Skip to content

feat(claude): add bounded host auth context#151

Merged
steipete merged 2 commits into
mainfrom
maint/claude-auth-context
Jul 1, 2026
Merged

feat(claude): add bounded host auth context#151
steipete merged 2 commits into
mainfrom
maint/claude-auth-context

Conversation

@steipete

@steipete steipete commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • keep the current isolated Claude path as the default
  • add explicit CLAWPATCH_CLAUDE_AUTH_CONTEXT=host for the configured Claude binary's login/setup-token context
  • use Claude Code --safe-mode instead of --bare in host mode while retaining the scrubbed allowlist env, temp XDG/cache/data dirs, strict empty MCP config, tool limits, disabled slash commands, and disabled browser integration
  • validate host-mode authentication with a minimal structured doctor query
  • classify the reported authentication_failed / is_error / not-logged-in envelope without echoing arbitrary result or error text

Closes #149.
Supersedes duplicate #150.

Security boundary

Host mode is opt-in and requires Claude Code 2.1.169+. It exposes only HOME/USERPROFILE, optional CLAUDE_CONFIG_DIR, the existing auth allowlist, and CLAUDE_CODE_OAUTH_TOKEN; it does not inherit the whole host environment. Unknown string errors remain redacted behind provider-error; only the exact public authentication_failed code is surfaced.

The implementation follows Claude Code's current primary contracts: bare mode skips OAuth/keychain reads, safe mode was introduced in 2.1.169, and credential locations plus setup-token behavior are documented here.

Proof

  • pnpm vitest run src/provider.test.ts — 136 passed
  • pnpm format:check
  • pnpm lint
  • pnpm typecheck
  • pnpm test
  • pnpm build
  • pnpm pack:smoke
  • built dist/cli.js host-mode doctor passed an executable boundary probe that asserted safe mode, no bare mode, strict MCP/slash isolation, host auth locator, temp XDG, OAuth-token forwarding, and no unrelated env leakage
  • built dist/cli.js against actual Claude Code 2.1.197 converted the current not-logged-in envelope into redacted provider-auth exit 4
  • autoreview: accepted and fixed one P1 token-shaped string-error leak; final branch re-review clean
  • Public Model Identifier Gate: pass; no model identifiers added or changed

Risk: medium — explicit auth-boundary opt-in, default behavior unchanged.

@steipete steipete requested a review from a team as a code owner July 1, 2026 06:42
@steipete steipete merged commit 87f0350 into main Jul 1, 2026
6 checks passed
@steipete

steipete commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Landed in 87f0350.

Exact-head proof for 5a1d68d:

  • focused provider tests: 136 passed
  • full test suite, typecheck, lint, format check, build, and package smoke passed
  • built host-mode doctor boundary probe verified safe mode, no bare mode, strict empty MCP/slash isolation, host auth locator, temp XDG, OAuth-token forwarding, and no unrelated env leakage
  • actual Claude Code 2.1.197 live negative control produced redacted not-logged-in and provider-auth exit 4
  • autoreview accepted one token-shaped string-error redaction finding; fixed in 5a1d68d; final branch re-review clean
  • Public Model Identifier Gate: pass; no model identifiers added or changed
  • CI: test, CodeQL, and Secret Scan succeeded

Canonical issue: #149. Duplicate #150 is closed as duplicate.

Jercik added a commit to Jercik/clawpatch that referenced this pull request Jul 5, 2026
Fork build on upstream 140b0ac carrying three local patches: 20-minute
Claude timeout, OpenCode --variant reasoning effort, and the dist/cli.js
executable-bit build step. Subscription auth now comes from upstream's
CLAWPATCH_CLAUDE_AUTH_CONTEXT=host (openclaw#151) instead of a fork patch.
Jercik added a commit to Jercik/clawpatch that referenced this pull request Jul 5, 2026
Fork build on upstream 140b0ac carrying four local patches: 20-minute
Claude timeout, OpenCode --variant reasoning effort, the dist/cli.js
executable-bit build step, and the USER keychain fix for host auth
context. Subscription auth now comes from upstream's
CLAWPATCH_CLAUDE_AUTH_CONTEXT=host (openclaw#151) instead of a fork patch.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Claude provider should use configured claude binary auth context by default

1 participant