Squash-merge of feat/autofix-pr-test (69 commits) onto upstream/main with -X ours strategy (upstream as authoritative for content conflicts).

Key features brought in from fork:
- LocalMemoryRecall + VaultHttpFetch tools (end-to-end wired)
- /local-memory, /local-vault, /memory-stores, /skill-store interactive panels
- /agents-platform, /schedule, /vault command scaffolding
- /login: switch / replace / remove of workspace API key
- statusline refactor (built-in status row, /statusline as info command)
- autofix-pr command + workflow

Conflict resolutions (upstream-wins):
- 10 .js command stubs kept from upstream (alongside fork's .ts implementations)
- src/components/BuiltinStatusLine.tsx accepted upstream's deletion (fork's wire-up references in StatusLine.tsx will be cleaned up next)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
P2 Auth Diff Investigation — Why /v1/code/triggers works but agents/vaults/memory_stores 401
Date: 2026-04-30
Source: Reverse-engineering C:\Users\12180\.local\bin\claude.exe v2.1.123 (253MB Bun-compiled binary)
Investigator: claude-code-bast-autofix-pr fork
Endpoint reality matrix in official binary
| Endpoint | Has actual code? | URL builder | Method | beta header | Extra X- headers | Auth scheme |
|---|---|---|---|---|---|---|
| `/v1/code/triggers` | YES | `${BASE_API_URL}/v1/code/triggers` (template literal) | GET/POST | `ccr-triggers-2026-01-30` (`OS9`) | `x-organization-uuid` | `Authorization: Bearer <subscription token>` |
| `/v1/agents` | NO | only in `managed-agents-onboarding.md` documentation strings | — | — | — | — |
| `/v1/vaults` | NO | only in API reference markdown tables | — | — | — | — |
| `/v1/memory_stores` | NO | only in API reference markdown tables | — | — | — | — |
| `/v1/skills` | yes (different path) | `this._client.post("/v1/skills?beta=true", …)` via Anthropic SDK | GET/POST | `skills-2025-10-02` | none beyond SDK defaults | SDK auth (workspace API key) — NOT subscription |
Decisive evidence
1. Only triggers + skills + sessions + ultrareview/preflight + mcp_servers + environment_providers are actually called
```
$ grep "BASE_API_URL.{0,3}/v1/" claude.exe | sort -u
BASE_API_URL}/v1/code/github/import-token
BASE_API_URL}/v1/code/sessions
BASE_API_URL}/v1/code/triggers
BASE_API_URL}/v1/environment_providers
BASE_API_URL}/v1/environment_providers/cloud/create
BASE_API_URL}/v1/mcp_servers
BASE_API_URL}/v1/session_ingress/session/
BASE_API_URL}/v1/sessions
BASE_API_URL}/v1/ultrareview/preflight
```
agents, vaults, memory_stores are completely absent from any call site. They only appear as text in documentation pages (managed-agents-api-reference, managed-agents-overview).
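The call-site versus documentation-string distinction above, as an added TypeScript example (not code from the fork or the official binary): it separates `/v1/...` paths that are built on `BASE_API_URL` or passed to an SDK client verb from paths that are only mentioned. `classifyEndpoints` and `SAMPLE` are hypothetical names, and `SAMPLE` is constructed text of the kind a string dump would contain.

```typescript
// Added example. SAMPLE is constructed input, not extracted from claude.exe.
const SAMPLE = [
  "let _=`${f$().BASE_API_URL}/v1/code/triggers`",
  "fetch(`${f$().BASE_API_URL}/v1/sessions`)",
  'this._client.post("/v1/skills?beta=true",q)',
  "| POST | /v1/agents | Create an agent |",
  "See /v1/vaults and /v1/memory_stores in the API reference.",
  "| GET | /v1/code/triggers | List triggers |",
].join("\n");

function classifyEndpoints(text: string): { called: string[]; docOnly: string[] } {
  // Call site: the path follows the BASE_API_URL template expression,
  // or is the first argument of an SDK client verb.
  const callSite =
    /(?:BASE_API_URL\}|_client\.(?:get|post|put|delete)\(")(\/v1\/[A-Za-z0-9_\/-]*[A-Za-z0-9_])/g;
  // Any mention at all, including markdown tables and prose.
  const anyMention = /\/v1\/[A-Za-z0-9_\/-]*[A-Za-z0-9_]/g;

  const called = new Set<string>();
  const mentioned = new Set<string>();
  let m: RegExpExecArray | null;
  while ((m = callSite.exec(text)) !== null) called.add(m[1]);
  while ((m = anyMention.exec(text)) !== null) mentioned.add(m[0]);

  // A path that is mentioned but never built into a request is doc-only.
  const docOnly = Array.from(mentioned).filter((p) => !called.has(p));
  return { called: Array.from(called).sort(), docOnly: docOnly.sort() };
}
```

A path that appears both in a call site and in a documentation table, like `/v1/code/triggers` in the sample, counts as called.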
2. Triggers actual request build (decompiled)
```js
let _ = `${f$().BASE_API_URL}/v1/code/triggers`,
  A = {
    Authorization: `Bearer ${$}`,
    "Content-Type": "application/json",
    "anthropic-version": "2023-06-01",
    "anthropic-beta": OS9, // = "ccr-triggers-2026-01-30"
    "x-organization-uuid": K
  };
```
Beta is ccr-triggers-2026-01-30, not managed-agents-2026-04-01.
3. Skills uses Anthropic SDK client (different auth surface)
```
this._client.post("/v1/skills?beta=true", qNH({…, headers:[{"anthropic-beta":[...$??[], "skills-2025-10-02"]…}]
```
Mandatory ?beta=true query. Auth comes from SDK _client (workspace API key path), not subscription OAuth bearer.
4. Beta inventory (full sweep)
35 dated beta tokens exist; relevant ones: ccr-triggers-2026-01-30, skills-2025-10-02, managed-agents-2026-04-01 (only used in docs prose), oidc-federation-2026-04-01, environments-2025-11-01. No vaults-*, memory-stores-*, or agents-2026-* beta token exists.
Root cause of fork 401s
/v1/agents, /v1/vaults, /v1/memory_stores are not consumer endpoints of the subscription bearer-token path. Anthropic's official CLI never calls them; they live behind the workspace/team API plane (workspace API key + different auth & scope). 401 with subscription bearer is the expected server response — no header tweak makes it 200.
/v1/skills is callable but only via the SDK _client (workspace API key), and requires ?beta=true query — fork's subscription-bearer + missing ?beta=true is double-broken.
Fix recommendations
| Fork API client | Action |
|---|---|
| `triggersApi.ts` | Already correct. Switch beta from `managed-agents-2026-04-01` → `ccr-triggers-2026-01-30`. |
| `agentsApi.ts` | Drop the command. `/v1/agents` is workspace-API-key-only; subscription bearer is wrong auth plane. Mark `/agents-platform` as workspace-only or remove. |
| `vaultsApi.ts` | Drop. Same reason. Recommend local file-based credential store instead. |
| `memoryStoresApi.ts` | Drop. Same reason. Local memory files (`~/.claude/memory/`) already cover the use case. |
| `skillsApi.ts` | Keep, but: (1) require `ANTHROPIC_API_KEY` (workspace key), not subscription bearer; (2) append `?beta=true` to every URL; (3) use `anthropic-beta: skills-2025-10-02`. |
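The routing rule from the root-cause analysis and the table above, as an added TypeScript example (not code from the fork or the official binary): a request planner that picks the credential by auth plane and fails closed rather than sending the subscription bearer to the wrong plane. `planRequest`, `Creds`, `PLANES` and the base URL are hypothetical; the `x-api-key` header name is an assumption about how the workspace key is sent and does not appear in this report.

```typescript
// Added example. planRequest, Creds and PLANES are hypothetical names.
type Creds = { subscriptionToken?: string; orgUuid?: string; workspaceApiKey?: string };
type Plane = "subscription" | "workspace" | "disabled";

// Auth plane and beta token per resource, per the matrix in this report.
const PLANES: Record<string, { plane: Plane; beta?: string }> = {
  "/v1/code/triggers": { plane: "subscription", beta: "ccr-triggers-2026-01-30" },
  "/v1/skills": { plane: "workspace", beta: "skills-2025-10-02" },
  "/v1/agents": { plane: "disabled" },
  "/v1/vaults": { plane: "disabled" },
  "/v1/memory_stores": { plane: "disabled" },
};

function planRequest(baseUrl: string, path: string, creds: Creds) {
  const hit = Object.entries(PLANES).find(
    ([prefix]) => path === prefix || path.startsWith(prefix + "/"));
  // Unknown path: attach no credential at all.
  if (!hit) throw new Error(`unknown endpoint ${path}`);
  const [prefix, { plane, beta }] = hit;
  if (plane === "disabled")
    throw new Error(`${prefix} is workspace-plane only; command disabled`);

  const headers: Record<string, string> = {
    "Content-Type": "application/json",
    "anthropic-version": "2023-06-01",
  };
  if (beta) headers["anthropic-beta"] = beta;

  if (plane === "subscription") {
    if (!creds.subscriptionToken || !creds.orgUuid)
      throw new Error(`${prefix} needs a subscription token and organization UUID`);
    headers["Authorization"] = `Bearer ${creds.subscriptionToken}`;
    headers["x-organization-uuid"] = creds.orgUuid;
    return { url: baseUrl + path, headers };
  }
  // Workspace plane (skills): never fall back to the subscription bearer.
  if (!creds.workspaceApiKey)
    throw new Error(`${prefix} needs ANTHROPIC_API_KEY (workspace key)`);
  headers["x-api-key"] = creds.workspaceApiKey; // assumed header name, not from the report
  return { url: `${baseUrl}${path}?beta=true`, headers };
}
```

Because the credential is chosen before any request is built, a missing workspace key surfaces as a local error instead of a 401 that carried the subscription token to an endpoint that was never going to accept it.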
Conclusion
This is not a header-config bug in fork's buildHeaders. Three of the four endpoints (agents, vaults, memory_stores) are not reachable at all from a subscription OAuth token — Anthropic's official binary never calls them. The fork should:
- Fix triggers beta header value (`ccr-triggers-2026-01-30`).
- Disable or repurpose agents/vaults/memory_stores commands — they require workspace API keys, not subscription tokens.
- For skills, switch to workspace API key auth + `?beta=true` query + `skills-2025-10-02` beta.