Skip to content

fix(agents-login): capture a full user:profile-scoped Claude credential#739

Merged
ExtraToast merged 2 commits into
mainfrom
fix/agents-login-claudeai-full-scope
Jun 26, 2026
Merged

fix(agents-login): capture a full user:profile-scoped Claude credential#739
ExtraToast merged 2 commits into
mainfrom
fix/agents-login-claudeai-full-scope

Conversation

@ExtraToast

Copy link
Copy Markdown
Owner

Problem

Runner Claude sessions showed "Claude API" instead of the Claude subscription. The worker captured a claude setup-token token, which is inferenceOnly — scoped user:inference only, no user:profile. Claude Code resolves its subscription/header label from the OAuth account profile (oauthAccount), which needs user:profile; without it, it falls back to "Claude API". (Live runner confirmed: /api/oauth/profilepermission_error … any_of(user:profile, user:office).)

Change

Switch Claude capture from setup-token to the interactive "Claude account with subscription" (claudeai) login, which mints the full-scope credential (user:profile + user:inference + refresh) and writes both ~/.claude/.credentials.json and ~/.claude.json (oauthAccount):

  • Launch bare claude; seed onboarding flags in ~/.claude.json (only when absent) and write a managed-settings.json with forceLoginMethod=claudeai via CLAUDE_CODE_MANAGED_SETTINGS_PATH so the subscription method is pre-selected.
  • Bounded Enter-through navigation past the theme/intro screens until the authorize URL appears (reuses the existing authorize-URL parse + code-paste machinery — UI flow unchanged).
  • Capture the verbatim credentials_json + extracted oauthAccount (account_json); post both to agents-api (oauth_token kept optional for back-compat). Completion now keys off the credentials file, not a stdout token.

Validated live that the claudeai authorize URL carries …user:profile user:inference user:sessions:claude_code…. Pairs with the agents-repo change (ExtraToast/agents#121) that injects credentials_json + account_json into runners.

Tests

vitest run: 10 files / 94 tests pass; tsc --noEmit clean.

Note: the real-claude TUI flow still needs one validation pass in the worker container (Enter-through reaching the URL, code completion, resulting .credentials.json carrying user:profile + subscriptionType).

🤖 Generated with Claude Code

ExtraToast and others added 2 commits June 26, 2026 16:21
`claude setup-token` mints an inferenceOnly token (scope user:inference
only, no user:profile), so runner Claude sessions could not resolve the
account profile and showed "Claude API" instead of the subscription.

Switch the Claude capture from `setup-token` to the interactive
"Claude account with subscription" (claudeai) login, which mints the
full-scope credential (user:profile + user:inference + refresh) and
writes ~/.claude/.credentials.json + ~/.claude.json (oauthAccount):

- Launch bare `claude`; seed onboarding flags in ~/.claude.json (only
  when absent) and write a managed-settings.json with
  forceLoginMethod=claudeai via CLAUDE_CODE_MANAGED_SETTINGS_PATH so the
  subscription method is pre-selected.
- Bounded Enter-through navigation past the theme/intro screens until the
  authorize URL appears (reuses the existing URL-parse + code-paste path).
- Capture the verbatim credentials_json + extracted oauthAccount
  (account_json); post both to agents-api (oauth_token kept optional for
  back-compat). Completion now keys off the credentials file, not a
  stdout token.

Validated live that the claudeai authorize URL carries user:profile.
Pairs with the agents-repo change that injects credentials_json +
account_json into runners.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…anch threshold

The full-credential capture added branches in credentials.ts
(extractClaudeOauthToken / findStringField / extractClaudeAccountJson)
that dropped global branch coverage to 79.57% (threshold 80%). Add
focused tests for: token extraction from a nested accessToken field and
from invalid JSON, and account_json presence/absence based on whether
~/.claude.json carries oauthAccount. Branch coverage now 83.37%.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ExtraToast ExtraToast merged commit a80fefa into main Jun 26, 2026
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant