@adaptic/maestro 1.9.1 → 1.9.2

package/.env.example

@@ -16,11 +16,29 @@
 # The agent's reasoning engines. At minimum you need Anthropic (Claude).
 #
 
-# REQUIRED — Primary reasoning engine (Claude Code uses this)
-# Get your key: https://console.anthropic.com/settings/keys
-# Subscription: Anthropic API plan (pay-per-token) or Max subscription
+# REQUIRED — Primary reasoning engine. Two ways to authenticate:
+#
+#   Option A — API key (pay-per-token)
+#     Set ANTHROPIC_API_KEY below to a valid sk-ant-api03-... key.
+#     Get one: https://console.anthropic.com/settings/keys
+#
+#   Option B — Claude Code subscription (Pro/Max, OAuth via Keychain)
+#     LEAVE ANTHROPIC_API_KEY EMPTY *and* set MAESTRO_PREFER_SUBSCRIPTION_AUTH=1.
+#     This tells the cadence consumer to strip ANTHROPIC_API_KEY from every
+#     sub-session spawn so claude --print falls back to the keychain OAuth
+#     token. Most agents on a Mac mini with a Claude Code subscription
+#     should use this option — routine cadence ticks cost zero API credits.
+#
+# Doctor validates the key against api.anthropic.com on every run; an
+# invalid key here will cascade 401s through every sub-session spawn.
 ANTHROPIC_API_KEY=
 
+# OPTIONAL — When set to 1, the cadence consumer strips ANTHROPIC_API_KEY
+# from every claude --print sub-session env so claude falls back to
+# Claude Code subscription auth (Keychain OAuth). Use this when the
+# agent's Mac has a Claude Code Pro/Max subscription.
+MAESTRO_PREFER_SUBSCRIPTION_AUTH=
+
 # OPTIONAL — Supplemental model access (GPT-4, embeddings)
 # Get your key: https://platform.openai.com/api-keys
 # Subscription: OpenAI API plan (pay-per-token)

package/bin/maestro.mjs

@@ -1462,6 +1462,43 @@ function doctor() {
     check("ANTHROPIC_API_KEY", true);
     check("SLACK_USER_TOKEN", false);
     check("GMAIL_APP_PASSWORD", false);
+
+    // Auth validity: if ANTHROPIC_API_KEY is set, ping the API to
+    // verify it works. An invalid key in .env will silently be sent
+    // to every `claude --print` sub-session and cause cascading 401s
+    // (exactly the ravi-ai inbox-processor runaway). Better to catch
+    // it here. Skips the check if the user opted out via
+    // MAESTRO_PREFER_SUBSCRIPTION_AUTH=1 (subscription wins).
+    const keyMatch = env.match(/^ANTHROPIC_API_KEY=(.+)$/m);
+    const preferSubsMatch = env.match(/^MAESTRO_PREFER_SUBSCRIPTION_AUTH=(.+)$/m);
+    const preferSubs = preferSubsMatch && /^1|true|yes$/i.test(preferSubsMatch[1].trim());
+    if (keyMatch && !preferSubs) {
+      const key = keyMatch[1].trim().replace(/^"|"$/g, "");
+      try {
+        const result = spawnSync("curl", [
+          "-s", "-o", "/dev/null", "-w", "%{http_code}",
+          "-X", "POST",
+          "-H", `x-api-key: ${key}`,
+          "-H", "anthropic-version: 2023-06-01",
+          "-H", "content-type: application/json",
+          "--max-time", "8",
+          "https://api.anthropic.com/v1/messages",
+          "-d", JSON.stringify({ model: "claude-haiku-4-5", max_tokens: 5, messages: [{ role: "user", content: "ping" }] }),
+        ], { encoding: "utf-8" });
+        const code = (result.stdout || "").trim();
+        if (code === "200") ok("ANTHROPIC_API_KEY validated against api.anthropic.com");
+        else if (code === "401") {
+          warn(`ANTHROPIC_API_KEY is INVALID (HTTP 401 from api.anthropic.com).`);
+          warn(`  This will cause every sub-session spawn to fail. Either:`);
+          warn(`    1. Replace the key in .env with a valid one, OR`);
+          warn(`    2. Set MAESTRO_PREFER_SUBSCRIPTION_AUTH=1 in .env to use Claude Code subscription auth.`);
+          issues++;
+        } else if (code) warn(`ANTHROPIC_API_KEY check returned HTTP ${code} (expected 200)`);
+        else warn(`ANTHROPIC_API_KEY check skipped (no network / curl missing)`);
+      } catch { warn("ANTHROPIC_API_KEY check failed (curl error)"); }
+    } else if (preferSubs) {
+      ok("MAESTRO_PREFER_SUBSCRIPTION_AUTH=1 — using Claude Code subscription (Keychain OAuth)");
+    }
   } else {
     fail(".env file not found — copy from .env.example");
     issues++;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@adaptic/maestro",
-  "version": "1.9.1",
+  "version": "1.9.2",
   "description": "Maestro — Autonomous AI agent operating system. Deploy AI employees on dedicated Mac minis.",
   "type": "module",
   "bin": {

package/scripts/daemon/cadence-consumer.mjs

@@ -183,6 +183,20 @@ function realSpawnSession({ agentRoot, cadence, promptPath, timeoutMs, log }) {
       AGENT_DIR: agentRoot,
       PATH: augmentedPath,
     };
+    // Auth handling. Claude Code authenticates via macOS Keychain
+    // (OAuth from the user's Pro/Max subscription) when no API key is
+    // set, OR via the ANTHROPIC_API_KEY env var when one is present.
+    // If the env key is present BUT looks like a placeholder / empty
+    // string, we strip it so claude can fall back to Keychain OAuth.
+    // Set MAESTRO_PREFER_SUBSCRIPTION_AUTH=1 in .env to always strip
+    // the API key (force subscription auth) — useful when the agent
+    // owns a Claude Code Pro/Max subscription and shouldn't burn API
+    // credits for routine ticks.
+    const preferSubscription = process.env.MAESTRO_PREFER_SUBSCRIPTION_AUTH === "1";
+    const apiKey = env.ANTHROPIC_API_KEY || "";
+    if (preferSubscription || !apiKey.trim() || /^(your-api-key|placeholder|xxx+|sk-ant-xxx)/i.test(apiKey)) {
+      delete env.ANTHROPIC_API_KEY;
+    }
     const started = Date.now();
 
     // Per-run log file. Pattern is short enough to be tail-friendly.