Summary
Clawpatch's Claude provider currently runs the claude binary in an isolated temporary HOME / XDG environment and forwards only a narrow set of API/provider auth env vars. That prevents normal Claude Code OAuth login state from being used.
For local developer usage, this means clawpatch --provider claude ... can fail even when the user's normal claude binary is installed and intended to use Claude Code OAuth/subscription usage.
Observed behavior
The installed Clawpatch 0.7.0 Claude provider:
- creates a temp dir for each Claude invocation
- sets:
HOME=<tmp>/home
XDG_CONFIG_HOME=<tmp>/xdg-config
XDG_CACHE_HOME=<tmp>/xdg-cache
XDG_DATA_HOME=<tmp>/xdg-data
- runs with
replaceEnv: true
- forwards only selected auth env vars such as
ANTHROPIC_API_KEY, ANTHROPIC_AUTH_TOKEN, Vertex/Bedrock/AWS vars
When no API-token env var is present, Claude Code starts inside that isolated home with no OAuth login state.
A minimal reproduction with the same structured-output style produced:
Not logged in · Please run /login
error: authentication_failed
apiKeySource: none
Clawpatch then surfaced a weaker error shape like:
claude provider failed: type=result; subtype=success; terminal_reason=completed
Expected behavior
For normal local usage, Clawpatch should be able to run the configured Claude Code binary as-is, preserving the caller's normal auth/home environment, so Claude Code OAuth/subscription usage works without requiring ANTHROPIC_API_KEY or API credits.
Why this likely matters now
This isolation may have been defensive when there was concern that claude -p usage would be forced onto extra/API-credit billing. That billing direction appears to have changed, and for local users the desired behavior is now to let the normal Claude Code binary use its normal OAuth/subscription auth path.
Suggested fix
Add or change the Claude provider auth mode so local invocations can inherit the normal Claude Code environment:
- do not override
HOME / XDG auth/cache/data dirs for this mode
- do not require API-token env vars
- continue preserving Clawpatch's existing safety flags:
--no-session-persistence
--strict-mcp-config
- empty MCP config
--disable-slash-commands
--no-chrome
- read-only tools for read-only operations
If CI isolation is still desired, a clean split could be:
- local/default: inherit normal Claude Code binary environment
- CI/isolated: current temp-home/env-token mode
Also useful: include top-level Claude envelope fields like error, is_error, and result in failure extraction so auth failures report authentication_failed / Not logged in directly.
Summary
Clawpatch's Claude provider currently runs the
claudebinary in an isolated temporaryHOME/ XDG environment and forwards only a narrow set of API/provider auth env vars. That prevents normal Claude Code OAuth login state from being used.For local developer usage, this means
clawpatch --provider claude ...can fail even when the user's normalclaudebinary is installed and intended to use Claude Code OAuth/subscription usage.Observed behavior
The installed Clawpatch 0.7.0 Claude provider:
HOME=<tmp>/homeXDG_CONFIG_HOME=<tmp>/xdg-configXDG_CACHE_HOME=<tmp>/xdg-cacheXDG_DATA_HOME=<tmp>/xdg-datareplaceEnv: trueANTHROPIC_API_KEY,ANTHROPIC_AUTH_TOKEN, Vertex/Bedrock/AWS varsWhen no API-token env var is present, Claude Code starts inside that isolated home with no OAuth login state.
A minimal reproduction with the same structured-output style produced:
Clawpatch then surfaced a weaker error shape like:
Expected behavior
For normal local usage, Clawpatch should be able to run the configured Claude Code binary as-is, preserving the caller's normal auth/home environment, so Claude Code OAuth/subscription usage works without requiring
ANTHROPIC_API_KEYor API credits.Why this likely matters now
This isolation may have been defensive when there was concern that
claude -pusage would be forced onto extra/API-credit billing. That billing direction appears to have changed, and for local users the desired behavior is now to let the normal Claude Code binary use its normal OAuth/subscription auth path.Suggested fix
Add or change the Claude provider auth mode so local invocations can inherit the normal Claude Code environment:
HOME/ XDG auth/cache/data dirs for this mode--no-session-persistence--strict-mcp-config--disable-slash-commands--no-chromeIf CI isolation is still desired, a clean split could be:
Also useful: include top-level Claude envelope fields like
error,is_error, andresultin failure extraction so auth failures reportauthentication_failed/Not logged indirectly.