versun/claude-code
1
0
Fork 0
mirror of https://github.com/claude-code-best/claude-code.git synced 2026-06-23 16:55:51 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8cd0e90ca6e0991f8acabd9bf23a7f23dd8bef82
claude-code/docs/jira/P2-AUTH-DIFF-2026-04-30.md
unraid 8945f08708 feat: integrate fork work onto upstream main (squashed) 
Squash-merge of feat/autofix-pr-test (69 commits) onto upstream/main
with -X ours strategy (upstream as authoritative for content conflicts).

Key features brought in from fork:
- LocalMemoryRecall + VaultHttpFetch tools (end-to-end wired)
- /local-memory, /local-vault, /memory-stores, /skill-store interactive panels
- /agents-platform, /schedule, /vault command scaffolding
- /login: switch / replace / remove of workspace API key
- statusline refactor (built-in status row, /statusline as info command)
- autofix-pr command + workflow

Conflict resolutions (upstream-wins):
- 10 .js command stubs kept from upstream (alongside fork's .ts implementations)
- src/components/BuiltinStatusLine.tsx accepted upstream's deletion
  (fork's wire-up references in StatusLine.tsx will be cleaned up next)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-09 14:58:26 +08:00

86 lines
4.7 KiB
Markdown
Raw Blame History

# P2 Auth Diff Investigation — Why /v1/code/triggers works but agents/vaults/memory_stores 401
**Date**: 2026-04-30
**Source**: Reverse-engineering `C:\Users\12180\.local\bin\claude.exe` v2.1.123 (253MB Bun-compiled binary)
**Investigator**: claude-code-bast-autofix-pr fork
## Endpoint reality matrix in official binary
| Endpoint | Has actual code? | URL builder | Method | beta header | Extra X- headers | Auth scheme |
|---|---|---|---|---|---|---|
| `/v1/code/triggers` | **YES** | `${BASE_API_URL}/v1/code/triggers` (template literal) | GET/POST | `ccr-triggers-2026-01-30` (`OS9`) | `x-organization-uuid` | `Authorization: Bearer <subscription token>` |
| `/v1/agents` | **NO** | only in `managed-agents-onboarding.md` documentation strings | — | — | — | — |
| `/v1/vaults` | **NO** | only in API reference markdown tables | — | — | — | — |
| `/v1/memory_stores` | **NO** | only in API reference markdown tables | — | — | — | — |
| `/v1/skills` | yes (different path) | `this._client.post("/v1/skills?beta=true", …)` via Anthropic SDK | GET/POST | `skills-2025-10-02` | none beyond SDK defaults | SDK auth (workspace API key) — **NOT subscription** |
## Decisive evidence
### 1. Only triggers + skills + sessions + ultrareview/preflight + mcp_servers + environment_providers are actually called
```text
$ grep "BASE_API_URL.{0,3}/v1/" claude.exe | sort -u
BASE_API_URL}/v1/code/github/import-token
BASE_API_URL}/v1/code/sessions
BASE_API_URL}/v1/code/triggers
BASE_API_URL}/v1/environment_providers
BASE_API_URL}/v1/environment_providers/cloud/create
BASE_API_URL}/v1/mcp_servers
BASE_API_URL}/v1/session_ingress/session/
BASE_API_URL}/v1/sessions
BASE_API_URL}/v1/ultrareview/preflight
```
`agents`, `vaults`, `memory_stores` are **completely absent** from any call site. They only appear as text in documentation pages (`managed-agents-api-reference`, `managed-agents-overview`).
### 2. Triggers actual request build (decompiled)
```js
let _ = `${f$().BASE_API_URL}/v1/code/triggers`,
A = {
Authorization: `Bearer ${$}`,
"Content-Type": "application/json",
"anthropic-version": "2023-06-01",
"anthropic-beta": OS9, // = "ccr-triggers-2026-01-30"
"x-organization-uuid": K
};
```
Beta is `ccr-triggers-2026-01-30`, **not** `managed-agents-2026-04-01`.
### 3. Skills uses Anthropic SDK client (different auth surface)
```js
this._client.post("/v1/skills?beta=true", qNH({, headers:[{"anthropic-beta":[...$??[], "skills-2025-10-02"]}]
```
Mandatory `?beta=true` query. Auth comes from SDK `_client` (workspace API key path), not subscription OAuth bearer.
### 4. Beta inventory (full sweep)
35 dated beta tokens exist; relevant ones: `ccr-triggers-2026-01-30`, `skills-2025-10-02`, `managed-agents-2026-04-01` (only used in docs prose), `oidc-federation-2026-04-01`, `environments-2025-11-01`. **No** `vaults-*`, `memory-stores-*`, or `agents-2026-*` beta token exists.
## Root cause of fork 401s
`/v1/agents`, `/v1/vaults`, `/v1/memory_stores` are **not consumer endpoints** of the subscription bearer-token path. Anthropic's official CLI never calls them; they live behind the workspace/team API plane (workspace API key + different auth & scope). 401 with subscription bearer is the **expected** server response — no header tweak makes it 200.
`/v1/skills` is callable but only via the SDK `_client` (workspace API key), and requires `?beta=true` query — fork's subscription-bearer + missing `?beta=true` is double-broken.
## Fix recommendations
| Fork API client | Action |
|---|---|
| `triggersApi.ts` | Already correct. Switch beta from `managed-agents-2026-04-01``ccr-triggers-2026-01-30`. |
| `agentsApi.ts` | **Drop** the command. `/v1/agents` is workspace-API-key-only; subscription bearer is wrong auth plane. Mark `/agents-platform` as workspace-only or remove. |
| `vaultsApi.ts` | **Drop**. Same reason. Recommend local file-based credential store instead. |
| `memoryStoresApi.ts` | **Drop**. Same reason. Local memory files (`~/.claude/memory/`) already cover the use case. |
| `skillsApi.ts` | Keep, but: (1) require `ANTHROPIC_API_KEY` (workspace key), not subscription bearer; (2) append `?beta=true` to every URL; (3) use `anthropic-beta: skills-2025-10-02`. |
## Conclusion
This is **not a header-config bug** in fork's `buildHeaders`. Three of the four endpoints (`agents`, `vaults`, `memory_stores`) are not reachable at all from a subscription OAuth token — Anthropic's official binary never calls them. The fork should:
1. Fix triggers beta header value (`ccr-triggers-2026-01-30`).
2. Disable or repurpose agents/vaults/memory_stores commands — they require workspace API keys, not subscription tokens.
3. For skills, switch to workspace API key auth + `?beta=true` query + `skills-2025-10-02` beta.
Reference in New Issue View Git Blame Copy Permalink