RubyGems - agent-harness - Versions diffs - 0.24.0 → 0.26.0 - Mend

agent-harness 0.24.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

checksums.yaml +4 -4
data/.release-please-manifest.json +1 -1
data/CHANGELOG.md +15 -0
data/lib/agent_harness/authentication.rb +310 -1
data/lib/agent_harness/version.rb +1 -1
data/lib/agent_harness.rb +17 -0
metadata +1 -1

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 898eb630251f7c5f1f328b7e76d8d8e8ef587318b3fe013373329a719b2c9fec
-  data.tar.gz: c3e0c222e24f86e905765beb55439576dcc54c2e25b02b822f1fa350305cf8a3
+  metadata.gz: d5561c80c0a4ccab10925503a30bb20be2c24c929caa58b9d69a4aac2eb27aac
+  data.tar.gz: aae45d0a30105fed84eb442bdbeaaea0c0bc2fc995997bec49bccbed61db4249
 SHA512:
-  metadata.gz: ea46cfbe98a5d31c23e5a8a0feffc05ec2d478ea841c066553b1c05d6487d59a94cb3716a4bff29225e76a83b367b58917b77ee0e29db573cf9e89b8a8532ef3
-  data.tar.gz: 4cf59eaaeec3e2d4d0478e7ecf39ee849a0a66dda12c47449e99d89da852483c595cef6d99a163c947e58a8fdf19e396340b281a49e868d93e2a84d76613e776
+  metadata.gz: 00eb3ec6f37bbdda7bd430abf55eb09f4f6f79f86b565256c7b287cc2f0b9ef840f108b00a33ba84d457d689784772bb4d307191e08e0aae5941247739ceb651
+  data.tar.gz: 51efc497bd800e2d2ef31886ddeb65c502242dee45cfb40947d35f904f76e9ad215bf57520a779bd42a69e1b04759242c37c6b30a6b98b5a75707c759cd66e2a

data/.release-please-manifest.json CHANGED Viewed

@@ -1,3 +1,3 @@
 {
-  ".": "0.24.0"
+  ".": "0.26.0"
 }

data/CHANGELOG.md CHANGED Viewed

@@ -3,8 +3,23 @@
 ### Features
 * add runner model compatibility contract (`AgentHarness.model_compatibility`) with structured `ModelCompatibility::Result` outcomes. Codex exposes static facts for CLI-gated models (e.g. `gpt-5.5` requires Codex CLI `>= 0.116.0`), a baseline supported-model list, supported auth modes, and a `DEFAULT_COMPATIBLE_MODEL_ID` fallback so downstream orchestrators can validate tier/model assignments before scheduling agent runs ([#259](https://github.com/viamin/agent-harness/issues/259)).
+* **auth:** add provider-owned PKCE code-exchange API for Claude OAuth (`AgentHarness::Authentication.exchange_code`). Takes an authorization code plus PKCE verifier (and `redirect_uri`/`client_id`), posts an `authorization_code` grant to the Claude token endpoint, and persists the resulting access/refresh tokens in the native `claudeAiOauth` shape. Adds `exchange_code_supported?` and a `code_exchange` key to `auth_capabilities` ([#266](https://github.com/viamin/agent-harness/issues/266)).
+## [0.26.0](https://github.com/viamin/agent-harness/compare/agent-harness/v0.25.0...agent-harness/v0.26.0) (2026-06-26)
+### Features
+* **auth:** add PKCE code-exchange API for Claude OAuth ([#272](https://github.com/viamin/agent-harness/issues/272)) ([22f873b](https://github.com/viamin/agent-harness/commit/22f873bb5fe58c67ab94c2a7b0c57b3bcbfe38b9)), closes [#266](https://github.com/viamin/agent-harness/issues/266)
+## [0.25.0](https://github.com/viamin/agent-harness/compare/agent-harness/v0.24.0...agent-harness/v0.25.0) (2026-06-26)
+### Features
+* **auth:** add refresh-token exchange API for Claude OAuth ([#269](https://github.com/viamin/agent-harness/issues/269)) ([076b1aa](https://github.com/viamin/agent-harness/commit/076b1aa91a3dcb58280d1c550bdc4329ce162a92)), closes [#265](https://github.com/viamin/agent-harness/issues/265)
 ## [0.24.0](https://github.com/viamin/agent-harness/compare/agent-harness/v0.23.0...agent-harness/v0.24.0) (2026-06-26)

data/lib/agent_harness/authentication.rb CHANGED Viewed

@@ -2,8 +2,10 @@
 require "json"
 require "fileutils"
+require "net/http"
 require "tempfile"
 require "time"
+require "uri"
 module AgentHarness
   # Authentication management for CLI agent providers
@@ -49,7 +51,9 @@ module AgentHarness
         {
           auth_type: provider.auth_type,
           auth_url: flow_supported,
-          refresh: flow_supported
+          refresh: flow_supported,
+          exchange: flow_supported,
+          code_exchange: flow_supported
         }
       end
@@ -126,8 +130,117 @@ module AgentHarness
         end
       end
+      # Check whether refresh-token exchange is supported for a provider.
+      #
+      # @param provider_name [Symbol] the provider name
+      # @return [Boolean] true if exchange_refresh_token can be called
+      # @raise [ProviderNotFoundError] if provider is unknown
+      def exchange_refresh_token_supported?(provider_name)
+        auth_capabilities(provider_name)[:exchange]
+      end
+      # Exchange a stored refresh token for a fresh access token (and rotated refresh token).
+      #
+      # Reads the refresh token from the provider's credentials store, posts it to the
+      # OAuth token endpoint, persists the rotated tokens, and returns the credential
+      # in native claudeAiOauth shape.
+      #
+      # Serializes through a file lock so that concurrent callers do not race on a
+      # single-use/rotating refresh token.  If the token server reports that the
+      # refresh token has already been consumed (`refresh_token_reused`), raises
+      # +AuthenticationError+ so the caller can trigger a full re-auth.
+      #
+      # @param provider_name [Symbol] the provider name
+      # @return [Hash] credential in claudeAiOauth shape:
+      #   +{ claudeAiOauth: { accessToken:, refreshToken:, expiresAt: } }+
+      # @raise [UnsupportedAuthFlowError] if provider doesn't support token exchange
+      # @raise [AuthenticationError] if the refresh token is missing, reused, or exchange fails
+      def exchange_refresh_token(provider_name)
+        provider_name = provider_name.to_sym
+        provider = resolve_provider(provider_name)
+        unless provider.auth_type == :oauth
+          raise UnsupportedAuthFlowError,
+            "Provider #{provider_name} uses #{provider.auth_type} auth and does not support token exchange"
+        end
+        case provider_name
+        when :claude, :anthropic
+          exchange_claude_refresh_token
+        else
+          raise UnsupportedAuthFlowError,
+            "Token exchange is not yet implemented for provider #{provider_name}"
+        end
+      end
+      # Check whether PKCE authorization-code exchange is supported for a provider.
+      #
+      # @param provider_name [Symbol] the provider name
+      # @return [Boolean] true if exchange_code can be called
+      # @raise [ProviderNotFoundError] if provider is unknown
+      def exchange_code_supported?(provider_name)
+        auth_capabilities(provider_name)[:code_exchange]
+      end
+      # Exchange a PKCE authorization code for tokens and persist them in native shape.
+      #
+      # Posts the authorization code and PKCE verifier to the provider's OAuth
+      # token endpoint, then writes the resulting access/refresh tokens to the
+      # credentials store using the provider's native shape (e.g. +claudeAiOauth+
+      # for Claude).
+      #
+      # Serializes through a file lock so that concurrent callers do not race on
+      # credential writes.
+      #
+      # @param provider_name [Symbol] the provider name
+      # @param code [String] authorization code returned from the OAuth redirect (required)
+      # @param code_verifier [String] PKCE code verifier matching the code_challenge sent on the auth URL (required)
+      # @param redirect_uri [String] redirect URI registered with the authorization request (required)
+      # @param client_id [String] OAuth client identifier (required)
+      # @param state [String, nil] optional state parameter echoed from the authorization request
+      # @return [Hash] credential in claudeAiOauth shape for Claude:
+      #   +{ claudeAiOauth: { accessToken:, refreshToken:, expiresAt: } }+
+      # @raise [UnsupportedAuthFlowError] if provider doesn't support PKCE code exchange
+      # @raise [ArgumentError] if any required parameter is blank
+      # @raise [AuthenticationError] if the exchange fails
+      def exchange_code(provider_name, code:, code_verifier:, redirect_uri:, client_id:, state: nil)
+        provider_name = provider_name.to_sym
+        provider = resolve_provider(provider_name)
+        unless provider.auth_type == :oauth
+          raise UnsupportedAuthFlowError,
+            "Provider #{provider_name} uses #{provider.auth_type} auth and does not support code exchange"
+        end
+        validate_code_exchange_params!(code: code, code_verifier: code_verifier,
+          redirect_uri: redirect_uri, client_id: client_id)
+        case provider_name
+        when :claude, :anthropic
+          exchange_claude_code(
+            code: code.strip,
+            code_verifier: code_verifier.strip,
+            redirect_uri: redirect_uri.strip,
+            client_id: client_id.strip,
+            state: state
+          )
+        else
+          raise UnsupportedAuthFlowError,
+            "Code exchange is not yet implemented for provider #{provider_name}"
+        end
+      end
       private
+      def validate_code_exchange_params!(code:, code_verifier:, redirect_uri:, client_id:)
+        {code: code, code_verifier: code_verifier,
+         redirect_uri: redirect_uri, client_id: client_id}.each do |name, value|
+          unless non_blank?(value)
+            raise ArgumentError, "#{name} must be a non-empty string"
+          end
+        end
+      end
       def claude_oauth_flow_provider?(requested_name, canonical_name)
         [:claude, :anthropic].include?(requested_name) || canonical_name == :claude
       end
@@ -251,6 +364,202 @@ module AgentHarness
         {success: true}
       end
+      # Token endpoint used for Claude OAuth refresh-token exchange.
+      CLAUDE_TOKEN_ENDPOINT = URI("https://claude.ai/oauth/token").freeze
+      def exchange_claude_refresh_token
+        credentials_path = claude_credentials_path
+        lock_path = "#{credentials_path}.lock"
+        dir = File.dirname(credentials_path)
+        FileUtils.mkdir_p(dir, mode: 0o700)
+        File.open(lock_path, File::RDWR | File::CREAT, 0o600) do |lock|
+          lock.flock(File::LOCK_EX)
+          credentials = read_claude_credentials
+          refresh_token = credentials&.dig("claudeAiOauth", "refreshToken")
+          refresh_token = nil if refresh_token.is_a?(String) && refresh_token.strip.empty?
+          unless refresh_token
+            raise AuthenticationError.new(
+              "No refresh token found in Claude credentials",
+              provider: :claude
+            )
+          end
+          response_body = post_token_exchange(refresh_token)
+          access_token = response_body["access_token"]
+          new_refresh_token = response_body["refresh_token"]
+          expires_in = response_body["expires_in"]
+          expires_at = expires_in ? (Time.now + expires_in).iso8601 : nil
+          oauth_block = {
+            "accessToken" => access_token,
+            "refreshToken" => new_refresh_token,
+            "expiresAt" => expires_at
+          }
+          credentials["claudeAiOauth"] = oauth_block
+          credentials["oauth_token"] = access_token
+          credentials.delete("expiresAt")
+          credentials.delete("expires_at")
+          credentials["expiresAt"] = expires_at
+          tmpfile = Tempfile.new(".credentials", dir)
+          begin
+            tmpfile.write(JSON.pretty_generate(credentials))
+            tmpfile.close
+            File.chmod(0o600, tmpfile.path)
+            File.rename(tmpfile.path, credentials_path)
+          rescue
+            tmpfile.close!
+            raise
+          end
+          {claudeAiOauth: oauth_block.transform_keys(&:to_sym)}
+        end
+      end
+      def exchange_claude_code(code:, code_verifier:, redirect_uri:, client_id:, state:)
+        credentials_path = claude_credentials_path
+        lock_path = "#{credentials_path}.lock"
+        dir = File.dirname(credentials_path)
+        FileUtils.mkdir_p(dir, mode: 0o700)
+        File.open(lock_path, File::RDWR | File::CREAT, 0o600) do |lock|
+          lock.flock(File::LOCK_EX)
+          response_body = post_code_exchange(
+            code: code,
+            code_verifier: code_verifier,
+            redirect_uri: redirect_uri,
+            client_id: client_id,
+            state: state
+          )
+          access_token = response_body["access_token"]
+          new_refresh_token = response_body["refresh_token"]
+          expires_in = response_body["expires_in"]
+          unless non_blank?(access_token)
+            raise AuthenticationError.new(
+              "Code exchange response did not include an access_token",
+              provider: :claude
+            )
+          end
+          expires_at = expires_in ? (Time.now + expires_in).iso8601 : nil
+          oauth_block = {
+            "accessToken" => access_token,
+            "refreshToken" => new_refresh_token,
+            "expiresAt" => expires_at
+          }
+          credentials = read_claude_credentials
+          credentials = {} unless credentials.is_a?(Hash)
+          credentials["claudeAiOauth"] = oauth_block
+          credentials["oauth_token"] = access_token
+          credentials.delete("expires_at")
+          credentials["expiresAt"] = expires_at
+          tmpfile = Tempfile.new(".credentials", dir)
+          begin
+            tmpfile.write(JSON.pretty_generate(credentials))
+            tmpfile.close
+            File.chmod(0o600, tmpfile.path)
+            File.rename(tmpfile.path, credentials_path)
+          rescue
+            tmpfile.close!
+            raise
+          end
+          {claudeAiOauth: oauth_block.transform_keys(&:to_sym)}
+        end
+      end
+      def post_code_exchange(code:, code_verifier:, redirect_uri:, client_id:, state:)
+        payload = {
+          grant_type: "authorization_code",
+          code: code,
+          code_verifier: code_verifier,
+          redirect_uri: redirect_uri,
+          client_id: client_id
+        }
+        payload[:state] = state if non_blank?(state)
+        http = Net::HTTP.new(CLAUDE_TOKEN_ENDPOINT.host, CLAUDE_TOKEN_ENDPOINT.port)
+        http.use_ssl = true
+        http.open_timeout = 10
+        http.read_timeout = 10
+        request = Net::HTTP::Post.new(CLAUDE_TOKEN_ENDPOINT.path)
+        request["Content-Type"] = "application/json"
+        request.body = JSON.generate(payload)
+        response = http.request(request)
+        body = begin
+          JSON.parse(response.body)
+        rescue JSON::ParserError
+          {}
+        end
+        unless response.is_a?(Net::HTTPSuccess)
+          error_description = body["error_description"] || body["error"] || body["message"] || response.body
+          raise AuthenticationError.new(
+            "Code exchange failed (HTTP #{response.code}): #{error_description}",
+            provider: :claude
+          )
+        end
+        body
+      end
+      def post_token_exchange(refresh_token)
+        http = Net::HTTP.new(CLAUDE_TOKEN_ENDPOINT.host, CLAUDE_TOKEN_ENDPOINT.port)
+        http.use_ssl = true
+        http.open_timeout = 10
+        http.read_timeout = 10
+        request = Net::HTTP::Post.new(CLAUDE_TOKEN_ENDPOINT.path)
+        request["Content-Type"] = "application/json"
+        request.body = JSON.generate({
+          grant_type: "refresh_token",
+          refresh_token: refresh_token
+        })
+        response = http.request(request)
+        body = begin
+          JSON.parse(response.body)
+        rescue JSON::ParserError
+          {}
+        end
+        unless response.is_a?(Net::HTTPSuccess)
+          error_code = body["error"] || body["code"]
+          if error_code.to_s.match?(/refresh_token_reused/i)
+            raise AuthenticationError.new(
+              "Refresh token has already been used (refresh_token_reused). Re-authentication required.",
+              provider: :claude
+            )
+          end
+          error_description = body["error_description"] || body["message"] || response.body
+          raise AuthenticationError.new(
+            "Token exchange failed (HTTP #{response.code}): #{error_description}",
+            provider: :claude
+          )
+        end
+        body
+      end
       # Extract a usable token and expiry from Claude credentials,
       # supporting both the native claudeAiOauth shape and the legacy
       # top-level oauth_token/apiKey shape.

data/lib/agent_harness/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module AgentHarness
-  VERSION = "0.24.0"
+  VERSION = "0.26.0"
 end

data/lib/agent_harness.rb CHANGED Viewed

@@ -339,6 +339,23 @@ module AgentHarness
       Authentication.refresh_auth(provider_name, token: token)
     end
+    # Check whether refresh-token exchange is supported for a provider
+    # @param provider_name [Symbol] the provider name
+    # @return [Boolean] true if exchange_refresh_token can be called
+    # @raise [ProviderNotFoundError] if provider is unknown
+    def exchange_refresh_token_supported?(provider_name)
+      Authentication.exchange_refresh_token_supported?(provider_name)
+    end
+    # Exchange a stored refresh token for a fresh access token
+    # @param provider_name [Symbol] the provider name
+    # @return [Hash] credential in claudeAiOauth shape
+    # @raise [UnsupportedAuthFlowError] if provider doesn't support token exchange
+    # @raise [AuthenticationError] if the refresh token is missing, reused, or exchange fails
+    def exchange_refresh_token(provider_name)
+      Authentication.exchange_refresh_token(provider_name)
+    end
     # Check health of all configured providers.
     #
     # Validates each enabled provider through registration, CLI availability,

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: agent-harness
 version: !ruby/object:Gem::Version
-  version: 0.24.0
+  version: 0.26.0
 platform: ruby
 authors:
 - Bart Agapinan