agent-control-plane 0.1.1 → 0.1.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-control-plane",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "Help a repo keep GitHub-driven coding agents running reliably without constant human babysitting",
   "homepage": "https://github.com/ducminhnguyen0319/agent-control-plane",
   "bugs": {
@@ -41,7 +41,7 @@
   "scripts": {
     "doctor": "node ./npm/bin/agent-control-plane.js doctor",
     "smoke": "node ./npm/bin/agent-control-plane.js smoke",
-    "test": "bash tools/tests/test-agent-control-plane-npm-cli.sh"
+    "test": "bash tools/tests/test-agent-control-plane-npm-cli.sh && bash tools/tests/test-vendored-codex-quota-claude-oauth-only.sh"
   },
   "keywords": [
     "agents",

package/tools/tests/test-public-repo-docs.sh

@@ -25,6 +25,7 @@ test -f "$ROOT_DIR/assets/architecture/state-dashboard-infographic.png"
 grep -q 'Use GitHub private vulnerability reporting or a GitHub security advisory' "$ROOT_DIR/SECURITY.md"
 grep -q 'For undisclosed security issues, use \[SECURITY.md\](\./SECURITY.md)' "$ROOT_DIR/CODE_OF_CONDUCT.md"
 grep -q '^## \[Unreleased\]$' "$ROOT_DIR/CHANGELOG.md"
+grep -q '^## \[0.1.2\] - 2026-03-30$' "$ROOT_DIR/CHANGELOG.md"
 grep -q '^## \[0.1.1\] - 2026-03-30$' "$ROOT_DIR/CHANGELOG.md"
 grep -q '^## \[0.1.0\] - 2026-03-27$' "$ROOT_DIR/CHANGELOG.md"
 grep -q '^# Roadmap$' "$ROOT_DIR/ROADMAP.md"

package/tools/tests/test-vendored-codex-quota-claude-oauth-only.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ROOT_DIR="$(cd "${SCRIPT_DIR}/../.." && pwd)"
+
+CLAUDE_USAGE_FILE="${ROOT_DIR}/tools/vendor/codex-quota/lib/claude-usage.js"
+CLAUDE_README_FILE="${ROOT_DIR}/tools/vendor/codex-quota/README.md"
+CLAUDE_DISPLAY_FILE="${ROOT_DIR}/tools/vendor/codex-quota/lib/display.js"
+
+if rg -n "CLAUDE_COOKIE_DB_PATH|secret-tool|sqlite3|decryptChromeCookie|readClaudeCookiesFromDb|Browser cookies" \
+  "${CLAUDE_USAGE_FILE}" "${CLAUDE_README_FILE}" "${CLAUDE_DISPLAY_FILE}" >/dev/null 2>&1; then
+  echo "vendored codex-quota still contains browser-cookie Claude usage logic" >&2
+  exit 1
+fi
+
+grep -q "Uses OAuth credentials only" "${CLAUDE_DISPLAY_FILE}"
+grep -q "Claude usage in the bundled public package is OAuth-only." "${CLAUDE_README_FILE}"
+
+node --input-type=module <<'EOF'
+import { fetchClaudeUsageForCredentials, fetchClaudeUsage } from "./tools/vendor/codex-quota/lib/claude-usage.js";
+
+const missingAccount = await fetchClaudeUsageForCredentials({ label: "demo", source: "test" });
+if (missingAccount.success || missingAccount.error !== "Claude OAuth token required") {
+  throw new Error(`unexpected credential fallback result: ${JSON.stringify(missingAccount)}`);
+}
+
+const missingOauth = await fetchClaudeUsage();
+const oauthError = String(missingOauth.error || "").toLowerCase();
+if (
+  missingOauth.success ||
+  (!oauthError.includes("oauth") && !oauthError.includes("credentials not found"))
+) {
+  throw new Error(`unexpected Claude usage fallback result: ${JSON.stringify(missingOauth)}`);
+}
+EOF
+
+echo "vendored codex-quota Claude OAuth-only test passed"

package/tools/vendor/codex-quota/README.md

@@ -280,7 +280,7 @@ Root-level fields are preserved on write; unknown root fields are kept intact.
 
 Claude multi-account files (`~/.claude-accounts.json`) use the same root fields
 (`schemaVersion`, `activeLabel`) and store account entries that include a
-`sessionKey` or OAuth tokens.
+Claude OAuth token and refresh metadata.
 
 ## OAuth Flow
 
@@ -400,17 +400,13 @@ To add a Claude credential interactively:
 codex-quota claude add
 ```
 
-This uses your local Claude session to call:
-- `https://claude.ai/api/organizations`
-- `https://claude.ai/api/organizations/{orgId}/usage`
-- `https://claude.ai/api/organizations/{orgId}/overage_spend_limit`
-- `https://claude.ai/api/account`
+This uses OAuth credentials to call:
+- `https://api.anthropic.com/api/oauth/usage`
 
 Authentication sources (in order):
 1. `CLAUDE_ACCOUNTS` env var (JSON array or `{ accounts: [...] }`)
-2. `~/.claude-accounts.json` (multi-account format)
-3. Browser cookies (Chromium/Chrome) to read `sessionKey` and `lastActiveOrg`
-4. `~/.claude/.credentials.json` OAuth `accessToken`
+2. `~/.claude-accounts.json` (multi-account format with `oauthToken`)
+3. `~/.claude/.credentials.json` OAuth `accessToken`
 
 Multi-account format (Claude):
 ```json
@@ -418,8 +414,6 @@ Multi-account format (Claude):
   "accounts": [
     {
       "label": "personal",
-      "sessionKey": "sk-ant-oat...",
-      "cfClearance": "cf_clearance...",
       "oauthToken": "claude-ai-access-token",
       "orgId": "org_uuid_optional"
     }
@@ -428,13 +422,12 @@ Multi-account format (Claude):
 ```
 
 Notes:
-- Only `label` plus one of `sessionKey` or `oauthToken` is required.
-- `cfClearance`, `orgId`, and `cookies` are optional.
+- `label` plus `oauthToken` is required.
+- `orgId` is optional.
 
 Environment overrides:
 - `CLAUDE_ACCOUNTS` to supply multi-account JSON directly
 - `CLAUDE_CREDENTIALS_PATH` to point to a different credentials file
-- `CLAUDE_COOKIE_DB_PATH` to point to a specific Chromium/Chrome Cookies DB
 
 Codex overrides:
 - `CODEX_ACCOUNTS` to supply multi-account JSON directly (read-only)
@@ -443,8 +436,7 @@ Codex overrides:
 - `PI_AUTH_PATH` to point to a different pi auth file
 
 Notes:
-- On Linux, cookie access requires `sqlite3` and `secret-tool` (libsecret) to decrypt cookies.
-- For best results, keep `claude.ai` logged in within your Chromium/Chrome profile.
+- Claude usage in the bundled public package is OAuth-only.
 
 ## Releasing
 

package/tools/vendor/codex-quota/lib/claude-accounts.js

@@ -1,5 +1,5 @@
 /**
- * Claude account loading, session/OAuth resolution.
+ * Claude account loading and OAuth resolution.
  * Depends on: lib/constants.js, lib/container.js, lib/paths.js
  */
 
@@ -8,52 +8,18 @@ import { CLAUDE_CREDENTIALS_PATH, CLAUDE_MULTI_ACCOUNT_PATHS } from "./constants
 import { readMultiAccountContainer, writeMultiAccountContainer } from "./container.js";
 import { getOpencodeAuthPath } from "./paths.js";
 
-export function isClaudeSessionKey(value) {
-	return typeof value === "string" && value.startsWith("sk-ant-");
-}
-
-export function findClaudeSessionKey(value) {
-	if (isClaudeSessionKey(value)) return value;
-	if (typeof value === "string") {
-		const match = value.match(/sk-ant-[a-z0-9_-]+/i);
-		if (match) return match[0];
-	}
-	if (!value || typeof value !== "object") return null;
-
-	const direct = value.sessionKey
-		?? value.session_key
-		?? value.token
-		?? value.sessionToken
-		?? value.accessToken
-		?? value.access_token
-		?? value.oauthAccessToken;
-	if (isClaudeSessionKey(direct)) return direct;
-
-	for (const child of Object.values(value)) {
-		const found = findClaudeSessionKey(child);
-		if (found) return found;
-	}
-	return null;
-}
-
 export function normalizeClaudeAccount(raw, source) {
 	if (!raw || typeof raw !== "object") return null;
 	const label = raw.label ?? null;
-	const sessionKey = raw.sessionKey ?? raw.session_key ?? null;
 	const oauthToken = raw.oauthToken ?? raw.oauth_token ?? raw.accessToken ?? raw.access_token ?? null;
-	const cfClearance = raw.cfClearance ?? raw.cf_clearance ?? null;
 	const orgId = raw.orgId ?? raw.org_id ?? null;
-	const cookies = raw.cookies && typeof raw.cookies === "object" ? raw.cookies : null;
 	const oauthRefreshToken = raw.oauthRefreshToken ?? raw.oauth_refresh_token ?? null;
 	const oauthExpiresAt = raw.oauthExpiresAt ?? raw.oauth_expires_at ?? null;
 	const oauthScopes = raw.oauthScopes ?? raw.oauth_scopes ?? null;
 	return {
 		label,
-		sessionKey,
 		oauthToken,
-		cfClearance,
 		orgId,
-		cookies,
 		oauthRefreshToken,
 		oauthExpiresAt,
 		oauthScopes,
@@ -63,9 +29,8 @@ export function normalizeClaudeAccount(raw, source) {
 
 export function isValidClaudeAccount(account) {
 	if (!account?.label) return false;
-	const sessionKey = account.sessionKey ?? findClaudeSessionKey(account.cookies);
 	const oauthToken = account.oauthToken ?? null;
-	return Boolean(sessionKey || oauthToken);
+	return Boolean(oauthToken);
 }
 
 export function loadClaudeAccountsFromEnv() {
@@ -147,37 +112,6 @@ export function saveClaudeAccounts(accounts) {
 	return result.path;
 }
 
-export function loadClaudeSessionFromCredentials() {
-	const credentialsPath = process.env.CLAUDE_CREDENTIALS_PATH || CLAUDE_CREDENTIALS_PATH;
-	if (!existsSync(credentialsPath)) {
-		return {
-			sessionKey: null,
-			source: credentialsPath,
-			error: `Claude credentials not found at ${credentialsPath}`,
-		};
-	}
-
-	try {
-		const raw = readFileSync(credentialsPath, "utf-8");
-		const parsed = JSON.parse(raw);
-		const sessionKey = findClaudeSessionKey(parsed);
-		if (!sessionKey) {
-			return {
-				sessionKey: null,
-				source: credentialsPath,
-				error: "No Claude sessionKey found in credentials file",
-			};
-		}
-		return { sessionKey, source: credentialsPath };
-	} catch (err) {
-		return {
-			sessionKey: null,
-			source: credentialsPath,
-			error: `Failed to read Claude credentials: ${err?.message ?? String(err)}`,
-		};
-	}
-}
-
 export function loadClaudeOAuthToken() {
 	const credentialsPath = process.env.CLAUDE_CREDENTIALS_PATH || CLAUDE_CREDENTIALS_PATH;
 	if (!existsSync(credentialsPath)) {