auto-claude: 219-investigate-and-fix-authentication-subscription-sy (#1810)

* auto-claude: subtask-1-1 - Add debug logging to setupProcessEnvironment() and spawnProcess()

Add debugLog traces in agent-process.ts to track CLAUDE_CONFIG_DIR,
CLAUDE_CODE_OAUTH_TOKEN, and ANTHROPIC_API_KEY values at each stage of
the environment merge chain (profile result, extraEnv, oauthModeClearVars,
apiProfileEnv, and final merged env). Uses debugLog from debug-logger
so output only appears when DEBUG=true.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* auto-claude: subtask-1-2 - Add debug logging to getBestAvailableProfileEnv()

Add DEBUG-gated logging to getBestAvailableProfileEnv() and
ensureCleanProfileEnv() to trace profile environment construction
and verify CLAUDE_CONFIG_DIR survives the clean step.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* auto-claude: subtask-1-3 - Add diagnostic logging to profile manager initialization

Add logging to initialize() and populateSubscriptionMetadata() to verify
subscription metadata is correctly populated on startup for profiles with configDir.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* auto-claude: subtask-2-1 - Fix setupProcessEnvironment() in agent-process.ts

- Add warning when profileEnv lacks CLAUDE_CONFIG_DIR (profile has no configDir)
- Clear CLAUDE_CODE_OAUTH_TOKEN from spawn env when profile provides
  CLAUDE_CONFIG_DIR, matching the terminal pattern where configDir is preferred
  over direct token injection
- Profile env is spread last in merge chain to ensure CLAUDE_CONFIG_DIR
  cannot be overwritten by extraEnv or augmentedEnv

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* auto-claude: subtask-2-2 - Harden getBestAvailableProfileEnv() and ensureCleanProfileEnv()

- Clear ANTHROPIC_API_KEY in ensureCleanProfileEnv() when CLAUDE_CONFIG_DIR is set,
  preventing shell env API keys from overriding config dir credentials
- Add fallback warning when profile env is empty to aid debugging misconfigured profiles
- Update JSDoc to document the new behavior

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* auto-claude: subtask-2-3 - Handle edge case in getActiveProfileEnv() for profiles without configDir

Add Keychain token fallback when profile.configDir is missing. Retrieves
CLAUDE_CODE_OAUTH_TOKEN directly from Keychain and injects it into the
environment, with warnings about degraded subscription display.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* auto-claude: subtask-3-1 - Add diagnostic logging to auth.py's get_auth_token

Add DEBUG-gated logging to get_auth_token() and configure_sdk_authentication()
to trace which auth method is used (env var, config dir, or Keychain).
Logs presence/absence of auth env vars and CLAUDE_CONFIG_DIR without
exposing actual token values.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* auto-claude: subtask-4-1 - Add CLAUDE_CONFIG_DIR propagation tests to agent-process.test.ts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* auto-claude: subtask-4-2 - Add ensureCleanProfileEnv tests to rate-limit-detector

Add comprehensive tests for ensureCleanProfileEnv verifying it preserves
CLAUDE_CONFIG_DIR while clearing CLAUDE_CODE_OAUTH_TOKEN and ANTHROPIC_API_KEY.
Includes edge case tests for empty env, empty string config dir, and immutability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* Address PR review findings: fix asymmetric auth fallback, standardize logging, fix token clearing

- Add Keychain fallback to getProfileEnv() for profiles without configDir,
  matching the existing fallback in getActiveProfileEnv() (fixes auth failure
  when rate-limit detector swaps to a profile lacking configDir)
- Replace inline `if (process.env.DEBUG === 'true')` checks with debugLog()
  utility in rate-limit-detector.ts for consistency with agent-process.ts
- Gate verbose per-profile console.log/warn calls behind debugLog() in
  claude-profile-manager.ts to reduce production log noise
- Change `delete mergedEnv.CLAUDE_CODE_OAUTH_TOKEN` to empty string assignment
  in agent-process.ts to match ensureCleanProfileEnv() semantics

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Andy
2026-02-13 14:59:40 +01:00
committed by GitHub
parent f735f0b49b
commit 6204d5fc2b
6 changed files with 488 additions and 39 deletions
+54 -7
View File
@@ -694,10 +694,25 @@ def get_auth_token(config_dir: str | None = None) -> str | None:
Returns:
Token string if found, None otherwise
"""
_debug = os.environ.get("DEBUG", "").lower() in ("true", "1")
if _debug:
# Log which auth env vars are set (presence only, never values)
set_vars = [v for v in AUTH_TOKEN_ENV_VARS if os.environ.get(v)]
logger.info(
"[Auth] get_auth_token() called — config_dir param=%s, "
"env vars present: %s, CLAUDE_CONFIG_DIR env=%s",
repr(config_dir),
set_vars or "(none)",
"set" if os.environ.get("CLAUDE_CONFIG_DIR") else "unset",
)
# First check environment variables (highest priority)
for var in AUTH_TOKEN_ENV_VARS:
token = os.environ.get(var)
if token:
if _debug:
logger.info("[Auth] Token resolved from env var: %s", var)
return _try_decrypt_token(token)
# Check CLAUDE_CONFIG_DIR environment variable (profile's custom config directory)
@@ -705,12 +720,13 @@ def get_auth_token(config_dir: str | None = None) -> str | None:
effective_config_dir = config_dir or env_config_dir
# Debug: Log which config_dir is being used for credential resolution
debug = os.environ.get("DEBUG", "").lower() in ("true", "1")
if debug and effective_config_dir:
if _debug and effective_config_dir:
service_name = _get_keychain_service_name(effective_config_dir)
logger.info(
f"[Auth] Resolving credentials for profile config_dir: {effective_config_dir} "
f"(Keychain service: {service_name})"
"[Auth] Resolving credentials for profile config_dir: %s "
"(Keychain service: %s)",
effective_config_dir,
service_name,
)
# If a custom config directory is specified, read from there first
@@ -718,24 +734,37 @@ def get_auth_token(config_dir: str | None = None) -> str | None:
# Try reading from .credentials.json file in the config directory
token = _get_token_from_config_dir(effective_config_dir)
if token:
if _debug:
logger.info(
"[Auth] Token resolved from config dir file: %s",
effective_config_dir,
)
return _try_decrypt_token(token)
# Also try the system credential store with hash-based service name
# This is needed because macOS stores credentials in Keychain, not files
token = get_token_from_keychain(effective_config_dir)
if token:
if _debug:
logger.info("[Auth] Token resolved from Keychain (profile-specific)")
return _try_decrypt_token(token)
# If config_dir was explicitly provided, DON'T fall back to default keychain
# - that would return the wrong profile's token
logger.debug(
f"No credentials found for config_dir '{effective_config_dir}' "
"in file or keychain"
"No credentials found for config_dir '%s' in file or keychain",
effective_config_dir,
)
return None
# No config_dir specified - use default system credential store
return _try_decrypt_token(get_token_from_keychain())
keychain_token = get_token_from_keychain()
if _debug:
logger.info(
"[Auth] Token resolved from default Keychain: %s",
"found" if keychain_token else "not found",
)
return _try_decrypt_token(keychain_token)
def get_auth_token_source(config_dir: str | None = None) -> str | None:
@@ -970,8 +999,18 @@ def configure_sdk_authentication(config_dir: str | None = None) -> None:
- API profile mode: requires ANTHROPIC_AUTH_TOKEN
- OAuth mode: requires CLAUDE_CODE_OAUTH_TOKEN (from Keychain or env)
"""
_debug = os.environ.get("DEBUG", "").lower() in ("true", "1")
api_profile_mode = bool(os.environ.get("ANTHROPIC_BASE_URL", "").strip())
if _debug:
logger.info(
"[Auth] configure_sdk_authentication() — mode=%s, config_dir=%s, "
"CLAUDE_CONFIG_DIR env=%s",
"api_profile" if api_profile_mode else "oauth",
repr(config_dir),
"set" if os.environ.get("CLAUDE_CONFIG_DIR") else "unset",
)
if api_profile_mode:
# API profile mode: ensure ANTHROPIC_AUTH_TOKEN is present
if not os.environ.get("ANTHROPIC_AUTH_TOKEN"):
@@ -999,6 +1038,14 @@ def configure_sdk_authentication(config_dir: str | None = None) -> None:
os.environ["CLAUDE_CODE_OAUTH_TOKEN"] = oauth_token
logger.info("Using OAuth authentication")
if _debug:
logger.info(
"[Auth] SDK env check — CLAUDE_CONFIG_DIR=%s, "
"CLAUDE_CODE_OAUTH_TOKEN=%s",
"set" if os.environ.get("CLAUDE_CONFIG_DIR") else "unset",
"set" if os.environ.get("CLAUDE_CODE_OAUTH_TOKEN") else "unset",
)
def ensure_claude_code_oauth_token() -> None:
"""
@@ -1012,3 +1012,115 @@ Please add credits to continue.`;
});
});
});
describe('ensureCleanProfileEnv', () => {
beforeEach(() => {
vi.resetModules();
});
afterEach(() => {
vi.clearAllMocks();
});
describe('with CLAUDE_CONFIG_DIR set', () => {
it('should preserve CLAUDE_CONFIG_DIR while clearing CLAUDE_CODE_OAUTH_TOKEN', async () => {
const { ensureCleanProfileEnv } = await import('../rate-limit-detector');
const env = {
CLAUDE_CONFIG_DIR: '/tmp/profile-1',
CLAUDE_CODE_OAUTH_TOKEN: 'oauth-token-123',
ANTHROPIC_API_KEY: 'sk-ant-key-456'
};
const result = ensureCleanProfileEnv(env);
expect(result.CLAUDE_CONFIG_DIR).toBe('/tmp/profile-1');
expect(result.CLAUDE_CODE_OAUTH_TOKEN).toBe('');
expect(result.ANTHROPIC_API_KEY).toBe('');
});
it('should preserve other environment variables', async () => {
const { ensureCleanProfileEnv } = await import('../rate-limit-detector');
const env = {
CLAUDE_CONFIG_DIR: '/tmp/profile-1',
CLAUDE_CODE_OAUTH_TOKEN: 'token',
ANTHROPIC_API_KEY: 'key',
SOME_OTHER_VAR: 'value'
};
const result = ensureCleanProfileEnv(env);
expect(result.CLAUDE_CONFIG_DIR).toBe('/tmp/profile-1');
expect(result.SOME_OTHER_VAR).toBe('value');
expect(result.CLAUDE_CODE_OAUTH_TOKEN).toBe('');
expect(result.ANTHROPIC_API_KEY).toBe('');
});
it('should clear tokens even if they are not present in input', async () => {
const { ensureCleanProfileEnv } = await import('../rate-limit-detector');
const env = {
CLAUDE_CONFIG_DIR: '/tmp/profile-1'
};
const result = ensureCleanProfileEnv(env);
expect(result.CLAUDE_CONFIG_DIR).toBe('/tmp/profile-1');
expect(result.CLAUDE_CODE_OAUTH_TOKEN).toBe('');
expect(result.ANTHROPIC_API_KEY).toBe('');
});
});
describe('without CLAUDE_CONFIG_DIR', () => {
it('should return env unchanged when CLAUDE_CONFIG_DIR is not set', async () => {
const { ensureCleanProfileEnv } = await import('../rate-limit-detector');
const env = {
CLAUDE_CODE_OAUTH_TOKEN: 'oauth-token-123',
ANTHROPIC_API_KEY: 'sk-ant-key-456'
};
const result = ensureCleanProfileEnv(env);
expect(result).toEqual(env);
expect(result.CLAUDE_CODE_OAUTH_TOKEN).toBe('oauth-token-123');
expect(result.ANTHROPIC_API_KEY).toBe('sk-ant-key-456');
});
});
describe('edge cases', () => {
it('should handle empty profile env', async () => {
const { ensureCleanProfileEnv } = await import('../rate-limit-detector');
const result = ensureCleanProfileEnv({});
// Empty env has no CLAUDE_CONFIG_DIR, so should return as-is
expect(result).toEqual({});
});
it('should handle env with empty string CLAUDE_CONFIG_DIR', async () => {
const { ensureCleanProfileEnv } = await import('../rate-limit-detector');
const env = {
CLAUDE_CONFIG_DIR: '',
CLAUDE_CODE_OAUTH_TOKEN: 'token'
};
const result = ensureCleanProfileEnv(env);
// Empty string is falsy, so should not trigger clearing
expect(result.CLAUDE_CODE_OAUTH_TOKEN).toBe('token');
});
it('should return a new object when clearing (not mutate input)', async () => {
const { ensureCleanProfileEnv } = await import('../rate-limit-detector');
const env = {
CLAUDE_CONFIG_DIR: '/tmp/profile-1',
CLAUDE_CODE_OAUTH_TOKEN: 'token'
};
const result = ensureCleanProfileEnv(env);
// Original should not be mutated
expect(env.CLAUDE_CODE_OAUTH_TOKEN).toBe('token');
expect(result.CLAUDE_CODE_OAUTH_TOKEN).toBe('');
expect(result).not.toBe(env);
});
});
});
@@ -799,4 +799,127 @@ describe('AgentProcessManager - API Profile Env Injection (Story 2.3)', () => {
expect(envArg.GITHUB_CLI_PATH).toBe('/opt/homebrew/bin/gh');
});
});
describe('CLAUDE_CONFIG_DIR Propagation', () => {
let originalEnv: NodeJS.ProcessEnv;
beforeEach(() => {
originalEnv = { ...process.env };
delete process.env.CLAUDE_CONFIG_DIR;
});
afterEach(() => {
process.env = originalEnv;
});
it('should propagate CLAUDE_CONFIG_DIR from profile env in OAuth mode', async () => {
// OAuth mode - no active API profile
vi.mocked(profileService.getAPIProfileEnv).mockResolvedValue({});
// Profile provides CLAUDE_CONFIG_DIR (OAuth subscription profile)
vi.mocked(rateLimitDetector.getBestAvailableProfileEnv).mockReturnValue({
env: {
CLAUDE_CONFIG_DIR: '/home/user/.config/claude-profile-1',
CLAUDE_CODE_OAUTH_TOKEN: 'oauth-token-abc'
},
profileId: 'profile-1',
profileName: 'Profile 1',
wasSwapped: false
});
await processManager.spawnProcess('task-1', '/fake/cwd', ['run.py'], {}, 'task-execution');
expect(spawnCalls).toHaveLength(1);
const envArg = spawnCalls[0].options.env as Record<string, unknown>;
// CLAUDE_CONFIG_DIR should be present in spawn env
expect(envArg.CLAUDE_CONFIG_DIR).toBe('/home/user/.config/claude-profile-1');
});
it('should clear ANTHROPIC_API_KEY in OAuth mode with CLAUDE_CONFIG_DIR', async () => {
// Simulate stale ANTHROPIC_API_KEY in process.env
process.env.ANTHROPIC_API_KEY = 'sk-stale-key';
// OAuth mode - no active API profile
vi.mocked(profileService.getAPIProfileEnv).mockResolvedValue({});
// Profile provides CLAUDE_CONFIG_DIR
vi.mocked(rateLimitDetector.getBestAvailableProfileEnv).mockReturnValue({
env: {
CLAUDE_CONFIG_DIR: '/home/user/.config/claude-profile-2',
CLAUDE_CODE_OAUTH_TOKEN: 'oauth-token-def'
},
profileId: 'profile-2',
profileName: 'Profile 2',
wasSwapped: false
});
await processManager.spawnProcess('task-1', '/fake/cwd', ['run.py'], {}, 'task-execution');
expect(spawnCalls).toHaveLength(1);
const envArg = spawnCalls[0].options.env as Record<string, unknown>;
// ANTHROPIC_API_KEY should be cleared (empty string) in OAuth mode
expect(envArg.ANTHROPIC_API_KEY).toBe('');
// CLAUDE_CONFIG_DIR should still be set
expect(envArg.CLAUDE_CONFIG_DIR).toBe('/home/user/.config/claude-profile-2');
});
it('should pass ANTHROPIC_* vars without CLAUDE_CONFIG_DIR interference in API profile mode', async () => {
// API Profile mode - active profile with custom endpoint
const mockApiProfileEnv = {
ANTHROPIC_AUTH_TOKEN: 'sk-api-profile-key',
ANTHROPIC_BASE_URL: 'https://custom-api.example.com',
ANTHROPIC_MODEL: 'claude-sonnet-4-5-20250929'
};
vi.mocked(profileService.getAPIProfileEnv).mockResolvedValue(mockApiProfileEnv);
// Profile env without CLAUDE_CONFIG_DIR (API profile mode)
vi.mocked(rateLimitDetector.getBestAvailableProfileEnv).mockReturnValue({
env: {},
profileId: 'api-profile-1',
profileName: 'Custom API',
wasSwapped: false
});
await processManager.spawnProcess('task-1', '/fake/cwd', ['run.py'], {}, 'task-execution');
expect(spawnCalls).toHaveLength(1);
const envArg = spawnCalls[0].options.env as Record<string, unknown>;
// ANTHROPIC_* vars from API profile should be passed through
expect(envArg.ANTHROPIC_AUTH_TOKEN).toBe('sk-api-profile-key');
expect(envArg.ANTHROPIC_BASE_URL).toBe('https://custom-api.example.com');
expect(envArg.ANTHROPIC_MODEL).toBe('claude-sonnet-4-5-20250929');
// CLAUDE_CONFIG_DIR should NOT be present since profile didn't provide it
expect(envArg.CLAUDE_CONFIG_DIR).toBeUndefined();
});
it('should clear CLAUDE_CODE_OAUTH_TOKEN when CLAUDE_CONFIG_DIR is provided by profile', async () => {
// OAuth mode
vi.mocked(profileService.getAPIProfileEnv).mockResolvedValue({});
// Profile provides CLAUDE_CONFIG_DIR - agent should use config dir for auth
vi.mocked(rateLimitDetector.getBestAvailableProfileEnv).mockReturnValue({
env: {
CLAUDE_CONFIG_DIR: '/home/user/.config/claude-profile-3',
CLAUDE_CODE_OAUTH_TOKEN: 'oauth-token-ghi'
},
profileId: 'profile-3',
profileName: 'Profile 3',
wasSwapped: false
});
await processManager.spawnProcess('task-1', '/fake/cwd', ['run.py'], {}, 'task-execution');
expect(spawnCalls).toHaveLength(1);
const envArg = spawnCalls[0].options.env as Record<string, unknown>;
// When CLAUDE_CONFIG_DIR is present, CLAUDE_CODE_OAUTH_TOKEN should be cleared
// because Claude Code resolves auth from the config dir instead
expect(envArg.CLAUDE_CONFIG_DIR).toBe('/home/user/.config/claude-profile-3');
expect(envArg.CLAUDE_CODE_OAUTH_TOKEN).toBeFalsy();
});
});
});
+65 -1
View File
@@ -26,6 +26,7 @@ import { getOAuthModeClearVars } from './env-utils';
import { getAugmentedEnv } from '../env-utils';
import { getToolInfo, getClaudeCliPathForSdk } from '../cli-tool-manager';
import { killProcessGracefully, isWindows } from '../platform';
import { debugLog } from '../../shared/utils/debug-logger';
/**
* Type for supported CLI tools
@@ -178,6 +179,29 @@ export class AgentProcessManager {
// Get best available Claude profile environment (automatically handles rate limits)
const profileResult = getBestAvailableProfileEnv();
const profileEnv = profileResult.env;
debugLog('[AgentProcess:setupEnv] Profile result:', {
profileId: profileResult.profileId,
hasOAuthToken: !!profileEnv.CLAUDE_CODE_OAUTH_TOKEN,
hasApiKey: !!profileEnv.ANTHROPIC_API_KEY,
hasConfigDir: !!profileEnv.CLAUDE_CONFIG_DIR,
configDir: profileEnv.CLAUDE_CONFIG_DIR || '(not set)',
oauthTokenPrefix: profileEnv.CLAUDE_CODE_OAUTH_TOKEN?.substring(0, 8) || '(not set)',
apiKeyPrefix: profileEnv.ANTHROPIC_API_KEY?.substring(0, 8) || '(not set)',
});
// Warn if profile lacks CLAUDE_CONFIG_DIR - this means the profile has no configDir
// and subscription metadata may not propagate correctly to the agent subprocess
if (!profileEnv.CLAUDE_CONFIG_DIR) {
console.warn('[AgentProcess:setupEnv] WARNING: Profile env lacks CLAUDE_CONFIG_DIR - profile may not have a configDir set. Subscription metadata may not reach agent subprocess.');
}
debugLog('[AgentProcess:setupEnv] extraEnv auth keys:', {
hasOAuthToken: !!extraEnv.CLAUDE_CODE_OAUTH_TOKEN,
hasApiKey: !!extraEnv.ANTHROPIC_API_KEY,
hasConfigDir: !!extraEnv.CLAUDE_CONFIG_DIR,
});
// Use getAugmentedEnv() to ensure common tool paths (dotnet, homebrew, etc.)
// are available even when app is launched from Finder/Dock
const augmentedEnv = getAugmentedEnv();
@@ -205,7 +229,9 @@ export class AgentProcessManager {
const ghCliEnv = this.detectAndSetCliPath('gh');
const glabCliEnv = this.detectAndSetCliPath('glab');
return {
// Profile env is spread last to ensure CLAUDE_CONFIG_DIR and auth vars
// from the active profile always win over extraEnv or augmentedEnv.
const mergedEnv = {
...augmentedEnv,
...gitBashEnv,
...claudeCliEnv,
@@ -217,6 +243,29 @@ export class AgentProcessManager {
PYTHONIOENCODING: 'utf-8',
PYTHONUTF8: '1'
} as NodeJS.ProcessEnv;
// When the active profile provides CLAUDE_CONFIG_DIR, clear CLAUDE_CODE_OAUTH_TOKEN
// from the spawn environment. CLAUDE_CONFIG_DIR lets Claude Code resolve its own
// OAuth tokens from the config directory, making an explicit token unnecessary.
// This matches the terminal pattern in claude-integration-handler.ts where
// configDir is preferred over direct token injection.
// We check profileEnv specifically (not mergedEnv) to avoid clearing the token
// when CLAUDE_CONFIG_DIR comes from the shell environment rather than the profile.
if (profileEnv.CLAUDE_CONFIG_DIR) {
mergedEnv.CLAUDE_CODE_OAUTH_TOKEN = '';
debugLog('[AgentProcess:setupEnv] Profile provides CLAUDE_CONFIG_DIR, cleared CLAUDE_CODE_OAUTH_TOKEN from spawn env');
}
debugLog('[AgentProcess:setupEnv] Final merged env auth state:', {
hasOAuthToken: !!mergedEnv.CLAUDE_CODE_OAUTH_TOKEN,
hasApiKey: !!mergedEnv.ANTHROPIC_API_KEY,
hasConfigDir: !!mergedEnv.CLAUDE_CONFIG_DIR,
configDir: mergedEnv.CLAUDE_CONFIG_DIR || '(not set)',
oauthTokenPrefix: mergedEnv.CLAUDE_CODE_OAUTH_TOKEN?.substring(0, 8) || '(not set)',
apiKeyPrefix: mergedEnv.ANTHROPIC_API_KEY?.substring(0, 8) || '(not set)',
});
return mergedEnv;
}
private handleProcessFailure(
@@ -615,6 +664,21 @@ export class AgentProcessManager {
// Get OAuth mode clearing vars (clears stale ANTHROPIC_* vars when in OAuth mode)
const oauthModeClearVars = getOAuthModeClearVars(apiProfileEnv);
debugLog('[AgentProcess:spawnProcess] Environment merge chain for task:', taskId, {
baseEnv: {
hasOAuthToken: !!env.CLAUDE_CODE_OAUTH_TOKEN,
hasApiKey: !!env.ANTHROPIC_API_KEY,
hasConfigDir: !!env.CLAUDE_CONFIG_DIR,
configDir: env.CLAUDE_CONFIG_DIR || '(not set)',
},
oauthModeClearVars: Object.keys(oauthModeClearVars),
apiProfileEnv: {
hasApiKey: !!apiProfileEnv.ANTHROPIC_API_KEY,
hasBaseUrl: !!apiProfileEnv.ANTHROPIC_BASE_URL,
apiKeyPrefix: apiProfileEnv.ANTHROPIC_API_KEY?.substring(0, 8) || '(not set)',
},
});
// Parse Python commandto handle space-separated commands like "py -3"
const [pythonCommand, pythonBaseArgs] = parsePythonCommand(this.getPythonPath());
let childProcess;
@@ -56,6 +56,7 @@ import {
expandHomePath,
getEmailFromConfigDir
} from './claude-profile/profile-utils';
import { debugLog } from '../shared/utils/debug-logger';
/**
* Manages Claude Code profiles for multi-account support.
@@ -86,6 +87,8 @@ export class ClaudeProfileManager {
return;
}
console.log('[ClaudeProfileManager] Starting initialization...');
// Ensure directory exists (async) - mkdir with recursive:true is idempotent
await mkdir(this.configDir, { recursive: true });
@@ -93,6 +96,9 @@ export class ClaudeProfileManager {
const loadedData = await loadProfileStoreAsync(this.storePath);
if (loadedData) {
this.data = loadedData;
debugLog('[ClaudeProfileManager] Loaded profile store with', this.data.profiles.length, 'profiles');
} else {
debugLog('[ClaudeProfileManager] No existing profile store found, using defaults');
}
// Run one-time migration to fix corrupted emails
@@ -104,6 +110,7 @@ export class ClaudeProfileManager {
this.populateSubscriptionMetadata();
this.initialized = true;
console.log('[ClaudeProfileManager] Initialization complete');
}
/**
@@ -149,13 +156,20 @@ export class ClaudeProfileManager {
private populateSubscriptionMetadata(): void {
let needsSave = false;
debugLog('[ClaudeProfileManager] populateSubscriptionMetadata: checking', this.data.profiles.length, 'profiles');
for (const profile of this.data.profiles) {
if (!profile.configDir) {
debugLog('[ClaudeProfileManager] populateSubscriptionMetadata: skipping profile', profile.id, '(no configDir)');
continue;
}
// Skip if profile already has subscription metadata
if (profile.subscriptionType && profile.rateLimitTier) {
debugLog('[ClaudeProfileManager] populateSubscriptionMetadata: profile', profile.id, 'already has metadata:', {
subscriptionType: profile.subscriptionType,
rateLimitTier: profile.rateLimitTier
});
continue;
}
@@ -542,8 +556,27 @@ export class ClaudeProfileManager {
if (process.env.DEBUG === 'true') {
console.warn('[ClaudeProfileManager] Using CLAUDE_CONFIG_DIR for profile:', profile.name, expandedConfigDir);
}
} else {
console.warn('[ClaudeProfileManager] Profile has no configDir configured:', profile?.name);
} else if (profile) {
// Fallback: retrieve OAuth token directly from Keychain when configDir is missing.
// Without configDir, Claude CLI cannot resolve credentials automatically,
// so we inject CLAUDE_CODE_OAUTH_TOKEN as a direct override.
debugLog(
'[ClaudeProfileManager] Profile has no configDir configured:',
profile.name,
'- falling back to Keychain token lookup. Subscription display may be degraded.'
);
const credentials = getCredentialsFromKeychain(undefined, true);
if (credentials.token) {
env.CLAUDE_CODE_OAUTH_TOKEN = credentials.token;
debugLog('[ClaudeProfileManager] Injected CLAUDE_CODE_OAUTH_TOKEN from Keychain for profile:', profile.name);
} else {
debugLog(
'[ClaudeProfileManager] No token found in Keychain for profile without configDir:',
profile.name,
credentials.error ? `(error: ${credentials.error})` : ''
);
}
}
return env;
@@ -801,8 +834,26 @@ export class ClaudeProfileManager {
return {};
}
// If no configDir is defined, fall back to default
if (!profile.configDir) {
// Fallback: retrieve OAuth token directly from Keychain when configDir is missing.
// Without configDir, Claude CLI cannot resolve credentials automatically,
// so we inject CLAUDE_CODE_OAUTH_TOKEN as a direct override.
// This mirrors the fallback in getActiveProfileEnv().
debugLog(
'[ClaudeProfileManager] getProfileEnv: profile has no configDir:',
profile.name,
'- falling back to Keychain token lookup.'
);
const credentials = getCredentialsFromKeychain(undefined, true);
if (credentials.token) {
debugLog('[ClaudeProfileManager] getProfileEnv: injected CLAUDE_CODE_OAUTH_TOKEN from Keychain for profile:', profile.name);
return { CLAUDE_CODE_OAUTH_TOKEN: credentials.token };
}
debugLog(
'[ClaudeProfileManager] getProfileEnv: no token found in Keychain for profile without configDir:',
profile.name
);
return {};
}
+80 -28
View File
@@ -5,6 +5,7 @@
import { getClaudeProfileManager } from './claude-profile-manager';
import { getUsageMonitor } from './claude-profile/usage-monitor';
import { debugLog } from '../shared/utils/debug-logger';
/**
* Regex pattern to detect Claude Code rate limit messages
@@ -476,6 +477,14 @@ export function getBestAvailableProfileEnv(): BestProfileEnvResult {
const profileManager = getClaudeProfileManager();
const activeProfile = profileManager.getActiveProfile();
debugLog('[RateLimitDetector] getBestAvailableProfileEnv() called:', {
activeProfileId: activeProfile.id,
activeProfileName: activeProfile.name,
hasConfigDir: !!activeProfile.configDir,
configDir: activeProfile.configDir,
weeklyUsagePercent: activeProfile.usage?.weeklyUsagePercent,
});
// Check for explicit rate limit (from previous API errors)
const rateLimitStatus = profileManager.isProfileRateLimited(activeProfile.id);
@@ -492,28 +501,24 @@ export function getBestAvailableProfileEnv(): BestProfileEnvResult {
: undefined;
if (needsSwap) {
if (process.env.DEBUG === 'true') {
console.warn('[RateLimitDetector] Active profile needs swap:', {
activeProfile: activeProfile.name,
isRateLimited: rateLimitStatus.limited,
isAtCapacity,
weeklyUsage: activeProfile.usage?.weeklyUsagePercent,
limitType: rateLimitStatus.type,
resetAt: rateLimitStatus.resetAt
});
}
debugLog('[RateLimitDetector] Active profile needs swap:', {
activeProfile: activeProfile.name,
isRateLimited: rateLimitStatus.limited,
isAtCapacity,
weeklyUsage: activeProfile.usage?.weeklyUsagePercent,
limitType: rateLimitStatus.type,
resetAt: rateLimitStatus.resetAt
});
// Try to find a better profile
const bestProfile = profileManager.getBestAvailableProfile(activeProfile.id);
if (bestProfile) {
if (process.env.DEBUG === 'true') {
console.warn('[RateLimitDetector] Using alternative profile:', {
originalProfile: activeProfile.name,
alternativeProfile: bestProfile.name,
reason: swapReason
});
}
debugLog('[RateLimitDetector] Using alternative profile:', {
originalProfile: activeProfile.name,
alternativeProfile: bestProfile.name,
reason: swapReason
});
// Persist the swap by updating the active profile
// This ensures the UI reflects which account is actually being used
@@ -564,6 +569,14 @@ export function getBestAvailableProfileEnv(): BestProfileEnvResult {
const profileEnv = profileManager.getProfileEnv(bestProfile.id);
debugLog('[RateLimitDetector] Profile env for swapped profile:', {
profileId: bestProfile.id,
hasClaudeConfigDir: !!profileEnv.CLAUDE_CONFIG_DIR,
claudeConfigDir: profileEnv.CLAUDE_CONFIG_DIR,
hasOAuthToken: !!profileEnv.CLAUDE_CODE_OAUTH_TOKEN,
envKeys: Object.keys(profileEnv),
});
return {
env: ensureCleanProfileEnv(profileEnv),
profileId: bestProfile.id,
@@ -576,14 +589,21 @@ export function getBestAvailableProfileEnv(): BestProfileEnvResult {
}
};
} else {
if (process.env.DEBUG === 'true') {
console.warn('[RateLimitDetector] No alternative profile available, using rate-limited/at-capacity profile');
}
debugLog('[RateLimitDetector] No alternative profile available, using rate-limited/at-capacity profile');
}
}
// Use active profile (either it's fine, or no better alternative exists)
const activeEnv = profileManager.getActiveProfileEnv();
debugLog('[RateLimitDetector] Using active profile env (no swap):', {
profileId: activeProfile.id,
hasClaudeConfigDir: !!activeEnv.CLAUDE_CONFIG_DIR,
claudeConfigDir: activeEnv.CLAUDE_CONFIG_DIR,
hasOAuthToken: !!activeEnv.CLAUDE_CODE_OAUTH_TOKEN,
envKeys: Object.keys(activeEnv),
});
return {
env: ensureCleanProfileEnv(activeEnv),
profileId: activeProfile.id,
@@ -595,23 +615,55 @@ export function getBestAvailableProfileEnv(): BestProfileEnvResult {
/**
* Ensure the profile environment is clean for subprocess invocation.
*
* When CLAUDE_CONFIG_DIR is set, we MUST clear CLAUDE_CODE_OAUTH_TOKEN to prevent
* the Claude Agent SDK from using a hardcoded/cached token (e.g., from .env file)
* instead of reading fresh credentials from the specified config directory.
* When CLAUDE_CONFIG_DIR is set, we MUST clear both CLAUDE_CODE_OAUTH_TOKEN and
* ANTHROPIC_API_KEY to prevent the Claude Agent SDK from using hardcoded/cached
* tokens or API keys (e.g., from .env file or shell environment) instead of reading
* fresh credentials from the specified config directory.
*
* ANTHROPIC_API_KEY is cleared to prevent Claude Code from using API keys present
* in the shell environment, which would cause it to show "Claude API" instead of
* "Claude Max" and bypass the intended config dir credentials.
*
* This is critical for multi-account switching: when switching from a rate-limited
* account to an available one, the subprocess must use the new account's credentials.
*
* Also warns if the profile env is empty, which indicates a misconfigured profile.
*
* @param env - Profile environment from getProfileEnv() or getActiveProfileEnv()
* @returns Environment with CLAUDE_CODE_OAUTH_TOKEN cleared if CLAUDE_CONFIG_DIR is set
* @returns Environment with CLAUDE_CODE_OAUTH_TOKEN and ANTHROPIC_API_KEY cleared if CLAUDE_CONFIG_DIR is set
*/
function ensureCleanProfileEnv(env: Record<string, string>): Record<string, string> {
export function ensureCleanProfileEnv(env: Record<string, string>): Record<string, string> {
debugLog('[RateLimitDetector] ensureCleanProfileEnv() input:', {
hasClaudeConfigDir: !!env.CLAUDE_CONFIG_DIR,
claudeConfigDir: env.CLAUDE_CONFIG_DIR,
hasOAuthToken: !!env.CLAUDE_CODE_OAUTH_TOKEN,
willClearOAuthToken: !!env.CLAUDE_CONFIG_DIR,
willClearApiKey: !!env.CLAUDE_CONFIG_DIR,
});
// Warn if the profile environment is empty — this likely indicates a misconfigured profile
if (Object.keys(env).length === 0) {
console.warn('[RateLimitDetector] ensureCleanProfileEnv() received empty profile env — profile may be misconfigured');
}
if (env.CLAUDE_CONFIG_DIR) {
// Clear CLAUDE_CODE_OAUTH_TOKEN to ensure SDK uses credentials from CLAUDE_CONFIG_DIR
return {
// Clear CLAUDE_CODE_OAUTH_TOKEN and ANTHROPIC_API_KEY to ensure SDK uses credentials from CLAUDE_CONFIG_DIR
// ANTHROPIC_API_KEY must also be cleared to prevent Claude Code from using
// API keys that may be present in the shell environment instead of the config dir credentials.
const cleanedEnv = {
...env,
CLAUDE_CODE_OAUTH_TOKEN: ''
CLAUDE_CODE_OAUTH_TOKEN: '',
ANTHROPIC_API_KEY: ''
};
debugLog('[RateLimitDetector] ensureCleanProfileEnv() output:', {
claudeConfigDirPreserved: 'CLAUDE_CONFIG_DIR' in cleanedEnv,
claudeConfigDir: (cleanedEnv as Record<string, string>).CLAUDE_CONFIG_DIR,
oauthTokenCleared: cleanedEnv.CLAUDE_CODE_OAUTH_TOKEN === '',
envKeys: Object.keys(cleanedEnv),
});
return cleanedEnv;
}
return env;
}