ai-cc-router 0.4.1 → 0.4.3

package/dist/cli/cmd-client.js

@@ -122,7 +122,7 @@ export function registerClient(program) {
             });
         }
         if (wantsDesktop) {
-            await setupDesktopInterception(url);
+            await setupDesktopInterception(url, secret);
             cfg.client.desktopEnabled = true;
             writeConfig(cfg);
         }
@@ -277,7 +277,7 @@ export function registerClient(program) {
             process.exit(1);
         }
         if (!cfg.client.desktopEnabled) {
-            await setupDesktopInterception(cfg.client.remoteUrl);
+            await setupDesktopInterception(cfg.client.remoteUrl, cfg.client.remoteSecret);
             cfg.client.desktopEnabled = true;
             writeConfig(cfg);
         }
@@ -305,11 +305,12 @@ export function registerClient(program) {
             }
         }
         const target = cfg.client.remoteUrl;
+        const secret = cfg.client.remoteSecret;
         const processName = getProcessName();
         console.log(chalk.cyan(`\nStarting mitmproxy interceptor for "${processName}"...`));
         console.log(chalk.gray(`  Redirecting api.anthropic.com/v1/messages → ${target}`));
         try {
-            await startInterceptor(target);
+            await startInterceptor(target, secret);
         }
         catch (e) {
             console.error(chalk.red(`\n✗ Failed to start interceptor:\n`));
@@ -325,7 +326,7 @@ export function registerClient(program) {
                 default: true,
             });
             if (autoStart) {
-                const ok = await installInterceptorService(target);
+                const ok = await installInterceptorService(target, secret);
                 if (ok) {
                     cfg.client.desktopAutoStart = true;
                     writeConfig(cfg);
@@ -408,7 +409,7 @@ export function printNetworkExtensionInstructions() {
     console.log("    " + chalk.cyan("5.") + " Enter your Mac admin password when prompted\n");
     console.log(chalk.gray("  You only need to do this ONCE per machine.\n"));
 }
-async function setupDesktopInterception(target) {
+async function setupDesktopInterception(target, secret) {
     console.log(chalk.bold("\n🖥  Claude Desktop Setup\n"));
     // 0. Explain what actually works before anything else
     printDesktopSupportExplainer();
@@ -474,8 +475,8 @@ async function setupDesktopInterception(target) {
             console.log(chalk.gray("      ~/.mitmproxy/mitmproxy-ca-cert.pem"));
         }
     }
-    // 4. Write addon script
-    writeAddonScript(target);
+    // 4. Write addon script (with secret so intercepted requests authenticate)
+    writeAddonScript(target, secret);
     console.log(chalk.green("✓ Redirect addon configured"));
     // 5. macOS Network Extension — THIS is the step people miss
     if (isMacos()) {

package/dist/cli/cmd-setup.js

@@ -400,7 +400,7 @@ async function runClientSetupFromWizard() {
             default: false,
         });
         if (wantsDesktop) {
-            await setupDesktopFromWizard(url);
+            await setupDesktopFromWizard(url, secret);
             cfg.client.desktopEnabled = true;
             writeConfig(cfg);
         }
@@ -413,7 +413,7 @@ async function runClientSetupFromWizard() {
     }
     console.log();
 }
-async function setupDesktopFromWizard(target) {
+async function setupDesktopFromWizard(target, secret) {
     console.log(chalk.bold("\n🖥  Claude Desktop — Cowork / Agent Setup\n"));
     // 1. Check mitmproxy
     if (!(await checkMitmproxyInstalled())) {
@@ -459,8 +459,8 @@ async function setupDesktopFromWizard(target) {
             console.log(chalk.gray("    -k /Library/Keychains/System.keychain ~/.mitmproxy/mitmproxy-ca-cert.pem"));
         }
     }
-    // 3. Addon
-    writeAddonScript(target);
+    // 3. Addon (with secret so intercepted requests authenticate against the proxy)
+    writeAddonScript(target, secret);
     console.log(chalk.green("✓ Redirect addon configured"));
     // 4. Network Extension walkthrough (macOS)
     if (isMacos()) {

package/dist/interceptor/mitmproxy-manager.js

@@ -192,19 +192,22 @@ export async function installCaCert() {
  * Write the redirect addon to ~/.cc-router/interceptor/addon.py.
  * Uses the bundled template as source.
  */
-export function writeAddonScript(target) {
+export function writeAddonScript(target, secret) {
     if (!existsSync(ADDON_DIR))
         mkdirSync(ADDON_DIR, { recursive: true });
     // Try to use the bundled addon as template; fall back to a minimal inline version.
-    // In BOTH cases we inject the actual target URL so the addon is self-contained
-    // and doesn't depend on the CC_ROUTER_TARGET env var being present at runtime.
+    // In BOTH cases we inject the actual target URL (and secret) so the addon is
+    // self-contained and doesn't depend on the CC_ROUTER_TARGET / CC_ROUTER_SECRET
+    // env vars being present at runtime.
     const bundled = addonSourcePath();
     let src;
     if (existsSync(bundled)) {
         src = readFileSync(bundled, "utf-8");
     }
     else {
-        // Inline fallback — minimal addon (only redirects /v1/messages and /v1/models)
+        // Inline fallback — minimal addon (handles /v1/messages and /v1/models
+        // for both api.anthropic.com traffic and requests already pointed at the
+        // CC-Router target, injecting the secret in both cases).
         src = `
 import os
 from mitmproxy import http
@@ -217,22 +220,38 @@ _target_parsed = urlparse(_target)
 if not _target_parsed.scheme or not _target_parsed.netloc:
     raise RuntimeError(f"CC_ROUTER_TARGET is not a valid URL: {_target_raw!r}")
 
+_target_host = (_target_parsed.hostname or "").lower()
+_target_port = _target_parsed.port or (443 if _target_parsed.scheme == "https" else 80)
+
+_secret = os.environ.get("CC_ROUTER_SECRET", "")
+
 _REDIRECT_PREFIXES = ("/v1/messages", "/v1/models")
 
 def request(flow: http.HTTPFlow) -> None:
-    if flow.request.pretty_host != "api.anthropic.com":
+    host = (flow.request.pretty_host or "").lower()
+    port = flow.request.port
+    is_anthropic = host == "api.anthropic.com"
+    is_target = host == _target_host and port == _target_port
+    if not is_anthropic and not is_target:
         return
     if not flow.request.path.startswith(_REDIRECT_PREFIXES):
         return
-    flow.request.scheme = _target_parsed.scheme
-    flow.request.host = _target_parsed.hostname or "localhost"
-    flow.request.port = _target_parsed.port or (443 if _target_parsed.scheme == "https" else 80)
-    flow.request.headers["host"] = flow.request.host + (f":{flow.request.port}" if flow.request.port not in (80, 443) else "")
+    if is_anthropic:
+        flow.request.scheme = _target_parsed.scheme
+        flow.request.host = _target_host or "localhost"
+        flow.request.port = _target_port
+        flow.request.headers["host"] = flow.request.host + (f":{flow.request.port}" if flow.request.port not in (80, 443) else "")
+    if _secret:
+        flow.request.headers["x-api-key"] = _secret
 `.trimStart();
     }
-    // Inject the actual target URL into the default so the addon works even
-    // without the CC_ROUTER_TARGET env var (e.g. manual mitmdump restarts).
+    // Inject the target URL and (optionally) secret into the default values so
+    // the addon works even without the CC_ROUTER_TARGET / CC_ROUTER_SECRET env
+    // vars being present at runtime (manual mitmdump restarts, launchd, etc.).
     src = src.replace('"http://localhost:3456"', JSON.stringify(target));
+    if (secret) {
+        src = src.replace('os.environ.get("CC_ROUTER_SECRET", "")', `os.environ.get("CC_ROUTER_SECRET", ${JSON.stringify(secret)})`);
+    }
     writeFileSync(ADDON_PATH, src, "utf-8");
 }
 // ─── Interceptor lifecycle ────────────────────────────────────────────────────
@@ -240,7 +259,7 @@ def request(flow: http.HTTPFlow) -> None:
  * Start mitmdump in local mode, intercepting the Claude process and redirecting
  * api.anthropic.com traffic to CC-Router via the addon script.
  */
-export async function startInterceptor(target) {
+export async function startInterceptor(target, secret) {
     // On macOS, verify the Network Extension is enabled before attempting to start.
     // If it's "waiting", mitmdump starts silently but captures zero traffic.
     if (isMacos()) {
@@ -261,7 +280,7 @@ export async function startInterceptor(target) {
     }
     // Always (re)write the addon script so package updates and target-URL
     // changes are picked up automatically without requiring a fresh setup.
-    writeAddonScript(target);
+    writeAddonScript(target, secret);
     const processName = getProcessName();
     const args = [
         "--mode", `local:${processName}`,
@@ -269,10 +288,13 @@ export async function startInterceptor(target) {
         "--set", "connection_strategy=lazy",
         "--quiet",
     ];
+    const env = { ...process.env, CC_ROUTER_TARGET: target };
+    if (secret)
+        env["CC_ROUTER_SECRET"] = secret;
     const child = spawn("mitmdump", args, {
         detached: true,
         stdio: "ignore",
-        env: { ...process.env, CC_ROUTER_TARGET: target },
+        env,
     });
     child.unref();
     if (child.pid) {
@@ -337,8 +359,12 @@ async function resolveMitmdumpPath() {
         return "mitmdump"; // fallback — hope it's on PATH at boot time
     }
 }
-function buildInterceptorPlist(mitmdumpPath, target) {
+function buildInterceptorPlist(mitmdumpPath, target, secret) {
     const processName = getProcessName();
+    const secretEntry = secret
+        ? `        <key>CC_ROUTER_SECRET</key>
+        <string>${secret}</string>`
+        : "";
     return `<?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
@@ -375,13 +401,15 @@ function buildInterceptorPlist(mitmdumpPath, target) {
         <string>${process.env["PATH"] ?? "/usr/local/bin:/opt/homebrew/bin:/usr/bin:/bin"}</string>
         <key>CC_ROUTER_TARGET</key>
         <string>${target}</string>
+${secretEntry}
     </dict>
 </dict>
 </plist>
 `;
 }
-function buildInterceptorSystemdUnit(mitmdumpPath, target) {
+function buildInterceptorSystemdUnit(mitmdumpPath, target, secret) {
     const processName = getProcessName();
+    const secretLine = secret ? `\nEnvironment=CC_ROUTER_SECRET=${secret}` : "";
     return `[Unit]
 Description=CC-Router Interceptor — mitmproxy for Claude Desktop
 After=network-online.target
@@ -395,7 +423,7 @@ RestartSec=5
 StartLimitIntervalSec=60
 StartLimitBurst=5
 Environment=PATH=${process.env["PATH"] ?? "/usr/local/bin:/usr/bin:/bin"}
-Environment=CC_ROUTER_TARGET=${target}
+Environment=CC_ROUTER_TARGET=${target}${secretLine}
 
 [Install]
 WantedBy=default.target
@@ -405,17 +433,17 @@ WantedBy=default.target
  * Install the mitmproxy interceptor as an OS service so it starts on boot.
  * Stops any existing detached mitmdump process first — the OS service takes over.
  */
-export async function installInterceptorService(target) {
-    // Ensure the addon script is up-to-date with the target URL
-    writeAddonScript(target);
+export async function installInterceptorService(target, secret) {
+    // Ensure the addon script is up-to-date with the target URL and secret
+    writeAddonScript(target, secret);
     // Stop any manually-spawned mitmdump — OS service will manage it now
     await stopInterceptor();
     const mitmdumpPath = await resolveMitmdumpPath();
     const platform = detectPlatform();
     switch (platform) {
-        case "macos": return installInterceptorMacOS(mitmdumpPath, target);
-        case "linux": return installInterceptorLinux(mitmdumpPath, target);
-        case "windows": return installInterceptorWindows(mitmdumpPath, target);
+        case "macos": return installInterceptorMacOS(mitmdumpPath, target, secret);
+        case "linux": return installInterceptorLinux(mitmdumpPath, target, secret);
+        case "windows": return installInterceptorWindows(mitmdumpPath, target, secret);
     }
 }
 export async function uninstallInterceptorService() {
@@ -435,7 +463,7 @@ export function isInterceptorServiceInstalled() {
     }
 }
 // ─── macOS LaunchAgent ──────────────────────────────────────────────────────
-async function installInterceptorMacOS(mitmdumpPath, target) {
+async function installInterceptorMacOS(mitmdumpPath, target, secret) {
     const launchAgentsDir = dirname(LAUNCHD_PLIST);
     if (!existsSync(launchAgentsDir))
         mkdirSync(launchAgentsDir, { recursive: true });
@@ -443,7 +471,7 @@ async function installInterceptorMacOS(mitmdumpPath, target) {
     if (existsSync(LAUNCHD_PLIST)) {
         await interceptorLaunchctlUnload();
     }
-    writeFileSync(LAUNCHD_PLIST, buildInterceptorPlist(mitmdumpPath, target), "utf-8");
+    writeFileSync(LAUNCHD_PLIST, buildInterceptorPlist(mitmdumpPath, target, secret), "utf-8");
     // Load — try modern `bootstrap` first, fallback to legacy `load`
     const uid = String(process.getuid?.() ?? 501);
     try {
@@ -483,10 +511,10 @@ async function interceptorLaunchctlUnload() {
     }
 }
 // ─── Linux systemd user service ─────────────────────────────────────────────
-async function installInterceptorLinux(mitmdumpPath, target) {
+async function installInterceptorLinux(mitmdumpPath, target, secret) {
     if (!existsSync(SYSTEMD_DIR))
         mkdirSync(SYSTEMD_DIR, { recursive: true });
-    writeFileSync(SYSTEMD_SERVICE, buildInterceptorSystemdUnit(mitmdumpPath, target), "utf-8");
+    writeFileSync(SYSTEMD_SERVICE, buildInterceptorSystemdUnit(mitmdumpPath, target, secret), "utf-8");
     try {
         await execFileP("systemctl", ["--user", "daemon-reload"]);
         await execFileP("systemctl", ["--user", "enable", "cc-router-interceptor"]);
@@ -517,9 +545,10 @@ async function uninstallInterceptorLinux() {
     catch { /* ok */ }
 }
 // ─── Windows Registry ───────────────────────────────────────────────────────
-async function installInterceptorWindows(mitmdumpPath, target) {
+async function installInterceptorWindows(mitmdumpPath, target, secret) {
     const processName = getProcessName();
-    const cmd = `cmd /c "set CC_ROUTER_TARGET=${target} && "${mitmdumpPath}" --mode local:${processName} -s "${ADDON_PATH}" --set connection_strategy=lazy --quiet"`;
+    const secretEnv = secret ? `set CC_ROUTER_SECRET=${secret} && ` : "";
+    const cmd = `cmd /c "set CC_ROUTER_TARGET=${target} && ${secretEnv}"${mitmdumpPath}" --mode local:${processName} -s "${ADDON_PATH}" --set connection_strategy=lazy --quiet"`;
     try {
         await execFileP("reg", [
             "add", WINDOWS_REG_KEY,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ai-cc-router",
-  "version": "0.4.1",
+  "version": "0.4.3",
   "description": "Round-robin proxy for Claude Max OAuth tokens — use multiple Claude Max accounts with Claude Code",
   "type": "module",
   "bin": {

package/src/interceptor/addon.py

@@ -1,14 +1,25 @@
-# mitmproxy addon — redirects ONLY /v1/messages traffic to CC-Router.
+# mitmproxy addon — redirects ONLY /v1/messages traffic to CC-Router and
+# injects the proxy secret as an auth header.
 #
-# Claude Desktop sends many types of requests to api.anthropic.com:
-#   /v1/messages         → LLM inference (this is what we redirect)
-#   /v1/messages/count_tokens → token counting (redirect too)
-#   /v1/oauth/*          → session auth (must NOT redirect)
-#   /v1/environments/*   → bridge/cowork (must NOT redirect)
-#   /v1/models           → model listing (redirect — CC-Router proxies this)
-#   /api/*               → desktop features (must NOT redirect)
+# There are TWO cases to handle:
 #
-# Only /v1/messages* and /v1/models are safe to redirect because CC-Router
+# 1. Requests to api.anthropic.com  (Claude Desktop native features)
+#    → rewrite host/port to CC-Router target + inject x-api-key
+#
+# 2. Requests already pointed at the CC-Router target host  (Claude Code
+#    inside Desktop Cowork/Agent mode, which reads ~/.claude/settings.json
+#    and goes direct to ANTHROPIC_BASE_URL)
+#    → inject x-api-key (no rewrite needed)
+#
+# Claude Desktop sends many types of requests:
+#   /v1/messages         → LLM inference (redirect + auth)
+#   /v1/messages/count_tokens → token counting (redirect + auth)
+#   /v1/oauth/*          → session auth (must NOT touch)
+#   /v1/environments/*   → bridge/cowork (must NOT touch)
+#   /v1/models           → model listing (redirect + auth)
+#   /api/*               → desktop features (must NOT touch)
+#
+# Only /v1/messages* and /v1/models are safe to touch because CC-Router
 # injects its own OAuth token. Everything else carries the user's own
 # session token for features CC-Router doesn't handle.
 
@@ -24,6 +35,12 @@ _target_parsed = urlparse(_target)
 if not _target_parsed.scheme or not _target_parsed.netloc:
     raise RuntimeError(f"CC_ROUTER_TARGET is not a valid URL: {_target_raw!r}")
 
+_target_host = (_target_parsed.hostname or "").lower()
+_target_port = _target_parsed.port or (443 if _target_parsed.scheme == "https" else 80)
+
+# Optional proxy secret — when set, injected as x-api-key on routed requests
+_secret = os.environ.get("CC_ROUTER_SECRET", "")
+
 # Paths that CC-Router can handle (it injects its own OAuth token)
 _REDIRECT_PREFIXES = (
     "/v1/messages",
@@ -32,18 +49,30 @@ _REDIRECT_PREFIXES = (
 
 
 def request(flow: http.HTTPFlow) -> None:
-    if flow.request.pretty_host != "api.anthropic.com":
+    host = (flow.request.pretty_host or "").lower()
+    port = flow.request.port
+    is_anthropic = host == "api.anthropic.com"
+    is_target = host == _target_host and port == _target_port
+
+    # Not a host we care about — pass through untouched
+    if not is_anthropic and not is_target:
         return
 
-    # Only redirect inference and model-listing paths
+    # Only touch inference and model-listing paths
     if not flow.request.path.startswith(_REDIRECT_PREFIXES):
         return
 
-    flow.request.scheme = _target_parsed.scheme
-    flow.request.host = _target_parsed.hostname or "localhost"
-    flow.request.port = _target_parsed.port or (443 if _target_parsed.scheme == "https" else 80)
-    flow.request.headers["host"] = flow.request.host + (
-        f":{flow.request.port}"
-        if flow.request.port not in (80, 443)
-        else ""
-    )
+    # Case 1: rewrite api.anthropic.com → CC-Router target
+    if is_anthropic:
+        flow.request.scheme = _target_parsed.scheme
+        flow.request.host = _target_host or "localhost"
+        flow.request.port = _target_port
+        flow.request.headers["host"] = flow.request.host + (
+            f":{flow.request.port}"
+            if flow.request.port not in (80, 443)
+            else ""
+        )
+
+    # Case 1 and 2: authenticate against the proxy if a secret is configured
+    if _secret:
+        flow.request.headers["x-api-key"] = _secret