDisplay: mocks.resolveProfileUnusableUntilForDisplay,
@@ -287,7 +285,6 @@ describe("modelsStatusCommand auth overview", () => {

    expect(mocks.resolveOpenClawAgentDir).toHaveBeenCalled();
    expect(mocks.ensureAuthProfileStore).toHaveBeenCalled();
-    expect(mocks.ensureAuthProfileStoreWithoutExternalProfiles).not.toHaveBeenCalled();
    expect(payload.defaultModel).toBe("anthropic/claude-opus-4-6");
    expect(payload.configPath).toBe("/tmp/openclaw-dev/openclaw.json");
    expect(payload.auth.storePath).toBe("/tmp/openclaw-agent/auth-profiles.json");