From ad27e0069db09c277830da2712846fa5b41af22e Mon Sep 17 00:00:00 2001 From: Neerav Makwana <261249544+neeravmakwana@users.noreply.github.com> Date: Fri, 24 Apr 2026 21:40:07 -0400 Subject: [PATCH] fix(models): avoid externalizing Claude CLI auth --- extensions/anthropic/index.test.ts | 27 ------------- extensions/anthropic/openclaw.plugin.json | 1 - extensions/anthropic/register.runtime.ts | 21 ---------- src/agents/auth-health.test.ts | 46 ++++++++++++++++++++-- src/agents/auth-health.ts | 45 +++++++++++++++++---- src/commands/models/list.status-command.ts | 2 +- src/commands/models/list.status.test.ts | 5 +-- 7 files changed, 82 insertions(+), 65 deletions(-) diff --git a/extensions/anthropic/index.test.ts b/extensions/anthropic/index.test.ts index 79a49852b79..f7df1c72bad 100644 --- a/extensions/anthropic/index.test.ts +++ b/extensions/anthropic/index.test.ts @@ -332,33 +332,6 @@ describe("anthropic provider replay hooks", () => { }); }); - it("exposes Claude CLI auth as a runtime-only external profile", async () => { - readClaudeCliCredentialsForRuntimeMock.mockReset(); - readClaudeCliCredentialsForRuntimeMock.mockReturnValue({ - type: "oauth", - provider: "anthropic", - access: "fresh-cli-access", - refresh: "fresh-cli-refresh", - expires: 123, - }); - - const provider = await registerSingleProviderPlugin(anthropicPlugin); - - expect(provider.resolveExternalAuthProfiles?.({} as never)).toEqual([ - { - profileId: "anthropic:claude-cli", - credential: { - type: "oauth", - provider: "claude-cli", - access: "fresh-cli-access", - refresh: "fresh-cli-refresh", - expires: 123, - }, - persistence: "runtime-only", - }, - ]); - }); - it("stores a claude-cli auth profile during anthropic cli migration", async () => { readClaudeCliCredentialsForSetupMock.mockReset(); readClaudeCliCredentialsForSetupMock.mockReturnValue({ diff --git a/extensions/anthropic/openclaw.plugin.json b/extensions/anthropic/openclaw.plugin.json index 93ae2875e32..27ba950e472 100644 --- a/extensions/anthropic/openclaw.plugin.json +++ b/extensions/anthropic/openclaw.plugin.json @@ -49,7 +49,6 @@ } ], "contracts": { - "externalAuthProviders": ["claude-cli"], "mediaUnderstandingProviders": ["anthropic"] }, "mediaUnderstandingProviderMetadata": { diff --git a/extensions/anthropic/register.runtime.ts b/extensions/anthropic/register.runtime.ts index 3896319df62..3e5b2074d4a 100644 --- a/extensions/anthropic/register.runtime.ts +++ b/extensions/anthropic/register.runtime.ts @@ -422,26 +422,6 @@ function resolveClaudeCliSyntheticAuth() { }; } -function resolveClaudeCliExternalAuthProfiles() { - const credential = claudeCliAuth.readClaudeCliCredentialsForRuntime(); - if (!credential || credential.type !== "oauth") { - return []; - } - return [ - { - profileId: "anthropic:claude-cli", - credential: { - type: "oauth" as const, - provider: CLAUDE_CLI_BACKEND_ID, - access: credential.access, - refresh: credential.refresh, - expires: credential.expires, - }, - persistence: "runtime-only" as const, - }, - ]; -} - async function runAnthropicCliMigration(ctx: ProviderAuthContext): Promise { const credential = claudeCliAuth.readClaudeCliCredentialsForSetup(); if (!credential) { @@ -607,7 +587,6 @@ export function buildAnthropicProvider(): ProviderPlugin { normalizeLowercaseStringOrEmpty(provider) === CLAUDE_CLI_BACKEND_ID ? resolveClaudeCliSyntheticAuth() : undefined, - resolveExternalAuthProfiles: () => resolveClaudeCliExternalAuthProfiles(), buildReplayPolicy: buildAnthropicReplayPolicy, isModernModelRef: ({ modelId }) => matchesAnthropicModernModel(modelId), resolveReasoningOutputMode: () => "native", diff --git a/src/agents/auth-health.test.ts b/src/agents/auth-health.test.ts index 830af5aad1c..4fbbe62e245 100644 --- a/src/agents/auth-health.test.ts +++ b/src/agents/auth-health.test.ts @@ -1,12 +1,16 @@ import { afterEach, beforeEach, describe, expect, it, vi } from "vitest"; import type { OAuthCredential } from "./auth-profiles/types.js"; +import type { ClaudeCliCredential } from "./cli-credentials.js"; -const { readCodexCliCredentialsCachedMock } = vi.hoisted(() => ({ - readCodexCliCredentialsCachedMock: vi.fn<() => OAuthCredential | null>(() => null), -})); +const { readClaudeCliCredentialsCachedMock, readCodexCliCredentialsCachedMock } = vi.hoisted( + () => ({ + readClaudeCliCredentialsCachedMock: vi.fn<() => ClaudeCliCredential | null>(() => null), + readCodexCliCredentialsCachedMock: vi.fn<() => OAuthCredential | null>(() => null), + }), +); vi.mock("./cli-credentials.js", () => ({ - readClaudeCliCredentialsCached: () => null, + readClaudeCliCredentialsCached: readClaudeCliCredentialsCachedMock, readCodexCliCredentialsCached: readCodexCliCredentialsCachedMock, readMiniMaxCliCredentialsCached: () => null, resetCliCredentialCachesForTest: () => undefined, @@ -59,6 +63,8 @@ describe("buildAuthHealthSummary", () => { }); beforeEach(() => { + readClaudeCliCredentialsCachedMock.mockReset(); + readClaudeCliCredentialsCachedMock.mockReturnValue(null); readCodexCliCredentialsCachedMock.mockReset(); readCodexCliCredentialsCachedMock.mockReturnValue(null); }); @@ -138,6 +144,38 @@ describe("buildAuthHealthSummary", () => { expect(statuses["google:no-refresh"]).toBe("expired"); }); + it("uses fresh Claude CLI OAuth credentials for claude-cli profile health", () => { + vi.spyOn(Date, "now").mockReturnValue(now); + readClaudeCliCredentialsCachedMock.mockReturnValue({ + type: "oauth", + provider: "anthropic", + access: "fresh-cli-access", + refresh: "fresh-cli-refresh", + expires: now + DEFAULT_OAUTH_WARN_MS + 60_000, + }); + const store = { + version: 1, + profiles: { + "anthropic:claude-cli": { + type: "oauth" as const, + provider: "claude-cli", + access: "stale-access", + refresh: "stale-refresh", + expires: now - 10_000, + }, + }, + }; + + const summary = buildAuthHealthSummary({ + store, + warnAfterMs: DEFAULT_OAUTH_WARN_MS, + }); + + const profile = summary.profiles.find((entry) => entry.profileId === "anthropic:claude-cli"); + expect(profile?.status).toBe("ok"); + expect(profile?.expiresAt).toBe(now + DEFAULT_OAUTH_WARN_MS + 60_000); + }); + it("does not let fresh .codex state override expired canonical health", () => { vi.spyOn(Date, "now").mockReturnValue(now); mockFreshCodexCliCredentials(); diff --git a/src/agents/auth-health.ts b/src/agents/auth-health.ts index da68d8c75e6..fbd7c581487 100644 --- a/src/agents/auth-health.ts +++ b/src/agents/auth-health.ts @@ -1,4 +1,5 @@ import type { OpenClawConfig } from "../config/types.openclaw.js"; +import { CLAUDE_CLI_PROFILE_ID } from "./auth-profiles/constants.js"; import { DEFAULT_OAUTH_REFRESH_MARGIN_MS, type AuthCredentialReasonCode, @@ -8,6 +9,7 @@ import { import { resolveAuthProfileDisplayLabel } from "./auth-profiles/display.js"; import { resolveEffectiveOAuthCredential } from "./auth-profiles/effective-oauth.js"; import type { AuthProfileCredential, AuthProfileStore } from "./auth-profiles/types.js"; +import { readClaudeCliCredentialsCached } from "./cli-credentials.js"; import { normalizeProviderId } from "./provider-id.js"; export type AuthProfileSource = "store"; @@ -101,6 +103,34 @@ function resolveOAuthStatus( return { status: "ok", remainingMs }; } +function resolveClaudeCliStatusCredential(params: { + profileId: string; + credential: AuthProfileCredential; +}): AuthProfileCredential { + if (params.profileId !== CLAUDE_CLI_PROFILE_ID) { + return params.credential; + } + const cliCredential = readClaudeCliCredentialsCached({ allowKeychainPrompt: false }); + if (!cliCredential) { + return params.credential; + } + if (cliCredential.type === "oauth") { + return { + type: "oauth", + provider: params.credential.provider, + access: cliCredential.access, + refresh: cliCredential.refresh, + expires: cliCredential.expires, + }; + } + return { + type: "token", + provider: params.credential.provider, + token: cliCredential.token, + expires: cliCredential.expires, + }; +} + function buildProfileHealth(params: { profileId: string; credential: AuthProfileCredential; @@ -112,9 +142,10 @@ function buildProfileHealth(params: { const { profileId, credential, store, cfg, now, warnAfterMs } = params; const label = resolveAuthProfileDisplayLabel({ cfg, store, profileId }); const source = resolveAuthProfileSource(profileId); - const provider = normalizeProviderId(credential.provider); + const healthCredential = resolveClaudeCliStatusCredential({ profileId, credential }); + const provider = normalizeProviderId(healthCredential.provider); - if (credential.type === "api_key") { + if (healthCredential.type === "api_key") { return { profileId, provider, @@ -125,9 +156,9 @@ function buildProfileHealth(params: { }; } - if (credential.type === "token") { + if (healthCredential.type === "token") { const eligibility = evaluateStoredCredentialEligibility({ - credential, + credential: healthCredential, now, }); if (!eligibility.eligible) { @@ -143,8 +174,8 @@ function buildProfileHealth(params: { label, }; } - const expiryState = resolveTokenExpiryState(credential.expires, now); - const expiresAt = expiryState === "valid" ? credential.expires : undefined; + const expiryState = resolveTokenExpiryState(healthCredential.expires, now); + const expiresAt = expiryState === "valid" ? healthCredential.expires : undefined; if (!expiresAt) { return { profileId, @@ -171,7 +202,7 @@ function buildProfileHealth(params: { const effectiveCredential = resolveEffectiveOAuthCredential({ profileId, - credential, + credential: healthCredential, }); const oauthWarnAfterMs = Math.max(warnAfterMs, DEFAULT_OAUTH_REFRESH_MARGIN_MS); const { status: rawStatus, remainingMs } = resolveOAuthStatus( diff --git a/src/commands/models/list.status-command.ts b/src/commands/models/list.status-command.ts index db30426f33b..ed5ac8b1ad9 100644 --- a/src/commands/models/list.status-command.ts +++ b/src/commands/models/list.status-command.ts @@ -11,7 +11,7 @@ import { formatRemainingShort, } from "../../agents/auth-health.js"; import { resolveAuthStorePathForDisplay } from "../../agents/auth-profiles/paths.js"; -import { ensureAuthProfileStore } from "../../agents/auth-profiles/store.js"; +import { ensureAuthProfileStoreWithoutExternalProfiles as ensureAuthProfileStore } from "../../agents/auth-profiles/store.js"; import { resolveProfileUnusableUntilForDisplay } from "../../agents/auth-profiles/usage.js"; import { resolveProviderEnvApiKeyCandidates } from "../../agents/model-auth-env-vars.js"; import { resolveEnvApiKey } from "../../agents/model-auth.js"; diff --git a/src/commands/models/list.status.test.ts b/src/commands/models/list.status.test.ts index 85de69c5d0a..bcda666929e 100644 --- a/src/commands/models/list.status.test.ts +++ b/src/commands/models/list.status.test.ts @@ -43,7 +43,6 @@ const mocks = vi.hoisted(() => { resolveAgentModelFallbacksOverride: vi.fn().mockReturnValue(undefined), listAgentIds: vi.fn().mockReturnValue(["main", "jeremiah"]), ensureAuthProfileStore: vi.fn().mockReturnValue(store), - ensureAuthProfileStoreWithoutExternalProfiles: vi.fn().mockReturnValue(store), listProfilesForProvider: vi.fn((s: typeof store, provider: string) => { return Object.entries(s.profiles) .filter(([, cred]) => cred.provider === provider) @@ -147,8 +146,7 @@ vi.mock("../../agents/auth-profiles/profiles.js", () => ({ })); vi.mock("../../agents/auth-profiles/store.js", () => ({ ensureAuthProfileStore: mocks.ensureAuthProfileStore, - ensureAuthProfileStoreWithoutExternalProfiles: - mocks.ensureAuthProfileStoreWithoutExternalProfiles, + ensureAuthProfileStoreWithoutExternalProfiles: mocks.ensureAuthProfileStore, })); vi.mock("../../agents/auth-profiles/usage.js", () => ({ resolveProfileUnusableUntilForDisplay: mocks.resolveProfileUnusableUntilForDisplay, @@ -287,7 +285,6 @@ describe("modelsStatusCommand auth overview", () => { expect(mocks.resolveOpenClawAgentDir).toHaveBeenCalled(); expect(mocks.ensureAuthProfileStore).toHaveBeenCalled(); - expect(mocks.ensureAuthProfileStoreWithoutExternalProfiles).not.toHaveBeenCalled(); expect(payload.defaultModel).toBe("anthropic/claude-opus-4-6"); expect(payload.configPath).toBe("/tmp/openclaw-dev/openclaw.json"); expect(payload.auth.storePath).toBe("/tmp/openclaw-agent/auth-profiles.json");