cdx-manager 0.6.2 → 0.6.3

package/README.md

@@ -1,6 +1,6 @@
 # CDX Manager
 
-[![License](https://img.shields.io/badge/license-MIT-4C8BF5)](LICENSE) ![Version](https://img.shields.io/badge/version-v0.6.2-4C8BF5) ![Python](https://img.shields.io/badge/python-3.9%2B-3776AB?logo=python&logoColor=white)
+[![License](https://img.shields.io/badge/license-MIT-4C8BF5)](LICENSE) ![Version](https://img.shields.io/badge/version-v0.6.3-4C8BF5) ![Python](https://img.shields.io/badge/python-3.9%2B-3776AB?logo=python&logoColor=white)
 
 **Run multiple Codex, Claude, Antigravity, and Ollama sessions from one terminal. Switch between accounts instantly.**
 
@@ -134,7 +134,7 @@ For a specific version:
 
 ```bash
 curl -fsSL https://raw.githubusercontent.com/AlexAgo83/cdx-manager/main/install.sh -o install.sh
-CDX_VERSION=v0.6.2 sh install.sh
+CDX_VERSION=v0.6.3 sh install.sh
 ```
 
 From source:

package/changelogs/CHANGELOGS_0_6_3.md

@@ -0,0 +1,28 @@
+# Changelog (`0.6.2 -> 0.6.3`)
+
+Release date: 2026-05-29
+
+## Claude Authentication
+
+- Fixed Claude Code 2.1.145 isolated auth handling by using `ANTHROPIC_CONFIG_DIR` instead of the older `CLAUDE_CONFIG_DIR` override.
+- Removed leaked `CODEX_HOME` from Claude auth, launch, and status environments so Claude sessions do not write nested `.cdx` state inside isolated Claude homes.
+- Stopped running a destructive Claude logout before `cdx login <name>`, preserving existing credentials when reauthenticating a session.
+- Added profile email hints to Claude login so account-specific sessions open the expected Claude account in the browser.
+
+## Claude Token Fallback
+
+- Added automatic `claude setup-token` fallback when browser login completes but does not create isolated credentials.
+- Captured the one-time setup token through a temporary transcript, wrote it to `claude-home/credentials/default.json`, and removed the temporary transcript after extraction.
+- Added support for the new Anthropic `credentials/default.json` OAuth format during auth probes, launches, status refreshes, and auth bundle exports.
+
+## Release Metadata and Documentation
+
+- Updated package metadata, CLI version output, README badge, and pinned installer example to `v0.6.3`.
+
+## Validation and Regression Coverage
+
+- Added regression coverage for Claude login without pre-logout, email-hinted login, setup-token fallback, modern Anthropic credentials, and cleaned Claude environments.
+
+## Validation and Regression Evidence
+
+- `python3 -m unittest discover -s test -p 'test_*_py.py'`

package/checksums/release-archives.json

@@ -12,6 +12,10 @@
     "v0.6.1": {
       "github_tarball_sha256": "5ae4032894e1806ffb3a713e555c12b2faa3bfa6fd7c9fa468664a8577abe827",
       "github_zip_sha256": "7949e99dcfe21dc4e2b82f720b515aea8f0ac9f2059142032d488bcfbc4dfaf1"
+    },
+    "v0.6.2": {
+      "github_tarball_sha256": "0a00fba132453d265a72fa551bff750a9a400011f895d9da33149b335324e02e",
+      "github_zip_sha256": "424b1c9652da5054bdc4cf26f31764ea34ddc4609d6eb8075efbf8068112cd50"
     }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "cdx-manager",
-  "version": "0.6.2",
+  "version": "0.6.3",
   "description": "Terminal session manager for Codex and Claude accounts.",
   "license": "MIT",
   "author": "Alexandre Agostini",

package/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "cdx-manager"
-version = "0.6.2"
+version = "0.6.3"
 description = "Terminal session manager for Codex and Claude accounts."
 readme = "README.md"
 requires-python = ">=3.9"

package/src/claude_usage.py

@@ -15,6 +15,16 @@ CLAUDE_AUTH_STATUS_TIMEOUT_SECONDS = 15
 
 
 def _read_claude_credentials(auth_home):
+    anthropic_cred_path = os.path.join(auth_home, "credentials", "default.json")
+    try:
+        with open(anthropic_cred_path, "r", encoding="utf-8") as f:
+            data = json.load(f)
+        token = data.get("access_token") if isinstance(data, dict) else None
+        if token:
+            return {"accessToken": token}
+    except (FileNotFoundError, json.JSONDecodeError, OSError):
+        pass
+
     cred_path = os.path.join(auth_home, ".claude", ".credentials.json")
     try:
         with open(cred_path, "r", encoding="utf-8") as f:
@@ -27,7 +37,7 @@ def _read_claude_credentials(auth_home):
 def _home_env_overrides(auth_home):
     overrides = {
         "HOME": auth_home,
-        "CLAUDE_CONFIG_DIR": auth_home,
+        "ANTHROPIC_CONFIG_DIR": auth_home,
         "CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS": "1",
     }
     if sys.platform == "win32":

package/src/cli.py

@@ -55,7 +55,7 @@ from .status_view import (
 )
 from .update_check import check_for_update
 
-VERSION = "0.6.2"
+VERSION = "0.6.3"
 
 
 # ---------------------------------------------------------------------------

package/src/cli_commands.py

@@ -9,7 +9,7 @@ from datetime import datetime, timedelta
 
 from .claude_refresh import _refresh_claude_sessions
 from .cli_render import _dim, _info, _success, _warn
-from .config import PROVIDER_ANTIGRAVITY, PROVIDER_CODEX, PROVIDER_OLLAMA, PROVIDERS
+from .config import PROVIDER_ANTIGRAVITY, PROVIDER_CLAUDE, PROVIDER_CODEX, PROVIDER_OLLAMA, PROVIDERS
 from .context_store import (
     clear_context,
     edit_context,
@@ -837,6 +837,72 @@ def _resolve_confirmation(confirm_fn, name):
     return confirmed
 
 
+def _extract_claude_oauth_token(text):
+    if not text:
+        return None
+    patterns = [
+        r"CLAUDE_CODE_OAUTH_TOKEN=([^\s\"']+)",
+        r"(sk-ant-oat[0-9A-Za-z._-]+)",
+    ]
+    for pattern in patterns:
+        match = re.search(pattern, text)
+        if match:
+            return match.group(1).strip()
+    return None
+
+
+def _write_claude_oauth_token(auth_home, token):
+    cred_dir = os.path.join(auth_home, "credentials")
+    os.makedirs(cred_dir, exist_ok=True)
+    cred_path = os.path.join(cred_dir, "default.json")
+    payload = {
+        "version": "1.0",
+        "type": "oauth_token",
+        "access_token": token,
+    }
+    with open(cred_path, "w", encoding="utf-8") as handle:
+        json.dump(payload, handle, indent=2)
+        handle.write("\n")
+    try:
+        os.chmod(cred_path, 0o600)
+    except OSError:
+        pass
+    return cred_path
+
+
+def _bootstrap_claude_setup_token(session, ctx):
+    ctx["out"](
+        "Claude login did not create isolated credentials; falling back to claude setup-token.\n"
+    )
+    run_info = _run_interactive_provider_command(
+        session,
+        "setup-token",
+        spawn=ctx.get("spawn"),
+        env_override=ctx.get("env"),
+        signal_emitter=ctx.get("signal_emitter"),
+    )
+    transcript_path = run_info.get("transcript_path")
+    if not transcript_path or not os.path.isfile(transcript_path):
+        raise CdxError(
+            "Claude setup-token completed, but cdx could not capture the token. "
+            "Run claude setup-token and save the token under credentials/default.json."
+        )
+    try:
+        with open(transcript_path, "r", encoding="utf-8", errors="replace") as handle:
+            transcript = handle.read()
+    finally:
+        try:
+            os.remove(transcript_path)
+        except OSError:
+            pass
+    token = _extract_claude_oauth_token(transcript)
+    if not token:
+        raise CdxError(
+            "Claude setup-token completed, but cdx could not find CLAUDE_CODE_OAUTH_TOKEN in the output."
+        )
+    return _write_claude_oauth_token(session.get("authHome") or "", token)
+
+
 def handle_add(rest, ctx):
     json_flag, args = _parse_json_flag(rest)
     parsed = _parse_add_args(args)
@@ -1666,7 +1732,7 @@ def handle_login(rest, ctx):
     session = ctx["service"]["get_session"](args[0])
     if not session:
         raise CdxError(f"Unknown session: {args[0]}")
-    if session["provider"] not in (PROVIDER_ANTIGRAVITY, PROVIDER_OLLAMA):
+    if session["provider"] == PROVIDER_CODEX:
         _run_interactive_provider_command(
             session, "logout", spawn=ctx.get("spawn"), env_override=ctx.get("env"),
             signal_emitter=ctx.get("signal_emitter")
@@ -1675,6 +1741,26 @@ def handle_login(rest, ctx):
         session, "login", spawn=ctx.get("spawn"), env_override=ctx.get("env"),
         signal_emitter=ctx.get("signal_emitter")
     )
+    auth_probe = _ensure_session_authentication(
+        session,
+        ctx["service"],
+        spawn_sync=ctx.get("spawn_sync"),
+        env_override=ctx.get("env"),
+        behavior="probe-only",
+    )
+    if not auth_probe.get("authenticated") and session["provider"] == PROVIDER_CLAUDE:
+        _bootstrap_claude_setup_token(session, ctx)
+        auth_probe = _ensure_session_authentication(
+            session,
+            ctx["service"],
+            spawn_sync=ctx.get("spawn_sync"),
+            env_override=ctx.get("env"),
+            behavior="probe-only",
+        )
+    if not auth_probe.get("authenticated"):
+        raise CdxError(
+            f"Login command completed, but session {session['name']} is still not authenticated."
+        )
     now = _local_now_iso()
     ctx["service"]["update_auth_state"](args[0], lambda auth: {
         **auth, "status": "authenticated",

package/src/provider_runtime.py

@@ -31,13 +31,16 @@ LAUNCH_PERMISSION_ARGS = {
 def _home_env_overrides(auth_home):
     """Return env vars that point the claude CLI to the given home directory.
 
-    On Unix, only HOME is needed.  On Windows, Node.js resolves the home
-    directory via USERPROFILE (and falls back to HOMEDRIVE+HOMEPATH), so we
-    set all three to ensure profile isolation works regardless of the platform.
+    On Unix, only HOME is needed. Claude Code resolves its auth files relative
+    to HOME; forcing CLAUDE_CONFIG_DIR to this directory makes current Claude
+    Code builds ignore otherwise valid isolated credentials. On Windows, Node.js
+    resolves the home directory via USERPROFILE (and falls back to
+    HOMEDRIVE+HOMEPATH), so we set all three to ensure profile isolation works
+    regardless of the platform.
     """
     overrides = {
         "HOME": auth_home,
-        "CLAUDE_CONFIG_DIR": auth_home,
+        "ANTHROPIC_CONFIG_DIR": auth_home,
         "CLAUDE_CODE_DISABLE_GIT_INSTRUCTIONS": "1",
     }
     if sys.platform == "win32":
@@ -47,6 +50,48 @@ def _home_env_overrides(auth_home):
     return overrides
 
 
+def _anthropic_profile_name():
+    return "default"
+
+
+def _anthropic_credentials_path(auth_home):
+    return os.path.join(auth_home, "credentials", f"{_anthropic_profile_name()}.json")
+
+
+def _claude_env(base_env, auth_home):
+    env = {**base_env, **_home_env_overrides(auth_home)}
+    env.pop("CLAUDE_CONFIG_DIR", None)
+    env.pop("CODEX_HOME", None)
+    env.setdefault("ANTHROPIC_PROFILE", _anthropic_profile_name())
+    return env
+
+
+def _read_anthropic_oauth_token(auth_home):
+    try:
+        with open(_anthropic_credentials_path(auth_home), "r", encoding="utf-8") as handle:
+            credentials = json.load(handle)
+    except (FileNotFoundError, OSError, json.JSONDecodeError):
+        return None
+    token = credentials.get("access_token") if isinstance(credentials, dict) else None
+    if not token:
+        return None
+    return str(token)
+
+
+def _read_claude_account_email(auth_home):
+    config_path = os.path.join(auth_home, ".claude.json")
+    try:
+        with open(config_path, "r", encoding="utf-8") as handle:
+            config = json.load(handle)
+    except (FileNotFoundError, OSError, json.JSONDecodeError):
+        return None
+    account = config.get("oauthAccount") if isinstance(config, dict) else None
+    email = account.get("emailAddress") if isinstance(account, dict) else None
+    if not email:
+        return None
+    return str(email).strip()
+
+
 def _antigravity_env_overrides(auth_home):
     overrides = {"HOME": auth_home}
     if sys.platform == "win32":
@@ -187,12 +232,17 @@ def _build_launch_spec(session, cwd=None, env_override=None, initial_prompt=None
         args = ["--name", session["name"]] + _launch_config_args(session)
         if initial_prompt:
             args.append(initial_prompt)
+        auth_home = _get_auth_home(session)
+        claude_env = _claude_env(env, auth_home)
+        oauth_token = _read_anthropic_oauth_token(auth_home)
+        if oauth_token:
+            claude_env["CLAUDE_CODE_OAUTH_TOKEN"] = oauth_token
         return _wrap_launch_with_transcript(session, {
             "command": "claude",
             "args": args,
             "options": {
                 "cwd": cwd,
-                "env": {**env, **_home_env_overrides(_get_auth_home(session))},
+                "env": claude_env,
             },
             "label": "claude",
         }, env=env)
@@ -241,7 +291,11 @@ def _build_launch_spec(session, cwd=None, env_override=None, initial_prompt=None
 def _build_login_status_spec(session, env_override=None):
     env = {**os.environ, **(env_override or {})}
     if session["provider"] == PROVIDER_CLAUDE:
-        env.update(_home_env_overrides(_get_auth_home(session)))
+        auth_home = _get_auth_home(session)
+        env = _claude_env(env, auth_home)
+        oauth_token = _read_anthropic_oauth_token(auth_home)
+        if oauth_token:
+            env["CLAUDE_CODE_OAUTH_TOKEN"] = oauth_token
 
         def parser(output):
             try:
@@ -273,9 +327,20 @@ def _build_auth_action_spec(session, action, cwd=None, env_override=None):
     cwd = cwd or os.getcwd()
     env = {**os.environ, **(env_override or {})}
     if session["provider"] == PROVIDER_CLAUDE:
-        env.update(_home_env_overrides(_get_auth_home(session)))
-        return {"command": "claude", "args": ["auth", action],
-                "options": {"cwd": cwd, "env": env}, "label": f"claude auth {action}"}
+        auth_home = _get_auth_home(session)
+        env = _claude_env(env, auth_home)
+        args = ["auth", action]
+        label = f"claude auth {action}"
+        if action == "setup-token":
+            spec = {"command": "claude", "args": ["setup-token"],
+                    "options": {"cwd": cwd, "env": env}, "label": "claude setup-token"}
+            return _wrap_launch_with_transcript(session, spec, env=env)
+        if action == "login":
+            email = _read_claude_account_email(auth_home)
+            if email:
+                args += ["--email", email]
+        return {"command": "claude", "args": args,
+                "options": {"cwd": cwd, "env": env}, "label": label}
     if session["provider"] == PROVIDER_ANTIGRAVITY:
         if action == "logout":
             raise CdxError("Antigravity logout is managed inside agy. Launch the session and run /logout.")

package/src/session_service.py

@@ -433,6 +433,8 @@ def create_session_service(options=None):
     def _auth_bundle_paths(provider):
         if provider == PROVIDER_CLAUDE:
             return [
+                "claude-home/configs/default.json",
+                "claude-home/credentials/default.json",
                 "claude-home/.claude/.credentials.json",
                 "claude-home/.claude.json",
                 "claude-home/auth.json",