fix(v2.9.7): active Claude-CLI auth probe + 401 on cli auth failure#18
Merged
Conversation
Periodic background coroutine probes claude-agent-sdk via existing verify_cli() (1-turn Hello query) when CLAUDE_AUTH_METHOD=claude_cli. Default interval 600s, configurable via CLI_AUTH_PROBE_INTERVAL_SECONDS, 0 to disable. /v1/auth/status exposes new cli_health block (ok, last_probed_at, last_ok_at, error_kind, error_message). POST /v1/chat/completions and POST /v1/messages now return HTTP 401 with error.type=authentication_error and code=claude_cli_not_authenticated when the most recent probe failed, instead of letting the request reach the SDK and surface as 502 or fall through to the 503 config check. OpenAI / Anthropic client libraries route 401 as AuthenticationError. Defense-in-depth: _build_sdk_error_response now scans stderr_tail + error_message for known CLI-auth markers (not logged in, please run /login, invalid api key, authentication_error, 401). On a match it returns 401 instead of 502 and seeds cli_health failed so the next request fails fast. Auth-failure responses bypass the global http_exception_handler (which rewrites bodies to error.type=api_error) by returning JSONResponse directly, so the authentication_error literal reaches clients. Tests: 673 passing, 31 skipped (+9 from v2.9.6 baseline of 664/31). - TestProbeCliAuth: 3 async tests for probe classification - TestChatCompletionsCliHealthGate + TestAnthropicMessagesCliHealthGate: in-process TestClient assertions on the 401 surface - TestCliAuthFailureToFourOhOne: 4 stderr-mapping tests including a 502 regression guard and a cli_health-seeding test
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
CLAUDE_AUTH_METHOD=claude_cli, the lifespan now runs a periodic background coroutine that calls the existingclaude_cli.verify_cli()(a 1-turnquery(prompt="Hello", max_turns=1)) and updates a sharedcli_healthstate. Default interval 600s, configurable viaCLI_AUTH_PROBE_INTERVAL_SECONDS, set 0 to disable. Skipped for non-cli auth methods.POST /v1/chat/completionsandPOST /v1/messagesnow return HTTP 401 witherror.type=authentication_erroranderror.code=claude_cli_not_authenticatedwhen the most recent probe failed. OpenAI / Anthropic client libraries route 401 asAuthenticationError, giving callers a durable signal instead of a transient 502/503./v1/auth/statusexposes the newcli_healthblock:ok,last_probed_at,last_ok_at,error_kind(auth_failure|unknown|null),error_message._build_sdk_error_responsescansstderr_tail+error_messagefor known CLI-auth markers (not logged in,please run /login,invalid api key,authentication_error,401). On a match it returns 401 instead of 502 and seedscli_healthfailed so the next request fails fast.http_exception_handler(which would rewrite bodies toerror.type=api_error) by returningJSONResponsedirectly.Version
2.9.7(bumped insrc/__init__.pyandpyproject.toml).Test plan
CLAUDE_CONFIG_DIR=\$(mktemp -d)): both/v1/chat/completionsand/v1/messagesreturn HTTP 401 with the OpenAI-shaped body before any SDK round-trip;/v1/auth/statusshowscli_health.ok=false./v1/auth/statusreturnscli_health.ok=truewith timestamps populated.Docker
Image
ttlequals0/claude-code-openai-wrapper:2.9.7already pushed (sha256:39fc12f1dd5fa15b8752a384f03b839f89684d356bc5de40ab05f477975ca22f);:latestrepointed. Trivy: 14 HIGH/CRITICAL CVEs, all unfixed Debian base packages, identical set to v2.9.6 per prior triage. Portainer webhook fired.Note: future builds should run PR -> CodeQL green -> build/push, not the other way around. The image was published ahead of CodeQL this time; saved as feedback so the next release waits on the scanner.