@0dai-dev/cli 4.3.6 → 4.3.7

package/lib/python/capi_profile_guard.py

@@ -0,0 +1,477 @@
+#!/usr/bin/env python3
+"""Guard the capi custom API profile from leaked interactive Claude auth state."""
+from __future__ import annotations
+
+import argparse
+import json
+import os
+import pathlib
+import time
+from typing import Any
+
+
+CAPI_HOME = pathlib.Path(os.environ.get("ODAI_CAPI_HOME", "/root/.custom-api")).expanduser()
+PROFILE_JSON = CAPI_HOME / ".claude.json"
+CREDENTIALS_JSON = CAPI_HOME / ".claude" / ".credentials.json"
+BACKUPS_DIR = CAPI_HOME / ".claude" / "backups"
+STATE_FILE = CAPI_HOME / ".0dai-capi-profile-guard.json"
+SETTINGS_JSON = CAPI_HOME / ".claude" / "settings.json"
+ENV_FILE = CAPI_HOME / os.environ.get("ODAI_CAPI_ENV_FILE", "custom-api.env")
+LEGACY_ENV_FILE = CAPI_HOME / "anthropic.env"
+
+PROFILE_AUTH_KEYS = ("oauthAccount", "hasAvailableSubscription")
+BACKUP_MARKERS = ("oauthAccount", "claudeAiOauth", "emailAddress", "organizationUuid", "accountUuid")
+SETTINGS_SCHEMA_URL = "https://json.schemastore.org/claude-code-settings.json"
+SETTINGS_MODEL_DEFAULT = "claude-opus-4-6"
+PRESERVED_ENV_KEYS = ("ANTHROPIC_BASE_URL",)
+UPSTREAM_ENV_KEY = "CAPI_UPSTREAM_BASE_URL"
+PROVIDER_KIND_ENV_KEY = "CAPI_PROVIDER_KIND"
+SECRET_ENV_KEY = "CAPI_SECRET_ENV_KEY"
+SETTINGS_ENV_DEFAULTS = {
+    "CLAUDE_CODE_EXPERIMENTAL_AGENT_TEAMS": "0",
+    "CLAUDE_CODE_EFFORT_LEVEL": "high",
+    "CLAUDE_AUTOCOMPACT_PCT_OVERRIDE": "80",
+    "CLAUDE_CODE_MAX_OUTPUT_TOKENS": "64000",
+    "CLAUDE_CODE_FILE_READ_MAX_OUTPUT_TOKENS": "100000",
+    "CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC": "1",
+    "DISABLE_TELEMETRY": "1",
+    "DISABLE_ERROR_REPORTING": "1",
+    "DISABLE_AUTOUPDATER": "1",
+    "DISABLE_BUG_COMMAND": "1",
+    "DISABLE_COST_WARNINGS": "1",
+    "DISABLE_NON_ESSENTIAL_MODEL_CALLS": "1",
+    "CLAUDE_CODE_DISABLE_FEEDBACK_SURVEY": "1",
+    "BASH_DEFAULT_TIMEOUT_MS": "120000",
+    "BASH_MAX_TIMEOUT_MS": "600000",
+    "BASH_MAX_OUTPUT_LENGTH": "100000",
+    "MAX_THINKING_TOKENS": "31999",
+}
+
+
+def _now() -> str:
+    return time.strftime("%Y-%m-%dT%H:%M:%S+00:00", time.gmtime())
+
+
+def _safe_rel(path: pathlib.Path) -> str:
+    try:
+        return str(path.relative_to(CAPI_HOME))
+    except ValueError:
+        return str(path)
+
+
+def _load_json(path: pathlib.Path) -> dict[str, Any]:
+    if not _is_file(path):
+        return {}
+    try:
+        data = json.loads(path.read_text(encoding="utf-8"))
+    except (json.JSONDecodeError, OSError):
+        return {}
+    return data if isinstance(data, dict) else {}
+
+
+def _write_json(path: pathlib.Path, payload: dict[str, Any]) -> None:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(
+        json.dumps(payload, indent=2, ensure_ascii=False) + "\n",
+        encoding="utf-8",
+    )
+
+
+def _load_guard_state() -> dict[str, Any]:
+    return _load_json(STATE_FILE)
+
+
+def _save_guard_state(payload: dict[str, Any]) -> None:
+    current = _load_guard_state()
+    merged = {**current, **payload, "updated_at": _now()}
+    _write_json(STATE_FILE, merged)
+
+
+def _is_file(path: pathlib.Path) -> bool:
+    try:
+        return path.is_file()
+    except OSError:
+        return False
+
+
+def _is_dir(path: pathlib.Path) -> bool:
+    try:
+        return path.is_dir()
+    except OSError:
+        return False
+
+
+def _profile_auth_keys(path: pathlib.Path) -> tuple[list[str], str | None]:
+    if not _is_file(path):
+        return [], None
+    try:
+        data = json.loads(path.read_text(encoding="utf-8"))
+    except (json.JSONDecodeError, OSError) as exc:
+        text = ""
+        try:
+            text = path.read_text(encoding="utf-8", errors="ignore")
+        except OSError:
+            pass
+        if any(marker in text for marker in BACKUP_MARKERS):
+            return list(PROFILE_AUTH_KEYS), f"invalid profile json: {exc}"
+        return [], None
+    if not isinstance(data, dict):
+        return [], None
+    return [key for key in PROFILE_AUTH_KEYS if key in data], None
+
+
+def _backup_files_with_auth() -> list[pathlib.Path]:
+    if not _is_dir(BACKUPS_DIR):
+        return []
+    matches: list[pathlib.Path] = []
+    for path in sorted(BACKUPS_DIR.glob(".claude.json.backup.*")):
+        try:
+            text = path.read_text(encoding="utf-8", errors="ignore")
+        except OSError:
+            continue
+        if any(marker in text for marker in BACKUP_MARKERS):
+            matches.append(path)
+    return matches
+
+
+def _base_result() -> dict[str, Any]:
+    return {
+        "clean": True,
+        "leaked_auth_detected": False,
+        "sanitized": False,
+        "removed_files": [],
+        "removed_keys": [],
+        "warnings": [],
+        "error": None,
+        "state": "clean",
+    }
+
+
+def _env_assignments(path: pathlib.Path) -> dict[str, str]:
+    if not _is_file(path):
+        return {}
+    assignments: dict[str, str] = {}
+    try:
+        text = path.read_text(encoding="utf-8")
+    except OSError:
+        return {}
+    for raw_line in text.splitlines():
+        line = raw_line.strip()
+        if not line or line.startswith("#"):
+            continue
+        if line.startswith("export "):
+            line = line[len("export ") :].strip()
+        if "=" not in line:
+            continue
+        key, value = line.split("=", 1)
+        key = key.strip()
+        if not key:
+            continue
+        assignments[key] = value.strip().strip('"').strip("'")
+    return assignments
+
+
+def load_env_contract() -> dict[str, str]:
+    assignments = _env_assignments(ENV_FILE)
+    if assignments:
+        return assignments
+    if LEGACY_ENV_FILE != ENV_FILE:
+        return _env_assignments(LEGACY_ENV_FILE)
+    return {}
+
+
+def _provider_profile_env_contract(target: pathlib.Path | None) -> dict[str, str]:
+    if target is None:
+        return {}
+    try:
+        try:
+            from . import provider_profiles  # type: ignore
+        except ImportError:
+            import provider_profiles  # type: ignore
+    except ImportError:
+        return {}
+    try:
+        profile = provider_profiles.resolve_profile(pathlib.Path(target).resolve(), "capi")
+    except (OSError, ValueError, KeyError, TypeError, AttributeError):
+        # resolve_profile reads JSON/YAML configs (OSError, ValueError covers
+        # JSONDecodeError), looks up dict keys (KeyError), and accesses
+        # attributes on the parsed shape (AttributeError/TypeError). Profile
+        # lookup is optional — return empty env on any of these.
+        return {}
+    if not isinstance(profile, dict) or not profile:
+        return {}
+    try:
+        api_key = str(provider_profiles._secret_value(profile) or "").strip()
+        secret_key = str(profile.get("secret_env_key") or "").strip()
+        provider_kind = str(profile.get("provider_kind") or "").strip()
+        upstream = str(
+            provider_profiles._invoke_base_url(
+                provider_kind,
+                str(profile.get("base_url") or ""),
+            )
+            or ""
+        ).strip()
+    except (AttributeError, KeyError, TypeError, ValueError):
+        # Profile is expected to be a dict (.get / attribute access) and
+        # _secret_value / _invoke_base_url accept str inputs. The handler
+        # absorbs shape drift only — raising on these makes the guard fail
+        # closed instead of being usable as a best-effort env builder.
+        return {}
+    if not secret_key:
+        secret_key = "OPENAI_API_KEY" if provider_kind == "openai_compatible" else "ANTHROPIC_API_KEY"
+    if not api_key or not upstream:
+        return {}
+    return {
+        PROVIDER_KIND_ENV_KEY: provider_kind,
+        SECRET_ENV_KEY: secret_key,
+        secret_key: api_key,
+        UPSTREAM_ENV_KEY: upstream,
+    }
+
+
+def _write_env_contract(path: pathlib.Path, assignments: dict[str, str]) -> None:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    ordered_keys = [
+        PROVIDER_KIND_ENV_KEY,
+        SECRET_ENV_KEY,
+        "OPENAI_API_KEY",
+        "OPENROUTER_API_KEY",
+        "ANTHROPIC_API_KEY",
+        UPSTREAM_ENV_KEY,
+        "ANTHROPIC_BASE_URL",
+    ]
+    remaining = sorted(key for key in assignments if key not in ordered_keys)
+    lines: list[str] = []
+    for key in ordered_keys + remaining:
+        value = str(assignments.get(key) or "").strip()
+        if not value:
+            continue
+        lines.append(f"export {key}={value}")
+    path.write_text("\n".join(lines) + ("\n" if lines else ""), encoding="utf-8")
+    try:
+        path.chmod(0o600)
+    except OSError:
+        pass
+
+
+def _canonical_settings(existing: dict[str, Any]) -> dict[str, Any]:
+    existing_env = existing.get("env")
+    normalized_env: dict[str, str] = {}
+    if isinstance(existing_env, dict):
+        for key in PRESERVED_ENV_KEYS:
+            value = existing_env.get(key)
+            if value is not None and str(value).strip():
+                normalized_env[key] = str(value)
+    normalized_env.update(SETTINGS_ENV_DEFAULTS)
+    return {
+        "$schema": SETTINGS_SCHEMA_URL,
+        "autoUpdatesChannel": str(existing.get("autoUpdatesChannel") or "latest"),
+        "env": normalized_env,
+        "model": str(existing.get("model") or SETTINGS_MODEL_DEFAULT),
+        "skipDangerousModePermissionPrompt": True,
+    }
+
+
+def detect_profile() -> dict[str, Any]:
+    result = _base_result()
+    profile_keys, profile_error = _profile_auth_keys(PROFILE_JSON)
+    leaked_files: list[str] = []
+    if _is_file(CREDENTIALS_JSON):
+        leaked_files.append(_safe_rel(CREDENTIALS_JSON))
+    leaked_backups = _backup_files_with_auth()
+    leaked_files.extend(_safe_rel(path) for path in leaked_backups)
+    if profile_error:
+        result["warnings"].append(profile_error)
+    if profile_keys or leaked_files:
+        result["clean"] = False
+        result["leaked_auth_detected"] = True
+        result["removed_keys"] = list(profile_keys)
+        result["removed_files"] = leaked_files
+        result["state"] = "leaked_auth_detected"
+        return result
+    state = _load_guard_state()
+    if state.get("last_sanitized_at"):
+        result["state"] = "leaked_auth_removed"
+    return result
+
+
+def sanitize_profile() -> dict[str, Any]:
+    detected = detect_profile()
+    if not detected.get("leaked_auth_detected"):
+        return detected
+
+    removed_files: list[str] = []
+    removed_keys: list[str] = []
+    warnings = list(detected.get("warnings") or [])
+
+    if _is_file(CREDENTIALS_JSON):
+        try:
+            CREDENTIALS_JSON.unlink()
+            removed_files.append(_safe_rel(CREDENTIALS_JSON))
+        except OSError as exc:
+            detected["error"] = f"failed to remove {_safe_rel(CREDENTIALS_JSON)}: {exc}"
+            detected["clean"] = False
+            detected["state"] = "error"
+            return detected
+
+    profile_keys, profile_error = _profile_auth_keys(PROFILE_JSON)
+    if profile_error:
+        detected["error"] = profile_error
+        detected["clean"] = False
+        detected["state"] = "error"
+        return detected
+    if profile_keys:
+        try:
+            data = json.loads(PROFILE_JSON.read_text(encoding="utf-8"))
+            if not isinstance(data, dict):
+                raise ValueError("profile root is not an object")
+            for key in profile_keys:
+                data.pop(key, None)
+            PROFILE_JSON.write_text(
+                json.dumps(data, indent=2, ensure_ascii=False) + "\n",
+                encoding="utf-8",
+            )
+            removed_keys.extend(profile_keys)
+        except (OSError, ValueError, json.JSONDecodeError) as exc:
+            detected["error"] = f"failed to sanitize {_safe_rel(PROFILE_JSON)}: {exc}"
+            detected["clean"] = False
+            detected["state"] = "error"
+            return detected
+
+    for backup in _backup_files_with_auth():
+        try:
+            backup.unlink()
+            removed_files.append(_safe_rel(backup))
+        except OSError as exc:
+            warnings.append(f"failed to remove {_safe_rel(backup)}: {exc}")
+
+    post = detect_profile()
+    if post.get("leaked_auth_detected"):
+        post["error"] = "leaked auth markers remain after sanitize"
+        post["clean"] = False
+        post["state"] = "error"
+        return post
+
+    payload = {
+        **post,
+        "sanitized": bool(removed_files or removed_keys),
+        "removed_files": removed_files,
+        "removed_keys": removed_keys,
+        "warnings": warnings,
+        "state": "leaked_auth_removed" if (removed_files or removed_keys) else post.get("state", "clean"),
+    }
+    if payload["sanitized"]:
+        _save_guard_state(
+            {
+                "last_sanitized_at": _now(),
+                "last_removed_files": removed_files,
+                "last_removed_keys": removed_keys,
+            }
+        )
+    return payload
+
+
+def ensure_profile_contract(*, target: pathlib.Path | None = None) -> dict[str, Any]:
+    result = sanitize_profile()
+    result.setdefault("warnings", [])
+    result["contract_ok"] = False
+    result["settings_rewritten"] = False
+    result["env_rewritten"] = False
+    result["env_file_present"] = _is_file(ENV_FILE)
+    result["api_key_present"] = False
+    result["upstream_present"] = False
+    result["secret_env_key"] = ""
+    result["provider_kind"] = ""
+    if result.get("error"):
+        return result
+
+    SETTINGS_JSON.parent.mkdir(parents=True, exist_ok=True)
+    (CAPI_HOME / ".cache").mkdir(parents=True, exist_ok=True)
+    (CAPI_HOME / ".local" / "state").mkdir(parents=True, exist_ok=True)
+    (CAPI_HOME / ".config").mkdir(parents=True, exist_ok=True)
+
+    existing_settings = _load_json(SETTINGS_JSON)
+    canonical_settings = _canonical_settings(existing_settings)
+    if existing_settings != canonical_settings:
+        _write_json(SETTINGS_JSON, canonical_settings)
+        result["settings_rewritten"] = True
+
+    provider_env = _provider_profile_env_contract(target)
+    if provider_env:
+        existing_assignments = load_env_contract()
+        merged_assignments = dict(existing_assignments)
+        merged_assignments.update(provider_env)
+        if merged_assignments != existing_assignments or not _is_file(ENV_FILE):
+            _write_env_contract(ENV_FILE, merged_assignments)
+            result["env_rewritten"] = True
+    elif not _is_file(ENV_FILE):
+        existing_assignments = load_env_contract()
+        if existing_assignments:
+            _write_env_contract(ENV_FILE, existing_assignments)
+            result["env_rewritten"] = True
+
+    result["env_file_present"] = _is_file(ENV_FILE)
+    if not result["env_file_present"]:
+        result["clean"] = False
+        result["error"] = f"missing capi env file: {ENV_FILE}"
+        result["state"] = "error"
+        return result
+
+    assignments = load_env_contract()
+    secret_key = str(assignments.get(SECRET_ENV_KEY) or "").strip()
+    if not secret_key:
+        secret_key = "OPENAI_API_KEY" if assignments.get("OPENAI_API_KEY") else "ANTHROPIC_API_KEY"
+    result["secret_env_key"] = secret_key
+    provider_kind = str(assignments.get(PROVIDER_KIND_ENV_KEY) or "").strip()
+    if not provider_kind:
+        provider_kind = (
+            "openai_compatible"
+            if secret_key.startswith("OPENAI") or secret_key.startswith("OPENROUTER")
+            else "anthropic_compatible"
+        )
+    result["provider_kind"] = provider_kind
+    result["api_key_present"] = bool(assignments.get(secret_key))
+    if not result["api_key_present"]:
+        result["clean"] = False
+        result["error"] = f"missing {secret_key} in {ENV_FILE}"
+        result["state"] = "error"
+        return result
+
+    result["upstream_present"] = bool(assignments.get(UPSTREAM_ENV_KEY))
+    if not result["upstream_present"]:
+        result["clean"] = False
+        result["error"] = f"missing {UPSTREAM_ENV_KEY} in {ENV_FILE}"
+        result["state"] = "error"
+        return result
+    result["upstream_base_url"] = str(assignments.get(UPSTREAM_ENV_KEY) or "").strip()
+
+    result["contract_ok"] = True
+    if result["settings_rewritten"] and result.get("state") == "clean":
+        result["state"] = "contract_repaired"
+    return result
+
+
+def _build_parser() -> argparse.ArgumentParser:
+    parser = argparse.ArgumentParser(description=__doc__)
+    parser.add_argument("mode", choices=("detect", "sanitize", "ensure"))
+    parser.add_argument("--json", action="store_true", dest="json_output")
+    return parser
+
+
+def main() -> None:
+    args = _build_parser().parse_args()
+    if args.mode == "detect":
+        result = detect_profile()
+    elif args.mode == "sanitize":
+        result = sanitize_profile()
+    else:
+        result = ensure_profile_contract()
+    if args.json_output:
+        print(json.dumps(result, ensure_ascii=False))
+    else:
+        print(result.get("state") or "unknown")
+    raise SystemExit(1 if result.get("error") else 0)
+
+
+if __name__ == "__main__":
+    main()