feat(auth): user-selectable auth mode (subscription vs api_key) #109
Merged
George-iam merged 1 commit into main on Apr 17, 2026
Adds detection, persistent choice, and runtime enforcement of the credential Claude Code subprocesses use for LLM scanner/auditor work. Fixes "Credit balance is too low" and 401 authentication_error when users have both an empty-balance ANTHROPIC_API_KEY lingering in shell rc and an active Claude Code subscription — Claude Code prefers the env var over OAuth, so axme-code now deletes it from the spawn env when the user chose subscription mode.

- detectAuthOptions reports API key (masked) + subscription (macOS Keychain or ~/.claude/.credentials.json). No live API probe.
- User-level config at ~/.config/axme-code/auth.yaml (per machine, not per project — D-132).
- axme-code setup prompts once on first interactive run; stores choice. Non-TTY contexts skip prompt, fall back to heuristic without persisting.
- New subcommands: axme-code auth / auth status / auth use <mode> for re-detection and non-interactive override.
- buildAgentEnv() in agent-options.ts strips ANTHROPIC_API_KEY when mode=subscription; session-auditor and memory-extractor switched to share the same helper so auth behavior is consistent across every Claude Code subprocess we spawn.
- Tests: auth-detect (env handling, masking), auth-config (save/load roundtrip, corrupt YAML, unknown mode, HOME-based path).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
#!axme pr=none repo=AxmeAI/axme-code
George-iam added a commit that referenced this pull request Apr 17, 2026
Patch release with auth-mode selection (PR #109) and findClaudePath fallback (PR #110, B-009) + dependabot patches.

What's new since v0.2.8:

- User-selectable auth mode: setup detects subscription + API key, prompts choice, persists in ~/.config/axme-code/auth.yaml. When subscription chosen, ANTHROPIC_API_KEY removed from subprocess env. New commands: axme-code auth, auth status, auth use <mode>.
- findClaudePath resolver: 5-step lookup (env vars, which, standard paths, nvm glob) so users without global claude in PATH don't hit the fileURLToPath crash.
- Dep patches: hono 4.12.14, protobufjs 7.5.5 (lockfile only).

Files bumped: package.json, .claude-plugin/plugin.json, templates/plugin-README.md. CHANGELOG entry added.

Verified: 511/511 tests pass, tsc clean, npm run build clean.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary

- ANTHROPIC_API_KEY and ignores the user's active subscription (observed on macOS, produces Credit balance is too low / 401 authentication_error even though claude itself is logged in).
- ~/.config/axme-code/auth.yaml, and deletes ANTHROPIC_API_KEY from the subprocess env when mode is subscription (empty string is not enough — Claude Code treats that as "set").
- axme-code auth subcommand for re-detecting and re-choosing at any time; non-interactive variants auth status and auth use <mode> for scripts. D-132 records the storage + fallback contract.

User-facing changes

- axme-code setup prompts once (TTY-only) with a detection block showing each option and where we found it (env var with masked tail; macOS Keychain or ~/.claude/.credentials.json). Non-TTY setup silently uses the heuristic — no silently-persisted guess.
- axme-code auth — interactive re-detection and re-choice.
- axme-code auth status — show current mode + detected options.
- axme-code auth use subscription|api_key — non-interactive override.

Implementation notes

- src/utils/auth-detect.ts — pure detection, no API probe. Keychain check runs security find-generic-password with stdio: ignore so we never reveal the secret.
- src/utils/auth-config.ts — lazy path resolution via homedir() per call so tests can swap $HOME without module-cache busting.
- src/utils/auth-prompt.ts — readline-based prompt, split out so auth-config stays dependency-free (scanner/auditor subprocesses can import it without pulling in stdio).
- buildAgentEnv() in agent-options.ts is now the single source of the env we pass to every Claude Code subprocess. session-auditor.ts and memory-extractor.ts switched to use it — previously each built its own env object and only the scanner path would have benefited from the auth mode fix.

Test plan

- npm run lint clean
- npm test — 503/503 pass, including new auth-detect and auth-config suites
- npm run build clean
- axme-code auth status on this dev box detects ~/.claude/.credentials.json, auth use subscription writes the yaml correctly, auth status reads it back
- axme-code setup --force on a fresh project in subscription mode with ANTHROPIC_API_KEY still set in env, verify scanners succeed (no "Credit balance" / 401)
- axme-code setup --force in a non-TTY context (piped), verify no prompt + no silently-persisted auth.yaml

🤖 Generated with Claude Code
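The difference between blanking and deleting the variable, which the description above calls out, shown as an added sketch; this is not the project's agent-options.ts. The function bodies, the Env type, blankApiKey, toEnvBlock, childSeesApiKey, the sample values and the error thrown in api_key mode are all assumptions of this example.

```typescript
type AuthMode = "subscription" | "api_key";
type Env = Record<string, string | undefined>;

const API_KEY_VAR = "ANTHROPIC_API_KEY";

// Constructed sample parent environment (not a real key).
const SAMPLE_PARENT_ENV: Env = {
  PATH: "/usr/bin",
  ANTHROPIC_API_KEY: "sk-constructed-0000",
};

// Naive fix: blank the value. The name is still exported to the child
// as "ANTHROPIC_API_KEY=", so a child that tests for presence sees it as set.
function blankApiKey(parentEnv: Env): Env {
  return { ...parentEnv, [API_KEY_VAR]: "" };
}

// Build the child env from a copy, so the parent's own env is never mutated.
function buildAgentEnv(mode: AuthMode, parentEnv: Env): Env {
  const env: Env = { ...parentEnv };
  if (mode === "subscription") {
    delete env[API_KEY_VAR]; // remove the name, not just the value
  } else if (!env[API_KEY_VAR]) {
    // Assumption of this example: fail closed instead of spawning a child
    // that would silently fall back to some other credential.
    throw new Error(`${API_KEY_VAR} is required in api_key mode`);
  }
  return env;
}

// Model of the NAME=value block a spawned process receives:
// undefined entries are dropped, empty strings are kept.
function toEnvBlock(env: Env): string[] {
  return Object.entries(env)
    .filter(([, value]) => value !== undefined)
    .map(([name, value]) => `${name}=${value}`);
}

// True when the child would find the variable present, even if empty.
function childSeesApiKey(env: Env): boolean {
  return toEnvBlock(env).some((line) => line.startsWith(`${API_KEY_VAR}=`));
}
```

A regression test for the single env-building helper can assert on the absence of the name in the child's env block rather than on the value being falsy, which is the check that distinguishes the two approaches.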