npm - @gotgenes/pi-anthropic-auth - Versions diffs - 0.5.0 → 0.5.1 - Mend

@gotgenes/pi-anthropic-auth 0.5.0 → 0.5.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,24 @@
 # Changelog
+## [0.5.1](https://github.com/gotgenes/pi-anthropic-auth/compare/v0.5.0...v0.5.1) (2026-06-11)
+### Bug Fixes
+* shape Anthropic OAuth requests at the transport layer ([a8c2015](https://github.com/gotgenes/pi-anthropic-auth/commit/a8c2015c293c6b60d1110f73620dd3825057c6e6))
+### Documentation
+* document the OAuth transport-wrapper architecture ([6ce28a4](https://github.com/gotgenes/pi-anthropic-auth/commit/6ce28a484189a3f1500bc0eb3e18c87fcb1e5c6f))
+* note prek rumdl-fmt pre-commit hook in markdown-conventions skill ([5838075](https://github.com/gotgenes/pi-anthropic-auth/commit/58380753961e3fa1bb0b10c1cd72ca936b926e48))
+* port reusable skills from pi-packages ([1e606a9](https://github.com/gotgenes/pi-anthropic-auth/commit/1e606a97d2dfd509ad4b8c5b29f9b2eea2771afc))
+### Miscellaneous Chores
+* bump dependencies and establish Pi 0.79.1 base ([62696c9](https://github.com/gotgenes/pi-anthropic-auth/commit/62696c97934a3bdbd67091fb30ee2af7d8959f8b))
 ## [0.5.0](https://github.com/gotgenes/pi-anthropic-auth/compare/v0.4.6...v0.5.0) (2026-05-24)

package/README.md CHANGED Viewed

@@ -16,7 +16,10 @@ This extension fills in the gaps for users who want to use their **Claude Pro or
 It keeps everything you'd expect — the built-in `anthropic` provider, the full model list, API-key behavior, and the native `/login anthropic` flow — and layers on the compatibility fixes needed to make OAuth subscriptions work reliably.
-Requests to non-Anthropic providers and plain API-key Anthropic requests pass through completely untouched — the extension only activates when it detects an Anthropic OAuth payload.
+Requests to non-Anthropic providers and plain API-key Anthropic requests pass through completely untouched — the extension only activates when it detects an Anthropic OAuth access token (`sk-ant-oat`).
+Shaping runs in a thin transport wrapper around Pi's own Anthropic transport, so it applies to every OAuth call path — the interactive loop, compaction, and any background-agent work — not just the main turn.
+See [docs/architecture.md](docs/architecture.md) for how this works.
 ## Install

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@gotgenes/pi-anthropic-auth",
-  "version": "0.5.0",
+  "version": "0.5.1",
   "description": "Pi extension package for Anthropic OAuth compatibility",
   "author": {
     "name": "Chris Lasher"
@@ -43,22 +43,22 @@
     ]
   },
   "peerDependencies": {
-    "@earendil-works/pi-ai": ">=0.75.0",
-    "@earendil-works/pi-coding-agent": ">=0.75.0"
+    "@earendil-works/pi-ai": ">=0.79.1",
+    "@earendil-works/pi-coding-agent": ">=0.79.1"
   },
   "devDependencies": {
-    "@anthropic-ai/sdk": "^0.95.0",
-    "@biomejs/biome": "^2.4.14",
-    "@earendil-works/pi-ai": "0.75.5",
-    "@earendil-works/pi-coding-agent": "0.75.5",
+    "@anthropic-ai/sdk": "^0.104.1",
+    "@biomejs/biome": "^2.4.16",
+    "@earendil-works/pi-ai": "0.79.1",
+    "@earendil-works/pi-coding-agent": "0.79.1",
     "@eslint/js": "^10.0.1",
     "@types/node": "^22.15.3",
-    "eslint": "^10.4.0",
+    "eslint": "^10.4.1",
     "globals": "^17.6.0",
-    "rumdl": "^0.1.93",
+    "rumdl": "^0.2.14",
     "typescript": "^6.0.3",
-    "typescript-eslint": "^8.59.4",
-    "vitest": "^4.1.5"
+    "typescript-eslint": "^8.61.0",
+    "vitest": "^4.1.8"
   },
   "scripts": {
     "check": "tsc --noEmit",

package/src/index.ts CHANGED Viewed

@@ -1,13 +1,36 @@
+import { getApiProvider } from "@earendil-works/pi-ai";
 import type { ExtensionAPI } from "@earendil-works/pi-coding-agent";
 import { anthropicOAuthOverride } from "./anthropic-oauth";
-import { shapeAnthropicOAuthPayload } from "./request-shaping";
+import { createAnthropicOAuthStreamSimple } from "./oauth-transport";
 export default function (pi: ExtensionAPI) {
+  // Capture Pi's built-in anthropic-messages transport BEFORE we override it,
+  // so our wrapper can delegate to it (delegating to the registered wrapper
+  // instead would recurse).  pi-ai registers its built-ins on import, so this
+  // is resolved by the time extensions load.
+  const builtinTransport = getApiProvider("anthropic-messages");
+  // Re-register the built-in `anthropic` provider with:
+  //   1. our OAuth login + refresh override (`oauth`), and
+  //   2. a thin transport wrapper (`streamSimple`) that applies Claude Code
+  //      OAuth request shaping on every Anthropic call path.
+  //
+  // Omitting `models` preserves Pi's built-in Anthropic model list.  The
+  // transport wrapper replaces our previous `before_provider_request` handler:
+  // that hook only fires for the interactive agent loop, so auxiliary OAuth
+  // requests (built-in compaction, third-party background agents) bypassed it
+  // and failed with Anthropic "extra usage" 400s.  Registering `streamSimple`
+  // routes through Pi's singleton API registry, so the same shaping now covers
+  // the main loop, `completeSimple` compaction, and `agentLoop` background work.
   pi.registerProvider("anthropic", {
     oauth: anthropicOAuthOverride,
-  });
-  pi.on("before_provider_request", (event) => {
-    return shapeAnthropicOAuthPayload(event.payload);
+    ...(builtinTransport
+      ? {
+          api: "anthropic-messages",
+          streamSimple: createAnthropicOAuthStreamSimple(
+            builtinTransport.streamSimple,
+          ),
+        }
+      : {}),
   });
 }

package/src/oauth-transport.ts ADDED Viewed

@@ -0,0 +1,97 @@
+import type {
+  Api,
+  AssistantMessageEventStream,
+  Context,
+  Model,
+  SimpleStreamOptions,
+} from "@earendil-works/pi-ai";
+import { shapeAnthropicOAuthPayload } from "./request-shaping";
+/**
+ * Anthropic OAuth access tokens are issued with an `sk-ant-oat` prefix.
+ *
+ * This is the same signal Pi's built-in Anthropic provider uses internally to
+ * decide whether to emit Claude Code identity headers, so gating on it keeps
+ * our shaping aligned with Pi's own OAuth detection.
+ */
+const ANTHROPIC_OAUTH_TOKEN_MARKER = "sk-ant-oat";
+/**
+ * The transport-level `streamSimple` handler shape Pi's API registry uses.
+ *
+ * It matches `ApiStreamSimpleFunction` from `@earendil-works/pi-ai` and is
+ * intentionally wider than a single concrete model type because Pi registers
+ * it per `Api`, not per model.
+ */
+export type AnthropicStreamSimple = (
+  model: Model<Api>,
+  context: Context,
+  options?: SimpleStreamOptions,
+) => AssistantMessageEventStream;
+/**
+ * Returns true when the resolved API key is an Anthropic OAuth access token.
+ *
+ * API-key requests (and OAuth tokens for other providers) return false, so the
+ * caller leaves their payloads untouched.
+ */
+export function isAnthropicOAuthToken(
+  apiKey: string | undefined,
+): apiKey is string {
+  return (
+    typeof apiKey === "string" && apiKey.includes(ANTHROPIC_OAUTH_TOKEN_MARKER)
+  );
+}
+/**
+ * Wraps Pi's built-in Anthropic `streamSimple` transport so OAuth request
+ * shaping runs on **every** Anthropic call path, not only the main agent loop.
+ *
+ * Pi only threads its `before_provider_request` hook into the interactive agent
+ * loop.  Auxiliary calls — built-in compaction/summarization (`completeSimple`)
+ * and third-party background agents (e.g. pi-observational-memory's observer /
+ * reflector / dropper running via `agentLoop`) — issue requests through the
+ * same singleton API-registry transport but without that hook.  Those OAuth
+ * requests then reach Anthropic with no Claude Code billing header and are
+ * classified as third-party app usage, producing the misleading "extra usage"
+ * HTTP 400.
+ *
+ * By injecting our shaping as an `onPayload` on the underlying transport, every
+ * Anthropic OAuth request is shaped regardless of which Pi code path issued it.
+ * The wrapper composes (does not replace) any caller-provided `onPayload`, so
+ * other extensions' `before_provider_request` handlers continue to run on the
+ * main loop, and our shaping is applied last — closest to the wire.
+ *
+ * Gating is strictly OAuth-only: when the request is not an Anthropic OAuth
+ * token, the payload passes through untouched, preserving Pi's normal
+ * API-key and non-Anthropic transport behavior.
+ *
+ * @param delegate The built-in Anthropic `streamSimple` transport, captured via
+ *   `getApiProvider("anthropic-messages")` **before** this wrapper is
+ *   registered.  It must be the underlying transport, never the registered
+ *   wrapper, otherwise calls would recurse.
+ */
+export function createAnthropicOAuthStreamSimple(
+  delegate: AnthropicStreamSimple,
+): AnthropicStreamSimple {
+  return (model, context, options) => {
+    const callerOnPayload = options?.onPayload;
+    const onPayload: SimpleStreamOptions["onPayload"] = async (
+      payload,
+      payloadModel,
+    ) => {
+      const upstream = callerOnPayload
+        ? ((await callerOnPayload(payload, payloadModel)) ?? payload)
+        : payload;
+      if (!isAnthropicOAuthToken(options?.apiKey)) {
+        return upstream;
+      }
+      return shapeAnthropicOAuthPayload(upstream);
+    };
+    return delegate(model, context, { ...options, onPayload });
+  };
+}

package/src/request-shaping.ts CHANGED Viewed

@@ -3,9 +3,7 @@ import {
   BILLING_HEADER_POSITIONS,
   BILLING_HEADER_SALT,
   CLAUDE_CODE_ENTRYPOINT,
-  CLAUDE_CODE_IDENTITY_PREFIX,
   CLAUDE_CODE_VERSION,
-  MINIMAL_ANTHROPIC_OAUTH_PROMPT_PREFIX,
 } from "./constants";
 import { debugLog, isToolUseOnlyDebugEnabled } from "./debug";
 import { shapeSystemBlocks } from "./system-prompt-shaping";
@@ -52,30 +50,6 @@ function isAnthropicMessagesPayload(
   );
 }
-function isOAuthAnthropicPayload(payload: AnthropicPayload): boolean {
-  if (!Array.isArray(payload.system)) {
-    return false;
-  }
-  return payload.system.some(hasOAuthAnthropicSystemMarker);
-}
-function hasOAuthAnthropicSystemMarker(block: unknown): boolean {
-  if (
-    !isRecord(block) ||
-    block.type !== "text" ||
-    typeof block.text !== "string"
-  ) {
-    return false;
-  }
-  return (
-    block.text.includes(CLAUDE_CODE_IDENTITY_PREFIX) ||
-    block.text.includes("x-anthropic-billing-header:") ||
-    block.text.startsWith(MINIMAL_ANTHROPIC_OAUTH_PROMPT_PREFIX)
-  );
-}
 function getFirstUserText(messages: MessageParam[]): string {
   const firstUserMessage = messages.find((message) => message.role === "user");
   if (!firstUserMessage) return "";
@@ -249,16 +223,22 @@ function shouldLogRequestDebug(messages: MessageParam[]): boolean {
   return getToolUseNames(messages).length > 0;
 }
+/**
+ * Applies Anthropic Claude Code OAuth shaping to a built provider payload.
+ *
+ * This function assumes the caller has already confirmed the request is an
+ * Anthropic OAuth request.  OAuth gating lives at the transport seam
+ * (`createAnthropicOAuthStreamSimple`), which only invokes this shaping when
+ * the request carries an `sk-ant-oat` access token.  We therefore do not
+ * sniff system-prompt markers here; non-Anthropic-messages payloads are still
+ * returned untouched as a structural guard.
+ */
 export function shapeAnthropicOAuthPayload(payload: unknown): unknown {
   if (!isAnthropicMessagesPayload(payload)) {
     return payload;
   }
   const messages = payload.messages as MessageParam[];
-  if (!isOAuthAnthropicPayload(payload)) {
-    return payload;
-  }
   const normalizedMessages = splitAssistantToolUseTrailingContent(messages);
   const shapedSystem = Array.isArray(payload.system)