agent-control-plane 0.1.0 → 0.1.2

package/README.md

@@ -1,7 +1,7 @@
 # agent-control-plane
 
 <p>
-  <a href="https://github.com/ducminhuyen0319/agent-control-plane/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/ducminhuyen0319/agent-control-plane/actions/workflows/ci.yml/badge.svg?branch=main"></a>
+  <a href="https://github.com/ducminhnguyen0319/agent-control-plane/actions/workflows/ci.yml"><img alt="CI" src="https://github.com/ducminhnguyen0319/agent-control-plane/actions/workflows/ci.yml/badge.svg?branch=main"></a>
   <a href="https://www.npmjs.com/package/agent-control-plane"><img alt="npm version" src="https://img.shields.io/npm/v/agent-control-plane?style=flat-square"></a>
   <a href="https://www.npmjs.com/package/agent-control-plane"><img alt="node version" src="https://img.shields.io/node/v/agent-control-plane?style=flat-square"></a>
   <a href="./LICENSE"><img alt="license" src="https://img.shields.io/npm/l/agent-control-plane?style=flat-square"></a>

package/package.json

@@ -1,14 +1,14 @@
 {
   "name": "agent-control-plane",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Help a repo keep GitHub-driven coding agents running reliably without constant human babysitting",
-  "homepage": "https://github.com/ducminhuyen0319/agent-control-plane",
+  "homepage": "https://github.com/ducminhnguyen0319/agent-control-plane",
   "bugs": {
-    "url": "https://github.com/ducminhuyen0319/agent-control-plane/issues"
+    "url": "https://github.com/ducminhnguyen0319/agent-control-plane/issues"
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/ducminhuyen0319/agent-control-plane.git"
+    "url": "git+https://github.com/ducminhnguyen0319/agent-control-plane.git"
   },
   "license": "MIT",
   "funding": [
@@ -41,7 +41,7 @@
   "scripts": {
     "doctor": "node ./npm/bin/agent-control-plane.js doctor",
     "smoke": "node ./npm/bin/agent-control-plane.js smoke",
-    "test": "bash tools/tests/test-agent-control-plane-npm-cli.sh"
+    "test": "bash tools/tests/test-agent-control-plane-npm-cli.sh && bash tools/tests/test-vendored-codex-quota-claude-oauth-only.sh"
   },
   "keywords": [
     "agents",

package/tools/bin/check-skill-contracts.sh

@@ -73,7 +73,7 @@ pr_review_template="${SKILL_ROOT}/tools/templates/pr-review-template.md"
 pr_fix_template="${SKILL_ROOT}/tools/templates/pr-fix-template.md"
 pr_merge_repair_template="${SKILL_ROOT}/tools/templates/pr-merge-repair-template.md"
 legacy_profile_repo_name="$(printf 'f-%s' 'losning')"
-legacy_profile_repo_slug="$(printf '%s/%s' 'ducminhuyen0319' "${legacy_profile_repo_name}")"
+legacy_profile_repo_slug="$(printf '%s/%s' 'example-owner' "${legacy_profile_repo_name}")"
 legacy_profile_package_scope="@${legacy_profile_repo_name}"
 commands_map="${SKILL_ROOT}/references/commands.md"
 skill_doc="${SKILL_ROOT}/SKILL.md"

package/tools/tests/test-agent-control-plane-npm-cli.sh

@@ -4,6 +4,7 @@ set -euo pipefail
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 FLOW_ROOT="$(cd "${SCRIPT_DIR}/../.." && pwd)"
 CLI_SCRIPT="${FLOW_ROOT}/npm/bin/agent-control-plane.js"
+PACKAGE_VERSION="$(node -p "require('${FLOW_ROOT}/package.json').version")"
 
 tmpdir="$(mktemp -d)"
 trap 'rm -rf "${tmpdir}"' EXIT
@@ -74,7 +75,7 @@ version_output="$(
   node "${CLI_SCRIPT}" version
 )"
 
-grep -q '^0\.1\.0$' <<<"${version_output}"
+grep -q "^${PACKAGE_VERSION}$" <<<"${version_output}"
 
 HOME="${home_dir}" \
 AGENT_PLATFORM_HOME="${platform_home}" \

package/tools/tests/test-package-public-metadata.sh

@@ -11,13 +11,13 @@ const pkg = JSON.parse(fs.readFileSync(process.argv[1], "utf8"));
 if (!pkg.description || !pkg.description.includes("running reliably without constant human babysitting")) {
   process.exit(1);
 }
-if (pkg.homepage !== "https://github.com/ducminhuyen0319/agent-control-plane") {
+if (pkg.homepage !== "https://github.com/ducminhnguyen0319/agent-control-plane") {
   process.exit(10);
 }
-if (!pkg.bugs || pkg.bugs.url !== "https://github.com/ducminhuyen0319/agent-control-plane/issues") {
+if (!pkg.bugs || pkg.bugs.url !== "https://github.com/ducminhnguyen0319/agent-control-plane/issues") {
   process.exit(11);
 }
-if (!pkg.repository || pkg.repository.type !== "git" || pkg.repository.url !== "git+https://github.com/ducminhuyen0319/agent-control-plane.git") {
+if (!pkg.repository || pkg.repository.type !== "git" || pkg.repository.url !== "git+https://github.com/ducminhnguyen0319/agent-control-plane.git") {
   process.exit(12);
 }
 if (pkg.license !== "MIT") {

package/tools/tests/test-public-repo-docs.sh

@@ -25,6 +25,8 @@ test -f "$ROOT_DIR/assets/architecture/state-dashboard-infographic.png"
 grep -q 'Use GitHub private vulnerability reporting or a GitHub security advisory' "$ROOT_DIR/SECURITY.md"
 grep -q 'For undisclosed security issues, use \[SECURITY.md\](\./SECURITY.md)' "$ROOT_DIR/CODE_OF_CONDUCT.md"
 grep -q '^## \[Unreleased\]$' "$ROOT_DIR/CHANGELOG.md"
+grep -q '^## \[0.1.2\] - 2026-03-30$' "$ROOT_DIR/CHANGELOG.md"
+grep -q '^## \[0.1.1\] - 2026-03-30$' "$ROOT_DIR/CHANGELOG.md"
 grep -q '^## \[0.1.0\] - 2026-03-27$' "$ROOT_DIR/CHANGELOG.md"
 grep -q '^# Roadmap$' "$ROOT_DIR/ROADMAP.md"
 grep -q '^## Platform Support$' "$ROOT_DIR/ROADMAP.md"
@@ -91,11 +93,11 @@ grep -q '^| `ollama` | local model runtime | Candidate local-model substrate beh
 grep -q '^| `nanoclaw` | adjacent agent shell | Ecosystem reference for containerized and WSL2-friendly workflows | exploratory interoperability target |$' "$ROOT_DIR/README.md"
 grep -q '^| `picoclaw` | adjacent agent shell | Ecosystem reference for lightweight Linux and edge-style agent runtimes | exploratory interoperability target |$' "$ROOT_DIR/README.md"
 grep -q 'If you are trying ACP on a real repo right now, start with `codex`, `claude`,' "$ROOT_DIR/README.md"
-grep -q 'github.com/ducminhuyen0319/agent-control-plane/actions/workflows/ci.yml/badge.svg?branch=main' "$ROOT_DIR/README.md"
+grep -q 'github.com/ducminhnguyen0319/agent-control-plane/actions/workflows/ci.yml/badge.svg?branch=main' "$ROOT_DIR/README.md"
 grep -q 'img.shields.io/npm/v/agent-control-plane' "$ROOT_DIR/README.md"
 grep -q 'img.shields.io/node/v/agent-control-plane' "$ROOT_DIR/README.md"
 grep -q 'img.shields.io/npm/l/agent-control-plane' "$ROOT_DIR/README.md"
-grep -q 'https://github.com/ducminhuyen0319/agent-control-plane/actions/workflows/ci.yml' "$ROOT_DIR/README.md"
+grep -q 'https://github.com/ducminhnguyen0319/agent-control-plane/actions/workflows/ci.yml' "$ROOT_DIR/README.md"
 grep -q 'https://www.npmjs.com/package/agent-control-plane' "$ROOT_DIR/README.md"
 grep -q '\./assets/readme/dashboard-demo.png' "$ROOT_DIR/README.md"
 grep -q '\./assets/readme/dashboard-demo.gif' "$ROOT_DIR/README.md"

package/tools/tests/test-vendored-codex-quota-claude-oauth-only.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT_DIR="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+
+CLAUDE_USAGE_FILE="${ROOT_DIR}/tools/vendor/codex-quota/lib/claude-usage.js"
+CLAUDE_README_FILE="${ROOT_DIR}/tools/vendor/codex-quota/README.md"
+CLAUDE_DISPLAY_FILE="${ROOT_DIR}/tools/vendor/codex-quota/lib/display.js"
+
+if rg -n "CLAUDE_COOKIE_DB_PATH|secret-tool|sqlite3|decryptChromeCookie|readClaudeCookiesFromDb|Browser cookies" \
+  "${CLAUDE_USAGE_FILE}" "${CLAUDE_README_FILE}" "${CLAUDE_DISPLAY_FILE}" >/dev/null 2>&1; then
+  echo "vendored codex-quota still contains browser-cookie Claude usage logic" >&2
+  exit 1
+fi
+
+grep -q "Uses OAuth credentials only" "${CLAUDE_DISPLAY_FILE}"
+grep -q "Claude usage in the bundled public package is OAuth-only." "${CLAUDE_README_FILE}"
+
+node --input-type=module <<'EOF'
+import { fetchClaudeUsageForCredentials, fetchClaudeUsage } from "./tools/vendor/codex-quota/lib/claude-usage.js";
+
+const missingAccount = await fetchClaudeUsageForCredentials({ label: "demo", source: "test" });
+if (missingAccount.success || missingAccount.error !== "Claude OAuth token required") {
+  throw new Error(`unexpected credential fallback result: ${JSON.stringify(missingAccount)}`);
+}
+
+const missingOauth = await fetchClaudeUsage();
+const oauthError = String(missingOauth.error || "").toLowerCase();
+if (
+  missingOauth.success ||
+  (!oauthError.includes("oauth") && !oauthError.includes("credentials not found"))
+) {
+  throw new Error(`unexpected Claude usage fallback result: ${JSON.stringify(missingOauth)}`);
+}
+EOF
+
+echo "vendored codex-quota Claude OAuth-only test passed"

package/tools/vendor/codex-quota/README.md

@@ -280,7 +280,7 @@ Root-level fields are preserved on write; unknown root fields are kept intact.
 
 Claude multi-account files (`~/.claude-accounts.json`) use the same root fields
 (`schemaVersion`, `activeLabel`) and store account entries that include a
-`sessionKey` or OAuth tokens.
+Claude OAuth token and refresh metadata.
 
 ## OAuth Flow
 
@@ -400,17 +400,13 @@ To add a Claude credential interactively:
 codex-quota claude add
 ```
 
-This uses your local Claude session to call:
-- `https://claude.ai/api/organizations`
-- `https://claude.ai/api/organizations/{orgId}/usage`
-- `https://claude.ai/api/organizations/{orgId}/overage_spend_limit`
-- `https://claude.ai/api/account`
+This uses OAuth credentials to call:
+- `https://api.anthropic.com/api/oauth/usage`
 
 Authentication sources (in order):
 1. `CLAUDE_ACCOUNTS` env var (JSON array or `{ accounts: [...] }`)
-2. `~/.claude-accounts.json` (multi-account format)
-3. Browser cookies (Chromium/Chrome) to read `sessionKey` and `lastActiveOrg`
-4. `~/.claude/.credentials.json` OAuth `accessToken`
+2. `~/.claude-accounts.json` (multi-account format with `oauthToken`)
+3. `~/.claude/.credentials.json` OAuth `accessToken`
 
 Multi-account format (Claude):
 ```json
@@ -418,8 +414,6 @@ Multi-account format (Claude):
   "accounts": [
     {
       "label": "personal",
-      "sessionKey": "sk-ant-oat...",
-      "cfClearance": "cf_clearance...",
       "oauthToken": "claude-ai-access-token",
       "orgId": "org_uuid_optional"
     }
@@ -428,13 +422,12 @@ Multi-account format (Claude):
 ```
 
 Notes:
-- Only `label` plus one of `sessionKey` or `oauthToken` is required.
-- `cfClearance`, `orgId`, and `cookies` are optional.
+- `label` plus `oauthToken` is required.
+- `orgId` is optional.
 
 Environment overrides:
 - `CLAUDE_ACCOUNTS` to supply multi-account JSON directly
 - `CLAUDE_CREDENTIALS_PATH` to point to a different credentials file
-- `CLAUDE_COOKIE_DB_PATH` to point to a specific Chromium/Chrome Cookies DB
 
 Codex overrides:
 - `CODEX_ACCOUNTS` to supply multi-account JSON directly (read-only)
@@ -443,8 +436,7 @@ Codex overrides:
 - `PI_AUTH_PATH` to point to a different pi auth file
 
 Notes:
-- On Linux, cookie access requires `sqlite3` and `secret-tool` (libsecret) to decrypt cookies.
-- For best results, keep `claude.ai` logged in within your Chromium/Chrome profile.
+- Claude usage in the bundled public package is OAuth-only.
 
 ## Releasing
 

package/tools/vendor/codex-quota/lib/claude-accounts.js

@@ -1,5 +1,5 @@
 /**
- * Claude account loading, session/OAuth resolution.
+ * Claude account loading and OAuth resolution.
  * Depends on: lib/constants.js, lib/container.js, lib/paths.js
  */
 
@@ -8,52 +8,18 @@ import { CLAUDE_CREDENTIALS_PATH, CLAUDE_MULTI_ACCOUNT_PATHS } from "./constants
 import { readMultiAccountContainer, writeMultiAccountContainer } from "./container.js";
 import { getOpencodeAuthPath } from "./paths.js";
 
-export function isClaudeSessionKey(value) {
-	return typeof value === "string" && value.startsWith("sk-ant-");
-}
-
-export function findClaudeSessionKey(value) {
-	if (isClaudeSessionKey(value)) return value;
-	if (typeof value === "string") {
-		const match = value.match(/sk-ant-[a-z0-9_-]+/i);
-		if (match) return match[0];
-	}
-	if (!value || typeof value !== "object") return null;
-
-	const direct = value.sessionKey
-		?? value.session_key
-		?? value.token
-		?? value.sessionToken
-		?? value.accessToken
-		?? value.access_token
-		?? value.oauthAccessToken;
-	if (isClaudeSessionKey(direct)) return direct;
-
-	for (const child of Object.values(value)) {
-		const found = findClaudeSessionKey(child);
-		if (found) return found;
-	}
-	return null;
-}
-
 export function normalizeClaudeAccount(raw, source) {
 	if (!raw || typeof raw !== "object") return null;
 	const label = raw.label ?? null;
-	const sessionKey = raw.sessionKey ?? raw.session_key ?? null;
 	const oauthToken = raw.oauthToken ?? raw.oauth_token ?? raw.accessToken ?? raw.access_token ?? null;
-	const cfClearance = raw.cfClearance ?? raw.cf_clearance ?? null;
 	const orgId = raw.orgId ?? raw.org_id ?? null;
-	const cookies = raw.cookies && typeof raw.cookies === "object" ? raw.cookies : null;
 	const oauthRefreshToken = raw.oauthRefreshToken ?? raw.oauth_refresh_token ?? null;
 	const oauthExpiresAt = raw.oauthExpiresAt ?? raw.oauth_expires_at ?? null;
 	const oauthScopes = raw.oauthScopes ?? raw.oauth_scopes ?? null;
 	return {
 		label,
-		sessionKey,
 		oauthToken,
-		cfClearance,
 		orgId,
-		cookies,
 		oauthRefreshToken,
 		oauthExpiresAt,
 		oauthScopes,
@@ -63,9 +29,8 @@ export function normalizeClaudeAccount(raw, source) {
 
 export function isValidClaudeAccount(account) {
 	if (!account?.label) return false;
-	const sessionKey = account.sessionKey ?? findClaudeSessionKey(account.cookies);
 	const oauthToken = account.oauthToken ?? null;
-	return Boolean(sessionKey || oauthToken);
+	return Boolean(oauthToken);
 }
 
 export function loadClaudeAccountsFromEnv() {
@@ -147,37 +112,6 @@ export function saveClaudeAccounts(accounts) {
 	return result.path;
 }
 
-export function loadClaudeSessionFromCredentials() {
-	const credentialsPath = process.env.CLAUDE_CREDENTIALS_PATH || CLAUDE_CREDENTIALS_PATH;
-	if (!existsSync(credentialsPath)) {
-		return {
-			sessionKey: null,
-			source: credentialsPath,
-			error: `Claude credentials not found at ${credentialsPath}`,
-		};
-	}
-
-	try {
-		const raw = readFileSync(credentialsPath, "utf-8");
-		const parsed = JSON.parse(raw);
-		const sessionKey = findClaudeSessionKey(parsed);
-		if (!sessionKey) {
-			return {
-				sessionKey: null,
-				source: credentialsPath,
-				error: "No Claude sessionKey found in credentials file",
-			};
-		}
-		return { sessionKey, source: credentialsPath };
-	} catch (err) {
-		return {
-			sessionKey: null,
-			source: credentialsPath,
-			error: `Failed to read Claude credentials: ${err?.message ?? String(err)}`,
-		};
-	}
-}
-
 export function loadClaudeOAuthToken() {
 	const credentialsPath = process.env.CLAUDE_CREDENTIALS_PATH || CLAUDE_CREDENTIALS_PATH;
 	if (!existsSync(credentialsPath)) {