agent-harness 0.3.0 → 0.5.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: cb82dfba3d7a36312cfcb32c86b39f88726b558828643361be96a3b69ca1a3ea
-  data.tar.gz: 19d643749ed639f4932f82ebdb8ef92f984cb7a4fc12c8c3d05a201103464d5a
+  metadata.gz: 22137a8f8e81a58503c1e19a2349c6a8e1c8617cc5e12a38470fdc6477b483de
+  data.tar.gz: 185d6003da7d94edfc5fc48cb55f4916b3ca06601bed95de5cfe3db88d0d49bb
 SHA512:
-  metadata.gz: 575d764e422d9b465233ea8ffd0db147165be8cc6f6e70fd19cb549d13677da5054acf8d2ec0632d20a95f22c02d27a9add9c12f137a62133a88ebce0b00a70b
-  data.tar.gz: 87122eb8b3feef772bbd7b8d8fb6a29bd99a18cadd5e260eb74b00a55c489b01e5b0c9d82d93412e270b339ca7fab5ab559999fcd1a9171a2ab7c79325bd688d
+  metadata.gz: 030b8e627328572ad8d01c5245a6f21b2e3070be6255505eb6e6a3df3a2040083218ee0b28c36dd0584622604fd93319ea6e7675308f2d7212007a4b7369320a
+  data.tar.gz: 23cb19b897faf13438bfdc875c2f151eadcefa13c704cf9f80d443db3e99b7317856d9d744514b082a9f2abd813a26c7dcbf84f243c3e35879f564f979fe180f

data/.release-please-manifest.json

@@ -1,3 +1,3 @@
 {
-  ".": "0.3.0"
+  ".": "0.5.0"
 }

data/.rubocop.yml

@@ -0,0 +1,2 @@
+inherit_gem:
+  standard: config/base.yml

data/CHANGELOG.md

@@ -1,5 +1,39 @@
 ## [Unreleased]
 
+## [0.5.0](https://github.com/viamin/agent-harness/compare/agent-harness/v0.4.0...agent-harness/v0.5.0) (2026-03-03)
+
+
+### Features
+
+* parse token usage from Claude CLI JSON output ([a0e6d7c](https://github.com/viamin/agent-harness/commit/a0e6d7cafb5f5b74806a44d3d4f487e87fdfa05e)), closes [#19](https://github.com/viamin/agent-harness/issues/19)
+* support authentication error detection and token refresh for CLI agents ([83f2c71](https://github.com/viamin/agent-harness/commit/83f2c71c555483322c8a19d8a6ae195bd7720296)), closes [#20](https://github.com/viamin/agent-harness/issues/20)
+
+
+### Bug Fixes
+
+* add file lock to refresh_claude_auth to prevent lost-update races ([eb00e19](https://github.com/viamin/agent-harness/commit/eb00e1935dcd574f952ea37c263e9794de23f9a7))
+* address code review feedback for authentication module ([6d11067](https://github.com/viamin/agent-harness/commit/6d1106743c79f5ae4c3a98f078e4c4d4c93db465))
+* address code review feedback for resolve_provider and conductor docs ([5975b3b](https://github.com/viamin/agent-harness/commit/5975b3b8e087f681b57cc9935499e0691f865360))
+* address PR review feedback for auth error handling ([70d7ea7](https://github.com/viamin/agent-harness/commit/70d7ea7eb4d13fd80d7c2724af57053a6dea9972))
+* address PR review feedback for authentication module ([b098682](https://github.com/viamin/agent-harness/commit/b098682448104a833a3e50c89531bcb838910b52))
+* address PR review feedback for token handling in authentication ([03398b9](https://github.com/viamin/agent-harness/commit/03398b9be4b43c12c31694d8c7864dfde891da29))
+* address remaining PR review feedback for auth behavior ([893b549](https://github.com/viamin/agent-harness/commit/893b549bb080345bb1c0dfe718bb1840ff2a1f5e))
+* align ErrorTaxonomy auth_expired action with Conductor behavior ([7697637](https://github.com/viamin/agent-harness/commit/76976375708f56c4fbcaf635bebafd8da9f35de1))
+* clear expiry metadata on token refresh and align docs with API ([9bba06e](https://github.com/viamin/agent-harness/commit/9bba06e00c7b65722afef4b4492ec777e65578e0))
+* correct method for checking module inclusion in provider validation ([4cf57fc](https://github.com/viamin/agent-harness/commit/4cf57fcebed92261e065aa6cf526f1f3851f57e7))
+* differentiate credential read errors instead of returning generic nil ([cada3c5](https://github.com/viamin/agent-harness/commit/cada3c5404144b4eaf122d5dbe5f023eb30e5d95))
+* guard against non-Hash JSON in refresh_claude_auth credentials ([74e1301](https://github.com/viamin/agent-harness/commit/74e1301ec7835f929bd43dc15f4a87e62bcf7237))
+* remove accidentally committed bundler binstubs ([8207ef0](https://github.com/viamin/agent-harness/commit/8207ef0df67add5d1db8f3af9ef495c0b832d0b6))
+* validate tokens are non-empty strings in authentication module ([55a12e4](https://github.com/viamin/agent-harness/commit/55a12e45616839079afe509e079c771a1a71a1a5))
+
+## [0.4.0](https://github.com/viamin/agent-harness/compare/agent-harness/v0.3.0...agent-harness/v0.4.0) (2026-02-16)
+
+
+### Features
+
+* add DockerCommandExecutor for container-based command execution ([85826e5](https://github.com/viamin/agent-harness/commit/85826e5ece76d9f073329902769093f846cfd8b7))
+* add DockerCommandExecutor for container-based command execution ([cb18f2e](https://github.com/viamin/agent-harness/commit/cb18f2e2f1d16ef52ea2ce54c51970d73fcae6c8))
+
 ## [0.3.0](https://github.com/viamin/agent-harness/compare/agent-harness-v0.2.2...agent-harness/v0.3.0) (2026-01-26)
 
 

data/README.md

@@ -227,6 +227,9 @@ AgentHarness.token_tracker.summary
 ```ruby
 begin
   response = AgentHarness.send_message("Hello")
+rescue AgentHarness::AuthenticationError => e
+  puts "Auth failed for provider: #{e.provider}"
+  # Optionally trigger re-auth flow (see Authentication Management below)
 rescue AgentHarness::TimeoutError => e
   puts "Request timed out"
 rescue AgentHarness::RateLimitError => e
@@ -253,6 +256,76 @@ AgentHarness::ErrorTaxonomy.action_for(category)
 # => :switch_provider
 ```
 
+## Authentication Management
+
+AgentHarness can detect authentication failures and manage credentials for CLI agents.
+
+### Auth Type
+
+Providers declare their authentication type:
+
+```ruby
+provider = AgentHarness.provider(:claude)
+provider.auth_type
+# => :oauth  (token-based auth that can expire)
+
+provider = AgentHarness.provider(:aider)
+provider.auth_type
+# => :api_key  (static API key, no refresh needed)
+```
+
+### Auth Status Check
+
+Pre-flight check auth before starting a run:
+
+```ruby
+AgentHarness.auth_valid?(:claude)
+# => true/false
+
+AgentHarness.auth_status(:claude)
+# => { valid: false, expires_at: <Time>, error: "Session expired" }
+```
+
+For providers without a built-in auth check (including `:api_key` providers), `auth_valid?` returns `false` and `auth_status` returns an error indicating the check is not implemented. Custom providers can implement an `auth_status` instance method to provide their own check.
+
+### Auth Error Detection
+
+When a CLI agent fails due to expired or invalid authentication, `send_message` raises `AuthenticationError` with the provider name. Authentication errors are always surfaced directly to the caller (never auto-switched to another provider) so your application can trigger the appropriate re-auth flow:
+
+```ruby
+begin
+  AgentHarness.send_message("Hello", provider: :claude)
+rescue AgentHarness::AuthenticationError => e
+  puts e.provider  # => :claude
+  puts e.message   # => "oauth token expired"
+  # Trigger re-authentication flow for the specific provider
+end
+```
+
+### OAuth URL Generation
+
+For OAuth providers, get the URL the user should visit to start the login flow:
+
+```ruby
+AgentHarness.auth_url(:claude)
+# => "https://claude.ai/oauth/authorize"
+```
+
+This raises `NotImplementedError` for `:api_key` providers.
+
+### Credential Refresh
+
+Accept a pre-exchanged OAuth token and update the provider's stored credentials. The OAuth authorization code exchange is provider-specific and should be handled by your application or CLI login command before calling this method:
+
+```ruby
+AgentHarness.refresh_auth(:claude, token: "new-oauth-token")
+# => { success: true }
+```
+
+Any existing expiry metadata in the credentials file is cleared on refresh so that `auth_valid?` returns `true` immediately after a successful refresh.
+
+This raises `NotImplementedError` for `:api_key` providers. Credential file paths respect the `CLAUDE_CONFIG_DIR` environment variable.
+
 ## Development
 
 ```bash

data/lib/agent_harness/authentication.rb

@@ -0,0 +1,224 @@
+# frozen_string_literal: true
+
+require "json"
+require "fileutils"
+require "tempfile"
+require "time"
+
+module AgentHarness
+  # Authentication management for CLI agent providers
+  #
+  # Provides methods for checking auth status, generating OAuth URLs,
+  # and refreshing credentials for providers that support it.
+  module Authentication
+    class << self
+      # Check if authentication is valid for a provider
+      #
+      # @param provider_name [Symbol] the provider name
+      # @return [Boolean] true if auth is valid, false otherwise
+      def auth_valid?(provider_name)
+        status = auth_status(provider_name)
+        !!status[:valid]
+      end
+
+      # Get detailed authentication status for a provider
+      #
+      # @param provider_name [Symbol] the provider name
+      # @return [Hash] status with :valid, :expires_at, :error keys
+      def auth_status(provider_name)
+        provider_name = provider_name.to_sym
+        case provider_name
+        when :claude, :anthropic
+          claude_auth_status
+        else
+          generic_auth_status(provider_name)
+        end
+      end
+
+      # Generate an OAuth URL for a provider
+      #
+      # Only supported for :oauth auth type providers.
+      #
+      # @param provider_name [Symbol] the provider name
+      # @return [String] the OAuth authorization URL
+      # @raise [NotImplementedError] if provider doesn't support OAuth
+      def auth_url(provider_name)
+        provider_name = provider_name.to_sym
+        provider = resolve_provider(provider_name)
+
+        unless provider.auth_type == :oauth
+          raise NotImplementedError,
+            "Provider #{provider_name} uses #{provider.auth_type} auth and does not support OAuth URL generation"
+        end
+
+        case provider_name
+        when :claude, :anthropic
+          claude_auth_url
+        else
+          raise NotImplementedError,
+            "OAuth URL generation is not yet implemented for provider #{provider_name}"
+        end
+      end
+
+      # Refresh authentication credentials for a provider
+      #
+      # For OAuth providers, stores a pre-exchanged token directly.
+      # This method accepts a token (not an authorization code) because
+      # the OAuth code-exchange flow is provider-specific and should be
+      # handled by the caller or a CLI login command before calling this.
+      # For API key providers, raises NotImplementedError.
+      #
+      # @param provider_name [Symbol] the provider name
+      # @param token [String] OAuth token to store (must be non-blank)
+      # @return [Hash] result with :success key
+      # @raise [NotImplementedError] if provider doesn't support credential refresh
+      def refresh_auth(provider_name, token: nil)
+        provider_name = provider_name.to_sym
+        provider = resolve_provider(provider_name)
+
+        unless provider.auth_type == :oauth
+          raise NotImplementedError,
+            "Provider #{provider_name} uses #{provider.auth_type} auth and does not support credential refresh"
+        end
+
+        case provider_name
+        when :claude, :anthropic
+          refresh_claude_auth(token: token)
+        else
+          raise NotImplementedError,
+            "Credential refresh is not yet implemented for provider #{provider_name}"
+        end
+      end
+
+      private
+
+      def resolve_provider(provider_name)
+        klass = Providers::Registry.instance.get(provider_name)
+        # Construct the provider with config/executor/logger to match
+        # ProviderManager#create_provider and support custom providers
+        # that may rely on these initializer arguments.
+        config = AgentHarness.configuration.providers[provider_name]
+        klass.new(
+          config: config,
+          executor: AgentHarness.configuration.command_executor,
+          logger: AgentHarness.logger
+        )
+      rescue ConfigurationError
+        raise ProviderNotFoundError, "Unknown provider: #{provider_name}"
+      end
+
+      # Claude Code auth status check
+      def claude_auth_status
+        credentials = read_claude_credentials
+        return {valid: false, expires_at: nil, error: "No credentials found"} unless credentials
+
+        # Check if the credentials file has a token, preferring a non-blank oauth_token over apiKey
+        oauth_token = credentials["oauth_token"]
+        api_key = credentials["apiKey"]
+        token = [oauth_token, api_key].find { |t| t.is_a?(String) && !t.strip.empty? }
+        if token
+          expires_at = parse_expiry(credentials["expiresAt"] || credentials["expires_at"])
+          if expires_at && expires_at < Time.now
+            {valid: false, expires_at: expires_at, error: "Session expired"}
+          else
+            {valid: true, expires_at: expires_at, error: nil}
+          end
+        else
+          {valid: false, expires_at: nil, error: "No authentication token found"}
+        end
+      rescue IOError, JSON::ParserError => e
+        {valid: false, expires_at: nil, error: e.message}
+      end
+
+      # Generic auth status for non-Claude providers
+      def generic_auth_status(provider_name)
+        provider = resolve_provider(provider_name)
+
+        # Prefer a provider-specific auth_status hook when available
+        if provider.respond_to?(:auth_status)
+          return provider.auth_status
+        end
+
+        if provider.auth_type == :api_key
+          {valid: false, expires_at: nil, error: "Auth status check not implemented for api_key providers"}
+        else
+          {valid: false, expires_at: nil, error: "Auth status check not implemented for #{provider_name}"}
+        end
+      rescue ProviderNotFoundError => e
+        {valid: false, expires_at: nil, error: e.message}
+      end
+
+      def claude_auth_url
+        "https://claude.ai/oauth/authorize"
+      end
+
+      def refresh_claude_auth(token: nil)
+        raise ArgumentError, "token must be a non-empty string" unless token.is_a?(String) && !token.strip.empty?
+
+        credentials_path = claude_credentials_path
+        dir = File.dirname(credentials_path)
+        FileUtils.mkdir_p(dir, mode: 0o700)
+
+        lock_path = "#{credentials_path}.lock"
+        File.open(lock_path, File::RDWR | File::CREAT, 0o600) do |lock|
+          lock.flock(File::LOCK_EX)
+
+          credentials = read_claude_credentials
+          credentials = {} unless credentials.is_a?(Hash)
+          credentials["oauth_token"] = token.strip
+          # Clear any existing expiry metadata so refreshed tokens are not treated as expired
+          credentials.delete("expiresAt")
+          credentials.delete("expires_at")
+
+          # Write under a file lock using tempfile + rename to avoid corruption and lost updates on concurrent refreshes
+          tmpfile = Tempfile.new(".credentials", dir)
+          begin
+            tmpfile.write(JSON.pretty_generate(credentials))
+            tmpfile.close
+            File.chmod(0o600, tmpfile.path)
+            File.rename(tmpfile.path, credentials_path)
+          rescue
+            tmpfile.close!
+            raise
+          end
+        end
+
+        {success: true}
+      end
+
+      def read_claude_credentials
+        path = claude_credentials_path
+        return nil unless File.exist?(path)
+
+        JSON.parse(File.read(path))
+      rescue Errno::ENOENT
+        # File was removed between the existence check and the read; treat as missing
+        nil
+      rescue Errno::EACCES => e
+        raise IOError, "Permission denied when reading Claude credentials at #{path}: #{e.message}"
+      rescue JSON::ParserError => e
+        raise JSON::ParserError, "Invalid JSON in Claude credentials at #{path}: #{e.message}"
+      end
+
+      def claude_credentials_path
+        config_dir = ENV["CLAUDE_CONFIG_DIR"] || File.expand_path("~/.claude")
+        File.join(config_dir, ".credentials.json")
+      end
+
+      def parse_expiry(value)
+        return nil unless value
+
+        case value
+        when Time
+          value
+        when Integer, Float
+          Time.at(value)
+        when String
+          Time.parse(value)
+        end
+      rescue ArgumentError
+        nil
+      end
+    end
+  end
+end

data/lib/agent_harness/command_executor.rb

@@ -87,7 +87,7 @@ module AgentHarness
       !which(binary).nil?
     end
 
-    private
+    protected
 
     def normalize_command(command)
       case command
@@ -100,6 +100,8 @@ module AgentHarness
       end
     end
 
+    private
+
     def execute_with_timeout(cmd_array, timeout:, env:, stdin_data:)
       stdout = ""
       stderr = ""

data/lib/agent_harness/docker_command_executor.rb

@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+module AgentHarness
+  # Executes commands inside a Docker container
+  #
+  # Wraps commands with `docker exec` so they run inside
+  # the specified container rather than on the host.
+  #
+  # @example Basic usage
+  #   executor = AgentHarness::DockerCommandExecutor.new(container_id: "abc123")
+  #   result = executor.execute(["python", "script.py"])
+  #
+  # @example With environment variables
+  #   result = executor.execute("echo $FOO", env: { "FOO" => "bar" })
+  class DockerCommandExecutor < CommandExecutor
+    attr_reader :container_id
+
+    # Initialize the Docker command executor
+    #
+    # @param container_id [String] the Docker container ID or name
+    # @param logger [Logger, nil] optional logger
+    # @raise [CommandExecutionError] if Docker CLI is not found on the host
+    def initialize(container_id:, logger: nil)
+      raise ArgumentError, "container_id cannot be nil or empty" if container_id.nil? || container_id.empty?
+
+      super(logger: logger)
+      @container_id = container_id
+      validate_docker!
+    end
+
+    # Execute a command inside the Docker container
+    #
+    # Wraps the given command with `docker exec` and delegates
+    # to the parent class for actual process execution.
+    #
+    # @param command [Array<String>, String] command to execute
+    # @param timeout [Integer, nil] timeout in seconds
+    # @param env [Hash] environment variables to set in the container
+    # @param stdin_data [String, nil] data to send to stdin
+    # @return [Result] execution result
+    def execute(command, timeout: nil, env: {}, stdin_data: nil)
+      docker_cmd = build_docker_command(command, env: env, stdin_data: stdin_data)
+      super(docker_cmd, timeout: timeout, env: {}, stdin_data: stdin_data)
+    end
+
+    # Check if a binary exists inside the container
+    #
+    # @param binary [String] binary name
+    # @return [String, nil] full path or nil
+    def which(binary)
+      result = execute(["which", binary], timeout: 5)
+      result.success? ? result.stdout.strip : nil
+    end
+
+    private
+
+    def validate_docker!
+      return if ENV["PATH"]&.split(File::PATH_SEPARATOR)&.any? { |path| File.executable?(File.join(path, "docker")) }
+
+      raise CommandExecutionError, "Docker CLI not found on host PATH"
+    end
+
+    def build_docker_command(command, env:, stdin_data:)
+      cmd = ["docker", "exec"]
+
+      env.each { |key, value| cmd.push("--env", "#{key}=#{value}") }
+      cmd.push("-i") if stdin_data
+
+      cmd.push(@container_id)
+
+      cmd.concat(normalize_command(command))
+    end
+  end
+end

data/lib/agent_harness/error_taxonomy.rb

@@ -16,7 +16,7 @@ module AgentHarness
       },
       auth_expired: {
         description: "Authentication failed or expired",
-        action: :switch_provider,
+        action: :reauthenticate,
         retryable: false
       },
       quota_exceeded: {

data/lib/agent_harness/errors.rb

@@ -45,7 +45,14 @@ module AgentHarness
   end
 
   # Authentication errors
-  class AuthenticationError < Error; end
+  class AuthenticationError < Error
+    attr_reader :provider
+
+    def initialize(message = nil, provider: nil, **kwargs)
+      @provider = provider
+      super(message, **kwargs)
+    end
+  end
 
   # Configuration errors
   class ConfigurationError < Error; end

data/lib/agent_harness/orchestration/conductor.rb

@@ -101,6 +101,17 @@ module AgentHarness
           @provider_manager.record_success(provider_name)
 
           response
+        rescue AuthenticationError => e
+          # Authentication errors are intentionally NOT retried or switched.
+          # Unlike transient provider errors, auth failures indicate expired
+          # or invalid credentials that require user re-authentication — switching
+          # to another provider would mask the real problem. The error is surfaced
+          # directly so callers can trigger a re-auth flow (e.g. via Authentication.refresh_auth).
+          # We also skip @provider_manager.record_failure to avoid tripping the
+          # circuit breaker, since auth failures are credential issues, not
+          # provider health issues.
+          @metrics.record_failure(provider_name, e)
+          raise
         rescue RateLimitError => e
           @provider_manager.mark_rate_limited(provider_name, reset_at: e.reset_time)
           handle_provider_failure(e, provider_name, :switch)

data/lib/agent_harness/providers/adapter.rb

@@ -102,6 +102,14 @@ module AgentHarness
         {}
       end
 
+      # Authentication type for this provider
+      #
+      # @return [Symbol] :oauth for token-based auth that can expire,
+      #   :api_key for static API key auth
+      def auth_type
+        :api_key
+      end
+
       # Check if provider supports MCP
       #
       # @return [Boolean] true if MCP is supported

data/lib/agent_harness/providers/anthropic.rb

@@ -184,6 +184,10 @@ module AgentHarness
         ["--dangerously-skip-permissions"]
       end
 
+      def auth_type
+        :oauth
+      end
+
       def error_patterns
         {
           rate_limited: [
@@ -198,7 +202,11 @@ module AgentHarness
             /authentication.*error/i,
             /invalid.*api.*key/i,
             /unauthorized/i,
-            /401/
+            /401/,
+            /session.*expired/i,
+            /not.*logged.*in/i,
+            /login.*required/i,
+            /credentials.*expired/i
           ],
           quota_exceeded: [
             /quota.*exceeded/i,
@@ -246,7 +254,7 @@ module AgentHarness
       def build_command(prompt, options)
         cmd = [self.class.binary_name]
 
-        cmd += ["--print", "--output-format=text"]
+        cmd += ["--print", "--output-format=json"]
 
         # Add model if specified
         if @config.model && !@config.model.empty?
@@ -269,18 +277,27 @@ module AgentHarness
       def parse_response(result, duration:)
         output = result.stdout
         error = nil
+        tokens = nil
 
         if result.failed?
           combined = [result.stdout, result.stderr].compact.join("\n")
           error = classify_error_message(combined)
         end
 
+        # Parse JSON output to extract result text and token usage
+        parsed = parse_json_output(output)
+        if parsed
+          output = parsed["result"] || output
+          tokens = extract_tokens(parsed)
+        end
+
         Response.new(
           output: output,
           exit_code: result.exit_code,
           duration: duration,
           provider: self.class.provider_name,
           model: @config.model,
+          tokens: tokens,
           error: error
         )
       end
@@ -291,6 +308,28 @@ module AgentHarness
 
       private
 
+      def parse_json_output(output)
+        return nil if output.nil? || output.empty?
+
+        JSON.parse(output)
+      rescue JSON::ParserError
+        nil
+      end
+
+      def extract_tokens(parsed)
+        usage = parsed["usage"]
+        return nil unless usage
+
+        input = usage["input_tokens"]
+        output = usage["output_tokens"]
+        return nil unless input || output
+
+        input ||= 0
+        output ||= 0
+
+        {input: input, output: output, total: input + output}
+      end
+
       def classify_error_message(message)
         msg_lower = message.downcase
 

data/lib/agent_harness/providers/base.rb

@@ -32,7 +32,8 @@ module AgentHarness
     class Base
       include Adapter
 
-      attr_reader :config, :executor, :logger
+      attr_reader :config, :logger
+      attr_accessor :executor
 
       # Initialize the provider
       #
@@ -178,7 +179,11 @@ module AgentHarness
         when :rate_limited
           RateLimitError.new(original_error.message, original_error: original_error)
         when :auth_expired
-          AuthenticationError.new(original_error.message, original_error: original_error)
+          AuthenticationError.new(
+            original_error.message,
+            provider: self.class.provider_name,
+            original_error: original_error
+          )
         when :timeout
           TimeoutError.new(original_error.message, original_error: original_error)
         else

data/lib/agent_harness/providers/cursor.rb

@@ -114,6 +114,10 @@ module AgentHarness
         fetch_mcp_servers_cli || fetch_mcp_servers_config
       end
 
+      def auth_type
+        :oauth
+      end
+
       def error_patterns
         {
           rate_limited: [
@@ -265,7 +269,7 @@ module AgentHarness
         when :rate_limited
           raise RateLimitError.new(error.message, original_error: error)
         when :auth_expired
-          raise AuthenticationError.new(error.message, original_error: error)
+          raise AuthenticationError.new(error.message, provider: self.class.provider_name, original_error: error)
         when :timeout
           raise TimeoutError.new(error.message, original_error: error)
         else

data/lib/agent_harness/providers/gemini.rb

@@ -92,6 +92,10 @@ module AgentHarness
         }
       end
 
+      def auth_type
+        :oauth
+      end
+
       def error_patterns
         {
           rate_limited: [

data/lib/agent_harness/providers/github_copilot.rb

@@ -106,6 +106,10 @@ module AgentHarness
         ["--resume", session_id]
       end
 
+      def auth_type
+        :oauth
+      end
+
       def error_patterns
         {
           auth_expired: [

data/lib/agent_harness/providers/registry.rb

@@ -95,7 +95,7 @@ module AgentHarness
       end
 
       def validate_provider_class!(klass)
-        includes_adapter = klass.included_modules.include?(Adapter)
+        includes_adapter = klass.include?(Adapter)
         has_required_methods = klass.respond_to?(:provider_name) &&
           klass.respond_to?(:available?) &&
           klass.respond_to?(:binary_name)

data/lib/agent_harness/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module AgentHarness
-  VERSION = "0.3.0"
+  VERSION = "0.5.0"
 end

data/lib/agent_harness.rb

@@ -82,6 +82,37 @@ module AgentHarness
     def provider(name)
       conductor.provider_manager.get_provider(name)
     end
+
+    # Check if authentication is valid for a provider
+    # @param provider_name [Symbol] the provider name
+    # @return [Boolean] true if auth is valid
+    def auth_valid?(provider_name)
+      Authentication.auth_valid?(provider_name)
+    end
+
+    # Get detailed authentication status for a provider
+    # @param provider_name [Symbol] the provider name
+    # @return [Hash] status with :valid, :expires_at, :error keys
+    def auth_status(provider_name)
+      Authentication.auth_status(provider_name)
+    end
+
+    # Generate an OAuth URL for a provider
+    # @param provider_name [Symbol] the provider name
+    # @return [String] the OAuth authorization URL
+    # @raise [NotImplementedError] if provider doesn't support OAuth
+    def auth_url(provider_name)
+      Authentication.auth_url(provider_name)
+    end
+
+    # Refresh authentication credentials for a provider
+    # @param provider_name [Symbol] the provider name
+    # @param token [String, nil] OAuth token to store
+    # @return [Hash] result with :success key
+    # @raise [NotImplementedError] if provider doesn't support credential refresh
+    def refresh_auth(provider_name, token: nil)
+      Authentication.refresh_auth(provider_name, token: token)
+    end
   end
 end
 
@@ -89,9 +120,11 @@ end
 require_relative "agent_harness/errors"
 require_relative "agent_harness/configuration"
 require_relative "agent_harness/command_executor"
+require_relative "agent_harness/docker_command_executor"
 require_relative "agent_harness/response"
 require_relative "agent_harness/token_tracker"
 require_relative "agent_harness/error_taxonomy"
+require_relative "agent_harness/authentication"
 
 # Provider layer
 require_relative "agent_harness/providers/registry"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: agent-harness
 version: !ruby/object:Gem::Version
-  version: 0.3.0
+  version: 0.5.0
 platform: ruby
 authors:
 - Bart Agapinan
@@ -66,6 +66,7 @@ files:
 - ".markdownlintignore"
 - ".release-please-manifest.json"
 - ".rspec"
+- ".rubocop.yml"
 - ".simplecov"
 - ".tool-versions"
 - CHANGELOG.md
@@ -76,8 +77,10 @@ files:
 - bin/console
 - bin/setup
 - lib/agent_harness.rb
+- lib/agent_harness/authentication.rb
 - lib/agent_harness/command_executor.rb
 - lib/agent_harness/configuration.rb
+- lib/agent_harness/docker_command_executor.rb
 - lib/agent_harness/error_taxonomy.rb
 - lib/agent_harness/errors.rb
 - lib/agent_harness/orchestration/circuit_breaker.rb
@@ -116,7 +119,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="
     - !ruby/object:Gem::Version
-      version: 3.3.0
+      version: 3.2.0
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
   - - ">="