📝 feat: update TypeScript configuration and add API support

- Changed root directory in tsconfig.json to include all source files. - Updated server.json to include npm package configuration for claude-code-explorer-mcp. - Enhanced x402 command to support non-interactive mode. - Refactored x402 command call function to simplify argument handling. - Introduced .mcp.json for MCP server configuration. - Added bunfig.toml for Bun development mode configuration. - Created bridge.md documentation for IDE integration and architecture overview. - Added .npmignore to exclude unnecessary files from npm package. - Implemented build-bundle script for production and development builds. - Developed bun-plugin-shims for Bun preload plugin. - Created ci-build.sh for CI/CD build pipeline. - Added dev.ts for development launcher using Bun's TS runtime. - Implemented package-npm.ts to generate a publishable npm package. - Created test-auth.ts to verify API key configuration. - Developed test-mcp.ts for MCP client/server roundtrip testing. - Implemented test-services.ts to ensure all services initialize correctly. - Added stub.ts for bridge functionality when BRIDGE_MODE is disabled.
2026-03-31 10:59:36 +00:00
parent c0b205208d
commit d35ea47ba7
22 changed files with 1377 additions and 29 deletions
--- a/.env.example
+++ b/.env.example
@@ -3,15 +3,61 @@
 # =============================================================================
 # Copy this file to .env and fill in the values you need.
 # All variables are optional unless noted otherwise.
+#
+# ─── HOW AUTHENTICATION WORKS ───────────────────────────────────────────────
+#
+# The CLI supports multiple authentication backends, resolved in this order:
+#
+# 1. PROVIDER SELECTION (src/utils/model/providers.ts — getAPIProvider()):
+#    Checks CLAUDE_CODE_USE_BEDROCK, CLAUDE_CODE_USE_VERTEX, or
+#    CLAUDE_CODE_USE_FOUNDRY. If set, routes to that 3rd-party provider.
+#    Otherwise uses Direct Anthropic API.
+#
+# 2. OAUTH vs API KEY DECISION (src/utils/auth.ts — isAnthropicAuthEnabled()):
+#    OAuth is DISABLED (API-key-only mode) when any of these are true:
+#      - --bare flag is used (sets CLAUDE_CODE_SIMPLE=1)
+#      - CLAUDE_CODE_USE_BEDROCK / VERTEX / FOUNDRY is set
+#      - ANTHROPIC_API_KEY env var is set (and not in managed OAuth context)
+#      - ANTHROPIC_AUTH_TOKEN env var is set
+#      - An apiKeyHelper is configured in settings
+#    If none of the above, OAuth is attempted via ~/.claude/.credentials.json.
+#
+# 3. API KEY RESOLUTION (src/utils/auth.ts — getAnthropicApiKey()):
+#    Priority order when OAuth is not active:
+#      a. CLAUDE_CODE_API_KEY_FILE_DESCRIPTOR (pipe-passed key)
+#      b. apiKeyHelper (configured external command in settings)
+#      c. ANTHROPIC_API_KEY env var
+#      d. System keychain
+#      e. ~/.claude/.credentials config
+#
+# 4. CLIENT CONSTRUCTION (src/services/api/client.ts — getAnthropicClient()):
+#    Creates the appropriate SDK client (Anthropic, Bedrock, Vertex, or
+#    Foundry) using the resolved auth credentials plus any custom headers
+#    from ANTHROPIC_CUSTOM_HEADERS.
+#
+# FOR DEVELOPMENT: The simplest path is to set ANTHROPIC_API_KEY below.
+# The auth system will detect the external key and skip OAuth entirely.
 # =============================================================================

 # ── Authentication ───────────────────────────────────────────────────────────
 # Your Anthropic API key (required for direct API access)
 ANTHROPIC_API_KEY=

+# Bearer auth token (alternative to API key — used by bridge/remote)
+# ANTHROPIC_AUTH_TOKEN=
+
 # Custom API base URL (default: https://api.anthropic.com)
 # ANTHROPIC_BASE_URL=

+# Custom headers sent with every API request (multiline, "Name: Value" per line)
+# ANTHROPIC_CUSTOM_HEADERS=
+
+# Add additional protection header to API requests
+# CLAUDE_CODE_ADDITIONAL_PROTECTION=true
+
+# Pipe-pass API key via file descriptor (advanced — for managed environments)
+# CLAUDE_CODE_API_KEY_FILE_DESCRIPTOR=
+
 # ── Model Selection ──────────────────────────────────────────────────────────
 # Override the default model
 # ANTHROPIC_MODEL=
@@ -38,16 +84,67 @@ ANTHROPIC_API_KEY=
 # Model for sub-agents / teammates
 # CLAUDE_CODE_SUBAGENT_MODEL=

-# ── Alternative Providers ────────────────────────────────────────────────────
-# Use AWS Bedrock instead of direct Anthropic API
+# ── AWS Bedrock ──────────────────────────────────────────────────────────────
+# Enable Bedrock backend (uses AWS SDK default credentials: IAM, profile, env)
 # CLAUDE_CODE_USE_BEDROCK=true
+
+# Custom Bedrock endpoint URL
 # ANTHROPIC_BEDROCK_BASE_URL=
+
+# AWS region for Bedrock (default: us-east-1)
+# AWS_REGION=us-east-1
+# AWS_DEFAULT_REGION=us-east-1
+
+# Override AWS region specifically for the small fast model (Haiku)
+# ANTHROPIC_SMALL_FAST_MODEL_AWS_REGION=
+
+# Bearer token auth for Bedrock (alternative to IAM)
 # AWS_BEARER_TOKEN_BEDROCK=
+
+# Skip Bedrock auth (for testing without real AWS credentials)
 # CLAUDE_CODE_SKIP_BEDROCK_AUTH=false

-# Use Google Vertex AI
+# ── Google Vertex AI ─────────────────────────────────────────────────────────
+# Enable Vertex AI backend
 # CLAUDE_CODE_USE_VERTEX=true

+# Required: Your GCP project ID
+# ANTHROPIC_VERTEX_PROJECT_ID=
+
+# Default GCP region for all models
+# CLOUD_ML_REGION=us-east5
+
+# Model-specific region overrides (highest priority)
+# VERTEX_REGION_CLAUDE_3_5_HAIKU=
+# VERTEX_REGION_CLAUDE_HAIKU_4_5=
+# VERTEX_REGION_CLAUDE_3_5_SONNET=
+# VERTEX_REGION_CLAUDE_3_7_SONNET=
+
+# Custom Vertex base URL
+# ANTHROPIC_VERTEX_BASE_URL=
+
+# GCP service account credentials JSON file
+# GOOGLE_APPLICATION_CREDENTIALS=
+
+# Skip Vertex auth (for testing without real GCP credentials)
+# CLAUDE_CODE_SKIP_VERTEX_AUTH=false
+
+# ── Azure Foundry ────────────────────────────────────────────────────────────
+# Enable Azure Foundry backend
+# CLAUDE_CODE_USE_FOUNDRY=true
+
+# Azure resource name (creates URL: https://{resource}.services.ai.azure.com/...)
+# ANTHROPIC_FOUNDRY_RESOURCE=
+
+# Alternative: provide full base URL directly instead of resource name
+# ANTHROPIC_FOUNDRY_BASE_URL=
+
+# Foundry API key (if not set, uses Azure AD / DefaultAzureCredential)
+# ANTHROPIC_FOUNDRY_API_KEY=
+
+# Skip Foundry auth (for testing without real Azure credentials)
+# CLAUDE_CODE_SKIP_FOUNDRY_AUTH=false
+
 # ── Shell & Environment ─────────────────────────────────────────────────────
 # Override shell used for BashTool (default: auto-detected)
 # CLAUDE_CODE_SHELL=/bin/bash
@@ -75,7 +172,7 @@ ANTHROPIC_API_KEY=
 # NODE_OPTIONS=--max-old-space-size=8192

 # ── Features & Modes ────────────────────────────────────────────────────────
-# Enable simplified/worker mode
+# Enable simplified/worker mode (also set by --bare flag)
 # CLAUDE_CODE_SIMPLE=true

 # Enable coordinator (multi-agent) mode
@@ -119,10 +216,24 @@ ANTHROPIC_API_KEY=
 # Environment kind (e.g. bridge)
 # CLAUDE_CODE_ENVIRONMENT_KIND=

-# OAuth tokens for bridge
+# OAuth token injected by bridge/CCR
+# CLAUDE_CODE_OAUTH_TOKEN=
+
+# OAuth refresh token for bridge
 # CLAUDE_CODE_OAUTH_REFRESH_TOKEN=
+
+# OAuth scopes
 # CLAUDE_CODE_OAUTH_SCOPES=

+# Session access token for remote
+# CLAUDE_CODE_SESSION_ACCESS_TOKEN=
+
+# Unix socket for SSH remote auth
+# ANTHROPIC_UNIX_SOCKET=
+
+# Entrypoint identifier (cli, mcp, remote, sdk-*, etc.)
+# CLAUDE_CODE_ENTRYPOINT=cli
+
 # ── Debugging ────────────────────────────────────────────────────────────────
 # Debug log level (error, warn, info, debug, trace)
 # CLAUDE_CODE_DEBUG_LOG_LEVEL=info
@@ -150,7 +261,37 @@ ANTHROPIC_API_KEY=
 # Custom SSL certificate
 # SSL_CERT_FILE=

-# Unix socket for Anthropic API
-# ANTHROPIC_UNIX_SOCKET=
+# =============================================================================
+# ─── OAUTH STUB NOTES (Part D) ─────────────────────────────────────────────
+# =============================================================================
+#
+# The OAuth flow (src/services/oauth/) requires a browser and Anthropic's
+# OAuth endpoints. For development, you do NOT need to stub anything —
+# just set ANTHROPIC_API_KEY and the auth system will skip OAuth automatically.
+#
+# How it works:
+#   src/utils/auth.ts — isAnthropicAuthEnabled() checks whether OAuth should
+#   be attempted. When it detects ANTHROPIC_API_KEY in the environment (and
+#   the context is not a "managed OAuth" context like Claude Desktop), it
+#   returns false, which causes the entire OAuth path to be bypassed.
+#
+# Decision chain:
+#   1. isAnthropicAuthEnabled() in src/utils/auth.ts (line ~111)
+#      → returns false if external API key is detected
+#   2. isClaudeAISubscriber() in src/utils/auth.ts (line ~1715)
+#      → checks OAuth tokens for user:inference scope (never reached if #1 is false)
+#   3. getAnthropicApiKey() in src/utils/auth.ts (line ~201)
+#      → resolves API key from env/keychain/config
+#
+# If you needed to FORCE bypass OAuth in all cases (e.g. for testing the
+# OAuth code paths themselves), you could:
+#   - Use --bare flag (sets CLAUDE_CODE_SIMPLE=1, disables OAuth in isBareMode())
+#   - Set CLAUDE_CODE_USE_BEDROCK=true + CLAUDE_CODE_SKIP_BEDROCK_AUTH=true
+#     (routes around OAuth entirely but creates a Bedrock-shaped client)
+#   - Directly modify isAnthropicAuthEnabled() to return false (not recommended
+#     for production)
+#
+# Bottom line: export ANTHROPIC_API_KEY="sk-ant-..." is sufficient for dev.
+# =============================================================================